Skip to content

feat(helm): Superset 6 structured config schema with deprecation path#41777

Open
lucargir wants to merge 1 commit into
apache:masterfrom
lucargir:feat/helm-superset-6
Open

feat(helm): Superset 6 structured config schema with deprecation path#41777
lucargir wants to merge 1 commit into
apache:masterfrom
lucargir:feat/helm-superset-6

Conversation

@lucargir

@lucargir lucargir commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

SUMMARY

Part of the Helm chart modernization originally proposed in #38597 (the full implementation), being landed as a series of smaller, reviewable PRs.

Restructures the Helm chart configuration onto a first-class, documented values schema and renders superset_config.py from it, while keeping existing installs working through a deprecation path (old keys are auto-mapped and a warning is printed in NOTES.txt — nothing hard-fails).

This is the "core" of a larger, previously-split chart effort; it is the foundation the follow-up chart PRs build on. It intentionally preserves recent chart behavior on master (bash /dev/tcp init wait, redis_driver, SQLALCHEMY_TRACK_MODIFICATIONS=False).

Highlights

  • New values schema: database.*, cache.*, cluster.*, config.*, featureFlags.* (+ globalPodAnnotations). superset_config.py is rendered by a new superset.config helper; the legacy superset-config define is removed.
  • Backward compatible (deprecation path): coalescing resolver helpers map legacy supersetNode.connections.* and root serviceAccountName onto the new schema; a deprecation notice is surfaced in NOTES.txt. Existing values.yaml files keep working on upgrade.
  • cache.driver ports the legacy redis_driver escape hatch (REDIS_DRIVER).
  • serviceAccount.name is now honored (with legacy serviceAccountName fallback), fixing a gap where the new key was never read.
  • Init job runs superset db upgrade + superset init (schema migration) in addition to admin/examples; init.initscript is deprecated/unused.
  • values.schema.json (permissive) so bad values fail helm install early without rejecting existing values files.
  • Docs: UPGRADING.md migration guide; README.md regenerated. Chart bumped to 0.20.0 (appVersion unchanged, 6.1.0).

⚠️ Breaking-ish but mapped: the values schema changed, but old keys are auto-mapped and only warned about, so helm upgrade continues to work. See helm/superset/UPGRADING.md.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — Helm chart change, no UI.

TESTING INSTRUCTIONS

# Lint (also validates values.schema.json)
helm lint helm/superset

# Render + verify no unrendered values
helm template t helm/superset | grep -c '<no value>'   # expect 0

# Schema validation (target k8s version)
helm template t helm/superset | kubeconform -kubernetes-version 1.29.0 -strict -skip CustomResourceDefinition

# Unit tests
helm unittest helm/superset

# Deprecation path: legacy keys still work + warn
helm template t helm/superset --set supersetNode.connections.db_host=legacy | grep DB_HOST   # -> legacy
helm install --dry-run r helm/superset --set supersetNode.connections.db_host=x | grep -A2 "DEPRECATION"

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@netlify

netlify Bot commented Jul 5, 2026

Copy link
Copy Markdown

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 76777f5
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a4a4b2da325950007a2dad2
😎 Deploy Preview https://deploy-preview-41777--superset-docs-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Comment thread helm/superset/templates/_helpers.tpl Outdated
SQLALCHEMY_DATABASE_URI = f"{{ $driver }}://{{ include "superset.db.user" . }}:{{ include "superset.db.password" . }}@{{ include "superset.db.host" . }}:{{ include "superset.db.port" . }}/{{ include "superset.db.name" . }}{{ $sslParams }}"
{{- end }}
{{- if hasKey .Values.config "SQLALCHEMY_TRACK_MODIFICATIONS" }}
SQLALCHEMY_TRACK_MODIFICATIONS = {{ .Values.config.SQLALCHEMY_TRACK_MODIFICATIONS | lower }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The generated Python uses lowercase boolean literals for this setting, but Python requires True/False. If users set this value, superset_config.py will fail to import with a NameError at startup. Render booleans using Python casing instead of piping through lower. [type error]

Severity Level: Critical 🚨
- ❌ Superset config import fails; web server does not start.
- ⚠️ Helm deployment pods enter crashloop due to invalid configuration.
Steps of Reproduction ✅
1. Install the Helm chart in `helm/superset`, which renders
`secret-superset-config.yaml:29-34` and uses `{{- include "superset.config" . }}` to
generate the `superset_config.py` payload from `_helpers.tpl:200-671`.

