reduce size of demo and prepare for public use

Author: adwk67

stacks/airflow-trino-dbt/airflow.yaml

@@ -0,0 +1,155 @@
+---
+apiVersion: airflow.stackable.tech/v1alpha1
+kind: AirflowCluster
+metadata:
+  name: airflow
+spec:
+  image:
+    productVersion: 3.0.6
+    pullPolicy: IfNotPresent
+  clusterConfig:
+    vectorAggregatorConfigMapName: vector-aggregator-discovery
+    authorization:
+      opa:
+        configMapName: opa
+        package: airflow
+        cache:
+          entryTimeToLive: 5s
+          maxEntries: 10
+    loadExamples: false
+    credentialsSecret: airflow-credentials
+    volumes:
+      - name: airflow-dags
+        configMap:
+          name: airflow-dags
+    volumeMounts:
+      - name: airflow-dags
+        mountPath: /stackable/airflow/dags/dbt.py
+        subPath: dbt.py
+  webservers:
+    roleConfig:
+      listenerClass: external-stable
+    config:
+      logging:
+        enableVectorAgent: true
+      resources:
+        cpu:
+          min: "2"
+          max: "3"
+        memory:
+          limit: 3Gi
+    roleGroups:
+      default:
+        replicas: 1
+  celeryExecutors:
+    config:
+      logging:
+        enableVectorAgent: true
+      resources:
+        cpu:
+          min: "2"
+          max: "3"
+        memory:
+          limit: 4Gi
+    roleGroups:
+      default:
+        replicas: 1
+  # kubernetesExecutors:
+  #   config: {}
+  schedulers:
+    config:
+      logging:
+        enableVectorAgent: true
+    roleGroups:
+      default:
+        replicas: 1
+  dagProcessors:
+    config:
+      logging:
+        enableVectorAgent: true
+    roleGroups:
+      default:
+        replicas: 1
+  triggerers:
+    config:
+      logging:
+        enableVectorAgent: true
+    roleGroups:
+      default:
+        replicas: 1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: airflow-dags
+data:
+  dbt.py: |
+    from airflow import DAG
+    from airflow.providers.cncf.kubernetes.operators.pod import KubernetesPodOperator
+    from kubernetes.client import models as k8s
+    from kubernetes.client import V1EnvVar, V1EnvVarSource, V1SecretKeySelector
+
+    tls_volume = k8s.V1Volume(
+        name="server-tls-mount",
+        ephemeral=k8s.V1EphemeralVolumeSource(
+            volume_claim_template=k8s.V1PersistentVolumeClaimTemplate(
+                metadata=k8s.V1ObjectMeta(
+                    annotations={
+                        "secrets.stackable.tech/class": "trino-tls",
+                        "secrets.stackable.tech/scope": "pod,node"
+                    }
+                ),
+                spec=k8s.V1PersistentVolumeClaimSpec(
+                    access_modes=["ReadWriteOnce"],
+                    resources=k8s.V1ResourceRequirements(
+                        requests={"storage": "1"}
+                    ),
+                    storage_class_name="secrets.stackable.tech"
+                )
+            )
+        )
+    )
+
+    tls_volume_mount = k8s.V1VolumeMount(
+      name="server-tls-mount", mount_path="/dbt/trusted"
+    )
+
+    pod_security_context = k8s.V1PodSecurityContext(
+        fs_group=1000
+    )
+
+    with DAG(
+        dag_id="run_dbt",
+        schedule=None,
+        tags=["Demo", "DBT"],
+        catchup=False
+    ) as dag:
+      run_dbt = KubernetesPodOperator(
+          image="oci.stackable.tech/sandbox/andrew/dbt-trino:0.0.1",
+          image_pull_policy="IfNotPresent",
+          cmds=["/bin/bash", "-x", "-euo", "pipefail", "-c"],
+          arguments=["cd /dbt && export DBT_PROFILES_DIR=/dbt && dbt debug"],
+          name="run-dbt",
+          task_id="dbt-test",
+          get_logs=True,
+          volumes=[tls_volume],
+          volume_mounts=[tls_volume_mount],
+          env_vars=[
+              V1EnvVar(
+                  name="TRINO_PASSWORD",
+                  value_from=V1EnvVarSource(
+                      secret_key_ref=V1SecretKeySelector(
+                          name="demo-password",
+                          key="password"
+                      )
+                  )
+              ),
+              V1EnvVar(name="TRINO_USER", value="admin"),
+              V1EnvVar(name="TRINO_HOST", value="trino-coordinator-default-headless.default.svc.cluster.local"),
+              V1EnvVar(name="TRINO_PORT", value="8443"),
+              V1EnvVar(name="CERT_PATH", value="/dbt/trusted/ca.crt"),
+          ],
+          security_context=pod_security_context,
+          startup_timeout_seconds=600
+      )
+      run_dbt

