Deploy MinIO Through EKS

Prerequisites

You must create a subscription in the AWS Marketplace for MinIO, otherwise the automation from this setup won't work due to a missing entitlement.

Additionally:

Configuration Parameters

To get started, you are going to need three basic configuration parameters for your cluster. Entering them below will populate the necessary commands to deploy MinIO through EKS.

Account Number What is this?
Region
Cluster Name

1.Setup Cluster

Copy
eksctl create cluster --config-file minio-cluster.yaml

Where the minio-cluster.yaml file is the following:

Download Copy
apiVersion: eksctl.io/v1alpha5
availabilityZones:
  - us-west-2c
  - us-west-2d
  - us-west-2b
cloudWatch:
  clusterLogging: { }
iam:
  vpcResourceControllerPolicy: true
  withOIDC: false
kind: ClusterConfig
managedNodeGroups:
  - amiFamily: AmazonLinux2
    desiredCapacity: 2
    maxSize: 2
    minSize: 2
    disableIMDSv1: false
    disablePodIMDS: false
    iam:
      withAddonPolicies:
        albIngress: false
        appMesh: false
        appMeshPreview: false
        autoScaler: false
        certManager: false
        cloudWatch: false
        ebs: false
        efs: false
        externalDNS: false
        fsx: false
        imageBuilder: false
        xRay: false
    instanceSelector: { }
    instanceType: m5.xlarge
    labels:
      alpha.eksctl.io/cluster-name: minio-cluster
      alpha.eksctl.io/nodegroup-name: ng-minio-mngt
      alpha.min.io/nodegroup-template: template
    name: ng-minio-mngt
    privateNetworking: false
    releaseVersion: ""
    securityGroups:
      withLocal: null
      withShared: null
    ssh:
      allow: false
      publicKeyPath: ""
    tags:
      alpha.eksctl.io/nodegroup-name: ng-minio-mngt
      alpha.eksctl.io/nodegroup-type: managed
    volumeIOPS: 3000
    volumeSize: 80
    volumeThroughput: 125
    volumeType: gp3
    preBootstrapCommands:
      - echo IyEvYmluL2Jhc2gKI3NldCAteAoKbW91bnRfZGV2aWNlKCl7CkRFVklDRT0iL2Rldi8kMSIKVk9MVU1FX05BTUU9JDIKTU9VTlRfUE9JTlQ9JDMKCmZvcm1hdF9kZXZpY2UoKSB7CiAgZWNobyAiRm9ybWF0dGluZyAkREVWSUNFIgogIG1rZnMueGZzIC1pbWF4cGN0PTI1IC1mIC1MICRNT1VOVF9QT0lOVCAkREVWSUNFCn0KY2hlY2tfZGV2aWNlKCkgewogIGlmIFsgLWYgIi9ldGMvc3lzdGVtZC9zeXN0ZW0vJE1PVU5UX1BPSU5ULm1vdW50IiBdOyB0aGVuCiAgICBlY2hvICJEZXZpY2UgJE1PVU5UX1BPSU5UICgkREVWSUNFKSBleGlzdHMiCiAgICBlY2hvICJObyBhY3Rpb25zIHJlcXVpcmVkLi4uIgogIGVsc2UKICAgIGVjaG8gIiRNT1VOVF9QT0lOVC5tb3VudCB3YXMgbm90IGZvdW5kLCBjcmVhdGluZyB2b2x1bWUiCiAgICBmb3JtYXRfZGV2aWNlCiAgZmkKfQpjaGVja19tb3VudCgpIHsKICBpZiBbIC1mICIvZXRjL3N5c3RlbWQvc3lzdGVtLyRNT1VOVF9QT0lOVC5tb3VudCIgXTsgdGhlbgogICAgZWNobyAiRm91bmQgJE1PVU5UX1BPSU5ULm1vdW50IGluIC9ldGMvc3lzdGVtZC9zeXN0ZW0vIgogICAgZWNobyAiTm8gYWN0aW9ucyByZXF1aXJlZC4uLiIKICBlbHNlCiAgICBlY2hvICIkTU9VTlRfUE9JTlQubW91bnQgd2FzIG5vdCBmb3VuZCBpbiAvZXRjL3N5c3RlbWQvc3lzdGVtLyBhZGRpbmcgaXQiCiAgICBta2RpciAtcCAvJE1PVU5UX1BPSU5UCiAgICAKICAgIGVjaG8gIltVbml0XSIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIkRlc2NyaXB0aW9uPU1vdW50IFN5c3RlbSBCYWNrdXBzIERpcmVjdG9yeSIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIiIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIltNb3VudF0iID4+IC9ldGMvc3lzdGVtZC9zeXN0ZW0vJE1PVU5UX1BPSU5ULm1vdW50CiAgICBlY2hvICJXaGF0PUxBQkVMPSRNT1VOVF9QT0lOVCIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIldoZXJlPS8kTU9VTlRfUE9JTlQiID4+IC9ldGMvc3lzdGVtZC9zeXN0ZW0vJE1PVU5UX1BPSU5ULm1vdW50CiAgICBlY2hvICJUeXBlPXhmcyIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIk9wdGlvbnM9bm9hdGltZSIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIiIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIltJbnN0YWxsXSIgPj4gL2V0Yy9zeXN0ZW1kL3N5c3RlbS8kTU9VTlRfUE9JTlQubW91bnQKICAgIGVjaG8gIldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0IiA+PiAvZXRjL3N5c3RlbWQvc3lzdGVtLyRNT1VOVF9QT0lOVC5tb3VudAoKICAgIHN5c3RlbWN0bCBlbmFibGUgJE1PVU5UX1BPSU5ULm1vdW50CiAgICBzeXN0ZW1jdGwgc3RhcnQgJE1PVU5UX1BPSU5ULm1vdW50CiAgZmkKfQpMQUJFTD0kKGJsa2lkIC1MICRWT0xVTUVfTkFNRSkKY2hlY2tfZGV2aWNlCmNoZWNrX21vdW50CnN5c3RlbWN0bCBkYWVtb24tcmVsb2FkCn0KCmZvciBpIGluIGBsc2JsayAtZCB8IGdyZXAgLXYgTkFNRSB8IGdyZXAgLXYgbnZtZTAgfCBhd2sgJ3twcmludCAkMX0nYDsgZG8KICBtbnRfcG9pbnQ9YGVjaG8gJGkgfCBzZWQgLWUgJ3MvbnZtZS9kaXNrL2cnIC1lICdzL24xLy9nJ2AKICBtb3VudF9kZXZpY2UgJGkgJGkgJG1udF9wb2ludDsKZG9uZQo= | base64 --decode > mount_drives.sh
      - chmod +x mount_drives.sh
      - ./mount_drives.sh
metadata:
  name: minio-cluster
  region: us-west-2
  version: "1.21"
privateCluster:
  enabled: false
  skipEndpointCreation: false
vpc:
  autoAllocateIPv6: false
  cidr: 192.168.0.0/16
  clusterEndpoints:
    privateAccess: false
    publicAccess: true
  manageSharedNodeSecurityGroupRules: true
  nat:
    gateway: Single