2. Set `.Values.config.SQLALCHEMY_TRACK_MODIFICATIONS` to `true` or `"True"` in your
release values (documented as a generic config override in `helm/superset/README.md:30`),
so `_helpers.tpl:226-227` renders `SQLALCHEMY_TRACK_MODIFICATIONS = true` into
`superset_config.py`.

3. Start Superset; `superset/config.py:2931-2952` checks `SUPERSET_CONFIG_PATH` (or falls
back to importing `superset_config`) and executes the generated `superset_config.py`
module via `importlib.util.spec_from_file_location`.

4. During module execution, Python evaluates `SQLALCHEMY_TRACK_MODIFICATIONS = true` from
`superset_config.py`, raising `NameError` because `true` is undefined, causing the config
import to fail and preventing the Superset application from starting.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** helm/superset/templates/_helpers.tpl
**Line:** 227:227
**Comment:**
	*Type Error: The generated Python uses lowercase boolean literals for this setting, but Python requires `True`/`False`. If users set this value, `superset_config.py` will fail to import with a `NameError` at startup. Render booleans using Python casing instead of piping through `lower`.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in e49092e096. SQLALCHEMY_TRACK_MODIFICATIONS now renders as a Python bool via toString | title (True/False). Added a regression test asserting SQLALCHEMY_TRACK_MODIFICATIONS = True when the value is set.

{{ $key }} = {{ $value | toJson }}
{{- end }}

CELERY_IMPORTS = CeleryConfig.imports

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: This assumes every custom CeleryConfig defines an imports attribute; if users provide a minimal config without it, config import raises AttributeError and workers fail to start. Only assign this when imports exists or use a safe default. [api mismatch]

Severity Level: Critical 🚨
- ❌ Superset config import crashes if CeleryConfig lacks imports.
- ❌ Celery workers fail starting; background tasks never execute.
Steps of Reproduction ✅
1. Configure a custom Celery settings map in Helm by setting `.Values.config.celeryConfig`
in `helm/superset/values.yaml` to a YAML object containing keys like `broker_url` and
`result_backend`, but not defining an `imports` key.

2. When `secret-superset-config.yaml:29-34` renders, `_helpers.tpl:302-314` detects
`.Values.config.celeryConfig` and, since `kindIs "string"` is false, emits a `class
CeleryConfig:` with one attribute per key in the map; no `imports` attribute is generated
unless the user provided it.

3. Immediately after, `_helpers.tpl:312` writes `CELERY_IMPORTS = CeleryConfig.imports`
and `CELERY_CONFIG = CeleryConfig` into `superset_config.py`, so the file contains an
assignment accessing a non-existent `CeleryConfig.imports` attribute.

4. On Superset startup, `superset/config.py:2931-2952` imports `superset_config` via
`importlib.util.spec_from_file_location`; Python executes `CELERY_IMPORTS =
CeleryConfig.imports`, raises `AttributeError` because `imports` is missing, and aborts
config import, preventing Celery-based background workers (superset tasks like
`superset.sql_lab` and schedulers) from starting properly.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** helm/superset/templates/_helpers.tpl
**Line:** 312:312
**Comment:**
	*Api Mismatch: This assumes every custom CeleryConfig defines an `imports` attribute; if users provide a minimal config without it, config import raises `AttributeError` and workers fail to start. Only assign this when `imports` exists or use a safe default.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in e49092e096. CELERY_IMPORTS = CeleryConfig.imports is now only emitted when the custom celeryConfig actually defines an imports key (guarded with hasKey). Regression test added for a celeryConfig without imports.

