mcp-trino Helm Chart Installation Guide

This guide provides step-by-step instructions for installing the mcp-trino Helm chart on Amazon EKS.

OAuth Authentication: mcp-trino uses oauth-mcp-proxy for OAuth 2.1 authentication. See the library documentation for detailed provider configuration and security best practices.

Quick Start

1. Prerequisites

  • Kubernetes cluster (EKS recommended)

  • Helm 3.0+ installed

  • kubectl configured for your cluster

  • AWS Load Balancer Controller (for EKS ingress)

2. Basic Installation

# Clone the repository
git clone https://github.com/tuannvm/mcp-trino.git
cd mcp-trino

# Install with default values
helm install mcp-trino ./charts/mcp-trino

# Check deployment status
kubectl get pods -l app.kubernetes.io/name=mcp-trino

3. Development Installation

4. Production Installation on EKS

Configuration Examples

Basic Trino Connection

OAuth with Okta - Fixed Redirect Mode (Development)

OAuth with Okta - Allowlist Mode (Production)

OAuth Native Mode (Zero Server-Side Secrets)

EKS with Load Balancer

Common Operations

Upgrading

Monitoring

Troubleshooting

Scaling

Security Considerations

Pod Security

The chart implements security best practices:

  • Non-root user (UID 65534)

  • Read-only root filesystem

  • Dropped capabilities

  • No privilege escalation

OAuth Security

Critical for Multi-Pod Deployments:

⚠️ JWT_SECRET must be configured when running multiple replicas to ensure state signing consistency:
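Why a shared secret matters, as an added illustration (not code from mcp-trino or oauth-mcp-proxy): the OAuth callback can land on a different replica than the one that signed the state. The sketch assumes an HMAC-SHA256 signed state and a random per-process key when JWT_SECRET is unset; podKey, signState, verifyState and callbackAccepted are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// podKey returns the signing key one replica would use: the shared JWT_SECRET
// when set, otherwise a random per-process key (assumed fallback behaviour).
func podKey(jwtSecret string) []byte {
	if jwtSecret != "" {
		return []byte(jwtSecret)
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func mac(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// signState returns "hexsig.payload" (hypothetical wire format).
func signState(key []byte, payload string) string {
	return hex.EncodeToString(mac(key, payload)) + "." + payload
}

// verifyState checks the signature under key using a constant-time compare.
func verifyState(key []byte, state string) bool {
	sigHex, payload, ok := strings.Cut(state, ".")
	sig, err := hex.DecodeString(sigHex)
	return ok && err == nil && hmac.Equal(sig, mac(key, payload))
}

// callbackAccepted: replica A signs the state, replica B handles the callback.
func callbackAccepted(secretA, secretB string) bool {
	return verifyState(podKey(secretB), signState(podKey(secretA), "nonce-123"))
}

func main() {
	fmt.Println(callbackAccepted("", ""), callbackAccepted("constructed-secret", "constructed-secret"))
}
```

With one replica the signer and verifier are the same process, so the mismatch only appears after scaling out, typically as intermittent callback failures.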

Redirect URI Modes:

  • Fixed Mode (single URI): Only accepts localhost callbacks (development)

  • Allowlist Mode (comma-separated): Exact match required (production)

  • See OAuth Architecture for security details

Network Policies

Enable network policies for production:

Secrets Management

For production, use external secret management:

Performance Tuning

Resource Allocation

Connection Pooling

The Trino client uses connection pooling by default:

  • Max open connections: 10

  • Max idle connections: 5

  • Connection max lifetime: 5 minutes

Query Timeout

AWS EKS Specific Setup

IAM Role for Service Account (IRSA)

  1. Create IAM role:

  2. Update values:

Load Balancer Controller

Ensure the AWS Load Balancer Controller is installed:

Cleanup

Next Steps

  • Configure monitoring with Prometheus

  • Set up log aggregation with FluentBit

  • Implement backup strategies for configuration

  • Set up multi-region deployment for HA

  • Configure custom domains with Route53

For more advanced configuration options, see the README.md.
