MinIO Custom Resource Definition

The MinIO Operator installs a Custom Resource Definition (CRD) that describes a MinIO Tenant object. The Operator uses this CRD for provisioning and managing Tenant resources within a Kubernetes cluster.

This page documents the CRD reference for use in customizing Operator-deployed Tenants. This documentation assumes familiarity with all referenced Kubernetes concepts, utilities, and procedures.

Operator CRD v2 Reference

Package v2 - This page provides a quick automatically generated reference for the MinIO Operator Operator CRD v2 Reference CRD. For more complete documentation on the MinIO Operator CRD, see MinIO Kubernetes Documentation.

The Operator CRD v2 Reference API was released with the v4.0.0 MinIO Operator. The MinIO Operator automatically converts existing tenants using the /v1 API to /v2.

Tenant

Bucket

Bucket describes the default created buckets

TenantSpec

Field	Description
`name` string
`region` string
`objectLock` boolean

CertificateConfig

CertificateConfig (certConfig) defines controlling attributes associated to any TLS certificate automatically generated by the Operator as part of tenant creation. These fields have no effect if spec.autoCert: false.

TenantSpec

Field	Description
`commonName` string	Optional The `CommonName` or `CN` attribute to associate to automatically generated TLS certificates.
`organizationName` string array	Optional Specify one or more `OrganizationName` or `O` attributes to associate to automatically generated TLS certificates.
`dnsNames` string array	Optional Specify one or more x.509 Subject Alternative Names (SAN) to associate to automatically generated TLS certificates. MinIO Server pods use SNI to determine which certificate to respond with based on the requested hostname.

CertificateStatus

CertificateStatus keeps track of all the certificates managed by the operator

TenantStatus

Field	Description
`autoCertEnabled` boolean	AutoCertEnabled registers whether we know if the tenant has autocert enabled
`customCertificates` CustomCertificates	Provides the output of the `client`, `minio`, and`minioCAs` custom TLS certificates manually added to the Operator.

CustomCertificateConfig

CustomCertificateConfig (customCertificateConfig) provides attributes associated of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

CustomCertificates

CustomCertificates

CustomCertificates (customCertificates) provides groupings of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

CertificateStatus

Field	Description
`client` CustomCertificateConfig array	Optional Client
`minio` CustomCertificateConfig array	Optional Minio
`minioCAs` CustomCertificateConfig array	Optional Certificate Authorities

ExposeServices

ExposeServices (exposeServices) defines the exposure of the MinIO object storage and Console services.

TenantSpec

Field	Description
`minio` boolean	Optional Directs the Operator to expose the MinIO service. Defaults to `true`.
`console` boolean	Optional Directs the Operator to expose the MinIO Console service. Defaults to `true`.

Features

Features (features) - Object describing which MinIO features to enable/disable in the MinIO Tenant.

TenantSpec

Field	Description
`bucketDNS` boolean	Optional Specify `true` to allow clients to access buckets using the DNS path `<bucket>.minio.default.svc.cluster.local`. Defaults to `false`.
`domains` TenantDomains	Optional Specify a list of domains used to access MinIO and Console.
`enableSFTP` boolean	Optional Starts minio server with SFTP support

HealthStatus (string)

HealthStatus represents whether the tenant is healthy, with decreased service or offline

TenantStatus

KESConfig

KESConfig (kes) defines the configuration of the MinIO Key Encryption Service (KES) StatefulSet deployed as part of the MinIO Tenant. KES supports Server-Side Encryption of objects using an external Key Management Service (KMS).