Comment thread helm/superset/templates/_helpers.tpl Outdated
Comment on lines +461 to +466
{{- if .Values.cache.sentinel }}
{{- if .Values.cache.sentinel.sentinels }}
"CACHE_REDIS_SENTINELS": {{ .Values.cache.sentinel.sentinels | toJson }},
{{- else }}
{{- fail "CONFIGURATION ERROR: cache.sentinel.enabled is true but cache.sentinel.sentinels is not set. You must provide Sentinel host(s) in cache.sentinel.sentinels (e.g., [['sentinel-host', 26379]])." }}
{{- end }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The sentinel block activates whenever cache.sentinel is any non-null map, even if users set enabled: false. This can trigger validation failures or sentinel-only settings when sentinel is intentionally disabled. Gate this block on cache.sentinel.enabled explicitly. [incorrect condition logic]

Severity Level: Major ⚠️
- ❌ Helm template rendering fails when sentinel map present disabled.
- ⚠️ Redis Sentinel toggles unusable without fully removing configuration.
Steps of Reproduction ✅
1. Define Redis cache values in `helm/superset/values.yaml` with `.Values.cache.enabled =
true` and `.Values.cache.sentinel` set to a map containing `enabled: false` (or similar)
but omitting `sentinels`, so Sentinel is conceptually disabled but the configuration
object exists.

2. During chart rendering, `secret-superset-config.yaml:29-34` includes `superset.config`;
inside `_helpers.tpl:443-487` the `GLOBAL_ASYNC_QUERIES_CACHE_BACKEND` dict is built.

3. At `_helpers.tpl:461-466`, the condition `{{- if .Values.cache.sentinel }}` evaluates
truthy because `.Values.cache.sentinel` is a non-null map, and `{{- if
.Values.cache.sentinel.sentinels }}` evaluates falsy, so the template executes the `fail`
call with the message “CONFIGURATION ERROR: cache.sentinel.enabled is true but
cache.sentinel.sentinels is not set…”.

4. As a result, `helm install` or `helm upgrade` fails while rendering
`superset_config.py`, even though `cache.sentinel.enabled` is false and Sentinel was
intentionally disabled, preventing deployment and blocking configuration of the global
async queries cache backend.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** helm/superset/templates/_helpers.tpl
**Line:** 461:466
**Comment:**
	*Incorrect Condition Logic: The sentinel block activates whenever `cache.sentinel` is any non-null map, even if users set `enabled: false`. This can trigger validation failures or sentinel-only settings when sentinel is intentionally disabled. Gate this block on `cache.sentinel.enabled` explicitly.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in e49092e096. The sentinel block is now gated on cache.sentinel.enabled (if and .Values.cache.sentinel .Values.cache.sentinel.enabled), so sentinel: {enabled: false} no longer triggers the validation fail. Test added.

Comment thread helm/superset/templates/_helpers.tpl Outdated
Comment on lines +476 to +479
"CACHE_REDIS_SSL_CERTFILE": {{ .Values.cache.ssl.certfile | default "None" }},
"CACHE_REDIS_SSL_KEYFILE": {{ .Values.cache.ssl.keyfile | default "None" }},
"CACHE_REDIS_SSL_CERT_REQS": {{ .Values.cache.ssl.ssl_cert_reqs | default "required" | quote }},
"CACHE_REDIS_SSL_CA_CERTS": {{ .Values.cache.ssl.ca_certs | default "None" }},

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: These values are emitted without quoting, so string file paths render as bare Python tokens (for example /etc/ssl/cert.pem) and produce invalid syntax in superset_config.py. Emit proper quoted strings (or explicit None) for these fields. [type error]

Severity Level: Critical 🚨
- ❌ Superset config file contains invalid Redis SSL paths.
- ⚠️ Global async query cache backend cannot start with SSL.
Steps of Reproduction ✅
1. Enable Redis SSL for global async queries in `helm/superset/values.yaml` by setting
`.Values.cache.enabled = true` and `.Values.cache.ssl.enabled = true` with file path
values such as `certfile: "/etc/ssl/cert.pem"`, `keyfile: "/etc/ssl/key.pem"`, and
`ca_certs: "/etc/ssl/ca.pem"`.

