# AIStor Operator RELEASE.2026-04-11T08-24-01Z

Released: 2026-04-11

This release fixes password rotation on single-server ObjectStore deployments, upgrades Go to v1.26.2 with updated gRPC dependencies, and delivers new Helm chart versions for the AIStor Operator, MinKMS Operator, and MinKMS charts with several breaking changes in the MinKMS chart.

---

## Component Versions

| Component       | Tag                                                    | Container Image                                                                            |
| --------------- | ------------------------------------------------------ | ------------------------------------------------------------------------------------------ |
| Operator        | `RELEASE.2026-04-11T08-24-01Z.operator`                | `quay.io/minio/aistor/operator:RELEASE.2026-04-11T08-24-01Z`                               |
| Migration       | `RELEASE.2026-04-11T08-24-01Z.migration`               | `quay.io/minio/aistor/operator-migration:RELEASE.2026-04-11T08-24-01Z`                     |
| MinIO Sidecar   | `RELEASE.2026-04-11T08-21-39Z.minio-sidecar`           | `quay.io/minio/aistor/minio-sidecar:RELEASE.2026-04-11T08-21-39Z`                          |
| KES Sidecar     | `RELEASE.2026-04-08T22-44-27Z.kes-sidecar`             | `quay.io/minio/aistor/kes-sidecar:RELEASE.2026-04-08T22-44-27Z`                            |
| MinKMS Sidecar  | `RELEASE.2026-04-11T08-18-20Z.minkms-sidecar`          | `quay.io/minio/aistor/minkms-sidecar:RELEASE.2026-04-11T08-18-20Z`                         |

### Container Images

```bash
# Operator
docker pull quay.io/minio/aistor/operator:RELEASE.2026-04-11T08-24-01Z
docker pull quay.io/minio/aistor/operator:RELEASE.2026-04-11T08-24-01Z.fips

# Migration
docker pull quay.io/minio/aistor/operator-migration:RELEASE.2026-04-11T08-24-01Z
docker pull quay.io/minio/aistor/operator-migration:RELEASE.2026-04-11T08-24-01Z.fips

# Sidecars
docker pull quay.io/minio/aistor/minio-sidecar:RELEASE.2026-04-11T08-21-39Z
docker pull quay.io/minio/aistor/minio-sidecar:RELEASE.2026-04-11T08-21-39Z.fips
docker pull quay.io/minio/aistor/kes-sidecar:RELEASE.2026-04-08T22-44-27Z
docker pull quay.io/minio/aistor/kes-sidecar:RELEASE.2026-04-08T22-44-27Z.fips
docker pull quay.io/minio/aistor/minkms-sidecar:RELEASE.2026-04-11T08-18-20Z
docker pull quay.io/minio/aistor/minkms-sidecar:RELEASE.2026-04-11T08-18-20Z.fips
```

### Helm Charts

```bash
# AIStor Operator
helm repo add aistor https://helm.min.io/aistor
helm upgrade --install aistor-operator aistor/aistor-operator
```

| Chart                | Version   |
| -------------------- | --------- |
| aistor-operator      | `5.6.0`   |
| minkms-operator      | `1.5.0`   |
| minkms               | `2.3.0`   |

---

## Breaking Changes

### MinKMS Helm Chart: `imagePullSecret` Renamed to `imagePullSecrets`

`minkms.imagePullSecret` (object) has been replaced by `minkms.imagePullSecrets` (array). The chart will fail with an error if the old field is used. Migrate from:

```yaml
minkms:
  imagePullSecret:
    name: my-secret
```

To:

```yaml
minkms:
  imagePullSecrets:
    - name: my-secret
```

### MinKMS Helm Chart: `affinity` No Longer Set by Default

The `minkms.affinity` field is now commented out by default instead of being set to empty objects. If you relied on the default empty affinity being set, remove it from your values or set it explicitly.

### MinKMS Operator: License Secret Removed

The `minio-license` secret is no longer created or mounted by the MinKMS Operator chart. If you previously relied on the `license` or `global.license` values to inject a license into the MinKMS operator, these values are now ignored. No action is needed unless external tooling references the `minio-license` secret.

---

## Bug Fixes

- **Operator**: Fixed password rotation for single-server ObjectStore deployments. The configuration check previously failed silently on single-server pools because the ellipsis pattern expander could not parse plain hostnames. The operator now resolves individual pod FQDNs directly, ensuring credential updates propagate correctly on all pool sizes (#1430)

---

## Improvements

- **Operator**: Upgraded Go toolchain to v1.26.2 and google.golang.org/grpc to v1.80.0, keeping the build current and resolving vulnerability scanner findings on transitive dependencies (#1440)

---

## Helm Chart Changes

All Helm charts updated in #1433.

### aistor-operator v5.6.0

Updated default component images:

| Image | Version | Previous Version |
|---|---|---|
| `aistor/operator` | `RELEASE.2026-04-02T21-08-25Z` | `RELEASE.2026-03-18T17-36-17Z` |
| `aistor/mc` | `RELEASE.2026-03-27T15-57-12Z` | `RELEASE.2026-03-12T19-18-47Z` |
| `aistor/kes-sidecar` | `RELEASE.2026-04-02T20-56-12Z` | `RELEASE.2026-03-18T11-55-01Z` |
| `aistor/minio-sidecar` | `RELEASE.2026-04-02T13-20-39Z` | `RELEASE.2026-03-18T17-20-10Z` |

### minkms-operator v1.5.0

- Removed license requirement: the MinKMS operator no longer needs a `minio-license` secret
- Updated default operator image to `RELEASE.2026-04-02T21-08-25Z`
- Updated default minkms image to `RELEASE.2026-03-27T09-51-41Z`

### minkms v2.3.0

- Added `minkms.env` field for setting custom environment variables on MinKMS pods
- Added `minkms.annotations` field for setting annotations on the MinKMS StatefulSet and Pod template
- Added `minkms.imagePullSecrets` (array) replacing the previous `minkms.imagePullSecret` (object)
- Fixed HSM configuration template to allow both MinKMS and Vault HSM backends simultaneously
- Fixed `topologySpreadConstraints` and `affinity` rendering in the MinKMS CR template
- Fixed `annotations` rendering in the HSM secret template

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-04-11T08-24-01Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-04-11T08-24-01Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-04-11T08-24-01Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-kubernetes-operator/

Platform-specific guides:

- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-kubernetes-operator/upgrade-aistor-kubernetes-helm/
- **Kubernetes with Kustomize**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-kubernetes-operator/upgrade-aistor-kubernetes-kustomize/

### Migration Notes

If using the MinKMS Helm chart, review the breaking changes above for `imagePullSecrets` and `affinity` before upgrading.

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io