GitHub user dosubot[bot] added a comment to the discussion: Need help setting up Superset chart in AWS EKS behind ALB
Your config is close, but there are a few critical tweaks and checks needed for Superset behind AWS ALB in EKS:

1. **SESSION_COOKIE_SECURE and SAMESITE**:
   Uncomment and set `SESSION_COOKIE_SECURE = True` in your configOverrides if you're using HTTPS. Also add `SESSION_COOKIE_SAMESITE = "None"` if you have cross-domain or HTTPS traffic. This ensures cookies are sent securely and avoids login/session issues behind ALB ([source](https://github.com/apache/superset/discussions/35241#discussioncomment-14483120)).

2. **ALB/Ingress annotations**:
   Double-check your ingress annotations. You need:
   ```
   alb.ingress.kubernetes.io/scheme: internet-facing
   alb.ingress.kubernetes.io/target-type: ip
   alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
   alb.ingress.kubernetes.io/healthcheck-path: /health
   alb.ingress.kubernetes.io/healthcheck-port: traffic-port
   alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
   ```
   And make sure the `hosts` field is a valid DNS name (not empty) ([source](https://github.com/apache/superset/discussions/34882#discussioncomment-14410476)).

3. **Health checks**:
   Superset must respond with HTTP 200 on `/health` at port 8088. Use:
   ```
   kubectl exec <pod> -- curl localhost:8088/health
   ```
   Check that your ALB target group shows healthy targets ([source](https://github.com/apache/superset/discussions/35241#discussioncomment-14483120)).

4. **Proxy headers**:
   ALB must forward all `X-Forwarded-*` headers. Your `ENABLE_PROXY_FIX` and `PROXY_FIX_CONFIG` are correct for SSL termination at ALB, but if headers are missing, you'll see redirect loops or session issues ([source](https://github.com/apache/superset/issues/34159#issuecomment-3070138204)). Use browser dev tools or add logging to confirm headers are present.

5. **Timeouts**:
   Set ALB, Nginx, and Kubernetes timeouts higher than Superset’s `SUPERSET_WEBSERVER_TIMEOUT` (default 60s) to avoid disconnects during login/OAuth ([source](https://github.com/apache/superset/issues/34159#issuecomment-3070138204)).

6. **OAuth checklist**:
   When you enable OAuth, make sure:
   - `redirect_uri` in Superset and your OAuth provider match exactly (protocol, port, path).
   - `AUTH_TYPE = AUTH_OAUTH` and `OAUTH_PROVIDERS` are set in configOverrides.
   - Authlib is installed (your Dockerfile covers this).
   - If you see intermittent login issues, test with NGINX ingress—some users report ALB-specific header/stickiness problems ([source](https://github.com/apache/superset/discussions/31584#discussioncomment-11631061)).

If you still see hanging or gateway timeouts, focus on ALB health checks and header forwarding. Most issues are due to unhealthy pods, missing headers, or session cookie misconfig ([source](https://github.com/apache/superset/discussions/35241#discussioncomment-14483120)).

GitHub link: https://github.com/apache/superset/discussions/36296#discussioncomment-15089496
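
One way to do the header logging suggested in step 4, as an added example that is not part of the original comment or of Superset's code: a WSGI middleware that reports which `X-Forwarded-*` values a hop-counting proxy fix would actually trust. The `TRUST` counts, the logger name and the class name are assumptions made for illustration; wiring the class in through Superset's `ADDITIONAL_MIDDLEWARE` setting is likewise an assumption about your deployment.

```python
import logging

log = logging.getLogger("xfwd_audit")

# Constructed trust counts shaped like PROXY_FIX_CONFIG (one trusted hop, the ALB).
TRUST = {"x_for": 1, "x_proto": 1, "x_port": 1}
ENV_KEY = {"x_for": "HTTP_X_FORWARDED_FOR", "x_proto": "HTTP_X_FORWARDED_PROTO",
           "x_port": "HTTP_X_FORWARDED_PORT", "x_host": "HTTP_X_FORWARDED_HOST"}


def trusted_value(header, hops):
    """Value a hop-counting proxy fix accepts: the hops-th entry from the
    right, or None when the header is absent or has too few entries."""
    values = [v.strip() for v in (header or "").split(",") if v.strip()]
    return values[-hops] if hops and len(values) >= hops else None


def audit(environ, trust=TRUST):
    """Return (resolved, findings) for one WSGI request environ."""
    resolved = {k: trusted_value(environ.get(ENV_KEY[k]), n) for k, n in trust.items()}
    findings = [f"{ENV_KEY[k]} missing or has fewer than {trust[k]} hop(s)"
                for k, v in resolved.items() if v is None]
    proto = resolved.get("x_proto")
    if proto and proto.lower() != "https":
        # A Secure cookie is only returned over https, so sessions will not stick.
        findings.append(f"client-side scheme is {proto!r}, Secure cookie not sent")
    return resolved, findings


class ForwardedHeaderAudit:
    """WSGI middleware: log findings, then pass the request on unchanged."""

    def __init__(self, app, trust=TRUST, skip="/health"):
        self.app, self.trust, self.skip = app, trust, skip

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") != self.skip:  # probes are not client traffic
            resolved, findings = audit(environ, self.trust)
            for finding in findings:
                # %r keeps attacker-controlled path bytes from forging log lines
                log.warning("%s %r: %s", environ.get("REQUEST_METHOD"),
                            environ.get("PATH_INFO"), finding)
            log.debug("trusted forwarded values: %r", resolved)
        return self.app(environ, start_response)
```

With one trusted hop, only the rightmost `X-Forwarded-For` entry is used, so a value the client supplied itself sits to the left of it and is ignored.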
