From 546e2f621c1f64b13f80c5f479c430662f2512ac Mon Sep 17 00:00:00 2001
From: = <=>
Date: Mon, 18 May 2026 21:22:58 +0000
Subject: [PATCH] Garage Admin Ui works very stable, web access and object security is also in place
---
 kubernetes-templates/garage.yml | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/kubernetes-templates/garage.yml b/kubernetes-templates/garage.yml
index 6c4eddc..230822f 100644
--- a/kubernetes-templates/garage.yml
+++ b/kubernetes-templates/garage.yml
@@ -30,11 +30,19 @@ data:
 [s3_api]
 s3_region = "garage"
 api_bind_addr = "[::]:3900"
- root_domain = ".garage.svc.cluster.local"
+ # Leaving this blank removes the hostname restriction on the API port.
+ # This allows internal pods to use 'garage.garage.svc.cluster.local' AND
+ # external apps to use '192.168.1.177:30900' or 's3.khongisa.co.za' without signature errors.
+ root_domain = ""
 [admin]
 api_bind_addr = "[::]:3903"
 admin_token = "sWG5o2sa9xJx5Er3CgXqvOUSHXofFaz0pEj2G9roQ5hDREGQVVoAFSEv8iMLQ6qO"
+
+ [s3_web]
+ bind_addr = "[::]:3902"
+ # This enforces that public web traffic matches 'test-bucket.s3.khongisa.co.za'
+ root_domain = ".cdn.khongisa.co.za"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -81,6 +89,8 @@ spec:
 name: s3-api
 - containerPort: 3903
 name: admin-api
+ - containerPort: 3902
+ name: s3-web
 volumeMounts:
 - name: config
 mountPath: /etc/garage.toml
@@ -120,7 +130,7 @@ spec:
 value: "http://garage:3903"
 - name: S3_ENDPOINT_URL
 value: "http://garage:3900"
- - name: API_ADMIN_KEY # The UI uses this for the token
+ - name: API_ADMIN_KEY
 valueFrom:
 secretKeyRef:
 name: garage-secrets
@@ -147,6 +157,8 @@ spec:
 port: 3900
 - name: admin-api
 port: 3903
+ - name: s3-web
+ port: 3902
 ---
 apiVersion: v1
 kind: Service
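Review bot: The `[admin]` block in the first hunk (`@@ -30,11 +30,19 @@`) still carries a literal `admin_token` inside a ConfigMap, so the credential is readable by anything that can read ConfigMaps in the namespace and sits in the repository history, while this commit adds more listeners to the same file. The UI Deployment further down already takes `API_ADMIN_KEY` from the `garage-secrets` Secret, so the server side can follow suit: drop the literal, supply the value through the `GARAGE_ADMIN_TOKEN` environment variable (or `admin_token_file` pointing at a mounted Secret), and rotate the current token. Separately, the new `[s3_web]` comment names `test-bucket.s3.khongisa.co.za` while the setting is `root_domain = ".cdn.khongisa.co.za"`; the comment should read `# Website requests must use a Host of the form '<bucket>.cdn.khongisa.co.za'`. The ConfigMap body starts outside the hunk.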
@@ -174,7 +186,11 @@ spec:
 - name: s3-api-external
 port: 3900
 targetPort: 3900
- nodePort: 30900
+ nodePort: 30900
+ - name: s3-web-external
+ port: 3902
+ targetPort: 3902
+ nodePort: 30902
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -184,7 +200,7 @@ metadata:
 spec:
 entryPoints: ["websecure"]
 routes:
- - match: Host(`cdn.khongisa.co.za`)
+ - match: Host(`s3.khongisa.co.za`)
 kind: Rule
 services:
 - name: garage-ui
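Review bot: The new `s3-web-external` entry publishes Garage's website listener on `nodePort: 30902` of every node as plain HTTP, bypassing the Traefik `websecure` entry point used further down in this file. Any bucket with website access enabled then becomes readable without credentials by whoever can reach a node address, so the exposure should be deliberate: either keep 3902 on the cluster-internal Service and publish it through an IngressRoute with TLS for the `.cdn.khongisa.co.za` hosts, or restrict the node port with a firewall rule. The same concern applies to the existing `s3-api-external` port 30900, where signed requests and object data travel unencrypted. The Service's `type` and selector are outside the hunk, so NodePort is inferred from the `nodePort` fields.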
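Review bot: The rule that now matches `s3.khongisa.co.za` still forwards to the `garage-ui` service, while the comment added to `[s3_api]` in the first hunk tells external S3 clients to use that same hostname. As written, S3 requests arriving through Traefik would reach the admin UI rather than port 3900, and the UI (which holds `API_ADMIN_KEY`) is published on a public hostname with no `middlewares:` entry visible in the hunk. If the hostname is meant for S3, point the route at the S3 service, e.g. `- name: garage` with `port: 3900`; if it is meant for the UI, give the UI its own hostname and put an authentication middleware in front of it. The route's service entry continues past the end of the hunk, so the port and any middleware may be defined there.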