
Security — Trino

The tdp-trino chart supports LDAP authentication when ldap.enabled: true is set in the values file. Behavior summary:

  • ldap.enabled: false (default): HTTP (port 8080), no mandatory authentication, no extra certificate volumes for this flow.
  • ldap.enabled: true (with LDAP values): HTTPS (port 8443), PASSWORD authentication, certificates, and associated secrets.

Optional certificate resources: trinoCerts.pvc, trinoCerts.secret, trinoCerts.copyJob — see the chart's values.yaml.

Preparation

  • LDAP server accessible from the cluster.
  • Keystores/passwords required for HTTPS, stored in Kubernetes Secrets (do not commit real values to Git).

Create Secret with TLS materials (example)

kubectl -n <namespace> create secret generic <certificate-secret-name> \
--from-file=keystore.jks=<local-path>/keystore.jks

Adjust key names to what the chart expects (check in the Helm values export).

LDAP enabled (illustrative)

A supplementary file (e.g. values-ldap.yaml) typically sets ldap.enabled: true and adjusts trino.server.config (HTTPS, authenticationType, etc.). Replace hosts, DNs, and secrets with those from your directory:

ldap:
  enabled: true

trino:
  server:
    config:
      https:
        enabled: true
        port: 8443
        keystore:
          path: "/etc/trino/certs/keystore.jks"
      authenticationType: "PASSWORD"
      # Additional volumes, mounts, and files: follow the comments in helm show values

Installation or upgrade:

helm upgrade --install <release> oci://registry.tecnisys.com.br/tdp/charts/tdp-trino \
-n <namespace> --create-namespace \
-f values.yaml \
-f values-ldap.yaml

Connect with Trino client

HTTP (LDAP disabled):

kubectl -n <namespace> port-forward service/<release> 8080:8080 &
trino --server http://localhost:8080

HTTPS (LDAP enabled):

kubectl -n <namespace> port-forward service/<release> 8443:8443 &
trino --server https://localhost:8443 \
--user <ldap-user> \
--password \
--insecure

In production, prefer validating the certificate instead of using --insecure.
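The three steps above (the keystore Secret, the values-ldap.yaml overlay, and the client connection) are easy to get subtly inconsistent, which is where the "Pod does not start", "Login failure" and "Port error" cases come from. The script below is an added example, not code from the tdp-trino chart or its documentation: it reads the overlay with a small indentation-based lookup, checks that ldap.enabled: true is paired with HTTPS, a non-8080 port, PASSWORD authentication and a keystore path, optionally confirms the Secret carries the expected key, and prints a client command that validates the server certificate against a truststore instead of passing --insecure. It assumes the key layout shown on this page, the Secret key name keystore.jks from the kubectl example, and the Trino CLI's --truststore-path option; the truststore file itself (containing the CA or server certificate) is something you prepare, and all host, user and file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the tdp-trino chart): preflight checks for an
# LDAP/HTTPS overlay. Assumes the values layout shown on this page.

# values_get FILE DOTTED.KEY
# Minimal lookup for the indented key/scalar layout of the overlay: walks
# nested keys by indentation and prints the scalar (quotes stripped), or
# nothing if the path is absent. Not a general YAML parser.
values_get() {
  awk -v path="$2" '
    BEGIN { n = split(path, want, "."); level = 1; pind[0] = -1 }
    /^[[:space:]]*#/ { next }                    # comment line
    /^[[:space:]]*$/ { next }                    # blank line
    {
      match($0, /^ */); ind = RLENGTH
      line = substr($0, ind + 1)
      sub(/[[:space:]]*#.*$/, "", line)          # trailing comment
      c = index(line, ":"); if (c == 0) next
      key = substr(line, 1, c - 1); val = substr(line, c + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      gsub(/^"|"$/, "", val)
      # dedenting to (or past) the matched parent means we left its block
      while (level > 1 && ind <= pind[level - 1]) { delete cind[level]; level-- }
      if (!(level in cind)) cind[level] = ind    # indent of children at this level
      if (key == want[level] && ind == cind[level]) {
        if (level == n) { print val; exit }
        pind[level] = ind; level++
      }
    }' "$1"
}

# preflight FILE
# With ldap.enabled: true the overlay must also switch the server to HTTPS
# with PASSWORD auth and name a keystore; a port of 8080 is the classic
# client/server port mismatch. Prints findings, returns 1 on any mismatch.
preflight() {
  f=$1; rc=0
  ldap=$(values_get "$f" ldap.enabled)
  https=$(values_get "$f" trino.server.config.https.enabled)
  port=$(values_get "$f" trino.server.config.https.port)
  auth=$(values_get "$f" trino.server.config.authenticationType)
  ks=$(values_get "$f" trino.server.config.https.keystore.path)
  if [ "$ldap" != "true" ]; then
    echo "ldap.enabled is '${ldap:-unset}': plain HTTP/8080 mode, nothing more to check"
    return 0
  fi
  [ "$https" = "true" ] || { echo "https.enabled must be true when LDAP is on"; rc=1; }
  [ -n "$port" ] && [ "$port" != "8080" ] ||
    { echo "https.port is '${port:-unset}': expected the HTTPS port (8443 by default)"; rc=1; }
  [ "$auth" = "PASSWORD" ] || { echo "authenticationType is '${auth:-unset}', expected PASSWORD"; rc=1; }
  [ -n "$ks" ] || { echo "https.keystore.path is not set; the pod will not find its keystore"; rc=1; }
  return $rc
}

# secret_has_key NAMESPACE SECRET KEY
# Confirms the Secret created for the keystore carries the key name the
# chart mounts (e.g. keystore.jks). Needs cluster access; not run offline.
secret_has_key() {
  out=$(kubectl -n "$1" get secret "$2" -o go-template="{{ index .data \"$3\" }}" 2>/dev/null) &&
    [ -n "$out" ] && [ "$out" != "<no value>" ]
}

# client_cmd FILE USER TRUSTSTORE
# Prints the CLI command for the mode configured in FILE. In LDAP mode the
# server certificate is validated against TRUSTSTORE rather than skipped
# with --insecure (add --truststore-password if the truststore has one).
client_cmd() {
  if [ "$(values_get "$1" ldap.enabled)" = "true" ]; then
    port=$(values_get "$1" trino.server.config.https.port)
    printf 'trino --server https://localhost:%s --user %s --password --truststore-path %s\n' \
      "${port:-8443}" "$2" "$3"
  else
    printf 'trino --server http://localhost:8080\n'
  fi
}

# Stand-alone demo on a constructed overlay: sh preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' 'ldap:' '  enabled: true' 'trino:' '  server:' '    config:' \
    '      https:' '        enabled: true' '        port: 8443' '        keystore:' \
    '          path: "/etc/trino/certs/keystore.jks"' '      authenticationType: "PASSWORD"' > "$tmp"
  preflight "$tmp" && client_cmd "$tmp" '<ldap-user>' truststore.jks
  rm -f "$tmp"
fi
```

Run it against your real overlay with `preflight values-ldap.yaml` before `helm upgrade --install`, and `secret_has_key <namespace> <certificate-secret-name> keystore.jks` once the Secret exists. Certificate validation also means the certificate must match the name you connect to: with a port-forward to localhost, the keystore certificate needs to cover localhost, or you connect through a host name it does cover.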

Quick comparison

Mode                  Typical port   Authentication         HTTPS
ldap.enabled: false   8080           None (chart default)   No
ldap.enabled: true    8443           PASSWORD (LDAP)        Yes

Main Parameters

Parameter                                LDAP off   LDAP on
ldap.enabled                             false      true
trino.server.config.https.enabled        false      true
trino.server.config.authenticationType   ""         PASSWORD
trinoCerts.pvc.enabled                   false      true (typical)
trinoCerts.secret.enabled                false      true (typical)

Best practices

  • Prefer LDAPS (port 636) in production over plain LDAP.
  • Rotate keystore passwords and secrets.
  • Restrict LDAP bind user permissions.

Troubleshooting

Problem                        What to check
Pod does not start with LDAP   Keystore paths, Secret, and trinoCerts.*
Login failure                  Bind/DN pattern and LDAP connectivity
Port error                     Client using 8080 vs 8443 depending on mode

For the full list of parameters, use helm show values for the chart version you installed.