During the agile design and architecture process of your new (web) service, two key questions will often be:
Generate a certificate-key pair. MinIO secret. Generate a set of random 20 & 64 character alpha-numeric keys for MinIO. To let GitLab have access to incoming. About Django Secret Key Generator. The Django Secret Key Generator is used to generate a new SECRETKEY that you can put in your settings.py module. To show this, I created a Docker-Compose file under data/ that will create a four node cluster of minio. The Access- and Sec-Key is set to minio/minio123. The Access- and Sec-Key is set to minio. Docker network create -driver overlay ntwminio Deploying 4 instances (Minio Erasure Code) Run this the leader node: Create your own MINIOACCESSKEY and MINIOSECRETKEY values! Ensure access key = 5 to 20 characters; Ensure secret key = 8 to 40 characters.
- How are we going to deal with object storage?
MinIO Custom Access and Secret Keys using Docker secrets. To override MinIO's auto-generated keys, you may pass secret and access keys explicitly by creating access and secret keys as Docker secrets. MinIO server also allows regular strings as access and secret keys.
- Is there a better way than getting locked into Amazon S3 etc.?
Yes, and yes! Hello cloud-native world, meet Minio, your private, on-your-own-terms object storage solution, on any public cloud or server.
This blog post will guide you on how to run your cloud object storage on any server with Minio and Cloud 66 backed by Kubernetes.
Object storage, also known as object-based storage, is a computer data storage architecture that manages data as objects, as opposed to other storage architectures like file systems, which manage data as a file hierarchy, and block storage, which manages data as blocks within sectors and tracks.
Each object typically includes the data itself, a variable amount of metadata, and a globally unique identifier.
Minio is an object storage server, compatible with the Amazon S3 cloud storage service. It is best suited for storing unstructured data such as photos, videos, log files, backups, and container/VM images. Object size can range from a few KBs to a maximum of 5TB.
Minio is like owning your own S3 Cloud on your premises, under your data privacy laws, and on your own terms—and it's very easy to setup with Cloud 66 on any public cloud or your own servers!
Before running Minio in production, let's give it a test spin on your local box.
Just install docker
and docker-compose
(instructions here) and use the following docker-compose.yml
.
Run docker-compose up
and hit the end-point http://localhost:9000, then use the MINIO_ACCESS_KEY
and MINIO_SECRET_KEY
credentials to login.
BAM! You have your own S3-like object storage!
Minio is compatible with all S3 commands—if your service can talk to S3 you can talk to Minio! No code changes.
Let's use an S3 command line tool called s3cmd
as an example. You can find all the details here.
To play around with your local instalment, edit the following fields in your s3cmd configuration file ~/.s3cfg
Create a bucket in your brand new object storage:
s3cmd mb s3://hello-world-bucket
Add some files to your new bucket:
s3cmd put FILE [FILE..] s3://hello-world-bucket
List the contents of your bucket:
s3cmd ls s3://hello-world-bucket
Or use the UI to manage your buckets and files.
It's time to run production on any cloud provider or on your own server.
We are going to deploy Minio on our Cloud 66 for Containers offering—a complete solution for building, running, and maintaining containerized apps in production. This will allow you to run a multi-tenant setup on your own server(s).
Sign-up to Cloud 66, of course ;-)
service.yml
A service.yml
is a Cloud 66 service definition file that tells you which services we want to run on your infrastructure. (For more about service.yml, check our documentation.)
Given the ephemeral nature of containers, it’s important to consider storage solutions to avoid data loss. That's the reason you find the volume statement in service.yml
Choose to deploy in a production environment
Choose which provider you want to deploy (make sure you entered your provider credentials) or bring your own server using our registered server feature.
Hit deploy! and wait until we're done with all the heavy lifting. After a couple of minutes, you will have deployed your own object storage, backed by Kubernetes!
Yes! Kubernetes in Space.
Of course, this instalment is not secure because we are using HTTP and not HTTPS. Cloud 66 support Let's Encrypt (FREE!) SSL, or you can bring your own SSL.
Again, we take care of all the heavy lifting and when the SSL certificate is created and installed, you have your Minio running with SSL!
