feat(minio): support for upload to proxied minio #876
Merged
Motivation:

In Kubernetes, if Minio is proxied, the generated presigned upload address could look something like

```
http://minio:9000/{bucket}/{key}?{parameters}
```

However, that address is not accessible outside the cluster, it will be a full domain name, for example

```
https://minio.localtest.me/{bucket}/{key}?{parameters}
```

Read URLs translation is already supported using the MINIO_READ_URL_PREFIX environment variable.

Modifications:

Introduce an MINIO_UPLOAD_URL_PREFIX as well. Given `MINIO_UPLOAD_URL_PREFIX=https://minio.localtest.me/{bucket}` it will translate the presigned URL `http://minio:9000/{bucket}/{key}?{parameters}` to the externally accessible `https://minio.localtest.me/{bucket}/{key}?{parameters}`

Results:

If the Ingress controller proxy sets the `Host` header to `minio:9000`, Minio presigned URL signature validation will accept the upload.
erikmartino force-pushed the upload-location branch from c43e4e2 to 664ce68 (November 8, 2023 07:57)
…s into upload-location
@all-contributors please add @erikmartino for code

I've put up a pull request to add @erikmartino! 🎉
Motivation:

In Kubernetes, if Minio is proxied, the generated presigned upload address could look something like

```
http://minio:9000/{bucket}/{key}?{parameters}
```

However, that address is not accessible outside the cluster, outside the cluster it should be for example

```
https://minio.localtest.me/{bucket}/{key}?{parameters}
```

Read URLs translation is already supported using the MINIO_READ_URL_PREFIX environment variable.

Modifications:

Introduce an MINIO_UPLOAD_URL_PREFIX as well. Given `MINIO_UPLOAD_URL_PREFIX=https://minio.localtest.me/{bucket}` it will translate the presigned URL `http://minio:9000/{bucket}/{key}?{parameters}` to the externally accessible `https://minio.localtest.me/{bucket}/{key}?{parameters}`

Results:

If the Ingress controller proxy sets the `Host` header to `minio:9000`, Minio presigned URL signature validation will accept the upload.

References
Use case
It is difficult to create a Sorry Cypress / Minio Kubernetes setup where all the services are hosted behind a single hostname. The Minio API endpoint is inside the cluster but the upload endpoint is outside. Also it is difficult to run a local setup without messing with port numbers and `/etc/hosts`.

Example
If the director is configured
then the readUrl and presigned uploadUrl URL are at the same location
The translated uploadUrl is not directly valid; the host needs to be changed back to the original uploadUrl generated by the Minio API. For example, if the uploadUrl was generated inside a cluster using the Minio endpoint at port 9000 and translated to an external address using the MINIO_UPLOAD_URL_PREFIX, then an ingress controller at the external address will need to translate it back again for the signature of the presigned URL to be valid.
Ingress controllers are usually configured by annotations on an Ingress definition. For example the NGINX ingress controller will do this translation by adding the annotation
Other Ingress controllers and api gateways handle it slightly differently.
Reason for doing this
I find it hard to configure Sorry-cypress screenshot uploads with Minio in Kubernetes; this makes it easier.
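
The prefix translation and the Host requirement described above, as an added example that is not part of the pull request or the sorry-cypress code base. The `sign`/`verify` pair is a simplified stand-in for a presigned-URL signature that covers the Host header; the secret, parameter names, bucket and key are constructed for the demonstration.

```javascript
// Added example, not sorry-cypress or MinIO code. sign()/verify() are a simplified
// stand-in for a presigned-URL signature that covers the Host header.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value

// HMAC over method, host, path and query (without the signature parameter).
function sign(method, host, path, query) {
  return crypto.createHmac('sha256', SECRET)
    .update([method, host, path, query].join('\n')).digest('hex');
}

// In-cluster side: issue a presigned PUT URL against the internal endpoint.
function presign(endpoint, bucket, key) {
  const u = new URL(`${endpoint}/${bucket}/${key}`);
  u.searchParams.set('X-Demo-Expires', '3600'); // hypothetical parameter
  const sig = sign('PUT', u.host, u.pathname, u.searchParams.toString());
  u.searchParams.set('X-Demo-Signature', sig); // hypothetical parameter
  return u.toString();
}

// Prefix translation: swap "<scheme>://<host>/<bucket>" for the prefix and keep
// the key and query string untouched, since the query carries the signature.
function translateUploadUrl(presignedUrl, bucket, prefix) {
  const u = new URL(presignedUrl);
  const bucketPath = `/${bucket}`;
  if (!u.pathname.startsWith(`${bucketPath}/`)) {
    throw new Error('presigned URL is not for the expected bucket');
  }
  return prefix.replace(/\/+$/, '') + u.pathname.slice(bucketPath.length) + u.search;
}

// Storage side: recompute the signature from the Host header it actually received.
function verify(method, hostHeader, pathAndQuery) {
  const u = new URL(pathAndQuery, `http://${hostHeader}`);
  const given = u.searchParams.get('X-Demo-Signature') || '';
  u.searchParams.delete('X-Demo-Signature');
  const expected = sign(method, hostHeader, u.pathname, u.searchParams.toString());
  return given.length === expected.length &&
    crypto.timingSafeEqual(Buffer.from(given), Buffer.from(expected));
}

// Constructed sample values; hosts are the ones used in the description above.
const internal = presign('http://minio:9000', 'sorry-cypress', 'shot.png');
const external = translateUploadUrl(internal, 'sorry-cypress', 'https://minio.localtest.me/sorry-cypress');
const { pathname, search } = new URL(external);
console.log(external);
console.log('Host kept as external name:', verify('PUT', 'minio.localtest.me', pathname + search));
console.log('Host rewritten by ingress: ', verify('PUT', 'minio:9000', pathname + search));
```

The upload is accepted only when the proxy forwards the request with the internal host that the URL was originally signed for.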