Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



27 Commits

Repository files navigation


This plugin allows Prestosql coordinator / workers to participate in a Consul Connect Service Mesh by leveraging Native Integration:

The rationale here is that Presto's internal distributed architecture makes it hard to go with a sidecar approach, especially when one is looking to extend the zero-trust network for internal communication as well

The plugin is an extension of Prestosql's pluggable Certificate Authenticator backend, available from release 334:

compiling sources

  • clone repo
  • mvn clean install

downloading latest release

The latest release can be downloaded from Maven central repo:;quick~presto-consul-connect

deploying plugin


presto-consul-connect expects the following parameters to be present either in the plugin's config file or as environment variables:

  • consul.service=<service_name>
  • consul.addr=<consul_address>
  • consul.token=<consul_token>


Instructions on using the official docker image:

For the plugin to work with this image, the following steps are required:

  • create a java keystore based on Consul's certification chain and leaf certificate for Presto; all the required certs can be obtained using Consul's HTTP API ( or Consul template
  • make the keystore available to the container (it must be referenced by file in an upcoming step)
  • copy the jar with dependencies to: /usr/lib/presto/plugin/consulconnect (within the container)
  • add a file to /lib/presto/default/etc (with the properties mentioned in the previous section)
  • configure Presto to use SSL for Presto external / internal communication (

special considerations

  • in a multi-node setup, each service associated with Presto (coordinator, workers) can request its own leaf certificate from Consul, then each JKS has a very narrow, focused scope (useful for multi-cloud, multi-datacenter scenarios)
  • leaf certificates should be short-lived, so then the JKSs need to be kept updated; an approach to achieve this is by delegating to a certificate handler, which can run out of process either as a system service or as a sidecar container
  • hot reloading of SSL certificates is quite challenging in Java; with an application like Presto which is mostly stateless, it might be more practical to just signal the node to gracefully shutdown & restart when the JKS has been updated (


  • the following is a ready-made example which runs on Nomad:
