
Object Storage Module (MinIO)

Complete guide to deploying and managing MinIO object storage with S3-compatible API, high availability, and automated backups.

The MinIO module provides enterprise-grade object storage with S3-compatible API, designed for cloud-native applications. It offers high performance, scalability, and security for storing unstructured data like documents, images, videos, and backups.

MinIO Deployment:
├── MinIO Server Pods (Distributed)
├── Persistent Storage (SSD)
├── S3-Compatible API
├── Web Console
├── Ingress Configuration
└── SSL/TLS Termination
  • S3 API Compatibility: Full compatibility with Amazon S3 API
  • Multi-Tenant Support: Isolated buckets and access policies
  • Object Versioning: Track and manage object versions
  • Lifecycle Management: Automated object lifecycle policies
  • High Performance: Optimized for high-throughput workloads
  • Horizontal Scaling: Add nodes to increase capacity
  • Erasure Coding: Data protection with configurable parity
  • Caching Layer: In-memory caching for frequently accessed objects
  • Access Control: IAM-style policies and bucket policies
  • Encryption: Server-side encryption for data at rest
  • SSL/TLS: Encrypted data in transit
  • Audit Logging: Comprehensive access and operation logs

The MinIO deployment uses Helmfile for environment management:

iac/modules/minio/helmfile.yaml

```yaml
repositories:
  - name: bitnami
    url: https://charts.bitnami.com/bitnami
releases:
  - name: minio
    namespace: minio
    chart: bitnami/minio
    version: "17.0.4"
    values:
      - values.yaml
```

iac/modules/minio/values.yaml

```yaml
auth:
  # Well-known default credentials, shown as placeholders: replace them before
  # deploying (the chart can also read them from a Secret via auth.existingSecret).
  rootUser: minioadmin
  rootPassword: minioadmin
defaultBuckets: "private, public"
persistence:
  enabled: true
  size: 200Gi
  storageClass: "local-path"
resources:
  requests:
    memory: "1Gi"
    cpu: "500m"
  limits:
    memory: "2Gi"
    cpu: "1000m"
ingress:
  enabled: true
  ingressClassName: traefik
  hostname: s3.theratap.de
  pathType: Prefix
  tls: true
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
console:
  ingress:
    enabled: true
    ingressClassName: traefik
    hostname: console.s3.theratap.de
    pathType: Prefix
    tls: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
```

```yaml
# High-availability configuration
mode: distributed
replicaCount: 4
# Performance tuning
resources:
  requests:
    memory: "4Gi"
    cpu: "2000m"
  limits:
    memory: "8Gi"
    cpu: "4000m"
# Security configuration
securityContext:
  enabled: true
  runAsUser: 1001
  fsGroup: 1001
# Monitoring
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
```

The module automatically creates two default buckets:

  • private: For sensitive data requiring restricted access
  • public: For publicly accessible content

```bash
# Using MinIO client (mc)
mc alias set myminio https://s3.theratap.de minioadmin minioadmin
# Create new bucket
mc mb myminio/myapp-data
# Set bucket policy (current mc releases use `mc anonymous`; `mc policy` is the older name)
mc anonymous set download myminio/public
mc anonymous set private myminio/private
```

Public read access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::public/*"]
    }
  ]
}
```

Private access only:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::private/*"]
    }
  ]
}
```

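
The two bucket policies above can be checked mechanically for what they expose to unauthenticated callers. The following is an added example, not part of the original module: it assumes standard S3 policy semantics (explicit Deny overrides Allow) and does not evaluate Condition blocks, and `anonymous_grants`, `PROBES` and `RISKY_POLICY` are names and sample data constructed here.

```python
import json
from fnmatch import fnmatchcase

# The two bucket policies from this page, embedded as sample input.
PUBLIC_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": "*", "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::public/*"]}]}"""
PRIVATE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
  "Principal": "*", "Action": ["s3:GetObject"],
  "Resource": ["arn:aws:s3:::private/*"]}]}"""
# Constructed input: a wildcard policy that grants anonymous writes and deletes.
RISKY_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["*"]}, "Action": "s3:*Object",
  "Resource": "arn:aws:s3:::private/*"}]}"""
PROBES = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]

def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def _is_anonymous(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def _matches(stmt, action, arn):
    return (any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
            and any(fnmatchcase(arn, p) for p in _as_list(stmt.get("Resource"))))

def anonymous_grants(policy_json, bucket, key="probe-object"):
    """Return the probe actions an unauthenticated caller is allowed on the bucket."""
    stmts = [s for s in json.loads(policy_json).get("Statement", [])
             if _is_anonymous(s.get("Principal"))]  # Condition blocks are ignored
    granted = []
    for action in PROBES:
        # Bucket-level actions target the bucket ARN, object-level ones a key.
        arn = f"arn:aws:s3:::{bucket}" + ("" if action == "s3:ListBucket" else f"/{key}")
        allow = any(s.get("Effect") == "Allow" and _matches(s, action, arn) for s in stmts)
        deny = any(s.get("Effect") == "Deny" and _matches(s, action, arn) for s in stmts)
        if allow and not deny:  # an explicit Deny always wins over an Allow
            granted.append(action)
    return granted

if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)]:
        print(name, anonymous_grants(doc, name))
    print("private (risky)", anonymous_grants(RISKY_POLICY, "private"))
```

Running it over policies exported from each bucket flags any bucket other than `public` that returns a non-empty list, and any write or delete action on `public`.
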

```bash
# Create new user
mc admin user add myminio appuser apppassword
# Create a policy and attach it to the user
mc admin policy create myminio app-policy app-policy.json
mc admin policy attach myminio app-policy --user appuser
# List users
mc admin user list myminio
```

```yaml
# Application configuration
s3:
  endpoint: https://s3.theratap.de
  accessKey: appuser
  secretKey: apppassword
  bucket: myapp-data
  region: us-east-1
  useSSL: true
```

```bash
# Check MinIO service status
kubectl get pods -n minio -l app.kubernetes.io/name=minio
# Check service endpoints
kubectl get endpoints -n minio
# Test S3 API connectivity
curl -I https://s3.theratap.de
```

```bash
# Check resource usage
kubectl top pods -n minio
# Monitor storage usage
kubectl exec -it minio-0 -n minio -- df -h
# Check MinIO metrics (port-forward keeps running; run curl from a second terminal)
kubectl port-forward -n minio svc/minio 9000:9000
# Returns 403 unless a bearer token is supplied or MINIO_PROMETHEUS_AUTH_TYPE=public is set
curl http://localhost:9000/minio/v2/metrics/cluster
```

```bash
# View MinIO logs
kubectl logs -n minio -l app.kubernetes.io/name=minio
# Follow logs in real-time
kubectl logs -f -n minio deployment/minio
# Check for errors
kubectl logs -n minio -l app.kubernetes.io/name=minio | grep ERROR
```

```bash
# Navigate to module directory
cd iac/modules/minio
# Deploy using Helmfile
helmfile apply
# Verify deployment
kubectl get pods -n minio
kubectl get services -n minio
```

```bash
# Check pod status
kubectl get pods -n minio -l app.kubernetes.io/name=minio
# Test S3 API
curl -I https://s3.theratap.de
# Access web console
open https://console.s3.theratap.de
```

```bash
# Install MinIO client
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/
# Configure client
mc alias set myminio https://s3.theratap.de minioadmin minioadmin
# Test connection
mc ls myminio
```

```bash
# Backup bucket data
mc mirror myminio/myapp-data ./backup/myapp-data
# Backup with compression
mc mirror --compress myminio/myapp-data ./backup/myapp-data
# Restore from backup
mc mirror ./backup/myapp-data myminio/myapp-data
```

```bash
# Scale MinIO replicas
kubectl scale deployment minio -n minio --replicas=4
# Update storage capacity
kubectl patch pvc minio -n minio -p '{"spec":{"resources":{"requests":{"storage":"500Gi"}}}}'
```

```bash
# Update MinIO version
helmfile apply
# Monitor update progress
kubectl rollout status deployment/minio -n minio
# Rollback if needed
kubectl rollout undo deployment/minio -n minio
```

```bash
# Check service connectivity
kubectl get services -n minio
# Test network connectivity
kubectl exec -it minio-0 -n minio -- nc -zv minio-service 9000
# Verify DNS resolution
kubectl exec -it minio-0 -n minio -- nslookup s3.theratap.de
```

```bash
# Check persistent volume status
kubectl get pv | grep minio
# Check storage usage
kubectl exec -it minio-0 -n minio -- df -h
# Check for disk space alerts
kubectl describe pod minio-0 -n minio
```

```bash
# Verify credentials
mc alias list
# Test authentication
mc ls myminio
# Reset credentials if needed
mc alias remove myminio
mc alias set myminio https://s3.theratap.de minioadmin minioadmin
```

```bash
# Check resource usage
kubectl top pods -n minio
# Monitor network I/O
kubectl exec -it minio-0 -n minio -- iostat -x 1
# Check for slow operations
kubectl logs -n minio -l app.kubernetes.io/name=minio | grep "slow"
```

```bash
# Force delete stuck pods
kubectl delete pod minio-0 -n minio --grace-period=0 --force
# Restore from backup
mc mirror ./backup/myapp-data myminio/myapp-data
# Verify data integrity
mc diff myminio/myapp-data ./backup/myapp-data
```

```yaml
# TLS configuration
tls:
  enabled: true
  secretName: minio-tls
# Certificate configuration
certificatesSecret: "minio-certs"
```

```yaml
# Network policy for MinIO access
networkPolicy:
  enabled: true
  allowExternal: false
  ingressRules:
    primaryAccessOnlyFrom:
      enabled: true
      namespaceSelector:
        matchLabels:
          name: production
      podSelector:
        matchLabels:
          app.kubernetes.io/name: backend
```

```yaml
# IAM configuration
iam:
  enabled: true
  policy:
    - Effect: Allow
      Action:
        - s3:GetObject
        - s3:PutObject
        - s3:DeleteObject
      Resource:
        - arn:aws:s3:::myapp-data/*
```

```yaml
# High-performance values
resources:
  requests:
    memory: 8Gi
    cpu: 4000m
  limits:
    memory: 16Gi
    cpu: 8000m
# Performance tuning
configuration: |-
  MINIO_CACHE_DRIVES=auto
  MINIO_CACHE_EXCLUDE=*.pdf;*.doc;*.docx
  MINIO_CACHE_EXPIRY=168h
  MINIO_CACHE_MAXUSE=80
```

```yaml
# Enhanced backup configuration
backup:
  enabled: true
  schedule: "0 2 * * *" # Daily at 2 AM
  retention: 30
  compression: true
```

  • Monitor storage usage
  • Check backup completion
  • Review access logs
  • Verify service health
  • Analyze performance metrics
  • Review security policies
  • Update access keys
  • Check for updates
  • Capacity planning review
  • Security audit
  • Performance optimization
  • Disaster recovery testing
  • Storage classes configured
  • Persistent volumes available
  • Network policies defined
  • SSL certificates prepared
  • Access policies defined
  • MinIO service accessible
  • S3 API functional
  • Web console accessible
  • Default buckets created
  • Access credentials configured
  • Backup integrity verified
  • Performance metrics reviewed
  • Security updates applied
  • Capacity planning updated
  • Disaster recovery tested

The MinIO object storage module provides enterprise-grade S3-compatible storage with high availability and comprehensive management capabilities.