baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(trino): install Trino

Browse Source
This commit is contained in:
Masaki Yatsu
2025-10-15 17:22:00 +09:00
parent 29d6bb15c2
commit 1719e623d7
8 changed files with 714 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
trino/.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
trino-minio-external-secret.yaml
trino-oauth-external-secret.yaml
trino-postgres-external-secret.yaml
trino-values.yaml

359
trino/justfile Normal file
View File

@@ -0,0 +1,359 @@
set fallback := true
export TRINO_NAMESPACE := env("TRINO_NAMESPACE", "trino")
export TRINO_CHART_VERSION := env("TRINO_CHART_VERSION", "1.41.0")
export TRINO_IMAGE_TAG := env("TRINO_IMAGE_TAG", "477")
export TRINO_HOST := env("TRINO_HOST", "")
export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
export TRINO_COORDINATOR_MEMORY := env("TRINO_COORDINATOR_MEMORY", "4Gi")
export TRINO_COORDINATOR_CPU := env("TRINO_COORDINATOR_CPU", "2")
export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "4G")
export TRINO_WORKER_MEMORY := env("TRINO_WORKER_MEMORY", "4Gi")
export TRINO_WORKER_CPU := env("TRINO_WORKER_CPU", "2")
export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "4G")
export TRINO_WORKER_COUNT := env("TRINO_WORKER_COUNT", "2")
export POSTGRES_NAMESPACE := env("POSTGRES_NAMESPACE", "postgres")
export MINIO_NAMESPACE := env("MINIO_NAMESPACE", "minio")
[private]
default:
@just --list --unsorted --list-submodules
# Add Helm repository
add-helm-repo:
helm repo add trino https://trinodb.github.io/charts
helm repo update
# Remove Helm repository
remove-helm-repo:
helm repo remove trino
# Create Trino namespace
create-namespace:
@kubectl get namespace ${TRINO_NAMESPACE} &>/dev/null || \
kubectl create namespace ${TRINO_NAMESPACE}
# Delete Trino namespace
delete-namespace:
@kubectl delete namespace ${TRINO_NAMESPACE} --ignore-not-found
# Create OAuth client in Keycloak for Trino authentication
create-oauth-client:
#!/bin/bash
set -euo pipefail
if [ -z "${TRINO_HOST}" ]; then
echo "Error: TRINO_HOST environment variable is required"
exit 1
fi
echo "Creating Trino OAuth client in Keycloak..."
echo "Removing existing client if present..."
just keycloak::delete-client ${KEYCLOAK_REALM} trino || true
CLIENT_SECRET=$(just utils::random-password)
just keycloak::create-client \
realm=${KEYCLOAK_REALM} \
client_id=trino \
redirect_url="https://${TRINO_HOST}/oauth2/callback" \
client_secret="$CLIENT_SECRET" \
post_logout_redirect_url="https://${TRINO_HOST}/ui/logout/logout.html"
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
echo "External Secrets available. Storing credentials in Vault and creating ExternalSecret..."
just vault::put trino/oauth \
client_id=trino \
client_secret="$CLIENT_SECRET"
kubectl delete externalsecret trino-oauth-external-secret -n ${TRINO_NAMESPACE} --ignore-not-found
kubectl delete secret trino-oauth-secret -n ${TRINO_NAMESPACE} --ignore-not-found
gomplate -f trino-oauth-external-secret.gomplate.yaml -o trino-oauth-external-secret.yaml
kubectl apply -f trino-oauth-external-secret.yaml
echo "Waiting for OAuth secret to be ready..."
kubectl wait --for=condition=Ready externalsecret/trino-oauth-external-secret \
-n ${TRINO_NAMESPACE} --timeout=60s
else
echo "External Secrets not available. Creating Kubernetes Secret directly..."
kubectl delete secret trino-oauth-secret -n ${TRINO_NAMESPACE} --ignore-not-found
kubectl create secret generic trino-oauth-secret -n ${TRINO_NAMESPACE} \
--from-literal=client_id=trino \
--from-literal=client_secret="$CLIENT_SECRET"
echo "OAuth secret created directly in Kubernetes"
fi
echo "OAuth client created successfully"
# Delete OAuth secret
delete-oauth-secret:
@kubectl delete secret trino-oauth-secret -n ${TRINO_NAMESPACE} --ignore-not-found
@kubectl delete externalsecret trino-oauth-external-secret -n ${TRINO_NAMESPACE} --ignore-not-found
# Create self-signed certificate for HTTPS
create-self-signed-cert:
#!/bin/bash
set -euo pipefail
echo "Creating self-signed certificate for Trino..."
