Environment Variable Configuration

You can configure AIStor Object Store behavior by setting environment variables using the ObjectStore custom resource. The Operator writes these variables to a configuration file accessible by all AIStor Pods in the object store.

Overview

Version changed
Support for valueFrom with configMapKeyRef and secretKeyRef requires Operator version RELEASE.2025-10-16T16-46-38Z or later.

The Operator supports two methods for setting environment variables:

Static values
Define environment variable values directly in the ObjectStore specification.
Dynamic values from Kubernetes resources
Reference values stored in ConfigMaps or Secrets using the valueFrom field. This approach keeps sensitive information separate from the ObjectStore specification and allows for centralized configuration management.

When you update environment variable values in ConfigMaps or Secrets, the Operator automatically propagates the changes to the AIStor Pods during the next synchronization cycle, typically within one minute. This eliminates the need for Pod restarts when updating configuration values.

Configuration

Static environment variables

Define environment variables with static values directly in the ObjectStore specification in your Helm chart values file:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_STORAGE_CLASS_STANDARD
      value: "EC:4"
    - name: MINIO_BROWSER
      value: "on"

Environment variables from Secrets

Use valueFrom.secretKeyRef to reference sensitive values stored in Kubernetes Secrets. This is the recommended approach for credentials, passwords, and other sensitive configuration data.

First, create a Secret containing the sensitive value:

kubectl create secret generic ldap-credentials \
  --from-literal=bind-password='MySecurePassword123!' \
  --namespace primary-object-store

Then reference the Secret in your custom Helm chart values file:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ldap-credentials
          key: bind-password

Environment variables from ConfigMaps

Use valueFrom.configMapKeyRef to reference non-sensitive configuration values stored in ConfigMaps. This approach centralizes configuration management and allows multiple ObjectStores to share common settings.

First, create a ConfigMap containing the configuration value:

kubectl create configmap aistor-config \
  --from-literal=storage-class='EC:6' \
  --namespace primary-object-store

Then reference the ConfigMap in your custom Helm chart values file:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_STORAGE_CLASS_STANDARD
      valueFrom:
        configMapKeyRef:
          name: aistor-config
          key: storage-class

Optional environment variables

Mark an environment variable as optional to prevent ObjectStore deployment failures when the referenced Secret or ConfigMap does not exist:

  env:
    - name: MINIO_OPTIONAL_SETTING
      valueFrom:
        secretKeyRef:
          name: optional-secret
          key: optional-key
          optional: true

When optional: true is set:

  • If the Secret or ConfigMap exists, the Operator uses its value.
  • If the Secret or ConfigMap does not exist, the Operator skips the environment variable without error.
  • The ObjectStore deployment proceeds normally.

If the optional field is omitted or set to false, a missing Secret or ConfigMap causes the deployment to fail.

Update behavior

When you modify values in a Secret or ConfigMap referenced by an ObjectStore:

  1. The Operator detects the change during its next synchronization cycle, typically every minute.
  2. The Operator updates the configuration file on all AIStor Pods.
  3. The Operator signals the AIStor process to reload its configuration.
  4. Changes take effect without restarting Pods.

Synchronization typically occurs within one minute of the change. Unlike earlier Operator versions, Pod restarts are not required for environment variable updates.

To update a Secret value:

kubectl create secret generic ldap-credentials \
  --from-literal=bind-password='NewSecurePassword456!' \
  --namespace primary-object-store \
  --dry-run=client -o yaml | kubectl apply -f -

To update a ConfigMap value:

kubectl create configmap aistor-config \
  --from-literal=storage-class='EC:8' \
  --namespace primary-object-store \
  --dry-run=client -o yaml | kubectl apply -f -

Limitations

The Operator supports only configMapKeyRef and secretKeyRef as value sources.

The following Kubernetes environment variable sources are not supported:

fieldRef
Pod field references such as metadata.name or status.podIP are not supported because these values are pod-specific and cannot be stored in a shared configuration file.
resourceFieldRef
Container resource references such as limits.cpu or requests.memory are not supported for the same reason.

If you require pod-specific environment variables, contact SUBNET support to discuss your use case.

Common use cases

LDAP bind password

Store LDAP bind passwords in a Secret rather than in the ObjectStore specification:

# Create the Secret
kubectl create secret generic ldap-bind-secret \
  --from-literal=password='BindPassword123!' \
  --namespace primary-object-store

Create or update your custom Helm chart values file (aistor-objectstore-values.yaml) to reference the Secret:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_IDENTITY_LDAP_SERVER_ADDR
      value: "ldap.example.com:636"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
      value: "cn=admin,dc=example,dc=com"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ldap-bind-secret
          key: password
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
      value: "ou=users,dc=example,dc=com"
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
      value: "(uid=%s)"

Deploy or upgrade the object store using Helm:

helm upgrade --install primary-object-store minio/aistor-objectstore \
  -n primary-object-store --create-namespace \
  -f aistor-objectstore-values.yaml

For complete LDAP configuration details, see Configure Active Directory / LDAP for External Identity Management.

Centralized storage class configuration

Use a ConfigMap to manage storage class settings across multiple ObjectStores:

# Create shared ConfigMap
kubectl create configmap storage-settings \
  --from-literal=standard-class='EC:4' \
  --from-literal=reduced-redundancy='EC:2' \
  --namespace primary-object-store

Create or update your custom Helm chart values file (aistor-objectstore-values.yaml) for the first object store:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_STORAGE_CLASS_STANDARD
      valueFrom:
        configMapKeyRef:
          name: storage-settings
          key: standard-class
    - name: MINIO_STORAGE_CLASS_RRS
      valueFrom:
        configMapKeyRef:
          name: storage-settings
          key: reduced-redundancy

Create a second values file (aistor-objectstore-secondary-values.yaml) for a second object store in a different namespace:

objectStore:
  name: secondary-object-store
  env:
    - name: MINIO_STORAGE_CLASS_STANDARD
      valueFrom:
        configMapKeyRef:
          name: storage-settings
          key: standard-class
    - name: MINIO_STORAGE_CLASS_RRS
      valueFrom:
        configMapKeyRef:
          name: storage-settings
          key: reduced-redundancy

Deploy both object stores using Helm:

# Deploy first object store
helm upgrade --install primary-object-store minio/aistor-objectstore \
  -n primary-object-store --create-namespace \
  -f aistor-objectstore-values.yaml

# Create the ConfigMap in the second namespace
kubectl create configmap storage-settings \
  --from-literal=standard-class='EC:4' \
  --from-literal=reduced-redundancy='EC:2' \
  --namespace secondary-object-store

# Deploy second object store
helm upgrade --install secondary-object-store minio/aistor-objectstore \
  -n secondary-object-store --create-namespace \
  -f aistor-objectstore-secondary-values.yaml

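Updating the ConfigMap automatically propagates changes to all ObjectStores that reference it. Because a configMapKeyRef resolves within the ObjectStore's own namespace, apply the update to the storage-settings ConfigMap in each namespace.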

Webhook endpoint authentication

Store webhook authentication tokens in a Secret:

# Create Secret with webhook token
kubectl create secret generic webhook-auth \
  --from-literal=token='webhook-secret-token-xyz' \
  --namespace primary-object-store

Create or update your custom Helm chart values file (aistor-objectstore-values.yaml) to reference the Secret:

objectStore:
  name: primary-object-store
  env:
    - name: MINIO_NOTIFY_WEBHOOK_ENABLE_primary
      value: "on"
    - name: MINIO_NOTIFY_WEBHOOK_ENDPOINT_primary
      value: "https://webhook.example.com/events"
    - name: MINIO_NOTIFY_WEBHOOK_AUTH_TOKEN_primary
      valueFrom:
        secretKeyRef:
          name: webhook-auth
          key: token

Deploy or upgrade the object store using Helm:

helm upgrade --install primary-object-store minio/aistor-objectstore \
  -n primary-object-store --create-namespace \
  -f aistor-objectstore-values.yaml

For webhook configuration details, see Publish Events to a Webhook.

Verify environment variable configuration

Check that the Operator has applied environment variables to the AIStor Pods:

# Get a pod name from the ObjectStore
POD_NAME=$(kubectl get pods -n primary-object-store \
  -l aistor.min.io/objectStore=primary-object-store \
  -o jsonpath='{.items[0].metadata.name}')

# Check the configuration file
# (the output shows variable values and may include values sourced from Secrets)
kubectl exec -n primary-object-store "$POD_NAME" -- \
  cat /tmp/minio-config/config.env | grep MINIO_

To verify that the AIStor process has loaded the environment variables:

# Use mc admin to view server configuration
mc admin config get myaistor/ | grep -i <setting-name>

Replace myaistor with your AIStor Client alias and <setting-name> with the relevant configuration key.

Reference

For complete field definitions, see the ObjectStore CRD reference.

For a complete list of available AIStor environment variables, see AIStor Server Configuration Settings.

Environment variable fields

name
The environment variable name. Must be a valid AIStor environment variable name.
value
The environment variable value as a static string. Use this field for non-sensitive configuration values. Do not use both value and valueFrom in the same environment variable definition.
valueFrom
Reference to a Kubernetes resource containing the environment variable value. Use this field to retrieve values from Secrets or ConfigMaps. Do not use both value and valueFrom in the same environment variable definition.
valueFrom.secretKeyRef
Reference to a key in a Secret in the same namespace. Use this for sensitive values such as passwords, tokens, or credentials.
valueFrom.secretKeyRef.name
The name of the Secret containing the value.
valueFrom.secretKeyRef.key
The key within the Secret data that contains the value.
valueFrom.secretKeyRef.optional
If true, the ObjectStore deployment proceeds even if the Secret does not exist. If false or omitted, missing Secrets cause deployment failures.
valueFrom.configMapKeyRef
Reference to a key in a ConfigMap in the same namespace. Use this for non-sensitive configuration values.
valueFrom.configMapKeyRef.name
The name of the ConfigMap containing the value.
valueFrom.configMapKeyRef.key
The key within the ConfigMap data that contains the value.
valueFrom.configMapKeyRef.optional
If true, the ObjectStore deployment proceeds even if the ConfigMap does not exist. If false or omitted, missing ConfigMaps cause deployment failures.
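
A pre-deployment check for the field rules and limitations above, as an added example that is not part of the AIStor documentation or the Operator's code: it flags entries that set both value and valueFrom, use an unsupported source such as fieldRef, or keep a credential in a static value, a ConfigMap, or an optional Secret. The function name lint_env, the sample data, and the name-based sensitivity pattern are assumptions made for illustration.

```python
import re

# Assumption: names containing these words carry credentials (heuristic, not an AIStor rule).
SENSITIVE = re.compile(r"PASSWORD|TOKEN|SECRET", re.IGNORECASE)
SUPPORTED = ("secretKeyRef", "configMapKeyRef")  # the only sources the page lists as supported

def lint_env(env):
    """Return (variable name, finding) pairs for an ObjectStore env list."""
    findings = []
    for entry in env:
        name = entry.get("name", "<unnamed>")
        has_value = "value" in entry
        source = entry.get("valueFrom") or {}
        if has_value and source:
            findings.append((name, "sets both value and valueFrom"))
        if not has_value and not source:
            findings.append((name, "sets neither value nor valueFrom"))
        for kind in source:
            if kind not in SUPPORTED:
                findings.append((name, f"unsupported source {kind}"))
            elif not all((source[kind] or {}).get(f) for f in ("name", "key")):
                findings.append((name, f"{kind} needs name and key"))
        if SENSITIVE.search(name):
            if has_value:
                findings.append((name, "sensitive value is static"))
            if "configMapKeyRef" in source:
                findings.append((name, "sensitive value read from a ConfigMap"))
            if (source.get("secretKeyRef") or {}).get("optional"):
                findings.append((name, "optional Secret: skipped silently if missing"))
    return findings

# Constructed sample: the env list of a values file, already parsed from YAML.
SAMPLE_ENV = [
    {"name": "MINIO_STORAGE_CLASS_STANDARD",
     "valueFrom": {"configMapKeyRef": {"name": "aistor-config", "key": "storage-class"}}},
    {"name": "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD", "value": "constructed-example"},
    {"name": "MINIO_NOTIFY_WEBHOOK_AUTH_TOKEN_primary",
     "valueFrom": {"configMapKeyRef": {"name": "aistor-config", "key": "token"}}},
    {"name": "MINIO_BROWSER", "value": "on",
     "valueFrom": {"configMapKeyRef": {"name": "aistor-config", "key": "browser"}}},
    {"name": "MINIO_OPTIONAL_SETTING",
     "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
]

if __name__ == "__main__":
    for name, finding in lint_env(SAMPLE_ENV):
        print(f"{name}: {finding}")
```

Run it against the parsed env list of each values file before helm upgrade; an empty result means none of these rules were violated.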