The module lifecycle stage: Preview
The module has requirements for installation

HiveMetastore

A namespaced resource that allows creating the final configuration and serves as the source of truth for the state of a specific deployed hivemetastore service.

HiveMetastoreClassName

The name of the class that will be associated with a specific resource.
Without a created HiveMetastore, deploying the service is impossible.

spec:
  hivemetastoreClassName: default

Instance

A section that describes the resources of the service being created.
Must pass validation according to the sizingPolicy of the corresponding class:

  instance:
    memory:
      size: "4Gi"
    cpu:
      cores: 2
      coreFraction: "25%"

Supported Hive Metastore Versions

The currently supported Hive Metastore version is 4.2.0.

Our images for running Hive Metastore containers are based on distroless architecture.

External Connections

Hive Metastore can be configured to connect to various external services, such as databases and object stores, through the externalConnections configuration in your YAML specification.

Database Connection

The metastore supports PostgreSQL as an external database backend with two credential management modes.

Secret Mode (Recommended)

database:
  type: Postgres
  postgres:
    mode: Secret
    secretName: pg-creds

In this mode:

  • Database credentials are stored in a Kubernetes Secret
  • The secretName must reference an existing Secret containing the database credentials
  • This provides secure credential management and prevents exposed secrets

Plain Text Mode

database:
  type: Postgres
  postgres:
    mode: Plain
    host: postgresql.postgresql
    port: 5432
    database: my-database
    password: plain-text-password
    username: my-user

In this mode:

  • host - specifies the PostgreSQL server address
  • port - database port (default 5432)
  • database - database name for metastore tables
  • username, password - credentials in plain text format

Security Warning: Plain text mode exposes sensitive credentials in the configuration file. Use only when necessary and ensure proper access controls.

Object Store Configuration (S3 Compatible)

Hive Metastore can store external table data in S3-compatible object storage:

objectStore:
  type: S3
  s3:
    endpoint: minio.minio:9000
    bucket: data-lake
    region: ru-east-1
    prefix: directory
    usePathStyle: true
    credentials:
      mode: Plain 
      accessKey: access-key-here
      secretKey: secret-key-here

Configuration parameters:

  • endpoint - S3 service address
  • bucket - target bucket name for data storage
  • region - region name, specified in AWS region format
  • prefix - directory path prefix within the bucket
  • usePathStyle - enables path-style URL addressing

Credential Modes:

Two authentication methods are supported:

  • Plain Text - Direct key/value input
  • Secret - References external Secret resource (recommended)

Status

The status of the Managed Hive Metastore service is reflected in the Hive Metastore resource.
The Conditions structure clearly shows the current status of the service.

Significant types:

  • LastValidConfigurationApplied - An aggregating type that shows whether the last valid configuration has been successfully applied at least once.
  • ConfigurationValid - shows whether the configuration has passed all validations of the associated HiveMetastoreClass.
  • ScaledToLastValidConfiguration - shows whether the number of running replicas matches the specified configuration.
  • Available - shows whether the needed number of available replicas is running according to the deployment strategy.

conditions:
    - lastTransitionTime: '2025-09-22T23:20:36Z'
      observedGeneration: 2
      status: 'True'
      type: Available
    - lastTransitionTime: '2025-09-22T14:38:04Z'
      observedGeneration: 2
      status: 'True'
      type: ConfigurationValid
    - lastTransitionTime: '2025-09-22T14:38:47Z'
      observedGeneration: 2
      status: 'True'
      type: LastValidConfigurationApplied
    - lastTransitionTime: '2025-09-22T23:20:36Z'
      observedGeneration: 2
      status: 'True'
      type: ScaledToLastValidConfiguration

A False status indicates a problem at one stage or another, or incomplete state synchronization.
For such a state, a reason and message with a description will be specified.

---
    - lastTransitionTime: '2025-09-23T14:53:33Z'
      message: Syncing
      observedGeneration: 1
      reason: Syncing
      status: 'False'
      type: LastValidConfigurationApplied
    - lastTransitionTime: '2025-09-23T14:54:58Z'
      message: Not all the instances are running still waiting for 1 to become ready
      observedGeneration: 1
      reason: ScalingInProgress
      status: 'False'
      type: ScaledToLastValidConfiguration
---
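A readiness gate built on the conditions described above, as an added example that is not part of the module: it reports which of the four condition types block readiness and why. The function name and the `metadata.generation` value in the sample are assumptions, and the stale check assumes the standard Kubernetes meaning of `observedGeneration`.

```python
import json

REQUIRED = ("ConfigurationValid", "LastValidConfigurationApplied",
            "ScaledToLastValidConfiguration", "Available")

# Constructed sample shaped like `kubectl get hivemetastore ... -o json`, reusing
# the two False conditions shown above; metadata.generation is an assumed value.
SAMPLE = json.loads("""
{"metadata": {"generation": 1},
 "status": {"conditions": [
  {"type": "LastValidConfigurationApplied", "status": "False",
   "reason": "Syncing", "message": "Syncing", "observedGeneration": 1},
  {"type": "ScaledToLastValidConfiguration", "status": "False",
   "reason": "ScalingInProgress", "observedGeneration": 1,
   "message": "Not all the instances are running still waiting for 1 to become ready"}
 ]}}
""")

def blocking_conditions(resource):
    """Return {condition type: why it blocks readiness}; an empty dict means ready."""
    generation = resource.get("metadata", {}).get("generation")
    reported = {c["type"]: c for c in resource.get("status", {}).get("conditions", [])}
    blocking = {}
    for ctype in REQUIRED:
        cond = reported.get(ctype)
        if cond is None:
            blocking[ctype] = "NotReported"
        elif cond.get("status") != "True":
            blocking[ctype] = cond.get("reason", "Unknown")
        elif generation is not None and cond.get("observedGeneration") != generation:
            # True, but computed for an older spec: the latest edit is not evaluated yet.
            blocking[ctype] = "StaleObservedGeneration"
    return blocking
```

A condition that is True for an older generation is treated as blocking, so a configuration change that has not been validated yet cannot pass the gate on the strength of the previous spec.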

Usage Examples

Basic Usage (Secret Mode)

  1. Create a namespace named hivemetastore.
  2. Create a HiveMetastore resource by applying the manifest below:

kubectl apply -f managed-services_v1alpha1_hivemetastore_with_secret_mode.yaml -n hivemetastore

apiVersion: managed-services.deckhouse.io/v1alpha1
kind: HiveMetastore
metadata:
  name: hivemetastore-sample
spec:
  hivemetastoreClassName: default
  externalConnections:
    database:
      type: Postgres
      postgres:
        mode: Secret
        secretName: pg-creds
    objectStore:
      type: S3
      s3:
        endpoint: minio.minio:9000
        bucket: data-lake
        region: ru-east-1
        prefix: directory
        usePathStyle: true
        credentials:
          mode: Secret
          secretName: s3-creds
  instance:
    memory:
      size: "4Gi"
    cpu:
      cores: 2
      coreFraction: "25%"

  3. Wait until the instance is created and all conditions are True:

kubectl get hivemetastore hivemetastore-sample -n hivemetastore -o wide -w

Plain vs Secret Modes

The HiveMetastore supports two modes for handling sensitive information like database credentials and object store access keys:

Plain Mode

In Plain mode, sensitive data is specified directly in the configuration:

apiVersion: managed-services.deckhouse.io/v1alpha1
kind: HiveMetastore
metadata:
  name: hivemetastore-sample
spec:
  hivemetastoreClassName: default
  externalConnections:
    database:
      type: Postgres
      postgres:
        mode: Plain
        host: postgresql.postgresql
        port: 5432
        database: my-database
        password: plain-text-password
        username: my-user
    objectStore:
      type: S3
      s3:
        endpoint: minio.minio:9000
        bucket: data-lake
        region: ru-east-1
        prefix: directory
        usePathStyle: true
        credentials:
          mode: Plain
          accessKey: access-key-here
          secretKey: secret-key-here
  instance:
    memory:
      size: "4Gi"
    cpu:
      cores: 2
      coreFraction: "25%"

This mode is convenient for development and testing but should be used cautiously in production due to security considerations.
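A pre-deployment check for the risk described above, as an added example that is not part of the module or its documentation: it flags Plain-mode credentials under spec.externalConnections, including a `mode: Plain` block that also sets `secretName`. The function names are hypothetical, and the small parser only handles the block-style mappings used on this page.

```python
import re

# Added example: constructed manifest and hypothetical helper names, not module code.
SAMPLE = """\
spec:
  externalConnections:
    database:
      postgres:
        mode: Plain
        password: plain-text-password
    objectStore:
      s3:
        credentials:
          mode: Plain
          secretName: s3-creds
"""

INLINE_KEYS = {"password", "accessKey", "secretKey"}  # credential fields used on this page
ROOT = "spec.externalConnections."

def flatten(manifest):
    """Flatten block-style YAML mappings (no lists or multi-line scalars) into dotted paths."""
    stack, flat = [], {}
    for raw in manifest.splitlines():
        m = re.match(r"^( *)([A-Za-z0-9_.-]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat

def credential_findings(manifest):
    """Return (path, issue) pairs for credentials kept in a HiveMetastore spec."""
    flat = flatten(manifest)
    findings = []
    for path, value in flat.items():
        if not path.startswith(ROOT):
            continue
        parent, _, key = path.rpartition(".")
        if key in INLINE_KEYS:
            findings.append((path, "inline credential"))
        elif key == "mode" and value == "Plain":
            issue = "Plain mode with secretName set" if parent + ".secretName" in flat else "Plain mode"
            findings.append((path, issue))
    return findings
```

Run over manifests in CI before `kubectl apply`, a non-empty result can fail the pipeline for production namespaces while leaving development manifests untouched.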

Secret Mode

In Secret mode, sensitive information is stored in Kubernetes Secrets:

apiVersion: managed-services.deckhouse.io/v1alpha1
kind: HiveMetastore
metadata:
  name: hivemetastore-sample
spec:
  hivemetastoreClassName: default
  externalConnections:
    database:
      type: Postgres
      postgres:
        mode: Secret
        secretName: pg-creds
    objectStore:
      type: S3
      s3:
        endpoint: minio.minio:9000
        bucket: data-lake
        region: ru-east-1
        prefix: directory
        usePathStyle: true
        credentials:
          mode: Secret
          secretName: s3-creds
  instance:
    memory:
      size: "4Gi"
    cpu:
      cores: 2
      coreFraction: "25%"

Before applying this configuration, you need to create the corresponding Secrets:

For database credentials:

apiVersion: v1
kind: Secret
metadata:
  name: pg-creds
type: Opaque
stringData:
  host: postgresql.postgresql
  port: "5432"
  database: my-database
  username: my-user
  password: plain-text-password

For object store credentials:

apiVersion: v1
kind: Secret
metadata:
  name: s3-creds
type: Opaque
stringData:
  accessKey: access-key-here
  secretKey: secret-key-here