CERT_PASSWORD=$(just utils::random-password)
TRINO_HOST=${TRINO_HOST:-trino.local}
# Create temporary directory
TEMP_DIR=$(mktemp -d)
trap "rm -rf ${TEMP_DIR}" EXIT
# Generate JKS keystore with self-signed certificate
keytool -genkeypair \
-alias trino \
-keyalg RSA \
-keysize 2048 \
-validity 3650 \
-keystore ${TEMP_DIR}/keystore.jks \
-storepass "${CERT_PASSWORD}" \
-keypass "${CERT_PASSWORD}" \
-dname "CN=${TRINO_HOST}, OU=Trino, O=BuunStack, L=Local, ST=Local, C=US" \
-ext SAN=dns:${TRINO_HOST},dns:trino-coordinator,dns:trino-coordinator.${TRINO_NAMESPACE}.svc.cluster.local
echo "Certificate created successfully"
# Create Kubernetes secret
kubectl delete secret trino-tls-secret -n ${TRINO_NAMESPACE} --ignore-not-found
kubectl create secret generic trino-tls-secret -n ${TRINO_NAMESPACE} \
--from-file=keystore.jks=${TEMP_DIR}/keystore.jks \
--from-literal=keystore-password="${CERT_PASSWORD}"
echo "TLS secret created in Kubernetes"
echo "Certificate password stored in secret 'trino-tls-secret'"
# Delete TLS secret
delete-tls-secret:
@kubectl delete secret trino-tls-secret -n ${TRINO_NAMESPACE} --ignore-not-found
# Setup PostgreSQL catalog for Trino
setup-postgres-catalog:
#!/bin/bash
set -euo pipefail
echo "Setting up PostgreSQL catalog for Trino..."
if just postgres::db-exists trino &>/dev/null; then
echo "Database 'trino' already exists."
else
echo "Creating new database 'trino'..."
just postgres::create-db trino
fi
if just postgres::user-exists trino &>/dev/null; then
echo "User 'trino' already exists."
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
if DB_PASSWORD=$(just vault::get trino/postgres password 2>/dev/null); then
echo "Using existing password from Vault."
else
echo "Generating new password and updating Vault..."
DB_PASSWORD=$(just utils::random-password)
just postgres::psql -c "ALTER USER trino WITH PASSWORD '$DB_PASSWORD';"
fi
else
echo "Generating new password for existing user..."
DB_PASSWORD=$(just utils::random-password)
just postgres::psql -c "ALTER USER trino WITH PASSWORD '$DB_PASSWORD';"
fi
else
echo "Creating new user 'trino'..."
DB_PASSWORD=$(just utils::random-password)
just postgres::create-user trino "$DB_PASSWORD"
fi
echo "Ensuring database permissions..."
just postgres::grant trino trino
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
echo "External Secrets available. Storing credentials in Vault and creating ExternalSecret..."
just vault::put trino/postgres username=trino password="$DB_PASSWORD"
gomplate -f trino-postgres-external-secret.gomplate.yaml -o trino-postgres-external-secret.yaml
kubectl apply -f trino-postgres-external-secret.yaml
echo "Waiting for PostgreSQL secret to be ready..."
kubectl wait --for=condition=Ready externalsecret/trino-postgres-external-secret \
-n ${TRINO_NAMESPACE} --timeout=60s
else
echo "External Secrets not available. Creating Kubernetes Secret directly..."
kubectl delete secret trino-postgres-secret -n ${TRINO_NAMESPACE} --ignore-not-found
kubectl create secret generic trino-postgres-secret -n ${TRINO_NAMESPACE} \
--from-literal=username=trino \
--from-literal=password="$DB_PASSWORD"
echo "PostgreSQL secret created directly in Kubernetes"
fi
echo "PostgreSQL catalog setup completed"
# Delete PostgreSQL secret
delete-postgres-secret:
@kubectl delete secret trino-postgres-secret -n ${TRINO_NAMESPACE} --ignore-not-found
@kubectl delete externalsecret trino-postgres-external-secret -n ${TRINO_NAMESPACE} --ignore-not-found
# Setup MinIO storage for Trino (optional)
setup-minio-storage:
#!/bin/bash
set -euo pipefail
echo "Setting up MinIO storage for Trino..."
