mcp-trino Helm Chart Installation Guide

This guide provides step-by-step instructions for installing the mcp-trino Helm chart on Amazon EKS.

OAuth Authentication: mcp-trino uses oauth-mcp-proxy for OAuth 2.1 authentication. See the library documentation for detailed provider configuration and security best practices.

Quick Start

1. Prerequisites

  • Kubernetes cluster (EKS recommended)

  • Helm 3.0+ installed

  • kubectl configured for your cluster

  • AWS Load Balancer Controller (for EKS ingress)

2. Basic Installation

# Clone the repository
git clone https://github.com/tuannvm/mcp-trino.git
cd mcp-trino

# Install with default values
helm install mcp-trino ./charts/mcp-trino

# Check deployment status
kubectl get pods -l app.kubernetes.io/name=mcp-trino

3. Development Installation

# Install with development values
helm install mcp-trino ./charts/mcp-trino -f ./charts/mcp-trino/values-development.yaml

# Port forward to test locally
kubectl port-forward svc/mcp-trino 8080:8080

# Test the MCP server
curl http://localhost:8080/

4. Production Installation on EKS

# Copy and customize production values
cp ./charts/mcp-trino/values-production.yaml my-production-values.yaml

# Edit the values file with your specific configuration
# - Update trino.host to your Trino server
# - Configure OAuth settings if needed
# - Set appropriate resource limits
# - Configure IRSA role ARN

# Install with production configuration
helm install mcp-trino ./charts/mcp-trino -f my-production-values.yaml

# Verify installation
helm test mcp-trino

Configuration Examples

Basic Trino Connection

# values.yaml
trino:
  host: "my-trino.company.com"
  port: 8080
  user: "analytics-user"
  catalog: "hive"
  schema: "analytics"

OAuth with Okta - Fixed Redirect Mode (Development)

# values.yaml - Development with localhost support
trino:
  oauth:
    enabled: true
    mode: "proxy"
    provider: "okta"
    jwtSecret: ""  # Generate with: openssl rand -hex 32
    redirectURIs: "https://mcp-server.company.com/oauth/callback"  # Fixed mode
    oidc:
      issuer: "https://company.okta.com"
      audience: "trino-mcp"
      clientId: "mcp-client-id"

# Install with secrets
helm install mcp-trino ./charts/mcp-trino \
  -f values.yaml \
  --set trino.oauth.jwtSecret="$(openssl rand -hex 32)" \
  --set trino.oauth.oidc.clientSecret="your-client-secret"

OAuth with Okta - Allowlist Mode (Production)

# values.yaml - Production with allowlist
trino:
  oauth:
    enabled: true
    mode: "proxy"
    provider: "okta"
    jwtSecret: ""  # Must be same across all pods
    redirectURIs: "https://app1.company.com/callback,https://app2.company.com/callback"  # Allowlist mode
    oidc:
      issuer: "https://company.okta.com"
      audience: "https://api.company.com"
      clientId: "production-client-id"

# Install with secrets
helm install mcp-trino ./charts/mcp-trino \
  -f values.yaml \
  --set trino.oauth.jwtSecret="your-persistent-jwt-secret" \
  --set trino.oauth.oidc.clientSecret="your-client-secret"

OAuth Native Mode (Zero Server-Side Secrets)

# values.yaml - Most secure, client handles OAuth
trino:
  oauth:
    enabled: true
    mode: "native"
    provider: "okta"
    oidc:
      issuer: "https://company.okta.com"
      audience: "https://mcp-server.com"
      # No clientId or clientSecret needed

# Install without secrets
helm install mcp-trino ./charts/mcp-trino -f values.yaml

EKS with Load Balancer

# values.yaml
service:
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal

eks:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/mcp-trino-role

Common Operations

Upgrading

# Upgrade to new version
helm upgrade mcp-trino ./charts/mcp-trino --reuse-values

# Upgrade with new configuration
helm upgrade mcp-trino ./charts/mcp-trino -f my-values.yaml

Monitoring

# Check pod status
kubectl get pods -l app.kubernetes.io/name=mcp-trino

# View logs
kubectl logs -l app.kubernetes.io/name=mcp-trino

# Check service endpoints
kubectl get svc mcp-trino

# Test connectivity
kubectl run curl --image=curlimages/curl -i --tty --rm -- \
  curl -f http://mcp-trino:8080/

Troubleshooting

# Check pod events
kubectl describe pod -l app.kubernetes.io/name=mcp-trino

# Check service
kubectl describe svc mcp-trino

# Check ingress (if enabled)
kubectl describe ingress mcp-trino

# View configuration
kubectl get configmap mcp-trino -o yaml
kubectl get secret mcp-trino -o yaml

Scaling

# Manual scaling
kubectl scale deployment mcp-trino --replicas=3

# Enable autoscaling via values
helm upgrade mcp-trino ./charts/mcp-trino \
  --set autoscaling.enabled=true \
  --set autoscaling.minReplicas=2 \
  --set autoscaling.maxReplicas=10

Security Considerations

Pod Security

The chart implements security best practices:

  • Non-root user (UID 65534)

  • Read-only root filesystem

  • Dropped capabilities

  • No privilege escalation

OAuth Security

Critical for Multi-Pod Deployments:

⚠️ JWT_SECRET must be configured when running multiple replicas to ensure state signing consistency:

# Generate secure JWT secret
export JWT_SECRET=$(openssl rand -hex 32)

helm install mcp-trino ./charts/mcp-trino \
  --set trino.oauth.jwtSecret="$JWT_SECRET"

Redirect URI Modes:

  • Fixed Mode (single URI): Only accepts localhost callbacks (development)

  • Allowlist Mode (comma-separated): Exact match required (production)

  • See OAuth Architecture for security details

Network Policies

Enable network policies for production:

networkPolicy:
  enabled: true
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ai-services

Secrets Management

For production, use external secret management:

# Use AWS Secrets Manager
extraEnvVarsSecret: "mcp-trino-secrets"

# Or use sealed secrets
trino:
  password: ""  # Leave empty, provide via sealed secret
  oauth:
    jwtSecret: ""  # Provide via sealed secret
    oidc:
      clientSecret: ""  # Provide via sealed secret

Performance Tuning

Resource Allocation

resources:
  requests:
    cpu: 200m
    memory: 256Mi
  limits:
    cpu: 1000m
    memory: 1Gi

Connection Pooling

Trino client uses connection pooling by default:

  • Max open connections: 10

  • Max idle connections: 5

  • Connection max lifetime: 5 minutes

Query Timeout

trino:
  queryTimeout: 60  # seconds

AWS EKS Specific Setup

IAM Role for Service Account (IRSA)

  1. Create IAM role:

eksctl create iamserviceaccount \
  --name mcp-trino \
  --namespace default \
  --cluster my-cluster \
  --attach-policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess \
  --approve

  1. Update values:

eks:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/eksctl-cluster-addon-iamserviceaccount-Role

Load Balancer Controller

Ensure AWS Load Balancer Controller is installed:

helm repo add eks https://aws.github.io/eks-charts
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=my-cluster

Cleanup

# Uninstall the chart
helm uninstall mcp-trino

# Clean up test resources
kubectl delete pod --selector=helm.sh/hook=test

Next Steps

  • Configure monitoring with Prometheus

  • Set up log aggregation with FluentBit

  • Implement backup strategies for configuration

  • Set up multi-region deployment for HA

  • Configure custom domains with Route53

For more advanced configuration options, see the README.md.

PreviouschartsNextmcp-trino Helm Chart

Last updated

Was this helpful?