stacks/airflow-trino-dbt/hive-metastores.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: hive.stackable.tech/v1alpha1
+kind: HiveCluster
+metadata:
+  name: hive-iceberg
+spec:
+  image:
+    productVersion: 4.1.0
+  clusterConfig:
+    database:
+      connString: jdbc:postgresql://postgresql-hive-iceberg:5432/hive
+      dbType: postgres
+      credentialsSecret: postgres-credentials
+    s3:
+      reference: minio
+  metastore:
+    roleGroups:
+      default:
+        replicas: 1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-credentials
+type: Opaque
+stringData:
+  username: hive
+  password: hive

stacks/trino-iceberg/opa-rules.yaml stacks/airflow-trino-dbt/opa-rules.yamlstacks/trino-iceberg/opa-rules.yaml renamed to stacks/airflow-trino-dbt/opa-rules.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: s3.stackable.tech/v1alpha1
+kind: S3Connection
+metadata:
+  name: minio
+spec:
+  host: minio.default.svc.cluster.local
+  port: 9000
+  accessStyle: Path
+  credentials:
+    secretClass: minio-s3-credentials
+  tls:
+    verification:
+      server:
+        caCert:
+          secretClass: tls
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: minio-s3-credentials
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {}

stacks/trino-iceberg/opa.yaml stacks/airflow-trino-dbt/opa.yamlstacks/trino-iceberg/opa.yaml renamed to stacks/airflow-trino-dbt/opa.yaml

@@ -0,0 +1,138 @@
+---
+apiVersion: trino.stackable.tech/v1alpha1
+kind: TrinoCluster
+metadata:
+  name: trino
+spec:
+  image:
+    productVersion: "477"
+  clusterConfig:
+    catalogLabelSelector:
+      matchLabels:
+        trino: trino
+    authentication:
+      - authenticationClass: trino-users
+    authorization:
+      opa:
+        configMapName: opa
+        package: trino
+    tls:
+      serverSecretClass: trino-tls
+      internalSecretClass: trino-internal-tls
+  coordinators:
+    roleGroups:
+      default:
+        replicas: 1
+    roleConfig:
+      listenerClass: external-stable
+  workers:
+    roleGroups:
+      default:
+        replicas: 1
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: trino-tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        secret:
+          name: secret-provisioner-trino-tls-ca
+          namespace: default
+        autoGenerate: true
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: trino-internal-tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        secret:
+          name: secret-provisioner-trino-internal-tls-ca
+          namespace: default
+        autoGenerate: true
+---
+apiVersion: authentication.stackable.tech/v1alpha1
+kind: AuthenticationClass
+metadata:
+  name: trino-users
+spec:
+  provider:
+    static:
+      userCredentialsSecret:
+        name: trino-users
+---
+apiVersion: trino.stackable.tech/v1alpha1
+kind: TrinoCatalog
+metadata:
+  name: iceberg
+  labels:
+    trino: trino
+spec:
+  connector:
+    iceberg:
+      metastore:
+        configMap: hive-iceberg
+      s3:
+        reference: minio
+---
+apiVersion: trino.stackable.tech/v1alpha1
+kind: TrinoCatalog
+metadata:
+  name: dpx
+  labels:
+    trino: trino
+spec:
+  connector:
+    generic:
+      connectorName: postgresql
+      properties:
+        connection-url:
+          value: jdbc:postgresql://140.238.212.205:55432/suva
+        connection-user:
+          valueFromSecret:
+            name: dpx-credentials
+            key: username
+        connection-password:
+          valueFromSecret:
+            name: dpx-credentials
+            key: password
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trino-opa-bundle
+  labels:
+    opa.stackable.tech/bundle: "trino"
+data:
+  trino.rego: |
+    package trino
+
+    default allow = false
+
+    # Allow non-batched access
+    allow if {
+      is_admin
+    }
+    # Allow batched access
+    batch contains i if {
+      some i
+      input.action.filterResources[i]
+      is_admin
+    }
+    # Corner case: filtering columns is done with a single table item, and many columns inside
+    batch contains i if {
+      some i
+      input.action.operation == "FilterColumns"
+      count(input.action.filterResources) == 1
+      input.action.filterResources[0].table.columns[i]
+      is_admin
+    }
+
+    is_admin() if {
+      input.context.identity.user == "admin"
+    }