sasanyasari

Overview

Add support for disabling dynamic bucket region detection via the HELM_S3_DYNAMIC_REGION environment variable.

Problem

The current implementation of DynamicBucketRegion always performs automatic bucket region detection by making HEAD requests to Amazon S3, which causes several issues:

  1. Breaks plugin in restricted environments: Environments with limited internet access or strict egress filtering cannot make the required HEAD requests to s3.amazonaws.com
  2. Security/privacy concerns: Internal bucket names are leaked to Amazon S3 even when using alternative S3-compatible storage solutions
  3. Ignores user configuration: The HEAD requests always go to Amazon S3 (s3.amazonaws.com) regardless of custom endpoints configured via AWS_ENDPOINT or AWS profiles

Solution

Introduce HELM_S3_DYNAMIC_REGION environment variable:

  • Default: true (enabled) - maintains backward compatibility
  • Set to false: Disables dynamic region detection, relies on standard AWS region configuration

Changes

  • Added ConditionalDynamicBucketRegion() function that respects the new environment variable
  • Updated all helm-s3 commands to use the conditional function
  • Added comprehensive tests covering both enabled and disabled scenarios
  • Updated documentation in README.md and website

Usage

To disable dynamic bucket region detection:

export HELM_S3_DYNAMIC_REGION=false

This is particularly useful for:

  • Environments with restricted internet access
  • Alternative S3-compatible storage (MinIO, Ceph, etc.)
  • Security-sensitive environments where bucket names should not be exposed to AWS
  • CI/CD pipelines requiring predictable region behavior

Testing

All existing tests pass, and new tests verify:

  • Default behavior (dynamic region enabled)
  • Explicitly enabled dynamic region detection
  • Disabled dynamic region detection

Backward Compatibility

✅ Fully backward compatible - existing users will see no change in behavior unless they explicitly set HELM_S3_DYNAMIC_REGION=false.

Fixes #220

sasanyasari and others added 5 commits September 2, 2025 15:47
Add HELM_S3_DYNAMIC_REGION environment variable to control automatic
bucket region detection. Defaults to true for backward compatibility.

This addresses several issues:
- Prevents plugin failures in restricted internet environments
- Stops leaking internal bucket names to AWS in non-restricted environments
- Allows users to disable automatic S3 HEAD requests that always go to
  Amazon S3 regardless of custom endpoints or AWS configuration

Setting HELM_S3_DYNAMIC_REGION=false disables dynamic region detection
and relies on standard AWS region configuration (HELM_S3_REGION,
AWS_REGION, AWS_DEFAULT_REGION).

Fixes hypnoglow#220
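
The gate this pull request describes, sketched as an added example (not the plugin's own code). The names `regionDetector`, `dynamicRegionEnabled` and `resolveRegion`, the precedence order of the region variables, and the choice to reject an unparsable value instead of silently keeping detection on are all assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// regionDetector stands in for the HEAD-request lookup (hypothetical type).
type regionDetector func(bucket string) (string, error)

// Unset means enabled, the default stated in the PR. An unparsable value is
// an error here, so a typo cannot quietly re-enable the outbound lookup.
func dynamicRegionEnabled() (bool, error) {
	v, ok := os.LookupEnv("HELM_S3_DYNAMIC_REGION")
	if !ok || v == "" {
		return true, nil
	}
	b, err := strconv.ParseBool(v)
	if err != nil {
		return false, fmt.Errorf("HELM_S3_DYNAMIC_REGION=%q: %w", v, err)
	}
	return b, nil
}

// resolveRegion returns the region and whether detect was called at all.
func resolveRegion(bucket string, detect regionDetector) (string, bool, error) {
	enabled, err := dynamicRegionEnabled()
	if err != nil {
		return "", false, err
	}
	if enabled {
		r, err := detect(bucket)
		return r, true, err
	}
	// Static configuration only; this precedence order is an assumption.
	for _, k := range []string{"HELM_S3_REGION", "AWS_REGION", "AWS_DEFAULT_REGION"} {
		if v := os.Getenv(k); v != "" {
			return v, false, nil
		}
	}
	return "", false, fmt.Errorf("dynamic region detection disabled and no region configured")
}

func main() {
	os.Setenv("HELM_S3_DYNAMIC_REGION", "false")
	os.Setenv("AWS_REGION", "eu-central-1") // constructed sample value
	fake := func(string) (string, error) { return "us-east-1", nil }
	fmt.Println(resolveRegion("example-bucket", fake))
}
```

Returning whether the detector ran lets a test assert that the disabled path makes no outbound lookup, which is the property restricted and privacy-sensitive environments depend on.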
Successfully merging this pull request may close these issues.

Plugin cannot connect, despite AWS CLI connecting without issue