2. When Helm renders `secret-superset-config.yaml:29-34`, it includes `superset.config`;
inside `_helpers.tpl:474-480`, the SSL-enabled branch of the
`GLOBAL_ASYNC_QUERIES_CACHE_BACKEND` dict executes.

3. That branch emits lines like `"CACHE_REDIS_SSL_CERTFILE": /etc/ssl/cert.pem` and
`"CACHE_REDIS_SSL_CA_CERTS": /etc/ssl/ca.pem` without quotes, so the generated
`superset_config.py` contains bare path tokens inside a Python dict literal, which are not
valid Python expressions.

4. Superset loads configuration using `superset/config.py:2931-2952`, importing and
executing `superset_config.py`; Python parsing the dict with unquoted paths raises a
`SyntaxError`, causing config import to fail and preventing the global async queries Redis
cache backend from starting when SSL is configured.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** helm/superset/templates/_helpers.tpl
**Line:** 476:479
**Comment:**
	*Type Error: These values are emitted without quoting, so string file paths render as bare Python tokens (for example `/etc/ssl/cert.pem`) and produce invalid syntax in `superset_config.py`. Emit proper quoted strings (or explicit `None`) for these fields.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in e49092e096. SSL certfile/keyfile/ca_certs are now quoted when set and rendered as bare None when unset, so the generated dict is always valid Python. Test asserts the quoted certfile; the rendered config is validated with ast.parse.

Comment thread helm/superset/templates/_helpers.tpl Outdated
Comment on lines +570 to +573
{{- if .Values.config.GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE }}
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = {{ if .Values.config.GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE }}True{{ else }}False{{ end }}
{{- else if and .Values.supersetWebsockets.enabled (or (hasPrefix "wss://" $wsUrl) .Values.ingress.tls) }}
GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = True

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: This condition checks truthiness instead of key presence, so an explicit false value is treated as “unset” and gets overwritten by auto-detection. That breaks user intent and can force secure-cookie behavior unexpectedly. Check with hasKey (or equivalent) before applying defaults. [falsy zero check]

Severity Level: Major ⚠️
- ⚠️ User-set JWT cookie secure flag silently overridden.
- ⚠️ Configuration values behave unexpectedly under WebSocket TLS.
Steps of Reproduction ✅
1. Configure the Helm chart in `helm/superset/values.yaml` with
`.Values.supersetWebsockets.enabled = true` and TLS (`.Values.ingress.tls` non-empty), and
explicitly set `.Values.config.GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = false`.

2. When `secret-superset-config.yaml:29-34` renders, `_helpers.tpl:570-575` handles the
value: the condition `if .Values.config.GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE` treats the
explicit `false` as falsy, so the template skips the user branch and enters the TLS
branch, emitting `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE = True` into
`superset_config.py`.

3. Superset loads configuration via `superset/config.py:2931-2952`, importing
`superset_config` and copying its uppercase settings (including
`GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE`) into the main `superset.config` module and
`app.config`.

4. `superset/async_events/async_query_manager.py:150-151` reads
`app.config["GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE"]` to configure the JWT cookie; the
value is `True` because of auto-detection, ignoring the user’s explicit `False`, so
secure-cookie behavior cannot be disabled as intended.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** helm/superset/templates/_helpers.tpl
**Line:** 570:573
**Comment:**
	*Falsy Zero Check: This condition checks truthiness instead of key presence, so an explicit `false` value is treated as “unset” and gets overwritten by auto-detection. That breaks user intent and can force secure-cookie behavior unexpectedly. Check with `hasKey` (or equivalent) before applying defaults.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in e49092e096. Now uses hasKey .Values.config "GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SECURE" so an explicit false is honored instead of falling through to TLS auto-detection. Test added.

