Description Use this command to discover the block devices present in the cluster. The command outputs a yaml file listing the available drives. After generating the yaml, modify the file to select the drive(s) you wish to use with Volume Manager. Ensure that any drives that should not be erased by Volume Manager have not been selected in the yaml file.

This page documents settings for configuring an Webhook service as a target for Bucket Notifications. See Publish Events to Webhook for a tutorial on using these settings. You can establish or modify settings by defining: an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable. a configuration setting using mc admin config set. If you define both an environment variable and the similar configuration setting, AIStor uses the environment variable value.

This page documents settings for enabling external identity management using the MinIO Identity Management Plugin. See MinIO External Identity Management Plugin for a tutorial on using these settings. You can establish or modify settings by defining: an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable. a configuration setting using mc admin config set. If you define both an environment variable and the similar configuration setting, AIStor uses the environment variable value.

The following page includes the full contents of the AIStor Server Helm Chart default values.yaml and all accompanying documentation. # Following annotations/labels are applied to all resources created by the Helm chart annotations: {} labels: {} # Allow to override the namespace for all resources #namespaceOverride: "test" ### # Root key for dynamically creating a secret for use with configuring root MinIO User # Specify the ``name`` and then a list of environment variables. # # .. important:: # # Do not use this in production environments. # This field is intended for use with rapid development or testing only. # # For example: # # .. code-block:: yaml # # name: myminio-env-configuration # accessKey: minio # secretKey: minio123 # secrets: name: myminio-env-configuration accessKey: minio secretKey: minio123 ### # If this variable is set, then enable the usage of an existing Kubernetes secret to set environment variables for the Object Store. # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration # The secret must contain a key ``config.env``. # The values should be a series of export statements to set environment variables for the Object Store. # For example: # # .. code-block:: shell # # stringData: # config.env: |- # export MINIO_ROOT_USER=ROOTUSERNAME # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD # #existingSecret: true ### # Root key for AIStor Object Store objectStore: ### # The Object Store name name: myminio ### # Specify the container image to use. # ``image.tag`` # For example, the following sets the image to the ``quay.io/minio/aistor/minio`` repo and the RELEASE.2025-05-14T05-01-13Z tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minio # tag: RELEASE.2025-05-14T05-01-13Z # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: # # .. code-block:: yaml # # image: # repository: quay.io/minio/aistor/minio@sha256 # digest: 8ed72368aadd22e5c60f074e2e403040e782cb02c7341ba9c47dfc6d37567367 # pullPolicy: IfNotPresent # # image: {} # repository: quay.io/minio/aistor/minio # tag: RELEASE.2024-10-10T15-35-50Z # pullPolicy: IfNotPresent ### # # A Kubernetes secret name to use for pulling images from a private ``image.repository``. # name: myminio-image-pull-secret imagePullSecret: {} ### # The Kubernetes `Scheduler <https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Object Store pods. # # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler. scheduler: {} ### # The Kubernetes secret name that contains MinIO environment variable configurations. # The secret is expected to have a key named config.env containing environment variables exports. configuration: name: myminio-env-configuration ### # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Object Store. # The existing Kubernetes secret name must be placed under .objectStore.configuration.name e.g. existing-minio-env-configuration # The secret must contain a key ``config.env``. # The values should be a series of export statements to set environment variables for the Object Store. # For example: # # .. code-block:: shell # # stringData: # config.env: |- # export MINIO_ROOT_USER=ROOTUSERNAME # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD # # existingSecret: false ### # Top level key for configuring Pool(s) in this Object Store. # # See `Operator CRD: Pools <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#pool>`__ for more information on all subfields. pools: ### # The number of MinIO Object Store Pods / Servers in this pool. # For standalone mode, supply 1. For distributed mode, supply 4 or more. # Note that the operator does not support upgrading from standalone to distributed mode. - servers: 4 ### # Custom name for the pool name: pool-0 ### # The number of volumes attached per MinIO Pod / Server. volumesPerServer: 4 ### # The capacity per volume requested per MinIO Pod. size: 10Gi ### # The prefix for the storage name used by the Object Store. # This prefix is used to generate the Persistent Volume Claim (PVC) names for each volume # in the pool. The default is `data`, but you may want to override it, when you upgrade from # a non-Helm deployment to a Helm deployment. If the volume claim template didn't have a name, # then it should be set to an empty string. #storageNamePrefix: '' ### # The `storageClass <https://kubernetes.io/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool. # # If using Amazon Elastic Block Store (EBS) CSI driver # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md # storageClassName: standard ### # Specify `storageAnnotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs. storageAnnotations: {} ### # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to pods. annotations: {} ### # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to pods. labels: {} ### # # An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to pods. # # These settings determine the distribution of pods across worker nodes. tolerations: [] ### # Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to pods. # # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy pods. # # If no worker nodes match the specified selectors, the deployment will fail. nodeSelector: {} ### # # The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to the pods. # # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. affinity: {} ### # # The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to the pods. # # These settings can control the minimum and maximum resources requested for each pod. # If no worker nodes can meet the specified requests, the Operator may fail to deploy. resources: {} ### # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store resources. # # You may need to modify these values to meet your cluster's security and access settings. # # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files). securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" runAsNonRoot: true ### # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Object Store containers. # You may need to modify these values to meet your cluster's security and access settings. containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: - ALL seccompProfile: type: RuntimeDefault ### # # An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to the pods. # # These settings determine the distribution of pods across worker nodes. topologySpreadConstraints: [] ### # # The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the pods. # runtimeClassName: "" ### # The mount path where Persistent Volumes are mounted inside Object Store container(s). mountPath: /export ### # The Sub path inside Mount path where MinIO stores data. # # .. warning:: # # Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Object Store. # If you change these values post-deployment, then you may have different paths for new and pre-existing data. # This can vastly increase operational complexity and may result in unpredictable data states. subPath: /data ### # Configures a Prometheus-compatible scraping endpoint at the specified port. metrics: enabled: false port: 9000 protocol: http ### # Configures external certificate settings for the Object Store. certificates: ### # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. # # This is used by MinIO to verify TLS connections from clients using those CAs # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__. trustedCAs: [] ### # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair. # # Omit this to use only the MinIO Operator autogenerated certificates. # # If you omit this field *and* set ``disableAutoCert`` to true, the Object Store starts without TLS. # # See `ObjectStore CRD: ObjectStoreSpec <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#objectstorespec>`__. # .. important:: # # The Object Store Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates. # # You can pass the CA to the Object Store Operator to allow it to trust that cert. # See `Self-Signed, Internal, and Private Certificates <https://docs.min.io/enterprise/aistor-object-store/installation/kubernetes/network-encryption/>`__ for more information. # This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Object Store Operator to help build the full chain of trust. server: [] ## Use this field to provide client certificates for MinIO & KES. This can be used to configure ## mTLS for MinIO and your KES server. Files will be mounted under /tmp/certs folder, supported types: ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1 ## ie: ## ## KESClient: ## name: mtls-certificates-for-object-store ## type: Opaque ## ## Create secrets as explained here: ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret # KESClient: {} ## ## Use this field to provide additional client certificate for the MinIO Object Store ## Certificate secret files will be mounted under /tmp/certs folder, supported types: ## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1 ## ## mount path inside container: ## ## certs ## | ## + client-0 ## | + client.crt ## | + client.key ## + client-1 ## | + client.crt ## | + client.key ## + client-2 ## | + client.crt ## | + client.key ## ie: ## ## client: ## - name: client-certificate-1 ## type: kubernetes.io/tls ## - name: client-certificate-2 ## type: kubernetes.io/tls ## - name:client-certificate-3 ## type: kubernetes.io/tls ## ## Create secrets as explained here: ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret client: [] ### # Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__ disableAutoCert: false ### # The minimum number of days to expiry before an alert for an expiring certificate is fired. # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry # certExpiryAlertThreshold: 1 ### # This field is used only when ``disableAutoCert: false``. # Use this field to set CommonName for the auto-generated certificate. # MinIO defaults to using the internal Kubernetes DNS name for the pod # The default DNS name format is typically ``*.minio.default.svc.cluster.local``. # # See `Operator CRD: CertificateConfig <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#certificateconfig>`__ config: {} ### # MinIO features to enable or disable in the MinIO Object Store # See `Operator CRD: Features <https://docs.min.io/enterprise/aistor-object-store/reference/kubernetes/aistor-crd-v1/#features>`__. features: bucketDNS: false domains: {} enableSFTP: false ### # The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for Object Store Pods. # Can be "OrderedReady" or "Parallel" podManagementPolicy: Parallel # The `Liveness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Object Store pod liveness. # Object Store pods will be restarted if the probe fails. liveness: {} ### # `Readiness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Object Store container readiness. # Object Store pods will be removed from service endpoints if the probe fails. readiness: {} ### # `Startup Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup. # Object Store pods will be restarted if the probe fails. # Refer startup: {} ### # The `Lifecycle hooks <https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/>`__ for container. lifecycle: {} ### # Directs the Object Store Operator to expose the S3 API or Web Console services to