Improve secret setting & fix GCS backend

charts/s3proxy/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.5
+version: 0.0.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/s3proxy/override-values.example.yaml

@@ -67,73 +67,76 @@ config:
       region: "us-west-2"
       # endpoint: "https://s3.amazonaws.com"  # Optional custom endpoint (e.g., MinIO, Ceph)
       accessKeyID: "AKIAIOSFODNN7EXAMPLE"
-      secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+      secretAccessKey:
+        value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+        # existingSecret: "my-s3-secret"
+        # secretKey: "secretAccessKey"
 
     # Azure Blob Storage backend
     azureblob:
       enabled: false  # Set to true to use Azure Blob backend
       provider: "azureblob"  # Can be "azureblob" or "azureblob-sdk"
       account: "mystorageaccount"
-      key: "base64encodedkey=="
+      key:
+        value: "base64encodedkey=="
+        # existingSecret: "my-azure-secret"
+        # secretKey: "accountKey"
       # endpoint: "https://mystorageaccount.blob.core.windows.net"  # Optional
-      # sasToken: ""  # Optional SAS token
+      sasToken:
+        value: ""  # Optional SAS token
+        # existingSecret: "my-azure-sas-secret"
+        # secretKey: "sasToken"
 
     # Google Cloud Storage backend
     googleCloudStorage:
       enabled: false  # Set to true to use GCS backend
       projectID: "my-project"
 
-      # Service account email or user email (required for both authentication methods)
+      # Service account email or user email
       clientEmail: "service-account@my-project.iam.gserviceaccount.com"
 
-      # Option 1: Using privateKey directly
-      privateKey: "-----BEGIN RSA PRIVATE KEY-----\n..."
-
-      # Option 2: Using JSON credentials file (preferred for GCP)
-      # This provides the credential (privateKey) via a mounted file
-      jsonCredentials:
-        enabled: false  # Set to true to use JSON credentials
-
-        # Either provide the JSON content directly:
-        # jsonContent: |
-        #   {
-        #     "type": "service_account",
-        #     "project_id": "my-project",
-        #     "private_key_id": "key-id",
-        #     "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...",
-        #     "client_email": "service-account@my-project.iam.gserviceaccount.com",
-        #     "client_id": "...",
-        #     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-        #     "token_uri": "https://oauth2.googleapis.com/token",
-        #     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-        #     "client_x509_cert_url": "..."
-        #   }
-
-        # Or reference an existing secret containing the JSON:
-        # existingSecret: "my-gcp-credentials-secret"
-        # secretKey: "credentials.json"  # Key in the secret containing the JSON (default: credentials.json)
+      # Private key configuration
+      privateKey:
+        # Option 1: Provide private key directly
+        # value: |-
+        #   -----BEGIN RSA PRIVATE KEY-----
+        #   ...
+        #   -----END RSA PRIVATE KEY-----
+
+        # Option 2: Reference an existing secret containing the private key
+        # existingSecret: "my-gcs-privatekey-secret"
+        # secretKey: "privateKey"
 
     # Backblaze B2 backend
     b2:
       enabled: false  # Set to true to use B2 backend
       account: "account-id"
-      applicationKey: "application-key"
+      applicationKey:
+        value: "application-key"
+        # existingSecret: "my-b2-secret"
+        # secretKey: "applicationKey"
 
     # OpenStack Swift backend
     openstackSwift:
       enabled: false  # Set to true to use Swift backend
       authURL: "https://auth.cloud.com/v2.0"
       tenantName: "my-tenant"
       userName: "my-user"
-      password: "my-password"
+      password:
+        value: "my-password"
+        # existingSecret: "my-swift-secret"
+        # secretKey: "password"
       region: "RegionOne"
 
     # Rackspace Cloud Files backend
     rackspaceCloudfiles:
       enabled: false  # Set to true to use Rackspace Cloud Files backend
       region: "us"  # Region: "us" or "uk"
       userName: "my-user"
-      apiKey: "my-api-key"
+      apiKey:
+        value: "my-api-key"
+        # existingSecret: "my-rackspace-secret"
+        # secretKey: "apiKey"
 