Look! Green lock! ;-)
To start using your production Minio service. Edit the following fields in your s3cmd configuration file ~/.s3cfg
Check if you can create a bucket in your brand new object storage:
s3cmd mb s3://hello-world-bucket
BAM! Object storage at your service.
Deploying your own S3-compatible object storage is as simple as buying a pair of shoes. It's fun running Minio on any server! Give us a spin a let us know what you think of our services.
Start using the space!
MinIO is an object storage server, compatible with Amazon S3 cloud storage service, mainly used for storing unstructured data (such as photos, videos, log files, etc.)
Generating a new private key android. Generate a new secret key. To generate the key, follow the same process as the one for generating a new private key. You use the Security library in each case. Import encrypted keys more securely. Android 9 (API level 28) and higher allow you to import encrypted keys securely into the Keystore using an ASN.1‑encoded key format.
This chart bootstraps a MinIO deployment on a Kubernetes cluster using the Helm package manager.
Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of Bitnami Kubernetes Production Runtime (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
To install the chart with the release name my-release
:
These commands deploy MinIO on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Tip: List all releases using helm list
To uninstall/delete the my-release
deployment:
The command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the configurable parameters of the MinIO chart and their default values.
Parameter | Description | Default |
---|---|---|
global.imageRegistry | Global Docker image registry | nil |
global.imagePullSecrets | Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
global.storageClass | Global storage class for dynamic provisioning | nil |
global.minio.existingSecret | Name of existing secret to use for MinIO credentials (overrides existingSecret ) | nil |
global.minio.accessKey | MinIO Access Key (overrides accessKey.password ) | nil |
global.minio.secretKey | MinIO Secret Key (overrides secretKey.password ) | nil |
image.registry | MinIO image registry | docker.io |
image.repository | MinIO image name | bitnami/minio |
image.tag | MinIO image tag | {TAG_NAME} |
image.pullPolicy | Image pull policy | IfNotPresent |
image.pullSecrets | Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
image.debug | Specify if debug logs should be enabled | false |
nameOverride | String to partially override minio.fullname template with a string (will prepend the release name) | nil |
fullnameOverride | String to fully override minio.fullname template with a string | nil |
serviceAccount.create | Specifies whether a ServiceAccount should be created | true |
serviceAccount.name | If serviceAccount.create is enabled, what should the serviceAccount name be - otherwise defaults to the fullname | nil |
clusterDomain | Kubernetes cluster domain | cluster.local |
clientImage.registry | MinIO Client image registry | docker.io |
clientImage.repository | MinIO Client image name | bitnami/minio-client |
clientImage.tag | MinIO Client image tag | {TAG_NAME} |
volumePermissions.enabled | Enable init container that changes volume permissions in the data directory (for cases where the default k8s runAsUser and fsUser values do not work) | false |
volumePermissions.image.registry | Init container volume-permissions image registry | docker.io |
volumePermissions.image.repository | Init container volume-permissions image name | bitnami/minideb |
volumePermissions.image.tag | Init container volume-permissions image tag | buster |
volumePermissions.image.pullPolicy | Init container volume-permissions image pull policy | Always |
volumePermissions.resources | Init container resource requests/limit | nil |
mode | MinIO server mode (standalone or distributed ) | standalone |
statefulset.replicaCount | Number of pods (only for Minio distributed mode). Should be 4 <= x <= 32 | 4 |
statefulset.updateStrategy | Statefulset update strategy policy | RollingUpdate |
statefulset.podManagementpolicy | Statefulset pods management policy | Parallel |
deployment.updateStrategy | Deployment update strategy policy | Recreate |
existingSecret | Existing secret with MinIO credentials | nil |
useCredentialsFile | Have the secret mounted as a file instead of env vars | false |
accessKey.password | MinIO Access Key. Ignored if existing secret is provided. | random 10 character alphanumeric string |
accessKey.forcePassword | Force users to specify an Access Key | false |
secretKey.password | MinIO Secret Key. Ignored if existing secret is provided. | random 40 character alphanumeric string |
secretKey.forcePassword | Force users to specify an Secret Key | false |
defaultBuckets | Comma, semi-colon or space separated list of buckets to create (only in standalone mode) | nil |