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #dc10d1

Actionable Suggestions - 5
  • helm/superset/tests/values_defaults_test.yaml - 1
  • helm/superset/templates/deployment.yaml - 1
    • Missing checksum annotation consistency · Line 48-48
  • helm/superset/tests/deprecation_test.yaml - 1
  • helm/superset/templates/_helpers.tpl - 2
Additional Suggestions - 5
  • helm/superset/templates/deployment-worker.yaml - 1
    • Backward compatibility gap · Line 48-51
      The checksum migration from `supersetNode.connections` to individual `database`, `cache`, `config`, `featureFlags` paths aligns with values.yaml deprecation notice. However, existing deployments using `supersetNode.connections` won't trigger pod restarts when those values change, potentially causing stale config deployment. Consider adding conditional fallback checksum or documentation for users to migrate.
  • helm/superset/templates/_helpers.tpl - 2
    • Repeated JSON parsing in helper templates · Line 127-196
      Each helper template (db.host, db.port, db.user, db.password, db.name, db.driver, redis.host, redis.port, redis.user, redis.password, redis.cacheDb, redis.celeryDb) independently calls `_superset.legacyConn`, parses the JSON result, and extracts one field. This results in ~15 redundant JSON parse operations per template evaluation.
    • Breaking change for users with empty admin password · Line 202-202
      The security validation at line 202 is a new feature that introduces a hard fail for empty passwords. Users upgrading from versions that allowed empty passwords may encounter template errors if they haven't set init.adminUser.password. This is a breaking change in behavior.
  • helm/superset/tests/initscript_test.yaml - 1
    • Test coverage gap · Line 31-50
      Test 'renders db upgrade before admin creation' asserts pattern existence but not execution order. The test name implies it verifies sequence, yet assertions only check that `superset db upgrade`, `superset init`, and `fab create-admin` each appear somewhere in the output. Use a combined regex (e.g., `superset db upgrade.*superset init.*fab create-admin`) or separate assertions with `notMatchRegex` to confirm `db upgrade` appears before `init`, and `init` before `create-admin`. Per BITO.md [6262], tests should verify actual behavior they claim to test.
  • helm/superset/Chart.yaml - 1
    • Version bump lacks chart changes · Line 32-32
      A minor version bump from 0.19.0 to 0.20.0 should reflect backward-compatible new features, bug fixes, or configuration changes to the chart itself per the README's versioning policy. No such changes are present in this diff. Verify that the intended chart modifications are included, or use a patch version bump (0.19.1) if this is a documentation-only change.
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • helm/superset/tests/config_test.yaml - 1
Review Details
  • Files reviewed - 18 · Commit Range: 76777f5..76777f5
    • helm/superset/Chart.yaml
    • helm/superset/templates/NOTES.txt
    • helm/superset/templates/_helpers.tpl
    • helm/superset/templates/deployment-beat.yaml
    • helm/superset/templates/deployment-flower.yaml
    • helm/superset/templates/deployment-worker.yaml
    • helm/superset/templates/deployment-ws.yaml
    • helm/superset/templates/deployment.yaml
    • helm/superset/templates/secret-env.yaml
    • helm/superset/templates/secret-superset-config.yaml
    • helm/superset/tests/checksum_test.yaml
    • helm/superset/tests/config_test.yaml
    • helm/superset/tests/deprecation_test.yaml
    • helm/superset/tests/initscript_test.yaml
    • helm/superset/tests/secret_env_test.yaml
    • helm/superset/tests/serviceaccount_test.yaml
    • helm/superset/tests/values_defaults_test.yaml
    • helm/superset/values.yaml
  • Files skipped - 3
    • helm/superset/README.md - Reason: Filter setting
    • helm/superset/UPGRADING.md - Reason: Filter setting
    • helm/superset/values.schema.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread helm/superset/tests/values_defaults_test.yaml
Comment thread helm/superset/templates/deployment.yaml
#
suite: deprecation path does not fail render
templates:
- secret-superset-config.yaml

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrong template targeted

This test references secret-superset-config.yaml but the deprecation mappings for supersetNode.connections and serviceAccountName are defined in _helpers.tpl and consumed by deployment and serviceaccount templates, not by the secret config template. The test will pass even when deprecation mapping is broken.

