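# Trino Helm Chart Values
# Configuration for Trino deployment with Keycloak OIDC authentication
#
# This file is a gomplate template ({{ .Env.* }} and {{- if }} blocks) that is
# rendered before Helm reads it. Credentials are never templated in directly
# except where noted; they are read at runtime through ${ENV:...} from the
# Kubernetes Secrets listed under `env` at the bottom.

image:
  tag: "{{ .Env.TRINO_IMAGE_TAG }}"

server:
  # Integer value - must stay unquoted so the chart receives a number.
  workers: {{ .Env.TRINO_WORKER_COUNT }}
  node:
    environment: production
    dataDir: /data/trino
    pluginDir: /usr/lib/trino/plugin
  log:
    trino:
      level: INFO
  config:
    path: /etc/trino
    # TLS is terminated at the Traefik ingress (entrypoint `websecure` below),
    # not by Trino itself; see the allow-insecure-over-http note further down.
    https:
      enabled: false
    # Two authenticators: file-based passwords (see
    # coordinator.additionalConfigFiles) and Keycloak OAuth2/OIDC.
    authenticationType: "PASSWORD,OAUTH2"
  exchangeManager:
    name: "filesystem"
    baseDir: "/tmp/trino-local-file-system-exchange-manager"
  workerExtraConfig: ""
  coordinatorExtraConfig: |
    discovery.uri=http://localhost:8080
    # Required because https.enabled=false: PASSWORD credentials cross the
    # ingress->pod hop in cleartext, so that hop must stay inside the cluster
    # network and port 8080 must not be reachable from outside it.
    http-server.authentication.allow-insecure-over-http=true
    http-server.authentication.oauth2.issuer=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}
    http-server.authentication.oauth2.auth-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/auth
    http-server.authentication.oauth2.token-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
    http-server.authentication.oauth2.jwks-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/certs
    http-server.authentication.oauth2.userinfo-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo
    # Client credentials come from Secret trino-oauth-secret via `env` below.
    http-server.authentication.oauth2.client-id=${ENV:OAUTH2_CLIENT_ID}
    http-server.authentication.oauth2.client-secret=${ENV:OAUTH2_CLIENT_SECRET}
    http-server.authentication.oauth2.scopes=openid,email,profile
    # NOTE(review): with discovery enabled Trino reads the endpoints from the
    # issuer's .well-known metadata, which makes the explicit auth/token/jwks/
    # userinfo URLs above redundant. Confirm against the deployed Trino
    # version how explicitly configured URLs interact with discovery, and keep
    # them in sync with what Keycloak publishes for this realm.
    http-server.authentication.oauth2.oidc.discovery=true
    web-ui.authentication.type=oauth2
  autoscaling:
    enabled: false

additionalNodeProperties: {}
additionalConfigProperties:
  # NOTE(review): this value is rendered verbatim into the Trino ConfigMap,
  # unlike the OAuth, PostgreSQL and MinIO credentials, which are read at
  # runtime via ${ENV:...} from Kubernetes Secrets. Prefer the same pattern:
  # `internal-communication.shared-secret=${ENV:TRINO_SHARED_SECRET}` plus an
  # `env` entry backed by a Secret (<shared-secret-secret-name>, placeholder).
  - internal-communication.shared-secret={{ .Env.TRINO_SHARED_SECRET }}
  # Trino trusts X-Forwarded-* headers (set by the Traefik middleware below),
  # so only the ingress controller should be able to reach port 8080 directly;
  # a NetworkPolicy on the Trino pods is the usual way to enforce that.
  - http-server.process-forwarded=true
additionalLogProperties: {}
additionalExchangeManagerProperties: {}
eventListenerProperties: {}

accessControl:
  type: configmap
  refreshPeriod: 60s
  configFile: "rules.json"
  rules:
    # Every authenticated user may use every catalog. Only "admin" may
    # impersonate, and the ".*" pattern lets admin act as any user - keep the
    # admin account's password file entry and OIDC mapping tightly controlled.
    rules.json: |-
      {
        "catalogs": [
          {
            "allow": "all"
          }
        ],
        "impersonation": [
          {
            "original_user": "admin",
            "new_user": ".*"
          }
        ]
      }

resourceGroups: {}

{{- if .Env.TRINO_POSTGRES_ENABLED }}
catalogs:
  postgresql: |
    connector.name=postgresql
    connection-url=jdbc:postgresql://postgres-cluster-rw.{{ .Env.POSTGRES_NAMESPACE }}.svc.cluster.local:5432/trino
    # Credentials come from Secret trino-postgres-secret via `env` below.
    connection-user=${ENV:POSTGRES_USER}
    connection-password=${ENV:POSTGRES_PASSWORD}
  tpch: |
    connector.name=tpch
    tpch.splits-per-node=4
{{- if .Env.TRINO_MINIO_ENABLED }}
  iceberg: |
    connector.name=iceberg
    iceberg.catalog.type=rest
    # Plain HTTP to the in-cluster REST catalog; the bearer token obtained
    # below travels over this hop unencrypted inside the cluster network.
    iceberg.rest-catalog.uri=http://lakekeeper.lakekeeper.svc.cluster.local:8181/catalog
    iceberg.rest-catalog.warehouse=default
    iceberg.rest-catalog.security=OAUTH2
    # NOTE(review): the Trino OIDC client credentials are reused as the
    # Lakekeeper client. A dedicated Keycloak client holding only the
    # `lakekeeper` scope would narrow what exposure of either secret grants.
    iceberg.rest-catalog.oauth2.credential=${ENV:OAUTH2_CLIENT_ID}:${ENV:OAUTH2_CLIENT_SECRET}
    iceberg.rest-catalog.oauth2.server-uri=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
    iceberg.rest-catalog.oauth2.scope=openid profile lakekeeper
    iceberg.rest-catalog.nested-namespace-enabled=true
    # Vended credentials are off, so Trino uses the static MinIO keys below
    # for all table access rather than per-table scoped credentials.
    iceberg.rest-catalog.vended-credentials-enabled=false
    iceberg.unique-table-location=true
    fs.native-s3.enabled=true
    s3.region=us-east-1
    s3.endpoint=http://minio.{{ .Env.MINIO_NAMESPACE }}.svc.cluster.local:9000
    s3.path-style-access=true
    # Keys come from Secret trino-minio-secret via `env` below.
    s3.aws-access-key=${ENV:MINIO_ACCESS_KEY}
    s3.aws-secret-key=${ENV:MINIO_SECRET_KEY}
{{- end }}
{{- else }}
catalogs:
  tpch: |
    connector.name=tpch
    tpch.splits-per-node=4
{{- end }}

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Pass X-Forwarded-* headers to Trino so it returns correct URLs
    traefik.ingress.kubernetes.io/router.middlewares: trino-trino-headers@kubernetescrd
  hosts:
    # Quoted: a templated scalar must not be left plain, or an empty or
    # special-character expansion changes the YAML type instead of the string.
    - host: "{{ .Env.TRINO_HOST }}"
      paths:
        - path: /
          pathType: ImplementationSpecific
  # NOTE(review): no TLS block here; the certificate for the `websecure`
  # entrypoint is presumably supplied by Traefik's own configuration - confirm.
  tls: []

auth: {}

serviceAccount:
  create: true
  name: "trino"
  annotations: {}

secretMounts: []

coordinator:
  jvm:
    maxHeapSize: "{{ .Env.TRINO_COORDINATOR_JVM_HEAP }}"
    gcMethod:
      type: "UseG1GC"
      g1:
        heapRegionSize: "32M"
  config:
    memory:
      heapHeadroomPerNode: ""
    query:
      maxMemoryPerNode: "1GB"
  additionalJVMConfig: {}
  additionalExposedPorts: {}
  resources:
    requests:
      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
      cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
    limits:
      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
      cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
  livenessProbe:
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  readinessProbe:
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalConfigFiles:
    # File-based PASSWORD authenticator; password.db is mounted from Secret
    # trino-password-secret (see secretMounts directly below).
    password-authenticator.properties: |
      password-authenticator.name=file
      file.password-file=/etc/trino/password/password.db
  additionalVolumes: []
  additionalVolumeMounts: []
  annotations: {}
  labels: {}
  secretMounts:
    - name: trino-password
      secretName: trino-password-secret
      path: /etc/trino/password

worker:
  jvm:
    maxHeapSize: "{{ .Env.TRINO_WORKER_JVM_HEAP }}"
    gcMethod:
      type: "UseG1GC"
      g1:
        heapRegionSize: "32M"
  config:
    memory:
      heapHeadroomPerNode: ""
    query:
      maxMemoryPerNode: "1GB"
  additionalJVMConfig: {}
  additionalExposedPorts: {}
  resources:
    requests:
      memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
      cpu: "{{ .Env.TRINO_WORKER_CPU }}"
    limits:
      memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
      cpu: "{{ .Env.TRINO_WORKER_CPU }}"
  livenessProbe:
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  readinessProbe:
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalConfigFiles: {}
  additionalVolumes: []
  additionalVolumeMounts: []
  annotations: {}
  labels: {}
  secretMounts: []

kafka:
  mountPath: "/etc/trino/schemas"
  tableDescriptions: {}

commonLabels: {}
initContainers: {}
sidecarContainers: {}

# Pods run as the unprivileged uid/gid 1000.
securityContext:
  runAsUser: 1000
  runAsGroup: 1000

shareProcessNamespace:
  coordinator: false
  worker: false

volumePermissions:
  enabled: false

# Runtime credentials, resolved by Trino's ${ENV:...} references above. Each
# value is read from a Kubernetes Secret, so none of them lands in a ConfigMap.
env:
  - name: OAUTH2_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: trino-oauth-secret
        key: client_id
  - name: OAUTH2_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: trino-oauth-secret
        key: client_secret
{{- if .Env.TRINO_POSTGRES_ENABLED }}
  - name: POSTGRES_USER
    valueFrom:
      secretKeyRef:
        name: trino-postgres-secret
        key: username
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: trino-postgres-secret
        key: password
{{- end }}
{{- if .Env.TRINO_MINIO_ENABLED }}
  - name: MINIO_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: trino-minio-secret
        key: access_key
  - name: MINIO_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: trino-minio-secret
        key: secret_key
{{- end }}
envFrom: []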