Skip to main content

Upgrade Notes

Upgrade notes

NEXT RELEASE

NOTE TEMPLATE

1. Change

Feature:

Feature description

Values deleted - chart name

NameReason
helm.valueHelm value deletion reason

Values added - chart name

Values section description
NameDescriptionValue
helm.valueHelm value descriptiondefault value

Names changed - chart name

Old NameNew Name
old namenew name

⚠️⚠️⚠️ Warnings

Values changed - chart name

NameOld valueNew Value
helm.valueold valuenew value

RELEASE 6.7.3

1. UI internationalization (i18n) + RTL

Feature:

The web UI can now switch language and text direction at runtime from Settings (persisted to localStorage). The set of available languages is config-driven: add or remove a language with no frontend rebuild. Ships English + Persian (RTL) + Arabic (RTL) + Portuguese + Spanish + Chinese

  • Hindi; direction follows the language.

Values added - helm_ui (mirrored under ilum-ui.runtimeVars in helm_aio)

UI language configuration (rendered into the ilum-ui ConfigMap)
NameDescriptionValue
runtimeVars.defaultLanguageDefault UI language code (ILUM_DEFAULT_LANGUAGE)en
runtimeVars.availableLanguagesLanguages in the selector + i18next supportedLngs (ILUM_AVAILABLE_LANGUAGES); array of {code,label,dir,font?}[en, fa(rtl), ar(rtl), pt, es, zh, hi]
i18n.extraLocaleConfigMapsOptional ConfigMaps mounted over /usr/share/nginx/html/locales// to add or override catalogs at runtime (no rebuild)[]

Per-language font (the font field of each availableLanguages entry): Persian (fa) uses IRANSans, Arabic (ar) uses Vazirmatn. Both are self-hosted and the binaries are NOT shipped in the image; fa uses the free IRANSansWeb build. To render Persian in IRANSans, place the IRANSansWeb woff2 files in a custom UI image (public/fonts/) or mount them; otherwise the UI falls back to the system Persian font. Vazirmatn is SIL-OFL — confirm IRANSansWeb's terms fit your deployment, or set fa's font to "Vazirmatn".

⚠️⚠️⚠️ Warnings

None. New keys are additive with safe defaults; existing installs default to English with no behavior change. To add a brand-new language at runtime, append an availableLanguages entry AND mount its catalog JSON via i18n.extraLocaleConfigMaps (or bake it into a custom UI image under public/locales//).

2. RustFS object-storage provider (opt-in)

Feature:

RustFS (Apache-2.0) is now bundled as an opt-in S3-compatible object storage provider alongside MinIO, which remains the default in the 6.7.x line. RustFS is planned to become the default in 6.8.0. Switching is a single Helm flag (rustfs.enabled=true, minio.enabled=false). A pre-upgrade hook refuses helm upgrade when an existing MinIO PVC would be orphaned without explicit acknowledgement.

For step-by-step instructions, refer to Migrate Between Object Storage Providers. For the broader storage decision and provider reference pages, refer to the Object Storage section.

3. Object-storage credentials consolidation

Feature:

All object-storage consumers now read S3 credentials from a single shared Secret, ilum-objectstorage-credentials, instead of per-consumer literal values in values.yaml. The Secret holds six aliased keys: access-key, secret-key, root-user, root-password, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY. Consumers wired to this Secret include ilum-core, ilum-jupyter, ilum-history-server, ilum-hive-metastore, airflow, kestra, trino, langfuse, loki, minio, and rustfs.

Default credentials for net-new installs are admin/admin. On upgrade, the credentials-secret template's lookup preserves the live Secret values, so existing deployments keep their current credentials.

Per-consumer accessKey/secretKey literals in Helm values are now ignored when an existingSecret reference is set, which is the default in helm_aio.

The chart resolves the S3 Service + credentials Secret via templates/_storage.tpl helpers. Defaults to MinIO (ilum-minio, keys root-user/root-password); a live lookup for Service ilum-objectstorage switches it to the rustfs alias (ilum-objectstorage-credentials, keys access-key/secret-key) automatically. objectStorage.useAlias: true forces the alias path for CI helm template (no cluster lookup). Rotation is performed by editing the shared Secret and restarting the affected Pods. For the full procedure, refer to Rotate Object Storage Credentials.

4. OpenMetadata + OpenLineage integration

Feature:

Ilum now ships an optional OpenMetadata data-catalog and governance layer, fed by OpenLineage events from Airflow and Spark. The whole stack is disabled by default and is safe on upgrade: an existing deployment that does not set the new flags brings up zero OpenMetadata resources and behaves exactly as before.

The integration is gated by five flags, all defaulting to false: openmetadata.enabled, openmetadata-dependencies.enabled, openmetadataBootstrap.enabled, fixHmsDeltaColumns.enabled, and ilum-core.job.openLineage.openmetadata.enabled. Enabling the first four plus the OpenLineage transport leg brings up the OpenMetadata server (a small Ilum fork of the 1.12.5 image), its OpenSearch + PostgreSQL dependencies, the bootstrap Job, and the OL→OM backfill CronJob. Spark and Airflow lineage then flows into OpenMetadata via a composite OpenLineage transport that fans out to both Marquez and OpenMetadata.

Iceberg-via-Nessie catalog ingestion ships in preview status. For configuration, the governance model, and operational details, refer to OpenMetadata.

5. OM bootstrap Job + bot tokens

  • Bootstrap is a regular Job (-om-bootstrap-), not a hook — helm install returns immediately. Watch: kubectl logs -f job/-om-bootstrap-; final line is BOOTSTRAP_SUMMARY: {...}. Completed Jobs GC after 24h.
  • Bot tokens default-on (openmetadataBootstrap.botTokens.enabled: true): OM clients use the ingestion-bot/lineage-bot JWTs in the ilum-om-bot-tokens Secret; consumers fall back to admin login while the Secret holds placeholders.
  • ilum-core blocks startup on the bot token (job.openLineage.openmetadata.auth.waitForBotToken: true) via a wait-for-om-bot-token initContainer, so OpenLineage never falls back to the 1h-expiring admin login (which 401s long-lived Kyuubi engines). Set waitForBotToken: false for an external OM with no bootstrap-published token.
  • Bot-token attribution is self-healing but lags: pods that boot before the JWTs are published attribute OM writes to the ilum admin until their next restart. To switch immediately, roll Airflow + ilum-core once after BOOTSTRAP_SUMMARY. Cosmetic only (audit attribution) — both paths have identical permissions.
  • ilum-om-bot-tokens carries helm.sh/resource-policy: keep and holds never-expiring JWTs. On a shared cluster, after teardown delete it explicitly (kubectl delete secret ilum-om-bot-tokens -n ) or rotate the bots in OM.

6. OpenMetadata bootstrap behaviour

The bootstrap Job registers Hive/Superset/MinIO/Delta services and runs polish ops: sets openMetadataBaseUrlConfiguration, triggers SearchIndexing + DataInsights, seeds Table custom properties (sourceSystem, slaHours), bumps certification duration to P365D, and seeds two demo users. All ops are idempotent + non-fatal, and re-runs preserve operator overrides (GET-before-PUT on the base URL, service connections carrying ssl/kerberos/sasl/jaas/auth keys, and existing custom properties). The Hive service routes through Kyuubi (ilum-sql-thrift-binary:10009) — no separate Kyuubi service is registered.

NameDescriptionValue
openmetadataBootstrap.publicBaseUrlOM base URL for alert mails / deep-links. Override in production.http://localhost:9777/external/openmetadata
openmetadataBootstrap.demoUsersEnabledSeed analyst/steward demo users. Set false in production.true
openmetadataBootstrap.certificationDurationISO8601Default certification validity."P365D"
openmetadataBootstrap.omUserOM admin user (Secret -openmetadata-admin).[email protected]
openmetadataBootstrap.omPasswordOM admin password. Change for production.admin
openmetadataBootstrap.botTokens.enabledPublish bot JWTs to ilum-om-bot-tokens.true

The OM admin password lives only in the -openmetadata-admin Secret (consumed by the bootstrap Job, Airflow, and ilum-core via secretKeyRef); rotate by editing openmetadataBootstrap.omPassword. Two more Secrets render with the release: ilum-superset-admin and ilum-hms-db-creds (account for them if you mirror manifests externally).

7. OM ingestion CronJobs are OM-owned

OM creates 7 om-cronjob-* ingestion CronJobs server-side (label managed-by=openmetadata, no ownerReferences). Edit schedules/pipelines through a re-bootstrap PATCH, not the CronJob directly (reverted on next bootstrap). The helm uninstall pre-delete hook reaps them. Scheduled Hive ingestion runs with overrideMetadata: false so it preserves DAG-set Tier/Certification governance.

8. Delta + lineage helpers (opt-in flags, default on)

NameDescriptionValue
openmetadataBootstrap.deltaEnricher.enabledCronJob PATCHing Delta facets onto OM tables (Rust deltalake, ~80MB).true
openmetadataBootstrap.deltaEnricher.scheduleDelta property refresh cron.0 */6 * * *
openmetadataBootstrap.olBackfill.enabledCronJob replaying Marquez OL events to OM (idempotent gap-fill).true
openmetadataBootstrap.olBackfill.scheduleOL replay scan cron.0 2 * * *
fixHmsDeltaColumns.enabledPost-install/upgrade Job repairing Delta col array HMS schemas.false

OM's native DeltaLake-S3 connector stays paused (>4Gi peak); the enricher CronJob fills Delta facets instead.

9. OpenLineage namespace

Airflow OL events use airflow.config.openlineage.namespace (default ilum-airflow, single source of truth). Bootstrap's namespaceToServiceMapping attaches s3://ilum-data, spark://ilum-sql-thrift-binary:10009, and ilum-airflow to the right OM services. Override the namespace only to match events already in Marquez/OM.

10. Production overrides checklist

KeyDefaultFor production
openmetadataBootstrap.publicBaseUrlhttp://localhost:9777/external/openmetadataactual ingress URL
openmetadataBootstrap.demoUsersEnabledtruefalse (use LDAP/OIDC)
openmetadataBootstrap.omPasswordadmina real password
gitea.gitea.config.server.ROOT_URLhttp://localhost:9777/external/gitea/public host (path must match STATIC_URL_PREFIX)

The chart installs into any namespace (bare service DNS names, no .svc.cluster.local). If you carry extraValues overrides with FQDN metastore addresses, drop .ilum.svc.cluster.local or Spark lineage silently fails to map.

11. Iceberg via Project Nessie (opt-in, OFF by default)

A stock install runs Hive-only with no Nessie pod. Enable Iceberg cataloging (starts a Nessie pod + Postgres DB) with BOTH flags — the gate ANDs them:

helm upgrade ilum ./helm_aio \
--set nessie.enabled=true \
--set openmetadataBootstrap.services.iceberg.enabled=true
NameDescriptionValue
openmetadataBootstrap.services.iceberg.enabledRegister OM Iceberg service (needs nessie.enabled).false
openmetadataBootstrap.services.iceberg.restUriNessie Iceberg-REST URI (no ref in path).http://ilum-nessie:19120/iceberg
openmetadataBootstrap.services.iceberg.warehouse / .catalogNameSymbolic warehouse name.nessie_catalog
openmetadataBootstrap.services.iceberg.{endpoint,accessKey,secretKey,region}S3-reader overrides (empty = objectStorage Secret)."" / us-east-1
nessie.catalog.enabledNessie Iceberg-REST endpoint.true

Gotchas:

  • Do NOT disable Hive to go "Iceberg-first": the bundled example tables are Delta/Parquet via HMS, and bootstrap gates SUCCESS on Hive producing ≥10 tables (openmetadataBootstrap.examplesIngest.expectedMinTables). Iceberg-only also needs openmetadataBootstrap.examplesIngest.enabled=false.
  • The OM ingestion reader reads Iceberg metadata.json/manifests directly from S3, so it MUST hold creds that read s3://ilum-data/nessie_catalog/. A credential mismatch registers fine but ingests 0 tables.
  • On rustfs/non-default backends, override nessie.catalog.storage.s3.defaultOptions.accessKeySecret (static YAML, defaults to the minio Secret) so Nessie and the OM reader resolve the SAME identity.
  • To catalog a ref other than main, pin it via a Nessie warehouse, not the URI path (putting the ref in the path → HTTP 404). OM ingests one ref; no history.

12. Hive 4 support (opt-in)

Set ilum-hive-metastore.majorVersion: 4 for apache/hive:standalone-metastore-4.x images (default 3). A v3 Postgres DB cannot be reused for v4 (incompatible schemas). Running v3 + v4 side-by-side: give v4 its own database (--set ilum-hive-metastore.postgresql.database=metastore_v4) and add it to postgresExtensions.databasesToCreate. Spark against a v4 metastore needs Hive 4 client jars — use ilum/spark:4.0.2-delta-hive4 as the cluster image.

13. Airflow pools

airflowExtensions.pools pre-creates the listed Airflow pools (name + slots) via an init container on the Airflow api-server/scheduler. Default is empty ([]); add your own DAGs' pools here.

14. Cross-stack observability + cost attribution

Feature

A new cross-stack observability stack (off by default) bundles an OpenTelemetry Collector (helm_otel_collector sub-chart), a Tempo trace backend (ilum-tempo, S3-backed), and Loki/Promtail log correlation, adding a Pipeline Trace tab spanning Airflow → ilum-service → Spark. A separate daily cost-attribution rollup (off by default) writes cost landing files from an in-driver Spark plugin and folds them in-core into per-job and per-table Cost tabs. Hostnames are release-name portable via _helpers.tpl, so the stack works under any release name. The settings entity (sampling ratio, listener policy, rate card) is seeded from helm_core's observabilityDefaults on first boot only — UI/dev-API edits win afterward. The previously-unprotected /api/dev/reactive/lineage/* and /cost/* endpoints now require permissions.

Values added - helm_aio

NameDescriptionValue
global.observability.otel.enabledEnable the OTel collector + Tempo trace backend + log correlationfalse
global.observability.monitoring.enabledRender the ServiceMonitor + PrometheusRule alert set for Tempo/collectorfalse
global.costAggregator.enabledEnable the daily cost-attribution rollupfalse
global.costAggregator.retentionDaysClamp the cost reader window to this many days90
global.observability.otel.tempoAuth.modeTempo query auth (none | bearer | basic)none
global.logAggregation.loki.auth.modeLoki query auth (none | bearer | basic)none
global.observability.otel.tenant.idTenant filter for a shared Tempo (empty = single-tenant)""

Values changed - ilum-tempo

NameOld valueNew value
ilum-tempo.tempo.resources.limits.memory2Gi4Gi

⚠️ Warnings

The observability stack hostnames are now derived at render time by helpers in helm_aio/templates/_helpers.tpl (ilum-aio.tempoHost, ilum-aio.lokiReadHost, ilum-aio.otelCollectorHost, ilum-aio.lokiQueryUrl). An overlay carrying an explicit hostname override copied from a previous release still takes precedence but couples the install to the ilum release name — drop it to let the helpers pick the correct hostname.

RELEASE 6.7.2

1. Default Java options for ilum-core

Feature:

Added default JVM options to ilum-core for optimized memory and performance. The javaOpts value is now appended to security-related Java options (trustStore/keyStore) instead of replacing them, allowing both to coexist.

Values changed - helm_core

NameOld valueNew Value
javaOpts"""-XX:-UsePerfData -XX:+UseStringDeduplication -Xms256m -XX:MaxMetaspaceSize=256m -XX:MaxDirectMemorySize=256m -XX:CICompilerCount=2 -XX:G1ConcRefinementThreads=2 -XX:ReservedCodeCacheSize=128m"

2. Unity Catalog init container for ilum-core

Feature:

Added a wait-for-unity-catalog init container to the ilum-core deployment, matching the existing pattern for Hive and Nessie. When metastore.type is set to unity, the init container waits for the Unity Catalog server to become reachable before starting ilum-core, preventing startup failures due to race conditions.

Values added - helm_aio

NameDescriptionValue
ilum-core.metastore.unity.statusProbe.enabledEnable init container to wait for Unity Catalogtrue

3. PostgreSQL support for ilum-core

Feature:

Added PostgreSQL as an alternative persistence backend to MongoDB. The backend is selected via storage.type (mongo or postgres). When set to postgres, Mongock migrations and the MongoDB status probe are skipped, and PostgreSQL connection details are injected instead. The MongoDB URI (mongo.uri) is always present in the configmap regardless of storage.type, so that the built-in MongoToPostgresMigration tool can read from MongoDB during migration. Flyway migrations run automatically on startup — no manual schema setup is needed. Existing deployments using MongoDB are unaffected; the default remains mongo.

Values added - helm_core

Storage type selection and migration
NameDescriptionValue
storage.typePersistence backend: mongo or postgresmongo
storage.migration.mongoToPostgresEnable one-time data migration from MongoDB to PostgreSQL. Set to true together with storage.type=postgres and a valid mongo.uri to migrate all data on startup. Disable after migration completes.false
PostgreSQL connection settings
NameDescriptionValue
postgres.hostPostgreSQL hostnameilum-postgresql
postgres.portPostgreSQL port5432
postgres.databaseDatabase nameilum
postgres.usernameDatabase usernameilum
postgres.passwordDatabase passwordCHANGEMEPLEASE
postgres.createSecretCreate a K8s Secret with postgres credentialstrue
postgres.existingSecretUse an existing K8s Secret (must have keys: POSTGRES_USERNAME, POSTGRES_PASSWORD)""
postgres.statusProbe.enabledEnable init container that waits for PostgreSQL readinesstrue
postgres.statusProbe.imageImage used for the PostgreSQL readiness probebusybox:1.36

⚠️⚠️⚠️ Warnings

Migrating from MongoDB to PostgreSQL:

  1. Set storage.type=postgres and configure postgres.* connection values
  2. Ensure mongo.uri still points to the existing MongoDB instance
  3. Set storage.migration.mongoToPostgres=true
  4. Run helm upgrade — the backend will migrate all data from MongoDB to PostgreSQL on startup
  5. After successful migration, set storage.migration.mongoToPostgres=false and run helm upgrade again

4. Slimmed down ilum-core bundled configuration

Feature:

The bundled application.yml in ilum-core has been significantly slimmed down. Hardcoded defaults that are now managed by the application itself (Spring multipart config, Kafka admin settings, codec size, task scheduling pool, leader election tuning, third-party logging levels, license validation details) have been removed from the Helm-generated config. This reduces the surface area of the ConfigMap and avoids conflicts with application-managed defaults.

⚠️⚠️⚠️ Warnings

If you relied on any of the removed hardcoded values (e.g., custom spring.servlet.multipart limits, spring.kafka.admin.fail-fast, logging levels for org.apache.kafka or org.mongodb.driver), you must now set them via the new customConfig or overrideConfig mechanisms described below.

5. Config override and custom config for ilum-core

Feature:

Added two new mechanisms for advanced configuration of ilum-core:

  • overrideConfig: Replaces the bundled application.yml entirely with a user-managed ConfigMap (mounted at /etc/ilum/override).
  • customConfig: Mounts an additional ConfigMap at /etc/ilum/custom for partial overrides that layer on top of the bundled config.

Values added - helm_core

Full config override
NameDescriptionValue
overrideConfig.enabledEnable full config override (replaces bundled application.yml entirely)false
overrideConfig.configMapNameName of a user-managed ConfigMap containing a complete application.yml replacement""
Custom config escape hatch
NameDescriptionValue
customConfig.enabledEnable custom config escape hatch (mounts an additional ConfigMap at /etc/ilum/custom)false
customConfig.configMapNameName of a user-managed ConfigMap containing application.yml overrides""

⚠️⚠️⚠️ Warnings

The config mount path has changed from /config to /etc/ilum/config. If you have scripts or tooling that references the old path, update them accordingly.

6. Default communication mode changed to gRPC

Feature:

The default communication mode in ilum-core has changed from kafka to grpc.

Values changed - helm_core

NameOld valueNew Value
communication.typekafkagrpc

⚠️⚠️⚠️ Warnings

If your deployment depends on Kafka-based communication between ilum components, explicitly set communication.type: kafka in your values.

7. New configurable parameters in ilum-core

Feature:

Spring actuator endpoint exposure and job instance result timeout are now configurable via values instead of being hardcoded.

