DEV Community

DEV-AI

MinIO as an Enterprise CDN: Use Case & K8s Deployment Steps

MinIO as an Enterprise CDN: Use Case & Benefits

Deploying MinIO on Kubernetes enables you to build a scalable, private CDN for assets (CSS, JS, images) used by web or mobile applications.

Key benefits include:

  • Scalability: Automatically grows with application traffic.
  • Performance: Built-in compression and cache headers optimize asset delivery.
  • Security: Strict OWASP-compliant headers, access controls, and TLS encryption protect every asset.
  • API Compatibility: S3 interface integrates with DevOps, CI/CD, and analytics pipelines.
  • Multi-cloud Ready: Runs on any Kubernetes cluster, on-prem or cloud.

Below is a YAML-only Helm values file for a production-ready, secure MinIO CDN, with OWASP HTTP headers (CSP, CORS, HSTS, etc.) preconfigured for static asset serving.

# minio-cdn-values.yaml — OWASP-hardened MinIO for secure static asset CDN

tenant:
  name: cdn-minio
  image:
    repository: minio/minio
    tag: RELEASE.2024-08-17T01-24-54Z
    pullPolicy: IfNotPresent

  pools:
    - name: pool-0
      servers: 4
      volumesPerServer: 2
      size: 100Gi
      storageClassName: fast-ssd

  console:
    image:
      repository: minio/console
      tag: v0.30.0
    replicaCount: 2

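  users:
    # Placeholder credential: replace before deploying and keep the real value out of version control.
    # consoleAdmin is MinIO's built-in full-admin policy.
    - accessKey: cdn-admin
      secretKey: "CHANGEME_SUPER_SECRET"
      policy: consoleAdmin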

  tls:
    enabled: true
    certSecret: minio-tls-secret

  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    runAsNonRoot: true

  env:
    # S3 public URLs and built-in compression
    - name: MINIO_SERVER_URL
      value: "https://cdn.your-domain.com"
    - name: MINIO_COMPRESSION_ENABLE
      value: "on"
    - name: MINIO_COMPRESSION_EXTENSIONS
      value: ".txt,.log,.csv,.json,.css,.js"
    - name: MINIO_COMPRESSION_MIME_TYPES
      value: "text/*,application/json,application/xml"

    # ── OWASP / HTTP security headers ────────────────
    # CSP: restrict asset sources to own CDN
    - name: MINIO_BROWSER_HEADER_CONTENT_SECURITY_POLICY
      value: "default-src 'self'; img-src 'self' https://cdn.your-domain.com/images; style-src 'self' https://cdn.your-domain.com/css; script-src 'self' https://cdn.your-domain.com/js"
    # CORS: only GET/HEAD from allowed origins
    - name: MINIO_API_CORS_ALLOW_ORIGIN
      value: "https://your-frontend.com,https://www.your-frontend.com"
    - name: MINIO_API_CORS_ALLOW_METHODS
      value: "GET,HEAD"
    - name: MINIO_API_CORS_ALLOW_HEADERS
      value: "Authorization"
    - name: MINIO_API_CORS_EXPOSE_HEADERS
      value: "ETag"
    - name: MINIO_API_CORS_MAX_AGE
      value: "3600"
    # HSTS
    - name: MINIO_BROWSER_HEADER_STRICT_TRANSPORT_SECURITY
      value: "max-age=63072000; includeSubDomains; preload"
    # Clickjacking, XSS, and content type protections
    - name: MINIO_BROWSER_HEADER_X_FRAME_OPTIONS
      value: "DENY"
    - name: MINIO_BROWSER_HEADER_X_CONTENT_TYPE_OPTIONS
      value: "nosniff"
    - name: MINIO_BROWSER_HEADER_REFERRER_POLICY
      value: "strict-origin-when-cross-origin"
    - name: MINIO_BROWSER_HEADER_PERMISSIONS_POLICY
      value: "geolocation=(), microphone=(), camera=()"
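    # Legacy header: modern browsers no longer act on X-XSS-Protection,
    # and OWASP's current guidance is to set it to 0 or omit it.
    - name: MINIO_BROWSER_HEADER_X_XSS_PROTECTION
      value: "1; mode=block"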

service:
  type: ClusterIP
  port: 9000

consoleService:
  type: ClusterIP
  port: 9001

Deploy with:

helm repo add minio https://operator.min.io/
helm repo update
kubectl create ns minio-cdn
helm install cdn-minio minio/tenant -n minio-cdn -f minio-cdn-values.yaml

This configuration delivers a simple, cloud-native, secure CDN for your static resources—ready to connect with your ingress, asset pipeline, or development team needs.
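A values file only states intent, so after the install it is worth confirming that responses actually carry the headers configured above. The following check is an added example, not part of the original post or of MinIO: it compares a captured header block (for instance the output of `curl -sI -H 'Origin: https://your-frontend.com' <asset URL>`) with the values from the env block, and the function names and the sample response are constructed for illustration.

```python
# Expected values copied from the env block of the values file on this page.
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}
ALLOWED_ORIGINS = {"https://your-frontend.com", "https://www.your-frontend.com"}


def parse_headers(raw):
    """Parse a raw header block (as printed by `curl -sI`) into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return a sorted list of findings; an empty list means every check passed."""
    got = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        if name not in got:
            findings.append(f"missing: {name}")
        elif got[name] != want:
            findings.append(f"mismatch: {name} = {got[name]!r}")
    csp = got.get("content-security-policy", "")
    if "default-src 'self'" not in csp:
        findings.append("missing: content-security-policy default-src 'self'")
    origin = got.get("access-control-allow-origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        findings.append(f"cors: unexpected allow-origin {origin!r}")
    return sorted(findings)


# Constructed sample: a response on which only some of the settings took effect.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/css
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the same check against the ingress hostname as well as the MinIO service shows whether a proxy in front adds, strips, or overrides any of these headers.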
