chore(infra): retire self-hosted MinIO after DO Spaces flip

k8s/app.yaml

@@ -128,18 +128,13 @@ spec:
                   name: instant-secrets
                   key: R2_BUCKET_NAME
                   optional: true
-            - name: MINIO_ROOT_USER
-              valueFrom:
-                secretKeyRef:
-                  name: instant-secrets
-                  key: MINIO_ROOT_USER
-                  optional: true
-            - name: MINIO_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: instant-secrets
-                  key: MINIO_ROOT_PASSWORD
-                  optional: true
+            # Object storage credentials (DO Spaces / AWS S3 / GCS / R2 etc.)
+            # are sourced from instant-secrets as OBJECT_STORE_* — see
+            # internal/config/config.go. The legacy MINIO_ROOT_USER/PASSWORD
+            # injection was removed when self-hosted MinIO was retired
+            # (PR: chore(infra): retire self-hosted MinIO after DO Spaces flip).
+            # config.go still reads MINIO_* as a fallback for local docker-compose
+            # dev, so existing .env files keep working unchanged.
           readinessProbe:
             httpGet:
               path: /healthz

k8s/configmap.yaml

@@ -25,5 +25,8 @@ data:
   COMPUTE_PROVIDER: "k8s"
   STACK_EXPOSE_VIA: "nodeport"
   KUBE_NAMESPACE_APPS: "instant-apps"
-  MINIO_ENDPOINT: "minio.instant-data.svc.cluster.local:9000"
-  MINIO_BUCKET_NAME: "instant-shared"
+  # Object storage endpoint/bucket are sourced from instant-secrets as
+  # OBJECT_STORE_* (see internal/config/config.go). The legacy MINIO_ENDPOINT
+  # / MINIO_BUCKET_NAME ConfigMap entries were removed when self-hosted
+  # MinIO was retired in favour of DO Spaces — see PR:
+  # chore(infra): retire self-hosted MinIO after DO Spaces flip.

k8s/provisioner/deployment.yaml

@@ -98,21 +98,12 @@ spec:
               value: "1"
             - name: K8S_MONGO_STORAGE_GI
               value: "1"
-            # ── MinIO storage bytes queries ───────────────────────────────────
-            - name: MINIO_ENDPOINT
-              value: "minio.instant-data.svc.cluster.local:9000"
-            - name: MINIO_BUCKET_NAME
-              value: "instant-shared"
-            - name: MINIO_ROOT_USER
-              valueFrom:
-                secretKeyRef:
-                  name: minio-secrets
-                  key: MINIO_ROOT_USER
-            - name: MINIO_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: minio-secrets
-                  key: MINIO_ROOT_PASSWORD
+            # Object-storage credentials for the per-resource StorageBytes
+            # queries are sourced from instant-infra-secrets as OBJECT_STORE_*
+            # (DO Spaces is now the active backend). The legacy MINIO_*
+            # injection block that lived here was removed when self-hosted
+            # MinIO was retired — see PR:
+            # chore(infra): retire self-hosted MinIO after DO Spaces flip.
           readinessProbe:
             tcpSocket:
               port: 50051

k8s/secrets.yaml

@@ -26,6 +26,17 @@ stringData:
   R2_API_TOKEN: "CHANGE_ME"
   R2_ENDPOINT: "CHANGE_ME"
   R2_BUCKET_NAME: "CHANGE_ME"
-  # MinIO credentials (same values as in infra/k8s/data/minio-secret.yaml)
-  MINIO_ROOT_USER: "minioadmin"
-  MINIO_ROOT_PASSWORD: "minioadmin123"
+  # Object storage backend (DO Spaces is the live default — see api/internal/config/config.go).
+  # OBJECT_STORE_BACKEND: "shared-key" for DO Spaces / AWS S3 / GCS / R2 etc.
+  OBJECT_STORE_BACKEND: "shared-key"
+  OBJECT_STORE_ENDPOINT: "CHANGE_ME"      # e.g. nyc3.digitaloceanspaces.com
+  OBJECT_STORE_PUBLIC_URL: "CHANGE_ME"    # e.g. https://nyc3.digitaloceanspaces.com
+  OBJECT_STORE_ACCESS_KEY: "CHANGE_ME"
+  OBJECT_STORE_SECRET_KEY: "CHANGE_ME"
+  OBJECT_STORE_BUCKET: "instant-shared"
+  OBJECT_STORE_REGION: "nyc3"
+  OBJECT_STORE_SECURE: "true"
+  # Legacy MINIO_* keys were removed when self-hosted MinIO was retired.
+  # config.go still reads MINIO_* as a fallback for local docker-compose dev,
+  # but production no longer needs them. See PR:
+  # chore(infra): retire self-hosted MinIO after DO Spaces flip.

k8s/worker/deployment.yaml

@@ -59,26 +59,43 @@ spec:
               value: development
             - name: KUBE_NAMESPACE_APPS
               value: "instant-apps"
-            # MinIO storage_bytes scanner — added 2026-05-11 in worker
-            # PR #4. The scanner walks every storage resource's bucket
-            # once per scan interval, sums object sizes, and updates
-            # resources.storage_bytes in the platform Postgres. When
-            # MINIO_ENDPOINT is empty (e.g., in CI), the scanner runs
-            # as a fail-open no-op and emits a single warn-log line
-            # per storage resource per interval.
-            - name: MINIO_ENDPOINT
-              value: "minio.instant-data.svc.cluster.local:9000"
-            - name: MINIO_BUCKET_NAME
-              value: "instant-shared"
-            - name: MINIO_ROOT_USER
+            # Object storage scanner — reads OBJECT_STORE_* env vars from
+            # instant-infra-secrets and walks each storage resource's
+            # bucket prefix to update resources.storage_bytes in platform
+            # Postgres. The legacy MINIO_* env injection was removed when
+            # self-hosted MinIO was retired (DO Spaces is now the active
+            # backend) — see PR: chore(infra): retire self-hosted MinIO
+            # after DO Spaces flip. The scanner falls back to MINIO_* via
+            # config.go for local docker-compose dev.
+            - name: OBJECT_STORE_ENDPOINT
               valueFrom:
                 secretKeyRef:
                   name: instant-infra-secrets
-                  key: MINIO_ROOT_USER
+                  key: OBJECT_STORE_ENDPOINT
                   optional: true
-            - name: MINIO_ROOT_PASSWORD
+            - name: OBJECT_STORE_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
                   name: instant-infra-secrets
-                  key: MINIO_ROOT_PASSWORD
+                  key: OBJECT_STORE_ACCESS_KEY
                   optional: true
+            - name: OBJECT_STORE_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: instant-infra-secrets
+                  key: OBJECT_STORE_SECRET_KEY
+                  optional: true
+            - name: OBJECT_STORE_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: instant-infra-secrets
+                  key: OBJECT_STORE_BUCKET
+                  optional: true
+            - name: OBJECT_STORE_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: instant-infra-secrets
+                  key: OBJECT_STORE_REGION
+                  optional: true
+            - name: OBJECT_STORE_SECURE
+              value: "true"