rusackas opened a new issue, #40424:
URL: https://github.com/apache/superset/issues/40424
## Problem
The Helm chart's initContainers use `apache/superset:dockerize` to wait on
Postgres / Redis before Superset starts. The image is single-purpose, isn't on
the regular Superset release/rebuild cadence, and tends to accumulate CVEs as
its Alpine base ages out.
Concrete scan from today against the current published
`apache/superset:dockerize`:
| Finding | Value |
|---|---|
| Image created | 2024-05-09 |
| Base | Alpine 3.19.1 (EOSL) |
| CRITICAL | 3 |
| HIGH | 25 |
| MEDIUM | 71 |
| LOW | 24 |
| Fixes available | 123 / 123 |
64 of those CVEs are in the bundled `dockerize` Go binary itself (stale Go
stdlib + `golang.org/x/{net,crypto}`); the remainder are the Alpine base
packages (`libcrypto3`, `libssl3`, `busybox`, `musl`).
This supersedes #23103, which originated as a complaint about the upstream
`jwilder/dockerize` image. We later took ownership of the image
(`apache/superset:dockerize`), which addressed the original "unmaintained
upstream" angle but kicked the maintenance burden to us — and we haven't kept
up.
## Proposal
Drop `dockerize` from the chart entirely. The four `dockerize -wait
"tcp://$DB_HOST:$DB_PORT" -timeout 120s` calls in
[`helm/superset/values.yaml`](https://github.com/apache/superset/blob/master/helm/superset/values.yaml)
can be replaced with a bash TCP probe against the **superset image we're
already pulling**, e.g.:
```yaml
- name: wait-for-postgres
  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
  imagePullPolicy: "{{ .Values.image.pullPolicy }}"
  command:
    - /bin/bash
    - -c
    - |
      until (echo > /dev/tcp/$DB_HOST/$DB_PORT) 2>/dev/null; do
        echo "waiting for postgres at $DB_HOST:$DB_PORT"; sleep 2;
      done
  env:
    - name: DB_HOST
      value: {{ tpl .Values.supersetNode.connections.db_host . | quote }}
    - name: DB_PORT
      value: {{ .Values.supersetNode.connections.db_port | quote }}
```
Benefits:
- **Zero new images.** The superset image is already on the node — same
layer cache, same vulnerability scan posture as the running app.
- **Removes `initImage` from `values.yaml` entirely** (or leaves it as
deprecated/no-op for one release with a value override path for users who
customized).
- **No CVE backlog** beyond what the main image already has.
- **No external dependency** (bash's `/dev/tcp` is built in; doesn't need
`nc`, doesn't need `busybox`, doesn't need Chainguard).
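As an added example that is not part of this issue or of the Superset chart, the same `/dev/tcp` probe written as a bash function with the bounded wait that the replaced `dockerize -wait ... -timeout 120s` calls had. The `until` loop in the snippet above retries forever, so a wrong `DB_HOST` leaves the pod in `Init` with no failing container to alert on; a deadline turns that into a nonzero exit that Kubernetes restarts and that shows up in `kubectl describe`. The function name, defaults and return codes are assumptions for illustration, and it assumes the image ships bash, as the `/bin/bash` command in the snippet implies (`/dev/tcp` is a bash feature, not available in dash or busybox `sh`).

```shell
#!/usr/bin/env bash
# Added example (not from the Superset chart or this issue): a TCP readiness
# probe built only on bash's /dev/tcp redirection, with a deadline like the
# `dockerize -wait ... -timeout 120s` it replaces. Names and defaults are
# assumptions; everything except /dev/tcp itself is plain POSIX sh.

# wait_for_tcp HOST PORT [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once a TCP connect to HOST:PORT succeeds, 1 if TIMEOUT elapses
# first, and 2 on bad arguments. Only reachability is checked: a successful
# connect says nothing about authentication or TLS on that port.
wait_for_tcp() {
  host="$1"; port="$2"; timeout="${3:-120}"; interval="${4:-2}"

  # Reject an empty host or a non-numeric / out-of-range port up front;
  # otherwise a templating mistake would just spin until the deadline.
  case "$port" in
    ''|*[!0-9]*) port="" ;;
  esac
  if [ -z "$host" ] || [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "wait_for_tcp: usage: wait_for_tcp HOST PORT [TIMEOUT] [INTERVAL]" >&2
    return 2
  fi

  deadline=$(( $(date +%s) + timeout ))
  while :; do
    # The subshell confines the redirection to this one attempt; `:` opens
    # the socket without sending bytes, and bash's own "Connection refused"
    # diagnostic on stderr is silenced.
    if (: > "/dev/tcp/$host/$port") 2>/dev/null; then
      echo "wait_for_tcp: $host:$port is accepting connections"
      return 0
    fi
    now=$(date +%s)
    if [ "$now" -ge "$deadline" ]; then
      echo "wait_for_tcp: timed out after ${timeout}s waiting for $host:$port" >&2
      return 1
    fi
    echo "wait_for_tcp: waiting for $host:$port ($(( deadline - now ))s left)"
    sleep "$interval"
  done
}

# Invocation matching the init container's environment (DB_HOST / DB_PORT);
# skipped when those variables are unset so the file can also be sourced.
if [ -n "${DB_HOST:-}" ] && [ -n "${DB_PORT:-}" ]; then
  wait_for_tcp "$DB_HOST" "$DB_PORT" 120 2
fi
```

In the chart this would replace the `until` loop body in the `- |` block, and the nonzero return on timeout is what makes the init container fail rather than hang, which is the behaviour operators already get from `dockerize -timeout`.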
The four call sites that need updating are in `helm/superset/values.yaml`:
- L304 (init), L408 (supersetCeleryBeat), L496 (supersetCeleryFlower), L595
(supersetWorker)
- `initImage:` block at L197 can be removed (or kept with a deprecation note
for one release).
## Compatibility
Operators who have overridden `.Values.initContainers` to inject their own
steps are unaffected. Operators who pin `.Values.initImage.repository/tag` will
need to migrate; a one-release deprecation cycle + an UPDATING.md entry should
be enough.
## Out of scope
- Rebuilding `apache/superset:dockerize` on a fresh base — punted because
the real win is removing the dependency, not maintaining it.
- Replacing with `busybox + nc` — adds an external image dependency, defeats
the purpose.
- Replacing with a Chainguard image — same objection plus a registry
dependency that hurts air-gapped users.
## Tasks
- [ ] Rewrite the four `initContainers` blocks in `values.yaml`
- [ ] Remove (or deprecate) the `initImage:` block in `values.yaml` and
corresponding entries in README.md
- [ ] UPDATING.md entry for operators with custom `initImage` pins
- [ ] Bump chart version
- [ ] Optionally: stop publishing `apache/superset:dockerize` once usage in
the chart is removed (separate workflow change)
Closes #23103
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.