refactor: standardize helm labels and improve error handling

Helm chart:
- Add _helpers.tpl with standardized label templates
- Refactor all templates to use shared label helpers
- Add PodDisruptionBudget for HA deployments

s3proxy:
- Improve error handling and XML responses
- Fix multipart upload/copy handlers
- Update state serialization

Author: ServerSideHannes

chart/templates/_helpers.tpl

@@ -0,0 +1,25 @@
+{{/*
+Common labels for all resources
+*/}}
+{{- define "s3proxy.labels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
+{{- end }}
+
+{{/*
+Selector labels (subset of labels used for pod selection)
+*/}}
+{{- define "s3proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Full name with release prefix
+*/}}
+{{- define "s3proxy.fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}

chart/templates/configmap.yaml

@@ -3,7 +3,7 @@ kind: ConfigMap
 metadata:
   name: {{ .Chart.Name }}-config
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
+    {{- include "s3proxy.labels" . | nindent 4 }}
 data:
   S3PROXY_HOST: {{ .Values.s3.host | quote }}
   S3PROXY_REGION: {{ .Values.s3.region | quote }}

chart/templates/deployment.yaml

@@ -3,17 +3,16 @@ kind: Deployment
 metadata:
   name: {{ .Chart.Name }}
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
+    {{- include "s3proxy.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: {{ .Chart.Name }}
+      {{- include "s3proxy.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: {{ .Chart.Name }}
-        app.kubernetes.io/name: {{ .Chart.Name }}
+        {{- include "s3proxy.labels" . | nindent 8 }}
     spec:
       containers:
         - name: {{ .Chart.Name }}

chart/templates/gateway-service.yaml

@@ -5,7 +5,8 @@ metadata:
   name: {{ .Values.gateway.serviceName }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}-gateway
+    {{- include "s3proxy.labels" . | nindent 4 }}
+    app.kubernetes.io/component: gateway
 spec:
   type: ExternalName
   externalName: {{ .Values.gateway.ingressService }}

chart/templates/ingress.yaml

@@ -4,7 +4,7 @@ kind: Ingress
 metadata:
   name: {{ .Chart.Name }}
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
+    {{- include "s3proxy.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

chart/templates/pdb.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    {{- include "s3proxy.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- else if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- else }}
+  minAvailable: 1
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "s3proxy.selectorLabels" . | nindent 6 }}
+{{- end }}

chart/templates/secret.yaml

@@ -6,7 +6,7 @@ kind: Secret
 metadata:
   name: {{ .Chart.Name }}-secrets
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
+    {{- include "s3proxy.labels" . | nindent 4 }}
 type: Opaque
 stringData:
   S3PROXY_ENCRYPT_KEY: {{ .Values.secrets.encryptKey | quote }}

chart/templates/service.yaml

@@ -3,11 +3,11 @@ kind: Service
 metadata:
   name: {{ .Chart.Name }}
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
+    {{- include "s3proxy.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   selector:
-    app: {{ .Chart.Name }}
+    {{- include "s3proxy.selectorLabels" . | nindent 4 }}
   ports:
     - name: http
       port: {{ .Values.service.port }}

chart/values.yaml

@@ -122,6 +122,12 @@ affinity: {}
 
 topologySpreadConstraints: []
 
+# Pod Disruption Budget - ensures HA during node maintenance/upgrades
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+  # maxUnavailable: 1  # Alternative to minAvailable
+
 ingress:
   enabled: false
   className: "nginx"

s3proxy/client/verifier.py

@@ -41,6 +41,38 @@ def __init__(self, credentials_store: dict[str, str]):
         """Initialize with a mapping of access_key -> secret_key."""
         self.credentials_store = credentials_store
 
