tenant_crd.adoc

API Reference

minio.min.io/v2

Package v2 - This page provides a quick automatically generated reference for the MinIO Operator minio.min.io/v2 CRD. For more complete documentation on the MinIO Operator CRD, see MinIO Kubernetes Documentation.

The minio.min.io/v2 API was released with the v4.0.0 MinIO Operator. The MinIO Operator automatically converts existing tenants using the /v1 API to /v2.

Resource Types

• Tenant

Bucket

Bucket describes the default created buckets

Appears In:

• TenantSpec

Field	Description
name string
region string
objectLock boolean

CertificateConfig

CertificateConfig (certConfig) defines controlling attributes associated to any TLS certificate automatically generated by the Operator as part of tenant creation. These fields have no effect if spec.autoCert: false.

Appears In:

• TenantSpec

Field	Description
commonName string	Optional The CommonName or CN attribute to associate to automatically generated TLS certificates.
organizationName string array	Optional Specify one or more OrganizationName or O attributes to associate to automatically generated TLS certificates.
dnsNames string array	Optional Specify one or more x.509 Subject Alternative Names (SAN) to associate to automatically generated TLS certificates. MinIO Server pods use SNI to determine which certificate to respond with based on the requested hostname.

CertificateStatus

CertificateStatus keeps track of all the certificates managed by the operator

Appears In:

• TenantStatus

Field	Description
autoCertEnabled boolean	AutoCertEnabled registers whether we know if the tenant has autocert enabled
customCertificates CustomCertificates	Provides the output of the client, minio, and`minioCAs` custom TLS certificates manually added to the Operator.

CustomCertificateConfig

CustomCertificateConfig (customCertificateConfig) provides attributes associated of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

Appears In:

• CustomCertificates

CustomCertificates

CustomCertificates (customCertificates) provides groupings of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

Appears In:

• CertificateStatus

Field	Description
client CustomCertificateConfig array	Optional Client
minio CustomCertificateConfig array	Optional Minio
minioCAs CustomCertificateConfig array	Optional Certificate Authorities

ExposeServices

ExposeServices (exposeServices) defines the exposure of the MinIO object storage and Console services.

Appears In:

• TenantSpec

Field	Description
minio boolean	Optional Directs the Operator to expose the MinIO service. Defaults to true.
console boolean	Optional Directs the Operator to expose the MinIO Console service. Defaults to true.

Features

Features (features) - Object describing which MinIO features to enable/disable in the MinIO Tenant.

Appears In:

• TenantSpec

Field	Description
bucketDNS boolean	Optional Specify true to allow clients to access buckets using the DNS path <bucket>.minio.default.svc.cluster.local. Defaults to false.
domains TenantDomains	Optional Specify a list of domains used to access MinIO and Console.

HealthStatus (string)

HealthStatus represents whether the tenant is healthy, with decreased service or offline

Appears In:

• TenantStatus

KESConfig

KESConfig (kes) defines the configuration of the MinIO Key Encryption Service (KES) StatefulSet deployed as part of the MinIO Tenant. KES supports Server-Side Encryption of objects using an external Key Management Service (KMS).

Appears In:

• TenantSpec

Field	Description
replicas integer	Optional Specify the number of replica KES pods to deploy in the tenant. Defaults to 2.
image string	Optional The Docker image to use for deploying MinIO KES. Defaults to minio/kes:2023-07-26T11-13-07Z.
imagePullPolicy PullPolicy	Optional The pull policy for the MinIO Docker image. Specify one of the following: * Always * Never * IfNotPresent (Default) Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images
serviceAccountName string	Optional The Kubernetes Service Account to use for running MinIO KES pods created as part of the Tenant.
kesSecret LocalObjectReference	Required Specify a Kubernetes opaque secret which contains environment variables to use for setting up the MinIO KES service. See the MinIO Operator console-secret.yaml for an example.
externalCertSecret LocalCertificateReference	Optional Enables TLS with SNI support on each MinIO KES pod in the tenant. If externalCertSecret is omitted and spec.requestAutoCert is set to false, MinIO KES pods deploy without TLS enabled. Specify a Kubernetes TLS secret. The MinIO Operator copies the specified certificate to every MinIO pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName. Specify an object containing the following fields: * - name - The name of the Kubernetes secret containing the TLS certificate. * - type - Specify kubernetes.io/tls See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
clientCertSecret LocalCertificateReference	Optional Specify a a Kubernetes TLS secret containing a custom root Certificate Authority and x.509 certificate to use for performing mTLS authentication with an external Key Management Service, such as Hashicorp Vault. Specify an object containing the following fields: * - name - The name of the Kubernetes secret containing the Certificate Authority and x.509 Certificate. * - type - Specify kubernetes.io/tls
gcpCredentialSecretName string	Optional Specify the GCP default credentials to be used for KES to authenticate to GCP key store
gcpWorkloadIdentityPool string	Optional Specify the name of the workload identity pool (This is required for generating service account token)
annotations object (keys:string, values:string)	Optional If provided, use these annotations for KES Object Meta annotations
labels object (keys:string, values:string)	Optional If provided, use these labels for KES Object Meta labels
resources ResourceRequirements	Optional Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.
nodeSelector object (keys:string, values:string)	Optional The filter for the Operator to apply when selecting which nodes on which to deploy MinIO KES pods. The Operator only selects those nodes whose labels match the specified selector. See the Kubernetes documentation on Assigning Pods to Nodes for more information.
tolerations Toleration array	Optional Specify one or more Kubernetes tolerations to apply to MinIO KES pods.
affinity Affinity	Optional Specify node affinity, pod affinity, and pod anti-affinity for the KES pods.
topologySpreadConstraints TopologySpreadConstraint array	Optional Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.
keyName string	Optional If provided, use this as the name of the key that KES creates on the KMS backend
securityContext PodSecurityContext	Specify the Security Context of MinIO KES pods. The Operator supports only the following pod security fields: * fsGroup * fsGroupChangePolicy * runAsGroup * runAsNonRoot * runAsUser * seLinuxOptions
env EnvVar array	Optional If provided, the MinIO Operator adds the specified environment variables when deploying the KES resource.

LocalCertificateReference

LocalCertificateReference (externalCertSecret, externalCaCertSecret,clientCertSecret) contains a Kubernetes secret containing TLS certificates or Certificate Authority files for use with enabling TLS in the MinIO Tenant.

Appears In:

• KESConfig

• TenantSpec

Field	Description
name string	Required The name of the Kubernetes secret containing the TLS certificate or Certificate Authority file.
type string	Required The type of Kubernetes secret. Specify kubernetes.io/tls

Logging

Logging describes Logging for MinIO tenants.

Appears In:

• TenantSpec

Field	Description
json boolean
anonymous boolean
quiet boolean

Pool

Pool (pools) defines a MinIO server pool on a Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant.
See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.

Appears In:

• TenantSpec

Field	Description
name string	Optional Specify the name of the pool. The Operator automatically generates the pool name if this field is omitted.
servers integer	Required The number of MinIO server pods to deploy in the pool. The minimum value is 2. The MinIO Operator requires a minimum of 4 volumes per pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.
volumesPerServer integer	Required The number of Persistent Volume Claims to generate for each MinIO server pod in the pool. The MinIO Operator requires a minimum of 4 volumes per pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.
volumeClaimTemplate PersistentVolumeClaim	Required Specify the configuration options for the MinIO Operator to use when generating Persistent Volume Claims for the MinIO tenant.
resources ResourceRequirements	Optional Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.
nodeSelector object (keys:string, values:string)	Optional The filter for the Operator to apply when selecting which nodes on which to deploy pods in the pool. The Operator only selects those nodes whose labels match the specified selector. See the Kubernetes documentation on Assigning Pods to Nodes for more information.
affinity Affinity	Optional Specify node affinity, pod affinity, and pod anti-affinity for pods in the MinIO pool.
tolerations Toleration array	Optional Specify one or more Kubernetes tolerations to apply to pods deployed in the MinIO pool.
topologySpreadConstraints TopologySpreadConstraint array	Optional Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.
securityContext PodSecurityContext	Optional Specify the Security Context of pods in the pool. The Operator supports only the following pod security fields: * fsGroup * fsGroupChangePolicy * runAsGroup * runAsNonRoot * runAsUser
containerSecurityContext SecurityContext	Specify the Security Context of containers in the pool. The Operator supports only the following container security fields: * runAsGroup * runAsNonRoot * runAsUser
annotations object (keys:string, values:string)	Optional Specify custom labels and annotations to append to the Pool. Optional If provided, use these annotations for the Pool Objects Meta annotations (Statefulset and Pod template)
labels object (keys:string, values:string)	Optional If provided, use these labels for the Pool Objects Meta annotations (Statefulset and Pod template)
runtimeClassName string	Optional If provided, each pod on the Statefulset will run with the specified RuntimeClassName, for more info https://kubernetes.io/docs/concepts/containers/runtime-class/

PoolState (string)

PoolState represents the state of a pool

Appears In:

• PoolStatus

PoolStatus

PoolStatus keeps track of all the pools and their current state

Appears In:

• TenantStatus

Field	Description
ssName string
state PoolState
legacySecurityContext boolean	LegacySecurityContext stands for Legacy SecurityContext. It represents that these pool was created before v4.2.3 when we introduced the default securityContext as non-root, thus we should keep running this Pool without a Security Context

ServiceMetadata

ServiceMetadata (serviceMetadata) defines custom labels and annotations for the MinIO Object Storage service and/or MinIO Console service.

