Operator CRD v2 Reference
This page provides a quick, automatically generated reference for the
MinIO Operator v2 CRD (package v2). For more
complete documentation on the MinIO Operator CRD, see MinIO Kubernetes
Documentation.
The v2 API was released with the v4.0.0 MinIO Operator.
The MinIO Operator automatically converts existing tenants using the
/v1 API to /v2.
Bucket
Bucket describes the default created buckets
Field |
Description |
name
string
|
|
region
string
|
|
objectLock
boolean
|
|
CertificateConfig
CertificateConfig (certConfig) defines controlling attributes
associated to any TLS certificate automatically generated by the
Operator as part of tenant creation. These fields have no effect if
spec.autoCert: false.
Field |
Description |
commonName
string
|
Optional
The CommonName or CN attribute to associate to
automatically generated TLS certificates.
|
organizationName
string array
|
Optional
Specify one or more OrganizationName or O
attributes to associate to automatically generated TLS
certificates.
|
dnsNames
string array
|
Optional
Specify one or more x.509 Subject Alternative Names (SAN) to associate
to automatically generated TLS certificates. MinIO Server pods use SNI
to determine which certificate to respond with based on the requested
hostname. |
CertificateStatus
CertificateStatus keeps track of all the certificates managed by the
operator
Field |
Description |
autoCertEnabled
boolean
|
AutoCertEnabled registers whether we
know if the tenant has autocert enabled |
customCertificates
CustomCertificates
|
Provides the output of the
client, minio, and minioCAs custom TLS
certificates manually added to the Operator. |
CustomCertificateConfig
CustomCertificateConfig (customCertificateConfig) provides attributes
associated with the TLS certificates manually added to the Operator as
part of tenant creation. These fields contain no data if there are no
custom TLS certificates.
CustomCertificates
CustomCertificates (customCertificates) provides groupings of the TLS
certificates manually added to the Operator as part of tenant creation.
These fields contain no data if there are no custom TLS certificates.
ExposeServices
ExposeServices (exposeServices) defines the exposure of the MinIO
object storage and Console services.
Field |
Description |
minio
boolean
|
Optional
Directs the Operator to expose the MinIO service. Defaults to
true .
|
console
boolean
|
Optional
Directs the Operator to expose the MinIO Console service. Defaults to
true .
|
Features
Features (features) - Object describing which MinIO features to
enable/disable in the MinIO Tenant.
Field |
Description |
bucketDNS
boolean
|
Optional
Specify true to allow clients to access buckets using the
DNS path <bucket>.minio.default.svc.cluster.local.
Defaults to false. |
domains
TenantDomains
|
Optional
Specify a list of domains used to access MinIO and Console. |
enableSFTP
boolean
|
Optional
Starts minio server with SFTP support |
HealthStatus (string)
HealthStatus represents whether the tenant is healthy, with decreased
service or offline
KESConfig
KESConfig (kes) defines the configuration of the MinIO Key Encryption
Service (KES) StatefulSet deployed as
part of the MinIO Tenant. KES supports Server-Side Encryption of objects
using an external Key Management Service (KMS).
Field |
Description |
replicas
integer
|
Optional
Specify the number of replica KES pods to deploy in the tenant. Defaults
to 2 . |
image
string
|
Optional
|
imagePullPolicy
PullPolicy
|
Optional
The pull policy for the MinIO Docker image. Specify one of the
following:
* Always
* Never
* IfNotPresent (Default)
Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images |
serviceAccountName
string
|
Optional
The Kubernetes
Service Account to use for running MinIO KES pods created as part of
the Tenant.
|
kesSecret
LocalObjectReference
|
Required
Specify a Kubernetes
opaque secret which contains environment variables to use for
setting up the MinIO KES service.
See the MinIO
Operator console-secret.yaml for an example. |
externalCertSecret
LocalCertificateReference
|
Optional
Enables TLS with SNI support on each MinIO KES pod in the tenant. If
externalCertSecret is omitted and
spec.requestAutoCert is set to false, MinIO
KES pods deploy without TLS enabled.
Specify a Kubernetes
TLS secret. The MinIO Operator copies the specified certificate to
every MinIO pod in the tenant. When the MinIO pod/service responds to a
TLS connection request, it uses SNI to select the certificate with
matching subjectAlternativeName.
Specify an object containing the following fields:
* name - The name of the Kubernetes secret containing the
TLS certificate.
* type - Specify kubernetes.io/tls
See the MinIO
Operator CRD reference for examples and more complete documentation
on configuring TLS for MinIO Tenants. |
clientCertSecret
LocalCertificateReference
|
Optional
Specify a Kubernetes
TLS secret containing a custom root Certificate Authority and x.509
certificate to use for performing mTLS authentication with an external
Key Management Service, such as Hashicorp Vault.
Specify an object containing the following fields:
* name - The name of the Kubernetes secret containing the
Certificate Authority and x.509 Certificate.
* type - Specify kubernetes.io/tls
|
gcpCredentialSecretName
string
|
Optional
Specify the GCP default credentials to be used for KES to authenticate
to GCP key store |
gcpWorkloadIdentityPool
string
|
Optional
Specify the name of the workload identity pool (This is required for
generating service account token) |
annotations
object (keys:string, values:string)
|
Optional
If provided, use these annotations for KES Object Meta
annotations |
labels
object (keys:string, values:string)
|
Optional
If provided, use these labels for KES Object Meta labels |
resources
ResourceRequirements
|
Optional
Object specification for specifying CPU and memory resource
allocations or limits in the MinIO tenant.
|
nodeSelector
object (keys:string, values:string)
|
Optional
The filter for the Operator to apply when selecting which nodes on which
to deploy MinIO KES pods. The Operator only selects those nodes whose
labels match the specified selector.
See the Kubernetes documentation on Assigning
Pods to Nodes for more information. |
tolerations
Toleration
array
|
Optional
Specify one or more Kubernetes
tolerations to apply to MinIO KES pods. |
affinity
Affinity
|
Optional
Specify node affinity, pod affinity, and pod anti-affinity for the KES
pods.
|
topologySpreadConstraints
TopologySpreadConstraint
array
|
Optional
Specify one or more Kubernetes
Topology Spread Constraints to apply to pods deployed in the MinIO
pool. |
keyName
string
|
Optional
If provided, use this as the name of the key that KES creates on the KMS
backend |
securityContext
PodSecurityContext
|
Specify the Security
Context of MinIO KES pods. The Operator supports only the following
pod security fields:
* fsGroup
* fsGroupChangePolicy
* runAsGroup
* runAsNonRoot
* runAsUser
* seLinuxOptions
|
env
EnvVar
array
|
Optional
If provided, the MinIO Operator adds the specified environment variables
when deploying the KES resource. |
LocalCertificateReference
LocalCertificateReference (externalCertSecret, externalCaCertSecret,
clientCertSecret) contains a Kubernetes secret
containing TLS certificates or Certificate Authority files for use with
enabling TLS in the MinIO Tenant.
Field |
Description |
name
string
|
Required
The name of the Kubernetes secret containing the TLS certificate or
Certificate Authority file.
|
type
string
|
Required
The type of Kubernetes secret. Specify
kubernetes.io/tls
|
Logging
Logging describes Logging for MinIO tenants.
Field |
Description |
json
boolean
|
|
anonymous
boolean
|
|
quiet
boolean
|
|
Pool
Pool (pools) defines a MinIO server pool on a Tenant. Each pool
consists of a set of MinIO server pods which "pool" their storage
resources for supporting object storage and retrieval requests. Each
server pool is independent of all others and supports horizontal scaling
of available storage resources in the MinIO Tenant.
See the MinIO Operator CRD reference for the pools object for examples
and more complete documentation.
Field |
Description |
name
string
|
Optional
Specify the name of the pool. The Operator automatically generates the
pool name if this field is omitted. |
servers
integer
|
Required
The number of MinIO server pods to deploy in the pool. The minimum
value is 2. The MinIO Operator requires a minimum of 4
volumes per pool. Specifically, the result of
pools.servers X pools.volumesPerServer must be greater than 4.
|
volumesPerServer
integer
|
Required
The number of Persistent Volume Claims to generate for each MinIO server
pod in the pool.
The MinIO Operator requires a minimum of 4 volumes per
pool. Specifically, the result of
pools.servers X pools.volumesPerServer must be greater than
4 .
|
volumeClaimTemplate
PersistentVolumeClaim
|
Required
Specify the configuration options for the MinIO Operator to use when
generating Persistent Volume Claims for the MinIO tenant.
|
resources
ResourceRequirements
|
Optional
Object specification for specifying CPU and memory resource
allocations or limits in the MinIO tenant.
|
nodeSelector
object (keys:string, values:string)
|
Optional
The filter for the Operator to apply when selecting which nodes on which
to deploy pods in the pool. The Operator only selects those nodes whose
labels match the specified selector.
See the Kubernetes documentation on Assigning
Pods to Nodes for more information. |
affinity
Affinity
|
Optional
Specify node affinity, pod affinity, and pod anti-affinity for pods in
the MinIO pool.
|
tolerations
Toleration
array
|
Optional
Specify one or more Kubernetes
tolerations to apply to pods deployed in the MinIO pool. |
topologySpreadConstraints
TopologySpreadConstraint
array
|
Optional
Specify one or more Kubernetes
Topology Spread Constraints to apply to pods deployed in the MinIO
pool. |
securityContext
PodSecurityContext
|
Optional
Specify the Security
Context of pods in the pool. The Operator supports only the
following pod security fields:
* fsGroup
* fsGroupChangePolicy
* runAsGroup
* runAsNonRoot
* runAsUser
|
containerSecurityContext
SecurityContext
|
Specify the Security
Context of containers in the pool. The Operator supports only the
following container security fields:
* runAsGroup
* runAsNonRoot
* runAsUser
|
annotations
object (keys:string, values:string)
|
Optional
Specify custom labels and annotations to append to the Pool.
If provided, use these annotations for the Pool Objects Meta annotations
(Statefulset and Pod template) |
labels
object (keys:string, values:string)
|
Optional
If provided, use these labels for the Pool Objects Meta annotations
(Statefulset and Pod template) |
runtimeClassName
string
|
Optional
If provided, each pod on the Statefulset will run with the specified
RuntimeClassName, for more info https://kubernetes.io/docs/concepts/containers/runtime-class/ |
PoolState (string)
PoolState represents the state of a pool
PoolStatus
PoolStatus keeps track of all the pools and their current state
Field |
Description |
ssName
string
|
|
state
PoolState
|
|
legacySecurityContext
boolean
|
LegacySecurityContext stands for Legacy
SecurityContext. It indicates that this pool was created before v4.2.3,
when we introduced the default securityContext as non-root, thus we
should keep running this Pool without a Security Context |
ServiceMetadata
ServiceMetadata (serviceMetadata
) defines custom labels and
annotations for the MinIO Object Storage service and/or MinIO Console
service.
Field |
Description |
minioServiceLabels
object (keys:string, values:string)
|
Optional
If provided, append these labels to the MinIO service |
minioServiceAnnotations
object (keys:string, values:string)
|
Optional
If provided, append these annotations to the MinIO service |
consoleServiceLabels
object (keys:string, values:string)
|
Optional
If provided, append these labels to the Console service |
consoleServiceAnnotations
object (keys:string, values:string)
|
Optional
If provided, append these annotations to the Console service |
SideCars
SideCars (sidecars) defines a list of containers that the Operator
attaches to each MinIO server pod in the pool.
Field |
Description |
containers
Container
array
|
Optional
List of containers to run inside the Pod |
volumeClaimTemplates
PersistentVolumeClaim
array
|
Optional
volumeClaimTemplates is a list of claims that pods are allowed to
reference. The StatefulSet controller is responsible for mapping network
identities to claims in a way that maintains the identity of a pod.
Every claim in this list must have at least one matching (by name)
volumeMount in one container in the template. A claim in this list takes
precedence over any volumes in the template, with the same
name. |
volumes
Volume
array
|
Optional
List of volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes |
resources
ResourceRequirements
|
Optional
sidecar’s Resource, initcontainer will use that if set. |
Tenant
Tenant is a Kubernetes
object
describing a MinIO Tenant.
Field |
Description |
apiVersion
string
|
minio.min.io/v2
|
kind
string
|
Tenant
|
metadata
ObjectMeta
|
Refer to Kubernetes API documentation
for fields of metadata . |
scheduler
TenantScheduler
|
|
spec
TenantSpec
|
Required
The root field for the MinIO Tenant object. |
TenantDomains
TenantDomains (domains) - List of domains used to access the tenant
from outside the Kubernetes cluster. This will only configure MinIO for
the domains listed, but external DNS configuration is still needed. The
listed domains should include schema and port if any is used, i.e.
https://minio.domain.com:8123
Field |
Description |
minio
string array
|
List of Domains used by MinIO. This
will enable DNS style access to the object store where the bucket name
is inferred from a subdomain in the domain. |
console
string
|
Domain used to expose the MinIO
Console. This will configure the redirect on MinIO when visiting from
the browser. If Console is exposed via a subpath, the domain should
include it, i.e. https://console.domain.com:8123/subpath/ |
TenantScheduler
TenantScheduler (scheduler) - Object describing Kubernetes Scheduler
to use for deploying the MinIO Tenant.
Field |
Description |
name
string
|
Optional
Specify the name of the Kubernetes
scheduler to be used to schedule Tenant pods |
TenantSpec
TenantSpec (spec) defines the configuration of a MinIO Tenant
object.
The following parameters are specific to the v2 MinIO CRD API spec
definition added as part of the MinIO Operator v4.0.0.
For more complete documentation on this object, see the MinIO
Kubernetes Documentation.
Field |
Description |
pools
Pool
array
|
Required
An array of objects describing each MinIO server pool deployed in the
MinIO Tenant. Each pool consists of a set of MinIO server pods which
"pool" their storage resources for supporting object storage and
retrieval requests. Each server pool is independent of all others and
supports horizontal scaling of available storage resources in the MinIO
Tenant.
The MinIO Tenant spec must have at least
one element in the pools array.
See the MinIO
Operator CRD reference for the pools object for
examples and more complete documentation. |
image
string
|
Optional
|
imagePullSecret
LocalObjectReference
|
Optional
Specify the secret key to use for pulling images from a private Docker
repository.
|
podManagementPolicy
PodManagementPolicyType
|
Optional
Pod Management Policy for pod created by StatefulSet |
credsSecret
LocalObjectReference
|
Optional
Specify a Kubernetes
opaque secret to use for setting the MinIO root access key and
secret key. Specify the secret as name: <secret> . The
Kubernetes secret must contain the following fields:
* data.accesskey - The access key for the root
credentials
* data.secretkey - The secret key for the root
credentials
|
env
EnvVar
array
|
Optional
If provided, the MinIO Operator adds the specified environment variables
when deploying the Tenant resource. |
externalCertSecret
LocalCertificateReference
array
|
Optional
Enables TLS with SNI support on each MinIO pod in the tenant. If
externalCertSecret is omitted and
requestAutoCert is set to false, the MinIO
Tenant deploys without TLS enabled.
Specify an array of Kubernetes
TLS secrets. The MinIO Operator copies the specified certificates to
every MinIO server pod in the tenant. When the MinIO pod/service
responds to a TLS connection request, it uses SNI to select the
certificate with matching subjectAlternativeName.
Each element in the externalCertSecret array is an object
containing the following fields:
* name - The name of the Kubernetes secret containing the
TLS certificate.
* type - Specify kubernetes.io/tls
See the MinIO
Operator CRD reference for examples and more complete documentation
on configuring TLS for MinIO Tenants. |
externalCaCertSecret
LocalCertificateReference
array
|
Optional
Allows MinIO server pods to verify client TLS certificates signed by a
Certificate Authority not in the pod’s trust store.
Specify an array of Kubernetes
TLS secrets. The MinIO Operator copies the specified certificates to
every MinIO server pod in the tenant.
Each element in the externalCaCertSecret array is an object
containing the following fields:
* name - The name of the Kubernetes secret containing the
Certificate Authority.
* type - Specify kubernetes.io/tls.
See the MinIO
Operator CRD reference for examples and more complete documentation
on configuring TLS for MinIO Tenants. |
externalClientCertSecret
LocalCertificateReference
|
Optional
Enables mTLS authentication between the MinIO Tenant pods and MinIO KES.
Required for enabling connectivity between the MinIO
Tenant and MinIO KES.
Specify a Kubernetes
TLS secret. The MinIO Operator copies the specified certificate to
every MinIO server pod in the tenant. The secret must
contain the following fields:
* name - The name of the Kubernetes secret containing the
TLS certificate.
* type - Specify kubernetes.io/tls
The specified certificate must correspond to an
identity on the KES server. See the KES
Wiki for more information on KES identities.
If deploying KES with the MinIO Operator, include the hash of the
certificate as part of the kes
object specification.
See the MinIO
Operator CRD reference for examples and more complete documentation
on configuring TLS for MinIO Tenants. |
externalClientCertSecrets
LocalCertificateReference
array
|
Optional
Provides support for mounting additional client certificates into MinIO
Tenant pods. Multiple client certificates will be mounted using the
following folder structure:
* certs
* * client-0
* * * client.crt
* * * client.key
* * client-1
* * * client.crt
* * * client.key
* * client-2
* * * client.crt
* * * client.key
Specify a Kubernetes
TLS secret. The MinIO Operator copies the specified certificate to
every MinIO server pod in the tenant that later can be referenced using
environment variables. The secret must contain the
following fields:
* name - The name of the Kubernetes secret containing the
TLS certificate.
* type - Specify kubernetes.io/tls
|
mountPath
string
|
Optional
Mount path for MinIO volume (PV). Defaults to
/export |
subPath
string
|
Optional
Subpath inside mount path. This is the directory where MinIO stores
data. Defaults to "" (empty) |
requestAutoCert
boolean
|
Optional
Enables using Kubernetes-based
TLS certificate generation and signing for pods and services in the
MinIO Tenant.
* Specify true to explicitly enable automatic certificate
generation (Default).
* Specify false to disable automatic certificate
generation.
If requestAutoCert is set to false
and externalCertSecret is omitted, the
MinIO Tenant deploys without TLS enabled. See the MinIO
Operator CRD reference for examples and more complete documentation
on configuring TLS for MinIO Tenants. |
liveness
Probe
|
Liveness Probe for container liveness.
Container will be restarted if the probe fails. |
readiness
Probe
|
Readiness Probe for container
readiness. Container will be removed from service endpoints if the probe
fails. |
startup
Probe
|
Startup Probe allows configuring a max
grace period for a pod to start before getting traffic routed to
it. |
features
Features
|
S3 related features can be disabled or
enabled such as bucketDNS etc. |
certConfig
CertificateConfig
|
Optional
Enables setting the CommonName, Organization,
and dnsName attributes for all TLS certificates
automatically generated by the Operator. Configuring this object has no
effect if requestAutoCert is false.
|
kes
KESConfig
|
Optional
Directs the MinIO Operator to deploy the MinIO Key Encryption Service
(KES) using the specified configuration. The MinIO KES supports
performing server-side encryption of objects on the MinIO Tenant.
|
prometheusOperator
boolean
|
Optional
Directs the MinIO Operator to use prometheus operator.
Tenant scrape configuration will be added to prometheus managed by the
prometheus-operator. |
serviceAccountName
string
|
Optional
The Kubernetes
Service Account to use for running MinIO pods created as part of the
Tenant.
|
priorityClassName
string
|
Optional
Indicates the Pod priority and therefore importance of a Pod relative to
other Pods in the cluster. This is applied to MinIO pods only.
Refer to the Kubernetes Priority
Class documentation for more complete documentation. |
imagePullPolicy
PullPolicy
|
Optional
The pull policy for the MinIO Docker image. Specify one of the
following:
* Always
* Never
* IfNotPresent (Default)
Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images |
sideCars
SideCars
|
Optional
A list of containers to run as sidecars along every MinIO Pod deployed
in the tenant. |
exposeServices
ExposeServices
|
Optional
Directs the Operator to expose the MinIO and/or Console services.
|
serviceMetadata
ServiceMetadata
|
Optional
Specify custom labels and annotations to append to the MinIO service
and/or Console service. |
users
LocalObjectReference
array
|
Optional
An array of Kubernetes
opaque secrets to use for generating MinIO users during tenant
provisioning.
Each element in the array is an object consisting of a key-value pair
name: <string> , where the <string>
references an opaque Kubernetes secret.
Each referenced Kubernetes secret must include the following
fields:
* CONSOLE_ACCESS_KEY - The "Username" for the MinIO
user
* CONSOLE_SECRET_KEY - The "Password" for the MinIO
user
The Operator creates each user with the consoleAdmin policy
by default. You can change the assigned policy after the Tenant
starts.
|
buckets
Bucket
array
|
Optional
Create buckets when creating a new tenant. Skip if bucket with given
name already exists |
logging
Logging
|
Optional
Enable JSON, Anonymous logging for MinIO tenants. |
configuration
LocalObjectReference
|
Optional
Specify a secret that contains additional environment variable
configurations to be used for the MinIO pools. The secret is expected to
have a key named config.env containing all exported environment
variables for MinIO |
initContainers
Container
array
|
Optional
Add custom initContainers to StatefulSet |
additionalVolumes
Volume
array
|
Optional
If provided, statefulset will add these volumes. You should set the
rules for the corresponding volumes and volume mounts. We will not test
this rule, k8s will show the result. |
additionalVolumeMounts
VolumeMount
array
|
Optional
If provided, statefulset will add these volumes. You should set the
rules for the corresponding volumes and volume mounts. We will not test
this rule, k8s will show the result. |
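The TLS rules stated in the externalCertSecret, requestAutoCert, certConfig and KESConfig entries above, written as a pre-deployment check. This is an added example, not code from the MinIO Operator; lint_tenant_tls, the sample manifests and every secret name in them are constructed for illustration, and the Tenant is assumed to be already parsed into a Python dict.

```python
"""Added example: lint the TLS fields of a Tenant spec against this reference."""
TLS_TYPE = "kubernetes.io/tls"


def _as_list(value):
    """A LocalCertificateReference field may be one object or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_refs(path, value, findings):
    """Per this reference, every entry needs a name and type kubernetes.io/tls."""
    for i, ref in enumerate(_as_list(value)):
        if not isinstance(ref, dict) or not ref.get("name"):
            findings.append(f"{path}[{i}]: name is required")
        elif ref.get("type") != TLS_TYPE:
            findings.append(f"{path}[{i}]: type must be {TLS_TYPE}")


def lint_tenant_tls(tenant):
    """Return findings (strings) for the TLS-related fields of a Tenant dict."""
    spec = tenant.get("spec") or {}
    findings = []
    auto_cert = spec.get("requestAutoCert", True)  # documented default is true

    for field in ("externalCertSecret", "externalCaCertSecret",
                  "externalClientCertSecret", "externalClientCertSecrets"):
        _check_refs(f"spec.{field}", spec.get(field), findings)

    if auto_cert is False and not _as_list(spec.get("externalCertSecret")):
        findings.append("spec: requestAutoCert is false and externalCertSecret "
                        "is omitted, so the Tenant deploys without TLS")
    if auto_cert is False and "certConfig" in spec:
        findings.append("spec.certConfig: no effect while requestAutoCert is false")

    kes = spec.get("kes")
    if kes is not None:
        for field in ("externalCertSecret", "clientCertSecret"):
            _check_refs(f"spec.kes.{field}", kes.get(field), findings)
        if not (kes.get("kesSecret") or {}).get("name"):
            findings.append("spec.kes.kesSecret: required")
        if auto_cert is False and not _as_list(kes.get("externalCertSecret")):
            findings.append("spec.kes: requestAutoCert is false and externalCertSecret "
                            "is omitted, so KES pods deploy without TLS")
        if not _as_list(spec.get("externalClientCertSecret")):
            findings.append("spec.externalClientCertSecret: required for mTLS "
                            "between the Tenant and KES")
    return findings


# Constructed sample manifests; all secret names are placeholders.
WEAK = {"kind": "Tenant", "spec": {
    "requestAutoCert": False,
    "certConfig": {"commonName": "minio.example.internal"},
    "externalCaCertSecret": [{"name": "corp-ca", "type": "Opaque"}],
    "kes": {"kesSecret": {"name": "kes-config"}},
}}
HARDENED = {"kind": "Tenant", "spec": {
    "requestAutoCert": False,
    "externalCertSecret": [{"name": "minio-tls", "type": TLS_TYPE}],
    "externalCaCertSecret": [{"name": "corp-ca", "type": TLS_TYPE}],
    "externalClientCertSecret": {"name": "minio-kes-client", "type": TLS_TYPE},
    "kes": {"kesSecret": {"name": "kes-config"},
            "externalCertSecret": {"name": "kes-tls", "type": TLS_TYPE}},
}}

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_tenant_tls(doc) or "no findings")
```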
TenantUsage
TenantUsage are metrics regarding the usage and capacity of the tenant
Field |
Description |
capacity
integer
|
Capacity is the usage capacity of this
tenant in bytes. |
rawCapacity
integer
|
Capacity is the raw capacity of this
tenant in bytes. |
usage
integer
|
Usage is how much data is managed by
MinIO in bytes. |
rawUsage
integer
|
Usage is the raw usage on disks in
bytes. |
tiers
TierUsage
array
|
Tiers includes the usage of individual
tiers in the tenant |
TierUsage
TierUsage represents the usage from a tier set up by the tenant
Field |
Description |
Name
string
|
Name of the tier |
Type
string
|
type of the tier |
totalSize
integer
|
TotalSize usage of the tier |