
feat(bucket): add readonly S3 access credentials#2105

Merged
kvaps merged 1 commit into main from feat/bucket-users
Feb 27, 2026

Conversation

IvanHunters (Collaborator) commented Feb 25, 2026

Summary

  • Add a readonly BucketAccessClass to the seaweedfs COSI chart with accessPolicy: "readonly" parameter
  • Each bucket now automatically creates two sets of S3 credentials: readWrite (existing, for UI) and readonly
  • Update dashboard RBAC and ApplicationDefinition to expose the readonly credentials secret

Test plan

  • Verify seaweedfs chart templates render both BucketAccessClass resources (readWrite and readonly)
  • Verify bucket app templates render BucketClaim + 2 BucketAccess (readWrite + readonly)
  • Deploy a bucket and confirm both credential secrets are created by COSI driver
  • Confirm readonly credentials can only read/list objects, not write/delete


Add a readonly BucketAccessClass to the seaweedfs COSI chart and a
second fixed BucketAccess per bucket so each bucket automatically
gets both readWrite and readonly S3 credentials.

Signed-off-by: IvanHunters <[email protected]>
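
The first three test-plan bullets are structural invariants over the rendered templates, so they can be checked mechanically in CI. The script below is an added example, not code from this PR or the cozystack project: it takes rendered manifests as plain dicts (what `yaml.safe_load_all()` returns for `helm template` output) and asserts that every BucketClaim has one read-write and one readonly BucketAccess bound to two different Secrets, and that the dashboard Role lists exactly those Secrets by name. The release name `bucket-demo`, the class names `seaweedfs`/`seaweedfs-readonly`, the driver name and the read-write secret name are constructed for illustration; the rule that a class without `accessPolicy: readonly` is read-write is an assumption.

```python
# Added example (not from the PR or the cozystack project): a structural check
# over rendered bucket manifests, covering the first three test-plan bullets.
# Manifests are plain dicts, i.e. what yaml.safe_load_all() returns for
# `helm template` output; all names below are constructed for illustration.
import copy
from collections import defaultdict

READONLY_POLICY = "readonly"  # accessPolicy parameter value this PR introduces


def index_by_kind(manifests):
    """Map kind -> {metadata.name -> manifest}."""
    idx = defaultdict(dict)
    for m in manifests:
        idx[m["kind"]][m["metadata"]["name"]] = m
    return idx


def exposed_secret_names(roles):
    """Secret names the Roles grant access to; '*' marks an unscoped rule,
    i.e. a secrets rule that would expose every Secret in the namespace."""
    names = set()
    for role in roles:
        for rule in role.get("rules", []):
            if "secrets" not in rule.get("resources", []):
                continue
            scoped = rule.get("resourceNames")
            names.update(scoped if scoped and "*" not in scoped else ["*"])
    return names


def check_bucket_credentials(manifests):
    """Return a list of problems; empty means the invariants hold:
    every BucketClaim has one read-write and one readonly BucketAccess bound
    to different Secrets, and the Role names exactly those Secrets."""
    idx = index_by_kind(manifests)
    classes = idx["BucketAccessClass"]
    problems = []
    exposed = exposed_secret_names(idx["Role"].values())
    if "*" in exposed:
        problems.append("Role grants secrets without resourceNames")
    for claim in idx["BucketClaim"]:
        secret_by_policy = {}
        for access in idx["BucketAccess"].values():
            spec = access["spec"]
            if spec["bucketClaimName"] != claim:
                continue
            cls = classes.get(spec["bucketAccessClassName"])
            if cls is None:
                problems.append(f"{claim}: unknown class {spec['bucketAccessClassName']}")
                continue
            # Assumption: a class without accessPolicy=readonly is read-write.
            ro = cls.get("parameters", {}).get("accessPolicy") == READONLY_POLICY
            secret_by_policy["readonly" if ro else "readWrite"] = spec["credentialsSecretName"]
        for policy in ("readWrite", "readonly"):
            if policy not in secret_by_policy:
                problems.append(f"{claim}: missing {policy} BucketAccess")
        secrets = list(secret_by_policy.values())
        if len(set(secrets)) != len(secrets):
            problems.append(f"{claim}: readWrite and readonly share a Secret")
        for secret in secrets:
            if "*" not in exposed and secret not in exposed:
                problems.append(f"{claim}: Secret {secret} not exposed to dashboard")
    return problems


# Constructed sample for a bucket release named "bucket-demo"; the class and
# driver names stand in for .Values.cosi.bucketClassName / .Values.cosi.driverName.
_DRIVER = "seaweedfs.objectstorage.k8s.io"
SAMPLE = [
    {"kind": "BucketAccessClass", "metadata": {"name": "seaweedfs"},
     "driverName": _DRIVER, "authenticationType": "KEY", "parameters": {}},
    {"kind": "BucketAccessClass", "metadata": {"name": "seaweedfs-readonly"},
     "driverName": _DRIVER, "authenticationType": "KEY",
     "parameters": {"accessPolicy": "readonly"}},
    {"kind": "BucketClaim", "metadata": {"name": "bucket-demo"},
     "spec": {"bucketClassName": "seaweedfs", "protocols": ["S3"]}},
    {"kind": "BucketAccess", "metadata": {"name": "bucket-demo"},
     "spec": {"bucketClaimName": "bucket-demo", "protocol": "S3",
              "bucketAccessClassName": "seaweedfs",
              "credentialsSecretName": "bucket-demo"}},
    {"kind": "BucketAccess", "metadata": {"name": "bucket-demo-readonly"},
     "spec": {"bucketClaimName": "bucket-demo", "protocol": "S3",
              "bucketAccessClassName": "seaweedfs-readonly",
              "credentialsSecretName": "bucket-demo-readonly"}},
    {"kind": "Role", "metadata": {"name": "bucket-demo-dashboard"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "resourceNames": ["bucket-demo", "bucket-demo-readonly"],
                "verbs": ["get", "list", "watch"]}]},
]


def broken_sample():
    """SAMPLE with the readonly BucketAccess dropped and the Role unscoped."""
    out = [copy.deepcopy(m) for m in SAMPLE if m["metadata"]["name"] != "bucket-demo-readonly"]
    del out[-1]["rules"][0]["resourceNames"]  # the Role is the last manifest
    return out
```

`check_bucket_credentials(SAMPLE)` returns an empty list; `check_bucket_credentials(broken_sample())` reports both the missing readonly BucketAccess and the unscoped secrets rule. The unscoped-rule check is the security-relevant one: a dashboard Role that grants `get`/`list`/`watch` on `secrets` without `resourceNames` would let the UI read every Secret in the namespace, which is exactly what listing the two credential Secrets by name is meant to prevent. The fourth test-plan bullet (readonly keys cannot write or delete) is enforced by the SeaweedFS driver, not by these manifests, and still needs a live check against the S3 endpoint.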
dosubot added the labels size:S (This PR changes 10-29 lines, ignoring generated files) and enhancement (New feature or request) on Feb 25, 2026
gemini-code-assist bot (Contributor) commented

Summary of Changes

Hello @IvanHunters, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances object storage capabilities by introducing a mechanism for generating and managing readonly S3 access credentials. This allows for more granular control over bucket permissions, providing a dedicated set of credentials that can only perform read and list operations, thereby improving security and access management for applications interacting with object storage.

Highlights

  • Readonly BucketAccessClass: A new BucketAccessClass has been introduced for SeaweedFS, specifically configured with accessPolicy: "readonly" to enable restricted S3 access.
  • Dual S3 Credentials: Each bucket will now automatically provision two sets of S3 credentials: the existing read/write credentials and a new set of readonly credentials.
  • Dashboard and Application Exposure: The dashboard RBAC and ApplicationDefinition have been updated to expose the newly created readonly credentials secret, allowing applications to utilize them.


Changelog
  • packages/apps/bucket/templates/bucketclaim.yaml
    • Added a new BucketAccess resource definition for readonly credentials, named {{ .Release.Name }}-readonly.
  • packages/apps/bucket/templates/dashboard-resourcemap.yaml
    • Included the new {{ .Release.Name }}-readonly secret in the resourceNames list for dashboard RBAC rules, granting get, list, and watch permissions.
  • packages/system/bucket-rd/cozyrds/bucket.yaml
    • Updated the resourceNames within the bucket application definition to expose the bucket-{{ .name }}-readonly secret.
  • packages/system/seaweedfs/charts/seaweedfs/templates/cosi/cosi-bucket-class.yaml
    • Introduced a new BucketAccessClass named {{ .Values.cosi.bucketClassName }}-readonly with accessPolicy: "readonly" parameters.
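
The four files in the changelog render, for one bucket, to the resources below. This is an added illustration, not the project's own template output: the release name `bucket-demo`, the class name `seaweedfs` (standing in for `.Values.cosi.bucketClassName`), the driver name (standing in for `.Values.cosi.driverName`), the Role name and the read-write Secret name are assumed; the `accessPolicy: "readonly"` parameter, the `-readonly` suffixes and the `get`/`list`/`watch` verbs are the ones the changelog describes.

```yaml
# Added illustration (not the project's files): what the templates render to
# for a bucket release named "bucket-demo". Class, driver, Role and read-write
# Secret names are assumed placeholders.
---
# cosi-bucket-class.yaml (seaweedfs chart): the new cluster-scoped class.
# The driver, not Kubernetes, interprets accessPolicy when it issues keys.
apiVersion: objectstorage.k8s.io/v1alpha1
kind: BucketAccessClass
metadata:
  name: seaweedfs-readonly
driverName: seaweedfs.objectstorage.k8s.io
authenticationType: KEY
parameters:
  accessPolicy: "readonly"
---
# bucketclaim.yaml (bucket app): second BucketAccess against the same claim,
# writing its own key pair into a separate Secret.
apiVersion: objectstorage.k8s.io/v1alpha1
kind: BucketAccess
metadata:
  name: bucket-demo-readonly
spec:
  bucketClaimName: bucket-demo
  protocol: S3
  bucketAccessClassName: seaweedfs-readonly
  credentialsSecretName: bucket-demo-readonly
---
# dashboard-resourcemap.yaml: the Role rule that exposes both credential
# Secrets to the dashboard. resourceNames is what keeps this rule from
# granting read access to every Secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: bucket-demo-dashboard
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["bucket-demo", "bucket-demo-readonly"]
    verbs: ["get", "list", "watch"]
```

Two things to keep in mind when reading these: the read-only restriction lives entirely in how the SeaweedFS COSI driver maps `accessPolicy: "readonly"` onto the key it mints, so the RBAC change only controls who can read the Secret, not what the key can do; and because `list` on a named-resource rule still behaves as a named `get` in Kubernetes RBAC, the dashboard can fetch these two Secrets but cannot enumerate others in the namespace.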

coderabbitai bot (Contributor) commented Feb 25, 2026

Walkthrough

The changes introduce read-only variants of bucket access configurations by adding a new BucketAccess resource, a corresponding BucketAccessClass, associated role resource names, and secret resource mappings across multiple Kubernetes manifest templates.

Changes

  • Bucket Access Configuration (packages/apps/bucket/templates/bucketclaim.yaml, packages/system/seaweedfs/charts/seaweedfs/templates/cosi/cosi-bucket-class.yaml): adds read-only variants: a BucketAccess resource with read-only credentials secret binding, and a BucketAccessClass with readonly access policy parameter, complementing existing read-write configurations.
  • Resource Mapping & Permissions (packages/apps/bucket/templates/dashboard-resourcemap.yaml): extends the resourceNames list to include the read-only Role variant for role-based access control in the dashboard.
  • Secret Resource Management (packages/system/bucket-rd/cozyrds/bucket.yaml): adds the read-only bucket secret resource name to the ApplicationDefinition's secrets inclusion list alongside existing bucket and credentials secrets.


gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces readonly S3 access credentials for buckets. The changes are well-structured and consistently implemented across the affected Helm charts and Kubernetes resource definitions. A new BucketAccessClass with a readonly access policy is added, and corresponding BucketAccess resources are created to generate the readonly credentials. The RBAC roles and application definitions are correctly updated to include the new readonly secret. The implementation looks correct and complete for the intended feature.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1


Inline comment on packages/system/seaweedfs/charts/seaweedfs/templates/cosi/cosi-bucket-class.yaml:
- Around line 16-24: You added a BucketAccessClass resource directly inside a
vendored Helm template (the manifest that uses .Values.cosi.bucketClassName and
.Values.cosi.driverName to create a -readonly BucketAccessClass with
authenticationType KEY and parameters accessPolicy: "readonly"); revert that
direct edit in the vendored cosi-bucket-class.yaml and instead add the same
templated manifest via the project's Helm/chart vendoring or patch overlay
mechanism (create a chart patch/overlay that renders the BucketAccessClass using
.Values.cosi.bucketClassName and .Values.cosi.driverName) so upstream vendored
files remain untouched.

Review info

Commits: reviewing files that changed from the base of the PR and between c63fcf5 and 0ab7cc7.

Files selected for processing (4)
  • packages/apps/bucket/templates/bucketclaim.yaml
  • packages/apps/bucket/templates/dashboard-resourcemap.yaml
  • packages/system/bucket-rd/cozyrds/bucket.yaml
  • packages/system/seaweedfs/charts/seaweedfs/templates/cosi/cosi-bucket-class.yaml

dosubot added the lgtm label (This PR has been approved by a maintainer) on Feb 27, 2026
kvaps merged commit 3c108c3 into main on Feb 27, 2026; 12 checks passed
kvaps deleted the feat/bucket-users branch on February 27, 2026 at 15:36