Example Trino installation via Open Source Helm Chart


Last updated 2 months ago

This trino-values.yaml configuration provides a starting point for deploying Trino on Kubernetes using the Immuta image with the plugin pre-installed. It's designed to help users get a functional deployment quickly, though it may require further customization.

For additional details, consult the Trino OSS Helm chart README and its default values documentation, both linked at the end of this page.

trino-values.yaml
image:
  repository: ocir.immuta.com/field/immuta-trino
  tag: <image-tag>
imagePullSecrets:
  - name: immuta-oci-registry
# This ingress example is useful when deploying to EKS using AWS Load Balancer Controller  
#ingress:
#  enabled: true
#  className: alb
#  annotations:
#    alb.ingress.kubernetes.io/group.name: immuta
#    alb.ingress.kubernetes.io/scheme: internet-facing
#    alb.ingress.kubernetes.io/target-type: ip
#    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
#    alb.ingress.kubernetes.io/ssl-redirect: '443'
#    alb.ingress.kubernetes.io/backend-protocol: HTTP
#  hosts:
#    - host: trino.immuta.us
#      paths:
#        - path: /
#          pathType: Prefix

serviceAccount:
  create: true
  name: trino

server:
  config:
    authenticationType: PASSWORD
  coordinatorExtraConfig: |-
    access-control.config-files=/immuta/immuta-access-control.properties
    web-ui.enabled=true

additionalConfigProperties:
- http-server.process-forwarded=true
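# https://trino.io/docs/current/security/internal-communication.html#configure-shared-secret
# Paste the generated value as a single line (GNU base64 wraps its output by default; -w0 disables wrapping).
- internal-communication.shared-secret=<openssl rand 512 | base64>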
secretMounts:
  # This file contains the Immuta URL and API key as well as additional
  # configuration options
  - name: immuta-access-control
    secretName: immuta-access-control
    path: /immuta/
  # Optional secret containing CA for Immuta (referenced in immuta-access-control.properties)
  #  - name: immuta-ca-file
  #    secretName: immuta-ca
  #    path: /extracerts/

# Optional debug config
additionalLogProperties:
- io.trino=DEBUG
- io.trino.plugin.immuta=DEBUG

auth:
  # See https://trino.io/docs/current/security/password-file.html#file-format
  # for instructions on creating these users. Each entry is username:password-hash
  # (bcrypt or PBKDF2), not a plaintext password.
  # The data consumer username must be associated with a user profile (Trino Username)
  # in Immuta for policy enforcement to occur.
  # Comments placed inside the block scalar below would become lines of the password file.
  passwordAuth: |-
    immuta-admin:<admin-password-here>
    data-consumer:<user-password-here>
  type: configmap

# Sample Catalog addition; can test with TPCH without adding additional
additionalCatalogs:
  postgres: |-
    connector.name=postgresql
    connection-url=jdbc:postgresql://<postgres-host>:<postgres-port>/<postgres-db>
    connection-user=postgres
    connection-password=<postgres password>
  mysql: |-
    connector.name=mysql
    connection-url=jdbc:mysql://<mysql-host>:<mysql-port>
    connection-user=admin
    connection-password=<mysql-admin-password>

immuta-access-control.properties
access-control.name=immuta
immuta.endpoint=https://<immuta-hostname>
immuta.apikey=<apikey from trino integration in immuta ui>

# At least one of the following must be configured
# These users are EXEMPT from Immuta Policy
immuta.user.admin=immuta-admin
#immuta.group.admin=your-admin-group

An example deployment using the above might look something like this:

helm repo add trino https://trinodb.github.io/charts/
kubectl create namespace trino
kubectl -n trino create secret generic immuta-access-control --from-file=immuta-access-control.properties
helm install -n trino trino trino/trino -f trino-values.yaml
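
A pre-install check for the two files above, as an added example that is not part of the original page or of Immuta's or Trino's tooling: it flags unreplaced `<...>` placeholders, `passwordAuth` entries that are not bcrypt or PBKDF2 hashes, DEBUG loggers left enabled, and a properties file with no active admin user or group. The function names are illustrative, and the accepted hash shapes are an assumption based on the Trino password-file documentation linked in the values file.

```shell
#!/bin/sh
# Added example, not Immuta or Trino tooling; function names are illustrative.
# Usage: lint_trino_deploy trino-values.yaml immuta-access-control.properties
_trino_findings() {
  values=$1; props=$2
  # user:hash where hash is bcrypt ($2y$NN$...) or PBKDF2 (iterations:salt:hash)
  hash_re='^[^:]+:(\$2y\$[0-9][0-9]\$.+|[0-9]+:[0-9a-fA-F]+:[0-9a-fA-F]+)$'
  # 1. Template placeholders such as <image-tag> left on active (non-comment) lines.
  for f in "$values" "$props"; do
    hits=$(grep -vE '^[[:space:]]*#' "$f" | grep -oE '<[^<>]+>' | sort -u | tr '\n' ' ')
    if [ -n "$hits" ]; then echo "placeholder: $f: $hits"; fi
  done
  # 2. Entries under auth.passwordAuth that are not hashed (comment lines skipped).
  bad=$(awk '
    /^ *passwordAuth:/ { match($0, /[^ ]/); ind = RSTART - 1; blk = 1; next }
    blk { if (match($0, /[^ ]/) && RSTART - 1 <= ind) { blk = 0; next }
          sub(/^ +/, ""); print }' "$values" |
    grep -vE '^(#.*)?$' | grep -vE "$hash_re" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$bad" ]; then echo "password: no bcrypt/PBKDF2 hash for: $bad"; fi
  # 3. DEBUG loggers still enabled under additionalLogProperties.
  if grep -qE '^[[:space:]]*-[[:space:]]*io\.trino[^#]*=DEBUG' "$values"; then
    echo "logging: DEBUG loggers enabled in $values"
  fi
  # 4. The properties file needs at least one active admin user or group line.
  if ! grep -qE '^immuta\.(user|group)\.admin=.+' "$props"; then
    echo "immuta: neither immuta.user.admin nor immuta.group.admin is set"
  fi
}

# Prints one finding per line; returns 1 if anything was found, 0 if clean.
lint_trino_deploy() {
  out=$(_trino_findings "$1" "$2")
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
  return 0
}
```
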

The immuta-access-control.properties file above is a minimal example. Additional options which may be necessary are documented here:

https://documentation.immuta.com/saas/configuration/integrations/starburst-trino/how-to-guides/configure#id-2-configure-the-immuta-system-access-control-plugin-in-starburst

Trino OSS Helm chart README and default values:

https://github.com/trinodb/charts/blob/main/charts/trino/README.md
https://github.com/trinodb/charts/blob/main/charts/trino/values.yaml