villebro opened a new pull request, #73:
URL: https://github.com/apache/superset-kubernetes-operator/pull/73
## Summary
Adds an opt-in `metastore.createDatabase: true` flag that ensures the
metastore database exists before `superset db upgrade` runs. Closes the
chicken-and-egg gap on fresh PostgreSQL/MySQL servers where migrate would
otherwise fail because the database itself hasn't been created.
When enabled, the operator attaches a one-shot init container to the migrate
Job that issues `CREATE DATABASE` against the server. The container uses the
same DB-tool images clone already uses (`postgres:17-alpine` /
`mysql:8-alpine`) — the Superset image isn't assumed to ship `psql`/`mysql`
clients. The step is idempotent: PostgreSQL queries `pg_database` first and
skips `createdb` when present; MySQL relies on native `CREATE DATABASE IF NOT
EXISTS`. CEL rejects the flag in URI mode and requires
`host`/`database`/`username` (it needs structured fields to issue admin
statements). Resources and securityContext are inherited from the resolved
`spec.lifecycle.podTemplate.container` so strict admission policies (PSS
`restricted`, Kyverno, OPA) are satisfied without a dedicated knob. The flag is
container detects the existing DB and no-ops.
## Details
- `MetastoreSpec.CreateDatabase *bool` + CEL rule requiring structured
metastore (`has(self.host) && !has(self.uri) && !has(self.uriFrom)`) when true;
existing structured-fields rule handles `database`/`username` transitively
- New `buildCreateDatabaseInitContainer` injected post-resolution onto the
migrate Job's PodTemplate, inheriting `Resources`/`SecurityContext` from the
resolved lifecycle container template. Any user-supplied init container with
the reserved name `create-database` is replaced (operator wins
deterministically; no duplicate-container-name PodSpec rejections)
- Defensive guard: returns nil if `host`/`database`/`username` are nil even
when the flag is true (CEL should prevent this, but protects against malformed
CRs)
- `migrateInputs` includes the flag *and* the structured target
(host/port/database/username/type) when the flag is true so toggling or
re-targeting triggers a re-run; structured-target changes are intentionally
ignored when the flag is false. Init/rotate re-run automatically via the
existing checksum cascade — no init-side plumbing needed
- DB name is escaped at the SQL identifier boundary (psql `:'var'`
substitution for the existence check; sed-doubled backticks for MySQL).
Username/password/host pass through `"$VAR"` shell quoting unchanged — bash
variable expansion is single-pass, so quotes/backticks/dollar signs in
passwords are safe
- Passwordless metastores (trust/peer auth, IAM-issued credentials) work in
both backends: Postgres uses `${VAR:-}` for `PGPASSWORD`; MySQL uses
`MYSQL_PWD` env var only when set, avoiding `-p`-prompt semantics and
word-splitting on whitespace
- Privilege caveat documented: the metastore user
must hold `CREATEDB` (PostgreSQL) or `CREATE` (MySQL)
- TLS for the init container is out of scope — metastore has no SSL fields
today; will need updating alongside clone/migrate/init when metastore TLS lands
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
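The quoting and idempotency rules listed under Details, sketched as shell functions. This is an added example, not the operator's init-container script: the function names and argument order are assumptions, and the existence query is fed to `psql` on stdin because `psql -c` does not interpolate `:'var'`.

```shell
# Added example: names and argument order are assumptions, not the operator's script.

# MySQL identifier boundary: double every backtick, then wrap in backticks.
mysql_ident() {
    printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Natively idempotent statement for MySQL.
mysql_create_stmt() {
    printf 'CREATE DATABASE IF NOT EXISTS %s;' "$(mysql_ident "$1")"
}

# Args: host port user database [password]
# MYSQL_PWD is exported only when a password is given, so passwordless
# auth never reaches -p prompt handling. "$N" expands once, so quotes,
# backticks and dollar signs in the values stay literal.
mysql_ensure_db() {
    (
        if [ -n "${5:-}" ]; then MYSQL_PWD=$5; export MYSQL_PWD; fi
        mysql --host="$1" --port="$2" --user="$3" -e "$(mysql_create_stmt "$4")"
    )
}

# Args: host port user database [password]
# psql quotes :'dbname' as a SQL literal; createdb runs only when the
# existence check finds no matching row.
pg_ensure_db() {
    (
        PGPASSWORD=${5:-}; export PGPASSWORD
        found=$(printf '%s\n' "SELECT 1 FROM pg_database WHERE datname = :'dbname';" |
            psql -h "$1" -p "$2" -U "$3" -d postgres -v dbname="$4" -tA) || exit 1
        [ "$found" = "1" ] && exit 0
        createdb -h "$1" -p "$2" -U "$3" -- "$4"
    )
}
```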