feat(superset): install Apache Superset

2025-10-21 20:51:49 +09:00
parent 5905b1b264
commit f287189197
9 changed files with 946 additions and 31 deletions
--- a/superset/superset-values.gomplate.yaml
+++ b/superset/superset-values.gomplate.yaml
@@ -0,0 +1,168 @@
+# Apache Superset Helm values
+# Generated by gomplate
+
+# Service configuration
+service:
+    type: ClusterIP
+    port: 8088
+
+# Ingress configuration
+ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    hosts:
+        - {{ env.Getenv "SUPERSET_HOST" }}
+    tls:
+        - secretName: superset-tls
+          hosts:
+              - {{ env.Getenv "SUPERSET_HOST" }}
+
+# Init job settings (disable to use external database initialization)
+init:
+    enabled: true
+    loadExamples: false
+
+# Superset node configuration
+supersetNode:
+    replicaCount: 1
+    connections:
+        # Redis configuration
+        redis_host: superset-redis-headless
+        redis_port: "6379"
+        redis_cache_db: "1"
+        redis_celery_db: "0"
+        # PostgreSQL configuration for initContainer (wait-for-postgres)
+        # The actual database connection uses SQLALCHEMY_DATABASE_URI from extraEnvRaw
+        db_host: postgres-cluster-rw.postgres
+        db_port: "5432"
+        db_user: superset
+        db_pass: {{ env.Getenv "SUPERSET_DB_PASSWORD" }}
+        db_name: superset
+
+# Superset worker (Celery) configuration
+supersetWorker:
+    replicaCount: 1
+
+# Database configuration (use existing PostgreSQL)
+postgresql:
+    enabled: false
+
+# Redis configuration (embedded)
+redis:
+    enabled: true
+    image:
+        registry: docker.io
+        repository: bitnami/redis
+        # Since August 2025, Bitnami changed its strategy:
+        # - Community users can only use 'latest' tag (no version pinning)
+        # - Versioned tags moved to 'bitnamilegacy' repository (deprecated, no updates)
+        # - For production with version pinning, consider using official redis image separately
+        tag: latest
+    master:
+        persistence:
+            enabled: false
+
+# Extra environment variables
+extraEnv:
+    KEYCLOAK_HOST: {{ env.Getenv "KEYCLOAK_HOST" }}
+    KEYCLOAK_REALM: {{ env.Getenv "KEYCLOAK_REALM" }}
+
+# Extra environment variables from existing secrets
+extraEnvRaw:
+    - name: SUPERSET_SECRET_KEY
+      valueFrom:
+          secretKeyRef:
+              name: superset-secret
+              key: SECRET_KEY
+    - name: SQLALCHEMY_DATABASE_URI
+      valueFrom:
+          secretKeyRef:
+              name: superset-secret
+              key: SQLALCHEMY_DATABASE_URI
+    - name: OAUTH_CLIENT_SECRET
+      valueFrom:
+          secretKeyRef:
+              name: superset-secret
+              key: OAUTH_CLIENT_SECRET
+
+# Configuration overrides for superset_config.py
+configOverrides:
+    keycloak_oauth: |
+        import os
+        from flask_appbuilder.security.manager import AUTH_OAUTH
+        from superset.security import SupersetSecurityManager
+
+
+        class CustomSsoSecurityManager(SupersetSecurityManager):
+            def oauth_user_info(self, provider, response=None):
+                """Get user information from OAuth provider."""
+                if provider == "keycloak":
+                    me = self.appbuilder.sm.oauth_remotes[provider].get(
+                        "protocol/openid-connect/userinfo"
+                    )
+                    data = me.json()
+                    return {
+                        "username": data.get("preferred_username"),
+                        "name": data.get("name"),
+                        "email": data.get("email"),
+                        "first_name": data.get("given_name", ""),
+                        "last_name": data.get("family_name", ""),
+                        "role_keys": data.get("groups", []),
+                    }
+                return {}
+
+
+        # Authentication type
+        AUTH_TYPE = AUTH_OAUTH
+
+        # Auto-registration for new users
+        AUTH_USER_REGISTRATION = True
+        AUTH_USER_REGISTRATION_ROLE = "Gamma"
+
+        # Custom security manager
+        CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
+
+        # OAuth configuration
+        OAUTH_PROVIDERS = [
+            {
+                "name": "keycloak",
+                "icon": "fa-key",
+                "token_key": "access_token",
+                "remote_app": {
+                    "client_id": "superset",
+                    "client_secret": os.environ.get("OAUTH_CLIENT_SECRET"),
+                    "server_metadata_url": f"https://{os.environ.get('KEYCLOAK_HOST')}/realms/{os.environ.get('KEYCLOAK_REALM')}/.well-known/openid-configuration",
+                    "api_base_url": f"https://{os.environ.get('KEYCLOAK_HOST')}/realms/{os.environ.get('KEYCLOAK_REALM')}/",
+                    "client_kwargs": {
+                        "scope": "openid email profile"
+                    },
+                }
+            }
+        ]
+
+        # Role mapping
+        AUTH_ROLES_MAPPING = {
+            "superset-admin": ["Admin"],
+            "Alpha": ["Alpha"],
+            "Gamma": ["Gamma"],
+        }
+
+        # Sync roles at each login
+        AUTH_ROLES_SYNC_AT_LOGIN = True
+
+        # Enable Trino database support
+        PREVENT_UNSAFE_DB_CONNECTIONS = False
+
+        # Proxy configuration (for HTTPS behind Traefik)
+        ENABLE_PROXY_FIX = True
+        PREFERRED_URL_SCHEME = "https"
+
+# Bootstrap script for initial setup
+# Note: Superset 5.0+ uses 'uv' instead of 'pip' for package management
+bootstrapScript: |
+    #!/bin/bash
+    uv pip install psycopg2-binary sqlalchemy-trino authlib
+    if [ ! -f ~/bootstrap ]; then echo "Bootstrap complete" > ~/bootstrap; fi