docs: consolidate README, clean up e2e tests

ServerSideHannes · ServerSideHannes · commit 12802153ccd6 · 2026-02-06T13:41:59.000+01:00
- Merge Quick Start and Production Deployment into single Install section
- Add collapsible FAQ sections
- Remove debug hooks and DebugS3Client from integration conftest
- Delete fake state recovery tests, keep real Redis test
- Fix stale port comments in HA tests
- Update e2e memoryLimitMb 64→128
diff --git a/README.md b/README.md
@@ -43,7 +43,9 @@ S3's server-side encryption is great, but your cloud provider holds the keys. S3
 
 ---
 
-## Quick Start
+## Install
+
+**Option A** — inline secrets (quick start):
 
 ```bash
 helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3proxy-python \
@@ -52,22 +54,36 @@ helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3prox
   --set secrets.awsSecretAccessKey="wJalr..."
 ```
 
+**Option B** — existing K8s secret (recommended for production):
+
+```bash
+kubectl create secret generic s3proxy-secrets \
+  --from-literal=S3PROXY_ENCRYPT_KEY="your-32-byte-key" \
+  --from-literal=AWS_ACCESS_KEY_ID="AKIA..." \
+  --from-literal=AWS_SECRET_ACCESS_KEY="wJalr..."
+
+helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3proxy-python \
+  --set secrets.existingSecrets.enabled=true \
+  --set secrets.existingSecrets.name=s3proxy-secrets
+```
+
+Then point any S3 client at the proxy:
+
 ```bash
 aws s3 --endpoint-url http://s3proxy-python:4433 cp file.txt s3://bucket/
 ```
 
-That's it. Point any S3 client at the proxy, use the **same credentials** you configured above.
+Use the **same credentials** you configured above. That's it.
+
+> **Endpoints** — In-cluster: `http://s3proxy-python.<ns>:4433` · Gateway: `http://s3-gateway.<ns>` · Ingress: `https://s3proxy.example.com`
+>
+> **Health** — `GET /healthz` · `GET /readyz` · **Metrics** — `GET /metrics`
 
 ---
 
 ## Battle-Tested
 
-<p align="center">
-  <img src="https://img.shields.io/badge/PostgreSQL_17-336791?style=flat-square&logo=postgresql&logoColor=white" alt="PostgreSQL">
-  <img src="https://img.shields.io/badge/Elasticsearch_9-005571?style=flat-square&logo=elasticsearch&logoColor=white" alt="Elasticsearch">
-  <img src="https://img.shields.io/badge/ScyllaDB_6-53cadd?style=flat-square&logo=scylladb&logoColor=white" alt="ScyllaDB">
-  <img src="https://img.shields.io/badge/ClickHouse_24-ffcc00?style=flat-square&logo=clickhouse&logoColor=black" alt="ClickHouse">
-</p>
+Verified with real database operators: **backup, cluster delete, restore, data integrity check.**
 
 | Database | Operator | Backup Tool |
 |:--------:|:--------:|:-----------:|
@@ -76,8 +92,6 @@ That's it. Point any S3 client at the proxy, use the **same credentials** you co
 | ScyllaDB 6.x | Scylla Operator 1.19 | Scylla Manager |
 | ClickHouse 24.x | Altinity Operator | clickhouse-backup |
 
-All verified: **backup, cluster delete, restore, data integrity check.**
-
 ---
 
 ## How It Works
@@ -94,33 +108,6 @@ Master Key → KEK (derived via SHA-256)
 
 ---
 
-## Production Deployment
-
-### External Secrets (recommended)
-
-```bash
-kubectl create secret generic s3proxy-secrets \
-  --from-literal=S3PROXY_ENCRYPT_KEY="your-32-byte-key" \
-  --from-literal=AWS_ACCESS_KEY_ID="AKIA..." \
-  --from-literal=AWS_SECRET_ACCESS_KEY="wJalr..."
-
-helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3proxy-python \
-  --set secrets.existingSecrets.enabled=true \
-  --set secrets.existingSecrets.name=s3proxy-secrets
-```
-
-### Endpoints
-
-| Access | Endpoint |
-|--------|----------|
-| In-cluster | `http://s3proxy-python.<ns>:4433` |
-| Gateway | `http://s3-gateway.<ns>` |
-| Ingress | `https://s3proxy.example.com` |
-
-Health: `GET /healthz` · `GET /readyz` · Metrics: `GET /metrics`
-
----
-
 ## Configuration
 
 | Value | Default | Description |
@@ -141,15 +128,30 @@ See [chart/README.md](chart/README.md) for all options.
 
