diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ea53a0..ae06034 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `?mode=` query parameter to override download mode per-request (#48)
 - Added `/api/v1/project/{project}/{package}/+/{ref}/url` endpoint for getting presigned URLs (#48)
 - Added `PresignedUrlResponse` schema with URL, expiry, checksums, and artifact metadata (#48)
+- Added MinIO ingress support in Helm chart for presigned URL access (#48)
+- Added `orchard.download.mode` and `orchard.download.presignedUrlExpiry` Helm values (#48)
 - Added integrity verification workflow design document (#24)
 - Added `sha256` field to API responses for clarity (alias of `id`) (#25)
 - Added `checksum_sha1` field to artifacts table for compatibility (#25)
diff --git a/helm/orchard/templates/_helpers.tpl b/helm/orchard/templates/_helpers.tpl
index 847ed56..ba58ae7 100644
--- a/helm/orchard/templates/_helpers.tpl
+++ b/helm/orchard/templates/_helpers.tpl
@@ -97,10 +97,27 @@ password
 {{- end }}
 {{/*
-MinIO host
+MinIO internal host (for server-side operations)
+*/}}
+{{- define "orchard.minio.internalHost" -}}
+{{- if .Values.minio.enabled }}
+{{- printf "http://%s-minio:9000" .Release.Name }}
+{{- else }}
+{{- .Values.orchard.s3.endpoint }}
+{{- end }}
+{{- end }}
+
+{{/*
+MinIO host (uses external URL if ingress enabled, for presigned URLs)
 */}}
 {{- define "orchard.minio.host" -}}
-{{- if .Values.minio.enabled }}
+{{- if and .Values.minio.enabled .Values.minio.ingress.enabled .Values.minio.ingress.host }}
+{{- if .Values.minio.ingress.tls.enabled }}
+{{- printf "https://%s" .Values.minio.ingress.host }}
+{{- else }}
+{{- printf "http://%s" .Values.minio.ingress.host }}
+{{- end }}
+{{- else if .Values.minio.enabled }}
 {{- printf "http://%s-minio:9000" .Release.Name }}
 {{- else }}
 {{- .Values.orchard.s3.endpoint }}
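Review bot: The inner `{{- else }}` branch of the new `orchard.minio.host` emits `http://<ingress host>` whenever `minio.ingress.tls.enabled` is false, so presigned URLs, which carry their signature in the query string, would travel in cleartext and remain replayable until they expire. Consider refusing to render that combination, e.g. replacing the branch body with `{{- fail "minio.ingress.tls.enabled must be true when presigned URLs use the MinIO ingress" }}`, or at least marking plaintext mode as test-only in the helper comment. Separately, `orchard.minio.internalHost` is defined here but nothing in this diff references it; if the deployment's S3 endpoint still includes `orchard.minio.host`, server-side traffic would presumably start leaving through the ingress once it is enabled, so that caller likely needs to switch to the internal helper. The closing `{{- end }}` lines of `orchard.minio.host` fall outside the hunk.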
diff --git a/helm/orchard/templates/deployment.yaml b/helm/orchard/templates/deployment.yaml
index c24b6f1..3a8c97b 100644
--- a/helm/orchard/templates/deployment.yaml
+++ b/helm/orchard/templates/deployment.yaml
@@ -92,6 +92,10 @@ spec:
 secretKeyRef:
 name: {{ include "orchard.minio.secretName" . }}
 key: {{ if .Values.minio.enabled }}root-password{{ else }}{{ .Values.orchard.s3.existingSecretSecretKeyKey }}{{ end }}
+ - name: ORCHARD_DOWNLOAD_MODE
+ value: {{ .Values.orchard.download.mode | quote }}
+ - name: ORCHARD_PRESIGNED_URL_EXPIRY
+ value: {{ .Values.orchard.download.presignedUrlExpiry | quote }}
 livenessProbe:
 {{- toYaml .Values.livenessProbe | nindent 12 }}
 readinessProbe:
diff --git a/helm/orchard/templates/minio-ingress.yaml b/helm/orchard/templates/minio-ingress.yaml
new file mode 100644
index 0000000..84e40b2
--- /dev/null
+++ b/helm/orchard/templates/minio-ingress.yaml
@@ -0,0 +1,34 @@
+{{- if and .Values.minio.enabled .Values.minio.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "orchard.fullname" . }}-minio
+ labels:
+ {{- include "orchard.labels" . | nindent 4 }}
+ app.kubernetes.io/component: minio
+ {{- with .Values.minio.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.minio.ingress.className }}
+ ingressClassName: {{ .Values.minio.ingress.className }}
+ {{- end }}
+ {{- if .Values.minio.ingress.tls.enabled }}
+ tls:
+ - hosts:
+ - {{ .Values.minio.ingress.host | quote }}
+ secretName: {{ .Values.minio.ingress.tls.secretName }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.minio.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .Release.Name }}-minio
+ port:
+ number: 9000
+{{- end }}
diff --git a/helm/orchard/values.yaml b/helm/orchard/values.yaml
index 1565be3..abfc2e0 100644
--- a/helm/orchard/values.yaml
+++ b/helm/orchard/values.yaml
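Review bot: Directly above the two new variables the secret key resolves to `root-password` whenever `minio.enabled` is set, so in presigned mode the URLs handed to clients are presumably signed with the MinIO root account, and this same change makes that MinIO reachable through an ingress. A bucket-scoped access key for Orchard would limit what a leaked credential can do against the now-public endpoint. At minimum I would add a comment here such as `# presigned mode signs download URLs with the S3 credentials above; prefer a bucket-scoped key over the MinIO root user when minio.ingress.enabled is true`. The container's `env:` list starts outside this hunk.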
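Review bot: The guard on the first line of `minio-ingress.yaml` checks only `minio.enabled` and `minio.ingress.enabled`, while `values.yaml` defaults `minio.ingress.host` to `""`, so enabling the ingress without setting a host renders `host: ""` in both the rule and the TLS entry. A rule with an empty host is treated as matching every hostname that reaches the controller, which would publish the MinIO S3 API at `/` far more widely than intended. Make the value mandatory, e.g. `- host: {{ required "minio.ingress.host is required when minio.ingress.enabled is true" .Values.minio.ingress.host | quote }}`, and use the same expression under `tls.hosts`. Note also that `orchard.minio.host` does test for a non-empty host, so in that misconfiguration the helper and this template disagree about whether the ingress is in use.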
@@ -115,6 +115,11 @@ orchard:
 existingSecretAccessKeyKey: "access-key-id"
 existingSecretSecretKeyKey: "secret-access-key"
+ # Download configuration
+ download:
+ mode: "presigned" # presigned, redirect, or proxy
+ presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
+
 # PostgreSQL subchart configuration
 postgresql:
 enabled: true
@@ -147,6 +152,17 @@ minio:
 persistence:
 enabled: false
 size: 50Gi
+ # MinIO ingress for presigned URL access
+ ingress:
+ enabled: false
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0" # Disable body size limit for uploads
+ host: "" # e.g., minio.your-domain.com
+ tls:
+ enabled: true
+ secretName: minio-tls
 # Redis subchart configuration (for future caching)
 redis:
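Review bot: `mode: "presigned"` is the default in the first hunk while `minio.ingress.enabled` defaults to `false` in the second, and with the ingress off `orchard.minio.host` resolves to the cluster-internal `http://<release>-minio:9000`. If presigned URLs are built from that endpoint, a default install would hand clients links they cannot reach from outside the cluster. Either default to `proxy`, or state the dependency next to the value, e.g. `mode: "presigned"  # presigned, redirect, or proxy; presigned needs an externally reachable S3 endpoint (see minio.ingress)`. The `presignedUrlExpiry` comment could also say that this is how long a leaked URL stays usable.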
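Review bot: The default annotations in the `minio.ingress` block set `nginx.ingress.kubernetes.io/proxy-body-size: "0"`, which removes the request-size limit on an endpoint the block's own comment describes as being for presigned URL access. Unless uploads through this ingress are intended, I would drop the annotation from the defaults or ship a finite value and let operators raise it, e.g. `nginx.ingress.kubernetes.io/proxy-body-size: "<max-upload-size>"` as a placeholder to fill in. The defaults also assume an `nginx` ingress class and a `letsencrypt` ClusterIssuer exist in the cluster; a one-line comment saying so would save a failed install.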