Values added - helm_core

NameDescriptionValue
management.endpoints.web.exposure.includeSpring actuator endpoints to expose"info,configprops,env,metrics,mappings,beans,prometheus,health"
job.instance.result.timeout.msJob instance result timeout in milliseconds120000

8. Schema and nullability fixes

Feature:

Fixed sql.url to sql.host in the ilum-core configmap to match the actual values key.

Names changed - helm_core (configmap only)

Old NameNew Name
sql.urlsql.host

9. rustfs added as an opt-in object storage provider

Feature

rustfs (Apache-2.0) is now bundled in helm_aio as an opt-in S3-compatible object storage provider (rustfs.enabled=false by default). minio remains the default provider (minio.enabled=true); rustfs is planned to become the default in 6.8.0. A stable Service alias ilum-objectstorage routes to whichever provider is enabled; all downstream consumers (Trino, Nessie, Jupyter, MLflow, Airflow, Kestra, Langfuse, the helm_core readiness probe) target this alias instead of provider-specific names.

⚠️⚠️⚠️ Warnings

  • rustfs is currently published as 1.0.0-alpha.99; distributed mode is marked "under testing" upstream. helm_aio defaults rustfs to standalone mode with a single 50Gi PVC.
  • A pre-upgrade hook detects orphan minio PVCs and refuses the upgrade unless the operator has chosen one of the paths below.

Choose one path on upgrade

Path A: keep using minio (zero-touch)
helm upgrade ilum ./helm_aio --set minio.enabled=true --set rustfs.enabled=false

Existing data is untouched; consumers continue talking to ilum-objectstorage which now selects minio pods.

Path B: migrate from minio to rustfs

Single credential source. Every consumer (ilum-core, jupyter, airflow, trino, kestra, langfuse, loki, hive-metastore, minio, rustfs) now reads S3 credentials from the shared ilum-objectstorage-credentials Secret. Net-new installs default to admin/admin; rotate with:

kubectl edit secret ilum-objectstorage-credentials
kubectl rollout restart deploy,statefulset -l 'app.kubernetes.io/part-of=ilum'

When upgrading from a MinIO-only deployment with non-default credentials, seed the new Secret with the live minio root creds before running the upgrade so consumers don't lose access:

EXISTING_USER=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-user}' | base64 -d)
EXISTING_PASS=$(kubectl get secret ilum-minio -o jsonpath='{.data.root-password}' | base64 -d)
kubectl create secret generic ilum-objectstorage-credentials \
--from-literal=access-key=$EXISTING_USER \
--from-literal=secret-key=$EXISTING_PASS \
--from-literal=root-user=$EXISTING_USER \
--from-literal=root-password=$EXISTING_PASS \
--from-literal=RUSTFS_ACCESS_KEY=$EXISTING_USER \
--from-literal=RUSTFS_SECRET_KEY=$EXISTING_PASS
# the credentials-secret template's preserveExisting lookup will keep these
# values intact across helm upgrades.
# 1. Run both providers side by side. Acknowledge the cutover so the
# pre-upgrade hook accepts the upgrade.
helm upgrade ilum ./helm_aio \
--set minio.enabled=true \
--set rustfs.enabled=true \
--set rustfs.migrationAcknowledged=true

# 2. Dry-run the migration Job to preview what would be copied.
helm upgrade ilum ./helm_aio \
--set minio.enabled=true \
--set rustfs.enabled=true \
--set rustfs.migrationAcknowledged=true \
--set migration.minioToRustfs.enabled=true \
--set migration.minioToRustfs.dryRun=true
kubectl logs job/ilum-minio-to-rustfs-migration-<rev>

# 3. Run the real migration.
helm upgrade ilum ./helm_aio \
--set minio.enabled=true \
--set rustfs.enabled=true \
--set rustfs.migrationAcknowledged=true \
--set migration.minioToRustfs.enabled=true
kubectl -n ilum wait job -l app.kubernetes.io/component=migration --for=condition=complete --timeout=600s

# 4. Verify (e.g. mc diff against both providers), then disable minio.
helm upgrade ilum ./helm_aio --set rustfs.migrationAcknowledged=true

For per-bucket manual procedures (no Job), see the documentation site: documentation/docs/operations/migrate-minio-to-rustfs.md.

Path C: net-new install

Nothing to do. minio is the default; the alias Service is created automatically. To start on rustfs instead, set rustfs.enabled=true and minio.enabled=false.

Values added - helm_aio

NameDescriptionValue
global.s3.hostStable Service name targeted by S3 consumersilum-objectstorage
global.s3.portS3 API port9000
global.s3.consolePortWeb console port9001
global.s3.regionDefault S3 regionus-east-1
global.s3.pathStylePath-style addressing flag for S3 clientstrue
global.s3.sslSSL flag for S3 clientsfalse
rustfs.enabledEnable bundled rustfs charttrue
rustfs.moderustfs deployment modestandalone
rustfs.persistence.sizerustfs PVC size50Gi
rustfs.migrationAcknowledgedOperator acknowledgement that disabling minio is intentional (read by the pre-upgrade hook)false
rustfsExtensions.enabledEnable bucket/policy bootstrap on rustfstrue
objectStorage.service.enabledRender the ilum-objectstorage Service aliastrue
objectStorage.credentials.createCreate the shared credentials Secrettrue
objectStorage.credentials.nameName of the shared credentials Secretilum-objectstorage-credentials
objectStorage.credentials.accessKeyDefault access key (only used to bootstrap the Secret; rotated values survive upgrades via lookup)admin
objectStorage.credentials.secretKeyDefault secret keyadmin
rustfs.secret.rustfs.access_keyRoot access key the rustfs Pod is launched with (must match objectStorage.credentials.accessKey)admin
rustfs.secret.rustfs.secret_keyRoot secret key the rustfs Pod is launched withadmin
objectStorage.defaultBucketsDefault buckets created by the rustfs init Job and migrated by the migration Job[ilum-files, ilum-data, ...]
migration.minioToRustfs.enabledRender the one-shot migration Jobfalse
migration.minioToRustfs.dryRunPass --fake to mc mirror (preview only)false
migration.minioToRustfs.deleteAfterAfter successful mirror, remove source data with mc mirror --removefalse
migration.minioToRustfs.ttlSecondsAfterFinishedKeep Job logs around for inspection86400
preUpgradeChecks.enabledRender the pre-upgrade safety hook (disable in CI)true

Values changed - helm_aio

NameOld valueNew value
minio.enabledtruefalse
ilum-core.kubernetes.s3.hostilum-minioilum-objectstorage
ilum-core.metastore.nessie.s3Endpointhttp://ilum-minio:9000/http://ilum-objectstorage:9000/
ilum-core.minio.statusProbe.baseUrlhttp://ilum-minio:9000http://ilum-objectstorage:9000
trino.catalogs.ilum-delta (s3.endpoint=...)http://ilum-minio:9000http://ilum-objectstorage:9000
mlflow.externalS3.hostilum-minioilum-objectstorage
mlflow.externalS3.existingSecretilum-minioilum-objectstorage-credentials
mlflow.externalS3.existingSecretAccessKeyIDKeyroot-useraccess-key
mlflow.externalS3.existingSecretKeySecretKeyroot-passwordsecret-key
kestra.configuration.kestra.storage.minio.endpointilum-minioilum-objectstorage
langfuse.langfuse.s3.endpointhttp://ilum-minio:9000http://ilum-objectstorage:9000
ilum-jupyter.extraEnv (S3_ENDPOINT)http://ilum-minio:9000http://ilum-objectstorage:9000
airflow.extraEnv (MINIO_ENDPOINT, AWS_ENDPOINT_URL, AIRFLOW_CONN_ILUM-MINIO)http://ilum-minio:9000http://ilum-objectstorage:9000
ilum-ui.runtimeVars.minioUrlhttp://ilum-minio:9001http://ilum-objectstorage:9001

Values added - helm_core

NameDescriptionValue
objectStorage.statusProbe.enabledEnable readiness probe init container for object storagetrue
objectStorage.statusProbe.baseUrlBase URL probed for readinesshttp://ilum-objectstorage:9000
objectStorage.statusProbe.imageProbe init-container imagecurlimages/curl:8.5.0
objectStorage.statusProbe.healthPathHTTP path probed (root works for both rustfs and minio)/

Values changed - helm_core

NameOld valueNew value
minio.statusProbe.baseUrlhttp://ilum-minio:9000http://ilum-objectstorage:9000

The legacy minio.statusProbe block is retained as a deprecated alias; templates prefer objectStorage.statusProbe and fall back to it when the new key is unset.

Values added - helm_ui

NameDescriptionValue
runtimeVars.objectStorageUrlConsole URL for the object-storage viewhttp://ilum-objectstorage:9001
runtimeVars.objectStoragePathUI iframe path/external/object-storage/
nginx.config.objectStorage.enabledRender the /external/object-storage/ proxy blockfalse
nginx.config.http_cookie.objectStorage.enabledCookie gate for the new pathtrue

10. Kestra chart 1.0.x upgrade (breaking)

Feature:

Bumped the bundled kestra chart from ^0.22.x to ^1.0.x (Kestra app ~v0.20 → v1.3.x). The Kestra Helm chart was rewritten in 1.0.0 — top-level deployment fields moved under a new common: block, the configuration: map was renamed to configurations.application, serviceAccountName was replaced by a structured serviceAccount block, the dind sidecar gained a mode: rootless|insecure selector, and the bundled postgres/minio/kafka/elasticsearch subchart dependencies were dropped (operators bring their own). The umbrella kestra: block has been restructured accordingly; existing Ilum integrations (PostgreSQL backend, MinIO storage, Nginx context path, root-mode dind, post-install example flow Job) are preserved.

Names changed - kestra

Old NameNew Name
kestra.configurationkestra.configurations.application
kestra.serviceAccountNamekestra.serviceAccount.name (with kestra.serviceAccount.create: false)
kestra.securityContextkestra.common.securityContext
kestra.initContainerskestra.common.initContainers
kestra.dind.image.tagkestra.dind.base.insecure.image.tag (with kestra.dind.mode: insecure)
kestra.dind.argskestra.dind.base.insecure.args
kestra.dind.securityContextkestra.dind.base.insecure.securityContext

Values changed - kestra

NameOld ValueNew Value
kestra.exampleFlow.kestraServicekestra-servicekestra
ilum-ui.runtimeVars.kestraUrlhttp://ilum-kestra-service:8080http://ilum-kestra:8080

Values deleted - kestra

NameReason
kestra.postgresql.enabledSubchart dependency removed in 1.0.0; operators provide their own PostgreSQL.
kestra.minio.enabledSubchart dependency removed in 1.0.0; operators provide their own object storage.
kestra.startupProbe.pathReplaced by the structured kestra.common.startupProbe (full Kubernetes probe spec). Path stays /external/kestra/health because Micronaut propagates server.contextPath to the management server (8081) too.
kestra.livenessProbe.pathReplaced by kestra.common.livenessProbe; path stays /external/kestra/health/liveness.
kestra.readinessProbe.pathReplaced by kestra.common.readinessProbe; path stays /external/kestra/health/readiness.

Values added - kestra

NameDescriptionValue
kestra.deployments.standalone.enabledEnables the standalone Kestra deployment in the new split-deployment model.true
kestra.deployments.standalone.dind.enabledEnables the dind sidecar for the standalone deployment.true
kestra.dind.modeSelects the dind sidecar mode (rootless or insecure); Ilum defaults to insecure to preserve prior root-mode behaviour.insecure
kestra.serviceAccount.createControls whether the chart creates the ServiceAccount; Ilum sets it to false and reuses the Spark SA.false

⚠️⚠️⚠️ Warnings

  • The Kestra application itself was bumped from the 0.x line to v1.3.x. Verify any custom flow definitions against the Kestra 1.0.0 migration guide — reserved Flow IDs, the purgeAuditLogs.permissions → resources rename, removal of the Singer plugin, dynamic rendering of input defaults, and custom-plugin package structure changes can break existing flows.
  • kestra.dind.mode: insecure runs the dind sidecar privileged with elevated capabilities. On hardened clusters switch to kestra.dind.mode: rootless and drop the kestra.common.securityContext.runAsUser/runAsGroup overrides.
  • The Kestra Service object is now named -kestra (chart fullname) instead of -kestra-service. The bundled helm_ui kestraUrl runtimeVar (consumed by the Nginx proxy via ILUM_KESTRA_URL) and the exampleFlow post-install Job have been updated to the new name. Any external references to ilum-kestra-service must be updated manually.
  • Kestra 1.0+ moved the flow API under a tenant path (/api/v1/{tenant}/flows). The bundled exampleFlow Job now POSTs to /api/v1/main/flows (the OSS implicit tenant). Operators with custom curl/SDK calls against the Kestra API must add the tenant segment.

11. Kyuubi server image bumped to 1.11.1-spark-trino

Feature

The default ilum-sql (Kyuubi) server image is bumped to ilum/kyuubi:1.11.1-spark-trino. Existing helm upgrade users will pick up the new image automatically.

Values changed - helm_kyuubi

NameOld ValueNew Value
image.tag1.10.2-spark-trino1.11.1-spark-trino

12. JupyterLab Pipeline Exporter ↔ Airflow integration (helm_jupyter)

Feature

The bundled JupyterLab now ships jupyterlab-pipeline-exporter (JPE), which generates Airflow DAGs from notebooks and can auto-trigger them against the in-cluster Airflow REST API. The helm_jupyter Deployment mounts a new jupyter-pipeline-exporter-cm.yaml ConfigMap and renders the env vars JPE needs to mint bearer tokens (AIRFLOW_JWT_SECRET, AIRFLOW_API_URL), push DAGs into Gitea (GITEA_USERNAME, GITEA_PASSWORD), and build clickable deep-links (ILUM_UI_URL).

git.enabled is split into two orthogonal flags so a slim deploy without the gitea subchart can keep JPE's Gitea creds without forcing the init-container seed loop to run. The init loop (curl healthz wait + git init/commit/push) is now gated on git.initialCommit.enabled; the GITEA_* env vars are gated on git.existingSecret alone. git.enabled is retained as a deprecated back-compat alias for git.initialCommit.enabled.

Operator impact (zero by default)

On AIO (airflow.enabled=true, gitea subchart present) the chart defaults render the full integration automatically on helm upgrade — no action required. On a slim deploy without Airflow, set airflowIntegration.enabled=false to suppress the JWT env block; on a slim deploy without the gitea subchart, set git.initialCommit.enabled=false (instead of the old git.enabled=false) so the init container no longer hangs while still mounting JPE's Gitea creds via git.existingSecret.

Values added - helm_jupyter

NameDescriptionValue
airflowIntegration.enabledRender the AIRFLOW_JWT_SECRET / AIRFLOW_API_URL block for JPE's DAG auto-triggertrue
git.initialCommit.enabledRun the init-container that seeds the work dir into Giteafalse
ilumUiUrlBrowser-facing Ilum UI base URL surfaced as ILUM_UI_URL for JPE deep-linkshttp://localhost:9777

Values changed - helm_jupyter

NamePre-upgradePost-upgrade
git.enabledgated init loop and GITEA_* env varsdeprecated alias for git.initialCommit.enabled; GITEA_* env vars now gate on git.existingSecret

13. Preset feature

Feature

New first-class Preset entity. A preset is a named bag of Spark / runtime properties that can be attached by id to clusters, services (groups), schedules, and jobs. At job-launch time the preset's properties merge into the resulting Spark config so users can pin a bundle (Delta / Iceberg / Hudi) once and reuse it instead of re-typing the same 5+ keys.

CRUD is exposed at POST/GET/PUT/DELETE /api/v1/preset (public) and at /api/dev/reactive/preset (internal). New PRESET_READ, PRESET_CREATE, PRESET_EDIT, PRESET_DELETE permissions are added.

Postgres V1 schema gains a preset table and preset_ids text[] columns on cluster, groups, schedule. Mongo gains the same field lazily — no migration required.

Operator-controllable defaults (helm)

helm_core/values.yaml ships a new top-level presets: block. Each entry (name, description, properties) is auto-seeded at first boot by the backend's DefaultPresetInitializer. The chart defaults ship a delta and an iceberg entry; remove or override them to taste, or set presets: [] to disable defaults entirely.

The default cluster's attached presets are also helm-controlled via kubernetes.defaultCluster.presetNames (defaults to [delta]). Each entry is resolved to a preset id at boot time via a deterministic v3 UUID derived from the name (same hash as the initializer uses), so the linkage is stable across restarts.

Values added — helm_core

NameDescriptionValue
presetsSpark/runtime property bundles auto-seeded on first bootList of delta + iceberg
kubernetes.defaultCluster.presetNamesNames (declared under presets:) attached to the default cluster on first boot[delta]

Values removed — helm_core

NameReason
kubernetes.defaultCluster.config.spark.kubernetes.container.imageMoved into the delta preset entry under top-level presets:
kubernetes.defaultCluster.config.spark.databricks.delta.catalog.update.enabledSame
kubernetes.defaultCluster.config.spark.sql.extensionsSame
kubernetes.defaultCluster.config.spark.sql.catalog.spark_catalogSame

Operator impact

Zero on a default upgrade. The bundled delta preset reproduces exactly the Delta keys that previously lived inline in the default cluster's defaultApplicationConfig. Existing user-created clusters keep their own config unchanged.

If you customised kubernetes.defaultCluster.config with non-Delta overrides, those entries are preserved as-is — only the four Delta-specific keys were lifted into the preset.

Operators wanting to add their own preset (e.g. a tuned nessie bundle) extend presets: in their values override:

ilum-core:
presets:
- name: nessie
description: Iceberg + Nessie wiring
properties:
spark.kubernetes.container.image: my-registry/spark:nessie
spark.sql.extensions: org.projectnessie.spark.extensions.NessieSparkSessionExtensions
# ...
kubernetes:
defaultCluster:
presetNames:
- delta
- nessie

Renaming a preset detaches any cluster / group / schedule that referenced the old id (the id is derived from the name). Detach in the UI first, or use the API to update presetIds to the new id before removing the old entry.

Merge precedence at job launch (last wins): cluster's effective config (including its attached presets via ClusterConfigurer) → system providers (memory, metastore, packages) → entity presets → entity jobConfig. The symmetric "plain spark args you typed at the entity level win" rule still applies. Follow-up #202 will extract image and namespace to first-class cluster fields so presets layer cleanly without the current "plain wins" caveat on the cluster scope.

14. Airflow secret backend + base image bump

Feature

The bundled Airflow image (ilum/airflow) now ships an IlumS3SecretsBackend that resolves the conn-id aliases ilum-minio, ilum-s3, and ilum-objectstorage (plus their _-separated and case variants) to a single canonical AIRFLOW_CONN_ILUM_S3 env var. Activating the backend (AIRFLOW__SECRETS__BACKEND=ilum_secrets_backend.IlumS3SecretsBackend) is already wired in helm_aio/values.yaml.

This replaces the broken AIRFLOW_CONN_ILUM-MINIO_CMD / AIRFLOW_CONN_ILUM-S3_CMD printf-based env-var pattern. Airflow 3 silently dropped _CMD resolution for connection env vars — the suffix now resolves only for config keys like SQL_ALCHEMY_CONN_CMD — which caused worker pods to surface RuntimeError: generator didn't yield from the remote-logging path and InvalidAccessKeyId from user S3Hook calls.

The same change bumps the base image from apache/airflow:3.1.6 to apache/airflow:3.2.1 across all four ops/docker/ilum-airflow/ variants (Dockerfile, Dockerfile-plain, Dockerfile-spark, Dockerfile-spark-4.x), and switches the bake-in install location for the backend to /opt/ilum_secrets/ with a PYTHONPATH prepend so the module path no longer depends on the base image's Python minor.

Operator impact (zero by default)

The Helm values flip is opt-in via the chart-default airflow.enabled flag — operators with airflow.enabled=true pick up the new env configuration automatically on helm upgrade. No DAG changes are required: BaseHook.get_connection("ilum-minio") and S3Hook(aws_conn_id="ilum-s3") continue to work, but now resolve to a storage-backend-agnostic connection.

