External S3 (BYO)
Overview
Ilum does not require a bundled object storage sub-chart. Any S3-compatible backend reachable from the cluster can serve as the data plane, including AWS S3, Wasabi, Backblaze B2, on-prem MinIO, Google Cloud Storage via the S3 interoperability layer, or any self-hosted S3 implementation.
This page explains the configuration shape. The integration is operator-driven: Ilum does not provision the buckets, manage the credentials, or expose a console for an external provider.
| Property | Value |
|---|---|
| License | Provider-dependent |
| Status in Ilum | Supported |
| Bundled chart | None |
| Bundled image | None |
| Default in helm_aio | Not active by default; requires setting both rustfs.enabled and minio.enabled to false (the chart enables MinIO by default) |
| Distributed mode | Provider-dependent |
| Console UX | Provider-hosted; not embedded in the Ilum UI |
| OIDC integration | Provider-dependent |
When to use an external S3 backend
- Production deployments where object storage operations should be delegated to a managed service.
- Multi-cluster setups where multiple Ilum releases share a single backing bucket layout.
- Air-gapped or compliance-bound environments that already operate a central S3-compatible service.
- Cost or scale profiles that exceed what the bundled providers offer in their current default configurations.
Configure Ilum against an external S3 backend
Disable both bundled providers and supply the endpoint plus credentials through the chart's existing values:
helm upgrade ilum ilum/helm_aio \
  --set rustfs.enabled=false \
  --set minio.enabled=false \
  --set objectStorage.endpoint=https://s3.us-east-1.amazonaws.com \
  --set objectStorage.credentials.accessKey=<aws-access-key-id> \
  --set objectStorage.credentials.secretKey=<aws-secret-access-key>
The shared ilum-objectstorage-credentials Secret carries the
credentials; every bundled consumer reads from it via the env keys
documented in Rotate Object Storage Credentials.
When both rustfs.enabled and minio.enabled are false, the chart
does not render the ilum-objectstorage Service alias. Consumers
resolve the configured endpoint hostname directly.
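The `helm upgrade` command above passes both keys through `--set`, which places them in shell history, the process argument list and the stored release values. The following added example (not from the Ilum documentation) builds the shared Secret from files instead and points the chart at it through `objectStorage.credentials.existingSecret`; the `ilum` namespace and the file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example: render the ilum-objectstorage-credentials Secret from files,
# so the keys never appear in argv, shell history or `helm get values` output.

# render_credentials_secret NAMESPACE ACCESS_KEY_FILE SECRET_KEY_FILE
# Prints a Secret manifest carrying the access-key / secret-key entries
# named on this page.
render_credentials_secret() {
  ns=$1
  # $(cat ...) drops trailing newlines; a stray newline stored in a key is a
  # common cause of SignatureDoesNotMatch errors.
  ak=$(cat "$2") || return 1
  sk=$(cat "$3") || return 1
  [ -n "$ak" ] && [ -n "$sk" ] || { echo "empty credential file" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ilum-objectstorage-credentials
  namespace: $ns
type: Opaque
data:
  access-key: $(printf '%s' "$ak" | base64 | tr -d '\n')
  secret-key: $(printf '%s' "$sk" | base64 | tr -d '\n')
EOF
}

# Usage (not run here; namespace "ilum" and the file paths are assumptions):
#   umask 077
#   render_credentials_secret ilum ./access-key ./secret-key | kubectl apply -f -
#   helm upgrade ilum ilum/helm_aio \
#     --set rustfs.enabled=false --set minio.enabled=false \
#     --set objectStorage.endpoint=https://s3.us-east-1.amazonaws.com \
#     --set objectStorage.credentials.existingSecret=ilum-objectstorage-credentials
```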
Region-specific examples
AWS S3
objectStorage:
  endpoint: https://s3.us-east-1.amazonaws.com
  region: us-east-1
  pathStyle: false
  credentials:
    existingSecret: ilum-objectstorage-credentials
Wasabi (EU)
objectStorage:
  endpoint: https://s3.eu-central-1.wasabisys.com
  region: eu-central-1
  pathStyle: true
  credentials:
    existingSecret: ilum-objectstorage-credentials
Backblaze B2
objectStorage:
  endpoint: https://s3.us-west-002.backblazeb2.com
  region: us-west-002
  pathStyle: false
  credentials:
    existingSecret: ilum-objectstorage-credentials
Google Cloud Storage (S3 interop)
objectStorage:
  endpoint: https://storage.googleapis.com
  region: auto
  pathStyle: false
  credentials:
    existingSecret: ilum-objectstorage-credentials
The S3 interop credentials are HMAC keys. Provision them with gcloud
against a service account that has the Storage HMAC Key Admin role:
# Grant the role on the project (skip if the SA already has it).
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/storage.hmacKeyAdmin"
# Create the HMAC key. Capture access_id and secret from the output.
gcloud storage hmac create "$SA_EMAIL"
Both the accessId and the secret from the output map onto the
access-key and secret-key entries in ilum-objectstorage-credentials.
The S3-compatible endpoint for GCS is https://storage.googleapis.com
regardless of bucket location.
Bucket bootstrap
The bundled init Jobs (init-rustfs-buckets, init-minio-policies)
do not run against an external backend. The operator must create the
default buckets manually before installing Ilum:
- ilum-files
- ilum-data
- ilum-tables
- ilum-mlflow
- ilum-kestra
- ilum-ducklake
- ilum-langfuse
The bucket list is configurable via objectStorage.defaultBuckets.
Bundled consumers expect bucket names from that list.
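One way to perform the manual bootstrap idempotently, as an added example that is not part of the Ilum documentation. It assumes the aws CLI with `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` set in the environment, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: create the default buckets on an external S3 backend,
# skipping the ones that already exist.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the case pattern

# Bucket names from this page; keep in sync with objectStorage.defaultBuckets.
DEFAULT_BUCKETS="ilum-files ilum-data ilum-tables ilum-mlflow ilum-kestra ilum-ducklake ilum-langfuse"

# 3-63 characters, lowercase letters, digits and hyphens, no leading or
# trailing hyphen. Dots are legal in S3 but rejected here because they break
# TLS hostname matching with virtual-hosted addressing (pathStyle: false).
valid_bucket_name() {
  case "$1" in
    *[!a-z0-9-]*|-*|*-|"") return 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ]
}

# bootstrap_buckets ENDPOINT REGION [BUCKET...]
# Returns non-zero if any name is invalid or a bucket could not be created
# (for example because the name is already owned by another account).
bootstrap_buckets() {
  endpoint=$1; region=$2; shift 2
  [ "$#" -gt 0 ] || set -- $DEFAULT_BUCKETS
  failed=0
  for b in "$@"; do
    if ! valid_bucket_name "$b"; then
      echo "invalid bucket name: $b" >&2; failed=1; continue
    fi
    if aws s3api head-bucket --bucket "$b" \
         --endpoint-url "$endpoint" --region "$region" >/dev/null 2>&1; then
      echo "exists:  $b"
    elif aws s3 mb "s3://$b" \
         --endpoint-url "$endpoint" --region "$region" >/dev/null; then
      echo "created: $b"
    else
      echo "FAILED:  $b" >&2; failed=1
    fi
  done
  return "$failed"
}

# Usage (not run here):
#   bootstrap_buckets https://s3.eu-central-1.wasabisys.com eu-central-1
```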
Known limitations
- No embedded console. The Object Storage view in the Ilum UI does not render for external backends. Operators access the provider's own console through the provider's domain.
- No bucket lifecycle automation. The bundled migration Job (migration.minioToRustfs) runs against the in-cluster providers only. Migrations involving an external backend should be performed manually with mc or the provider's own tooling. See Migrate Between Providers for the procedure.
- OIDC and IAM-mode credentials. The chart sources S3 credentials from the shared Secret. AWS IAM-role-based authentication (IRSA, instance profiles) requires a sub-chart override that bypasses the Secret-based credential flow.
Reference
- AWS S3 endpoint reference: docs.aws.amazon.com/general/latest/gr/s3.html
- Wasabi service URL endpoints: docs.wasabi.com/docs/service-url-endpoints
- Backblaze B2 S3 endpoint reference: www.backblaze.com/b2/docs/s3_compatible_api.html
- Google Cloud Storage interoperability: cloud.google.com/storage/docs/interoperability
- Credentials: Rotate Object Storage Credentials
- Helm values: Object Storage Helm Values