TenantSpec

Field	Description
`replicas` integer	Optional Specify the number of replica KES pods to deploy in the tenant. Defaults to `2`.
`image` string	Optional
`imagePullPolicy` PullPolicy	Optional The pull policy for the MinIO Docker image. Specify one of the following: * `Always` * `Never` * `IfNotPresent` (Default) Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images
`serviceAccountName` string	Optional The Kubernetes Service Account to use for running MinIO KES pods created as part of the Tenant.
`kesSecret` LocalObjectReference	Required Specify a Kubernetes opaque secret which contains environment variables to use for setting up the MinIO KES service. See the MinIO Operator `console-secret.yaml` for an example.
`externalCertSecret` LocalCertificateReference	Optional Enables TLS with SNI support on each MinIO KES pod in the tenant. If `externalCertSecret` is omitted and `spec.requestAutoCert` is set to `false`, MinIO KES pods deploy without TLS enabled. Specify a Kubernetes TLS secret. The MinIO Operator copies the specified certificate to every MinIO pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching `subjectAlternativeName`. Specify an object containing the following fields: * - `name` - The name of the Kubernetes secret containing the TLS certificate. * - `type` - Specify `kubernetes.io/tls` See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
`clientCertSecret` LocalCertificateReference	Optional Specify a a Kubernetes TLS secret containing a custom root Certificate Authority and x.509 certificate to use for performing mTLS authentication with an external Key Management Service, such as Hashicorp Vault. Specify an object containing the following fields: * - `name` - The name of the Kubernetes secret containing the Certificate Authority and x.509 Certificate. * - `type` - Specify `kubernetes.io/tls`
`gcpCredentialSecretName` string	Optional Specify the GCP default credentials to be used for KES to authenticate to GCP key store
`gcpWorkloadIdentityPool` string	Optional Specify the name of the workload identity pool (This is required for generating service account token)
`annotations` object (keys:string, values:string)	Optional If provided, use these annotations for KES Object Meta annotations
`labels` object (keys:string, values:string)	Optional If provided, use these labels for KES Object Meta labels
`resources` ResourceRequirements	Optional Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.
`nodeSelector` object (keys:string, values:string)	Optional The filter for the Operator to apply when selecting which nodes on which to deploy MinIO KES pods. The Operator only selects those nodes whose labels match the specified selector. See the Kubernetes documentation on Assigning Pods to Nodes for more information.
`tolerations` Toleration array	Optional Specify one or more Kubernetes tolerations to apply to MinIO KES pods.
`affinity` Affinity	Optional Specify node affinity, pod affinity, and pod anti-affinity for the KES pods.
`topologySpreadConstraints` TopologySpreadConstraint array	Optional Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.
`keyName` string	Optional If provided, use this as the name of the key that KES creates on the KMS backend
`securityContext` PodSecurityContext	Specify the Security Context of MinIO KES pods. The Operator supports only the following pod security fields: * `fsGroup` * `fsGroupChangePolicy` * `runAsGroup` * `runAsNonRoot` * `runAsUser` * `seLinuxOptions`
`env` EnvVar array	Optional If provided, the MinIO Operator adds the specified environment variables when deploying the KES resource.

LocalCertificateReference

LocalCertificateReference (externalCertSecret, externalCaCertSecret,clientCertSecret) contains a Kubernetes secret containing TLS certificates or Certificate Authority files for use with enabling TLS in the MinIO Tenant.

KESConfig
TenantSpec

Field	Description
`name` string	Required The name of the Kubernetes secret containing the TLS certificate or Certificate Authority file.
`type` string	Required The type of Kubernetes secret. Specify `kubernetes.io/tls`

Logging

Logging describes Logging for MinIO tenants.

TenantSpec

Field	Description
`json` boolean
`anonymous` boolean
`quiet` boolean

Pool

Pool (pools) defines a MinIO server pool on a Tenant. Each pool consists of a set of MinIO server pods which “pool” their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant. See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.

