From 35eb57de76b9978e294ec84dfe04a95deabd9b2f Mon Sep 17 00:00:00 2001 
From: Alex Corvin Date: Tue, 3 Oct 2023 10:47:42 -0400 Subject: [PATCH] Move deployment artifacts for Superset Previously our superset deployment pulled from the kustomize artifacts in the upstream odh-contrib-manifests repo. To simplify the deployment of superset, this pulls all of the artifacts into this repo. --- kfdefs/base/superset/kfdef.yaml | 23 --- kfdefs/base/superset/kustomization.yaml | 26 --- kfdefs/base/superset/superset-deployment.yaml | 20 --- kfdefs/overlays/dev/kustomization.yaml | 1 - kfdefs/overlays/prod/kustomization.yaml | 1 - kfdefs/overlays/stage/kustomization.yaml | 1 - superset/base/deployment.yaml | 98 +++++++++++ superset/base/kustomization.yaml | 125 ++++++++++++++ superset/base/params.env | 11 ++ superset/base/params.yaml | 24 +++ superset/base/route.yaml | 15 ++ .../base}/secret-generator.yaml | 0 superset/base/secret-superset.yaml | 13 ++ superset/base/service-account.yaml | 7 + superset/base/service.yaml | 15 ++ superset/base/superset-rbac-viewer-role.yaml | 12 ++ .../superset-rbac-viewer-rolebinding.yaml | 11 ++ superset/base/superset-service-account.yaml | 6 + .../base}/superset_additional_config.py | 0 superset/base/superset_config.py | 157 ++++++++++++++++++ superset/base/supersetdb-deployment.yaml | 69 ++++++++ superset/base/supersetdb-pvc.yaml | 14 ++ superset/base/supersetdb-secret.yaml | 14 ++ superset/base/supersetdb-service.yaml | 15 ++ .../trino-route-certificate-secret.enc.yaml | 0 .../overlays/dev}/kustomization.yaml | 2 +- .../prod}/bareos-fd-config-secret.enc.yaml | 0 .../prod}/bareos-fd-deploymentconfig.yaml | 0 .../overlays/prod}/bareos-fd-imagestream.yaml | 0 .../overlays/prod}/bareos-fd-service.yaml | 0 .../overlays/prod}/kustomization.yaml | 2 +- .../overlays/prod}/secret-generator.yaml | 0 .../prod}/superset-admin-secret.enc.yaml | 0 .../prod}/superset-db-secret.enc.yaml | 0 .../prod}/superset-secured-route.enc.yaml | 0 .../prod}/superset-service-account.yaml | 0 .../supersetdb-deployment-pvc-backup.yaml | 0 
.../overlays/prod}/supersetdb-route.yaml | 0 .../prod}/supersetdb-service-nodePort.yaml | 0 .../overlays/stage}/kustomization.yaml | 2 +- .../overlays/stage}/secret-generator.yaml | 0 .../stage}/superset-admin-secret.enc.yaml | 0 .../stage}/superset-db-secret.enc.yaml | 0 43 files changed, 609 insertions(+), 75 deletions(-) delete mode 100644 kfdefs/base/superset/kfdef.yaml delete mode 100644 kfdefs/base/superset/kustomization.yaml delete mode 100644 kfdefs/base/superset/superset-deployment.yaml create mode 100644 superset/base/deployment.yaml create mode 100644 superset/base/kustomization.yaml create mode 100644 superset/base/params.env create mode 100644 superset/base/params.yaml create mode 100644 superset/base/route.yaml rename {kfdefs/base/superset => superset/base}/secret-generator.yaml (100%) create mode 100644 superset/base/secret-superset.yaml create mode 100644 superset/base/service-account.yaml create mode 100644 superset/base/service.yaml create mode 100644 superset/base/superset-rbac-viewer-role.yaml create mode 100644 superset/base/superset-rbac-viewer-rolebinding.yaml create mode 100644 superset/base/superset-service-account.yaml rename {kfdefs/base/superset => superset/base}/superset_additional_config.py (100%) create mode 100644 superset/base/superset_config.py create mode 100644 superset/base/supersetdb-deployment.yaml create mode 100644 superset/base/supersetdb-pvc.yaml create mode 100644 superset/base/supersetdb-secret.yaml create mode 100644 superset/base/supersetdb-service.yaml rename {kfdefs/base/superset => superset/base}/trino-route-certificate-secret.enc.yaml (100%) rename {kfdefs/overlays/dev/dh-dev-superset => superset/overlays/dev}/kustomization.yaml (89%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/bareos-fd-config-secret.enc.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/bareos-fd-deploymentconfig.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => 
superset/overlays/prod}/bareos-fd-imagestream.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/bareos-fd-service.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/kustomization.yaml (99%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/secret-generator.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/superset-admin-secret.enc.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/superset-db-secret.enc.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/superset-secured-route.enc.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/superset-service-account.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/supersetdb-deployment-pvc-backup.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/supersetdb-route.yaml (100%) rename {kfdefs/overlays/prod/dh-prod-superset => superset/overlays/prod}/supersetdb-service-nodePort.yaml (100%) rename {kfdefs/overlays/stage/dh-stage-superset => superset/overlays/stage}/kustomization.yaml (98%) rename {kfdefs/overlays/stage/dh-stage-superset => superset/overlays/stage}/secret-generator.yaml (100%) rename {kfdefs/overlays/stage/dh-stage-superset => superset/overlays/stage}/superset-admin-secret.enc.yaml (100%) rename {kfdefs/overlays/stage/dh-stage-superset => superset/overlays/stage}/superset-db-secret.enc.yaml (100%) diff --git a/kfdefs/base/superset/kfdef.yaml b/kfdefs/base/superset/kfdef.yaml deleted file mode 100644 index 4c844885..00000000 --- a/kfdefs/base/superset/kfdef.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - annotations: - kfctl.kubeflow.io/force-delete: "false" - name: opendatahub -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - repoRef: - name: manifests - path: superset - name: superset - repos: - - name: manifests - uri: "https://github.com/opendatahub-io/odh-manifests/tarball/v1.1.0" - version: v1.1.0 diff --git a/kfdefs/base/superset/kustomization.yaml b/kfdefs/base/superset/kustomization.yaml deleted file mode 100644 index 404898e1..00000000 --- a/kfdefs/base/superset/kustomization.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: idh-superset - -bases: - - github.com/opendatahub-io-contrib/odh-contrib-manifests/superset/base?ref=b0d11d452ce1a3a14d9c604a34c5d213342fb9aa - -patchesStrategicMerge: - - ./superset-deployment.yaml - -generators: -- ./secret-generator.yaml - -generatorOptions: - disableNameSuffixHash: true -configMapGenerator: - - name: superset-config-py - behavior: merge - files: - - superset_additional_config.py - -images: - - name: quay.io/opendatahub/superset:1.5.0-ubi - newName: quay.io/opendatahub/superset - newTag: 1.5.2-ubi diff --git a/kfdefs/base/superset/superset-deployment.yaml b/kfdefs/base/superset/superset-deployment.yaml deleted file mode 100644 index 0fc3999e..00000000 --- a/kfdefs/base/superset/superset-deployment.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: superset -spec: - template: - spec: - containers: - - name: superset - env: - - name: SUPERSET_ADDITIONAL_CONFIG - value: /etc/superset/superset_additional_config.py - volumeMounts: - - mountPath: "/etc/certs" - name: trino-route-certificate-secret - readOnly: true - volumes: - - name: trino-route-certificate-secret - secret: - secretName: trino-route-certificate-secret 
diff --git a/kfdefs/overlays/dev/kustomization.yaml b/kfdefs/overlays/dev/kustomization.yaml index 89711954..c49d740e 100644 --- a/kfdefs/overlays/dev/kustomization.yaml +++ b/kfdefs/overlays/dev/kustomization.yaml @@ -4,4 +4,3 @@ kind: Kustomization resources: - dh-dev-trino - - dh-dev-superset diff --git a/kfdefs/overlays/prod/kustomization.yaml b/kfdefs/overlays/prod/kustomization.yaml index 5e6d6052..e61fd121 100644 --- a/kfdefs/overlays/prod/kustomization.yaml +++ b/kfdefs/overlays/prod/kustomization.yaml @@ -4,4 +4,3 @@ kind: Kustomization resources: - dh-prod-trino - - dh-prod-superset diff --git a/kfdefs/overlays/stage/kustomization.yaml b/kfdefs/overlays/stage/kustomization.yaml index 2d64b0c6..fe99715d 100644 --- a/kfdefs/overlays/stage/kustomization.yaml +++ b/kfdefs/overlays/stage/kustomization.yaml @@ -4,4 +4,3 @@ kind: Kustomization resources: - dh-stage-trino - - dh-stage-superset diff --git a/superset/base/deployment.yaml b/superset/base/deployment.yaml new file mode 100644 index 00000000..8c3ff9d8 --- /dev/null +++ b/superset/base/deployment.yaml 
@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: superset
+ labels:
+ app: superset
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ deployment: superset
+ template:
+ metadata:
+ labels:
+ app: superset
+ deployment: superset
+ spec:
+ initContainers:
+ - name: superset-init
+ env:
+ - name: SUPERSET_CONFIG_PATH
+ value: /etc/superset/superset_config.py
+ - name: POSTGRESQL_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: database-user
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: database-password
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: database-name
+ name: $(superset_db_secret)
+ envFrom:
+ - secretRef:
+ name: $(superset_secret)
+ image: superset
+ command: ['sh', '-c', "sleep 30; superset-init --username $SUPERSET_ADMIN_USER --firstname $SUPERSET_ADMIN_FNAME --lastname $SUPERSET_ADMIN_LNAME --email $SUPERSET_ADMIN_EMAIL --password $SUPERSET_ADMIN_PASSWORD"]
+ volumeMounts:
+ - mountPath: /etc/superset
+ name: superset-config
+ containers:
+ - name: superset
+ env:
+ - name: SUPERSET_ADDITIONAL_CONFIG
+ value: /etc/superset/superset_additional_config.py
+ - name: SUPERSET_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: SUPERSET_SECRET_KEY
+ name: $(superset_secret)
+ - name: POSTGRESQL_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: database-user
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: database-password
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: database-name
+ name: $(superset_db_secret)
+ - name: SUPERSET_CONFIG_PATH
+ value: /etc/superset/superset_config.py
+ image: superset
+ ports:
+ - containerPort: 8088
+ protocol: TCP
+ volumeMounts:
+ - mountPath: "/etc/certs"
+ name: trino-route-certificate-secret
+ readOnly: true
+ - mountPath: /etc/superset
+ name: superset-config
+ resources:
+ requests:
+ cpu: $(superset_cpu_requests)
+ memory: $(superset_memory_requests)
+ limits:
+ cpu: $(superset_cpu_limits)
+ memory: $(superset_memory_limits)
+ serviceAccountName: superset
+ volumes:
+ - name: superset-config
+ configMap:
+ name: superset-config-py
+ defaultMode: 420
+ - name: trino-route-certificate-secret
+ secret:
+ secretName: trino-route-certificate-secret
diff --git a/superset/base/kustomization.yaml b/superset/base/kustomization.yaml
new file mode 100644
index 00000000..3a5514b5
--- /dev/null
+++ b/superset/base/kustomization.yaml
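Review bot: The `superset-init` command in superset/base/deployment.yaml expands `$SUPERSET_ADMIN_PASSWORD` and the other admin fields unquoted inside `sh -c`, so a value containing spaces or glob characters is word-split before it reaches `superset-init`, and the password travels as a command-line argument where it is readable from the container's process list. Quoting each expansion (`--password \"$SUPERSET_ADMIN_PASSWORD\"` inside the YAML double-quoted string) fixes the splitting; whether `superset-init` can read the password from the environment instead is not visible here. The fixed `sleep 30` presumably waits for the database and would be more dependable as an explicit wait on `supersetdb:5432`. Neither Superset container defines a readiness or liveness probe, unlike the `supersetdb` Deployment added in this commit.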
@@ -0,0 +1,125 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret-superset.yaml
+ - deployment.yaml
+ - service.yaml
+ - route.yaml
+ - supersetdb-deployment.yaml
+ - supersetdb-pvc.yaml
+ - supersetdb-secret.yaml
+ - supersetdb-service.yaml
+ - superset-rbac-viewer-role.yaml
+ - superset-rbac-viewer-rolebinding.yaml
+ - superset-service-account.yaml
+
+commonLabels:
+ opendatahub.io/component: "true"
+ component.opendatahub.io/name: superset
+ app: superset
+ app.kubernetes.io/part-of: superset
+
+generators:
+ - ./secret-generator.yaml
+
+configMapGenerator:
+ - name: superset-config
+ envs:
+ - params.env
+ - name: superset-config-py
+ files:
+ - superset_config.py
+ - superset_additional_config.py
+
+vars:
+ - name: superset_secret
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_secret
+ - name: superset_db_secret
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_db_secret
+ - name: superset_memory_requests
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_memory_requests
+ - name: superset_memory_limits
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_memory_limits
+ - name: superset_cpu_requests
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_cpu_requests
+ - name: superset_cpu_limits
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_cpu_limits
+ - name: superset_db_memory_requests
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_db_memory_requests
+ - name: superset_db_memory_limits
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_db_memory_limits
+ - name: superset_db_cpu_requests
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_db_cpu_requests
+ - name: superset_db_cpu_limits
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.superset_db_cpu_limits
+ - name: storage_class
+ objref:
+ name: superset-config
+ kind: ConfigMap
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.storage_class
+
+configurations:
+ - params.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+images:
+ - name: superset
+ newName: quay.io/opendatahub/superset
+ newTag: "1.5.2-ubi"
+ - name: supersetdb
+ newName: quay.io/internaldatahub/postgresql-96-centos7
+ newTag: "9.6"
diff --git a/superset/base/params.env b/superset/base/params.env
new file mode 100644
index 00000000..02dfe094
--- /dev/null
+++ b/superset/base/params.env
@@ -0,0 +1,11 @@
+storage_class=default
+superset_secret=superset
+superset_db_secret=supersetdb
+superset_memory_requests=1Gi
+superset_memory_limits=2Gi
+superset_cpu_requests=300m
+superset_cpu_limits=2
+superset_db_memory_requests=300Mi
+superset_db_memory_limits=1Gi
+superset_db_cpu_requests=300m
+superset_db_cpu_limits=1
diff --git a/superset/base/params.yaml b/superset/base/params.yaml
new file mode 100644
index 00000000..416cd609
--- /dev/null
+++ b/superset/base/params.yaml
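Review bot: The `images:` block at the end of superset/base/kustomization.yaml pins both containers by mutable tag only, and `supersetdb` resolves to `quay.io/internaldatahub/postgresql-96-centos7` at `9.6`; PostgreSQL 9.6 stopped receiving upstream security fixes in November 2021, so Superset's metadata database would run on an unsupported release. Because supersetdb-deployment.yaml sets `imagePullPolicy: Always`, the content behind the `9.6` tag can also change without any commit to this repository. Consider moving to a supported PostgreSQL image and pinning both entries with `digest:` rather than `newTag:`. Separately, `vars:` is deprecated in current kustomize in favour of `replacements:`, which is worth a comment now that these manifests are maintained here.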
@@ -0,0 +1,24 @@
+---
+varReference:
+ - path: data
+ kind: ConfigMap
+ - path: stringData
+ kind: Secret
+ - path: metadata/annotations/volume.beta.kubernetes.io\/storage-class
+ kind: PersistentVolumeClaim
+ - path: spec/template/spec/containers[]/resources/requests/cpu
+ kind: Deployment
+ - path: spec/template/spec/containers[]/resources/limits/cpu
+ kind: Deployment
+ - path: spec/template/spec/containers[]/resources/requests/memory
+ kind: Deployment
+ - path: spec/template/spec/containers[]/resources/limits/memory
+ kind: Deployment
+ - path: spec/template/spec/containers[]/envFrom/secretRef/name
+ kind: Deployment
+ - path: spec/template/spec/initContainers[]/envFrom/secretRef/name
+ kind: Deployment
+ - path: spec/template/spec/containers[]/env[]/valueFrom/secretKeyRef/name
+ kind: Deployment
+ - path: spec/template/spec/initContainers[]/env[]/valueFrom/secretKeyRef/name
+ kind: Deployment
diff --git a/superset/base/route.yaml b/superset/base/route.yaml
new file mode 100644
index 00000000..539ea6cc
--- /dev/null
+++ b/superset/base/route.yaml
@@ -0,0 +1,15 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: superset
+ labels:
+ app: superset
+spec:
+ port:
+ targetPort: 8088-tcp
+ to:
+ kind: Service
+ name: superset
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
diff --git a/kfdefs/base/superset/secret-generator.yaml b/superset/base/secret-generator.yaml
similarity index 100%
rename from kfdefs/base/superset/secret-generator.yaml
rename to superset/base/secret-generator.yaml
diff --git a/superset/base/secret-superset.yaml b/superset/base/secret-superset.yaml
new file mode 100644
index 00000000..fcb6c435
--- /dev/null
+++ b/superset/base/secret-superset.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: superset
+ labels:
+ app: superset
+stringData:
+ SUPERSET_ADMIN_USER: admin
+ SUPERSET_ADMIN_FNAME: admin
+ SUPERSET_ADMIN_LNAME: admin
+ SUPERSET_ADMIN_EMAIL: admin@fab.org
+ SUPERSET_ADMIN_PASSWORD: admin
+ SUPERSET_SECRET_KEY: thisISaSECRET_1234
diff --git a/superset/base/service-account.yaml b/superset/base/service-account.yaml
new file mode 100644
index 00000000..9dbe7b10
--- /dev/null
+++ b/superset/base/service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: superset
+ labels:
+ app: superset
+ service: superset
diff --git a/superset/base/service.yaml b/superset/base/service.yaml
new file mode 100644
index 00000000..37133cc2
--- /dev/null
+++ b/superset/base/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: superset
+ labels:
+ app: superset
+spec:
+ ports:
+ - name: 8088-tcp
+ port: 8088
+ protocol: TCP
+ targetPort: 8088
+ selector:
+ deployment: superset
+ type: ClusterIP
diff --git a/superset/base/superset-rbac-viewer-role.yaml b/superset/base/superset-rbac-viewer-role.yaml
new file mode 100644
index 00000000..8fbcc846
--- /dev/null
+++ b/superset/base/superset-rbac-viewer-role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: superset-rbac-viewer
+rules:
+ - verbs:
+ - get
+ - list
+ apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
diff --git a/superset/base/superset-rbac-viewer-rolebinding.yaml b/superset/base/superset-rbac-viewer-rolebinding.yaml
new file mode 100644
index 00000000..0f8103c1
--- /dev/null
+++ b/superset/base/superset-rbac-viewer-rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: superset-rbac-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: superset-rbac-viewer
+subjects:
+- kind: ServiceAccount
+ name: superset
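Review bot: superset/base/secret-superset.yaml commits working defaults in plain text, `SUPERSET_ADMIN_PASSWORD: admin` and `SUPERSET_SECRET_KEY: thisISaSECRET_1234`, and superset/base/supersetdb-secret.yaml later in this patch does the same with `database-password: changeme`. The prod and stage overlays carry `superset-admin-secret.enc.yaml` and `superset-db-secret.enc.yaml`, which presumably replace these values, but no such files are renamed into the dev overlay, so dev may come up with a known admin login and a session-signing key that is public in this repository. Either generate these Secrets per environment through the existing secret generator, or leave the values empty in base so that an overlay which forgets to override them fails instead of deploying with defaults. At minimum a comment such as `# placeholder only; every overlay must override this Secret` would record the intent.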
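Review bot: superset/base/service-account.yaml is added but never listed under `resources:` in superset/base/kustomization.yaml, which references only superset-service-account.yaml; both files define a ServiceAccount named `superset`. The unlisted copy lacks the `serviceaccounts.openshift.io/oauth-redirectreference.first` annotation, so wiring it in by mistake later would likely break the OpenShift OAuth login configured in superset_config.py. Dropping service-account.yaml, or merging its `app` and `service` labels into superset-service-account.yaml, leaves a single definition.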
diff --git a/superset/base/superset-service-account.yaml b/superset/base/superset-service-account.yaml
new file mode 100644
index 00000000..d3a8e669
--- /dev/null
+++ b/superset/base/superset-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: superset
+ annotations:
+ serviceaccounts.openshift.io/oauth-redirectreference.first: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"superset"}}'
diff --git a/kfdefs/base/superset/superset_additional_config.py b/superset/base/superset_additional_config.py
similarity index 100%
rename from kfdefs/base/superset/superset_additional_config.py
rename to superset/base/superset_additional_config.py
diff --git a/superset/base/superset_config.py b/superset/base/superset_config.py
new file mode 100644
index 00000000..991b1dde
--- /dev/null
+++ b/superset/base/superset_config.py
@@ -0,0 +1,157 @@
+import os
+import requests
+
+from flask_appbuilder.security.manager import AUTH_OAUTH
+from superset.security import SupersetSecurityManager
+
+MAPBOX_API_KEY = os.getenv('MAPBOX_API_KEY', '')
+
+db_username = os.environ['POSTGRESQL_USERNAME']
+db_password = os.environ['POSTGRESQL_PASSWORD']
+db_name = os.environ['POSTGRESQL_DATABASE']
+SQLALCHEMY_DATABASE_URI = (f'postgresql://{db_username}:'
+ f'{db_password}@supersetdb:5432/{db_name}')
+
+SQLALCHEMY_TRACK_MODIFICATIONS = True
+SECRET_KEY = os.getenv('SUPERSET_SECRET_KEY', '')
+DATA_DIR = '/var/lib/superset'
+LOG_LEVEL = 'INFO'
+FEATURE_FLAGS = {
+ 'ENABLE_TEMPLATE_PROCESSING': True,
+}
+
+SUPERSET_WEBSERVER_PROTOCOL = 'https'
+ENABLE_PROXY_FIX = True
+
+AUTH_USER_REGISTRATION = True
+AUTH_USER_REGISTRATION_ROLE = 'Public'
+AUTH_ROLE_ADMIN = 'Admin'
+PUBLIC_ROLE_LIKE = 'Gamma'
+
+# if we should replace ALL the user's roles each login
+AUTH_ROLES_SYNC_AT_LOGIN = True
+
+# force users to re-auth after 6 hours of inactivity (to keep roles in sync)
+PERMANENT_SESSION_LIFETIME = 21600
+
+SQLALCHEMY_ENGINE_OPTIONS = {
+ 'pool_size': 15,
+ 'pool_timeout': 60,
+ 'pool_recycle': 3600
+}
+
+# Set Webserver timeout to 30 minutes to wait for the queries to be executed
+SUPERSET_WEBSERVER_TIMEOUT = 1800
+
+SYSTEM_CERT_BUNDLE = '/etc/ssl/certs/ca-bundle.crt'
+CLUSTER_CERT_BUNDLE = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+COMBINED_CERT_BUNDLE = '/tmp/superset-combined-cert-bundle.crt'
+
+with open(COMBINED_CERT_BUNDLE, 'a+') as combined:
+ with open(SYSTEM_CERT_BUNDLE) as sys_bundle:
+ combined.write(sys_bundle.read())
+
+ with open(CLUSTER_CERT_BUNDLE) as clus_bundle:
+ combined.write(clus_bundle.read())
+
+os.environ['CURL_CA_BUNDLE'] = COMBINED_CERT_BUNDLE
+
+AUTH_TYPE = AUTH_OAUTH
+
+service_account_path = '/var/run/secrets/kubernetes.io/serviceaccount'
+with open(os.path.join(service_account_path, 'token')) as f:
+ client_secret = f.read().strip()
+
+with open(os.path.join(service_account_path, 'namespace')) as f:
+ namespace = f.read().strip()
+
+openshift_url = 'https://openshift.default.svc.cluster.local'
+auth_info_url = f'{openshift_url}/.well-known/oauth-authorization-server'
+auth_api_url = requests.get(auth_info_url, verify=False).json().get('issuer')
+
+OAUTH_PROVIDERS = [
+ {
+ 'name': 'openshift',
+ 'icon': 'fa-circle-o',
+ 'token_key': 'access_token',
+ 'remote_app': {
+ 'client_id': f'system:serviceaccount:{namespace}:superset',
+ 'client_secret': client_secret,
+ 'api_base_url': 'https://openshift.default.svc.cluster.local:443',
+ 'client_kwargs': {
+ 'scope': 'user:info',
+ },
+ 'access_token_url': f'{auth_api_url}/oauth/token',
+ 'authorize_url': f'{auth_api_url}/oauth/authorize',
+ 'token_endpoint_auth_method': 'client_secret_post'
+ }
+ }
+]
+
+
+class CustomSecurityManager(SupersetSecurityManager):
+
+ def user_is_namespace_admin(self, provider, username):
+ rolebindings_endpoint = ('apis/rbac.authorization.k8s.io/v1/'
+ f'namespaces/{namespace}/'
+ 'rolebindings/admin')
+
+ headers = {}
+ headers["Accept"] = "application/json"
+ headers["Authorization"] = f"Bearer {client_secret}"
+
+ rb_url = f'{openshift_url}/{rolebindings_endpoint}'
+ data = requests.get(rb_url, verify=False, headers=headers).json()
+
+ subjects = data.get('subjects', [])
+ for subject in subjects:
+ if subject.get('name', '') == username:
+ return True
+
+ return False
+
+ def oauth_user_info(self, provider, response=None):
+ me = self.appbuilder.sm.oauth_remotes[provider].get(
+ "apis/user.openshift.io/v1/users/~",
+ verify=COMBINED_CERT_BUNDLE
+ )
+ data = me.json()
+ username = data.get('metadata').get('name')
+ full_name = data.get('fullName', '')
+ first_name = ''
+ last_name = ''
+ if ' ' in full_name:
+ first_name = full_name.split(' ')[0]
+ last_name = full_name.split(' ')[1]
+ if self.user_is_namespace_admin(provider, username):
+ roles = ['Admin']
+ else:
+ roles = []
+
+ return {
+ "username": username,
+ 'name': full_name,
+ 'first_name': first_name,
+ 'last_name': last_name,
+ 'email': username,
+ "role_keys": roles
+ }
+
+ def auth_user_oauth(self, userinfo):
+ user = super(CustomSecurityManager, self).auth_user_oauth(userinfo)
+ for rk in userinfo['role_keys']:
+ role = self.find_role(rk)
+ if role is not None and role not in user.roles:
+ user.roles.append(role)
+ self.update_user(user) # update user roles
+
+ return user
+
+
+CUSTOM_SECURITY_MANAGER = CustomSecurityManager
+
+additional_config_path = os.getenv('SUPERSET_ADDITIONAL_CONFIG')
+if additional_config_path:
+ with open(additional_config_path) as f:
+ additional_config = f.read()
+ exec(additional_config)
diff --git a/superset/base/supersetdb-deployment.yaml b/superset/base/supersetdb-deployment.yaml
new file mode 100644
index 00000000..8e906936
--- /dev/null
+++ b/superset/base/supersetdb-deployment.yaml
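Review bot: Both direct `requests.get` calls in superset/base/superset_config.py pass `verify=False`, and the one in `user_is_namespace_admin` sends the pod's service-account token in the `Authorization` header, so neither the token nor the admin decision taken from the response is protected against interception on the path to `openshift.default.svc.cluster.local`. The file already defines `CLUSTER_CERT_BUNDLE` and uses `verify=COMBINED_CERT_BUNDLE` in `oauth_user_info`; the same should presumably apply here, e.g. `requests.get(rb_url, verify=CLUSTER_CERT_BUNDLE, headers=headers, timeout=10)` and `requests.get(auth_info_url, verify=CLUSTER_CERT_BUNDLE, timeout=10)`. `user_is_namespace_admin` also compares `subject.get('name')` alone, so a Group or ServiceAccount subject of the `admin` rolebinding whose name equals a username would yield the `Admin` role; adding `subject.get('kind') == 'User'` to the condition closes that. A short comment above the `exec(additional_config)` block stating that the path must only ever point at the mounted ConfigMap would also help the next reader.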
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ template.alpha.openshift.io/wait-for-ready: "true"
+ labels:
+ app: supersetdb
+ name: supersetdb
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: supersetdb
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: supersetdb
+ spec:
+ containers:
+ - name: postgresql
+ image: supersetdb
+ env:
+ - name: POSTGRESQL_USER
+ valueFrom:
+ secretKeyRef:
+ key: database-user
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: database-password
+ name: $(superset_db_secret)
+ - name: POSTGRESQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: database-name
+ name: $(superset_db_secret)
+ imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - /usr/libexec/check-container
+ - --live
+ initialDelaySeconds: 120
+ timeoutSeconds: 10
+ ports:
+ - containerPort: 5432
+ readinessProbe:
+ exec:
+ command:
+ - /usr/libexec/check-container
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ resources:
+ requests:
+ cpu: $(superset_db_cpu_requests)
+ memory: $(superset_db_memory_requests)
+ limits:
+ cpu: $(superset_db_cpu_limits)
+ memory: $(superset_db_memory_limits)
+ volumeMounts:
+ - mountPath: /var/lib/pgsql/data
+ name: "supersetdb-data"
+ volumes:
+ - name: "supersetdb-data"
+ persistentVolumeClaim:
+ claimName: supersetdb-data
diff --git a/superset/base/supersetdb-pvc.yaml b/superset/base/supersetdb-pvc.yaml
new file mode 100644
index 00000000..ccd68848
--- /dev/null
+++ b/superset/base/supersetdb-pvc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: supersetdb-data
+ labels:
+ app: supersetdb
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ limits:
+ storage: 1Gi
diff --git a/superset/base/supersetdb-secret.yaml b/superset/base/supersetdb-secret.yaml
new file mode 100644
index 00000000..d5b18264
--- /dev/null
+++ b/superset/base/supersetdb-secret.yaml
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + app: supersetdb + annotations: + template.openshift.io/expose-database_name: '{.data[''database-name'']}' + template.openshift.io/expose-password: '{.data[''database-password'']}' + template.openshift.io/expose-username: '{.data[''database-user'']}' + name: supersetdb +stringData: + database-name: superset + database-password: changeme + database-user: changeme diff --git a/superset/base/supersetdb-service.yaml b/superset/base/supersetdb-service.yaml new file mode 100644 index 00000000..96a4812b --- /dev/null +++ b/superset/base/supersetdb-service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: supersetdb + name: supersetdb +spec: + ports: + - name: postgresql + port: 5432 + targetPort: 5432 + protocol: TCP + type: ClusterIP + selector: + name: supersetdb diff --git a/kfdefs/base/superset/trino-route-certificate-secret.enc.yaml b/superset/base/trino-route-certificate-secret.enc.yaml similarity index 100% rename from kfdefs/base/superset/trino-route-certificate-secret.enc.yaml rename to superset/base/trino-route-certificate-secret.enc.yaml diff --git a/kfdefs/overlays/dev/dh-dev-superset/kustomization.yaml b/superset/overlays/dev/kustomization.yaml similarity index 89% rename from kfdefs/overlays/dev/dh-dev-superset/kustomization.yaml rename to superset/overlays/dev/kustomization.yaml index a86b9b6a..e7aec8c3 100644 --- a/kfdefs/overlays/dev/dh-dev-superset/kustomization.yaml +++ b/superset/overlays/dev/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: dh-dev-superset resources: - - ../../../base/superset + - ../../base/ images: - name: quay.io/opendatahub/superset:1.4.1-ubi 
diff --git a/kfdefs/overlays/prod/dh-prod-superset/bareos-fd-config-secret.enc.yaml b/superset/overlays/prod/bareos-fd-config-secret.enc.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/bareos-fd-config-secret.enc.yaml rename to superset/overlays/prod/bareos-fd-config-secret.enc.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/bareos-fd-deploymentconfig.yaml b/superset/overlays/prod/bareos-fd-deploymentconfig.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/bareos-fd-deploymentconfig.yaml rename to superset/overlays/prod/bareos-fd-deploymentconfig.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/bareos-fd-imagestream.yaml b/superset/overlays/prod/bareos-fd-imagestream.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/bareos-fd-imagestream.yaml rename to superset/overlays/prod/bareos-fd-imagestream.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/bareos-fd-service.yaml b/superset/overlays/prod/bareos-fd-service.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/bareos-fd-service.yaml rename to superset/overlays/prod/bareos-fd-service.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/kustomization.yaml b/superset/overlays/prod/kustomization.yaml similarity index 99% rename from kfdefs/overlays/prod/dh-prod-superset/kustomization.yaml rename to superset/overlays/prod/kustomization.yaml index 8fcae780..55ae487f 100644 --- a/kfdefs/overlays/prod/dh-prod-superset/kustomization.yaml +++ b/superset/overlays/prod/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: dh-prod-superset resources: - - ../../../base/superset + - ../../base/ - supersetdb-route.yaml - bareos-fd-deploymentconfig.yaml - bareos-fd-imagestream.yaml 
diff --git a/kfdefs/overlays/prod/dh-prod-superset/secret-generator.yaml b/superset/overlays/prod/secret-generator.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/secret-generator.yaml rename to superset/overlays/prod/secret-generator.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/superset-admin-secret.enc.yaml b/superset/overlays/prod/superset-admin-secret.enc.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/superset-admin-secret.enc.yaml rename to superset/overlays/prod/superset-admin-secret.enc.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/superset-db-secret.enc.yaml b/superset/overlays/prod/superset-db-secret.enc.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/superset-db-secret.enc.yaml rename to superset/overlays/prod/superset-db-secret.enc.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/superset-secured-route.enc.yaml b/superset/overlays/prod/superset-secured-route.enc.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/superset-secured-route.enc.yaml rename to superset/overlays/prod/superset-secured-route.enc.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/superset-service-account.yaml b/superset/overlays/prod/superset-service-account.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/superset-service-account.yaml rename to superset/overlays/prod/superset-service-account.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/supersetdb-deployment-pvc-backup.yaml b/superset/overlays/prod/supersetdb-deployment-pvc-backup.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/supersetdb-deployment-pvc-backup.yaml rename to superset/overlays/prod/supersetdb-deployment-pvc-backup.yaml 
diff --git a/kfdefs/overlays/prod/dh-prod-superset/supersetdb-route.yaml b/superset/overlays/prod/supersetdb-route.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/supersetdb-route.yaml rename to superset/overlays/prod/supersetdb-route.yaml diff --git a/kfdefs/overlays/prod/dh-prod-superset/supersetdb-service-nodePort.yaml b/superset/overlays/prod/supersetdb-service-nodePort.yaml similarity index 100% rename from kfdefs/overlays/prod/dh-prod-superset/supersetdb-service-nodePort.yaml rename to superset/overlays/prod/supersetdb-service-nodePort.yaml diff --git a/kfdefs/overlays/stage/dh-stage-superset/kustomization.yaml b/superset/overlays/stage/kustomization.yaml similarity index 98% rename from kfdefs/overlays/stage/dh-stage-superset/kustomization.yaml rename to superset/overlays/stage/kustomization.yaml index b5b9f622..59090f69 100644 --- a/kfdefs/overlays/stage/dh-stage-superset/kustomization.yaml +++ b/superset/overlays/stage/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: dh-stage-superset resources: - - ../../../base/superset + - ../../base/ generators: - secret-generator.yaml diff --git a/kfdefs/overlays/stage/dh-stage-superset/secret-generator.yaml b/superset/overlays/stage/secret-generator.yaml similarity index 100% rename from kfdefs/overlays/stage/dh-stage-superset/secret-generator.yaml rename to superset/overlays/stage/secret-generator.yaml diff --git a/kfdefs/overlays/stage/dh-stage-superset/superset-admin-secret.enc.yaml b/superset/overlays/stage/superset-admin-secret.enc.yaml similarity index 100% rename from kfdefs/overlays/stage/dh-stage-superset/superset-admin-secret.enc.yaml rename to superset/overlays/stage/superset-admin-secret.enc.yaml 
diff --git a/kfdefs/overlays/stage/dh-stage-superset/superset-db-secret.enc.yaml b/superset/overlays/stage/superset-db-secret.enc.yaml similarity index 100% rename from kfdefs/overlays/stage/dh-stage-superset/superset-db-secret.enc.yaml rename to superset/overlays/stage/superset-db-secret.enc.yaml