 # Persistence settings for filesystem backend
 persistence:
@@ -233,4 +236,3 @@ extraEnvVars:
 #               values:
 #                 - s3proxy
 #         topologyKey: kubernetes.io/hostname
-

charts/s3proxy/templates/configmap.yaml

@@ -1,67 +1,66 @@
 {{- define "s3proxy.main.config" -}}
-    # S3Proxy configuration
-    s3proxy.endpoint=http://0.0.0.0:{{ .Values.service.targetPort }}
-    s3proxy.authorization={{ .Values.config.auth.type }}
-{{- if .Values.config.virtualHost }}
-    s3proxy.virtual-host={{ .Values.config.virtualHost }}
-{{- end }}
-
-{{- if ne .Values.config.auth.type "none" }}
-    # Authentication credentials will be merged from the secret properties file
-    # s3proxy.identity and s3proxy.credential will be provided by the secret
-{{- end }}
-
-{{- if .Values.config.cors.enabled }}
-    # CORS configuration
-  {{- if .Values.config.cors.allowOrigins }}
-    s3proxy.cors-allow-origins={{ join " " .Values.config.cors.allowOrigins }}
+# S3Proxy configuration
+s3proxy.endpoint=http://0.0.0.0:{{ .Values.service.targetPort }}
+s3proxy.authorization={{ .Values.config.auth.type }}
+  {{- if .Values.config.virtualHost }}
+s3proxy.virtual-host={{ .Values.config.virtualHost }}
   {{- end }}
-  {{- if .Values.config.cors.allowMethods }}
-    s3proxy.cors-allow-methods={{ join " " .Values.config.cors.allowMethods }}
+
+  {{- if ne .Values.config.auth.type "none" }}
+# Authentication credentials will be merged from the secret properties file
+# s3proxy.identity and s3proxy.credential will be provided by the secret
   {{- end }}
-  {{- if .Values.config.cors.allowHeaders }}
-    s3proxy.cors-allow-headers={{ join " " .Values.config.cors.allowHeaders }}
+
+  {{- if .Values.config.cors.enabled }}
+# CORS configuration
+    {{- if .Values.config.cors.allowOrigins }}
+s3proxy.cors-allow-origins={{ join " " .Values.config.cors.allowOrigins }}
+    {{- end }}
+    {{- if .Values.config.cors.allowMethods }}
+s3proxy.cors-allow-methods={{ join " " .Values.config.cors.allowMethods }}
+    {{- end }}
+    {{- if .Values.config.cors.allowHeaders }}
+s3proxy.cors-allow-headers={{ join " " .Values.config.cors.allowHeaders }}
+    {{- end }}
+s3proxy.cors-allow-credential={{ .Values.config.cors.allowCredential }}
   {{- end }}
-    s3proxy.cors-allow-credential={{ .Values.config.cors.allowCredential }}
-{{- end }}
 
-{{- if .Values.config.buckets.alias }}
-    # Bucket aliasing
-  {{- range $key, $value := .Values.config.buckets.alias }}
-    s3proxy.alias.{{ $key }}={{ $value }}
+  {{- if .Values.config.buckets.alias }}
+# Bucket aliasing
+    {{- range $key, $value := .Values.config.buckets.alias }}
+s3proxy.alias.{{ $key }}={{ $value }}
+    {{- end }}
   {{- end }}
-{{- end }}
 
-{{- if .Values.config.buckets.locator }}
-    # Bucket locator
-  {{- range $index, $bucket := .Values.config.buckets.locator }}
-    s3proxy.bucket-locator.{{ add $index 1 }}={{ $bucket }}
+  {{- if .Values.config.buckets.locator }}
+# Bucket locator
+    {{- range $index, $bucket := .Values.config.buckets.locator }}
+s3proxy.bucket-locator.{{ add $index 1 }}={{ $bucket }}
+    {{- end }}
   {{- end }}
-{{- end }}
 
