Trino Configuration
What is Trino?
Trino is the distributed SQL query engine used by TDP Kubernetes.
It can query multiple data sources with a single SQL statement, such as ClickHouse, PostgreSQL, Hive, Iceberg, Kafka, and data in S3/Ozone storage, without moving the data into Trino.
Trino does not store its own data: it is a federated query engine.
Data sources are exposed through catalogs configured in the chart.
See Trino - Concepts for a broader view of the tool, architecture, and runtime model.
Helm value structure
All Trino values must be placed under the tdp-trino: key (the dependency alias in Chart.yaml).
Respecting this prefix ensures that Helm applies the values to the correct subchart:
tdp-trino:
server:
workers: 3
service:
port: 8080
Coordinator-worker Architecture
The tdp-trino chart deploys one coordinator and a set of workers.
| Component | Role |
|---|---|
| Coordinator | Receives the SQL query, builds the execution plan, and distributes the work |
| Workers | Execute plan stages in parallel, processing data in external sources |
The coordinator is single-instance.
To increase parallelism, tune tdp-trino.server.workers or the worker autoscaling mechanisms.
Overview
| Property | Value |
|---|---|
| Chart | tdp-trino |
| Trino version | 478 |
| Chart version | 3.0.1 |
| Registry | oci://registry.tecnisys.com.br/tdp/charts/tdp-trino |
| Chart AppVersion | 478 |
Related Pages
- Integrations - Trino: catalogs, connectors, and external source dependencies.
- Security - Trino: LDAP, HTTPS, certificates, Secrets, and Ranger.
- External exposure - Trino: HTTP/HTTPS exposure through Ingress or Gateway API.
Prerequisites
Before installing or customizing the tdp-trino chart, confirm:
- Kubernetes 1.32+, Red Hat OpenShift 4.19+, or Rancher Manager 2.10.x+.
- Helm 3.2.0+.
- StorageClass available when certificates, PVCs, or persistent volumes are required.
- Tecnisys OCI registry reachable from the installation environment.
- CPU Requirement: Worker nodes must support the x86-64-v3 instruction set (Intel Haswell 2013+ or AMD Zen 2+). Trino 478+ requires AVX2, BMI1, BMI2, and FMA extensions.
- External sources reachable from the Trino namespace when using additional catalogs.
- Metrics Server and worker
resources.requestsconfigured for HPA; for KEDA, KEDA installed and Prometheus available with Trino JMX metrics. - Certificates and Secrets prepared when using HTTPS, LDAP, or Ranger.
- Installation
- Main parameters
- Configuration details
- Access & Security
- Troubleshooting
- Uninstallation
Installation
helm install <RELEASE_NAME> oci://registry.tecnisys.com.br/tdp/charts/tdp-trino -n <NAMESPACE> --create-namespace
Example:
helm upgrade tdp-trino oci://registry.tecnisys.com.br/tdp/charts/tdp-trino \
--namespace tdp-project \
--values values.yaml
Resource names derive from the Helm release by default.
Use tdp-trino.fullnameOverride, tdp-trino.coordinatorNameOverride, and tdp-trino.workerNameOverride only when you need to avoid naming conflicts, for example when deploying multiple releases in the same namespace.
Main Parameters
| Parameter | Description | Chart default |
|---|---|---|
tdp-trino.enabled | Enables Trino deployment | true |
tdp-trino.image.tag | Trino image tag | 478 |
tdp-trino.server.workers | Initial worker count | 2 |
tdp-trino.server.node.environment | Trino environment label | environment |
tdp-trino.service.type | Kubernetes Service type | ClusterIP |
tdp-trino.service.port | HTTP Service port | 8080 |
tdp-trino.server.config.https.enabled | Enables HTTPS in Trino | false |
tdp-trino.server.config.authenticationType | Authentication type | "" |
tdp-trino.catalogs | Catalog/connector definitions | tpch, tpcds, memory |
tdp-trino.accessControl | Access control configuration | {} |
tdp-trino.server.autoscaling.enabled | Worker HPA | true |
tdp-trino.server.keda.enabled | Worker KEDA | false |
tdp-trino.jmx.enabled | Enables JMX | true |
tdp-trino.serviceMonitor.enabled | Creates ServiceMonitor | false |
trinoCerts.pvc.enabled | Certificate PVC | false |
trinoCerts.secret.enabled | Certificate Secret | false |
trinoCerts.copyJob.enabled | Job that copies certificates to the PVC | false |
TDP-Settings.gateway.ingress.enabled | Renders TDP Ingress | false |
TDP-Settings.gateway.gatewayApi.enabled | Renders Gateway API HTTPRoute | false |
Catalogs
Catalogs are how Trino registers external data sources.
Each catalog defines a connector and the access properties Trino needs to locate schemas, tables, and objects in that source.
In the chart configuration, catalogs are defined in tdp-trino.catalogs.
