Bring my own secret for postgresql connection

[AurimasNav]

Hi,
I want to configure external postgresql to work with superset, however doing it in helm values does not work well with GitOps since I don't want to have my username/pass in git. I can provision my own secret, but I don't see a way to tell helm chart to use it for env vars for this purpose.
I have also tried to merge the existing secret with new values (using external-secrets) which would work in theory, but argocd syncs it back to original values.
Any suggestions to do it properly with argocd+external-secrets if there is no native way to configure it via helm?

[AurimasNav]

it works fine with adding ingore diffs to argocd application:

  ignoreDifferences:
    - kind: Secret
      name: superset-env
      namespace: superset
      jsonPointers:
        - /data/DB_HOST
        - /data/DB_NAME
        - /data/DB_PASS
        - /data/DB_USER

however I would still prefer a way to specify my own secret for postgresql connection paramaters.

[FleischerT]

The following configuration works for us:

# -- Specify rather or not helm should create the secret described in `secret-env.yaml` template
secretEnv:
  # -- Change to false in order to support externally created secret (Binami "Sealed Secrets" for Kubernetes or External Secrets Operator)
  # note: when externally creating the secret, the chart still expects to pull values from a secret with the name of the release defaults to `release-name-superset-env` - full logic located in _helpers.tpl file: `define "superset.fullname"`
  create: false
  
postgresql:
  ##
  ## Use the PostgreSQL chart dependency.
  ## Set to false if bringing your own PostgreSQL.
  enabled: false

You can then create your own secret, but this must have the name superset-env. The secret must contain all the values that are otherwise defined in https://github.com/apache/superset/blob/master/helm/superset/templates/secret-env.yaml.

[nchao-ciitizen]

The following configuration works for us:

# -- Specify rather or not helm should create the secret described in `secret-env.yaml` template
secretEnv:
  # -- Change to false in order to support externally created secret (Binami "Sealed Secrets" for Kubernetes or External Secrets Operator)
  # note: when externally creating the secret, the chart still expects to pull values from a secret with the name of the release defaults to `release-name-superset-env` - full logic located in _helpers.tpl file: `define "superset.fullname"`
  create: false
  
postgresql:
  ##
  ## Use the PostgreSQL chart dependency.
  ## Set to false if bringing your own PostgreSQL.
  enabled: false

You can then create your own secret, but this must have the name superset-env. The secret must contain all the values that are otherwise defined in https://github.com/apache/superset/blob/master/helm/superset/templates/secret-env.yaml.

This worked for us but is a very clunky workaround for obvious reasons. Having a simpler way of pulling DB credentials from k8s secrets would be a feature I would expect for a helm chart like this.

[sushanth2901]

I created a kubernetes secret with name my-secret-env Can I know how we pass them in values.yaml and do we need to deployment.yaml file too?

[yiskaneto]

Here's how I addressed this:

1. Created a secret on k8s named superset-secrets-helm-override (I actually created the secret in AWS Secrets Manager and on the K8s cluster the secret is pulled by the K8s secrets operator but, you can manually create the secret directly in the k8s cluster). This secret should contain all the sensitive data that will be accessed through environmental variables, for example:

---
kind: Secret
apiVersion: v1
metadata:
  name: superset-secrets-helm-override
  namespace: superset
type: Opaque

data:
  DB_HOST: <base64 value>
  DB_NAME: <base64 value>
  DB_PASS: d<base64 value>
  DB_PORT: <base64 value>
  DB_USER: <base64 value>
  REDIS_CELERY_DB: <base64 value>
  REDIS_DB: <base64 value>
  REDIS_HOST: <base64 value>
  REDIS_PORT: <base64 value>
  REDIS_PROTO: <base64 value>
  REDIS_USER: ""

  ## Custom
  SUPERSET_SECRET_KEY: <base64 value>

  ## LDAP
  AUTH_LDAP_SERVER: <base64 value>
  AUTH_LDAP_SEARCH: <base64 value>
  AUTH_LDAP_UID_FIELD: <base64 value>
  AUTH_LDAP_BIND_USER: <base64 value>
  AUTH_LDAP_BIND_PASSWORD: <base64 value>
  AUTH_LDAP_BIND_DOMAIN: <base64 value>
  
  ## EMAIL STUFF
  SMTP_VALUE_A: <base64 value>
  SMTP_VALUE_B: <base64 value>
  SMTP_VALUE_C: <base64 value>
  SMTP_VALUE_D: <base64 value>
  
  ## OTHER SENSITIVE DATA
  SENSITIVE_VALUE_A: <base64 value>
  SENSITIVE_VALUE_B: <base64 value>
  SENSITIVE_VALUE_C: <base64 value>
  SENSITIVE_VALUE_D: <base64 value>

1. On your values.yaml file make sure to disable the default secrets created by helm and to reference the secret above:

secretEnv:
  create: false

envFromSecret: 'superset-secrets-helm-override' ## This will make the secret values created on the fist step to be available in the pod container as environmental variables.

1. Now, to use the values from the secret in the first step in the superset_config.py file you can reference the target env values by using the os.environ.get() function, to be more explicit about your data you can surrounded with the type of data function, for example the value of PERMANENT_SESSION_LIFETIME is an integer so we can use:

PERMANENT_SESSION_LIFETIME = int(os.environ.get('PERMANENT_SESSION_LIFETIME'))

Example for configOverrides:

configOverrides: ## This translates to the superset_config.py file https://github.com/apache/superset/blob/master/superset/config.py
  secret: |
    ## The use of `.encode('utf-8').strip()` is only needed for the `SUPERSET_SECRET_KEY` value
    SECRET_KEY = os.environ.get("SUPERSET_SECRET_KEY").encode('utf-8').strip()
  enable_ldap: |
    from flask_appbuilder.security.manager import AUTH_LDAP

    # search configs
    AUTH_LDAP_SEARCH = str(os.environ.get('AUTH_LDAP_SEARCH'))
    AUTH_LDAP_UID_FIELD = str(os.environ.get('AUTH_LDAP_UID_FIELD'))
    AUTH_LDAP_BIND_USER = str(os.environ.get('AUTH_LDAP_BIND_USER'))
    AUTH_LDAP_BIND_PASSWORD = str(os.environ.get('AUTH_LDAP_BIND_PASSWORD'))
    AUTH_LDAP_BIND_DOMAIN = str(os.environ.get('AUTH_LDAP_BIND_DOMAIN'))

Tip

For some reason while trying to get the SECRET_KEY value from the SUPERSET_SECRET_KEY environmental variable didn't work and superset complained that the passed secret key wasn't the same used to encrypt the data, so adding .encode('utf-8').strip() resolved this:

configOverrides: ## This translates to the superset_config.py file https://github.com/apache/superset/blob/master/superset/config.py
  secret: |
    ## The use of `.encode('utf-8').strip()` is only needed for the `SUPERSET_SECRET_KEY` value
    SECRET_KEY = os.environ.get("SUPERSET_SECRET_KEY").encode('utf-8').strip()