clients outside of the Kubernetes cluster. # # Supports `LoadBalancer`, `NodePort`, and `ClusterIP` (Default) # # These configurations do not prevent exposing the services via Ingress, Routes, or other networking features services: console: serviceType: ClusterIP #serviceType: NodePort #nodePort: 31000 #serviceExternalTrafficPolicy: Local #annotations: {} #labels: {} minio: serviceType: ClusterIP #serviceType: NodePort #nodePort: 31001 #serviceExternalTrafficPolicy: Local #annotations: {} #labels: {} ### # The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Object Store. serviceAccountName: "" ### # When legacy audience is set to `true` the Object Store Operator will require the legacy audience (Kubernetes API) in the Service Account tokens. # The new default behavior requires Kubernetes Service Accounts to include the `sts.min.io` audience claim to prevent MinIO tokens to be used for # contacting the Kubernetes API or vice-versa. Only set this to `true` if you are using an older version of the Object Store Operator that does # not support the new audience or rely on the old behavior. legacyAudience: false ### # Directs the Object Store Operator to add the Object Store's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator. prometheusOperator: false ### # Configure pod logging configuration for the MinIO Object Store. # # - Specify ``json`` for JSON-formatted logs. # - Specify ``anonymous`` for anonymized logs. # - Specify ``quiet`` to supress logging. # # An example of JSON-formatted logs is as follows: # # .. code-block:: shell # # $ k logs myminio-pool-0-0 -n default # {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"} logging: {} ### # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) env: [] ### # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. # This is applied to MinIO pods only. # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ priorityClassName: "" ### # An array of `Initialization Containers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to initialize the Object Store pods. # # All initialization containers should be run to completion before the Object Store pod starts. initContainers: [] ### # An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to Object Store pods. # # The volumes must exist *and* be accessible to the Object Store pods. additionalVolumes: [] ### # An array of volume mount points associated to each Object Store container. # # Specify each item in the array as follows: # # .. code-block:: yaml # # volumeMounts: # - name: volumename # mountPath: /path/to/mount # # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array. additionalVolumeMounts: [] # Define configuration for KES (stateless and distributed key-management system) # Refer https://github.com/minio/kes #kes: # ## Image field: # # Image from tag (original behavior), for example: # # image: # # repository: quay.io/minio/kes # # tag: 2024-06-17T15-47-05Z # # Image from digest (added after original behavior), for example: # # image: # # repository: quay.io/minio/kes@sha256 # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b # image: # repository: quay.io/minio/kes # tag: 2024-06-17T15-47-05Z # pullPolicy: IfNotPresent # env: [ ] # replicas: 1 # configuration: |- # address: :7373 # tls: # key: /tmp/kes/server.key # Path to the TLS private key # cert: /tmp/kes/server.crt # Path to the TLS certificate # proxy: # identities: [] # header: # cert: X-Tls-Client-Cert # admin: # identity: ${MINIO_KES_IDENTITY} # cache: # expiry: # any: 5m0s # unused: 20s # log: # error: on # audit: off # keystore: # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended # # use a real KMS # # fs: # # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production. # vault: # endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint # namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html # prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix. # approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html # id: "<YOUR APPROLE ID HERE>" # Your AppRole Role ID # secret: "<YOUR APPROLE SECRET ID HERE>" # Your AppRole Secret ID # retry: 15s # Duration until the server tries to re-authenticate after connection loss. # tls: # The Vault client TLS configuration for mTLS authentication and certificate verification # key: "" # Path to the TLS client private key for mTLS authentication to Vault # cert: "" # Path to the TLS client certificate for mTLS authentication to Vault # ca: "" # Path to one or multiple PEM root CA certificates # status: # Vault status configuration. The server will periodically reach out to Vault to check its status. # ping: 10s # Duration until the server checks Vault's status again. # # aws: # # # The AWS SecretsManager key store. The server will store # # # secret keys at the AWS SecretsManager encrypted with # # # AWS-KMS. See: https://aws.amazon.com/secrets-manager # # secretsmanager: # # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com # # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 # # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. # # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. # # accesskey: "" # Your AWS Access Key # # secretkey: "" # Your AWS Secret Key # # token: "" # Your AWS session token (usually optional) # imagePullPolicy: "IfNotPresent" # externalCertSecret: null # clientCertSecret: null # trustedCAs: null # # Key name to be created on the KMS, default is "my-minio-key" # keyName: "" # resources: { } # nodeSelector: { } # affinity: # nodeAffinity: { } # podAffinity: { } # podAntiAffinity: { } # tolerations: [ ] # annotations: { } # labels: { } # serviceAccountName: "" # securityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # fsGroup: 1000 # containerSecurityContext: # runAsUser: 1000 # runAsGroup: 1000 # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - ALL # seccompProfile: # type: RuntimeDefault # Use an extraResources template section to include additional Kubernetes resources # with the Helm deployment. #extraResources: # - | # apiVersion: v1 # kind: Secret # type: Opaque # metadata: # name: {{ dig "secrets" "name" "" (.Values | merge (dict)) }} # stringData: # config.env: |- # export MINIO_ROOT_USER='minio' # export MINIO_ROOT_PASSWORD='minio123'

