This is an automated email from the ASF dual-hosted git repository.
mchades pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 94d6045856 [#11268] fix(helm): enterprise readiness cleanups and follow-up fixes for chart (#11514)
94d6045856 is described below
commit 94d6045856d4830733ce624df06574c1bc9d27c0
Author: Danhua Wang <[email protected]>
AuthorDate: Wed Jun 10 18:40:39 2026 +0800
[#11268] fix(helm): enterprise readiness cleanups and follow-up fixes for chart (#11514)
### What changes were proposed in this pull request?
This PR includes the enterprise readiness cleanups for the Helm chart
(authored by @markhoerth) plus follow-up fixes for template correctness
and CI stability issues discovered during review.
**Commit 1 (by @markhoerth):** `feat(helm): enterprise readiness cleanups for chart`
- Remove vendor-specific property references from ci-values.yaml and
values.yaml
- Add structured values.yaml paths for entity.maxConnections,
lock.maxNodes, and lock.minNodes
- Ship dev-values.yaml and prod-values.yaml scenario files
- Replace NOTES.txt with a post-install deployment summary with runtime
warnings
- Add default-credential warnings for mysql and postgresql sections
- Emit dynamic-config-provider sub-properties conditionally
**Commit 2 (follow-up fixes):**
1. **Conditional OAuth rendering** (`gravitino.conf`): Wrap all
`gravitino.authenticator.oauth.*` properties in `{{- if contains "oauth"
.Values.authenticators }}` with per-property guards. Previously these
properties were rendered unconditionally with empty values even in
simple-auth mode, overriding server defaults.
2. **Fix H2 backend detection** (`NOTES.txt`): Replace exact-match `eq
"jdbc:h2"` with `hasPrefix "jdbc:h2"` so H2 file-mode URLs are correctly
identified.
3. **Fix CI crash** (`ci-values.yaml`): Replace
`gravitino.eventListener.names: "audit,sync"` with
`gravitino.server.shutdown.timeout: "5000"`. The eventListener config
declared listeners without the required `.class` properties, causing
server startup failure.
4. **Document additionalConfigItems usage** (`values.yaml`): Add
complete commented example for event listener configuration.
5. **Migrate to non-deprecated entrypoint** (`values.yaml`,
`pg-values.yaml`): Replace `bin/start-gravitino.sh` with
`docker/docker-entrypoint.sh` to align with the Dockerfile ENTRYPOINT.
### Why are the changes needed?
- Empty OAuth properties override server defaults silently.
- The H2 detection bug suppresses the data-loss warning for H2 file-mode
URLs.
- The `eventListener.names` config without `class` properties crashes
the server during CI chart tests.
- The deprecated `start-gravitino.sh` generates unnecessary warning
noise and will break when removed.
Fix: #11268
### Does this PR introduce _any_ user-facing change?
- When `authenticators` is `simple` (default), `gravitino.conf` no
longer contains empty `gravitino.authenticator.oauth.*` lines.
- NOTES.txt correctly classifies H2 file-mode JDBC URLs as "Embedded
H2".
- The deprecation warning from `bin/start-gravitino.sh` no longer
appears in pod logs.
### How was this patch tested?
- Ran `helm template` with default values (simple auth) — no
`authenticator.oauth` lines emitted.
- Ran `helm template` with `prod-values.yaml` (oauth) — all configured
OAuth properties render correctly.
- Ran `helm template` with `ci-values.yaml` —
`gravitino.server.shutdown.timeout = 5000` renders in
additionalConfigItems section.
- All template renderings compile without errors.
---------
Co-authored-by: Mark Hoerth <[email protected]>
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: Qi Yu <[email protected]>
---
.../gravitino/resources/config/gravitino.conf | 69 +++++++--
.../gravitino/resources/scenarios/ci-values.yaml | 13 +-
.../gravitino/resources/scenarios/dev-values.yaml | 42 ++++++
.../gravitino/resources/scenarios/pg-values.yaml | 2 +-
.../gravitino/resources/scenarios/prod-values.yaml | 93 ++++++++++++
dev/charts/gravitino/templates/NOTES.txt | 66 +++++++-
dev/charts/gravitino/tests/configmap_test.yaml | 167 ++++++++++++++++++++-
dev/charts/gravitino/values.yaml | 51 ++++++-
8 files changed, 472 insertions(+), 31 deletions(-)
diff --git a/dev/charts/gravitino/resources/config/gravitino.conf
b/dev/charts/gravitino/resources/config/gravitino.conf
index 5855b37d95..f09a8cb7b4 100644
--- a/dev/charts/gravitino/resources/config/gravitino.conf
+++ b/dev/charts/gravitino/resources/config/gravitino.conf
@@ -48,6 +48,20 @@ gravitino.entity.store.relational.jdbcDriver = {{ if
.Values.mysql.enabled }}com
gravitino.entity.store.relational.jdbcUser = {{ if .Values.mysql.enabled }}{{
.Values.mysql.auth.username }}{{ else if .Values.postgresql.enabled }}{{
.Values.postgresql.auth.username }}{{ else }}{{ .Values.entity.jdbcUser }}{{
end }}
gravitino.entity.store.relational.jdbcPassword = {{ if .Values.mysql.enabled
}}{{ .Values.mysql.auth.password }}{{ else if .Values.postgresql.enabled }}{{
.Values.postgresql.auth.password }}{{ else }}{{ .Values.entity.jdbcPassword
}}{{ end }}
gravitino.entity.store.relational.storagePath = {{ .Values.entity.storagePath
}}
+{{- if .Values.entity.maxConnections }}
+gravitino.entity.store.relational.maxConnections = {{
.Values.entity.maxConnections }}
+{{- end }}
+
+{{- if or .Values.lock.maxNodes .Values.lock.minNodes }}
+
+# THE CONFIGURATION FOR Gravitino TREE LOCK
+{{- if .Values.lock.maxNodes }}
+gravitino.lock.maxNodes = {{ .Values.lock.maxNodes }}
+{{- end }}
+{{- if .Values.lock.minNodes }}
+gravitino.lock.minNodes = {{ .Values.lock.minNodes }}
+{{- end }}
+{{- end }}
# THE CONFIGURATION FOR Gravitino CATALOG
gravitino.catalog.cache.evictionIntervalMs = {{ if
.Values.catalog.evictionIntervalMs }}{{ .Values.catalog.evictionIntervalMs }}{{
else }}3600000{{ end }}
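Review bot: the guards `{{- if .Values.entity.maxConnections }}`, `{{- if .Values.lock.maxNodes }}` and `{{- if .Values.lock.minNodes }}` treat a numeric 0 the same as the `""` default, so a user who explicitly sets one of these to 0 silently gets the server default instead. If 0 is never a meaningful value for these settings that is acceptable, but the values.yaml comments should say so; otherwise compare against the empty string (for example `{{- if ne (toString .Values.lock.minNodes) "" }}`) so that only the unset case is skipped.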
@@ -64,18 +78,43 @@ gravitino.cache.implementation = {{
.Values.cache.implementation | default "caff
gravitino.authorization.enable = {{ .Values.authorization.enable }}
gravitino.authorization.serviceAdmins = {{ .Values.authorization.serviceAdmins
}}
gravitino.authenticators = {{ .Values.authenticators }}
-gravitino.authenticator.oauth.serviceAudience = {{
.Values.authenticator.oauth.serviceAudience }}
-gravitino.authenticator.oauth.defaultSignKey = {{
.Values.authenticator.oauth.defaultSignKey }}
-gravitino.authenticator.oauth.serverUri = {{
.Values.authenticator.oauth.serverUri }}
-gravitino.authenticator.oauth.tokenPath = {{
.Values.authenticator.oauth.tokenPath }}
-
-gravitino.authenticator.oauth.provider = {{
.Values.authenticator.oauth.provider }}
-gravitino.authenticator.oauth.clientId = {{
.Values.authenticator.oauth.clientId }}
-gravitino.authenticator.oauth.authority = {{
.Values.authenticator.oauth.authority }}
-gravitino.authenticator.oauth.scope = {{ .Values.authenticator.oauth.scope }}
-gravitino.authenticator.oauth.jwksUri = {{ .Values.authenticator.oauth.jwksUri
}}
-gravitino.authenticator.oauth.tokenValidatorClass = {{
.Values.authenticator.oauth.tokenValidatorClass }}
-gravitino.authenticator.oauth.principalFields = {{
.Values.authenticator.oauth.principalFields }}
+{{- if contains "oauth" (.Values.authenticators | default "") }}
+{{- with .Values.authenticator.oauth }}
+{{- if .serviceAudience }}
+gravitino.authenticator.oauth.serviceAudience = {{ .serviceAudience }}
+{{- end }}
+{{- if .defaultSignKey }}
+gravitino.authenticator.oauth.defaultSignKey = {{ .defaultSignKey }}
+{{- end }}
+{{- if .serverUri }}
+gravitino.authenticator.oauth.serverUri = {{ .serverUri }}
+{{- end }}
+{{- if .tokenPath }}
+gravitino.authenticator.oauth.tokenPath = {{ .tokenPath }}
+{{- end }}
+{{- if .provider }}
+gravitino.authenticator.oauth.provider = {{ .provider }}
+{{- end }}
+{{- if .clientId }}
+gravitino.authenticator.oauth.clientId = {{ .clientId }}
+{{- end }}
+{{- if .authority }}
+gravitino.authenticator.oauth.authority = {{ .authority }}
+{{- end }}
+{{- if .scope }}
+gravitino.authenticator.oauth.scope = {{ .scope }}
+{{- end }}
+{{- if .jwksUri }}
+gravitino.authenticator.oauth.jwksUri = {{ .jwksUri }}
+{{- end }}
+{{- if .tokenValidatorClass }}
+gravitino.authenticator.oauth.tokenValidatorClass = {{ .tokenValidatorClass }}
+{{- end }}
+{{- if .principalFields }}
+gravitino.authenticator.oauth.principalFields = {{ .principalFields }}
+{{- end }}
+{{- end }}
+{{- end }}
# THE CONFIGURATION FOR AUXILIARY SERVICE
gravitino.auxService.names = {{ .Values.auxService.names | default
"iceberg-rest" }}
@@ -165,10 +204,16 @@ gravitino.iceberg-rest.azure-client-secret =
{{.Values.icebergRest.azure.clientS
gravitino.iceberg-rest.catalog-config-provider = {{
.Values.icebergRest.catalogConfigProvider }}
{{- end }}
{{- if .Values.icebergRest.dynamicConfigProvider }}
+{{- if .Values.icebergRest.dynamicConfigProvider.uri }}
gravitino.iceberg-rest.gravitino-uri = {{
.Values.icebergRest.dynamicConfigProvider.uri }}
+{{- end }}
+{{- if .Values.icebergRest.dynamicConfigProvider.metalake }}
gravitino.iceberg-rest.gravitino-metalake = {{
.Values.icebergRest.dynamicConfigProvider.metalake }}
+{{- end }}
+{{- if .Values.icebergRest.dynamicConfigProvider.defaultCatalogName }}
gravitino.iceberg-rest.default-catalog-name = {{
.Values.icebergRest.dynamicConfigProvider.defaultCatalogName }}
{{- end }}
+{{- end }}
# Audit log configuration
gravitino.audit.enabled = {{ .Values.audit.enabled }}
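Review bot: this block could use the same `{{- with .Values.icebergRest.dynamicConfigProvider }}` pattern the OAuth section above now uses, which shortens the three guards to `{{- if .uri }}`, `{{- if .metalake }}` and `{{- if .defaultCatalogName }}` and keeps the two conditional styles in the file consistent. Also, now that `uri` is optional, a comment stating what the server falls back to when `gravitino.iceberg-rest.gravitino-uri` is omitted would help readers of dev-values.yaml, which sets only `metalake` and relies on that fallback.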
diff --git a/dev/charts/gravitino/resources/scenarios/ci-values.yaml
b/dev/charts/gravitino/resources/scenarios/ci-values.yaml
index fc40fc570e..59b3c1fa82 100644
--- a/dev/charts/gravitino/resources/scenarios/ci-values.yaml
+++ b/dev/charts/gravitino/resources/scenarios/ci-values.yaml
@@ -19,17 +19,16 @@
mysql:
enabled: true
-visibleConfigs:
"gravitino.datastrato.custom.authorization.ranger.admin.url,gravitino.datastrato.custom.authorization.ranger.username,gravitino.datastrato.custom.authorization.ranger.password,gravitino.datastrato.custom.authorization.ranger.auth.type"
+visibleConfigs:
"gravitino.custom.example.url,gravitino.custom.example.username,gravitino.custom.example.password,gravitino.custom.example.auth.type"
visibleConfigsItems:
- gravitino.datastrato.custom.authorization.ranger.admin.url:
"http://ranger:6080"
- gravitino.datastrato.custom.authorization.ranger.username: admin
- gravitino.datastrato.custom.authorization.ranger.password: "rangerR0cks!"
- gravitino.datastrato.custom.authorization.ranger.auth.type: simple
+ gravitino.custom.example.url: "http://example:6080"
+ gravitino.custom.example.username: admin
+ gravitino.custom.example.password: "exampleR0cks!"
+ gravitino.custom.example.auth.type: simple
additionalConfigItems:
- gravitino.testAdditionalConfigItems.names: audit,sync
- gravitino.testAdditionalConfigItems.names.test: test
+ gravitino.server.shutdown.timeout: "5000"
extraVolumeMounts:
- name: gravitino-log
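Review bot: the renamed example still lists a `*.password` key, with the literal `"exampleR0cks!"`, under `visibleConfigs`, a list which, as its name implies, is about configuration items to be made visible; the rename achieved vendor neutrality, but the example should not also model exposing a credential through that list. Consider dropping the password key from the CI example (the remaining three keys still exercise the feature), or at least adding a comment that these are dummy values and that credentials do not belong in `visibleConfigs`.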
diff --git a/dev/charts/gravitino/resources/scenarios/dev-values.yaml
b/dev/charts/gravitino/resources/scenarios/dev-values.yaml
new file mode 100644
index 0000000000..4d35327f6a
--- /dev/null
+++ b/dev/charts/gravitino/resources/scenarios/dev-values.yaml
@@ -0,0 +1,42 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Dev scenario for the Apache Gravitino Helm chart.
+#
+# Mirrors the development sample gravitino.conf in
+# docs/gravitino-server-config.md#development.
+#
+# Defaults from the chart's values.yaml are appropriate for local
+# development with the embedded H2 metadata backend. This file opts in
+# to the Iceberg REST server in auxiliary mode with the dynamic config
+# provider so the IRC server federates the local Gravitino metalake.
+#
+# Authentication remains the default "simple" mode (anonymous user).
+# To enable OAuth or Kerberos, see prod-values.yaml or the canonical
+# samples in docs/gravitino-server-config.md.
+#
+# Apply with:
+# helm install gravitino oci://registry-1.docker.io/apache/gravitino-helm \
+# --version <VERSION> -n gravitino --create-namespace \
+# -f
https://raw.githubusercontent.com/apache/gravitino/main/dev/charts/gravitino/resources/scenarios/dev-values.yaml
+
+icebergRest:
+ catalogConfigProvider: dynamic-config-provider
+ dynamicConfigProvider:
+ metalake: test
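Review bot: `dynamicConfigProvider.metalake: test` assumes a metalake named `test` already exists on the Gravitino server, and the header comment does not say so; please add a line noting that the metalake must be created first, since the chart cannot create it. The `helm install` line also pulls this file from the `main` branch while pinning `--version <VERSION>`, so the scenario file and the chart version can drift; telling the reader to download and pin the file, as prod-values.yaml does with `curl -O`, would avoid that.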
diff --git a/dev/charts/gravitino/resources/scenarios/pg-values.yaml
b/dev/charts/gravitino/resources/scenarios/pg-values.yaml
index 322e3b9827..e188082abf 100644
--- a/dev/charts/gravitino/resources/scenarios/pg-values.yaml
+++ b/dev/charts/gravitino/resources/scenarios/pg-values.yaml
@@ -22,4 +22,4 @@ postgresql:
initScript: |
cp /tmp/conf/* ${GRAVITINO_HOME}/conf
echo "Start the Gravitino Server"
- /bin/bash ${GRAVITINO_HOME}/bin/start-gravitino.sh
+ /bin/bash ${GRAVITINO_HOME}/docker/docker-entrypoint.sh
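Review bot: this `initScript` block is a verbatim copy of the default in values.yaml (changed in the same way further down in this patch), so the scenario file now has to be edited every time the default changes; if pg-values.yaml does not need a different init script, drop the override here and let the chart default apply.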
diff --git a/dev/charts/gravitino/resources/scenarios/prod-values.yaml
b/dev/charts/gravitino/resources/scenarios/prod-values.yaml
new file mode 100644
index 0000000000..2efbb4535a
--- /dev/null
+++ b/dev/charts/gravitino/resources/scenarios/prod-values.yaml
@@ -0,0 +1,93 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Production scenario for the Apache Gravitino Helm chart.
+#
+# Mirrors the production sample gravitino.conf in
+# docs/gravitino-server-config.md#production.
+#
+# Configures externally managed MySQL as the metadata backend, larger
+# cache and tree-lock limits, audit logging, the Iceberg REST server
+# in auxiliary mode with the dynamic config provider, and OAuth 2.0
+# OIDC authentication with JWKS-based token validation.
+#
+# Placeholders use the convention <placeholder-name>. Fill in your own
+# values for the JDBC URL/user/password, OIDC tenant ID, client ID,
+# and service audience before applying this file. Sensitive values
+# (JDBC password, OAuth client secret) should be sourced from a
+# Kubernetes Secret rather than embedded as plaintext; the Secret-
+# reference mechanism is tracked separately in the chart's enterprise
+# readiness work.
+#
+# Initialize the MySQL metadata backend before installing. See
+# docs/how-to-use-relational-backend-storage.md for setup steps and
+# SQL scripts.
+#
+# Apply with:
+# curl -O
https://raw.githubusercontent.com/apache/gravitino/main/dev/charts/gravitino/resources/scenarios/prod-values.yaml
+# # edit placeholders below to fill in your environment
+# helm install gravitino oci://registry-1.docker.io/apache/gravitino-helm \
+# --version <VERSION> -n gravitino --create-namespace -f prod-values.yaml
+
+# Externally managed MySQL metadata backend.
+# Leave mysql.enabled and postgresql.enabled at their defaults (false)
+# so the chart does not deploy an in-cluster database. Provide the
+# external JDBC URL directly.
+entity:
+ jdbcUrl: jdbc:mysql://<your-mysql-host>:3306/<your-database>
+ jdbcDriver: com.mysql.cj.jdbc.Driver
+ jdbcUser: <your-mysql-user>
+ jdbcPassword: <your-mysql-password>
+ maxConnections: 200
+
+# Tree-lock tuning for production load.
+lock:
+ maxNodes: 500000
+ minNodes: 5000
+
+# Cache tuning for production load.
+cache:
+ maxEntries: 100000
+ enableStats: true
+
+# Audit logging.
+audit:
+ enabled: true
+
+# Iceberg REST server in auxiliary mode with shared Gravitino catalogs.
+icebergRest:
+ catalogConfigProvider: dynamic-config-provider
+ dynamicConfigProvider:
+ metalake: production
+
+# OAuth 2.0 / OIDC authentication with JWKS-based token validation.
+# Example values shown for Azure AD; substitute your identity provider's
+# URLs and identifiers. For Kerberos, simple auth, or static-key OAuth,
+# see the Authentication section of gravitino-server-config.md.
+authenticators: oauth
+authenticator:
+ oauth:
+ provider: oidc
+ tokenValidatorClass:
org.apache.gravitino.server.authentication.JwksTokenValidator
+ authority: https://login.microsoftonline.com/<your-tenant-id>/v2.0
+ jwksUri:
https://login.microsoftonline.com/<your-tenant-id>/discovery/v2.0/keys
+ clientId: <your-app-client-id>
+ serviceAudience: <your-app-client-id-or-api-identifier>
+ scope: openid profile email
+ principalFields: preferred_username,email,sub
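Review bot: `jdbcPassword: <your-mysql-password>` is rendered into the gravitino.conf ConfigMap as plaintext, which the header acknowledges; until the Secret-reference mechanism lands, the header should also tell readers to keep the filled-in copy of this file out of version control, since the `curl -O` then edit workflow it describes invites committing it. Separately, an unfilled placeholder such as `<your-mysql-host>` renders without error and only fails at pod start; a `required` or `fail` check in the template when `entity.jdbcUrl` still contains `<` would surface that at `helm install` time instead.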
diff --git a/dev/charts/gravitino/templates/NOTES.txt
b/dev/charts/gravitino/templates/NOTES.txt
index 08cea4ad97..c72f34d14d 100644
--- a/dev/charts/gravitino/templates/NOTES.txt
+++ b/dev/charts/gravitino/templates/NOTES.txt
@@ -16,10 +16,72 @@
specific language governing permissions and limitations
under the License.
*/}}
-🚀 {{ $.Chart.Name }} has been installed. Check its status by running:
+🚀 Apache Gravitino has been installed in namespace {{ include
"gravitino.namespace" . }}.
+
+Deployment summary:
+- Release name: {{ .Release.Name }}
+- Service name: {{ .Values.service.name }}
+- Replicas: {{ .Values.replicas }}
+- Metadata backend: {{ if .Values.mysql.enabled }}MySQL (in-chart){{ else if
.Values.postgresql.enabled }}PostgreSQL (in-chart){{ else if and
.Values.entity.jdbcUrl (not (hasPrefix "jdbc:h2" .Values.entity.jdbcUrl))
}}External (configured via entity.jdbcUrl){{ else }}Embedded H2 (testing
only){{ end }}
+- Persistence: {{ if .Values.persistence.enabled }}Enabled ({{
.Values.persistence.size }}){{ else }}Disabled (emptyDir){{ end }}
+- Iceberg REST server: {{ if contains "iceberg-rest" .Values.auxService.names
}}Enabled on port {{ .Values.icebergRest.httpPort | default 9001 }}{{ else
}}Disabled{{ end }}
+- Authentication: {{ .Values.authenticators | default "simple (anonymous)" }}
+- Service type: {{ .Values.service.type }}
+
+{{- if and (not .Values.mysql.enabled) (not .Values.postgresql.enabled) (or
(not .Values.entity.jdbcUrl) (hasPrefix "jdbc:h2" .Values.entity.jdbcUrl)) }}
+
+WARNING: This deployment uses the embedded H2 metadata backend on an
+emptyDir volume. All metadata will be lost when the pod restarts. For
+any non-throwaway use, configure an external metadata backend (MySQL
+or PostgreSQL) via the entity.* values, or enable an in-chart database
+via mysql.enabled or postgresql.enabled.
+{{- end }}
+
+{{- if and (contains "iceberg-rest" .Values.auxService.names) (not
.Values.icebergRest.catalogConfigProvider) (eq
(.Values.icebergRest.catalogBackend | default "memory") "memory") }}
+
+WARNING: The Iceberg REST server is enabled with the default in-memory
+catalog backend. Tables registered through this server will be lost
+when the pod restarts. For real use, configure
icebergRest.catalogConfigProvider
+to use the dynamic-config-provider with a persistent metadata backend,
+or set icebergRest.catalogBackend to jdbc or hive with a persistent store.
+{{- end }}
+
+{{- if or (eq .Values.authenticators "") (eq .Values.authenticators "simple")
}}
+
+WARNING: Authentication is set to simple mode (anonymous). The deployed
+server accepts all requests without credentials. Configure authenticators
+to "oauth" or "kerberos" before exposing the server beyond a trusted
+network.
+{{- end }}
+
+{{- if and .Values.mysql.enabled (or (eq .Values.mysql.auth.rootPassword
"admin") (eq .Values.mysql.auth.password "gravitino")) }}
+
+WARNING: The in-chart MySQL is using default credentials (root password
+"admin" and/or user password "gravitino"). Override mysql.auth.rootPassword
+and mysql.auth.password (or set mysql.auth.existingSecret) before any
+non-trial deployment.
+{{- end }}
+
+{{- if and .Values.postgresql.enabled (eq .Values.postgresql.auth.password
"gravitino") }}
+
+WARNING: The in-chart PostgreSQL is using the default password "gravitino".
+Override postgresql.auth.password (or set postgresql.auth.existingSecret)
+before any non-trial deployment.
+{{- end }}
+
+To check pod status:
kubectl get pods --namespace {{ include "gravitino.namespace" . }}
-Check the "gravitino.conf" by running:
+To view the rendered gravitino.conf:
kubectl get cm {{ include "gravitino.fullname" . }} -n {{ include
"gravitino.namespace" . }} -o json | jq -r '.data["gravitino.conf"]'
+
+To access the Gravitino server locally:
+
+ kubectl -n {{ include "gravitino.namespace" . }} port-forward svc/{{
.Values.service.name }} {{ .Values.service.port }}:{{
.Values.service.targetPort }}
+
+Then open http://localhost:{{ .Values.service.port }} in a browser.
+
+For production deployment patterns, see:
+https://gravitino.apache.org/docs/latest/chart
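Review bot: the simple-auth warning at `{{- if or (eq .Values.authenticators "") (eq .Values.authenticators "simple") }}` does not fire for a list such as `simple,oauth`, even though the gravitino.conf template in this patch uses `contains "oauth"` precisely because `authenticators` may be a list; use `contains "simple"` together with the empty check so the anonymous path is warned about whenever simple is enabled. Relatedly, this file compares `.Values.authenticators` and passes `.Values.auxService.names` to `contains` without the `| default ""` guard that gravitino.conf applies to both; a nil value makes `helm install` fail while rendering NOTES, so add the same defaults here.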
diff --git a/dev/charts/gravitino/tests/configmap_test.yaml
b/dev/charts/gravitino/tests/configmap_test.yaml
index f82edaca2b..949f953821 100644
--- a/dev/charts/gravitino/tests/configmap_test.yaml
+++ b/dev/charts/gravitino/tests/configmap_test.yaml
@@ -39,7 +39,7 @@ tests:
path: data["log4j2.properties"]
- matchRegex:
path: data["init.sh"]
- pattern: "start-gravitino\\.sh"
+ pattern: "docker-entrypoint\\.sh"
- matchRegex:
path: data["gravitino.conf"]
pattern: "gravitino\\.server\\.webserver\\.httpPort = 8090"
@@ -132,3 +132,168 @@ tests:
- matchRegex:
path: data["gravitino.conf"]
pattern: "gravitino\\.entity\\.store\\.relational\\.jdbcPassword =
pg_password"
+
+ - it: does not render OAuth properties when authenticators is simple
(default)
+ release:
+ name: gravitino
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticators = simple"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\."
+
+ - it: renders OAuth properties only when authenticators contains oauth
+ release:
+ name: gravitino
+ set:
+ authenticators: oauth
+ authenticator:
+ oauth:
+ serviceAudience: my-audience
+ defaultSignKey: my-secret-key
+ serverUri: https://auth.example.com
+ tokenPath: /oauth/token
+ provider: oidc
+ clientId: my-client-id
+ authority: https://auth.example.com
+ scope: openid profile
+ jwksUri: https://auth.example.com/.well-known/jwks.json
+ tokenValidatorClass:
org.apache.gravitino.server.authentication.JwksTokenValidator
+ principalFields: preferred_username,email
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticators = oauth"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.serviceAudience =
my-audience"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.defaultSignKey =
my-secret-key"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.serverUri =
https://auth\\.example\\.com"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.tokenPath =
/oauth/token"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.provider = oidc"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.clientId =
my-client-id"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.jwksUri =
https://auth\\.example\\.com/\\.well-known/jwks\\.json"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.tokenValidatorClass =
org\\.apache\\.gravitino\\.server\\.authentication\\.JwksTokenValidator"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.principalFields =
preferred_username,email"
+
+ - it: does not render empty OAuth sub-properties when only some are set
+ release:
+ name: gravitino
+ set:
+ authenticators: oauth
+ authenticator:
+ oauth:
+ serviceAudience: my-audience
+ provider: oidc
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.serviceAudience =
my-audience"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.provider = oidc"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.defaultSignKey"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.authenticator\\.oauth\\.serverUri"
+
+ - it: renders entity.maxConnections only when set
+ release:
+ name: gravitino
+ set:
+ entity:
+ maxConnections: 200
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.entity\\.store\\.relational\\.maxConnections =
200"
+
+ - it: does not render entity.maxConnections when empty (default)
+ release:
+ name: gravitino
+ asserts:
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.entity\\.store\\.relational\\.maxConnections"
+
+ - it: renders lock.maxNodes and lock.minNodes only when set
+ release:
+ name: gravitino
+ set:
+ lock:
+ maxNodes: 500000
+ minNodes: 5000
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.lock\\.maxNodes = 500000"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.lock\\.minNodes = 5000"
+
+ - it: does not render lock properties when empty (default)
+ release:
+ name: gravitino
+ asserts:
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.lock\\.maxNodes"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.lock\\.minNodes"
+
+ - it: renders dynamicConfigProvider sub-properties conditionally
+ release:
+ name: gravitino
+ set:
+ icebergRest:
+ catalogConfigProvider: dynamic-config-provider
+ dynamicConfigProvider:
+ metalake: production
+ asserts:
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.catalog-config-provider =
dynamic-config-provider"
+ - matchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.gravitino-metalake = production"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.gravitino-uri"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.default-catalog-name"
+
+ - it: does not render dynamicConfigProvider properties when not configured
+ release:
+ name: gravitino
+ asserts:
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.gravitino-uri"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.gravitino-metalake"
+ - notMatchRegex:
+ path: data["gravitino.conf"]
+ pattern: "gravitino\\.iceberg-rest\\.default-catalog-name"
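Review bot: in the `renders OAuth properties only when authenticators contains oauth` case, `authority` and `scope` are set but never asserted, so a regression in those two guards would pass; add `matchRegex` asserts for `gravitino\\.authenticator\\.oauth\\.authority` and `gravitino\\.authenticator\\.oauth\\.scope`. A case with `authenticators: simple,oauth` and one with `authenticators: ""` would also cover the list and empty handling that the `contains` / `default ""` guard was introduced for, which none of the new cases exercise.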
diff --git a/dev/charts/gravitino/values.yaml b/dev/charts/gravitino/values.yaml
index 84040d594a..49c8ab600c 100644
--- a/dev/charts/gravitino/values.yaml
+++ b/dev/charts/gravitino/values.yaml
@@ -37,6 +37,10 @@ image:
## MySQL chart configuration
## ref: https://github.com/bitnami/charts/blob/main/bitnami/mysql/values.yaml
##
+## WARNING: The defaults below (auth.rootPassword=admin,
auth.password=gravitino)
+## are for trial use only. Override both passwords, or use auth.existingSecret
to
+## source credentials from a Kubernetes Secret, before any non-trial
deployment.
+##
mysql:
## @param mysql.enabled Deploy MySQL container(s)
##
@@ -72,6 +76,10 @@ mysql:
## PostgreSQL chart configuration
## ref:
https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
##
+## WARNING: The default below (auth.password=gravitino) is for trial use only.
+## Override the password, or use auth.existingSecret to source credentials from
+## a Kubernetes Secret, before any non-trial deployment.
+##
postgresql:
## @param postgresql.enabled Deploy PostgreSQL container(s)
##
@@ -132,6 +140,23 @@ entity:
##
jdbcPassword: gravitino
storagePath: /opt/gravitino/data/jdbc
+ ## Maximum number of JDBC connections in the relational backend pool.
+ ## Leave unset to use the server default. Production recommendation: 200.
+ ##
+ maxConnections: ""
+
+## THE CONFIGURATION FOR Gravitino TREE LOCK
+##
+lock:
+ ## Maximum number of tree-lock nodes the lock manager will hold concurrently.
+ ## Used to tune tree-lock memory for high-concurrency deployments.
+ ## Leave unset to use the server default. Production recommendation: 500000.
+ ##
+ maxNodes: ""
+ ## Minimum number of tree-lock nodes the lock manager preserves across
cleanup.
+ ## Leave unset to use the server default. Production recommendation: 5000.
+ ##
+ minNodes: ""
## THE CONFIGURATION FOR Gravitino SERVER
##
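Review bot: the new `entity.maxConnections`, `lock.maxNodes` and `lock.minNodes` keys lack the `## @param <path> <description>` annotation this file uses for documented values (compare `## @param mysql.enabled Deploy MySQL container(s)` above); please add them so the parameter documentation picks the keys up. The "Production recommendation" figures duplicate the values set in prod-values.yaml, so either reference that file here or keep the number in one place to avoid drift.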
@@ -342,18 +367,28 @@ metrics:
## Custom Gravitino configuration items
##
visibleConfigs: ""
-# visibleConfigs:
"gravitino.datastrato.custom.authorization.ranger.admin.url,gravitino.datastrato.custom.authorization.ranger.username,gravitino.datastrato.custom.authorization.ranger.password,gravitino.datastrato.custom.authorization.ranger.auth.type"
+# visibleConfigs:
"gravitino.custom.example.url,gravitino.custom.example.username,gravitino.custom.example.password,gravitino.custom.example.auth.type"
visibleConfigsItems: {}
- # gravitino.datastrato.custom.authorization.ranger.admin.url:
"http://ranger:6080"
- # gravitino.datastrato.custom.authorization.ranger.username: admin
- # gravitino.datastrato.custom.authorization.ranger.password: "rangerR0cks!"
- # gravitino.datastrato.custom.authorization.ranger.auth.type: simple
+ # gravitino.custom.example.url: "http://example:6080"
+ # gravitino.custom.example.username: admin
+ # gravitino.custom.example.password: "exampleR0cks!"
+ # gravitino.custom.example.auth.type: simple
-## Additional Gravitino configuration items in gravitino.conf can be added
+## Additional Gravitino configuration items in gravitino.conf can be added.
+## Any key-value pair listed here will be appended verbatim to the rendered
+## gravitino.conf file. This is useful for settings not yet exposed as
+## structured values.yaml paths.
+##
+## Example — configuring event listeners (requires a valid EventListenerPlugin
+## implementation class on the server classpath):
+##
+## additionalConfigItems:
+## gravitino.eventListener.names: "audit,sync"
+## gravitino.eventListener.audit.class: "com.example.AuditEventListener"
+## gravitino.eventListener.sync.class: "com.example.SyncEventListener"
##
additionalConfigItems: {}
-# gravitino.eventListener.names: "audit,sync"
## Additional volumes
##
@@ -443,7 +478,7 @@ additionalLog4j2Properties:
initScript: |
cp /tmp/conf/* ${GRAVITINO_HOME}/conf
echo "Start the Gravitino Server"
- /bin/bash ${GRAVITINO_HOME}/bin/start-gravitino.sh
+ /bin/bash ${GRAVITINO_HOME}/docker/docker-entrypoint.sh
## Expose the gravitino service to be accessed from outside the cluster
(LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service
type and the port to serve it.