Each key becomes a Trino catalog and is used in queries as catalog.schema.object.
The chart includes reference catalogs for tpch, tpcds, and memory.
In production, add the catalogs required by your environment, such as ClickHouse, PostgreSQL, Hive, Iceberg, or Kafka.
See Integrations - Trino for connector examples and prerequisites.
CPU and Memory Resources
Workers handle query execution and typically need more resources than the coordinator.
Adjust values based on your query complexity and data volume.
| Parameter | Description | Chart default |
|---|---|---|
tdp-trino.coordinator.resources.requests.cpu | Coordinator CPU request | 1 |
tdp-trino.coordinator.resources.requests.memory | Coordinator memory request | 2Gi |
tdp-trino.coordinator.resources.limits.cpu | Coordinator CPU limit | 2 |
tdp-trino.coordinator.resources.limits.memory | Coordinator memory limit | 4Gi |
tdp-trino.worker.resources.requests.cpu | Worker CPU request | 1 |
tdp-trino.worker.resources.requests.memory | Worker memory request | 2Gi |
tdp-trino.worker.resources.limits.cpu | Worker CPU limit | 2 |
tdp-trino.worker.resources.limits.memory | Worker memory limit | 4Gi |
tdp-trino:
coordinator:
resources:
requests:
cpu: "2"
memory: "4Gi"
limits:
cpu: "4"
memory: "8Gi"
worker:
resources:
requests:
cpu: "2"
memory: "4Gi"
limits:
cpu: "4"
memory: "8Gi"
Autoscaling and Observability
The chart supports native HPA through tdp-trino.server.autoscaling and KEDA through tdp-trino.server.keda.
Do not combine native HPA and KEDA for the same workers.
Native HPA (tdp-trino.server.autoscaling.enabled) and JMX (tdp-trino.jmx.enabled) are enabled by default in the chart, with maxReplicas: 5, targetCPUUtilizationPercentage: 50, and targetMemoryUtilizationPercentage: 80.
To use KEDA instead of native HPA, set tdp-trino.server.autoscaling.enabled: false and tdp-trino.server.keda.enabled: true.
For KEDA, the cluster must have KEDA installed, Prometheus available with Trino JMX metrics, and tdp-trino.serviceMonitor.enabled: true when using Prometheus Operator.
HPA uses Kubernetes CPU and memory metrics to adjust the number of workers.
KEDA is used when scaling needs to respond to external metrics; in this chart, the example uses Prometheus querying Trino JMX metrics.
JMX exposes Trino internal metrics, and ServiceMonitor tells Prometheus Operator to collect them.
HPA example:
tdp-trino:
server:
workers: 2
autoscaling:
enabled: true
maxReplicas: 10
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
scaleUp:
stabilizationWindowSeconds: 0
worker:
resources:
requests:
cpu: "2"
memory: "8Gi"
limits:
cpu: "4"
memory: "16Gi"
KEDA example:
tdp-trino:
server:
autoscaling:
enabled: false
keda:
enabled: true
pollingInterval: 30
cooldownPeriod: 300
minReplicaCount: 1
maxReplicaCount: 10
triggers:
- type: prometheus
metricType: Value
metadata:
serverAddress: "http://prometheus-server.monitoring.svc.cluster.local"
threshold: "1"
metricName: required_workers
query: >-
sum(avg_over_time(trino_execution_ClusterSizeMonitor_RequiredWorkers{
service="tdp-trino"
}[1m]))
jmx:
enabled: true
exporter:
enabled: true
serviceMonitor:
enabled: true
Security
The chart adjusts HTTPS and authentication according to ldap.enabled:
| Mode | Behavior |
|---|---|
ldap.enabled: false (default) | Uses HTTP only on port 8080, with no required authentication, no certificate volumes, and no shared secrets. |
ldap.enabled: true | Enables HTTPS on port 8443, PASSWORD authentication, certificate mounts, shared secrets, and full LDAP integration. |
Ranger uses tdp-trino.accessControl and additional coordinator files, often together with certificates when HTTPS is required.
See Security - Trino for complete examples.
External exposure
Ingress and Gateway API are mutually exclusive, controlled by TDP-Settings.gateway.*. Trino is exposed on port 8080 (or 8443 with HTTPS/LDAP).
For the complete values examples (Ingress and Gateway API), see External exposure.
Local Access
kubectl -n <NAMESPACE> port-forward service/<RELEASE_NAME> 8080:8080
With LDAP/HTTPS, use port 8443 according to the applied configuration.
Troubleshooting
kubectl -n <NAMESPACE> get pods
kubectl -n <NAMESPACE> get svc
kubectl -n <NAMESPACE> get events --sort-by=.lastTimestamp
Uninstallation
helm uninstall <RELEASE_NAME> -n <NAMESPACE>
For the full parameter list, consult the chart values.yaml or run helm show values for the installed version.