NVIDIA · vvnpn-nv · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Apr 1, 2026
@@ -35,6 +35,9 @@ spec:
         {{- end }}
       annotations:
         checksum/envoy-config: {{ .Values.sidecars.envoy | toYaml | sha256sum }}
+        {{- if .Values.services.dynamicConfig.enabled }}
+        checksum/dynamic-config: {{ .Values.services.dynamicConfig | toYaml | sha256sum }}
+        {{- end }}
         {{- include "osmo.extra-annotations" .Values.services.service | nindent 8 }}
     spec:
       {{- with .Values.services.service.hostAliases }}
@@ -149,6 +152,10 @@ spec:
         - --default_admin_username
         - {{ .Values.services.defaultAdmin.username | quote }}
         {{- end }}
+        {{- if .Values.services.dynamicConfig.enabled }}
+        - --dynamic_config_file
+        - /etc/osmo/dynamic-config/config.yaml
+        {{- end }}
         {{- range $arg := .Values.services.service.extraArgs }}
         - {{ $arg | quote }}
         {{- end }}
@@ -192,14 +199,36 @@ spec:
         ports:
         - name: metrics
           containerPort: 9464
-        {{- if or .Values.services.configFile.enabled .Values.global.logs.enabled .Values.services.service.extraVolumeMounts }}
+        {{- if or .Values.services.configFile.enabled .Values.global.logs.enabled .Values.services.dynamicConfig.enabled .Values.services.service.extraVolumeMounts }}
         volumeMounts:
         {{- end }}
         {{- if .Values.services.configFile.enabled}}
         - mountPath: {{ .Values.services.configFile.path }}
           name: mek-volume
           subPath: mek.yaml
         {{- end }}
+        {{- if .Values.services.dynamicConfig.enabled }}
+        - name: dynamic-config
+          mountPath: /etc/osmo/dynamic-config
+          readOnly: true
+        {{- range $name, $data := .Values.services.dynamicConfig.secrets }}
+        - name: dynamic-secret-{{ $name }}
+          mountPath: /etc/osmo/secrets/{{ $name }}.yaml
+          subPath: {{ $name }}.yaml
+          readOnly: true
+        {{- end }}
+        {{- if .Values.services.dynamicConfig.dataset }}
+        {{- range $bucketName, $bucketConfig := .Values.services.dynamicConfig.dataset.config.buckets }}
+        {{- if and (kindIs "map" $bucketConfig) $bucketConfig.default_credential }}
+        {{- if $bucketConfig.default_credential.credentialSecretName }}
+        - name: {{ $bucketConfig.default_credential.credentialSecretName }}
+          mountPath: /etc/osmo/secrets/{{ $bucketConfig.default_credential.credentialSecretName }}
+          readOnly: true
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.global.logs.enabled }}
         - name: logs
           mountPath: /logs
@@ -262,6 +291,28 @@ spec:
             name: mek-config
           name: mek-volume
         {{- end}}
+        {{- if .Values.services.dynamicConfig.enabled }}
+        - name: dynamic-config
+          configMap:
+            name: {{ .Values.services.service.serviceName }}-dynamic-config
+        {{- range $name, $data := .Values.services.dynamicConfig.secrets }}
+        - name: dynamic-secret-{{ $name }}
+          secret:
+            secretName: {{ $.Values.services.service.serviceName }}-dynamic-secret-{{ $name }}
+        {{- end }}
+        {{- if .Values.services.dynamicConfig.dataset }}
+        {{- range $bucketName, $bucketConfig := .Values.services.dynamicConfig.dataset.config.buckets }}
+        {{- if and (kindIs "map" $bucketConfig) $bucketConfig.default_credential }}
+        {{- if $bucketConfig.default_credential.credentialSecretName }}
+        - name: {{ $bucketConfig.default_credential.credentialSecretName }}
+          secret:
+            secretName: {{ $bucketConfig.default_credential.credentialSecretName }}
+            optional: true
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
 ---
 {{- if .Values.sidecars.envoy.enabled }}
 

@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+{{- if and .Values.services.dynamicConfig.enabled .Values.services.dynamicConfig.secrets }}
+{{- range $name, $data := .Values.services.dynamicConfig.secrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Values.services.service.serviceName }}-dynamic-secret-{{ $name }}
+  labels:
+    app: {{ $.Values.services.service.serviceName }}
+type: Opaque
+stringData:
+  {{ $name }}.yaml: |