if ! kubectl get service minio -n ${MINIO_NAMESPACE} &>/dev/null; then
echo "Error: MinIO is not installed. Please install MinIO first with 'just minio::install'"
exit 1
fi
just minio::create-user trino "trino-data"
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
echo "Creating ExternalSecret for MinIO credentials..."
gomplate -f trino-minio-external-secret.gomplate.yaml -o trino-minio-external-secret.yaml
kubectl apply -f trino-minio-external-secret.yaml
echo "Waiting for MinIO secret to be ready..."
kubectl wait --for=condition=Ready externalsecret/trino-minio-external-secret \
-n ${TRINO_NAMESPACE} --timeout=60s
else
echo "External Secrets not available. Creating Kubernetes Secret directly..."
ACCESS_KEY=trino
SECRET_KEY=$(just vault::get trino/minio secret_key 2>/dev/null || echo "")
if [ -z "$SECRET_KEY" ]; then
echo "Error: Could not retrieve MinIO credentials. Please check Vault."
exit 1
fi
kubectl delete secret trino-minio-secret -n ${TRINO_NAMESPACE} --ignore-not-found
kubectl create secret generic trino-minio-secret -n ${TRINO_NAMESPACE} \
--from-literal=access_key="$ACCESS_KEY" \
--from-literal=secret_key="$SECRET_KEY" \
--from-literal=endpoint="http://minio.${MINIO_NAMESPACE}.svc.cluster.local:9000"
echo "MinIO secret created directly in Kubernetes"
fi
echo "MinIO storage setup completed"
# Delete MinIO secret
delete-minio-secret:
@kubectl delete secret trino-minio-secret -n ${TRINO_NAMESPACE} --ignore-not-found
@kubectl delete externalsecret trino-minio-external-secret -n ${TRINO_NAMESPACE} --ignore-not-found
# Install Trino
install:
#!/bin/bash
set -euo pipefail
export TRINO_HOST=${TRINO_HOST:-}
while [ -z "${TRINO_HOST}" ]; do
TRINO_HOST=$(
gum input --prompt="Trino host (FQDN): " --width=100 \
--placeholder="e.g., trino.example.com"
)
done
echo "Installing Trino..."
just create-namespace
just create-oauth-client
export TRINO_HOST="${TRINO_HOST}"
just create-self-signed-cert
if gum confirm "Setup PostgreSQL catalog?"; then
just setup-postgres-catalog
export TRINO_POSTGRES_ENABLED="true"
else
export TRINO_POSTGRES_ENABLED="false"
fi
if gum confirm "Setup MinIO storage (for Hive/Iceberg catalogs)?"; then
just setup-minio-storage
export TRINO_MINIO_ENABLED="true"
else
export TRINO_MINIO_ENABLED="false"
fi
just add-helm-repo
SHARED_SECRET=$(just utils::random-password)
export TRINO_SHARED_SECRET="$SHARED_SECRET"
gomplate -f trino-values.gomplate.yaml -o trino-values.yaml
helm upgrade --install trino trino/trino \
--namespace ${TRINO_NAMESPACE} \
--version ${TRINO_CHART_VERSION} \
-f trino-values.yaml \
--wait --timeout=10m
echo "Trino installed successfully"
echo "Access Trino at: https://${TRINO_HOST}"
# Upgrade Trino Helm chart with current configuration
upgrade:
#!/bin/bash
set -euo pipefail
echo "Upgrading Trino..."
