From a4b9913b7e8c4e83eb309cb0cdbcbfc640105475 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Sat, 28 Mar 2026 18:28:52 -0400
Subject: [PATCH] Update .env.sample and compose.yaml for Versity S3 Gateway to
 enhance WebUI and CORS configuration. Add comments clarifying the purpose of
 VGW_CORS_ALLOW_ORIGIN and correct usage of VGW_WEBUI_GATEWAYS, improving
 deployment instructions and user understanding.

---
 komodo/s3/versitygw/.env.sample  | 8 +++++++-
 komodo/s3/versitygw/compose.yaml | 6 ++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/komodo/s3/versitygw/.env.sample b/komodo/s3/versitygw/.env.sample
index c44fd38..6b0ea78 100644
--- a/komodo/s3/versitygw/.env.sample
+++ b/komodo/s3/versitygw/.env.sample
@@ -21,10 +21,16 @@ VERSITYGW_PORT=10000
 # WebUI (container listens on 8080). In Pangolin, create a *second* HTTP resource for this
 # port — do not point the UI hostname at :10000 (that is S3 API only; `/` is not the SPA).
 VERSITYGW_WEBUI_PORT=8080
-# HTTPS URL clients use for the S3 API (must match your Pangolin route to :10000), e.g.:
+# HTTPS URL of the *S3 API* (Pangolin resource → host :10000). **Not** the WebUI URL.
+# No trailing slash. Wrong value → WebUI calls the wrong host and bucket create can 404.
 # VGW_WEBUI_GATEWAYS=https://s3.example.com
 VGW_WEBUI_GATEWAYS=
 
+# Public origin of the **WebUI** page (Pangolin → :8080), e.g. https://s3-ui.example.com
+# Required when UI and API are on different hosts so the browser can call the API (CORS).
+# VGW_CORS_ALLOW_ORIGIN=https://s3-ui.example.com
+VGW_CORS_ALLOW_ORIGIN=
+
 # NFS: object metadata defaults to xattrs; most NFS mounts need sidecar mode
 # (compose.yaml uses --sidecar /data/sidecar). Create the host path, e.g.
 #   mkdir -p /mnt/nfs/versity/sidecar
diff --git a/komodo/s3/versitygw/compose.yaml b/komodo/s3/versitygw/compose.yaml
index b5cfbdc..4a55333 100644
--- a/komodo/s3/versitygw/compose.yaml
+++ b/komodo/s3/versitygw/compose.yaml
@@ -23,9 +23,11 @@ services:
       VGW_HEALTH: /_/health
       # WebUI (browser): separate listener; TLS terminates at Pangolin — serve HTTP in-container.
       VGW_WEBUI_NO_TLS: "true"
-      # Public base URL of the *S3 API* (same host you expose on port 10000 via Pangolin).
-      # Required for the WebUI JS to call the gateway (see Versity wiki / chart notes).
+      # Public base URL of the *S3 API* only (Pangolin → :10000). Not the WebUI hostname.
+      # No trailing slash. If this points at the UI URL, bucket ops return 404/wrong host.
       VGW_WEBUI_GATEWAYS: ${VGW_WEBUI_GATEWAYS}
+      # Browser Origin when WebUI and API use different HTTPS hostnames (see wiki / WebGUI CORS).
+      VGW_CORS_ALLOW_ORIGIN: ${VGW_CORS_ALLOW_ORIGIN}
     ports:
       - "${VERSITYGW_PORT:-10000}:10000"
       - "${VERSITYGW_WEBUI_PORT:-8080}:8080"