KeyPre-upgradePost-upgrade
airflow.airflowVersion3.1.63.2.1
airflow.images.airflow.tag3.1.63.2.1
airflow.extraEnv AIRFLOW_CONN_ILUM-MINIO_CMD(broken printf pattern)removed
airflow.extraEnv AIRFLOW_CONN_ILUM-S3_CMD(broken printf pattern)removed
airflow.extraEnv AIRFLOW__SECRETS__BACKEND(unset)ilum_secrets_backend.IlumS3SecretsBackend
airflow.extraEnv AIRFLOW_CONN_ILUM_S3(unset)JSON literal with $(AWS_*) downward expansion

DAG-level changes from Airflow 3.1.6 to 3.2.1 are minor; full changelog at https://airflow.apache.org/docs/apache-airflow/3.2.1/release_notes.html.

Failure modes (now caught at chart-render time)

  • If an operator overrides airflow.images.airflow.tag to an ilum/airflow tag that does not contain /opt/ilum_secrets/ (e.g. an older custom build), the secrets backend resolves to ModuleNotFoundError: ilum_secrets_backend at scheduler start. Fix by upgrading the image or unsetting AIRFLOW__SECRETS__BACKEND.

15. Object storage console wiring is now data-driven

Feature

The active object-storage provider, the Object Storage iframe path, and the /external/object-storage/ nginx redirect target are now derived from a single source of truth in helm_aio/templates/_helpers.tpl. The previously hand-rolled three-way conditional in ui-cm.yaml has been replaced with helper calls; the objectstorage-svc.yaml inline resolution has been collapsed into the same helper.

A new objectStorage.providers registry maps provider names to their console paths and routing modes. To enable a third S3-compatible backend (e.g. SeaweedFS) for benchmarking or migration:

  1. Add the chart dependency under helm_aio/Chart.yaml.
  2. Add an entry under objectStorage.providers. with consolePath and consoleMode (same-origin or nginx-rewrite).
  3. Set objectStorage.activeProvider: to flip user-facing traffic.

Operator impact (zero by default)

Existing RC2 overlays that only set rustfs.enabled / minio.enabled / rustfs.migrationAcknowledged continue to work unchanged. The chart reads the legacy flags as back-compat shims.

The registry intentionally does NOT set a default enabled field for rustfs and minio; the chart-level flags (.Values.rustfs.enabled / .Values.minio.enabled) remain the single source of truth for those two providers. This avoids the silent override that would occur if the new chart-default registry flipped objectStorage.providers.rustfs.enabled=true on a user who had rustfs.enabled=false in their overlay.

Verified upgrade paths (zero operator action required):

Pre-upgrade overlayPost-upgrade resolved providerRisk
minio.enabled=true, rustfs.enabled=false (default)minionone
minio.enabled=false, rustfs.enabled=true (opt-in)rustfsnone
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=falseminio (data-bearing side)none
minio.enabled=true, rustfs.enabled=true, rustfs.migrationAcknowledged=truerustfs (post-cutover)none
objectStorage.activeProvider= explicit override verbatimonly if has no pods, ilum-core readiness fails loudly
Pre-RC2 install (no rustfs key, only minio.enabled=true)minionone

Misconfiguration scenarios that fail loudly (not silently):

  • 3+ providers enabled with activeProvider=auto: render-time error names the enabled providers and asks for an explicit choice.
  • Explicit activeProvider= where has no running pods: Service alias has no endpoints; ilum-core readiness probe fails with a clear log message.

New values to know about

KeyDefaultMeaning
objectStorage.previousProvider"minio"Required when two providers are enabled and activeProvider=auto. Names the side that holds the data; the alias targets it until cutover is acknowledged.
objectStorage.cutoverAcknowledgedfalseGeneralizes the previous rustfs.migrationAcknowledged. Flips the alias from previousProvider to the other enabled provider. The legacy flag is still honored as an alias.
objectStorage.providers..enabledper-providerMirror of .Values..enabled for new providers without their own chart-level flag.
objectStorage.providers..consolePath/rustfs/console/, /external/minio/UI iframe path for that provider's console.
objectStorage.providers..consoleModesame-origin (rustfs), nginx-rewrite (minio)Controls whether nginx redirects /external/object-storage/ to the provider's path (nginx-rewrite, for consoles pinned to a single URL) or keeps the proxy body (same-origin).

Failure modes (now loud)

  • Three or more providers enabled with activeProvider=auto: the chart fails at render time with a message naming the enabled providers and asking the operator to set activeProvider= explicitly.
  • Two providers enabled with previousProvider empty: chart fails at render time asking the operator to set previousProvider to the data-bearing side, or to set activeProvider explicitly.
  • activeProvider set to a name with no matching pods: the chart renders but the alias Service has no Endpoints, and ilum-core's readiness probe surfaces the misconfiguration in pod logs.

16. Rook-Ceph S3 Storage Backend (BYO)

Feature:

A pre-deployed (BYO) rook-ceph cluster can now be used as the sole S3-compatible storage backend, in place of the default minio (or opt-in rustfs). The rook-ceph operator and CephCluster must be deployed separately; see the Rook-Ceph user guide for end-to-end setup.

Values added - ilum (AIO)

NameDescriptionValue
rookCeph.enabledEnable rook-ceph S3 storage integration (requires pre-deployed rook-ceph)false
rookCeph.s3.hostRGW service hostname (e.g., rook-ceph-rgw-my-store.rook-ceph.svc.cluster.local)""
rookCeph.s3.serviceNameRGW Service name for Endpoints lookup; falls back to first segment of host""
rookCeph.s3.namespaceNamespace containing the RGW Service; falls back to second segment of host""
rookCeph.s3.portRGW service port80
rookCeph.s3.schemeURL scheme (http or https); set to https for TLS-terminating RGW Serviceshttp
rookCeph.s3.insecureSkipVerifySkip TLS certificate verification (opt-in for self-signed Rook-managed RGW)false
rookCeph.s3.regionS3 regionus-east-1
rookCeph.s3.accessKeyS3 access key from CephObjectStoreUserCHANGEMEPLEASE
rookCeph.s3.secretKeyS3 secret key from CephObjectStoreUserCHANGEMEPLEASE
rookCeph.bucketInit.enabledCreate S3 buckets on the RGW endpoint (reuses objectStorage.defaultBuckets)true
rookCeph.bucketInit.imageaws-cli image for bucket creationamazon/aws-cli:2.27.31
rookCeph.statusProbe.enabledEnable RGW health check in the bucket init Jobtrue
rookCeph.statusProbe.imageHealth check imagecurlimages/curl:8.5.0

⚠️⚠️⚠️ Warnings

  • minio.enabled=true is the chart default in the 6.7.x line (rustfs is opt-in until it becomes the default in 6.8.0). When switching to rook-ceph, the values overlay must set both minio.enabled=false and rustfs.enabled=false. The rustfsExtensions and minioExtensions bootstrap Jobs are already gated on their parent providers, so a separate *Extensions.enabled=false flag is not required. A chart validation now fails the install when rookCeph.enabled is combined with either bundled provider.
  • The ilum-objectstorage Service alias is rendered as a selector-less Service backed by a manual Endpoints object that mirrors the live RGW Pod IPs from the rook-ceph namespace (a label-selector alias cannot cross namespaces, and an ExternalName CNAME is black-holed by kube-proxy because it cannot DNAT a packet twice). RGW Pod restarts rotate the Pod IPs and stale the mirrored Endpoints; re-run helm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yaml after any RGW Pod restart to refresh the addresses.
  • The shared ilum-objectstorage-credentials Secret is now seeded from rookCeph.s3.{accessKey,secretKey} in rook-ceph-only mode; an install fails fast when either is left at the CHANGEMEPLEASE placeholder.
  • The bucket init Job no longer swallows aws-cli errors. Network/credential/endpoint misconfigurations now fail the Job loudly instead of completing 1/1 with no buckets created.

To perform the rollout:

# 1. Deploy the rook-ceph operator and CephCluster in the rook-ceph namespace
# (operator chart, CephCluster CR, CephObjectStore, CephObjectStoreUser).
# Wait for the RGW Service and Pods to become Ready in the rook-ceph
# namespace; ilum-objectstorage Endpoints are mirrored from this Service
# at chart install/upgrade time.

# 2. Extract S3 credentials from the CephObjectStoreUser Secret.
ACCESS_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.AccessKey}' | base64 -d)
SECRET_KEY=$(kubectl -n rook-ceph get secret \
rook-ceph-object-user-<store-name>-<user-name> \
-o jsonpath='{.data.SecretKey}' | base64 -d)

# 3. Render the overlay (the doc ships a complete template).
cat > ilum-rook-ceph-values.yaml <<EOF
rustfs:
enabled: false
minio:
enabled: false
rookCeph:
enabled: true
s3:
host: rook-ceph-rgw-.rook-ceph.svc.cluster.local
port: 80
accessKey: $ACCESS_KEY
secretKey: $SECRET_KEY
EOF

# 4. Install or upgrade.
helm upgrade --install ilum ./helm_aio -f ilum-rook-ceph-values.yaml

# 5. After RGW Pod restarts (Ceph cluster upgrades, rook-ceph operator
# rollouts, node maintenance), refresh the mirrored Endpoints:
helm upgrade ilum ./helm_aio -f ilum-rook-ceph-values.yaml

17. Legacy activities audit feature removed (helm_core)

Feature:

The backend dropped the legacy "activities" audit trail; the structured EventLog now backs all audit and user/group operation statistics. The corresponding backend config key was removed, so its Helm value is dead.

Values deleted - helm_core

NameReason
security.activities.timeToLiveBackend security.activities.timeToLive property no longer exists

RELEASE 6.7.1

1. Cluster-scoped RBAC for the management API

Feature:

The management API (helm_api, which backs the Ilum CLI and the in-UI Module Marketplace) can now be granted a cluster-scoped role so it can install and manage modules that require cluster-scoped resources — CRDs, ClusterRoles/ClusterRoleBindings, admission webhooks, and Prometheus Operator custom resources (for example, kube-prometheus-stack). When rbac.clusterScope is enabled, the chart renders a ClusterRole and ClusterRoleBinding bound to the API service account; with it disabled, the API keeps only its namespace-scoped permissions.

Values added - helm_api

NameDescriptionValue
rbac.clusterScopeRender a cluster-scoped ClusterRole/ClusterRoleBinding for the management APItrue

Values added - ilum-aio

NameDescriptionValue
ilum-api.rbac.createCreate RBAC resources for the management APItrue
ilum-api.rbac.clusterScopeGrant the management API cluster-scoped RBACtrue

2. Probe and startup hardening

Feature:

Liveness, readiness, and startup probe timings were relaxed across ilum-core, ilum-ui, and ilum-api (longer initial delays, periods, and failure thresholds, with startup probes enabled) so the stack comes up cleanly in slower or resource-constrained environments. The bundled default cluster also gained a spark.kubernetes.memoryOverheadFactor of 0.5 and a higher default driver memory. No operator action is required.

RELEASE 6.7.0

1. Airflow version update

Feature:

Updated Airflow from version 3.1.1 to 3.1.6.

Values changed - helm_aio

NameOld valueNew Value
airflow.airflowVersion3.1.13.1.6
airflow.images.airflow.tag3.1.13.1.6
airflow.apiServer.extraInitContainers[0].image`ilum/airflow:3.1.1ilum/airflow:3.1.6

2. Added ClickHouse and Langfuse to ilum-aio

Feature:

Added ClickHouse and Langfuse to ilum-aio as new modules. ClickHouse is a fast open-source OLAP database management system. Langfuse is an open source LLM engineering platform.

Values added - ilum-aio

NameDescriptionValue
clickhouse.enabledFlag to enable ClickHouse deployment in ilum-aiofalse
langfuse.enabledFlag to enable Langfuse deployment in ilum-aiofalse

Values added - ilum-ui

NameDescriptionValue
runtimeVars.langfuseUrlURL of the Langfuse instancehttp://ilum-langfuse-web:3000
runtimeVars.langfusePathProxy path for Langfuse/external/langfuse/
nginx.config.langfuse.enabledEnable proxy for Langfusefalse
nginx.config.http_cookie.langfuse.enabledEnables cookie mapping for Langfusetrue

3. Configurable Scala version for default cluster

Feature:

Added scalaVersion configuration option to the default cluster settings. This allows users to specify which Scala version their Spark jobs are run with, supporting both Scala 2.12 for spark 3.x and 2.13 for spark 4.x

Values added - helm_core

NameDescriptionValue
kubernetes.defaultCluster.scalaVersionScala version for Spark jobs (SCALA_2_12 or SCALA_2_13)SCALA_2_13

4. API token authentication system

Feature:

Added "API token authentication system for internal and external service authentication."

Values added - helm_core

NameDescriptionValue
security.api-token.enabledFlag to enable API token authenticationfalse
security.api-token.tokensList of initial tokens[]

Values added - ilum-aio

NameDescriptionValue
ilum-core.security.api-token.enabledFlag to enable API token authenticationfalse
ilum-core.security.api-token.tokensList of initial tokens[{name: "superset", token: "initial-superset-token-for-engine-creation", permissions: ["SQLENGINE_CREATE"]}]

5. Startup probe for Ilum-core

Feature:

Added startup probe to the Ilum-core deployment. This allows the application to have sufficient time to start in constrained environments while maintaining quick readiness and liveness checks once started. The startup probe delays readiness and liveness probes until the application starts successfully.

Values added - helm_core

NameDescriptionValue
startupProbeStartup probe configuration for ilum-core containerSee values.yaml for full structure
startupProbe.failureThresholdNumber of failures before giving up (300 × 2s = 10 minutes max)300
startupProbe.periodSecondsHow often to perform the probe2
startupProbe.timeoutSecondsTimeout for each probe request1
startupProbe.httpGet.pathHTTP path for startup probe/actuator/health/liveness

Values changed - helm_core

NameOld valueNew Value
livenessProbe.initialDelaySeconds12010
readinessProbe.initialDelaySeconds12010

6. Disabled SASL in Kafka configuration

Feature:

Disabled SASL authentication in the default Kafka configuration. This change simplifies the setup for users who do not require SASL authentication for their Kafka clusters. Users who need SASL can still enable it through custom configuration.

Values added - helm_aio

NameDescriptionValue
kafka.listeners.interbroker.protocolInterbroker protocolPLAINTEXT
kafka.listeners.controller.protocolController protocolPLAINTEXT
kafka.kraft.clusterIdKraft clusterId to prevent Bitnami chart upgrade failuresaWx1bS1kZWZhdWx0LWlkMQ

7. Management API and Ilum CLI

Feature:

Added the helm_api chart (ilum-api), a Management API sidecar that exposes the Ilum CLI's operations over HTTP and powers the in-UI Module Marketplace for point-and-click module deployment. It is deployed by default in ilum-aio.

Values added - ilum-aio

NameDescriptionValue
ilum-api.enabledDeploy the Management API sidecar (CLI over HTTP)true

RELEASE 6.6.2

1. Spark 4.x Upgrade - Scala 2.13 Migration

Feature:

Updated default Spark images to ilum/spark:4.0.1-delta and ilum-spark-launcher to spark-4.1.0. Spark 4.x exclusively uses Scala 2.13 and has dropped support for Scala 2.12.

Values changed - helm_core

NameOld valueNew Value
kubernetes.defaultCluster.dockerImageilum/spark:3.5.7-deltailum/spark:4.0.1-delta
historyServer.imagespark-3.5.7spark-4.1.0
externalSparkSubmit.image.tagspark-3.5.7spark-4.1.0

⚠️⚠️⚠️ CRITICAL WARNING - BREAKING CHANGE ⚠️⚠️⚠️

Spark 4.x uses Scala 2.13 exclusively. Scala 2.12 is NO LONGER SUPPORTED.

This is a BREAKING CHANGE that may affect your existing Spark jobs:

  1. JAR Compatibility: Any Spark applications, libraries, or dependencies compiled with Scala 2.12 WILL NOT WORK with Spark 4.x. You must recompile all custom JARs with Scala 2.13.

  2. Affected Components:

    • Custom Spark applications (Scala-based)
    • Third-party libraries compiled for Scala 2.12
    • UDFs written in Scala
    • Any .jar files built with scalaVersion := "2.12.x"
  3. How to Identify Affected JARs:

    • Check your build.sbt or pom.xml for scalaVersion settings
    • JAR names often contain the Scala version suffix (e.g., myapp_2.12-1.0.jar)
    • JARs with _2.12 suffix need to be rebuilt with _2.13
  4. Required Actions Before Upgrade:

    • Inventory all custom Spark JARs in use
    • Recompile all Scala-based applications with Scala 2.13
    • Update all third-party dependencies to Scala 2.13 versions
    • Test all jobs thoroughly in a staging environment
  5. No Backwards Compatibility:

    • Starting from this version, Ilum's Spark job wrapper uses Scala 2.13 exclusively
    • Running Spark 3.x jobs compiled with Scala 2.12 is no longer supported
    • You MUST recompile all your Scala-based Spark jobs with Scala 2.13 before upgrading
  6. PySpark Users: PySpark jobs are generally unaffected unless they use Scala-based UDFs or custom Scala libraries.

RECOMMENDATION: Test your workloads in a non-production environment before upgrading to this release.

2. Added environment variables support to default cluster configuration

Feature:

Added support for configuring environment variables in the default cluster configuration. This allows users to set environment variables that will be applied to Spark jobs running on the default cluster. The SPARK_SUBMIT_OPTS environment variable is now configurable through Helm values instead of being hardcoded, providing better flexibility for JVM tuning and other environment-specific configurations.

Values added - helm_core

Default cluster environment variables configuration
NameDescriptionValue
kubernetes.defaultCluster.environmentVariablesEnvironment variables for default cluster{}
kubernetes.defaultCluster.environmentVariables.SPARK_SUBMIT_OPTSJVM options for Spark submit process"-XX:MaxHeapSize=64m -XX:MaxMetaspaceSize=64m -Xss256k"

3. Added Unity Catalog integration

Feature:

Added helm_unity_catalog chart to provide Unity Catalog support as an optional catalog backend (similar to Hive Metastore and Nessie). Unity Catalog is disabled by default and can be enabled to provide unified governance for data and AI assets. The chart is integrated with the existing PostgreSQL database and MinIO S3 storage, with automatic JWT keypair generation for authentication.

Values added - helm_unity_catalog

NameDescriptionValue
ilum-unity-catalog.enabledEnables Unity Catalog deploymentfalse
ilum-unity-catalog.server.enabledEnables the Unity Catalog servertrue
ilum-unity-catalog.server.db.typeDatabase backend type (file or postgresql)postgresql
ilum-unity-catalog.server.db.postgresqlConfig.hostPostgreSQL hostilum-postgresql-hl
ilum-unity-catalog.server.db.postgresqlConfig.portPostgreSQL port5432
ilum-unity-catalog.server.db.postgresqlConfig.dbNamePostgreSQL database nameunitycatalog
ilum-unity-catalog.server.db.postgresqlConfig.userPostgreSQL usernameilum
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretNameSecret containing PostgreSQL passwordilum-postgres-credentials
ilum-unity-catalog.server.db.postgresqlConfig.passwordSecretKeyKey in secret for passwordpassword
ilum-unity-catalog.server.jwtKeypairSecret.createAuto-generate JWT keypair for authenticationtrue
ilum-unity-catalog.storage.modelStorageRootS3 path for Unity Catalog model storages3a://ilum-data/unity-catalog/
ilum-unity-catalog.storage.credentials.s3[0].bucketPathS3 bucket paths3://ilum-data
ilum-unity-catalog.storage.credentials.s3[0].regionS3 regionus-east-1
ilum-unity-catalog.storage.credentials.s3[0].credentialsSecretNameSecret containing S3 credentialsilum-minio
ilum-unity-catalog.storage.credentials.s3[0].accessKeySecretKeyKey name for S3 access key in secretroot-user
ilum-unity-catalog.storage.credentials.s3[0].secretKeySecretKeyKey name for S3 secret key in secretroot-password
ilum-unity-catalog.ui.enabledEnables Unity Catalog UIfalse

Values added - helm_core

Unity Catalog metastore configuration
NameDescriptionValue
ilum-core.metastore.typeSet to unity to use Unity Catalog as metastorehive
ilum-core.metastore.unity.addressUnity Catalog server endpointhttp://unity-catalog-ilum-unity-catalog-server:8080
ilum-core.metastore.unity.warehouseDirUnity Catalog warehouse directorys3a://ilum-data/unity-catalog/
ilum-core.metastore.unity.s3EndpointS3 endpoint for Unity Cataloghttp://ilum-minio:9000/
ilum-core.metastore.unity.s3PathStyleAccessEnable S3 path-style accesstrue
ilum-core.metastore.unity.catalogNameUnity Catalog name in Sparkunity_catalog
ilum-core.metastore.unity.configSpark configuration for Unity Catalog integrationSee values.yaml

Values added - postgresExtensions

NameDescriptionValue
postgresExtensions.databasesToCreateAdded unitycatalog database for Unity Catalog metadata...,nessie,unitycatalog

⚠️⚠️⚠️ Warnings

  • Unity Catalog requires PostgreSQL and S3-compatible storage to be enabled
  • JWT keypairs are auto-generated on first deployment and stored in Kubernetes secrets
  • When using Unity Catalog, set ilum-core.metastore.type: unity to configure Spark integration

4. Added DuckDb and DuckLake to Ilum Core

Feature:

Added DuckDb as an SQL executor and DuckLake as a metastore option in Ilum Core. DuckDb is a fast and lightweight SQL engine that supports a wide range of data types and SQL features. DuckLake is a distributed metastore for DuckDb, which provides options for multi-user access and data versioning.

