MinIO Key Management Service Operator Helm Chart
The following page includes the full contents of the MinIO Key Management Service (KMS) Operator Helm chart default values.yaml and all accompanying documentation.
Configuration precedence
The KMS Operator Helm chart supports a hierarchical configuration system where you can define settings at multiple levels. When the chart defines the same setting at multiple levels, the following order determines which value to use:
- Individual operator settings - Settings specified for a specific operator in operators.<operator-name>.* (for example, operators.minkms.replicas) take highest precedence.
- Global operator settings - Settings specified in global.operator.* that apply to all operators that do not have an individual setting.
- Default values - Settings in the default Helm chart template when neither a global nor an individual setting exists.
For example, if you set global.operator.replicas: 2 and operators.minkms.replicas: 3, the minkms operator uses 3 replicas while other operators use 2 replicas.
This precedence model allows you to define common settings globally while selectively overriding specific values for individual operators.
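The precedence rules above, worked through as an added example (not code from the chart or from MinIO). It assumes that "override (not extend)", as the values file comments put it, means an operator-level key replaces the whole global value with no deep merge; the operator name other-operator and the sample values are constructed. It shows the consequence for the hardened securityContext default: a per-operator override that sets a single field drops every other field.

```python
# Added example: models the precedence rules described on this page.
# Assumption: an operator-level key replaces the whole global value
# ("override, not extend"), so nested maps are not deep-merged.

# Hardened fields of the container securityContext in the default values.yaml.
HARDENED = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def effective(values, operator, key, chart_default=None):
    """Resolve a setting: operators.<name>.<key>, then global.operator.<key>, then default."""
    per_operator = values.get("operators", {}).get(operator) or {}
    if key in per_operator:
        return per_operator[key]
    global_operator = values.get("global", {}).get("operator") or {}
    if key in global_operator:
        return global_operator[key]
    return chart_default


def lost_hardening(values, operator):
    """Return the hardened securityContext fields missing from the effective value."""
    ctx = effective(values, operator, "securityContext", chart_default=HARDENED) or {}
    return sorted(k for k, want in HARDENED.items() if ctx.get(k) != want)


# Constructed sample values; "other-operator" is a hypothetical second operator.
SAMPLE = {
    "global": {"operator": {"replicas": 2, "securityContext": dict(HARDENED)}},
    "operators": {
        # Intent: change only the UID. Effect: the other fields are dropped.
        "minkms": {"replicas": 3, "securityContext": {"runAsUser": 2000}},
        "other-operator": {},
    },
}

if __name__ == "__main__":
    for name in SAMPLE["operators"]:
        print(name, effective(SAMPLE, name, "replicas", 1), lost_hardening(SAMPLE, name))
```

When overriding securityContext for a single operator, restate the full hardened block rather than only the field being changed.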
Values reference
# Default values for AIStor Operators chart
# Following annotations/labels are applied to all resources created by the Helm chart
annotations: {}
labels: {}
# Allow override the namespace for all resources
#namespaceOverride: "test"
# global settings are settings that will be applied to all operators
# unless explicitly overridden in the operator settings.
global:
  # The Helm chart will try to auto-detect OpenShift. If it cannot detect OpenShift
  # (i.e. when running helm template), then it will default to false. You can
  # override this setting to force OpenShift mode.
  #forceOpenShift: true

  # Specify the default cluster domain. When it's not set, then it
  # will try to auto-detect the cluster. But you may want to set it
  # explicitly
  # clusterDomain: "cluster.xxx"

  # The following settings will be set for all operators. They can
  # be overridden per operator by setting the same key in the
  # .operators.<operator> section.
  operator:
    # Specify number of replicas
    replicas: 1

    # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to pods.
    podAnnotations: {}

    # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to pods.
    podLabels: {}

    # This will add extra environment variables to the operator
    # containers.
    #
    # OpenTelemetry Configuration Example:
    # To enable OpenTelemetry logging, add OTEL environment variables:
    #
    # extraEnv:
    #   - name: OTEL_EXPORTER_OTLP_ENDPOINT
    #     # For gRPC protocol: use host:port (scheme optional, will be auto-stripped)
    #     value: "otel-collector.observability.svc.cluster.local:4317"
    #     # For HTTP protocol: include the http:// or https:// scheme
    #     # value: "http://otel-collector.observability.svc.cluster.local:4318"
    #   - name: OTEL_EXPORTER_OTLP_PROTOCOL
    #     value: "grpc" # or "http"
    #   - name: OTEL_EXPORTER_OTLP_INSECURE
    #     value: "false"
    #   - name: OTEL_EXPORTER_OTLP_HEADERS
    #     value: "authorization=Bearer token123" # Optional: for authentication
    extraEnv: []

    # Image pull policy (empty uses the default registry policy).
    imagePullPolicy: ""

    ###
    # You may need to set the image pull secrets when using a private registry.
    # Need to be set as an array of LocalObjectReference.
    # .. code-block:: yaml
    #
    #    imagePullSecrets:
    #      - name: minio-registry-secret
    #        type: kubernetes.io/dockerconfigjson
    imagePullSecrets: []

    # Resources for the operator containers.
    resources:
      requests:
        cpu: 200m
        ephemeral-storage: 500Mi
        memory: 256Mi

    # Security context for the operator containers (ignored on OpenShift)
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault

    # Security context for the operator pods (ignored on OpenShift)
    podSecurityContext: {}
    #   fsGroup: 2000

    # An array of Toleration labels for Operator pods to associate.
    # .. code-block:: yaml
    #
    #    tolerations:
    #      - effect: "NoSchedule"
    #        operator: "Equal"
    #        key: "key1"
    #        value: "value1"
    tolerations: []

    # Node selector labels
    nodeSelector: {}

    # When set, the operator only monitors resources in the listed namespaces.
    # A RoleBinding is created in each namespace instead of a ClusterRoleBinding.
    # Leave empty (default) for cluster-wide mode.
    #
    # watchedNamespaces:
    #   - namespace1
    #   - namespace2
    #
    # Automatic certificates require global cluster-wide permissions, so you
    # may want to disable this in namespace-scoped mode. Since OpenShift uses
    # OpenShift Service CA Operator to issue certificates, this setting is not
    # applicable in OpenShift.
    #
    # optOutAutomaticCertificates: true

# All operators will be using the global setting, unless overridden
# in the section below. All keys in `.global.operator` can also be
# used here and will override (not extend) the global setting.
#
# All operators will be disabled by default, with the exception of
# the key manager.
operators:
  minkms:
    disabled: false
    # affinity:
    #   podAntiAffinity:
    #     requiredDuringSchedulingIgnoredDuringExecution:
    #       - labelSelector:
    #           matchExpressions:
    #             - key: minkms.min.io/name
    #               operator: In
    #               values:
    #                 - minkms-operator
    #         topologyKey: kubernetes.io/hostname

# The repositories allow overriding the default repositories that
# are used to determine the full image names.
#
# When image pull secrets are added, then they are also used by the
# operator to set the proper image pull secrets for deployments,
# statefulsets, ... that use that repository.
repositories:
  aistor:
    hostname: quay.io
    pathPrefix: minio/aistor/
    # imagePullPolicy: IfNotPresent
    # imagePullSecrets:
    #   - name: pull-secret1
    #   - name: pull-secret2

# The images allow overriding the default images that are used to
# determine the full image names. When overriding the images,
# you can specify the full image name (including registry and path)
# or just the image name. When specifying just the image name,
# then the repository settings will be used to determine the full
# image name.
#
# It's not required to override all images if you only need to
# override a few of them. The images that are not overridden will
# use the default images.
#
# If you want to override an image without using the repository settings,
# then you can specify the full image name (including registry and path).
#
# images:
#   minkms: private.repo.org/aistor/minkms:latest
#
# AUTOGENERATE
images:
  minkms:
    repository: aistor
    image: minkms:RELEASE.2026-06-03T18-18-01Z
  minkms-sidecar:
    repository: aistor
    image: minkms-sidecar:RELEASE.2026-06-10T04-57-39Z
  operator:
    repository: aistor
    image: operator:RELEASE.2026-06-10T05-02-21Z