Code Review Run #dc10d1


Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actual legacy→new mapping value is asserted in config_test.yaml (e.g. legacy supersetNode.connections.* producing the correct SQLALCHEMY_DATABASE_URI). This suite intentionally verifies the separate contract that deprecated keys do not hard-fail the render, which is the deprecation-path design. Keeping both.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion provided by the reviewer is based on the observation that the test file secret-superset-config.yaml does not consume the deprecation mappings defined in _helpers.tpl. If the intention of the test is to verify that the deprecation path does not cause a render failure, it is appropriate to ensure the test targets a template that actually utilizes those mappings. You may choose to ignore this suggestion if you believe the current test coverage is sufficient for your design goals, or you can update the test to target a template that consumes the relevant mappings.

Comment thread helm/superset/templates/_helpers.tpl
Comment thread helm/superset/templates/_helpers.tpl
Restructure the chart configuration onto a first-class, documented values
schema and render superset_config.py from it, while keeping existing
installs working via a deprecation path (old keys auto-map + a NOTES
warning, never a hard fail).

Highlights:
- New values sections: database.*, cache.*, cluster.*, config.*,
  featureFlags.* (+ globalPodAnnotations). superset_config.py is rendered
  by a new superset.config helper; the legacy superset-config define is
  removed.
- Backward compatible: coalescing resolver helpers map legacy
  supersetNode.connections.* and root serviceAccountName onto the new
  schema; a deprecation notice is surfaced in NOTES.txt. Nothing fails on
  deprecated keys.
- cache.driver ports the legacy redis_driver escape hatch (REDIS_DRIVER).
- serviceAccount.name is now honored (with legacy serviceAccountName
  fallback).
- init script runs superset db upgrade + superset init in addition to
  admin/examples; init.initscript is deprecated/unused.
- Permissive values.schema.json; deployment checksums track the new
  config sections; bash /dev/tcp init wait (no dockerize);
  SQLALCHEMY_TRACK_MODIFICATIONS defaults False.
- Generated superset_config.py is always valid Python: booleans render
  as True/False, SSL cert paths are quoted, CELERY_IMPORTS is only
  emitted when defined, sentinel config is gated on enabled.
- Docs: UPGRADING.md; README regenerated. Chart 0.20.0 (appVersion 6.1.0).

Validated: helm lint, helm template (no <no value>), kubeconform 1.29
(strict), 69 helm-unittest cases, and ast.parse of the rendered config.
@lucargir lucargir force-pushed the feat/helm-superset-6 branch from 76777f5 to e49092e Compare July 5, 2026 13:02

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #4f624c

Actionable Suggestions - 1
  • helm/superset/templates/_helpers.tpl - 1
Additional Suggestions - 5
  • helm/superset/templates/secret-env.yaml - 1
    • Missing Redis SSL env var · Line 35-36
      Redis SSL mode is set to 'rediss' via `superset.redis.proto` when `.Values.cache.ssl.enabled` is true, but the SSL certificate requirement mode is no longer exported as an environment variable. The old code exported `REDIS_SSL_CERT_REQS` unconditionally (line 40 of old), ensuring Redis clients know how to validate certificates. Without this env var, the Redis client defaults may not match the server's TLS requirements, causing connection failures. Add the conditional export similar to `DB_SSL_MODE` pattern on line 35.
  • helm/superset/tests/deprecation_test.yaml - 1
    • Weak test assertions for deprecated values · Line 21-27
      Tests verify rendering succeeds but don't validate that deprecated values produce correct output. Per rule 6262, tests should assert actual behavior (e.g., regex match on rendered config) rather than only confirming `hasDocuments: {count: 1}`. This prevents regressions where deprecated paths silently produce wrong values.
  • helm/superset/templates/_helpers.tpl - 1
    • Dead configuration variable · Line 406-406
      `CELERY_WORKER_HEALTH_CHECK_ENABLED` is defined at line 406 but never imported or referenced by any Python file in the repository. It is dead configuration that pollutes the generated config and may mislead operators into believing it has a runtime effect.
  • helm/superset/values.yaml - 1
    • Missing deprecation test for init.initscript · Line 958-962
      The `init.initscript` field is documented as deprecated and silently ignored (line 958-962), but unlike the other deprecated fields, there is no test in `deprecation_test.yaml` verifying that setting it does not break template rendering. Adding a test would complete the deprecation coverage pattern already established for `supersetNode.connections` and `serviceAccountName`.
  • helm/superset/templates/deployment-ws.yaml - 1
    • Missing co-existence test · Line 47-49
      The added block correctly implements globalPodAnnotations support for the websocket deployment, matching the pattern in other templates (deployment.yaml line 66, deployment-worker.yaml line 64, etc.). However, the test suite has a co-existence test for the main deployment (line 37-50) but lacks an equivalent test for this websocket deployment.
Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

