diff --git a/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
index 6f7bcb57..2a1a7384 100644
--- a/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-obs/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
 - ../../bundles/prom-keycloak-proxy
 - ../../bundles/zookeeper
 - ../../bundles/solr
+- ../../bundles/minio
 - ../../base/core/namespaces/openshift-gitops
 - ../../base/core/namespaces/dex
 - ../../base/rbac.authorization.k8s.io/clusterroles/allow-edit-rbac
diff --git a/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml b/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
index 89c50c12..3c78bab0 100644
--- a/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
+++ b/dex/overlays/nerc-ocp-infra/externalsecrets/dex-clients_patch.yaml
@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
   name: dex-clients
 spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
   dataFrom:
   - extract:
       key: nerc-ocp-infra/dex/dex-clients
diff --git a/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml b/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
index 28ca50c4..315456d9 100644
--- a/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
+++ b/dex/overlays/nerc-ocp-obs/configmaps/files/config.yaml
@@ -21,6 +21,17 @@ staticClients:
     redirectURIs:
     - https://grafana.apps.obs.nerc.mghpcc.org/login/generic_oauth
     secretEnv: GRAFANA_SECRET
+  - id: minio
+    name: MinIO
+    redirectURIs:
+    - https://minio-console-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+    - https://minio-minio.apps.obs.nerc.mghpcc.org/oauth_callback
+    secretEnv: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+  - id: ai-telemetry
+    name: AI Telemetry
+    redirectURIs:
+    - https://keycloak.apps.obs.nerc.mghpcc.org/realms/NERC/broker/OpenShift/endpoint
+    secretEnv: AI_TELEMETRY_AUTH_SECRET
 
 connectors:
   - type: openshift
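Review bot: The added `secretStoreRef` points the dex-clients ExternalSecret at the cluster-wide `nerc-cluster-secrets` ClusterSecretStore, and the nerc-ocp-obs dex-clients patch in this commit does the same; if that store restricts which namespaces may use it, the dex namespace must be admitted, and a mismatch only surfaces as a sync error after deploy rather than at review time. The patch does not say why the reference is set at the overlay rather than inherited from the base, so a short comment above `secretStoreRef:` such as `# cluster-wide store; the extract key below is the per-cluster path for these client secrets` would help the next reader. The enclosing `spec` continues outside the hunk.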
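Review bot: The two new static clients take their secrets from the environment via `secretEnv` (`MINIO_IDENTITY_OPENID_CLIENT_SECRET`, `AI_TELEMETRY_AUTH_SECRET`), so the `dex-clients` Secret filled by the ExternalSecret patches in this commit (`dataFrom.extract`) must carry keys with exactly those names; that content is not visible here, and a missing key would leave dex reading an empty variable for the client. I would record the coupling with a comment above each entry, e.g. `# secret comes from the dex-clients ExternalSecret, key MINIO_IDENTITY_OPENID_CLIENT_SECRET`. Note also that the minio overlay in this commit sets `MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on`, so the two MinIO redirect URIs registered here must match the console and API route hostnames literally, since dex compares registered redirect URIs exactly. The `staticClients` list begins before the hunk.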
diff --git a/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml b/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
index c294f322..1f787f84 100644
--- a/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
+++ b/dex/overlays/nerc-ocp-obs/externalsecrets/dex-clients_patch.yaml
@@ -3,6 +3,9 @@ kind: ExternalSecret
 metadata:
   name: dex-clients
 spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
   dataFrom:
   - extract:
       key: nerc-ocp-obs/dex/dex-clients
diff --git a/minio/base/deployment.yaml b/minio/base/deployment.yaml
index c420f598..94babb15 100644
--- a/minio/base/deployment.yaml
+++ b/minio/base/deployment.yaml
@@ -16,7 +16,7 @@ spec:
         - configMapRef:
             name: minio-config
             optional: true
-        image: docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
+        image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z
         ports:
         - containerPort: 9000
           name: object-storage
diff --git a/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
new file mode 100644
index 00000000..ea9041b0
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/externalsecrets/patch-minio-admin-credentials.yaml
@@ -0,0 +1,12 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: minio-admin-credentials
+  namespace: minio
+spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
+  dataFrom:
+  - extract:
+      key: nerc/nerc-ocp-obs/minio/minio-admin-credentials
diff --git a/minio/overlays/nerc-ocp-obs/files/minio-config.env b/minio/overlays/nerc-ocp-obs/files/minio-config.env
new file mode 100644
index 00000000..4038f940
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/files/minio-config.env
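Review bot: After the registry move the image is still selected by tag only (`RELEASE.2024-11-07T00-52-20Z`); tags are mutable, so the Deployment can pull an image other than the one that was reviewed without any change in this repository. Pin the digest alongside the tag, `image: quay.io/minio/minio:RELEASE.2024-11-07T00-52-20Z@sha256:<digest-of-the-reviewed-image>`, and update it together with the tag on each bump. The container spec starts and ends outside the hunk.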
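Review bot: The extract `key` `nerc/nerc-ocp-obs/minio/minio-admin-credentials` carries a leading `nerc/` segment that the two dex-clients keys in this same commit (`nerc-ocp-infra/dex/dex-clients`, `nerc-ocp-obs/dex/dex-clients`) do not, although all three reference the same `nerc-cluster-secrets` store; one of the two layouts is probably wrong, and a wrong path only shows up as a sync error after deploy. Please verify against the store's actual layout and, if the prefix is intentional, say so with `# note: this store path carries the nerc/ prefix, unlike the dex client keys`. Because `dataFrom.extract` copies every key under that path into the resulting Secret, also confirm the path holds only the admin credentials MinIO expects.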
@@ -0,0 +1,11 @@
+# Documentation: https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://dex-dex.apps.obs.nerc.mghpcc.org/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=on
+
+# This tells minio to look up policy names in the "groups" claim (so e.g. if
+# someone in the "nerc-ops" group logs in, minio will look for a "nerc-ops"
+# policy to apply). A person cannot log in if there is no policy matches any of
+# the claim values.
+MINIO_IDENTITY_OPENID_CLAIM_NAME=groups
diff --git a/minio/overlays/nerc-ocp-obs/kustomization.yaml b/minio/overlays/nerc-ocp-obs/kustomization.yaml
new file mode 100644
index 00000000..59f1790b
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+
+configMapGenerator:
+- name: minio-config
+  namespace: minio
+  envs:
+  - files/minio-config.env
+
+patches:
+  - path: externalsecrets/patch-minio-admin-credentials.yaml
+  - path: persistentvolumeclaims/patch-pvc.yaml
diff --git a/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml b/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml
new file mode 100644
index 00000000..093d769a
--- /dev/null
+++ b/minio/overlays/nerc-ocp-obs/persistentvolumeclaims/patch-pvc.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio-data
+spec:
+  resources:
+    requests:
+      storage: 20Ti
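Review bot: `MINIO_IDENTITY_OPENID_CLAIM_NAME=groups` maps each value of the `groups` claim directly to a MinIO policy name, so a group whose name coincides with one of MinIO's built-in policies (for example `consoleAdmin`) would receive that policy with no explicit mapping; it is worth confirming that no group the dex connector forwards collides with a built-in policy name, and recording that check in the comment block. The file also leaves unstated where `MINIO_IDENTITY_OPENID_CLIENT_SECRET` comes from — omitting it from the ConfigMap is right, but a pointer such as `# the client secret is supplied through a Secret, deliberately not in this ConfigMap` would save the next reader a search. Minor wording in the comment: `if there is no policy matches any of` reads better as `if no policy matches any of`.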
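Review bot: Sequence indentation is mixed inside the new kustomization: `resources:` and `configMapGenerator:` use flush items (`- ../../base`, `- name: minio-config`) while `patches:` indents its items (`  - path: …`); yamllint's `indent-sequences` check flags this, so pick one style, e.g. `patches:` followed by `- path: externalsecrets/patch-minio-admin-credentials.yaml` and `- path: persistentvolumeclaims/patch-pvc.yaml`. The generated ConfigMap gets kustomize's name-hash suffix by default, which is propagated to the base Deployment's `configMapRef` because the base is listed under `resources:`; a one-line comment above `configMapGenerator:` stating that would stop someone from adding `disableNameSuffixHash` to "fix" a reference that is not broken.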