From 94d6be47c45c279fdb91782bc81c751dc0bc6399 Mon Sep 17 00:00:00 2001 
From: Manas Srivastava Date: Mon, 11 May 2026 22:35:36 +0530 Subject: [PATCH] chore(infra): retire self-hosted MinIO after DO Spaces flip DO Spaces is now the active object-store backend. The self-hosted MinIO Deployment in the instant-data namespace is no longer in the request path for POST /storage/new. This PR retires the local MinIO manifests and replaces every MINIO_* env injection on production k8s deployments with OBJECT_STORE_* sourced from instant-secrets / instant-infra-secrets. Manifests deleted: - k8s/data/minio.yaml (Deployment + PVC + Service + NodePort 30900/30901) - k8s/data/minio-bucket-init.yaml (Job that created the instant-shared bucket on first deploy) - k8s/data/minio-secret.yaml (local-dev MinIO root creds in instant-data ns) Env-var injection updated: - k8s/app.yaml (instant-api): removed MINIO_ROOT_USER/PASSWORD optional secret refs. The API reads OBJECT_STORE_* from instant-secrets via internal/config/config.go. - k8s/worker/deployment.yaml (instant-worker): replaced MINIO_* env vars (the storage_bytes scanner block) with OBJECT_STORE_* sourced from instant-infra-secrets. - k8s/provisioner/deployment.yaml (instant-provisioner): removed the MINIO_* block used for StorageBytes queries. Also removes the dangling reference to a "minio-secrets" Secret in the instant-infra namespace that was never defined in-tree. - k8s/configmap.yaml: removed MINIO_ENDPOINT / MINIO_BUCKET_NAME. - k8s/secrets.yaml (template): removed MINIO_ROOT_USER/PASSWORD template keys; added OBJECT_STORE_* template keys. Not touched (intentional): - k8s/data/minio-ingress.yaml is untracked locally and not part of this commit; it serves s3.instanode.dev -> minio Service and will 404 once the Deployment is removed. A follow-up commit on master should delete or repoint it to DO Spaces. - api/internal/config/config.go keeps the legacy MINIO_* fallback so local docker-compose dev (where MINIO_* env vars may still be set in a .env file) continues to work unchanged. 
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 k8s/app.yaml | 19 ++---
 k8s/configmap.yaml | 7 +-
 k8s/data/minio-bucket-init.yaml | 46 ------------
 k8s/data/minio-secret.yaml | 12 ----
 k8s/data/minio.yaml | 124 --------------------------------
 k8s/provisioner/deployment.yaml | 21 ++----
 k8s/secrets.yaml | 17 ++++-
 k8s/worker/deployment.yaml | 47 ++++++++----
 8 files changed, 64 insertions(+), 229 deletions(-)
 delete mode 100644 k8s/data/minio-bucket-init.yaml
 delete mode 100644 k8s/data/minio-secret.yaml
 delete mode 100644 k8s/data/minio.yaml
diff --git a/k8s/app.yaml b/k8s/app.yaml
index 959316b..da7d2db 100644
--- a/k8s/app.yaml
+++ b/k8s/app.yaml
@@ -128,18 +128,13 @@ spec:
 name: instant-secrets
 key: R2_BUCKET_NAME
 optional: true
- - name: MINIO_ROOT_USER
- valueFrom:
- secretKeyRef:
- name: instant-secrets
- key: MINIO_ROOT_USER
- optional: true
- - name: MINIO_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: instant-secrets
- key: MINIO_ROOT_PASSWORD
- optional: true
+ # Object storage credentials (DO Spaces / AWS S3 / GCS / R2 etc.)
+ # are sourced from instant-secrets as OBJECT_STORE_* — see
+ # internal/config/config.go. The legacy MINIO_ROOT_USER/PASSWORD
+ # injection was removed when self-hosted MinIO was retired
+ # (PR: chore(infra): retire self-hosted MinIO after DO Spaces flip).
+ # config.go still reads MINIO_* as a fallback for local docker-compose
+ # dev, so existing .env files keep working unchanged.
 readinessProbe:
 httpGet:
 path: /healthz
diff --git a/k8s/configmap.yaml b/k8s/configmap.yaml
index 3959696..8c52fd5 100644
--- a/k8s/configmap.yaml
+++ b/k8s/configmap.yaml
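Review bot: In k8s/app.yaml the removed `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` entries are replaced by a comment only, so nothing in this hunk injects `OBJECT_STORE_*` into the instant-api container even though the comment says they are sourced from instant-secrets. The neighbouring `R2_BUCKET_NAME` entry uses an explicit `secretKeyRef`, which suggests this file injects keys one by one; unless an `envFrom` for instant-secrets exists outside the hunk, the API would start without object-store credentials and might take the `MINIO_*` fallback path that config.go is said to keep. The k8s/provisioner/deployment.yaml hunk has the same shape (comment added, no env entries), while the worker hunk adds explicit refs. I would add explicit entries here and in the provisioner, without `optional: true` on the endpoint and credential keys, as sketched below; the container spec continues outside the hunk.

```yaml
# … unchanged: R2_* entries above …
- name: OBJECT_STORE_ENDPOINT
  valueFrom:
    secretKeyRef:
      name: instant-secrets
      key: OBJECT_STORE_ENDPOINT
- name: OBJECT_STORE_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: instant-secrets
      key: OBJECT_STORE_ACCESS_KEY
- name: OBJECT_STORE_SECRET_KEY
  valueFrom:
    secretKeyRef:
      name: instant-secrets
      key: OBJECT_STORE_SECRET_KEY
# … likewise OBJECT_STORE_BUCKET / OBJECT_STORE_REGION; readinessProbe unchanged …
```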
@@ -25,5 +25,8 @@ data:
 COMPUTE_PROVIDER: "k8s"
 STACK_EXPOSE_VIA: "nodeport"
 KUBE_NAMESPACE_APPS: "instant-apps"
- MINIO_ENDPOINT: "minio.instant-data.svc.cluster.local:9000"
- MINIO_BUCKET_NAME: "instant-shared"
+ # Object storage endpoint/bucket are sourced from instant-secrets as
+ # OBJECT_STORE_* (see internal/config/config.go). The legacy MINIO_ENDPOINT
+ # / MINIO_BUCKET_NAME ConfigMap entries were removed when self-hosted
+ # MinIO was retired in favour of DO Spaces — see PR:
+ # chore(infra): retire self-hosted MinIO after DO Spaces flip.
diff --git a/k8s/data/minio-bucket-init.yaml b/k8s/data/minio-bucket-init.yaml
deleted file mode 100644
index 8231b47..0000000
--- a/k8s/data/minio-bucket-init.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-# One-shot Job: creates the instant-shared bucket in MinIO after it starts.
-# Idempotent — mc mb --ignore-existing is safe to re-run.
-# Apply after minio.yaml: kubectl apply -f data/minio-bucket-init.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: minio-bucket-init
- namespace: instant-data
-spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: wait-for-minio
- image: busybox:1.36
- command:
- - sh
- - -c
- - |
- until wget -q -O /dev/null http://minio.instant-data.svc.cluster.local:9000/minio/health/ready; do
- echo "Waiting for MinIO..."; sleep 3
- done
- echo "MinIO ready."
- containers:
- - name: create-bucket
- image: minio/mc:RELEASE.2024-10-02T08-27-28Z
- command:
- - sh
- - -c
- - |
- mc alias set myminio \
- http://minio.instant-data.svc.cluster.local:9000 \
- "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" && \
- mc mb --ignore-existing myminio/instant-shared && \
- echo "Bucket instant-shared is ready."
- env:
- - name: MINIO_ROOT_USER
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_USER
- - name: MINIO_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_PASSWORD
diff --git a/k8s/data/minio-secret.yaml b/k8s/data/minio-secret.yaml
deleted file mode 100644
index 3dc6e8f..0000000
--- a/k8s/data/minio-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# MinIO root credentials — local dev only.
-# Apply: kubectl apply -f data/minio-secret.yaml
-# The API pod reads these same values from instant-secrets (instant namespace).
-apiVersion: v1
-kind: Secret
-metadata:
- name: minio-secrets
- namespace: instant-data
-type: Opaque
-stringData:
- MINIO_ROOT_USER: "minioadmin"
- MINIO_ROOT_PASSWORD: "minioadmin123"
diff --git a/k8s/data/minio.yaml b/k8s/data/minio.yaml
deleted file mode 100644
index e10bd54..0000000
--- a/k8s/data/minio.yaml
+++ /dev/null
@@ -1,124 +0,0 @@
-# MinIO S3-compatible object storage — instant-data namespace
-# Local dev backend for POST /storage/new.
-# Apply: kubectl apply -f data/minio-secret.yaml && kubectl apply -f data/minio.yaml
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: minio-data
- namespace: instant-data
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: minio
- namespace: instant-data
- labels:
- app: minio
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: minio
- template:
- metadata:
- labels:
- app: minio
- spec:
- containers:
- - name: minio
- image: minio/minio:RELEASE.2024-10-13T13-34-11Z
- args:
- - server
- - /data
- - --console-address
- - :9001
- env:
- - name: MINIO_ROOT_USER
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_USER
- - name: MINIO_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_PASSWORD
- ports:
- - name: api
- containerPort: 9000
- - name: console
- containerPort: 9001
- resources:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "512Mi"
- cpu: "500m"
- readinessProbe:
- httpGet:
- path: /minio/health/ready
- port: 9000
- initialDelaySeconds: 10
- periodSeconds: 10
- livenessProbe:
- httpGet:
- path: /minio/health/live
- port: 9000
- initialDelaySeconds: 30
- periodSeconds: 30
- volumeMounts:
- - name: data
- mountPath: /data
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: minio-data
----
-# Cluster-internal service (used by the API pod)
-apiVersion: v1
-kind: Service
-metadata:
- name: minio
- namespace: instant-data
- labels:
- app: minio
-spec:
- selector:
- app: minio
- ports:
- - name: api
- port: 9000
- targetPort: 9000
- - name: console
- port: 9001
- targetPort: 9001
----
-# NodePort for external access from test machine / developer browser
-apiVersion: v1
-kind: Service
-metadata:
- name: minio-external
- namespace: instant-data
- labels:
- app: minio
-spec:
- type: NodePort
- selector:
- app: minio
- ports:
- - name: api
- port: 9000
- targetPort: 9000
- nodePort: 30900
- - name: console
- port: 9001
- targetPort: 9001
- nodePort: 30901
diff --git a/k8s/provisioner/deployment.yaml b/k8s/provisioner/deployment.yaml
index 80b2631..487818e 100644
--- a/k8s/provisioner/deployment.yaml
+++ b/k8s/provisioner/deployment.yaml
@@ -98,21 +98,12 @@ spec:
 value: "1"
 - name: K8S_MONGO_STORAGE_GI
 value: "1"
- # ── MinIO storage bytes queries ───────────────────────────────────
- - name: MINIO_ENDPOINT
- value: "minio.instant-data.svc.cluster.local:9000"
- - name: MINIO_BUCKET_NAME
- value: "instant-shared"
- - name: MINIO_ROOT_USER
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_USER
- - name: MINIO_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: minio-secrets
- key: MINIO_ROOT_PASSWORD
+ # Object-storage credentials for the per-resource StorageBytes
+ # queries are sourced from instant-infra-secrets as OBJECT_STORE_*
+ # (DO Spaces is now the active backend). The legacy MINIO_*
+ # injection block that lived here was removed when self-hosted
+ # MinIO was retired — see PR:
+ # chore(infra): retire self-hosted MinIO after DO Spaces flip.
 readinessProbe:
 tcpSocket:
 port: 50051
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
index e8ef3ed..6b30ef7 100644
--- a/k8s/secrets.yaml
+++ b/k8s/secrets.yaml
@@ -26,6 +26,17 @@ stringData:
 R2_API_TOKEN: "CHANGE_ME"
 R2_ENDPOINT: "CHANGE_ME"
 R2_BUCKET_NAME: "CHANGE_ME"
- # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml)
- MINIO_ROOT_USER: "minioadmin"
- MINIO_ROOT_PASSWORD: "minioadmin123"
+ # Object storage backend (DO Spaces is the live default — see api/internal/config/config.go).
+ # OBJECT_STORE_BACKEND: "shared-key" for DO Spaces / AWS S3 / GCS / R2 etc.
+ OBJECT_STORE_BACKEND: "shared-key"
+ OBJECT_STORE_ENDPOINT: "CHANGE_ME" # e.g. nyc3.digitaloceanspaces.com
+ OBJECT_STORE_PUBLIC_URL: "CHANGE_ME" # e.g. https://nyc3.digitaloceanspaces.com
+ OBJECT_STORE_ACCESS_KEY: "CHANGE_ME"
+ OBJECT_STORE_SECRET_KEY: "CHANGE_ME"
+ OBJECT_STORE_BUCKET: "instant-shared"
+ OBJECT_STORE_REGION: "nyc3"
+ OBJECT_STORE_SECURE: "true"
+ # Legacy MINIO_* keys were removed when self-hosted MinIO was retired.
+ # config.go still reads MINIO_* as a fallback for local docker-compose dev,
+ # but production no longer needs them. See PR:
+ # chore(infra): retire self-hosted MinIO after DO Spaces flip.
diff --git a/k8s/worker/deployment.yaml b/k8s/worker/deployment.yaml
index 4fb46f1..8556340 100644
--- a/k8s/worker/deployment.yaml
+++ b/k8s/worker/deployment.yaml
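Review bot: The new `OBJECT_STORE_ACCESS_KEY` / `OBJECT_STORE_SECRET_KEY` placeholders in k8s/secrets.yaml carry no guidance on what kind of key belongs there or which Secrets need them. The worker hunk in this patch reads the same key names from `instant-infra-secrets`, and no template for that Secret is visible here, so an operator following only this file may leave the worker without credentials. I would add a comment above the two keys such as `# Use a key limited to the OBJECT_STORE_BUCKET bucket; never commit real values. The same OBJECT_STORE_* keys must also exist in instant-infra-secrets.` It would also help to note next to `OBJECT_STORE_SECURE` that it should stay `"true"` outside local dev, assuming it controls TLS to the endpoint.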
@@ -59,26 +59,43 @@ spec:
 value: development
 - name: KUBE_NAMESPACE_APPS
 value: "instant-apps"
- # MinIO storage_bytes scanner — added 2026-05-11 in worker
- # PR #4. The scanner walks every storage resource's bucket
- # once per scan interval, sums object sizes, and updates
- # resources.storage_bytes in the platform Postgres. When
- # MINIO_ENDPOINT is empty (e.g., in CI), the scanner runs
- # as a fail-open no-op and emits a single warn-log line
- # per storage resource per interval.
- - name: MINIO_ENDPOINT
- value: "minio.instant-data.svc.cluster.local:9000"
- - name: MINIO_BUCKET_NAME
- value: "instant-shared"
- - name: MINIO_ROOT_USER
+ # Object storage scanner — reads OBJECT_STORE_* env vars from
+ # instant-infra-secrets and walks each storage resource's
+ # bucket prefix to update resources.storage_bytes in platform
+ # Postgres. The legacy MINIO_* env injection was removed when
+ # self-hosted MinIO was retired (DO Spaces is now the active
+ # backend) — see PR: chore(infra): retire self-hosted MinIO
+ # after DO Spaces flip. The scanner falls back to MINIO_* via
+ # config.go for local docker-compose dev.
+ - name: OBJECT_STORE_ENDPOINT
 valueFrom:
 secretKeyRef:
 name: instant-infra-secrets
- key: MINIO_ROOT_USER
+ key: OBJECT_STORE_ENDPOINT
 optional: true
- - name: MINIO_ROOT_PASSWORD
+ - name: OBJECT_STORE_ACCESS_KEY
 valueFrom:
 secretKeyRef:
 name: instant-infra-secrets
- key: MINIO_ROOT_PASSWORD
+ key: OBJECT_STORE_ACCESS_KEY
 optional: true
+ - name: OBJECT_STORE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: instant-infra-secrets
+ key: OBJECT_STORE_SECRET_KEY
+ optional: true
+ - name: OBJECT_STORE_BUCKET
+ valueFrom:
+ secretKeyRef:
+ name: instant-infra-secrets
+ key: OBJECT_STORE_BUCKET
+ optional: true
+ - name: OBJECT_STORE_REGION
+ valueFrom:
+ secretKeyRef:
+ name: instant-infra-secrets
+ key: OBJECT_STORE_REGION
+ optional: true
+ - name: OBJECT_STORE_SECURE
+ value: "true"
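Review bot: Every new `secretKeyRef` in this hunk, including `OBJECT_STORE_ACCESS_KEY` and `OBJECT_STORE_SECRET_KEY`, is marked `optional: true`, so a missing or misspelled key in instant-infra-secrets lets the worker start with the variable unset instead of failing the rollout. The removed comment documented that the scanner runs as a fail-open no-op when its endpoint is empty; if that behaviour still holds (not visible here), `resources.storage_bytes` would silently stop updating in production, or the `MINIO_*` fallback mentioned in the new comment would be taken. I would drop `optional: true` from the endpoint and the two credential keys in this production manifest, and keep a sentence in the comment block describing what the scanner does when they are absent. `OBJECT_STORE_BACKEND` from the secrets template is not injected here either; confirm the worker does not need it. The container spec starts before this hunk.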