# MinIO Access Method Verification

## Chosen Access Method

**Internal Cluster DNS**: `minio.geocrop.svc.cluster.local:9000`

This is the recommended method for accessing MinIO from within the Kubernetes cluster as it:

- Uses cluster-internal networking
- Bypasses external load balancers
- Provides lower latency
- Works without external network connectivity

## Credentials Obtained

Credentials were retrieved from the MinIO deployment environment variables:

```bash
kubectl -n geocrop get deployment minio -o jsonpath='{.spec.template.spec.containers[0].env}'
```

| Variable | Value |
|----------|-------|
| MINIO_ROOT_USER | minioadmin |
| MINIO_ROOT_PASSWORD | minioadmin123 |

**Note**: Credentials are stored in the deployment manifest (k8s/20-minio.yaml), not in Kubernetes secrets.

## MinIO Client (mc) Status

**NOT INSTALLED** on this server.

The MinIO client (`mc`) is not available. To install it for testing:

```bash
# Option 1: Binary download
curl https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc
chmod +x /usr/local/bin/mc

# Option 2: Via pip (less recommended; this installs the MinIO Python SDK, not the mc binary)
pip install minio
```

## Testing Access

To test MinIO access from within the cluster (requires mc to be installed):

```bash
# Set alias
mc alias set geocrop-minio http://minio.geocrop.svc.cluster.local:9000 minioadmin minioadmin123

# List buckets
mc ls geocrop-minio/
```

## Current MinIO Service Configuration

From the cluster state:

| Service | Type | Cluster IP | Ports |
|---------|------|------------|-------|
| minio | ClusterIP | 10.43.71.8 | 9000/TCP, 9001/TCP |

## Issues Encountered

1. **No mc installed**: The MinIO client is not available on the current server. Installation required for direct CLI testing.

2. **Credentials in deployment**: Unlike TLS certificates (stored in secrets), the root user credentials are defined directly in the deployment manifest. This is a security consideration for future hardening.

3. **No dedicated credentials secret**: There is no `minio-credentials` secret in the namespace - only TLS secrets exist.

## Recommendations

1. Install mc for testing: `curl https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc`
2. Consider creating a Kubernetes secret for credentials (separate from deployment) in future hardening
3. Use the console port (9001) for web-based management if needed

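
A check for issue 2 above (root credentials defined inline in the Deployment), as an added example that is not part of the original report: it classifies the env array returned by the `kubectl ... -o jsonpath` query by where each value comes from. It assumes that array is available as JSON; the name pattern, the `secret_ref` helper and the Secret key names `root-user`/`root-password` are hypothetical.

```python
import json
import re

# Names treated as credentials (this pattern is an assumption of the example).
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN|ROOT_USER|ACCESS_KEY", re.I)


def audit_env(env_json):
    """Report where each credential-like env entry gets its value from."""
    findings = []
    for entry in json.loads(env_json) or []:
        name = entry.get("name", "")
        if not SENSITIVE.search(name):
            continue
        source = entry.get("valueFrom") or {}
        if "secretKeyRef" in source:
            ref = source["secretKeyRef"]
            status, detail = "secret", f"{ref.get('name')}/{ref.get('key')}"
        elif "value" in entry:
            # Literal in the pod spec, readable by anyone who can get the Deployment.
            status, detail = "inline", "literal value in manifest"
        else:
            # configMapKeyRef, fieldRef or no value at all: review by hand.
            status, detail = "review", ", ".join(source) or "no value set"
        findings.append({"name": name, "status": status, "detail": detail})
    return findings


def secret_ref(var, key):
    """Env entry that reads `var` from the minio-credentials Secret."""
    ref = {"name": "minio-credentials", "key": key}
    return {"name": var, "valueFrom": {"secretKeyRef": ref}}


# Constructed inputs: CURRENT mirrors the state this page reports, HARDENED
# reads the same pair from a Secret (key names are hypothetical).
CURRENT = json.dumps([
    {"name": "MINIO_ROOT_USER", "value": "minioadmin"},
    {"name": "MINIO_ROOT_PASSWORD", "value": "minioadmin123"},
])
HARDENED = json.dumps([
    secret_ref("MINIO_ROOT_USER", "root-user"),
    secret_ref("MINIO_ROOT_PASSWORD", "root-password"),
])

if __name__ == "__main__":
    for label, doc in (("current", CURRENT), ("hardened", HARDENED)):
        for f in audit_env(doc):
            print(f"{label:9}{f['name']:21}{f['status']:8}{f['detail']}")
```

The findings carry only the variable name and the value source, never the value itself, so the output can be pasted into a ticket or CI log.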