feat(k8s): make app-tier object storage configurable via storage.s3#5932
Open
aicam wants to merge 1 commit into
Route the file-service and workflow-computing-unit-manager S3 access (endpoint + credentials) through a new `storage.s3` values block instead of hardcoding the in-cluster MinIO Service/Secret. When storage.s3.endpoint is empty the helpers fall back to the in-cluster MinIO, so the default install is unchanged (no-op render). Setting storage.s3.endpoint + credentials points those services at an external S3-compatible store; a `<release>-s3-credentials` Secret is generated from the inline keys unless storage.s3.existingSecret is provided. LakeFS/Lakekeeper storage and the minio.enabled off-switch are intentionally left for the next step. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bobbai00 requested changes Jun 26, 2026
Left a comment for clarification
    # S3-compatible endpoint URL -- together with region and credentials -- to
    # point the services at an external store (e.g. AWS S3) instead.
    storage:
      s3:
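Review bot: the header comment above `storage:`/`s3:` documents only the external case; it should also state that leaving `endpoint` empty keeps the in-cluster MinIO Service/Secret (the no-op default the description relies on) and that `existingSecret` takes precedence over `accessKeyId`/`secretAccessKey`, so the generated `<release>-s3-credentials` Secret is skipped when it is set. Naming the keys an `existingSecret` must carry (`access-key-id`/`secret-access-key`) in the same comment would let operators create that Secret out of band without reading `_helpers.tpl`, and pointing them at `existingSecret` rather than inline keys keeps credentials out of committed values files.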
We currently have two places that use S3:
- datasetS3: LakeFS uses S3 as its underlying storage
- executionS3: workflow execution results are using S3
Which one is this PR introducing?
Seems both are touched in this PR. But should LakeFS's S3 connection also be updated, because it should use datasetS3?
What changes were proposed in this PR?
This makes the application tier's object-storage target configurable, as the first step toward supporting an external S3 store alongside the in-cluster MinIO. It is non-breaking: the default (on-prem / in-cluster MinIO) install renders an identical set of resources.
Today `file-service` and `workflow-computing-unit-manager` hardcode the S3 endpoint and credentials to the in-cluster MinIO Service (`{{ .Release.Name }}-minio`) and its auto-generated Secret. This PR routes both through a new `storage.s3` values block:

- `values.yaml` — new `storage.s3` block: `endpoint`, `region`, `existingSecret`, `accessKeyId`, `secretAccessKey`. All default to empty.
- `templates/base/_helpers.tpl` (new) — helpers that resolve the S3 endpoint and the credentials Secret name/keys. When `storage.s3.endpoint` is empty they fall back to the in-cluster MinIO Service and its `{{ .Release.Name }}-minio` Secret (keys `root-user`/`root-password`), so the default render is unchanged.
- `templates/aws/s3-credentials-secret.yaml` (new) — a `{{ .Release.Name }}-s3-credentials` Secret, rendered only when an external `endpoint` is set and no `existingSecret` is supplied. Renders nothing on the default install.
- `file-service`/`workflow-computing-unit-manager` deployments — the `STORAGE_S3_*` env now comes from the helpers; `STORAGE_S3_REGION` is added only in external mode.

How it behaves:

- `storage.s3.endpoint` + `region` + credentials (or `existingSecret`) → both services use that store; the chart materializes the credentials Secret unless you bring your own.

Out of scope (intentionally deferred to keep this PR small and atomic): LakeFS blockstore + Lakekeeper warehouse external-S3 wiring, the `minio.enabled` switch to drop the in-cluster MinIO entirely, and a `values-aws.yaml` example overlay. Those are the LakeFS/Lakekeeper half of "make object storage pluggable" and will land as a follow-up.

Any related issues, documentation, discussions?

Closes #5931 (app-tier `storage.s3` task).
Part of #5891 — unify AWS (EKS) and on-premise Kubernetes deployment under `bin/k8s` (parent feature).
Follows #5757 (Helm template reorg) and the design discussion in #5641.
How was this PR tested?
Verified the default install is unchanged and the external path renders correctly:
- `helm template texera bin/k8s` on this branch vs on `main` renders the same 102 resources — identical after ignoring comments. The only textual artifact is one empty `---` document from the gated-off `s3-credentials-secret.yaml` (its `# license` header is emitted by Helm even though the `{{- if }}` body is empty); it produces no Kubernetes object. `helm lint` passes.
- `helm template ... --set storage.s3.endpoint=https://s3.us-west-2.amazonaws.com --set storage.s3.accessKeyId=… --set storage.s3.secretAccessKey=…` renders the `*-s3-credentials` Secret, repoints both deployments' `STORAGE_S3_ENDPOINT`/credentials at it (keys `access-key-id`/`secret-access-key`), and adds `STORAGE_S3_REGION`.
- `--set storage.s3.existingSecret=my-creds`: the deployments reference `my-creds` and the chart generates no Secret.
- `helm lint bin/k8s` passes for both the default and the external value sets.
- `helm install` locally with Minikube, then test creating a dataset and running workflows.

No unit tests were added — the change is limited to Helm chart values/templates, validated by the render diff and `helm lint` above.

Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Code (Claude Opus 4.8)
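The fallback and precedence rules the description above outlines (empty `endpoint` → in-cluster MinIO Secret with `root-user`/`root-password`; external `endpoint` → `existingSecret` if given, else a generated `<release>-s3-credentials` Secret with `access-key-id`/`secret-access-key`; `STORAGE_S3_REGION` only in external mode) can be exercised offline. The following Go program is an added example, not the chart's own `_helpers.tpl` or any code from the PR: it implements the same resolution in `text/template`, which is what Helm renders with, and renders the resulting container env plus the gated Secret for each mode. Assumptions for this example: the helper names, the MinIO port `9000`, the env names `STORAGE_S3_ACCESS_KEY_ID`/`STORAGE_S3_SECRET_ACCESS_KEY`, `strconv.Quote` standing in for sprig's `quote`, a hand-rolled `include`, and a `fail` guard for an external endpoint configured without any credentials, which the PR text does not describe but which a reviewer would want so a misconfigured install fails at render time rather than at runtime.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// helperTpl is an illustrative stand-in for templates/base/_helpers.tpl (assumed names).
const helperTpl = `
{{- define "s3.endpoint" -}}{{ or .Values.storage.s3.endpoint (printf "http://%s-minio:9000" .Release.Name) }}{{- end -}}
{{- define "s3.secretName" -}}
{{- if not .Values.storage.s3.endpoint }}{{ .Release.Name }}-minio
{{- else }}{{ or .Values.storage.s3.existingSecret (printf "%s-s3-credentials" .Release.Name) }}{{ end -}}
{{- end -}}
{{- define "s3.accessKeyKey" -}}
{{- if .Values.storage.s3.endpoint }}access-key-id{{ else }}root-user{{ end -}}
{{- end -}}
{{- define "s3.secretKeyKey" -}}
{{- if .Values.storage.s3.endpoint }}secret-access-key{{ else }}root-password{{ end -}}
{{- end -}}
{{- define "s3.env" -}}
- name: STORAGE_S3_ENDPOINT
  value: {{ include "s3.endpoint" . | quote }}
- name: STORAGE_S3_ACCESS_KEY_ID
  valueFrom: {secretKeyRef: {name: {{ include "s3.secretName" . }}, key: {{ include "s3.accessKeyKey" . }}}}
- name: STORAGE_S3_SECRET_ACCESS_KEY
  valueFrom: {secretKeyRef: {name: {{ include "s3.secretName" . }}, key: {{ include "s3.secretKeyKey" . }}}}
{{- if .Values.storage.s3.endpoint }}
- name: STORAGE_S3_REGION
  value: {{ .Values.storage.s3.region | quote }}
{{- end }}
{{- end -}}
{{- define "s3.credentialsSecret" -}}
{{- if and .Values.storage.s3.endpoint (not .Values.storage.s3.existingSecret) -}}
{{- if or (not .Values.storage.s3.accessKeyId) (not .Values.storage.s3.secretAccessKey) -}}
{{ fail "storage.s3.endpoint is set: provide existingSecret or both accessKeyId and secretAccessKey" }}
{{- end -}}
apiVersion: v1
kind: Secret
metadata: {name: {{ .Release.Name }}-s3-credentials}
type: Opaque
stringData:
  access-key-id: {{ .Values.storage.s3.accessKeyId | quote }}
  secret-access-key: {{ .Values.storage.s3.secretAccessKey | quote }}
{{- end -}}
{{- end -}}
`

// newEngine parses the helpers with stand-ins for the Helm/sprig functions they use.
func newEngine() *template.Template {
	var tpl *template.Template
	funcs := template.FuncMap{
		"quote": strconv.Quote,
		"fail":  func(msg string) (string, error) { return "", errors.New(msg) },
		"include": func(name string, data any) (string, error) { // render a named template to a string
			var b bytes.Buffer
			err := tpl.ExecuteTemplate(&b, name, data)
			return b.String(), err
		},
	}
	tpl = template.Must(template.New("helpers").Funcs(funcs).Parse(helperTpl))
	return tpl
}

// S3Values mirrors the storage.s3 block; every field defaults to empty, as in values.yaml.
type S3Values struct{ Endpoint, Region, ExistingSecret, AccessKeyID, SecretAccessKey string }

func render(name, release string, v S3Values) (string, error) {
	data := map[string]any{
		"Release": map[string]any{"Name": release},
		"Values": map[string]any{"storage": map[string]any{"s3": map[string]any{
			"endpoint": v.Endpoint, "region": v.Region, "existingSecret": v.ExistingSecret,
			"accessKeyId": v.AccessKeyID, "secretAccessKey": v.SecretAccessKey,
		}}},
	}
	var b bytes.Buffer
	if err := newEngine().ExecuteTemplate(&b, name, data); err != nil {
		return "", err
	}
	return strings.TrimSpace(b.String()), nil
}

// RenderS3Env returns the STORAGE_S3_* env entries both deployments would get.
func RenderS3Env(release string, v S3Values) (string, error) { return render("s3.env", release, v) }

// RenderCredentialsSecret returns the generated <release>-s3-credentials manifest, "" when it
// is gated off (default install or existingSecret), or an error for an external endpoint
// configured without usable credentials.
func RenderCredentialsSecret(release string, v S3Values) (string, error) {
	return render("s3.credentialsSecret", release, v)
}

func main() {
	ext := "https://s3.us-west-2.amazonaws.com" // constructed sample values, not real credentials
	for name, v := range map[string]S3Values{
		"default":         {},
		"external-inline": {Endpoint: ext, Region: "us-west-2", AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "example-secret"},
		"existing-secret": {Endpoint: ext, Region: "us-west-2", ExistingSecret: "my-creds"},
		"misconfigured":   {Endpoint: ext},
	} {
		env, _ := RenderS3Env("texera", v)
		sec, err := RenderCredentialsSecret("texera", v)
		fmt.Printf("== %s ==\n%s\n-- generated Secret --\n%s\nerr=%v\n\n", name, env, sec, err)
	}
}
```

Run it with `go run .`; the `misconfigured` case shows the render-time failure, while the other three reproduce the env/Secret shapes listed under "How it behaves" above.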