Values added - ilum_core

NameDescriptionValue
sql.duckdb.idleTimeoutDetermines the time DuckDb connections are kept alive without activity1h
sql.duckdb.ducklake.enabledEnables DuckLaketrue
sql.duckdb.ducklake.locationLocation of the data in for the DuckLakes3://ilum-ducklake/
sql.duckdb.ducklake.postgres.hostHost for the metastore postgres connection``
sql.duckdb.ducklake.postgres.portPort for the metastore postgres connection5432
sql.duckdb.ducklake.postgres.databaseDatabase name for the metastore postgres connectionducklake
sql.duckdb.ducklake.postgres.userUsername for the metastore postgres connection``
sql.duckdb.ducklake.postgres.passwordPassword for the metastore postgres connection``
sql.duckdb.ducklake.s3.endpointS3 endpoint for the metastore data``
sql.duckdb.ducklake.s3.regionS3 region for the metastore dataus-east-1
sql.duckdb.ducklake.s3.keyIdS3 key id for the metastore data``
sql.duckdb.ducklake.s3.secretS3 secret for the metastore data``
sql.duckdb.ducklake.s3.urlStyleUrl style to use for S3. Either path or vhostpath
sql.duckdb.ducklake.s3.sslWhether to use SSL for the S3 connectionfalse

RELEASE 6.6.1

1. Ugraded JupyterHub experience

Feature:

Ugraded helm_jupyterhub to bundle Ilum-specific SSH/Git/LDAP bootstrap logic, curated notebooks, and tailored singleuser defaults so helm_aio merely enables the dependency, pins fullnameOverride, and surfaces only the still-relevant overrides. This also keeps the SSH network policy open for port 2222 and ensures the shared ilum-jupyter-ssh-keys secret remains stable, while c.JupyterHub.cleanup_servers = True guarantees the SSH service and user pods stop with the release.

Values added - helm_aio

NameDescriptionValue
ilum-jupyterhub.enabledEnables the curated Ilum JupyterHub chartfalse

Values added - helm_jupyterhub

NameDescriptionValue
fullnameOverrideOverride for the full resource nameilum-jupyterhub
enabledChart enabled flagfalse
SSH configuration
NameDescriptionValue
ssh.enabledEnables the bundled SSH operator, service, and shared key workflowfalse
ssh.keysSecretSecret that provides the stable host and authorized keysilum-jupyter-ssh-keys
ssh.modeSSH authentication mode: master (shared authorized_keys from keysSecret) or per-user (individual secrets per user)master
ssh.perUserSecretNameTemplateTemplate for per-user secret names when using per-user modessh-keys-{username}
ssh.perUserAuthorizedKeysKeyKey name in per-user secrets containing authorized_keysauthorized_keys
ssh.service.typeType of service fronting port 2222NodePort
ssh.service.portPort exposed for SSH traffic2222
ssh.service.targetPortTarget port for SSH traffic2222
ssh.service.nodePortNodePort number (empty for auto-assignment)""
ssh.service.clusterIPClusterIP address (empty for auto-assignment)""
ssh.service.loadBalancerIPLoadBalancer IP address""
ssh.service.annotationsAnnotations for the SSH service{}
ssh.service.prefixPrefix for SSH service resourcesilum-jupyter-ssh
ssh.sshdConfig.customConfigCustom sshd_config lines[]
ssh.operatorImage.nameSSH operator image repositorydocker.ilum.cloud/ilum-jupyterhub
ssh.operatorImage.tagSSH operator image tagssh-operator-4.3.1
ssh.extraEnvExtra environment variables for SSH operator[]
Git configuration
NameDescriptionValue
git.existingSecretCredentials that allow the Git init job to seed the notebooks repositoryilum-git-credentials
git.emailGit email for commitsilum@ilum
git.repositoryGit repository namejupyter
git.addressGitea server addressilum-gitea-http:3000
git.urlGitea endpoint URL used to seed the ilum-jupyterhub orghttp://ilum-gitea-http:3000
git.orgNameOrganization managed by the git-init jobilum-jupyterhub
git.operatorImage.nameGit operator image repositorydocker.ilum.cloud/ilum-jupyterhub
git.operatorImage.tagGit operator image taggitea-operator-4.3.1
git.secret.nameSecret containing credentials referenced by the operatorilum-git-credentials
git.secret.usernameKeyKey for username in the secretusername
git.secret.passwordKeyKey for password in the secretpassword
LDAP configuration
NameDescriptionValue
ldap.enabledKeeps the LDAP authenticator wired into Ilum JupyterHubtrue
ldap.urlsLDAP server endpoints that front the Ilum directory["ldap://ilum-openldap:389"]
ldap.baseSearch base for Ilum users and groups"dc=ilum,dc=cloud"
ldap.usernameBind DN used for authentication"cn=admin,dc=ilum,dc=cloud"
ldap.passwordPassword for the bind DNNot@SecurePassw0rd
ldap.adminUsersLDAP accounts with admin privileges in JupyterHub["ilumadmin","admin"]
ldap.userSearchBaseBase DN where user entries live"ou=people,dc=ilum,dc=cloud"
ldap.userSearchFilterFilter for user lookups"uid={0}"
ldap.groupSearchBaseBase DN where group entries live"ou=groups,dc=ilum,dc=cloud"
ldap.groupSearchFilterFilter that matches members"(member={0})"
ldap.allowedGroupsEmpty list allows all groups unless specified[]
ldap.userAttributeUser attribute for username"uid"
ldap.fullnameAttributeAttribute for user's full name"cn"
ldap.emailAttributeAttribute for user's email"mail"
ldap.groupNameAttributeAttribute for group name"cn"
ldap.groupMemberAttributeAttribute for group membership"member"
ldap.useSslUse SSL for LDAP connectionfalse
ldap.startTlsUse STARTTLS for LDAP connectionfalse
ldap.lookupDnLookup DN before bindingtrue
Hub configuration
NameDescriptionValue
hub.image.nameHub image repositorydocker.ilum.cloud/ilum-jupyterhub
hub.image.tagHub image tagjupyterhub-4.3.1
hub.contentSecurityPolicy.enabledTurns the managed CSP header injection on/offtrue
hub.contentSecurityPolicy.frameAncestorsOrigins allowed to embed JupyterHub in an iframe["'self'","http://localhost:9777"]
hub.gitInit.enabledRuns the job that ensures the ilum-jupyterhub organization/repo existtrue
Singleuser runtime defaults
NameDescriptionValue
singleuser.startupArgs.iopubDataRateLimitRaised output bandwidth ceiling for Ilum workloads1000000000
singleuser.startupArgs.extraArgsAdditional CLI arguments forwarded to the user server[]
singleuser.nodeSelectorArchitecture-agnostic placement (empty by default){}
singleuser.tolerationsAllows scheduling on tainted nodes when needed[]
Image pull credentials
NameDescriptionValue
imagePullSecret.createCreate the pull secret in-clusterfalse
imagePullSecret.automaticReferenceInjectionAuto-inject the created secret into JupyterHub workloadstrue
imagePullSecret.registryRegistry host for the pull secret""
imagePullSecret.usernameRegistry username for the pull secret""
imagePullSecret.passwordRegistry password for the pull secret""
imagePullSecret.emailRegistry email for the pull secret""
imagePullSecret.nameExisting secret name to reference instead of the autogenerated pull secret""
imagePullSecretsAdditional pull secrets injected into all hub-managed pods[]

Values changed - helm_jupyterhub

NameOld valueNew Value
singleuser.networkPolicy.allowedIngressPorts[][2222]

Instructions

  • Keep ilum-jupyter-ssh-keys stable outside Helm so the SSH host fingerprint survives upgrades; rotating the secret requires removing stale entries from user known_hosts.
  • Ensure ilum-git-credentials contains valid credentials for a Gitea account with org-level write access—both the SSH operator and Git init job rely on the rendered token.
  • To refresh the curated notebooks, update helm_jupyterhub/files/examples (and their config map templates) so the init container can push them into the ilum-jupyterhub repo again.

⚠️⚠️⚠️ Warnings

  • Port 2222 is opened via the SSH operator’s shared service; if you switch to per-user authorized keys, keep the service numbering and secrets aligned.

  • Cleanup is forced (c.JupyterHub.cleanup_servers = True), so user pods and the SSH service terminate with the Helm release. Manage any long-lived workloads outside this chart.

2. Upgraded Livy compatible API to version 0.8.0

Feature:

Upgraded Livy compatible API to version 0.8.0 with enhanced configuration options for compression, server version control, and TTL-based session cleanup.

Values added - ilum-core

Livy Compression Configuration
NameDescriptionValue
livy.compression.enabledEnable response compression for Livy endpointsfalse
Livy Server Configuration
NameDescriptionValue
livy.server.versionLivy server version identifier0.8.0
livy.server.sendServerVersionSend server version in response headersfalse
livy.server.allowCustomClasspathAllow custom classpath in session creationfalse
Livy TTL Session Cleanup Configuration
NameDescriptionValue
livy.ttl.checkPeriodBackground sweep period in milliseconds for checking expired sessions300000
livy.ttl.checkInitialDelayInitial delay in milliseconds before first TTL background check60000

Values added - ilum-aio

Same values as ilum-core but under the ilum-core. prefix (e.g., ilum-core.livy.compression.enabled).

⚠️⚠️⚠️ Important Notes

For most users:No action required. All new configuration options have safe defaults and are backward compatible.

Optional Performance Optimization: If you handle large Livy responses, you may enable compression by setting livy.compression.enabled: true.

Session Management: The new TTL cleanup uses a hybrid approach (lazy + background sweep) to automatically clean up expired sessions. Default settings should work for most deployments.

3. Updated default Spark version and added autopause configuration

Feature:

Updated default Spark version to 3.5.7-delta in kubernetes.defaultCluster.config. Added spark.ilum.autopause: "true" to kubernetes.defaultCluster.config to set the default behavior of the autopause feature.

Values changed - ilum-core

NameOld valueNew Value
kubernetes.defaultCluster.config.spark.kubernetes.container.imageilum/spark:3.5.6-deltailum/spark:3.5.7-delta

Values added - ilum-core

NameDescriptionValue
kubernetes.defaultCluster.config.spark.ilum.autopauseSets the default behavior of autopause feature"true"

Feature:

Fixed stability issues and changed HTTP cookie-based access control to be disabled by default for all external services (Jupyter, Airflow, MLflow, Grafana, etc.).

What Changed?

  • External services are now open by default - no cookie requirements
  • All users can access services without any special configuration
  • System works out-of-the-box

What This Means for You

  • ✅ Your services will become more accessible
  • ✅ Users can access Jupyter, Airflow, MLflow, etc. without cookie setup
  • ✅ No action required for most deployments

If you need to restrict access:

  • Use the built-in OAuth2/Hydra authentication (recommended for production)
  • Or manually enable cookie-based access control per service (see below)

This is an advanced feature for specific use cases:

  • ✅ Temporary access restrictions for specific users/sessions
  • ✅ Custom access control integrated with your frontend application

To enable for a specific service:

nginx:
config:
http_cookie:
enabled: true
ilum-jupyter:
enabled: true

Values changed - ilum-ui

NameOld valueNew Value
nginx.config.http_cookie.enabledtruefalse

Values changed - ilum-aio

NameOld valueNew Value
ilum-ui.nginx.config.http_cookie.enabledtruefalse

⚠️⚠️⚠️ Important Notes

For most users:No action required. This change makes services more accessible.

If you customized cookie settings in 6.6.0: You may need to review your configuration. The system now defaults to open access instead of requiring cookies.

RELEASE 6.6.0

1. Upgraded Apache Airflow to 3.1.1

Feature:

Upgraded Apache Airflow from 3.0.5 to 3.1.1 with improved OIDC authentication support using authlib OAuth providers (AUTH_OAUTH) instead of deprecated flask-oidc (AUTH_OIDC). This upgrade includes fixes for OAuth redirect URI patterns and proper volume mounting for OIDC client secrets in init containers.

Values changed - ilum-aio

NameOld valueNew Value
airflow.airflowVersion3.0.53.1.1
airflow.images.airflow.tag3.0.53.1.1
airflow.apiServer.extraInitContainers[0].imageilum/airflow:3.0.5ilum/airflow:3.1.1

Values added - ilum-aio

NameDescriptionValue
airflow.migrateDatabaseJob.useHelmHooksDisable Helm hooks for database migration jobfalse
airflow.apiServer.extraInitContainers[0]Modified create admin user init containerSee below
airflow.apiServer.apiServerConfigConfigMapNameCustom webserver_config.py configmapilum-api-server-config
Init Container Volume Mount Configuration
- name: create-admin-user
image: ilum/airflow:3.1.1
command: ["/bin/bash", "/scripts/init.sh"]
volumeMounts:
- name: ilum-airflow-create-user-secret
mountPath: /scripts
- name: config
mountPath: /opt/airflow/airflow.cfg
subPath: airflow.cfg
- name: oauth-secret-volume
mountPath: /opt/airflow/client-secret
readOnly: true
- name: webserver-config-volume
mountPath: /opt/airflow/webserver_config.py
subPath: webserver_config.py
readOnly: true

⚠️⚠️⚠️ Warnings

Configuration value airflow.apiServer.apiServerConfigConfigMapName is preconfigured to use a ConfigMap named ilum-api-server-config. But the name of this configMap must follow pattern -api-server-config to be properly mounted as it is Airflow's chart requirement. So if your release name is different from ilum, please change this value accordingly. For example use:

airflow:
apiServer:
apiServerConfigConfigMapName: -release-name>-api-server-config
extraVolumes:
- name: oauth-secret-volume
secret:
secretName: ilum-hydra-client-secret
- name: ilum-airflow-create-user-secret
secret:
secretName: ilum-airflow-create-user-secret
- name: webserver-config-volume
configMap:
name: -release-name>-api-server-config

2. Enhanced Jupyter startup configuration

Feature:

Added configurable startup arguments for Jupyter notebook server, allowing users to customize base URL, IOPub data rate limits, and pass additional command-line arguments. Also added support for extra environment variables with templating support.

Values added - ilum-jupyter

Startup and environment configuration
NameDescriptionValue
tokenJupyter notebook authentication token""
startupArgs.baseUrlJupyter base URL path for reverse proxy configurations/external/jupyter/
startupArgs.iopubDataRateLimitIOPub data rate limit in bytes/sec (controls output bandwidth)1000000000
startupArgs.extraArgsAdditional command-line arguments to pass to Jupyter server[]
extraEnvAdditional environment variables for Jupyter container as string template""

⚠️⚠️⚠️ Warnings

  • All startup arguments configured via startupArgs.* can be completely overridden by setting the args parameter in values.yaml. When args is set, all default startup arguments are ignored, giving you full control over the Jupyter server startup command.
  • The extraEnv parameter accepts a string template (multiline YAML using |). Example usage:
    extraEnv: |
    - name: MY_VAR
    value: value

3. Added Apache NiFi module

Feature:

Added Apache NiFi to ilum-aio as a new module. This will allow users to easily deploy NiFi and use it next to Ilum.

Values added - ilum-aio

NameDescriptionValue
nifi.enabledFlag to enable NiFi deployment in ilum-aiofalse
nifi.fullnameOverrideFull name override for NiFiilum-nifi
nifi.image.tagTag of the source NiFi image2.5.0
nifi.properties.safetyValveAdditional properties passed to nifi.propertiesSee values.yaml
nifi.persistence.enabledEnables PVC for the data directorytrue
nifi.persistence.subpath.enabledEnabled one PVC instead of manytrue
nifi.persistence.subpath.sizeSize of the data directory10Gi
nifi.zookeeper.enabledEnables bundled Zookeeper deploymentfalse
nifi.registry.enabledEnables bundled NiFi registry deploymentfalse
nifi.ca.enabledEnables bundled CA deploymentfalse
nifi.openldap.enabledEnables bundled openLDAP deploymentfalse

Values added - ilum-ui

NameDescriptionValue
runtimeVars.nifiUrlURL of the NiFi instancehttp://ilum-nifi:8443/nifi/
runtimeVars.nifiPathProxy path of NiFi/external/nifi/
nginx.config.nifi.enabledEnable proxy for NiFifalse
nginx.config.http_cookie.nifi.enabledEnables cookie mapping for NiFitrue

4. Added integration with Project Nessie metastore

Feature:

Added integration with Project Nessie metastore in Ilum, which allows the use of Nessie as a metastore for Spark jobs.

Values added - ilum-core

NameDescriptionValue
metastore.typeIndicates the default metastorehive
metastore.nessie.addressThe address of the default Nessie metastorehttp://ilum-nessie:19120/api/v2
metastore.nessie.warehouseDirThe location of the warehouse of the default Nessie metastores3a://ilum-data/nessie_catalog
metastore.nessie.s3EndpointThe S3 API endpoint to use for the default Nessie metastorehttp://ilum-minio:9000
metastore.nessie.s3PathStyleAccessWhether to use path style access for the S3 Nessie connectiontrue
metastore.nessie.authTypeAuth type of the default Nessie metastoreNONE
metastore.nessie.refThe branch to use for the default Nessie metastoremain
metastore.nessie.cacheEnabledEnables caching in the default Nessie metastorefalse
metastore.nessie.catalog_nameThe name of the catalog for the default Nessie metastorenessie_catalog
metastore.nessie.configAdditional config to add for the Spark jobSee values.yaml
metastore.nessie.statusProbeStatus probe for the Nessie metastore, so Ilum-core does not launch too quicklySee values.yaml

Values added - ilum-aio

NameDescriptionValue
nessie.enabledEnables or disables bundled Nessie deploymentfalse
nessie.fullnameOverrideFull name override for Nessieilum-nessie
nessie.versionStoreTypeType of persistent metadata storageJDBC2
nessie.extraInitContainersAdds init containers to Nessie (waiting for database)See values.yaml
nessie.jdbc.jdbcUrlUrl for DB connectionjdbc:postgresql://ilum-postgresql-hl:5432/nessie
nessie.jdbc.secret.nameSecret containing DB credentialsilum-postgres-credentals
nessie.jdbc.secret.usernameKey of username in the secretusername
nessie.jdbc.secret.passwordKey of password in the secretpassword

Names changed - ilum-core

Old NameNew Name
hiveMetastore.enabledmetastore.enabled
hiveMetastore.*metastore.hive.*

Values changed - ilum-core

NameOld valueNew Value
kubernetes.defaultCluster.configSee values.yamlSee values.yaml

⚠️⚠️⚠️ Warnings

This is an important change that will need to be addressed if any custom changes to the default configuration were made. Please carefully review the changes and make sure they will not break your deployment.

5. Livy API now fully served by ilum-core (embedded)

Feature:

Livy API is implemented and served directly by ilum-core (embedded). The legacy Livy proxy is deprecated but can still be turned on for backward compatibility.

