[PR #6840] feat: improve S3-compatible OpenDAL configuration via URI query params #7486

Open
opened 2026-03-07 21:18:22 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6840
Author: @g-roliveira
Created: 2/17/2026
Status: 🔄 Open

Base: main ← Head: feature/s3-compatible-opendal


📝 Commits (10+)

  • 2fdcfa6 feat: add S3-compatible OpenDAL URI parameter parsing
  • 63b2538 ci: add MinIO integration test job for S3-compatible mode
  • 7c95c8c docs: document S3-compatible URI parameters and examples
  • b4dff01 fix: satisfy clippy and rustfmt for S3 config parsing
  • 7b74969 ci: harden MinIO startup in S3 integration job
  • 2b60e58 fix: enforce unknown S3 params and repair MinIO CI command
  • 5996a78 fix: stabilize unknown-param test and set MinIO region
  • 2f50301 test: make unknown S3 parameter assertion robust
  • 7b2b450 ci: add manual R2 integration workflow
  • 0f7fea5 Revert "ci: add manual R2 integration workflow"

📊 Changes

5 files changed (+553 additions, -12 deletions)


📝 .env.template (+27 -1)
📝 .github/workflows/build.yml (+69 -0)
📝 README.md (+63 -0)
➕ docs/s3-compatible-object-storage.md (+105 -0)
📝 src/config.rs (+289 -11)

📄 Description

Summary

This PR improves S3-compatible object storage support by parsing and applying URI query parameters for OpenDAL S3 configuration across Vaultwarden storage paths.

It keeps AWS defaults unchanged while enabling robust provider-specific overrides for MinIO, Cloudflare R2, Ceph RGW, and similar S3-compatible endpoints.

What changed

  • Added centralized S3 URI parsing for paths like:
    • DATA_FOLDER
    • ATTACHMENTS_FOLDER
    • ICON_CACHE_FOLDER
    • SENDS_FOLDER
  • Added support for query parameters on s3://... URIs, including:
    • endpoint
    • region
    • enable_virtual_host_style (including alias handling)
    • default_storage_class (including empty value to omit storage class)
  • Enforced unknown parameter rejection in parsing logic.
  • Kept AWS-friendly defaults intact when no overrides are provided.

CI / tests

  • Added/updated unit tests for:
    • defaults
    • endpoint/path-style overrides
    • storage class omission
    • boolean variants and implicit flags
    • percent-encoded path handling
    • unknown parameter rejection
  • Added MinIO integration coverage in CI and stabilized startup/test execution.
  • Adjusted error assertion robustness for wrapped error formatting.

Docs

  • Updated .env.template with S3-compatible parameter guidance and examples.
  • Updated README.md with practical S3-compatible usage examples.
  • Added clarification that images must include both DB backend + s3 feature (sqlite,s3 / postgresql,s3 / mysql,s3).

Manual validation

  • Confirmed local MinIO Put/Get/Delete integration path.
  • Confirmed Cloudflare R2 Put/Get/Delete behavior using endpoint + region=auto + path-style.

Compatibility notes

  • AWS S3 behavior remains unchanged by default.
  • No migration required for existing non-S3 setups.
  • Existing S3 users without query params continue to work with current defaults.

Operational notes (browser downloads on S3-compatible storage)

When attachments are stored in S3-compatible backends, Web Vault downloads use presigned URLs and are fetched directly by the browser.

To make downloads work reliably, configure both sides:

  • Vaultwarden CSP: set ALLOWED_CONNECT_SRC to include the object-storage origin (for example https://<accountid>.r2.cloudflarestorage.com).
  • Object storage CORS policy: allow your Vaultwarden origin (DOMAIN) for GET/HEAD and return Access-Control-Allow-Origin.

Typical errors and causes:

  • violates the document's Content Security Policy -> missing/incorrect ALLOWED_CONNECT_SRC.
  • No 'Access-Control-Allow-Origin' header -> missing/incorrect bucket/provider CORS policy.

Follow-up suggestion

Potential future improvement: provide an optional server-side download mode/proxy to reduce CORS setup friction for some deployments.
Trade-offs: extra traffic through Vaultwarden, higher resource usage, and different scalability characteristics.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
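
The fail-closed parameter handling listed under "What changed", as an added example that is not the PR's `src/config.rs` code: an allow-list parser for the four query parameters named above that rejects anything else, so a misspelled `endpoint` cannot silently leave storage pointed at the default endpoint. The names `S3Params` and `parse_s3_uri`, the accepted boolean spellings, and the literal (not percent-decoded) value handling are assumptions; the alias for `enable_virtual_host_style` is not modelled because the description does not name it.

```rust
// Added illustration, not code from the PR. Values are taken literally
// (no percent-decoding); accepted boolean spellings are an assumption.
#[derive(Debug, Default, PartialEq)]
pub struct S3Params {
    pub bucket: String,
    pub root: String,
    pub endpoint: Option<String>,
    pub region: Option<String>,
    pub enable_virtual_host_style: Option<bool>,
    // None = not given (keep default); Some(None) = given empty (omit class).
    pub default_storage_class: Option<Option<String>>,
}

fn non_empty(key: &str, val: Option<&str>) -> Result<String, String> {
    val.filter(|v| !v.is_empty()).map(String::from).ok_or_else(|| format!("S3 parameter {key} needs a value"))
}

fn parse_bool(key: &str, val: Option<&str>) -> Result<bool, String> {
    match val.map(str::to_ascii_lowercase).as_deref() {
        None | Some("true") | Some("1") => Ok(true), // bare key = implicit flag
        Some("false") | Some("0") => Ok(false),
        Some(other) => Err(format!("invalid boolean for {key}: {other}")),
    }
}

pub fn parse_s3_uri(uri: &str) -> Result<S3Params, String> {
    let rest = uri.strip_prefix("s3://").ok_or("not an s3:// URI")?;
    let (location, query) = rest.split_once('?').unwrap_or((rest, ""));
    let (bucket, root) = location.split_once('/').unwrap_or((location, ""));
    if bucket.is_empty() { return Err("missing bucket name".to_string()); }
    let mut p = S3Params { bucket: bucket.into(), root: format!("/{root}"), ..Default::default() };
    for pair in query.split('&').filter(|s| !s.is_empty()) {
        let (key, val) = pair.split_once('=').map_or((pair, None), |(k, v)| (k, Some(v)));
        match key {
            "endpoint" => p.endpoint = Some(non_empty(key, val)?),
            "region" => p.region = Some(non_empty(key, val)?),
            "enable_virtual_host_style" => p.enable_virtual_host_style = Some(parse_bool(key, val)?),
            "default_storage_class" => p.default_storage_class = Some(val.filter(|v| !v.is_empty()).map(String::from)),
            // Fail closed: a misspelled key must not silently fall back to defaults.
            other => return Err(format!("unknown S3 parameter: {other}")),
        }
    }
    Ok(p)
}

fn main() {
    // Constructed sample: the misspelled `endpont` is rejected, not ignored.
    println!("{:?}", parse_s3_uri("s3://vw/data?endpont=http://127.0.0.1:9000&region=auto"));
}
```
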

GiteaMirror added the pull-request label 2026-03-07 21:18:22 -06:00

Reference: github-starred/vaultwarden#7486