From cb1b762f9db6f30b33ea69b690cd670d82fd7ee3 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 10 Mar 2026 10:01:33 +0100 Subject: [PATCH 1/4] cluster first, catalogs after --- .../20-install-trino.yaml.j2 | 88 +++++++++---------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/tests/templates/kuttl/opa-authorization/20-install-trino.yaml.j2 b/tests/templates/kuttl/opa-authorization/20-install-trino.yaml.j2 index 888d7159..be67c0a8 100644 --- a/tests/templates/kuttl/opa-authorization/20-install-trino.yaml.j2 +++ b/tests/templates/kuttl/opa-authorization/20-install-trino.yaml.j2 @@ -1,4 +1,48 @@ --- +apiVersion: trino.stackable.tech/v1alpha1 +kind: TrinoCluster +metadata: + name: trino +spec: + image: +{% if test_scenario['values']['trino'].find(",") > 0 %} + custom: "{{ test_scenario['values']['trino'].split(',')[1] }}" + productVersion: "{{ test_scenario['values']['trino'].split(',')[0] }}" +{% else %} + productVersion: "{{ test_scenario['values']['trino'] }}" +{% endif %} + pullPolicy: IfNotPresent + clusterConfig: + catalogLabelSelector: + matchLabels: + trino: trino + authentication: + - authenticationClass: trino-users-auth + authorization: + opa: + configMapName: opa + package: trino +{% if lookup('env', 'VECTOR_AGGREGATOR') %} + vectorAggregatorConfigMapName: vector-aggregator-discovery +{% endif %} + coordinators: + config: + logging: + enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} + roleGroups: + default: + replicas: 1 + config: {} + workers: + config: + gracefulShutdownTimeout: 10s # Let the test run faster + logging: + enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} + roleGroups: + default: + replicas: 1 + config: {} +--- apiVersion: authentication.stackable.tech/v1alpha1 kind: AuthenticationClass metadata: 
@@ -64,47 +108,3 @@ spec: configMap: hive # It's fine to reuse the existing HMS for tests. Not recommended for production though, there a dedicated HMS should be used. s3: reference: minio ---- -apiVersion: trino.stackable.tech/v1alpha1 -kind: TrinoCluster -metadata: - name: trino -spec: - image: -{% if test_scenario['values']['trino'].find(",") > 0 %} - custom: "{{ test_scenario['values']['trino'].split(',')[1] }}" - productVersion: "{{ test_scenario['values']['trino'].split(',')[0] }}" -{% else %} - productVersion: "{{ test_scenario['values']['trino'] }}" -{% endif %} - pullPolicy: IfNotPresent - clusterConfig: - catalogLabelSelector: - matchLabels: - trino: trino - authentication: - - authenticationClass: trino-users-auth - authorization: - opa: - configMapName: opa - package: trino -{% if lookup('env', 'VECTOR_AGGREGATOR') %} - vectorAggregatorConfigMapName: vector-aggregator-discovery -{% endif %} - coordinators: - config: - logging: - enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} - roleGroups: - default: - replicas: 1 - config: {} - workers: - config: - gracefulShutdownTimeout: 10s # Let the test run faster - logging: - enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} - roleGroups: - default: - replicas: 1 - config: {} From 3cacc684591c18c6ac9f8b8dca0eec550677709e Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 10 Mar 2026 16:47:00 +0100 Subject: [PATCH 2/4] fix: do not pass catalog credentials through the environment --- rust/operator-binary/src/catalog/commons.rs | 4 ++-- rust/operator-binary/src/catalog/config.rs | 7 +++---- rust/operator-binary/src/command.rs | 6 ++++++ 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/rust/operator-binary/src/catalog/commons.rs b/rust/operator-binary/src/catalog/commons.rs index fc3f4e26..af733136 100644 --- a/rust/operator-binary/src/catalog/commons.rs +++ b/rust/operator-binary/src/catalog/commons.rs 
@@ -123,8 +123,8 @@ impl ExtendCatalogConfig for s3::v1alpha1::InlineConnectionOrReference { ..=468 => ("hive.s3.aws-access-key", "hive.s3.aws-secret-key"), 469.. => ("s3.aws-access-key", "s3.aws-secret-key"), }; - catalog_config.add_env_property_from_file(access_key_prop, access_key); - catalog_config.add_env_property_from_file(secret_key_prop, secret_key); + catalog_config.add_property_from_file(access_key_prop, access_key); + catalog_config.add_property_from_file(secret_key_prop, secret_key); } match trino_version { diff --git a/rust/operator-binary/src/catalog/config.rs b/rust/operator-binary/src/catalog/config.rs index de6a18ad..1ac8587d 100644 --- a/rust/operator-binary/src/catalog/config.rs +++ b/rust/operator-binary/src/catalog/config.rs @@ -55,15 +55,14 @@ impl CatalogConfig { self.properties.insert(property.into(), value.into()); } - pub fn add_env_property_from_file( + pub fn add_property_from_file( &mut self, property: impl Into, file_name: impl Into, ) { let property = property.into(); - let env_name = calculate_env_name(&self.name, &property); - self.add_property(&property, format!("${{ENV:{env_name}}}")); - self.load_env_from_files.insert(env_name, file_name.into()); + let file = file_name.into(); + self.add_property(&property, format!("${{file:UTF-8:{file}}}")); } pub fn add_env_property_from_secret( diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index e14cac17..fc90b94e 100644 --- a/rust/operator-binary/src/command.rs +++ b/rust/operator-binary/src/command.rs 
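Review bot: In the config.rs hunk, `add_property_from_file` now stores a `${file:UTF-8:<path>}` placeholder but has no doc comment saying who expands it or what that means for the secret. I would add a `///` comment stating that the property is set to a file placeholder, that it is expanded by the `config-utils template` step added to command.rs in this commit, and that the rendered catalog file in the writable config directory then holds the credential in plaintext. The path is interpolated as-is, so a `}` or a newline in `file_name` would yield a malformed placeholder; presumably every caller passes an operator-generated mount path, which is worth stating in the comment. `add_env_property_from_secret`, visible as trailing context, appears to still go through the environment, so the commit subject may hold only for file-backed credentials; please confirm.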
@@ -112,6 +112,12 @@ pub fn container_trino_args( } }); + // Resolve credentials in all catalog configs. + args.push(format!( + "for catalog_file in {rw_conf}/catalog/*; do test -f \"$catalog_file\" && config-utils template \"$catalog_file\"; done", + rw_conf = RW_CONFIG_DIR_NAME + )); + // Resolve credentials for fault tolerant execution exchange manager if needed args.push(format!( "test -f {rw_exchange_manager_config_file} && config-utils template {rw_exchange_manager_config_file}", From 0f996c540126a01e62a98db61aa2f52dd784e3c5 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 10 Mar 2026 16:56:02 +0100 Subject: [PATCH 3/4] remove unused field --- rust/operator-binary/src/catalog/config.rs | 6 ------ rust/operator-binary/src/command.rs | 10 +--------- rust/operator-binary/src/controller.rs | 2 +- 3 files changed, 2 insertions(+), 16 deletions(-) diff --git a/rust/operator-binary/src/catalog/config.rs b/rust/operator-binary/src/catalog/config.rs index 1ac8587d..5efa5624 100644 --- a/rust/operator-binary/src/catalog/config.rs +++ b/rust/operator-binary/src/catalog/config.rs @@ -21,11 +21,6 @@ pub struct CatalogConfig { /// List of EnvVar that will be added to every Trino container pub env_bindings: Vec, - /// Env-Vars that should be exported. - /// The value will be read from the file specified. - /// You can think of it like `export ="$(cat )"` - pub load_env_from_files: BTreeMap, - /// Additional commands that needs to be executed before starting Trino pub init_container_extra_start_commands: Vec, @@ -42,7 +37,6 @@ impl CatalogConfig { name: name.into(), properties: BTreeMap::new(), env_bindings: Vec::new(), - load_env_from_files: BTreeMap::new(), init_container_extra_start_commands: Vec::new(), volumes: Vec::new(), volume_mounts: Vec::new(), diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index fc90b94e..8fc33c6c 100644 --- a/rust/operator-binary/src/command.rs 
+++ b/rust/operator-binary/src/command.rs @@ -82,10 +82,7 @@ pub fn container_prepare_args( args } -pub fn container_trino_args( - authentication_config: &TrinoAuthenticationConfig, - catalogs: &[CatalogConfig], -) -> Vec { +pub fn container_trino_args(authentication_config: &TrinoAuthenticationConfig) -> Vec { let mut args = vec![ // copy config files to a writeable empty folder format!( @@ -106,11 +103,6 @@ pub fn container_trino_args( // Add the commands that are needed to set up the catalogs // Don't print secret contents! args.push("set +x".to_string()); - catalogs.iter().for_each(|catalog| { - for (env_name, file) in &catalog.load_env_from_files { - args.push(format!("export {env_name}=\"$(cat {file})\"")); - } - }); // Resolve credentials in all catalog configs. args.push(format!( diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index 80ecdb28..e11b8cb4 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -1243,7 +1243,7 @@ fn build_rolegroup_statefulset( "-c".to_string(), ]) .args(vec![ - command::container_trino_args(trino_authentication_config, catalogs).join("\n"), + command::container_trino_args(trino_authentication_config).join("\n"), ]) .add_env_vars(env) .add_volume_mount("config", CONFIG_DIR_NAME) From c8a0c6bff97c79f0be8cca02843937dc6bba317d Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:11:09 +0100 Subject: [PATCH 4/4] recurse into catalog subfolders --- rust/operator-binary/src/command.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index 8fc33c6c..a46daf14 100644 --- a/rust/operator-binary/src/command.rs +++ b/rust/operator-binary/src/command.rs 
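Review bot: In the second command.rs hunk, the comment `// Add the commands that are needed to set up the catalogs` stays above `args.push("set +x".to_string());` although the export loop it introduced is deleted, so it no longer describes anything that follows. I would drop that line and keep `// Don't print secret contents!`, rewording it to say that tracing is switched off before the `config-utils template` calls. The body of `container_trino_args` extends beyond the hunk.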
@@ -106,7 +106,7 @@ pub fn container_trino_args(authentication_config: &TrinoAuthenticationConfig) - // Resolve credentials in all catalog configs. args.push(format!( - "for catalog_file in {rw_conf}/catalog/*; do test -f \"$catalog_file\" && config-utils template \"$catalog_file\"; done", + "find {rw_conf}/catalog -type f -exec config-utils template '{{}}' ';'", rw_conf = RW_CONFIG_DIR_NAME ));
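Review bot: The new `find … -exec config-utils template '{}' ';'` line does not surface a failed render, because with the `';'` form find's own exit status ignores the status of the executed command. A catalog file whose referenced secret file is missing or unreadable would then presumably keep its literal `${file:…}` placeholder while startup carries on; whether the surrounding script runs under `set -e` is not visible here. A form that propagates the failure is `"find {rw_conf}/catalog -type f -exec sh -c 'for f; do config-utils template \"$f\" || exit 1; done' sh '{{}}' +"`. Separately, `-type f` skips symlinks where the replaced `test -f` followed them, so if the copy into the writable directory preserves symlinks those files would be left unrendered; `find -L` would keep the old behaviour. `container_trino_args` begins and ends outside the hunk.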