-{{- if .Values.config.middlewares.readOnly }}
-    # Read-only middleware
-    s3proxy.read-only-blobstore=true
-{{- end }}
+  {{- if .Values.config.middlewares.readOnly }}
+# Read-only middleware
+s3proxy.read-only-blobstore=true
+  {{- end }}
 
-{{- if .Values.config.middlewares.eventualConsistency }}
-    # Eventual consistency middleware
-    s3proxy.eventual-consistency=true
-{{- end }}
+  {{- if .Values.config.middlewares.eventualConsistency }}
+# Eventual consistency middleware
+s3proxy.eventual-consistency=true
+  {{- end }}
 
-{{- if .Values.config.middlewares.shardedBackend }}
-    # Sharded backend middleware
-    s3proxy.sharded-blobstore=true
-    s3proxy.sharded-blobstore.prefix=2
-    s3proxy.sharded-blobstore.levels=2
-{{- end }}
+  {{- if .Values.config.middlewares.shardedBackend }}
+# Sharded backend middleware
+s3proxy.sharded-blobstore=true
+s3proxy.sharded-blobstore.prefix=2
+s3proxy.sharded-blobstore.levels=2
+  {{- end }}
 
-{{- if .Values.config.middlewares.largeObjectMocking }}
-    # Large object mocking middleware
-    s3proxy.large-object-mocking=true
-{{- end }}
+  {{- if .Values.config.middlewares.largeObjectMocking }}
+# Large object mocking middleware
+s3proxy.large-object-mocking=true
+  {{- end }}
 {{- end }}
-
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -70,8 +69,8 @@ metadata:
     {{- include "s3proxy.labels" . | nindent 4 }}
 data:
 {{- if .Values.config.backends.filesystem.enabled }}
-  backend-filesystem.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-filesystem.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Filesystem backend configuration
   {{- if .Values.config.backends.filesystem.nio2 }}
@@ -83,8 +82,8 @@ data:
 {{- end }}
 
 {{- if .Values.config.backends.transient.enabled }}
-  backend-transient.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-transient.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Transient backend configuration
   {{- if .Values.config.backends.transient.nio2 }}
@@ -95,8 +94,8 @@ data:
 {{- end }}
 
 {{- if .Values.config.backends.s3.enabled }}
-  backend-s3.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-s3.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # S3 backend configuration
   {{- if .Values.config.backends.s3.aws }}
@@ -110,49 +109,69 @@ data:
   {{- if .Values.config.backends.s3.endpoint }}
     jclouds.endpoint={{ .Values.config.backends.s3.endpoint }}
   {{- end }}
-    # Credentials will be merged from the secret properties file
-    # jclouds.identity and jclouds.credential will be provided by the secret
+  {{- if .Values.config.backends.s3.accessKeyID }}
+    jclouds.identity={{ .Values.config.backends.s3.accessKeyID }}
+  {{- end }}
+  {{- if .Values.config.backends.s3.secretAccessKey.value }}
+    # Credential will be merged from the secret properties file
+  {{- end }}
 {{- end }}
 
 {{- if .Values.config.backends.azureblob.enabled }}
-  backend-azureblob.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-azureblob.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Azure Blob backend configuration
     jclouds.provider={{ .Values.config.backends.azureblob.provider }}
   {{- if .Values.config.backends.azureblob.endpoint }}
     jclouds.azureblob.endpoint={{ .Values.config.backends.azureblob.endpoint }}
   {{- end }}
+  {{- if .Values.config.backends.azureblob.account }}
+    jclouds.identity={{ .Values.config.backends.azureblob.account }}
+  {{- end }}
+  {{- if or .Values.config.backends.azureblob.key.value .Values.config.backends.azureblob.sasToken.value }}
     # Credentials will be merged from the secret properties file
-    # jclouds.identity, jclouds.credential, and jclouds.azureblob.sas will be provided by the secret
+  {{- end }}
 {{- end }}
 