# Detect current configuration from existing secrets
if kubectl get secret trino-postgres-secret -n ${TRINO_NAMESPACE} &>/dev/null; then
export TRINO_POSTGRES_ENABLED="true"
echo "PostgreSQL catalog: enabled"
else
export TRINO_POSTGRES_ENABLED="false"
echo "PostgreSQL catalog: disabled"
fi
if kubectl get secret trino-minio-secret -n ${TRINO_NAMESPACE} &>/dev/null; then
export TRINO_MINIO_ENABLED="true"
echo "MinIO storage: enabled"
else
export TRINO_MINIO_ENABLED="false"
echo "MinIO storage: disabled"
fi
# Get TRINO_HOST from existing ingress
export TRINO_HOST=$(kubectl get ingress -n ${TRINO_NAMESPACE} trino-coordinator -o jsonpath='{.spec.rules[0].host}' 2>/dev/null || echo "")
if [ -z "${TRINO_HOST}" ]; then
echo "Error: Could not determine TRINO_HOST from existing ingress"
exit 1
fi
echo "Trino host: ${TRINO_HOST}"
# Get existing shared secret from config
SHARED_SECRET=$(kubectl get configmap trino-coordinator -n ${TRINO_NAMESPACE} -o jsonpath='{.data.config\.properties}' 2>/dev/null | grep "internal-communication.shared-secret=" | cut -d'=' -f2 || echo "")
if [ -z "${SHARED_SECRET}" ]; then
echo "Error: Could not retrieve existing shared secret"
exit 1
fi
export TRINO_SHARED_SECRET="${SHARED_SECRET}"
gomplate -f trino-values.gomplate.yaml -o trino-values.yaml
helm upgrade trino trino/trino \
--namespace ${TRINO_NAMESPACE} \
--version ${TRINO_CHART_VERSION} \
-f trino-values.yaml \
--wait --timeout=10m
echo "Trino upgraded successfully"
echo "Access Trino at: https://${TRINO_HOST}"
# Uninstall Trino
uninstall delete-db='true':
#!/bin/bash
set -euo pipefail
echo "Uninstalling Trino..."
helm uninstall trino -n ${TRINO_NAMESPACE} --ignore-not-found
just delete-oauth-secret
just delete-postgres-secret
just delete-minio-secret
just delete-tls-secret
just delete-namespace
if [ "{{ delete-db }}" = "true" ]; then
just postgres::delete-db trino || true
fi
just keycloak::delete-client ${KEYCLOAK_REALM} trino || true
echo "Trino uninstalled"
# Clean up resources
cleanup:
#!/bin/bash
set -euo pipefail
echo "This will delete the Trino database and all secrets."
if gum confirm "Are you sure you want to proceed?"; then
echo "Cleaning up Trino resources..."
just postgres::delete-db trino || true
just vault::delete trino/oauth || true
just vault::delete trino/postgres || true
just vault::delete trino/minio || true
just keycloak::delete-client ${KEYCLOAK_REALM} trino || true
echo "Cleanup completed"
else
echo "Cleanup cancelled"
fi

22
trino/trino-minio-external-secret.gomplate.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: trino-minio-external-secret
namespace: {{ .Env.TRINO_NAMESPACE }}
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
target:
name: trino-minio-secret
creationPolicy: Owner
data:
- secretKey: access_key
remoteRef:
key: trino/minio
property: access_key
- secretKey: secret_key
remoteRef:
key: trino/minio
property: secret_key

22
trino/trino-oauth-external-secret.gomplate.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: trino-oauth-external-secret
namespace: {{ .Env.TRINO_NAMESPACE }}
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
target:
name: trino-oauth-secret
creationPolicy: Owner
data:
- secretKey: client_id
remoteRef:
key: trino/oauth
property: client_id
- secretKey: client_secret
remoteRef:
key: trino/oauth
property: client_secret

22
trino/trino-postgres-external-secret.gomplate.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: trino-postgres-external-secret
namespace: {{ .Env.TRINO_NAMESPACE }}
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
target:
name: trino-postgres-secret
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: trino/postgres
property: username
- secretKey: password
remoteRef:
key: trino/postgres
property: password

284
trino/trino-values.gomplate.yaml Normal file
View File

@@ -0,0 +1,284 @@
# Trino Helm Chart Values
# Configuration for Trino deployment with Keycloak OIDC authentication
image:
tag: "{{ .Env.TRINO_IMAGE_TAG }}"
server:
workers: {{ .Env.TRINO_WORKER_COUNT }}
node:
environment: production
dataDir: /data/trino
pluginDir: /usr/lib/trino/plugin
log:
trino:
level: INFO
config:
path: /etc/trino
https:
enabled: false
authenticationType: "OAUTH2"
exchangeManager:
name: "filesystem"
baseDir: "/tmp/trino-local-file-system-exchange-manager"
workerExtraConfig: ""
coordinatorExtraConfig: |
