Re: [PR] feat(helm): Helm chart refactor [superset]

Mon, 23 Mar 2026 00:50:33 -0700 


plaes commented on PR #38597:
URL: https://github.com/apache/superset/pull/38597#issuecomment-4108641587

   IMHO including the externalsecrets (even if it's optional) makes the helm 
chart even more complicated.
   In a properly set up cluster You either are already using existing resources 
(ie databases) and for these there are already secrets present in the cluster 
(or pullable from vaults) as verbatim.
   
   So basically, in Helm chart you have `values.database` with:
   ```yaml
   # (Optional) secret containing database connection string (or values)
   databaseSecretName: ""
   # (Optional) database configuration and secret variables
   # Note that values defined in `databaseSecrets` override data defined in 
`databaseSecretName`
   databaseSecrets: []
     # Example:
     # Secrets can be specified either by {name, value}:
     # - name: SUPERSET_DB_ENGINE
     #   value: "postgresql"
     # Or by referencing values from pre-existing secrets:
     # - name: SUPERSET_DB_NAME
     #   valueFrom:
     #     secretKeyRef:
     #       name: "superset-cluster-app"
     #       key: dbname
   ```
   
   And in deployments we just load the secrets in appropriate places:
   ```yaml
   env:
   {{- (include "superset.renderSecretEnv" (dict "data" 
.Values.database.databaseSecrets)) | nindent ... -}}
   # (if guards omitted..)
   envFrom:
     - secretRef:
       name: "{{ .Values.database.databaseSecret }}"
   ```
   
   ```yaml
   # charts/superset/templates/_helpers.tpl
   {{/*
   Render secrets
   */}}
   {{- define "superset.renderSecretEnv" -}}
     {{- range .data }}
     - name: {{ .name }}
     {{- if .value }}
       value: {{ .value | quote }}
     {{- else if .valueFrom }}
       valueFrom:
         secretKeyRef:
           name: {{ .valueFrom.secretKeyRef.name }}
           key: {{ .valueFrom.secretKeyRef.key }}
     {{- else -}}
       {{- fail "Unhandled value, expecting either value for valueFrom" -}}
     {{- end -}}
     {{- end -}}
   {{- end -}}
   ```
   
   All the escaping etc, should be handled by the "glue logic" in application 
which picks up the configuration from the environment. This is not the job for 
the Helm chart.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to