refactor(storage): remove MinIO backend, filesystem-only storage

Remove the MinIO/S3 storage backend entirely. The filesystem backend is fully implemented, already used in production, and a migrate-storage tool exists for any remaining MinIO deployments to migrate beforehand. Changes: - Delete MinIO client implementation (internal/storage/storage.go) - Delete migrate-storage tool (cmd/migrate-storage, scripts/migrate-storage.sh) - Remove MinIO service, volumes, and env vars from all Docker Compose files - Simplify StorageConfig: remove Endpoint, AccessKey, SecretKey, Bucket, UseSSL, Region fields; add SILO_STORAGE_ROOT_DIR env override - Change all SQL COALESCE defaults from 'minio' to 'filesystem' - Add migration 020 to update column defaults to 'filesystem' - Remove minio-go/v7 dependency (go mod tidy) - Update all config examples, setup scripts, docs, and tests
2026-02-19 14:36:22 -06:00
parent 12ecffdabe
commit 88d1ab1f97
30 changed files with 104 additions and 849 deletions
--- a/deployments/config.dev.yaml
+++ b/deployments/config.dev.yaml
@@ -17,12 +17,9 @@ database:
  max_connections: 10

 storage:
-  endpoint: "minio:9000"
-  access_key: "${MINIO_ACCESS_KEY:-silominio}"
-  secret_key: "${MINIO_SECRET_KEY:-silominiosecret}"
-  bucket: "silo-files"
-  use_ssl: false
-  region: "us-east-1"
+  backend: "filesystem"
+  filesystem:
+    root_dir: "/var/lib/silo/data"

 schemas:
  directory: "/etc/silo/schemas"
--- a/deployments/docker-compose.allinone.yaml
+++ b/deployments/docker-compose.allinone.yaml
@@ -1,5 +1,5 @@
 # Silo All-in-One Stack
-# PostgreSQL + MinIO + OpenLDAP + Silo API + Nginx (optional)
+# PostgreSQL + OpenLDAP + Silo API + Nginx (optional)
 #
 # Quick start:
 #   ./scripts/setup-docker.sh
@@ -40,29 +40,6 @@ services:
    networks:
      - silo-net

-  # ---------------------------------------------------------------------------
-  # MinIO (S3-compatible object storage)
-  # ---------------------------------------------------------------------------
-  minio:
-    image: minio/minio:latest
-    container_name: silo-minio
-    restart: unless-stopped
-    command: server /data --console-address ":9001"
-    environment:
-      MINIO_ROOT_USER: ${MINIO_ACCESS_KEY:?Run ./scripts/setup-docker.sh first}
-      MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY:?Run ./scripts/setup-docker.sh first}
-    volumes:
-      - minio_data:/data
-    ports:
-      - "9001:9001"           # MinIO console (remove in hardened setups)
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    networks:
-      - silo-net
-
  # ---------------------------------------------------------------------------
  # OpenLDAP (user directory for LDAP authentication)
  # ---------------------------------------------------------------------------
@@ -83,9 +60,13 @@ services:
      - openldap_data:/bitnami/openldap
      - ./ldap:/docker-entrypoint-initdb.d:ro
    ports:
-      - "1389:1389"           # LDAP access for debugging (remove in hardened setups)
+      - "1389:1389" # LDAP access for debugging (remove in hardened setups)
    healthcheck:
-      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost:1389 -b dc=silo,dc=local -D cn=admin,dc=silo,dc=local -w $${LDAP_ADMIN_PASSWORD} '(objectClass=organization)' >/dev/null 2>&1"]
+      test:
+        [
+          "CMD-SHELL",
+          "ldapsearch -x -H ldap://localhost:1389 -b dc=silo,dc=local -D cn=admin,dc=silo,dc=local -w $${LDAP_ADMIN_PASSWORD} '(objectClass=organization)' >/dev/null 2>&1",
+        ]
      interval: 10s
      timeout: 5s
      retries: 5
@@ -104,8 +85,6 @@ services:
    depends_on:
      postgres:
        condition: service_healthy
-      minio:
-        condition: service_healthy
      openldap:
        condition: service_healthy
    env_file:
@@ -117,12 +96,10 @@ services:
      SILO_DB_NAME: silo
      SILO_DB_USER: silo
      SILO_DB_PASSWORD: ${POSTGRES_PASSWORD}
-      SILO_MINIO_ENDPOINT: minio:9000
-      SILO_MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
-      SILO_MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
    ports:
      - "${SILO_PORT:-8080}:8080"
    volumes:
+      - silo_data:/var/lib/silo/data
      - ../schemas:/etc/silo/schemas:ro
      - ./config.docker.yaml:/etc/silo/config.yaml:ro
    healthcheck:
@@ -164,7 +141,7 @@ services:

