Example Trino installation via Open Source Helm Chart

This trino-values.yaml configuration provides a starting point for deploying Trino on Kubernetes using the Immuta image with the plugin pre-installed. It's designed to help users get a functional deployment quickly, though it may require further customization.

For additional details, consult the Trino OSS Helm chart README and the chart's default values:

https://github.com/trinodb/charts/blob/main/charts/trino/README.md

https://github.com/trinodb/charts/blob/main/charts/trino/values.yaml

trino-values.yaml
image:
  repository: ocir.immuta.com/field/immuta-trino
  tag: <image-tag>
  imagePullSecrets:
    - immuta-oci-registry
# This ingress example is useful when deploying to EKS using AWS Load Balancer Controller  
#ingress:
#  enabled: true
#  className: alb
#  annotations:
#    alb.ingress.kubernetes.io/group.name: immuta
#    alb.ingress.kubernetes.io/scheme: internet-facing
#    alb.ingress.kubernetes.io/target-type: ip
#    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
#    alb.ingress.kubernetes.io/ssl-redirect: '443'
#    alb.ingress.kubernetes.io/backend-protocol: HTTP
#  hosts:
#    - host: trino.immuta.us
#      paths:
#        - path: /
#          pathType: Prefix

serviceAccount:
  create: true
  name: trino

server:
  config:
    authenticationType: PASSWORD
  coordinatorExtraConfig: |-
    access-control.config-files=/immuta/immuta-access-control.properties
    web-ui.enabled=true

additionalConfigProperties:
- http-server.process-forwarded=true
# https://trino.io/docs/current/security/internal-communication.html#configure-shared-secret
# The secret must be a single line; GNU base64 wraps its output, so strip the newlines.
- internal-communication.shared-secret=<openssl rand 512 | base64>
secretMounts:
  # This file contains the Immuta URL and API key as well as additional
  # configuration options
  - name: immuta-access-control
    secretName: immuta-access-control
    path: /immuta/
  # Optional secret containing CA for Immuta (referenced in immuta-access-control.properties)
  #  - name: immuta-ca-file
  #    secretName: immuta-ca
  #    path: /extracerts/

# Optional debug config
additionalLogProperties:
- io.trino=DEBUG
- io.trino.plugin.immuta=DEBUG

auth:
  # See https://trino.io/docs/current/security/password-file.html#file-format
  # for instructions on creating these users. Each entry is username:hash,
  # where the hash is bcrypt or PBKDF2, not the plaintext password.
  passwordAuth: |-
    immuta-admin:<admin-password-here>
    # The data consumer username must be associated with a user profile (Trino Username)
    # in Immuta for policy enforcement to occur
    data-consumer:<user-password-here>
  type: configmap

# Sample Catalog addition; can test with TPCH without adding additional
additionalCatalogs:
  postgres: |-
    connector.name=postgresql
    connection-url=jdbc:postgresql://<postgres-host>:<postgres-port>/<postgres-db>
    connection-user=postgres
    connection-password=<postgres password>
  mysql: |-
    connector.name=mysql
    connection-url=jdbc:mysql://<mysql-host>:<mysql-port>
    connection-user=admin
    connection-password=<mysql-admin-password>

The following properties file is a minimal example. Additional options which may be necessary are documented here: https://documentation.immuta.com/saas/configuration/integrations/starburst-trino/how-to-guides/configure#id-2-configure-the-immuta-system-access-control-plugin-in-starburst

immuta-access-control.properties
access-control.name=immuta
immuta.endpoint=https://<immuta-hostname>
immuta.apikey=<apikey from trino integration in immuta ui>

# At least one of the following must be configured
# These users are EXEMPT from Immuta Policy
immuta.user.admin=immuta-admin
#immuta.group.admin=your-admin-group

An example deployment using the above might look something like this:

helm repo add trino https://trinodb.github.io/charts/
kubectl create namespace trino
kubectl -n trino create secret generic immuta-access-control --from-file=immuta-access-control.properties
helm install -n trino trino trino/trino -f trino-values.yaml
