feat: adding API gateway

feat: adding API gateway

Author: florianow

.github/workflows/build-container.yml

@@ -98,7 +98,7 @@ jobs:
       with:
         context: .
         platforms: linux/amd64,linux/arm64
-        push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feature/redirect-url' || (github.event.inputs.push_image == 'true') }}
+        push: ${{ github.ref == 'refs/heads/main' || (github.event.inputs.push_image == 'true') }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         build-args: |

Caddyfile

@@ -20,12 +20,17 @@
                 # Step 2: Initialize TX variable
                 SecAction "id:2,phase:1,pass,nolog,setvar:tx.bucket_ops=0"
 
-                # Example rule: Block DELETE on /minio/admin
-                SecRule REQUEST_URI "@beginsWith /minio/admin" "id:1001,phase:1,deny,status:403,msg:'MinIO Admin API Access Blocked'"
+                # Allow WebSocket connections for MinIO console
+                #SecRule REQUEST_URI "@beginsWith /ws/" "id:1000,phase:1,pass,msg:'Allow WebSocket connections'"
+                SecRule REQUEST_HEADERS:Upgrade "@streq websocket" "id:1001,phase:1,pass,msg:'Allow WebSocket upgrade requests'"
+
+                # Example rule: Block DELETE on /minio/admin (except WebSocket connections)
+                SecRule REQUEST_URI "@beginsWith /minio/admin" "id:1002,phase:1,deny,status:403,msg:'MinIO Admin API Access Blocked',chain"
+                SecRule REQUEST_HEADERS:Upgrade "!@streq websocket"
 
                 # Rate limiting example
-                SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:1002,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
-                SecRule TX:bucket_ops "@gt 50" "id:1003,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'"
+                SecRule REQUEST_METHOD "@rx ^(PUT|POST|DELETE)$" "id:1003,phase:1,pass,msg:'Bucket operation',setvar:tx.bucket_ops=+1,expirevar:tx.bucket_ops=60"
+                SecRule TX:bucket_ops "@gt 50" "id:1004,phase:1,deny,status:429,msg:'Bucket operation rate limit exceeded'dd"
             `
         }
 

Dockerfile

@@ -28,7 +28,7 @@ RUN mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy && \
     chown -R caddy:caddy /etc/caddy /var/lib/caddy /var/log/caddy
 
 # Copy Caddyfile template
-# COPY Caddyfile /etc/caddy/Caddyfile
+COPY Caddyfile /etc/caddy/Caddyfile
 
 # Install curl for health checks
 RUN apk add --no-cache curl

main.tf

@@ -29,8 +29,9 @@ resource "azurerm_subnet" "aci_subnet" {
     name = "aci-delegation"
 
     service_delegation {
-      name    = "Microsoft.ContainerInstance/containerGroups"
-      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+      name = "Microsoft.ContainerInstance/containerGroups"
+      actions = [
+      "Microsoft.Network/virtualNetworks/subnets/action"]
     }
   }
 }
@@ -274,8 +275,13 @@ resource "azurerm_container_group" "minio_aci_container_group" {
     environment_variables = {
       MINIO_ROOT_USER            = var.minio_root_user
       MINIO_ROOT_PASSWORD        = var.minio_root_password
-      MINIO_BROWSER_REDIRECT_URL = "https://${azurerm_public_ip.agw_pip.fqdn}"
+      MINIO_BROWSER_REDIRECT_URL = "https://testminio.westeurope.cloudapp.azure.com"
+      MINIO_BROWSER              = "on"
+      MINIO_CONSOLE_WEBROOT      = "/"
+      MINIO_CONSOLE_ORIGINS      = "http://localhost:9001,https://testminio.westeurope.cloudapp.azure.com"
+
     }
+
     volume {
       name                 = "minio-volume"
       mount_path           = "/data"
@@ -316,10 +322,7 @@ resource "azurerm_container_group" "minio_aci_container_group" {
       port     = 8081
       protocol = "TCP"
     }
-    environment_variables = {
-      MINIO_UI_BACKEND  = "localhost:9001"
-      MINIO_API_BACKEND = "localhost:9000"
-    }
+
     liveness_probe {
       http_get {
         path   = "/health"

outputs.tf

@@ -20,7 +20,7 @@ output "public_ip" {
 
 output "mc_alias_command" {
   description = "MinIO client setup command"
-  value       = "mc alias set myminio https://${azurerm_container_group.minio_aci_container_group.fqdn}:8443 --insecure"
+  value       = "mc alias set myminio https://${azurerm_public_ip.agw_pip.fqdn}:8443 --insecure"
 }
 
 output "storage_account_name" {

variables.tf

@@ -31,17 +31,6 @@ variable "minio_root_password" {
   }
 }
 
-variable "cert_password" {
-  type        = string
-  sensitive   = true
-  nullable    = false
-  description = "Password for the SSL certificate"
-  validation {
-    condition     = length(var.cert_password) > 0
-    error_message = "Certificate password cannot be empty."
-  }
-}
-
 variable "storage_share_size" {
   default     = 100
   type        = number
@@ -68,19 +57,6 @@ variable "public_url_domain_name" {
   description = "Domain name for the public URL (e.g., 'miniotest' creates 'miniotest.westeurope.azurecontainer.io')"
 }
 
-# Container configurations
-variable "ssl_cert_file" {
-  type        = string
-  default     = "server.crt"
-  description = "Name of the SSL certificate file"
-}
-
-variable "ssl_key_file" {
-  type        = string
-  default     = "server.key"
-  description = "Name of the SSL private key file"
-}
-
 variable "minio_image" {
   type        = string
   default     = "quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z"