Values added - ilum-aio

NameDescriptionValue
ilum-core.livy.enabledEnables embedded Livy integration in AIO via ilum-coretrue
ilum-core.livy.ilumUI.publicEndpointPublic endpoint of ilum-ui used for Livy links/integrationhttp://localhost:9777
ilum-livy-proxy.legacy.enabledTurns on the legacy Livy proxy resources (ConfigMap/Deployment/etc.)false

⚠️⚠️⚠️ Warnings

  • The compat Service (ilum-livy-proxy → ilum-core) is deprecated and will be removed in a future release.
  • The legacy proxy is also deprecated and will be removed after the transition period.
  • Mode matrix (AIO):
    • ilum-livy-proxy.enabled=false & ilum-livy-proxy.legacy.enabled=false → nothing created; call ilum-core directly.
    • ilum-livy-proxy.enabled=true & ilum-livy-proxy.legacy.enabled=false → create compat Service pointing to the new ilum-core Livy API.
    • ilum-livy-proxy.enabled=false & ilum-livy-proxy.legacy.enabled=true → deploy legacy proxy.
  • When legacy is enabled, update client endpoints to use the legacy Service:
    • ilum-jupyter.livyEndpoint = http://ilum-livy-proxy:8998
    • ilum-zeppelin.livyEndpoint = http://ilum-livy-proxy:8998
    • Airflow connection: AIRFLOW_CONN_ILUM-LIVY-PROXY=livy://ilum-livy-proxy:8998
  • Some resources (e.g., ConfigMap/Ingress) are rendered based on ilum-livy-proxy.legacy.enabled only (not on ilum-livy-proxy.enabled).

6. Added cronjob cleaning after uninstalling

Feature:

A pre-delete hook will now clean up kubernetes cronjobs after uninstalling the chart.

Values added - ilum-core

NameDescriptionValue
cronjob.cleanup.enabledEnable cronjob cleanup after uninstalling the charttrue
cronjob.cleanup.imageImage used for the cleanup jobalpine/kubectl:1.34.1

RELEASE 6.5.2

1. SSH mode implementation for helm_jupyter

Feature:

SSH mode in the helm_jupyter chart has been implemented to provide SSH access directly within the main Jupyter container. This allows users to access their Jupyter environment via SSH while maintaining workspace consistency between web and SSH interfaces.

Values added - helm_jupyter

SSH access configuration
NameDescriptionValue
ssh.enabledEnable SSH access in the Jupyter containertrue
ssh.keysSecretName of the secret containing SSH keysilum-jupyter-ssh-keys
ssh.service.typeSSH service typeNodePort
ssh.service.portSSH service port2222
ssh.service.nodePortSSH service node port (when service type is NodePort)""
ssh.service.clusterIPSSH service cluster IP""
ssh.service.loadBalancerIPSSH service load balancer IP""
ssh.service.annotationsSSH service annotations{}
ssh.sshdConfig.customConfigCustom SSH server configuration[]

⚠️⚠️⚠️ Warnings

  • SSH server runs directly in the main Jupyter container on port 2222 internally
  • SSH keys must be provided via a Kubernetes Secret referenced by ssh.keysSecret parameter
  • The secret should contain both SSH host keys and authorized_keys for authentication
  • SSH access provides direct access to the /home/jovyan/work directory (same as web interface)
  • Custom SSH server configuration can be provided via ssh.sshdConfig.customConfig array

2. Address Bitnami’s move to bitnamilegacy + bitnamisecure

Feature:

Bitnami has moved to bitnamilegacy + bitnamisecure for their images after the 18th of August 2025. This change moves used images to the new repositories.

Values added - ilum-aio

NameDescriptionValue
global.security.allowInsecureImagesAllows images from outside of bitnami repository in Bitnami's chartstrue
kafka.image.repositoryRepository for Kafka's imagebitnamilegacy/kafka
minio.image.repositoryRepository for Minio's imagebitnamilegacy/minio
mlflow.image.repositoryRepository for MlFlow's imagebitnamilegacy/mlflow
postgresql.image.repositoryRepository for Postgresql's imagebitnamilegacy/postgresql

Values changed - ilum-aio

NameOld valueNew Value
airflowExtensions.git.imagebitnami/git:2.48.1bitnamisecure/git@sha256:72ae5bd9715fc81446becc0418011883479c593bac427911aa62ecf27ef96546
postgresExtensions.imagebitnami/postgresql:16bitnamilegacy/postgresql:16

Values changed - ilum-core

NameOld valueNew Value
kafka.statusProbe.imagebitnami/kafka:3.4.1bitnamilegacy/kafka:3.4.1

Values changed - ilum-hive-metastore

NameOld valueNew Value
postgresql.imagebitnami/postgresql:16bitnamilegacy/postgresql:16

Values changed - ilum-jupyter

NameOld valueNew Value
git.init.imagebitnami/git:2.48.1bitnamisecure/git@sha256:72ae5bd9715fc81446becc0418011883479c593bac427911aa62ecf27ef96546

Values changed - ilum-marquez

NameOld valueNew Value
marquez.db.imagebitnami/postgresql:16bitnamilegacy/postgresql:16

1. Updated Airflow defaults in ilum-aio

Feature:

Bumped Airflow to 3.0.5 and streamlined default connection/env configuration. Removed legacy cleanup and scheduler overrides in favor of chart defaults and connection-based setup.

Values added - ilum-aio

NameDescriptionValue
airflow.enableBuiltInSecretEnvVars.AIRFLOW__CORE__FERNET_KEYEnable default fernet key generationfalse

Values changed - ilum-aio

NameOld valueNew Value
airflow.extraEnvSee values.yamlSee values.yaml
airflow.airflowVersion3.0.33.0.5
airflow.images.airflow.tag3.0.33.0.5
airflow.apiServer.extraInitContainers[0].imageilum/airflow:3.0.3ilum/airflow:3.0.5

Values deleted - ilum-aio

NameReason
airflow.scheduler.argsRevert to chart default scheduler command as we manage connections via env variables now
airflow.cleanup.enabledUse executor's instant cleanup
airflow.config.kubernetes_executor.delete_worker_podsUse chart defaults
airflow.config.kubernetes_executor.delete_worker_pods_on_failureUse chart defaults

⚠️⚠️⚠️ Warnings

As the default Airflow’s fernet key creation mechanism made it impossible to enable Airflow via values upgrade, the mechanism will get disabled by default. To use it once again, manually create a Kubernetes secret and set required values in the airflow chart.

Feature:

Added configurable HTTP cookie mappings in the ilum-ui nginx configuration. This allows users to enable or disable cookie-based access control for individual services or turn off the entire cookie mapping section. Each service can be controlled individually while maintaining backward compatibility with all options enabled by default.

Values added - ilum-ui

NameDescriptionValue
nginx.config.http_cookie.enabledGlobal flag to enable HTTP cookie mappingstrue
nginx.config.http_cookie.historyServer.enabledEnable cookie mapping for history server accesstrue
nginx.config.http_cookie.mlflow.enabledEnable cookie mapping for MLflow accesstrue
nginx.config.http_cookie.ilum-jupyter.enabledEnable cookie mapping for Jupyter notebook accesstrue
nginx.config.http_cookie.gitea.enabledEnable cookie mapping for Gitea accesstrue
nginx.config.http_cookie.n8n.enabledEnable cookie mapping for n8n accesstrue
nginx.config.http_cookie.minio.enabledEnable cookie mapping for MinIO accesstrue
nginx.config.http_cookie.airflow.enabledEnable cookie mapping for Airflow accesstrue
nginx.config.http_cookie.superset.enabledEnable cookie mapping for Superset accesstrue
nginx.config.http_cookie.grafana.enabledEnable cookie mapping for Grafana accesstrue
nginx.config.http_cookie.kestra.enabledEnable cookie mapping for Kestra accesstrue
nginx.config.http_cookie.mageai.enabledEnable cookie mapping for Mage AI accesstrue

4. PostgreSQL Max Connections Configuration

Feature:

Added PostgreSQL max_connections configuration to address database connection limits in high-load scenarios.

Values added - ilum-aio

PostgreSQL configuration
NameDescriptionValue
postgresql.primary.extendedConfigurationExtended PostgreSQL configuration to set max_connections parametermax_connections = 1000

RELEASE 6.4.3

1. Added Mage to ilum-aio

Feature:

Added Mage OSS to ilum-aio as a new module. This will allow users to easily deploy Mage and use it next to Ilum.

Values added - ilum-aio

NameDescriptionValue
mageai.enabledFlag to enable Mage OSS deployment in ilum-aiofalse
mageai.fullnameOverrideOverrides the full name of the Mage deploymentilum-mageai
mageai.image.repositoryRepository of the source Mage imageilum/mageai
mageai.image.tagTag of the source Mage image0.9.76
mageai.rootPathThe root path for the Mage web serverexternal/mageai
mageai.service.typeType of Mage's kubernetes serviceClusterIP
mageai.redis.enabledEnables Redis for the Mage deploymentfalse
mageai.postgresql.enabledEnables external Postgres for Magetrue
mageai.postgresql.deployDeploys external Postgres for Magefalse
mageai.postgresql.fullnameOverrideThe name of the Postgres serviceilum-postgresql-hl
mageai.postgresql.auth.usernameUsername of the Postgres userilum
mageai.postgresql.auth.passwordPassword of the Postgres userCHANGEMEPLEASE
mageai.postgresql.auth.databaseThe database Mage should usemageai
mageai.persistence.enabledEnables PVC for the main data directorytrue

2. Updated Airflow’s chart and values to support Airflow 3.0

Feature:

Updated Airflow’s chart and values to support Airflow 3.0, which includes changes in the configuration and deployment of Airflow.

Values added - ilum-aio

NameDescriptionValue
airflow.airflowVersionSets chart compatibility for given Airflow version3.0.3
airflow.apiServer.*apiServer replaces webserver settingsSee values.yaml
airflow.config.core.auth_managerClass of auth manager used in Airflowairflow.providers.fab.auth_manager.fab_auth_manager.FabAuthManager
airflow.config.api.base_urlThe base path of the Airflow web apphttp://localhost:9777/external/airflow
airflow.config.api.enable_xcom_deserialize_supportEnables XCom deserialization in Airflow APITrue
airflow.config.logging.colored_console_logEnables colored console log in AirflowTrue
airflow.config.kubernetes_executor.delete_worker_podsEnables instant deletion of worker podsFalse
airflow.config.kubernetes_executor.delete_worker_pods_on_failureEnables instant deletion of failed worker podsFalse
airflow.cleanup.enabledEnables periodic deletion of worker podsTrue

Values changed - ilum-aio

NameOld valueNew Value
airflow.images.airflow.tag2.9.33.0.3
airflow.executorLocalKubernetesExecutorKubernetesExecutor
airflow.extraEnvSee values.yamlSee values.yaml
airflow.webserver.extraInitContainersSee values.yamlSee values.yaml

Values deleted - ilum-aio

NameReason
airflow.migrateDatabaseJob.useHelmHooksRevert to chart default

Values changed - ilum-ui

NameOld valueNew Value
runtimeVars.airflowUrlhttp://ilum-airflow-webserver:8080http://ilum-airflow-api-server:8080

⚠️⚠️⚠️ Warnings

Ilum’s changes, Airflow 3.0 and the new Airflow chart version bring significant changes to the Airflow configuration and deployment. Please review the new values and adjust your configuration accordingly.

If you are a user of Ilum’s OAuth2 provider, this update may require you to manually update some configuration, as Helm is likely to not be able to automatically migrate the values.

3. Added securityContext configuration for ilum charts

Feature:

Added comprehensive securityContext configuration for enhanced security across all ilum Helm charts. This includes both pod-level and container-level security contexts with non-root user execution, capability dropping, and seccomp profiles.

Values added - ilum-core

NameDescriptionValue
securityContext.pod.runAsNonRootRun container as non-root usertrue
securityContext.pod.runAsUserUser ID to run the container1001
securityContext.pod.runAsGroupGroup ID to run the container1001
securityContext.pod.fsGroupFile system group ID1001
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfalse
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfalse
securityContext.container.runAsNonRootRun container as non-root usertrue
securityContext.container.runAsUserUser ID to run the container1001
securityContext.container.runAsGroupGroup ID to run the container1001
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Values added - ilum-ui

NameDescriptionValue
securityContext.pod.runAsNonRootRun pod as non-root usertrue
securityContext.pod.runAsUserUser ID to run the pod101
securityContext.pod.runAsGroupGroup ID to run the pod101
securityContext.pod.fsGroupFile system group ID101
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfalse
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfalse
securityContext.container.runAsNonRootRun container as non-root usertrue
securityContext.container.runAsUserUser ID to run the container101
securityContext.container.runAsGroupGroup ID to run the container101
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Values added - ilum-jupyter

NameDescriptionValue
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfalse
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfalse
securityContext.container.runAsNonRootRun container as non-root usertrue
securityContext.container.runAsUserUser ID to run the container1000
securityContext.container.runAsGroupGroup ID to run the container100
securityContext.container.capabilities.dropCapabilities to drop["ALL"]
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.initContainer.allowPrivilegeEscalationAllow privilege escalation for init containerfalse
securityContext.initContainer.readOnlyRootFilesystemRead-only root filesystem for init containerfalse
securityContext.initContainer.runAsNonRootRun init container as non-root userfalse
securityContext.initContainer.runAsUserUser ID to run the init container0
securityContext.initContainer.runAsGroupGroup ID to run the init container0
securityContext.initContainer.capabilities.dropCapabilities to drop for init container["ALL"]
securityContext.initContainer.seccompProfile.typeSeccomp profile type for init containerUnconfined

Values added - ilum-livy-proxy

NameDescriptionValue
securityContext.pod.runAsNonRootRun pod as non-root usertrue
securityContext.pod.runAsUserUser ID to run the pod1001
securityContext.pod.runAsGroupGroup ID to run the pod1001
securityContext.pod.fsGroupFile system group ID1001
securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
securityContext.container.allowPrivilegeEscalationAllow privilege escalationfalse
securityContext.container.readOnlyRootFilesystemRead-only root filesystemfalse
securityContext.container.runAsNonRootRun container as non-root usertrue
securityContext.container.runAsUserUser ID to run the container1001
securityContext.container.runAsGroupGroup ID to run the container1001
securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

Values added - ilum-aio

Added securityContext configuration for postgresExtensions
NameDescriptionValue
postgresExtensions.securityContext.pod.runAsNonRootRun pod as non-root usertrue
postgresExtensions.securityContext.pod.runAsUserUser ID to run the pod999
postgresExtensions.securityContext.pod.runAsGroupGroup ID to run the pod999
postgresExtensions.securityContext.pod.fsGroupFile system group ID999
postgresExtensions.securityContext.pod.seccompProfile.typeSeccomp profile typeUnconfined
postgresExtensions.securityContext.container.allowPrivilegeEscalationAllow privilege escalationfalse
postgresExtensions.securityContext.container.readOnlyRootFilesystemRead-only root filesystemfalse
postgresExtensions.securityContext.container.runAsNonRootRun container as non-root usertrue
postgresExtensions.securityContext.container.runAsUserUser ID to run the container999
postgresExtensions.securityContext.container.runAsGroupGroup ID to run the container999
postgresExtensions.securityContext.container.capabilities.dropCapabilities to drop["ALL"]
postgresExtensions.securityContext.container.seccompProfile.typeSeccomp profile typeUnconfined

RELEASE 6.4.2

1. changed openldap chart provider to jp-gouin's

Feature:

Changed openldap chart provider to jp-gouin's, which is more actively maintained and has better support for features like TLS. Because of that, the default configuration of openldap was changed to reflect the new provider's defaults.

Values changed - ilum-core

NameOld valueNew Value
security.ldap.userMapping.enabledsnemployeeType
security.ldap.userMapping.enabledValue~active
security.ldap.passwordadminNot@SecurePassw0rd

Values added - ilum-aio

Added new values for openldap configuration
NameDescriptionValue
global.ldapDomainDomain of the LDAP configurationilum.cloud
openldap.replicaCountReplica count of openLDAP1
openldap.replication.enabledEnable HA for openLDAPfalse
openldap.ltb-passwd.enabledEnable ltb-passwd servicefalse
openldap.phpldapadmin.enabledEnable PhpLdapAdminfalse

Values changed - ilum-aio

NameOld valueNew Value
openldap.env.LDAP_BACKENDhdbmdb
openldap.customLdifFilessee values.yamlsee values.yaml

Values deleted - ilum-aio

NameReason
openldap.env.LDAP_ORGANISATIONManaged by the chart
openldap.env.LDAP_DOMAINManaged by the chart
openldap.env.LDAP_TLSManaged by the chart
openldap.env.LDAP_TLS_ENFORCEManaged by the chart

RELEASE 6.4.1

1. Adapt hydra to https

Values added - ilum-aio

NameDescriptionValue
global.security.hydra.uiDomainDomain where ilum-ui can be accessed from browser``
global.security.hydra.uiProtocolProtocol used to access ilum-ui: http or httpshttp

Values deleted - ilum-aio

NameReason
global.security.hydra.uiUrlReplaced with uiDomain and uiProtocol

Values added - ilum-core

NameDescriptionValue
hydra.cookies.same_site_modeSameSite value for hydra cookies in set-cookie headerLax

2. Added openldap to helm chart and ilum-to-ldap synchronization

Values added - ilum-aio

Added openldap configuration values
NameDescriptionValue
openldap.enabledFlag used to enable openldapfalse
openldap.adminPasswordPassword of admin ldap useradmin
openldap.fullnameOverrideName of Openldap helm chart resourcesilum-openldap
openldap.persistence.enabledFlag to enable persistence by openldaptrue
openldap.persistence.sizeMemory used by openldap for storage1Gi
openldap.env.LDAP_ORGANIZATIONOrganization name of main ldap domainIlum
openldap.env.LDAP_DOMAINMain domain used in ldap by adminilum.cloud
openldap.env.LDAP_BACKENDType of ldap backendhdb
openldap.env.LDAP_TLSFlag used to enable TLS in ldapfalse
openldap.env.LDAP_TLS_ENFORCEFlag used to enforce TLS in ldapfalse
openldap.env.LDAP_REMOVE_CONFIG_AFTER_SETUPFlag used to update configtrue
openldap.customLdifFiles.schemas.ldifFile with custom schem applied at the startup

Values added - ilum-core

Added configurations for synchronization of ldap with ilum
NameDescriptionValue
security.ldap.ilumToLdapSyncFlag used to enable ilum to ldap syncfalse
security.ldap.userMapping.ocOC values used during insertion of ilum users into ldap
security.ldap.groupMapping.ocOC values used during insertion of ilum groups into ldap

Values changed - ilum-core

NameOld valueNew Value
security.ldap.urls[][ "ldap://ilum-openldap:389" ]
security.ldap.base""dc=ilum,dc=cloud
security.ldap.username""cn=admin,dc=ilum,dc=cloud
security.ldap.password""admin
security.ldap.adminUsers[ "admin" ][ "admin", "ilumadmin" ]
security.ldap.userMapping.base""ou=people
security.ldap.userMapping.fullname""cn
security.ldap.userMapping.description""description
security.ldap.userMapping.email""mail
security.ldap.userMapping.enabled""sn
security.ldap.userMapping.base""ou=groups
security.ldap.userMapping.description""description

3. Restricted RBAC Mode for ilum-core service

Feature:

Introduced a new rbac.restricted.enabled flag in the ilum-core chart. When set to true, this option applies a more restrictive set of RBAC permissions for the service account. This enhances security by adhering to the principle of least privilege and is recommended for production or security-sensitive environments.

Values added - ilum-core

Added a flag to enable a more restrictive RBAC configuration.
NameDescriptionValue
rbac.restricted.enabledIf true, applies a more restrictive, non-cluster-wide set of RBAC permissions for Spark applications.false

4. Added enabled flag to Trino in ilum-sql

Feature:

Added enabled flag to Trino in ilum-sql, which allows users to disable Trino if they do not need it. This also will help ilum-ui with the configuration of Trino.

Values added - ilum-sql

NameDescriptionValue
config.trino.enabledFlag to enable Trino in ilum-sqlfalse

⚠️⚠️⚠️ Warnings

Trino was enabled by default, so if you wish to enable it after the version upgrade, you need to set ilum-sql.config.trino.enabled to true in your helm values.

RELEASE 6.4.0

1. Addition of OAuth Provider and its integration with Services

Feature:

Added Hydra deployment to helm chart and fields to configure it

Values added - ilum-core

NameDescriptionValue
global.security.hydra.enabledFlag to enable hydrafalse
global.security.hydra.uiUrlIlum UI url required to configure OpenID connect``
global.security.hydra.clientIdClient Id of OpenID client created in hydrailum-client
global.security.hydra.cliendSecretClient Secret of OpenId Client created in hydrasecret
hydra.dsnDSN for database used by hydrapostgres://ilum:CHANGEMEPLEASE@ilum-postgresql:5432/hydra?sslmode=disable
hydra.secretsSystemSecret used by hydra to securily store dataCHANGEMEPLEASE
hydra.recreateClientBoolean flag for OpenId client recreation during hydra startuptrue
hydra.resources.requestsMemory and CPU limits and requests used by hydra deploymentnull
hydra.imagePullPolicyHydra container image pull policyIfNotPresent
hydra.service.domainDomain used by hydra serviceilum-hydra
hydra.service.publicPortPort that exposes public api of hydra4444
hydra.service.adminPortPort that exposes admin api of hydra4445
hydra.service.typeHydra service typeClusterIP
hydra.service.publicNodePortHydra service node port assigned to public port``
hydra.service.publicNodePortHydra service node port assigned to admin port``
hydra.service.clusterIPHydra service cluster IP``
hydra.service.loadBalancerIPHydra service load balancer IP``
hydra.service.annotationsAnnotations used by hydra service{}
hydra.separateDeploymentFlag to launch hydra in a separate deployment or in ilum-coretrue

Values added - ilum-ui

NameDescriptionValue
runtimeVars.hydraUrlUrl of Hydra Public APIhttp://ilum-hydra:4444
runtimeVars.hydraPathilum-ui proxy-path to hydra public api/external/hydra

Feature

Added helm values to specify how roles and groups from ilum-core are going to be mapped to microservices of ilum

Values added - ilum-core

NameDescriptionValue
hydra.rewriteMappingBoolean flag for recreation of ilum-to-services roles config after ilum-core restarttrue
hydra.mapping.minioMinAccessRoleDefault role assigned to ilum users with access to minioreadonly
hydra.mapping.airflowMinAccessRoleDefault role assigned to ilum users with access to airflowViewer
hydra.mapping.supersetMinAccessRoleDefault role assigned to ilum users with access to supersetGamma
hydra.mapping.grafanaMinAccessRoleDefault role assigned to ilum users with access to grafanaViewer
hydra.mapping.giteaMinAccessRoleDefault role assigned to ilum users with access to gitea``
hydra.mapping.groupsToMinioMap of ilum groups to a list of minio policiesnull
hydra.mapping.groupsToSupersetMap of ilum groups to a list of superset rolesnull
hydra.mapping.groupsToAirflowMap of ilum groups to a list of airflow rolesnull
hydra.mapping.groupsToGrafanaMap of ilum groups to a list of grafana rolesnull
hydra.mapping.groupsToGiteaMap of ilum groups to a list of gitea rolesnull
hydra.mapping.groupsToMinio[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToMinio[*].serviceObjsList of minio policies that the ilum group is mapped to``
hydra.mapping.groupsToSuperset[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToSuperset[*].serviceObjsList of superset roles that the ilum group is mapped to``
hydra.mapping.groupsToAirflow[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToAirflow[*].serviceObjsList of airflow roles that the ilum group is mapped to``
hydra.mapping.groupsToGrafana[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToGrafana[*].serviceObjsList of grafana roles that the ilum group is mapped to``
hydra.mapping.groupsToGitea[*].ilumObjName of ilum group to be mapped``
hydra.mapping.groupsToGitea[*].serviceObjsList of gitea roles that the ilum group is mapped to``
hydra.mapping.rolesToGiteaMap of ilum roles to a list of gitea rolesnull
hydra.mapping.rolesToMinio[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToMinio[0].serviceObjsList of minio policies that the ilum role is mapped to[ consoleAdmin ]
hydra.mapping.rolesToMinio[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToMinio[1].serviceObjsList of minio policies that the ilum role is mapped to[ readonly, writeonly, diagnostics ]
hydra.mapping.rolesToSuperset[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToSuperset[0].serviceObjsList of superset roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToSuperset[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToSuperset[1].serviceObjsList of superset roles that the ilum role is mapped to[ Alpha ]
hydra.mapping.rolesToAirflow[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToAirflow[0].serviceObjsList of airflow roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToAirflow[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToAirflow[1].serviceObjsList of airflow roles that the ilum role is mapped to[ User ]
hydra.mapping.rolesToGrafana[0].ilumObjName of ilum role to be mappedADMIN
hydra.mapping.rolesToGrafana[0].serviceObjsList of grafana roles that the ilum role is mapped to[ Admin ]
hydra.mapping.rolesToGrafana[1].ilumObjName of ilum role to be mappedDATA_ENGINEER
hydra.mapping.rolesToGrafana[1].serviceObjsList of grafana roles that the ilum role is mapped to[ Editor ]
hydra.mapping.rolesToMinio[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToMinio[*].serviceObjsList of minio policies that the ilum role is mapped to``
hydra.mapping.rolesToSuperset[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToSuperset[*].serviceObjsList of superset roles that the ilum role is mapped to``
hydra.mapping.rolesToAirflow[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToAirflow[*].serviceObjsList of airflow roles that the ilum role is mapped to``
hydra.mapping.rolesToGrafana[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToGrafana[*].serviceObjsList of grafana roles that the ilum role is mapped to``
hydra.mapping.rolesToGitea[*].ilumObjName of ilum role to be mapped``
hydra.mapping.rolesToGitea[*].serviceObjsList of gitea roles that the ilum role is mapped to``

Feature

Integrated minio with Hydra OIDC in values.yaml by adding new environment variables with oidc client data taken from global.security.hydra

Values added - minio

| minio.extraEnvVars | | |

NameOld valueNew Value
minio.extraEnvVars......

Feature

Integrated airflow with Hydra OIDC in values.yaml

Values added - airflow

NameDescriptionValue
airflow.webserver.extraVolumes[0].nameName of additional airflow volume with oidc configoauth-secret-volume
airflow.webserver.extraVolumes[0].secret.secretNameAirflow secret with hydra oidc client configilum-hydra-client-secret
airflow.webserver.extraVolumeMounts[0].nameName of volume-mount of secret with oidc configoauth-secret-volume
airflow.webserver.extraVolumeMounts[0].mountPathPath for volume-mount of secret with oidc config/opt/airflow/client-secret
airflow.webserver.extraVolumeMounts[0].readOnlyreadonly flag of volume mount with oidc configtrue

Feature

Integrated grafana with Hydra OIDC in values.yaml

Values added - grafana

NameDescriptionValue
grafana.grafana.ini.auth.generic_oauth.enabledFlag to enable oauth in grafana, taken from global.security.hydra.enabled by defaultfalse
grafana.grafana.ini.auth.generic_oauth.nameName of oauth clientIlum
grafana.grafana.ini.auth.generic_oauth.allow_sign_upFlag to enable user creation when signing in with oauthtrue
grafana.grafana.ini.auth.generic_oauth.client_idId of oauth client, taken from global.security.hydra.clientId by defaultilum-client
grafana.grafana.ini.auth.generic_oauth.client_secretSecret of oauth client, taken from global.security.hydra.clientSecret by defaultsecret
grafana.grafana.ini.auth.generic_oauth.scopesScopes requested from oauthopenid profile email offline_access
grafana.grafana.ini.auth.generic_oauth.auth_urlUrl used to initiate oauth authentication, uses global.security.hydra.uiUrl as base by default/external/hydra/oauth2/auth
grafana.grafana.ini.auth.generic_oauth.token_urlUrl used for tokens exchange in oauth workflow, uses global.security.hydra.uiUrl as base by default/external/hydra/oauth2/token
grafana.grafana.ini.auth.generic_oauth.api_urlUrl used to access user info, uses global.security.hydra.uiUrl as base by default/external/hydra/userinfo
grafana.grafana.ini.auth.generic_oauth.login_attribute_pathId token claim used to distinguish different usersuserId
grafana.grafana.ini.auth.generic_oauth.email_attribute_nameId token claim with emailemail
grafana.grafana.ini.auth.generic_oauth.role_attribute_pathExpression used to map roles from id_token to grafana...
grafana.grafana.ini.auth.generic_oauth.role_attribute_strictFlag to require the role during sign uptrue

Feature

Integrated superset with Hydra OIDC in values.yaml

Values added - superset

NameDescriptionValue
superset.configOverrides.ilum_oauth_securityCode added to superset config in order to enable oidc...
superset.extraVolumes[0].nameName of extra volume with a secret for oidc connectionoauth-secret-volume
superset.extraVolumes[0].secret.secretNameName of secret used in extra volume for oidc connectionilum-hydra-client-secret
superset.extraVolumes[1].nameName of extra volume with superset plugin used to enable oidcoauth-plugin-volume
superset.extraVolumes[1].secret.secretNameSecret with superset plugin used to enable oidcilum-superset-oidc-plugin-secret
superset.extraVolumeMounts[0].nameName of volume mount with oidc secret dataoauth-secret-volume
superset.extraVolumeMounts[0].mountPathPath of volume mount with oidc secret data/app/pythonpath/oauth
superset.extraVolumeMounts[1].nameName of volume mount with a superset plugin as a python fileoauth-plugin-volume
superset.extraVolumeMounts[1].mountPathPath of volume mound with a superset plugin/app/pythonpath/security

2. Addition of examples for ilum-core and superset

Feature:

Added examples for Ilum modules. New Ilum users can use these examples to quickly understand how to use Ilum modules like ilum-sql, superset and others.

Values added - ilum-core

NameDescriptionValue
examples.jobEnables creating single job exampletrue
examples.scheduleEnables creating schedule exampletrue
examples.sqlNotebookEnables creating sql notebook exampletrue
examples.sqlQueryEnables creating sql query exampletrue
examples.databaseEnables creating database exampletrue

Values added - ilum-aio

NameDescriptionValue
ilum-core.examples.jobEnables creating single job exampletrue
ilum-core.examples.scheduleEnables creating schedule exampletrue
ilum-core.examples.sqlNotebookEnables creating sql notebook exampletrue
ilum-core.examples.sqlQueryEnables creating sql query exampletrue
ilum-core.examples.databaseEnables creating database exampletrue
superset.extraEnv.IMPORT_DASHBOARDEnables creating superset dashboard exampletrue
superset.extraVolumes[2].nameVolume name for dashboard importexample-dashboard
superset.extraVolumes[2].configMap.nameConfigMap that contains base64-encoded dashboardilum-superset-example-dashboard
superset.extraVolumeMounts[2].nameMount name for example dashboard configexample-dashboard
superset.extraVolumeMounts[2].mountPathPath in container to mount the dashboard config/config
superset.extraVolumeMounts[2].readOnlyMount config as read-onlytrue
superset.init.initscriptCustom init script to conditionally import dashboardSee script in ilum-aio values file

3. Internal users upgrade credentials flag

Values added - ilum-core

NameDescriptionValue
ilum-core.security.internal.upgradeCredentialsEnables overriding user password with helm configurationfalse

4. Tighter integration of Marquez with Ilum

Feature:

Enhanced Marquez integration with ilum-core, which means no direct communication between ilum-frontend and Marquez is needed anymore. This way, having a customized Marquez build is not necessary anymore.

Values changed - ilum-core

NameOld valueNew Value
job.openLineage.transport.endpoint/external/lineage/api/v1/lineage/api/v1/lineage

5. Changed superset load example variable name

Values deleted - ilum-aio

NameReason
superset.extraEnv.IMPORT_DASHBOARDChanged to other variable name

Values added - ilum-aio

NameDescriptionValue
superset.init.loadExamplesEnables creating superset dashboard exampletrue

RELEASE 6.3.2

1. Addition of frequently used values to ilum-sql

Feature:

Added frequently used values to ilum-sql chart, so that their configuration is easier.

Values added - ilum-sql

NameDescriptionValue
config.kyuubi.logLevelBase log-level of the log4j frameworkINFO
config.kyuubi.idleEngineTimeoutAuto-shutdown time of Kyuubi engines30M
config.kyuubi.idleSessionTimeoutAuto-shutdown time of Kyuubi sessions30M
config.kyuubi.engineAliveProbeWhether to create a probe, which will check engine livenesstrue
config.kyuubi.cleanupTerminatedSparkDriverPodsDetermines which of the terminated Spark engine pods will get deleted. Available: NONE, COMPLETED, ALLALL

Values changed - ilum-aio

NameOld valueNew Value
ilum-sql.config.kyuubi.defaultssee values.yaml~

⚠️⚠️⚠️ Warnings

Because these values were already present in the ilum-aio chart, the change will not be noticeable for users who have changed the value of ilum-sql.config.kyuubi.defaults.

2. Support of Trino in ilum-sql

Feature:

Introduced support for Trino as an SQL engine in ilum-sql chart.

Values added - ilum-aio

NameDescriptionValue
trino.enabledEnables built-in Trinofalse
trino.nameOverrideSets the name overrideilum-trino
trino.coordinatorNameOverrideSets the name override for the coordinatorilum-trino-coordinator
trino.workerNameOverrideSets the name override for the worker nodesilum-trino-worker
trino.server.workersSets the number of workers1
trino.catalogs.ilum-deltaConfigures the 'ilum-delta' catalogSee values.yaml
ilum-sql.config.trino.catalogThe catalog of choice for Trinoilum-delta

Values added - ilum-sql

NameDescriptionValue
config.trino.urlUrl pointing to Trino coordinatorhttp://ilum-trino:8080
config.trino.catalogThe catalog of choice for Trinosystem
config.trino.defaultsAdditional settings of Trino engines. All properties must be prefixed with trino.~

3. Enhanced Oauth2

Feature

Added users, groups and roles mapping during authentication from OAuth2 Autherization server to Ilum Core. Added ability to assign Admin role to oauth2 users.

Values added - ilum-core

NameDescriptionValue
security.oauth2.mapping.idJWT claim that should be mapped to user`s id""
security.oauth2.mapping.nameJWT claim that should be mapped to user`s namesub
security.oauth2.mapping.emailJWT claim that should be mapped to user`s emailemail
security.oauth2.mapping.fullnameJWT claim that should be mapped to user`s fullnamefullname
security.oauth2.mapping.descriptionJWT claim that should be mapped to user`s description""
security.oauth2.mapping.departmentJWT claim that should be mapped to user`s department""
security.oauth2.mapping.groupsJWT claim with a list of groups that user is a part of represented by strings"groups"
security.oauth2.mapping.rolesJWT claim with a list of roles that user uses represented by strings"roles"
security.oauth2.mapping.enabledJWT claim that should be mapped to user`s state""
security.oauth2.mapping.enabledTrueValue of JWT claim with the name of mapping.enabled that stands for ENABLED""
security.oauth2.mapping.singleGroupJWT claim that contains a string with name of group that the user is part of""
security.oauth2.mapping.singleRoleJWT claim that contains a string with name of role that the user has""

4. Addition of kubernetes s3 region to ilum-core and ilum-aio

Feature:

Added the ability to set the S3 region in ilum-core.

Values added - ilum-core

NameDescriptionValue
kubernetes.s3.regiondefault kubernetes cluster S3 storage region to store spark resourcesus-east-1

Values added - ilum-aio

NameDescriptionValue
ilum-core.kubernetes.s3.regiondefault kubernetes cluster S3 storage region to store spark resourcesus-east-1
ilum-core.kubernetes.defaultCluster.config.spark.hadoop.fs.s3a.bucket.ilum-data.regiondefault kubernetes cluster S3 storage region to store spark resourcesus-east-1

5. Protocol in superset

Feature:

Added the ability to set the protocol in superset.

Values added - superset

NameDescriptionValue
protocolsuperset protocolhttp

6. Addition of hive metastore status probe to ilum-core helm chart

Feature:

Added possibility to enable status probe for hive metastore.

Values added - ilum-core

NameDescriptionValue
hiveMetastore.statusProbe.enabledHive metastore status probe enabled flagfalse
hiveMetastore.statusProbe.imageHive metastore status probe imagecurlimages/curl:8.5.0
hiveMetastore.statusProbe.hostHive metastore status probe hostilum-hive-metastore
hiveMetastore.statusProbe.portHive metastore status probe port9083

RELEASE 6.3.1

1. Added extra buckets to storage config

Feature

Added ability to include extra buckets to ilum cluster spark storage configuration.

Values added - ilum-core

NameDescriptionValue
kubernetes.s3.extraBucketsilum-core default kubernetes cluster S3 storage extra buckets to include[]
kubernetes.gcs.extraBucketsilum-core default kubernetes cluster GCS storage extra buckets to include[]
kubernetes.wasbs.extraContainersilum-core default kubernetes cluster WASBS storage extra containers to include[]
kubernetes.hdfs.extraCatalogsilum-core default kubernetes cluster HDFS storage extra catalogs to include[]

2. Enhanced LDAP

Added the ability to map users, groups, and roles — along with their properties and relationships — from an LDAP server to Ilum Core based on mapping configurations in Helm. Enabled the option to assign Admin role to LDAP users.

Values added - ilum-core

NameDescriptionValue
security.ldap.userMapping.baseLDAP base of user entries""
security.ldap.userMapping.filterLDAP filter used for users search"uid={0}"
security.ldap.userMapping.usernameName of LDAP attribute that should be mapped to user`s usernameuid
security.ldap.userMapping.passwordName of LDAP attribute that should be mapped to user`s passworduserPassword
security.ldap.userMapping.descriptionName of LDAP attribute that should be mapped to user`s description""
security.ldap.userMapping.fullnameName of LDAP attribute that should be mapped to user`s fullname""
security.ldap.userMapping.departmentName of LDAP attribute that should be mapped to user`s department""
security.ldap.userMapping.emailName of LDAP attribute that should be mapped to user`s email""
security.ldap.userMapping.enabledName of LDAP attribute that should be mapped to user`s state""
security.ldap.userMapping.enabledValueValue of attribute with the name of userMapping.enabled that stands for ENABLED""
security.ldap.groupMapping.baseLDAP base for group entries""
security.ldap.groupMapping.filterLDAP filter used for groups search(member={0})
security.ldap.groupMapping.nameName of LDAP attribute that should be mapped to group`s namecn
security.ldap.groupMapping.descriptionName of LDAP attribute that should be mapped to group`s description""
security.ldap.groupMapping.memberAttributeName of LDAP attribute that lists users having the groupuid
security.ldap.groupMapping.rolesLDAP attribute that lists the roles that the group includes""
security.ldap.groupMapping.roleFilterAttributeLDAP attribute of roles that represents a role in groupMapping.roles attribute""
security.ldap.groupMapping.enabledName of LDAP attribute that should be mapped to group`s state""
security.ldap.groupMapping.enabledTrueValue of attribute from groupMapping.enabled that stands for ENABLED""
security.ldap.roleMapping.baseLDAP base for role entries""
security.ldap.roleMapping.filterLDAP filter used for roles search""
security.ldap.roleMapping.memberAttributeName of LDAP attribute that lists users having the role""
security.ldap.roleMapping.nameName of LDAP attribute that should be mapped to role`s name""
security.ldap.roleMapping.descriptionName of LDAP attribute that should be mapped to role`s description""
security.ldap.roleMapping.enabledName of LDAP attribute that should be mapped to role`s state""
security.ldap.roleMapping.enabledTrueValue of attribute from roleMapping.enabled that stands for ENABLED""

Values deleted - ilum-core

NameReason
security.ldap.userSearchReplaced with security.ldap.userMapping
security.ldap.groupSearchReplaced with security.ldap.groupMapping

Names changed - ilum-core

Old NameNew Name
security.internal.users[*].passwordsecurity.internal.users[*].initialPassword

3. sparkmagic default config

Values changed - ilum-jupyter configuration parameters change because of the introduction of the spark session form.

NameOld valueNew Value
sparkmagic.config.sessionConfigs.conf'{ "pyRequirements": "pandas", "cluster": "default", "autoPause": "false", "spark.example.config": "You can change the default configuration in ilum-jupyter-config k8s configmap" }''{}'

Values deleted - ilum-jupyter

NameReason
sparkmagic.config.sessionConfigs.executorCoresNot needed anymore because of the new spark session form

Values deleted - ilum-jupyter

NameReason
sparkmagic.config.sessionConfigs.driverMemoryNot needed anymore because of the new spark session form

RELEASE 6.3.0

1. Changed image tag version of kyuubi

Values changed - sparkmagic configuration parameters

NameOld valueNew Value
sparkmagic.config.sessionConfigs.conf'{ "pyRequirements": "pandas", "spark.example.config": "You can change the default configuration in ilum-jupyter-config k8s configmap" }''{ "pyRequirements": "pandas", "cluster": "default", "autoPause": "false", "spark.example.config": "You can change the default configuration in ilum-jupyter-config k8s configmap" }'

2. Added property to set kafka address for ilum-core

Feature

Added ability to set kafka address for ilum-core pod, separate from global kafka address configuration for both spark jobs and ilum-core pod set via kafka.address property.