TenantSpec

Field	Description
`name` string	Optional Specify the name of the pool. The Operator automatically generates the pool name if this field is omitted.
`servers` integer	Required The number of MinIO server pods to deploy in the pool. The minimum value is `2`. The MinIO Operator requires a minimum of `4` volumes per pool. Specifically, the result of `pools.servers X pools.volumesPerServer` must be greater than `4`.
`volumesPerServer` integer	Required The number of Persistent Volume Claims to generate for each MinIO server pod in the pool. The MinIO Operator requires a minimum of `4` volumes per pool. Specifically, the result of `pools.servers X pools.volumesPerServer` must be greater than `4`.
`volumeClaimTemplate` PersistentVolumeClaim	Required Specify the configuration options for the MinIO Operator to use when generating Persistent Volume Claims for the MinIO tenant.
`resources` ResourceRequirements	Optional Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.
`nodeSelector` object (keys:string, values:string)	Optional The filter for the Operator to apply when selecting which nodes on which to deploy pods in the pool. The Operator only selects those nodes whose labels match the specified selector. See the Kubernetes documentation on Assigning Pods to Nodes for more information.
`affinity` Affinity	Optional Specify node affinity, pod affinity, and pod anti-affinity for pods in the MinIO pool.
`tolerations` Toleration array	Optional Specify one or more Kubernetes tolerations to apply to pods deployed in the MinIO pool.
`topologySpreadConstraints` TopologySpreadConstraint array	Optional Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.
`securityContext` PodSecurityContext	Optional Specify the Security Context of pods in the pool. The Operator supports only the following pod security fields: * `fsGroup` * `fsGroupChangePolicy` * `runAsGroup` * `runAsNonRoot` * `runAsUser`
`containerSecurityContext` SecurityContext	Specify the Security Context of containers in the pool. The Operator supports only the following container security fields: * `runAsGroup` * `runAsNonRoot` * `runAsUser`
`annotations` object (keys:string, values:string)	Optional Specify custom labels and annotations to append to the Pool. Optional If provided, use these annotations for the Pool Objects Meta annotations (Statefulset and Pod template)
`labels` object (keys:string, values:string)	Optional If provided, use these labels for the Pool Objects Meta annotations (Statefulset and Pod template)
`runtimeClassName` string	Optional If provided, each pod on the Statefulset will run with the specified RuntimeClassName, for more info https://kubernetes.io/docs/concepts/containers/runtime-class/

PoolState (string)

PoolState represents the state of a pool

PoolStatus

PoolStatus

PoolStatus keeps track of all the pools and their current state

TenantStatus

Field	Description
`ssName` string
`state` PoolState
`legacySecurityContext` boolean	LegacySecurityContext stands for Legacy SecurityContext. It represents that these pool was created before v4.2.3 when we introduced the default securityContext as non-root, thus we should keep running this Pool without a Security Context

ServiceMetadata

ServiceMetadata (serviceMetadata) defines custom labels and annotations for the MinIO Object Storage service and/or MinIO Console service.

TenantSpec

Field	Description
`minioServiceLabels` object (keys:string, values:string)	Optional If provided, append these labels to the MinIO service
`minioServiceAnnotations` object (keys:string, values:string)	Optional If provided, append these annotations to the MinIO service
`consoleServiceLabels` object (keys:string, values:string)	Optional If provided, append these labels to the Console service
`consoleServiceAnnotations` object (keys:string, values:string)	Optional If provided, append these annotations to the Console service

SideCars

SideCars (sidecars) defines a list of containers that the Operator attaches to each MinIO server pods in the pool.

TenantSpec

Field	Description
`containers` Container array	Optional List of containers to run inside the Pod
`volumeClaimTemplates` PersistentVolumeClaim array	Optional volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.
`volumes` Volume array	Optional List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes
`resources` ResourceRequirements	Optional sidecar’s Resource, initcontainer will use that if set.

Tenant

Tenant is a Kubernetes object describing a MinIO Tenant.

TenantList

Field	Description
`apiVersion` string	`Operator CRD v2 Reference`
`kind` string	`Tenant`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`scheduler` TenantScheduler
`spec` TenantSpec	Required The root field for the MinIO Tenant object.

