phase 14-15: docker build validation and helm deployment

2026-04-11 11:59:45 -07:00
parent 7394d241c9
commit ce10afa034
179 changed files with 32559 additions and 576 deletions
@@ -6,6 +6,7 @@ metadata:
  labels:
    app: superset
    app.kubernetes.io/part-of: stonks-oracle
+    stonks-oracle/tier: dashboard
 spec:
  replicas: 1
  selector:
@@ -15,22 +16,38 @@ spec:
    metadata:
      labels:
        app: superset
+        stonks-oracle/tier: dashboard
    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: superset
          image: apache/superset:latest
          ports:
            - containerPort: 8088
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
          env:
            - name: SUPERSET_SECRET_KEY
              valueFrom:
                secretKeyRef:
-                  name: stonks-secrets
+                  name: stonks-dashboard-secrets
                  key: SUPERSET_SECRET_KEY
            - name: ADMIN_USERNAME
              value: admin
            - name: ADMIN_PASSWORD
-              value: admin
+              valueFrom:
+                secretKeyRef:
+                  name: stonks-dashboard-secrets
+                  key: SUPERSET_ADMIN_PASSWORD
            - name: ADMIN_EMAIL
              value: admin@stonks.local
          volumeMounts:
@@ -94,12 +111,39 @@ data:
    import os
    SECRET_KEY = os.getenv("SUPERSET_SECRET_KEY", "stonks-dev-secret-key-change-me")
    SQLALCHEMY_DATABASE_URI = "trino://trino@trino.stonks-oracle.svc.cluster.local:8080/lakehouse/stonks"
+    # Additional database connections available in Superset UI:
+    #   Hive catalog:    trino://trino@trino.stonks-oracle.svc.cluster.local:8080/lakehouse/stonks
+    #   Iceberg catalog: trino://trino@trino.stonks-oracle.svc.cluster.local:8080/iceberg/stonks
    FEATURE_FLAGS = {"ENABLE_TEMPLATE_PROCESSING": True}
    CACHE_CONFIG = {
        "CACHE_TYPE": "RedisCache",
        "CACHE_DEFAULT_TIMEOUT": 300,
        "CACHE_KEY_PREFIX": "superset_",
-        "CACHE_REDIS_HOST": os.getenv("REDIS_HOST", "redis.redis-service.svc.cluster.local"),
+        "CACHE_REDIS_HOST": os.getenv("REDIS_HOST", "redis-master.redis-service.svc.cluster.local"),
        "CACHE_REDIS_PORT": int(os.getenv("REDIS_PORT", "6379")),
        "CACHE_REDIS_DB": 1,
    }
+
+    # --- Security hardening ---
+    # Disable public user role (require login)
+    PUBLIC_ROLE_LIKE = None
+    # Session cookie security
+    SESSION_COOKIE_HTTPONLY = True
+    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_SAMESITE = "Lax"
+    # Talisman CSP headers
+    TALISMAN_ENABLED = True
+    TALISMAN_CONFIG = {
+        "content_security_policy": {
+            "default-src": ["'self'"],
+            "img-src": ["'self'", "data:"],
+            "style-src": ["'self'", "'unsafe-inline'"],
+            "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+        },
+        "force_https": False,  # TLS terminated at ingress
+    }
+    # Prevent Superset from allowing arbitrary SQL database connections
+    PREVENT_UNSAFE_DB_CONNECTIONS = True
+    # Row limit for queries
+    ROW_LIMIT = 50000
+    SQL_MAX_ROW = 100000