AIStor Server Operator Helm Chart

This page includes the full contents of the AIStor Server Operator Helm Chart default values.yaml and all accompanying documentation.

Configuration precedence

The MinIO AIStor Operator Helm chart supports a hierarchical configuration system where settings can be defined at multiple levels. When the same setting is defined at multiple levels, the following order of precedence determines which value is used (highest to lowest):

  1. Individual operator settings - Settings specified for a specific operator in operators.<operator-name>.*. Example: operators.object-store.replicas.
  2. Global operator settings - Settings specified in global.operator.* that apply to all operators.
  3. Default values - Default values defined in the Helm chart templates.

For example, if you set global.operator.replicas: 2 and then set operators.object-store.replicas: 3, the object-store operator will use 3 replicas while other operators will use 2 replicas.

This precedence model allows you to define common settings globally while selectively overriding specific values for individual operators as needed.
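An added example (not part of the chart's own values.yaml) of an override file that exercises this precedence, using only keys from the values reference on this page; the namespace names and the UID/GID 2000 are constructed placeholders. Because the chart's comments state that per-operator keys override rather than extend the global setting, the per-operator securityContext below restates every hardening field instead of only the changed ones.

```yaml
# values-override.yaml (constructed example)
global:
   operator:
      # Level 2: applies to every operator that does not set its own value.
      replicas: 2

      # Namespace-scoped mode: per the chart comments, a RoleBinding is
      # created in each listed namespace instead of a ClusterRoleBinding.
      watchedNamespaces:
         - tenant-a   # placeholder namespace
         - tenant-b   # placeholder namespace

      # Automatic certificates need cluster-wide permissions, so they are
      # opted out of here (not applicable on OpenShift).
      optOutAutomaticCertificates: true

operators:
   object-store:
      # Level 1: wins over global.operator.replicas for this operator only.
      # The other enabled operators keep 2 replicas.
      replicas: 3

      # Per the chart comments, OIDC avoids the aistor:tokenreview cluster
      # role binding, but the AIStor pods must be able to reach and trust
      # the Kubernetes OIDC discovery and JWKS endpoints.
      tokenValidation: OIDC

      # This block replaces global.operator.securityContext as a whole.
      # Setting only runAsUser/runAsGroup here would leave out the other
      # hardening fields, so all of them are repeated.
      securityContext:
         allowPrivilegeEscalation: false
         capabilities:
            drop:
               - ALL
         runAsGroup: 2000   # placeholder GID
         runAsNonRoot: true
         runAsUser: 2000    # placeholder UID
         seccompProfile:
            type: RuntimeDefault
```

Rendering the chart with this file through `helm template` and inspecting the resulting Deployment specs confirms which replica count and security context each operator received before anything is installed.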

Values reference

# Default values for AIStor Operators chart

# The following annotations/labels are applied to all resources created by the Helm chart
annotations: {}
labels: {}

# Allow overriding the namespace for all resources
#namespaceOverride: "test"

# The MinIO license can be set directly from the Helm chart. Note that it is not advised
# to expose the license key in the Helm chart. Instead, it is recommended to create a
# secret manually. It's just here for convenience.
license: ""

# global settings are settings that will be applied to all operators
# unless explicitly overridden in the operator settings.
global:
   # The Helm chart will try to auto-detect OpenShift. If it cannot detect OpenShift
   # (i.e. when running helm template), then it will default to false. You can
   # override this setting to force OpenShift mode.
   #forceOpenShift: true

   # Specify the default cluster domain. When it's not set, auto-detection
   # is attempted, but you may want to set it explicitly.
   # clusterDomain: "cluster.xxx"

   # The following settings will be set for all operators. They can
   # be overridden per operator by setting the same key in the
   # operators.<operator-name> section.
   operator:
      # Specify number of replicas
      replicas: 1

      # Specify annotations (https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to associate with pods.
      podAnnotations: {}

      # Specify labels (https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to associate with pods.
      podLabels: {}

      # This will add extra environment variables to the operator
      # containers.
      #
      # OpenTelemetry Configuration Example:
      # To enable OpenTelemetry logging, add OTEL environment variables:
      #
      # extraEnv:
      #   - name: OTEL_EXPORTER_OTLP_ENDPOINT
      #     # For gRPC protocol: use host:port (scheme optional, will be auto-stripped)
      #     value: "otel-collector.observability.svc.cluster.local:4317"
      #     # For HTTP protocol: include the http:// or https:// scheme
      #     # value: "http://otel-collector.observability.svc.cluster.local:4318"
      #   - name: OTEL_EXPORTER_OTLP_PROTOCOL
      #     value: "grpc"  # or "http"
      #   - name: OTEL_EXPORTER_OTLP_INSECURE
      #     value: "false"
      #   - name: OTEL_EXPORTER_OTLP_HEADERS
      #     value: "authorization=Bearer token123"  # Optional: for authentication
      extraEnv: []

      # Image pull policy (empty uses the default registry policy).
      imagePullPolicy: ""
      # You may need to set the image pull secrets when using a private registry.
      # They must be set as an array of LocalObjectReference, for example:
      #
      #    imagePullSecrets:
      #        - name: minio-registry-secret
      #          type: kubernetes.io/dockerconfigjson
      imagePullSecrets: []

      # Resources for the operator containers.
      resources:
         requests:
            cpu: 200m
            ephemeral-storage: 500Mi
            memory: 256Mi

      # Security context for the operator containers (ignored on OpenShift)
      securityContext:
         allowPrivilegeEscalation: false
         capabilities:
            drop:
               - ALL
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
         seccompProfile:
            type: RuntimeDefault

      # Security context for the operator pods (ignored on OpenShift)
      podSecurityContext: {}
         # fsGroup: 2000

      # An array of toleration labels to associate with the operator pods, for example:
      #
      #    tolerations:
      #    - effect: "NoSchedule"
      #      operator: "Equal"
      #      key: "key1"
      #      value: "value1"
      tolerations: []

      # Node selector labels
      nodeSelector: {}

      # When set, the operator only monitors resources in the listed namespaces.
      # A RoleBinding is created in each namespace instead of a ClusterRoleBinding.
      # Leave empty (default) for cluster-wide mode.
      #
      # watchedNamespaces:
      #   - namespace1
      #   - namespace2
      #
      # Automatic certificates require cluster-wide permissions, so you
      # may want to disable this in namespace-scoped mode. Since OpenShift uses
      # OpenShift Service CA Operator to issue certificates, this setting is not
      # applicable in OpenShift.
      #
      # optOutAutomaticCertificates: true

# All operators will be using the global setting, unless overridden
# in the section below. All keys in `.global.operator` can also be
# used here and will override (not extend) the global setting.
#
# All operators will be disabled by default, with the exception of
# the object-store.
operators:
   adminjob:
      disabled: false
   # DEPRECATED: the aihub controller is deprecated and will be removed in a
   #             future release.
   aihub:
      disabled: true
   object-store:
      disabled: false
      # affinity:
      #   podAntiAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #     - labelSelector:
      #         matchExpressions:
      #         - key: aistor.min.io/name
      #           operator: In
      #           values:
      #           - object-store-operator
      #       topologyKey: kubernetes.io/hostname

      # The operator uses a Kubernetes service account to connect to MinIO. There are
      # two modes for validating the Kubernetes tokens that are used for authentication:
      #
      # - TokenReview (default) - uses the Kubernetes `TokenReview` API to validate the tokens.
      # - OIDC - uses the OIDC discovery and JWKS document to validate the tokens.
      # - Disabled - disables using Kubernetes tokens for authentication. This cannot be used
      #              with the operator, because the operator itself needs to authenticate to
      #              MinIO using a Kubernetes token.
      #
      # `TokenReview`
      # -------------
      # This is the default mode, but it requires the following RBAC permissions:
      # - Helm installation will install the `aistor:tokenreview` cluster role
      # - Operator should be able to assign `aistor:tokenreview` cluster role to
      #   the AIStor service accounts, so it requires permission to create cluster role
      #   bindings.
      #
      # `OIDC`
      # ------
      # This will perform the token validation itself, so it does not require the
      # additional RBAC permissions. To validate the tokens, AIStor needs to be able to:
      # - Fetch the Kubernetes OIDC discovery document
      # - Fetch the Kubernetes JWKS document (can be located outside the cluster)
      # Some clusters prevent access to these endpoints, because:
      # - The endpoints are outside the cluster and the cluster has network policies
      #   that prevent the AIStor pods access.
      # - The endpoints use a custom CA that is not trusted by the AIStor pods,
      #   so the AIStor pods won't trust the endpoints.
      #
      # Most clusters will allow this, but some clusters may have network policies
      # that prevent this. In such clusters, you must set `tokenValidation: TokenReview`
      # and grant the necessary permissions to AIStor. Clusters that do allow access to the
      # OIDC discovery and JWKS document can instead set `tokenValidation: OIDC` to avoid the
      # `aistor:tokenreview` cluster role binding.
      tokenValidation: TokenReview

      webhook:
         enabled: true # set to false to disable webhook deployment
         caBundle: "" # set a custom CA bundle (base64 encoded PEM certificate), otherwise it will be auto-injected
         replicas: 1 # set number of replicas (default is only using a single webhook)
         # affinity:
         #   podAntiAffinity:
         #     requiredDuringSchedulingIgnoredDuringExecution:
         #     - labelSelector:
         #         matchExpressions:
         #         - key: aistor.min.io/name
         #           operator: In
         #           values:
         #           - object-store-webhook
         #       topologyKey: kubernetes.io/hostname
   # DEPRECATED: the prompt controller is deprecated and will be removed in a
   #             future release.
   prompt:
      disabled: true
   warp:
      disabled: true

# The repositories allow overriding the default repositories that
# are used to determine the full image names.
#
# When image pull secrets are added, then they are also used by the
# operator to set the proper image pull secrets for deployments,
# statefulsets, ... that use that repository.
repositories:
   aistor:
      hostname: quay.io
      pathPrefix: minio/aistor/
      # imagePullPolicy: IfNotPresent
      # imagePullSecrets:
      # - name: pull-secret1
      # - name: pull-secret2

# The images allow overriding the default images that are used to
# determine the full image names. When overriding the images,
# you can specify the full image name (including registry and path)
# or just the image name. When specifying just the image name,
# then the repository settings will be used to determine the full
# image name.
#
# It's not required to override all images if you only need to
# override a few of them. The images that are not overridden will
# use the default images.
#
# If you want to override an image without using the repository settings,
# then you can specify the full image name (including registry and path).
#
# images:
#   minio: private.repo.org/aistor/minio:latest
#
# AUTOGENERATE
images:
   aihub:
      repository: aistor
      image: aihub:RELEASE.2025-12-11T18-08-15Z
   kes:
      repository: aistor
      image: kes:RELEASE.2026-04-13T20-11-36Z
   kes-sidecar:
      repository: aistor
      image: kes-sidecar:RELEASE.2026-06-10T04-53-14Z
   mc:
      repository: aistor
      image: mc:RELEASE.2026-04-21T04-26-49Z
   minio:
      repository: aistor
      image: minio:RELEASE.2026-05-28T20-50-32Z
   minio-sidecar:
      repository: aistor
      image: minio-sidecar:RELEASE.2026-06-09T23-40-36Z
   operator:
      repository: aistor
      image: operator:RELEASE.2026-06-10T05-02-21Z
   prompt:
      repository: aistor
      image: prompt:RELEASE.2025-01-17T21-55-43Z
   warp:
      repository: aistor
      image: warp:v1.5.0