Operator Environment Variables
This page documents environment variables that control the behavior of the AIStor Operator.
Configure these variables in the object-store-operator Deployment to customize how the Operator manages AIStor Object Store deployments on Kubernetes.
TLS and certificates
The following environment variables control TLS certificate handling for the Operator.
CSR signer name
MINIO_OPERATOR_CSR_SIGNER_NAME
Optional
Specifies the signer name to use for Certificate Signing Requests.
Default: kubernetes.io/kubelet-serving
On Amazon EKS clusters, the Operator automatically detects the EKS environment and uses beta.eks.amazonaws.com/app-serving as the signer name.
Operator TLS certificate password
Optional
Password to decrypt the private key in the TLS certificate for the Operator service. Only required if the TLS certificate private key is encrypted.
Default: Empty (no password).
Disable auto-generated TLS certificates
OPERATOR_AUTO_CERT_DISABLED
Optional
Disables automatic TLS certificate creation for the Operator’s upgrade service. The upgrade service provides MinIO binary artifacts during Object Store upgrades.
| Value | Description |
|---|---|
| on | Disable automatic TLS certificate generation. The upgrade service runs over HTTP. |
Default: Automatic TLS certificate generation is enabled. The upgrade service runs over HTTPS.
When disabled, you can:
- Provide custom certificates using OPERATOR_CUSTOM_TLS_SECRET_NAME.
- Run the upgrade service without TLS (not recommended for production).
The Operator automatically renews auto-generated certificates before expiration.
Custom TLS secret name
OPERATOR_CUSTOM_TLS_SECRET_NAME
Optional
Specifies the name of a Kubernetes Secret containing custom TLS certificates for the Operator’s upgrade service.
The Secret must exist in the same namespace as the Operator and contain tls.crt and tls.key entries.
Default: Empty (use auto-generated certificates).
Use this variable in combination with OPERATOR_AUTO_CERT_DISABLED=on to provide your own TLS certificates for the upgrade service.
When using custom certificates, add the CA certificate to the Object Store’s trusted CAs so MinIO trusts the certificate presented by the upgrade service:
objectStore:
  certificates:
    trustedCAs:
      - name: upgrade-service-ca
The Operator automatically reloads certificates when the Secret contents change.
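The TLS rules above can be checked before rollout. The following is an added example, not part of the AIStor documentation or the Operator's code: a Python audit over the JSON form of the Operator Deployment and its Secrets that flags an upgrade service left on plain HTTP, a custom Secret named without OPERATOR_AUTO_CERT_DISABLED=on, and a Secret that is in the wrong namespace or lacks tls.crt or tls.key. The sample objects, the `aistor` namespace, the `upgrade-tls` Secret name and the function names are assumptions made for illustration.

```python
# Constructed sample shaped like `kubectl get deployment object-store-operator -o json`;
# the "aistor" namespace and "upgrade-tls" Secret name are assumptions.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "object-store-operator", "namespace": "aistor"},
    "spec": {"template": {"spec": {"containers": [{"name": "operator", "env": [
        {"name": "OPERATOR_AUTO_CERT_DISABLED", "value": "on"},
        {"name": "OPERATOR_CUSTOM_TLS_SECRET_NAME", "value": "upgrade-tls"},
    ]}]}}},
}
# Constructed sample Secret in the same namespace, deliberately lacking tls.key.
SAMPLE_SECRETS = [{"metadata": {"name": "upgrade-tls", "namespace": "aistor"},
                   "data": {"tls.crt": "PGNvbnN0cnVjdGVkPg=="}}]


def operator_env(deployment):
    """Collect literal env values from every container; valueFrom entries map to None."""
    env = {}
    for container in deployment["spec"]["template"]["spec"].get("containers", []):
        for entry in container.get("env", []):
            env[entry["name"]] = None if "valueFrom" in entry else entry.get("value", "")
    return env


def audit(deployment, secrets):
    """Return a list of findings for the upgrade-service TLS settings."""
    ns = deployment["metadata"].get("namespace", "default")
    env = operator_env(deployment)
    findings = [f"{k}: set via valueFrom, check manually" for k, v in env.items() if v is None]
    auto_off = env.get("OPERATOR_AUTO_CERT_DISABLED") == "on"  # the only documented value
    secret_name = env.get("OPERATOR_CUSTOM_TLS_SECRET_NAME", "")
    if auto_off and secret_name == "":
        findings.append("upgrade service runs over HTTP (auto-cert off, no custom Secret)")
    if secret_name and not auto_off:
        findings.append("custom TLS Secret named without OPERATOR_AUTO_CERT_DISABLED=on")
    if secret_name:
        match = [s for s in secrets if s["metadata"]["name"] == secret_name
                 and s["metadata"].get("namespace") == ns]
        if not match:
            findings.append(f"Secret {secret_name!r} not found in namespace {ns!r}")
        for s in match:
            missing = {"tls.crt", "tls.key"} - set(s.get("data") or {})
            if missing:
                findings.append(f"Secret {secret_name!r} missing {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOYMENT, SAMPLE_SECRETS):
        print("-", finding)
```

An empty result means the Deployment matches the documented combination; a variable supplied through valueFrom is reported for manual review because its value is not visible in the manifest.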
Operator configuration
The following environment variables configure general Operator behavior.
Operator deployment name
MINIO_OPERATOR_DEPLOYMENT_NAME
Optional
Specifies a custom deployment name for the Operator.
Default: object-store-operator.
Watched namespaces
WATCHED_NAMESPACE
Optional
Comma-separated list of Kubernetes namespaces the Operator monitors for AIStor Object Store custom resources.
Default: Empty (watches all namespaces).
Example: WATCHED_NAMESPACE=minio-tenant-1,minio-tenant-2
When set, the Operator only manages Object Store clusters in the specified namespaces. Use this variable to run multiple Operator instances that manage different sets of Object Store clusters.
Operator sidecar image
Optional
Specifies the container image to use for sidecar containers and the validate-arguments init container in Object Store pods.
Default: Uses the same image as the Operator.
Set this variable when you need sidecar containers to use a different image than the Operator, such as when using a private registry with different image tags.
Kubernetes cluster
The following environment variables relate to Kubernetes cluster configuration.
Cluster domain
Optional
Specifies the Kubernetes cluster domain for DNS resolution.
Default: cluster.local (auto-detected from the cluster).
The Operator uses this value when constructing fully qualified domain names for Object Store services. Only set this variable if your cluster uses a non-standard domain.
Monitoring
The following environment variables configure Prometheus monitoring integration.
Monitoring interval
Optional
Interval in minutes between Object Store health monitoring checks.
Default: 5
The Operator periodically checks the health of managed Object Stores at this interval.
Prometheus namespace
PROMETHEUS_NAMESPACE
Optional
Namespace where the Prometheus instance managed by the prometheus-operator is deployed.
Default: default
The Operator uses this value to locate the Prometheus custom resource when configuring scrape targets for Object Store metrics.
Prometheus name
Optional
Name of the Prometheus custom resource to configure for Object Store metrics scraping.
Default: Empty (auto-detect).
When not set and multiple Prometheus instances exist in the namespace specified by PROMETHEUS_NAMESPACE, the Operator returns an error.
Set this variable explicitly when running multiple Prometheus instances.
Security
Disable minisign verification
Optional
Disables minisign signature verification for AIStor binary updates.
| Value | Description |
|---|---|
| on | Disable signature verification |
| off | Enable signature verification (default) |
Default: off