TenantDomains

TenantDomains (domains) - List of domains used to access the tenant from outside the kubernetes clusters. this will only configure MinIO for the domains listed, but external DNS configuration is still needed. The listed domains should include schema and port if any is used, i.e. https://minio.domain.com:8123

Features

Field	Description
`minio` string array	List of Domains used by MinIO. This will enable DNS style access to the object store where the bucket name is inferred from a subdomain in the domain.
`console` string	Domain used to expose the MinIO Console, this will configure the redirect on MinIO when visiting from the browser If Console is exposed via a subpath, the domain should include it, i.e. https://console.domain.com:8123/subpath/

TenantScheduler

TenantScheduler (scheduler) - Object describing Kubernetes Scheduler to use for deploying the MinIO Tenant.

Tenant

Field	Description
`name` string	Optional Specify the name of the Kubernetes scheduler to be used to schedule Tenant pods

TenantSpec

TenantSpec (spec) defines the configuration of a MinIO Tenant object. The following parameters are specific to the Operator CRD v2 Reference MinIO CRD API spec definition added as part of the MinIO Operator v4.0.0. For more complete documentation on this object, see the MinIO Kubernetes Documentation.

Tenant

Field	Description
`pools` Pool array	Required An array of objects describing each MinIO server pool deployed in the MinIO Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant. The MinIO Tenant `spec` must have at least one element in the `pools` array. See the MinIO Operator CRD reference for the `pools` object for examples and more complete documentation.
`image` string	Optional
`imagePullSecret` LocalObjectReference	Optional Specify the secret key to use for pulling images from a private Docker repository.
`podManagementPolicy` PodManagementPolicyType	Optional Pod Management Policy for pod created by StatefulSet
`credsSecret` LocalObjectReference	optional Specify a Kubernetes opaque secret to use for setting the MinIO root access key and secret key. Specify the secret as `name: <secret>`. The Kubernetes secret must contain the following fields: * `data.accesskey` - The access key for the root credentials * `data.secretkey` - The secret key for the root credentials
`env` EnvVar array	Optional If provided, the MinIO Operator adds the specified environment variables when deploying the Tenant resource.
`externalCertSecret` LocalCertificateReference array	Optional Enables TLS with SNI support on each MinIO pod in the tenant. If `externalCertSecret` is omitted and `requestAutoCert` is set to `false`, the MinIO Tenant deploys without TLS enabled. Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching `subjectAlternativeName`. Each element in the `externalCertSecret` array is an object containing the following fields: * - `name` - The name of the Kubernetes secret containing the TLS certificate. * - `type` - Specify `kubernetes.io/tls` See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
`externalCaCertSecret` LocalCertificateReference array	Optional Allows MinIO server pods to verify client TLS certificates signed by a Certificate Authority not in the pod’s trust store. Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. Each element in the `externalCertSecret` array is an object containing the following fields: * - `name` - The name of the Kubernetes secret containing the Certificate Authority. * - `type` - Specify `kubernetes.io/tls`. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
`externalClientCertSecret` LocalCertificateReference	Optional Enables mTLS authentication between the MinIO Tenant pods and MinIO KES. Required for enabling connectivity between the MinIO Tenant and MinIO KES. Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant. The secret must contain the following fields: * `name` - The name of the Kubernetes secret containing the TLS certificate. * `type` - Specify `kubernetes.io/tls` The specified certificate must correspond to an identity on the KES server. See the KES Wiki for more information on KES identities. If deploying KES with the MinIO Operator, include the hash of the certificate as part of the `kes` object specification. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
`externalClientCertSecrets` LocalCertificateReference array	Optional Provide support for mounting additional client certificate into MinIO Tenant pods Multiple client certificates will be mounted using the following folder structure: * certs * * client-0 * * * client.crt * * * client.key * * client-1 * * * client.crt * * * client.key * * * client-2 * * client.crt * * * client.key Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant that later can be referenced using environment variables. The secret must contain the following fields: * `name` - The name of the Kubernetes secret containing the TLS certificate. * `type` - Specify `kubernetes.io/tls`
