This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch fix/helm-replace-dockerize in repository https://gitbox.apache.org/repos/asf/superset.git
commit dd216d64bc5f263504e16fe34f828a1bdd6d4449 Author: Claude Code <[email protected]> AuthorDate: Mon May 25 19:05:43 2026 -0700 fix(helm)!: replace dockerize initContainer with bash TCP wait Drops `apache/superset:dockerize` from the chart entirely. The five initContainers that gate startup on Postgres / Redis now run from the same `apache/superset` image we're already pulling, using bash's built-in `/dev/tcp/host/port` redirect for the readiness probe — no external `dockerize`, `nc`, or busybox needed. A trivy scan of the current published `apache/superset:dockerize` (image created 2024-05-09, alpine 3.19.1 EOSL) found 3 CRITICAL, 25 HIGH, 71 MEDIUM, and 24 LOW CVEs — 64 of them in the bundled `dockerize` Go binary itself (stale Go stdlib + golang.org/x/{net, crypto}); the rest in the alpine base. Rebuilding the image on a fresher base would just defer the same problem; removing the dependency eliminates it. Verified `/bin/bash` 5.2.15 is present in `apache/superset:latest` and supports the `/dev/tcp` redirect (the image's `/bin/sh` is dash, which does not — hence the explicit `/bin/bash` invocation). Rendered the chart with `helm template` and confirmed all five initContainers (supersetNode, init, supersetWorker, supersetCeleryBeat, supersetCeleryFlower) emit the expected bash-based probe and pull the main superset image. The 120s timeout from `dockerize -timeout 120s` is preserved via a SECONDS-based deadline in the bash loop. Two-port waits (postgres + redis) factor out a small `wait_for` helper to keep the script readable. BREAKING CHANGE: chart `values.yaml` no longer defines `initImage`. Operators who customised `.Values.initImage.repository/tag/pullPolicy` must remove those overrides — they are silently ignored. Operators who fully overrode `.Values.supersetNode.initContainers` (etc.) are unaffected; their override still wins. Chart bumped 0.15.5 → 0.16.0. Closes #40424 Co-Authored-By: Claude Opus 4.7 <[email protected]> --- helm/superset/Chart.yaml | 2 +- helm/superset/README.md | 5 +- helm/superset/values.yaml | 117 ++++++++++++++++++++++++++++++++++++---------- 3 files changed, 94 insertions(+), 30 deletions(-) diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml index 8ed79ee8bb1..ac08019575c 100644 --- a/helm/superset/Chart.yaml +++ b/helm/superset/Chart.yaml @@ -29,7 +29,7 @@ maintainers: - name: craig-rueda email: [email protected] url: https://github.com/craig-rueda -version: 0.15.5 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details. +version: 0.16.0 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details. dependencies: - name: postgresql version: 16.7.27 diff --git a/helm/superset/README.md b/helm/superset/README.md index 53077bd338f..1d9e5b13c4b 100644 --- a/helm/superset/README.md +++ b/helm/superset/README.md @@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs # superset - + Apache Superset is a modern, enterprise-ready business intelligence web application @@ -111,9 +111,6 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri | init.resources | object | `{}` | | | init.tolerations | list | `[]` | | | init.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to init job | -| initImage.pullPolicy | string | `"IfNotPresent"` | | -| initImage.repository | string | `"apache/superset"` | | -| initImage.tag | string | `"dockerize"` | | | nameOverride | string | `nil` | Provide a name to override the name of the chart | | nodeSelector | object | `{}` | | | postgresql | object | see `values.yaml` | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql | diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml index fc5124004f7..43f7259b7d0 100644 --- a/helm/superset/values.yaml +++ b/helm/superset/values.yaml @@ -194,11 +194,6 @@ image: imagePullSecrets: [] -initImage: - repository: apache/superset - tag: dockerize - pullPolicy: IfNotPresent - service: type: ClusterIP port: 8088 @@ -303,15 +298,28 @@ supersetNode: # @default -- a container waiting for postgres initContainers: - name: wait-for-postgres - image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" - imagePullPolicy: "{{ .Values.initImage.pullPolicy }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" envFrom: - secretRef: name: "{{ tpl .Values.envFromSecret . }}" command: - - /bin/sh + - /bin/bash - -c - - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s + - | + # bash's /dev/tcp redirect performs a TCP connect; no external + # `dockerize`, `nc`, or busybox needed. SECONDS-based deadline + # mirrors the prior `dockerize -timeout 120s` behaviour. + SECONDS=0 + until (echo > /dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do + if [ "$SECONDS" -ge 120 ]; then + echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2 + exit 1 + fi + echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)" + sleep 2 + done + echo "postgres at $DB_HOST:$DB_PORT is up" resources: limits: memory: "256Mi" @@ -407,15 +415,31 @@ supersetWorker: # @default -- a container waiting for postgres and redis initContainers: - name: wait-for-postgres-redis - image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" - imagePullPolicy: "{{ .Values.initImage.pullPolicy }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" envFrom: - secretRef: name: "{{ tpl .Values.envFromSecret . }}" command: - - /bin/sh + - /bin/bash - -c - - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s + - | + # See supersetNode.initContainers for the rationale. + SECONDS=0 + wait_for() { + local host=$1 port=$2 name=$3 + until (echo > /dev/tcp/"$host"/"$port") 2>/dev/null; do + if [ "$SECONDS" -ge 120 ]; then + echo "timeout waiting for $name at $host:$port after 120s" >&2 + exit 1 + fi + echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)" + sleep 2 + done + echo "$name at $host:$port is up" + } + wait_for "$DB_HOST" "$DB_PORT" postgres + wait_for "$REDIS_HOST" "$REDIS_PORT" redis resources: limits: memory: "256Mi" @@ -495,15 +519,31 @@ supersetCeleryBeat: # @default -- a container waiting for postgres initContainers: - name: wait-for-postgres-redis - image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" - imagePullPolicy: "{{ .Values.initImage.pullPolicy }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" envFrom: - secretRef: name: "{{ tpl .Values.envFromSecret . }}" command: - - /bin/sh + - /bin/bash - -c - - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s + - | + # See supersetNode.initContainers for the rationale. + SECONDS=0 + wait_for() { + local host=$1 port=$2 name=$3 + until (echo > /dev/tcp/"$host"/"$port") 2>/dev/null; do + if [ "$SECONDS" -ge 120 ]; then + echo "timeout waiting for $name at $host:$port after 120s" >&2 + exit 1 + fi + echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)" + sleep 2 + done + echo "$name at $host:$port is up" + } + wait_for "$DB_HOST" "$DB_PORT" postgres + wait_for "$REDIS_HOST" "$REDIS_PORT" redis resources: limits: memory: "256Mi" @@ -594,15 +634,31 @@ supersetCeleryFlower: # @default -- a container waiting for postgres and redis initContainers: - name: wait-for-postgres-redis - image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" - imagePullPolicy: "{{ .Values.initImage.pullPolicy }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" envFrom: - secretRef: name: "{{ tpl .Values.envFromSecret . }}" command: - - /bin/sh + - /bin/bash - -c - - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s + - | + # See supersetNode.initContainers for the rationale. + SECONDS=0 + wait_for() { + local host=$1 port=$2 name=$3 + until (echo > /dev/tcp/"$host"/"$port") 2>/dev/null; do + if [ "$SECONDS" -ge 120 ]; then + echo "timeout waiting for $name at $host:$port after 120s" >&2 + exit 1 + fi + echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)" + sleep 2 + done + echo "$name at $host:$port is up" + } + wait_for "$DB_HOST" "$DB_PORT" postgres + wait_for "$REDIS_HOST" "$REDIS_PORT" redis resources: limits: memory: "256Mi" @@ -764,15 +820,26 @@ init: # @default -- a container waiting for postgres initContainers: - name: wait-for-postgres - image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" - imagePullPolicy: "{{ .Values.initImage.pullPolicy }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" envFrom: - secretRef: name: "{{ tpl .Values.envFromSecret . }}" command: - - /bin/sh + - /bin/bash - -c - - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s + - | + # See supersetNode.initContainers for the rationale. + SECONDS=0 + until (echo > /dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do + if [ "$SECONDS" -ge 120 ]; then + echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2 + exit 1 + fi + echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)" + sleep 2 + done + echo "postgres at $DB_HOST:$DB_PORT is up" resources: limits: memory: "256Mi"
