fix(superset): fix reinstall and adjust resource request/limit

Masaki Yatsu
2025-11-23 22:36:34 +09:00
parent 744ce1e4c5
commit 6e9580c7bd
2 changed files with 66 additions and 11 deletions


@@ -7,6 +7,18 @@ export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault") export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack") export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "") export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
export SUPERSET_CPU_REQUEST := env("SUPERSET_CPU_REQUEST", "50m")
export SUPERSET_CPU_LIMIT := env("SUPERSET_CPU_LIMIT", "1")
export SUPERSET_MEMORY_REQUEST := env("SUPERSET_MEMORY_REQUEST", "500Mi")
export SUPERSET_MEMORY_LIMIT := env("SUPERSET_MEMORY_LIMIT", "3Gi")
export SUPERSET_WORKER_CPU_REQUEST := env("SUPERSET_WORKER_CPU_REQUEST", "300m")
export SUPERSET_WORKER_CPU_LIMIT := env("SUPERSET_WORKER_CPU_LIMIT", "4")
export SUPERSET_WORKER_MEMORY_REQUEST := env("SUPERSET_WORKER_MEMORY_REQUEST", "4Gi")
export SUPERSET_WORKER_MEMORY_LIMIT := env("SUPERSET_WORKER_MEMORY_LIMIT", "8Gi")
export REDIS_CPU_REQUEST := env("REDIS_CPU_REQUEST", "50m")
export REDIS_CPU_LIMIT := env("REDIS_CPU_LIMIT", "200m")
export REDIS_MEMORY_REQUEST := env("REDIS_MEMORY_REQUEST", "128Mi")
export REDIS_MEMORY_LIMIT := env("REDIS_MEMORY_LIMIT", "256Mi")
[private] [private]
default: default:
@@ -84,8 +96,6 @@ create-secrets postgres_password='':
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
secret_key=$(just utils::random-password)
pg_host="postgres-cluster-rw.postgres" pg_host="postgres-cluster-rw.postgres"
pg_port="5432" pg_port="5432"
pg_user="superset" pg_user="superset"
@@ -101,17 +111,26 @@ create-secrets postgres_password='':
oauth_client_secret=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \ oauth_client_secret=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \
-o jsonpath='{.data.client_secret}' | base64 -d) -o jsonpath='{.data.client_secret}' | base64 -d)
else else
echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." >&2
exit 1 exit 1
fi fi
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
echo "External Secrets Operator detected. Storing secrets in Vault..." echo "External Secrets Operator detected. Storing secrets in Vault..."
# Try to retrieve existing SECRET_KEY, generate new one if not found
if secret_key=$(just vault::get superset/config SECRET_KEY 2>/dev/null); then
echo "Using existing SECRET_KEY from Vault."
else
echo "Generating new SECRET_KEY..."
secret_key=$(just utils::random-password)
fi
just vault::put superset/config \ just vault::put superset/config \
SECRET_KEY="${secret_key}" \ SECRET_KEY="${secret_key}" \
SQLALCHEMY_DATABASE_URI="${database_url}" \ SQLALCHEMY_DATABASE_URI="${database_url}" \
OAUTH_CLIENT_SECRET="${oauth_client_secret}" OAUTH_CLIENT_SECRET="${oauth_client_secret}" \
DB_PASSWORD="${pg_password}"
kubectl delete secret superset-secret -n ${SUPERSET_NAMESPACE} --ignore-not-found kubectl delete secret superset-secret -n ${SUPERSET_NAMESPACE} --ignore-not-found
kubectl delete externalsecret superset-secret -n ${SUPERSET_NAMESPACE} --ignore-not-found kubectl delete externalsecret superset-secret -n ${SUPERSET_NAMESPACE} --ignore-not-found
@@ -161,8 +180,21 @@ install:
pod-security.kubernetes.io/enforce=baseline --overwrite pod-security.kubernetes.io/enforce=baseline --overwrite
# Create Superset database and user # Create Superset database and user
if just postgres::user-exists superset &>/dev/null; then
echo "PostgreSQL user 'superset' already exists."
if helm status external-secrets -n ${EXTERNAL_SECRETS_NAMESPACE} &>/dev/null; then
POSTGRES_PASSWORD=$(just vault::get superset/config DB_PASSWORD)
else
echo "Without External Secrets Operator, cannot retrieve DB password." >&2
echo "Please dump the database and run restore after installation:" >&2
echo "just superset::restore <backup-file>" >&2
exit 1
fi
else
echo "Creating new PostgreSQL user and database..."
POSTGRES_PASSWORD=$(just utils::random-password) POSTGRES_PASSWORD=$(just utils::random-password)
just postgres::create-user-and-db superset superset "${POSTGRES_PASSWORD}" just postgres::create-user-and-db superset superset "${POSTGRES_PASSWORD}"
fi
just create-keycloak-client just create-keycloak-client
just create-secrets "${POSTGRES_PASSWORD}" just create-secrets "${POSTGRES_PASSWORD}"
@@ -174,7 +206,7 @@ install:
export OAUTH_CLIENT_SECRET=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \ export OAUTH_CLIENT_SECRET=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \
-o jsonpath='{.data.client_secret}' | base64 -d) -o jsonpath='{.data.client_secret}' | base64 -d)
else else
echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." >&2
exit 1 exit 1
fi fi
@@ -226,7 +258,7 @@ upgrade:
export OAUTH_CLIENT_SECRET=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \ export OAUTH_CLIENT_SECRET=$(kubectl get secret superset-oauth-temp -n ${SUPERSET_NAMESPACE} \
-o jsonpath='{.data.client_secret}' | base64 -d) -o jsonpath='{.data.client_secret}' | base64 -d)
else else
echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." echo "Error: Cannot retrieve OAuth client secret. Please run 'just superset::create-keycloak-client' first." >&2
exit 1 exit 1
fi fi
@@ -254,10 +286,10 @@ uninstall delete-db='true':
just delete-namespace just delete-namespace
if [ "{{ delete-db }}" = "true" ]; then if [ "{{ delete-db }}" = "true" ]; then
just postgres::delete-user-and-db superset superset just postgres::delete-user-and-db superset superset
just vault::delete superset/config || true
fi fi
if helm status vault -n ${K8S_VAULT_NAMESPACE} &>/dev/null; then if helm status vault -n ${K8S_VAULT_NAMESPACE} &>/dev/null; then
just vault::delete superset/config || true
just vault::delete superset/oauth || true just vault::delete superset/oauth || true
fi fi
@@ -275,7 +307,7 @@ restore backup_file charts_only='false':
fi fi
if [ ! -f "${BACKUP_FILE}" ]; then if [ ! -f "${BACKUP_FILE}" ]; then
echo "Error: Backup file '${BACKUP_FILE}' not found" echo "Error: Backup file '${BACKUP_FILE}' not found" >&2
exit 1 exit 1
fi fi
@@ -283,7 +315,7 @@ restore backup_file charts_only='false':
-o jsonpath='{.items[0].metadata.name}') -o jsonpath='{.items[0].metadata.name}')
if [ -z "${POD_NAME}" ]; then if [ -z "${POD_NAME}" ]; then
echo "Error: PostgreSQL pod not found" echo "Error: PostgreSQL pod not found" >&2
exit 1 exit 1
fi fi
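Review bot: The new `if secret_key=$(just vault::get superset/config SECRET_KEY 2>/dev/null); then` in `create-secrets` treats any non-zero exit from `vault::get` as "key not found" and accepts an empty result as a valid key; `vault::get` is defined outside this page, so its exit behaviour should be confirmed. A read that fails for a transient reason would silently replace SECRET_KEY on the following `vault::put`, and Superset can then no longer decrypt the connection credentials it stored under the old key. I would require a non-empty value, `if secret_key=$(just vault::get superset/config SECRET_KEY 2>/dev/null) && [ -n "${secret_key}" ]; then`, and log the failure reason instead of discarding stderr. The `install` hunk has the same gap: a release created before this commit never wrote DB_PASSWORD to Vault, so `POSTGRES_PASSWORD=$(just vault::get superset/config DB_PASSWORD)` should be followed by `[ -n "${POSTGRES_PASSWORD}" ] || { echo "DB_PASSWORD not found in Vault" >&2; exit 1; }` before `create-secrets` writes it back. Since the unconditional `secret_key=` assignment at the top of the recipe appears to be removed, the branch without External Secrets (outside the visible hunk) needs its own assignment or `set -u` will abort there.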


@@ -69,6 +69,14 @@ init:
supersetNode: supersetNode:
replicaCount: 1 replicaCount: 1
resources:
requests:
cpu: "{{ .Env.SUPERSET_CPU_REQUEST }}"
memory: "{{ .Env.SUPERSET_MEMORY_REQUEST }}"
limits:
cpu: "{{ .Env.SUPERSET_CPU_LIMIT }}"
memory: "{{ .Env.SUPERSET_MEMORY_LIMIT }}"
# Security context for Pod Security Standards (baseline) # Security context for Pod Security Standards (baseline)
podSecurityContext: podSecurityContext:
fsGroup: 1000 fsGroup: 1000
@@ -126,6 +134,14 @@ supersetNode:
supersetWorker: supersetWorker:
replicaCount: 1 replicaCount: 1
resources:
requests:
cpu: "{{ .Env.SUPERSET_WORKER_CPU_REQUEST }}"
memory: "{{ .Env.SUPERSET_WORKER_MEMORY_REQUEST }}"
limits:
cpu: "{{ .Env.SUPERSET_WORKER_CPU_LIMIT }}"
memory: "{{ .Env.SUPERSET_WORKER_MEMORY_LIMIT }}"
# Security context for Pod Security Standards (baseline) # Security context for Pod Security Standards (baseline)
podSecurityContext: podSecurityContext:
fsGroup: 1000 fsGroup: 1000
@@ -183,6 +199,13 @@ redis:
master: master:
persistence: persistence:
enabled: false enabled: false
resources:
requests:
cpu: "{{ .Env.REDIS_CPU_REQUEST }}"
memory: "{{ .Env.REDIS_MEMORY_REQUEST }}"
limits:
cpu: "{{ .Env.REDIS_CPU_LIMIT }}"
memory: "{{ .Env.REDIS_MEMORY_LIMIT }}"
# Security context for Pod Security Standards (restricted) # Security context for Pod Security Standards (restricted)
podSecurityContext: podSecurityContext:
runAsNonRoot: true runAsNonRoot: true
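Review bot: The Redis block caps the container at `REDIS_MEMORY_LIMIT` (256Mi by default in the justfile), but nothing in this hunk bounds Redis's own memory use, and persistence is disabled just above. If Redis grows past the limit the container is OOM-killed and whatever it held, presumably Superset's Celery queue entries and cache, is lost. I would at least add a comment above `resources:` such as `# Keep Redis maxmemory below REDIS_MEMORY_LIMIT; persistence is off, so an OOM kill drops all data`, and confirm whether maxmemory is configured elsewhere in this values file.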