[charts][trino] add additionalSecrets

[luismacosta]

[charts][trino] add additionalSecrets:

• move catalogs from confimap to secrets
• use ldap config as a secret

Purpose: allow catalogs configuration using secrets. Don't expose passwords in a configMap

@nineinchnick @mosabua can you please review? Thanks
cla sent today via email

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[nineinchnick]

Check the CI workflow runs for errors

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[mosabua]

What is the motivation and need for this change? Also .. is this a breaking change (which is bad in my opinion) or does it duplicate and allow both setups (which is also bad)

[luismacosta]

I would like to avoid having passwords in the configmap and use secrets instead

[mosabua]

You can do that already .. there is no need to have the whole catalog as secret

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[luismacosta]

Hello @nineinchnick

I've applied the changes requested
In order to allow both ConfigMap or Secret, for catalogs creation, this valuation had to be changed:

{{- if or .Values.catalogs .Values.additionalCatalogs}}

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[nineinchnick]

What's the advantage of using this over catalogs? Please update the PR description with the rationale for the change.

[nineinchnick]

Purpose: allow catalogs configuration using secrets. Don't expose passwords in a configMap

Secrets are not a lot more secure. They obfuscate the values, but if anyone has access to configmaps, they can read secrets too. There's also no audit logs who read secrets. It's better to reference sensitive properties from outside, see https://trino.io/docs/current/security/secrets.html. You can already mount additional secrets as env vars using .Values.envFrom.

[luismacosta]

Purpose: allow catalogs configuration using secrets. Don't expose passwords in a configMap

Secrets are not a lot more secure. They obfuscate the values, but if anyone has access to configmaps, they can read secrets too. There's also no audit logs who read secrets. It's better to reference sensitive properties from outside, see https://trino.io/docs/current/security/secrets.html. You can already mount additional secrets as env vars using .Values.envFrom.

I've many catalogs configured, mount additional secrets as env vars would required different envs vars per each catalog, mount additional secrets as env vars using .Values.envFrom. is an approach that we do want to follow. My goal is to have simple config. Declare all catalogs config in the same secrets.yaml, as I'm using mozilla sops to encrypt it as a values.yaml, in order to have the config committed in github.

[nineinchnick]

mount additional secrets as env vars would required different envs vars per each catalog, mount additional secrets as env vars using .Values.envFrom.

Can you give an example?

[luismacosta]

mount additional secrets as env vars would required different envs vars per each catalog, mount additional secrets as env vars using .Values.envFrom.

Can you give an example?

I've:

• Chart.yaml: trino helm chart is defined as a dependency
• values.yaml: overrides defaults values.yaml from helm chart

trino:
  catalogs: {}
  secretMounts:
    - name: catalogs
      secretName: catalogs
      path: /etc/trino/catalog

• secrets.yaml: all catalogs configured using catalogsSecrets and the file is encrypted with mozilla sops, using vault key

trino:
  - name: catalogs
    value:
      #hive
      aaaaa.properties: |
        connector.name=hive
        hive.metastore.uri=
        fs.native-s3.enabled=true
      #iceberg
      bbbbb.properties: |
          connector.name=iceberg
          hive.metastore.uri=
      #mariadb
      cccc.properties: |
        connector.name=mariadb
        connection-url=
        connection-user=
        connection-password=
      #postgresql
      dddd_data.properties: |
        connector.name=postgresql
        connection-url=
        connection-user=
        connection-password=

• ArgoCD appSet reads values.yaml + secrets.yaml as values, uses vault key to decrypt secrets.yaml and deploy trino in eks cluster

[nineinchnick]

Sorry, I don't understand this use case. All the catalogs you provided are different. I don't see why you couldn't reference env vars in them and mount the env vars from a secret.

[luismacosta]

Sorry, I don't understand this use case. All the catalogs you provided are different. I don't see why you couldn't reference env vars in them and mount the env vars from a secret.

Those catalogs are just an example of configuration. I've multiple catalogs for several database engines. I can refer env vars and mount the env vars from a secret. In that case I would need multiple env vars for each catalog password and declare them with .Values.envFrom. It would be a complex configuration in my values.yaml. With secrets.yaml I can have the entire catalogs config in one place, without having the need to declare .Values.envFrom with many env vars.

[nineinchnick]

You reference a single secret in .Values.envFrom and all its keys will be available as different environmental variables. You manage this secret outside the chart. Can you give a complete example how this requires a complex configuration in values.yaml?

[luismacosta]

You reference a single secret in .Values.envFrom and all its keys will be available as different environmental variables. You manage this secret outside the chart. Can you give a complete example how this requires a complex configuration in values.yaml?

Let's say that I've 50 catalogs (postgresql, mariadb, mongodb, scylladb, hive, iceberg)

values.yaml

trino: 
  envFrom:
     - secretRef:
       name: catalogs
  catalogs:
    aaaaa.properties: |
      connector.name=hive
      hive.metastore.uri=
      fs.native-s3.enabled=true
    #iceberg
    bbbbb.properties: |
        connector.name=iceberg
        hive.metastore.uri=
    #mariadb
    cccc.properties: |
      connector.name=mariadb
      connection-url=
      connection-user=
      connection-password=${ENV:DB_PASSWORD_CCCC}
    #postgresql
    dddd_data.properties: |
      connector.name=postgresql
      connection-url=
      connection-user=
      connection-password=${ENV:DB_PASSWORD_DDDD}

The secret.yaml from helm chart (https://github.com/trinodb/charts/blob/main/charts/trino/templates/secret.yaml) does not allow to create more secrets, but that's not a problem, I could create my own template, which would need a config to store all passwords as env vars. I would like to avoid the creation of this secret. With the change that I'm proposing in this PR, is possible to create a single secret, where I have catalogs configured with the passwords under connection-password=passordx and I don't need to declare .Values.envFrom. Also, I would like to pull your chart without having the need to add extra templates.

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[nineinchnick]

@cla-bot check

[cla-bot]

The cla-bot has been summoned, and re-checked this pull request!

[luismacosta]

@nineinchnick Can you please review this PR? Thanks.

[nineinchnick]

So the main change here is to store catalogs in secrets, instead of a configmap? I don't think adding a second property is a good way to solve this. Using a secret is not more secure than using a configmap, and makes debugging harder, since you have to decode its contents. Think about how users will need to pick which property to use.