 volumes:
  postgres_data:
-  minio_data:
+  silo_data:
  openldap_data:

 networks:
--- a/deployments/docker-compose.prod.yaml
+++ b/deployments/docker-compose.prod.yaml
@@ -1,10 +1,8 @@
 # Production Docker Compose for Silo
-# Uses external PostgreSQL (psql.example.internal) and MinIO (minio.example.internal)
+# Uses external PostgreSQL (psql.example.internal) and filesystem storage
 #
 # Usage:
 #   export SILO_DB_PASSWORD=<your-password>
-#   export SILO_MINIO_ACCESS_KEY=<your-access-key>
-#   export SILO_MINIO_SECRET_KEY=<your-secret-key>
 #   docker compose -f docker-compose.prod.yaml up -d

 services:
@@ -24,14 +22,6 @@ services:
      # Note: SILO_DB_PORT and SILO_DB_SSLMODE are NOT supported as direct
      # env var overrides. Set these in config.yaml instead, or use ${VAR}
      # syntax in the YAML file. See docs/CONFIGURATION.md for details.
-
-      # MinIO storage (minio.example.internal)
-      # Supported as direct env var overrides:
-      SILO_MINIO_ENDPOINT: minio.example.internal:9000
-      SILO_MINIO_ACCESS_KEY: ${SILO_MINIO_ACCESS_KEY:?MinIO access key required}
-      SILO_MINIO_SECRET_KEY: ${SILO_MINIO_SECRET_KEY:?MinIO secret key required}
-      # Note: SILO_MINIO_BUCKET and SILO_MINIO_USE_SSL are NOT supported as
-      # direct env var overrides. Set these in config.yaml instead.
    ports:
      - "8080:8080"
    volumes:
--- a/deployments/docker-compose.yaml
+++ b/deployments/docker-compose.yaml
@@ -19,26 +19,6 @@ services:
    networks:
      - silo-network

-  minio:
-    image: minio/minio:RELEASE.2023-05-04T21-44-30Z
-    container_name: silo-minio
-    command: server /data --console-address ":9001"
-    environment:
-      MINIO_ROOT_USER: ${MINIO_ACCESS_KEY:-silominio}
-      MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY:-silominiosecret}
-    volumes:
-      - minio_data:/data
-    ports:
-      - "9000:9000"
-      - "9001:9001"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    networks:
-      - silo-network
-
  silo:
    build:
      context: ..
@@ -47,19 +27,12 @@ services:
    depends_on:
      postgres:
        condition: service_healthy
-      minio:
-        condition: service_healthy
    environment:
      SILO_DB_HOST: postgres
      SILO_DB_PORT: 5432
      SILO_DB_NAME: silo
      SILO_DB_USER: silo
      SILO_DB_PASSWORD: ${POSTGRES_PASSWORD:-silodev}
-      SILO_MINIO_ENDPOINT: minio:9000
-      SILO_MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY:-silominio}
-      SILO_MINIO_SECRET_KEY: ${MINIO_SECRET_KEY:-silominiosecret}
-      SILO_MINIO_BUCKET: silo-files
-      SILO_MINIO_USE_SSL: "false"
      SILO_SESSION_SECRET: ${SILO_SESSION_SECRET:-change-me-in-production}
      SILO_OIDC_CLIENT_SECRET: ${SILO_OIDC_CLIENT_SECRET:-}
      SILO_LDAP_BIND_PASSWORD: ${SILO_LDAP_BIND_PASSWORD:-}
@@ -68,6 +41,7 @@ services:
    ports:
      - "8080:8080"
    volumes:
+      - silo_data:/var/lib/silo/data
      - ../schemas:/etc/silo/schemas:ro
      - ./config.dev.yaml:/etc/silo/config.yaml:ro
    healthcheck:
@@ -80,7 +54,7 @@ services:

 volumes:
  postgres_data:
-  minio_data:
+  silo_data:

 networks:
  silo-network:
--- a/deployments/systemd/silod.service
+++ b/deployments/systemd/silod.service
@@ -27,6 +27,7 @@ NoNewPrivileges=yes
 ProtectSystem=strict
 ProtectHome=yes
 PrivateTmp=yes
+ReadWritePaths=/opt/silo/data
 ReadOnlyPaths=/etc/silo /opt/silo

 # Resource limits