rusackas opened a new pull request, #40425:
URL: https://github.com/apache/superset/pull/40425
### SUMMARY
Drops `apache/superset:dockerize` from the chart entirely. The five
`initContainers` that gate startup on Postgres / Redis now run from the same
`apache/superset` image we're already pulling, using bash's built-in
`/dev/tcp/host/port` redirect for the readiness probe — no external
`dockerize`, `nc`, or busybox needed.
A trivy scan of the current published `apache/superset:dockerize` (image
created **2024-05-09**, base **alpine 3.19.1 EOSL**) found:
| Severity | Count | Fix available |
|---|---|---|
| CRITICAL | 3 | yes |
| HIGH | 25 | yes |
| MEDIUM | 71 | yes |
| LOW | 24 | yes |
| **Total** | **123** | **123/123** |
64 of the CVEs are in the bundled `dockerize` Go binary itself (stale Go
stdlib + `golang.org/x/{net,crypto}`); the rest are in the alpine base packages
(`libcrypto3`, `libssl3`, `busybox`, `musl`). Rebuilding the image on a fresher
base would just defer the same problem; removing the dependency eliminates it.
### Why bash `/dev/tcp` over the alternatives
- vs **`busybox + nc -z`**: introduces an external image dependency, which
is what we're trying to escape.
- vs **a Chainguard image**: external registry dependency that hurts
air-gapped users, and we don't need a hardened build of a non-trivial tool — we
just need a TCP connect, which bash does for free.
- vs **rebuilding `apache/superset:dockerize` on a fresher base**: kicks the
can; we'd be back here in another year.
Verified `/bin/bash` 5.2.15 is present in `apache/superset:latest` and
supports the `/dev/tcp` redirect (the image's `/bin/sh` is dash, which does not
— hence the explicit `/bin/bash`).
### Changes
- `helm/superset/values.yaml`:
  - Removed the `initImage:` block.
  - Rewrote all 5 `initContainers` blocks (`init`, `supersetNode`, `supersetWorker`, `supersetCeleryBeat`, `supersetCeleryFlower`) to use `{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}` and a bash `/dev/tcp` loop. The 120s timeout from `dockerize -timeout 120s` is preserved via a `SECONDS`-based deadline. Two-port waits factor out a small `wait_for` helper.
- `helm/superset/Chart.yaml`: chart version 0.15.5 → **0.16.0** (minor bump
per the chart's documented [versioning
policy](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning)
— default behaviour changed; a documented value was removed).
- `helm/superset/README.md`: auto-regenerated by `helm-docs` pre-commit hook
(the three `initImage.*` rows are gone; version badge bumped).
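The `/dev/tcp` readiness loop described above, written out as an added example (my code, not the chart's own initContainer script). It assumes coreutils `timeout` is present to cap a single connect attempt, and the `DB_HOST`/`REDIS_HOST` variable names and their default hostnames are placeholders rather than the chart's values; the success path needs a real listener, so only the timeout path is exercised offline.

```bash
#!/usr/bin/env bash
# Hypothetical wait_for helper modelled on the PR description: a bash-only
# TCP readiness probe via /dev/tcp with a SECONDS-based deadline.
# Example code, not the chart's own initContainer script.

# probe HOST PORT [CONNECT_TIMEOUT]
# Opens a TCP connection with bash's /dev/tcp redirect; the fd is closed when
# the child exits. bash has no connect timeout of its own, so a host that
# silently drops SYNs would sit in connect() for the kernel's retry window.
# Cap the attempt with coreutils `timeout` when it is available (assumption:
# it is present in the Debian-based apache/superset image).
probe() {
  local host=$1 port=$2 limit=${3:-5}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$limit" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  else
    ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null
  fi
}

# wait_for HOST PORT [TIMEOUT_SECONDS]
# Retries probe once per second until it succeeds or TIMEOUT_SECONDS (default
# 120, matching `dockerize -timeout 120s`) has elapsed. The deadline is taken
# from bash's SECONDS counter relative to the call, so sequential waits each
# get their own budget. Returns 0 when the port accepts connections, 1 on
# timeout, 2 when not running under bash (dash's /bin/sh has neither /dev/tcp
# nor SECONDS, which is why the chart invokes /bin/bash explicitly).
wait_for() {
  local host=$1 port=$2 timeout=${3:-120}
  if [ -z "$BASH_VERSION" ]; then
    echo "wait_for: requires bash for /dev/tcp and SECONDS" >&2
    return 2
  fi
  local start=$SECONDS
  local deadline=$(( start + timeout ))
  while :; do
    if probe "$host" "$port"; then
      echo "$host:$port is up (elapsed $(( SECONDS - start ))s)"
      return 0
    fi
    if [ "$SECONDS" -ge "$deadline" ]; then
      echo "timed out after ${timeout}s waiting for $host:$port" >&2
      return 1
    fi
    echo "waiting for $host:$port (elapsed $(( SECONDS - start ))s)"
    sleep 1
  done
}

# Two-port wait of the kind the init containers need: fail fast on the first
# unreachable dependency instead of spending the budget on both. The env
# variable names and default hostnames are placeholders (assumption).
wait_for_postgres_and_redis() {
  wait_for "${DB_HOST:-superset-postgresql}" "${DB_PORT:-5432}" "$1" &&
    wait_for "${REDIS_HOST:-superset-redis-headless}" "${REDIS_PORT:-6379}" "$1"
}

# Command-line use: ./wait_for.sh HOST PORT [TIMEOUT_SECONDS]
if [ "$#" -ge 2 ]; then
  wait_for "$@"
fi
```

Inside an init container this is the script body behind `command: ["/bin/bash", "-c", ...]`. A refused connection fails instantly and the loop simply retries, so the `timeout` wrapper only matters for the blackholed-host case, where an uncapped connect() could otherwise outlast the 120s budget in a single attempt.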
### Compatibility
| User profile | Impact |
|---|---|
| Default chart user | None visible. Same wait behaviour, different binary. |
| Overrides `.Values.initImage.repository/tag/pullPolicy` | **Breaking.** The value is no longer read. Overrides should be removed; the chart will pull from `.Values.image` automatically. |
| Fully overrides `.Values.supersetNode.initContainers` (etc.) with their own block | None — the override still wins. |
| Pinned `apache/superset:dockerize` in network policies / image allowlists | Can be removed once on chart 0.16.0. |
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — chart-only change.
### TESTING INSTRUCTIONS
```bash
cd helm/superset
helm dependency build
helm template . --skip-tests --skip-schema-validation \
--set supersetCeleryBeat.enabled=true \
--set supersetCeleryFlower.enabled=true \
| grep -B1 -A3 'name: wait-for'
```
Expect 5 `wait-for-*` blocks, all using `apache/superset:5.0.0` (or whatever
`appVersion` resolves to), all running `/bin/bash` with a `/dev/tcp` probe.
To exercise the actual deploy:
```bash
helm install superset . --create-namespace --namespace superset
kubectl -n superset logs -l app=superset -c wait-for-postgres -f
# expect: "waiting for postgres at ... (elapsed Ns)" lines, then
# "postgres at ... is up"
```
### ADDITIONAL INFORMATION
- [x] Has associated issue: #40424
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [x] Removes existing feature or API (the `initImage` values block)
### Out of scope (good follow-ups)
- Stop publishing `apache/superset:dockerize` from
`.github/workflows/docker.yml` and `tag-release.yml`. Worth one release of
overlap so users on older chart versions still get fresh builds while they
upgrade, then a separate PR to drop the matrix entry.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]