Values added - ilum-core

NameDescriptionValue
kafka.ilum.addressilum-core kafka address only for ilum-core pod, overrides kafka.addressnot defined

3. Changed ilum job healthcheck tolerance time

Values changed - ilum job healthcheck configuration parameters

NameOld valueNew Value
job.healthcheck.tolerance1203600

4. Introducing embedded git repo

Feature

Added Gitea as a module providing build in git server for ilum platform.

Values added - gitea

NameDescriptionValue
gitea.enabledEnable or disable Gitea deploymenttrue
gitea.image.rootlessRun Gitea in rootless modefalse
gitea.gitea.config.database.DB_TYPEDatabase type used for Giteapostgres
gitea.gitea.config.database.HOSTDatabase host and port for Giteailum-postgresql-hl:5432
gitea.gitea.config.database.NAMEDatabase name for Giteagitea
gitea.gitea.config.database.USERDatabase username for Giteailum
gitea.gitea.config.database.PASSWDDatabase password for Gitea (Change required)CHANGEMEPLEASE
gitea.gitea.admin.existingSecretGitea secret to store init credentialsilum-git-credentials
gitea.gitea.admin.emailGitea admin emaililum@ilum
gitea.gitea.admin.passwordModePassword mode for admin accountinitialOnlyNoReset
gitea.gitea.additionalConfigFromEnvs[0].nameEnable push-create userGITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER
gitea.gitea.additionalConfigFromEnvs[0].valueValue for enabling push-create usertrue
gitea.gitea.additionalConfigFromEnvs[1].nameEnable push-create organizationGITEA__REPOSITORY__ENABLE_PUSH_CREATE_ORG
gitea.gitea.additionalConfigFromEnvs[1].valueValue for enabling push-create organizationtrue
gitea.gitea.additionalConfigFromEnvs[2].nameDefault repository branchGITEA__REPOSITORY__DEFAULT_BRANCH
gitea.gitea.additionalConfigFromEnvs[2].valueValue for default repository branchmaster
gitea.gitea.additionalConfigFromEnvs[3].nameRoot URL of the Gitea serverGITEA__SERVER__ROOT_URL
gitea.gitea.additionalConfigFromEnvs[3].valueValue for Gitea server root URLhttp://git.example.com/external/gitea/
gitea.gitea.additionalConfigFromEnvs[4].nameStatic URL prefixGITEA__SERVER__STATIC_URL_PREFIX
gitea.gitea.additionalConfigFromEnvs[4].valueValue for static URL prefix/external/gitea/
gitea.redis-cluster.enabledEnable or disable Redis clusterfalse
gitea.redis.enabledEnable or disable Redisfalse
gitea.postgresql.enabledEnable or disable standalone PostgreSQLfalse
gitea.postgresql-ha.enabledEnable or disable PostgreSQL HAfalse

Values added - ilum-jupyter

NameDescriptionValue
ilum-jupyter.git.enabledEnable or disable Git integrationfalse
ilum-jupyter.git.usernameGit username for authenticationilum
ilum-jupyter.git.passwordGit password for authenticationilum
ilum-jupyter.git.emailGit email addressilum@ilum
ilum-jupyter.git.repositoryGit repository namejupyter
ilum-jupyter.git.addressGit server addressilum-gitea-http:3000
ilum-jupyter.git.init.imageGit initialization imagebitnami/git:2.48.1

Values added - ilum-airflow

NameDescriptionValue
airflow.dags.gitSync.enabledEnable or disable Git synchronization for DAGstrue
airflow.dags.gitSync.repoGit repository URL for DAGshttp://ilum-gitea-http:3000/ilum/airflow.git
airflow.dags.gitSync.branchGit branch to sync frommaster
airflow.dags.gitSync.refGit reference to syncHEAD
airflow.dags.gitSync.depthGit clone depth1
airflow.dags.gitSync.maxFailuresMaximum allowed synchronization failures0
airflow.dags.gitSync.subPathSubpath within the repository to sync""
airflow.dags.gitSync.credentialsSecretSecret used for Git authenticationilum-git-credentials

5. Ilum SQL configuration naming changes

Change the naming of Ilum Sql Configuration to better reflect the current usage of Kyuubi

Names changed - ilum-core

Old NameNew Name
kyuubi.*sql.*

Names changed - ilum-aio

Old NameNew Name
ilum-kyuubi.*ilum-sql.*

⚠️⚠️⚠️ Warnings

Due to the changes in naming and in the inner workings of the SQL engine launching, and restrictions on what can be done via a helm upgrade, it is required to manually delete the old stateful set (e.g. kubectl delete sts ilum-sql) before upgrading to this version. This will ensure that during the update, a new stateful set is created with the correct configuration. The breaking changes are related to the labels and volume mounts that are used by the ilum-sql stateful set.

6. Add configurations for Ilum Submit for Spark Sql engines

Ilum Submit enhances the process of launching Spark SQL engines via both the Ilum Web Application and the JDBC endpoint by automatically applying the configurations of the selected cluster. This improvement eliminates the need to manually provide Kyuubi's Spark configuration to Ilum Core.

Valued deleted - ilum-core

NameReason
sql.sparkConfigUnnecessary after the change

Values added - ilum-kyuubi

NameDescriptionValue
ilumSubmit.enabledFlag to enable ilum submit servicefalse
ilumSubmit.ilum.hostHost of Ilum REST serviceilum-core
ilumSubmit.ilum.portPort of Ilum REST service9888

Values added - ilum-aio

NameDescriptionValue
ilum-sql.ilumSubmit.enabledFlag to enable SQL engine creation through Ilumtrue

⚠️⚠️⚠️ Warnings

Since Kyuubi's Spark config is not needed in Ilum Core anymore, the default spark config should be supplied directly to ilum-sql.config.spark.defaults instead of the global value.

Feature

Security‑related configuration (including internal user credentials, LDAP, OAuth2, JWT, and authorities settings) has been moved from the config map to a dedicated Kubernetes Secret. This improves the security of sensitive data by isolating it from non‑sensitive configuration.

Values added - ilum-core

NameDescriptionValue
security.secret.nameName of the secret that holds security‑related configuration. Use this to override the default secret name.ilum-security

8. Changed ilum-ui service type

Because of the problems with kubectl port-forward we are exposing a NodePort by default.

Values changed - ilum-ui healthcheck configuration parameters

NameOld valueNew Value
service.typeClusterIPNodePort
service.nodePort``31777

RELEASE 6.2.1

1. Change the value of Kyuubi's url

Feature

Change the value of Kyuubi's url in ilum-core. The default value should work now out of the box.

Values changed - ilum-core

NameOld valueNew Value
kyuubi.hostilum-sql-restilum-sql-headless

RELEASE 6.2.1-RC1

1. Spark job's memory settings configuration in ilum-core

Feature

Added spark job's memory settings configuration in ilum-core. When default cluster in ilum-core is being created, it will have memory settings parameters set to those values.

Values added - ilum-core

NameDescriptionValue
job.memorysettings.executorsspark jobs executor count2
job.memorysettings.executorMemoryspark jobs executor memory allocation1g
job.memorysettings.driverMemoryspark jobs driver memory allocation1g
job.memorysettings.executorCoresspark jobs executor core count1
job.memorysettings.driverCoresspark jobs driver core count1
job.memorysettings.dynamicAllocationEnabledspark jobs dynamic allocation enabled flagfalse
job.memorysettings.minExecutorsspark jobs minimum number of executors0
job.memorysettings.initialExecutorsspark jobs initial number of executors0
job.memorysettings.maxExecutorsspark jobs maximum number of executors20

2. Spark history server retention parameters addition

Feature

Added spark history server retention parameters to ilum-core. These parameters allow the user to configure the retention of spark history server logs.

Values added - ilum-core

NameDescriptionValue
historyServer.parameters.spark.history.fs.cleaner.enabledhistory server cleaner enabled flagtrue
historyServer.parameters.spark.history.fs.cleaner.intervalhistory server cleaner interval1d
historyServer.parameters.spark.history.fs.cleaner.maxAgehistory server logs max age7d

3. Split Kyuubi's url into host and port

Feature

Split Kyuubi's url into host and port in ilum-core. This change was necessary for us to be able to create custom engines.

Values added - ilum-core

NameDescriptionValue
kyuubi.hostKyuubi hostilum-sql-rest
kyuubi.portKyuubi port10099

Values deleted - ilum-core

NameReason
kyuubi.urlUnnecessary after the change

4. Extra entries in helm_ui nginx server config map

Feature

Added enabled flags for history server, minio, ilum-jupyter, airflow, mlflow and lineage to ilum-ui. These flags allow the user to enable or disable the access to these services through ilum-ui. These values will be used in nginx server config map.

Values added - ilum-ui chart

NameDescriptionValue
nginx.config.ilum-jupyter.enabledilum-ui nginx config ilum-jupyter enabled flagfalse
nginx.config.airflow.enabledilum-ui nginx config airflow enabled flagfalse
nginx.config.minio.enabledilum-ui nginx config minio enabled flagfalse
nginx.config.historyServer.enabledilum-ui nginx config historyServer enabled flagfalse
nginx.config.mlflow.enabledilum-ui nginx config mlflow enabled flagfalse
nginx.config.lineage.enabledilum-ui nginx config lineage enabled flagfalse

5. Superset in ilum-aio chart

Feature

Superset in ilum AIO chart. Superset is fast, lightweight, intuitive, and loaded with options that make it easy for users of all skill sets to explore and visualize their data, from simple line charts to highly detailed geospatial charts. Superset is one of modules integrated with Ilum platform.

Values added - ilum-ui

log aggregation config
NameDescriptionValue
runtimeVars.supersetUrlsuperset service urlhttp://ilum-superset:8088/
nginx.config.superset.enabledilum-ui nginx config superset enabled flagfalse

4. Ilum default kubernetes cluster config from helm values

Feature

From now on, the default ilum cluster parameters will be set based on the helm values.

Values added - ilum-core chart

NameDescriptionValue
kubernetes.defaultCluster.configilum-core default kubernetes cluster configurationconfig:
  spark.driver.extraJavaOptions: "-Divy.cache.dir=/tmp -Divy.home=/tmp"
  spark.kubernetes.container.image: "ilum/spark:3.5.2-delta"
  spark.databricks.delta.catalog.update.enabled: "true"

RELEASE 6.2.0

1. Changed image tag version of kyuubi

Values changed - ilum-kyuubi chart

NameOld valueNew Value
image.tag1.9.2-spark1.10.0-spark

2. Changed kyuubi spark configuration in ilum-kyuubi chart

Added spark.driver.memory=2g in global.kyuubi.sparkConfig

RELEASE 6.2.0-RC2

1. Minio status probe addition

Feature

Added status probe in ilum-core that checks whether minio storage is ready

Values added - ilum-core

NameDescriptionValue
minio.statusProbe.enabledminio status probe enabled flagtrue
minio.statusProbe.imageminio status probe imagecurlimages/curl:8.5.0
minio.statusProbe.baseUrlminio base url"http://ilum-minio:9000"

2. Kyuubi configuration in ilum-core

Feature

Added Kyuubi configuration in ilum-core helm chart. Kyuubi will allow the user to execute SQL queries on many different data sources using ILUM UI.

Values added - ilum-core

NameDescriptionValue
kyuubi.enabledKyuubi enabled flagtrue
kyuubi.urlUrl of Kyuubi's rest servicehttp://ilum-sql-rest:10099

⚠️⚠️⚠️ Warnings

In order to properly manage SQL engines, we need to pass Kyuubi's spark configuration to ilum-core. This is done by configuring Kyuubi's spark in global.kyuubi.sparkConfig and allows the user to write one configuration which can be passed to both Kyuubi and ilum-core.

3. MongoDb uri configuration in ilum-core

Feature

Change the way mongoDb uri is passed to ilum-core. Now it is passed as a single string, which enables the user to provide more granular configuration such as authSource.

Values added - ilum-core

NameDescriptionValue
mongo.uriMongoDb connection stringmongodb://mongo:27017/ilum-default?replicaSet=rs0

Values deleted - ilum-core

NameReason
mongo.instancesUnnecessary after the change
mongo.replicaSetNameUnnecessary after the change

⚠️⚠️⚠️ Warnings

The mongo.uri, if set incorrectly, will cause the application to not work properly. Make sure to provide the correct connection string.

Previously the format was: mongodb://{ mongo.instances }/ilum-{ release_namespace }?replicaSet={ mongo.replicaSetName } By default in the ilum-aio chart these values were:

  • mongo.instances - ilum-mongodb-0.ilum-mongodb-headless:27017,ilum-mongodb-1.ilum-mongodb-headless:27017
  • mongo.replicaSetName - rs0
  • release_namespace - default

4. Autopausing configuration in ilum-core

Feature

Added autopausing in ilum-core, which periodically checks if any groups are idle for the specified time and pauses the group. Each group has to have autopausing exclicitly turned on for this to take place.

Values added - ilum-core

NameDescriptionValue
job.autoPause.enabledFeature flag to enable auto pausingtrue
job.autoPause.periodInterval in seconds to check the idleness groups180
job.autoPause.idleTimeTime in seconds that the group needs to be idle to be auto paused3600

5. Graphite exporter in ilum-aio chart

Feature

Graphite exporter in ilum AIO chart and Graphite configuration in ilum-core chart. Graphite exporter is a Prometheus exporter for metrics exported in the Graphite plaintext protocol.

Values added - graphite-exporter

Newly added whole chart, check its values on the chart's page

6. Graphite configuration in ilum-core

Feature

Added Graphite configuration in ilum-core helm chart. Graphite will allow Spark jobs to send their metrics to graphite sink, which will be scraped by Prometheus.

Values added - ilum-core

NameDescriptionValue
job.graphite.enabledGraphite enabled flagfalse
job.graphite.hostGraphite hostilum-graphite-graphite-tcp
job.graphite.portGraphite port9109
job.graphite.periodInterval between sending job metrics10
job.graphite.unitsTime unitseconds

RELEASE 6.1.4

1. Jupyter default sparkmagic configuration change

Feature

Changed method of passing spark default configs to jupyter notebook, now it is passed as json string

Values added - ilum-jupyter

sparkmagic configuration parameters
NameDescriptionValue
sparkmagic.config.sessionConfigs.confsparkmagic session spark configuration'{ "pyRequirements": "pandas", "spark.jars.packages": "io.delta:delta-core_2.12:2.4.0", "spark.sql.extensions": "io.delta.sql.DeltaSparkSessionExtension", "spark.sql.catalog.spark_catalog": "org.apache.spark.sql.delta.catalog.DeltaCatalog"}'
sparkmagic.config.sessionConfigsDefaults.confsparkmagic session defaults spark configuration'{ "pyRequirements": "pandas", "spark.jars.packages": "io.delta:delta-core_2.12:2.4.0", "spark.sql.extensions": "io.delta.sql.DeltaSparkSessionExtension", "spark.sql.catalog.spark_catalog": "org.apache.spark.sql.delta.catalog.DeltaCatalog"}'

2. Kyuubi in ilum-aio chart

Feature

Kyuubi in ilum AIO chart. Kyuubi is a distributed multi-tenant gateway providing SQL query services for data warehouses and lakehouses. It provides both JDBC and ODBC interfaces, and a REST API for clients to interact with.

Values added - ilum-kyuubi

Newly added whole chart, check its values on the chart's page

RELEASE 6.1.3

1. Jupyter configuration and persistent storage

Feature

Added extended configuration of jupyter notebook helm chart through helm values. Moreover added persitent storage to jupyter pod. All data saved in work directory will now be available after jupyter restart/update.

Values added - ilum-jupyter

pvc parameters
NameDescriptionValue
pvc.annotationspersistent volume claim annotations{}
pvc.selectorpersistent volume claim selector{}
pvc.accessModespersistent volume claim accessModesReadWriteOnce
pvc.storagepersistent volume claim storage requests4Gi
pvc.storageClassNamepersistent volume claim storageClassName``
sparkmagic configuration parameters
NameDescriptionValue
sparkmagic.config.kernelPythonCredentials.usernamesparkmagic python kernel username""
sparkmagic.config.kernelPythonCredentials.passwordsparkmagic python kernel password""
sparkmagic.config.kernelPythonCredentials.authsparkmagic python kernel auth mode"None"
sparkmagic.config.kernelScalaCredentials.usernamesparkmagic python kernel username""
sparkmagic.config.kernelScalaCredentials.passwordsparkmagic scala kernel password""
sparkmagic.config.kernelScalaCredentials.authsparkmagic scala kernel auth mode"None"
sparkmagic.config.kernelRCredentials.usernamesparkmagic r kernel username""
sparkmagic.config.kernelRCredentials.passwordsparkmagic r kernel password""
sparkmagic.config.waitForIdleTimeoutSecondssparkmagic timeout waiting for idle state15
sparkmagic.config.livySessionStartupTimeoutSecondssparkmagic timeout waiting for the session to start300
sparkmagic.config.ignoreSslErrorssparkmagic ignore ssl errors flagfalse
sparkmagic.config.sessionConfigs.confsparkmagic session spark configuration[pyRequirements: pandas, spark.jars.packages: io.delta:delta-core_2.12:2.4.0, spark.sql.extensions: io.delta.sql.DeltaSparkSessionExtension,spark.sql.catalog.spark_catalog: org.apache.spark.sql.delta.catalog.DeltaCatalog]
sparkmagic.config.sessionConfigs.driverMemorysparkmagic session driver memory1000M
sparkmagic.config.sessionConfigs.executorCoressparkmagic session executor cores2
sparkmagic.config.sessionConfigsDefaults.confsparkmagic session defaults spark configuration[pyRequirements: pandas, spark.jars.packages: io.delta:delta-core_2.12:2.4.0, spark.sql.extensions: io.delta.sql.DeltaSparkSessionExtension,spark.sql.catalog.spark_catalog: org.apache.spark.sql.delta.catalog.DeltaCatalog]
sparkmagic.config.sessionConfigsDefaults.driverMemorysparkmagic session defaults driver memory1000M
sparkmagic.config.sessionConfigsDefaults.executorCoressparkmagic session defaults executor cores2
sparkmagic.config.useAutoVizsparkmagic use auto viz flagtrue
sparkmagic.config.coerceDataframesparkmagic coerce dataframe flagtrue
sparkmagic.config.maxResultsSqlsparkmagic max sql result2500
sparkmagic.config.pysparkDataframeEncodingsparkmagic pyspark dataframe encodingutf-8
sparkmagic.config.heartbeatRefreshSecondssparkmagic heartbeat refresh seconds30
sparkmagic.config.livyServerHeartbeatTimeoutSecondssparkmagic livy server heartbeat timeout seconds0
sparkmagic.config.heartbeatRetrySecondssparkmagic heartbeat retry seconds10
sparkmagic.config.serverExtensionDefaultKernelNamesparkmagic server extension default kernel namepysparkkernel
sparkmagic.config.retryPolicysparkmagic retry policyconfigurable
sparkmagic.config.retrySecondsToSleepListsparkmagic retry seconds to sleep list[0.2, 0.5, 1, 3, 5]
sparkmagic.config.configurableRetryPolicyMaxRetriessparkmagic retry policy max retries8

RELEASE 6.1.2

1. Hive metastore in ilum-aio chart

Feature

Hive metastore in ilum AIO chart. HMS is a central repository of metadata for Hive tables and partitions in a relational database, and provides clients (including Hive, Impala and Spark) access to this information using the metastore service API. With hive metastore enabled in ilum AIO helm stack spark jobs run by ilum can be configured to autmatically access it.

Values added - ilum-hive-metastore

Newly added whole chart, check its values on chart page

Values added - ilum-core

NameDescriptionValue
hiveMetastore.enabledpassing hive metastore config to ilum spark jobs flagfalse
hiveMetastore.addresshive metastore addressthrift://ilum-hive-metastore:9083
hiveMetastore.warehouseDirhive metastore warehouse directorys3a://ilum-data/

2. Postgres extensions added

Feature

Few of ilum AIO subchars use postgresql, to make it easier to manage deployment of them we have added postgres extension resource to create postgresql databases for ilum sucharts.

Values added - ilum-aio

postgresql extensions parameters
NameDescriptionValue
postgresExtensions.enabledpostgres extensions enabled flagtrue
postgresExtensions.imageimage to run extensions inbitnami/postgresql:16
postgresExtensions.pullPolicyimage pull policyIfNotPresent
postgresExtensions.imagePullSecretsimage pull secrets[]
postgresExtensions.hostpostgresql database hostilum-postgresql-0.ilum-postgresql-hl
postgresExtensions.portpostgresql database port5432
postgresExtensions.databasesToCreatecomma separated list of databases to createmarquez,airflow,metastore
postgresExtensions.auth.usernamepostgresql account usernameilum
postgresExtensions.auth.passwordpostgresql account passwordCHANGEMEPLEASE
postgresExtensions.nodeSelectorpostgresql extensions pods node selector{}
postgresExtensions.tolerationspostgresql extensions pods tolerations[]

3. Loki and promtail in ilum-aio chart

Feature

Loki and promtail in ilum AIO chart. Loki is a horizontally scalable, highly available, multi-tenant log aggregation system inspired by Prometheus. Promtail is an agent which ships the contents of local logs to a Grafana Loki instance. Ilum will now use loki to aggregate logs from spark job pods to be able to clean cluster resources after jobs are done. Loki and promtail are preconfigured to scrap logs only from spark pods run by ilum in order to fetch job logs after their finish.

Values added - ilum-core

log aggregation config
NameDescriptionValue
global.logAggregation.enabledilum log aggregation flag, if enabled Ilum will fetch logs of finished kubernetes spark pods from lokifalse
global.logAggregation.loki.urlloki gateway address to access logshttp://ilum-loki-gateway

Values added - ilum-aio

log aggregation - loki config
NameDescriptionValue
loki.nameOverridesubchart name overrideilum-loki
loki.monitoring.selfMonitoring.enabledself monitoring enabled flagfalse
loki.monitoring.selfMonitoring.grafanaAgent.installOperatorself monitoring grafana agent operator install flagfalse
loki.monitoring.selfMonitoring.lokiCanary.enabledself monitoring canary enabled flagfalse
loki.test.enabledtests enabled flagfalse
loki.loki.auth_enabledauthentication enabled flagfalse
loki.loki.storage.bucketNames.chunksstorage chunks bucketilum-files
loki.loki.storage.bucketNames.rulerstorage ruler bucketilum-files
loki.loki.storage.bucketNames.adminstorage admin bucketilum-files
loki.loki.storage.typestorage types3
loki.loki.s3.endpoints3 storage endpointhttp://ilum-minio:9000
loki.loki.s3.regions3 storage endpointus-east-1
loki.loki.s3.secretAccessKeys3 storage secret access keyminioadmin
loki.loki.s3.accessKeyIds3 storage access key idminioadmin
loki.loki.s3.s3ForcePathStyles3 storage path style access flagtrue
loki.loki.s3.insecures3 storage insecure flagtrue
loki.loki.compactor.retention_enabledlogs retention enabled flagtrue
loki.loki.compactor.deletion_modedeletion modefilter-and-delete
loki.loki.compactor.shared_storeshared stores3
loki.loki.limits_config.allow_deletesallow logs deletion flagtrue
log aggregation - loki config
NameDescriptionValue
promtail.config.clients[0].urlfirst client urlhttp://ilum-loki-write:3100/loki/api/v1/push
promtail.snippets.pipelineStages[0].match.selectorpipeline stage to drop non ilum logs selector{ilum_logAggregation!="true"}
promtail.snippets.pipelineStages[0].match.actionpipeline stage to drop non ilum logs actiondrop
promtail.snippets.pipelineStages[0].match.drop_counter_reasonpipeline stage to drop non ilum logs drop_counter_reasonnon_ilum_log
promtail.snippets.extraRelabelConfigs[0].actionrelabel config to keep ilum pod labels actionlabelmap
promtail.snippets.extraRelabelConfigs[0].regexrelabel config to keep ilum pod labels regex__meta_kubernetes_pod_label_ilum(.*)
promtail.snippets.extraRelabelConfigs[0].replacementrelabel config to keep ilum pod labels replacementilum${1}
promtail.snippets.extraRelabelConfigs[1].actionrelabel config to keep spark pod labels actionlabelmap
promtail.snippets.extraRelabelConfigs[1].regexrelabel config to keep spark pod labels regex__meta_kubernetes_pod_label_spark(.*)
promtail.snippets.extraRelabelConfigs[1].replacementrelabel config to keep spark pod labels replacementspark${1}

RELEASE 6.1.1

1. Added health checks for ilum interactive jobs

Feature

To prevent situations with unexpected crushes of ilum groups we added healthchecks to make sure they work as they should.

Values added - ilum-core

ilum-job parameters
NameDescriptionValue
job.healthcheck.enabledspark interactive jobs healthcheck enabled flagtrue
job.healthcheck.intervalspark interactive jobs healthcheck interval in seconds300
job.healthcheck.tolerancespark interactive jobs healthcheck response time tolerance in seconds120

2. Parameterized replica scale for ilum scalable services

Feature

The configuration of the number of replicas for ilum scalable services was extracted to helm values.

Values added - ilum-core

ilum-core common parameters
NameDescriptionValue
replicaCountnumber of ilum-core replicas1

Values added - ilum-ui

ilum-ui common parameters
NameDescriptionValue
replicaCountnumber of ilum-ui replicas1

RELEASE 6.1.0

1. Deleted unneeded parameters from ilum cluster wasbs storage

Feature

WASBS storage containers no longer needs to have sas token porvided in helm values as it turned out to be unnecessary

Values deleted - ilum-core

wasbs storage parameters
NameReason
kubernetes.wasbs.sparkContainer.nameMoved to kubernetes.wasbs.sparkContainer value
kubernetes.wasbs.sparkContainer.sasTokenTurned out to be unnecessary
kubernetes.wasbs.dataContainer.nameMoved to kubernetes.wasbs.dataContainer value
kubernetes.wasbs.dataContainer.sasTokenTurned out to be unnecessary

Values added - ilum-core

wasbs storage parameters
NameDescriptionValue
kubernetes.wasbs.sparkContainerdefault kubernetes cluster WASBS storage container name to store spark resourcesilum-files
kubernetes.wasbs.dataContainerdefault kubernetes cluster WASBS storage container name to store ilum tablesilum-tables

2. Added init containers to check service availability

Feature

To make Ilum deployment more gracefully, from now on Ilum containers have containers waiting for the availability of the services they depend on.

Values added - ilum-core

NameDescriptionValue
mongo.statusProbe.enabledmongo status probe enabled flagtrue
mongo.statusProbe.imageinit container that waits for mongodb to be available imagemongo:7.0.5
kafka.statusProbe.enabledkafka status probe enabled flagtrue
kafka.statusProbe.imageinit container that waits for kafka to be available imagebitnami/kafka:3.4.1
historyServer.statusProbe.enabledilum history server ilum-core status probe enabled flagtrue
historyServer.statusProbe.imageilum history server init container that waits for ilum-core to be available imagecurlimages/curl:8.5.0

Values added - ilum-livy-proxy

NameDescriptionValue
statusProbe.enabledilum-core status probe enabled flagtrue
statusProbe.imageinit container that waits for ilum-core to be available imagecurlimages/curl:8.5.0

Values added - ilum-ui

NameDescriptionValue
statusProbe.enabledilum-core status probe enabled flagtrue
statusProbe.imageinit container that waits for ilum-core to be available imagecurlimages/curl:8.5.0

3. Parameterized kafka producers in ilum-core chart

Feature

In kafka communication mode ilum interactive jobs responses to interactive job instances using kafka producers. With newly added helm values kafka producer can be adapted to match user needs.

Values added - ilum-core

kafka parameters
NameDescriptionValue
kafka.maxPollRecordskafka max.poll.records parameter for ilum jobs kafka consumer, it determines how much requests ilum-job kafka consumer will fetch with each poll500
kafka.maxPollIntervalkafka max.poll.interval.ms parameter for ilum jobs kafka consumer, it determines the maximum delay between invocations of poll, which in ilum-job context means time limit for processing requests fetched in poll60000

RELEASE 6.1.0-RC1

1. added support for service annotations

Feature

Ilum helm charts services annotations may now be configured through helm values

Values added - ilum-core

service parameters
NameDescriptionValue
service.annotationsservice annotations{}
grpc.service.annotationsgrpc service annotations{}
historyServer.service.annotationshistory server service annotations{}

Values added - ilum-jupyter

service parameters
NameDescriptionValue
service.annotationsservice annotations{}

Values added - ilum-livy-proxy

service parameters
NameDescriptionValue
service.annotationsservice annotations{}

Values added - ilum-ui

service parameters
NameDescriptionValue
service.annotationsservice annotations{}

Values added - ilum-zeppelin

service parameters
NameDescriptionValue
service.annotationsservice annotations{}

2. Pulled out security oauth2 parameters to global values

Feature

Ilum security oauth2 configuration is now being set through global values

Values added - ilum-aio

security parameters
NameDescriptionValue
global.security.oauth2.clientIdoauth2 client ID``
global.security.oauth2.issuerUrioauth2 URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization Server Metadata endpoint defined by RFC 8414``
global.security.oauth2.audiencesoauth2 audiences``
global.security.oauth2.clientSecretoauth2 client secret``

Values deleted - ilum-core

security parameters
NameReasonValue
security.oauth2.clientIdoauth2 security parameters are now configured through global values``
security.oauth2.issuerUrioauth2 security parameters are now configured through global values``

3. Runtime environment variables for frontend

Feature

Configuration for frontend environment variables throuhg helm ui values.

Values added - ilum-ui

runtime variables
NameDescriptionValue
runtimeVars.defaultConfigMap.enableddefault config map for frontend runtime environment variablestrue
runtimeVars.debugdebug logging flagfalse
runtimeVars.backenUrlilum-core backend urlhttp://ilum-core:9888
runtimeVars.historyServerUrlurl of history server uihttp://ilum-history-server:9666
runtimeVars.jupyterUrlurl of jupyter uihttp://ilum-jupyter:8888
runtimeVars.airflowUrlurl of airflow uihttp://ilum-webserver:8080
runtimeVars.minioUrlurl of minio uihttp://ilum-minio:9001
runtimeVars.mlflowUrlurl of mlflow uihttp://mlflow:5000
runtimeVars.historyServerPathilum-ui proxy path to history server ui/external/history-server/
runtimeVars.jupyterPathilum-ui proxy path to jupyter ui/external/jupyter/lab/tree/work/IlumIntro.ipynb
runtimeVars.airflowPathilum-ui proxy path to airflow ui/external/airflow/
runtimeVars.dataPathilum-ui proxy path to minio ui/external/minio/
runtimeVars.mlflowPathilum-ui proxy path to mlflow ui/external/mlflow/

Values deleted - ilum-ui

NameReason
debugmoved to runtimeVars section
backenUrlmoved to runtimeVars section
historyServerUrlmoved to runtimeVars section
jupyterUrlmoved to runtimeVars section
airflowUrlmoved to runtimeVars section

4. Kube-prometheus-stack in ilum-aio chart

Feature

Kube prometheus stack in ilum AIO chart. Preconfigured to automatically work wiht ilum deployment in order to collect metrics of ilum pods and spark jobs run by ilum. Ilum provides prometheus service monitors to autoamtically scrape metrics from spark driver pods run by ilum and ilum backend services. Additionally ilum_aio chart provides built-in grafana dashboards that can be found in Ilum folder.

Values added - ilum-aio

kube-prometheus-stack variables - for extended configuration check kube-prometheus stack helm chart
NameDescriptionValue
kube-prometheus-stack.enabledkube-prometheus-stack enabled flagfalse
kube-prometheus-stack.releaseLabelkube-prometheus-stack flag to watch resource only from ilum_aio releasetrue
kube-prometheus-stack.kubeStateMetrics.enabledkube-prometheus-stack Component scraping kube state metrics enabled flagfalse
kube-prometheus-stack.nodeExporter.enabledkube-prometheus-stack node exporter daemon set deployment flagfalse
kube-prometheus-stack.alertmanager.enabledkube-prometheus-stack alert manager flagfalse
kube-prometheus-stack.grafana.sidecar.dashboards.folderAnnotationkube-prometheus-stack, If specified, the sidecar will look for annotation with this name to create folder and put graph heregrafana_folder
kube-prometheus-stack.grafana.sidecar.dashboards.provider.foldersFromFilesStructurekube-prometheus-stack, allow Grafana to replicate dashboard structure from filesystemtrue

Values added - ilum-core

NameDescriptionValue
job.prometheus.enabledprometheus enabled flag, If true spark jobs run by Ilum will share metrics in prometheus formattrue

5. Marquez OpenLineage in ilum-aio chart

Feature

Marquez OpenLineage in ilum AIO chart. Marquez enables consuming, storing, and visualizing OpenLineage metadata from across an organization, serving use cases including data governance, data quality monitoring, and performance analytics. With marquez enabled in ilum AIO helm stack spark job run by Ilum will share lineage information with marquez backend. Marquez web interface visualize data lienage information collected from spark jobs and it is accesible through ilum UI as iframe.

Values added - ilum-aio

NameDescriptionValue
global.lineage.enabledmarquez enabled flagfalse

Values added - ilum-core

NameDescriptionValue
job.openLineage.transport.typemarquez communication typehttp
job.openLineage.transport.serverUrlmarquez backend urlhttp://ilum-marquez:9555/
job.openLineage.transport.endpointmarquez backend endpoint/external/lineage/api/v1/lineage

Values added - ilum-marquez

Newly added whole chart, check its values on chart page

Values added - ilum-ui

NameDescriptionValue
runtimeVars.lineageUrlurl to provide marquez openlineage UI iframehttp://ilum-marquez-web:9444
runtimeVars.lineagePathilum-ui proxy path to marquez openlineage UI/external/lineage/

RELEASE 6.0.3

1. Parameterized kafka producers max.request.size parameter in ilum-core chart

Feature

In kafka communication mode ilum interactive jobs responses to interactive job instances using kafka producers. With newly added helm value max.request.size kafka producer parameter can be adapted to match responses size needs.

Values added - ilum-core

kafka parameters
NameDescriptionValue
kafka.requestSizekafka max.request.size parameter for ilum jobs kafka producers20000000

RELEASE 6.0.2

1. Support for hdfs, gcs and azure blob storage in ilum-core chart

Feature

Ilum cluster no longer has to be attached to s3 storage, from now default cluster can be configured to use hdfs, gcs or azure blob as storage as well. It can be achieved using newly added values in ilum-core helm chart.

Values deleted - ilum-core

NameReason
kubernetes.s3.bucketFrom now on two separated buckets must be set with new values: kubernetes.s3.sparkBucket, kubernetes.s3.dataBucket

Values added - ilum-core

kubernetes storage parameters
NameDescriptionValue
kubernetes.upgradeClusterOnStartupdefault kubernetes cluster upgrade from values in config map flagfalse
kubernetes.storage.typedefault kubernetes cluster storage type, available options: s3, gcs, wasbs, hdfss3
s3 kubernetes storage parameters
NameDescriptionValue
kubernetes.s3.hostdefault kubernetes cluster S3 storage host to store spark resourcess3
kubernetes.s3.portdefault kubernetes cluster S3 storage port to store spark resources7000
kubernetes.s3.sparkBucketdefault kubernetes cluster S3 storage bucket to store spark resourcesilum-files
kubernetes.s3.dataBucketdefault kubernetes cluster S3 storage bucket to store ilum tablesilum-tables
kubernetes.s3.accessKeydefault kubernetes cluster S3 storage access key to store spark resources""
kubernetes.s3.secretKeydefault kubernetes cluster S3 storage secret key to store spark resources""
gcs kubernetes storage parameters
NameDescriptionValue
kubernetes.gcs.clientEmaildefault kubernetes cluster GCS storage client email""
kubernetes.gcs.sparkBucketdefault kubernetes cluster GCS storage bucket to store spark resources"ilum-files"
kubernetes.gcs.dataBucketdefault kubernetes cluster GCS storage bucket to store ilum tables"ilum-tables"
kubernetes.gcs.privateKeydefault kubernetes cluster GCS storage private key to store spark resources""
kubernetes.gcs.privateKeyIddefault kubernetes cluster GCS storage private key id to store spark resources""
wasbs kubernetes storage parameters
NameDescriptionValue
kubernetes.wasbs.accountNamedefault kubernetes cluster WASBS storage account name""
kubernetes.wasbs.accessKeydefault kubernetes cluster WASBS storage access key to store spark resources""
kubernetes.wasbs.sparkContainer.namedefault kubernetes cluster WASBS storage container name to store spark resources"ilum-files"
kubernetes.wasbs.sparkContainer.sasTokendefault kubernetes cluster WASBS storage container sas token to store spark resources""
kubernetes.wasbs.dataContainer.namedefault kubernetes cluster WASBS storage container name to store ilum tables"ilum-tables"
kubernetes.wasbs.dataContainer.sasTokendefault kubernetes cluster WASBS storage container sas token to store ilum tables""
hdfs kubernetes storage parameters
NameDescriptionValue
kubernetes.hdfs.hadoopUsernamedefault kubernetes cluster HDFS storage hadoop username""
kubernetes.hdfs.configdefault kubernetes cluster HDFS storage dict of config files with name as key and base64 encoded content as value""
kubernetes.hdfs.sparkCatalogdefault kubernetes cluster HDFS storage catalog to store spark resources"ilum-files"
kubernetes.hdfs.dataCatalogdefault kubernetes cluster HDFS storage catalog to store ilum-tables"ilum-tables"
kubernetes.hdfs.keyTabdefault kubernetes cluster HDFS storage keytab file base64 encoded content""
kubernetes.hdfs.principaldefault kubernetes cluster HDFS storage principal name""
kubernetes.hdfs.krb5default kubernetes cluster HDFS storage krb5 file base64 encoded content""
kubernetes.hdfs.trustStoredefault kubernetes cluster HDFS storage trustStore file base64 encoded content""
kubernetes.hdfs.logDirectorydefault kubernetes cluster HDFS storage directory absolute path to store eventLog for history server""

Important! Make sure S3/GCS buckets or WASBS containers are already created and reachable!

2. Added spark history server to ilum-core helm chart

Feature

Spark history server can be deployed from now on along with ilum-core. History server config is being passed to every spark job ilum runs. History server UI can now be accesesed by ilum UI. If enabled it will use default kubernetes cluster storage configured with kubernetes.[STORAGE_TYPE].[PARAMETER] values as eventLog storage.

Values added - ilum-core

history server parameters
NameDescriptionValue
historyServer.enabledspark history server flagtrue
historyServer.imagespark history server imageilum/spark-launcher:spark-3.5.3
historyServer.addressspark history server addresshttp://ilum-history-server:9666
historyServer.pullPolicyspark history server image pull policyIfNotPresent
historyServer.imagePullSecretsspark history server image pull secrets[]
historyServer.parametersspark history server custom spark parameters[]
historyServer.resourcesspark history server pod resources
limits:
memory: "500Mi"
requests:
memory: "300Mi"
historyServer.service.typespark history server service typeClusterIP
historyServer.service.portspark history server service port9666
historyServer.service.nodePortspark history server service nodePort""
historyServer.service.clusterIPspark history server service clusterIP""
historyServer.service.loadBalancerIPspark history server service loadbalancerIP""
historyServer.ingress.enabledspark history server ingress flagfalse
historyServer.ingress.versionspark history server ingress version"v1"
historyServer.ingress.classNamespark history server ingress className""
historyServer.ingress.hostspark history server ingress host"host"
historyServer.ingress.pathspark history server ingress path"/(.*)"
historyServer.ingress.pathTypespark history server ingress pathTypePrefix
historyServer.ingress.annotationsspark history server annotationsnginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/proxy-body-size: "600m"
nginx.org/client-max-body-size: "600m"

Warnings

  1. Make sure HDFS logDirectory (helm value kubernetes.hdfs.logDirectory) is absolute path of configured sparkCatalog with /ilum/logs suffix! Eg for kubernetes.hdfs.sparkCatalog=spark-catalog put hdfs://name-node/user/username/spark-catalog/ilum/logs

3. Job retention in ilum-core chart

Feature

Ilum jobs will be deleted after the configured retention period expires

Values added - ilum-core

job retention parameters
NameDescriptionValue
job.retain.hoursspark jobs retention hours limit168