Security — Superset
This section covers application secrets, metadata database, and external PostgreSQL integration in the tdp-superset chart. Advanced authentication (LDAP, OAuth, etc.) depends on the Superset upstream and your values file — always validate with helm show values and the official Superset documentation before applying in production.
SUPERSET_SECRET_KEY
Required. Used to encrypt sensitive data in Superset.
- Set in superset.extraSecretEnv.SUPERSET_SECRET_KEY (referencing a Secret or secure tool in the values file).
- Generate with high entropy (e.g. openssl rand -base64 42).
- Do not commit in plain text to a repository.
Superset PostgreSQL password
The chart can manage a Secret for the metadata user password (supersetPostgresqlPassword, superset.postgresqlSecrets.* depending on the package). Align Secret names and keys to what your installation expects.
Administrative PostgreSQL (external bootstrap)
When TDPConfigurations.externalDatabase.enabled=true, the database/user creation job reads the PostgreSQL admin password from a Secret built as <releaseName>-<area>, key postgres-password. Ensure this Secret exists in the correct namespace before the hook, with the values the chart documents for your version.
General best practices
- Rotate credentials after the first production deployment.
- Restrict NetworkPolicy and service exposure (Ingress only when necessary).
- Keep the image with required drivers (Trino, ClickHouse, etc.) without exposing credentials in literal extraEnv; prefer secretKeyRef.
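One way to check a values file for the literal-credential pattern described above before it is committed or applied. This is an added example, not part of the tdp-superset chart: it assumes extraEnv is a map of NAME: value pairs, the function names and sample file are hypothetical, and the match on key names is a heuristic, not a YAML parser.

```shell
#!/usr/bin/env bash
# Heuristic lint: flag credential-looking keys that carry a literal value
# inside an extraEnv: block of a Helm values file.

# lint_values FILE -> prints "LINE:KEY" per finding; returns 1 if any were found.
lint_values() {
  awk '
    function indent(s,   t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
      ind = indent($0)
      if (in_env && ind <= env_ind) in_env = 0    # dedent: left the extraEnv block
      if ($0 ~ /^[ \t]*extraEnv:[ \t]*$/) { in_env = 1; env_ind = ind; next }
      if (in_env && $0 ~ /^[ \t]*[A-Za-z0-9_]+:/) {
        key = $0; sub(/^[ \t]*/, "", key); val = key
        sub(/:.*/, "", key)                       # text before the first colon
        sub(/^[^:]*:[ \t]*/, "", val)             # text after it (empty for nested maps)
        if (toupper(key) ~ /(PASSWORD|SECRET|TOKEN|KEY)/ && val != "") {
          printf "%d:%s\n", NR, key; found = 1
        }
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample values file (hypothetical content, for demonstration only).
write_sample() {
  cat > "$1" <<'EOF'
superset:
  extraEnv:
    TRINO_PASSWORD: constructed-example-value
    SUPERSET_WEBSERVER_PORT: "8088"
  extraSecretEnv:
    SUPERSET_SECRET_KEY: injected-by-secret-tooling
EOF
}

sample=$(mktemp) && write_sample "$sample"
lint_values "$sample" || echo "literal credential in extraEnv: move it to a Secret and use secretKeyRef"
rm -f "$sample"
```

The non-zero return status lets the function gate a pre-commit hook or CI step that runs before helm upgrade.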
Troubleshooting
| Problem | What to check |
|---|---|
| Pods do not start | SUPERSET_SECRET_KEY defined |
| Init job fails | DB host, credentials, and db-create-job / admin Secret |
| Login after migration | Admin user created by superset.init in the values file |
Consult helm show values for the chart version you deployed.