329 lines
7.6 KiB
YAML
329 lines
7.6 KiB
YAML
# Trino Helm Chart Values
|
|
# Configuration for Trino deployment with Keycloak OIDC authentication
|
|
|
|
image:
|
|
tag: "{{ .Env.TRINO_IMAGE_TAG }}"
|
|
|
|
server:
|
|
workers: {{ .Env.TRINO_WORKER_COUNT }}
|
|
|
|
node:
|
|
environment: production
|
|
dataDir: /data/trino
|
|
pluginDir: /usr/lib/trino/plugin
|
|
|
|
log:
|
|
trino:
|
|
level: INFO
|
|
|
|
config:
|
|
path: /etc/trino
|
|
https:
|
|
enabled: false
|
|
|
|
authenticationType: "PASSWORD,OAUTH2"
|
|
|
|
exchangeManager:
|
|
name: "filesystem"
|
|
baseDir: "/tmp/trino-local-file-system-exchange-manager"
|
|
|
|
workerExtraConfig: ""
|
|
coordinatorExtraConfig: |
|
|
discovery.uri=http://localhost:8080
|
|
http-server.authentication.allow-insecure-over-http=true
|
|
http-server.authentication.oauth2.issuer=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}
|
|
http-server.authentication.oauth2.auth-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/auth
|
|
http-server.authentication.oauth2.token-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
|
|
http-server.authentication.oauth2.jwks-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/certs
|
|
http-server.authentication.oauth2.userinfo-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo
|
|
http-server.authentication.oauth2.client-id=${ENV:OAUTH2_CLIENT_ID}
|
|
http-server.authentication.oauth2.client-secret=${ENV:OAUTH2_CLIENT_SECRET}
|
|
http-server.authentication.oauth2.principal-field=preferred_username
|
|
http-server.authentication.oauth2.scopes=openid,email,profile
|
|
http-server.authentication.oauth2.oidc.discovery=true
|
|
web-ui.authentication.type=oauth2
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
|
|
additionalNodeProperties: {}
|
|
|
|
additionalConfigProperties:
|
|
- internal-communication.shared-secret={{ .Env.TRINO_SHARED_SECRET }}
|
|
- http-server.process-forwarded=true
|
|
|
|
additionalLogProperties: {}
|
|
|
|
additionalExchangeManagerProperties: {}
|
|
|
|
eventListenerProperties: {}
|
|
|
|
accessControl:
|
|
type: configmap
|
|
refreshPeriod: 60s
|
|
configFile: "rules.json"
|
|
rules:
|
|
rules.json: |-
|
|
{
|
|
"catalogs": [
|
|
{
|
|
"allow": "all"
|
|
}
|
|
],
|
|
"impersonation": [
|
|
{
|
|
"original_user": "admin",
|
|
"new_user": ".*"
|
|
}
|
|
]
|
|
}
|
|
|
|
resourceGroups: {}
|
|
|
|
{{- if .Env.TRINO_POSTGRES_ENABLED }}
|
|
catalogs:
|
|
postgresql: |
|
|
connector.name=postgresql
|
|
connection-url=jdbc:postgresql://postgres-cluster-rw.{{ .Env.POSTGRES_NAMESPACE }}.svc.cluster.local:5432/trino
|
|
connection-user=${ENV:POSTGRES_USER}
|
|
connection-password=${ENV:POSTGRES_PASSWORD}
|
|
|
|
tpch: |
|
|
connector.name=tpch
|
|
tpch.splits-per-node=4
|
|
|
|
{{- if .Env.TRINO_ICEBERG_ENABLED }}
|
|
iceberg: |
|
|
connector.name=iceberg
|
|
iceberg.catalog.type=rest
|
|
iceberg.rest-catalog.uri=http://lakekeeper.lakekeeper.svc.cluster.local:8181/catalog
|
|
iceberg.rest-catalog.warehouse=default
|
|
iceberg.rest-catalog.security=OAUTH2
|
|
iceberg.rest-catalog.oauth2.credential=${ENV:OAUTH2_CLIENT_ID}:${ENV:OAUTH2_CLIENT_SECRET}
|
|
iceberg.rest-catalog.oauth2.server-uri=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
|
|
iceberg.rest-catalog.oauth2.scope=openid profile lakekeeper
|
|
iceberg.rest-catalog.nested-namespace-enabled=true
|
|
iceberg.rest-catalog.vended-credentials-enabled=false
|
|
iceberg.unique-table-location=true
|
|
fs.native-s3.enabled=true
|
|
s3.region=us-east-1
|
|
s3.endpoint=http://minio.{{ .Env.MINIO_NAMESPACE }}.svc.cluster.local:9000
|
|
s3.path-style-access=true
|
|
s3.aws-access-key=${ENV:MINIO_ACCESS_KEY}
|
|
s3.aws-secret-key=${ENV:MINIO_SECRET_KEY}
|
|
{{- end }}
|
|
{{- else }}
|
|
catalogs:
|
|
tpch: |
|
|
connector.name=tpch
|
|
tpch.splits-per-node=4
|
|
{{- end }}
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 8080
|
|
|
|
ingress:
|
|
enabled: true
|
|