  • helm/superset/tests/values_defaults_test.yaml - 1
    • Test duplicates existing functionality · Line 22-30
Review Details
  • Files reviewed - 18 · Commit Range: e49092e..e49092e
    • helm/superset/Chart.yaml
    • helm/superset/templates/NOTES.txt
    • helm/superset/templates/_helpers.tpl
    • helm/superset/templates/deployment-beat.yaml
    • helm/superset/templates/deployment-flower.yaml
    • helm/superset/templates/deployment-worker.yaml
    • helm/superset/templates/deployment-ws.yaml
    • helm/superset/templates/deployment.yaml
    • helm/superset/templates/secret-env.yaml
    • helm/superset/templates/secret-superset-config.yaml
    • helm/superset/tests/checksum_test.yaml
    • helm/superset/tests/config_test.yaml
    • helm/superset/tests/deprecation_test.yaml
    • helm/superset/tests/initscript_test.yaml
    • helm/superset/tests/secret_env_test.yaml
    • helm/superset/tests/serviceaccount_test.yaml
    • helm/superset/tests/values_defaults_test.yaml
    • helm/superset/values.yaml
  • Files skipped - 3
    • helm/superset/README.md - Reason: Filter setting
    • helm/superset/UPGRADING.md - Reason: Filter setting
    • helm/superset/values.schema.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment on lines +354 to +380
{{- /* Celery Worker Health Check - File-based health probes for Kubernetes */}}
{{- if and .Values.supersetWorker.healthCheck .Values.supersetWorker.healthCheck.enabled }}
# Celery Worker Health Check Configuration
import threading
from celery import bootsteps
from celery.signals import worker_ready, worker_shutdown, worker_init

_readiness_file = {{ .Values.supersetWorker.healthCheck.readinessFile | default "/tmp/celery_worker_ready" | quote }}
_liveness_file = {{ .Values.supersetWorker.healthCheck.livenessFile | default "/tmp/celery_worker_alive" | quote }}
_heartbeat_interval = {{ .Values.supersetWorker.healthCheck.livenessHeartbeatInterval | default 10 | int }}
_liveness_thread = None
_liveness_stop_event = None

@worker_ready.connect
def create_ready_file(sender, **kwargs):
try:
open(_readiness_file, 'w').close()
except Exception as e:
print(f"Warning: Could not create readiness file: {e}")

@worker_shutdown.connect
def remove_ready_file(sender, **kwargs):
global _liveness_thread, _liveness_stop_event
if _liveness_stop_event:
_liveness_stop_event.set()
if _liveness_thread:
_liveness_thread.join(timeout=5)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CWE-778: Missing healthCheck config

The template references .Values.supersetWorker.healthCheck.enabled (line 355) and its subkeys, but values.yaml does not define supersetWorker.healthCheck. This causes the template to generate None for all values at render time, making the health check configuration non-functional. Add the missing healthCheck section under supersetWorker in values.yaml. (See also: CWE-778)

Code Review Run #4f624c


Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

@lucargir

lucargir commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

@rusackas regarding the Helm chart, just read on #40507 that it might get deprecated in favour of the operator. If that's the case, I guess the refactor I proposed on #38597 wouldn't make sense? Happy to keep bringing up the pending refactor PRs, but would rather contribute in other aspects if the future of the chart is uncertain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant