Superset Helm+K8s部署并集成飞连SSO

1.背景说明

开源免费的大数据工具

 

2.实现方式

K8S+Helm部署

 

3.部署过程

 

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#nameOverride: ~
fullnameOverride: ~
extraLabels: {}
runAsUser: 0secretEnv:create: trueserviceAccountName: ~
serviceAccount:create: falseannotations: {}bootstrapScript: |#!/bin/bashset -eapt update && \apt-get install -y --no-install-recommends \build-essential \python3-dev \default-libmysqlclient-dev \pkg-config && \apt-get clean && \rm -rf /var/lib/apt/lists/* && \#pip install psycopg2-binary authlib && \#pip install mysqlclient pymysql && \#pip install sqlalchemy-redshift redshift-connector && \#uv pip install .[postgres,bigquery,elasticsearch,redshift] && \/app/.venv/bin/python -m ensurepip --upgrade && \/app/.venv/bin/python -m pip install --upgrade pip && \/app/.venv/bin/pip install psycopg2-binary authlib && \/app/.venv/bin/pip install mysqlclient==2.2.7 pymysql==1.1.0 && \/app/.venv/bin/pip install sqlalchemy-redshift redshift-connector && \/app/.venv/bin/pip install uv && \/app/.venv/bin/uv pip install .[postgres,bigquery,elasticsearch,redshift] && \if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{ .Values.runAsUser }}" > ~/bootstrap; ficonfigFromSecret: '{{ template "superset.fullname" . }}-config'
envFromSecret: '{{ template "superset.fullname" . }}-env'
envFromSecrets: []extraEnv: {}extraPipPackages:- psycopg2-binaryextraEnvRaw: []extraSecretEnv:FEILIAN_CLIENT_ID: "找管理员获取"FEILIAN_CLIENT_SECRET: "找管理员获取"extraConfigs: {}
extraSecrets: {}
extraVolumes: []
extraVolumeMounts: []configOverrides:secret: |SECRET_KEY = '找管理员获取'superset_config: |FEATURE_FLAGS = {"HORIZONTAL_FILTER_BAR": True, "DASHBOARD_RBAC": True}sqllab_timeout: |SQLLAB_TIMEOUT = 600SUPERSET_WEBSERVER_TIMEOUT = 600SQLLAB_ASYNC_TIME_LIMIT_SEC = 600SQL_MAX_ROW = 100000oauth: |import osimport urllib.requestimport jsonfrom flask_appbuilder.security.manager import AUTH_OAUTHfrom superset.security.manager import SupersetSecurityManagerENABLE_PROXY_FIX = TruePROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1}# 配置管理员邮箱列表ADMIN_EMAILS = ["test@system.com"]class CustomSecurityManager(SupersetSecurityManager):def oauth_user_info(self, provider, response=None):if provider == "feilian":access_token = response.get("access_token")req = urllib.request.Request("https://ltp.sealsuite.com/api/oauth2/userinfo",headers={"Authorization": f"Bearer {access_token}"})with urllib.request.urlopen(req) as resp:result = json.loads(resp.read().decode())# 用户数据在 data 字段里data = result.get("data", {})return {"username": data.get("user_id"),"email": data.get("email", ""),"first_name": data.get("fullname", ""),"last_name": "",}return super().oauth_user_info(provider, response)def auth_user_oauth(self, userinfo):user = super().auth_user_oauth(userinfo)if user:email = userinfo.get("email", "")# 根据邮箱分配角色if email in ADMIN_EMAILS:admin_role = self.find_role("Admin")if admin_role and admin_role not in user.roles:user.roles.append(admin_role)self.update_user(user)return userCUSTOM_SECURITY_MANAGER = CustomSecurityManagerAUTH_TYPE = AUTH_OAUTHAUTH_USER_REGISTRATION = TrueAUTH_USER_REGISTRATION_ROLE = "Public"OAUTH_PROVIDERS = [dict(name="feilian",redirect_uri="https://superset-nonprod.system.com/oauth-authorized/feilian",token_key="access_token",icon="fa-sign-in",remote_app=dict(client_id=os.environ.get("FEILIAN_CLIENT_ID"),client_secret=os.environ.get("FEILIAN_CLIENT_SECRET"),client_kwargs=dict(scope="openid email profile"),api_base_url="https://test.sealsuite.com/",authorize_url="https://test.sealsuite.com/api/oauth2/authorize",access_token_url="https://test.sealsuite.com/api/oauth2/token",userinfo_endpoint="https://test.sealsuite.com/api/oauth2/userinfo"))] 