`mountPath` string	Optional Mount path for MinIO volume (PV). Defaults to `/export`
`subPath` string	Optional Subpath inside mount path. This is the directory where MinIO stores data. Default to ""` (empty)
`requestAutoCert` boolean	Optional Enables using Kubernetes-based TLS certificate generation and signing for pods and services in the MinIO Tenant. * Specify `true` to explicitly enable automatic certificate generate (Default). * Specify `false` to disable automatic certificate generation. If `requestAutoCert` is set to `false` and `externalCertSecret` is omitted, the MinIO Tenant deploys without TLS enabled. See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.
`liveness` Probe	Liveness Probe for container liveness. Container will be restarted if the probe fails.
`readiness` Probe	Readiness Probe for container readiness. Container will be removed from service endpoints if the probe fails.
`startup` Probe	Startup Probe allows to configure a max grace period for a pod to start before getting traffic routed to it.
`features` Features	S3 related features can be disabled or enabled such as `bucketDNS` etc.
`certConfig` CertificateConfig	Optional Enables setting the `CommonName`, `Organization`, and `dnsName` attributes for all TLS certificates automatically generated by the Operator. Configuring this object has no effect if `requestAutoCert` is `false`.
`kes` KESConfig	Optional Directs the MinIO Operator to deploy the MinIO Key Encryption Service (KES) using the specified configuration. The MinIO KES supports performing server-side encryption of objects on the MiNIO Tenant.
`prometheusOperator` boolean	Optional Directs the MinIO Operator to use prometheus operator. Tenant scrape configuration will be added to prometheus managed by the prometheus-operator.
`serviceAccountName` string	Optional The Kubernetes Service Account to use for running MinIO pods created as part of the Tenant.
`priorityClassName` string	Optional Indicates the Pod priority and therefore importance of a Pod relative to other Pods in the cluster. This is applied to MinIO pods only. Refer Kubernetes Priority Class documentation for more complete documentation.
`imagePullPolicy` PullPolicy	Optional The pull policy for the MinIO Docker image. Specify one of the following: * `Always` * `Never` * `IfNotPresent` (Default) Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images
`sideCars` SideCars	Optional A list of containers to run as sidecars along every MinIO Pod deployed in the tenant.
`exposeServices` ExposeServices	Optional Directs the Operator to expose the MinIO and/or Console services.
`serviceMetadata` ServiceMetadata	Optional Specify custom labels and annotations to append to the MinIO service and/or Console service.
`users` LocalObjectReference array	Optional An array of Kubernetes opaque secrets to use for generating MinIO users during tenant provisioning. Each element in the array is an object consisting of a key-value pair `name: <string>`, where the `<string>` references an opaque Kubernetes secret. Each referenced Kubernetes secret must include the following fields: * `CONSOLE_ACCESS_KEY` - The "Username" for the MinIO user * `CONSOLE_SECRET_KEY` - The "Password" for the MinIO user The Operator creates each user with the `consoleAdmin` policy by default. You can change the assigned policy after the Tenant starts.
`buckets` Bucket array	Optional Create buckets when creating a new tenant. Skip if bucket with given name already exists
`logging` Logging	Optional Enable JSON, Anonymous logging for MinIO tenants.
`configuration` LocalObjectReference	Optional Specify a secret that contains additional environment variable configurations to be used for the MinIO pools. The secret is expected to have a key named config.env containing all exported environment variables for MinIO+
`initContainers` Container array	Optional Add custom initContainers to StatefulSet
`additionalVolumes` Volume array	Optional If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.
`additionalVolumeMounts` VolumeMount array	Optional If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.

TenantUsage

TenantUsage are metrics regarding the usage and capacity of the tenant

TenantStatus

Field	Description
`capacity` integer	Capacity the usage capacity of this tenant in bytes.
`rawCapacity` integer	Capacity the raw capacity of this tenant in bytes.
`usage` integer	Usage is how much data is managed by MinIO in bytes.
`rawUsage` integer	Usage is the raw usage on disks in bytes.
`tiers` TierUsage array	Tiers includes the usage of individual tiers in the tenant

TierUsage

TierUsage represents the usage from a tier setup by the tenant

TenantUsage

Field	Description
`Name` string	Name of the tier
`Type` string	type of the tier
`totalSize` integer	TotalSize usage of the tier