Appears In:

• TenantSpec

Field	Description
minioServiceLabels object (keys:string, values:string)	Optional If provided, append these labels to the MinIO service
minioServiceAnnotations object (keys:string, values:string)	Optional If provided, append these annotations to the MinIO service
consoleServiceLabels object (keys:string, values:string)	Optional If provided, append these labels to the Console service
consoleServiceAnnotations object (keys:string, values:string)	Optional If provided, append these annotations to the Console service

SideCars

SideCars (sidecars) defines a list of containers that the Operator attaches to each MinIO server pods in the pool.

Appears In:

• TenantSpec

Field	Description
containers Container array	Optional List of containers to run inside the Pod
volumeClaimTemplates PersistentVolumeClaim array	Optional volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.
volumes Volume array	Optional List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes

Tenant

Tenant is a Kubernetes object describing a MinIO Tenant.

Appears In:

• TenantList

Field	Description
apiVersion string	minio.min.io/v2
kind string	Tenant
metadata ObjectMeta	Refer to Kubernetes API documentation for fields of metadata.
scheduler TenantScheduler
spec TenantSpec	Required The root field for the MinIO Tenant object.

TenantDomains

TenantDomains (domains) - List of domains used to access the tenant from outside the kubernetes clusters. this will only configure MinIO for the domains listed, but external DNS configuration is still needed. The listed domains should include schema and port if any is used, i.e. https://minio.domain.com:8123

Appears In:

• Features

Field	Description
minio string array	List of Domains used by MinIO. This will enable DNS style access to the object store where the bucket name is inferred from a subdomain in the domain.
console string	Domain used to expose the MinIO Console, this will configure the redirect on MinIO when visiting from the browser If Console is exposed via a subpath, the domain should include it, i.e. https://console.domain.com:8123/subpath/

TenantScheduler

TenantScheduler (scheduler) - Object describing Kubernetes Scheduler to use for deploying the MinIO Tenant.

Appears In:

• Tenant

Field	Description
name string	Optional Specify the name of the Kubernetes scheduler to be used to schedule Tenant pods

TenantSpec

TenantSpec (spec) defines the configuration of a MinIO Tenant object.
The following parameters are specific to the minio.min.io/v2 MinIO CRD API spec definition added as part of the MinIO Operator v4.0.0.
For more complete documentation on this object, see the MinIO Kubernetes Documentation.

Appears In:

