You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(storage)!: migrate engine storage config to schema (FB-1684) (#25)
# Description
Migrate `firebolt-instance-helm` to the **FB-1684** managed-table
storage schema
(no backward compatibility — the chart ships version-matched with the
engine):
- `helm/values-dev.yaml` — floci dev config → `managed_table_storage:
s3` +
`managed_table_bucket_name` + `aws.endpoint` (+ `path_style_addressing:
true`);
drops `type: minio`/`api_scheme`/`bucket_name`/`minio`.
- `helm/templates/engine-statefulset.yaml` + `helm/values.yaml` — add
`engineSpec.extraEnv` / `extraEnvFrom`. The FB-1684 schema no longer
hardcodes
credentials for S3-compatible stores, so callers inject
`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` via env (from a Secret in
production; `values-dev` sets `firebolt`/`firebolt` for zero-auth
floci).
- Docs migrate to the new schema, and a new **S3-compatible** page
documents
Nebius and CoreWeave (`path_style_addressing` is a non-AWS setting).
## ⚠️ Breaking — version-matched with the engine
`customEngineConfig.storage` now uses the FB-1684 schema, which a
**post-FB-1684
engine** (packdb #23716) requires. Like the operator, the chart is
released
version-matched with the engine (`appVersion`), so this is the release
boundary,
not an in-place break. `make dev` needs a post-FB-1684 `:dev` image.
# Issue
FB-1684
# How Has This Been Tested?
- `helm template -f helm/values-dev.yaml` renders the new-schema
`customEngineConfig.storage` and the engine `AWS_*` env from `extraEnv`.
- `helm lint` (default + dev overlay): 0 failures.
# Other comments to the reviewer
- `path_style_addressing` applies only to a custom (non-AWS) endpoint;
it is ignored for AWS S3.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Breaking storage values affect every install at upgrade and
misconfigured env/endpoint can block engines from becoming Ready;
changes are mostly config/docs with a small, additive Helm template
surface.
>
> **Overview**
> **Breaking release** aligned with post-FB-1684 engines:
`customEngineConfig.storage` must use `managed_table_storage`,
`managed_table_bucket_name`, and per-cloud `aws` / `gcp` / `azure`
blocks. Legacy `type`, `api_scheme`, `bucket_name`, and `minio` /
`azurite` shapes are documented as rejected at engine startup.
>
> The chart adds **`engineSpec.extraEnv` and `engineSpec.extraEnvFrom`**
on the engine StatefulSet so S3-compatible stores get
`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` from env or Secrets
instead of chart-hardcoded creds. **`values-dev`** and the
**quickstart** move floci to the new schema plus placeholder AWS env
vars.
>
> Documentation is rewritten across S3, GCS, and ABS guides, adds a
dedicated **S3-compatible** page (Nebius, CoreWeave,
`path_style_addressing`), updates **security** for credential injection,
and registers the new doc route in **docs.json** / **known_pages.json**.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
003d79d. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Copy file name to clipboardExpand all lines: docs/quickstart.mdx
+12-5Lines changed: 12 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -70,17 +70,24 @@ floci stores data in the pod's ephemeral filesystem and validates no credentials
70
70
71
71
## Configure the engine
72
72
73
-
Create a values file that points the engine's storage at the floci endpoint. The `type: minio` mode signs requests for an S3-compatible endpoint, and `bucket_name` matches the bucket floci created.
73
+
Create a values file that points the engine's storage at the floci endpoint. `managed_table_storage: s3` with `aws.endpoint` targets floci, and `managed_table_bucket_name` matches the bucket floci created. floci is zero-auth, so any AWS credentials work (set via `engineSpec.extraEnv`).
path_style_addressing: true # non-AWS S3-compatible store; ignored for AWS S3
84
91
```
85
92
86
93
This is the only value the local install needs. The chart's defaults provide one engine named `default`, the Envoy gateway, the Metadata Service, and a bundled PostgreSQL.
- Google Cloud: [Workload Identity Federation for GKE](./usage/object-storage/google-cloud-storage#grant-the-engine-a-google-identity).