disableWebUI | Disable MinIO Web UI | false |
extraEnv | Any extra environment variables you would like to pass to the pods | {} |
resources | Minio containers' resources | {} |
podAnnotations | Pod annotations | {} |
affinity | Map of node/pod affinities | {} (The value is evaluated as a template) |
nodeSelector | Node labels for pod assignment | {} (The value is evaluated as a template) |
tolerations | Tolerations for pod assignment | [] (The value is evaluated as a template) |
securityContext.enabled | Enable security context | true |
securityContext.fsGroup | Group ID for the container | 1001 |
securityContext.runAsUser | User ID for the container | 1001 |
livenessProbe.enabled | Enable/disable the Liveness probe | true |
livenessProbe.initialDelaySeconds | Delay before liveness probe is initiated | 60 |
livenessProbe.periodSeconds | How often to perform the probe | 10 |
livenessProbe.timeoutSeconds | When the probe times out | 5 |
livenessProbe.successThreshold | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
livenessProbe.failureThreshold | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
readinessProbe.enabled | Enable/disable the Readiness probe | true |
readinessProbe.initialDelaySeconds | Delay before readiness probe is initiated | 5 |
readinessProbe.periodSeconds | How often to perform the probe | 10 |
readinessProbe.timeoutSeconds | When the probe times out | 5 |
readinessProbe.failureThreshold | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
readinessProbe.successThreshold | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
persistence.enabled | Use a PVC to persist data | true |
persistence.mountPath | Path to mount the volume at | /data |
persistence.storageClass | Storage class of backing PVC | nil (uses alpha storage class annotation) |
persistence.accessMode | Use volume as ReadOnly or ReadWrite | ReadWriteOnce |
persistence.size | Size of data volume | 8Gi |
persistence.annotations | Persistent Volume annotations | {} |
persistence.existingClaim | Name of an existing PVC to use (only in 'standalone' mode) | nil |
service.type | Kubernetes Service type | ClusterIP |
service.port | MinIO service port | 9000 |
service.nodePort | Port to bind to for NodePort service type | nil |
service.loadBalancerIP | Static IP Address to use for LoadBalancer service type | nil |
service.annotations | Kubernetes service annotations | {} |
ingress.enabled | Enable/disable ingress | false |
ingress.certManager | Add annotations for cert-manager | false |
ingress.annotations | Ingress annotations | [] |
ingress.hosts[0].name | Hostname to your MinIO installation | minio.local |
ingress.hosts[0].path | Path within the url structure | / |
ingress.hosts[0].tls | Utilize TLS backend in ingress | false |
ingress.hosts[0].tlsHosts | Array of TLS hosts for ingress record (defaults to ingress.hosts[0].name if nil ) | nil |
ingress.hosts[0].tlsSecret | TLS Secret (certificates) | minio.local-tls |
ingress.secrets[0].name | TLS Secret Name | nil |
ingress.secrets[0].certificate | TLS Secret Certificate | nil |
ingress.secrets[0].key | TLS Secret Key | nil |
networkPolicy.enabled | Enable NetworkPolicy | false |
networkPolicy.allowExternal | Don't require client label for connections | true |
prometheusAuthType | Authentication mode for Prometheus (jwt or public ) | public |
Specify each parameter using the --set key=value[,key=value]
argument to helm install
. For example,
The above command sets the MinIO Server access key and secret key to minio-access-key
and minio-secret-key
, respectively.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
Tip: You can use the default values.yaml
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
This chart includes a values-production.yaml
file where you can find some parameters oriented to production configuration in comparison to the regular values.yaml
. You can use this file instead of the default one.
You can start the MinIO chart in distributed mode with the following parameter: mode=distributed
This chart sets Minio server in distributed mode with 4 nodes by default. You can change the number of nodes setting the statefulset.replicaCount
parameter, for example to statefulset.replicaCount=8
Note: that the number of replicas must even, greater than 4 and lower than 32
MinIO exports Prometheus metrics at /minio/prometheus/metrics
. To allow Prometheus collecting your MinIO metrics, modify the values.yaml
adding the corresponding annotations:
Find more information about MinIO metrics at https://docs.min.io/docs/how-to-monitor-minio-using-prometheus.html
The Bitnami MinIO image stores data at the /data
path of the container.
The chart mounts a Persistent Volume at this location. The volume is created using dynamic volume provisioning.
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting volumePermissions.enabled
to true
.