+    def _parse_v4_credential(
+        self, credential: str
+    ) -> tuple[S3Credentials | None, str, str, str, str | None]:
+        """Parse V4 credential string and lookup secret key.
+
+        Returns: (credentials, date_stamp, region, service, error)
+        """
+        try:
+            parts = credential.split("/")
+            access_key, date_stamp, region, service = parts[0], parts[1], parts[2], parts[3]
+        except (IndexError, ValueError):
+            return None, "", "", "", "Invalid credential format"
+
+        secret_key = self.credentials_store.get(access_key)
+        if not secret_key:
+            return None, "", "", "", f"Unknown access key: {access_key}"
+
+        creds = S3Credentials(
+            access_key=access_key, secret_key=secret_key, region=region, service=service
+        )
+        return creds, date_stamp, region, service, None
+
+    def _compute_v4_signature(
+        self, canonical_request: str, amz_date: str, date_stamp: str, region: str, service: str, secret_key: str
+    ) -> str:
+        """Compute V4 signature for a canonical request."""
+        string_to_sign = self._build_string_to_sign(
+            amz_date, date_stamp, region, service, canonical_request
+        )
+        signing_key = _derive_signing_key(secret_key, date_stamp, region, service)
+        return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
+
     def verify(self, request: ParsedRequest, path: str) -> tuple[bool, S3Credentials | None, str]:
         """Verify SigV4 signature. Returns (is_valid, credentials, error_message)."""
         # Check for Authorization header (standard SigV4)
@@ -73,60 +105,38 @@ def _verify_header_signature(
             signed_headers = auth_parts["SignedHeaders"]
             signature = auth_parts["Signature"]
 
-            cred_parts = credential.split("/")
-            access_key = cred_parts[0]
-            date_stamp = cred_parts[1]
-            region = cred_parts[2]
-            service = cred_parts[3]
-
-            secret_key = self.credentials_store.get(access_key)
-            if not secret_key:
-                return False, None, f"Unknown access key: {access_key}"
-
-            credentials = S3Credentials(
-                access_key=access_key,
-                secret_key=secret_key,
-                region=region,
-                service=service,
-            )
+            credentials, date_stamp, region, service, error = self._parse_v4_credential(credential)
+            if error:
+                return False, None, error
 
             amz_date = request.headers.get("x-amz-date", "")
             if not amz_date:
                 return False, credentials, "Missing x-amz-date header"
 
             try:
                 request_time = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
-                now = datetime.now(UTC)
-                if abs(now - request_time) > CLOCK_SKEW_TOLERANCE:
+                if abs(datetime.now(UTC) - request_time) > CLOCK_SKEW_TOLERANCE:
                     return False, credentials, "Request time too skewed"
             except ValueError:
                 return False, credentials, "Invalid x-amz-date format"
 
             canonical_request = self._build_canonical_request(
                 request, path, signed_headers.split(";")
             )
-
-            string_to_sign = self._build_string_to_sign(
-                amz_date, date_stamp, region, service, canonical_request
+            calculated_sig = self._compute_v4_signature(
+                canonical_request, amz_date, date_stamp, region, service, credentials.secret_key
             )
 
-            signing_key = _derive_signing_key(secret_key, date_stamp, region, service)
-            calculated_sig = hmac.new(
-                signing_key, string_to_sign.encode(), hashlib.sha256
-            ).hexdigest()
-
             if hmac.compare_digest(calculated_sig, signature):
                 return True, credentials, ""
 
-            # Log debug info for signature mismatch to help diagnose issues
             logger.debug(
                 "Signature verification failed",
                 method=request.method,
                 path=path,
                 signed_headers=signed_headers,
                 expected_sig=signature[:16] + "...",
                 calculated_sig=calculated_sig[:16] + "...",
-                canonical_request_hash=hashlib.sha256(canonical_request.encode()).hexdigest()[:16],
             )
             return False, credentials, "Signature mismatch"
 
@@ -144,61 +154,39 @@ def _verify_presigned_v4(
             signed_headers = request.query_params.get("X-Amz-SignedHeaders", [""])[0]
             signature = request.query_params.get("X-Amz-Signature", [""])[0]
 
