Note sull'aggiornamento
Note sull'aggiornamento
PROSSIMA VERSIONE
MODELLO DI NOTA
1. Cambiamento
Caratteristica:
Descrizione della funzionalità
Valori eliminati - nome del grafico
| Nome | Ragione |
|---|---|
helm.value | Motivo dell'eliminazione del valore Helm |
Valori aggiunti - nome del grafico
Descrizione della sezione Valori
| Nome | Descrizione | Valore |
|---|---|---|
helm.value | Descrizione del valore dell'elmo | Valore predefinito |
Nomi cambiati - nome del grafico
| Vecchio nome | Nuovo nome |
|---|---|
vecchio nome | Nuovo nome |
⚠️⚠️⚠️ Warnings
Valori modificati - nome del grafico
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
helm.value | Valore precedente | Nuovo valore |
RELEASE 6.7.3
1. UI internationalization (i18n) + RTL
Caratteristica:
The web UI can now switch language and text direction at runtime from Settings (persisted to localStorage). The set of available languages is config-driven: add or remove a language with no frontend rebuild. Ships English + Persian (RTL) + Arabic (RTL) + Portuguese + Spanish + Chinese
- Hindi; direction follows the language.
Values added - helm_ui (mirrored under ilum-ui.runtimeVars in helm_aio)
UI language configuration (rendered into the ilum-ui ConfigMap)
| Nome | Descrizione | Valore |
|---|---|---|
runtimeVars.defaultLanguage | Default UI language code (ILUM_DEFAULT_LANGUAGE) | en |
runtimeVars.availableLanguages | Languages in the selector + i18next supportedLngs (ILUM_AVAILABLE_LANGUAGES); array of {code,label,dir,font?} | [en, fa(rtl), ar(rtl), pt, es, zh, hi] |
i18n.extraLocaleConfigMaps | Optional ConfigMaps mounted over /usr/share/nginx/html/locales/ to add or override catalogs at runtime (no rebuild) | [] |
Per-language font (the font field of each availableLanguages entry): Persian
(fa) uses IRANSans, Arabic (ar) uses Vazirmatn. Both are self-hosted and the
binaries are NOT shipped in the image; fa uses the free IRANSansWeb build. To render
Persian in IRANSans, place the IRANSansWeb woff2 files in a custom UI image (public/fonts/)
or mount them; otherwise the UI falls back to the system Persian font. Vazirmatn is SIL-OFL —
confirm IRANSansWeb's terms fit your deployment, or set fa's font A "Vazirmatn".
⚠️⚠️⚠️ Warnings
None. New keys are additive with safe defaults; existing installs default to
English with no behavior change. To add a brand-new language at runtime,
append an availableLanguages entry AND mount its catalog JSON via
i18n.extraLocaleConfigMaps (or bake it into a custom UI image under
public/locales//).
2. RustFS object-storage provider (opt-in)
Caratteristica:
RustFS (Apache-2.0) is now bundled as an opt-in S3-compatible object
storage provider alongside MinIO, which remains the default in the 6.7.x
line. RustFS is planned to become the default in 6.8.0. Switching is a
single Helm flag (rustfs.enabled=true, minio.enabled=false). A
pre-upgrade hook refuses Aggiornamento dell'elmo when an existing MinIO PVC would
be orphaned without explicit acknowledgement.
For step-by-step instructions, refer to Migrate Between Object Storage Providers. For the broader storage decision and provider reference pages, refer to the Object Storage section.
3. Object-storage credentials consolidation
Caratteristica:
All object-storage consumers now read S3 credentials from a single shared
Secret, ilum-objectstorage-credentials, instead of per-consumer literal
values in valori.yaml. The Secret holds six aliased keys: access-key,
secret-key, root-user, root-password, RUSTFS_ACCESS_KEY,
RUSTFS_SECRET_KEY. Consumers wired to this Secret include ilum-core,
ilum-jupyter, ilum-history-server, ilum-hive-metastore, airflow,
kestra, Trino, langfuse, loki, minioe rustfs.
Default credentials for net-new installs are Admin/Admin. On upgrade,
the credentials-secret template's lookup preserves the live Secret
values, so existing deployments keep their current credentials.
Per-consumer accessKey/secretKey literals in Helm values are now
ignored when an existingSecret reference is set, which is the default in
helm_aio.
The chart resolves the S3 Service + credentials Secret via templates/_storage.tpl helpers. Defaults to MinIO (ilum-minio, keys root-user/root-password); a live lookup for Service ilum-objectstorage switches it to the rustfs alias (ilum-objectstorage-credentials, keys access-key/secret-key) automatically. objectStorage.useAlias: true forces the alias path for CI helm template (no cluster lookup). Rotation is performed by editing the shared Secret and restarting the affected Pods. For the full procedure, refer to Rotate Object Storage Credentials.
4. OpenMetadata + OpenLineage integration
Caratteristica:
Ilum now ships an optional OpenMetadata data-catalog and governance layer, fed by OpenLineage events from Airflow and Spark. The whole stack is disabled by default and is safe on upgrade: an existing deployment that does not set the new flags brings up zero OpenMetadata resources and behaves exactly as before.
The integration is gated by five flags, all defaulting to falso: openmetadata.enabled, openmetadata-dependencies.enabled, openmetadataBootstrap.enabled, fixHmsDeltaColumns.enablede ilum-core.job.openLineage.openmetadata.enabled. Enabling the first four plus the OpenLineage transport leg brings up the OpenMetadata server (a small Ilum fork of the 1.12.5 image), its OpenSearch + PostgreSQL dependencies, the bootstrap Job, and the OL→OM backfill CronJob. Spark and Airflow lineage then flows into OpenMetadata via a composite OpenLineage transport that fans out to both Marquez and OpenMetadata.
Iceberg-via-Nessie catalog ingestion ships in preview status. For configuration, the governance model, and operational details, refer to OpenMetadata.
5. OM bootstrap Job + bot tokens
- Bootstrap is a regular Job (
), not a hook —-om-bootstrap- helm installreturns immediately. Watch:kubectl logs -f job/; final line is-om-bootstrap- BOOTSTRAP_SUMMARY: {...}. Completed Jobs GC after 24h. - Bot tokens default-on (
openmetadataBootstrap.botTokens.enabled: true): OM clients use theingestion-bot/lineage-botJWTs in theilum-om-bot-tokensSecret; consumers fall back to admin login while the Secret holds placeholders. - ilum-core blocks startup on the bot token (
job.openLineage.openmetadata.auth.waitForBotToken: true) via await-for-om-bot-tokeninitContainer, so OpenLineage never falls back to the 1h-expiring admin login (which 401s long-lived Kyuubi engines). SetwaitForBotToken: falsefor an external OM with no bootstrap-published token. - Bot-token attribution is self-healing but lags: pods that boot before the JWTs
are published attribute OM writes to the
ilumadmin until their next restart. To switch immediately, roll Airflow + ilum-core once after BOOTSTRAP_SUMMARY. Cosmetic only (audit attribution) — both paths have identical permissions. ilum-om-bot-tokenscarrieshelm.sh/resource-policy: keepand holds never-expiring JWTs. On a shared cluster, after teardown delete it explicitly (kubectl delete secret ilum-om-bot-tokens -n) or rotate the bots in OM.
6. OpenMetadata bootstrap behaviour
The bootstrap Job registers Hive/Superset/MinIO/Delta services and runs polish ops:
sets openMetadataBaseUrlConfiguration, triggers SearchIndexing + DataInsights,
seeds Table custom properties (sourceSystem, slaHours), bumps certification
duration to P365D, and seeds two demo users. All ops are idempotent + non-fatal,
and re-runs preserve operator overrides (GET-before-PUT on the base URL, service
connections carrying ssl/kerberos/sasl/jaas/auth keys, and existing custom
properties). The Hive service routes through Kyuubi (ilum-sql-thrift-binary:10009)
— no separate Kyuubi service is registered.
| Nome | Descrizione | Valore |
|---|---|---|
openmetadataBootstrap.publicBaseUrl | OM base URL for alert mails / deep-links. Override in production. | http://localhost:9777/external/openmetadata |
openmetadataBootstrap.demoUsersEnabled | Seed analyst/steward demo users. Set falso in production. | vero |
openmetadataBootstrap.certificationDurationISO8601 | Default certification validity. | "P365D" |
openmetadataBootstrap.omUser | OM admin user (Secret ). | [email protected] |
openmetadataBootstrap.omPassword | OM admin password. Change for production. | Admin |
openmetadataBootstrap.botTokens.enabled | Publish bot JWTs to ilum-om-bot-tokens. | vero |
The OM admin password lives only in the Secret
(consumed by the bootstrap Job, Airflow, and ilum-core via secretKeyRef); rotate
by editing openmetadataBootstrap.omPassword. Two more Secrets render with the
release: ilum-superset-admin e ilum-hms-db-creds (account for them if you
mirror manifests externally).
7. OM ingestion CronJobs are OM-owned
OM creates 7 om-cronjob-* ingestion CronJobs server-side (label
managed-by=openmetadata, no ownerReferences). Edit schedules/pipelines through a
re-bootstrap PATCH, not the CronJob directly (reverted on next bootstrap). The
helm uninstall pre-delete hook reaps them. Scheduled Hive ingestion runs with
overrideMetadata: false so it preserves DAG-set Tier/Certification governance.
8. Delta + lineage helpers (opt-in flags, default on)
| Nome | Descrizione | Valore |
|---|---|---|
openmetadataBootstrap.deltaEnricher.enabled | CronJob PATCHing Delta facets onto OM tables (Rust deltalake, ~80MB). | vero |
openmetadataBootstrap.deltaEnricher.schedule | Delta property refresh cron. | 0 */6 * * * |
openmetadataBootstrap.olBackfill.enabled | CronJob replaying Marquez OL events to OM (idempotent gap-fill). | vero |
openmetadataBootstrap.olBackfill.schedule | OL replay scan cron. | 0 2 * * * |
fixHmsDeltaColumns.enabled | Post-install/upgrade Job repairing Delta col array HMS schemas. | falso |
OM's native DeltaLake-S3 connector stays paused (>4Gi peak); the enricher CronJob fills Delta facets instead.
9. OpenLineage namespace
Airflow OL events use airflow.config.openlineage.namespace (default ilum-airflow,
single source of truth). Bootstrap's namespaceToServiceMapping attaches
s3://ilum-data, spark://ilum-sql-thrift-binary:10009e ilum-airflow to the
right OM services. Override the namespace only to match events already in Marquez/OM.
10. Production overrides checklist
| Key | Default | For production |
|---|---|---|
openmetadataBootstrap.publicBaseUrl | http://localhost:9777/external/openmetadata | actual ingress URL |
openmetadataBootstrap.demoUsersEnabled | vero | falso (use LDAP/OIDC) |
openmetadataBootstrap.omPassword | Admin | a real password |
gitea.gitea.config.server.ROOT_URL | http://localhost:9777/external/gitea/ | public host (path must match STATIC_URL_PREFIX) |
The chart installs into any namespace (bare service DNS names, no
.svc.cluster.local). If you carry extraValues overrides with FQDN metastore
addresses, drop .ilum.svc.cluster.local or Spark lineage silently fails to map.
11. Iceberg via Project Nessie (opt-in, OFF by default)
A stock install runs Hive-only with no Nessie pod. Enable Iceberg cataloging (starts a Nessie pod + Postgres DB) with BOTH flags — the gate ANDs them:
helm upgrade ilum ./helm_aio \
--mettere nessie.enabled=vero \
--mettere openmetadataBootstrap.services.iceberg.enabled=vero
| Nome | Descrizione | Valore |
|---|---|---|
openmetadataBootstrap.services.iceberg.enabled | Register OM Iceberg service (needs nessie.enabled). | falso |
openmetadataBootstrap.services.iceberg.restUri | Nessie Iceberg-REST URI (no ref in path). | http://ilum-nessie:19120/iceberg |
openmetadataBootstrap.services.iceberg.warehouse / .catalogName | Symbolic warehouse name. | nessie_catalog |
openmetadataBootstrap.services.iceberg.{endpoint,accessKey,secretKey,region} | S3-reader overrides (empty = objectStorage Secret). | "" / Stati Uniti-Est-1 |
nessie.catalog.enabled | Nessie Iceberg-REST endpoint. | vero |
Gotchas:
- Do NOT disable Hive to go "Iceberg-first": the bundled example tables are
Delta/Parquet via HMS, and bootstrap gates SUCCESS on Hive producing ≥10 tables
(
openmetadataBootstrap.examplesIngest.expectedMinTables). Iceberg-only also needsopenmetadataBootstrap.examplesIngest.enabled=false. - The OM ingestion reader reads Iceberg
metadata.json/manifests directly from S3, so it MUST hold creds that reads3://ilum-data/nessie_catalog/. A credential mismatch registers fine but ingests 0 tables. - On rustfs/non-default backends, override
nessie.catalog.storage.s3.defaultOptions.accessKeySecret(static YAML, defaults to the minio Secret) so Nessie and the OM reader resolve the SAME identity. - To catalog a ref other than
principale, pin it via a Nessie warehouse, not the URI path (putting the ref in the path → HTTP 404). OM ingests one ref; no history.
12. Hive 4 support (opt-in)
Set ilum-hive-metastore.majorVersion: 4 per apache/hive:standalone-metastore-4.x
images (default 3). A v3 Postgres DB cannot be reused for v4 (incompatible
schemas). Running v3 + v4 side-by-side: give v4 its own database
(--set ilum-hive-metastore.postgresql.database=metastore_v4) and add it to
postgresExtensions.databasesToCreate. Spark against a v4 metastore needs Hive 4
client jars — use ilum/spark:4.0.2-delta-hive4 as the cluster image.
13. Airflow pools
airflowExtensions.pools pre-creates the listed Airflow pools (name + slots) via an
init container on the Airflow api-server/scheduler. Default is empty ([]); add your
own DAGs' pools here.
14. Cross-stack observability + cost attribution
Caratteristica
A new cross-stack observability stack (off by default) bundles an OpenTelemetry
Collector (helm_otel_collector sub-chart), a Tempo trace backend
(ilum-tempo, S3-backed), and Loki/Promtail log correlation, adding a Pipeline
Trace tab spanning Airflow → ilum-service → Spark. A separate daily
cost-attribution rollup (off by default) writes cost landing files from an
in-driver Spark plugin and folds them in-core into per-job and per-table Cost
tabs. Hostnames are release-name portable via _helpers.tpl, so the stack works
under any release name. The settings entity (sampling ratio, listener policy,
rate card) is seeded from helm_core's observabilityDefaults on first boot
only — UI/dev-API edits win afterward. The previously-unprotected
/api/dev/reactive/lineage/* e /cost/* endpoints now require permissions.
Values added - helm_aio
| Nome | Descrizione | Valore |
|---|---|---|
global.observability.otel.enabled | Enable the OTel collector + Tempo trace backend + log correlation | falso |
global.observability.monitoring.enabled | Render the ServiceMonitor + PrometheusRule alert set for Tempo/collector | falso |
global.costAggregator.enabled | Enable the daily cost-attribution rollup | falso |
global.costAggregator.retentionDays | Clamp the cost reader window to this many days | 90 |
global.observability.otel.tempoAuth.mode | Tempo query auth (none | bearer | basic) | none |
global.logAggregation.loki.auth.mode | Loki query auth (none | bearer | basic) | none |
global.observability.otel.tenant.id | Tenant filter for a shared Tempo (empty = single-tenant) | "" |
Values changed - ilum-tempo
| Nome | Vecchio valore | New value |
|---|---|---|
ilum-tempo.tempo.resources.limits.memory | 2Gi | 4Gi |
⚠️ Warnings
The observability stack hostnames are now derived at render time by helpers in
helm_aio/templates/_helpers.tpl (ilum-aio.tempoHost,
ilum-aio.lokiReadHost, ilum-aio.otelCollectorHost,
ilum-aio.lokiQueryUrl). An overlay carrying an explicit hostname override
copied from a previous release still takes precedence but couples the install to
the ilum release name — drop it to let the helpers pick the correct hostname.
RELEASE 6.7.2
1. Default Java options for ilum-core
Caratteristica:
Added default JVM options to ilum-core for optimized memory and performance. The javaOpts value is now appended to security-related Java options (trustStore/keyStore) instead of replacing them, allowing both to coexist.
Values changed - helm_core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
javaOpts | "" | "-XX:-UsePerfData -XX:+UseStringDeduplication -Xms256m -XX:MaxMetaspaceSize=256m -XX:MaxDirectMemorySize=256m -XX:CICompilerCount=2 -XX:G1ConcRefinementThreads=2 -XX:ReservedCodeCacheSize=128m" |
2. Unity Catalog init container for ilum-core
Caratteristica:
Added a wait-for-unity-catalog init container to the ilum-core deployment, matching the existing pattern for Hive and Nessie. When metastore.type è impostato su unity, the init container waits for the Unity Catalog server to become reachable before starting ilum-core, preventing startup failures due to race conditions.
Values added - helm_aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-core.metastore.unity.statusProbe.enabled | Enable init container to wait for Unity Catalog | vero |
3. PostgreSQL support for ilum-core
Caratteristica:
Added PostgreSQL as an alternative persistence backend to MongoDB. The backend is selected via storage.type (mongo o postgres). When set to postgres, Mongock migrations and the MongoDB status probe are skipped, and PostgreSQL connection details are injected instead. The MongoDB URI (mongo.uri) is always present in the configmap regardless of storage.type, so that the built-in MongoToPostgresMigration tool can read from MongoDB during migration. Flyway migrations run automatically on startup — no manual schema setup is needed. Existing deployments using MongoDB are unaffected; the default remains mongo.
Values added - helm_core
Storage type selection and migration
| Nome | Descrizione | Valore |
|---|---|---|
storage.type | Persistence backend: mongo o postgres | mongo |
storage.migration.mongoToPostgres | Enable one-time data migration from MongoDB to PostgreSQL. Set to vero together with storage.type=postgres and a valid mongo.uri to migrate all data on startup. Disable after migration completes. | falso |
PostgreSQL connection settings
| Nome | Descrizione | Valore |
|---|---|---|
postgres.host | PostgreSQL hostname | ilum-postgresql |
postgres.port | PostgreSQL port | 5432 |
postgres.database | Database name | ilum |
postgres.username | Database username | ilum |
postgres.password | Database password | CAMBIAMIPER favore |
postgres.createSecret | Create a K8s Secret with postgres credentials | vero |
postgres.existingSecret | Use an existing K8s Secret (must have keys: POSTGRES_USERNAME, POSTGRES_PASSWORD) | "" |
postgres.statusProbe.enabled | Enable init container that waits for PostgreSQL readiness | vero |
postgres.statusProbe.image | Image used for the PostgreSQL readiness probe | busybox:1.36 |
⚠️⚠️⚠️ Warnings
Migrating from MongoDB to PostgreSQL:
- Set
storage.type=postgresand configurepostgres.*connection values - Ensure
mongo.uristill points to the existing MongoDB instance - Set
storage.migration.mongoToPostgres=true - Run
Aggiornamento dell'elmo— the backend will migrate all data from MongoDB to PostgreSQL on startup - After successful migration, set
storage.migration.mongoToPostgres=falseand runAggiornamento dell'elmoagain
4. Slimmed down ilum-core bundled configuration
Caratteristica:
The bundled application.yml in ilum-core has been significantly slimmed down.
Hardcoded defaults that are now managed by the application itself
(Spring multipart config, Kafka admin settings, codec size, task scheduling pool, leader election tuning, third-party logging levels, license validation details)
have been removed from the Helm-generated config.
This reduces the surface area of the ConfigMap and avoids conflicts with application-managed defaults.
⚠️⚠️⚠️ Warnings
If you relied on any of the removed hardcoded values (e.g., custom spring.servlet.multipart limits, spring.kafka.admin.fail-fast, logging levels for org.apache.kafka o org.mongodb.driver),
you must now set them via the new customConfig o overrideConfig mechanisms described below.
5. Config override and custom config for ilum-core
Caratteristica:
Added two new mechanisms for advanced configuration of ilum-core:
overrideConfig: Replaces the bundledapplication.ymlentirely with a user-managed ConfigMap (mounted at/etc/ilum/override).customConfig: Mounts an additional ConfigMap at/etc/ilum/customfor partial overrides that layer on top of the bundled config.
Values added - helm_core
Full config override
| Nome | Descrizione | Valore |
|---|---|---|
overrideConfig.enabled | Enable full config override (replaces bundled application.yml entirely) | falso |
overrideConfig.configMapName | Name of a user-managed ConfigMap containing a complete application.yml replacement | "" |
Custom config escape hatch
| Nome | Descrizione | Valore |
|---|---|---|
customConfig.enabled | Enable custom config escape hatch (mounts an additional ConfigMap at /etc/ilum/custom) | falso |
customConfig.configMapName | Name of a user-managed ConfigMap containing application.yml overrides | "" |
⚠️⚠️⚠️ Warnings
The config mount path has changed from /config A /etc/ilum/config. If you have scripts or tooling that references the old path, update them accordingly.
6. Default communication mode changed to gRPC
Caratteristica:
The default communication mode in ilum-core has changed from Kafka A grpc.
Values changed - helm_core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
comunicazione.tipo | Kafka | grpc |
⚠️⚠️⚠️ Warnings
If your deployment depends on Kafka-based communication between ilum components, explicitly set communication.type: kafka in your values.
7. New configurable parameters in ilum-core
Caratteristica:
Spring actuator endpoint exposure and job instance result timeout are now configurable via values instead of being hardcoded.
Values added - helm_core
| Nome | Descrizione | Valore |
|---|---|---|
management.endpoints.web.exposure.include | Spring actuator endpoints to expose | "info,configprops,env,metrics,mappings,beans,prometheus,health" |
job.instance.result.timeout.ms | Job instance result timeout in milliseconds | 120000 |
8. Schema and nullability fixes
Caratteristica:
Fixed sql.url A sql.host in the ilum-core configmap to match the actual values key.
Names changed - helm_core (configmap only)
| Vecchio nome | Nuovo nome |
|---|---|
sql.url | sql.host |
9. rustfs added as an opt-in object storage provider
Caratteristica
rustfs (Apache-2.0) is now bundled in helm_aio as an opt-in S3-compatible object storage provider (rustfs.enabled=false by default). minio remains the default provider (minio.enabled=true); rustfs is planned to become the default in 6.8.0. A stable Service alias ilum-objectstorage routes to whichever provider is enabled; all downstream consumers (Trino, Nessie, Jupyter, MLflow, Airflow, Kestra, Langfuse, the helm_core readiness probe) target this alias instead of provider-specific names.
⚠️⚠️⚠️ Warnings
- rustfs is currently published as
1.0.0-alpha.99; distributed mode is marked "under testing" upstream. helm_aio defaults rustfs to standalone mode with a single 50Gi PVC. - A pre-upgrade hook detects orphan minio PVCs and refuses the upgrade unless the operator has chosen one of the paths below.
Choose one path on upgrade
Path A: keep using minio (zero-touch)
helm upgrade ilum ./helm_aio --mettere minio.enabled=vero --mettere rustfs.enabled=falso
Existing data is untouched; consumers continue talking to ilum-objectstorage which now selects minio pods.
Path B: migrate from minio to rustfs
Single credential source. Every consumer (ilum-core, jupyter, airflow, trino, kestra, langfuse, loki, hive-metastore, minio, rustfs) now reads S3 credentials from the shared
ilum-objectstorage-credentialsSecret. Net-new installs default toamministratore/amministratore; rotate with:kubectl edit secret ilum-objectstorage-credentials
kubectl rollout restart deploy,statefulset -l 'app.kubernetes.io/part-of=ilum'When upgrading from a MinIO-only deployment with non-default credentials, seed the new Secret with the live minio root creds before running the upgrade so consumers don't lose access:
EXISTING_USER=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-user}' | base64 -d)
EXISTING_PASS=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-password}' | base64 -d)
kubectl create secret generic ilum-objectstorage-credentials \
--from-literal=access-key=$EXISTING_USER \
--from-literal=secret-key=$EXISTING_PASS \
--from-literal=root-user=$EXISTING_USER \
--from-literal=root-password=$EXISTING_PASS \
--from-literal=RUSTFS_ACCESS_KEY=$EXISTING_USER \
--from-literal=RUSTFS_SECRET_KEY=$EXISTING_PASS
# the credentials-secret template's preserveExisting lookup will keep these
# values intact across helm upgrades.
# 1. Run both providers side by side. Acknowledge the cutover so the
# pre-upgrade hook accepts the upgrade.
helm upgrade ilum ./helm_aio \
--mettere minio.enabled=vero \
--mettere rustfs.enabled=vero \
--mettere rustfs.migrationAcknowledged=vero
# 2. Dry-run the migration Job to preview what would be copied.
helm upgrade ilum ./helm_aio \
--mettere minio.enabled=vero \
--mettere rustfs.enabled=vero \
--mettere rustfs.migrationAcknowledged=vero \
--mettere migration.minioToRustfs.enabled=vero \
--mettere migration.minioToRustfs.dryRun=vero
kubectl logs job/ilum-minio-to-rustfs-migration-<rev>
# 3. Run the real migration.
helm upgrade ilum ./helm_aio \
--mettere minio.enabled=vero \
--mettere rustfs.enabled=vero \
--mettere rustfs.migrationAcknowledged=vero \
--mettere migration.minioToRustfs.enabled=vero
kubectl -n ilum wait job -l app.kubernetes.io/component=migration --for=condition=complete --timeout=600s
# 4. Verify (e.g. mc diff against both providers), then disable minio.
helm upgrade ilum ./helm_aio --mettere rustfs.migrationAcknowledged=vero
For per-bucket manual procedures (no Job), see the documentation site: documentation/docs/operations/migrate-minio-to-rustfs.md.
Path C: net-new install
Nothing to do. minio is the default; the alias Service is created automatically. To start on rustfs instead, set rustfs.enabled=true e minio.enabled=false.
Values added - helm_aio
| Nome | Descrizione | Valore |
|---|---|---|
global.s3.host | Stable Service name targeted by S3 consumers | ilum-objectstorage |
global.s3.port | S3 API port | 9000 |
global.s3.consolePort | Web console port | 9001 |
global.s3.region | Default S3 region | Stati Uniti-Est-1 |
global.s3.pathStyle | Path-style addressing flag for S3 clients | vero |
global.s3.ssl | SSL flag for S3 clients | falso |
rustfs.enabled | Enable bundled rustfs chart | vero |
rustfs.mode | rustfs deployment mode | standalone |
rustfs.persistence.size | rustfs PVC size | 50Gi |
rustfs.migrationAcknowledged | Operator acknowledgement that disabling minio is intentional (read by the pre-upgrade hook) | falso |
rustfsExtensions.enabled | Enable bucket/policy bootstrap on rustfs | vero |
objectStorage.service.enabled | Render the ilum-objectstorage Service alias | vero |
objectStorage.credentials.create | Create the shared credentials Secret | vero |
objectStorage.credentials.name | Name of the shared credentials Secret | ilum-objectstorage-credentials |
objectStorage.credentials.accessKey | Default access key (only used to bootstrap the Secret; rotated values survive upgrades via lookup) | Admin |
objectStorage.credentials.secretKey | Default secret key | Admin |
rustfs.secret.rustfs.access_key | Root access key the rustfs Pod is launched with (must match objectStorage.credentials.accessKey) | Admin |
rustfs.secret.rustfs.secret_key | Root secret key the rustfs Pod is launched with | Admin |
objectStorage.defaultBuckets | Default buckets created by the rustfs init Job and migrated by the migration Job | [ilum-files, ilum-data, ...] |
migration.minioToRustfs.enabled | Render the one-shot migration Job | falso |
migration.minioToRustfs.dryRun | Pass --fake to mc mirror (preview only) | falso |
migration.minioToRustfs.deleteAfter | After successful mirror, remove source data with mc mirror --remove | falso |
migration.minioToRustfs.ttlSecondsAfterFinished | Keep Job logs around for inspection | 86400 |
preUpgradeChecks.enabled | Render the pre-upgrade safety hook (disable in CI) | vero |
Values changed - helm_aio
| Nome | Vecchio valore | New value |
|---|---|---|
minio.enabled | vero | falso |
ilum-core.kubernetes.s3.host | ilum-minio | ilum-objectstorage |
ilum-core.metastore.nessie.s3Endpoint | http://ilum-minio:9000/ | http://ilum-objectstorage:9000/ |
ilum-core.minio.statusProbe.baseUrl | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
trino.catalogs.ilum-delta (s3.endpoint=...) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
mlflow.externalS3.host | ilum-minio | ilum-objectstorage |
mlflow.externalS3.existingSecret | ilum-minio | ilum-objectstorage-credentials |
mlflow.externalS3.existingSecretAccessKeyIDKey | root-user | access-key |
mlflow.externalS3.existingSecretKeySecretKey | root-password | secret-key |
kestra.configuration.kestra.storage.minio.endpoint | ilum-minio | ilum-objectstorage |
langfuse.langfuse.s3.endpoint | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
ilum-jupyter.extraEnv (S3_ENDPOINT) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
airflow.extraEnv (MINIO_ENDPOINT, AWS_ENDPOINT_URL, AIRFLOW_CONN_ILUM-MINIO) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
ilum-ui.runtimeVars.minioUrl | http://ilum-minio:9001 | http://ilum-objectstorage:9001 |
Values added - helm_core
| Nome | Descrizione | Valore |
|---|---|---|
objectStorage.statusProbe.enabled | Enable readiness probe init container for object storage | vero |
objectStorage.statusProbe.baseUrl | Base URL probed for readiness | http://ilum-objectstorage:9000 |
objectStorage.statusProbe.image | Probe init-container image | curlimages/curl:8.5.0 |
objectStorage.statusProbe.healthPath | HTTP path probed (root works for both rustfs and minio) | / |
Values changed - helm_core
| Nome | Vecchio valore | New value |
|---|---|---|
minio.statusProbe.baseUrl | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
The legacy minio.statusProbe block is retained as a deprecated alias; templates prefer objectStorage.statusProbe and fall back to it when the new key is unset.
Values added - helm_ui
| Nome | Descrizione | Valore |
|---|---|---|
runtimeVars.objectStorageUrl | Console URL for the object-storage view | http://ilum-objectstorage:9001 |
runtimeVars.objectStoragePath | UI iframe path | /external/object-storage/ |
nginx.config.objectStorage.enabled | Render the /external/object-storage/ proxy block | falso |
nginx.config.http_cookie.objectStorage.enabled | Cookie gate for the new path | vero |
10. Kestra chart 1.0.x upgrade (breaking)
Caratteristica:
Bumped the bundled kestra chart from ^0.22.x A ^1.0.x (Kestra app ~v0.20 → v1.3.x).
The Kestra Helm chart was rewritten in 1.0.0 — top-level deployment fields moved under a new common: block,
the configuration: map was renamed to configurations.application, serviceAccountName was replaced by a structured serviceAccount block,
the dind sidecar gained a mode: rootless|insecure selector,
and the bundled postgres/minio/Kafka/elasticsearch subchart dependencies were dropped (operators bring their own).
The umbrella kestra: block has been restructured accordingly; existing Ilum integrations (PostgreSQL backend, MinIO storage,
Nginx context path, root-mode dind, post-install example flow Job) are preserved.
Names changed - kestra
| Vecchio nome | Nuovo nome |
|---|---|
kestra.configuration | kestra.configurations.application |
kestra.serviceAccountName | kestra.serviceAccount.name (with kestra.serviceAccount.create: false) |
kestra.securityContext | kestra.common.securityContext |
kestra.initContainers | kestra.common.initContainers |
kestra.dind.image.tag | kestra.dind.base.insecure.image.tag (with kestra.dind.mode: insecure) |
kestra.dind.args | kestra.dind.base.insecure.args |
kestra.dind.securityContext | kestra.dind.base.insecure.securityContext |
Values changed - kestra
| Nome | Old Value | Nuovo valore |
|---|---|---|
kestra.exampleFlow.kestraService | kestra-service | kestra |
ilum-ui.runtimeVars.kestraUrl | http://ilum-kestra-service:8080 | http://ilum-kestra:8080 |
Values deleted - kestra
| Nome | Ragione |
|---|---|
kestra.postgresql.enabled | Subchart dependency removed in 1.0.0; operators provide their own PostgreSQL. |
kestra.minio.enabled | Subchart dependency removed in 1.0.0; operators provide their own object storage. |
kestra.startupProbe.path | Replaced by the structured kestra.common.startupProbe (full Kubernetes probe spec). Path stays /external/kestra/health because Micronaut propagates server.contextPath to the management server (8081) too. |
kestra.livenessProbe.path | Replaced by kestra.common.livenessProbe; path stays /external/kestra/health/liveness. |
kestra.readinessProbe.path | Replaced by kestra.common.readinessProbe; path stays /external/kestra/health/readiness. |
Values added - kestra
| Nome | Descrizione | Valore |
|---|---|---|
kestra.deployments.standalone.enabled | Enables the standalone Kestra deployment in the new split-deployment model. | vero |
kestra.deployments.standalone.dind.enabled | Enables the dind sidecar for the standalone deployment. | vero |
kestra.dind.mode | Selects the dind sidecar mode (rootless o insecure); Ilum defaults to insecure to preserve prior root-mode behaviour. | insecure |
kestra.serviceAccount.create | Controls whether the chart creates the ServiceAccount; Ilum sets it to falso and reuses the Spark SA. | falso |
⚠️⚠️⚠️ Warnings
- The Kestra application itself was bumped from the 0.x line to v1.3.x. Verify any custom flow definitions against the Kestra 1.0.0 migration guide — reserved Flow IDs, the
purgeAuditLogs.permissions → resourcesrename, removal of the Singer plugin, dynamic rendering of input defaults, and custom-plugin package structure changes can break existing flows. kestra.dind.mode: insecureruns the dind sidecar privileged with elevated capabilities. On hardened clusters switch tokestra.dind.mode: rootlessand drop thekestra.common.securityContext.runAsUser/runAsGroupoverrides.- The Kestra Service object is now named
(chart fullname) instead of-kestra . The bundled-kestra-service helm_uikestraUrlruntimeVar (consumed by the Nginx proxy viaILUM_KESTRA_URL) and theexampleFlowpost-install Job have been updated to the new name. Any external references toilum-kestra-servicemust be updated manually. - Kestra 1.0+ moved the flow API under a tenant path (
/api/v1/{tenant}/flows). The bundledexampleFlowJob now POSTs to/api/v1/main/flows(the OSS implicit tenant). Operators with customricciolo/SDK calls against the Kestra API must add the tenant segment.
11. Kyuubi server image bumped to 1.11.1-spark-trino
Caratteristica
The default ilum-sql (Kyuubi) server image is bumped to ilum/kyuubi:1.11.1-spark-trino. Existing Aggiornamento dell'elmo users will pick up the new image automatically.
Values changed - helm_kyuubi
| Nome | Old Value | Nuovo valore |
|---|---|---|
immagine.tag | 1.10.2-spark-trino | 1.11.1-spark-trino |
12. JupyterLab Pipeline Exporter ↔ Airflow integration (helm_jupyter)
Caratteristica
The bundled JupyterLab now ships jupyterlab-pipeline-exporter (JPE),
which generates Airflow DAGs from notebooks and can auto-trigger them
against the in-cluster Airflow REST API. The helm_jupyter Deployment
mounts a new jupyter-pipeline-exporter-cm.yaml ConfigMap and renders
the env vars JPE needs to mint bearer tokens (AIRFLOW_JWT_SECRET,
AIRFLOW_API_URL), push DAGs into Gitea (GITEA_USERNAME,
GITEA_PASSWORD), and build clickable deep-links (ILUM_UI_URL).
git.enabled is split into two orthogonal flags so a slim deploy
without the gitea subchart can keep JPE's Gitea creds without forcing
the init-container seed loop to run. The init loop (curl healthz
wait + git init/commit/push) is now gated on
git.initialCommit.enabled; the GITEA_* env vars are gated on
git.existingSecret alone. git.enabled is retained as a deprecated
back-compat alias for git.initialCommit.enabled.
Operator impact (zero by default)
On AIO (airflow.enabled=true, gitea subchart present) the chart
defaults render the full integration automatically on Aggiornamento dell'elmo —
no action required. On a slim deploy without Airflow, set
airflowIntegration.enabled=false to suppress the JWT env block; on a
slim deploy without the gitea subchart, set
git.initialCommit.enabled=false (instead of the old
git.enabled=false) so the init container no longer hangs while still
mounting JPE's Gitea creds via git.existingSecret.
Values added - helm_jupyter
| Nome | Descrizione | Valore |
|---|---|---|
airflowIntegration.enabled | Render the AIRFLOW_JWT_SECRET / AIRFLOW_API_URL block for JPE's DAG auto-trigger | vero |
git.initialCommit.enabled | Run the init-container that seeds the work dir into Gitea | falso |
ilumUiUrl | Browser-facing Ilum UI base URL surfaced as ILUM_UI_URL for JPE deep-links | http://localhost:9777 |
Values changed - helm_jupyter
| Nome | Pre-upgrade | Post-upgrade |
|---|---|---|
git.enabled | gated init loop e GITEA_* env vars | deprecated alias for git.initialCommit.enabled; GITEA_* env vars now gate on git.existingSecret |
13. Preset feature
Caratteristica
New first-class Preset entity. A preset is a named bag of Spark / runtime
properties that can be attached by id to clusters, services (groups),
schedules, and jobs. At job-launch time the preset's properties merge into
the resulting Spark config so users can pin a bundle (Delta / Iceberg / Hudi)
once and reuse it instead of re-typing the same 5+ keys.
CRUD is exposed at POST/GET/PUT/DELETE /api/v1/preset (public) and at
/api/dev/reactive/preset (internal). New PRESET_READ, PRESET_CREATE,
PRESET_EDIT, PRESET_DELETE permissions are added.
Postgres V1 schema gains a preset table and preset_ids text[] columns
on grappolo, Gruppi, schedule. Mongo gains the same field lazily — no
migration required.
Operator-controllable defaults (helm)
helm_core/values.yaml ships a new top-level presets: block. Each entry
(nome, descrizione, proprietà) is auto-seeded at first boot by the
backend's DefaultPresetInitializer. The chart defaults ship a delta and
an iceberg entry; remove or override them to taste, or set presets: []
to disable defaults entirely.
The default cluster's attached presets are also helm-controlled via
kubernetes.defaultCluster.presetNames (defaults to [delta]). Each entry
is resolved to a preset id at boot time via a deterministic v3 UUID derived
from the name (same hash as the initializer uses), so the linkage is
stable across restarts.
Values added — helm_core
| Nome | Descrizione | Valore |
|---|---|---|
presets | Spark/runtime property bundles auto-seeded on first boot | List of delta + iceberg |
kubernetes.defaultCluster.presetNames | Names (declared under presets:) attached to the default cluster on first boot | [delta] |
Values removed — helm_core
| Nome | Ragione |
|---|---|
kubernetes.defaultCluster.config.spark.kubernetes.container.image | Moved into the delta preset entry under top-level presets: |
kubernetes.defaultCluster.config.spark.databricks.delta.catalog.update.enabled | Same |
kubernetes.defaultCluster.config.spark.sql.extensions | Same |
kubernetes.defaultCluster.config.spark.sql.catalog.spark_catalog | Same |
Operator impact
Zero on a default upgrade. The bundled delta preset reproduces exactly
the Delta keys that previously lived inline in the default cluster's
defaultApplicationConfig. Existing user-created clusters keep their own
config unchanged.
If you customised kubernetes.defaultCluster.config with non-Delta
overrides, those entries are preserved as-is — only the four Delta-specific
keys were lifted into the preset.
Operators wanting to add their own preset (e.g. a tuned Nessie bundle)
extend presets: in their values override:
ilum-core:
presets:
- nome: Nessie
descrizione: Iceberg + Nessie wiring
proprietà:
spark.kubernetes.container.image: my-registry/spark:Nessie
spark.sql.extensions: org.projectnessie.spark.extensions.NessieSparkSessionExtensions
# ...
kubernetes:
defaultCluster:
presetNames:
- delta
- Nessie
Renaming a preset detaches any cluster / group / schedule that referenced
the old id (the id is derived from the name). Detach in the UI first, or
use the API to update presetIds to the new id before removing the old
entry.
Merge precedence at job launch (last wins): cluster's effective config
(including its attached presets via ClusterConfigurer) → system providers
(memory, metastore, packages) → entity presets → entity jobConfig. The
symmetric "plain spark args you typed at the entity level win" rule still
applies. Follow-up #202 will extract immagine e Namespace to first-class
cluster fields so presets layer cleanly without the current "plain wins"
caveat on the cluster scope.
14. Airflow secret backend + base image bump
Caratteristica
The bundled Airflow image (ilum/airflow) now ships an
IlumS3SecretsBackend that resolves the conn-id aliases ilum-minio,
ilum-s3e ilum-objectstorage (plus their _-separated and
case variants) to a single canonical AIRFLOW_CONN_ILUM_S3 env var.
Activating the backend (AIRFLOW__SECRETS__BACKEND=ilum_secrets_backend.IlumS3SecretsBackend)
is already wired in helm_aio/values.yaml.
This replaces the broken AIRFLOW_CONN_ILUM-MINIO_CMD /
AIRFLOW_CONN_ILUM-S3_CMD printf-based env-var pattern. Airflow 3
silently dropped _CMD resolution for connection env vars — the suffix
now resolves only for config keys like SQL_ALCHEMY_CONN_CMD — which
caused worker pods to surface RuntimeError: generator didn't yield
from the remote-logging path and InvalidAccessKeyId from user S3Hook
calls.
The same change bumps the base image from apache/airflow:3.1.6 A
apache/airflow:3.2.1 across all four ops/docker/ilum-airflow/
variants (Dockerfile, Dockerfile-plain, Dockerfile-spark,
Dockerfile-spark-4.x), and switches the bake-in install location for
the backend to /opt/ilum_secrets/ with a PYTHONPATH prepend so the
module path no longer depends on the base image's Python minor.
Operator impact (zero by default)
The Helm values flip is opt-in via the chart-default airflow.enabled
flag — operators with airflow.enabled=true pick up the new env
configuration automatically on Aggiornamento dell'elmo. No DAG changes are
required: BaseHook.get_connection("ilum-minio") e
S3Hook(aws_conn_id="ilum-s3") continue to work, but now resolve to a
storage-backend-agnostic connection.
| Key | Pre-upgrade | Post-upgrade |
|---|---|---|
airflow.airflowVersion | 3.1.6 | 3.2.1 |
airflow.images.airflow.tag | 3.1.6 | 3.2.1 |
airflow.extraEnv AIRFLOW_CONN_ILUM-MINIO_CMD | (broken printf pattern) | removed |
airflow.extraEnv AIRFLOW_CONN_ILUM-S3_CMD | (broken printf pattern) | removed |
airflow.extraEnv AIRFLOW__SECRETS__BACKEND | (unset) | ilum_secrets_backend.IlumS3SecretsBackend |
airflow.extraEnv AIRFLOW_CONN_ILUM_S3 | (unset) | JSON literal with $(AWS_*) downward expansion |
DAG-level changes from Airflow 3.1.6 to 3.2.1 are minor; full changelog at https://airflow.apache.org/docs/apache-airflow/3.2.1/release_notes.html.
Failure modes (now caught at chart-render time)
- If an operator overrides
airflow.images.airflow.tagto anilum/airflowtag that does not contain/opt/ilum_secrets/(e.g. an older custom build), the secrets backend resolves toModuleNotFoundError: ilum_secrets_backendat scheduler start. Fix by upgrading the image or unsettingAIRFLOW__SECRETS__BACKEND.
15. Object storage console wiring is now data-driven
Caratteristica
The active object-storage provider, the Object Storage iframe path, and the
/external/object-storage/ nginx redirect target are now derived from a
single source of truth in helm_aio/templates/_helpers.tpl. The
previously hand-rolled three-way conditional in ui-cm.yaml has been
replaced with helper calls; the objectstorage-svc.yaml inline resolution
has been collapsed into the same helper.
A new objectStorage.providers registry maps provider names to their
console paths and routing modes. To enable a third S3-compatible backend
(e.g. SeaweedFS) for benchmarking or migration:
- Add the chart dependency under
helm_aio/Chart.yaml. - Add an entry under
objectStorage.providers.conconsolePatheconsoleMode(same-originonginx-rewrite). - Set
objectStorage.activeProvider:to flip user-facing traffic.
Operator impact (zero by default)
Existing RC2 overlays that only set rustfs.enabled / minio.enabled /
rustfs.migrationAcknowledged continue to work unchanged. The chart reads
the legacy flags as back-compat shims.
The registry intentionally does NOT set a default Abilitato field for
rustfs e minio; the chart-level flags (.Values.rustfs.enabled /
.Values.minio.enabled) remain the single source of truth for those two
providers. This avoids the silent override that would occur if the new
chart-default registry flipped objectStorage.providers.rustfs.enabled=true
on a user who had rustfs.enabled=false in their overlay.
Verified upgrade paths (zero operator action required):
| Pre-upgrade overlay | Post-upgrade resolved provider | Risk |
|---|---|---|
minio.enabled=true, rustfs.enabled=false (default) | minio | none |
minio.enabled=false, rustfs.enabled=true (opt-in) | rustfs | none |
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=false | minio (data-bearing side) | none |
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=true | rustfs (post-cutover) | none |
objectStorage.activeProvider= explicit override | verbatim | only if has no pods, ilum-core readiness fails loudly |
| Pre-RC2 install (no rustfs key, only minio.enabled=true) | minio | none |
Misconfiguration scenarios that fail loudly (not silently):
- 3+ providers enabled with
activeProvider=auto: render-time error names the enabled providers and asks for an explicit choice. - Explicit
activeProvider=wherehas no running pods: Service alias has no endpoints; ilum-core readiness probe fails with a clear log message.
New values to know about
| Key | Default | Meaning |
|---|---|---|
objectStorage.previousProvider | "minio" | Required when two providers are enabled and activeProvider=auto. Names the side that holds the data; the alias targets it until cutover is acknowledged. |
objectStorage.cutoverAcknowledged | falso | Generalizes the previous rustfs.migrationAcknowledged. Flips the alias from previousProvider to the other enabled provider. The legacy flag is still honored as an alias. |
objectStorage.providers. | per-provider | Mirror of .Values. for new providers without their own chart-level flag. |
objectStorage.providers. | /rustfs/console/, /esterno/minio/ | UI iframe path for that provider's console. |
objectStorage.providers. | same-origin (rustfs), nginx-rewrite (minio) | Controls whether nginx redirects /external/object-storage/ to the provider's path (nginx-rewrite, for consoles pinned to a single URL) or keeps the proxy body (same-origin). |
Failure modes (now loud)
- Three or more providers enabled with
activeProvider=auto: the chart fails at render time with a message naming the enabled providers and asking the operator to setactiveProvider=explicitly. - Two providers enabled with
previousProviderempty: chart fails at render time asking the operator to setpreviousProviderto the data-bearing side, or to setactiveProviderexplicitly. activeProviderset to a name with no matching pods: the chart renders but the alias Service has no Endpoints, andilum-core's readiness probe surfaces the misconfiguration in pod logs.
16. Rook-Ceph S3 Storage Backend (BYO)
Caratteristica:
A pre-deployed (BYO) rook-ceph cluster can now be used as the sole S3-compatible storage backend, in place of the default minio (or opt-in rustfs). The rook-ceph operator and CephCluster must be deployed separately; see the Rook-Ceph user guide for end-to-end setup.
Values added - ilum (AIO)
| Nome | Descrizione | Valore |
|---|---|---|
rookCeph.enabled | Enable rook-ceph S3 storage integration (requires pre-deployed rook-ceph) | falso |
rookCeph.s3.host | RGW service hostname (e.g., rook-ceph-rgw-my-store.rook-ceph.svc.cluster.local) | "" |
rookCeph.s3.serviceName | RGW Service name for Endpoints lookup; falls back to first segment of ospite | "" |
rookCeph.s3.namespace | Namespace containing the RGW Service; falls back to second segment of ospite | "" |
rookCeph.s3.port | RGW service port | 80 |
rookCeph.s3.scheme | URL scheme (http (in inglese) o https); set to https for TLS-terminating RGW Services | http (in inglese) |
rookCeph.s3.insecureSkipVerify | Skip TLS certificate verification (opt-in for self-signed Rook-managed RGW) | falso |
rookCeph.s3.region | S3 region | Stati Uniti-Est-1 |
rookCeph.s3.accessKey | S3 access key from CephObjectStoreUser | CAMBIAMIPER favore |
rookCeph.s3.secretKey | S3 secret key from CephObjectStoreUser | CAMBIAMIPER favore |
rookCeph.bucketInit.enabled | Create S3 buckets on the RGW endpoint (reuses objectStorage.defaultBuckets) | vero |
rookCeph.bucketInit.image | aws-cli image for bucket creation | amazon/aws-cli:2.27.31 |
rookCeph.statusProbe.enabled | Enable RGW health check in the bucket init Job | vero |
rookCeph.statusProbe.image | Health check image | curlimages/curl:8.5.0 |
⚠️⚠️⚠️ Warnings
minio.enabled=trueis the chart default in the 6.7.x line (rustfs is opt-in until it becomes the default in 6.8.0). When switching to rook-ceph, the values overlay must set bothminio.enabled=falseerustfs.enabled=false. TherustfsExtensionseminioExtensionsbootstrap Jobs are already gated on their parent providers, so a separate*Extensions.enabled=falseflag is not required. A chart validation now fails the install whenrookCeph.enabledis combined with either bundled provider.- Le
ilum-objectstorageService alias is rendered as a selector-less Service backed by a manual Endpoints object that mirrors the live RGW Pod IPs from therook-cephnamespace (a label-selector alias cannot cross namespaces, and an ExternalName CNAME is black-holed by kube-proxy because it cannot DNAT a packet twice). RGW Pod restarts rotate the Pod IPs and stale the mirrored Endpoints; re-runhelm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yamlafter any RGW Pod restart to refresh the addresses. - The shared
ilum-objectstorage-credentialsSecret is now seeded fromrookCeph.s3.{accessKey,secretKey}in rook-ceph-only mode; an install fails fast when either is left at theCAMBIAMIPER favoreplaceholder. - The bucket init Job no longer swallows aws-cli errors. Network/credential/endpoint misconfigurations now fail the Job loudly instead of completing 1/1 with no buckets created.
To perform the rollout:
# 1. Deploy the rook-ceph operator and CephCluster in the rook-ceph namespace
# (operator chart, CephCluster CR, CephObjectStore, CephObjectStoreUser).
# Wait for the RGW Service and Pods to become Ready in the rook-ceph
# namespace; ilum-objectstorage Endpoints are mirrored from this Service
# at chart install/upgrade time.
# 2. Extract S3 credentials from the CephObjectStoreUser Secret.
ACCESS_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.AccessKey}' | base64 -d)
SECRET_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.SecretKey}' | base64 -d)
# 3. Render the overlay (the doc ships a complete template).
cat > ilum-rook-ceph-values.yaml <<EOF
rustfs:
enabled: false
minio:
enabled: false
rookCeph:
enabled: true
s3:
host: rook-ceph-rgw-.rook-ceph.svc.cluster.local
port: 80
accessKey: $ACCESS_KEY
secretKey: $SECRET_KEY
EOF
# 4. Install or upgrade.
Aggiornamento dell'elmo --install ilum ./helm_aio -f ilum-rook-ceph-values.yaml
# 5. After RGW Pod restarts (Ceph cluster upgrades, rook-ceph operator
# rollouts, node maintenance), refresh the mirrored Endpoints:
helm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yaml
17. Legacy activities audit feature removed (helm_core)
Caratteristica:
The backend dropped the legacy "activities" audit trail; the structured EventLog now backs all audit and user/group operation statistics. The corresponding backend config key was removed, so its Helm value is dead.
Values deleted - helm_core
| Nome | Ragione |
|---|---|
security.activities.timeToLive | Backend security.activities.timeToLive property no longer exists |
RELEASE 6.7.1
1. Cluster-scoped RBAC for the management API
Caratteristica:
The management API (helm_api, which backs the Ilum CLI and the in-UI Module Marketplace) can now be granted a cluster-scoped role so it can install and manage modules that require cluster-scoped resources — CRDs, ClusterRoles/ClusterRoleBindings, admission webhooks, and Prometheus Operator custom resources (for example, kube-prometheus-stack). When rbac.clusterScope is enabled, the chart renders a Ruolo del cluster e ClusterRoleBinding bound to the API service account; with it disabled, the API keeps only its namespace-scoped permissions.
Values added - helm_api
| Nome | Descrizione | Valore |
|---|---|---|
rbac.clusterScope | Render a cluster-scoped Ruolo del cluster/ClusterRoleBinding for the management API | vero |
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-api.rbac.create | Create RBAC resources for the management API | vero |
ilum-api.rbac.clusterScope | Grant the management API cluster-scoped RBAC | vero |
2. Probe and startup hardening
Caratteristica:
Liveness, readiness, and startup probe timings were relaxed across ilum-core, ilum-uie ilum-api (longer initial delays, periods, and failure thresholds, with startup probes enabled) so the stack comes up cleanly in slower or resource-constrained environments. The bundled default cluster also gained a spark.kubernetes.memoryOverheadFactor di 0.5 and a higher default driver memory. No operator action is required.
RELEASE 6.7.0
1. Airflow version update
Caratteristica:
Updated Airflow from version 3.1.1 to 3.1.6.
Values changed - helm_aio
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
airflow.airflowVersion | 3.1.1 | 3.1.6 |
airflow.images.airflow.tag | 3.1.1 | 3.1.6 |
airflow.apiServer.extraInitContainers[0].image | `ilum/airflow:3.1.1 | ilum/airflow:3.1.6 |
2. Added ClickHouse and Langfuse to ilum-aio
Caratteristica:
Added ClickHouse and Langfuse to ilum-aio as new modules. ClickHouse is a fast open-source OLAP database management system. Langfuse is an open source LLM engineering platform.
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
clickhouse.enabled | Flag to enable ClickHouse deployment in ilum-aio | falso |
langfuse.enabled | Flag to enable Langfuse deployment in ilum-aio | falso |
Valori aggiunti - ilum-ui
| Nome | Descrizione | Valore |
|---|---|---|
runtimeVars.langfuseUrl | URL of the Langfuse instance | http://ilum-langfuse-web:3000 |
runtimeVars.langfusePath | Proxy path for Langfuse | /external/langfuse/ |
nginx.config.langfuse.enabled | Enable proxy for Langfuse | falso |
nginx.config.http_cookie.langfuse.enabled | Enables cookie mapping for Langfuse | vero |
3. Configurable Scala version for default cluster
Caratteristica:
Aggiunto scalaVersion configuration option to the default cluster settings. This allows users to specify which Scala version their Spark jobs are run with, supporting both Scala 2.12 for spark 3.x and 2.13 for spark 4.x
Values added - helm_core
| Nome | Descrizione | Valore |
|---|---|---|
kubernetes.defaultCluster.scalaVersion | Scala version for Spark jobs (SCALA_2_12 or SCALA_2_13) | SCALA_2_13 |
4. API token authentication system
Caratteristica:
Added "API token authentication system for internal and external service authentication."
Values added - helm_core
| Nome | Descrizione | Valore |
|---|---|---|
security.api-token.enabled | Flag to enable API token authentication | falso |
security.api-token.tokens | List of initial tokens | [] |
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-core.security.api-token.enabled | Flag to enable API token authentication | falso |
ilum-core.security.api-token.tokens | List of initial tokens | [{name: "superset", token: "initial-superset-token-for-engine-creation", permissions: ["SQLENGINE_CREATE"]}] |
5. Startup probe for Ilum-core
Caratteristica:
Added startup probe to the Ilum-core deployment. This allows the application to have sufficient time to start in constrained environments while maintaining quick readiness and liveness checks once started. The startup probe delays readiness and liveness probes until the application starts successfully.
Values added - helm_core
| Nome | Descrizione | Valore |
|---|---|---|
startupProbe | Startup probe configuration for ilum-core container | See values.yaml for full structure |
startupProbe.failureThreshold | Number of failures before giving up (300 × 2s = 10 minutes max) | 300 |
startupProbe.periodSeconds | How often to perform the probe | 2 |
startupProbe.timeoutSeconds | Timeout for each probe request | 1 |
startupProbe.httpGet.path | HTTP path for startup probe | /actuator/health/liveness |
Values changed - helm_core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
livenessProbe.initialDelaySeconds | 120 | 10 |
readinessProbe.initialDelaySeconds | 120 | 10 |
6. Disabled SASL in Kafka configuration
Caratteristica:
Disabled SASL authentication in the default Kafka configuration. This change simplifies the setup for users who do not require SASL authentication for their Kafka clusters. Users who need SASL can still enable it through custom configuration.
Values added - helm_aio
| Nome | Descrizione | Valore |
|---|---|---|
kafka.listeners.interbroker.protocol | Interbroker protocol | PLAINTEXT |
kafka.listeners.controller.protocol | Controller protocol | PLAINTEXT |
kafka.kraft.clusterId | Kraft clusterId to prevent Bitnami chart upgrade failures | aWx1bS1kZWZhdWx0LWlkMQ |
7. Management API and Ilum CLI
Caratteristica:
Added the helm_api chart (ilum-api), a Management API sidecar that exposes the Ilum CLI's operations over HTTP and powers the in-UI Module Marketplace for point-and-click module deployment. It is deployed by default in ilum-aio.
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-api.enabled | Deploy the Management API sidecar (CLI over HTTP) | vero |
RELEASE 6.6.2
1. Spark 4.x Upgrade - Scala 2.13 Migration
Caratteristica:
Updated default Spark images to ilum/spark:4.0.1-delta and ilum-spark-launcher to spark-4.1.0. Spark 4.x exclusively uses Scala 2.13 and has dropped support for Scala 2.12.
Values changed - helm_core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
kubernetes.defaultCluster.dockerImage | ilum/spark:3.5.7-delta | ilum/spark:4.0.1-delta |
historyServer.image | spark-3.5.7 | spark-4.1.0 |
externalSparkSubmit.image.tag | spark-3.5.7 | spark-4.1.0 |
⚠️⚠️⚠️ CRITICAL WARNING - BREAKING CHANGE ⚠️⚠️⚠️
Spark 4.x uses Scala 2.13 exclusively. Scala 2.12 is NO LONGER SUPPORTED.
This is a BREAKING CHANGE that may affect your existing Spark jobs:
-
JAR Compatibility: Any Spark applications, libraries, or dependencies compiled with Scala 2.12 WILL NOT WORK with Spark 4.x. You must recompile all custom JARs with Scala 2.13.
-
Affected Components:
- Custom Spark applications (Scala-based)
- Third-party libraries compiled for Scala 2.12
- UDFs written in Scala
- Qualunque
.jarfiles built withscalaVersion := "2.12.x"
-
How to Identify Affected JARs:
- Check your
build.sbtopom.xmlperscalaVersionsettings - JAR names often contain the Scala version suffix (e.g.,
myapp_2.12-1.0.jar) - JARs with
_2.12suffix need to be rebuilt with_2.13
- Check your
-
Required Actions Before Upgrade:
- Inventory all custom Spark JARs in use
- Recompile all Scala-based applications with Scala 2.13
- Update all third-party dependencies to Scala 2.13 versions
- Test all jobs thoroughly in a staging environment
-
No Backwards Compatibility:
- Starting from this version, Ilum's Spark job wrapper uses Scala 2.13 exclusively
- Running Spark 3.x jobs compiled with Scala 2.12 is no longer supported
- Tu MUST recompile all your Scala-based Spark jobs with Scala 2.13 before upgrading
-
PySpark Users: PySpark jobs are generally unaffected unless they use Scala-based UDFs or custom Scala libraries.
RECOMMENDATION: Test your workloads in a non-production environment before upgrading to this release.
2. Added environment variables support to default cluster configuration
Caratteristica:
Added support for configuring environment variables in the default cluster configuration. This allows users to set environment variables that will be applied to Spark jobs running on the default cluster. The SPARK_SUBMIT_OPTS environment variable is now configurable through Helm values instead of being hardcoded, providing better flexibility for JVM tuning and other environment-specific configurations.
Values added - helm_core
Default cluster environment variables configuration
| Nome | Descrizione | Valore |
|---|---|---|
kubernetes.defaultCluster.environmentVariables | Environment variables for default cluster | {} |
kubernetes.defaultCluster.environmentVariables.SPARK_SUBMIT_OPTS | JVM options for Spark submit process | "-XX:MaxHeapSize=64m -XX:MaxMetaspaceSize=64m -Xss256k" |
3. Added Unity Catalog integration
Caratteristica:
Aggiunto helm_unity_catalog chart to provide Unity Catalog support as an optional catalog backend (similar to Hive Metastore and Nessie). Unity Catalog is disabled by default and can be enabled to provide unified governance for data and AI assets. The chart is integrated with the existing PostgreSQL database and MinIO S3 storage, with automatic JWT keypair generation for authentication.
Values added - helm_unity_catalog
| Nome | Descrizione | Valore |
|---|---|---|
ilum-unity-catalog.enabled | Enables Unity Catalog deployment | falso |
ilum-unity-catalog.server.enabled | Enables the Unity Catalog server | vero |
ilum-unity-catalog.server.db.type | Database backend type (file or postgresql) | postgresql |
ilum-unity-catalog.server.db.postgresqlConfig.host | PostgreSQL host | ilum-postgresql-hl |
ilum-unity-catalog.server.db.postgresqlConfig.port | PostgreSQL port | 5432 |
ilum-unity-catalog.server.db.postgresqlConfig.dbName | PostgreSQL database name | unitycatalog |
ilum-unity-catalog.server.db.postgresqlConfig.user | PostgreSQL username | ilum |
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretName | Secret containing PostgreSQL password | ilum-postgres-credentials |
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretKey | Key in secret for password | parola d’ordine |
ilum-unity-catalog.server.jwtKeypairSecret.create | Auto-generate JWT keypair for authentication | vero |
ilum-unity-catalog.storage.modelStorageRoot | S3 path for Unity Catalog model storage | s3a://ilum-data/unity-catalog/ |
ilum-unity-catalog.storage.credentials.s3[0].bucketPath | S3 bucket path | s3://ilum-data |
ilum-unity-catalog.storage.credentials.s3[0].region | S3 region | Stati Uniti-Est-1 |
ilum-unity-catalog.storage.credentials.s3[0].credentialsSecretName | Secret containing S3 credentials | ilum-minio |
ilum-unity-catalog.storage.credentials.s3[0].accessKeySecretKey | Key name for S3 access key in secret | root-user |
ilum-unity-catalog.storage.credentials.s3[0].secretKeySecretKey | Key name for S3 secret key in secret | root-password |
ilum-unity-catalog.ui.enabled | Enables Unity Catalog UI | falso |
Values added - helm_core
Unity Catalog metastore configuration
| Nome | Descrizione | Valore |
|---|---|---|
ilum-core.metastore.type | Impostare su unity to use Unity Catalog as metastore | alveare |
ilum-core.metastore.unity.address | Unity Catalog server endpoint | http://unity-catalog-ilum-unity-catalog-server:8080 |
ilum-core.metastore.unity.warehouseDir | Unity Catalog warehouse directory | s3a://ilum-data/unity-catalog/ |
ilum-core.metastore.unity.s3Endpoint | S3 endpoint for Unity Catalog | http://ilum-minio:9000/ |
ilum-core.metastore.unity.s3PathStyleAccess | Enable S3 path-style access | vero |
ilum-core.metastore.unity.catalogName | Unity Catalog name in Spark | unity_catalog |
ilum-core.metastore.unity.config | Spark configuration for Unity Catalog integration | See values.yaml |
Values added - postgresExtensions
| Nome | Descrizione | Valore |
|---|---|---|
postgresExtensions.databasesToCreate | Aggiunto unitycatalog database for Unity Catalog metadata | ...,nessie,unitycatalog |
⚠️⚠️⚠️ Warnings
- Unity Catalog requires PostgreSQL and S3-compatible storage to be enabled
- JWT keypairs are auto-generated on first deployment and stored in Kubernetes secrets
- When using Unity Catalog, set
ilum-core.metastore.type: unityto configure Spark integration
4. Added DuckDb and DuckLake to Ilum Core
Caratteristica:
Added DuckDb as an SQL executor and DuckLake as a metastore option in Ilum Core. DuckDb is a fast and lightweight SQL engine that supports a wide range of data types and SQL features. DuckLake is a distributed metastore for DuckDb, which provides options for multi-user access and data versioning.
Values added - ilum_core
| Nome | Descrizione | Valore |
|---|---|---|
sql.duckdb.idleTimeout | Determines the time DuckDb connections are kept alive without activity | 1h |
sql.duckdb.ducklake.enabled | Enables DuckLake | vero |
sql.duckdb.ducklake.location | Location of the data in for the DuckLake | s3://ilum-ducklake/ |
sql.duckdb.ducklake.postgres.host | Host for the metastore postgres connection | `` |
sql.duckdb.ducklake.postgres.port | Port for the metastore postgres connection | 5432 |
sql.duckdb.ducklake.postgres.database | Database name for the metastore postgres connection | ducklake |
sql.duckdb.ducklake.postgres.user | Username for the metastore postgres connection | `` |
sql.duckdb.ducklake.postgres.password | Password for the metastore postgres connection | `` |
sql.duckdb.ducklake.s3.endpoint | S3 endpoint for the metastore data | `` |
sql.duckdb.ducklake.s3.region | S3 region for the metastore data | Stati Uniti-Est-1 |
sql.duckdb.ducklake.s3.keyId | S3 key id for the metastore data | `` |
sql.duckdb.ducklake.s3.secret | S3 secret for the metastore data | `` |
sql.duckdb.ducklake.s3.urlStyle | Url style to use for S3. Either sentiero o vhost | sentiero |
sql.duckdb.ducklake.s3.ssl | Whether to use SSL for the S3 connection | falso |
RELEASE 6.6.1
1. Ugraded JupyterHub experience
Caratteristica:
Ugraded helm_jupyterhub to bundle Ilum-specific SSH/Git/LDAP bootstrap logic, curated notebooks, and tailored singleuser defaults so helm_aio merely enables the dependency, pins fullnameOverride, and surfaces only the still-relevant overrides. This also keeps the SSH network policy open for port 2222 and ensures the shared ilum-jupyter-ssh-keys secret remains stable, while c.JupyterHub.cleanup_servers = True guarantees the SSH service and user pods stop with the release.
Values added - helm_aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-jupyterhub.enabled | Enables the curated Ilum JupyterHub chart | falso |
Values added - helm_jupyterhub
| Nome | Descrizione | Valore |
|---|---|---|
fullnameOverride | Override for the full resource name | ilum-jupyterhub |
Abilitato | Chart enabled flag | falso |
SSH configuration
| Nome | Descrizione | Valore |
|---|---|---|
ssh.enabled | Enables the bundled SSH operator, service, and shared key workflow | falso |
ssh.keysSecret | Secret that provides the stable host and authorized keys | ilum-jupyter-ssh-keys |
ssh.mode | SSH authentication mode: padrone (shared authorized_keys from keysSecret) or per-user (individual secrets per user) | padrone |
ssh.perUserSecretNameTemplate | Template for per-user secret names when using per-user mode | ssh-keys-{username} |
ssh.perUserAuthorizedKeysKey | Key name in per-user secrets containing authorized_keys | authorized_keys |
ssh.service.type | Type of service fronting port 2222 | Porta nodo |
ssh.service.port | Port exposed for SSH traffic | 2222 |
ssh.service.targetPort | Target port for SSH traffic | 2222 |
ssh.service.nodePort | NodePort number (empty for auto-assignment) | "" |
ssh.service.clusterIP | ClusterIP address (empty for auto-assignment) | "" |
ssh.service.loadBalancerIP | LoadBalancer IP address | "" |
ssh.service.annotations | Annotations for the SSH service | {} |
ssh.service.prefix | Prefix for SSH service resources | ilum-jupyter-ssh |
ssh.sshdConfig.customConfig | Custom sshd_config lines | [] |
ssh.operatorImage.name | SSH operator image repository | docker.ilum.cloud/ilum-jupyterhub |
ssh.operatorImage.tag | SSH operator image tag | ssh-operator-4.3.1 |
ssh.extraEnv | Extra environment variables for SSH operator | [] |
Git configuration
| Nome | Descrizione | Valore |
|---|---|---|
git.existingSecret | Credentials that allow the Git init job to seed the notebooks repository | ilum-git-credenziali |
git.email | Git email for commits | ilum@ilum |
git.repository | Nome del repository Git | Jupyter |
git.address | Gitea server address | ilum-gitea-http:3000 |
git.url | Gitea endpoint URL used to seed the ilum-jupyterhub org | http://ilum-gitea-http:3000 |
git.orgName | Organization managed by the git-init job | ilum-jupyterhub |
git.operatorImage.name | Git operator image repository | docker.ilum.cloud/ilum-jupyterhub |
git.operatorImage.tag | Git operator image tag | gitea-operator-4.3.1 |
git.secret.name | Secret containing credentials referenced by the operator | ilum-git-credenziali |
git.secret.usernameKey | Key for username in the secret | nome utente |
git.secret.passwordKey | Key for password in the secret | parola d’ordine |
LDAP configuration
| Nome | Descrizione | Valore |
|---|---|---|
ldap.enabled | Keeps the LDAP authenticator wired into Ilum JupyterHub | vero |
ldap.urls | LDAP server endpoints that front the Ilum directory | ["ldap://ilum-openldap:389"] |
ldap.base | Search base for Ilum users and groups | "dc=ilum,dc=cloud" |
ldap.username | Bind DN used for authentication | "cn=admin,dc=ilum,dc=cloud" |
ldap.password | Password for the bind DN | Not@SecurePassw0rd |
ldap.adminUsers | LDAP accounts with admin privileges in JupyterHub | ["ilumadmin","admin"] |
ldap.userSearchBase | Base DN where user entries live | "ou=people,dc=ilum,dc=cloud" |
ldap.userSearchFilter | Filter for user lookups | "uid={0}" |
ldap.groupSearchBase | Base DN where group entries live | "ou=groups,dc=ilum,dc=cloud" |
ldap.groupSearchFilter | Filter that matches members | "(membro={0})" |
ldap.allowedGroups | Empty list allows all groups unless specified | [] |
ldap.userAttribute | User attribute for username | "uido" |
ldap.fullnameAttribute | Attribute for user's full name | "cn" |
ldap.emailAttribute | Attribute for user's email | "posta" |
ldap.groupNameAttribute | Attribute for group name | "cn" |
ldap.groupMemberAttribute | Attribute for group membership | "member" |
ldap.useSsl | Use SSL for LDAP connection | falso |
ldap.startTls | Use STARTTLS for LDAP connection | falso |
ldap.lookupDn | Lookup DN before binding | vero |
Hub configuration
| Nome | Descrizione | Valore |
|---|---|---|
hub.image.name | Hub image repository | docker.ilum.cloud/ilum-jupyterhub |
hub.image.tag | Hub image tag | jupyterhub-4.3.1 |
hub.contentSecurityPolicy.enabled | Turns the managed CSP header injection on/off | vero |
hub.contentSecurityPolicy.frameAncestors | Origins allowed to embed JupyterHub in an iframe | ["'self'","http://localhost:9777"] |
hub.gitInit.enabled | Runs the job that ensures the ilum-jupyterhub organization/repo exist | vero |
Singleuser runtime defaults
| Nome | Descrizione | Valore |
|---|---|---|
singleuser.startupArgs.iopubDataRateLimit | Raised output bandwidth ceiling for Ilum workloads | 1000000000 |
singleuser.startupArgs.extraArgs | Additional CLI arguments forwarded to the user server | [] |
singleuser.nodeSelector | Architecture-agnostic placement (empty by default) | {} |
singleuser.tolerations | Allows scheduling on tainted nodes when needed | [] |
Image pull credentials
| Nome | Descrizione | Valore |
|---|---|---|
imagePullSecret.create | Create the pull secret in-cluster | falso |
imagePullSecret.automaticReferenceInjection | Auto-inject the created secret into JupyterHub workloads | vero |
imagePullSecret.registry | Registry host for the pull secret | "" |
imagePullSecret.username | Registry username for the pull secret | "" |
imagePullSecret.password | Registry password for the pull secret | "" |
imagePullSecret.email | Registry email for the pull secret | "" |
imagePullSecret.name | Existing secret name to reference instead of the autogenerated pull secret | "" |
imagePullSecrets | Additional pull secrets injected into all hub-managed pods | [] |
Values changed - helm_jupyterhub
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
singleuser.networkPolicy.allowedIngressPorts | [] | [2222] |
Instructions
- Keep
ilum-jupyter-ssh-keysstable outside Helm so the SSH host fingerprint survives upgrades; rotating the secret requires removing stale entries from userknown_hosts. - Ensure
ilum-git-credenzialicontains valid credentials for a Gitea account with org-level write access—both the SSH operator and Git init job rely on the rendered token. - To refresh the curated notebooks, update
helm_jupyterhub/files/examples(and their config map templates) so the init container can push them into theilum-jupyterhubrepo again.
⚠️⚠️⚠️ Warnings
-
Port 2222 is opened via the SSH operator’s shared service; if you switch to per-user authorized keys, keep the service numbering and secrets aligned.
-
Cleanup is forced (
c.JupyterHub.cleanup_servers = True), so user pods and the SSH service terminate with the Helm release. Manage any long-lived workloads outside this chart.
2. Upgraded Livy compatible API to version 0.8.0
Caratteristica:
Upgraded Livy compatible API to version 0.8.0 with enhanced configuration options for compression, server version control, and TTL-based session cleanup.
Valori aggiunti - ilum-core
Livy Compression Configuration
| Nome | Descrizione | Valore |
|---|---|---|
livy.compression.enabled | Enable response compression for Livy endpoints | falso |
Livy Server Configuration
| Nome | Descrizione | Valore |
|---|---|---|
livy.server.version | Livy server version identifier | 0.8.0 |
livy.server.sendServerVersion | Send server version in response headers | falso |
livy.server.allowCustomClasspath | Allow custom classpath in session creation | falso |
Livy TTL Session Cleanup Configuration
| Nome | Descrizione | Valore |
|---|---|---|
livy.ttl.checkPeriod | Background sweep period in milliseconds for checking expired sessions | 300000 |
livy.ttl.checkInitialDelay | Initial delay in milliseconds before first TTL background check | 60000 |
Valori aggiunti - ilum-aio
Same values as ilum-core but under the ilum-core. prefix (e.g., ilum-core.livy.compression.enabled).
⚠️⚠️⚠️ Important Notes
For most users: ✅ No action required. All new configuration options have safe defaults and are backward compatible.
Optional Performance Optimization: If you handle large Livy responses, you may enable compression by setting livy.compression.enabled: true.
Gestione delle sessioni: The new TTL cleanup uses a hybrid approach (lazy + background sweep) to automatically clean up expired sessions. Default settings should work for most deployments.
3. Updated default Spark version and added autopause configuration
Caratteristica:
Updated default Spark version to 3.5.7-delta in kubernetes.defaultCluster.config.
Added spark.ilum.autopause: "true" A kubernetes.defaultCluster.config to set the default behavior of the autopause feature.
Valori modificati - ilum-core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
kubernetes.defaultCluster.config.spark.kubernetes.container.image | ILUM / Scintilla: 3.5.6-Delta | ilum/spark:3.5.7-delta |
Valori aggiunti - ilum-core
| Nome | Descrizione | Valore |
|---|---|---|
kubernetes.defaultCluster.config.spark.ilum.autopause | Sets the default behavior of autopause feature | "vero" |
1. HTTP cookie-based access control now disabled by default
Caratteristica:
Fixed stability issues and changed HTTP cookie-based access control to be disabled by default for all external services (Jupyter, Airflow, MLflow, Grafana, etc.).
What Changed?
- External services are now open by default - no cookie requirements
- All users can access services without any special configuration
- System works out-of-the-box
What This Means for You
- ✅ Your services will become more accessible
- ✅ Users can access Jupyter, Airflow, MLflow, etc. without cookie setup
- ✅ No action required for most deployments
If you need to restrict access:
- Use the built-in OAuth2/Hydra authentication (recommended for production)
- Or manually enable cookie-based access control per service (see below)
When to Use Cookie-Based Access Control?
This is an advanced feature for specific use cases:
- ✅ Temporary access restrictions for specific users/sessions
- ✅ Custom access control integrated with your frontend application
To enable for a specific service:
nginx:
configurazione:
http_cookie:
Abilitato: vero
ilum-jupyter:
Abilitato: vero
Values changed - ilum-ui
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
nginx.config.http_cookie.enabled | vero | falso |
Values changed - ilum-aio
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
ilum-ui.nginx.config.http_cookie.enabled | vero | falso |
⚠️⚠️⚠️ Important Notes
For most users: ✅ No action required. This change makes services more accessible.
If you customized cookie settings in 6.6.0: You may need to review your configuration. The system now defaults to open access instead of requiring cookies.
RELEASE 6.6.0
1. Upgraded Apache Airflow to 3.1.1
Caratteristica:
Upgraded Apache Airflow from 3.0.5 to 3.1.1 with improved OIDC authentication support using authlib OAuth providers (AUTH_OAUTH) instead of deprecated flask-oidc (AUTH_OIDC). This upgrade includes fixes for OAuth redirect URI patterns and proper volume mounting for OIDC client secrets in init containers.
Values changed - ilum-aio
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
airflow.airflowVersion | 3.0.5 | 3.1.1 |
airflow.images.airflow.tag | 3.0.5 | 3.1.1 |
airflow.apiServer.extraInitContainers[0].image | ilum/airflow:3.0.5 | ilum/airflow:3.1.1 |
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
airflow.migrateDatabaseJob.useHelmHooks | Disable Helm hooks for database migration job | falso |
airflow.apiServer.extraInitContainers[0] | Modified create admin user init container | See below |
airflow.apiServer.apiServerConfigConfigMapName | Custom webserver_config.py configmap | ilum-api-server-config |
Init Container Volume Mount Configuration
- nome: create-Admin-utente
immagine: ilum/airflow:3.1.1
command: ["/bin/bash", "/scripts/init.sh"]
volumeMounts:
- nome: ilum-airflow-create-utente-segreto
mountPath: /scripts
- nome: configurazione
mountPath: /opt/airflow/airflow.cfg
Percorso secondario: airflow.cfg
- nome: oauth-segreto-volume
mountPath: /opt/airflow/client-segreto
readOnly: vero
- nome: webserver-configurazione-volume
mountPath: /opt/airflow/webserver_config.py
Percorso secondario: webserver_config.py
readOnly: vero
⚠️⚠️⚠️ Warnings
Configuration value airflow.apiServer.apiServerConfigConfigMapName is preconfigured to use a ConfigMap named ilum-api-server-config.
But the name of this configMap must follow pattern to be properly mounted as it is Airflow's chart requirement.
So if your release name is different from ilum, please change this value accordingly. For example use:
airflow:
apiServer:
apiServerConfigConfigMapName: -release-nome>-API-server-configurazione
extraVolumes:
- nome: oauth-segreto-volume
segreto:
Nome segreto: ilum-idra-cliente-segreto
- nome: ilum-airflow-create-utente-segreto
segreto:
Nome segreto: ilum-airflow-create-utente-segreto
- nome: webserver-configurazione-volume
configMap:
nome: -release-nome>-API-server-configurazione
2. Enhanced Jupyter startup configuration
Caratteristica:
Added configurable startup arguments for Jupyter notebook server, allowing users to customize base URL, IOPub data rate limits, and pass additional command-line arguments. Also added support for extra environment variables with templating support.
Valori aggiunti - ilum-jupyter
Startup and environment configuration
| Nome | Descrizione | Valore |
|---|---|---|
token | Jupyter notebook authentication token | "" |
startupArgs.baseUrl | Jupyter base URL path for reverse proxy configurations | /external/jupyter/ |
startupArgs.iopubDataRateLimit | IOPub data rate limit in bytes/sec (controls output bandwidth) | 1000000000 |
startupArgs.extraArgs | Additional command-line arguments to pass to Jupyter server | [] |
extraEnv | Additional environment variables for Jupyter container as string template | "" |
⚠️⚠️⚠️ Warnings
- All startup arguments configured via
startupArgs.*can be completely overridden by setting theargomentiparameter in values.yaml. Whenargomentiis set, all default startup arguments are ignored, giving you full control over the Jupyter server startup command. - Le
extraEnvparameter accepts a string template (multiline YAML using|). Example usage:extraEnv: |
- name: MY_VAR
value: value
3. Added Apache NiFi module
Caratteristica:
Added Apache NiFi to ilum-aio as a new module. This will allow users to easily deploy NiFi and use it next to Ilum.
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
nifi.enabled | Flag to enable NiFi deployment in ilum-aio | falso |
nifi.fullnameOverride | Full name override for NiFi | ilum-nifi |
nifi.image.tag | Tag of the source NiFi image | 2.5.0 |
nifi.properties.safetyValve | Additional properties passed to nifi.properties | Vedere valori.yaml |
nifi.persistence.enabled | Enables PVC for the data directory | vero |
nifi.persistence.subpath.enabled | Enabled one PVC instead of many | vero |
nifi.persistence.subpath.size | Size of the data directory | 10Gi |
nifi.zookeeper.enabled | Enables bundled Zookeeper deployment | falso |
nifi.registry.enabled | Enables bundled NiFi registry deployment | falso |
nifi.ca.enabled | Enables bundled CA deployment | falso |
nifi.openldap.enabled | Enables bundled openLDAP deployment | falso |
Valori aggiunti - ilum-ui
| Nome | Descrizione | Valore |
|---|---|---|
runtimeVars.nifiUrl | URL of the NiFi instance | http://ilum-nifi:8443/nifi/ |
runtimeVars.nifiPath | Proxy path of NiFi | /external/nifi/ |
nginx.config.nifi.enabled | Enable proxy for NiFi | falso |
nginx.config.http_cookie.nifi.enabled | Enables cookie mapping for NiFi | vero |
4. Added integration with Project Nessie metastore
Caratteristica:
Added integration with Project Nessie metastore in Ilum, which allows the use of Nessie as a metastore for Spark jobs.
Valori aggiunti - ilum-core
| Nome | Descrizione | Valore |
|---|---|---|
metastore.type | Indicates the default metastore | alveare |
metastore.nessie.address | The address of the default Nessie metastore | http://ilum-nessie:19120/api/v2 |
metastore.nessie.warehouseDir | The location of the warehouse of the default Nessie metastore | s3a://ilum-data/nessie_catalog |
metastore.nessie.s3Endpoint | The S3 API endpoint to use for the default Nessie metastore | http://ilum-minio:9000 |
metastore.nessie.s3PathStyleAccess | Whether to use path style access for the S3 Nessie connection | vero |
metastore.nessie.authType | Auth type of the default Nessie metastore | NONE |
metastore.nessie.ref | The branch to use for the default Nessie metastore | principale |
metastore.nessie.cacheEnabled | Enables caching in the default Nessie metastore | falso |
metastore.nessie.catalog_name | The name of the catalog for the default Nessie metastore | nessie_catalog |
metastore.nessie.config | Additional config to add for the Spark job | Vedere valori.yaml |
metastore.nessie.statusProbe | Status probe for the Nessie metastore, so Ilum-core does not launch too quickly | Vedere valori.yaml |
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
nessie.enabled | Enables or disables bundled Nessie deployment | falso |
nessie.fullnameOverride | Full name override for Nessie | ilum-nessie |
nessie.versionStoreType | Type of persistent metadata storage | JDBC2 |
nessie.extraInitContainers | Adds init containers to Nessie (waiting for database) | Vedere valori.yaml |
nessie.jdbc.jdbcUrl | Url for DB connection | jdbc:postgresql://ilum-postgresql-hl:5432/nessie |
nessie.jdbc.secret.name | Secret containing DB credentials | ilum-postgres-credentals |
nessie.jdbc.secret.username | Key of username in the secret | nome utente |
nessie.jdbc.secret.password | Key of password in the secret | parola d’ordine |
Nomi cambiati - ilum-core
| Vecchio nome | Nuovo nome |
|---|---|
hiveMetastore.enabled | metastore.enabled |
hiveMetastore.* | metastore.hive.* |
Valori modificati - ilum-core
| Nome | Vecchio valore | Nuovo valore |
|---|---|---|
kubernetes.defaultCluster.config | Vedere valori.yaml | Vedere valori.yaml |
⚠️⚠️⚠️ Warnings
This is an important change that will need to be addressed if any custom changes to the default configuration were made. Please carefully review the changes and make sure they will not break your deployment.
5. Livy API now fully served by ilum-core (embedded)
Caratteristica:
Livy API is implemented and served directly by ilum-core (embedded).
The legacy Livy proxy is deprecated but can still be turned on for backward compatibility.
Valori aggiunti - ilum-aio
| Nome | Descrizione | Valore |
|---|---|---|
ilum-core.livy.enabled | Enables embedded Livy integration in AIO via ilum-core | vero |
ilum-core.livy.ilumUI.publicEndpoint | Public endpoint of ilum-ui used for Livy links/integration | http://localhost:9777 |
ilum-livy-proxy.legacy.enabled | Turns on the legacy Livy proxy resources (ConfigMap/Deployment/etc.) | falso |
⚠️⚠️⚠️ Warnings
- Le compat Service (
ilum-livy-proxy→ ilum-core) is deprecated and will be removed in a future release. - Le legacy proxy is also deprecated and will be removed after the transition period.
- Mode matrix (AIO):
ilum-livy-proxy.enabled=false&ilum-livy-proxy.legacy.enabled=false→ nothing created; callilum-coredirectly.ilum-livy-proxy.enabled=true&ilum-livy-proxy.legacy.enabled=false→ create compat Service pointing to the newilum-coreLivy API.ilum-livy-proxy.enabled=false&ilum-livy-proxy.legacy.enabled=true→ deploy legacy proxy.
- When legacy is enabled, update client endpoints to use the legacy Service:
ilum-jupyter.livyEndpoint = http://ilum-livy-proxy:8998ilum-zeppelin.livyEndpoint = http://ilum-livy-proxy:8998- Airflow connection:
AIRFLOW_CONN_ILUM-LIVY-PROXY=livy://ilum-livy-proxy:8998
- Some resources (e.g., ConfigMap/Ingress) are rendered based on
ilum-livy-proxy.legacy.enabledonly (not onilum-livy-proxy.enabled).
6. Added cronjob cleaning after uninstalling
Caratteristica:
A pre-delete hook will now clean up kubernetes cronjobs after uninstalling the chart.
Valori aggiunti - ilum-core
| Nome | Descrizione | Valore |
|---|---|---|
cronjob.cleanup.enabled | Enable cronjob cleanup after uninstalling the chart | vero |
cronjob.cleanup.image | Image used for the cleanup job | alpine/kubectl:1.34.1 |
RELEASE 6.5.2
1. SSH mode implementation for helm_jupyter
Caratteristica:
SSH mode in the helm_jupyter chart has been implemented to provide SSH access directly within the main Jupyter container. This allows users to access their Jupyter environment via SSH while maintaining workspace consistency between web and SSH interfaces.
Values added - helm_jupyter
SSH access configuration
| Nome | Descrizione | Valore |
|---|---|---|
ssh.enabled | Enable SSH access in the Jupyter container | vero |
ssh.keysSecret | Name of the secret containing SSH keys | ilum-jupyter-ssh-keys |
ssh.service.type | SSH service type | Porta nodo |
ssh.service.port | SSH service port | 2222 |
ssh.service.nodePort | SSH service node port (when service type is NodePort) | "" |
ssh.service.clusterIP | SSH service cluster IP | "" |
ssh.service.loadBalancerIP | SSH service load balancer IP | "" |
ssh.service.annotations | SSH service annotations | {} |
ssh.sshdConfig.customConfig | Custom SSH server configuration | [] |