The following page includes the full contents of the AIStor Custom Resource Definition V1 (Stable) CustomResourceDefinition. API Reference Packages aistor.min.io/v1 aistor.min.io/v1 Package v1 - This page provides a quick automatically generated reference for the AIStor ObjectStore Operator aistor.min.io/v1 CRD.

This page covers settings that control behavior related to AIStor bucket notifications. You can establish or modify settings by defining: an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable. a configuration setting using mc admin config set. If you define both an environment variable and the similar configuration setting, AIStor uses the environment variable value.

The pages in this section document settings for configuring AIStor to work with identity and access management (IAM) solutions. There is a page of settings for each of the IAM methods AIStor supports. Active Directory / LDAP OpenID MinIO Identity Management Plugin MinIO Access Management Plugin

The mc sql command provides an S3 Select interface for performing sql queries on objects in the specified AIStor deployment. See Selecting content from objects for more information on S3 Select behavior and limitations. Syntax Example The following command queries all objects in the mydata bucket on the myminio AIStor deployment:

The mc rb command removes one or more buckets on AIStor or another S3-compatible service. To remove only the contents of a bucket, use mc rm instead. mc rb permanently deletes bucket(s) on the target deployment, including any and all object versions and bucket configurations such as lifecycle management or replication. You can also use mc rb against the local filesystem to produce similar results to the rm --rf commandline tool.

The mc replicate backlog shows a list of unreplicated new or deleted objects. You can list the replication status of objects for a particular remote target. To do so, you must have the ARN of the remote target. You can mc replicate ls and mc replicate status to retrieve the remote targets configured for a bucket and find the ARN. Syntax Example The following command shows new or deleted objects in the notes bucket of the teamorange/projects prefix on the myminio alias that have not yet replicated to a specific remote target bucket. The remote target’s ARN is arn:minio:replication::3bb8c736-4014-42c5-b3cb-d64e3ebaa75e:notes.