-            cred_parts = credential.split("/")
-            access_key = cred_parts[0]
-            date_stamp = cred_parts[1]
-            region = cred_parts[2]
-            service = cred_parts[3]
-
-            secret_key = self.credentials_store.get(access_key)
-            if not secret_key:
-                return False, None, f"Unknown access key: {access_key}"
-
-            credentials = S3Credentials(
-                access_key=access_key,
-                secret_key=secret_key,
-                region=region,
-                service=service,
-            )
+            credentials, date_stamp, region, service, error = self._parse_v4_credential(credential)
+            if error:
+                return False, None, error
 
             request_time = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
-            expiry_time = request_time + timedelta(seconds=expires)
-            if datetime.now(UTC) > expiry_time:
+            if datetime.now(UTC) > request_time + timedelta(seconds=expires):
                 return False, credentials, "Presigned URL expired"
 
             query_for_signing = {
                 k: v for k, v in request.query_params.items() if k != "X-Amz-Signature"
             }
+            signed_headers_list = signed_headers.split(";")
 
             # Try verification with original headers first
             canonical_request = self._build_canonical_request_presigned(
-                request, path, signed_headers.split(";"), query_for_signing
+                request, path, signed_headers_list, query_for_signing
             )
-
-            string_to_sign = self._build_string_to_sign(
-                amz_date, date_stamp, region, service, canonical_request
+            calculated_sig = self._compute_v4_signature(
+                canonical_request, amz_date, date_stamp, region, service, credentials.secret_key
             )
 
-            signing_key = _derive_signing_key(secret_key, date_stamp, region, service)
-            calculated_sig = hmac.new(
-                signing_key, string_to_sign.encode(), hashlib.sha256
-            ).hexdigest()
-
             if hmac.compare_digest(calculated_sig, signature):
                 return True, credentials, ""
 
             # Try with alternate host header (with/without :80) for HTTP port normalization
-            # Some clients sign with explicit :80, others normalize it away
             host_header = request.headers.get("host", "")
-            if "host" in signed_headers.split(";"):
-                alternate_host = None
-                if host_header.endswith(":80"):
-                    alternate_host = host_header[:-3]  # Try without :80
-                elif ":" not in host_header:
-                    alternate_host = host_header + ":80"  # Try with :80
-
+            if "host" in signed_headers_list:
+                alternate_host = (
+                    host_header[:-3] if host_header.endswith(":80")
+                    else host_header + ":80" if ":" not in host_header
+                    else None
+                )
                 if alternate_host:
-                    # Create modified request with alternate host
                     modified_headers = dict(request.headers)
                     modified_headers["host"] = alternate_host
                     modified_request = ParsedRequest(
@@ -210,29 +198,23 @@ def _verify_presigned_v4(
                         body=request.body,
                         is_presigned=request.is_presigned,
                     )
-
                     canonical_request_alt = self._build_canonical_request_presigned(
-                        modified_request, path, signed_headers.split(";"), query_for_signing
+                        modified_request, path, signed_headers_list, query_for_signing
                     )
-                    string_to_sign_alt = self._build_string_to_sign(
-                        amz_date, date_stamp, region, service, canonical_request_alt
+                    calculated_sig_alt = self._compute_v4_signature(
+                        canonical_request_alt, amz_date, date_stamp, region, service,
+                        credentials.secret_key,
                     )
-                    calculated_sig_alt = hmac.new(
-                        signing_key, string_to_sign_alt.encode(), hashlib.sha256
-                    ).hexdigest()
-
                     if hmac.compare_digest(calculated_sig_alt, signature):
                         return True, credentials, ""
 
-            # Debug logging for presigned URL signature mismatch
             logger.warning(
                 "Presigned URL signature mismatch",
                 path=path,
                 signed_headers=signed_headers,
                 host_header=host_header,
                 expected_sig=signature[:16] + "...",
                 calculated_sig=calculated_sig[:16] + "...",
-                canonical_request_preview=canonical_request[:500],
             )
             return False, credentials, "Signature mismatch"