Use CLI for Trino installation on Kubernetes

Prerequisites

To deploy Trino on Kubernetes via CLI, you need:

  • A Kubernetes cluster (1.32 or later) with access configured through kubectl.

  • The CLI tool that is unpacked from your offline pack.

  • The following images that are unpacked and pushed to your repository:

    • hub.arenadata.io/adc-enterprise/trino-operator:<version>

    • hub.arenadata.io/adh-enterprise/trino-docker:<version>

    These artifacts can be found in the offline packages, which can be requested from the Arenadata support team.

  • An up-and-running ADH cluster (4.2.0 or later) with the following services:

    • Core configuration

    • ADPG

    • Zookeeper

    • HDFS

    • YARN

    • Hive

    Trino runs outside the ADH cluster, in Kubernetes pods, and communicates with ADH over the network.

For security configurations, refer to the tabs below.

  • Ranger

  • Kerberos + SSL

Ranger:

If you plan to integrate Trino with Ranger, you need an ADPS cluster (2.0.0 or later) installed and running. Also, you need to create a service for Trino in Ranger.

This guide describes how to create a service via Ranger REST API. Alternatively, you can create a service in the Ranger web UI.

  1. Define a service in a JSON file:

    {
      "isEnabled": true,
      "type": "trino",
      "name": "trino_k8s", (1)
      "displayName": "trino_k8s",
      "description": "Service for Kubernetes Trino",
      "configs": {
        "username": "trino", (2)
        "password": "bigdata",  (3)
        "ranger.plugin.audit.filters": "[{'accessResult':'DENIED','isAudited':true},{'isAudited':false,'resources':{'queryid':{'values':['*']}},'accessTypes':['execute']},{'isAudited':false,'resources':{'trinouser':{'values':['{USER}']}},'accessTypes':['impersonate']}]",
        "jdbc.driverClassName": "io.trino.jdbc.TrinoDriver",
        "jdbc.url": "jdbc:trino://10.92.42.219" (4)
      }
    }
    1 A name of the Trino service in Ranger. Must be unique.
    2 A username for the service.
    3 A password for the service.
    4 A JDBC string for connecting to Trino exposed by Ingress or load balancer.
  2. Push the defined service to Ranger:

    $ curl -u admin:<admin_pwd> -H "Content-Type: application/json" -X POST -d @ranger-trino-k8s.json http://<ranger-admin>:6080/service/public/v2/api/service
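
The same POST as the curl command above, as an added example that is not part of the original guide: it builds the service definition in memory and sends the admin credentials in a header, so no password is stored in ranger-trino-k8s.json or exposed on the command line, and it refuses a plain-HTTP Ranger URL unless told otherwise. The function names and the environment variable names are hypothetical.

```python
import base64
import json
import os
import urllib.request

# Audit filter string exactly as in the service definition on this page.
AUDIT_FILTERS = (
    "[{'accessResult':'DENIED','isAudited':true},"
    "{'isAudited':false,'resources':{'queryid':{'values':['*']}},'accessTypes':['execute']},"
    "{'isAudited':false,'resources':{'trinouser':{'values':['{USER}']}},'accessTypes':['impersonate']}]"
)


def build_service(name, jdbc_url, service_user, service_password):
    """Return the Ranger service definition with the same fields as the JSON file."""
    return {
        "isEnabled": True,
        "type": "trino",
        "name": name,
        "displayName": name,
        "description": "Service for Kubernetes Trino",
        "configs": {
            "username": service_user,
            "password": service_password,
            "ranger.plugin.audit.filters": AUDIT_FILTERS,
            "jdbc.driverClassName": "io.trino.jdbc.TrinoDriver",
            "jdbc.url": jdbc_url,
        },
    }


def build_request(ranger_url, admin_user, admin_password, service, allow_http=False):
    """Build the POST that the curl command sends, with credentials in a header."""
    if not ranger_url.lower().startswith("https://") and not allow_http:
        raise ValueError("plain HTTP exposes the admin password; pass allow_http=True to override")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(
        ranger_url.rstrip("/") + "/service/public/v2/api/service",
        data=json.dumps(service).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )


def main():
    # Hypothetical environment variable names; nothing secret is written to disk or argv.
    env = os.environ
    if "RANGER_URL" not in env:
        print("set RANGER_URL, RANGER_ADMIN_PASSWORD, TRINO_JDBC_URL, TRINO_SERVICE_PASSWORD")
        return
    service = build_service("trino_k8s", env["TRINO_JDBC_URL"],
                            "trino", env["TRINO_SERVICE_PASSWORD"])
    request = build_request(env["RANGER_URL"], "admin", env["RANGER_ADMIN_PASSWORD"], service)
    with urllib.request.urlopen(request, timeout=30) as response:
        print(response.status)


if __name__ == "__main__":
    main()
```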
Kerberos + SSL:

  1. Make sure that SSL is enabled for the ADH cluster and for ADPS if you plan to use both SSL and Ranger.

  2. To access the Trino web UI and allow JDBC connections, generate a certificate for Ingress:

    $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout trino-cloud.ru-central1.internal.key -out trino-cloud.ru-central1.internal.crt -subj "/CN=trino-cloud.ru-central1.internal"
  3. Unpack and push the Kerberos operator image to your repository.

  4. Initialize the Kerberos operator:

    $ ./adc operators init --kerberos -o operator-kerberos-init.yaml

    This operation creates the operator-kerberos-init.yaml file with a template configuration.

  5. Edit the configuration file to your needs:

    kerberos:
      image: hub.arenadata.io/adc-enterprise/kerberos-operator:<tag> (1)
    
      # Number of replicas
      # replicas: 1
    
      resources:
        limits:
          cpu: 500m
          memory: 256Mi
    
      # Operator service account.
      serviceAccount: (2)
        create: true
        name: kerberos-operator
    
      # Namespace to run the operator.
      # Operator's ServiceAccount, deployment and RBAC components will be installed in it.
      namespace: (3)
        create: true
        name: kerberos-operator
    
      # Create namespaces to run the payload.
      createPayloadNamespaces: true
    
      # List of namespaces to run the payload in.
      payloadNamespaces: (4)
        - trino
    
      ## Image pull secret for a private registry.
      ## Either set 'name' to reference an existing Secret,
      ## or set 'credentials' and the CLI will create a dockerconfigjson Secret.
      #imagePullSecret:
      #  name: my-pull-secret
      #  credentials:
      #    registry: registry.example.com
      #    username: user
      #    password: pass
      kdc: (5)
        realm: RU-CENTRAL1.INTERNAL
        labelSelector:
          env: prod
        realms:
          RU-CENTRAL1.INTERNAL: |-
            kdc = tsn-freeipa.ru-central1.internal
            admin_server = tsn-freeipa.ru-central1.internal
        domainRealm:
          ru-central1.internal: RU-CENTRAL1.INTERNAL
        libdefaults:
          debug: "false"
          default_realm: RU-CENTRAL1.INTERNAL
          dns_lookup_kdc: "false"
          dns_lookup_realm: 'false'
          udp_preference_limit: '1'
    
      ldapSecret: (6)
        addr: ldaps://tsn-freeipa.ru-central1.internal:636
        adminPW: AdhCloud!
        adminDN: uid=admin,cn=users,cn=accounts,dc=ru-central1,dc=internal
        baseDN: cn=services,cn=accounts,dc=ru-central1,dc=internal
        ca: (7)
        provider: freeipa
    1 URL to the Kerberos operator image in your repository.
    2 Service account settings.
    3 Namespace settings.
    4 Payload namespace settings. The listed namespaces will be available to the Kerberos operator instance.
    5 KDC settings.
    6 LDAP settings. If you don’t use SSL, change the protocol to ldap and port to 389.
    7 CA certificate if LDAP is secured with SSL.
  6. Apply the configuration and deploy the Kerberos operator:

    $ ./adc operators apply kerberos-operator -f operator-kerberos-init.yaml

Step 1. Install Trino operator

  1. Initialize the Trino operator:

    $ ./adc operators init --trino -o operator-trino-init.yaml

    This operation creates the operator-trino-init.yaml file with a template configuration.

  2. Edit the configuration file to your needs:

    operator-trino-init.yaml
    trino:
      image: hub.arenadata.io/adc-enterprise/trino-operator:<tag> (1)
    
      # Number of replicas
      # replicas: 1
    
      resources:
        limits:
          cpu: 500m
          memory: 256Mi
    
      # Operator service account.
      serviceAccount: (2)
        create: true
        name: "trino"
    
      # Namespace to run the operator.
      # Operator's ServiceAccount, deployment and RBAC components will be installed in it.
      namespace: (3)
        create: true
        name: trino-operator
    
      # Create namespaces to run the payload.
      createPayloadNamespaces: true
    
      # List of namespaces to run the payload in.
      payloadNamespaces: (4)
        - trino
    
      ## Image pull secret for a private registry.
      ## Either set 'name' to reference an existing Secret,
      ## or set 'credentials' and the CLI will create a dockerconfigjson Secret.
      #imagePullSecret:
      #  name: my-pull-secret
      #  credentials:
      #    registry: registry.example.com
      #    username: user
      #    password: pass
    1 URL to the Trino operator image in your repository.
    2 Service account settings.
    3 Namespace settings.
    4 Payload namespace settings. The listed namespaces will be available to the Trino operator instance.
  3. Apply the configuration and deploy the Trino operator:

    $ ./adc operators apply trino-operator -f operator-trino-init.yaml

    The expected output contains the confirmation of success:

    time="20260518125157UTC" level="info" msg="operator trino-operator applied to namespace trino-operator"
  4. Verify the Trino operator:

    $ kubectl get pods -n trino-operator

    The expected output should be similar to:

    NAME                                             READY   STATUS    RESTARTS   AGE
    trino-operator-trino-operator-6bf8788587-7s22r   1/1     Running   0          150m

Step 2. Install Trino cluster

  • No security

  • Ranger

  • Kerberos + SSL

No security:

  1. Prepare the hadoop_conf.yaml Hadoop configuration file:

    sites:
      core:
        fs.defaultFS: hdfs://adh
        hadoop.security.authentication: simple
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.service.ids: adhom
      hive:
        hive.metastore.sasl.enabled: false
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        metastore.use.SSL: false
  2. Initialize the Trino cluster:

    $ ./adc cluster init --product trino --hadoop-file hadoop_conf.yaml --output cluster-trino-init.yaml

    This operation creates the cluster-trino-init.yaml file with a template configuration.

  3. Edit the configuration file to your needs:

    product: trino
    namespace: trino (1)
    image: (2)
      registry: hub.arenadata.io
      repository: adh-enterprise/trino-docker
      tag: <version>
      pullPolicy: Always
    
      ## Image pull secret for a private registry.
      ## Either set 'name' to reference an existing Secret,
      ## or set 'credentials' and the CLI will create a dockerconfigjson Secret.
      #imagePullSecret:
      #  name: my-pull-secret
      #  credentials:
      #    registry: registry.example.com
      #    username: user
      #    password: pass
    trino:
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      coordinator:
        replicas: 1
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      worker:
        replicas: 2
    
      catalogs:
        iceberg.properties:
          connector.name: iceberg
          fs.hadoop.enabled: "True"
          hive.config.resources: /opt/trino-server/etc/catalog/core-site.xml
          hive.hdfs.authentication.type: NONE
          hive.hdfs.impersonation.enabled: "True"
          hive.metastore.authentication.type: NONE
          hive.metastore.thrift.impersonation.enabled: "True"
          hive.metastore.uri: thrift://tsn-k8s-1.ru-central1.internal:9083
          hive.metastore.thrift.client.ssl.enabled: "False"
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
    hadoop: (3)
      core:
        fs.defaultFS: hdfs://adh
        hadoop.proxyuser.trino.groups: '*'
        hadoop.proxyuser.trino.hosts: '*'
        hadoop.security.authentication: simple
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
      hive:
        hive.metastore.sasl.enabled: "false"
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        metastore.use.SSL: "false"
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.service.ids: adhom
    1 Namespace that the Trino cluster will use.
    2 Settings for pulling the Trino cluster image.
    3 Hadoop settings that were taken from the previously created hadoop_conf.yaml.
Ranger:

  1. Prepare the hadoop_conf.yaml Hadoop configuration file:

    sites:
      core:
        fs.defaultFS: hdfs://adh
        hadoop.security.authentication: simple
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.service.ids: adhom
      hive:
        hive.metastore.sasl.enabled: false
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        metastore.use.SSL: false
  2. Initialize the Trino cluster:

    $ ./adc cluster init --product trino --hadoop-file hadoop_conf.yaml --output cluster-trino-init.yaml

    This operation creates the cluster-trino-init.yaml file with a template configuration.

  3. Edit the configuration file to your needs:

    product: trino
    namespace: trino (1)
    image: (2)
      registry: hub.arenadata.io
      repository: adh-enterprise/trino-docker
      tag: <version>
      pullPolicy: Always
    
      ## Image pull secret for a private registry.
      ## Either set 'name' to reference an existing Secret,
      ## or set 'credentials' and the CLI will create a dockerconfigjson Secret.
      #imagePullSecret:
      #  name: my-pull-secret
      #  credentials:
      #    registry: registry.example.com
      #    username: user
      #    password: pass
    trino:
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      coordinator:
        replicas: 1
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      worker:
        replicas: 2
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      catalogs:
        iceberg.properties:
          connector.name: iceberg
          fs.hadoop.enabled: "True"
          hive.config.resources: /opt/trino-server/etc/catalog/core-site.xml
          hive.hdfs.authentication.type: NONE
          hive.hdfs.impersonation.enabled: "True"
          hive.metastore.authentication.type: NONE
          hive.metastore.thrift.impersonation.enabled: "True"
          hive.metastore.uri: thrift://tsn-k8s-1.ru-central1.internal:9083
          hive.metastore.thrift.client.ssl.enabled: "False"
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
    hadoop: (3)
      core:
        fs.defaultFS: hdfs://adh
        hadoop.proxyuser.trino.groups: '*'
        hadoop.proxyuser.trino.hosts: '*'
        hadoop.security.authentication: simple
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
      hive:
        hive.metastore.sasl.enabled: "false"
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        metastore.use.SSL: "false"
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.service.ids: adhom
    
    ## Ranger plugin configuration.
    ## Uncomment and fill the lines below. cluster apply derives the rest.
    ranger: (4)
      security:
        ranger.plugin.trino.policy.rest.url: "<ranger-admin>:6080"
        ranger.plugin.trino.service.name: "trino_k8s"
        ranger.plugin.trino.use.rangerGroups: "True"
        ranger.plugin.trino.use.only.rangerGroups: "True"
    
      # fill xasecure.audit.destination.solr.zookeepers below with Zookeepers endpoints to resolve solr service, e.g. adps-adc.ru-central1.internal:2181/Arenadata.Hadoop-2.solr.server
      audit:
        xasecure.audit.destination.solr.zookeepers: "tsn-adps2-1.ru-central1.internal:2181/Arenadata.Hadoop-3.solr.server"
    
      # Local Ranger files consumed by the CLI during 'cluster apply'.
      # Paths are relative to the config file. The CLI reads these files
      # and writes them into the generated configs Secret.
      files: (5)
        jceksStorePath: ranger-trino.jceks
    1 Namespace that the Trino cluster will use.
    2 Settings for pulling the Trino cluster image.
    3 Hadoop settings that were taken from the previously created hadoop_conf.yaml.
    4 Ranger configuration.
    5 Additional JCEKS file if Ranger is used along with SSL.
Kerberos + SSL:

  1. Prepare the hadoop_conf.yaml Hadoop configuration file:

    sites:
      core:
        fs.defaultFS: hdfs://adh
        hadoop.security.authentication: kerberos
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
        dfs.namenode.kerberos.principal: nn/_HOST@RU-CENTRAL1.INTERNAL
        dfs.journalnode.kerberos.principal: jn/_HOST@RU-CENTRAL1.INTERNAL
        dfs.datanode.kerberos.principal: dn/_HOST@RU-CENTRAL1.INTERNAL
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.kerberos.principal: om/_HOST@RU-CENTRAL1.INTERNAL
        ozone.om.service.ids: adhom
      hive:
        hive.metastore.sasl.enabled: true
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        hive.metastore.kerberos.principal: hive/_HOST@RU-CENTRAL1.INTERNAL
        metastore.use.SSL: true
  2. Initialize the Trino cluster:

    $ ./adc cluster init --product trino --hadoop-file hadoop_conf.yaml --output cluster-trino-init.yaml

    This operation creates the cluster-trino-init.yaml file with a template configuration.

  3. Edit the configuration file to your needs:

    product: trino
    namespace: trino (1)
    image: (2)
      registry: hub.arenadata.io
      repository: adh-enterprise/trino-docker
      tag: <version>
      pullPolicy: Always
    
      ## Image pull secret for a private registry.
      ## Either set 'name' to reference an existing Secret,
      ## or set 'credentials' and the CLI will create a dockerconfigjson Secret.
      #imagePullSecret:
      #  name: my-pull-secret
      #  credentials:
      #    registry: registry.example.com
      #    username: user
      #    password: pass
    trino:
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      coordinator:
        replicas: 1
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      worker:
        replicas: 2
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
      catalogs:
        iceberg.properties:
          connector.name: iceberg
          fs.hadoop.enabled: "True"
          hive.config.resources: /opt/trino-server/etc/catalog/core-site.xml
          hive.hdfs.authentication.type: KERBEROS
          hive.hdfs.impersonation.enabled: "True"
          hive.hdfs.trino.keytab: /opt/trino-server/kerberos/keytab
          hive.metastore.authentication.type: KERBEROS
          hive.metastore.client.keytab: /opt/trino-server/kerberos/keytab
          hive.metastore.service.principal: hive/_HOST@RU-CENTRAL1.INTERNAL
          hive.metastore.thrift.client.ssl.trust-certificate: /etc/ssl/truststore.jks
          hive.metastore.thrift.client.ssl.trust-certificate-password: bigdata
          hive.metastore.thrift.impersonation.enabled: "True"
          hive.metastore.uri: thrift://tsn-k8s-1.ru-central1.internal:9083
          hive.metastore.thrift.client.ssl.enabled: "True"
    
        ## Component arguments. Key-value pairs passed to the component configuration.
        #args:
        #  redirect_stdout_stderr: "false"
    hadoop: (3)
      core:
        fs.defaultFS: hdfs://adh
        hadoop.proxyuser.trino.groups: '*'
        hadoop.proxyuser.trino.hosts: '*'
        hadoop.security.authentication: kerberos
      hdfs:
        dfs.client.failover.proxy.provider.adh: org.apache.hadoop.hdfs.server.namenode.ha.ObserverReadProxyProvider
        dfs.ha.namenodes.adh: nn_tsn-k8s-1,nn_tsn-k8s-3
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:8020
        dfs.namenode.rpc-address.adh.nn_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:8020
        dfs.nameservices: adh
        dfs.namenode.kerberos.principal: nn/_HOST@RU-CENTRAL1.INTERNAL
        dfs.journalnode.kerberos.principal: jn/_HOST@RU-CENTRAL1.INTERNAL
        dfs.datanode.kerberos.principal: dn/_HOST@RU-CENTRAL1.INTERNAL
      ozone:
        ozone.om.address.adh.om_tsn-k8s-1: tsn-k8s-1.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-2: tsn-k8s-2.ru-central1.internal:9862
        ozone.om.address.adh.om_tsn-k8s-3: tsn-k8s-3.ru-central1.internal:9862
        ozone.om.nodes.adh: om_tsn-k8s-1,om_tsn-k8s-2,om_tsn-k8s-3
        ozone.om.kerberos.principal: om/_HOST@RU-CENTRAL1.INTERNAL
        ozone.om.service.ids: adhom
      hive:
        hive.metastore.sasl.enabled: "true"
        hive.metastore.uris: thrift://tsn-k8s-1.ru-central1.internal:9083
        metastore.truststore.password: bigdata
        metastore.truststore.path: /etc/ssl/truststore.jks
        hive.metastore.kerberos.principal: hive/_HOST@RU-CENTRAL1.INTERNAL
        metastore.use.SSL: "true"
    
    ## Kerberos configuration for authentication.
    ## Set 'keytab.create: true' to let the operator create the keytab Secret,
    ## or set 'keytab.secretName' to reference an existing keytab Secret.
    kerberos: (4)
      realm: RU-CENTRAL1.INTERNAL
      service: trino
      hostname: trino-cloud.ru-central1.internal
      keytab:
        create: true
        secretName: kerberos-secret
        labelSelector:
          env: prod
        additionalPrincipals:
          - HTTP/trino-cloud.ru-central1.internal
          - trino/trino-cloud.ru-central1.internal
        rotation:
          interval: 24h
          checkInterval: 1h
    
    ## Java KeyStore/TrustStore certificate configuration.
    ## Either reference an existing Secret via secretName,
    ## or set files: to have the CLI create the Secret from local files.
    ssl: (5)
      secretName: ssl-secret
      trustStoreKey: truststore.jks
    
      # Local file paths consumed by the CLI during 'cluster apply'.
      # Paths are relative to the config file. The CLI reads these files
      # and creates or updates the Secret named by ssl.secretName.
      files:
        trustStorePath: /etc/ssl/truststore.jks
    1 Namespace that the Trino cluster will use.
    2 Settings for pulling the Trino cluster image.
    3 Hadoop settings that were taken from the previously created hadoop_conf.yaml.
    4 Kerberos settings.
    5 SSL settings.
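
A pre-apply check for the cluster-trino-init.yaml variants above, as an added example that is not part of the Arenadata CLI or this guide: it verifies that every HA member list matches its address entries, that the catalog authentication settings agree with the hadoop section, and that the Ranger plugin names the service created in Ranger. The function names, the finding format and the sample config are constructed for illustration; the input is assumed to be the file already loaded into a dict with the (1)..(5) callout markers removed.

```python
def _truthy(value):
    # The page writes booleans as true, "true" and "True"; accept all of them.
    return str(value).strip().lower() == "true"

def _check_members(site, list_prefix, addr_prefix, findings):
    """Each listed HA member needs an address entry, and each address a listing."""
    for key, value in site.items():
        if not key.startswith(list_prefix):
            continue
        prefix = f"{addr_prefix}{key[len(list_prefix):]}."
        listed = [m.strip() for m in str(value).split(",")]
        addressed = {k[len(prefix):] for k in site if k.startswith(prefix)}
        if len(set(listed)) != len(listed):
            findings.append(f"ERROR {key}: duplicate members in {value!r}")
        for name in sorted(addressed - set(listed)):
            findings.append(f"ERROR {key}: {prefix}{name} is set but {name} is not listed")
        for name in sorted(set(listed) - addressed):
            findings.append(f"ERROR {key}: {name} is listed but {prefix}{name} is missing")

def _inline_secrets(node, path=""):
    """Yield the paths of keys that hold a literal password."""
    for key, value in node.items():
        here = f"{path}/{key}" if path else str(key)
        if isinstance(value, dict):
            yield from _inline_secrets(value, here)
        elif value and str(key).lower().endswith(("password", "adminpw")):
            yield here

def check_cluster_config(cfg, ranger_service_name=None):
    """Return 'ERROR ...' / 'WARN ...' strings; no ERROR means the file is consistent."""
    findings = []
    hadoop = cfg.get("hadoop", {})
    core, hive = hadoop.get("core", {}), hadoop.get("hive", {})
    _check_members(hadoop.get("hdfs", {}), "dfs.ha.namenodes.", "dfs.namenode.rpc-address.", findings)
    _check_members(hadoop.get("ozone", {}), "ozone.om.nodes.", "ozone.om.address.", findings)
    # The catalog must authenticate the way the hadoop section says the cluster does.
    kerberos = core.get("hadoop.security.authentication") == "kerberos"
    sasl = _truthy(hive.get("hive.metastore.sasl.enabled"))
    tls = _truthy(hive.get("metastore.use.SSL"))
    expected = {"hive.hdfs.authentication.type": "KERBEROS" if kerberos else "NONE",
                "hive.metastore.authentication.type": "KERBEROS" if sasl else "NONE"}
    for name, props in cfg.get("trino", {}).get("catalogs", {}).items():
        for key, want in expected.items():
            got = props.get(key, "NONE")  # Trino's default when the key is absent
            if got != want:
                findings.append(f"ERROR {name}: {key} is {got}, hadoop section implies {want}")
        if _truthy(props.get("hive.metastore.thrift.client.ssl.enabled")) != tls:
            findings.append(f"ERROR {name}: metastore TLS differs from metastore.use.SSL={tls}")
    # The plugin must name the service that was created in Ranger.
    used = cfg.get("ranger", {}).get("security", {}).get("ranger.plugin.trino.service.name")
    if "ranger" in cfg and ranger_service_name and used != ranger_service_name:
        findings.append(f"ERROR ranger: plugin uses {used!r}, Ranger has {ranger_service_name!r}")
    findings += [f"WARN {p}: literal secret stored in the file" for p in _inline_secrets(cfg)]
    return findings

# Constructed sample in the Kerberos + SSL layout with two deliberate defects.
SAMPLE = {
    "trino": {"catalogs": {"iceberg.properties": {
        "hive.hdfs.authentication.type": "KERBEROS",
        "hive.metastore.authentication.type": "NONE",  # defect: SASL is on below
        "hive.metastore.thrift.client.ssl.enabled": "True",
        "hive.metastore.thrift.client.ssl.trust-certificate-password": "sample-only",
    }}},
    "hadoop": {
        "core": {"hadoop.security.authentication": "kerberos"},
        "hdfs": {
            "dfs.ha.namenodes.adh": "nn_tsn-k8s-1,nn_tsn-k8s-3",
            "dfs.namenode.rpc-address.adh.nn_tsn-k8s-1": "tsn-k8s-1.ru-central1.internal:8020",
            "dfs.namenode.rpc-address.adh.nn_tsn-k8s-3": "tsn-k8s-3.ru-central1.internal:8020",
        },
        "ozone": {
            "ozone.om.nodes.adh": "om_tsn-k8s-1,om_tsn-k8s-1,om_tsn-k8s-1",  # defect
            "ozone.om.address.adh.om_tsn-k8s-1": "tsn-k8s-1.ru-central1.internal:9862",
            "ozone.om.address.adh.om_tsn-k8s-2": "tsn-k8s-2.ru-central1.internal:9862",
            "ozone.om.address.adh.om_tsn-k8s-3": "tsn-k8s-3.ru-central1.internal:9862",
        },
        "hive": {"hive.metastore.sasl.enabled": "true", "metastore.use.SSL": "true"},
    },
    "ranger": {"security": {"ranger.plugin.trino.service.name": "trino_k8s"}},
}

if __name__ == "__main__":
    print("\n".join(check_cluster_config(SAMPLE, ranger_service_name="trino_k8s")))
```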

After completing the steps for at least one of the options above, finalize the installation:

  1. Apply the configuration and deploy the Trino cluster:

    $ ./adc cluster apply trino --file cluster-trino-init.yaml

    The expected output contains a confirmation of success:

    time="20260518133858UTC" level="info" msg="cluster trino applied to namespace trino"
  2. Verify the Trino cluster pods:

    $ kubectl get pods -n trino

    The expected output is:

    trino-cluster-coordinator-0   1/1     Running   0          4m49s
    trino-cluster-worker-0        1/1     Running   0          4m49s
    trino-cluster-worker-1        1/1     Running   0          4m20s

Step 3. Allow JDBC connections to Trino

For external JDBC access to Trino, you need to expose the service using one of the supported publication methods, for example, through a load balancer or Ingress controller.

All configurations related to exposing a service, including DNS, annotations, Ingress settings, load balancing rules, and other platform-specific settings, must be specified according to your Kubernetes environment.

  1. Get the external IP address of your Ingress controller or load balancer. For example:

    trino-lb                    LoadBalancer   10.96.231.158   10.92.42.144   21050:32154/TCP,26000:30753/TCP,24000:32645/TCP   25h
  2. Add the following entry to your /etc/hosts file:

    <lb_ip> trino-cloud.ru-central1.internal

    where <lb_ip> is the external IP exposed by your load balancer. In this example, it is 10.92.42.144.

  3. Connect to the Trino cluster over JDBC, for example, using DBeaver. For this, the JDBC connection string looks as follows:

    jdbc:trino://trino-cloud.ru-central1.internal/default

    For Kerberos and SSL, add port 443 to the connection string and append the following parameters:

    SSL=true&SSLTrustStorePath=<path>/truststore.jks&SSLTrustStorePassword=<password>&KerberosPrincipal=user&KerberosRemoteServiceName=HTTP&KerberosKeytabPath=<path>/user.keytab

    where:

    • SSLTrustStorePath=<path>/truststore.jks — path to the truststore with certificates used by DBeaver.

    • SSLTrustStorePassword=<password> — password for accessing the truststore.

    • KerberosPrincipal=user — Kerberos principal used by DBeaver for the connection.

    • KerberosRemoteServiceName=HTTP — service name used for the connection.

  4. Once connected, verify the Trino cluster operability:

    SHOW CATALOGS;

    The expected output:

    Catalog   |
    ----------+
    iceberg   |
    system    |

Step 4. Provide access to Trino web UI

To access the Trino web interface, you need to expose the service using one of the supported publication methods, for example, through a load balancer or Ingress controller. All configurations related to exposing a service, including DNS, annotations, Ingress settings, load balancing rules, and other platform-specific settings, must be specified according to your Kubernetes environment.

  1. Get the external IP address of your load balancer or Ingress controller. For example:

    NAME             CLASS   HOSTS                               ADDRESS       PORTS   AGE
    trino-ingress   nginx   trino-cloud.ru-central1.internal   10.92.41.95   80      8m45s
  2. Add the following entry to your /etc/hosts file:

    <ingress_ip> trino-cloud.ru-central1.internal

    where <ingress_ip> is the external IP exposed by Ingress. In this example, it is 10.92.41.95.

  3. Open the Trino web UI in your browser using the URL http://trino-cloud.ru-central1.internal (change the protocol to https if you use Kerberos and SSL).

    Trino web UI

Delete instances

IMPORTANT

Delete the operator only after all the resources it manages have been deleted.

To delete the Trino cluster, run the command below:

$ ./adc cluster destroy trino -f cluster-trino-init.yaml

To delete the Trino operator, run the command below:

$ ./adc operators destroy trino-operator -f operator-trino-init.yaml

To delete the Kerberos operator, run the command below:

$ ./adc operators destroy kerberos-operator -f operator-kerberos-init.yaml