103
103
104
-
The chart never sees those cloud provider credentials. For S3-compatible endpoints that use the `minio` storage type, the endpoint must accept the credentials expected by the engine mode documented in [Amazon S3](./usage/object-storage/amazon-s3#use-an-s3-compatible-endpoint).
104
+
The chart never sees those cloud provider credentials. For an S3-compatible endpoint (`managed_table_storage: s3` with `aws.endpoint`), the engine authenticates with the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` you inject via `engineSpec.extraEnv` (from a Secret in production); see [S3-compatible storage](./usage/object-storage/s3-compatible).
Copy file name to clipboardExpand all lines: docs/usage/object-storage/amazon-s3.mdx
+20-18Lines changed: 20 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,13 +4,17 @@ sidebarTitle: Amazon S3
4
4
title: Amazon S3
5
5
---
6
6
7
+
<Warning>
8
+
**Breaking change.** Managed-table storage now uses `managed_table_storage` and `managed_table_bucket_name` with a per-cloud `storage.aws` / `gcp` / `azure` block. The former keys — `type`, `api_scheme`, `bucket_name`, and the `minio` / `azurite` types — are removed and are rejected by the engine at startup. This schema requires a recent engine image; keep the chart and engine on matching versions.
9
+
</Warning>
10
+
7
11
This page configures Amazon S3 or an S3-compatible endpoint as engine object storage.
8
12
9
13
Every engine needs object storage for managed table data. The chart does not support local-filesystem storage for engines, so an engine pod never becomes Ready until `customEngineConfig.storage` points at object storage.
10
14
11
15
With object storage as the backing store, durability does not depend on the per-pod data volumes mounted to each engine. Even a complete loss of those volumes does not cause data loss, because the authoritative copy of managed table data lives in the object store.
12
16
13
-
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `type`, `api_scheme`, and `bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads AWS credentials from the pod's workload identity, which you configure through [AWS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [AWS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
17
+
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `managed_table_storage`and `managed_table_bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads AWS credentials from the pod's workload identity, which you configure through [AWS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [AWS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
14
18
15
19
## Prerequisites
16
20
@@ -98,9 +102,8 @@ engineSpec:
98
102
99
103
customEngineConfig:
100
104
storage:
101
-
type: s3
102
-
api_scheme: "s3://"
103
-
bucket_name: firebolt-managed
105
+
managed_table_storage: s3
106
+
managed_table_bucket_name: firebolt-managed
104
107
```
105
108
106
109
Create the ServiceAccount, then install the chart with the matching values:
To set the AWS region explicitly, add `region`to the storage block. The EKS identity webhook usually injects the region automatically.
121
+
To set the AWS region explicitly, add `region`under `aws`. The EKS identity webhook usually injects the region automatically.
119
122
120
123
```yaml
121
124
customEngineConfig:
122
125
storage:
123
-
type: s3
124
-
api_scheme: "s3://"
125
-
bucket_name: firebolt-managed
126
-
region: us-east-1
126
+
managed_table_storage: s3
127
+
managed_table_bucket_name: firebolt-managed
128
+
aws:
129
+
region: us-east-1
127
130
```
128
131
129
132
### Confirm that object storage works
@@ -150,16 +153,16 @@ New prefixes appear under the bucket as the engine writes data.
150
153
151
154
## Use an S3-compatible endpoint
152
155
153
-
For any S3-compatible endpoint reachable from the engine pods, such as self-hosted MinIO, Ceph RGW, or an in-cluster S3 emulator, use `type: minio`. The engine signs requests with the access key and secret key `firebolt` in this mode, so the endpoint must accept those credentials.
156
+
For any S3-compatible endpoint reachable from the engine pods, such as self-hosted MinIO, Ceph RGW, or a managed store like Nebius or CoreWeave, set `managed_table_storage: s3` and point `aws.endpoint` at the store. Supply credentials through the engine environment (`engineSpec.extraEnv` / `extraEnvFrom`); a zero-auth emulator accepts any values. See [S3-compatible storage](./s3-compatible) for Nebius and CoreWeave.
Copy file name to clipboardExpand all lines: docs/usage/object-storage/azure-blob-storage.mdx
+8-10Lines changed: 8 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,10 +10,10 @@ Every engine needs object storage for managed table data. The chart does not sup
10
10
11
11
With Azure Blob Storage as the backing store, durability does not depend on the per-pod data volumes mounted to each engine. Even a complete loss of those volumes does not cause data loss, because the authoritative copy of managed table data lives in object storage.
12
12
13
-
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `type`, `api_scheme`, and `bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads Azure credentials from the pod's Azure identity, which you provide with [Microsoft Entra Workload ID](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview).
13
+
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `managed_table_storage`and `managed_table_bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads Azure credentials from the pod's Azure identity, which you provide with [Microsoft Entra Workload ID](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview).
14
14
15
15
<Note>
16
-
The chart passes `customEngineConfig.storage` through unchanged and does not validate the `type`. The `abs` backend requires an engine image that supports it. An unsupported `type` is written verbatim into the engine `config.yaml`, so the engine fails at startup rather than at install time.
16
+
The chart passes `customEngineConfig.storage` through unchanged and does not validate `managed_table_storage`. The `abs` backend requires an engine image that supports it. An unsupported value is written verbatim into the engine `config.yaml`, so the engine fails at startup rather than at install time.
17
17
</Note>
18
18
19
19
## Prerequisites
@@ -117,7 +117,7 @@ metadata:
117
117
118
118
### Point the chart at the container
119
119
120
-
Run the engine pods under the annotated ServiceAccount, label them so Workload ID injects credentials, and set the storage block to the container. The default scheme for `abs` is `azure://`, `bucket_name` is the container name, and `azure.storage_account_name` is the storage account that holds it.
120
+
Run the engine pods under the annotated ServiceAccount, label them so Workload ID injects credentials, and set the storage block to the container. `managed_table_bucket_name` is the container name, and `azure.storage_account_name` is the storage account that holds it.
121
121
122
122
```yaml
123
123
# my-values.yaml
@@ -132,9 +132,8 @@ engines:
132
132
133
133
customEngineConfig:
134
134
storage:
135
-
type: abs
136
-
api_scheme: "azure://"
137
-
bucket_name: firebolt-managed
135
+
managed_table_storage: abs
136
+
managed_table_bucket_name: firebolt-managed
138
137
azure:
139
138
storage_account_name: fireboltenginedemo
140
139
```
@@ -192,15 +191,14 @@ Set its application client ID under `customEngineConfig.storage.azure.intermedia
Copy file name to clipboardExpand all lines: docs/usage/object-storage/google-cloud-storage.mdx
+7-9Lines changed: 7 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,10 +10,10 @@ Every engine needs object storage for managed table data. The chart does not sup
10
10
11
11
With Google Cloud Storage as the backing store, durability does not depend on the per-pod data volumes mounted to each engine. Even a complete loss of those volumes does not cause data loss, because the authoritative copy of managed table data lives in the bucket.
12
12
13
-
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `type`, `api_scheme`, and `bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads Google Cloud credentials from the pod's Google identity, which you provide with [Workload Identity Federation for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
13
+
You configure object storage on the engine through `customEngineConfig.storage`, which the chart passes through unchanged into the engine's `config.yaml`. The `managed_table_storage`and `managed_table_bucket_name` keys match the Firebolt Core configuration schema, and the chart does not validate them. The engine reads Google Cloud credentials from the pod's Google identity, which you provide with [Workload Identity Federation for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
14
14
15
15
<Note>
16
-
The chart passes `customEngineConfig.storage` through unchanged and does not validate the `type`. The `gcs` backend requires an engine image that supports it. An unsupported `type` is written verbatim into the engine `config.yaml`, so the engine fails at startup rather than at install time.
