Storage Configuration
Output Organizer uses configurable storage for documents uploaded via the file browser or drag-and-drop import. The default configuration stores uploads on the local container filesystem, which is only suitable for single-instance deployments.
Storage configuration is required when the Organizer runs with more than one replica. For scaling context, see Scaling.
S3-Compatible Object Storage
For multi-instance deployments, S3 is the recommended storage backend. Any S3-compatible service works — including AWS S3, MinIO, or Azure Blob Storage with an S3 gateway.
Enable S3 storage by setting organizer.storage.s3.enabled: true. This replaces the local filesystem as the upload storage target.
Credentials
S3 credentials are passed as a Kubernetes secret. See the Sealed Secrets section of the deployment reference for the required secret keys.
| Secret name | Key | Description |
|---|---|---|
| s3-secret | s3-bucket | Name of the S3 bucket |
| s3-secret | s3-endpoint | S3 endpoint URL |
| s3-secret | s3-access-key | S3 access key |
| s3-secret | s3-secret-key | S3 secret key |
You can either let the chart create the secret from values, or reference an existing secret:
```yaml
secrets:
  s3:
    # Option 1 – provide credentials directly (plain or sealed)
    bucket: "my-bucket"
    endpoint: "https://s3.eu-central-1.amazonaws.com"
    accessKey: "AKIAIOSFODNN7EXAMPLE"
    secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    # Option 2 – reference an existing Kubernetes secret
    existingSecret: "s3-secret"
```
Basic S3 Configuration
| Parameter | Description | Default |
|---|---|---|
| organizer.storage.s3.enabled | Enable S3 as the storage backend. | false |
| organizer.storage.s3.signingRegion | AWS region used for request signing (e.g. eu-central-1). | "" |
| organizer.storage.s3.checksumValidationEnabled | Enable S3 checksum validation on uploads and downloads. Disable if your S3-compatible provider does not support it. | true |
Example — Basic S3 with access key
```yaml
organizer:
  storage:
    s3:
      enabled: true
      signingRegion: "eu-central-1"
      checksumValidationEnabled: false # set to false for non-AWS S3 providers
secrets:
  s3:
    bucket: "my-output-bucket"
    endpoint: "https://s3.eu-central-1.amazonaws.com"
    accessKey: "AKIAIOSFODNN7EXAMPLE"
    secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
```
AWS STS-Based Authentication (IAM Role Assumption)
For AWS environments, instead of long-lived access keys you can authenticate using AWS Security Token Service (STS). The organizer will assume the specified IAM role and rotate credentials automatically.
| Parameter | Description | Default |
|---|---|---|
| organizer.storage.s3.stsEndpoint | STS endpoint URL (e.g. https://sts.eu-central-1.amazonaws.com). | "" |
| organizer.storage.s3.roleArn | ARN of the IAM role to assume. | "" |
| organizer.storage.s3.roleSessionName | Name of the STS session. | "" |
| organizer.storage.s3.durationSeconds | Lifetime of the assumed role session in seconds. | "" |
Example — S3 with STS role assumption
```yaml
organizer:
  storage:
    s3:
      enabled: true
      signingRegion: "eu-central-1"
      stsEndpoint: "https://sts.eu-central-1.amazonaws.com"
      roleArn: "arn:aws:iam::123456789012:role/my-output-role"
      roleSessionName: "my-output-role"
      durationSeconds: 1200
```
When using STS-based auth, the secrets.s3 access key and secret key are still required as the initial credentials used to perform the role assumption.
Advanced Connection Options
For non-AWS S3-compatible providers or specific network requirements, additional connection parameters can be set under organizer.storage.s3.connection.
| Parameter | Description | Default |
|---|---|---|
| organizer.storage.s3.connection.signingRegion | Override the signing region at the connection level. | "" |
| organizer.storage.s3.connection.checksumValidationEnabled | Override checksum validation at the connection level. | true |
| organizer.storage.s3.connection.client_configuration.protocol | Transfer protocol: HTTP or HTTPS. | HTTPS |
| organizer.storage.s3.connection.client_configuration.use_expect_continue | Enable or disable the HTTP Expect: 100-continue header. Disable for providers that do not support it. | true |
Example — MinIO or other non-AWS provider
```yaml
organizer:
  storage:
    s3:
      enabled: true
      connection:
        signingRegion: "de-south-holzgerlingen"
        checksumValidationEnabled: false
        client_configuration:
          protocol: HTTPS
          use_expect_continue: false
```
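A values file can be checked before deployment for the settings on this page that weaken transport security, integrity checking or credential handling. The following is an added example, not part of the chart or its documentation: `lint_storage`, the finding codes and the sample values are constructed, the values are assumed to be already parsed into a dict by a YAML parser, and the 900 to 43200 second window is the AWS AssumeRole limit rather than a chart rule.

```python
def dig(node, path, default=None):
    """Walk a dotted path through nested dicts; default if a key is missing."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint_storage(values):
    """Return (code, message) findings for the S3 settings of a parsed values file."""
    s3 = dig(values, "organizer.storage.s3") or {}
    if not s3.get("enabled"):
        return []
    creds = dig(values, "secrets.s3") or {}
    conn = s3.get("connection") or {}
    out = []
    if creds.get("secretKey"):  # sealed and plain values look alike here: flag for review
        out.append(("INLINE_SECRET", "secretKey is set in values; prefer existingSecret"))
    for name, url in (("endpoint", creds.get("endpoint")), ("stsEndpoint", s3.get("stsEndpoint"))):
        if str(url or "").lower().startswith("http://"):
            out.append(("CLEARTEXT_URL", f"{name} is not HTTPS"))
    if str(dig(conn, "client_configuration.protocol", "HTTPS")).upper() == "HTTP":
        out.append(("CLEARTEXT_PROTOCOL", "client_configuration.protocol is HTTP"))
    if any(c.get("checksumValidationEnabled") is False for c in (s3, conn)):
        out.append(("CHECKSUM_OFF", "checksum validation disabled; confirm the provider lacks it"))
    if s3.get("roleArn"):
        # AWS AssumeRole accepts 900 s up to the role's maximum (at most 43200 s).
        if isinstance(d := s3.get("durationSeconds"), int) and not 900 <= d <= 43200:
            out.append(("STS_DURATION", f"durationSeconds={d} is outside 900..43200"))
    elif "amazonaws.com" in str(creds.get("endpoint") or ""):
        out.append(("STATIC_KEYS", "AWS endpoint without roleArn: long-lived keys are used"))
    return out

# Constructed sample input, not taken from a real deployment.
WEAK = {
    "organizer": {"storage": {"s3": {"enabled": True, "connection": {
        "checksumValidationEnabled": False,
        "client_configuration": {"protocol": "HTTP"}}}}},
    "secrets": {"s3": {"endpoint": "http://minio.example.internal:9000",
                       "secretKey": "CONSTRUCTED-NOT-A-KEY"}},
}
HARDENED = {
    "organizer": {"storage": {"s3": {"enabled": True, "durationSeconds": 1200,
        "stsEndpoint": "https://sts.eu-central-1.amazonaws.com",
        "roleArn": "arn:aws:iam::123456789012:role/my-output-role"}}},
    "secrets": {"s3": {"existingSecret": "s3-secret"}},
}

if __name__ == "__main__":
    print(lint_storage(WEAK), lint_storage(HARDENED))
```

A `CHECKSUM_OFF` finding is expected for providers that do not support checksum validation; the point of the finding is that the setting was chosen deliberately.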
PVC-based Storage solution
Disclaimer: this solution is only recommended if the S3-based solution does not work for you.
PVC (Persistent Volume Claim) is a Kubernetes resource that allows you to request a persistent volume from the cluster.
The PVC can be configured in a multitude of ways. The storage used has to fulfil the requirements listed below:
- The PVC must be bound to a PV (Persistent Volume).
- The PV and PVC must be created and maintained externally. (It is not part of the Organizer chart.)
- The PV must have enough storage capacity to store the data.
- The PV must be persistent.
- The PVC must be accessible to the Organizer pod.
- The PVC must have a shared storage type, so it can be accessed by multiple pods.
Sufficient space is required so that all file uploads and export results can be saved. Data deletion has to be done manually; deleting files older than a predefined timeframe is recommended.
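The age-based cleanup recommended above can be scripted, for example from a scheduled job that mounts the same PVC. This is an added example, not part of the Organizer chart: `prune_old_files`, the 30-day window and the sample files are assumptions, and file modification time is assumed to approximate upload or export time.

```python
import os
import stat
import tempfile
import time

def prune_old_files(root, max_age_days, now=None, dry_run=True):
    """Select regular files under root whose mtime is older than max_age_days.

    Files are deleted only when dry_run is False; the selected paths are returned.
    """
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    selected = []
    # followlinks=False keeps the walk inside the mounted volume.
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Only plain files: never act on symlinks or special files.
                if not stat.S_ISREG(st.st_mode) or st.st_mtime >= cutoff:
                    continue
                if not dry_run:
                    os.unlink(path)
            except FileNotFoundError:
                continue  # another replica or cleanup job removed it first
            selected.append(path)
    return sorted(selected)

def demo():
    """Run against a constructed directory tree; returns (deleted names, remaining names)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        for name, age_days in (("old.pdf", 45), ("recent.pdf", 2)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample")
            os.utime(path, (now - age_days * 86400,) * 2)
        os.symlink(os.path.join(root, "old.pdf"), os.path.join(root, "link.pdf"))
        deleted = prune_old_files(root, max_age_days=30, now=now, dry_run=False)
        return [os.path.basename(p) for p in deleted], sorted(os.listdir(root))

if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` (the default) against the mount path first and review the returned list before enabling deletion.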
Configuration
Here is the necessary configuration for the PVC-based storage solution:
| Parameter | Description | Default |
|---|---|---|
| organizer.storage.pvc.name | Name of the existing PVC. | "" |
| organizer.storage.directory | Mount path in the pod. | /home/nonroot/data |
Example — PVC configuration
organizer:
storage:
directory: "/home/nonroot/data" # mount path in the pod
pvc:
name: "shared-pvc"
s3:
enabled: false
ehcache:
enabled: false