configOverridesFiles: {}
configMountPath: "/app/pythonpath"
extraConfigMountPath: "/app/configs"image:registry: ""repository: 292309088324.dkr.ecr.ap-northeast-1.amazonaws.com/sretoolstag: "superset-5.0.0"pullPolicy: IfNotPresentimagePullSecrets: []initImage:registry: ""repository: 292309088324.dkr.ecr.ap-northeast-1.amazonaws.com/sretoolstag: "superset-dockerize"pullPolicy: IfNotPresentservice:type: ClusterIPport: 8088annotations: {}loadBalancerIP: ~nodePort:http: nilingress:enabled: falseingressClassName: ~annotations: {}path: /pathType: ImplementationSpecifichosts:- chart-example.localtls: []extraHostsRaw: []resources:limits:cpu: 4000mmemory: 10Girequests:cpu: 500mmemory: 1GihostAliases: []supersetNode:replicas:enabled: truereplicaCount: 1autoscaling:enabled: falseminReplicas: 1maxReplicas: 100targetCPUUtilizationPercentage: 80podDisruptionBudget:enabled: falseminAvailable: 1maxUnavailable: 1command:- "/bin/sh"- "-c"- ". {{ .Values.configMountPath }}/superset_bootstrap.sh; /usr/bin/run-server.sh"connections:redis_host: "{{ .Release.Name }}-redis-headless"redis_port: "6379"redis_user: ""redis_password: ""redis_cache_db: "1"redis_celery_db: "0"redis_ssl:enabled: falsessl_cert_reqs: CERT_NONEdb_host: "{{ .Release.Name }}-postgresql"db_port: "5432"db_user: supersetdb_pass: supersetdb_name: supersetenv: {}forceReload: falseinitContainers:- name: wait-for-postgresimage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"envFrom:- secretRef:name: "{{ tpl .Values.envFromSecret . }}"command:- /bin/sh- -c- dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 300sextraContainers: []deploymentAnnotations: {}deploymentLabels: {}affinity: {}topologySpreadConstraints: []podAnnotations: {}podLabels: {}startupProbe:httpGet:path: /healthport: httpinitialDelaySeconds: 30timeoutSeconds: 5failureThreshold: 30periodSeconds: 10successThreshold: 1livenessProbe:httpGet:path: /healthport: httpinitialDelaySeconds: 30timeoutSeconds: 5failureThreshold: 3periodSeconds: 10successThreshold: 1readinessProbe:httpGet:path: /healthport: httpinitialDelaySeconds: 30timeoutSeconds: 5failureThreshold: 3periodSeconds: 10successThreshold: 1resources:limits:cpu: 4000mmemory: 8Girequests:cpu: 500mmemory: 1GipodSecurityContext: {}containerSecurityContext: {}strategy: {}supersetWorker:replicas:enabled: truereplicaCount: 1autoscaling:enabled: falseminReplicas: 1maxReplicas: 100targetCPUUtilizationPercentage: 80podDisruptionBudget:enabled: falseminAvailable: 1maxUnavailable: 1command:- "/bin/sh"- "-c"- ". {{ .Values.configMountPath }}/superset_bootstrap.sh; celery --app=superset.tasks.celery_app:app worker"forceReload: falseinitContainers:- name: wait-for-postgres-redisimage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"envFrom:- secretRef:name: "{{ tpl .Values.envFromSecret . }}"command:- /bin/sh- -c- dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 300sextraContainers: []deploymentAnnotations: {}deploymentLabels: {}affinity: {}topologySpreadConstraints: []podAnnotations: {}podLabels: {}resources:limits:cpu: 2000mmemory: 4Girequests:cpu: 500mmemory: 1GipodSecurityContext: {}containerSecurityContext: {}strategy: {}livenessProbe:exec:command:- sh- -c- celery -A superset.tasks.celery_app:app inspect ping -d celery@$HOSTNAMEinitialDelaySeconds: 300timeoutSeconds: 120failureThreshold: 10periodSeconds: 60successThreshold: 1startupProbe: {}readinessProbe: {}priorityClassName: ~supersetCeleryBeat:enabled: falsepodDisruptionBudget:enabled: falseminAvailable: 1maxUnavailable: 1command:- "/bin/sh"- "-c"- ". {{ .Values.configMountPath }}/superset_bootstrap.sh; celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid --schedule /tmp/celerybeat-schedule"forceReload: falseinitContainers:- name: wait-for-postgres-redisimage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"envFrom:- secretRef:name: "{{ tpl .Values.envFromSecret . }}"command:- /bin/sh- -c- dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 300sextraContainers: []deploymentAnnotations: {}affinity: {}topologySpreadConstraints: []podAnnotations: {}podLabels: {}resources:limits:cpu: 2000mmemory: 4Girequests:cpu: 250mmemory: 512MipodSecurityContext: {}containerSecurityContext: {}priorityClassName: ~supersetCeleryFlower:enabled: falsereplicaCount: 1podDisruptionBudget:enabled: falseminAvailable: 1maxUnavailable: 1command:- "/bin/sh"- "-c"- "celery --app=superset.tasks.celery_app:app flower"service:type: ClusterIPannotations: {}loadBalancerIP: ~port: 5555nodePort:http: nilstartupProbe:httpGet:path: /api/workersport: flowerinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 60periodSeconds: 5successThreshold: 1livenessProbe:httpGet:path: /api/workersport: flowerinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 3periodSeconds: 5successThreshold: 1readinessProbe:httpGet:path: /api/workersport: flowerinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 3periodSeconds: 5successThreshold: 1initContainers:- name: wait-for-postgres-redisimage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"envFrom:- secretRef:name: "{{ tpl .Values.envFromSecret . }}"command:- /bin/sh- -c- dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 300sextraContainers: []deploymentAnnotations: {}affinity: {}topologySpreadConstraints: []podAnnotations: {}podLabels: {}resources:limits:cpu: 2000mmemory: 4Girequests:cpu: 250mmemory: 512MipodSecurityContext: {}containerSecurityContext: {}priorityClassName: ~supersetWebsockets:enabled: falsereplicaCount: 1podDisruptionBudget:enabled: falseminAvailable: 1maxUnavailable: 1ingress:path: /wspathType: Prefiximage:registry: ""repository: 292309088324.dkr.ecr.ap-northeast-1.amazonaws.com/sretoolstag: "superset-websocket"pullPolicy: IfNotPresentconfig:port: 8080logLevel: "debug"logToFile: falselogFilename: "app.log"statsd:host: "127.0.0.1"port: 8125globalTags: []redis:port: 6379host: "127.0.0.1"password: ""db: 0ssl: falseredisStreamPrefix: "async-events-"jwtSecret: "CHANGE-ME"jwtCookieName: "async-token"service:type: ClusterIPannotations: {}loadBalancerIP: ~port: 8080nodePort:http: nilcommand: []resources: {}extraContainers: []deploymentAnnotations: {}affinity: {}topologySpreadConstraints: []podAnnotations: {}podLabels: {}strategy: {}podSecurityContext: {}containerSecurityContext: {}startupProbe:httpGet:path: /healthport: wsinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 60periodSeconds: 5successThreshold: 1livenessProbe:httpGet:path: /healthport: wsinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 3periodSeconds: 5successThreshold: 1readinessProbe:httpGet:path: /healthport: wsinitialDelaySeconds: 5timeoutSeconds: 