https://trino.io/docs/current/security/kerberos.html says:
node.internal-address-source | Kerberos is typically sensitive to DNS names. Setting this property to use FQDN ensures correct operation and usage of valid DNS host names.

https://trino.io/docs/current/security/internal-communication.html
Older versions of Trino required you to manually manage all the certificates on the nodes. If you upgrade from this setup, you must remove the following configuration properties:
internal-communication.https.keystore.path
internal-communication.https.truststore.path
node.internal-address-source

Based on the errors I'm getting when trying to connect, it looks like I have to manage the certificates on all nodes manually and my config should look something like this:
discovery.uri=https://<coordinator FQDN>:<https port>
node.internal-address-source=FQDN
internal-communication.https.keystore.path=<path to the keystore with the certificate issued for the worker node>
internal-communication.https.truststore.path=<path to the truststore that can validate all node certificates>

If that's correct, shouldn't this caveat be mentioned in the docs?