This trino-values.yaml configuration provides a starting point for deploying Trino on Kubernetes using the Immuta image with the plugin pre-installed. It's designed to help users get a functional deployment quickly, though it may require further customization.
For additional details please consult both the Trino OSS helm chart and default values documentation here:
trino-values.yaml
image:
repository: ocir.immuta.com/field/immuta-trino
tag: <image-tag>
imagePullSecrets:
- name: immuta-oci-registry
# This ingress example is useful when deploying to EKS using AWS Load Balancer Controller
#ingress:
# enabled: true
# className: alb
# annotations:
# alb.ingress.kubernetes.io/group.name: immuta
# alb.ingress.kubernetes.io/scheme: internet-facing
# alb.ingress.kubernetes.io/target-type: ip
# alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
# alb.ingress.kubernetes.io/ssl-redirect: '443'
# alb.ingress.kubernetes.io/backend-protocol: HTTP
# hosts:
# - host: trino.immuta.us
# paths:
# - path: /
# pathType: Prefix
serviceAccount:
create: true
name: trino
server:
config:
authenticationType: PASSWORD
coordinatorExtraConfig: |-
access-control.config-files=/immuta/immuta-access-control.properties
web-ui.enabled=true
additionalConfigProperties:
- http-server.process-forwarded=true
# https://trino.io/docs/current/security/internal-communication.html#configure-shared-secret
- internal-communication.shared-secret=<openssl rand 512 | base64>
secretMounts:
# This file contains the Immuta URL and API key as well as additional
# configuration options
- name: immuta-access-control
secretName: immuta-access-control
path: /immuta/
# Optional secret containing CA for Immuta (referenced in immuta-access-control.properties)
# - name: immuta-ca-file
# secretName: immuta-ca
# path: /extracerts/
# Optional debug config
additionalLogProperties:
- io.trino=DEBUG
- io.trino.plugin.immuta=DEBUG
auth:
# See https://trino.io/docs/current/security/password-file.html#file-format
# for instructions on creating these users
passwordAuth: |-
immuta-admin:<admin-password-here>
# The data consumer username must be associated with a user profile (Trino Username)
# in Immuta for policy enforcement to occur
data-consumer:<user-password-here>
type: configmap
# Sample Catalog addition; can test with TPCH without adding additional
additionalCatalogs:
postgres: |-
connector.name=postgresql
connection-url=jdbc:postgresql://<postgres-host>:<postgres-port>/<postgres-db>
connection-user=postgres
connection-password=<postgres password>
mysql: |-
connector.name=mysql
connection-url=jdbc:mysql://<mysql-host>:<mysql-port>
connection-user=admin
connection-password=<mysql-admin-password>
immuta-access-control.properties
access-control.name=immuta
immuta.endpoint=https://<immuta-hostname>
immuta.apikey=<apikey from trino integration in immuta ui>
# At least one of the following must be configured
# These users are EXEMPT from Immuta Policy
immuta.user.admin=immuta-admin
#immuta.group.admin=your-admin-group
An example deployment using the above might look something like this:
