buun-stack/superset/superset-values.gomplate.yaml

# Apache Superset Helm values
# Generated by gomplate

# Service configuration
service:
  type: ClusterIP
  port: 8088

# Ingress configuration
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - {{ env.Getenv "SUPERSET_HOST" }}
  tls:
    - secretName: superset-tls
      hosts:
        - {{ env.Getenv "SUPERSET_HOST" }}

# Init job settings (disable to use external database initialization)
init:
  enabled: true
  createAdmin: false
  loadExamples: false

# Superset node configuration
supersetNode:
  replicaCount: 1
  connections:
    # Redis configuration
    redis_host: superset-redis-headless
    redis_port: "6379"
    redis_cache_db: "1"
    redis_celery_db: "0"
    # PostgreSQL configuration for initContainer (wait-for-postgres)
    # The actual database connection uses SQLALCHEMY_DATABASE_URI from extraEnvRaw
    db_host: postgres-cluster-rw.postgres
    db_port: "5432"
    db_user: superset
    db_pass: {{ env.Getenv "SUPERSET_DB_PASSWORD" }}
    db_name: superset

# Superset worker (Celery) configuration
supersetWorker:
  replicaCount: 1

# Database configuration (use existing PostgreSQL)
postgresql:
  enabled: false

# Redis configuration (embedded)
redis:
  enabled: true
  image:
    registry: docker.io
    repository: bitnami/redis
    # Since August 2025, Bitnami changed its strategy:
    # - Community users can only use 'latest' tag (no version pinning)
    # - Versioned tags moved to 'bitnamilegacy' repository (deprecated, no updates)
    # - For production with version pinning, consider using official redis image separately
    tag: latest
  master:
    persistence:
      enabled: false

# Extra environment variables
extraEnv:
  KEYCLOAK_HOST: {{ env.Getenv "KEYCLOAK_HOST" }}
  KEYCLOAK_REALM: {{ env.Getenv "KEYCLOAK_REALM" }}

# Extra environment variables from existing secrets
extraEnvRaw:
  - name: SUPERSET_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: superset-secret
        key: SECRET_KEY
  - name: SQLALCHEMY_DATABASE_URI
    valueFrom:
      secretKeyRef:
        name: superset-secret
        key: SQLALCHEMY_DATABASE_URI
  - name: OAUTH_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: superset-secret
        key: OAUTH_CLIENT_SECRET

# Configuration overrides for superset_config.py
configOverrides:
  keycloak_oauth: |
    import os
    from flask_appbuilder.security.manager import AUTH_OAUTH
    from superset.security import SupersetSecurityManager


    class CustomSsoSecurityManager(SupersetSecurityManager):
        def oauth_user_info(self, provider, response=None):
            """Get user information from OAuth provider."""
            if provider == "keycloak":
                me = self.appbuilder.sm.oauth_remotes[provider].get(
                    "protocol/openid-connect/userinfo"
                )
                data = me.json()
                return {
                    "username": data.get("preferred_username"),
                    "name": data.get("name"),
                    "email": data.get("email"),
                    "first_name": data.get("given_name", ""),
                    "last_name": data.get("family_name", ""),
                    "role_keys": data.get("groups", []),
                }
            return {}


    # Authentication type
    AUTH_TYPE = AUTH_OAUTH

    # Auto-registration for new users
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Gamma"

    # Custom security manager
    CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager

    # OAuth configuration
    OAUTH_PROVIDERS = [
        {
            "name": "keycloak",
            "icon": "fa-key",
            "token_key": "access_token",
            "remote_app": {
                "client_id": "superset",
                "client_secret": os.environ.get("OAUTH_CLIENT_SECRET"),
                "server_metadata_url": f"https://{os.environ.get('KEYCLOAK_HOST')}/realms/{os.environ.get('KEYCLOAK_REALM')}/.well-known/openid-configuration",
                "api_base_url": f"https://{os.environ.get('KEYCLOAK_HOST')}/realms/{os.environ.get('KEYCLOAK_REALM')}/",
                "client_kwargs": {
                    "scope": "openid email profile"
                },
            }
        }
    ]

    # Role mapping
    AUTH_ROLES_MAPPING = {
        "superset-admin": ["Admin"],
        "Alpha": ["Alpha"],
        "Gamma": ["Gamma"],
    }

    # Sync roles at each login
    AUTH_ROLES_SYNC_AT_LOGIN = True

    # Enable Trino database support
    PREVENT_UNSAFE_DB_CONNECTIONS = False

    # Proxy configuration (for HTTPS behind Traefik)
    ENABLE_PROXY_FIX = True
    PREFERRED_URL_SCHEME = "https"

    # Disable SQL Lab backend persistence to avoid tab state migration errors
    SQLLAB_BACKEND_PERSISTENCE = False

# Bootstrap script for initial setup
# Note: Superset 5.0+ uses 'uv' instead of 'pip' for package management
bootstrapScript: |
  #!/bin/bash
  uv pip install psycopg2-binary sqlalchemy-trino authlib
  if [ ! -f ~/bootstrap ]; then echo "Bootstrap complete" > ~/bootstrap; fi