# Versity S3 Gateway — root credentials for the flat-file IAM backend.
# https://github.com/versity/versitygw/wiki/Quickstart
#
# Local: copy to `.env` next to compose.yaml (or set `run_directory` to this folder
# in Komodo) so `docker compose` can interpolate `${ROOT_ACCESS_KEY}` etc.
#
# Komodo: Stack Environment is written to `/.env` and passed as
# `--env-file` — that drives `${VAR}` in compose.yaml. Set **one** pair using exact
# names (leave the other pair unset / empty):
#   ROOT_ACCESS_KEY    + ROOT_SECRET_KEY
#   ROOT_ACCESS_KEY_ID + ROOT_SECRET_ACCESS_KEY   (Helm-style)
ROOT_ACCESS_KEY=
ROOT_SECRET_KEY=
# ROOT_ACCESS_KEY_ID=
# ROOT_SECRET_ACCESS_KEY=

# Host port mapped to the gateway (container listens on 10000).
VERSITYGW_PORT=10000

# WebUI (container listens on 8080). In Pangolin, create a *second* HTTP resource for this
# port — do not point the UI hostname at :10000 (that is S3 API only; `/` is not the SPA).
VERSITYGW_WEBUI_PORT=8080

# HTTPS URL of the *S3 API* (Pangolin resource → host :10000). **Not** the WebUI URL.
# No trailing slash. Wrong value → WebUI calls the wrong host and bucket create can 404.
# VGW_WEBUI_GATEWAYS=https://s3.example.com
VGW_WEBUI_GATEWAYS=

# Public origin of the **browser app** that calls the S3 API (no path, no trailing slash).
# Use this when the UI is on a different hostname than the API — e.g. third-party S3 consoles,
# or the built-in WebUI behind Pangolin on another host than :10000.
# Example: VGW_CORS_ALLOW_ORIGIN=https://s3-ui.pcenicni.dev
#
# VersityGW maps the browser's preflight Access-Control-Request-Headers into
# Access-Control-Allow-Headers (Authorization, X-Amz-Date, X-Amz-Content-Sha256, Content-Type, …)
# when there is **no** per-bucket CORS configuration. You do not set those headers separately here.
#
# If you used PutBucketCors on a bucket, that config replaces this fallback for that bucket: add
# the same Origin and AllowedHeader entries (or *) there, or delete bucket CORS to rely on this.
# VGW_CORS_ALLOW_ORIGIN=https://s3-ui.example.com
VGW_CORS_ALLOW_ORIGIN=

# --- Pangolin (edge) vs Versity CORS ---
# If VGW_CORS_ALLOW_ORIGIN is correct but the browser still says CORS failed, the edge often
# never returns Versity's Access-Control-* headers: Pangolin can answer OPTIONS / block preflight
# before Newt reaches :10000. S3 clients send OPTIONS without SigV4 auth; Pangolin SSO or
# "authorization" on the HTTP resource can reject that (see https://github.com/fosrl/pangolin/issues/2369).
# Mitigations: make the **S3 API** hostname resource public (no Pangolin auth on that resource),
# or add a rule that allows OPTIONS to pass through when Pangolin supports method-based rules;
# confirm with:
#   curl -sv -X OPTIONS -H "Origin: https://your-s3-ui" -H "Access-Control-Request-Method: PUT" \
#     -H "Access-Control-Request-Headers: authorization,content-type" "https://your-s3-api-host/" 2>&1 | head -40

# NFS: object metadata defaults to xattrs; most NFS mounts need sidecar mode
# (compose.yaml uses --sidecar /data/sidecar). Create the host path, e.g.
#   mkdir -p /mnt/nfs/versity/sidecar
# Or use NFSv4.2 with xattr support and remove --sidecar from compose if you prefer.
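# Added example, not part of versitygw or of this .env file: a small linter that checks a
# filled-in copy of this file against the rules stated in the comments above (exactly one root
# credential pair with exact names, origin-shaped VGW_WEBUI_GATEWAYS / VGW_CORS_ALLOW_ORIGIN with
# no path or trailing slash, numeric host ports). Variable names come from this file; the sample
# input in the test is constructed.

```python
"""Lint a versitygw .env against the rules documented in the file's comments."""
from urllib.parse import urlparse

# The two accepted root-credential pairs; exactly one of them must be set.
PAIRS = (("ROOT_ACCESS_KEY", "ROOT_SECRET_KEY"),
         ("ROOT_ACCESS_KEY_ID", "ROOT_SECRET_ACCESS_KEY"))
# Origin-shaped variables and the schemes each accepts (S3 API URL is https only).
ORIGIN_VARS = {"VGW_WEBUI_GATEWAYS": ("https",),
               "VGW_CORS_ALLOW_ORIGIN": ("http", "https")}
PORT_VARS = ("VERSITYGW_PORT", "VERSITYGW_WEBUI_PORT")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def check_origin(name: str, value: str, schemes: tuple) -> list:
    """An origin is scheme://host[:port] with no path, query or trailing slash."""
    u = urlparse(value)
    if u.scheme not in schemes or not u.netloc:
        return [f"{name}: expected {'/'.join(schemes)}://host, got {value!r}"]
    if u.path or u.query or u.fragment:
        return [f"{name}: no path or trailing slash allowed, got {value!r}"]
    return []


def lint_env(text: str) -> list:
    """Return a list of problems; an empty list means the file passes."""
    env, problems = parse_env(text), []
    used = [p for p in PAIRS if env.get(p[0]) or env.get(p[1])]
    if len(used) != 1:
        problems.append("set exactly one root credential pair, using the exact names")
    elif not (env.get(used[0][0]) and env.get(used[0][1])):
        problems.append(f"{used[0][0]} and {used[0][1]} must both be non-empty")
    for name, schemes in ORIGIN_VARS.items():
        if env.get(name):
            problems += check_origin(name, env[name], schemes)
    for name in PORT_VARS:
        if name in env and not (env[name].isdigit() and 0 < int(env[name]) < 65536):
            problems.append(f"{name}: expected a TCP port number, got {env[name]!r}")
    return problems
```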