className: traefik
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
# Pass X-Forwarded-* headers to Trino so it returns correct URLs
|
|
traefik.ingress.kubernetes.io/router.middlewares: trino-trino-headers@kubernetescrd
|
|
hosts:
|
|
- host: {{ .Env.TRINO_HOST }}
|
|
paths:
|
|
- path: /
|
|
pathType: ImplementationSpecific
|
|
tls: []
|
|
|
|
auth: {}
|
|
|
|
serviceAccount:
|
|
create: true
|
|
name: "trino"
|
|
annotations: {}
|
|
|
|
secretMounts: []
|
|
|
|
coordinator:
|
|
jvm:
|
|
maxHeapSize: "{{ .Env.TRINO_COORDINATOR_JVM_HEAP }}"
|
|
gcMethod:
|
|
type: "UseG1GC"
|
|
g1:
|
|
heapRegionSize: "32M"
|
|
|
|
config:
|
|
memory:
|
|
heapHeadroomPerNode: ""
|
|
query:
|
|
maxMemoryPerNode: "1GB"
|
|
|
|
additionalJVMConfig: {}
|
|
|
|
additionalExposedPorts: {}
|
|
|
|
resources:
|
|
requests:
|
|
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
|
|
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
|
|
limits:
|
|
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
|
|
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
|
|
|
|
livenessProbe:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 20
|
|
timeoutSeconds: 15
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
readinessProbe:
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 20
|
|
timeoutSeconds: 15
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
additionalConfigFiles:
|
|
password-authenticator.properties: |
|
|
password-authenticator.name=file
|
|
file.password-file=/etc/trino/password/password.db
|
|
|
|
additionalVolumes: []
|
|
|
|
additionalVolumeMounts: []
|
|
|
|
annotations: {}
|
|
|
|
labels: {}
|
|
|
|
secretMounts:
|
|
- name: trino-password
|
|
secretName: trino-password-secret
|
|
path: /etc/trino/password
|
|
|
|
worker:
|
|
jvm:
|
|
maxHeapSize: "{{ .Env.TRINO_WORKER_JVM_HEAP }}"
|
|
gcMethod:
|
|
type: "UseG1GC"
|
|
g1:
|
|
heapRegionSize: "32M"
|
|
|
|
config:
|
|
memory:
|
|
heapHeadroomPerNode: ""
|
|
query:
|
|
maxMemoryPerNode: "1GB"
|
|
|
|
additionalJVMConfig: {}
|
|
|
|
additionalExposedPorts: {}
|
|
|
|
resources:
|
|
requests:
|
|
memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
|
|
cpu: "{{ .Env.TRINO_WORKER_CPU }}"
|
|
limits:
|
|
memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
|
|
cpu: "{{ .Env.TRINO_WORKER_CPU }}"
|
|
|
|
livenessProbe:
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 20
|
|
timeoutSeconds: 15
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
readinessProbe:
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 20
|
|
timeoutSeconds: 15
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
additionalConfigFiles: {}
|
|
|
|
additionalVolumes: []
|
|
|
|
additionalVolumeMounts: []
|
|
|
|
annotations: {}
|
|
|
|
labels: {}
|
|
|
|
secretMounts: []
|
|
|
|
kafka:
|
|
mountPath: "/etc/trino/schemas"
|
|
tableDescriptions: {}
|
|
|
|
commonLabels: {}
|
|
|
|
initContainers: {}
|
|
|
|
sidecarContainers: {}
|
|
|
|
securityContext:
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
|
|
shareProcessNamespace:
|
|
coordinator: false
|
|
worker: false
|
|
|
|
volumePermissions:
|
|
enabled: false
|
|
|
|
env:
|
|
- name: OAUTH2_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-oauth-secret
|
|
key: client_id
|
|
- name: OAUTH2_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-oauth-secret
|
|
key: client_secret
|
|
{{- if .Env.TRINO_POSTGRES_ENABLED }}
|
|
- name: POSTGRES_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-postgres-secret
|
|
key: username
|
|
- name: POSTGRES_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-postgres-secret
|
|
key: password
|
|
{{- end }}
|
|
{{- if .Env.TRINO_ICEBERG_ENABLED }}
|
|
- name: MINIO_ACCESS_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-minio-secret
|
|
key: access_key
|
|
- name: MINIO_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: trino-minio-secret
|
|
key: secret_key
|
|
{{- end }}
|
|
|
|
envFrom: []
|