stackabletech · sbernauer · Mar 9, 2026 · Mar 9, 2026
diff --git a/tests/templates/kuttl/iceberg-hive/34_trino.yaml.j2 b/tests/templates/kuttl/iceberg-hive/34_trino.yaml.j2
@@ -1,5 +1,39 @@
 ---
 apiVersion: trino.stackable.tech/v1alpha1
+kind: TrinoCatalog
+metadata:
+  name: iceberg
+  labels:
+    trino: trino
+spec:
+  connector:
+    iceberg:
+      metastore:
+        configMap: hive
+      s3:
+        reference: minio
+      hdfs:
+        configMap: hdfs
+{% if test_scenario['values']['iceberg-use-kerberos'] == 'true' %}
+  configOverrides:
+    # HDFS configuration
+    hive.hdfs.authentication.type: KERBEROS
+    hive.hdfs.trino.principal: trino/trino.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
+    hive.hdfs.trino.keytab: /stackable/kerberos/keytab
+    hive.hdfs.impersonation.enabled: "false"
+    hive.hdfs.wire-encryption.enabled: "true"
+    # HMS configuration
+    hive.metastore.authentication.type: KERBEROS
+    hive.metastore.client.principal: trino/trino.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
+    hive.metastore.client.keytab: /stackable/kerberos/keytab
+    hive.metastore.service.principal: hive/hive.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
+    hive.metastore.thrift.impersonation.enabled: "false"
+    # By default, Hive views are executed with the RUN AS DEFINER security mode. Set the hive.hive-views.run-as-invoker catalog configuration property to true to use RUN AS INVOKER semantics.
+    # However, this does *not* work for Iceberg catalogs :/ (I asked on the Trino slack: https://trinodb.slack.com/archives/CJ6UC075E/p1711449384648869)
+    # hive.hive-views.run-as-invoker: "true"
+{% endif %}
+---
+apiVersion: trino.stackable.tech/v1alpha1
 kind: TrinoCluster
 metadata:
   name: trino
@@ -71,37 +105,3 @@ spec:
       default:
         replicas: 1
         config: {}
----
-apiVersion: trino.stackable.tech/v1alpha1
-kind: TrinoCatalog
-metadata:
-  name: iceberg
-  labels:
-    trino: trino
-spec:
-  connector:
-    iceberg:
-      metastore:
-        configMap: hive
-      s3:
-        reference: minio
-      hdfs:
-        configMap: hdfs
-{% if test_scenario['values']['iceberg-use-kerberos'] == 'true' %}
-  configOverrides:
-    # HDFS configuration
-    hive.hdfs.authentication.type: KERBEROS
-    hive.hdfs.trino.principal: trino/trino.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
-    hive.hdfs.trino.keytab: /stackable/kerberos/keytab
-    hive.hdfs.impersonation.enabled: "false"
-    hive.hdfs.wire-encryption.enabled: "true"
-    # HMS configuration
-    hive.metastore.authentication.type: KERBEROS
-    hive.metastore.client.principal: trino/trino.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
-    hive.metastore.client.keytab: /stackable/kerberos/keytab
-    hive.metastore.service.principal: hive/hive.$NAMESPACE.svc.cluster.local@{{ test_scenario['values']['kerberos-realm'] }}
-    hive.metastore.thrift.impersonation.enabled: "false"
-    # By default, Hive views are executed with the RUN AS DEFINER security mode. Set the hive.hive-views.run-as-invoker catalog configuration property to true to use RUN AS INVOKER semantics.
-    # However, this does *not* work for Iceberg catalogs :/ (I asked on the Trino slack: https://trinodb.slack.com/archives/CJ6UC075E/p1711449384648869)
-    # hive.hive-views.run-as-invoker: "true"
-{% endif %}
diff --git a/tests/templates/kuttl/iceberg-rest/31_trino.yaml.j2 b/tests/templates/kuttl/iceberg-rest/31_trino.yaml.j2
@@ -1,5 +1,25 @@
 ---
 apiVersion: trino.stackable.tech/v1alpha1
+kind: TrinoCatalog
+metadata:
+  name: lakehouse
+  labels:
+    trino: trino
+spec:
+  connector:
+    iceberg:
+      s3:
+        reference: minio
+  configOverrides:
+    iceberg.catalog.type: rest
+    # We are using the headless service, as the hive-metastore service is missing port 9001
+    iceberg.rest-catalog.uri: http://hive-metastore-default-headless:9001/iceberg
+    iceberg.rest-catalog.security: OAUTH2
+    iceberg.rest-catalog.oauth2.server-uri: https://keycloak.$NAMESPACE.svc.cluster.local:8443/realms/test/protocol/openid-connect/token
+    # TODO Mount as env var from Secret trino-client-credentials
+    iceberg.rest-catalog.oauth2.credential: trino:trino-secret
+---
+apiVersion: trino.stackable.tech/v1alpha1
 kind: TrinoCluster
 metadata:
   name: trino
@@ -34,23 +54,3 @@ spec:
     roleGroups:
       default:
         replicas: 1
----
-apiVersion: trino.stackable.tech/v1alpha1
-kind: TrinoCatalog
-metadata:
-  name: lakehouse
-  labels:
-    trino: trino
-spec:
-  connector:
-    iceberg:
-      s3:
-        reference: minio
-  configOverrides:
-    iceberg.catalog.type: rest
-    # We are using the headless service, as the hive-metastore service is missing port 9001
-    iceberg.rest-catalog.uri: http://hive-metastore-default-headless:9001/iceberg
-    iceberg.rest-catalog.security: OAUTH2
-    iceberg.rest-catalog.oauth2.server-uri: https://keycloak.$NAMESPACE.svc.cluster.local:8443/realms/test/protocol/openid-connect/token
-    # TODO Mount as env var from Secret trino-client-credentials
-    iceberg.rest-catalog.oauth2.credential: trino:trino-secret