Object Storage Helm Values
Overview
This page is the authoritative reference for every Helm value under the
objectStorage.* namespace in the helm_aio chart. Operators wiring
the bundled helm_aio release through values files, GitOps, or --set
flags should refer to this page for the canonical schema and defaults.
For task-oriented guides built on top of these values, refer to:
- Object Storage Overview
- Choose a Provider
- Migrate Between Providers
- Add a New Object Storage Provider
Top-level keys
| Key | Type | Default | Purpose |
|---|---|---|---|
objectStorage.activeProvider | string | auto | Explicit override for the alias target. Set to a provider name (rustfs, minio, ...) to pin the alias regardless of the resolution rules. Defaults to auto. |
objectStorage.previousProvider | string | minio | Names the data-bearing side when two providers are enabled and activeProvider=auto. Read as the legacy default for installs that predated the registry. |
objectStorage.cutoverAcknowledged | bool | false | When true, the alias flips from previousProvider to the other enabled provider. The legacy rustfs.migrationAcknowledged is honored as a synonym. |
objectStorage.service.enabled | bool | true | When false, the ilum-objectstorage Service alias is not rendered, even if a provider is enabled. Useful for BYO external S3 deployments. |
objectStorage.endpoint | string | http://ilum-objectstorage:9000 | S3 API endpoint that bundled consumers target. Defaults to the in-cluster alias hostname. Override to point at an external provider. |
objectStorage.region | string | us-east-1 | S3 region passed to AWS SDK and Hadoop S3A clients. |
objectStorage.pathStyle | bool | true | Path-style addressing toggle. true matches bundled providers; set to false for AWS S3 virtual-hosted-style addressing. |
objectStorage.defaultBuckets | list[string] | [ilum-files, ilum-data, ilum-tables, ilum-mlflow, ilum-kestra, ilum-ducklake, ilum-langfuse] | Default bucket list created by the bundled init Jobs and referenced by the migration Job. |
Provider registry
The objectStorage.providers map declares each provider known to the
chart. Adding a new entry registers the provider; no chart-template
change is required. See Add a New Provider.
| Key | Type | Default | Purpose |
|---|---|---|---|
objectStorage.providers.<name>.enabled | bool | (unset for bundled; required for new providers) | Operator-set enable flag. Bundled providers (rustfs, minio) defer to their chart-level flags (.Values.rustfs.enabled, .Values.minio.enabled). New providers without a chart-level flag set this directly. |
objectStorage.providers.<name>.consolePath | string | provider-specific | iframe path the Ilum UI renders for this provider's console. Bundled defaults: /rustfs/console/ for RustFS, /external/minio/ for MinIO. |
objectStorage.providers.<name>.consoleMode | string (same-origin or nginx-rewrite) | provider-specific | Routing mode the Ilum UI's nginx proxy applies for this provider. same-origin for consoles with a configurable base path (RustFS); nginx-rewrite for consoles pinned to an absolute URL (MinIO). |
Bundled provider defaults
objectStorage:
providers:
rustfs:
consolePath: /rustfs/console/
consoleMode: same-origin
minio:
consolePath: /external/minio/
consoleMode: nginx-rewrite
Credentials
The shared Secret ilum-objectstorage-credentials carries the S3 root
credentials consumed by every bundled component. See
Rotate Object Storage Credentials
for the rotation procedure.
| Key | Type | Default | Purpose |
|---|---|---|---|
objectStorage.credentials.create | bool | true | Whether helm_aio should create the Secret on helm install. Disable when the operator manages the Secret externally. |
objectStorage.credentials.name | string | ilum-objectstorage-credentials | Name of the Secret. Bundled consumers read from this name; do not change without overriding every consumer chart. |
objectStorage.credentials.accessKey | string | admin | Initial access key. The Secret's lookup clause preserves the live value on helm upgrade, so this default applies only to net-new installs. |
objectStorage.credentials.secretKey | string | admin12345 | Initial secret key. Same lookup preservation as accessKey. Must be at least 8 characters for the bundled mc-based init Pod to authenticate. |
objectStorage.credentials.existingSecret | string | (unset) | Reference an externally-managed Secret instead of having helm_aio create one. |
objectStorage.credentials.preserveExisting | bool | true | When true, the chart's lookup clause reads the live Secret on helm upgrade and preserves its values. Set to false for deterministic helm template output in GitOps pipelines. |
Secret key aliases
The ilum-objectstorage-credentials Secret exposes the credential
pair under six aliased keys so each consumer can reference it under its
native naming convention:
| Key | Used by |
|---|---|
access-key | bundled consumers using the generic name |
secret-key | bundled consumers using the generic name |
root-user | the bundled MinIO chart |
root-password | the bundled MinIO chart |
RUSTFS_ACCESS_KEY | the bundled RustFS chart |
RUSTFS_SECRET_KEY | the bundled RustFS chart |
Legacy back-compat shims
The following keys remain accepted in 6.7.2 and later for back-compat with values overlays written against earlier releases. They are deprecated in favour of the new names listed in the table above and will be removed in a future major release.
| Legacy key | New equivalent | Notes |
|---|---|---|
rustfs.migrationAcknowledged | objectStorage.cutoverAcknowledged | Either flag triggers the cutover; both accepted simultaneously. |
rustfs.enabled | objectStorage.providers.rustfs.enabled | The chart-level flag remains the single source of truth for the RustFS sub-chart's render condition. The registry entry honors it. |
minio.enabled | objectStorage.providers.minio.enabled | Same back-compat shape as rustfs.enabled. |
MINIO_READ (backend permission) | OBJECT_STORAGE_READ | The backend continues to accept the legacy permission name and the rolesToMinio / groupsToMinio / minioMinAccessRole Hydra mappings. A one-time deprecation warning is logged on startup when the legacy form is supplied. |
Reference
- Chart source:
helm/helm_aio/values.yamlin the Ilum monorepo - Helpers reference:
helm/helm_aio/templates/_helpers.tpl(definesilum-aio.activeObjectStorageProvider,ilum-aio.objectStorageConsolePath,ilum-aio.objectStorageConsoleMode) - Upgrade notes:
helm/UPGRADE_NOTES.mdin the Ilum monorepo - Task-oriented guides: Object Storage section in User Guides