ملاحظات الترقية
ملاحظات الترقية
الإصدار التالي
نموذج الملاحظة
1. التغيير
ميزة:
وصف الميزة
القيم المحذوفة - اسم الرسم البياني
| اسم | سبب |
|---|---|
helm.value | سبب حذف قيمة Helm |
القيم المضافة - اسم الرسم البياني
وصف قسم القيم
| اسم | وصف | قيمة |
|---|---|---|
helm.value | وصف قيمة الدفة | القيمة الافتراضية |
الأسماء التي تم تغييرها - اسم الرسم البياني
| الاسم القديم | اسم جديد |
|---|---|
الاسم القديم | اسم جديد |
⚠️⚠️⚠️ التحذيرات
القيم التي تم تغييرها - اسم الرسم البياني
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
helm.value | القيمة القديمة | قيمة جديدة |
RELEASE 6.7.3
1. UI internationalization (i18n) + RTL
ميزة:
The web UI can now switch language and text direction at runtime from Settings (persisted to localStorage). The set of available languages is config-driven: add or remove a language with no frontend rebuild. Ships English + Persian (RTL) + Arabic (RTL) + Portuguese + Spanish + Chinese
- Hindi; direction follows the language.
Values added - helm_ui (mirrored under ilum-ui.runtimeVars in helm_aio)
UI language configuration (rendered into the ILUM-UI ConfigMap)
| اسم | وصف | قيمة |
|---|---|---|
runtimeVars.defaultLanguage | Default UI language code (ILUM_DEFAULT_LANGUAGE) | en |
runtimeVars.availableLanguages | Languages in the selector + i18next supportedLngs (ILUM_AVAILABLE_LANGUAGES); array of {code,label,dir,font?} | [en, fa(rtl), ar(rtl), pt, es, zh, hi] |
i18n.extraLocaleConfigMaps | Optional ConfigMaps mounted over /usr/share/nginx/html/locales/ to add or override catalogs at runtime (no rebuild) | [] |
Per-language font (the font field of each availableLanguages entry): Persian
(fa) uses IRANSans, Arabic (ar) uses Vazirmatn. Both are self-hosted and the
binaries are NOT shipped in the image; fa uses the free IRANSansWeb build. To render
Persian in IRANSans, place the IRANSansWeb woff2 files in a custom UI image (public/fonts/)
or mount them; otherwise the UI falls back to the system Persian font. Vazirmatn is SIL-OFL —
confirm IRANSansWeb's terms fit your deployment, or set fa's font ل "Vazirmatn".
⚠️⚠️⚠️ التحذيرات
None. New keys are additive with safe defaults; existing installs default to
English with no behavior change. To add a brand-new language at runtime,
append an availableLanguages entry AND mount its catalog JSON via
i18n.extraLocaleConfigMaps (or bake it into a custom UI image under
public/locales//).
2. RustFS object-storage provider (opt-in)
ميزة:
RustFS (Apache-2.0) is now bundled as an opt-in S3-compatible object
storage provider alongside MinIO, which remains the default in the 6.7.x
line. RustFS is planned to become the default in 6.8.0. Switching is a
single Helm flag (rustfs.enabled=true, minio.enabled=false). A
pre-upgrade hook refuses ترقية Helm when an existing MinIO PVC would
be orphaned without explicit acknowledgement.
For step-by-step instructions, refer to Migrate Between Object Storage Providers. For the broader storage decision and provider reference pages, refer to the Object Storage section.
3. Object-storage credentials consolidation
ميزة:
All object-storage consumers now read S3 credentials from a single shared
Secret, ilum-objectstorage-credentials, instead of per-consumer literal
values in القيم.yaml. The Secret holds six aliased keys: access-key,
secret-key, root-user, root-password, RUSTFS_ACCESS_KEY,
RUSTFS_SECRET_KEY. Consumers wired to this Secret include إيلوم كور,
ilum-jupyter, ilum-history-server, ilum-hive-metastore, airflow,
kestra, ترينو, langfuse, loki, مينيوو rustfs.
Default credentials for net-new installs are المشرف/المشرف. On upgrade,
the credentials-secret template's lookup preserves the live Secret
values, so existing deployments keep their current credentials.
Per-consumer accessKey/secretKey literals in Helm values are now
ignored when an existingSecret reference is set, which is the default in
helm_aio.
The chart resolves the S3 Service + credentials Secret via templates/_storage.tpl helpers. Defaults to MinIO (ilum-minio, keys root-user/root-password); a live lookup for Service ilum-objectstorage switches it to the rustfs alias (ilum-objectstorage-credentials, keys access-key/secret-key) automatically. objectStorage.useAlias: true forces the alias path for CI helm template (no cluster lookup). Rotation is performed by editing the shared Secret and restarting the affected Pods. For the full procedure, refer to Rotate Object Storage Credentials.
4. OpenMetadata + OpenLineage integration
ميزة:
Ilum now ships an optional OpenMetadata data-catalog and governance layer, fed by OpenLineage events from Airflow and Spark. The whole stack is disabled by default and is safe on upgrade: an existing deployment that does not set the new flags brings up zero OpenMetadata resources and behaves exactly as before.
The integration is gated by five flags, all defaulting to خطأ: openmetadata.enabled, openmetadata-dependencies.enabled, openmetadataBootstrap.enabled, fixHmsDeltaColumns.enabledو ilum-core.job.openLineage.openmetadata.enabled. Enabling the first four plus the OpenLineage transport leg brings up the OpenMetadata server (a small Ilum fork of the 1.12.5 image), its OpenSearch + PostgreSQL dependencies, the bootstrap Job, and the OL→OM backfill CronJob. Spark and Airflow lineage then flows into OpenMetadata via a composite OpenLineage transport that fans out to both Marquez and OpenMetadata.
Iceberg-via-Nessie catalog ingestion ships in preview status. For configuration, the governance model, and operational details, refer to OpenMetadata.
5. OM bootstrap Job + bot tokens
- Bootstrap is a regular Job (
), not a hook —-om-bootstrap- helm installreturns immediately. Watch:kubectl logs -f job/; final line is-om-bootstrap- BOOTSTRAP_SUMMARY: {...}. Completed Jobs GC after 24h. - Bot tokens default-on (
openmetadataBootstrap.botTokens.enabled: true): OM clients use theingestion-bot/lineage-botJWTs in theilum-om-bot-tokensSecret; consumers fall back to admin login while the Secret holds placeholders. - ilum-core blocks startup on the bot token (
job.openLineage.openmetadata.auth.waitForBotToken: true) via await-for-om-bot-tokeninitContainer, so OpenLineage never falls back to the 1h-expiring admin login (which 401s long-lived Kyuubi engines). SetwaitForBotToken: falsefor an external OM with no bootstrap-published token. - Bot-token attribution is self-healing but lags: pods that boot before the JWTs
are published attribute OM writes to the
إيلومadmin until their next restart. To switch immediately, roll Airflow + ilum-core once after BOOTSTRAP_SUMMARY. Cosmetic only (audit attribution) — both paths have identical permissions. ilum-om-bot-tokenscarrieshelm.sh/resource-policy: keepand holds never-expiring JWTs. On a shared cluster, after teardown delete it explicitly (kubectl delete secret ilum-om-bot-tokens -n) or rotate the bots in OM.
6. OpenMetadata bootstrap behaviour
The bootstrap Job registers Hive/Superset/MinIO/Delta services and runs polish ops:
sets openMetadataBaseUrlConfiguration, triggers SearchIndexing + DataInsights,
seeds Table custom properties (sourceSystem, slaHours), bumps certification
duration to P365D, and seeds two demo users. All ops are idempotent + non-fatal,
and re-runs preserve operator overrides (GET-before-PUT on the base URL, service
connections carrying ssl/kerberos/sasl/jaas/auth keys, and existing custom
properties). The Hive service routes through Kyuubi (ilum-sql-thrift-binary:10009)
— no separate Kyuubi service is registered.
| اسم | وصف | قيمة |
|---|---|---|
openmetadataBootstrap.publicBaseUrl | OM base URL for alert mails / deep-links. Override in production. | http://localhost:9777/external/openmetadata |
openmetadataBootstrap.demoUsersEnabled | Seed analyst/steward demo users. جبر خطأ in production. | صحيح |
openmetadataBootstrap.certificationDurationISO8601 | Default certification validity. | "P365D" |
openmetadataBootstrap.omUser | OM admin user (Secret ). | [البريد الإلكتروني محمي] |
openmetadataBootstrap.omPassword | OM admin password. Change for production. | المشرف |
openmetadataBootstrap.botTokens.enabled | Publish bot JWTs to ilum-om-bot-tokens. | صحيح |
The OM admin password lives only in the Secret
(consumed by the bootstrap Job, Airflow, and ilum-core via secretKeyRef); rotate
by editing openmetadataBootstrap.omPassword. Two more Secrets render with the
release: ilum-superset-admin و ilum-hms-db-creds (account for them if you
mirror manifests externally).
7. OM ingestion CronJobs are OM-owned
OM creates 7 om-cronjob-* ingestion CronJobs server-side (label
managed-by=openmetadata, no ownerReferences). Edit schedules/pipelines through a
re-bootstrap PATCH, not the CronJob directly (reverted on next bootstrap). The
helm uninstall pre-delete hook reaps them. Scheduled Hive ingestion runs with
overrideMetadata: false so it preserves DAG-set Tier/Certification governance.
8. Delta + lineage helpers (opt-in flags, default on)
| اسم | وصف | قيمة |
|---|---|---|
openmetadataBootstrap.deltaEnricher.enabled | CronJob PATCHing Delta facets onto OM tables (Rust deltalake, ~80MB). | صحيح |
openmetadataBootstrap.deltaEnricher.schedule | Delta property refresh cron. | 0 */6 * * * |
openmetadataBootstrap.olBackfill.enabled | CronJob replaying Marquez OL events to OM (idempotent gap-fill). | صحيح |
openmetadataBootstrap.olBackfill.schedule | OL replay scan cron. | 0 2 * * * |
fixHmsDeltaColumns.enabled | Post-install/upgrade Job repairing Delta col array HMS schemas. | خطأ |
OM's native DeltaLake-S3 connector stays paused (>4Gi peak); the enricher CronJob fills Delta facets instead.
9. OpenLineage namespace
Airflow OL events use airflow.config.openlineage.namespace (default ilum-airflow,
single source of truth). Bootstrap's namespaceToServiceMapping attaches
s3://ilum-data, spark://ilum-sql-thrift-binary:10009و ilum-airflow to the
right OM services. Override the namespace only to match events already in Marquez/OM.
10. Production overrides checklist
| Key | افتراضي | For production |
|---|---|---|
openmetadataBootstrap.publicBaseUrl | http://localhost:9777/external/openmetadata | actual ingress URL |
openmetadataBootstrap.demoUsersEnabled | صحيح | خطأ (use LDAP/OIDC) |
openmetadataBootstrap.omPassword | المشرف | a real password |
gitea.gitea.config.server.ROOT_URL | http://localhost:9777/external/gitea/ | public host (path must match STATIC_URL_PREFIX) |
The chart installs into any namespace (bare service DNS names, no
.svc.cluster.local). If you carry extraValues overrides with FQDN metastore
addresses, drop .ilum.svc.cluster.local or Spark lineage silently fails to map.
11. Iceberg via Project Nessie (opt-in, OFF by default)
A stock install runs Hive-only with no Nessie pod. Enable Iceberg cataloging (starts a Nessie pod + Postgres DB) with BOTH flags — the gate ANDs them:
helm upgrade ilum ./helm_aio \
--جبر nessie.enabled=صحيح \
--جبر openmetadataBootstrap.services.iceberg.enabled=صحيح
| اسم | وصف | قيمة |
|---|---|---|
openmetadataBootstrap.services.iceberg.enabled | Register OM Iceberg service (needs nessie.enabled). | خطأ |
openmetadataBootstrap.services.iceberg.restUri | Nessie Iceberg-REST URI (no ref in path). | http://ilum-nessie:19120/iceberg |
openmetadataBootstrap.services.iceberg.warehouse / .catalogName | Symbolic warehouse name. | nessie_catalog |
openmetadataBootstrap.services.iceberg.{endpoint,accessKey,secretKey,region} | S3-reader overrides (empty = objectStorage Secret). | "" / الولايات المتحدة الشرقية 1 |
nessie.catalog.enabled | Nessie Iceberg-REST endpoint. | صحيح |
Gotchas:
- Do NOT disable Hive to go "Iceberg-first": the bundled example tables are
Delta/Parquet via HMS, and bootstrap gates SUCCESS on Hive producing ≥10 tables
(
openmetadataBootstrap.examplesIngest.expectedMinTables). Iceberg-only also needsopenmetadataBootstrap.examplesIngest.enabled=false. - The OM ingestion reader reads Iceberg
metadata.json/manifests directly from S3, so it MUST hold creds that reads3://ilum-data/nessie_catalog/. A credential mismatch registers fine but ingests 0 tables. - On rustfs/non-default backends, override
nessie.catalog.storage.s3.defaultOptions.accessKeySecret(static YAML, defaults to the minio Secret) so Nessie and the OM reader resolve the SAME identity. - To catalog a ref other than
رئيسي, pin it via a Nessie warehouse, not the URI path (putting the ref in the path → HTTP 404). OM ingests one ref; no history.
12. Hive 4 support (opt-in)
جبر ilum-hive-metastore.majorVersion: 4 من أجل apache/hive:standalone-metastore-4.x
images (default 3). A v3 Postgres DB cannot be reused for v4 (incompatible
schemas). Running v3 + v4 side-by-side: give v4 its own database
(--set ilum-hive-metastore.postgresql.database=metastore_v4) and add it to
postgresExtensions.databasesToCreate. Spark against a v4 metastore needs Hive 4
client jars — use ilum/spark:4.0.2-delta-hive4 as the cluster image.
13. Airflow pools
airflowExtensions.pools pre-creates the listed Airflow pools (name + slots) via an
init container on the Airflow api-server/scheduler. Default is empty ([]); add your
own DAGs' pools here.
14. Cross-stack observability + cost attribution
ميزة
A new cross-stack observability stack (off by default) bundles an OpenTelemetry
Collector (helm_otel_collector sub-chart), a Tempo trace backend
(ilum-tempo, S3-backed), and Loki/Promtail log correlation, adding a Pipeline
Trace tab spanning Airflow → ilum-service → Spark. A separate daily
cost-attribution rollup (off by default) writes cost landing files from an
in-driver Spark plugin and folds them in-core into per-job and per-table Cost
tabs. Hostnames are release-name portable via _helpers.tpl, so the stack works
under any release name. The settings entity (sampling ratio, listener policy,
rate card) is seeded from helm_core's observabilityDefaults on first boot
only — UI/dev-API edits win afterward. The previously-unprotected
/api/dev/reactive/lineage/* و /cost/* endpoints now require permissions.
Values added - helm_aio
| اسم | وصف | قيمة |
|---|---|---|
global.observability.otel.enabled | Enable the OTel collector + Tempo trace backend + log correlation | خطأ |
global.observability.monitoring.enabled | Render the ServiceMonitor + PrometheusRule alert set for Tempo/collector | خطأ |
global.costAggregator.enabled | Enable the daily cost-attribution rollup | خطأ |
global.costAggregator.retentionDays | Clamp the cost reader window to this many days | 90 |
global.observability.otel.tempoAuth.mode | Tempo query auth (none | bearer | basic) | none |
global.logAggregation.loki.auth.mode | Loki query auth (none | bearer | basic) | none |
global.observability.otel.tenant.id | Tenant filter for a shared Tempo (empty = single-tenant) | "" |
Values changed - ilum-tempo
| اسم | القيمة القديمة | New value |
|---|---|---|
ilum-tempo.tempo.resources.limits.memory | 2Gi | 4جي |
⚠️ Warnings
The observability stack hostnames are now derived at render time by helpers in
helm_aio/templates/_helpers.tpl (ilum-aio.tempoHost,
ilum-aio.lokiReadHost, ilum-aio.otelCollectorHost,
ilum-aio.lokiQueryUrl). An overlay carrying an explicit hostname override
copied from a previous release still takes precedence but couples the install to
the إيلوم release name — drop it to let the helpers pick the correct hostname.
RELEASE 6.7.2
1. Default Java options for ilum-core
ميزة:
Added default JVM options to ilum-core for optimized memory and performance. The javaOpts value is now appended to security-related Java options (trustStore/keyStore) instead of replacing them, allowing both to coexist.
Values changed - helm_core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
javaOpts | "" | "-XX:-UsePerfData -XX:+UseStringDeduplication -Xms256m -XX:MaxMetaspaceSize=256m -XX:MaxDirectMemorySize=256m -XX:CICompilerCount=2 -XX:G1ConcRefinementThreads=2 -XX:ReservedCodeCacheSize=128m" |
2. Unity Catalog init container for ilum-core
ميزة:
Added a wait-for-unity-catalog init container to the ilum-core deployment, matching the existing pattern for Hive and Nessie. When metastore.type تم ضبطه على unity, the init container waits for the Unity Catalog server to become reachable before starting ilum-core, preventing startup failures due to race conditions.
Values added - helm_aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-core.metastore.unity.statusProbe.enabled | Enable init container to wait for Unity Catalog | صحيح |
3. PostgreSQL support for ilum-core
ميزة:
Added PostgreSQL as an alternative persistence backend to MongoDB. The backend is selected via storage.type (mongo أو Postgres). When set to Postgres, Mongock migrations and the MongoDB status probe are skipped, and PostgreSQL connection details are injected instead. The MongoDB URI (mongo.uri) is always present in the configmap regardless of storage.type, so that the built-in MongoToPostgresMigration tool can read from MongoDB during migration. Flyway migrations run automatically on startup — no manual schema setup is needed. Existing deployments using MongoDB are unaffected; the default remains mongo.
Values added - helm_core
Storage type selection and migration
| اسم | وصف | قيمة |
|---|---|---|
storage.type | Persistence backend: mongo أو Postgres | mongo |
storage.migration.mongoToPostgres | Enable one-time data migration from MongoDB to PostgreSQL. Set to صحيح together with storage.type=postgres and a valid mongo.uri to migrate all data on startup. Disable after migration completes. | خطأ |
PostgreSQL connection settings
| اسم | وصف | قيمة |
|---|---|---|
postgres.host | PostgreSQL hostname | ilum-postgresql |
postgres.port | PostgreSQL port | 5432 |
postgres.database | Database name | إيلوم |
postgres.username | Database username | إيلوم |
postgres.password | Database password | CHANGEMEPLEASE |
postgres.createSecret | Create a K8s Secret with postgres credentials | صحيح |
postgres.existingSecret | Use an existing K8s Secret (must have keys: POSTGRES_USERNAME, POSTGRES_PASSWORD) | "" |
postgres.statusProbe.enabled | Enable init container that waits for PostgreSQL readiness | صحيح |
postgres.statusProbe.image | Image used for the PostgreSQL readiness probe | busybox:1.36 |
⚠️⚠️⚠️ التحذيرات
Migrating from MongoDB to PostgreSQL:
- جبر
storage.type=postgresand configurepostgres.*connection values - Ensure
mongo.uristill points to the existing MongoDB instance - جبر
storage.migration.mongoToPostgres=true - Run
ترقية Helm— the backend will migrate all data from MongoDB to PostgreSQL on startup - After successful migration, set
storage.migration.mongoToPostgres=falseand runترقية Helmagain
4. Slimmed down ilum-core bundled configuration
ميزة:
The bundled application.yml in ilum-core has been significantly slimmed down.
Hardcoded defaults that are now managed by the application itself
(Spring multipart config, Kafka admin settings, codec size, task scheduling pool, leader election tuning, third-party logging levels, license validation details)
have been removed from the Helm-generated config.
This reduces the surface area of the ConfigMap and avoids conflicts with application-managed defaults.
⚠️⚠️⚠️ التحذيرات
If you relied on any of the removed hardcoded values (e.g., custom spring.servlet.multipart limits, spring.kafka.admin.fail-fast, logging levels for org.apache.kafka أو org.mongodb.driver),
you must now set them via the new customConfig أو overrideConfig mechanisms described below.
5. Config override and custom config for ilum-core
ميزة:
Added two new mechanisms for advanced configuration of ilum-core:
overrideConfig: Replaces the bundledapplication.ymlentirely with a user-managed ConfigMap (mounted at/etc/ilum/override).customConfig: Mounts an additional ConfigMap at/etc/ilum/customfor partial overrides that layer on top of the bundled config.
Values added - helm_core
Full config override
| اسم | وصف | قيمة |
|---|---|---|
overrideConfig.enabled | Enable full config override (replaces bundled application.yml entirely) | خطأ |
overrideConfig.configMapName | Name of a user-managed ConfigMap containing a complete application.yml replacement | "" |
Custom config escape hatch
| اسم | وصف | قيمة |
|---|---|---|
customConfig.enabled | Enable custom config escape hatch (mounts an additional ConfigMap at /etc/ilum/custom) | خطأ |
customConfig.configMapName | Name of a user-managed ConfigMap containing application.yml overrides | "" |
⚠️⚠️⚠️ التحذيرات
The config mount path has changed from /config ل /etc/ilum/config. If you have scripts or tooling that references the old path, update them accordingly.
6. Default communication mode changed to gRPC
ميزة:
The default communication mode in ilum-core has changed from كافكا ل جي بي سي.
Values changed - helm_core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
الاتصالات.النوع | كافكا | جي بي سي |
⚠️⚠️⚠️ التحذيرات
If your deployment depends on Kafka-based communication between ilum components, explicitly set communication.type: kafka in your values.
7. New configurable parameters in ilum-core
ميزة:
Spring actuator endpoint exposure and job instance result timeout are now configurable via values instead of being hardcoded.
Values added - helm_core
| اسم | وصف | قيمة |
|---|---|---|
management.endpoints.web.exposure.include | Spring actuator endpoints to expose | "info,configprops,env,metrics,mappings,beans,prometheus,health" |
job.instance.result.timeout.ms | Job instance result timeout in milliseconds | 120000 |
8. Schema and nullability fixes
ميزة:
Fixed sql.url ل sql.host in the ilum-core configmap to match the actual values key.
Names changed - helm_core (configmap only)
| الاسم القديم | اسم جديد |
|---|---|
sql.url | sql.host |
9. rustfs added as an opt-in object storage provider
ميزة
rustfs (Apache-2.0) is now bundled in helm_aio as an opt-in S3-compatible object storage provider (rustfs.enabled=false by default). مينيو remains the default provider (minio.enabled=true); rustfs is planned to become the default in 6.8.0. A stable Service alias ilum-objectstorage routes to whichever provider is enabled; all downstream consumers (Trino, Nessie, Jupyter, MLflow, Airflow, Kestra, Langfuse, the helm_core readiness probe) target this alias instead of provider-specific names.
⚠️⚠️⚠️ التحذيرات
- rustfs is currently published as
1.0.0-alpha.99; distributed mode is marked "under testing" upstream. helm_aio defaults rustfs to standalone mode with a single 50Gi PVC. - A pre-upgrade hook detects orphan minio PVCs and refuses the upgrade unless the operator has chosen one of the paths below.
Choose one path on upgrade
Path A: keep using minio (zero-touch)
helm upgrade ilum ./helm_aio --جبر minio.enabled=صحيح --جبر rustfs.enabled=خطأ
Existing data is untouched; consumers continue talking to ilum-objectstorage which now selects minio pods.
Path B: migrate from minio to rustfs
Single credential source. Every consumer (ilum-core, jupyter, airflow, trino, kestra, langfuse, loki, hive-metastore, minio, rustfs) now reads S3 credentials from the shared
ilum-objectstorage-credentialsSecret. Net-new installs default toالمسؤول / المسؤول; rotate with:kubectl edit secret ilum-objectstorage-credentials
kubectl rollout restart deploy,statefulset -l 'app.kubernetes.io/part-of=ilum'When upgrading from a MinIO-only deployment with non-default credentials, seed the new Secret with the live minio root creds before running the upgrade so consumers don't lose access:
EXISTING_USER=$(kubectl get secret ilum-minio -س jsonpath='{.data.root-user}' | base64 -d)
EXISTING_PASS=$(kubectl get secret ilum-minio -س jsonpath='{.data.root-password}' | base64 -d)
kubectl create secret generic ilum-objectstorage-credentials \
--from-literal=access-key=$EXISTING_USER \
--from-literal=secret-key=$EXISTING_PASS \
--from-literal=root-user=$EXISTING_USER \
--from-literal=root-password=$EXISTING_PASS \
--from-literal=RUSTFS_ACCESS_KEY=$EXISTING_USER \
--from-literal=RUSTFS_SECRET_KEY=$EXISTING_PASS
# the credentials-secret template's preserveExisting lookup will keep these
# values intact across helm upgrades.
# 1. Run both providers side by side. Acknowledge the cutover so the
# pre-upgrade hook accepts the upgrade.
helm upgrade ilum ./helm_aio \
--جبر minio.enabled=صحيح \
--جبر rustfs.enabled=صحيح \
--جبر rustfs.migrationAcknowledged=صحيح
# 2. Dry-run the migration Job to preview what would be copied.
helm upgrade ilum ./helm_aio \
--جبر minio.enabled=صحيح \
--جبر rustfs.enabled=صحيح \
--جبر rustfs.migrationAcknowledged=صحيح \
--جبر migration.minioToRustfs.enabled=صحيح \
--جبر migration.minioToRustfs.dryRun=صحيح
kubectl logs job/ilum-minio-to-rustfs-migration-<rev>
# 3. Run the real migration.
helm upgrade ilum ./helm_aio \
--جبر minio.enabled=صحيح \
--جبر rustfs.enabled=صحيح \
--جبر rustfs.migrationAcknowledged=صحيح \
--جبر migration.minioToRustfs.enabled=صحيح
كوبيكتل -ن إيلوم wait job -l app.kubernetes.io/component=migration --for=condition=complete --timeout=600s
# 4. Verify (e.g. mc diff against both providers), then disable minio.
helm upgrade ilum ./helm_aio --جبر rustfs.migrationAcknowledged=صحيح
For per-bucket manual procedures (no Job), see the documentation site: documentation/docs/operations/migrate-minio-to-rustfs.md.
Path C: net-new install
Nothing to do. minio is the default; the alias Service is created automatically. To start on rustfs instead, set rustfs.enabled=true و minio.enabled=false.
Values added - helm_aio
| اسم | وصف | قيمة |
|---|---|---|
global.s3.host | Stable Service name targeted by S3 consumers | ilum-objectstorage |
global.s3.port | S3 API port | 9000 |
global.s3.consolePort | Web console port | 9001 |
global.s3.region | Default S3 region | الولايات المتحدة الشرقية 1 |
global.s3.pathStyle | Path-style addressing flag for S3 clients | صحيح |
global.s3.ssl | SSL flag for S3 clients | خطأ |
rustfs.enabled | Enable bundled rustfs chart | صحيح |
rustfs.mode | rustfs deployment mode | standalone |
rustfs.persistence.size | rustfs PVC size | 50Gi |
rustfs.migrationAcknowledged | Operator acknowledgement that disabling minio is intentional (read by the pre-upgrade hook) | خطأ |
rustfsExtensions.enabled | Enable bucket/policy bootstrap on rustfs | صحيح |
objectStorage.service.enabled | Render the ilum-objectstorage Service alias | صحيح |
objectStorage.credentials.create | Create the shared credentials Secret | صحيح |
objectStorage.credentials.name | Name of the shared credentials Secret | ilum-objectstorage-credentials |
objectStorage.credentials.accessKey | Default access key (only used to bootstrap the Secret; rotated values survive upgrades via lookup) | المشرف |
objectStorage.credentials.secretKey | Default secret key | المشرف |
rustfs.secret.rustfs.access_key | Root access key the rustfs Pod is launched with (must match objectStorage.credentials.accessKey) | المشرف |
rustfs.secret.rustfs.secret_key | Root secret key the rustfs Pod is launched with | المشرف |
objectStorage.defaultBuckets | Default buckets created by the rustfs init Job and migrated by the migration Job | [ilum-files, ilum-data, ...] |
migration.minioToRustfs.enabled | Render the one-shot migration Job | خطأ |
migration.minioToRustfs.dryRun | Pass --fake to mc mirror (preview only) | خطأ |
migration.minioToRustfs.deleteAfter | After successful mirror, remove source data with mc mirror --remove | خطأ |
migration.minioToRustfs.ttlSecondsAfterFinished | Keep Job logs around for inspection | 86400 |
preUpgradeChecks.enabled | Render the pre-upgrade safety hook (disable in CI) | صحيح |
Values changed - helm_aio
| اسم | القيمة القديمة | New value |
|---|---|---|
minio.enabled | صحيح | خطأ |
ilum-core.kubernetes.s3.host | ilum-minio | ilum-objectstorage |
ilum-core.metastore.nessie.s3Endpoint | http://ilum-minio:9000/ | http://ilum-objectstorage:9000/ |
ilum-core.minio.statusProbe.baseUrl | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
trino.catalogs.ilum-delta (s3.endpoint=...) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
mlflow.externalS3.host | ilum-minio | ilum-objectstorage |
mlflow.externalS3.existingSecret | ilum-minio | ilum-objectstorage-credentials |
mlflow.externalS3.existingSecretAccessKeyIDKey | root-user | access-key |
mlflow.externalS3.existingSecretKeySecretKey | root-password | secret-key |
kestra.configuration.kestra.storage.minio.endpoint | ilum-minio | ilum-objectstorage |
langfuse.langfuse.s3.endpoint | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
ilum-jupyter.extraEnv (S3_ENDPOINT) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
airflow.extraEnv (MINIO_ENDPOINT, AWS_ENDPOINT_URL, AIRFLOW_CONN_ILUM-MINIO) | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
ilum-ui.runtimeVars.minioUrl | http://ilum-minio:9001 | http://ilum-objectstorage:9001 |
Values added - helm_core
| اسم | وصف | قيمة |
|---|---|---|
objectStorage.statusProbe.enabled | Enable readiness probe init container for object storage | صحيح |
objectStorage.statusProbe.baseUrl | Base URL probed for readiness | http://ilum-objectstorage:9000 |
objectStorage.statusProbe.image | Probe init-container image | curlimages / حليقة: 8.5.0 |
objectStorage.statusProbe.healthPath | HTTP path probed (root works for both rustfs and minio) | / |
Values changed - helm_core
| اسم | القيمة القديمة | New value |
|---|---|---|
minio.statusProbe.baseUrl | http://ilum-minio:9000 | http://ilum-objectstorage:9000 |
The legacy minio.statusProbe block is retained as a deprecated alias; templates prefer objectStorage.statusProbe and fall back to it when the new key is unset.
Values added - helm_ui
| اسم | وصف | قيمة |
|---|---|---|
runtimeVars.objectStorageUrl | Console URL for the object-storage view | http://ilum-objectstorage:9001 |
runtimeVars.objectStoragePath | UI iframe path | /external/object-storage/ |
nginx.config.objectStorage.enabled | Render the /external/object-storage/ proxy block | خطأ |
nginx.config.http_cookie.objectStorage.enabled | Cookie gate for the new path | صحيح |
10. Kestra chart 1.0.x upgrade (breaking)
ميزة:
Bumped the bundled kestra chart from ^0.22.x ل ^1.0.x (Kestra app ~v0.20 → v1.3.x).
The Kestra Helm chart was rewritten in 1.0.0 — top-level deployment fields moved under a new common: block,
the configuration: map was renamed to configurations.application, serviceAccountName was replaced by a structured serviceAccount block,
the dind sidecar gained a mode: rootless|insecure selector,
and the bundled Postgres/مينيو/كافكا/elasticsearch subchart dependencies were dropped (operators bring their own).
The umbrella kestra: block has been restructured accordingly; existing Ilum integrations (PostgreSQL backend, MinIO storage,
Nginx context path, root-mode dind, post-install example flow Job) are preserved.
Names changed - kestra
| الاسم القديم | اسم جديد |
|---|---|
kestra.configuration | kestra.configurations.application |
kestra.serviceAccountName | kestra.serviceAccount.name (with kestra.serviceAccount.create: false) |
kestra.securityContext | kestra.common.securityContext |
kestra.initContainers | kestra.common.initContainers |
kestra.dind.image.tag | kestra.dind.base.insecure.image.tag (with kestra.dind.mode: insecure) |
kestra.dind.args | kestra.dind.base.insecure.args |
kestra.dind.securityContext | kestra.dind.base.insecure.securityContext |
Values changed - kestra
| اسم | Old Value | قيمة جديدة |
|---|---|---|
kestra.exampleFlow.kestraService | kestra-service | kestra |
ilum-ui.runtimeVars.kestraUrl | http://ilum-kestra-service:8080 | http://ilum-kestra:8080 |
Values deleted - kestra
| اسم | سبب |
|---|---|
kestra.postgresql.enabled | Subchart dependency removed in 1.0.0; operators provide their own PostgreSQL. |
kestra.minio.enabled | Subchart dependency removed in 1.0.0; operators provide their own object storage. |
kestra.startupProbe.path | Replaced by the structured kestra.common.startupProbe (full Kubernetes probe spec). Path stays /external/kestra/health because Micronaut propagates server.contextPath to the management server (8081) too. |
kestra.livenessProbe.path | Replaced by kestra.common.livenessProbe; path stays /external/kestra/health/liveness. |
kestra.readinessProbe.path | Replaced by kestra.common.readinessProbe; path stays /external/kestra/health/readiness. |
Values added - kestra
| اسم | وصف | قيمة |
|---|---|---|
kestra.deployments.standalone.enabled | Enables the standalone Kestra deployment in the new split-deployment model. | صحيح |
kestra.deployments.standalone.dind.enabled | Enables the dind sidecar for the standalone deployment. | صحيح |
kestra.dind.mode | Selects the dind sidecar mode (rootless أو insecure); Ilum defaults to insecure to preserve prior root-mode behaviour. | insecure |
kestra.serviceAccount.create | Controls whether the chart creates the ServiceAccount; Ilum sets it to خطأ and reuses the Spark SA. | خطأ |
⚠️⚠️⚠️ التحذيرات
- The Kestra application itself was bumped from the 0.x line to v1.3.x. Verify any custom flow definitions against the Kestra 1.0.0 migration guide — reserved Flow IDs, the
purgeAuditLogs.permissions → resourcesrename, removal of the Singer plugin, dynamic rendering of input defaults, and custom-plugin package structure changes can break existing flows. kestra.dind.mode: insecureruns the dind sidecar privileged with elevated capabilities. On hardened clusters switch tokestra.dind.mode: rootlessand drop thekestra.common.securityContext.runAsUser/runAsGroupoverrides.- The Kestra Service object is now named
(chart fullname) instead of-kestra . The bundled-kestra-service helm_uikestraUrlruntimeVar (consumed by the Nginx proxy viaILUM_KESTRA_URL) and theexampleFlowpost-install Job have been updated to the new name. Any external references toilum-kestra-servicemust be updated manually. - Kestra 1.0+ moved the flow API under a tenant path (
/api/v1/{tenant}/flows). The bundledexampleFlowJob now POSTs to/api/v1/main/flows(the OSS implicit tenant). Operators with customحليقه/SDK calls against the Kestra API must add the tenant segment.
11. Kyuubi server image bumped to 1.11.1-spark-trino
ميزة
The default ILUM-SQL (Kyuubi) server image is bumped to ilum/kyuubi:1.11.1-spark-trino. Existing ترقية Helm users will pick up the new image automatically.
Values changed - helm_kyuubi
| اسم | Old Value | قيمة جديدة |
|---|---|---|
image.tag | 1.10.2-spark-trino | 1.11.1-spark-trino |
12. JupyterLab Pipeline Exporter ↔ Airflow integration (helm_jupyter)
ميزة
The bundled JupyterLab now ships jupyterlab-pipeline-exporter (JPE),
which generates Airflow DAGs from notebooks and can auto-trigger them
against the in-cluster Airflow REST API. The helm_jupyter Deployment
mounts a new jupyter-pipeline-exporter-cm.yaml ConfigMap and renders
the env vars JPE needs to mint bearer tokens (AIRFLOW_JWT_SECRET,
AIRFLOW_API_URL), push DAGs into Gitea (GITEA_USERNAME,
GITEA_PASSWORD), and build clickable deep-links (ILUM_UI_URL).
git.enabled is split into two orthogonal flags so a slim deploy
without the gitea subchart can keep JPE's Gitea creds without forcing
the init-container seed loop to run. The init loop (curl healthz
wait + git init/commit/push) is now gated on
git.initialCommit.enabled; the GITEA_* env vars are gated on
git.existingSecret alone. git.enabled is retained as a deprecated
back-compat alias for git.initialCommit.enabled.
Operator impact (zero by default)
On AIO (airflow.enabled=true, gitea subchart present) the chart
defaults render the full integration automatically on ترقية Helm —
no action required. On a slim deploy without Airflow, set
airflowIntegration.enabled=false to suppress the JWT env block; on a
slim deploy without the gitea subchart, set
git.initialCommit.enabled=false (instead of the old
git.enabled=false) so the init container no longer hangs while still
mounting JPE's Gitea creds via git.existingSecret.
Values added - helm_jupyter
| اسم | وصف | قيمة |
|---|---|---|
airflowIntegration.enabled | Render the AIRFLOW_JWT_SECRET / AIRFLOW_API_URL block for JPE's DAG auto-trigger | صحيح |
git.initialCommit.enabled | Run the init-container that seeds the work dir into Gitea | خطأ |
ilumUiUrl | Browser-facing Ilum UI base URL surfaced as ILUM_UI_URL for JPE deep-links | http://localhost:9777 |
Values changed - helm_jupyter
| اسم | Pre-upgrade | Post-upgrade |
|---|---|---|
git.enabled | gated init loop و GITEA_* env vars | deprecated alias for git.initialCommit.enabled; GITEA_* env vars now gate on git.existingSecret |
13. Preset feature
ميزة
New first-class Preset entity. A preset is a named bag of Spark / runtime
properties that can be attached by id to clusters, services (groups),
schedules, and jobs. At job-launch time the preset's properties merge into
the resulting Spark config so users can pin a bundle (Delta / Iceberg / Hudi)
once and reuse it instead of re-typing the same 5+ keys.
CRUD is exposed at POST/GET/PUT/DELETE /api/v1/preset (public) and at
/api/dev/reactive/preset (internal). New PRESET_READ, PRESET_CREATE,
PRESET_EDIT, PRESET_DELETE permissions are added.
Postgres V1 schema gains a preset table and preset_ids text[] columns
on عنقود, المجموعات, schedule. Mongo gains the same field lazily — no
migration required.
Operator-controllable defaults (helm)
helm_core/values.yaml ships a new top-level presets: block. Each entry
(اسم, وصف, خصائص) is auto-seeded at first boot by the
backend's DefaultPresetInitializer. The chart defaults ship a الدلتا and
an مثلجة entry; remove or override them to taste, or set presets: []
to disable defaults entirely.
The default cluster's attached presets are also helm-controlled via
kubernetes.defaultCluster.presetNames (defaults to [delta]). Each entry
is resolved to a preset id at boot time via a deterministic v3 UUID derived
from the name (same hash as the initializer uses), so the linkage is
stable across restarts.
Values added — helm_core
| اسم | وصف | قيمة |
|---|---|---|
presets | Spark/runtime property bundles auto-seeded on first boot | List of الدلتا + مثلجة |
kubernetes.defaultCluster.presetNames | Names (declared under presets:) attached to the default cluster on first boot | [delta] |
Values removed — helm_core
| اسم | سبب |
|---|---|
kubernetes.defaultCluster.config.spark.kubernetes.container.image | Moved into the الدلتا preset entry under top-level presets: |
kubernetes.defaultCluster.config.spark.databricks.delta.catalog.update.enabled | Same |
kubernetes.defaultCluster.config.spark.sql.extensions | Same |
kubernetes.defaultCluster.config.spark.sql.catalog.spark_catalog | Same |
Operator impact
Zero on a default upgrade. The bundled الدلتا preset reproduces exactly
the Delta keys that previously lived inline in the default cluster's
defaultApplicationConfig. Existing user-created clusters keep their own
config unchanged.
If you customised kubernetes.defaultCluster.config with non-Delta
overrides, those entries are preserved as-is — only the four Delta-specific
keys were lifted into the preset.
Operators wanting to add their own preset (e.g. a tuned نيسي bundle)
extend presets: in their values override:
إيلوم كور:
presets:
- اسم: نيسي
وصف: Iceberg + Nessie wiring
خصائص:
spark.kubernetes.container.image: my-registry/spark:نيسي
spark.sql. الامتدادات: org.projectnessie.spark.extensions.NessieSparkSessionExtensions
# ...
kubernetes:
defaultCluster:
presetNames:
- الدلتا
- نيسي
Renaming a preset detaches any cluster / group / schedule that referenced
the old id (the id is derived from the name). Detach in the UI first, or
use the API to update presetIds to the new id before removing the old
entry.
Merge precedence at job launch (last wins): cluster's effective config
(including its attached presets via ClusterConfigurer) → system providers
(memory, metastore, packages) → entity presets → entity jobConfig. The
symmetric "plain spark args you typed at the entity level win" rule still
applies. Follow-up #202 will extract صورة و Namespace to first-class
cluster fields so presets layer cleanly without the current "plain wins"
caveat on the cluster scope.
14. Airflow secret backend + base image bump
ميزة
The bundled Airflow image (ilum/airflow) now ships an
IlumS3SecretsBackend that resolves the conn-id aliases ilum-minio,
ilum-s3و ilum-objectstorage (plus their _-separated and
case variants) to a single canonical AIRFLOW_CONN_ILUM_S3 env var.
Activating the backend (AIRFLOW__SECRETS__BACKEND=ilum_secrets_backend.IlumS3SecretsBackend)
is already wired in helm_aio/values.yaml.
This replaces the broken AIRFLOW_CONN_ILUM-MINIO_CMD /
AIRFLOW_CONN_ILUM-S3_CMD printf-based env-var pattern. Airflow 3
silently dropped _CMD resolution for connection env vars — the suffix
now resolves only for config keys like SQL_ALCHEMY_CONN_CMD — which
caused worker pods to surface RuntimeError: generator didn't yield
from the remote-logging path and InvalidAccessKeyId from user S3Hook
calls.
The same change bumps the base image from apache/airflow:3.1.6 ل
apache/airflow:3.2.1 across all four ops/docker/ilum-airflow/
variants (دوكر فايل, Dockerfile-plain, Dockerfile-spark,
Dockerfile-spark-4.x), and switches the bake-in install location for
the backend to /opt/ilum_secrets/ with a PYTHONPATH prepend so the
module path no longer depends on the base image's Python minor.
Operator impact (zero by default)
The Helm values flip is opt-in via the chart-default airflow.enabled
flag — operators with airflow.enabled=true pick up the new env
configuration automatically on ترقية Helm. No DAG changes are
required: BaseHook.get_connection("ilum-minio") و
S3Hook(aws_conn_id="ilum-s3") continue to work, but now resolve to a
storage-backend-agnostic connection.
| Key | Pre-upgrade | Post-upgrade |
|---|---|---|
airflow.airflowVersion | 3.1.6 | 3.2.1 |
airflow.images.airflow.tag | 3.1.6 | 3.2.1 |
airflow.extraEnv AIRFLOW_CONN_ILUM-MINIO_CMD | (broken printf pattern) | removed |
airflow.extraEnv AIRFLOW_CONN_ILUM-S3_CMD | (broken printf pattern) | removed |
airflow.extraEnv AIRFLOW__SECRETS__BACKEND | (unset) | ilum_secrets_backend.IlumS3SecretsBackend |
airflow.extraEnv AIRFLOW_CONN_ILUM_S3 | (unset) | JSON literal with $(AWS_*) downward expansion |
DAG-level changes from Airflow 3.1.6 to 3.2.1 are minor; full changelog at https://airflow.apache.org/docs/apache-airflow/3.2.1/release_notes.html.
Failure modes (now caught at chart-render time)
- If an operator overrides
airflow.images.airflow.tagto anilum/airflowtag that does not contain/opt/ilum_secrets/(e.g. an older custom build), the secrets backend resolves toModuleNotFoundError: ilum_secrets_backendat scheduler start. Fix by upgrading the image or unsettingAIRFLOW__SECRETS__BACKEND.
15. Object storage console wiring is now data-driven
ميزة
The active object-storage provider, the Object Storage iframe path, and the
/external/object-storage/ nginx redirect target are now derived from a
single source of truth in helm_aio/templates/_helpers.tpl. The
previously hand-rolled three-way conditional in ui-cm.yaml has been
replaced with helper calls; the objectstorage-svc.yaml inline resolution
has been collapsed into the same helper.
A new objectStorage.providers registry maps provider names to their
console paths and routing modes. To enable a third S3-compatible backend
(e.g. SeaweedFS) for benchmarking or migration:
- Add the chart dependency under
helm_aio/Chart.yaml. - Add an entry under
objectStorage.providers.معconsolePathوconsoleMode(same-originأوnginx-rewrite). - جبر
objectStorage.activeProvider:to flip user-facing traffic.
Operator impact (zero by default)
Existing RC2 overlays that only set rustfs.enabled / minio.enabled /
rustfs.migrationAcknowledged continue to work unchanged. The chart reads
the legacy flags as back-compat shims.
The registry intentionally does NOT set a default تمكين field for
rustfs و مينيو; the chart-level flags (.Values.rustfs.enabled /
.Values.minio.enabled) remain the single source of truth for those two
providers. This avoids the silent override that would occur if the new
chart-default registry flipped objectStorage.providers.rustfs.enabled=true
on a user who had rustfs.enabled=false in their overlay.
Verified upgrade paths (zero operator action required):
| Pre-upgrade overlay | Post-upgrade resolved provider | Risk |
|---|---|---|
minio.enabled=true, rustfs.enabled=false (default) | مينيو | none |
minio.enabled=false, rustfs.enabled=true (opt-in) | rustfs | none |
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=false | minio (data-bearing side) | none |
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=true | rustfs (post-cutover) | none |
objectStorage.activeProvider= explicit override | verbatim | only if has no pods, ilum-core readiness fails loudly |
| Pre-RC2 install (no rustfs key, only minio.enabled=true) | مينيو | none |
Misconfiguration scenarios that fail loudly (not silently):
- 3+ providers enabled with
activeProvider=auto: render-time error names the enabled providers and asks for an explicit choice. - Explicit
activeProvider=wherehas no running pods: Service alias has no endpoints; ilum-core readiness probe fails with a clear log message.
New values to know about
| Key | افتراضي | Meaning |
|---|---|---|
objectStorage.previousProvider | "minio" | Required when two providers are enabled and activeProvider=auto. Names the side that holds the data; the alias targets it until cutover is acknowledged. |
objectStorage.cutoverAcknowledged | خطأ | Generalizes the previous rustfs.migrationAcknowledged. Flips the alias from previousProvider to the other enabled provider. The legacy flag is still honored as an alias. |
objectStorage.providers. | per-provider | Mirror of .Values. for new providers without their own chart-level flag. |
objectStorage.providers. | /rustfs/console/, / خارجي / مينيو / | UI iframe path for that provider's console. |
objectStorage.providers. | same-origin (rustfs), nginx-rewrite (minio) | Controls whether nginx redirects /external/object-storage/ to the provider's path (nginx-rewrite, for consoles pinned to a single URL) or keeps the proxy body (same-origin). |
Failure modes (now loud)
- Three or more providers enabled with
activeProvider=auto: the chart fails at render time with a message naming the enabled providers and asking the operator to setactiveProvider=explicitly. - Two providers enabled with
previousProviderempty: chart fails at render time asking the operator to setpreviousProviderto the data-bearing side, or to setactiveProviderexplicitly. activeProviderset to a name with no matching pods: the chart renders but the alias Service has no Endpoints, andإيلوم كور's readiness probe surfaces the misconfiguration in pod logs.
16. Rook-Ceph S3 Storage Backend (BYO)
ميزة:
A pre-deployed (BYO) rook-ceph cluster can now be used as the sole S3-compatible storage backend, in place of the default minio (or opt-in rustfs). The rook-ceph operator and CephCluster must be deployed separately; see the Rook-Ceph user guide for end-to-end setup.
Values added - ilum (AIO)
| اسم | وصف | قيمة |
|---|---|---|
rookCeph.enabled | Enable rook-ceph S3 storage integration (requires pre-deployed rook-ceph) | خطأ |
rookCeph.s3.host | RGW service hostname (e.g., rook-ceph-rgw-my-store.rook-ceph.svc.cluster.local) | "" |
rookCeph.s3.serviceName | RGW Service name for Endpoints lookup; falls back to first segment of مضيف | "" |
rookCeph.s3.namespace | Namespace containing the RGW Service; falls back to second segment of مضيف | "" |
rookCeph.s3.port | RGW service port | 80 |
rookCeph.s3.scheme | URL scheme (HTTP أو https); set to https for TLS-terminating RGW Services | HTTP |
rookCeph.s3.insecureSkipVerify | Skip TLS certificate verification (opt-in for self-signed Rook-managed RGW) | خطأ |
rookCeph.s3.region | S3 region | الولايات المتحدة الشرقية 1 |
rookCeph.s3.accessKey | S3 access key from CephObjectStoreUser | CHANGEMEPLEASE |
rookCeph.s3.secretKey | S3 secret key from CephObjectStoreUser | CHANGEMEPLEASE |
rookCeph.bucketInit.enabled | Create S3 buckets on the RGW endpoint (reuses objectStorage.defaultBuckets) | صحيح |
rookCeph.bucketInit.image | aws-cli image for bucket creation | amazon/aws-cli:2.27.31 |
rookCeph.statusProbe.enabled | Enable RGW health check in the bucket init Job | صحيح |
rookCeph.statusProbe.image | Health check image | curlimages / حليقة: 8.5.0 |
⚠️⚠️⚠️ التحذيرات
minio.enabled=trueis the chart default in the 6.7.x line (rustfs is opt-in until it becomes the default in 6.8.0). When switching to rook-ceph, the values overlay must set bothminio.enabled=falseوrustfs.enabled=false. TherustfsExtensionsوminioExtensionsbootstrap Jobs are already gated on their parent providers, so a separate*Extensions.enabled=falseflag is not required. A chart validation now fails the install whenrookCeph.enabledis combined with either bundled provider.- ال
ilum-objectstorageService alias is rendered as a selector-less Service backed by a manual Endpoints object that mirrors the live RGW Pod IPs from therook-cephnamespace (a label-selector alias cannot cross namespaces, and an ExternalName CNAME is black-holed by kube-proxy because it cannot DNAT a packet twice). RGW Pod restarts rotate the Pod IPs and stale the mirrored Endpoints; re-runhelm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yamlafter any RGW Pod restart to refresh the addresses. - The shared
ilum-objectstorage-credentialsSecret is now seeded fromrookCeph.s3.{accessKey,secretKey}in rook-ceph-only mode; an install fails fast when either is left at theCHANGEMEPLEASEplaceholder. - The bucket init Job no longer swallows aws-cli errors. Network/credential/endpoint misconfigurations now fail the Job loudly instead of completing 1/1 with no buckets created.
To perform the rollout:
# 1. Deploy the rook-ceph operator and CephCluster in the rook-ceph namespace
# (operator chart, CephCluster CR, CephObjectStore, CephObjectStoreUser).
# Wait for the RGW Service and Pods to become Ready in the rook-ceph
# namespace; ilum-objectstorage Endpoints are mirrored from this Service
# at chart install/upgrade time.
# 2. Extract S3 credentials from the CephObjectStoreUser Secret.
ACCESS_KEY=$(كوبيكتل -ن rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-س jsonpath='{.data.AccessKey}' | base64 -d)
SECRET_KEY=$(كوبيكتل -ن rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-س jsonpath='{.data.SecretKey}' | base64 -d)
# 3. Render the overlay (the doc ships a complete template).
cat > ilum-rook-ceph-values.yaml <<EOF
rustfs:
enabled: false
minio:
enabled: false
rookCeph:
enabled: true
s3:
host: rook-ceph-rgw-.rook-ceph.svc.cluster.local
port: 80
accessKey: $ACCESS_KEY
secretKey: $SECRET_KEY
EOF
# 4. Install or upgrade.
ترقية Helm --install ilum ./helm_aio -و ilum-rook-ceph-values.yaml
# 5. After RGW Pod restarts (Ceph cluster upgrades, rook-ceph operator
# rollouts, node maintenance), refresh the mirrored Endpoints:
helm upgrade ilum ./helm_aio -و ilum-rook-ceph-values.yaml
17. Legacy activities audit feature removed (helm_core)
ميزة:
The backend dropped the legacy "activities" audit trail; the structured EventLog now backs all audit and user/group operation statistics. The corresponding backend config key was removed, so its Helm value is dead.
Values deleted - helm_core
| اسم | سبب |
|---|---|
security.activities.timeToLive | Backend security.activities.timeToLive property no longer exists |
RELEASE 6.7.1
1. Cluster-scoped RBAC for the management API
ميزة:
The management API (helm_api, which backs the Ilum CLI and the in-UI Module Marketplace) can now be granted a cluster-scoped role so it can install and manage modules that require cluster-scoped resources — CRDs, ClusterRoles/ClusterRoleBindings, admission webhooks, and Prometheus Operator custom resources (for example, kube-prometheus-stack). When rbac.clusterScope is enabled, the chart renders a ClusterRole و ClusterRoleBinding bound to the API service account; with it disabled, the API keeps only its namespace-scoped permissions.
Values added - helm_api
| اسم | وصف | قيمة |
|---|---|---|
rbac.clusterScope | Render a cluster-scoped ClusterRole/ClusterRoleBinding for the management API | صحيح |
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-api.rbac.create | Create RBAC resources for the management API | صحيح |
ilum-api.rbac.clusterScope | Grant the management API cluster-scoped RBAC | صحيح |
2. Probe and startup hardening
ميزة:
Liveness, readiness, and startup probe timings were relaxed across إيلوم كور, ILUM-UIو ilum-api (longer initial delays, periods, and failure thresholds, with startup probes enabled) so the stack comes up cleanly in slower or resource-constrained environments. The bundled default cluster also gained a spark.kubernetes.memoryOverheadFactor من 0.5 and a higher default driver memory. No operator action is required.
RELEASE 6.7.0
1. Airflow version update
ميزة:
Updated Airflow from version 3.1.1 to 3.1.6.
Values changed - helm_aio
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
airflow.airflowVersion | 3.1.1 | 3.1.6 |
airflow.images.airflow.tag | 3.1.1 | 3.1.6 |
airflow.apiServer.extraInitContainers[0].image | `ilum/airflow:3.1.1 | ilum/airflow:3.1.6 |
2. Added ClickHouse and Langfuse to ilum-aio
ميزة:
Added ClickHouse and Langfuse to ilum-aio as new modules. ClickHouse is a fast open-source OLAP database management system. Langfuse is an open source LLM engineering platform.
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
clickhouse.enabled | Flag to enable ClickHouse deployment in ilum-aio | خطأ |
langfuse.enabled | Flag to enable Langfuse deployment in ilum-aio | خطأ |
القيم المضافة - ilum-ui
| اسم | وصف | قيمة |
|---|---|---|
runtimeVars.langfuseUrl | URL of the Langfuse instance | http://ilum-langfuse-web:3000 |
runtimeVars.langfusePath | Proxy path for Langfuse | /external/langfuse/ |
nginx.config.langfuse.enabled | Enable proxy for Langfuse | خطأ |
nginx.config.http_cookie.langfuse.enabled | Enables cookie mapping for Langfuse | صحيح |
3. Configurable Scala version for default cluster
ميزة:
مضاف scalaVersion configuration option to the default cluster settings. This allows users to specify which Scala version their Spark jobs are run with, supporting both Scala 2.12 for spark 3.x and 2.13 for spark 4.x
Values added - helm_core
| اسم | وصف | قيمة |
|---|---|---|
kubernetes.defaultCluster.scalaVersion | Scala version for Spark jobs (SCALA_2_12 or SCALA_2_13) | SCALA_2_13 |
4. API token authentication system
ميزة:
Added "API token authentication system for internal and external service authentication."
Values added - helm_core
| اسم | وصف | قيمة |
|---|---|---|
security.api-token.enabled | Flag to enable API token authentication | خطأ |
security.api-token.tokens | List of initial tokens | [] |
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-core.security.api-token.enabled | Flag to enable API token authentication | خطأ |
ilum-core.security.api-token.tokens | List of initial tokens | [{name: "superset", token: "initial-superset-token-for-engine-creation", permissions: ["SQLENGINE_CREATE"]}] |
5. Startup probe for Ilum-core
ميزة:
Added startup probe to the Ilum-core deployment. This allows the application to have sufficient time to start in constrained environments while maintaining quick readiness and liveness checks once started. The startup probe delays readiness and liveness probes until the application starts successfully.
Values added - helm_core
| اسم | وصف | قيمة |
|---|---|---|
startupProbe | Startup probe configuration for ilum-core container | See values.yaml for full structure |
startupProbe.failureThreshold | Number of failures before giving up (300 × 2s = 10 minutes max) | 300 |
startupProbe.periodSeconds | How often to perform the probe | 2 |
startupProbe.timeoutSeconds | Timeout for each probe request | 1 |
startupProbe.httpGet.path | HTTP path for startup probe | /actuator/health/liveness |
Values changed - helm_core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
livenessProbe.initialDelaySeconds | 120 | 10 |
readinessProbe.initialDelaySeconds | 120 | 10 |
6. Disabled SASL in Kafka configuration
ميزة:
Disabled SASL authentication in the default Kafka configuration. This change simplifies the setup for users who do not require SASL authentication for their Kafka clusters. Users who need SASL can still enable it through custom configuration.
Values added - helm_aio
| اسم | وصف | قيمة |
|---|---|---|
kafka.listeners.interbroker.protocol | Interbroker protocol | PLAINTEXT |
kafka.listeners.controller.protocol | Controller protocol | PLAINTEXT |
kafka.kraft.clusterId | Kraft clusterId to prevent Bitnami chart upgrade failures | aWx1bS1kZWZhdWx0LWlkMQ |
7. Management API and Ilum CLI
ميزة:
Added the helm_api chart (ilum-api), a Management API sidecar that exposes the Ilum CLI's operations over HTTP and powers the in-UI Module Marketplace for point-and-click module deployment. It is deployed by default in ilum-aio.
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-api.enabled | Deploy the Management API sidecar (CLI over HTTP) | صحيح |
RELEASE 6.6.2
1. Spark 4.x Upgrade - Scala 2.13 Migration
ميزة:
Updated default Spark images to ilum/spark:4.0.1-delta and ilum-spark-launcher to spark-4.1.0. Spark 4.x exclusively uses Scala 2.13 and has dropped support for Scala 2.12.
Values changed - helm_core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
kubernetes.defaultCluster.dockerImage | ilum/spark:3.5.7-delta | ilum/spark:4.0.1-delta |
historyServer.image | spark-3.5.7 | spark-4.1.0 |
externalSparkSubmit.image.tag | spark-3.5.7 | spark-4.1.0 |
⚠️⚠️⚠️ CRITICAL WARNING - BREAKING CHANGE ⚠️⚠️⚠️
Spark 4.x uses Scala 2.13 exclusively. Scala 2.12 is NO LONGER SUPPORTED.
This is a BREAKING CHANGE that may affect your existing Spark jobs:
-
JAR Compatibility: Any Spark applications, libraries, or dependencies compiled with Scala 2.12 WILL NOT WORK with Spark 4.x. You must recompile all custom JARs with Scala 2.13.
-
Affected Components:
- Custom Spark applications (Scala-based)
- Third-party libraries compiled for Scala 2.12
- UDFs written in Scala
- أي
.jarfiles built withscalaVersion := "2.12.x"
-
How to Identify Affected JARs:
- Check your
build.sbtأوpom.xmlمن أجلscalaVersionsettings - JAR names often contain the Scala version suffix (e.g.,
myapp_2.12-1.0.jar) - JARs with
_2.12suffix need to be rebuilt with_2.13
- Check your
-
Required Actions Before Upgrade:
- Inventory all custom Spark JARs in use
- Recompile all Scala-based applications with Scala 2.13
- Update all third-party dependencies to Scala 2.13 versions
- Test all jobs thoroughly in a staging environment
-
No Backwards Compatibility:
- Starting from this version, Ilum's Spark job wrapper uses Scala 2.13 exclusively
- Running Spark 3.x jobs compiled with Scala 2.12 is no longer supported
- أنت MUST recompile all your Scala-based Spark jobs with Scala 2.13 before upgrading
-
PySpark Users: PySpark jobs are generally unaffected unless they use Scala-based UDFs or custom Scala libraries.
RECOMMENDATION: Test your workloads in a non-production environment before upgrading to this release.
2. Added environment variables support to default cluster configuration
ميزة:
Added support for configuring environment variables in the default cluster configuration. This allows users to set environment variables that will be applied to Spark jobs running on the default cluster. The SPARK_SUBMIT_OPTS environment variable is now configurable through Helm values instead of being hardcoded, providing better flexibility for JVM tuning and other environment-specific configurations.
Values added - helm_core
Default cluster environment variables configuration
| اسم | وصف | قيمة |
|---|---|---|
kubernetes.defaultCluster.environmentVariables | Environment variables for default cluster | {} |
kubernetes.defaultCluster.environmentVariables.SPARK_SUBMIT_OPTS | JVM options for Spark submit process | "-XX:MaxHeapSize=64m -XX:MaxMetaspaceSize=64m -Xss256k" |
3. Added Unity Catalog integration
ميزة:
مضاف helm_unity_catalog chart to provide Unity Catalog support as an optional catalog backend (similar to Hive Metastore and Nessie). Unity Catalog is disabled by default and can be enabled to provide unified governance for data and AI assets. The chart is integrated with the existing PostgreSQL database and MinIO S3 storage, with automatic JWT keypair generation for authentication.
Values added - helm_unity_catalog
| اسم | وصف | قيمة |
|---|---|---|
ilum-unity-catalog.enabled | Enables Unity Catalog deployment | خطأ |
ilum-unity-catalog.server.enabled | Enables the Unity Catalog server | صحيح |
ilum-unity-catalog.server.db.type | Database backend type (file or postgresql) | postgresql |
ilum-unity-catalog.server.db.postgresqlConfig.host | PostgreSQL host | ilum-postgresql-hl |
ilum-unity-catalog.server.db.postgresqlConfig.port | PostgreSQL port | 5432 |
ilum-unity-catalog.server.db.postgresqlConfig.dbName | PostgreSQL database name | unitycatalog |
ilum-unity-catalog.server.db.postgresqlConfig.user | PostgreSQL username | إيلوم |
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretName | Secret containing PostgreSQL password | ilum-postgres-credentials |
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretKey | Key in secret for password | شعار |
ilum-unity-catalog.server.jwtKeypairSecret.create | Auto-generate JWT keypair for authentication | صحيح |
ilum-unity-catalog.storage.modelStorageRoot | S3 path for Unity Catalog model storage | s3a://ilum-data/unity-catalog/ |
ilum-unity-catalog.storage.credentials.s3[0].bucketPath | S3 bucket path | s3://ilum-data |
ilum-unity-catalog.storage.credentials.s3[0].region | S3 region | الولايات المتحدة الشرقية 1 |
ilum-unity-catalog.storage.credentials.s3[0].credentialsSecretName | Secret containing S3 credentials | ilum-minio |
ilum-unity-catalog.storage.credentials.s3[0].accessKeySecretKey | Key name for S3 access key in secret | root-user |
ilum-unity-catalog.storage.credentials.s3[0].secretKeySecretKey | Key name for S3 secret key in secret | root-password |
ilum-unity-catalog.ui.enabled | Enables Unity Catalog UI | خطأ |
Values added - helm_core
Unity Catalog metastore configuration
| اسم | وصف | قيمة |
|---|---|---|
ilum-core.metastore.type | ضبط على unity to use Unity Catalog as metastore | خلية |
ilum-core.metastore.unity.address | Unity Catalog server endpoint | http://unity-catalog-ilum-unity-catalog-server:8080 |
ilum-core.metastore.unity.warehouseDir | Unity Catalog warehouse directory | s3a://ilum-data/unity-catalog/ |
ilum-core.metastore.unity.s3Endpoint | S3 endpoint for Unity Catalog | http://ilum-minio:9000/ |
ilum-core.metastore.unity.s3PathStyleAccess | Enable S3 path-style access | صحيح |
ilum-core.metastore.unity.catalogName | Unity Catalog name in Spark | unity_catalog |
ilum-core.metastore.unity.config | Spark configuration for Unity Catalog integration | See values.yaml |
Values added - postgresExtensions
| اسم | وصف | قيمة |
|---|---|---|
postgresExtensions.databasesToCreate | مضاف unitycatalog database for Unity Catalog metadata | ...,nessie,unitycatalog |
⚠️⚠️⚠️ التحذيرات
- Unity Catalog requires PostgreSQL and S3-compatible storage to be enabled
- JWT keypairs are auto-generated on first deployment and stored in Kubernetes secrets
- When using Unity Catalog, set
ilum-core.metastore.type: unityto configure Spark integration
4. Added DuckDb and DuckLake to Ilum Core
ميزة:
Added DuckDb as an SQL executor and DuckLake as a metastore option in Ilum Core. DuckDb is a fast and lightweight SQL engine that supports a wide range of data types and SQL features. DuckLake is a distributed metastore for DuckDb, which provides options for multi-user access and data versioning.
Values added - ilum_core
| اسم | وصف | قيمة |
|---|---|---|
sql.duckdb.idleTimeout | Determines the time DuckDb connections are kept alive without activity | 1h |
sql.duckdb.ducklake.enabled | Enables DuckLake | صحيح |
sql.duckdb.ducklake.location | Location of the data in for the DuckLake | s3://ilum-ducklake/ |
sql.duckdb.ducklake.postgres.host | Host for the metastore postgres connection | `` |
sql.duckdb.ducklake.postgres.port | Port for the metastore postgres connection | 5432 |
sql.duckdb.ducklake.postgres.database | Database name for the metastore postgres connection | ducklake |
sql.duckdb.ducklake.postgres.user | Username for the metastore postgres connection | `` |
sql.duckdb.ducklake.postgres.password | Password for the metastore postgres connection | `` |
sql.duckdb.ducklake.s3.endpoint | S3 endpoint for the metastore data | `` |
sql.duckdb.ducklake.s3.region | S3 region for the metastore data | الولايات المتحدة الشرقية 1 |
sql.duckdb.ducklake.s3.keyId | S3 key id for the metastore data | `` |
sql.duckdb.ducklake.s3.secret | S3 secret for the metastore data | `` |
sql.duckdb.ducklake.s3.urlStyle | Url style to use for S3. Either مسار أو vhost | مسار |
sql.duckdb.ducklake.s3.ssl | Whether to use SSL for the S3 connection | خطأ |
RELEASE 6.6.1
1. Ugraded JupyterHub experience
ميزة:
Ugraded helm_jupyterhub to bundle Ilum-specific SSH/Git/LDAP bootstrap logic, curated notebooks, and tailored singleuser defaults so helm_aio merely enables the dependency, pins fullnameOverride, and surfaces only the still-relevant overrides. This also keeps the SSH network policy open for port 2222 and ensures the shared ilum-jupyter-ssh-keys secret remains stable, while c.JupyterHub.cleanup_servers = True guarantees the SSH service and user pods stop with the release.
Values added - helm_aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-jupyterhub.enabled | Enables the curated Ilum JupyterHub chart | خطأ |
Values added - helm_jupyterhub
| اسم | وصف | قيمة |
|---|---|---|
fullnameOverride | Override for the full resource name | ilum-jupyterhub |
تمكين | Chart enabled flag | خطأ |
SSH configuration
| اسم | وصف | قيمة |
|---|---|---|
ssh.enabled | Enables the bundled SSH operator, service, and shared key workflow | خطأ |
ssh.keysSecret | Secret that provides the stable host and authorized keys | ilum-jupyter-ssh-keys |
ssh.mode | SSH authentication mode: أحسن (shared authorized_keys from keysSecret) or per-user (individual secrets per user) | أحسن |
ssh.perUserSecretNameTemplate | Template for per-user secret names when using per-user mode | ssh-keys-{username} |
ssh.perUserAuthorizedKeysKey | Key name in per-user secrets containing authorized_keys | authorized_keys |
ssh.service.type | Type of service fronting port 2222 | NodePort |
ssh.service.port | Port exposed for SSH traffic | 2222 |
ssh.service.targetPort | Target port for SSH traffic | 2222 |
ssh.service.nodePort | NodePort number (empty for auto-assignment) | "" |
ssh.service.clusterIP | ClusterIP address (empty for auto-assignment) | "" |
ssh.service.loadBalancerIP | LoadBalancer IP address | "" |
ssh.service.annotations | Annotations for the SSH service | {} |
ssh.service.prefix | Prefix for SSH service resources | ilum-jupyter-ssh |
ssh.sshdConfig.customConfig | Custom sshd_config lines | [] |
ssh.operatorImage.name | SSH operator image repository | docker.ilum.cloud/ilum-jupyterhub |
ssh.operatorImage.tag | SSH operator image tag | ssh-operator-4.3.1 |
ssh.extraEnv | Extra environment variables for SSH operator | [] |
Git configuration
| اسم | وصف | قيمة |
|---|---|---|
git.existingSecret | Credentials that allow the Git init job to seed the notebooks repository | ilum-git-credentials |
git.email | Git email for commits | ilum@ilum |
git.repository | اسم مستودع Git | جوبيتر |
git.address | Gitea server address | ilum-gitea-http:3000 |
git.url | Gitea endpoint URL used to seed the ilum-jupyterhub org | http://ilum-gitea-http:3000 |
git.orgName | Organization managed by the git-init job | ilum-jupyterhub |
git.operatorImage.name | Git operator image repository | docker.ilum.cloud/ilum-jupyterhub |
git.operatorImage.tag | Git operator image tag | gitea-operator-4.3.1 |
git.secret.name | Secret containing credentials referenced by the operator | ilum-git-credentials |
git.secret.usernameKey | Key for username in the secret | اسم المستخدم |
git.secret.passwordKey | Key for password in the secret | شعار |
LDAP configuration
| اسم | وصف | قيمة |
|---|---|---|
ldap.enabled | Keeps the LDAP authenticator wired into Ilum JupyterHub | صحيح |
ldap.urls | LDAP server endpoints that front the Ilum directory | ["ldap://ilum-openldap:389"] |
ldap.base | Search base for Ilum users and groups | "dc=ilum,dc=cloud" |
ldap.username | Bind DN used for authentication | "cn=admin,dc=ilum,dc=cloud" |
ldap.password | Password for the bind DN | Not@SecurePassw0rd |
ldap.adminUsers | LDAP accounts with admin privileges in JupyterHub | ["ilumadmin","admin"] |
ldap.userSearchBase | Base DN where user entries live | "ou=people,dc=ilum,dc=cloud" |
ldap.userSearchFilter | Filter for user lookups | "uid = {0}" |
ldap.groupSearchBase | Base DN where group entries live | "ou=groups,dc=ilum,dc=cloud" |
ldap.groupSearchFilter | Filter that matches members | "(عضو = {0})" |
ldap.allowedGroups | Empty list allows all groups unless specified | [] |
ldap.userAttribute | User attribute for username | "أويد" |
ldap.fullnameAttribute | Attribute for user's full name | "سي إن " |
ldap.emailAttribute | Attribute for user's email | "البريد" |
ldap.groupNameAttribute | Attribute for group name | "سي إن " |
ldap.groupMemberAttribute | Attribute for group membership | "member" |
ldap.useSsl | Use SSL for LDAP connection | خطأ |
ldap.startTls | Use STARTTLS for LDAP connection | خطأ |
ldap.lookupDn | Lookup DN before binding | صحيح |
Hub configuration
| اسم | وصف | قيمة |
|---|---|---|
hub.image.name | Hub image repository | docker.ilum.cloud/ilum-jupyterhub |
hub.image.tag | Hub image tag | jupyterhub-4.3.1 |
hub.contentSecurityPolicy.enabled | Turns the managed CSP header injection on/off | صحيح |
hub.contentSecurityPolicy.frameAncestors | Origins allowed to embed JupyterHub in an iframe | ["'self'","http://localhost:9777"] |
hub.gitInit.enabled | Runs the job that ensures the ilum-jupyterhub organization/repo exist | صحيح |
Singleuser runtime defaults
| اسم | وصف | قيمة |
|---|---|---|
singleuser.startupArgs.iopubDataRateLimit | Raised output bandwidth ceiling for Ilum workloads | 1000000000 |
singleuser.startupArgs.extraArgs | Additional CLI arguments forwarded to the user server | [] |
singleuser.nodeSelector | Architecture-agnostic placement (empty by default) | {} |
singleuser.tolerations | Allows scheduling on tainted nodes when needed | [] |
Image pull credentials
| اسم | وصف | قيمة |
|---|---|---|
imagePullSecret.create | Create the pull secret in-cluster | خطأ |
imagePullSecret.automaticReferenceInjection | Auto-inject the created secret into JupyterHub workloads | صحيح |
imagePullSecret.registry | Registry host for the pull secret | "" |
imagePullSecret.username | Registry username for the pull secret | "" |
imagePullSecret.password | Registry password for the pull secret | "" |
imagePullSecret.email | Registry email for the pull secret | "" |
imagePullSecret.name | Existing secret name to reference instead of the autogenerated pull secret | "" |
imagePullSecrets | Additional pull secrets injected into all hub-managed pods | [] |
Values changed - helm_jupyterhub
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
singleuser.networkPolicy.allowedIngressPorts | [] | [2222] |
Instructions
- Keep
ilum-jupyter-ssh-keysstable outside Helm so the SSH host fingerprint survives upgrades; rotating the secret requires removing stale entries from userknown_hosts. - Ensure
ilum-git-credentialscontains valid credentials for a Gitea account with org-level write access—both the SSH operator and Git init job rely on the rendered token. - To refresh the curated notebooks, update
helm_jupyterhub/files/examples(and their config map templates) so the init container can push them into theilum-jupyterhubrepo again.
⚠️⚠️⚠️ التحذيرات
-
Port 2222 is opened via the SSH operator’s shared service; if you switch to per-user authorized keys, keep the service numbering and secrets aligned.
-
Cleanup is forced (
c.JupyterHub.cleanup_servers = True), so user pods and the SSH service terminate with the Helm release. Manage any long-lived workloads outside this chart.
2. Upgraded Livy compatible API to version 0.8.0
ميزة:
Upgraded Livy compatible API to version 0.8.0 with enhanced configuration options for compression, server version control, and TTL-based session cleanup.
القيم المضافة - ilum-core
Livy Compression Configuration
| اسم | وصف | قيمة |
|---|---|---|
livy.compression.enabled | Enable response compression for Livy endpoints | خطأ |
Livy Server Configuration
| اسم | وصف | قيمة |
|---|---|---|
livy.server.version | Livy server version identifier | 0.8.0 |
livy.server.sendServerVersion | Send server version in response headers | خطأ |
livy.server.allowCustomClasspath | Allow custom classpath in session creation | خطأ |
Livy TTL Session Cleanup Configuration
| اسم | وصف | قيمة |
|---|---|---|
livy.ttl.checkPeriod | Background sweep period in milliseconds for checking expired sessions | 300000 |
livy.ttl.checkInitialDelay | Initial delay in milliseconds before first TTL background check | 60000 |
القيم المضافة - ilum-aio
Same values as إيلوم كور but under the ilum-core. prefix (e.g., ilum-core.livy.compression.enabled).
⚠️⚠️⚠️ Important Notes
For most users: ✅ No action required. All new configuration options have safe defaults and are backward compatible.
Optional Performance Optimization: If you handle large Livy responses, you may enable compression by setting livy.compression.enabled: true.
إدارة الجلسة: The new TTL cleanup uses a hybrid approach (lazy + background sweep) to automatically clean up expired sessions. Default settings should work for most deployments.
3. Updated default Spark version and added autopause configuration
ميزة:
Updated default Spark version to 3.5.7-delta في kubernetes.defaultCluster.config.
Added spark.ilum.autopause: "true" ل kubernetes.defaultCluster.config to set the default behavior of the autopause feature.
القيم التي تغيرت - ilum-core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
kubernetes.defaultCluster.config.spark.kubernetes.container.image | ILUM / شرارة: 3.5.6-دلتا | ilum/spark:3.5.7-delta |
القيم المضافة - ilum-core
| اسم | وصف | قيمة |
|---|---|---|
kubernetes.defaultCluster.config.spark.ilum.autopause | Sets the default behavior of autopause feature | "صحيح" |
1. HTTP cookie-based access control now disabled by default
ميزة:
Fixed stability issues and changed HTTP cookie-based access control to be disabled by default for all external services (Jupyter, Airflow, MLflow, Grafana, etc.).
What Changed?
- External services are now open by default - no cookie requirements
- All users can access services without any special configuration
- System works out-of-the-box
What This Means for You
- ✅ Your services will become more accessible
- ✅ Users can access Jupyter, Airflow, MLflow, etc. without cookie setup
- ✅ No action required for most deployments
If you need to restrict access:
- Use the built-in OAuth2/Hydra authentication (recommended for production)
- Or manually enable cookie-based access control per service (see below)
When to Use Cookie-Based Access Control?
This is an advanced feature for specific use cases:
- ✅ Temporary access restrictions for specific users/sessions
- ✅ Custom access control integrated with your frontend application
To enable for a specific service:
nginx:
التكوين:
http_cookie:
تمكين: صحيح
ilum-jupyter:
تمكين: صحيح
Values changed - ilum-ui
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
nginx.config.http_cookie.enabled | صحيح | خطأ |
Values changed - ilum-aio
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
ilum-ui.nginx.config.http_cookie.enabled | صحيح | خطأ |
⚠️⚠️⚠️ Important Notes
For most users: ✅ No action required. This change makes services more accessible.
If you customized cookie settings in 6.6.0: You may need to review your configuration. The system now defaults to open access instead of requiring cookies.
RELEASE 6.6.0
1. Upgraded Apache Airflow to 3.1.1
ميزة:
Upgraded Apache Airflow from 3.0.5 to 3.1.1 with improved OIDC authentication support using authlib OAuth providers (AUTH_OAUTH) instead of deprecated flask-oidc (AUTH_OIDC). This upgrade includes fixes for OAuth redirect URI patterns and proper volume mounting for OIDC client secrets in init containers.
Values changed - ilum-aio
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
airflow.airflowVersion | 3.0.5 | 3.1.1 |
airflow.images.airflow.tag | 3.0.5 | 3.1.1 |
airflow.apiServer.extraInitContainers[0].image | ilum/airflow:3.0.5 | ilum/airflow:3.1.1 |
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
airflow.migrateDatabaseJob.useHelmHooks | Disable Helm hooks for database migration job | خطأ |
airflow.apiServer.extraInitContainers[0] | Modified create admin user init container | See below |
airflow.apiServer.apiServerConfigConfigMapName | Custom webserver_config.py configmap | ilum-api-server-config |
Init Container Volume Mount Configuration
- اسم: create-المشرف-مستخدم
صورة: ilum/airflow:3.1.1
command: ["/bin/bash", "/scripts/init.sh"]
volumeMounts:
- اسم: إيلوم-airflow-create-مستخدم-سر
mountPath: /scripts
- اسم: التكوين
mountPath: /opt/airflow/airflow.cfg
المسار الفرعي: airflow.cfg
- اسم: أوث-سر-volume
mountPath: /opt/airflow/client-سر
readOnly: صحيح
- اسم: webserver-التكوين-volume
mountPath: /opt/airflow/webserver_config.py
المسار الفرعي: webserver_config.py
readOnly: صحيح
⚠️⚠️⚠️ التحذيرات
Configuration value airflow.apiServer.apiServerConfigConfigMapName is preconfigured to use a ConfigMap named ilum-api-server-config.
But the name of this configMap must follow pattern to be properly mounted as it is Airflow's chart requirement.
So if your release name is different from إيلوم, please change this value accordingly. For example use:
airflow:
apiServer:
apiServerConfigConfigMapName: < الخاص بك-release-اسم>-واجهة برمجة التطبيقات-ملقم-التكوين
extraVolumes:
- اسم: أوث-سر-volume
سر:
اسم سري: إيلوم-هيدرا-عميل-سر
- اسم: إيلوم-airflow-create-مستخدم-سر
سر:
اسم سري: إيلوم-airflow-create-مستخدم-سر
- اسم: webserver-التكوين-volume
configMap:
اسم: < الخاص بك-release-اسم>-واجهة برمجة التطبيقات-ملقم-التكوين
2. Enhanced Jupyter startup configuration
ميزة:
Added configurable startup arguments for Jupyter notebook server, allowing users to customize base URL, IOPub data rate limits, and pass additional command-line arguments. Also added support for extra environment variables with templating support.
القيم المضافة - ilum-jupyter
Startup and environment configuration
| اسم | وصف | قيمة |
|---|---|---|
token | Jupyter notebook authentication token | "" |
startupArgs.baseUrl | Jupyter base URL path for reverse proxy configurations | /external/jupyter/ |
startupArgs.iopubDataRateLimit | IOPub data rate limit in bytes/sec (controls output bandwidth) | 1000000000 |
startupArgs.extraArgs | Additional command-line arguments to pass to Jupyter server | [] |
extraEnv | Additional environment variables for Jupyter container as string template | "" |
⚠️⚠️⚠️ التحذيرات
- All startup arguments configured via
startupArgs.*can be completely overridden by setting theأرجسparameter in values.yaml. Whenأرجسis set, all default startup arguments are ignored, giving you full control over the Jupyter server startup command. - ال
extraEnvparameter accepts a string template (multiline YAML using|). Example usage:extraEnv: |
- name: MY_VAR
value: value
3. Added Apache NiFi module
ميزة:
Added Apache NiFi to ilum-aio as a new module. This will allow users to easily deploy NiFi and use it next to Ilum.
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
nifi.enabled | Flag to enable NiFi deployment in ilum-aio | خطأ |
nifi.fullnameOverride | Full name override for NiFi | ilum-nifi |
nifi.image.tag | Tag of the source NiFi image | 2.5.0 |
nifi.properties.safetyValve | Additional properties passed to nifi.properties | رأى القيم.yaml |
nifi.persistence.enabled | Enables PVC for the data directory | صحيح |
nifi.persistence.subpath.enabled | Enabled one PVC instead of many | صحيح |
nifi.persistence.subpath.size | Size of the data directory | 10Gi |
nifi.zookeeper.enabled | Enables bundled Zookeeper deployment | خطأ |
nifi.registry.enabled | Enables bundled NiFi registry deployment | خطأ |
nifi.ca.enabled | Enables bundled CA deployment | خطأ |
nifi.openldap.enabled | Enables bundled openLDAP deployment | خطأ |
القيم المضافة - ilum-ui
| اسم | وصف | قيمة |
|---|---|---|
runtimeVars.nifiUrl | URL of the NiFi instance | http://ilum-nifi:8443/nifi/ |
runtimeVars.nifiPath | Proxy path of NiFi | /external/nifi/ |
nginx.config.nifi.enabled | Enable proxy for NiFi | خطأ |
nginx.config.http_cookie.nifi.enabled | Enables cookie mapping for NiFi | صحيح |
4. Added integration with Project Nessie metastore
ميزة:
Added integration with Project Nessie metastore in Ilum, which allows the use of Nessie as a metastore for Spark jobs.
القيم المضافة - ilum-core
| اسم | وصف | قيمة |
|---|---|---|
metastore.type | Indicates the default metastore | خلية |
metastore.nessie.address | The address of the default Nessie metastore | http://ilum-nessie:19120/api/v2 |
metastore.nessie.warehouseDir | The location of the warehouse of the default Nessie metastore | s3a://ilum-data/nessie_catalog |
metastore.nessie.s3Endpoint | The S3 API endpoint to use for the default Nessie metastore | http://ilum-minio:9000 |
metastore.nessie.s3PathStyleAccess | Whether to use path style access for the S3 Nessie connection | صحيح |
metastore.nessie.authType | Auth type of the default Nessie metastore | NONE |
metastore.nessie.ref | The branch to use for the default Nessie metastore | رئيسي |
metastore.nessie.cacheEnabled | Enables caching in the default Nessie metastore | خطأ |
metastore.nessie.catalog_name | The name of the catalog for the default Nessie metastore | nessie_catalog |
metastore.nessie.config | Additional config to add for the Spark job | رأى القيم.yaml |
metastore.nessie.statusProbe | Status probe for the Nessie metastore, so Ilum-core does not launch too quickly | رأى القيم.yaml |
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
nessie.enabled | Enables or disables bundled Nessie deployment | خطأ |
nessie.fullnameOverride | Full name override for Nessie | ilum-nessie |
nessie.versionStoreType | Type of persistent metadata storage | JDBC2 |
nessie.extraInitContainers | Adds init containers to Nessie (waiting for database) | رأى القيم.yaml |
nessie.jdbc.jdbcUrl | Url for DB connection | jdbc:postgresql://ilum-postgresql-hl:5432/nessie |
nessie.jdbc.secret.name | Secret containing DB credentials | ilum-postgres-credentals |
nessie.jdbc.secret.username | Key of username in the secret | اسم المستخدم |
nessie.jdbc.secret.password | Key of password in the secret | شعار |
الأسماء المتغيرة - ilum-core
| الاسم القديم | اسم جديد |
|---|---|
hiveMetastore.enabled | metastore.enabled |
hiveMetastore.* | metastore.hive.* |
القيم التي تغيرت - ilum-core
| اسم | القيمة القديمة | قيمة جديدة |
|---|---|---|
kubernetes.defaultCluster.config | رأى القيم.yaml | رأى القيم.yaml |
⚠️⚠️⚠️ التحذيرات
This is an important change that will need to be addressed if any custom changes to the default configuration were made. Please carefully review the changes and make sure they will not break your deployment.
5. Livy API now fully served by ilum-core (embedded)
ميزة:
Livy API is implemented and served directly by إيلوم كور (embedded).
The legacy Livy proxy is deprecated but can still be turned on for backward compatibility.
القيم المضافة - ilum-aio
| اسم | وصف | قيمة |
|---|---|---|
ilum-core.livy.enabled | Enables embedded Livy integration in AIO via إيلوم كور | صحيح |
ilum-core.livy.ilumUI.publicEndpoint | Public endpoint of ilum-ui used for Livy links/integration | http://localhost:9777 |
ilum-livy-proxy.legacy.enabled | Turns on the legacy Livy proxy resources (ConfigMap/Deployment/etc.) | خطأ |
⚠️⚠️⚠️ التحذيرات
- ال compat Service (
ilum-livy-proxy→ ilum-core) is deprecated and will be removed in a future release. - ال legacy proxy is also deprecated and will be removed after the transition period.
- Mode matrix (AIO):
ilum-livy-proxy.enabled=false&ilum-livy-proxy.legacy.enabled=false→ nothing created; callإيلوم كورdirectly.ilum-livy-proxy.enabled=true&ilum-livy-proxy.legacy.enabled=false→ create compat Service pointing to the newإيلوم كورLivy API.ilum-livy-proxy.enabled=false&ilum-livy-proxy.legacy.enabled=true→ deploy legacy proxy.
- When legacy is enabled, update client endpoints to use the legacy Service:
ilum-jupyter.livyEndpoint = http://ilum-livy-proxy:8998ilum-zeppelin.livyEndpoint = http://ilum-livy-proxy:8998- Airflow connection:
AIRFLOW_CONN_ILUM-LIVY-PROXY=livy://ilum-livy-proxy:8998
- Some resources (e.g., ConfigMap/Ingress) are rendered based on
ilum-livy-proxy.legacy.enabledonly (not onilum-livy-proxy.enabled).
6. Added cronjob cleaning after uninstalling
ميزة:
A pre-delete hook will now clean up kubernetes cronjobs after uninstalling the chart.
القيم المضافة - ilum-core
| اسم | وصف | قيمة |
|---|---|---|
cronjob.cleanup.enabled | Enable cronjob cleanup after uninstalling the chart | صحيح |
cronjob.cleanup.image | Image used for the cleanup job | alpine/kubectl:1.34.1 |
RELEASE 6.5.2
1. SSH mode implementation for helm_jupyter
ميزة:
SSH mode in the helm_jupyter chart has been implemented to provide SSH access directly within the main Jupyter container. This allows users to access their Jupyter environment via SSH while maintaining workspace consistency between web and SSH interfaces.
Values added - helm_jupyter
SSH access configuration
| اسم | وصف | قيمة |
|---|---|---|
ssh.enabled | Enable SSH access in the Jupyter container | صحيح |
ssh.keysSecret | Name of the secret containing SSH keys | ilum-jupyter-ssh-keys |
ssh.service.type | SSH service type | NodePort |
ssh.service.port | SSH service port | 2222 |
ssh.service.nodePort | SSH service node port (when service type is NodePort) | "" |
ssh.service.clusterIP | SSH service cluster IP | "" |
ssh.service.loadBalancerIP | SSH service load balancer IP | "" |
ssh.service.annotations | SSH service annotations | {} |
ssh.sshdConfig.customConfig | Custom SSH server configuration | [] |