 {{- if .Values.config.backends.googleCloudStorage.enabled }}
-  backend-google-cloud-storage.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-google-cloud-storage.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Google Cloud Storage backend configuration
     jclouds.provider=google-cloud-storage
   {{- if .Values.config.backends.googleCloudStorage.projectID }}
     jclouds.project-id={{ .Values.config.backends.googleCloudStorage.projectID }}
   {{- end }}
-    # Credentials will be merged from the secret properties file
-    # jclouds.identity and jclouds.credential will be provided by the secret
+  {{- if .Values.config.backends.googleCloudStorage.clientEmail }}
+    jclouds.identity={{ .Values.config.backends.googleCloudStorage.clientEmail }}
+  {{- end }}
+  {{- if .Values.config.backends.googleCloudStorage.privateKey.existingSecret }}
+    # Using privateKey from mounted secret file
+    jclouds.credential=/credentials/gcs-private.key
+  {{- else if .Values.config.backends.googleCloudStorage.privateKey.value }}
+    # Private key credential will be merged from the secret properties file
+    # jclouds.credential will be provided by the secret
+  {{- end }}
 {{- end }}
 
 {{- if .Values.config.backends.b2.enabled }}
-  backend-b2.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-b2.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Backblaze B2 backend configuration
     jclouds.provider=b2
-    # Credentials will be merged from the secret properties file
-    # jclouds.identity and jclouds.credential will be provided by the secret
+  {{- if .Values.config.backends.b2.account }}
+    jclouds.identity={{ .Values.config.backends.b2.account }}
+  {{- end }}
+  {{- if .Values.config.backends.b2.applicationKey.value }}
+    # Credential will be merged from the secret properties file
+  {{- end }}
 {{- end }}
 
 {{- if .Values.config.backends.openstackSwift.enabled }}
-  backend-openstack-swift.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-openstack-swift.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # OpenStack Swift backend configuration
     jclouds.provider=openstack-swift
@@ -162,20 +181,28 @@ data:
   {{- if .Values.config.backends.openstackSwift.region }}
     jclouds.region={{ .Values.config.backends.openstackSwift.region }}
   {{- end }}
-    # Credentials will be merged from the secret properties file
-    # jclouds.identity and jclouds.credential will be provided by the secret
+  {{- if and .Values.config.backends.openstackSwift.tenantName .Values.config.backends.openstackSwift.userName }}
+    jclouds.identity={{ printf "%s:%s" .Values.config.backends.openstackSwift.tenantName .Values.config.backends.openstackSwift.userName }}
+  {{- end }}
+  {{- if .Values.config.backends.openstackSwift.password.value }}
+    # Credential will be merged from the secret properties file
+  {{- end }}
 {{- end }}
 
 {{- if .Values.config.backends.rackspaceCloudfiles.enabled }}
-  backend-rackspace-cloudfiles.properties: |
-{{- include "s3proxy.main.config" . | nindent 4 }}
+  backend-rackspace-cloudfiles.properties: |-
+{{ include "s3proxy.main.config" . | nindent 4 }}
 
     # Rackspace Cloud Files backend configuration
   {{- if eq .Values.config.backends.rackspaceCloudfiles.region "uk" }}
     jclouds.provider=rackspace-cloudfiles-uk
   {{- else }}
     jclouds.provider=rackspace-cloudfiles-us
   {{- end }}
-    # Credentials will be merged from the secret properties file
-    # jclouds.identity and jclouds.credential will be provided by the secret
+  {{- if .Values.config.backends.rackspaceCloudfiles.userName }}
+    jclouds.identity={{ .Values.config.backends.rackspaceCloudfiles.userName }}
+  {{- end }}
+  {{- if .Values.config.backends.rackspaceCloudfiles.apiKey.value }}
+    # Credential will be merged from the secret properties file
+  {{- end }}
 {{- end }}