rusackas opened a new pull request, #41396: URL: https://github.com/apache/superset/pull/41396
### SUMMARY Adopts the work from [anandraiin3/superset#32](https://github.com/anandraiin3/superset/pull/32) (originally authored via Devin AI, thanks to @anandraiin3 for the fork work) and supersedes the stale #25799 by @Cerebus. **Closes #25798.** When Istio automatic sidecar injection is enabled on the namespace where Superset is deployed, the `init-db` Job hangs forever: the injected `istio-proxy` container keeps running after the init-db container exits, so the Job never reaches `Completed`. This change adds two opt-in mitigations under a new `init.istio` block in the chart's `values.yaml`. **Both default to `false`**, so the chart's behavior is unchanged for users not running Istio. #### `init.istio.disableSidecarInjection` (default `false`) When `true`, the init-db Job's pod template gains the `sidecar.istio.io/inject: "false"` label, excluding the Job from automatic sidecar injection. This is the cleanest fix and is recommended whenever the cluster's mesh policy allows opting out per pod. Rendered into `helm/superset/templates/init-job.yaml` via `dig` so that users who strip the `init.istio` block from custom values still get a clean render. ```yaml init: istio: disableSidecarInjection: true ``` #### `init.istio.terminateSidecarOnExit` (default `false`) When `true`, the rendered `superset_init.sh` registers an `EXIT` trap that POSTs to the Istio pilot-agent's `/quitquitquit` admin endpoint after the init logic finishes. The trap fires on both success and failure paths (`set -eu`), so the sidecar is terminated either way. Use this when the cluster's mesh policy enforces injection and per-pod opt-out is not allowed. The endpoint is configurable via `init.istio.quitEndpoint` (default `http://localhost:15020/quitquitquit`). ```yaml init: istio: terminateSidecarOnExit: true ``` #### Other changes - `helm/superset/Chart.yaml` version bumped `0.17.3` → `0.17.4` (patch — non-breaking, opt-in fix). Required by the `Helm: lint and test charts` workflow. - `helm/superset/README.md` regenerated with `helm-docs`. - `helm/superset/tests/test-istio.sh` added (13 assertions over 5 `helm template` value matrices). ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF Not applicable — no UI changes (Helm chart only). ### TESTING INSTRUCTIONS Automated chart-rendering tests: ```bash cd helm/superset && helm dependency build bash tests/test-istio.sh # passed: 13, failed: 0 helm lint helm/superset # 1 chart(s) linted, 0 chart(s) failed ``` Manual end-to-end verification (mirrors the bug repro): 1. Stand up a Kubernetes cluster with Istio installed. 2. Create a `superset` namespace with automatic sidecar injection: ```bash kubectl create namespace superset kubectl label namespace superset istio-injection=enabled ``` 3. Install with the mitigation enabled: ```bash helm install superset ./helm/superset -n superset \ --set init.istio.disableSidecarInjection=true ``` 4. Watch the init-db Job: ```bash kubectl -n superset get jobs -w kubectl -n superset describe pod -l job-name=superset-init-db ``` The pod should have only the init-db container (no `istio-proxy` injected) and the Job should reach `Completed` instead of hanging. 5. Repeat with `--set init.istio.terminateSidecarOnExit=true` (and `disableSidecarInjection=false`) on a cluster where the namespace policy forces injection. Confirm the Job pod has both containers, the init-db container exits, the `istio-proxy` container terminates shortly after via the `/quitquitquit` POST, and the Job reaches `Completed`. 6. Confirm the default (`helm install superset ./helm/superset -n superset`) still produces the unchanged manifest and Job behavior in non-Istio namespaces. ### ADDITIONAL INFORMATION - [x] Has associated issue: closes #25798 - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [x] Introduces new feature or API (new opt-in `init.istio.*` chart values) - [ ] Removes existing feature or API --- This adopts and rebases the work from anandraiin3/superset#32 (authored via Devin AI) onto current `master`, and supersedes the stale draft #25799 by @Cerebus. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
