epinio · psanghvi17 · Feb 10, 2026 · Feb 10, 2026 · Feb 17, 2026
diff --git a/docs/explanations/advanced.md b/docs/explanations/advanced.md
@@ -84,11 +84,11 @@ Deployments, Services,  Ingresses and Secrets.
 
 Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces.
 
-### Minio
+### SeaweedFS
 
-[Minio project link](https://github.com/minio/minio)
+[SeaweedFS project link](https://github.com/seaweedfs/seaweedfs)
 
-Minio is a storage solution implementing the same API as [Amazon S3](https://aws.amazon.com/s3/).
+SeaweedFS is a distributed S3-compatible storage used by Epinio to store application source code.
 
 When the user pushes an application using a source code directory
 (with the [`epinio push`](../references/commands/cli/epinio_push.md) command),
@@ -97,16 +97,16 @@ It then uploads it to the Epinio API server.
 The API server copies that to the configured S3 storage for
 use during the staging of the application.
 
-When installing Epinio, you choose to use external S3 compatible storage,
-or let Epinio install one of Minio or s3gw on the cluster.
-You can see a [How-to here](../howtos/customization/setup_external_s3.md).
+When installing Epinio, you can use external S3 compatible storage,
+or let Epinio install SeaweedFS or s3gw on the cluster.
+See [Setup external S3](../howtos/customization/setup_external_s3.md).
 
 ### s3gw
 
 [The s3gw project link](https://github.com/aquarist-labs/s3gw)
 
 S3gw is a lightweight S3-compatible solution.
-You can specify it in the Epinio Helm chart as an alternative to Minio or an external S3 provider.
+You can specify it in the Epinio Helm chart as an alternative to SeaweedFS or an external S3 provider.
 
 ### Container registry
 

diff --git a/docs/explanations/detailed-push-process.md b/docs/explanations/detailed-push-process.md
@@ -29,10 +29,10 @@ BasicAuth, a session cookie or, if using WebSockets, a token.
 
 ## Copying the code to S3 (step 2)
 
-The Epinio helm-chart can install either [Minio](https://min.io/) (the default)
+The Epinio helm-chart can install either [SeaweedFS](https://github.com/seaweedfs/seaweedfs) (the default)
 or [s3gw](https://s3gw.io/) on your cluster.
 You can also [configure external S3](../howtos/customization/setup_external_s3.md).
-Both Minio and s3gw are S3-compatible storage solutions which Epinio uses to store application source code.
+Both SeaweedFS and s3gw are S3-compatible storage solutions which Epinio uses to store application source code.
 The chosen S3 storage solution is later used by the staging job.
 
 After successful authentication (step 1),

diff --git a/docs/explanations/epinio-push-detailed.svg b/docs/explanations/epinio-push-detailed.svg
diff --git a/docs/howtos/customization/setup_external_s3.md b/docs/howtos/customization/setup_external_s3.md
@@ -10,34 +10,34 @@ doc-persona: [epinio-operator]
 ---
 
 One of the steps involved in running `epinio push` is storing the requested version of the code in the configured Epinio S3 compatible storage.
-By default, Epinio installs and configures [Minio](https://github.com/minio/minio) to use.
-This document describes how to configure Epinio to use another S3 compatible storage and skip the Minio installation.
+By default, Epinio installs and configures [SeaweedFS](https://github.com/seaweedfs/seaweedfs) as S3-compatible storage.
+This document describes how to configure Epinio to use another S3 compatible storage and skip the SeaweedFS installation.
 
 The Epinio Helm chart has the following optional parameters:
 
