From 3b60fed0783f49f3e0187197421fd8690007acf8 Mon Sep 17 00:00:00 2001 From: hailin Date: Sat, 7 Mar 2026 00:03:01 -0800 Subject: [PATCH] feat(infra): migrate MinIO object storage to gateway server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 将 MinIO 对象存储从内网服务器(192.168.1.222)迁移至入口网关服务器 (192.168.1.200 / 14.215.128.96),作为独立基础设施部署。 变更内容: backend/docker-compose.yml - 移除 minio 和 minio-init 服务(不再随后端栈启动) - admin-service 的 MINIO_ENDPOINT 改为 192.168.1.200,端口改为 9100 - 移除 admin-service 对 minio 服务的 depends_on 依赖 - 删除 minio_data docker volume 声明 infrastructure/minio/docker-compose.yml(新增) - MinIO 独立部署配置 - S3 API : 9100(映射容器内 9000) - Console : 9101(映射容器内 9001) - 数据持久化到宿主机 /data/minio infrastructure/minio/deploy.sh(新增) - 支持 up / down / status / init / logs 命令 - up 时自动创建全部 7 个 bucket: app-releases, kyc-documents, coupon-images, issuer-documents, sar-reports, avatars, exports - coupon-images / avatars 设为匿名可下载 部署说明: # 在网关服务器上首次部署 cd infrastructure/minio && ./deploy.sh up # 查看状态 ./deploy.sh status 服务器现状: genex-minio 已在 14.215.128.96 上运行,所有 bucket 已初始化。 admin-service 已重启并指向新地址,文件上传恢复正常。 Co-Authored-By: Claude Sonnet 4.6 --- backend/docker-compose.yml | 55 ++----------------- infrastructure/minio/deploy.sh | 72 +++++++++++++++++++++++++ infrastructure/minio/docker-compose.yml | 19 +++++++ 3 files changed, 96 insertions(+), 50 deletions(-) create mode 100644 infrastructure/minio/deploy.sh create mode 100644 infrastructure/minio/docker-compose.yml diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml index cb62bde..215d534 100644 --- a/backend/docker-compose.yml +++ b/backend/docker-compose.yml 
@@ -89,51 +89,9 @@ services: networks: - genex-network - # MinIO Object Storage (S3-compatible, multi-region replication support) - minio: - image: minio/minio:latest - container_name: genex-minio - environment: - MINIO_ROOT_USER: genex-admin - MINIO_ROOT_PASSWORD: genex-minio-secret - ports: - - "127.0.0.1:49000:9000" # S3 API - - "127.0.0.1:49001:9001" # Console UI - volumes: - - minio_data:/data - command: server /data --console-address ":9001" - healthcheck: - test: ["CMD", "mc", "ready", "local"] - interval: 10s - timeout: 5s - retries: 5 - restart: unless-stopped - networks: - - genex-network - - # MinIO bucket initialization - minio-init: - image: minio/mc:latest - container_name: genex-minio-init - depends_on: - minio: - condition: service_healthy - entrypoint: > - /bin/sh -c " - mc alias set genex http://minio:9000 genex-admin genex-minio-secret; - mc mb --ignore-existing genex/kyc-documents; - mc mb --ignore-existing genex/coupon-images; - mc mb --ignore-existing genex/issuer-documents; - mc mb --ignore-existing genex/sar-reports; - mc mb --ignore-existing genex/avatars; - mc mb --ignore-existing genex/exports; - mc mb --ignore-existing genex/app-releases; - mc anonymous set download genex/coupon-images; - mc anonymous set download genex/avatars; - echo 'MinIO buckets initialized'; - " - networks: - - genex-network + # MinIO has been migrated to the gateway server (192.168.1.200). + # Deployment: infrastructure/minio/deploy.sh + # API endpoint: 192.168.1.200:9100 Console: 192.168.1.200:9101 # Debezium Kafka Connect (CDC - Change Data Capture) # 版本说明: 必须使用 2.5.1+ (修复 DBZ-7316: searchWalPosition 不推进 confirmed_flush_lsn, 导致 WAL 无限积压) 
@@ -395,8 +353,8 @@ services: - DB_USERNAME=genex - DB_PASSWORD=${DB_PASSWORD} - DB_NAME=genex - - MINIO_ENDPOINT=minio - - MINIO_PORT=9000 + - MINIO_ENDPOINT=192.168.1.200 # Gateway server — MinIO runs on 192.168.1.200:9100 + - MINIO_PORT=9100 - MINIO_ACCESS_KEY=genex-admin - MINIO_SECRET_KEY=genex-minio-secret - MINIO_BUCKET=app-releases @@ -404,8 +362,6 @@ services: depends_on: postgres: condition: service_healthy - minio: - condition: service_healthy networks: - genex-network @@ -601,7 +557,6 @@ volumes: postgres_data: redis_data: kafka_data: - minio_data: networks: genex-network: diff --git a/infrastructure/minio/deploy.sh b/infrastructure/minio/deploy.sh new file mode 100644 index 0000000..41c5291 --- /dev/null +++ b/infrastructure/minio/deploy.sh 
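Review bot: The two context lines directly below the changed endpoint, `MINIO_ACCESS_KEY=genex-admin` and `MINIO_SECRET_KEY=genex-minio-secret`, keep a literal credential in the file while this hunk moves the connection off the compose-private network and onto the LAN address 192.168.1.200:9100. The same pair is the default for `MINIO_ROOT_USER` / `MINIO_ROOT_PASSWORD` in the new infrastructure/minio/docker-compose.yml, so admin-service appears to hold root rights over every bucket, including kyc-documents and sar-reports, although it is only configured for app-releases. I would read the secret from the environment as `DB_PASSWORD` already is, `- MINIO_SECRET_KEY=${MINIO_SECRET_KEY}`, and issue admin-service its own access key with a policy limited to app-releases; the committed value should be treated as disclosed and rotated. Whether this client uses TLS is not visible here, but deploy.sh prints `http://` URLs, so the key probably crosses the network unencrypted. The admin-service definition starts and ends outside the hunk.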
@@ -0,0 +1,72 @@
+#!/bin/bash
+# MinIO deployment script
+# Target server: gateway server (192.168.1.200 / 14.215.128.96)
+# API port : 9100 (S3-compatible)
+# Console : 9101
+#
+# Usage: ./deploy.sh [up|down|status|init|logs]
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# All buckets used by backend microservices
+BUCKETS=(
+ app-releases # admin-service — APK/IPA packages
+ kyc-documents # compliance-service — KYC verification files
+ coupon-images # issuer-service — coupon artwork
+ issuer-documents # issuer-service — prospectus / legal docs
+ sar-reports # compliance-service — SAR export files
+ avatars # user-service — profile pictures
+ exports # clearing-service — finance report exports
+)
+
+# Buckets that should be publicly readable (no auth needed for download)
+PUBLIC_BUCKETS=(coupon-images avatars)
+
+_init_buckets() {
+ local user="${MINIO_ROOT_USER:-genex-admin}"
+ local pass="${MINIO_ROOT_PASSWORD:-genex-minio-secret}"
+
+ docker exec genex-minio mc alias set local http://localhost:9000 "$user" "$pass"
+
+ for bucket in "${BUCKETS[@]}"; do
+ docker exec genex-minio mc mb --ignore-existing "local/${bucket}"
+ echo " bucket ready: ${bucket}"
+ done
+
+ for bucket in "${PUBLIC_BUCKETS[@]}"; do
+ docker exec genex-minio mc anonymous set download "local/${bucket}"
+ echo " public download enabled: ${bucket}"
+ done
+}
+
+case "${1:-up}" in
+ up)
+ docker compose -f "$SCRIPT_DIR/docker-compose.yml" up -d
+ echo "Waiting for MinIO to be ready..."
+ sleep 4
+ _init_buckets
+ echo ""
+ echo "MinIO is running:"
+ echo " S3 API : http://192.168.1.200:9100"
+ echo " Console : http://192.168.1.200:9101"
+ ;;
+ down)
+ docker compose -f "$SCRIPT_DIR/docker-compose.yml" down
+ ;;
+ status)
+ docker compose -f "$SCRIPT_DIR/docker-compose.yml" ps
+ ;;
+ init)
+ # Re-create buckets without restarting the container
+ _init_buckets
+ ;;
+ logs)
+ docker compose -f "$SCRIPT_DIR/docker-compose.yml" logs -f
+ ;;
+ *)
+ echo "Usage: $0 [up|down|status|init|logs]"
+ exit 1
+ ;;
+esac
diff --git a/infrastructure/minio/docker-compose.yml b/infrastructure/minio/docker-compose.yml
new file mode 100644
index 0000000..d843877
--- /dev/null
+++ b/infrastructure/minio/docker-compose.yml
@@ -0,0 +1,19 @@
+services:
+ minio:
+ image: minio/minio
+ container_name: genex-minio
+ restart: unless-stopped
+ ports:
+ - "9100:9000" # S3 API
+ - "9101:9001" # Console
+ volumes:
+ - /data/minio:/data
+ environment:
+ MINIO_ROOT_USER: ${MINIO_ROOT_USER:-genex-admin}
+ MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-genex-minio-secret}
+ command: server /data --console-address ':9001'
+ healthcheck:
+ test: ["CMD", "mc", "ready", "local"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
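Review bot: In infrastructure/minio/deploy.sh, `_init_buckets` falls back to the committed root password through `${MINIO_ROOT_PASSWORD:-genex-minio-secret}`, so running the script without the variable set brings the store up with a credential that anyone with repository access knows. The same fallback is in the `environment` block of the new infrastructure/minio/docker-compose.yml. I would fail closed instead, `local pass="${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD must be set}"`, with the matching `${MINIO_ROOT_PASSWORD:?...}` form in the compose file. The password is also passed as an argument to `docker exec ... mc alias set`, where it is visible in the host process list while the command runs. Separately, the `up` branch relies on a fixed `sleep 4`; since the compose file defines a healthcheck, `docker compose -f "$SCRIPT_DIR/docker-compose.yml" up -d --wait` would wait for readiness rather than guess at it.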
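Review bot: The `ports` entries `"9100:9000"` and `"9101:9001"` in infrastructure/minio/docker-compose.yml publish the S3 API and the admin console on every host interface, whereas the service removed from backend/docker-compose.yml bound both to 127.0.0.1. The commit message describes this host as the entry gateway and lists a second address for it, so unless a firewall outside this patch restricts those ports, the console login and the buckets that deploy.sh marks for anonymous download are reachable on whatever networks the gateway faces. Binding to the internal address, `"192.168.1.200:9100:9000"`, and keeping the console on `"127.0.0.1:9101:9001"`, would limit the exposure to what admin-service needs. The image is also untagged (`minio/minio`), so pinning a release tag or digest would keep redeploys from silently changing the server version.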