+    {{- toYaml $data | nindent 4 }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,79 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+{{- if .Values.services.dynamicConfig.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.services.service.serviceName }}-dynamic-config
+  labels:
+    app: {{ .Values.services.service.serviceName }}
+data:
+  config.yaml: |
+    managed_configs:
+      {{- $dc := .Values.services.dynamicConfig }}
+      {{- if $dc.service }}
+      service:
+        {{- toYaml $dc.service | nindent 8 }}
+      {{- end }}
+      {{- if $dc.workflow }}
+      workflow:
+        {{- toYaml $dc.workflow | nindent 8 }}
+      {{- end }}
+      {{- if $dc.dataset }}
+      dataset:
+        {{- $dataset := deepCopy $dc.dataset }}
+        {{- if $dataset.config }}
+        {{- range $bucketName, $bucketConfig := $dataset.config.buckets }}
+        {{- if and (kindIs "map" $bucketConfig) $bucketConfig.default_credential }}
+        {{- if $bucketConfig.default_credential.credentialSecretName }}
+        {{- $secretName := $bucketConfig.default_credential.credentialSecretName }}
+        {{- $_ := set $bucketConfig.default_credential "secret_file" (printf "/etc/osmo/secrets/%s/cred.yaml" $secretName) }}
+        {{- $_ := unset $bucketConfig.default_credential "credentialSecretName" }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- toYaml $dataset | nindent 8 }}
+      {{- end }}
+      {{- if $dc.pools }}
+      pools:
+        {{- toYaml $dc.pools | nindent 8 }}
+      {{- end }}
+      {{- if $dc.podTemplates }}
+      pod_templates:
+        {{- toYaml $dc.podTemplates | nindent 8 }}
+      {{- end }}
+      {{- if $dc.resourceValidations }}
+      resource_validations:
+        {{- toYaml $dc.resourceValidations | nindent 8 }}
+      {{- end }}
+      {{- if $dc.backends }}
+      backends:
+        {{- toYaml $dc.backends | nindent 8 }}
+      {{- end }}
+      {{- if $dc.backendTests }}
+      backend_tests:
+        {{- toYaml $dc.backendTests | nindent 8 }}
+      {{- end }}
+      {{- if $dc.groupTemplates }}
+      group_templates:
+        {{- toYaml $dc.groupTemplates | nindent 8 }}
+      {{- end }}
+      {{- if $dc.roles }}
+      roles:
+        {{- toYaml $dc.roles | nindent 8 }}
+      {{- end }}
+{{- end }}
@@ -229,6 +229,61 @@ services:
     ##
     passwordSecretKey: password
 
+  ## Dynamic configuration loaded from ConfigMap on service startup
+  ## When enabled, renders a ConfigMap with all config types and mounts it into the API service.
+  ## The service reads the file on startup and applies configs to the database.
+  ##
+  ## managed_by modes:
+  ##   seed: Only apply if config doesn't exist in DB (default). CLI changes are preserved.
+  ##   configmap: Always overwrite DB from ConfigMap on startup. CLI changes are ephemeral.
+  ##
+  dynamicConfig:
+    ## Enable dynamic configuration loading from ConfigMap
+    ##
+    enabled: false
+
+    ## Per-type configuration sections. Each section supports managed_by and config/items.
+    ## Example:
+    ##   service:
+    ##     managed_by: seed
+    ##     config:
+    ##       service_base_url: "https://osmo.example.com"
+    ##
+    ## Dataset buckets support credentialSecretName to simplify secret wiring.
+    ## Instead of manually adding extraVolumes/extraVolumeMounts, just specify
+    ## the K8s Secret name and the chart auto-generates volume + mount:
+    ##   dataset:
+    ##     config:
+    ##       buckets:
+    ##         my-bucket:
+    ##           dataset_path: "s3://my-bucket"
+    ##           default_credential:
+    ##             credentialSecretName: my-secret-name
+    ## The Secret should contain a cred.yaml key with access_key_id and access_key fields.
+    ##
+    service: {}
+    workflow: {}
+    dataset: {}
+    pools: {}
+    podTemplates: {}
+    resourceValidations: {}
+    backends: {}
+    backendTests: {}
+    groupTemplates: {}
+    roles: {}
+
+    ## Secret credential files mounted from K8s Secrets.
+    ## Each entry creates a K8s Secret + volume mount at /etc/osmo/secrets/<name>.yaml
+    ## Used by dataset bucket default_credential.secret_file references.
+    ##
+    ## Example:
+    ##   secrets:
+    ##     bucket-primary-cred:
+    ##       access_key_id: "AKIA..."
+    ##       access_key: "wJalrXUtn..."
+    ##
+    secrets: {}
+
   ## Redis cache service configuration
   ## Set enabled to false if using an external Redis deployment
   ##