16
+
The chart passes `customEngineConfig.storage` through unchanged and does not validate `managed_table_storage`. The `gcs` backend requires an engine image that supports it. An unsupported value is written verbatim into the engine `config.yaml`, so the engine fails at startup rather than at install time.
17
17
</Note>
18
18
19
19
## Prerequisites
@@ -99,9 +99,8 @@ engineSpec:
99
99
100
100
customEngineConfig:
101
101
storage:
102
-
type: gcs
103
-
api_scheme: "gs://"
104
-
bucket_name: firebolt-managed
102
+
managed_table_storage: gcs
103
+
managed_table_bucket_name: firebolt-managed
105
104
```
106
105
107
106
Create the ServiceAccount, then install the chart with the matching values:
@@ -153,14 +152,13 @@ Set its ID under `customEngineConfig.storage.gcp.intermediary_service_account_id
description: Back Firebolt engines with a non-AWS S3-compatible object store (Nebius, CoreWeave, MinIO) using firebolt-instance-helm.
4
+
sidebarTitle: S3-compatible
5
+
---
6
+
7
+
<Warning>
8
+
**Breaking change.** Managed-table storage now uses `managed_table_storage` and `managed_table_bucket_name` with a per-cloud `storage.aws` / `gcp` / `azure` block. The former keys — `type`, `api_scheme`, `bucket_name`, and the `minio` / `azurite` types — are removed and are rejected by the engine at startup. This schema requires a recent engine image; keep the chart and engine on matching versions.
9
+
</Warning>
10
+
11
+
Besides Amazon S3, the engine can use any **S3-compatible** object store — for example [Nebius](https://nebius.com/) Object Storage, [CoreWeave](https://www.coreweave.com/) Object Storage, or a self-hosted [MinIO](https://min.io/). You point the engine at the store's endpoint and supply credentials through the engine container environment.
12
+
13
+
## How it differs from Amazon S3
14
+
15
+
For [Amazon S3](./amazon-s3) you set only `managed_table_storage` and `managed_table_bucket_name`, and credentials come from the pod's AWS identity (IRSA / Pod Identity). For an S3-compatible store you additionally set, under `storage.aws`:
16
+
17
+
-`endpoint` — the store's S3 API endpoint (`https://…`).
18
+
-`path_style_addressing` — the addressing style. **This applies only to a custom (non-AWS) endpoint; it is ignored for Amazon S3.**
19
+
-`true` (path-style, `endpoint/bucket/key`) — the default. Used by MinIO and Nebius.
20
+
-`false` (virtual-hosted, `bucket.endpoint/key`) — required by providers that support virtual-hosted addressing only, such as CoreWeave.
21
+
-`verify_ssl` — set to `false` only for a store with a self-signed certificate or plain HTTP.
22
+
23
+
Credentials are read from the AWS SDK environment chain. Inject `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` into the engine container with `engineSpec.extraEnv` (or `engineSpec.extraEnvFrom` to pull them from a `Secret`).
24
+
25
+
## Nebius Object Storage
26
+
27
+
Nebius exposes an S3 API at `https://storage.<region>.nebius.cloud` and supports path-style addressing (the default).
28
+
29
+
Create a `Secret` from a Nebius static access key:
path_style_addressing: true # non-AWS S3-compatible store; ignored for AWS S3
51
+
```
52
+
53
+
## CoreWeave Object Storage
54
+
55
+
CoreWeave Object Storage supports virtual-hosted addressing only, so set `path_style_addressing: false`. Use the endpoint for your CoreWeave Object Storage account, and create a `Secret` (`coreweave-s3-credentials`) the same way.
path_style_addressing: false # CoreWeave supports virtual-hosted addressing only
71
+
```
72
+
73
+
## Confirm that object storage works
74
+
75
+
Install the chart with your values, wait for the engine to become `Ready`, then create a table and insert a row (see the [Quickstart](../../quickstart) for connecting to the engine). New object-storage prefixes appear under your bucket as the engine writes data — list them with your provider's CLI (`aws s3 ls s3://my-firebolt-bucket --endpoint-url <endpoint>`).
0 commit comments