2.Setup Required Roles, Policies and Connectors

All of these are scoped to the specific cluster called minio-cluster on the region us-west-2 and the account number , so make sure to update those values on the Configuration Parameters step.

2.1.Create IAM Policy

Copy
aws iam create-policy \
    --policy-name minio-eks-minio-cluster-group-scaling \
    --policy-document file://iam-policy.json

Where the iam-policy.json file is the following:

Download Copy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeNodegroup",
        "eks:ListNodegroups"
      ],
      "Resource": [
        "arn:aws:eks:*::nodegroup/minio-cluster/*/*",
        "arn:aws:eks:us-west-2::cluster/minio-cluster"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "eks:UpdateNodegroupConfig",
      "Resource": [
        "arn:aws:eks:*::nodegroup/minio-cluster/*/*",
        "arn:aws:eks:us-west-2::cluster/minio-cluster"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "eks:CreateNodegroup",
        "eks:TagResource"
      ],
      "Resource": "arn:aws:eks:us-west-2::cluster/minio-cluster"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam:::role/eksctl-minio-cluster*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeSubnets",
        "autoscaling:Describe*",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:MeterUsage",
        "aws-marketplace:ResolveCustomer",
        "aws-marketplace:BatchMeterUsage",
        "aws-marketplace:GetEntitlements",
        "aws-marketplace:RegisterUsage"
      ],
      "Resource": "*"
    }
}

2.2.Create an OIDC Provider

Copy
eksctl utils associate-iam-oidc-provider --region=us-west-2 --cluster=minio-cluster --approve

2.3.Create Trust + Role + Service Account

Copy
eksctl create iamserviceaccount \
    --name integration-sa \
    --namespace minio-operator \
    --cluster minio-cluster \
    --attach-policy-arn arn:aws:iam:::policy/minio-eks-minio-cluster-group-scaling \
    --approve \
    --override-existing-serviceaccounts

3.Install Operator

Copy
kubectl apply -k github.com/minio/operator/resources/\?ref\=v4.3.7

3.1.Get the JWT to login to Operator UI

Copy
kubectl -n minio-operator  get secret $(kubectl -n minio-operator get serviceaccount console-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
Get the JWT to login to Operator UI

4.Port Forward into Operator UI

Copy
kubectl -n minio-operator port-forward svc/console 9090
Port Forward into Operator UI

4.1.Open the UI and Create a Tenant

Go to http://localhost:9090, enter the JWT from the previous step and create a tenant.

Open the UI

Now click on "Create Tenant".

Click on Create Tenant

Fill in the desired size of the MinIO tenant and the storage type:

Fill in the Details of MinIO Tenant

5.Sign up for MinIO Subscription Network

To receive 24/7 support, send us an email at with your AWS Account Number to get started.

You are using Internet Explorer version 11 or lower. Due to security issues and lack of support for web standards, it is highly recommended that you upgrade to a modern browser.