# MinIO Access Method Verification

## Chosen Access Method

**Internal Cluster DNS**: `minio.geocrop.svc.cluster.local:9000`

This is the recommended method for accessing MinIO from within the Kubernetes cluster as it:
- Uses cluster-internal networking
- Bypasses external load balancers
- Provides lower latency
- Works without external network connectivity

## Credentials Obtained

Credentials were retrieved from the MinIO deployment environment variables:

```bash
kubectl -n geocrop get deployment minio -o jsonpath='{.spec.template.spec.containers[0].env}'
```

| Variable | Value |
|----------|-------|
| MINIO_ROOT_USER | minioadmin |
| MINIO_ROOT_PASSWORD | minioadmin123 |

**Note**: Credentials are stored in the deployment manifest (k8s/20-minio.yaml), not in Kubernetes secrets.

## MinIO Client (mc) Status

**NOT INSTALLED** on this server.

The MinIO client (`mc`) is not available. To install it for testing:

```bash
# Option 1: Binary download
curl https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc
chmod +x /usr/local/bin/mc

# Option 2: Via pip (less recommended)
pip install minio
```

## Testing Access

To test MinIO access from within the cluster (requires mc to be installed):

```bash
# Set alias
mc alias set geocrop-minio http://minio.geocrop.svc.cluster.local:9000 minioadmin minioadmin123

# List buckets
mc ls geocrop-minio/
```

## Current MinIO Service Configuration

From the cluster state:

| Service | Type | Cluster IP | Ports |
|---------|------|------------|-------|
| minio | ClusterIP | 10.43.71.8 | 9000/TCP, 9001/TCP |

## Issues Encountered

1. **No mc installed**: The MinIO client is not available on the current server. Installation required for direct CLI testing.

2. **Credentials in deployment**: Unlike TLS certificates (stored in secrets), the root user credentials are defined directly in the deployment manifest. This is a security consideration for future hardening.

3. **No dedicated credentials secret**: There is no `minio-credentials` secret in the namespace - only TLS secrets exist.

## Recommendations

1. Install mc for testing: `curl https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc`
2. Consider creating a Kubernetes secret for credentials (separate from deployment) in future hardening
3. Use the console port (9001) for web-based management if needed