1failureThreshold: 3periodSeconds: 5successThreshold: 1priorityClassName: ~init:resources:limits:cpu: 1000mmemory: 2Girequests:cpu: 500mmemory: 1Gicommand:- "/bin/sh"- "-c"- ". {{ .Values.configMountPath }}/superset_bootstrap.sh; . {{ .Values.configMountPath }}/superset_init.sh"enabled: truetimeout: 600jobAnnotations:"helm.sh/hook": post-install,post-upgrade"helm.sh/hook-delete-policy": "before-hook-creation"loadExamples: falsecreateAdmin: trueadminUser:username: adminfirstname: Supersetlastname: Adminemail: admin@superset.compassword: admininitContainers:- name: wait-for-postgresimage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"envFrom:- secretRef:name: "{{ tpl .Values.envFromSecret . }}"command:- /bin/sh- -c- dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 300sinitscript: |-#!/bin/shset -euecho "Upgrading DB schema..."superset db upgradeecho "Initializing roles..."superset init{{ if .Values.init.createAdmin }}echo "Creating admin user..."superset fab create-admin \--username {{ .Values.init.adminUser.username }} \--firstname {{ .Values.init.adminUser.firstname }} \--lastname {{ .Values.init.adminUser.lastname }} \--email {{ .Values.init.adminUser.email }} \--password {{ .Values.init.adminUser.password }} \|| true{{- end }}{{ if .Values.init.loadExamples }}echo "Loading examples..."superset load_examples{{- end }}if [ -f "{{ .Values.extraConfigMountPath }}/import_datasources.yaml" ]; thenecho "Importing database connections.... "superset import_datasources -p {{ .Values.extraConfigMountPath }}/import_datasources.yamlfiextraContainers: []podAnnotations: {}podLabels: {}podSecurityContext: {}containerSecurityContext: {}tolerations: []affinity: {}topologySpreadConstraints: []priorityClassName: ~postgresql:enabled: trueauth:existingSecret:username: supersetpassword: supersetdatabase: supersetimage:registry: "292309088324.dkr.ecr.ap-northeast-1.amazonaws.com"repository: sretoolstag: "postgres-14.12"pullPolicy: IfNotPresentprimary:persistence:enabled: trueexistingClaim: "superset-postgresql-pvc"accessModes:- ReadWriteOnceservice:ports:postgresql: "5432"resources:requests:memory: 256Micpu: 250mredis:enabled: trueimage:registry: "292309088324.dkr.ecr.ap-northeast-1.amazonaws.com"repository: sretoolstag: "redis-7.0.15"pullPolicy: IfNotPresentarchitecture: standaloneauth:enabled: falseexistingSecret: ""existingSecretKey: ""password: ""master:livenessProbe:enabled: falsereadinessProbe:enabled: falsecommand: ["/bin/sh", "-c", "redis-server"]persistence:enabled: falseaccessModes:- ReadWriteOnceresources:requests:memory: 128Micpu: 100mlimits:memory: 4096Micpu: 2048mnodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
priorityClassName: ~

 

apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: superset-postgresql-pvcnamespace: supersetlabels:app: superset-postgresql
spec:accessModes:- ReadWriteOncestorageClassName: gp5 # 使用新的 StorageClassresources:requests:storage: 50Gi
[root@ip-10-18-75-168 superset]# cat storageclass-2.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:name: gp5
provisioner: ebs.csi.aws.com
parameters:fsType: ext4type: gp3
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: superset-postgresql-pvcnamespace: supersetlabels:app: superset-postgresql
spec:accessModes:- ReadWriteOncestorageClassName: gp5 # 使用新的 StorageClassresources:requests:storage: 50Gi

 

helm upgrade superset superset/superset     -f values.yaml -n superset

 

4.实现效果