Public CDN: MinIO assets bucket with public-read policy + public funnel #126

Closed
opened 2026-03-21 15:36:50 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

plan-pal-e-platform → discovered scope (jersey email images unreachable)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the MinIO assets bucket to be publicly readable
So that images in HTML emails and public pages render correctly from any network

Context

MinIO API (minio-api.tail5b443a.ts.net) is reachable only from the tailnet. Images referenced in HTML emails (sent via the Gmail API) render as broken/question marks because Gmail's image proxy, which fetches images on the recipient's behalf, can't reach Tailscale-only URLs. The westside-app logo in the nav bar has the same problem in emails.

Fix: an S3 bucket policy grants anonymous read on the assets bucket, and a public Tailscale Funnel exposes the MinIO API endpoint to the internet. The other buckets (postgres_wal, tf_state_backups) stay private by default deny: a bucket with no bucket policy rejects anonymous requests with 403. Note that Funnel publishes the whole MinIO API endpoint (including its authenticated endpoints), not just the assets bucket; the bucket policy is the only thing that authorizes anonymous reads, so it must stay scoped to assets.

File Targets

  • terraform/main.tf — add the public Funnel annotation to the MinIO API ingress
  • terraform/main.tf — add a bucket policy resource granting anonymous s3:GetObject on the assets bucket (public-read). In the Terraform MinIO provider this is minio_s3_bucket_policy; minio_iam_policy is a user/group IAM policy, not a bucket policy. The equivalent mc command (mc anonymous set download, formerly mc policy set download) also grants s3:ListBucket, which makes the bucket listable, so prefer an explicit GetObject-only policy

Files the agent should NOT touch:

  • postgres_wal bucket config — must remain private
  • tf_state_backups bucket config — must remain private
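A concrete shape for the two main.tf targets above, as an added example rather than the repo's own main.tf. It assumes the aminueza/minio Terraform provider is already configured, that the MinIO API ingress is managed as a kubernetes_ingress_v1 resource served by the Tailscale Kubernetes operator, and uses placeholder values for the namespace, service name and port:

```hcl
# Added example, not the project's main.tf. Assumes the aminueza/minio and
# kubernetes providers are configured; namespace/service/port are placeholders.

# Public-read for the assets bucket ONLY: anonymous s3:GetObject on its objects.
# s3:ListBucket is deliberately not granted, so the bucket is not enumerable;
# only objects whose keys are known (the URLs embedded in emails) are fetchable.
resource "minio_s3_bucket_policy" "assets_public_read" {
  bucket = "assets"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "PublicReadAssetsObjects"
        Effect    = "Allow"
        Principal = { AWS = ["*"] }
        Action    = ["s3:GetObject"]
        Resource  = ["arn:aws:s3:::assets/*"]
      }
    ]
  })
}

# No policy resource for postgres_wal or tf_state_backups: with no bucket
# policy, MinIO rejects anonymous requests with 403. That default deny is the
# only thing keeping them private once the API is on Funnel, so do not add
# policy resources for them.

# Funnel annotation on the MinIO API ingress (Tailscale Kubernetes operator).
resource "kubernetes_ingress_v1" "minio_api" {
  metadata {
    name      = "minio-api"
    namespace = "minio" # placeholder
    annotations = {
      # Publishes the ingress to the public internet instead of tailnet-only.
      "tailscale.com/funnel" = "true"
    }
  }

  spec {
    ingress_class_name = "tailscale"

    default_backend {
      service {
        name = "minio" # placeholder
        port {
          number = 9000 # placeholder
        }
      }
    }

    tls {
      # The operator derives the MagicDNS name from this host:
      # minio-api.<tailnet>.ts.net
      hosts = ["minio-api"]
    }
  }
}
```

The policy's Resource is the object ARN (assets/*), never the bucket ARN (arn:aws:s3:::assets); granting anything on the bucket ARN is what would make anonymous listing possible. Funnel exposes the entire S3 endpoint, so after apply, verify both halves: an object in assets returns 200 from outside the tailnet, and both a listing of assets/ and any request to postgres_wal or tf_state_backups return 403.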

Acceptance Criteria

  • assets bucket has anonymous GET (public-read) policy
  • postgres_wal and tf_state_backups return 403 for anonymous requests
  • MinIO API is accessible via public Tailscale funnel
  • https://minio-api.tail5b443a.ts.net/assets/westside/jerseys/IMG_4164.jpeg loads from any browser (not on tailnet)
  • https://minio-api.tail5b443a.ts.net/postgres_wal/ returns 403 from any browser

Test Expectations

  • curl https://minio-api.tail5b443a.ts.net/assets/westside/branding/logo.jpeg -o /dev/null -w '%{http_code}' returns 200 from non-tailnet
  • curl https://minio-api.tail5b443a.ts.net/postgres_wal/ -o /dev/null -w '%{http_code}' returns 403
  • Run command: tofu plan -lock=false

Constraints

  • Only the assets bucket gets public-read. Other buckets must remain private.
  • Must use a bucket policy, not global anonymous access.
  • The policy should grant only s3:GetObject on arn:aws:s3:::assets/*, not s3:ListBucket, so anonymous clients can fetch objects whose keys they know but cannot enumerate the bucket (an anonymous GET of https://minio-api.tail5b443a.ts.net/assets/ should return 403, not a listing).
  • tofu fmt && tofu validate before push

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • pal-e-platform — project
  • Blocks jersey email images for Westside Queens
forgejo_admin 2026-03-21 16:55:33 +00:00