Aller au contenu principal

Notes de mise à niveau

Notes de mise à niveau

PROCHAINE DIFFUSION

MODÈLE DE NOTE

1. Changement

Caractéristique:

Description de la fonctionnalité

Valeurs supprimées - nom du graphique

NomRaison
helm.valueRaison de la suppression de la valeur Helm

Valeurs ajoutées - nom de la carte

Description de la section Valeurs
NomDescriptionValeur
helm.valueDescription de la valeur Helmvaleur par défaut

Noms modifiés - nom de la carte

Ancien nomNouveau nom
ancien nomNouveau nom

⚠️⚠️⚠️ Warnings

Valeurs modifiées - nom de la carte

NomAncienne valeurNouvelle valeur
helm.valueancienne valeurNouvelle valeur

RELEASE 6.7.3

1. UI internationalization (i18n) + RTL

Caractéristique:

The web UI can now switch language and text direction at runtime from Settings (persisted to localStorage). The set of available languages is config-driven: add or remove a language with no frontend rebuild. Ships English + Persian (RTL) + Arabic (RTL) + Portuguese + Spanish + Chinese

  • Hindi; direction follows the language.

Values added - helm_ui (mirrored under ilum-ui.runtimeVars in helm_aio)

UI language configuration (rendered into the ilum-ui ConfigMap)
NomDescriptionValeur
runtimeVars.defaultLanguageDefault UI language code (ILUM_DEFAULT_LANGUAGE)en
runtimeVars.availableLanguagesLanguages in the selector + i18next supportedLngs (ILUM_AVAILABLE_LANGUAGES); array of {code,label,dir,font?}[en, fa(rtl), ar(rtl), pt, es, zh, hi]
i18n.extraLocaleConfigMapsOptional ConfigMaps mounted over /usr/share/nginx/html/locales// to add or override catalogs at runtime (no rebuild)[]

Per-language font (the font field of each availableLanguages entry): Persian (fa) uses IRANSans, Arabic (ar) uses Vazirmatn. Both are self-hosted and the binaries are NOT shipped in the image; fa uses the free IRANSansWeb build. To render Persian in IRANSans, place the IRANSansWeb woff2 files in a custom UI image (public/fonts/) or mount them; otherwise the UI falls back to the system Persian font. Vazirmatn is SIL-OFL — confirm IRANSansWeb's terms fit your deployment, or set fa's font À "Vazirmatn".

⚠️⚠️⚠️ Warnings

None. New keys are additive with safe defaults; existing installs default to English with no behavior change. To add a brand-new language at runtime, append an availableLanguages entry AND mount its catalog JSON via i18n.extraLocaleConfigMaps (or bake it into a custom UI image under public/locales//).

2. RustFS object-storage provider (opt-in)

Caractéristique:

RustFS (Apache-2.0) is now bundled as an opt-in S3-compatible object storage provider alongside MinIO, which remains the default in the 6.7.x line. RustFS is planned to become the default in 6.8.0. Switching is a single Helm flag (rustfs.enabled=true, minio.enabled=false). A pre-upgrade hook refuses Mise à niveau Helm when an existing MinIO PVC would be orphaned without explicit acknowledgement.

For step-by-step instructions, refer to Migrate Between Object Storage Providers. For the broader storage decision and provider reference pages, refer to the Object Storage section.

3. Object-storage credentials consolidation

Caractéristique:

All object-storage consumers now read S3 credentials from a single shared Secret, ilum-objectstorage-credentials, instead of per-consumer literal values in valeurs.yaml. The Secret holds six aliased keys: access-key, secret-key, root-user, root-password, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY. Consumers wired to this Secret include ilum-core, ilum-jupyter, ilum-history-server, ilum-hive-metastore, airflow, kestra, Trino, langfuse, loki, minioet rustfs.

Default credentials for net-new installs are Admin/Admin. On upgrade, the credentials-secret template's lookup preserves the live Secret values, so existing deployments keep their current credentials.

Per-consumer accessKey/secretKey literals in Helm values are now ignored when an existingSecret reference is set, which is the default in helm_aio.

The chart resolves the S3 Service + credentials Secret via templates/_storage.tpl helpers. Defaults to MinIO (ilum-minio, keys root-user/root-password); a live lookup for Service ilum-objectstorage switches it to the rustfs alias (ilum-objectstorage-credentials, keys access-key/secret-key) automatically. objectStorage.useAlias: true forces the alias path for CI helm template (no cluster lookup). Rotation is performed by editing the shared Secret and restarting the affected Pods. For the full procedure, refer to Rotate Object Storage Credentials.

4. OpenMetadata + OpenLineage integration

Caractéristique:

Ilum now ships an optional OpenMetadata data-catalog and governance layer, fed by OpenLineage events from Airflow and Spark. The whole stack is disabled by default and is safe on upgrade: an existing deployment that does not set the new flags brings up zero OpenMetadata resources and behaves exactly as before.

The integration is gated by five flags, all defaulting to faux: openmetadata.enabled, openmetadata-dependencies.enabled, openmetadataBootstrap.enabled, fixHmsDeltaColumns.enabledet ilum-core.job.openLineage.openmetadata.enabled. Enabling the first four plus the OpenLineage transport leg brings up the OpenMetadata server (a small Ilum fork of the 1.12.5 image), its OpenSearch + PostgreSQL dependencies, the bootstrap Job, and the OL→OM backfill CronJob. Spark and Airflow lineage then flows into OpenMetadata via a composite OpenLineage transport that fans out to both Marquez and OpenMetadata.

Iceberg-via-Nessie catalog ingestion ships in preview status. For configuration, the governance model, and operational details, refer to OpenMetadata.

5. OM bootstrap Job + bot tokens

  • Bootstrap is a regular Job (-om-bootstrap-), not a hook — helm install returns immediately. Watch: kubectl logs -f job/-om-bootstrap-; final line is BOOTSTRAP_SUMMARY: {...}. Completed Jobs GC after 24h.
  • Bot tokens default-on (openmetadataBootstrap.botTokens.enabled: true): OM clients use the ingestion-bot/lineage-bot JWTs in the ilum-om-bot-tokens Secret; consumers fall back to admin login while the Secret holds placeholders.
  • ilum-core blocks startup on the bot token (job.openLineage.openmetadata.auth.waitForBotToken: true) via a wait-for-om-bot-token initContainer, so OpenLineage never falls back to the 1h-expiring admin login (which 401s long-lived Kyuubi engines). Set waitForBotToken: false for an external OM with no bootstrap-published token.
  • Bot-token attribution is self-healing but lags: pods that boot before the JWTs are published attribute OM writes to the ilum admin until their next restart. To switch immediately, roll Airflow + ilum-core once after BOOTSTRAP_SUMMARY. Cosmetic only (audit attribution) — both paths have identical permissions.
  • ilum-om-bot-tokens carries helm.sh/resource-policy: keep and holds never-expiring JWTs. On a shared cluster, after teardown delete it explicitly (kubectl delete secret ilum-om-bot-tokens -n ) or rotate the bots in OM.

6. OpenMetadata bootstrap behaviour

The bootstrap Job registers Hive/Superset/MinIO/Delta services and runs polish ops: sets openMetadataBaseUrlConfiguration, triggers SearchIndexing + DataInsights, seeds Table custom properties (sourceSystem, slaHours), bumps certification duration to P365D, and seeds two demo users. All ops are idempotent + non-fatal, and re-runs preserve operator overrides (GET-before-PUT on the base URL, service connections carrying ssl/kerberos/sasl/jaas/auth keys, and existing custom properties). The Hive service routes through Kyuubi (ilum-sql-thrift-binary:10009) — no separate Kyuubi service is registered.

NomDescriptionValeur
openmetadataBootstrap.publicBaseUrlOM base URL for alert mails / deep-links. Override in production.http://localhost:9777/external/openmetadata
openmetadataBootstrap.demoUsersEnabledSeed analyst/steward demo users. Poser faux in production.vrai
openmetadataBootstrap.certificationDurationISO8601Default certification validity."P365D"
openmetadataBootstrap.omUserOM admin user (Secret -openmetadata-admin).[email protected]
openmetadataBootstrap.omPasswordOM admin password. Change for production.Admin
openmetadataBootstrap.botTokens.enabledPublish bot JWTs to ilum-om-bot-tokens.vrai

The OM admin password lives only in the -openmetadata-admin Secret (consumed by the bootstrap Job, Airflow, and ilum-core via secretKeyRef); rotate by editing openmetadataBootstrap.omPassword. Two more Secrets render with the release: ilum-superset-admin et ilum-hms-db-creds (account for them if you mirror manifests externally).

7. OM ingestion CronJobs are OM-owned

OM creates 7 om-cronjob-* ingestion CronJobs server-side (label managed-by=openmetadata, no ownerReferences). Edit schedules/pipelines through a re-bootstrap PATCH, not the CronJob directly (reverted on next bootstrap). The helm uninstall pre-delete hook reaps them. Scheduled Hive ingestion runs with overrideMetadata: false so it preserves DAG-set Tier/Certification governance.

8. Delta + lineage helpers (opt-in flags, default on)

NomDescriptionValeur
openmetadataBootstrap.deltaEnricher.enabledCronJob PATCHing Delta facets onto OM tables (Rust deltalake, ~80MB).vrai
openmetadataBootstrap.deltaEnricher.scheduleDelta property refresh cron.0 */6 * * *
openmetadataBootstrap.olBackfill.enabledCronJob replaying Marquez OL events to OM (idempotent gap-fill).vrai
openmetadataBootstrap.olBackfill.scheduleOL replay scan cron.0 2 * * *
fixHmsDeltaColumns.enabledPost-install/upgrade Job repairing Delta col array HMS schemas.faux

OM's native DeltaLake-S3 connector stays paused (>4Gi peak); the enricher CronJob fills Delta facets instead.

9. OpenLineage namespace

Airflow OL events use airflow.config.openlineage.namespace (default ilum-airflow, single source of truth). Bootstrap's namespaceToServiceMapping attaches s3://ilum-data, spark://ilum-sql-thrift-binary:10009et ilum-airflow to the right OM services. Override the namespace only to match events already in Marquez/OM.

10. Production overrides checklist

KeyFaire défautFor production
openmetadataBootstrap.publicBaseUrlhttp://localhost:9777/external/openmetadataactual ingress URL
openmetadataBootstrap.demoUsersEnabledvraifaux (use LDAP/OIDC)
openmetadataBootstrap.omPasswordAdmina real password
gitea.gitea.config.server.ROOT_URLhttp://localhost:9777/external/gitea/public host (path must match STATIC_URL_PREFIX)

The chart installs into any namespace (bare service DNS names, no .svc.cluster.local). If you carry extraValues overrides with FQDN metastore addresses, drop .ilum.svc.cluster.local or Spark lineage silently fails to map.

11. Iceberg via Project Nessie (opt-in, OFF by default)

A stock install runs Hive-only with no Nessie pod. Enable Iceberg cataloging (starts a Nessie pod + Postgres DB) with BOTH flags — the gate ANDs them:

helm upgrade ilum ./helm_aio \
--poser nessie.enabled=vrai \
--poser openmetadataBootstrap.services.iceberg.enabled=vrai
NomDescriptionValeur
openmetadataBootstrap.services.iceberg.enabledRegister OM Iceberg service (needs nessie.enabled).faux
openmetadataBootstrap.services.iceberg.restUriNessie Iceberg-REST URI (no ref in path).http://ilum-nessie:19120/iceberg
openmetadataBootstrap.services.iceberg.warehouse / .catalogNameSymbolic warehouse name.nessie_catalog
openmetadataBootstrap.services.iceberg.{endpoint,accessKey,secretKey,region}S3-reader overrides (empty = objectStorage Secret)."" / États-Unis-Est-1
nessie.catalog.enabledNessie Iceberg-REST endpoint.vrai

Gotchas:

  • Do NOT disable Hive to go "Iceberg-first": the bundled example tables are Delta/Parquet via HMS, and bootstrap gates SUCCESS on Hive producing ≥10 tables (openmetadataBootstrap.examplesIngest.expectedMinTables). Iceberg-only also needs openmetadataBootstrap.examplesIngest.enabled=false.
  • The OM ingestion reader reads Iceberg metadata.json/manifests directly from S3, so it MUST hold creds that read s3://ilum-data/nessie_catalog/. A credential mismatch registers fine but ingests 0 tables.
  • On rustfs/non-default backends, override nessie.catalog.storage.s3.defaultOptions.accessKeySecret (static YAML, defaults to the minio Secret) so Nessie and the OM reader resolve the SAME identity.
  • To catalog a ref other than principal, pin it via a Nessie warehouse, not the URI path (putting the ref in the path → HTTP 404). OM ingests one ref; no history.

12. Hive 4 support (opt-in)

Poser ilum-hive-metastore.majorVersion: 4 pour apache/hive:standalone-metastore-4.x images (default 3). A v3 Postgres DB cannot be reused for v4 (incompatible schemas). Running v3 + v4 side-by-side: give v4 its own database (--set ilum-hive-metastore.postgresql.database=metastore_v4) and add it to postgresExtensions.databasesToCreate. Spark against a v4 metastore needs Hive 4 client jars — use ilum/spark:4.0.2-delta-hive4 as the cluster image.

13. Airflow pools

airflowExtensions.pools pre-creates the listed Airflow pools (name + slots) via an init container on the Airflow api-server/scheduler. Default is empty ([]); add your own DAGs' pools here.

14. Cross-stack observability + cost attribution

Caractéristique

A new cross-stack observability stack (off by default) bundles an OpenTelemetry Collector (helm_otel_collector sub-chart), a Tempo trace backend (ilum-tempo, S3-backed), and Loki/Promtail log correlation, adding a Pipeline Trace tab spanning Airflow → ilum-service → Spark. A separate daily cost-attribution rollup (off by default) writes cost landing files from an in-driver Spark plugin and folds them in-core into per-job and per-table Cost tabs. Hostnames are release-name portable via _helpers.tpl, so the stack works under any release name. The settings entity (sampling ratio, listener policy, rate card) is seeded from helm_core's observabilityDefaults on first boot only — UI/dev-API edits win afterward. The previously-unprotected /api/dev/reactive/lineage/* et /cost/* endpoints now require permissions.

Values added - helm_aio

NomDescriptionValeur
global.observability.otel.enabledEnable the OTel collector + Tempo trace backend + log correlationfaux
global.observability.monitoring.enabledRender the ServiceMonitor + PrometheusRule alert set for Tempo/collectorfaux
global.costAggregator.enabledEnable the daily cost-attribution rollupfaux
global.costAggregator.retentionDaysClamp the cost reader window to this many days90
global.observability.otel.tempoAuth.modeTempo query auth (none | bearer | basic)none
global.logAggregation.loki.auth.modeLoki query auth (none | bearer | basic)none
global.observability.otel.tenant.idTenant filter for a shared Tempo (empty = single-tenant)""

Values changed - ilum-tempo

NomAncienne valeurNew value
ilum-tempo.tempo.resources.limits.memory2Gi4Gi

⚠️ Warnings

The observability stack hostnames are now derived at render time by helpers in helm_aio/templates/_helpers.tpl (ilum-aio.tempoHost, ilum-aio.lokiReadHost, ilum-aio.otelCollectorHost, ilum-aio.lokiQueryUrl). An overlay carrying an explicit hostname override copied from a previous release still takes precedence but couples the install to the ilum release name — drop it to let the helpers pick the correct hostname.

RELEASE 6.7.2

1. Default Java options for ilum-core

Caractéristique:

Added default JVM options to ilum-core for optimized memory and performance. The javaOpts value is now appended to security-related Java options (trustStore/keyStore) instead of replacing them, allowing both to coexist.

Values changed - helm_core

NomAncienne valeurNouvelle valeur
javaOpts"""-XX:-UsePerfData -XX:+UseStringDeduplication -Xms256m -XX:MaxMetaspaceSize=256m -XX:MaxDirectMemorySize=256m -XX:CICompilerCount=2 -XX:G1ConcRefinementThreads=2 -XX:ReservedCodeCacheSize=128m"

2. Unity Catalog init container for ilum-core

Caractéristique:

Added a wait-for-unity-catalog init container to the ilum-core deployment, matching the existing pattern for Hive and Nessie. When metastore.type est défini sur unity, the init container waits for the Unity Catalog server to become reachable before starting ilum-core, preventing startup failures due to race conditions.

Values added - helm_aio

NomDescriptionValeur
ilum-core.metastore.unity.statusProbe.enabledEnable init container to wait for Unity Catalogvrai

3. PostgreSQL support for ilum-core

Caractéristique:

Added PostgreSQL as an alternative persistence backend to MongoDB. The backend is selected via storage.type (mongo ou Postgres). When set to Postgres, Mongock migrations and the MongoDB status probe are skipped, and PostgreSQL connection details are injected instead. The MongoDB URI (mongo.uri) is always present in the configmap regardless of storage.type, so that the built-in MongoToPostgresMigration tool can read from MongoDB during migration. Flyway migrations run automatically on startup — no manual schema setup is needed. Existing deployments using MongoDB are unaffected; the default remains mongo.

Values added - helm_core

Storage type selection and migration
NomDescriptionValeur
storage.typePersistence backend: mongo ou Postgresmongo
storage.migration.mongoToPostgresEnable one-time data migration from MongoDB to PostgreSQL. Set to vrai together with storage.type=postgres and a valid mongo.uri to migrate all data on startup. Disable after migration completes.faux
PostgreSQL connection settings
NomDescriptionValeur
postgres.hostPostgreSQL hostnameilum-postgresql
postgres.portPostgreSQL port5432
postgres.databaseDatabase nameilum
postgres.usernameDatabase usernameilum
postgres.passwordDatabase passwordCHANGEMEPLEASE
postgres.createSecretCreate a K8s Secret with postgres credentialsvrai
postgres.existingSecretUse an existing K8s Secret (must have keys: POSTGRES_USERNAME, POSTGRES_PASSWORD)""
postgres.statusProbe.enabledEnable init container that waits for PostgreSQL readinessvrai
postgres.statusProbe.imageImage used for the PostgreSQL readiness probebusybox:1.36

⚠️⚠️⚠️ Warnings

Migrating from MongoDB to PostgreSQL:

  1. Poser storage.type=postgres and configure postgres.* connection values
  2. Ensure mongo.uri still points to the existing MongoDB instance
  3. Poser storage.migration.mongoToPostgres=true
  4. Run Mise à niveau Helm — the backend will migrate all data from MongoDB to PostgreSQL on startup
  5. After successful migration, set storage.migration.mongoToPostgres=false and run Mise à niveau Helm again

4. Slimmed down ilum-core bundled configuration

Caractéristique:

The bundled application.yml in ilum-core has been significantly slimmed down. Hardcoded defaults that are now managed by the application itself (Spring multipart config, Kafka admin settings, codec size, task scheduling pool, leader election tuning, third-party logging levels, license validation details) have been removed from the Helm-generated config. This reduces the surface area of the ConfigMap and avoids conflicts with application-managed defaults.

⚠️⚠️⚠️ Warnings

If you relied on any of the removed hardcoded values (e.g., custom spring.servlet.multipart limits, spring.kafka.admin.fail-fast, logging levels for org.apache.kafka ou org.mongodb.driver), you must now set them via the new customConfig ou overrideConfig mechanisms described below.

5. Config override and custom config for ilum-core

Caractéristique:

Added two new mechanisms for advanced configuration of ilum-core:

  • overrideConfig: Replaces the bundled application.yml entirely with a user-managed ConfigMap (mounted at /etc/ilum/override).
  • customConfig: Mounts an additional ConfigMap at /etc/ilum/custom for partial overrides that layer on top of the bundled config.

Values added - helm_core

Full config override
NomDescriptionValeur
overrideConfig.enabledEnable full config override (replaces bundled application.yml entirely)faux
overrideConfig.configMapNameName of a user-managed ConfigMap containing a complete application.yml replacement""
Custom config escape hatch
NomDescriptionValeur
customConfig.enabledEnable custom config escape hatch (mounts an additional ConfigMap at /etc/ilum/custom)faux
customConfig.configMapNameName of a user-managed ConfigMap containing application.yml overrides""

⚠️⚠️⚠️ Warnings

The config mount path has changed from /config À /etc/ilum/config. If you have scripts or tooling that references the old path, update them accordingly.

6. Default communication mode changed to gRPC

Caractéristique:

The default communication mode in ilum-core has changed from Kafka À GRPC.

Values changed - helm_core

NomAncienne valeurNouvelle valeur
communication.typeKafkaGRPC

⚠️⚠️⚠️ Warnings

If your deployment depends on Kafka-based communication between ilum components, explicitly set communication.type: kafka in your values.

7. New configurable parameters in ilum-core

Caractéristique:

Spring actuator endpoint exposure and job instance result timeout are now configurable via values instead of being hardcoded.

Values added - helm_core

NomDescriptionValeur
management.endpoints.web.exposure.includeSpring actuator endpoints to expose"info,configprops,env,metrics,mappings,beans,prometheus,health"
job.instance.result.timeout.msJob instance result timeout in milliseconds120000

8. Schema and nullability fixes

Caractéristique:

Fixed sql.url À sql.host in the ilum-core configmap to match the actual values key.

Names changed - helm_core (configmap only)

Ancien nomNouveau nom
sql.urlsql.host

9. rustfs added as an opt-in object storage provider

Caractéristique

rustfs (Apache-2.0) is now bundled in helm_aio as an opt-in S3-compatible object storage provider (rustfs.enabled=false by default). minio remains the default provider (minio.enabled=true); rustfs is planned to become the default in 6.8.0. A stable Service alias ilum-objectstorage routes to whichever provider is enabled; all downstream consumers (Trino, Nessie, Jupyter, MLflow, Airflow, Kestra, Langfuse, the helm_core readiness probe) target this alias instead of provider-specific names.

⚠️⚠️⚠️ Warnings

  • rustfs is currently published as 1.0.0-alpha.99; distributed mode is marked "under testing" upstream. helm_aio defaults rustfs to standalone mode with a single 50Gi PVC.
  • A pre-upgrade hook detects orphan minio PVCs and refuses the upgrade unless the operator has chosen one of the paths below.

Choose one path on upgrade

Path A: keep using minio (zero-touch)
helm upgrade ilum ./helm_aio --poser minio.enabled=vrai --poser rustfs.enabled=faux

Existing data is untouched; consumers continue talking to ilum-objectstorage which now selects minio pods.

Path B: migrate from minio to rustfs

Single credential source. Every consumer (ilum-core, jupyter, airflow, trino, kestra, langfuse, loki, hive-metastore, minio, rustfs) now reads S3 credentials from the shared ilum-objectstorage-credentials Secret. Net-new installs default to admin/admin; rotate with:

kubectl edit secret ilum-objectstorage-credentials
kubectl rollout restart deploy,statefulset -l 'app.kubernetes.io/part-of=ilum'

When upgrading from a MinIO-only deployment with non-default credentials, seed the new Secret with the live minio root creds before running the upgrade so consumers don't lose access:

EXISTING_USER=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-user}' | base64 -d)
EXISTING_PASS=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-password}' | base64 -d)
kubectl create secret generic ilum-objectstorage-credentials \
--from-literal=access-key=$EXISTING_USER \
--from-literal=secret-key=$EXISTING_PASS \
--from-literal=root-user=$EXISTING_USER \
--from-literal=root-password=$EXISTING_PASS \
--from-literal=RUSTFS_ACCESS_KEY=$EXISTING_USER \
--from-literal=RUSTFS_SECRET_KEY=$EXISTING_PASS
# the credentials-secret template's preserveExisting lookup will keep these
# values intact across helm upgrades.
# 1. Run both providers side by side. Acknowledge the cutover so the
# pre-upgrade hook accepts the upgrade.
helm upgrade ilum ./helm_aio \
--poser minio.enabled=vrai \
--poser rustfs.enabled=vrai \
--poser rustfs.migrationAcknowledged=vrai

# 2. Dry-run the migration Job to preview what would be copied.
helm upgrade ilum ./helm_aio \
--poser minio.enabled=vrai \
--poser rustfs.enabled=vrai \
--poser rustfs.migrationAcknowledged=vrai \
--poser migration.minioToRustfs.enabled=vrai \
--poser migration.minioToRustfs.dryRun=vrai
kubectl logs job/ilum-minio-to-rustfs-migration-<rev>

# 3. Run the real migration.
helm upgrade ilum ./helm_aio \
--poser minio.enabled=vrai \
--poser rustfs.enabled=vrai \
--poser rustfs.migrationAcknowledged=vrai \
--poser migration.minioToRustfs.enabled=vrai
kubectl -n ilum wait job -l app.kubernetes.io/component=migration --for=condition=complete --timeout=600s

# 4. Verify (e.g. mc diff against both providers), then disable minio.
helm upgrade ilum ./helm_aio --poser rustfs.migrationAcknowledged=vrai

For per-bucket manual procedures (no Job), see the documentation site: documentation/docs/operations/migrate-minio-to-rustfs.md.

Path C: net-new install

Nothing to do. minio is the default; the alias Service is created automatically. To start on rustfs instead, set rustfs.enabled=true et minio.enabled=false.

Values added - helm_aio

NomDescriptionValeur
global.s3.hostStable Service name targeted by S3 consumersilum-objectstorage
global.s3.portS3 API port9000
global.s3.consolePortWeb console port9001
global.s3.regionDefault S3 regionÉtats-Unis-Est-1
global.s3.pathStylePath-style addressing flag for S3 clientsvrai
global.s3.sslSSL flag for S3 clientsfaux
rustfs.enabledEnable bundled rustfs chartvrai
rustfs.moderustfs deployment modestandalone
rustfs.persistence.sizerustfs PVC size50Gi
rustfs.migrationAcknowledgedOperator acknowledgement that disabling minio is intentional (read by the pre-upgrade hook)faux
rustfsExtensions.enabledEnable bucket/policy bootstrap on rustfsvrai
objectStorage.service.enabledRender the ilum-objectstorage Service aliasvrai
objectStorage.credentials.createCreate the shared credentials Secretvrai
objectStorage.credentials.nameName of the shared credentials Secretilum-objectstorage-credentials
objectStorage.credentials.accessKeyDefault access key (only used to bootstrap the Secret; rotated values survive upgrades via lookup)Admin
objectStorage.credentials.secretKeyDefault secret keyAdmin
rustfs.secret.rustfs.access_keyRoot access key the rustfs Pod is launched with (must match objectStorage.credentials.accessKey)Admin
rustfs.secret.rustfs.secret_keyRoot secret key the rustfs Pod is launched withAdmin
objectStorage.defaultBucketsDefault buckets created by the rustfs init Job and migrated by the migration Job[ilum-files, ilum-data, ...]
migration.minioToRustfs.enabledRender the one-shot migration Jobfaux
migration.minioToRustfs.dryRunPass --fake to mc mirror (preview only)faux
migration.minioToRustfs.deleteAfterAfter successful mirror, remove source data with mc mirror --removefaux
migration.minioToRustfs.ttlSecondsAfterFinishedKeep Job logs around for inspection86400
preUpgradeChecks.enabledRender the pre-upgrade safety hook (disable in CI)vrai

Values changed - helm_aio

NomAncienne valeurNew value
minio.enabledvraifaux
ilum-core.kubernetes.s3.hostilum-minioilum-objectstorage
ilum-core.metastore.nessie.s3Endpointhttp://ilum-minio:9000/http://ilum-objectstorage:9000/
ilum-core.minio.statusProbe.baseUrlhttp://ilum-minio:9000http://ilum-objectstorage:9000
trino.catalogs.ilum-delta (s3.endpoint=...)http://ilum-minio:9000http://ilum-objectstorage:9000
mlflow.externalS3.hostilum-minioilum-objectstorage
mlflow.externalS3.existingSecretilum-minioilum-objectstorage-credentials
mlflow.externalS3.existingSecretAccessKeyIDKeyroot-useraccess-key
mlflow.externalS3.existingSecretKeySecretKeyroot-passwordsecret-key
kestra.configuration.kestra.storage.minio.endpointilum-minioilum-objectstorage
langfuse.langfuse.s3.endpointhttp://ilum-minio:9000http://ilum-objectstorage:9000
ilum-jupyter.extraEnv (S3_ENDPOINT)http://ilum-minio:9000http://ilum-objectstorage:9000
airflow.extraEnv (MINIO_ENDPOINT, AWS_ENDPOINT_URL, AIRFLOW_CONN_ILUM-MINIO)http://ilum-minio:9000http://ilum-objectstorage:9000
ilum-ui.runtimeVars.minioUrlhttp://ilum-minio:9001http://ilum-objectstorage:9001

Values added - helm_core

NomDescriptionValeur
objectStorage.statusProbe.enabledEnable readiness probe init container for object storagevrai
objectStorage.statusProbe.baseUrlBase URL probed for readinesshttp://ilum-objectstorage:9000
objectStorage.statusProbe.imageProbe init-container imagecurlimages/curl :8.5.0
objectStorage.statusProbe.healthPathHTTP path probed (root works for both rustfs and minio)/

Values changed - helm_core

NomAncienne valeurNew value
minio.statusProbe.baseUrlhttp://ilum-minio:9000http://ilum-objectstorage:9000

The legacy minio.statusProbe block is retained as a deprecated alias; templates prefer objectStorage.statusProbe and fall back to it when the new key is unset.

Values added - helm_ui

NomDescriptionValeur
runtimeVars.objectStorageUrlConsole URL for the object-storage viewhttp://ilum-objectstorage:9001
runtimeVars.objectStoragePathUI iframe path/external/object-storage/
nginx.config.objectStorage.enabledRender the /external/object-storage/ proxy blockfaux
nginx.config.http_cookie.objectStorage.enabledCookie gate for the new pathvrai

10. Kestra chart 1.0.x upgrade (breaking)

Caractéristique:

Bumped the bundled kestra chart from ^0.22.x À ^1.0.x (Kestra app ~v0.20 → v1.3.x). The Kestra Helm chart was rewritten in 1.0.0 — top-level deployment fields moved under a new common: block, the configuration: map was renamed to configurations.application, serviceAccountName was replaced by a structured serviceAccount block, the dind sidecar gained a mode: rootless|insecure selector, and the bundled Postgres/minio/Kafka/elasticsearch subchart dependencies were dropped (operators bring their own). The umbrella kestra: block has been restructured accordingly; existing Ilum integrations (PostgreSQL backend, MinIO storage, Nginx context path, root-mode dind, post-install example flow Job) are preserved.

Names changed - kestra

Ancien nomNouveau nom
kestra.configurationkestra.configurations.application
kestra.serviceAccountNamekestra.serviceAccount.name (with kestra.serviceAccount.create: false)
kestra.securityContextkestra.common.securityContext
kestra.initContainerskestra.common.initContainers
kestra.dind.image.tagkestra.dind.base.insecure.image.tag (with kestra.dind.mode: insecure)
kestra.dind.argskestra.dind.base.insecure.args
kestra.dind.securityContextkestra.dind.base.insecure.securityContext

Values changed - kestra

NomOld ValueNouvelle valeur
kestra.exampleFlow.kestraServicekestra-servicekestra
ilum-ui.runtimeVars.kestraUrlhttp://ilum-kestra-service:8080http://ilum-kestra:8080

Values deleted - kestra

NomRaison
kestra.postgresql.enabledSubchart dependency removed in 1.0.0; operators provide their own PostgreSQL.
kestra.minio.enabledSubchart dependency removed in 1.0.0; operators provide their own object storage.
kestra.startupProbe.pathReplaced by the structured kestra.common.startupProbe (full Kubernetes probe spec). Path stays /external/kestra/health because Micronaut propagates server.contextPath to the management server (8081) too.
kestra.livenessProbe.pathReplaced by kestra.common.livenessProbe; path stays /external/kestra/health/liveness.
kestra.readinessProbe.pathReplaced by kestra.common.readinessProbe; path stays /external/kestra/health/readiness.

Values added - kestra

NomDescriptionValeur
kestra.deployments.standalone.enabledEnables the standalone Kestra deployment in the new split-deployment model.vrai
kestra.deployments.standalone.dind.enabledEnables the dind sidecar for the standalone deployment.vrai
kestra.dind.modeSelects the dind sidecar mode (rootless ou insecure); Ilum defaults to insecure to preserve prior root-mode behaviour.insecure
kestra.serviceAccount.createControls whether the chart creates the ServiceAccount; Ilum sets it to faux and reuses the Spark SA.faux

⚠️⚠️⚠️ Warnings

  • The Kestra application itself was bumped from the 0.x line to v1.3.x. Verify any custom flow definitions against the Kestra 1.0.0 migration guide — reserved Flow IDs, the purgeAuditLogs.permissions → resources rename, removal of the Singer plugin, dynamic rendering of input defaults, and custom-plugin package structure changes can break existing flows.
  • kestra.dind.mode: insecure runs the dind sidecar privileged with elevated capabilities. On hardened clusters switch to kestra.dind.mode: rootless and drop the kestra.common.securityContext.runAsUser/runAsGroup overrides.
  • The Kestra Service object is now named -kestra (chart fullname) instead of -kestra-service. The bundled helm_ui kestraUrl runtimeVar (consumed by the Nginx proxy via ILUM_KESTRA_URL) and the exampleFlow post-install Job have been updated to the new name. Any external references to ilum-kestra-service must be updated manually.
  • Kestra 1.0+ moved the flow API under a tenant path (/api/v1/{tenant}/flows). The bundled exampleFlow Job now POSTs to /api/v1/main/flows (the OSS implicit tenant). Operators with custom friser/SDK calls against the Kestra API must add the tenant segment.

11. Kyuubi server image bumped to 1.11.1-spark-trino

Caractéristique

The default ilum-sql (Kyuubi) server image is bumped to ilum/kyuubi:1.11.1-spark-trino. Existing Mise à niveau Helm users will pick up the new image automatically.

Values changed - helm_kyuubi

NomOld ValueNouvelle valeur
image.tag1.10.2-spark-trino1.11.1-spark-trino

12. JupyterLab Pipeline Exporter ↔ Airflow integration (helm_jupyter)

Caractéristique

The bundled JupyterLab now ships jupyterlab-pipeline-exporter (JPE), which generates Airflow DAGs from notebooks and can auto-trigger them against the in-cluster Airflow REST API. The helm_jupyter Deployment mounts a new jupyter-pipeline-exporter-cm.yaml ConfigMap and renders the env vars JPE needs to mint bearer tokens (AIRFLOW_JWT_SECRET, AIRFLOW_API_URL), push DAGs into Gitea (GITEA_USERNAME, GITEA_PASSWORD), and build clickable deep-links (ILUM_UI_URL).

git.enabled is split into two orthogonal flags so a slim deploy without the gitea subchart can keep JPE's Gitea creds without forcing the init-container seed loop to run. The init loop (curl healthz wait + git init/commit/push) is now gated on git.initialCommit.enabled; the GITEA_* env vars are gated on git.existingSecret alone. git.enabled is retained as a deprecated back-compat alias for git.initialCommit.enabled.

Operator impact (zero by default)

On AIO (airflow.enabled=true, gitea subchart present) the chart defaults render the full integration automatically on Mise à niveau Helm — no action required. On a slim deploy without Airflow, set airflowIntegration.enabled=false to suppress the JWT env block; on a slim deploy without the gitea subchart, set git.initialCommit.enabled=false (instead of the old git.enabled=false) so the init container no longer hangs while still mounting JPE's Gitea creds via git.existingSecret.

Values added - helm_jupyter

NomDescriptionValeur
airflowIntegration.enabledRender the AIRFLOW_JWT_SECRET / AIRFLOW_API_URL block for JPE's DAG auto-triggervrai
git.initialCommit.enabledRun the init-container that seeds the work dir into Giteafaux
ilumUiUrlBrowser-facing Ilum UI base URL surfaced as ILUM_UI_URL for JPE deep-linkshttp://localhost:9777

Values changed - helm_jupyter

NomPre-upgradePost-upgrade
git.enabledgated init loop et GITEA_* env varsdeprecated alias for git.initialCommit.enabled; GITEA_* env vars now gate on git.existingSecret

13. Preset feature

Caractéristique

New first-class Preset entity. A preset is a named bag of Spark / runtime properties that can be attached by id to clusters, services (groups), schedules, and jobs. At job-launch time the preset's properties merge into the resulting Spark config so users can pin a bundle (Delta / Iceberg / Hudi) once and reuse it instead of re-typing the same 5+ keys.

CRUD is exposed at POST/GET/PUT/DELETE /api/v1/preset (public) and at /api/dev/reactive/preset (internal). New PRESET_READ, PRESET_CREATE, PRESET_EDIT, PRESET_DELETE permissions are added.

Postgres V1 schema gains a preset table and preset_ids text[] columns on Grappe, groupe, schedule. Mongo gains the same field lazily — no migration required.

Operator-controllable defaults (helm)

helm_core/values.yaml ships a new top-level presets: block. Each entry (nom, description, properties) is auto-seeded at first boot by the backend's DefaultPresetInitializer. The chart defaults ship a delta and an iceberg entry; remove or override them to taste, or set presets: [] to disable defaults entirely.

The default cluster's attached presets are also helm-controlled via kubernetes.defaultCluster.presetNames (defaults to [delta]). Each entry is resolved to a preset id at boot time via a deterministic v3 UUID derived from the name (same hash as the initializer uses), so the linkage is stable across restarts.

Values added — helm_core

NomDescriptionValeur
presetsSpark/runtime property bundles auto-seeded on first bootList of delta + iceberg
kubernetes.defaultCluster.presetNamesNames (declared under presets:) attached to the default cluster on first boot[delta]

Values removed — helm_core

NomRaison
kubernetes.defaultCluster.config.spark.kubernetes.container.imageMoved into the delta preset entry under top-level presets:
kubernetes.defaultCluster.config.spark.databricks.delta.catalog.update.enabledSame
kubernetes.defaultCluster.config.spark.sql.extensionsSame
kubernetes.defaultCluster.config.spark.sql.catalog.spark_catalogSame

Operator impact

Zero on a default upgrade. The bundled delta preset reproduces exactly the Delta keys that previously lived inline in the default cluster's defaultApplicationConfig. Existing user-created clusters keep their own config unchanged.

If you customised kubernetes.defaultCluster.config with non-Delta overrides, those entries are preserved as-is — only the four Delta-specific keys were lifted into the preset.

Operators wanting to add their own preset (e.g. a tuned nessie bundle) extend presets: in their values override:

ilum-core:
presets:
- nom: nessie
description: Iceberg + Nessie wiring
properties:
spark.kubernetes.container.image: my-registry/spark:nessie
spark.sql.extensions: org.projectnessie.spark.extensions.NessieSparkSessionExtensions
# ...
kubernetes:
defaultCluster:
presetNames:
- delta
- nessie

Renaming a preset detaches any cluster / group / schedule that referenced the old id (the id is derived from the name). Detach in the UI first, or use the API to update presetIds to the new id before removing the old entry.

Merge precedence at job launch (last wins): cluster's effective config (including its attached presets via ClusterConfigurer) → system providers (memory, metastore, packages) → entity presets → entity jobConfig. The symmetric "plain spark args you typed at the entity level win" rule still applies. Follow-up #202 will extract image et Namespace to first-class cluster fields so presets layer cleanly without the current "plain wins" caveat on the cluster scope.

14. Airflow secret backend + base image bump

Caractéristique

The bundled Airflow image (ilum/airflow) now ships an IlumS3SecretsBackend that resolves the conn-id aliases ilum-minio, ilum-s3et ilum-objectstorage (plus their _-separated and case variants) to a single canonical AIRFLOW_CONN_ILUM_S3 env var. Activating the backend (AIRFLOW__SECRETS__BACKEND=ilum_secrets_backend.IlumS3SecretsBackend) is already wired in helm_aio/values.yaml.

This replaces the broken AIRFLOW_CONN_ILUM-MINIO_CMD / AIRFLOW_CONN_ILUM-S3_CMD printf-based env-var pattern. Airflow 3 silently dropped _CMD resolution for connection env vars — the suffix now resolves only for config keys like SQL_ALCHEMY_CONN_CMD — which caused worker pods to surface RuntimeError: generator didn't yield from the remote-logging path and InvalidAccessKeyId from user S3Hook calls.

The same change bumps the base image from apache/airflow:3.1.6 À apache/airflow:3.2.1 across all four ops/docker/ilum-airflow/ variants (Fichier Dockerfile, Dockerfile-plain, Dockerfile-spark, Dockerfile-spark-4.x), and switches the bake-in install location for the backend to /opt/ilum_secrets/ with a PYTHONPATH prepend so the module path no longer depends on the base image's Python minor.

Operator impact (zero by default)

The Helm values flip is opt-in via the chart-default airflow.enabled flag — operators with airflow.enabled=true pick up the new env configuration automatically on Mise à niveau Helm. No DAG changes are required: BaseHook.get_connection("ilum-minio") et S3Hook(aws_conn_id="ilum-s3") continue to work, but now resolve to a storage-backend-agnostic connection.

KeyPre-upgradePost-upgrade
airflow.airflowVersion3.1.63.2.1
airflow.images.airflow.tag3.1.63.2.1
airflow.extraEnv AIRFLOW_CONN_ILUM-MINIO_CMD(broken printf pattern)removed
airflow.extraEnv AIRFLOW_CONN_ILUM-S3_CMD(broken printf pattern)removed
airflow.extraEnv AIRFLOW__SECRETS__BACKEND(unset)ilum_secrets_backend.IlumS3SecretsBackend
airflow.extraEnv AIRFLOW_CONN_ILUM_S3(unset)JSON literal with $(AWS_*) downward expansion

DAG-level changes from Airflow 3.1.6 to 3.2.1 are minor; full changelog at https://airflow.apache.org/docs/apache-airflow/3.2.1/release_notes.html.

Failure modes (now caught at chart-render time)

  • If an operator overrides airflow.images.airflow.tag to an ilum/airflow tag that does not contain /opt/ilum_secrets/ (e.g. an older custom build), the secrets backend resolves to ModuleNotFoundError: ilum_secrets_backend at scheduler start. Fix by upgrading the image or unsetting AIRFLOW__SECRETS__BACKEND.

15. Object storage console wiring is now data-driven

Caractéristique

The active object-storage provider, the Object Storage iframe path, and the /external/object-storage/ nginx redirect target are now derived from a single source of truth in helm_aio/templates/_helpers.tpl. The previously hand-rolled three-way conditional in ui-cm.yaml has been replaced with helper calls; the objectstorage-svc.yaml inline resolution has been collapsed into the same helper.

A new objectStorage.providers registry maps provider names to their console paths and routing modes. To enable a third S3-compatible backend (e.g. SeaweedFS) for benchmarking or migration:

  1. Add the chart dependency under helm_aio/Chart.yaml.
  2. Add an entry under objectStorage.providers. avec consolePath et consoleMode (same-origin ou nginx-rewrite).
  3. Poser objectStorage.activeProvider: to flip user-facing traffic.

Operator impact (zero by default)

Existing RC2 overlays that only set rustfs.enabled / minio.enabled / rustfs.migrationAcknowledged continue to work unchanged. The chart reads the legacy flags as back-compat shims.

The registry intentionally does NOT set a default Activé field for rustfs et minio; the chart-level flags (.Values.rustfs.enabled / .Values.minio.enabled) remain the single source of truth for those two providers. This avoids the silent override that would occur if the new chart-default registry flipped objectStorage.providers.rustfs.enabled=true on a user who had rustfs.enabled=false in their overlay.

Verified upgrade paths (zero operator action required):

Pre-upgrade overlayPost-upgrade resolved providerRisk
minio.enabled=true, rustfs.enabled=false (default)minionone
minio.enabled=false, rustfs.enabled=true (opt-in)rustfsnone
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=falseminio (data-bearing side)none
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=truerustfs (post-cutover)none
objectStorage.activeProvider= explicit override verbatimonly if has no pods, ilum-core readiness fails loudly
Pre-RC2 install (no rustfs key, only minio.enabled=true)minionone

Misconfiguration scenarios that fail loudly (not silently):

  • 3+ providers enabled with activeProvider=auto: render-time error names the enabled providers and asks for an explicit choice.
  • Explicit activeProvider= where has no running pods: Service alias has no endpoints; ilum-core readiness probe fails with a clear log message.

New values to know about

KeyFaire défautMeaning
objectStorage.previousProvider"minio"Required when two providers are enabled and activeProvider=auto. Names the side that holds the data; the alias targets it until cutover is acknowledged.
objectStorage.cutoverAcknowledgedfauxGeneralizes the previous rustfs.migrationAcknowledged. Flips the alias from previousProvider to the other enabled provider. The legacy flag is still honored as an alias.
objectStorage.providers..enabledper-providerMirror of .Values..enabled for new providers without their own chart-level flag.
objectStorage.providers..consolePath/rustfs/console/, /externe/minio/UI iframe path for that provider's console.
objectStorage.providers..consoleModesame-origin (rustfs), nginx-rewrite (minio)Controls whether nginx redirects /external/object-storage/ to the provider's path (nginx-rewrite, for consoles pinned to a single URL) or keeps the proxy body (same-origin).

Failure modes (now loud)

  • Three or more providers enabled with activeProvider=auto: the chart fails at render time with a message naming the enabled providers and asking the operator to set activeProvider= explicitly.
  • Two providers enabled with previousProvider empty: chart fails at render time asking the operator to set previousProvider to the data-bearing side, or to set activeProvider explicitly.
  • activeProvider set to a name with no matching pods: the chart renders but the alias Service has no Endpoints, and ilum-core's readiness probe surfaces the misconfiguration in pod logs.

16. Rook-Ceph S3 Storage Backend (BYO)

Caractéristique:

A pre-deployed (BYO) rook-ceph cluster can now be used as the sole S3-compatible storage backend, in place of the default minio (or opt-in rustfs). The rook-ceph operator and CephCluster must be deployed separately; see the Rook-Ceph user guide for end-to-end setup.

Values added - ilum (AIO)

NomDescriptionValeur
rookCeph.enabledEnable rook-ceph S3 storage integration (requires pre-deployed rook-ceph)faux
rookCeph.s3.hostRGW service hostname (e.g., rook-ceph-rgw-my-store.rook-ceph.svc.cluster.local)""
rookCeph.s3.serviceNameRGW Service name for Endpoints lookup; falls back to first segment of hôte""
rookCeph.s3.namespaceNamespace containing the RGW Service; falls back to second segment of hôte""
rookCeph.s3.portRGW service port80
rookCeph.s3.schemeURL scheme (http ou https); set to https for TLS-terminating RGW Serviceshttp
rookCeph.s3.insecureSkipVerifySkip TLS certificate verification (opt-in for self-signed Rook-managed RGW)faux
rookCeph.s3.regionS3 regionÉtats-Unis-Est-1
rookCeph.s3.accessKeyS3 access key from CephObjectStoreUserCHANGEMEPLEASE
rookCeph.s3.secretKeyS3 secret key from CephObjectStoreUserCHANGEMEPLEASE
rookCeph.bucketInit.enabledCreate S3 buckets on the RGW endpoint (reuses objectStorage.defaultBuckets)vrai
rookCeph.bucketInit.imageaws-cli image for bucket creationamazon/aws-cli:2.27.31
rookCeph.statusProbe.enabledEnable RGW health check in the bucket init Jobvrai
rookCeph.statusProbe.imageHealth check imagecurlimages/curl :8.5.0

⚠️⚠️⚠️ Warnings

  • minio.enabled=true is the chart default in the 6.7.x line (rustfs is opt-in until it becomes the default in 6.8.0). When switching to rook-ceph, the values overlay must set both minio.enabled=false et rustfs.enabled=false. The rustfsExtensions et minioExtensions bootstrap Jobs are already gated on their parent providers, so a separate *Extensions.enabled=false flag is not required. A chart validation now fails the install when rookCeph.enabled is combined with either bundled provider.
  • Le ilum-objectstorage Service alias is rendered as a selector-less Service backed by a manual Endpoints object that mirrors the live RGW Pod IPs from the rook-ceph namespace (a label-selector alias cannot cross namespaces, and an ExternalName CNAME is black-holed by kube-proxy because it cannot DNAT a packet twice). RGW Pod restarts rotate the Pod IPs and stale the mirrored Endpoints; re-run helm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yaml after any RGW Pod restart to refresh the addresses.
  • The shared ilum-objectstorage-credentials Secret is now seeded from rookCeph.s3.{accessKey,secretKey} in rook-ceph-only mode; an install fails fast when either is left at the CHANGEMEPLEASE placeholder.
  • The bucket init Job no longer swallows aws-cli errors. Network/credential/endpoint misconfigurations now fail the Job loudly instead of completing 1/1 with no buckets created.

To perform the rollout:

# 1. Deploy the rook-ceph operator and CephCluster in the rook-ceph namespace
# (operator chart, CephCluster CR, CephObjectStore, CephObjectStoreUser).
# Wait for the RGW Service and Pods to become Ready in the rook-ceph
# namespace; ilum-objectstorage Endpoints are mirrored from this Service
# at chart install/upgrade time.

# 2. Extract S3 credentials from the CephObjectStoreUser Secret.
ACCESS_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.AccessKey}' | base64 -d)
SECRET_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.SecretKey}' | base64 -d)

# 3. Render the overlay (the doc ships a complete template).
cat > ilum-rook-ceph-values.yaml <<EOF
rustfs:
enabled: false
minio:
enabled: false
rookCeph:
enabled: true
s3:
host: rook-ceph-rgw-.rook-ceph.svc.cluster.local
port: 80
accessKey: $ACCESS_KEY
secretKey: $SECRET_KEY
EOF

# 4. Install or upgrade.
Mise à niveau Helm --install ilum ./helm_aio -f ilum-rook-ceph-values.yaml

# 5. After RGW Pod restarts (Ceph cluster upgrades, rook-ceph operator
# rollouts, node maintenance), refresh the mirrored Endpoints:
helm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yaml

17. Legacy activities audit feature removed (helm_core)

Caractéristique:

The backend dropped the legacy "activities" audit trail; the structured EventLog now backs all audit and user/group operation statistics. The corresponding backend config key was removed, so its Helm value is dead.

Values deleted - helm_core

NomRaison
security.activities.timeToLiveBackend security.activities.timeToLive property no longer exists

RELEASE 6.7.1

1. Cluster-scoped RBAC for the management API

Caractéristique:

The management API (helm_api, which backs the Ilum CLI and the in-UI Module Marketplace) can now be granted a cluster-scoped role so it can install and manage modules that require cluster-scoped resources — CRDs, ClusterRoles/ClusterRoleBindings, admission webhooks, and Prometheus Operator custom resources (for example, kube-prometheus-stack). When rbac.clusterScope is enabled, the chart renders a ClusterRole et ClusterRoleBinding bound to the API service account; with it disabled, the API keeps only its namespace-scoped permissions.

Values added - helm_api

NomDescriptionValeur
rbac.clusterScopeRender a cluster-scoped ClusterRole/ClusterRoleBinding for the management APIvrai

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-api.rbac.createCreate RBAC resources for the management APIvrai
ilum-api.rbac.clusterScopeGrant the management API cluster-scoped RBACvrai

2. Probe and startup hardening

Caractéristique:

Liveness, readiness, and startup probe timings were relaxed across ilum-core, ilum-uiet ilum-api (longer initial delays, periods, and failure thresholds, with startup probes enabled) so the stack comes up cleanly in slower or resource-constrained environments. The bundled default cluster also gained a spark.kubernetes.memoryOverheadFactor de 0.5 and a higher default driver memory. No operator action is required.

RELEASE 6.7.0

1. Airflow version update

Caractéristique:

Updated Airflow from version 3.1.1 to 3.1.6.

Values changed - helm_aio

NomAncienne valeurNouvelle valeur
airflow.airflowVersion3.1.13.1.6
airflow.images.airflow.tag3.1.13.1.6
airflow.apiServer.extraInitContainers[0].image`ilum/airflow:3.1.1ilum/airflow:3.1.6

2. Added ClickHouse and Langfuse to ilum-aio

Caractéristique:

Added ClickHouse and Langfuse to ilum-aio as new modules. ClickHouse is a fast open-source OLAP database management system. Langfuse is an open source LLM engineering platform.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
clickhouse.enabledFlag to enable ClickHouse deployment in ilum-aiofaux
langfuse.enabledFlag to enable Langfuse deployment in ilum-aiofaux

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
runtimeVars.langfuseUrlURL of the Langfuse instancehttp://ilum-langfuse-web:3000
runtimeVars.langfusePathProxy path for Langfuse/external/langfuse/
nginx.config.langfuse.enabledEnable proxy for Langfusefaux
nginx.config.http_cookie.langfuse.enabledEnables cookie mapping for Langfusevrai

3. Configurable Scala version for default cluster

Caractéristique:

Supplémentaire scalaVersion configuration option to the default cluster settings. This allows users to specify which Scala version their Spark jobs are run with, supporting both Scala 2.12 for spark 3.x and 2.13 for spark 4.x

Values added - helm_core

NomDescriptionValeur
kubernetes.defaultCluster.scalaVersionScala version for Spark jobs (SCALA_2_12 or SCALA_2_13)SCALA_2_13

4. API token authentication system

Caractéristique:

Added "API token authentication system for internal and external service authentication."

Values added - helm_core

NomDescriptionValeur
security.api-token.enabledFlag to enable API token authenticationfaux
security.api-token.tokensList of initial tokens[]

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-core.security.api-token.enabledFlag to enable API token authenticationfaux
ilum-core.security.api-token.tokensList of initial tokens[{name: "superset", token: "initial-superset-token-for-engine-creation", permissions: ["SQLENGINE_CREATE"]}]

5. Startup probe for Ilum-core

Caractéristique:

Added startup probe to the Ilum-core deployment. This allows the application to have sufficient time to start in constrained environments while maintaining quick readiness and liveness checks once started. The startup probe delays readiness and liveness probes until the application starts successfully.

Values added - helm_core

NomDescriptionValeur
startupProbeStartup probe configuration for ilum-core containerSee values.yaml for full structure
startupProbe.failureThresholdNumber of failures before giving up (300 × 2s = 10 minutes max)300
startupProbe.periodSecondsHow often to perform the probe2
startupProbe.timeoutSecondsTimeout for each probe request1
startupProbe.httpGet.pathHTTP path for startup probe/actuator/health/liveness

Values changed - helm_core

NomAncienne valeurNouvelle valeur
livenessProbe.initialDelaySeconds12010
readinessProbe.initialDelaySeconds12010

6. Disabled SASL in Kafka configuration

Caractéristique:

Disabled SASL authentication in the default Kafka configuration. This change simplifies the setup for users who do not require SASL authentication for their Kafka clusters. Users who need SASL can still enable it through custom configuration.

Values added - helm_aio

NomDescriptionValeur
kafka.listeners.interbroker.protocolInterbroker protocolPLAINTEXT
kafka.listeners.controller.protocolController protocolPLAINTEXT
kafka.kraft.clusterIdKraft clusterId to prevent Bitnami chart upgrade failuresaWx1bS1kZWZhdWx0LWlkMQ

7. Management API and Ilum CLI

Caractéristique:

Added the helm_api chart (ilum-api), a Management API sidecar that exposes the Ilum CLI's operations over HTTP and powers the in-UI Module Marketplace for point-and-click module deployment. It is deployed by default in ilum-aio.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-api.enabledDeploy the Management API sidecar (CLI over HTTP)vrai

RELEASE 6.6.2

1. Spark 4.x Upgrade - Scala 2.13 Migration

Caractéristique:

Updated default Spark images to ilum/spark:4.0.1-delta and ilum-spark-launcher to spark-4.1.0. Spark 4.x exclusively uses Scala 2.13 and has dropped support for Scala 2.12.

Values changed - helm_core

NomAncienne valeurNouvelle valeur
kubernetes.defaultCluster.dockerImageilum/spark:3.5.7-deltailum/spark:4.0.1-delta
historyServer.imagespark-3.5.7spark-4.1.0
externalSparkSubmit.image.tagspark-3.5.7spark-4.1.0

⚠️⚠️⚠️ CRITICAL WARNING - BREAKING CHANGE ⚠️⚠️⚠️

Spark 4.x uses Scala 2.13 exclusively. Scala 2.12 is NO LONGER SUPPORTED.

This is a BREAKING CHANGE that may affect your existing Spark jobs:

  1. JAR Compatibility: Any Spark applications, libraries, or dependencies compiled with Scala 2.12 WILL NOT WORK with Spark 4.x. You must recompile all custom JARs with Scala 2.13.

  2. Affected Components:

    • Custom Spark applications (Scala-based)
    • Third-party libraries compiled for Scala 2.12
    • UDFs written in Scala
    • Quelconque .jar files built with scalaVersion := "2.12.x"
  3. How to Identify Affected JARs:

    • Check your build.sbt ou pom.xml pour scalaVersion settings
    • JAR names often contain the Scala version suffix (e.g., myapp_2.12-1.0.jar)
    • JARs with _2.12 suffix need to be rebuilt with _2.13
  4. Required Actions Before Upgrade:

    • Inventory all custom Spark JARs in use
    • Recompile all Scala-based applications with Scala 2.13
    • Update all third-party dependencies to Scala 2.13 versions
    • Test all jobs thoroughly in a staging environment
  5. No Backwards Compatibility:

    • Starting from this version, Ilum's Spark job wrapper uses Scala 2.13 exclusively
    • Running Spark 3.x jobs compiled with Scala 2.12 is no longer supported
    • Vous MUST recompile all your Scala-based Spark jobs with Scala 2.13 before upgrading
  6. PySpark Users: PySpark jobs are generally unaffected unless they use Scala-based UDFs or custom Scala libraries.

RECOMMENDATION: Test your workloads in a non-production environment before upgrading to this release.

2. Added environment variables support to default cluster configuration

Caractéristique:

Added support for configuring environment variables in the default cluster configuration. This allows users to set environment variables that will be applied to Spark jobs running on the default cluster. The SPARK_SUBMIT_OPTS environment variable is now configurable through Helm values instead of being hardcoded, providing better flexibility for JVM tuning and other environment-specific configurations.

Values added - helm_core

Default cluster environment variables configuration
NomDescriptionValeur
kubernetes.defaultCluster.environmentVariablesEnvironment variables for default cluster{}
kubernetes.defaultCluster.environmentVariables.SPARK_SUBMIT_OPTSJVM options for Spark submit process"-XX:MaxHeapSize=64m -XX:MaxMetaspaceSize=64m -Xss256k"

3. Added Unity Catalog integration

Caractéristique:

Supplémentaire helm_unity_catalog chart to provide Unity Catalog support as an optional catalog backend (similar to Hive Metastore and Nessie). Unity Catalog is disabled by default and can be enabled to provide unified governance for data and AI assets. The chart is integrated with the existing PostgreSQL database and MinIO S3 storage, with automatic JWT keypair generation for authentication.

Values added - helm_unity_catalog

NomDescriptionValeur
ilum-unity-catalog.enabledEnables Unity Catalog deploymentfaux
ilum-unity-catalog.server.enabledEnables the Unity Catalog servervrai
ilum-unity-catalog.server.db.typeDatabase backend type (file or postgresql)postgresql
ilum-unity-catalog.server.db.postgresqlConfig.hostPostgreSQL hostilum-postgresql-hl
ilum-unity-catalog.server.db.postgresqlConfig.portPostgreSQL port5432
ilum-unity-catalog.server.db.postgresqlConfig.dbNamePostgreSQL database nameunitycatalog
ilum-unity-catalog.server.db.postgresqlConfig.userPostgreSQL usernameilum
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretNameSecret containing PostgreSQL passwordilum-postgres-credentials
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretKeyKey in secret for passwordmot de passe
ilum-unity-catalog.server.jwtKeypairSecret.createAuto-generate JWT keypair for authenticationvrai
ilum-unity-catalog.storage.modelStorageRootS3 path for Unity Catalog model storages3a://ilum-data/unity-catalog/
ilum-unity-catalog.storage.credentials.s3[0].bucketPathS3 bucket paths3://ilum-data
ilum-unity-catalog.storage.credentials.s3[0].regionS3 regionÉtats-Unis-Est-1
ilum-unity-catalog.storage.credentials.s3[0].credentialsSecretNameSecret containing S3 credentialsilum-minio
ilum-unity-catalog.storage.credentials.s3[0].accessKeySecretKeyKey name for S3 access key in secretroot-user
ilum-unity-catalog.storage.credentials.s3[0].secretKeySecretKeyKey name for S3 secret key in secretroot-password
ilum-unity-catalog.ui.enabledEnables Unity Catalog UIfaux

Values added - helm_core

Unity Catalog metastore configuration
NomDescriptionValeur
ilum-core.metastore.typeSe mettre à unity to use Unity Catalog as metastoreruche
ilum-core.metastore.unity.addressUnity Catalog server endpointhttp://unity-catalog-ilum-unity-catalog-server:8080
ilum-core.metastore.unity.warehouseDirUnity Catalog warehouse directorys3a://ilum-data/unity-catalog/
ilum-core.metastore.unity.s3EndpointS3 endpoint for Unity Cataloghttp://ilum-minio:9000/
ilum-core.metastore.unity.s3PathStyleAccessEnable S3 path-style accessvrai
ilum-core.metastore.unity.catalogNameUnity Catalog name in Sparkunity_catalog
ilum-core.metastore.unity.configSpark configuration for Unity Catalog integrationSee values.yaml

Values added - postgresExtensions

NomDescriptionValeur
postgresExtensions.databasesToCreateSupplémentaire unitycatalog database for Unity Catalog metadata...,nessie,unitycatalog

⚠️⚠️⚠️ Warnings

  • Unity Catalog requires PostgreSQL and S3-compatible storage to be enabled
  • JWT keypairs are auto-generated on first deployment and stored in Kubernetes secrets
  • When using Unity Catalog, set ilum-core.metastore.type: unity to configure Spark integration

4. Added DuckDb and DuckLake to Ilum Core

Caractéristique:

Added DuckDb as an SQL executor and DuckLake as a metastore option in Ilum Core. DuckDb is a fast and lightweight SQL engine that supports a wide range of data types and SQL features. DuckLake is a distributed metastore for DuckDb, which provides options for multi-user access and data versioning.

Values added - ilum_core

NomDescriptionValeur
sql.duckdb.idleTimeoutDetermines the time DuckDb connections are kept alive without activity1h
sql.duckdb.ducklake.enabledEnables DuckLakevrai
sql.duckdb.ducklake.locationLocation of the data in for the DuckLakes3://ilum-ducklake/
sql.duckdb.ducklake.postgres.hostHost for the metastore postgres connection``
sql.duckdb.ducklake.postgres.portPort for the metastore postgres connection5432
sql.duckdb.ducklake.postgres.databaseDatabase name for the metastore postgres connectionducklake
sql.duckdb.ducklake.postgres.userUsername for the metastore postgres connection``
sql.duckdb.ducklake.postgres.passwordPassword for the metastore postgres connection``
sql.duckdb.ducklake.s3.endpointS3 endpoint for the metastore data``
sql.duckdb.ducklake.s3.regionS3 region for the metastore dataÉtats-Unis-Est-1
sql.duckdb.ducklake.s3.keyIdS3 key id for the metastore data``
sql.duckdb.ducklake.s3.secretS3 secret for the metastore data``
sql.duckdb.ducklake.s3.urlStyleUrl style to use for S3. Either chemin ou vhostchemin
sql.duckdb.ducklake.s3.sslWhether to use SSL for the S3 connectionfaux

RELEASE 6.6.1

1. Ugraded JupyterHub experience

Caractéristique:

Ugraded helm_jupyterhub to bundle Ilum-specific SSH/Git/LDAP bootstrap logic, curated notebooks, and tailored singleuser defaults so helm_aio merely enables the dependency, pins fullnameRemplacer, and surfaces only the still-relevant overrides. This also keeps the SSH network policy open for port 2222 and ensures the shared ilum-jupyter-ssh-keys secret remains stable, while c.JupyterHub.cleanup_servers = True guarantees the SSH service and user pods stop with the release.

Values added - helm_aio

NomDescriptionValeur
ilum-jupyterhub.enabledEnables the curated Ilum JupyterHub chartfaux

Values added - helm_jupyterhub

NomDescriptionValeur
fullnameRemplacerOverride for the full resource nameilum-jupyterhub
ActivéChart enabled flagfaux
SSH configuration
NomDescriptionValeur
ssh.enabledEnables the bundled SSH operator, service, and shared key workflowfaux
ssh.keysSecretSecret that provides the stable host and authorized keysilum-jupyter-ssh-keys
ssh.modeSSH authentication mode: maître (shared authorized_keys from keysSecret) or per-user (individual secrets per user)maître
ssh.perUserSecretNameTemplateTemplate for per-user secret names when using per-user modessh-keys-{username}
ssh.perUserAuthorizedKeysKeyKey name in per-user secrets containing authorized_keysauthorized_keys
ssh.service.typeType of service fronting port 2222NodePort
ssh.service.portPort exposed for SSH traffic2222
ssh.service.targetPortTarget port for SSH traffic2222
ssh.service.nodePortNodePort number (empty for auto-assignment)""
ssh.service.clusterIPClusterIP address (empty for auto-assignment)""
ssh.service.loadBalancerIPLoadBalancer IP address""
ssh.service.annotationsAnnotations for the SSH service{}
ssh.service.prefixPrefix for SSH service resourcesilum-jupyter-ssh
ssh.sshdConfig.customConfigCustom sshd_config lines[]
ssh.operatorImage.nameSSH operator image repositorydocker.ilum.cloud/ilum-jupyterhub
ssh.operatorImage.tagSSH operator image tagssh-operator-4.3.1
ssh.extraEnvExtra environment variables for SSH operator[]
Git configuration
NomDescriptionValeur
git.existingSecretCredentials that allow the Git init job to seed the notebooks repositoryilum-git-credentials
git.emailGit email for commitsilum@ilum
git.repositoryNom du dépôt GitJupyter
git.addressGitea server addressilum-gitea-http :3000
git.urlGitea endpoint URL used to seed the ilum-jupyterhub orghttp://ilum-gitea-http:3000
git.orgNameOrganization managed by the git-init jobilum-jupyterhub
git.operatorImage.nameGit operator image repositorydocker.ilum.cloud/ilum-jupyterhub
git.operatorImage.tagGit operator image taggitea-operator-4.3.1
git.secret.nameSecret containing credentials referenced by the operatorilum-git-credentials
git.secret.usernameKeyKey for username in the secretnom d’utilisateur
git.secret.passwordKeyKey for password in the secretmot de passe
LDAP configuration
NomDescriptionValeur
ldap.enabledKeeps the LDAP authenticator wired into Ilum JupyterHubvrai
ldap.urlsLDAP server endpoints that front the Ilum directory["ldap://ilum-openldap:389"]
ldap.baseSearch base for Ilum users and groups"dc=ilum,dc=cloud"
ldap.usernameBind DN used for authentication"cn=admin,dc=ilum,dc=cloud"
ldap.passwordPassword for the bind DNNot@SecurePassw0rd
ldap.adminUsersLDAP accounts with admin privileges in JupyterHub["ilumadmin","admin"]
ldap.userSearchBaseBase DN where user entries live"ou=people,dc=ilum,dc=cloud"
ldap.userSearchFilterFilter for user lookups« uid={0} »
ldap.groupSearchBaseBase DN where group entries live"ou=groups,dc=ilum,dc=cloud"
ldap.groupSearchFilterFilter that matches members« (membre={0}) »
ldap.allowedGroupsEmpty list allows all groups unless specified[]
ldap.userAttributeUser attribute for username« UID »
ldap.fullnameAttributeAttribute for user's full name« CN »
ldap.emailAttributeAttribute for user's email« courrier »
ldap.groupNameAttributeAttribute for group name« CN »
ldap.groupMemberAttributeAttribute for group membership"member"
ldap.useSslUse SSL for LDAP connectionfaux
ldap.startTlsUse STARTTLS for LDAP connectionfaux
ldap.lookupDnLookup DN before bindingvrai
Hub configuration
NomDescriptionValeur
hub.image.nameHub image repositorydocker.ilum.cloud/ilum-jupyterhub
hub.image.tagHub image tagjupyterhub-4.3.1
hub.contentSecurityPolicy.enabledTurns the managed CSP header injection on/offvrai
hub.contentSecurityPolicy.frameAncestorsOrigins allowed to embed JupyterHub in an iframe["'self'","http://localhost:9777"]
hub.gitInit.enabledRuns the job that ensures the ilum-jupyterhub organization/repo existvrai
Singleuser runtime defaults
NomDescriptionValeur
singleuser.startupArgs.iopubDataRateLimitRaised output bandwidth ceiling for Ilum workloads1000000000
singleuser.startupArgs.extraArgsAdditional CLI arguments forwarded to the user server[]
singleuser.nodeSelectorArchitecture-agnostic placement (empty by default){}
singleuser.tolerationsAllows scheduling on tainted nodes when needed[]
Image pull credentials
NomDescriptionValeur
imagePullSecret.createCreate the pull secret in-clusterfaux
imagePullSecret.automaticReferenceInjectionAuto-inject the created secret into JupyterHub workloadsvrai
imagePullSecret.registryRegistry host for the pull secret""
imagePullSecret.usernameRegistry username for the pull secret""
imagePullSecret.passwordRegistry password for the pull secret""
imagePullSecret.emailRegistry email for the pull secret""
imagePullSecret.nameExisting secret name to reference instead of the autogenerated pull secret""
imagePullSecretsAdditional pull secrets injected into all hub-managed pods[]

Values changed - helm_jupyterhub

NomAncienne valeurNouvelle valeur
singleuser.networkPolicy.allowedIngressPorts[][2222]

Instructions

  • Keep ilum-jupyter-ssh-keys stable outside Helm so the SSH host fingerprint survives upgrades; rotating the secret requires removing stale entries from user known_hosts.
  • Ensure ilum-git-credentials contains valid credentials for a Gitea account with org-level write access—both the SSH operator and Git init job rely on the rendered token.
  • To refresh the curated notebooks, update helm_jupyterhub/files/examples (and their config map templates) so the init container can push them into the ilum-jupyterhub repo again.

⚠️⚠️⚠️ Warnings

  • Port 2222 is opened via the SSH operator’s shared service; if you switch to per-user authorized keys, keep the service numbering and secrets aligned.

  • Cleanup is forced (c.JupyterHub.cleanup_servers = True), so user pods and the SSH service terminate with the Helm release. Manage any long-lived workloads outside this chart.

2. Upgraded Livy compatible API to version 0.8.0

Caractéristique:

Upgraded Livy compatible API to version 0.8.0 with enhanced configuration options for compression, server version control, and TTL-based session cleanup.

Valeurs ajoutées - ilum-core

Livy Compression Configuration
NomDescriptionValeur
livy.compression.enabledEnable response compression for Livy endpointsfaux
Livy Server Configuration
NomDescriptionValeur
livy.server.versionLivy server version identifier0.8.0
livy.server.sendServerVersionSend server version in response headersfaux
livy.server.allowCustomClasspathAllow custom classpath in session creationfaux
Livy TTL Session Cleanup Configuration
NomDescriptionValeur
livy.ttl.checkPeriodBackground sweep period in milliseconds for checking expired sessions300000
livy.ttl.checkInitialDelayInitial delay in milliseconds before first TTL background check60000

Valeurs ajoutées - ilum-aio

Same values as ilum-core but under the ilum-core. prefix (e.g., ilum-core.livy.compression.enabled).

⚠️⚠️⚠️ Important Notes

For most users:No action required. All new configuration options have safe defaults and are backward compatible.

Optional Performance Optimization: If you handle large Livy responses, you may enable compression by setting livy.compression.enabled: true.

Session Management: The new TTL cleanup uses a hybrid approach (lazy + background sweep) to automatically clean up expired sessions. Default settings should work for most deployments.

3. Updated default Spark version and added autopause configuration

Caractéristique:

Updated default Spark version to 3.5.7-delta dans kubernetes.defaultCluster.config. Added spark.ilum.autopause: "true" À kubernetes.defaultCluster.config to set the default behavior of the autopause feature.

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
kubernetes.defaultCluster.config.spark.kubernetes.container.imageilum/spark:3.5.6-deltailum/spark:3.5.7-delta

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kubernetes.defaultCluster.config.spark.ilum.autopauseSets the default behavior of autopause feature« Vrai »

Caractéristique:

Fixed stability issues and changed HTTP cookie-based access control to be disabled by default for all external services (Jupyter, Airflow, MLflow, Grafana, etc.).

What Changed?

  • External services are now open by default - no cookie requirements
  • All users can access services without any special configuration
  • System works out-of-the-box

What This Means for You

  • ✅ Your services will become more accessible
  • ✅ Users can access Jupyter, Airflow, MLflow, etc. without cookie setup
  • ✅ No action required for most deployments

If you need to restrict access:

  • Use the built-in OAuth2/Hydra authentication (recommended for production)
  • Or manually enable cookie-based access control per service (see below)

This is an advanced feature for specific use cases:

  • ✅ Temporary access restrictions for specific users/sessions
  • ✅ Custom access control integrated with your frontend application

To enable for a specific service:

nginx:
Configuration:
http_cookie:
Activé: vrai
ilum-jupyter:
Activé: vrai

Values changed - ilum-ui

NomAncienne valeurNouvelle valeur
nginx.config.http_cookie.enabledvraifaux

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
ilum-ui.nginx.config.http_cookie.enabledvraifaux

⚠️⚠️⚠️ Important Notes

For most users:No action required. This change makes services more accessible.

If you customized cookie settings in 6.6.0: You may need to review your configuration. The system now defaults to open access instead of requiring cookies.

RELEASE 6.6.0

1. Upgraded Apache Airflow to 3.1.1

Caractéristique:

Upgraded Apache Airflow from 3.0.5 to 3.1.1 with improved OIDC authentication support using authlib OAuth providers (AUTH_OAUTH) instead of deprecated flask-oidc (AUTH_OIDC). This upgrade includes fixes for OAuth redirect URI patterns and proper volume mounting for OIDC client secrets in init containers.

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
airflow.airflowVersion3.0.53.1.1
airflow.images.airflow.tag3.0.53.1.1
airflow.apiServer.extraInitContainers[0].imageilum/airflow:3.0.5ilum/airflow:3.1.1

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
airflow.migrateDatabaseJob.useHelmHooksDisable Helm hooks for database migration jobfaux
airflow.apiServer.extraInitContainers[0]Modified create admin user init containerSee below
airflow.apiServer.apiServerConfigConfigMapNameCustom webserver_config.py configmapilum-api-server-config
Init Container Volume Mount Configuration
- nom: create-Admin-utilisateur
image: ilum/airflow:3.1.1
command: ["/bin/bash", "/scripts/init.sh"]
volumeMontures:
- nom: ilum-airflow-create-utilisateur-secret
mountPath: /scripts
- nom: Configuration
mountPath: /opt/airflow/airflow.cfg
subPath: airflow.cfg
- nom: OAuth-secret-volume
mountPath: /opt/airflow/client-secret
readOnly: vrai
- nom: webserver-Configuration-volume
mountPath: /opt/airflow/webserver_config.py
subPath: webserver_config.py
readOnly: vrai

⚠️⚠️⚠️ Warnings

Configuration value airflow.apiServer.apiServerConfigConfigMapName is preconfigured to use a ConfigMap named ilum-api-server-config. But the name of this configMap must follow pattern -api-server-config to be properly mounted as it is Airflow's chart requirement. So if your release name is different from ilum, please change this value accordingly. For example use:

airflow:
apiServer:
apiServerConfigConfigMapName: -release-nom>-API-serveur-Configuration
extraVolumes:
- nom: OAuth-secret-volume
secret:
secretName: ilum-hydre-client-secret
- nom: ilum-airflow-create-utilisateur-secret
secret:
secretName: ilum-airflow-create-utilisateur-secret
- nom: webserver-Configuration-volume
configMap:
nom: -release-nom>-API-serveur-Configuration

2. Enhanced Jupyter startup configuration

Caractéristique:

Added configurable startup arguments for Jupyter notebook server, allowing users to customize base URL, IOPub data rate limits, and pass additional command-line arguments. Also added support for extra environment variables with templating support.

Valeurs ajoutées - ilum-jupyter

Startup and environment configuration
NomDescriptionValeur
tokenJupyter notebook authentication token""
startupArgs.baseUrlJupyter base URL path for reverse proxy configurations/external/jupyter/
startupArgs.iopubDataRateLimitIOPub data rate limit in bytes/sec (controls output bandwidth)1000000000
startupArgs.extraArgsAdditional command-line arguments to pass to Jupyter server[]
extraEnvAdditional environment variables for Jupyter container as string template""

⚠️⚠️⚠️ Warnings

  • All startup arguments configured via startupArgs.* can be completely overridden by setting the args parameter in values.yaml. When args is set, all default startup arguments are ignored, giving you full control over the Jupyter server startup command.
  • Le extraEnv parameter accepts a string template (multiline YAML using |). Example usage:
    extraEnv: |
    - name: MY_VAR
    value: value

3. Added Apache NiFi module

Caractéristique:

Added Apache NiFi to ilum-aio as a new module. This will allow users to easily deploy NiFi and use it next to Ilum.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
nifi.enabledFlag to enable NiFi deployment in ilum-aiofaux
nifi.fullnameOverrideFull name override for NiFiilum-nifi
nifi.image.tagTag of the source NiFi image2.5.0
nifi.properties.safetyValveAdditional properties passed to nifi.propertiesSee valeurs.yaml
nifi.persistence.enabledEnables PVC for the data directoryvrai
nifi.persistence.subpath.enabledEnabled one PVC instead of manyvrai
nifi.persistence.subpath.sizeSize of the data directory10Gi
nifi.zookeeper.enabledEnables bundled Zookeeper deploymentfaux
nifi.registry.enabledEnables bundled NiFi registry deploymentfaux
nifi.ca.enabledEnables bundled CA deploymentfaux
nifi.openldap.enabledEnables bundled openLDAP deploymentfaux

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
runtimeVars.nifiUrlURL of the NiFi instancehttp://ilum-nifi:8443/nifi/
runtimeVars.nifiPathProxy path of NiFi/external/nifi/
nginx.config.nifi.enabledEnable proxy for NiFifaux
nginx.config.http_cookie.nifi.enabledEnables cookie mapping for NiFivrai

4. Added integration with Project Nessie metastore

Caractéristique:

Added integration with Project Nessie metastore in Ilum, which allows the use of Nessie as a metastore for Spark jobs.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
metastore.typeIndicates the default metastoreruche
metastore.nessie.addressThe address of the default Nessie metastorehttp://ilum-nessie:19120/api/v2
metastore.nessie.warehouseDirThe location of the warehouse of the default Nessie metastores3a://ilum-data/nessie_catalog
metastore.nessie.s3EndpointThe S3 API endpoint to use for the default Nessie metastorehttp://ilum-minio:9000
metastore.nessie.s3PathStyleAccessWhether to use path style access for the S3 Nessie connectionvrai
metastore.nessie.authTypeAuth type of the default Nessie metastoreNONE
metastore.nessie.refThe branch to use for the default Nessie metastoreprincipal
metastore.nessie.cacheEnabledEnables caching in the default Nessie metastorefaux
metastore.nessie.catalog_nameThe name of the catalog for the default Nessie metastorenessie_catalog
metastore.nessie.configAdditional config to add for the Spark jobSee valeurs.yaml
metastore.nessie.statusProbeStatus probe for the Nessie metastore, so Ilum-core does not launch too quicklySee valeurs.yaml

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
nessie.enabledEnables or disables bundled Nessie deploymentfaux
nessie.fullnameOverrideFull name override for Nessieilum-nessie
nessie.versionStoreTypeType of persistent metadata storageJDBC2
nessie.extraInitContainersAdds init containers to Nessie (waiting for database)See valeurs.yaml
nessie.jdbc.jdbcUrlUrl for DB connectionjdbc:postgresql://ilum-postgresql-hl:5432/nessie
nessie.jdbc.secret.nameSecret containing DB credentialsilum-postgres-credentals
nessie.jdbc.secret.usernameKey of username in the secretnom d’utilisateur
nessie.jdbc.secret.passwordKey of password in the secretmot de passe

Changements de noms - ilum-core

Ancien nomNouveau nom
hiveMetastore.enabledmetastore.enabled
hiveMetastore.*metastore.hive.*

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
kubernetes.defaultCluster.configSee valeurs.yamlSee valeurs.yaml

⚠️⚠️⚠️ Warnings

This is an important change that will need to be addressed if any custom changes to the default configuration were made. Please carefully review the changes and make sure they will not break your deployment.

5. Livy API now fully served by ilum-core (embedded)

Caractéristique:

Livy API is implemented and served directly by ilum-core (embedded). The legacy Livy proxy is deprecated but can still be turned on for backward compatibility.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-core.livy.enabledEnables embedded Livy integration in AIO via ilum-corevrai
ilum-core.livy.ilumUI.publicEndpointPublic endpoint of ilum-ui used for Livy links/integrationhttp://localhost:9777
ilum-livy-proxy.legacy.enabledTurns on the legacy Livy proxy resources (ConfigMap/Deployment/etc.)faux

⚠️⚠️⚠️ Warnings

  • Le compat Service (ilum-livy-proxy → ilum-core) is deprecated and will be removed in a future release.
  • Le legacy proxy is also deprecated and will be removed after the transition period.
  • Mode matrix (AIO):
    • ilum-livy-proxy.enabled=false & ilum-livy-proxy.legacy.enabled=false → nothing created; call ilum-core directly.
    • ilum-livy-proxy.enabled=true & ilum-livy-proxy.legacy.enabled=false → create compat Service pointing to the new ilum-core Livy API.
    • ilum-livy-proxy.enabled=false & ilum-livy-proxy.legacy.enabled=true → deploy legacy proxy.
  • When legacy is enabled, update client endpoints to use the legacy Service:
    • ilum-jupyter.livyEndpoint = http://ilum-livy-proxy:8998
    • ilum-zeppelin.livyEndpoint = http://ilum-livy-proxy:8998
    • Airflow connection: AIRFLOW_CONN_ILUM-LIVY-PROXY=livy://ilum-livy-proxy:8998
  • Some resources (e.g., ConfigMap/Ingress) are rendered based on ilum-livy-proxy.legacy.enabled only (not on ilum-livy-proxy.enabled).

6. Added cronjob cleaning after uninstalling

Caractéristique:

A pre-delete hook will now clean up kubernetes cronjobs after uninstalling the chart.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
cronjob.cleanup.enabledEnable cronjob cleanup after uninstalling the chartvrai
cronjob.cleanup.imageImage used for the cleanup jobalpine/kubectl:1.34.1

RELEASE 6.5.2

1. SSH mode implementation for helm_jupyter

Caractéristique:

SSH mode in the helm_jupyter chart has been implemented to provide SSH access directly within the main Jupyter container. This allows users to access their Jupyter environment via SSH while maintaining workspace consistency between web and SSH interfaces.

Values added - helm_jupyter

SSH access configuration
NomDescriptionValeur
ssh.enabledEnable SSH access in the Jupyter containervrai
ssh.keysSecretName of the secret containing SSH keysilum-jupyter-ssh-keys
ssh.service.typeSSH service typeNodePort
ssh.service.portSSH service port2222
ssh.service.nodePortSSH service node port (when service type is NodePort)""
ssh.service.clusterIPSSH service cluster IP""
ssh.service.loadBalancerIPSSH service load balancer IP""
ssh.service.annotationsSSH service annotations{}
ssh.sshdConfig.customConfigCustom SSH server configuration[]

⚠️⚠️⚠️ Warnings

  • SSH server runs directly in the main Jupyter container on port 2222 internally
  • SSH keys must be provided via a Kubernetes Secret referenced by ssh.keysSecret parameter
  • The secret should contain both SSH host keys and authorized_keys for authentication
  • SSH access provides direct access to the /home/jovyan/work directory (same as web interface)
  • Custom SSH server configuration can be provided via ssh.sshdConfig.customConfig array

2. Address Bitnami’s move to bitnamilegacy + bitnamisecure

Caractéristique:

Bitnami has moved to bitnamilegacy + bitnamisecure for their images after the 18th of August 2025. This change moves used images to the new repositories.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
global.security.allowInsecureImagesAllows images from outside of bitnami repository in Bitnami's chartsvrai
kafka.image.repositoryRepository for Kafka's imagebitnamilegacy/kafka
minio.image.repositoryRepository for Minio's imagebitnamilegacy/minio
mlflow.image.repositoryRepository for MlFlow's imagebitnamilegacy/mlflow
postgresql.image.repositoryRepository for Postgresql's imagebitnamilegacy/postgresql

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
airflowExtensions.git.imagebitnami/git :2.48.1bitnamisecure/git@sha256:72ae5bd9715fc81446becc0418011883479c593bac427911aa62ecf27ef96546
postgresExtensions.imagebitnami/postgresql :16bitnamilegacy/postgresql:16

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
kafka.statusProbe.imagebitnami/kafka :3.4.1bitnamilegacy/kafka:3.4.1

Values changed - ilum-hive-metastore

NomAncienne valeurNouvelle valeur
postgresql.imagebitnami/postgresql :16bitnamilegacy/postgresql:16

Values changed - ilum-jupyter

NomAncienne valeurNouvelle valeur
git.init.imagebitnami/git :2.48.1bitnamisecure/git@sha256:72ae5bd9715fc81446becc0418011883479c593bac427911aa62ecf27ef96546

Values changed - ilum-marquez

NomAncienne valeurNouvelle valeur
marquez.db.imagebitnami/postgresql :16bitnamilegacy/postgresql:16

1. Updated Airflow defaults in ilum-aio

Caractéristique:

Bumped Airflow to 3.0.5 and streamlined default connection/env configuration. Removed legacy cleanup and scheduler overrides in favor of chart defaults and connection-based setup.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
airflow.enableBuiltInSecretEnvVars.AIRFLOW__CORE__FERNET_KEYEnable default fernet key generationfaux

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
airflow.extraEnvSee valeurs.yamlSee valeurs.yaml
airflow.airflowVersion3.0.33.0.5
airflow.images.airflow.tag3.0.33.0.5
airflow.apiServer.extraInitContainers[0].imageilum/airflow:3.0.3ilum/airflow:3.0.5

Values deleted - ilum-aio

NomRaison
airflow.scheduler.argsRevert to chart default scheduler command as we manage connections via env variables now
airflow.cleanup.enabledUse executor's instant cleanup
airflow.config.kubernetes_executor.delete_worker_podsUse chart defaults
airflow.config.kubernetes_executor.delete_worker_pods_on_failureUse chart defaults

⚠️⚠️⚠️ Warnings

As the default Airflow’s fernet key creation mechanism made it impossible to enable Airflow via values upgrade, the mechanism will get disabled by default. To use it once again, manually create a Kubernetes secret and set required values in the airflow chart.

Caractéristique:

Added configurable HTTP cookie mappings in the ilum-ui nginx configuration. This allows users to enable or disable cookie-based access control for individual services or turn off the entire cookie mapping section. Each service can be controlled individually while maintaining backward compatibility with all options enabled by default.

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
nginx.config.http_cookie.enabledGlobal flag to enable HTTP cookie mappingsvrai
nginx.config.http_cookie.historyServer.enabledEnable cookie mapping for history server accessvrai
nginx.config.http_cookie.mlflow.enabledEnable cookie mapping for MLflow accessvrai
nginx.config.http_cookie.ilum-jupyter.enabledEnable cookie mapping for Jupyter notebook accessvrai
nginx.config.http_cookie.gitea.enabledEnable cookie mapping for Gitea accessvrai
nginx.config.http_cookie.n8n.enabledEnable cookie mapping for n8n accessvrai
nginx.config.http_cookie.minio.enabledEnable cookie mapping for MinIO accessvrai
nginx.config.http_cookie.airflow.enabledEnable cookie mapping for Airflow accessvrai
nginx.config.http_cookie.superset.enabledEnable cookie mapping for Superset accessvrai
nginx.config.http_cookie.grafana.enabledEnable cookie mapping for Grafana accessvrai
nginx.config.http_cookie.kestra.enabledEnable cookie mapping for Kestra accessvrai
nginx.config.http_cookie.mageai.enabledEnable cookie mapping for Mage AI accessvrai

4. PostgreSQL Max Connections Configuration

Caractéristique:

Added PostgreSQL max_connections configuration to address database connection limits in high-load scenarios.

Valeurs ajoutées - ilum-aio

PostgreSQL configuration
NomDescriptionValeur
postgresql.primary.extendedConfigurationExtended PostgreSQL configuration to set max_connections parametermax_connections = 1000

RELEASE 6.4.3

1. Added Mage to ilum-aio

Caractéristique:

Added Mage OSS to ilum-aio as a new module. This will allow users to easily deploy Mage and use it next to Ilum.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
mageai.enabledFlag to enable Mage OSS deployment in ilum-aiofaux
mageai.fullnameOverrideOverrides the full name of the Mage deploymentilum-mageai
mageai.image.repositoryRepository of the source Mage imageilum/mageai
mageai.image.tagTag of the source Mage image0.9.76
mageai.rootPathThe root path for the Mage web serverexternal/mageai
mageai.service.typeType of Mage's kubernetes serviceClusterIP (en anglais)
mageai.redis.enabledEnables Redis for the Mage deploymentfaux
mageai.postgresql.enabledEnables external Postgres for Magevrai
mageai.postgresql.deployDeploys external Postgres for Magefaux
mageai.postgresql.fullnameOverrideThe name of the Postgres serviceilum-postgresql-hl
mageai.postgresql.auth.usernameUsername of the Postgres userilum
mageai.postgresql.auth.passwordPassword of the Postgres userCHANGEMEPLEASE
mageai.postgresql.auth.databaseThe database Mage should usemageai
mageai.persistence.enabledEnables PVC for the main data directoryvrai

2. Updated Airflow’s chart and values to support Airflow 3.0

Caractéristique:

Updated Airflow’s chart and values to support Airflow 3.0, which includes changes in the configuration and deployment of Airflow.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
airflow.airflowVersionSets chart compatibility for given Airflow version3.0.3
airflow.apiServer.*apiServer replaces webserver settingsSee valeurs.yaml
airflow.config.core.auth_managerClass of auth manager used in Airflowairflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager
airflow.config.api.base_urlThe base path of the Airflow web apphttp://localhost:9777/external/airflow
airflow.config.api.enable_xcom_deserialize_supportEnables XCom deserialization in Airflow APIVrai
airflow.config.logging.colored_console_logEnables colored console log in AirflowVrai
airflow.config.kubernetes_executor.delete_worker_podsEnables instant deletion of worker podsFalse
airflow.config.kubernetes_executor.delete_worker_pods_on_failureEnables instant deletion of failed worker podsFalse
airflow.cleanup.enabledEnables periodic deletion of worker podsVrai

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
airflow.images.airflow.tag2.9.33.0.3
airflow.executorLocalKubernetesExecutorKubernetesExecutor
airflow.extraEnvSee valeurs.yamlSee valeurs.yaml
airflow.webserver.extraInitContainersSee valeurs.yamlSee valeurs.yaml

Values deleted - ilum-aio

NomRaison
airflow.migrateDatabaseJob.useHelmHooksRevert to chart default

Values changed - ilum-ui

NomAncienne valeurNouvelle valeur
runtimeVars.airflowUrlhttp://ilum-airflow-webserver:8080http://ilum-airflow-api-server:8080

⚠️⚠️⚠️ Warnings

Ilum’s changes, Airflow 3.0 and the new Airflow chart version bring significant changes to the Airflow configuration and deployment. Please review the new values and adjust your configuration accordingly.

If you are a user of Ilum’s OAuth2 provider, this update may require you to manually update some configuration, as Helm is likely to not be able to automatically migrate the values.

3. Added securityContext configuration for ilum charts

Caractéristique:

Added comprehensive securityContext configuration for enhanced security across all ilum Helm charts. This includes both pod-level and container-level security contexts with non-root user execution, capability dropping, and seccomp profiles.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
securityContext.pod.runAsNonRootRun container as non-root uservrai
securityContext.pod.runAsUserUser ID to run the container1001
securityContext.pod.runAsGroupGroup ID to run the container1001
securityContext.pod.fsGroupFile system group ID1001
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfaux
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfaux
securityContext.container.runAsNonRootRun container as non-root uservrai
securityContext.container.runAsUserUser ID to run the container1001
securityContext.container.runAsGroupGroup ID to run the container1001
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
securityContext.pod.runAsNonRootRun pod as non-root uservrai
securityContext.pod.runAsUserUser ID to run the pod101
securityContext.pod.runAsGroupGroup ID to run the pod101
securityContext.pod.fsGroupFile system group ID101
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfaux
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfaux
securityContext.container.runAsNonRootRun container as non-root uservrai
securityContext.container.runAsUserUser ID to run the container101
securityContext.container.runAsGroupGroup ID to run the container101
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Valeurs ajoutées - ilum-jupyter

NomDescriptionValeur
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfaux
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfaux
securityContext.container.runAsNonRootRun container as non-root uservrai
securityContext.container.runAsUserUser ID to run the container1000
securityContext.container.runAsGroupGroup ID to run the container100
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.initContainer.allowPrivilegeEscalationAllow privilege escalation for init containerfaux
securityContext.initContainer.readOnlyRootFilesystemRead-only root filesystem for init containerfaux
securityContext.initContainer.runAsNonRootRun init container as non-root userfaux
securityContext.initContainer.runAsUserUser ID to run the init container0
securityContext.initContainer.runAsGroupGroup ID to run the init container0
securityContext.initContainer.capabilities.dropCapabilities to drop for init container["ALL"]
securityContext.initContainer.seccompProfile.typeSeccomp profile type for init containerUnconfined

Valeurs ajoutées - ilum-livy-proxy

NomDescriptionValeur
securityContext.pod.runAsNonRootRun pod as non-root uservrai
securityContext.pod.runAsUserUser ID to run the pod1001
securityContext.pod.runAsGroupGroup ID to run the pod1001
securityContext.pod.fsGroupFile system group ID1001
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfaux
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfaux
securityContext.container.runAsNonRootRun container as non-root uservrai
securityContext.container.runAsUserUser ID to run the container1001
securityContext.container.runAsGroupGroup ID to run the container1001
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Valeurs ajoutées - ilum-aio

Added securityContext configuration for postgresExtensions
NomDescriptionValeur
postgresExtensions.securityContext.pod.runAsNonRootRun pod as non-root uservrai
postgresExtensions.securityContext.pod.runAsUserUser ID to run the pod999
postgresExtensions.securityContext.pod.runAsGroupGroup ID to run the pod999
postgresExtensions.securityContext.pod.fsGroupFile system group ID999
postgresExtensions.securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
postgresExtensions.securityContext.container.allowPrivilegeEscalationAllow privilege escalationfaux
postgresExtensions.securityContext.container.readOnlyRootFilesystemRead-only root filesystemfaux
postgresExtensions.securityContext.container.runAsNonRootRun container as non-root uservrai
postgresExtensions.securityContext.container.runAsUserUser ID to run the container999
postgresExtensions.securityContext.container.runAsGroupGroup ID to run the container999
postgresExtensions.securityContext.container.capabilities.dropCapabilities to drop["ALL"]
postgresExtensions.securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

RELEASE 6.4.2

1. changed openldap chart provider to jp-gouin's

Caractéristique:

Changed openldap chart provider to jp-gouin's, which is more actively maintained and has better support for features like TLS. Because of that, the default configuration of openldap was changed to reflect the new provider's defaults.

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
security.ldap.userMapping.enabledSnemployeeType
security.ldap.userMapping.enabledValue~active
security.ldap.passwordAdminNot@SecurePassw0rd

Valeurs ajoutées - ilum-aio

Added new values for openldap configuration
NomDescriptionValeur
global.ldapDomainDomain of the LDAP configurationilum.cloud
openldap.replicaCountReplica count of openLDAP1
openldap.replication.enabledEnable HA for openLDAPfaux
openldap.ltb-passwd.enabledEnable ltb-passwd servicefaux
openldap.phpldapadmin.enabledEnable PhpLdapAdminfaux

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
openldap.env.LDAP_BACKENDhdbmdb
openldap.customLdifFilessee valeurs.yamlsee valeurs.yaml

Values deleted - ilum-aio

NomRaison
openldap.env.LDAP_ORGANISATIONManaged by the chart
openldap.env.LDAP_DOMAINManaged by the chart
openldap.env.LDAP_TLSManaged by the chart
openldap.env.LDAP_TLS_ENFORCEManaged by the chart

RELEASE 6.4.1

1. Adapt hydra to https

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
global.security.hydra.uiDomaineDomain where ilum-ui can be accessed from browser``
global.security.hydra.uiProtocoleProtocol used to access ilum-ui: http ou httpshttp

Values deleted - ilum-aio

NomRaison
global.security.hydra.uiUrlRemplacé par uiDomain et uiProtocole

Valeurs ajoutées - ilum-core

NomDescriptionValeur
hydra.cookies.same_site_modeSameSite value for hydra cookies in set-cookie headerLaxiste

2. Added openldap to helm chart and ilum-to-ldap synchronization

Valeurs ajoutées - ilum-aio

Added openldap configuration values
NomDescriptionValeur
openldap.enabledFlag used to enable openldapfaux
openldap.adminPasswordPassword of admin ldap userAdmin
openldap.fullnameOverrideName of Openldap helm chart resourcesilum-openldap
openldap.persistence.enabledFlag to enable persistence by openldapvrai
openldap.persistence.sizeMemory used by openldap for storage1Gi
openldap.env.LDAP_ORGANIZATIONOrganization name of main ldap domainIlum
openldap.env.LDAP_DOMAINMain domain used in ldap by adminilum.cloud
openldap.env.LDAP_BACKENDType of ldap backendhdb
openldap.env.LDAP_TLSFlag used to enable TLS in ldapfaux
openldap.env.LDAP_TLS_ENFORCEFlag used to enforce TLS in ldapfaux
openldap.env.LDAP_REMOVE_CONFIG_AFTER_SETUPFlag used to update configvrai
openldap.customLdifFiles.schemas.ldifFile with custom schem applied at the startup

Valeurs ajoutées - ilum-core

Added configurations for synchronization of ldap with ilum
NomDescriptionValeur
security.ldap.ilumToLdapSyncFlag used to enable ilum to ldap syncfaux
security.ldap.userMapping.ocOC values used during insertion of ilum users into ldap
security.ldap.groupMapping.ocOC values used during insertion of ilum groups into ldap

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
security.ldap.urls[][ "ldap://ilum-openldap:389" ]
security.ldap.base""dc=ilum,dc=cloud
security.ldap.nom_utilisateur""cn=admin,dc=ilum,dc=cloud
security.ldap.password""Admin
security.ldap.adminUsers[ "admin" ][ "admin", "ilumadmin" ]
security.ldap.userMapping.base""ou=personnes
security.ldap.userMapping.fullname""Cn
security.ldap.userMapping.description""description
security.ldap.userMapping.email""courrier
security.ldap.userMapping.enabled""Sn
security.ldap.userMapping.base""ou=groups
security.ldap.userMapping.description""description

3. Restricted RBAC Mode for ilum-core service

Caractéristique:

Introduced a new rbac.restricted.enabled flag in the ilum-core chart. When set to vrai, this option applies a more restrictive set of RBAC permissions for the service account. This enhances security by adhering to the principle of least privilege and is recommended for production or security-sensitive environments.

Valeurs ajoutées - ilum-core

Added a flag to enable a more restrictive RBAC configuration.
NomDescriptionValeur
rbac.restricted.enabledIf true, applies a more restrictive, non-cluster-wide set of RBAC permissions for Spark applications.faux

4. Added Activé flag to Trino in ilum-sql

Caractéristique:

Supplémentaire Activé flag to Trino in ilum-sql, which allows users to disable Trino if they do not need it. This also will help ilum-ui with the configuration of Trino.

Values added - ilum-sql

NomDescriptionValeur
config.trino.enabledFlag to enable Trino in ilum-sqlfaux

⚠️⚠️⚠️ Warnings

Trino was enabled by default, so if you wish to enable it after the version upgrade, you need to set ilum-sql.config.trino.enabled À vrai dans vos valeurs de casque.

RELEASE 6.4.0

1. Addition of OAuth Provider and its integration with Services

Caractéristique:

Added Hydra deployment to helm chart and fields to configure it

Valeurs ajoutées - ilum-core

NomDescriptionValeur
global.security.hydra.enabledFlag to enable hydrafaux
global.security.hydra.uiUrlIlum UI url required to configure OpenID connect``
global.security.hydra.clientIdClient Id of OpenID client created in hydrailum-client
global.security.hydra.cliendSecretClient Secret of OpenId Client created in hydrasecret
hydra.dsnDSN for database used by hydrapostgres://ilum:CHANGEMEPLEASE@ilum-postgresql:5432/hydra?sslmode=disable
hydra.secretsSystemSecret used by hydra to securily store dataCHANGEMEPLEASE
hydra.recreateClientBoolean flag for OpenId client recreation during hydra startupvrai
hydra.resources.requestsMemory and CPU limits and requests used by hydra deploymentzéro
hydra.imagePullPolicyHydra container image pull policyIfNotPresent
hydra.service.domainDomain used by hydra serviceilum-hydra
hydra.service.publicPortPort that exposes public api of hydra4444
hydra.service.adminPortPort that exposes admin api of hydra4445
hydra.service.typeHydra service typeClusterIP (en anglais)
hydra.service.publicNodePortHydra service node port assigned to public port``
hydra.service.publicNodePortHydra service node port assigned to admin port``
hydra.service.clusterIPHydra service cluster IP``
hydra.service.loadBalancerIPHydra service load balancer IP``
hydra.service.annotationsAnnotations used by hydra service{}
hydra.separateDeploymentFlag to launch hydra in a separate deployment or in ilum-corevrai

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
runtimeVars.hydraUrlUrl of Hydra Public APIhttp://ilum-hydra:4444
runtimeVars.hydraPathilum-ui proxy-path to hydra public api/external/hydra

Caractéristique

Added helm values to specify how roles and groups from ilum-core are going to be mapped to microservices of ilum

Valeurs ajoutées - ilum-core

NomDescriptionValeur
hydra.rewriteMappingBoolean flag for recreation of ilum-to-services roles config after ilum-core restartvrai
hydra.mapping.minioMinAccessRoleDefault role assigned to ilum users with access to minioLecture seule
hydra.mapping.airflowMinAccessRoleDefault role assigned to ilum users with access to airflowViewer
hydra.mapping.supersetMinAccessRoleDefault role assigned to ilum users with access to supersetGamma
hydra.mapping.grafanaMinAccessRoleDefault role assigned to ilum users with access to grafanaViewer
hydra.mapping.giteaMinAccessRoleDefault role assigned to ilum users with access to gitea``
hydra.mapping.groupsToMinioMap of ilum groups to a list of minio policieszéro
hydra.mapping.groupsToSupersetMap of ilum groups to a list of superset roleszéro
hydra.mapping.groupsToAirflowMap of ilum groups to a list of airflow roleszéro
hydra.mapping.groupsToGrafanaMap of ilum groups to a list of grafana roleszéro
hydra.mapping.groupsToGiteaMap of ilum groups to a list of gitea roleszéro
hydra.mapping.groupsToMinio[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToMinio[*].serviceObjsList of minio policies that the ilum group is mapped to``
hydra.mapping.groupsToSuperset[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToSuperset[*].serviceObjsList of superset roles that the ilum group is mapped to``
hydra.mapping.groupsToAirflow[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToAirflow[*].serviceObjsList of airflow roles that the ilum group is mapped to``
hydra.mapping.groupsToGrafana[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToGrafana[*].serviceObjsList of grafana roles that the ilum group is mapped to``
hydra.mapping.groupsToGitea[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToGitea[*].serviceObjsList of gitea roles that the ilum group is mapped to``
hydra.mapping.rolesToGiteaMap of ilum roles to a list of gitea roleszéro
hydra.mapping.rolesToMinio[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToMinio[0].serviceObjsList of minio policies that the ilum role is mapped to[ consoleAdmin ]
hydra.mapping.rolesToMinio[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToMinio[1].serviceObjsList of minio policies that the ilum role is mapped to[ readonly, writeonly, diagnostics ]
hydra.mapping.rolesToSuperset[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToSuperset[0].serviceObjsList of superset roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToSuperset[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToSuperset[1].serviceObjsList of superset roles that the ilum role is mapped to[ Alpha ]
hydra.mapping.rolesToAirflow[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToAirflow[0].serviceObjsList of airflow roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToAirflow[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToAirflow[1].serviceObjsList of airflow roles that the ilum role is mapped to[ User ]
hydra.mapping.rolesToGrafana[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToGrafana[0].serviceObjsList of grafana roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToGrafana[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToGrafana[1].serviceObjsList of grafana roles that the ilum role is mapped to[ Editor ]
hydra.mapping.rolesToMinio[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToMinio[*].serviceObjsList of minio policies that the ilum role is mapped to``
hydra.mapping.rolesToSuperset[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToSuperset[*].serviceObjsList of superset roles that the ilum role is mapped to``
hydra.mapping.rolesToAirflow[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToAirflow[*].serviceObjsList of airflow roles that the ilum role is mapped to``
hydra.mapping.rolesToGrafana[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToGrafana[*].serviceObjsList of grafana roles that the ilum role is mapped to``
hydra.mapping.rolesToGitea[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToGitea[*].serviceObjsList of gitea roles that the ilum role is mapped to``

Caractéristique

Integrated minio with Hydra OIDC in values.yaml by adding new environment variables with oidc client data taken from global.security.hydra

Values added - minio

| minio.extraEnvVars | | |

NomAncienne valeurNouvelle valeur
minio.extraEnvVars......

Caractéristique

Integrated airflow with Hydra OIDC in values.yaml

Values added - airflow

NomDescriptionValeur
airflow.webserver.extraVolumes[0].nameName of additional airflow volume with oidc configoauth-secret-volume
airflow.webserver.extraVolumes[0].secret.secretNameAirflow secret with hydra oidc client configilum-hydra-client-secret
airflow.webserver.extraVolumeMounts[0].nameName of volume-mount of secret with oidc configoauth-secret-volume
airflow.webserver.extraVolumeMounts[0].mountPathPath for volume-mount of secret with oidc config/opt/airflow/client-secret
airflow.webserver.extraVolumeMounts[0].readOnlyreadonly flag of volume mount with oidc configvrai

Caractéristique

Integrated grafana with Hydra OIDC in values.yaml

Values added - grafana

NomDescriptionValeur
grafana.grafana.ini.auth.generic_oauth.enabledFlag to enable oauth in grafana, taken from global.security.hydra.enabled by defaultfaux
grafana.grafana.ini.auth.generic_oauth.nameName of oauth clientIlum
grafana.grafana.ini.auth.generic_oauth.allow_sign_upFlag to enable user creation when signing in with oauthvrai
grafana.grafana.ini.auth.generic_oauth.client_idId of oauth client, taken from global.security.hydra.clientId by defaultilum-client
grafana.grafana.ini.auth.generic_oauth.client_secretSecret of oauth client, taken from global.security.hydra.clientSecret by defaultsecret
grafana.grafana.ini.auth.generic_oauth.scopesScopes requested from oauthopenid profile email offline_access
grafana.grafana.ini.auth.generic_oauth.auth_urlUrl used to initiate oauth authentication, uses global.security.hydra.uiUrl as base by default/external/hydra/oauth2/auth
grafana.grafana.ini.auth.generic_oauth.token_urlUrl used for tokens exchange in oauth workflow, uses global.security.hydra.uiUrl as base by default/external/hydra/oauth2/token
grafana.grafana.ini.auth.generic_oauth.api_urlUrl used to access user info, uses global.security.hydra.uiUrl as base by default/external/hydra/userinfo
grafana.grafana.ini.auth.generic_oauth.login_attribute_pathId token claim used to distinguish different usersuserId
grafana.grafana.ini.auth.generic_oauth.email_attribute_nameId token claim with emailMessagerie électronique
grafana.grafana.ini.auth.generic_oauth.role_attribute_pathExpression used to map roles from id_token to grafana...
grafana.grafana.ini.auth.generic_oauth.role_attribute_strictFlag to require the role during sign upvrai

Caractéristique

Integrated superset with Hydra OIDC in values.yaml

Values added - superset

NomDescriptionValeur
superset.configOverrides.ilum_oauth_securityCode added to superset config in order to enable oidc...
superset.extraVolumes[0].nameName of extra volume with a secret for oidc connectionoauth-secret-volume
superset.extraVolumes[0].secret.secretNameName of secret used in extra volume for oidc connectionilum-hydra-client-secret
superset.extraVolumes[1].nameName of extra volume with superset plugin used to enable oidcoauth-plugin-volume
superset.extraVolumes[1].secret.secretNameSecret with superset plugin used to enable oidcilum-superset-oidc-plugin-secret
superset.extraVolumeMounts[0].nameName of volume mount with oidc secret dataoauth-secret-volume
superset.extraVolumeMounts[0].mountPathPath of volume mount with oidc secret data/app/pythonpath/oauth
superset.extraVolumeMounts[1].nameName of volume mount with a superset plugin as a python fileoauth-plugin-volume
superset.extraVolumeMounts[1].mountPathPath of volume mound with a superset plugin/app/pythonpath/security

2. Addition of examples for ilum-core and superset

Caractéristique:

Added examples for Ilum modules. New Ilum users can use these examples to quickly understand how to use Ilum modules like ilum-sql, superset and others.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
examples.jobEnables creating single job examplevrai
examples.scheduleEnables creating schedule examplevrai
examples.sqlNotebookEnables creating sql notebook examplevrai
examples.sqlQueryEnables creating sql query examplevrai
examples.databaseEnables creating database examplevrai

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-core.examples.jobEnables creating single job examplevrai
ilum-core.examples.scheduleEnables creating schedule examplevrai
ilum-core.examples.sqlNotebookEnables creating sql notebook examplevrai
ilum-core.examples.sqlQueryEnables creating sql query examplevrai
ilum-core.examples.databaseEnables creating database examplevrai
superset.extraEnv.IMPORT_DASHBOARDEnables creating superset dashboard examplevrai
superset.extraVolumes[2].nameVolume name for dashboard importexample-dashboard
superset.extraVolumes[2].configMap.nameConfigMap that contains base64-encoded dashboardilum-superset-example-dashboard
superset.extraVolumeMounts[2].nameMount name for example dashboard configexample-dashboard
superset.extraVolumeMounts[2].mountPathPath in container to mount the dashboard config/config
superset.extraVolumeMounts[2].readOnlyMount config as read-onlyvrai
superset.init.initscriptCustom init script to conditionally import dashboardSee script in ilum-aio values file

3. Internal users upgrade credentials flag

Valeurs ajoutées - ilum-core

NomDescriptionValeur
ilum-core.security.internal.upgradeCredentialsEnables overriding user password with helm configurationfaux

4. Tighter integration of Marquez with Ilum

Caractéristique:

Enhanced Marquez integration with ilum-core, which means no direct communication between ilum-frontend and Marquez is needed anymore. This way, having a customized Marquez build is not necessary anymore.

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
job.openLineage.transport.endpoint/externe/lignage/api/v1/lignage/api/v1/lineage

5. Changed superset load example variable name

Values deleted - ilum-aio

NomRaison
superset.extraEnv.IMPORT_DASHBOARDChanged to other variable name

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
superset.init.loadExamplesEnables creating superset dashboard examplevrai

RELEASE 6.3.2

1. Addition of frequently used values to ilum-sql

Caractéristique:

Added frequently used values to ilum-sql chart, so that their configuration is easier.

Values added - ilum-sql

NomDescriptionValeur
config.kyuubi.logLevelBase log-level of the log4j frameworkINFO
config.kyuubi.idleEngineTimeoutAuto-shutdown time of Kyuubi engines30M
config.kyuubi.idleSessionTimeoutAuto-shutdown time of Kyuubi sessions30M
config.kyuubi.engineAliveProbeWhether to create a probe, which will check engine livenessvrai
config.kyuubi.cleanupTerminatedSparkDriverPodsDetermines which of the terminated Spark engine pods will get deleted. Available: NONE, COMPLETED, ALLALL

Values changed - ilum-aio

NomAncienne valeurNouvelle valeur
ilum-sql.config.kyuubi.defaultssee valeurs.yaml~

⚠️⚠️⚠️ Warnings

Because these values were already present in the ilum-aio chart, the change will not be noticeable for users who have changed the value of ilum-sql.config.kyuubi.defaults.

2. Support of Trino in ilum-sql

Caractéristique:

Introduced support for Trino as an SQL engine in ilum-sql chart.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
trino.enabledEnables built-in Trinofaux
trino.nameOverrideSets the name overrideilum-trino
trino.coordinatorNameOverrideSets the name override for the coordinatorilum-trino-coordinator
trino.workerNameOverrideSets the name override for the worker nodesilum-trino-worker
trino.server.workersSets the number of workers1
trino.catalogs.ilum-deltaConfigures the 'ilum-delta' catalogSee valeurs.yaml
ilum-sql.config.trino.catalogThe catalog of choice for Trinoilum-delta

Values added - ilum-sql

NomDescriptionValeur
config.trino.urlUrl pointing to Trino coordinatorhttp://ilum-trino:8080
config.trino.catalogThe catalog of choice for Trinosystème
config.trino.defaultsAdditional settings of Trino engines. All properties must be prefixed with trino.~

3. Enhanced Oauth2

Caractéristique

Added users, groups and roles mapping during authentication from OAuth2 Autherization server to Ilum Core. Added ability to assign Admin role to oauth2 users.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
security.oauth2.mapping.idJWT claim that should be mapped to user`s id""
security.oauth2.mapping.nameJWT claim that should be mapped to user`s namesub
security.oauth2.mapping.emailJWT claim that should be mapped to user`s emailMessagerie électronique
security.oauth2.mapping.fullnameJWT claim that should be mapped to user`s fullnamenom complet
security.oauth2.mapping.descriptionJWT claim that should be mapped to user`s description""
security.oauth2.mapping.departmentJWT claim that should be mapped to user`s department""
security.oauth2.mapping.groupsJWT claim with a list of groups that user is a part of represented by strings« groupes »
security.oauth2.mapping.rolesJWT claim with a list of roles that user uses represented by strings« rôles »
security.oauth2.mapping.enabledJWT claim that should be mapped to user`s state""
security.oauth2.mapping.enabledTrueValue of JWT claim with the name of mapping.enabled qui signifie ENABLED""
security.oauth2.mapping.singleGroupJWT claim that contains a string with name of group that the user is part of""
security.oauth2.mapping.singleRoleJWT claim that contains a string with name of role that the user has""

4. Addition of kubernetes s3 region to ilum-core and ilum-aio

Caractéristique:

Added the ability to set the S3 region in ilum-core.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kubernetes.s3.regiondefault kubernetes cluster S3 storage region to store spark resourcesÉtats-Unis-Est-1

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-core.kubernetes.s3.regiondefault kubernetes cluster S3 storage region to store spark resourcesÉtats-Unis-Est-1
ilum-core.kubernetes.defaultCluster.config.spark.hadoop.fs.s3a.bucket.ilum-data.regiondefault kubernetes cluster S3 storage region to store spark resourcesÉtats-Unis-Est-1

5. Protocol in superset

Caractéristique:

Added the ability to set the protocol in superset.

Values added - superset

NomDescriptionValeur
protocolesuperset protocolhttp

6. Addition of hive metastore status probe to ilum-core helm chart

Caractéristique:

Added possibility to enable status probe for hive metastore.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
hiveMetastore.statusProbe.enabledHive metastore status probe enabled flagfaux
hiveMetastore.statusProbe.imageHive metastore status probe imagecurlimages/curl :8.5.0
hiveMetastore.statusProbe.hostHive metastore status probe hostilum-hive-metastore
hiveMetastore.statusProbe.portHive metastore status probe port9083

VERSION 6.3.1

1. Ajout de compartiments supplémentaires à la configuration de stockage

Caractéristique

Ajout de la possibilité d’inclure des compartiments supplémentaires dans la configuration du stockage Spark du cluster ilum.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kubernetes.s3.extraBucketsilum-core cluster kubernetes par défaut Stockage S3 Compartiments supplémentaires à inclure[]
kubernetes.gcs.extraBucketsilum-core cluster kubernetes par défaut Stockage GCS Compartiments supplémentaires à inclure[]
kubernetes.wasbs.extraContainersilum-core cluster kubernetes par défaut stockage WASBS conteneurs supplémentaires à inclure[]
kubernetes.hdfs.extraCatalogsilum-core cluster kubernetes par défaut Stockage HDFS Catalogues supplémentaires à inclure[]

2. LDAP amélioré

Added the ability to map users, groups, and roles — along with their properties and relationships — from an LDAP server to Ilum Core based on mapping configurations in Helm. Enabled the option to assign Admin role to LDAP users.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
security.ldap.userMapping.baseBase LDAP d’entrées utilisateur""
security.ldap.userMapping.filterFiltre LDAP utilisé pour la recherche d’utilisateurs« uid={0} »
security.ldap.userMapping.nom_utilisateurNom de l’attribut LDAP qui doit être mappé au nom d’utilisateur de l’utilisateurUid
security.ldap.userMapping.passwordNom de l’attribut LDAP qui doit être mappé au mot de passe de l’utilisateuruserPassword
security.ldap.userMapping.descriptionNom de l’attribut LDAP qui doit être mappé à la description de l’utilisateur""
security.ldap.userMapping.fullnameNom de l’attribut LDAP qui doit être mappé au nom complet de l’utilisateur""
security.ldap.userMapping.departmentNom de l’attribut LDAP qui doit être mappé au service de l’utilisateur""
security.ldap.userMapping.emailNom de l’attribut LDAP qui doit être mappé à l’adresse e-mail de l’utilisateur""
security.ldap.userMapping.enabledNom de l’attribut LDAP qui doit être mappé à l’état de l’utilisateur""
security.ldap.userMapping.enabledValueValeur de l’attribut avec le nom de userMapping.enabled qui signifie ENABLED""
security.ldap.groupMapping.baseBase LDAP pour les entrées de groupe""
security.ldap.groupMapping.filterFiltre LDAP utilisé pour la recherche de groupes(membre = {0})
security.ldap.groupMapping.nameNom de l’attribut LDAP qui doit être mappé au nom du groupeCn
security.ldap.groupMapping.descriptionNom de l’attribut LDAP qui doit être mappé à la description du groupe""
security.ldap.groupMapping.memberAttributeNom de l’attribut LDAP qui répertorie les utilisateurs ayant le groupeUid
security.ldap.groupMapping.rolesAttribut LDAP qui répertorie les rôles inclus dans le groupe""
security.ldap.groupMapping.roleFilterAttributeAttribut LDAP des rôles qui représente un rôle dans groupMapping.roles attribut""
security.ldap.groupMapping.enabledNom de l’attribut LDAP qui doit être mappé à l’état du groupe""
security.ldap.groupMapping.enabledTrueValeur de l’attribut de groupMapping.enabled qui signifie ENABLED""
security.ldap.roleMapping.baseBase LDAP pour la saisie des rôles""
security.ldap.roleMapping.filterFiltre LDAP utilisé pour la recherche de rôles""
security.ldap.roleMapping.memberAttributeNom de l’attribut LDAP qui répertorie les utilisateurs ayant le rôle""
security.ldap.roleMapping.nameNom de l’attribut LDAP qui doit être mappé au nom du rôle""
security.ldap.roleMapping.descriptionNom de l’attribut LDAP qui doit être mappé à la description du rôle""
security.ldap.roleMapping.enabledNom de l’attribut LDAP qui doit être mappé à l’état du rôle""
security.ldap.roleMapping.enabledTrueValeur de l’attribut de roleMapping.enabled qui signifie ENABLED""

Valeurs supprimées - ilum-core

NomRaison
security.ldap.userSearchRemplacé par security.ldap.userMappage
security.ldap.groupRechercherRemplacé par security.ldap.groupMappage

Changements de noms - ilum-core

Ancien nomNouveau nom
security.internal.users[*].passwordsecurity.internal.users[*].initialPassword

3. Configuration par défaut de SparkMagic

Valeurs modifiées : les paramètres de configuration d’ilum-jupyter changent en raison de l’introduction du formulaire de session Spark.

NomAncienne valeurNouvelle valeur
sparkmagic.config.sessionConfigs.conf'{ « pyRequirements » : « pandas », « cluster » : « default », « autoPause » : « false », « spark.example.config » : « Tu peux changer la configuration par défaut dans ilum-jupyter-config k8s configmap » }''{}'

Valeurs supprimées - ilum-jupyter

NomRaison
sparkmagic.config.sessionConfigs.executorCoresPlus nécessaire grâce au nouveau formulaire de session Spark

Valeurs supprimées - ilum-jupyter

NomRaison
sparkmagic.config.sessionConfigs.driverMemoryPlus nécessaire grâce au nouveau formulaire de session Spark

VERSION 6.3.0

1. Modification de la version de la balise d’image de kyuubi

Valeurs modifiées - paramètres de configuration de sparkmagic

NomAncienne valeurNouvelle valeur
sparkmagic.config.sessionConfigs.conf'{ « pyRequirements » : « pandas », « spark.example.config » : « Tu peux changer la configuration par défaut dans ilum-jupyter-config k8s configmap » }''{ « pyRequirements » : « pandas », « cluster » : « default », « autoPause » : « false », « spark.example.config » : « Tu peux changer la configuration par défaut dans ilum-jupyter-config k8s configmap » }'

2. Ajout d’une propriété pour définir l’adresse kafka pour ilum-core

Caractéristique

Ajout de la possibilité de définir l’adresse kafka pour le pod ilum-core, séparément de la configuration globale de l’adresse kafka pour les tâches Spark et l’ensemble du pod ilum-core via la propriété kafka.address.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kafka.ilum.adresseAdresse kafka ilum-core uniquement pour l’espace ilum-core, remplace kafka.addressnon défini

3. Changement du temps de tolérance de vérification de l’état de la tâche ilum

Valeurs modifiées - paramètres de configuration de la vérification de l’état de la tâche ilum

NomAncienne valeurNouvelle valeur
job.healthcheck.tolerance1203600

4. Présentation du dépôt git intégré

Caractéristique

Ajout de Gitea en tant que module fournissant un serveur git intégré pour la plate-forme ilum.

Valeurs ajoutées - gitea

NomDescriptionValeur
gitea.enabledActiver ou désactiver le déploiement de Giteavrai
gitea.image.rootlessExécuter Gitea en mode rootlessfaux
gitea.gitea.config.database.DB_TYPEType de base de données utilisé pour GiteaPostgres
gitea.gitea.config.database.HOSTHôte et port de base de données pour Giteailum-postgresql-hl :5432
gitea.gitea.config.database.NAMENom de la base de données de GiteaGitea
gitea.gitea.config.database.USERNom d’utilisateur de la base de données pour Giteailum
gitea.gitea.config.database.PASSWDMot de passe de la base de données pour Gitea (Modification requise)CHANGEMEPLEASE
gitea.gitea.admin.existingSecretGitea secret pour stocker les identifiants d’initialisationilum-git-credentials
gitea.gitea.admin.emailGitea admin emaililum@ilum
gitea.gitea.admin.passwordModeMode mot de passe pour le compte administrateurinitialOnlyNoReset
gitea.gitea.additionalConfigFromEnvs[0].nameActiver la création d’un utilisateur par pousséeGITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER
gitea.gitea.additionalConfigFromEnvs[0].valueValeur de l’activation de l’utilisateur push-createvrai
gitea.gitea.additionalConfigFromEnvs[1].nameActiver l’organisation push-createGITEA__REPOSITORY__ENABLE_PUSH_CREATE_ORG
gitea.gitea.additionalConfigFromEnvs[1].valueValeur de l’activation de l’organisation push-createvrai
gitea.gitea.additionalConfigFromEnvs[2].nameBranche de référentiel par défautGITEA__REPOSITORY__DEFAULT_BRANCH
gitea.gitea.additionalConfigFromEnvs[2].valueValeur de la branche de référentiel par défautmaître
gitea.gitea.additionalConfigFromEnvs[3].nameURL racine du serveur GiteaGITEA__SERVER__ROOT_URL
gitea.gitea.additionalConfigFromEnvs[3].valueValeur de l’URL racine du serveur Giteahttp://git.example.com/external/gitea/
gitea.gitea.additionalConfigFromEnvs[4].namePréfixe d’URL statiqueGITEA__SERVER__STATIC_URL_PREFIX
gitea.gitea.additionalConfigFromEnvs[4].valueValeur du préfixe d’URL statique/externe/gitea/
gitea.redis-cluster.enabledActiver ou désactiver le cluster Redisfaux
gitea.redis.enabledActiver ou désactiver Redisfaux
gitea.postgresql.enabledActiver ou désactiver PostgreSQL autonomefaux
gitea.postgresql-ha.enabledActiver ou désactiver PostgreSQL HAfaux

Valeurs ajoutées - ilum-jupyter

NomDescriptionValeur
ilum-jupyter.git.enabledActiver ou désactiver l’intégration Gitfaux
ilum-jupyter.git.nom_d’utilisateurNom d’utilisateur Git pour l’authentificationilum
ilum-jupyter.git.passwordMot de passe Git pour l’authentificationilum
ilum-jupyter.git.emailAdresse e-mail Gitilum@ilum
ilum-jupyter.git.repositoryNom du dépôt GitJupyter
ilum-jupyter.git.addressAdresse du serveur Gitilum-gitea-http :3000
ilum-jupyter.git.init.imageImage d’initialisation Gitbitnami/git :2.48.1

Valeurs ajoutées - ilum-airflow

NomDescriptionValeur
airflow.dags.gitSync.enabledActiver ou désactiver la synchronisation Git pour les DAGvrai
airflow.dags.gitSync.repoURL du référentiel Git pour les DAGhttp://ilum-gitea-http:3000/ilum/airflow.git
airflow.dags.gitSync.branchBranche Git à partir de laquelle synchronisermaître
airflow.dags.gitSync.refRéférence Git à synchroniserTÊTE
airflow.dags.gitSync.depthProfondeur du clone Git1
airflow.dags.gitSync.maxFailuresNombre maximal d’échecs de synchronisation autorisés0
airflow.dags.gitSync.subPathSous-chemin d’accès au sein du référentiel à synchroniser""
airflow.dags.gitSync.credentialsSecretSecret utilisé pour l’authentification Gitilum-git-credentials

5. Modifications de nommage de la configuration SQL d’Ilum

Changer le nommage de la configuration Ilum Sql pour mieux refléter l’utilisation actuelle de Kyuubi

Changements de noms - ilum-core

Ancien nomNouveau nom
Kyuubi.*SQL.*

Noms modifiés - ilum-aio

Ancien nomNouveau nom
ilum-kyuubi.*ilum-sql.*

⚠️⚠️⚠️ Warnings

En raison des changements de nommage et du fonctionnement interne du lancement du moteur SQL, et des restrictions sur ce qui peut être fait via un Mise à niveau Helm, Il est nécessaire de supprimer manuellement l’ancien ensemble avec état (par ex. kubectl delete sts ilum-sql) avant de passer à cette version. Cela garantira que lors de la mise à jour, un nouvel ensemble avec état est créé avec la configuration correcte. Les modifications cassantes sont liées aux étiquettes et aux montages de volume utilisés par l’ensemble avec état ilum-sql.

6. Ajouter des configurations pour Ilum Submit pour les moteurs Spark Sql

Ilum Submit améliore le processus de lancement des moteurs Spark SQL via l’application Web Ilum et le point de terminaison JDBC en appliquant automatiquement les configurations du cluster sélectionné. Cette amélioration élimine le besoin de fournir manuellement la configuration Spark de Kyuubi à Ilum Core.

Valeur supprimée - ilum-core

NomRaison
sql.sparkConfigInutile après le changement

Valeurs ajoutées - ilum-kyuubi

NomDescriptionValeur
ilumSubmit.enabledIndicateur pour activer le service d’envoi ilumfaux
ilumSubmit.ilum.hostHôte du service REST Ilumilum-core
ilumSubmit.ilum.portService REST du port d’Ilum9888

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
ilum-sql.ilumSubmit.enabledIndicateur pour activer la création d’un moteur SQL via Ilumvrai

⚠️⚠️⚠️ Warnings

Comme la configuration Spark de Kyuubi n’est plus nécessaire dans Ilum Core, La configuration Spark par défaut doit être fournie directement à ilum-sql.config.spark.defaults au lieu de la valeur globale.

Caractéristique

Security‑related configuration (including internal user credentials, LDAP, OAuth2, JWT, and authorities settings) has been moved from the config map to a dedicated Kubernetes Secret. This improves the security of sensitive data by isolating it from non‑sensitive configuration.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
security.secret.nameName of the secret that holds security‑related configuration. Use this to override the default secret name.ilum-sécurité

8. Changement du type de service ilum-ui

En raison des problèmes avec kubectl port-forward, nous exposons un NodePort par défaut.

Valeurs modifiées - paramètres de configuration de la vérification de l’état de l’interface utilisateur

NomAncienne valeurNouvelle valeur
service.typeClusterIP (en anglais)NodePort
service.nodePort``31777

VERSION 6.2.1

1. Changer la valeur de l’url de Kyuubi

Caractéristique

Changez la valeur de l’url de Kyuubi dans ilum-core. La valeur par défaut devrait maintenant fonctionner dès la sortie de la boîte.

Valeurs modifiées - ilum-core

NomAncienne valeurNouvelle valeur
kyuubi.hostilum-sql-restilum-sql-headless

VERSION 6.2.1-RC1

1. Configuration des paramètres de mémoire de la tâche Spark dans ilum-core

Caractéristique

Ajout de la configuration des paramètres de mémoire de la tâche Spark dans ilum-core. Lors de la création d’un cluster par défaut dans ilum-core, les paramètres de paramètres de mémoire sont définis sur ces valeurs.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
job.memorysettings.executorsNombre d’exécuteurs de travaux Spark2
job.memorysettings.executorMemoryAllocation de mémoire de l’exécuteur des tâches Spark1 g
job.memorysettings.driverMemoryAllocation de mémoire du pilote Spark Jobs1 g
job.memorysettings.executorCoresNombre de cœurs de l’exécuteur des travaux Spark1
job.memorysettings.driverCoresSpark Jobs Pilote Nombre de cœurs1
job.memorysettings.dynamicAllocationEnabledIndicateur d’allocation dynamique activé pour les tâches Sparkfaux
job.memorysettings.minExécuteursspark jobs nombre minimum d’exécuteurs0
job.memorysettings.initialExécuteursspark jobs nombre initial d’exécuteurs testamentaires0
job.memorysettings.maxExécuteursNombre maximal d’exécuteurs de travaux Spark20

2. Ajout des paramètres de rétention du serveur d’historique Spark

Caractéristique

Ajout des paramètres de rétention du serveur d’historique Spark à ilum-core. Ces paramètres permettent à l’utilisateur de configurer la conservation des journaux du serveur d’historique Spark.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
historyServer.parameters.spark.history.fs.cleaner.enabledIndicateur d’activation du nettoyeur d’historiquevrai
historyServer.parameters.spark.history.fs.cleaner.intervalIntervalle de nettoyage du serveur d’historique1d
historyServer.parameters.spark.history.fs.cleaner.maxAgeHistorique Historique Âge maximal7d

3. Divisez l’URL de Kyuubi en hôte et port

Caractéristique

Divisez l’url de Kyuubi en host et port dans ilum-core. Ce changement était nécessaire pour que nous puissions créer des moteurs personnalisés.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kyuubi.hostKyuubi hôteilum-sql-rest
kyuubi.portPort de Kyuubi10099

Valeurs supprimées - ilum-core

NomRaison
kyuubi.urlInutile après le changement

4. Entrées supplémentaires dans helm_ui carte de configuration du serveur nginx

Caractéristique

Ajout de drapeaux activés pour le serveur d’historique, minio, ilum-jupyter, airflow, mlflow et lineage à ilum-ui. Ces drapeaux permettent à l’utilisateur d’activer ou de désactiver l’accès à ces services via ilum-ui. Ces valeurs seront utilisées dans la carte de configuration du serveur nginx.

Valeurs ajoutées - graphique ilum-ui

NomDescriptionValeur
nginx.config.ilum-jupyter.enabledilum-ui nginx config ilum-jupyter enabled flagfaux
nginx.config.airflow.enabledIndicateur ILUM-UI nginx config Airflow enabledfaux
nginx.config.minio.enabledilum-ui nginx config minio enabled flagfaux
nginx.config.historyServer.enabledilum-ui nginx config historyIndicateur activé par le serveurfaux
nginx.config.mlflow.enabledilum-ui nginx config mlflow enabled flagfaux
nginx.config.lineage.enabledIndicateur ILUM-UI nginx config lineage enabledfaux

5. Superset dans le graphique ilum-aio

Caractéristique

Sur-ensemble dans le graphique AIO de l’ilum. Superset est rapide, léger, intuitif et doté d’options qui permettent aux utilisateurs de tous niveaux d’explorer et de visualiser facilement leurs données. Du simple graphique linéaire aux graphiques géospatiaux très détaillés. Superset est l’un des modules intégrés à la plate-forme Ilum.

Valeurs ajoutées - ilum-ui

Configuration de l’agrégation de journaux
NomDescriptionValeur
runtimeVars.supersetUrlURL du service de sur-ensemblehttp://ilum-superset:8088/
nginx.config.superset.enabledilum-ui nginx config superset enabled flagfaux

4. Configuration par défaut du cluster kubernetes Ilum à partir des valeurs helm

Caractéristique

À partir de maintenant, les paramètres par défaut du cluster ilum seront définis en fonction des valeurs helm.

Valeurs ajoutées - graphique ilum-core

NomDescriptionValeur
kubernetes.defaultCluster.configConfiguration par défaut du cluster Kubernetes ilum-coreConfiguration :
  spark.driver.extraJavaOptions : « -Divy.cache.dir=/tmp -Divy.home=/tmp »
  spark.kubernetes.container.image : « ilum/spark :3.5.2-delta »
  spark.databricks.delta.catalog.update.enabled : « true »

VERSION 6.2.0

1. Modification de la version de la balise d’image de kyuubi

Valeurs modifiées - graphique ilum-kyuubi

NomAncienne valeurNouvelle valeur
image.tag1.9.2-Étincelle1.10.0-étincelle

2. Modification de la configuration de l’étincelle kyuubi dans le graphique ilum-kyuubi

Supplémentaire spark.driver.memory=2g dans global.kyuubi.sparkConfig

VERSION 6.2.0-RC2

1. Ajout de la sonde d’état Minio

Caractéristique

Ajout d’une sonde d’état dans ilum-core qui vérifie si le stockage minio est prêt

Valeurs ajoutées - ilum-core

NomDescriptionValeur
minio.statusProbe.enabledIndicateur d’activation de la sonde d’état Miniovrai
minio.statusProbe.imageImage de la sonde d’état Miniocurlimages/curl :8.5.0
minio.statusProbe.baseUrlURL de base minio« http://ilum-minio:9000 »

2. Configuration de Kyuubi dans ilum-core

Caractéristique

Ajout de la configuration Kyuubi dans le tableau de barre ilum-core. Kyuubi permettra à l’utilisateur d’exécuter des requêtes SQL sur de nombreuses sources de données différentes à l’aide de l’interface utilisateur ILUM.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
kyuubi.enabledDrapeau activé Kyuubivrai
kyuubi.urlUrl du service de repos de Kyuubihttp://ilum-sql-rest:10099

⚠️⚠️⚠️ Warnings

Afin de gérer correctement les moteurs SQL, nous devons passer la configuration spark de Kyuubi à ilum-core. Cela se fait en configurant l’étincelle de Kyuubi dans global.kyuubi.sparkConfig et permet à l’utilisateur d’écrire une configuration qui peut être passée à la fois à Kyuubi et à ilum-core.

3. Configuration de l’uri MongoDb dans ilum-core

Caractéristique

Changement de la façon dont l’uri mongoDb est passé à ilum-core. Désormais, il est transmis sous la forme d’une seule chaîne, ce qui permet à l’utilisateur de fournir une configuration plus granulaire telle que authSource.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
mongo.uriChaîne de connexion MongoDbmongodb://mongo:27017/ilum-default?replicaSet=rs0

Valeurs supprimées - ilum-core

NomRaison
mongo.instancesInutile après le changement
mongo.replicaSetNameInutile après le changement

⚠️⚠️⚠️ Warnings

Le mongo.uri, s’il n’est pas correctement défini, l’application ne fonctionnera pas correctement. Assurez-vous de fournir la chaîne de connexion correcte.

Auparavant, le format était le suivant : mongodb://{ mongo.instances }/ilum-{ release_namespace } ?replicaSet={ mongo.replicaSetName } Par défaut, dans le graphique ilum-aio, ces valeurs étaient les suivantes :

  • mongo.instances - ilum-mongodb-0.ilum-mongodb-headless :27017,ilum-mongodb-1.ilum-mongodb-headless :27017
  • mongo.replicaSetName - RS0
  • release_namespace - faire défaut

4. Configuration de la pause automatique dans ilum-core

Caractéristique

Ajout de la pause automatique dans ilum-core, qui vérifie périodiquement si des groupes sont inactifs pendant la durée spécifiée et met le groupe en pause. Pour que cela se produise, la mise en pause automatique doit être activée dans chaque groupe.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
job.autoPause.enabledIndicateur de fonctionnalité pour activer la pause automatiquevrai
job.autoPause.periodIntervalle en secondes pour vérifier les groupes d’inactivité180
job.autoPause.idleTimeTemps en secondes pendant lequel le groupe doit être inactif pour être mis en pause automatiquement3600

5. Exportateur de graphite dans le graphique ilum-aio

Caractéristique

Exportateur de graphite dans le graphique AIO d’ilum et configuration de graphite dans le graphique ilum-core. L’exportateur Graphite est un exportateur Prometheus pour les métriques exportées dans le protocole Graphite en texte clair.

Valeurs ajoutées - graphite-exporter

Nouvellement ajouté, vérifiez ses valeurs sur le Page du graphique

6. Configuration graphite en ilum-core

Caractéristique

Ajout de la configuration Graphite dans le tableau de barre ilum-core. Graphite permettra aux tâches Spark d’envoyer leurs métriques à un puits de graphite, qui sera récupéré par Prometheus.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
job.graphite.enabledDrapeau activé pour le graphitefaux
job.graphite.hostHôte en graphiteilum-graphite-graphite-tcp
job.graphite.portPort graphite9109
job.graphite.periodeIntervalle entre l’envoi des métriques de tâche10
job.graphite.unitésUnité de tempsSecondes

VERSION 6.1.4

1. Changement de configuration par défaut de Jupyter sparkmagic

Caractéristique

Modification de la méthode de transmission des configurations par défaut de spark au notebook jupyter, maintenant elle est passée sous forme de chaîne json

Valeurs ajoutées - ilum-jupyter

Paramètres de configuration SparkMagic
NomDescriptionValeur
sparkmagic.config.sessionConfigs.confSparkMagic Session Spark Configuration de Spark'{ « pyRequirements » : « pandas », « spark.jars.packages » : « io.delta :delta-core_2.12:2.4.0 », « spark.sql.extensions » : « io.delta.sql.DeltaSparkSessionExtension », « spark.sql.catalog.spark_catalog » : « org.apache.spark.sql.delta.catalog.DeltaCatalog"}'
sparkmagic.config.sessionConfigsDefaults.confConfiguration par défaut de SparkMagic Session'{ « pyRequirements » : « pandas », « spark.jars.packages » : « io.delta :delta-core_2.12:2.4.0 », « spark.sql.extensions » : « io.delta.sql.DeltaSparkSessionExtension », « spark.sql.catalog.spark_catalog » : « org.apache.spark.sql.delta.catalog.DeltaCatalog"}'

2. Kyuubi dans le graphique ilum-aio

Caractéristique

Kyuubi dans le graphique AIO de l’ilum. Kyuubi est une passerelle multi-locataire distribuée fournissant des services de requête SQL pour les entrepôts de données et les lakehouses. Il fournit à la fois des interfaces JDBC et ODBC, ainsi qu’une API REST avec laquelle les clients peuvent interagir.

Valeurs ajoutées - ilum-kyuubi

Nouvellement ajouté, vérifiez ses valeurs sur le Page du graphique

VERSION 6.1.3

1. Configuration de Jupyter et stockage persistant

Caractéristique

Ajout d’une configuration étendue du graphique helm du notebook jupyter via des valeurs helm. De plus, il a ajouté un stockage persistant à la gousse jupyter. Toutes les données enregistrées dans travail Le répertoire sera désormais disponible après le redémarrage/la mise à jour de Jupyter.

Valeurs ajoutées - ilum-jupyter

Paramètres PVC
NomDescriptionValeur
pvc.annotationsAnnotations de revendication de volume persistant{}
pvc.sélecteurSélecteur de revendication de volume persistant{}
pvc.accessModesvolume persistant revendiquant accessModesLireÉcrireUne fois
pvc.stockageDemandes de stockage de revendications de volume persistant4Gi
pvc.storageClassNamerevendication de volume persistant storageClassName``
Paramètres de configuration SparkMagic
NomDescriptionValeur
sparkmagic.config.kernelPythonCredentials.usernameNom d’utilisateur du noyau Python Sparkmagic""
sparkmagic.config.kernelPythonCredentials.passwordMot de passe du noyau Python Sparkmagic""
sparkmagic.config.kernelPythonCredentials.authMode d’authentification du noyau Python Sparkmagic« Aucun »
sparkmagic.config.kernelScalaCredentials.nom_utilisateurNom d’utilisateur du noyau Python Sparkmagic""
sparkmagic.config.kernelScalaCredentials.passwordMot de passe du noyau Sparkmagic Scala""
sparkmagic.config.kernelScalaCredentials.authMode d’authentification du noyau Sparkmagic Scala« Aucun »
sparkmagic.config.kernelRCredentials.nom_utilisateurNom d’utilisateur du noyau Sparkmagic R""
sparkmagic.config.kernelRCredentials.passwordMot de passe du noyau Sparkmagic R""
sparkmagic.config.waitForIdleTimeoutSecondsDélai d’attente de SparkMagic en attente de l’état d’inactivité15
sparkmagic.config.livySessionStartupTimeoutSecondsDélai d’attente SparkMagic pour le démarrage de la session300
sparkmagic.config.ignoreSslErrorsSparkmagic Ignorer l’indicateur d’erreurs SSLfaux
sparkmagic.config.sessionConfigs.confSparkMagic Session Spark Configuration de Spark[pyRequirements : pandas, spark.jars.packages : io.delta :delta-core_2.12:2.4.0, spark.sql.extensions : io.delta.sql.DeltaSparkSessionExtension,spark.sql.catalog.spark_catalog : org.apache.spark.sql.delta.catalog.DeltaCatalog]
sparkmagic.config.sessionConfigs.driverMemoryMémoire du pilote de session Sparkmagic1000M
sparkmagic.config.sessionConfigs.executorCoresCœurs de l’exécuteur de session Sparkmagic2
sparkmagic.config.sessionConfigsDefaults.confConfiguration par défaut de SparkMagic Session[pyRequirements : pandas, spark.jars.packages : io.delta :delta-core_2.12:2.4.0, spark.sql.extensions : io.delta.sql.DeltaSparkSessionExtension,spark.sql.catalog.spark_catalog : org.apache.spark.sql.delta.catalog.DeltaCatalog]
sparkmagic.config.sessionConfigsDefaults.driverMemoryMémoire du pilote par défaut de la session Sparkmagic1000M
sparkmagic.config.sessionConfigsDefaults.executorCoresNoyaux d’exécuteur par défaut de la session Sparkmagic2
sparkmagic.config.useAutoVizSparkmagic Utiliser l’indicateur de visualisation automatiquevrai
sparkmagic.config.coerceDataframeSparkmagic Coerce Dataframe Flagvrai
sparkmagic.config.maxResultsSqlRésultat SQL Sparkmagic Max2500
sparkmagic.config.pysparkDataframeEncodageEncodage de trames de données Sparkmagic PYSparkUTF-8
sparkmagic.config.heartbeatRefreshSecondsSparkmagic Heartbeat Refresh secondes30
sparkmagic.config.livyServerHeartbeatTimeoutSecondsDélai d’expiration du délai d’expiration du délai d’expiration du serveur Sparkmagic Livy0
sparkmagic.config.heartbeatRetrySecondsSparkmagic Heartbeat Retry secondes10
sparkmagic.config.serverExtensionDefaultKernelNameNom du noyau par défaut de Sparkmagic Server Extensionpysparkkernel
sparkmagic.config.retryPolicyPolitique de nouvelle tentative de Sparkmagicparamétrable
sparkmagic.config.retrySecondsToSleepListSparkmagic Retry Liste des secondes avant de dormir[0.2, 0.5, 1, 3, 5]
sparkmagic.config.configurableRetryPolicyMaxRetriesPolitique de relance Sparkmagic Nombre maximal de tentatives8

VERSION 6.1.2

1. Metastore Hive dans le graphique ilum-aio

Caractéristique

Métastore Hive dans le graphique AIO ilum. HMS est un référentiel central de métadonnées pour les tables et partitions Hive dans une base de données relationnelle, et fournit aux clients (y compris Hive, Impala et Spark) l’accès à ces informations à l’aide de l’API du service metastore. Avec le metastore hive activé dans ilum AIO helm stack, les tâches Spark exécutées par ilum peuvent être configurées pour y accéder automatiquement.

Valeurs ajoutées - ilum-hive-metastore

Graphique entier nouvellement ajouté, vérifiez ses valeurs sur Page du graphique

Valeurs ajoutées - ilum-core

NomDescriptionValeur
hiveMetastore.enabledPassage de la configuration du metastore Hive à l’indicateur Spark Jobs d’ilumfaux
hiveMetastore.adresseAdresse du MetaStore Hivethrift://ilum-hive-metastore:9083
hiveMetastore.warehouseDirRépertoire d’entrepôt Hive MetaStores3a ://ilum-data/

2. Extensions Postgres ajoutées

Caractéristique

Peu de sous-chars AIO d’ilum utilisent postgresql, pour faciliter la gestion du déploiement de ceux-ci, nous avons ajouté une ressource d’extension postgres pour créer des bases de données postgresql pour ilum sucharts.

Valeurs ajoutées - ilum-aio

Paramètres des extensions PostgreSQL
NomDescriptionValeur
postgresExtensions.enabledExtension Postgres activé, drapeauvrai
postgresExtensions.imageimage dans laquelle exécuter des extensionsbitnami/postgresql :16
postgresExtensions.pullPolicyStratégie d’extraction d’imagesIfNotPresent
postgresExtensions.imagePullSecretsSecrets d’extraction d’images[]
postgresExtensions.hostHôte de base de données PostgreSQLilum-postgresql-0.ilum-postgresql-hl
postgresExtensions.portport de base de données postgresql5432
postgresExtensions.databasesToCreateListe des bases de données à créer séparées par des virgulesmarquez,airflow,metastore
postgresExtensions.auth.nom_utilisateurNom d’utilisateur du compte PostgreSQLilum
postgresExtensions.auth.passwordMot de passe du compte PostgreSQLCHANGEMEPLEASE
postgresExtensions.nodeSelectorpostgresql extensions pods sélecteur de nœud{}
postgresExtensions.tolerationsExtensions PostgreSQL Pods Tolerations[]

3. Loki et promtail dans le graphique ilum-aio

Caractéristique

Loki et promtail dans le graphique AIO ilum. Loki est un système d’agrégation de journaux multi-locataires évolutif horizontalement, hautement disponible et inspiré de Prometheus. Promtail est un agent qui envoie le contenu des journaux locaux à une instance de Grafana Loki. Ilum utilisera désormais loki pour agréger les journaux des pods de tâches Spark pour pouvoir nettoyer les ressources du cluster une fois les tâches terminées. Loki et promtail sont préconfigurés pour supprimer les journaux uniquement à partir des pods Spark exécutés par ilum afin de récupérer les journaux de travail une fois qu’ils sont terminés.

Valeurs ajoutées - ilum-core

Configuration de l’agrégation de journaux
NomDescriptionValeur
global.logAggregation.enabledilum log aggregegation, s’il est activé, Ilum récupérera les journaux des pods Spark Kubernetes terminés à partir de lokifaux
global.logAggregation.loki.urlAdresse de la passerelle Loki pour accéder aux journauxhttp://ilum-loki-gateway

Valeurs ajoutées - ilum-aio

Agrégation de journaux - Loki Config
NomDescriptionValeur
loki.nameRemplacerRemplacement du nom du sous-graphiqueilum-loki
loki.monitoring.selfMonitoring.enabledIndicateur d’autosurveillance activéfaux
loki.monitoring.selfMonitoring.grafanaAgent.installOperatorIndicateur d’installation de l’opérateur de l’agent Grafana auto-surveillancefaux
loki.monitoring.selfMonitoring.lokiCanary.enabledIndicateur Canary activé pour l’autosurveillancefaux
loki.test.enabledIndicateur Tests activésfaux
loki.loki.auth_enabledIndicateur d’authentification activéefaux
loki.loki.storage.bucketNames.chunksCompartiment de blocs de stockagelimes-ilum
loki.loki.storage.bucketNames.rulerseau de règle de stockagelimes-ilum
loki.loki.storage.bucketNames.adminCompartiment d’administration de stockagelimes-ilum
loki.loki.stockage.typeType de stockageS3
loki.loki.s3.endpointPoint de terminaison de stockage S3http://ilum-minio:9000
loki.loki.s3.regionPoint de terminaison de stockage S3États-Unis-Est-1
loki.loki.s3.secretAccessKeyClé d’accès secrète du stockage S3minioadmin
loki.loki.s3.accessKeyIdID de la clé d’accès au stockage S3minioadmin
loki.loki.s3.s3ForcePathStyleIndicateur d’accès au chemin de stockage S3vrai
loki.loki.s3.insecureIndicateur de stockage non sécurisé S3vrai
loki.loki.compactor.retention_enabledIndicateur de conservation des journaux activévrai
loki.loki.compactor.deletion_modemode de suppressionfiltrer-et-supprimer
loki.loki.compactor.shared_storeMagasin partagéS3
loki.loki.limits_config.allow_deletesAutoriser l’indicateur de suppression des journauxvrai
Agrégation de journaux - Loki Config
NomDescriptionValeur
promtail.config.clients[0].urlPremière URL du clienthttp://ilum-loki-write:3100/loki/api/v1/push
promtail.snippets.pipelineStages[0].match.selectorÉtape de pipeline pour supprimer le sélecteur de journaux non ilum{ilum_logAggregation !="vrai"}
promtail.snippets.pipelineStages[0].match.actionÉtape du pipeline pour supprimer l’action des journaux non ilumgoutte
promtail.snippets.pipelineStages[0].match.drop_counter_reasonétape de pipeline pour abandonner les journaux de non-ilum drop_counter_reasonnon_ilum_log
promtail.snippets.extraRelabelConfigs[0].actionaction Relabel config pour conserver les étiquettes de pod IlumÉtiquettemap
promtail.snippets.extraRelabelConfigs[0].regexRelabel config pour conserver l’expression régulière des étiquettes de pod Ilum__meta_kubernetes_pod_label_ilum(.*)
promtail.snippets.extraRelabelConfigs[0].replacementConfigurer la réétiquette pour conserver le remplacement des étiquettes de pod Ilumilum{1}
promtail.snippets.extraRelabelConfigs[1].actionRelabel config pour conserver l’action Spark Pod LabelsÉtiquettemap
promtail.snippets.extraRelabelConfigs[1].regexRéétiqueter la configuration pour conserver l’expression régulière des étiquettes du pod Spark__meta_kubernetes_pod_label_spark(.*)
promtail.snippets.extraRelabelConfigs[1].replacementRéétiqueter la configuration pour conserver le remplacement des étiquettes du Spark Podétincelle{1} $

VERSION 6.1.1

1. Ajout de vérifications de l’état pour les tâches interactives ilum

Caractéristique

Pour éviter les situations d’écrasement inattendu des groupes d’ilum, nous avons ajouté des contrôles de santé pour nous assurer qu’ils fonctionnent comme ils le devraient.

Valeurs ajoutées - ilum-core

Paramètres ilum-job
NomDescriptionValeur
job.healthcheck.enabledSpark Interactive Jobs Indicateur de vérification de l’état activévrai
job.healthcheck.intervalIntervalle de vérification de l’état des tâches interactives Spark en secondes300
job.healthcheck.toleranceSpark Interactive Jobs Healthcheck Tolérance du temps de réponse en secondes120

2. Échelle de réplication paramétrée pour les services évolutifs ilum

Caractéristique

La configuration du nombre de réplicas pour les services évolutifs ilum a été extraite aux valeurs helm.

Valeurs ajoutées - ilum-core

Paramètres communs ilum-core
NomDescriptionValeur
replicaCountNombre de répliques ilum-core1

Valeurs ajoutées - ilum-ui

Paramètres communs ilum-ui
NomDescriptionValeur
replicaCountNombre de réplicas ilum-UI1

VERSION 6.1.0

1. Suppression des paramètres inutiles du stockage wasbs du cluster ilum

Caractéristique

Les conteneurs de stockage WASBS n’ont plus besoin d’avoir le jeton sas porvidé dans les valeurs helm, car cela s’est avéré inutile

Valeurs supprimées - ilum-core

Paramètres de stockage WASB
NomRaison
kubernetes.wasbs.sparkContainer.nameDéplacé à kubernetes.wasbs.sparkContainer valeur
kubernetes.wasbs.sparkContainer.sasTokenS’est avéré inutile
kubernetes.wasbs.dataContainer.nameDéplacé à kubernetes.wasbs.dataContainer valeur
kubernetes.wasbs.dataContainer.sasTokenS’est avéré inutile

Valeurs ajoutées - ilum-core

Paramètres de stockage WASB
NomDescriptionValeur
kubernetes.wasbs.sparkContainernom du conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les ressources Sparklimes-ilum
kubernetes.wasbs.dataContainernom du conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les tables ilumTables-Ilum

2. Ajout de conteneurs d’initialisation pour vérifier la disponibilité du service

Caractéristique

Pour faciliter le déploiement d’Ilum, les conteneurs Ilum ont désormais des conteneurs en attente de la disponibilité des services dont ils dépendent.

Valeurs ajoutées - ilum-core

NomDescriptionValeur
mongo.statusProbe.enabledSonde d’état Mongo, indicateur activévrai
mongo.statusProbe.imageinit container qui attend que mongodb soit disponible imagemongo :7.0.5
kafka.statusProbe.enabledSonde d’état Kafka, indicateur activévrai
kafka.statusProbe.imageinit container qui attend que kafka soit disponible imagebitnami/kafka :3.4.1
historyServer.statusProbe.enabledILUM History Server ILUM-Core Status Sonde Enabled Flagvrai
historyServer.statusProbe.imageConteneur d’initialisation du serveur d’historique ilum qui attend que ilum-core soit disponible Imagecurlimages/curl :8.5.0

Valeurs ajoutées - ilum-livy-proxy

NomDescriptionValeur
statusProbe.enabledIndicateur activé de sonde d’état ilum-corevrai
étatSonde.imageconteneur init qui attend que ilum-core soit disponible imagecurlimages/curl :8.5.0

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
statusProbe.enabledIndicateur activé de sonde d’état ilum-corevrai
étatSonde.imageconteneur init qui attend que ilum-core soit disponible imagecurlimages/curl :8.5.0

3. Producteurs de kafka paramétrés dans le graphique ilum-core

Caractéristique

En mode de communication kafka, ilum interactive jobs répond à des instances de job interactif à l’aide de kafka producers. Avec les nouvelles valeurs de helm, le producteur kafka peut être adapté aux besoins des utilisateurs.

Valeurs ajoutées - ilum-core

Paramètres Kafka
NomDescriptionValeur
kafka.maxPollRecordsKafka max.poll.records pour ilum jobs kafka consumer, il détermine le nombre de requêtes ilum-job kafka consumer récupérera à chaque interrogation500
kafka.maxPollIntervalKafka max.poll.interval.ms paramètre pour les tâches ilum client kafka, il détermine le délai maximum entre les appels de poll, ce qui, dans le contexte ilum-job, signifie une limite de temps pour le traitement des requêtes récupérées dans poll60000

VERSION 6.1.0-RC1

1. Ajout de la prise en charge des annotations de service

Caractéristique

Les annotations des services de graphiques helm Ilum peuvent désormais être configurées via des valeurs helm

Valeurs ajoutées - ilum-core

Paramètres de service
NomDescriptionValeur
service.annotationsAnnotations de service{}
grpc.service.annotationsAnnotations du service GRPC{}
historyServer.service.annotationsAnnotations du service History Server{}

Valeurs ajoutées - ilum-jupyter

Paramètres de service
NomDescriptionValeur
service.annotationsAnnotations de service{}

Valeurs ajoutées - ilum-livy-proxy

Paramètres de service
NomDescriptionValeur
service.annotationsAnnotations de service{}

Valeurs ajoutées - ilum-ui

Paramètres de service
NomDescriptionValeur
service.annotationsAnnotations de service{}

Valeurs ajoutées - ilum-zeppelin

Paramètres de service
NomDescriptionValeur
service.annotationsAnnotations de service{}

2. Extraction des paramètres de sécurité oauth2 aux valeurs globales

Caractéristique

La configuration d’Ilum security oauth2 est désormais définie via des valeurs globales

Valeurs ajoutées - ilum-aio

Paramètres de sécurité
NomDescriptionValeur
global.security.oauth2.clientIdID client oauth2``
global.security.oauth2.issuerUriURI oauth2 qui peut être un point de terminaison de découverte OpenID Connect ou un point de terminaison de métadonnées de serveur d’autorisation OAuth 2.0 défini par la RFC 8414``
global.security.oauth2.audiencesaudiences OAuth2``
global.security.oauth2.clientSecretClé secrète client OAuth2``

Valeurs supprimées - ilum-core

Paramètres de sécurité
NomRaisonValeur
security.oauth2.clientIdLes paramètres de sécurité OAuth2 sont désormais configurés via des valeurs globales``
security.oauth2.issuerUriLes paramètres de sécurité OAuth2 sont désormais configurés via des valeurs globales``

3. Variables d’environnement d’exécution pour le frontend

Caractéristique

Configuration des variables d’environnement frontend via les valeurs helm ui.

Valeurs ajoutées - ilum-ui

Variables d’exécution
NomDescriptionValeur
runtimeVars.defaultConfigMap.enabledCarte de configuration par défaut pour les variables d’environnement d’exécution frontalevrai
runtimeVars.debugindicateur de journalisation de débogagefaux
runtimeVars.backenUrlURL du backend ilum-corehttp://ilum-core:9888
runtimeVars.historyServerUrlURL de l’interface utilisateur du serveur d’historiquehttp://ilum-history-server:9666
runtimeVars.jupyterUrlURL de l’interface utilisateur Jupyterhttp://ilum-jupyter:8888
runtimeVars.airflowUrlURL de l’interface utilisateur d’Airflowhttp://ilum-webserver:8080
runtimeVars.minioUrlURL de l’interface utilisateur Miniohttp://ilum-minio:9001
runtimeVars.mlflowUrlURL de l’interface utilisateur de mlflowhttp://mlflow:5000
runtimeVars.historyServerPathChemin d’accès du proxy ilum-ui à l’interface utilisateur du serveur d’historique/serveur-d-historique/externe/
runtimeVars.jupyterPathChemin d’accès du proxy ilum-ui à l’interface utilisateur Jupyter/externe/jupyter/lab/arbre/travail/IlumIntro.ipynb
runtimeVars.airflowPathChemin d’accès du proxy ilum-ui à l’interface utilisateur d’airflow/externe/flux d’air/
runtimeVars.dataPathChemin d’accès du proxy ilum-ui à l’interface utilisateur minio/externe/minio/
runtimeVars.mlflowPathChemin d’accès du proxy ILUM-UI à l’interface utilisateur MLFrFlow/externe/mlflow/

Valeurs supprimées - ilum-ui

NomRaison
déboguerdéplacé vers la section runtimeVars
backenUrldéplacé vers la section runtimeVars
historyServerUrldéplacé vers la section runtimeVars
jupyterUrldéplacé vers la section runtimeVars
airflowUrldéplacé vers la section runtimeVars

4. Pile de Kube-prometheus dans le graphique ilum-aio

Caractéristique

Pile de Kube prometheus dans le graphique AIO de l’ilum. Préconfiguré pour fonctionner automatiquement avec le déploiement d’ilum afin de collecter les métriques des pods ilum et des tâches Spark exécutées par ilum. Ilum fournit des moniteurs de service prometheus pour extraire automatiquement les métriques des pods de pilote Spark exécutés par ilum et les services backend ilum. De plus, ilum_aio graphique fournit des tableaux de bord grafana intégrés qui peuvent être trouvés dans Ilum dossier.

Valeurs ajoutées - ilum-aio

kube-prometheus-stack variables - pour une vérification de configuration étendue Graphique helm de la pile Kube-Prometheus
NomDescriptionValeur
kube-prometheus-stack.enabledkube-prometheus-stack enabled flagfaux
kube-prometheus-stack.releaseLabelkube-prometheus-stack pour surveiller la ressource uniquement à partir de la version ilum_aiovrai
kube-prometheus-stack.kubeStateMetrics.enabledkube-prometheus-stack Scraping des composants kube state metrics enabled flagfaux
kube-prometheus-stack.nodeExporter.enabledkube-prometheus-stack node, exportateur, daemon, set, deployment flagfaux
kube-prometheus-stack.alertmanager.enabledkube-prometheus-stack alert manager flagfaux
kube-prometheus-stack.grafana.sidecar.dashboards.folderAnnotationkube-prometheus-stack, Si spécifié, le sidecar recherchera une annotation avec ce nom pour créer un dossier et mettre le graphique icigrafana_folder
kube-prometheus-stack.grafana.sidecar.dashboards.provider.foldersFromFilesStructurekube-prometheus-stack, permet à Grafana de répliquer la structure du tableau de bord à partir du système de fichiersvrai

Valeurs ajoutées - ilum-core

NomDescriptionValeur
job.prometheus.enabledprometheus activé, si les tâches true spark exécutées par Ilum partageront les métriques au format prometheusvrai

5. Marquez OpenLineage dans le graphique ilum-aio

Caractéristique

Marquez OpenLineage dans le graphique AIO ilum. Marquez permet d’utiliser, de stocker et de visualiser les métadonnées OpenLineage à l’échelle d’une organisation. Des cas d’utilisation tels que la gouvernance des données, la surveillance de la qualité des données et l’analyse des performances. Lorsque marquez est activé dans ilum AIO, la pile de helm spark exécutée par Ilum partagera les informations de traçabilité avec le backend de marquez. L’interface Web de Marquez visualise les informations de privilège des données collectées à partir des tâches Spark et elles sont accessibles via l’interface utilisateur ilum en tant qu’iframe.

Valeurs ajoutées - ilum-aio

NomDescriptionValeur
global.lineage.enabledDrapeau Marquez Enabledfaux

Valeurs ajoutées - ilum-core

NomDescriptionValeur
job.openLineage.transport.typeType de communication Marquezhttp
job.openLineage.transport.serverUrlURL du backend Marquezhttp://ilum-marquez:9555/
job.openLineage.transport.endpointPoint de terminaison du backend Marquez/externe/lignage/api/v1/lignage

Valeurs ajoutées - ilum-marquez

Graphique entier nouvellement ajouté, vérifiez ses valeurs sur Page du graphique

Valeurs ajoutées - ilum-ui

NomDescriptionValeur
runtimeVars.lineageUrlurl pour fournir marquez openlineage UI iframehttp://ilum-marquez-web:9444
runtimeVars.lineagePathChemin d’accès du proxy ilum-ui à l’interface utilisateur de marquez openlineage/externe/lignée/

VERSION 6.0.3

1. Paramètre max.request.size paramétré des producteurs de kafka dans le graphique ilum-core

Caractéristique

En mode de communication kafka, ilum interactive jobs répond à des instances de job interactif à l’aide de kafka producers. Avec la nouvelle valeur helm max.request.size, le paramètre producteur kafka peut être adapté pour correspondre aux besoins de taille des réponses.

Valeurs ajoutées - ilum-core

Paramètres Kafka
NomDescriptionValeur
kafka.requestSizeParamètre kafka max.request.size pour les tâches ilum Kafka producers20000000

VERSION 6.0.2

1. Prise en charge de hdfs, gcs et du stockage blob Azure dans le graphique ilum-core

Caractéristique

Le cluster Ilum n’a plus besoin d’être attaché au stockage s3, à partir de maintenant, le cluster par défaut peut être configuré pour utiliser hdfs, gcs ou Azure Blob comme stockage. Cela peut être réalisé en utilisant les nouvelles valeurs ajoutées dans le graphique de barre ilum-core.

Valeurs supprimées - ilum-core

NomRaison
kubernetes.s3.bucketDésormais, deux compartiments séparés doivent être définis avec de nouvelles valeurs : kubernetes.s3.sparkBucket, kubernetes.s3.dataBucket

Valeurs ajoutées - ilum-core

Paramètres de stockage Kubernetes
NomDescriptionValeur
kubernetes.upgradeClusterOnStartupMise à niveau du cluster Kubernetes par défaut à partir des valeurs de l’indicateur de carte de configurationfaux
kubernetes.stockage.typeType de stockage de cluster Kubernetes par défaut, options disponibles : S3, CGV, WASB, HDFSS3
Paramètres de stockage Kubernetes S3
NomDescriptionValeur
kubernetes.s3.hostHôte de stockage S3 du cluster Kubernetes par défaut pour stocker les ressources SparkS3
kubernetes.s3.portPort de stockage S3 du cluster Kubernetes par défaut pour stocker les ressources Spark7000
kubernetes.s3.sparkBucketBucket de stockage S3 du cluster Kubernetes par défaut pour stocker les ressources Sparklimes-ilum
kubernetes.s3.dataBucketBucket de stockage S3 du cluster kubernetes par défaut pour stocker les tables ilumTables-Ilum
kubernetes.s3.accessKeyClé d’accès au stockage S3 du cluster Kubernetes par défaut pour stocker les ressources Spark""
kubernetes.s3.secretKeyClé secrète de stockage S3 du cluster kubernetes par défaut pour stocker les ressources Spark""
Paramètres de stockage GCS Kubernetes
NomDescriptionValeur
kubernetes.gcs.clientCourriele-mail du client de stockage GCS du cluster kubernetes par défaut""
kubernetes.gcs.sparkBucketBucket de stockage GCS de cluster Kubernetes par défaut pour stocker les ressources Spark« ilum-files »
kubernetes.gcs.dataBucketBucket de stockage GCS de cluster Kubernetes par défaut pour stocker les tables ilum« Tables-ilum »
kubernetes.gcs.privateKeyClé privée de stockage GCS du cluster kubernetes par défaut pour stocker les ressources Spark""
kubernetes.gcs.privateKeyIdID de clé privée de stockage GCS de cluster kubernetes par défaut pour stocker les ressources Spark""
Paramètres de stockage WASBS Kubernetes
NomDescriptionValeur
kubernetes.wasbs.accountNamenom du compte de stockage WASBS du cluster kubernetes par défaut""
kubernetes.wasbs.accessKeyClé d’accès au stockage WASBS du cluster Kubernetes par défaut pour stocker les ressources Spark""
kubernetes.wasbs.sparkContainer.namenom du conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les ressources Spark« ilum-files »
kubernetes.wasbs.sparkContainer.sasTokenjeton sas de conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les ressources Spark""
kubernetes.wasbs.dataContainer.namenom du conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les tables ilum« Tables-ilum »
kubernetes.wasbs.dataContainer.sasTokenjeton sas de conteneur de stockage WASBS du cluster kubernetes par défaut pour stocker les tables ilum""
Paramètres de stockage HDFS Kubernetes
NomDescriptionValeur
kubernetes.hdfs.hadoopNom d’utilisateurcluster Kubernetes par défaut Stockage HDFS Nom d’utilisateur hadoop""
kubernetes.hdfs.configcluster Kubernetes par défaut Référentiel de stockage HDFS des fichiers de configuration avec le nom comme clé et le contenu encodé en base64 comme valeur""
kubernetes.hdfs.sparkCatalogCluster Kubernetes par défaut Catalogue de stockage HDFS pour stocker les ressources Spark« ilum-files »
kubernetes.hdfs.dataCatalogcluster kubernetes par défaut Catalogue de stockage HDFS pour stocker les ilum-tables« Tables-ilum »
kubernetes.hdfs.keyTabcluster kubernetes par défaut HDFS stockage keytab fichier contenu encodé en base64""
kubernetes.hdfs.principalnom du principal de stockage HDFS du cluster Kubernetes par défaut""
kubernetes.hdfs.krb5cluster kubernetes par défaut Stockage HDFS Fichier krb5 Contenu encodé en base64""
kubernetes.hdfs.trustStorecluster kubernetes par défaut : confiance de stockage HDFS ; stocker le contenu encodé en base64""
kubernetes.hdfs.logRépertoirecluster kubernetes par défaut répertoire de stockage HDFS chemin d’accès absolu au stockage eventLog pour le serveur d’historique""

Important! Assurez-vous que les compartiments S3/GCS ou les conteneurs WASBS sont déjà créés et accessibles !

2. Ajout d’un serveur d’historique d’étincelles au graphique helm d’ilum-core

Caractéristique

Le serveur d’historique Spark peut être déployé dès maintenant avec ilum-core. La configuration du serveur d’historique est transmise à chaque travail Spark exécuté par ilum. L’interface utilisateur du serveur d’historique est désormais accessible par l’interface utilisateur ilum. S’il est activé, il utilisera le stockage de cluster kubernetes par défaut configuré avec kubernetes. [STORAGE_TYPE]. [PARAMETER] comme stockage eventLog.

Valeurs ajoutées - ilum-core

Paramètres du serveur d’historique
NomDescriptionValeur
historyServer.enabledIndicateur du serveur d’historique Sparkvrai
historyServer.imageImage du serveur d’historique Sparkilum/lance-étincelles :spark-3.5.3
historyServer.addressAdresse du serveur de l’historique Sparkhttp://ilum-history-server:9666
historyServer.pullPolicyStratégie d’extraction d’images du serveur d’historique SparkIfNotPresent
historyServer.imagePullSecretsSecrets d’extraction d’images du serveur d’historique Spark[]
historyServer.parametersSpark History Server Paramètres Spark personnalisés[]
historyServer.resourcesRessources du pod du serveur d’historique Spark
Limites:
mémoire : « 500Mi »
Requêtes:
mémoire : « 300Mi »
historyServer.service.typeType de service de serveur d’historique SparkClusterIP (en anglais)
historyServeur.service.portPort de service du serveur d’historique Spark9666
historyServer.service.nodePortspark history server service nodePort""
historyServer.service.clusterIPspark history server service clusterIP""
historyServer.service.loadBalancerIPspark history serveur service loadbalancerIP""
historyServer.ingress.enabledIndicateur d’entrée du serveur Spark Historyfaux
historyServer.ingress.versionVersion d’entrée du serveur Spark History« v1 »
historyServer.ingress.classNamespark history server ingress className""
historyServer.ingress.hostHôte d’entrée du serveur Spark History« hôte »
historyServeur.chemin.d’entréeChemin d’entrée du serveur d’historique Spark"/(.*)"
historyServer.ingress.pathTypespark history chemin d’entrée du serveurPréfixe
historyServer.ingress.annotationsAnnotations du serveur d’historique Sparknginx.ingress.kubernetes.io/rewrite-target : /1 $
nginx.ingress.kubernetes.io/proxy-body-size : « 600m »
nginx.org/client-max-body-size : « 600m »

Avertissements

  1. Assurez-vous que HDFS logDirectory (valeur helm kubernetes.hdfs.logDirectory) est le chemin absolu du sparkCatalog configuré avec le suffixe /ilum/logs ! Par exemple, pour kubernetes.hdfs.sparkCatalog=spark-catalog, mettez hdfs://name-node/user/username/spark-catalog/ilum/logs

3. Maintien dans l’emploi dans le graphique ilum-core

Caractéristique

Les tâches Ilum seront supprimées après l’expiration de la période de rétention configurée

Valeurs ajoutées - ilum-core

Paramètres de rétention d’emploi
NomDescriptionValeur
job.retain.hoursLimite d’heures de rétention des emplois Spark168