fix(helm): Include option to use Redis with SSL

[shakeelansari63]

SUMMARY

Updated Helm Chart to allow connection to Redis Server which enforce SSL connection. For example, Azure managed Redis Cache enforce connection through ssl only.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue: Installing latest superset via helm, cant connect to azure redis service via ssl #25375
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[github-actions]

Congrats on making your first PR and thank you for contributing to Superset! 🎉 ❤️

We hope to see you in our Slack community too! Not signed up? Use our Slack App to self-register.

[shakeelansari63]

I have user CACHE_REDIS_URL instead of CACHE_REDIS_HOST

Here are some sample examples of rendered templates..

1. No Password and No SSL

values.yaml

Rendered Template

2. With Password and No SSL

values.yaml

Rendered Template

3. No Password and With SSL (ssl_cert_reqs = CERT_NONE)

values.yaml

Rendered Template

4. With Password and With SSL (ssl_cert_reqs = CERT_NONE)

values.yaml

Rendered Template

5. With Password and With SSL (ssl_cert_reqs = CERT_OPTIONAL)

values.yaml

Rendered Template

[dpgaspar]

can you please rebase if bump the chart version again to fix the conflict

[shakeelansari63]

can you please rebase if bump the chart version again to fix the conflict

Sure, will do it shortly

[shakeelansari63]

@dpgaspar , Rebased and bumped the chart version to 0.12.1

[shakeelansari63]

So I have added 2 new Parameters in Values which will translate to 2 new Environment variables.
Also bumped up the chart version.

With Default Config

values.yaml

Generated secret-env.yaml

Generated secret-superset-config.yaml

With modified config

values.yaml

Generated secret-env.yaml

Generated secret-superset-config.yaml

[shakeelansari63]

Default Config without Redis SSL and Redis Password

values.yaml

Rendered secret-env.yaml

Rendered superset-config.py under secret-superset-config.yaml

Updated Config with Redis SSL and Redis Password

values.yaml

Rendered secret-env.yaml

Rendered superset-config.py under secret-superset-config.yaml

[shakeelansari63]

Hey guys, can you please review the code and tell me if you feel anything else should be changed...

[craig-rueda]

Looking good. I just left one more comment and I think @dpgaspar has one as well

[shakeelansari63]

Hey guys, can you please suggest if any further change is needed?

[rusackas]

Re-running CI, while @craig-rueda and @dpgaspar review the requested changes. 🤞

[dpgaspar]

Almost there!

you need to update the README.md

 | supersetNode.connections.db_pass | string | `"superset"` |  |
 | supersetNode.connections.db_port | string | `"5432"` |  |
 | supersetNode.connections.db_user | string | `"superset"` |  |
+| supersetNode.connections.redis_cache_db | string | `"1"` |  |
+| supersetNode.connections.redis_celery_db | string | `"0"` |  |
 | supersetNode.connections.redis_host | string | `"{{ .Release.Name }}-redis-headless"` | Change in case of bringing your own redis and then also set redis.enabled:false |
 | supersetNode.connections.redis_port | string | `"6379"` |  |
+| supersetNode.connections.redis_ssl.enabled | bool | `false` |  |
+| supersetNode.connections.redis_ssl.ssl_cert_reqs | string | `"CERT_NONE"` |  |
+| supersetNode.connections.redis_user | string | `""` |  |
 | supersetNode.containerSecurityContext | object | `{}` |  |
 | supersetNode.deploymentAnnotations | object | `{}` | Annotations to be added to supersetNode deployment |
 | supersetNode.deploymentLabels | object | `{}` | Labels to be added to supersetNode deployment |

[shakeelansari63]

Almost there!

you need to update the README.md

 | supersetNode.connections.db_pass | string | `"superset"` |  |
 | supersetNode.connections.db_port | string | `"5432"` |  |
 | supersetNode.connections.db_user | string | `"superset"` |  |
+| supersetNode.connections.redis_cache_db | string | `"1"` |  |
+| supersetNode.connections.redis_celery_db | string | `"0"` |  |
 | supersetNode.connections.redis_host | string | `"{{ .Release.Name }}-redis-headless"` | Change in case of bringing your own redis and then also set redis.enabled:false |
 | supersetNode.connections.redis_port | string | `"6379"` |  |
+| supersetNode.connections.redis_ssl.enabled | bool | `false` |  |
+| supersetNode.connections.redis_ssl.ssl_cert_reqs | string | `"CERT_NONE"` |  |
+| supersetNode.connections.redis_user | string | `""` |  |
 | supersetNode.containerSecurityContext | object | `{}` |  |
 | supersetNode.deploymentAnnotations | object | `{}` | Annotations to be added to supersetNode deployment |
 | supersetNode.deploymentLabels | object | `{}` | Labels to be added to supersetNode deployment |

Yes, Just saw the failed CI task and updated this.

[rusackas]

Thanks for the quick turnaround. Go, CI, go!!!

[shakeelansari63]

@rusackas , please trigger ci again , I had missed to update helm version in readme

[shakeelansari63]

Yay .. All CI Checks finally completed 🥳

[craig-rueda]

LGTM!

[fengsi]

This has broken those w/o generating the default secret, which is a very common use case to manage secrets separately (rather than relying on the Helm chart).

This kind of backward compatibility should have been implemented somewhere else, and it's not a good practice not to even document/mention this feature/behavior change at all.

[fengsi]

The solution was to add the new REDIS_PROTO in the managed secret. However, it was a hassle to root cause it, due to lacking of documentation.