AIStor Server Helm Chart

The following page includes the full contents of the AIStor Server Helm Chart default values.yaml and all accompanying documentation.

# The following annotations and labels are applied to all resources created by the Helm chart.
annotations: {}
labels: {}

# Allows overriding the namespace for all resources created by the chart.
#namespaceOverride: "test"

###
# Root key for dynamically creating a secret for use with configuring root MinIO User
# Specify the ``name`` and then a list of environment variables.
#
# .. important::
#
#    Do not use this in production environments.
#    This field is intended for use with rapid development or testing only.
#
#    The ``accessKey`` and ``secretKey`` values set under ``secrets`` below are active defaults of this file, not placeholders.
#    They are published with the chart, so a deployment that keeps them runs with publicly known root credentials.
#    Outside of local testing, supply the root credentials through an existing Kubernetes secret (see ``existingSecret`` below) instead of a values file.
#
# For example:
#
# .. code-block:: yaml
#
#    name: myaistor-env-configuration
#    accessKey: minio
#    secretKey: minio123
#
secrets:
   name: myaistor-env-configuration
   accessKey: minio
   secretKey: minio123
   ###
   # If this variable is set, the chart uses an existing Kubernetes secret to set environment variables for the Object Store.
   # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration
   # The secret must contain a key ``config.env``.
   # The values should be a series of export statements to set environment variables for the Object Store.
   # For example:
   #
   # .. code-block:: shell
   #
   #    stringData:
   #       config.env: |-
   #         export MINIO_ROOT_USER=ROOTUSERNAME
   #         export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
   #
   #existingSecret: true
###
# Root key for AIStor Object Store
objectStore:
   ###
   # The Object Store name
   name: myaistor
   ###
   # Specify the container image to use, through the ``image.repository``, ``image.tag`` (or ``image.digest``) and ``image.pullPolicy`` fields.
   # For example, the following sets the image to the ``quay.io/minio/aistor/minio`` repo and the RELEASE.2025-05-14T05-01-13Z tag.
   # The container pulls the image if not already present:
   #
   # .. code-block:: yaml
   #
   #    image:
   #       repository: quay.io/minio/aistor/minio
   #       tag: RELEASE.2025-05-14T05-01-13Z
   #       pullPolicy: IfNotPresent
   #
   # The chart also supports specifying an image based on digest value:
   #
   # .. code-block:: yaml
   #
   #    image:
   #       repository: quay.io/minio/aistor/minio@sha256
   #       digest: 8ed72368aadd22e5c60f074e2e403040e782cb02c7341ba9c47dfc6d37567367
   #       pullPolicy: IfNotPresent
   #
   # A digest identifies one exact image, while a tag can later be pointed at different content.
   # Pin by digest where the deployed image must be verifiable and reproducible.
   #
   image: {}
   #   repository: quay.io/minio/aistor/minio
   #   tag: RELEASE.2024-10-10T15-35-50Z
   #   pullPolicy: IfNotPresent
   ###
   #
   # The name of a Kubernetes secret to use for pulling images from a private ``image.repository``, for example:
   #
   #    name: myaistor-image-pull-secret
   imagePullSecret: {}
   ###
   # The Kubernetes `Scheduler <https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Object Store pods.
   #
   # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
   scheduler: {}
   ###
   # The Kubernetes secret name that contains MinIO environment variable configurations.
   # The secret is expected to have a key named ``config.env`` containing environment variable exports.
   # The default name below matches ``secrets.name`` above, which that key describes as intended for development and testing only.
   configuration:
      name: myaistor-env-configuration
   ###
   # If this variable is set to true, the chart uses an existing Kubernetes secret to set environment variables for the Object Store.
   # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration
   # The secret must contain a key ``config.env``.
   # The values should be a series of export statements to set environment variables for the Object Store.
   # For example:
   #
   # .. code-block:: shell
   #
   #    stringData:
   #       config.env: |-
   #         export MINIO_ROOT_USER=ROOTUSERNAME
   #         export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
   #
   #   existingSecret: false
   ###
   # Top-level key for configuring Pool(s) in this Object Store.
   #
   # See `Operator CRD: Pools <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#pool>`__ for more information on all subfields.
   pools:
      ###
      # The number of MinIO Object Store Pods / Servers in this pool.
      # For standalone mode, supply 1. For distributed mode, supply 4 or more.
      # Note that the operator does not support upgrading from standalone to distributed mode.
      - servers: 4
        ###
        # Custom name for the pool
        name: pool-0
        ###
        # The number of volumes attached per MinIO Pod / Server.
        volumesPerServer: 4
        ###
        # The capacity per volume requested per MinIO Pod.
        size: 10Gi
        ###
        # The prefix for the storage name used by the Object Store.
        # This prefix is used to generate the Persistent Volume Claim (PVC) names for each volume
        # in the pool. The default is `data`, but you may want to override it when you upgrade from
        # a non-Helm deployment to a Helm deployment. If the volume claim template did not have a name,
        # set this to an empty string.
        #storageNamePrefix: ''
        ###
        # The `storageClass <https://kubernetes.io/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool.
        #
        # If you use the Amazon Elastic Block Store (EBS) CSI driver,
        # make sure to set xfs for the "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
        # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
        # storageClassName: standard
        ###
        # Specify `storageAnnotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs.
        storageAnnotations: {}
        ###
        # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to pods.
        annotations: {}
        ###
        # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to pods.
        labels: {}
        ###
        #
        # An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to pods.
        #
        # These settings determine the distribution of pods across worker nodes.
        tolerations: []
        ###
        # Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to pods.
        #
        # The Kubernetes scheduler uses these selectors to determine the worker nodes onto which it can deploy pods.
        #
        # If no worker nodes match the specified selectors, the deployment will fail.
        nodeSelector: {}
        ###
        #
        # The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to the pods.
        #
        # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
        affinity: {}
        ###
        #
        # The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to the pods.
        #
        # These settings can control the minimum and maximum resources requested for each pod.
        # If no worker nodes can meet the specified requests, the Operator may fail to deploy.
        resources: {}
        ###
        # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store resources.
        #
        # You may need to modify these values to meet your cluster's security and access settings.
        # The defaults below run the pods as a non-root user and group (ID 1000) and set ``runAsNonRoot: true``.
        #
        # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
        securityContext:
           runAsUser: 1000
           runAsGroup: 1000
           fsGroup: 1000
           fsGroupChangePolicy: "OnRootMismatch"
           runAsNonRoot: true
        ###
        # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store containers.
        # You may need to modify these values to meet your cluster's security and access settings.
        #
        # The defaults below run the container as non-root, disallow privilege escalation, drop all Linux capabilities and apply the runtime's default seccomp profile.
        # Relax them only where the cluster requires it; each relaxation widens what a compromised container can do.
        containerSecurityContext:
           runAsUser: 1000
           runAsGroup: 1000
           runAsNonRoot: true
           allowPrivilegeEscalation: false
           capabilities:
              drop:
                 - ALL
           seccompProfile:
              type: RuntimeDefault
        ###
        #
        # An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to the pods.
        #
        # These settings determine the distribution of pods across worker nodes.
        topologySpreadConstraints: []
        ###
        #
        # The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the pods.
        # runtimeClassName: ""
   ###
   # The mount path where Persistent Volumes are mounted inside Object Store container(s).
   mountPath: /export
   ###
   # The sub-path inside ``mountPath`` where MinIO stores data.
   #
   # .. warning::
   #
   #    Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Object Store.
   #    If you change these values post-deployment, then you may have different paths for new and pre-existing data.
   #    This can vastly increase operational complexity and may result in unpredictable data states.
   subPath: /data
   ###
   # Configures a Prometheus-compatible scraping endpoint at the specified port.
   metrics:
      enabled: false
      port: 9000
      protocol: http
   ###
   # Configures external certificate settings for the Object Store.
   certificates:
      ###
      # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
      #
      # This is used by MinIO to verify TLS connections from clients using those CAs.
      # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
      # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__.
      trustedCAs: []
      ###
      # Specify an array of Kubernetes secrets, where each entry corresponds to a secret that contains the TLS private key and public certificate pair.
      #
      # Omit this to use only the MinIO Operator autogenerated certificates.
      #
      # If you omit this field *and* set ``disableAutoCert`` to true, the Object Store starts without TLS.
      # Without TLS, credentials and object data cross the network unencrypted.
      #
      # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__.
      #
      # .. important::
      #
      #    The Object Store Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
      #
      #    You can pass the CA to the Object Store Operator to allow it to trust that cert.
      #    See `Self-Signed, Internal, and Private Certificates <https://docs.min.io/enterprise/aistor-object-store/installation/kubernetes/network-encryption/>`__ for more information.
      #    This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Object Store Operator to help build the full chain of trust.
      server: []
      ## Use this field to provide client certificates for MinIO & KES. This can be used to configure
      ## mTLS for MinIO and your KES server. Files will be mounted under /tmp/certs folder, supported types:
      ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
      ## For example:
      ##
      ##  KESClient:
      ##    name: mtls-certificates-for-object-store
      ##    type: Opaque
      ##
      ## Create secrets as explained here:
      ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
      # KESClient: {}
      ##
      ## Use this field to provide additional client certificates for the MinIO Object Store.
      ## Certificate secret files will be mounted under /tmp/certs folder, supported types:
      ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
      ##
      ## Mount path inside the container:
      ##
      ##   certs
      ##     |
      ##     + client-0
      ##     |     + client.crt
      ##     |     + client.key
      ##     + client-1
      ##     |     + client.crt
      ##     |     + client.key
      ##     + client-2
      ##     |     + client.crt
      ##     |     + client.key
      ## For example:
      ##
      ##    client:
      ##      - name: client-certificate-1
      ##        type: kubernetes.io/tls
      ##      - name: client-certificate-2
      ##        type: kubernetes.io/tls
      ##      - name: client-certificate-3
      ##        type: kubernetes.io/tls
      ##
      ## Create secrets as explained here:
      ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
      client: []
      ###
      # Set to ``true`` to disable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__.
      # The default ``false`` leaves automatic certificate generation enabled.
      disableAutoCert: false
      ###
      # The minimum number of days to expiry before an alert for an expiring certificate is fired.
      # In the example below, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry.
      # certExpiryAlertThreshold: 1
      ###
      # This field is used only when ``disableAutoCert: false``.
      # Use this field to set CommonName for the auto-generated certificate.
      # MinIO defaults to using the internal Kubernetes DNS name for the pod.
      # The default DNS name format is typically ``*.minio.default.svc.cluster.local``.
      #
      # See `Operator CRD: CertificateConfig <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#certificateconfig>`__
      config: {}
   ###
   # MinIO features to enable or disable in the MinIO Object Store
   # See `Operator CRD: Features <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#features>`__.
   features:
      bucketDNS: false
      domains: {}
      enableSFTP: false
   ###
   # The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for Object Store Pods.
   # Can be "OrderedReady" or "Parallel"
   podManagementPolicy: Parallel
   # The `Liveness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Object Store pod liveness.
   # Object Store pods will be restarted if the probe fails.
   liveness: {}
   ###
   # `Readiness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Object Store container readiness.
   # Object Store pods will be removed from service endpoints if the probe fails.
   readiness: {}
   ###
   # `Startup Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup.
   # Object Store pods will be restarted if the probe fails.
   startup: {}
   ###
   # The `Lifecycle hooks <https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/>`__ for the container.
   lifecycle: {}
   ###
   # Directs the Object Store Operator to expose the S3 API or Web Console services to clients outside of the Kubernetes cluster.
   #
   # Supports `LoadBalancer`, `NodePort`, and `ClusterIP` (Default)
   #
   # `ClusterIP` keeps a service reachable only from inside the cluster.
   # `NodePort` and `LoadBalancer` publish it beyond the cluster, so use them only together with TLS and network-level access restrictions.
   #
   # These configurations do not prevent exposing the services via Ingress, Routes, or other networking features
   services:
      console:
         serviceType: ClusterIP
         #serviceType: NodePort
         #nodePort: 31000
         #serviceExternalTrafficPolicy: Local
         #annotations: {}
         #labels: {}
      minio:
         serviceType: ClusterIP
         #serviceType: NodePort
         #nodePort: 31001
         #serviceExternalTrafficPolicy: Local
         #annotations: {}
         #labels: {}
   ###
   # The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Object Store.
   serviceAccountName: ""
   ###
   # When legacy audience is set to `true`, the Object Store Operator requires the legacy audience (Kubernetes API) in the Service Account tokens.
   # The new default behavior requires Kubernetes Service Accounts to include the `sts.min.io` audience claim, which prevents MinIO tokens from being used for
   # contacting the Kubernetes API or vice-versa. Only set this to `true` if you are using an older version of the Object Store Operator that does
   # not support the new audience, or if you rely on the old behavior.
   legacyAudience: false
   ###
   # Directs the Object Store Operator to add the Object Store's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
   prometheusOperator: false
   ###
   # Configure pod logging configuration for the MinIO Object Store.
   #
   # - Specify ``json`` for JSON-formatted logs.
   # - Specify ``anonymous`` for anonymized logs.
   # - Specify ``quiet`` to suppress logging.
   #
   # An example of JSON-formatted logs is as follows:
   #
   # .. code-block:: shell
   #
   #    $ k logs myaistor-pool-0-0 -n default
   #    {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
   logging: {}
   ###
   # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
   # Values written here are stored in plain text in the values file; keep credentials in a Kubernetes secret instead.
   env: []
   ###
   # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
   # This is applied to MinIO pods only.
   # Refer to the Kubernetes documentation for details: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
   priorityClassName: ""
   ###
   # An array of `Initialization Containers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to initialize the Object Store pods.
   #
   # All initialization containers should be run to completion before the Object Store pod starts.
   initContainers: []
   ###
   # An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to Object Store pods.
   #
   # The volumes must exist *and* be accessible to the Object Store pods.
   additionalVolumes: []
   ###
   # An array of volume mount points associated to each Object Store container.
   #
   # Specify each item in the array as follows:
   #
   # .. code-block:: yaml
   #
   #    volumeMounts:
   #    - name: volumename
   #      mountPath: /path/to/mount
   #
   # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
   additionalVolumeMounts: []

   # Define configuration for KES (stateless and distributed key-management system).
   # Refer to https://github.com/minio/kes
   #kes:
   #  ## Image field:
   #  # Image from tag (original behavior), for example:
   #  # image:
   #  #   repository: quay.io/minio/kes
   #  #   tag: 2024-06-17T15-47-05Z
   #  # Image from digest (added after original behavior), for example:
   #  # image:
   #  #   repository: quay.io/minio/kes@sha256
   #  #   digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b
   #  image:
   #    repository: quay.io/minio/kes
   #    tag: 2024-06-17T15-47-05Z
   #    pullPolicy: IfNotPresent
   #  env: [ ]
   #  replicas: 1
   #  configuration: |-
   #    address: :7373
   #    tls:
   #      key: /tmp/kes/server.key   # Path to the TLS private key
   #      cert: /tmp/kes/server.crt # Path to the TLS certificate
   #      proxy:
   #        identities: []
   #        header:
   #          cert: X-Tls-Client-Cert
   #    admin:
   #      identity: ${MINIO_KES_IDENTITY}
   #    cache:
   #      expiry:
   #        any: 5m0s
   #        unused: 20s
   #    log:
   #      error: on
   #      audit: off
   #    keystore:
   #      # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended
   #      # use a real KMS
   #      # fs:
   #      #   path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production.
   #      vault:
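   #        endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint. Example value only; use an https:// endpoint outside of test setups, since the AppRole credentials below are sent over this connection.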
   #        namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
   #        prefix: "my-minio"    # An optional K/V prefix. The server will store keys under this prefix.
   #        approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
   #          id: "<YOUR APPROLE ID HERE>"      # Your AppRole Role ID
   #          secret: "<YOUR APPROLE SECRET ID HERE>"  # Your AppRole Secret ID
   #          retry: 15s  # Duration until the server tries to re-authenticate after connection loss.
   #        tls:        # The Vault client TLS configuration for mTLS authentication and certificate verification
   #          key: ""     # Path to the TLS client private key for mTLS authentication to Vault
   #          cert: ""    # Path to the TLS client certificate for mTLS authentication to Vault
   #          ca: ""      # Path to one or multiple PEM root CA certificates
   #        status:     # Vault status configuration. The server will periodically reach out to Vault to check its status.
   #          ping: 10s   # Duration until the server checks Vault's status again.
   #      # aws:
   #      #   # The AWS SecretsManager key store. The server will store
   #      #   # secret keys at the AWS SecretsManager encrypted with
   #      #   # AWS-KMS. See: https://aws.amazon.com/secrets-manager
   #      #   secretsmanager:
   #      #     endpoint: ""   # The AWS SecretsManager endpoint      - e.g.: secretsmanager.us-east-2.amazonaws.com
   #      #     region: ""     # The AWS region of the SecretsManager - e.g.: us-east-2
   #      #     kmskey: ""     # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
   #      #     credentials:   # The AWS credentials for accessing secrets at the AWS SecretsManager.
   #      #       accesskey: ""  # Your AWS Access Key
   #      #       secretkey: ""  # Your AWS Secret Key
   #      #       token: ""      # Your AWS session token (usually optional)
   #  imagePullPolicy: "IfNotPresent"
   #  externalCertSecret: null
   #  clientCertSecret: null
   #  trustedCAs: null
   #  # Key name to be created on the KMS, default is "my-minio-key"
   #  keyName: ""
   #  resources: { }
   #  nodeSelector: { }
   #  affinity:
   #    nodeAffinity: { }
   #    podAffinity: { }
   #    podAntiAffinity: { }
   #  tolerations: [ ]
   #  annotations: { }
   #  labels: { }
   #  serviceAccountName: ""
   #  securityContext:
   #    runAsUser: 1000
   #    runAsGroup: 1000
   #    runAsNonRoot: true
   #    fsGroup: 1000
   #  containerSecurityContext:
   #    runAsUser: 1000
   #    runAsGroup: 1000
   #    runAsNonRoot: true
   #    allowPrivilegeEscalation: false
   #    capabilities:
   #      drop:
   #        - ALL
   #    seccompProfile:
   #      type: RuntimeDefault
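# Use an extraResources template section to include additional Kubernetes resources
# with the Helm deployment.
# The root credentials in the example below are sample values; replace them before using the template.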
#extraResources:
#  - |
#    apiVersion: v1
#    kind: Secret
#    type: Opaque
#    metadata:
#      name: {{ dig "secrets" "name" "" (.Values | merge (dict)) }}
#    stringData:
#      config.env: |-
#        export MINIO_ROOT_USER='minio'
#        export MINIO_ROOT_PASSWORD='minio123'