http-server.authentication.oauth2.issuer=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}
http-server.authentication.oauth2.auth-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/auth
http-server.authentication.oauth2.token-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
http-server.authentication.oauth2.jwks-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/certs
http-server.authentication.oauth2.userinfo-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo
http-server.authentication.oauth2.client-id=${ENV:OAUTH2_CLIENT_ID}
http-server.authentication.oauth2.client-secret=${ENV:OAUTH2_CLIENT_SECRET}
http-server.authentication.oauth2.scopes=openid,email,profile
http-server.authentication.oauth2.oidc.discovery=true
web-ui.authentication.type=oauth2
autoscaling:
enabled: false
additionalNodeProperties: {}
additionalConfigProperties:
- internal-communication.shared-secret={{ .Env.TRINO_SHARED_SECRET }}
- http-server.process-forwarded=true
additionalLogProperties: {}
additionalExchangeManagerProperties: {}
eventListenerProperties: {}
accessControl: {}
resourceGroups: {}
{{- if eq (.Env.TRINO_POSTGRES_ENABLED | default "false") "true" }}
catalogs:
postgresql: |
connector.name=postgresql
connection-url=jdbc:postgresql://postgres-cluster-rw.{{ .Env.POSTGRES_NAMESPACE }}.svc.cluster.local:5432/trino
connection-user=${ENV:POSTGRES_USER}
connection-password=${ENV:POSTGRES_PASSWORD}
tpch: |
connector.name=tpch
tpch.splits-per-node=4
{{- if eq (.Env.TRINO_MINIO_ENABLED | default "false") "true" }}
iceberg: |
connector.name=iceberg
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=http://lakekeeper.lakekeeper.svc.cluster.local:8181
iceberg.rest-catalog.warehouse=default
iceberg.rest-catalog.nested-namespace-enabled=true
iceberg.rest-catalog.vended-credentials-enabled=true
iceberg.unique-table-location=true
fs.native-s3.enabled=true
s3.region=us-east-1
s3.endpoint=http://minio.{{ .Env.MINIO_NAMESPACE }}.svc.cluster.local:9000
s3.path-style-access=true
{{- end }}
{{- else }}
catalogs:
tpch: |
connector.name=tpch
tpch.splits-per-node=4
{{- end }}
service:
type: ClusterIP
port: 8080
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: {{ .Env.TRINO_HOST }}
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: trino-tls
hosts:
- {{ .Env.TRINO_HOST }}
auth: {}
serviceAccount:
create: true
name: "trino"
annotations: {}
secretMounts: []
coordinator:
jvm:
maxHeapSize: "{{ .Env.TRINO_COORDINATOR_JVM_HEAP }}"
gcMethod:
type: "UseG1GC"
g1:
heapRegionSize: "32M"
config:
memory:
heapHeadroomPerNode: ""
query:
maxMemoryPerNode: "1GB"
additionalJVMConfig: {}
additionalExposedPorts: {}
resources:
requests:
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
limits:
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
livenessProbe:
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
nodeSelector: {}
tolerations: []
affinity: {}
additionalConfigFiles: {}
additionalVolumes: []
additionalVolumeMounts: []
annotations: {}
labels: {}
secretMounts: []
worker:
jvm:
maxHeapSize: "{{ .Env.TRINO_WORKER_JVM_HEAP }}"
gcMethod:
type: "UseG1GC"
g1:
heapRegionSize: "32M"
config:
memory:
heapHeadroomPerNode: ""
query:
maxMemoryPerNode: "1GB"
additionalJVMConfig: {}
additionalExposedPorts: {}
resources:
requests:
memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
cpu: "{{ .Env.TRINO_WORKER_CPU }}"
limits:
memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
cpu: "{{ .Env.TRINO_WORKER_CPU }}"
livenessProbe:
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
nodeSelector: {}
tolerations: []
affinity: {}
additionalConfigFiles: {}
additionalVolumes: []
additionalVolumeMounts: []
annotations: {}
labels: {}
secretMounts: []
kafka:
mountPath: "/etc/trino/schemas"
tableDescriptions: {}
commonLabels: {}
initContainers: {}
sidecarContainers: {}
securityContext:
runAsUser: 1000
runAsGroup: 1000
shareProcessNamespace:
coordinator: false
worker: false
volumePermissions:
enabled: false
env:
- name: OAUTH2_CLIENT_ID
valueFrom:
secretKeyRef:
name: trino-oauth-secret
key: client_id
- name: OAUTH2_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: trino-oauth-secret
key: client_secret
{{- if eq (.Env.TRINO_POSTGRES_ENABLED | default "false") "true" }}
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: trino-postgres-secret
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: trino-postgres-secret
key: password
{{- end }}
envFrom: []