 |Variable name|Description|Mandatory|Default|
 |:---|:---|:---:|:---:|
-|`minio.enabled`|Whether to install Minio or not|yes|"true"|
+|`seaweedfs.enabled`|Whether to install SeaweedFS or not|yes|"true"|
 |`s3.bucket`|S3 bucket where you want to store your apps|yes|`epinio`|
-|`s3.endpoint`|S3 endpoint|yes|`minio.epinio.svc.cluster.local`|
-|`s3.accessKeyID`|S3 access key id to authenticate to the endpoint|no|random value when Minio is enabled|
-|`s3.secretAccessKey`|S3 secret access key id to authenticate to the endpoint|no|random value when Minio is enabled|
+|`s3.endpoint`|S3 endpoint|yes|`seaweedfs-s3.epinio.svc.cluster.local:8333`|
+|`s3.accessKeyID`|S3 access key id to authenticate to the endpoint|no|random value when SeaweedFS is enabled|
+|`s3.secretAccessKey`|S3 secret access key id to authenticate to the endpoint|no|random value when SeaweedFS is enabled|
 |`s3.useSSL`|Use SSL for encryption|no|`true`|
 |`s3.region`|S3 region where your bucket is|no|""|
-|`s3.certificateSecret`|An existing TLS secret to be trusted (if self signed)|no|"minio-tls" if Minio is enabled|
+|`s3.certificateSecret`|An existing TLS secret to be trusted (if self signed)|no|"seaweedfs-tls" if SeaweedFS is enabled|
 
 To configure Epinio to store application sources to an external S3 compatible storage, at least the mandatory options should be set.
 
 :::note
 
-Some implementations don't need the location, for example, Minio and `s3.useSSL` has a default value of "true".
+Some implementations don't need the location, for example, SeaweedFS and `s3.useSSL` has a default value of "true".
 
 :::
 
 For instance, add the following options to your Helm command to make Epinio point to AWS:
 
 ```console
---set minio.enabled=false \
+--set seaweedfs.enabled=false \
 --set s3.endpoint=s3.amazonaws.com \
 --set s3.bucket=<your_bucket_here> \
 --set s3.region=<your_region_here> \

diff --git a/docs/howtos/other/minio.md b/docs/howtos/other/minio.md
diff --git a/docs/howtos/other/seaweedfs.md b/docs/howtos/other/seaweedfs.md
@@ -0,0 +1,62 @@
+---
+sidebar_label: Epinio's SeaweedFS (S3) service
+sidebar_position: 30
+title: Accessing Epinio's internal SeaweedFS S3 service
+description: How to access Epinio's internal SeaweedFS S3-compatible service
+keywords: [epinio, kubernetes, internal seaweedfs, s3 service]
+doc-type: [how-to]
+doc-topic: [epinio, how-to, other, access-s3-service]
+doc-persona: [epinio-developer]
+---
+
+Epinio uses [SeaweedFS](https://github.com/seaweedfs/seaweedfs) as its default S3-compatible storage for application source code.
+You can expose the internal S3 API for debugging, for example using the Amazon Web Services (AWS) CLI or the MinIO Client (`mc`).
+In both cases you expose the internal service through a Kubernetes `NodePort` service.
+
+:::caution
+
+For security reasons, delete the exposed services when you finish debugging.
+
+:::
+
+## Access Epinio's S3 storage through the AWS CLI
+
+Expose the SeaweedFS S3 service and use the AWS CLI to talk to it.
+
+```bash
+# Expose the SeaweedFS S3 service (service name may vary; typically seaweedfs-s3)
+kubectl expose deployment seaweedfs-s3 -n epinio --name epinio-s3-np --port=8333 --type=NodePort
+# If the S3 component is a different workload type, use the appropriate resource (e.g. pod or service)
+PORT=$(kubectl get svc -n epinio epinio-s3-np -o jsonpath='{.spec.ports[0].nodePort}')
+NODE=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
+S3_KEY=$(kubectl get secrets/seaweedfs-creds -n epinio -o=go-template='{{index .data "accesskey" | base64decode}}')
+S3_SECRET=$(kubectl get secrets/seaweedfs-creds -n epinio -o=go-template='{{index .data "secretkey" | base64decode}}')
+```
+
+Install the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and configure it for the internal S3 endpoint:
+
+```bash
+aws configure set aws_access_key_id $S3_KEY
+aws configure set aws_secret_access_key $S3_SECRET
+aws configure set default.region us-east-1
+echo "Usage: aws --no-verify-ssl --endpoint-url https://$NODE:$PORT s3 ls"
+```
+
+To list the Epinio bucket:
+
+```bash
+aws --no-verify-ssl --endpoint-url https://$NODE:$PORT s3 ls s3://epinio/
+```
+
+When you are done, remove the NodePort service:
+
+```console
+kubectl delete service epinio-s3-np -n epinio
+```
+
+## Access using MinIO Client (mc)
+
+You can also use the [MinIO Client](https://min.io/docs/minio/linux/reference/minio-mc.html) (`mc`), which works with any S3-compatible API.
+After exposing the S3 service as above, configure an alias and use `mc ls`, `mc cp`, etc. as needed.
+
+For more on S3-compatible access, see [AWS CLI S3](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [MinIO Client with S3](https://min.io/docs/minio/linux/integrations/aws-cli-with-minio.html).
diff --git a/docs/installation/install_epinio.md b/docs/installation/install_epinio.md
@@ -9,7 +9,7 @@ keywords: [epinio, kubernetes, k8s, installation, install]
 ## Introduction
 
 Epinio is installed from a single Helm chart.
-This also installs Reflector, [`MinIO`](#s3-storage), [`Dex`](#dex) and a [container registry](#container-registry) in your Kubernetes cluster.
+This also installs Reflector, [SeaweedFS](#s3-storage) (S3-compatible storage), [`Dex`](#dex) and a [container registry](#container-registry) in your Kubernetes cluster.
 You can disable the installation of these additional "sub" charts by changing the settings as described in their sections below.
 
 ## Prerequisites
@@ -233,11 +233,11 @@ The configurations under `server.stagingWorkloads` gets mapped to the build scri
 ### S3 storage
 
 Epinio uses an S3 compatible storage to store the application source code.
-This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is
+This chart will install [SeaweedFS](https://github.com/seaweedfs/seaweedfs) when `.Values.seaweedfs.enabled` is
 `true` (default).
 
-In addition to Minio, Epinio offers [s3gw](https://s3gw.io/) as another S3 compatible store.
-It is installed when `.Values.minio.enabled` is set to `false` and `.Values.s3gw.enabled` is set to `true`.
+In addition to SeaweedFS, Epinio offers [s3gw](https://s3gw.io/) as another S3 compatible store.
+It is installed when `.Values.seaweedfs.enabled` is set to `false` and `.Values.s3gw.enabled` is set to `true`.
 
 :::caution
 The s3gw support is __experimental__.
@@ -248,12 +248,12 @@ If there is an outage of the node where s3gw's pod is currently deployed, k8s wi
 
 Both choices for internal S3 compatible storage can be configured to use a user-defined storageClass.
 If no StorageClass is defined, the default storageClass is used.
-When using Minio set the custom storageClass to the value of `.Values.persistance.storageClass`.
+When using SeaweedFS set the custom storageClass to the value of `.Values.seaweedfs.persistence.storageClass`.
 When using s3gw set the custom storageClass to the value of `.Values.s3gw.storageClass.name`.
 
-Use any external S3 compatible solution by setting `.Values.minio.enabled` to `false`
+Use any external S3 compatible solution by setting `.Values.seaweedfs.enabled` to `false`
 (`.Values.s3gw.enabled` is `false` by default) and using
-[the values under `s3`](https://github.com/epinio/helm-charts/blob/b389a4875af9f03b484a911c49a14f834ba04b64/chart/epinio/values.yaml#L44)
+[the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml)
 to point to the required S3 server.
 
 ### Dex

diff --git a/docs/references/authorization.md b/docs/references/authorization.md
@@ -128,15 +128,27 @@ These actions enable operations on Namespace commands and resources.
 
 These actions enable operations on App commands and resources. They also enable commands related to  AppCharts (`epinio app chart`) and application environment variables.
 
-| Action ID       | Description 
-|-----------------|-------------
-| `app_read`        | Read permissions (app list and show, env list and show)
-| `app_logs`        | Read application logs
-| `app_restart`     | Restart permission (without write permissions) <br/>Depends on: `app_read`
-| `app_write`       | Write permissions (app create, delete, push, export, stage, env set and unset)<br/>Depends on: `app_read`, `app_logs`
-| `app_exec`        | Perform an exec into a running application
-| `app_portforward` | Open a tunnel with the `port-forward` command
-| `app`             | All the above<br/>Depends on: `app_read`, `app_logs`, `app_write`, `app_exec`, `app_portforward`
+| Action ID             | Description 
+|-----------------------|-------------
+| `app_read`            | Read permissions (app list and show, env list and show)
+| `app_logs`            | Read application logs
+| `app_restart`         | Restart permission (without write permissions) <br/>Depends on: `app_read`
+| `app_create`          | Create and upload/import applications<br/>Depends on: `app_read`, `app_logs`
+| `app_update`          | Generic application update (patch) covering routes, chart values, instances and settings
+| `app_scale`           | Scale applications by changing the desired number of instances (implemented via the `AppUpdate` endpoint)
+| `app_update_env`      | Update application environment variables (set and unset)
+| `app_update_configs`  | Manage application configuration bindings (create and delete)
+| `app_update_routes`   | Update application routes/domains (implemented via the `AppUpdate` endpoint)
+| `app_update_settings` | Update application settings (chart values) stored on the App resource (implemented via the `AppUpdate` endpoint)
+| `app_update_chart`    | Update application chart selection and values (implemented via the `AppUpdate` endpoint)
+| `app_stage`           | Stage an application<br/>Depends on: `app_read`, `app_logs`
+| `app_deploy`          | Deploy an application<br/>Depends on: `app_read`, `app_logs`
+| `app_export`          | Export an application image and metadata
+| `app_delete`          | Delete applications
+| `app_write`           | Backward-compatible umbrella for app create/update/delete/export/stage/deploy and all application update operations (including scale, routes, settings, chart and env/config updates)
+| `app_exec`            | Perform an exec into a running application
+| `app_portforward`     | Open a tunnel with the `port-forward` command
+| `app`                 | All app permissions (including granular app actions, logs, exec and port-forward)
 
 ### Configuration
 
@@ -178,6 +190,17 @@ This action enable operations on Export Registries commands and resources. Only
 |---------------------------|-------------
 | `export_registries_read`  | Read permissions
 
+## Built-in Role Examples
+
+The following roles are shipped as ConfigMaps and can be assigned directly to users:
+
+| Role ID | Intended scope |
+|---------|----------------|
+| `view_only` | Read-only access to application, configuration, service, gitconfig and export-registry resources |
+| `application_developer` | Create/update applications without application delete and without non-application write permissions |
+| `application_manager` | Full application CRUD and runtime operations, without non-application write permissions |
+| `system_manager` | No-delete role: application create/update/runtime operations plus read-only access on other resource types |
+
 
 ## Assign Roles to User
 

diff --git a/docs/references/cert-manager.md b/docs/references/cert-manager.md
@@ -54,24 +54,24 @@ The Epinio chart then falls back to the data for `epinio`.
 The information is ignored when the `dex` and/or `ui` components are disabled.
 
 The `s3` information applies to whichever internal S3-compatible store is configured when installing
-Epinio, i.e. `minio` or `s3gw`. The `s3` information is not applied when Epinio is configured to use
+Epinio, i.e. `seaweedfs` or `s3gw`. The `s3` information is not applied when Epinio is configured to use
 an external S3 store.
 
 :::note
 
 The certificates for `epinio` (including workloads) and `dex` are served through public domains and
 are permitted to use wildcard domains (e.g. `*.1.2.3.4.nip.io`) in their `CN`/`SAN` fields.
 
-The certificates for `registry` and `s3`(minio) are inter-cluster "private" domains
+The certificates for `registry` and `s3` (SeaweedFS) are inter-cluster "private" domains
 (`registry.<ns>.svc.cluster.local` and
-`minio.<ns>.svc.cluster.local`).
+`seaweedfs-s3.<ns>.svc.cluster.local`).
 The placeholder `<ns>` refers to the namespace Epinio is installed in.
 
 :::
 
 :::caution
 
-When used with Minio the `s3` certificate cannot use wildcard domains in its `CN`/`SAN` fields.
+When used with SeaweedFS the `s3` certificate cannot use wildcard domains in its `CN`/`SAN` fields.
 
 :::
 

diff --git a/docs/references/customization/sources.md b/docs/references/customization/sources.md
@@ -8,11 +8,11 @@ sidebar_label: "Source Code Storage"
 Epinio saves the uploaded sources of applications to be deployed to an S3 compatible
 storage system. The staging process then retrieves the sources from that storage.
 
-By default Epinio uses [minio](https://min.io/) as the store, as an internal component.
+By default Epinio uses [SeaweedFS](https://github.com/seaweedfs/seaweedfs) as the S3-compatible store, as an internal component.
 
 To use an external S3 compatible storage it is necessary to
 
-  - Set chart key `minio.enabled=false`, and
+  - Set chart key `seaweedfs.enabled=false`, and
   - the various S3 connection keys, i.e.
 
       - `s3.endpoint`