Refactor Versity S3 Gateway configuration in README.md, .env.sample, and compose.yaml. Update README to clarify environment variable usage and adjust .env.sample for local setup instructions. Modify compose.yaml to utilize environment variable interpolation, ensuring proper credential handling and enhancing deployment security.

README.md

@@ -184,7 +184,7 @@ Shared services used across multiple applications.
 
 - **[Versity S3 Gateway](https://github.com/versity/versitygw)** (Port: 10000 by default) - S3-compatible API over a POSIX directory (named Docker volumes). Use as shared object storage for apps that expect S3; pair with clients using path-style URLs and your LAN hostname or reverse proxy.
 
-**Configuration:** Set either `ROOT_ACCESS_KEY` / `ROOT_SECRET_KEY` or `ROOT_ACCESS_KEY_ID` / `ROOT_SECRET_ACCESS_KEY` in a `.env` file next to `compose.yaml` (see `.env.sample`). Optional `VERSITYGW_PORT`. Komodo writes Stack Environment to `.env` by default; the service uses `env_file: .env` so those values reach the container (unlike shell pass-through, which does not read that file).
+**Configuration:** Set either `ROOT_ACCESS_KEY` / `ROOT_SECRET_KEY` or `ROOT_ACCESS_KEY_ID` / `ROOT_SECRET_ACCESS_KEY`. Optional `VERSITYGW_PORT`. Compose uses `${VAR}` interpolation so credentials work with Komodo’s `docker compose --env-file <run_directory>/.env` (avoid `env_file:` in the service when `run_directory` is not the same folder as `compose.yaml`, or the written `.env` will not be found).
 
 ---
 

komodo/s3/versitygw/.env.sample

@@ -1,14 +1,14 @@
 # Versity S3 Gateway — root credentials for the flat-file IAM backend.
-# Copy to `.env` in this directory (same folder as compose.yaml).
 # https://github.com/versity/versitygw/wiki/Quickstart
 #
-# Komodo: use these exact names in Stack Environment — they are written to `.env`
+# Local: copy to `.env` next to compose.yaml (or set `run_directory` to this folder
-# on the host (default `env_file_path`). If you change `env_file_path` in the Stack,
+# in Komodo) so `docker compose` can interpolate `${ROOT_ACCESS_KEY}` etc.
-# update `env_file` in compose.yaml to match.
 #
-# Set either pair (Helm chart uses the *_ID / *_ACCESS_KEY names):
+# Komodo: Stack Environment is written to `<run_directory>/.env` and passed as
+# `--env-file` — that drives `${VAR}` in compose.yaml. Set **one** pair using exact
+# names (leave the other pair unset / empty):
 #   ROOT_ACCESS_KEY + ROOT_SECRET_KEY
-#   ROOT_ACCESS_KEY_ID + ROOT_SECRET_ACCESS_KEY
+#   ROOT_ACCESS_KEY_ID + ROOT_SECRET_ACCESS_KEY (Helm-style)
 
 ROOT_ACCESS_KEY=
 ROOT_SECRET_KEY=

komodo/s3/versitygw/compose.yaml

@@ -5,15 +5,18 @@ services:
     image: versity/versitygw:v1.3.1
     container_name: versitygw
     restart: unless-stopped
-    # Komodo writes Stack Environment to `.env` in the run directory; that file is
+    # Credentials: use `${VAR}` so values come from the same env Komodo passes with
-    # not automatically injected into the container unless listed here (pass-through
+    # `docker compose --env-file <run_directory>/.env` (see Komodo Stack docs).
-    # only sees the compose process env, not this file).
+    # Do NOT use `env_file: .env` here: that path is resolved next to *this* compose
-    env_file:
+    # file, while Komodo writes `.env` under `run_directory` — they often differ
-      - path: .env
+    # (e.g. run_directory = repo root, compose in komodo/s3/versitygw/).
-        required: false
     environment:
+      ROOT_ACCESS_KEY: ${ROOT_ACCESS_KEY}
+      ROOT_SECRET_KEY: ${ROOT_SECRET_KEY}
+      ROOT_ACCESS_KEY_ID: ${ROOT_ACCESS_KEY_ID}
+      ROOT_SECRET_ACCESS_KEY: ${ROOT_SECRET_ACCESS_KEY}
       # Matches Helm chart default; enables `/_/health` for probes.
-      - VGW_HEALTH=/_/health
+      VGW_HEALTH: /_/health
     ports:
       - "${VERSITYGW_PORT:-10000}:10000"
     volumes: