From 89677d409181b014153179e4aa709cb9ffe79035 Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Fri, 4 Apr 2025 15:20:11 +0200 Subject: [PATCH] [bitnami/superset] Set `usePasswordFiles=true` by default (#32778) * [bitnami/superset] Set `usePasswordFiles=true` by default Signed-off-by: Miguel Ruiz * Add upgrading notes Signed-off-by: Miguel Ruiz * Update CHANGELOG.md Signed-off-by: Bitnami Bot * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Bot * Update CHANGELOG.md Signed-off-by: Bitnami Bot * Fix init containers Signed-off-by: Miguel Ruiz * Fix probes Signed-off-by: Miguel Ruiz --------- Signed-off-by: Miguel Ruiz Signed-off-by: Bitnami Bot Co-authored-by: Bitnami Bot --- bitnami/superset/CHANGELOG.md | 8 +++- bitnami/superset/Chart.yaml | 2 +- bitnami/superset/README.md | 10 ++++- bitnami/superset/templates/_helpers.tpl | 45 +++++++++++++++++++ .../superset/templates/beat/deployment.yaml | 21 +++++++++ .../templates/externaldb-secrets.yaml | 4 +- .../superset/templates/flower/deployment.yaml | 30 +++++++++---- bitnami/superset/templates/init/init-job.yaml | 28 ++++++++++++ .../superset/templates/web/deployment.yaml | 21 +++++++++ .../superset/templates/worker/deployment.yaml | 30 +++++++++++++ bitnami/superset/values.yaml | 6 +-- 11 files changed, 186 insertions(+), 19 deletions(-) diff --git a/bitnami/superset/CHANGELOG.md b/bitnami/superset/CHANGELOG.md index 6d1f3bfe64..5534285bbb 100644 --- a/bitnami/superset/CHANGELOG.md +++ b/bitnami/superset/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 1.1.3 (2025-04-02) +## 2.0.0 (2025-04-04) -* [bitnami/superset] Release 1.1.3 ([#32777](https://github.com/bitnami/charts/pull/32777)) +* [bitnami/superset] Set `usePasswordFiles=true` by default ([#32778](https://github.com/bitnami/charts/pull/32778)) + +## 1.1.3 (2025-04-02) + +* [bitnami/superset] Release 1.1.3 (#32777) ([d856953](https://github.com/bitnami/charts/commit/d856953250bfdba841d438923045fdc67808d47c)), closes [#32777](https://github.com/bitnami/charts/issues/32777) ## 1.1.2 (2025-03-25) diff --git a/bitnami/superset/Chart.yaml b/bitnami/superset/Chart.yaml index e7acba9991..3891f01a23 100644 --- a/bitnami/superset/Chart.yaml +++ b/bitnami/superset/Chart.yaml @@ -38,4 +38,4 @@ sources: - https://github.com/bitnami/charts/tree/main/bitnami/superset - https://github.com/bitnami/containers/tree/main/bitnami/superset - https://github.com/apache/superset -version: 1.1.3 +version: 2.0.0 diff --git a/bitnami/superset/README.md b/bitnami/superset/README.md index f4f3577e85..0b4a59e7eb 100644 --- a/bitnami/superset/README.md +++ b/bitnami/superset/README.md @@ -172,6 +172,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an | `commonAnnotations` | Annotations to add to all deployed objects | `{}` | | `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | | `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `usePasswordFiles` | Mount credentials as files instead of using an environment variable | `true` | | `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | | `diagnosticMode.command` | Command to override all containers in the chart release | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the chart release | `["infinity"]` | @@ -516,7 +517,6 @@ As an alternative, use one of the preset configurations for pod affinity, pod an | `flower.auth.enabled` | Enables Apache Celery flower HTTP basic authentication | `true` | | `flower.auth.username` | Apache Celery flower username | `user` | | `flower.auth.password` | Apache Celery flower password | `""` | -| `flower.auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `true` | | `flower.auth.existingSecret` | Name of existing secret to use for Superset Celery flower | `""` | | `flower.livenessProbe.enabled` | Enable livenessProbe on Superset celery flower containers | `true` | | `flower.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | @@ -740,6 +740,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/super Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +## Upgrading + +### To 2.0.0 + +This version replaces the value `flower.auth.usePasswordFiles` with the new value `usePasswordFiles`. When using `usePasswordFiles=true`, , all credentials will be mounted as files instead of using an environment variable. + ## License Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. @@ -754,4 +760,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/bitnami/superset/templates/_helpers.tpl b/bitnami/superset/templates/_helpers.tpl index 0803741646..0b6076ff04 100644 --- a/bitnami/superset/templates/_helpers.tpl +++ b/bitnami/superset/templates/_helpers.tpl @@ -201,11 +201,16 @@ Add environment variables to configure database values - name: SUPERSET_DATABASE_USER value: {{ include "superset.database.user" . | quote }} {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} +{{- if .Values.usePasswordFiles }} +- name: SUPERSET_DATABASE_PASSWORD_FILE + value: {{ printf "/opt/bitnami/superset/secrets/%s" (include "superset.database.secretKey" .) }} +{{- else }} - name: SUPERSET_DATABASE_PASSWORD valueFrom: secretKeyRef: name: {{ include "superset.postgresql.secretName" . }} key: {{ include "superset.database.secretKey" . }} +{{- end }} {{- else }} - name: ALLOW_EMPTY_PASSWORD value: "true" @@ -222,22 +227,32 @@ Add environment variables to configure redis values value: {{ include "superset.redis.port" . | quote }} - name: REDIS_USER value: {{ ternary "default" .Values.externalRedis.username .Values.redis.enabled | quote }} +{{- if .Values.usePasswordFiles }} +- name: REDIS_PASSWORD_FILE + value: {{ printf "/opt/bitnami/superset/secrets/%s" (include "superset.redis.secretKey" .) }} +{{- else }} - name: REDIS_PASSWORD valueFrom: secretKeyRef: name: {{ include "superset.redis.secretName" . }} key: {{ include "superset.redis.secretKey" . }} +{{- end }} {{- end -}} {{/* Add environment variables to configure superset common values */}} {{- define "superset.configure.common" -}} +{{- if .Values.usePasswordFiles }} +- name: SUPERSET_SECRET_KEY_FILE + value: "/opt/bitnami/superset/secrets/superset-secret-key" +{{- else }} - name: SUPERSET_SECRET_KEY valueFrom: secretKeyRef: name: {{ include "superset.secretName" . }} key: superset-secret-key +{{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: SUPERSET_CONF_FILE value: "/bitnami/superset/conf/superset_config.py" @@ -276,6 +291,10 @@ Init container definition to wait for PostgreSQL . /opt/bitnami/scripts/liblog.sh . /opt/bitnami/scripts/libpostgresql.sh + {{- if .Values.usePasswordFiles }} + export SUPERSET_DATABASE_PASSWORD="$(< $SUPERSET_DATABASE_PASSWORD_FILE)" + {{- end }} + check_postgresql_connection() { echo "SELECT 1" | postgresql_remote_execute "$SUPERSET_DATABASE_HOST" "$SUPERSET_DATABASE_PORT_NUMBER" "$SUPERSET_DATABASE_NAME" "$SUPERSET_DATABASE_USER" "$SUPERSET_DATABASE_PASSWORD" } @@ -289,6 +308,12 @@ Init container definition to wait for PostgreSQL fi env: {{- include "superset.configure.database" . | nindent 4 }} + {{- if .Values.usePasswordFiles }} + volumeMounts: + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- end -}} {{/* @@ -320,6 +345,10 @@ Init container definition to wait for Redis . /opt/bitnami/scripts/libos.sh . /opt/bitnami/scripts/liblog.sh + {{- if .Values.usePasswordFiles }} + export REDIS_PASSWORD="$(< $REDIS_PASSWORD_FILE)" + {{- end }} + check_redis_connection() { local result="$(redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT_NUMBER} -a ${REDIS_PASSWORD} --user ${REDIS_USER} PING)" if [[ "$result" != "PONG" ]]; then @@ -336,6 +365,12 @@ Init container definition to wait for Redis fi env: {{- include "superset.configure.redis" . | nindent 4 }} + {{- if .Values.usePasswordFiles }} + volumeMounts: + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- end }} {{- define "superset.initContainers.waitForExamples" -}} @@ -365,6 +400,10 @@ Init container definition to wait for Redis . /opt/bitnami/scripts/liblog.sh . /opt/bitnami/scripts/libpostgresql.sh + {{- if .Values.usePasswordFiles }} + export SUPERSET_DATABASE_PASSWORD="$(< $SUPERSET_DATABASE_PASSWORD_FILE)" + {{- end }} + check_examples_database() { echo "SELECT dashboard_title FROM dashboards" | postgresql_remote_execute_print_output "$SUPERSET_DATABASE_HOST" "$SUPERSET_DATABASE_PORT_NUMBER" "$SUPERSET_DATABASE_NAME" "$SUPERSET_DATABASE_USER" "$SUPERSET_DATABASE_PASSWORD" | grep "Dashboard" } @@ -378,6 +417,12 @@ Init container definition to wait for Redis fi env: {{- include "superset.configure.database" . | nindent 4 }} + {{- if .Values.usePasswordFiles }} + volumeMounts: + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- end }} {{/* diff --git a/bitnami/superset/templates/beat/deployment.yaml b/bitnami/superset/templates/beat/deployment.yaml index d19b87ffcb..764aee74b8 100644 --- a/bitnami/superset/templates/beat/deployment.yaml +++ b/bitnami/superset/templates/beat/deployment.yaml @@ -161,6 +161,11 @@ spec: - name: empty-dir mountPath: /opt/bitnami/superset/tmp subPath: app-tmp-dir + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config mountPath: /bitnami/superset/conf @@ -174,6 +179,22 @@ spec: volumes: - name: empty-dir emptyDir: {} + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + projected: + sources: + - secret: + name: {{ include "superset.secretName" . }} + items: + - key: superset-secret-key + path: superset-secret-key + - secret: + name: {{ include "superset.redis.secretName" . }} + {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} + - secret: + name: {{ include "superset.postgresql.secretName" . }} + {{- end }} + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config configMap: diff --git a/bitnami/superset/templates/externaldb-secrets.yaml b/bitnami/superset/templates/externaldb-secrets.yaml index e7f2391afd..d19604bb85 100644 --- a/bitnami/superset/templates/externaldb-secrets.yaml +++ b/bitnami/superset/templates/externaldb-secrets.yaml @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) .Values.externalDatabase.password -}} +{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) .Values.externalDatabase.password }} apiVersion: v1 kind: Secret metadata: @@ -17,7 +17,7 @@ type: Opaque data: {{ .Values.externalDatabase.existingSecretPasswordKey }}: {{ .Values.externalDatabase.password | b64enc | quote }} {{- end }} -{{- if and (not .Values.redis.enabled) (not .Values.externalRedis.existingSecret) .Values.externalRedis.password -}} +{{- if and (not .Values.redis.enabled) (not .Values.externalRedis.existingSecret) .Values.externalRedis.password }} --- apiVersion: v1 kind: Secret diff --git a/bitnami/superset/templates/flower/deployment.yaml b/bitnami/superset/templates/flower/deployment.yaml index 7413459ee7..ba89463d00 100644 --- a/bitnami/superset/templates/flower/deployment.yaml +++ b/bitnami/superset/templates/flower/deployment.yaml @@ -175,8 +175,8 @@ spec: - name: empty-dir mountPath: /opt/bitnami/superset/superset_home subPath: superset-home - {{- if and .Values.flower.auth.enabled .Values.flower.auth.usePasswordFiles }} - - name: flower-basic-auth + {{- if .Values.usePasswordFiles }} + - name: superset-secrets mountPath: /opt/bitnami/superset/secrets readOnly: true {{- end }} @@ -193,13 +193,25 @@ spec: volumes: - name: empty-dir emptyDir: {} - {{- if and .Values.flower.auth.enabled .Values.flower.auth.usePasswordFiles }} - - name: flower-basic-auth - secret: - secretName: {{ template "superset.flower.secretName" . }} - items: - - key: flower-basic-auth - path: flower-basic-auth + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + projected: + sources: + - secret: + name: {{ include "superset.secretName" . }} + items: + - key: superset-secret-key + path: superset-secret-key + - secret: + name: {{ include "superset.redis.secretName" . }} + {{- if .Values.flower.auth.enabled }} + - secret: + name: {{ include "superset.flower.secretName" . }} + {{- end }} + {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} + - secret: + name: {{ include "superset.postgresql.secretName" . }} + {{- end }} {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config diff --git a/bitnami/superset/templates/init/init-job.yaml b/bitnami/superset/templates/init/init-job.yaml index d6d27076ce..9ded7f7e21 100644 --- a/bitnami/superset/templates/init/init-job.yaml +++ b/bitnami/superset/templates/init/init-job.yaml @@ -74,11 +74,16 @@ spec: value: {{ .Values.auth.username | quote }} - name: SUPERSET_EMAIL value: {{ .Values.auth.email | quote }} + {{- if .Values.usePasswordFiles }} + - name: SUPERSET_PASSWORD_FILE + value: "/opt/bitnami/superset/secrets/superset-password" + {{- else }} - name: SUPERSET_PASSWORD valueFrom: secretKeyRef: name: {{ include "superset.secretName" . }} key: superset-password + {{- end }} - name: SUPERSET_LOAD_EXAMPLES value: {{ ternary "true" "false" .Values.loadExamples | quote }} {{- if .Values.init.extraEnvVars }} @@ -105,6 +110,11 @@ spec: - name: empty-dir mountPath: /opt/bitnami/superset/superset_home subPath: superset-home + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config mountPath: /bitnami/superset/conf @@ -118,6 +128,24 @@ spec: volumes: - name: empty-dir emptyDir: {} + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + projected: + sources: + - secret: + name: {{ include "superset.secretName" . }} + items: + - key: superset-secret-key + path: superset-secret-key + - key: superset-password + path: superset-password + - secret: + name: {{ include "superset.redis.secretName" . }} + {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} + - secret: + name: {{ include "superset.postgresql.secretName" . }} + {{- end }} + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config configMap: diff --git a/bitnami/superset/templates/web/deployment.yaml b/bitnami/superset/templates/web/deployment.yaml index e015aa718c..53ab5eea32 100644 --- a/bitnami/superset/templates/web/deployment.yaml +++ b/bitnami/superset/templates/web/deployment.yaml @@ -167,6 +167,11 @@ spec: - name: empty-dir mountPath: /opt/bitnami/superset/superset_home subPath: superset-home + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config mountPath: /bitnami/superset/conf @@ -180,6 +185,22 @@ spec: volumes: - name: empty-dir emptyDir: {} + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + projected: + sources: + - secret: + name: {{ include "superset.secretName" . }} + items: + - key: superset-secret-key + path: superset-secret-key + - secret: + name: {{ include "superset.redis.secretName" . }} + {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} + - secret: + name: {{ include "superset.postgresql.secretName" . }} + {{- end }} + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config configMap: diff --git a/bitnami/superset/templates/worker/deployment.yaml b/bitnami/superset/templates/worker/deployment.yaml index c6f6c592dc..15d4c6fdd5 100644 --- a/bitnami/superset/templates/worker/deployment.yaml +++ b/bitnami/superset/templates/worker/deployment.yaml @@ -131,6 +131,9 @@ spec: - /bin/bash - -ec - | + {{- if .Values.usePasswordFiles }} + export SUPERSET_SECRET_KEY="$(< $SUPERSET_SECRET_KEY_FILE)" + {{- end }} . /opt/bitnami/scripts/superset-env.sh && celery -A superset.tasks.celery_app:app inspect ping -d celery@$HOSTNAME {{- end }} {{- if .Values.worker.customReadinessProbe }} @@ -142,6 +145,9 @@ spec: - /bin/bash - -ec - | + {{- if .Values.usePasswordFiles }} + export SUPERSET_SECRET_KEY="$(< $SUPERSET_SECRET_KEY_FILE)" + {{- end }} . /opt/bitnami/scripts/superset-env.sh && celery -A superset.tasks.celery_app:app inspect ping -d celery@$HOSTNAME {{- end }} {{- if .Values.worker.customStartupProbe }} @@ -153,6 +159,9 @@ spec: - /bin/bash - -ec - | + {{- if .Values.usePasswordFiles }} + export SUPERSET_SECRET_KEY="$(< $SUPERSET_SECRET_KEY_FILE)" + {{- end }} . /opt/bitnami/scripts/superset-env.sh && celery -A superset.tasks.celery_app:app inspect ping -d celery@$HOSTNAME {{- end }} {{- end }} @@ -166,6 +175,11 @@ spec: - name: empty-dir mountPath: /opt/bitnami/superset/superset_home subPath: superset-home + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + mountPath: /opt/bitnami/superset/secrets + readOnly: true + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config mountPath: /bitnami/superset/conf @@ -179,6 +193,22 @@ spec: volumes: - name: empty-dir emptyDir: {} + {{- if .Values.usePasswordFiles }} + - name: superset-secrets + projected: + sources: + - secret: + name: {{ include "superset.secretName" . }} + items: + - key: superset-secret-key + path: superset-secret-key + - secret: + name: {{ include "superset.redis.secretName" . }} + {{- if or (not .Values.postgresql.enabled) .Values.postgresql.auth.enablePostgresUser }} + - secret: + name: {{ include "superset.postgresql.secretName" . }} + {{- end }} + {{- end }} {{- if or .Values.existingConfigmap .Values.config }} - name: superset-config configMap: diff --git a/bitnami/superset/values.yaml b/bitnami/superset/values.yaml index ccfa548921..10cfbb8d76 100644 --- a/bitnami/superset/values.yaml +++ b/bitnami/superset/values.yaml @@ -59,6 +59,9 @@ clusterDomain: cluster.local ## @param extraDeploy Array of extra objects to deploy with the release ## extraDeploy: [] +## @param usePasswordFiles Mount credentials as files instead of using an environment variable +## +usePasswordFiles: true ## Diagnostic mode ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) ## @param diagnosticMode.command Command to override all containers in the chart release @@ -1488,9 +1491,6 @@ flower: ## If empty, a random password will be autogenerated ## password: "" - ## @param flower.auth.usePasswordFiles Mount credentials as files instead of using an environment variable - ## - usePasswordFiles: true ## @param flower.auth.existingSecret Name of existing secret to use for Superset Celery flower ## The secret must contain the key 'flower-basic-auth' encoding the HTTP basic auth string ##