 ## FAQ
 
-**Can I use existing unencrypted data?** Yes. S3Proxy detects unencrypted objects and returns them as-is. Migrate by copying through the proxy.
-
-**What if I lose my encryption key?** Data is unrecoverable. Back up your key.
-
-**What if Redis fails mid-upload?** Upload fails and must restart. Use `redis-ha.enabled=true` with persistence.
-
-**MinIO / R2 / Spaces?** Yes. Set `s3.host` to your endpoint.
-
-**Presigned URLs?** GET works. PUT/POST don't — the proxy encrypts the body which invalidates the pre-signed signature.
+<details>
+<summary><strong>Can I use existing unencrypted data?</strong></summary>
+Yes. S3Proxy detects unencrypted objects and returns them as-is. Migrate by copying through the proxy.
+</details>
+
+<details>
+<summary><strong>What if I lose my encryption key?</strong></summary>
+Data is unrecoverable. Back up your key.
+</details>
+
+<details>
+<summary><strong>What if Redis fails mid-upload?</strong></summary>
+Upload fails and must restart. Use <code>redis-ha.enabled=true</code> with persistence.
+</details>
+
+<details>
+<summary><strong>MinIO / R2 / Spaces?</strong></summary>
+Yes. Set <code>s3.host</code> to your endpoint.
+</details>
+
+<details>
+<summary><strong>Presigned URLs?</strong></summary>
+GET works. PUT/POST don't — the proxy encrypts the body which invalidates the pre-signed signature.
+</details>
 
 ---
 
diff --git a/e2e/docker-compose.yml b/e2e/docker-compose.yml
@@ -416,7 +416,7 @@ services:
           --set secrets.awsAccessKeyId="minioadmin" \
           --set secrets.awsSecretAccessKey="minioadmin" \
           --set logLevel="DEBUG" \
-          --set performance.memoryLimitMb=64 \
+          --set performance.memoryLimitMb=128 \
           --set gateway.enabled=true \
           --set ingress.enabled=true \
           --set 'ingress.annotations.nginx\.ingress\.kubernetes\.io/proxy-body-size=256m' \
diff --git a/tests/ha/test_ha_redis_e2e.py b/tests/ha/test_ha_redis_e2e.py
@@ -186,8 +186,8 @@ def test_upload_parts_to_different_pods(self, s3_clients, test_bucket):
         Test uploading parts to different pods maintains sequential numbering.
 
         Scenario:
-        - Part 1 → Pod A (port 4433)
-        - Part 2 → Pod B (port 4434)
+        - Part 1 → Pod A (port 4450)
+        - Part 2 → Pod B (port 4451)
         - Both pods share Redis state
         - Internal parts should be [1, 2] (sequential)
         """
diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py
@@ -93,28 +93,6 @@ def _wait_for_port(port: int, proc: subprocess.Popen, timeout: float = 15) -> No
     raise RuntimeError(f"s3proxy failed to start on port {port} after {timeout}s")
 
 
-# === DEBUGGING HOOKS - show exactly where tests get stuck ===
-
-def pytest_runtest_logstart(nodeid, location):
-    """Called before each test starts."""
-    print(f"\n>>> STARTING: {nodeid}", file=sys.stderr, flush=True)
-
-
-def pytest_runtest_logfinish(nodeid, location):
-    """Called after each test finishes."""
-    print(f"<<< FINISHED: {nodeid}", file=sys.stderr, flush=True)
-
-
-def pytest_runtest_setup(item):
-    """Called before test setup."""
-    print(f"  [setup] {item.name}", file=sys.stderr, flush=True)
-
-
-def pytest_runtest_teardown(item):
-    """Called before test teardown."""
-    print(f"  [teardown] {item.name}", file=sys.stderr, flush=True)
-
-
 @pytest.fixture(scope="session")
 def s3proxy_server():
     """Start s3proxy server for e2e tests.
@@ -139,46 +117,16 @@ def s3proxy_server():
         print(f"[FIXTURE] Stopping s3proxy (pid={proc.pid})...")
 
 
-class DebugS3Client:
-    """Wrapper that logs every S3 operation."""
-
-    def __init__(self, client):
-        self._client = client
-        # Expose exceptions directly for contextlib.suppress compatibility
-        self.exceptions = client.exceptions
-
-    def __getattr__(self, name):
-        attr = getattr(self._client, name)
-        if callable(attr):
-            def wrapper(*args, **kwargs):
-                # Log the call
-                args_str = ", ".join([f"{k}={v!r}" for k, v in kwargs.items() if k != "Body"])
-                if "Body" in kwargs:
-                    body = kwargs["Body"]
-                    args_str += f", Body=<{len(body)} bytes>"
-                print(f"  -> s3.{name}({args_str})", file=sys.stderr, flush=True)
-                try:
-                    result = attr(*args, **kwargs)
-                    print(f"  <- s3.{name} OK", file=sys.stderr, flush=True)
-                    return result
-                except Exception as e:
-                    print(f"  <- s3.{name} FAILED: {e}", file=sys.stderr, flush=True)
-                    raise
-            return wrapper
-        return attr
-
-
 @pytest.fixture
 def s3_client(s3proxy_server):
     """Create boto3 S3 client pointing to s3proxy."""
-    client = boto3.client(
+    return boto3.client(
         "s3",
         endpoint_url=s3proxy_server,
         aws_access_key_id="minioadmin",
         aws_secret_access_key="minioadmin",
         region_name="us-east-1",
     )
-    return DebugS3Client(client)
 
 
 @pytest.fixture
diff --git a/tests/integration/test_state_recovery_e2e.py b/tests/integration/test_state_recovery_e2e.py