• Tenant

Field	Description
pools Pool array	Required An array of objects describing each MinIO server pool deployed in the MinIO Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant. The MinIO Tenant spec must have at least one element in the pools array. See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.
image string	Optional The Docker image to use when deploying minio server pods. Defaults to minio/minio:RELEASE.2023-07-21T21-12-44Z.
imagePullSecret LocalObjectReference	Optional Specify the secret key to use for pulling images from a private Docker repository.
podManagementPolicy PodManagementPolicyType	Optional Pod Management Policy for pod created by StatefulSet
credsSecret LocalObjectReference	optional Specify a Kubernetes opaque secret to use for setting the MinIO root access key and secret key. Specify the secret as name: <secret>. The Kubernetes secret must contain the following fields: * data.accesskey - The access key for the root credentials * data.secretkey - The secret key for the root credentials
env EnvVar array	Optional If provided, the MinIO Operator adds the specified environment variables when deploying the Tenant resource.
externalCertSecret LocalCertificateReference array	Optional Enables TLS with SNI support on each MinIO pod in the tenant. If externalCertSecret is omitted and requestAutoCert is set to false, the MinIO Tenant deploys without TLS enabled. Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName. Each element in the externalCertSecret array is an object containing the following fields: * - name - The name of the Kubernetes secret containing the TLS certificate. * - type - Specify kubernetes.io/tls See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
externalCaCertSecret LocalCertificateReference array	Optional Allows MinIO server pods to verify client TLS certificates signed by a Certificate Authority not in the pod’s trust store. Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. Each element in the externalCertSecret array is an object containing the following fields: * - name - The name of the Kubernetes secret containing the Certificate Authority. * - type - Specify kubernetes.io/tls. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
externalClientCertSecret LocalCertificateReference	Optional Enables mTLS authentication between the MinIO Tenant pods and MinIO KES. Required for enabling connectivity between the MinIO Tenant and MinIO KES. Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant. The secret must contain the following fields: * name - The name of the Kubernetes secret containing the TLS certificate. * type - Specify kubernetes.io/tls The specified certificate must correspond to an identity on the KES server. See the KES Wiki for more information on KES identities. If deploying KES with the MinIO Operator, include the hash of the certificate as part of the kes object specification. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
externalClientCertSecrets LocalCertificateReference array	Optional Provide support for mounting additional client certificate into MinIO Tenant pods Multiple client certificates will be mounted using the following folder structure: certs
	+ client.crt
+ client.key	+ client.crt
+ client.key	+ client.crt
+ client.key Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant that later can be referenced using environment variables. The secret must contain the following fields: * name - The name of the Kubernetes secret containing the TLS certificate. * type - Specify kubernetes.io/tls	mountPath string
Optional Mount path for MinIO volume (PV). Defaults to /export	subPath string
Optional Subpath inside mount path. This is the directory where MinIO stores data. Default to ""` (empty)	requestAutoCert boolean
Optional Enables using Kubernetes-based TLS certificate generation and signing for pods and services in the MinIO Tenant. * Specify true to explicitly enable automatic certificate generate (Default). * Specify false to disable automatic certificate generation. If requestAutoCert is set to false and externalCertSecret is omitted, the MinIO Tenant deploys without TLS enabled. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.	liveness Probe
Liveness Probe for container liveness. Container will be restarted if the probe fails.	readiness Probe
Readiness Probe for container readiness. Container will be removed from service endpoints if the probe fails.	startup Probe
Startup Probe allows to configure a max grace period for a pod to start before getting traffic routed to it.	features Features
S3 related features can be disabled or enabled such as bucketDNS etc.	certConfig CertificateConfig
Optional Enables setting the CommonName, Organization, and dnsName attributes for all TLS certificates automatically generated by the Operator. Configuring this object has no effect if requestAutoCert is false.	kes KESConfig
Optional Directs the MinIO Operator to deploy the MinIO Key Encryption Service (KES) using the specified configuration. The MinIO KES supports performing server-side encryption of objects on the MiNIO Tenant.	prometheusOperator boolean
Optional Directs the MinIO Operator to use prometheus operator. Tenant scrape configuration will be added to prometheus managed by the prometheus-operator.	serviceAccountName string
Optional The Kubernetes Service Account to use for running MinIO pods created as part of the Tenant.	priorityClassName string
Optional Indicates the Pod priority and therefore importance of a Pod relative to other Pods in the cluster. This is applied to MinIO pods only. Refer Kubernetes Priority Class documentation for more complete documentation.	imagePullPolicy PullPolicy
Optional The pull policy for the MinIO Docker image. Specify one of the following: * Always * Never * IfNotPresent (Default) Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images	sideCars SideCars
Optional A list of containers to run as sidecars along every MinIO Pod deployed in the tenant.	exposeServices ExposeServices
Optional Directs the Operator to expose the MinIO and/or Console services.	serviceMetadata ServiceMetadata
Optional Specify custom labels and annotations to append to the MinIO service and/or Console service.	users LocalObjectReference array
Optional An array of Kubernetes opaque secrets to use for generating MinIO users during tenant provisioning. Each element in the array is an object consisting of a key-value pair name: <string>, where the <string> references an opaque Kubernetes secret. Each referenced Kubernetes secret must include the following fields: * CONSOLE_ACCESS_KEY - The "Username" for the MinIO user * CONSOLE_SECRET_KEY - The "Password" for the MinIO user The Operator creates each user with the consoleAdmin policy by default. You can change the assigned policy after the Tenant starts.	buckets Bucket array
Optional Create buckets when creating a new tenant. Skip if bucket with given name already exists	logging Logging
Optional Enable JSON, Anonymous logging for MinIO tenants.	configuration LocalObjectReference

TenantUsage

TenantUsage are metrics regarding the usage and capacity of the tenant

Appears In:

• TenantStatus

Field	Description
capacity integer	Capacity the usage capacity of this tenant in bytes.
rawCapacity integer	Capacity the raw capacity of this tenant in bytes.
usage integer	Usage is how much data is managed by MinIO in bytes.
rawUsage integer	Usage is the raw usage on disks in bytes.
tiers TierUsage array	Tiers includes the usage of individual tiers in the tenant

TierUsage

TierUsage represents the usage from a tier setup by the tenant

Appears In:

• TenantUsage

Field	Description
Name string	Name of the tier
Type string	type of the tier
totalSize integer	TotalSize usage of the tier