API Reference
Packages
superset.apache.org/v1alpha1
Package v1alpha1 contains API Schema definitions for the superset v1alpha1 API group.
Resource Types
AdminUserSpec
AdminUserSpec defines admin user credentials for dev-mode initialization.
Appears in:
- InitTaskSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| username string | Admin username. | admin | Optional: {} |
| password string | Admin password. Stored as plain-text env var in Development mode. | admin | Optional: {} |
| firstName string | Admin first name. | Superset | Optional: {} |
| lastName string | Admin last name. | Admin | Optional: {} |
| email string | Admin email. | admin@example.com | Optional: {} |
AutoscalingSpec
AutoscalingSpec configures a HorizontalPodAutoscaler.
Appears in:
- CeleryFlowerComponentSpec
- CeleryWorkerComponentSpec
- McpServerComponentSpec
- ScalableComponentSpec
- SupersetSpec
- WebServerComponentSpec
- WebsocketServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| minReplicas integer | Minimum replica count (defaults to 1). | | Minimum: 1 Optional: {} |
| maxReplicas integer | Maximum replica count; HPA will not scale above this. | | Maximum: 100 Minimum: 1 |
| metrics MetricSpec array | Metrics for the HPA. Supports CPU, memory, custom, and external metrics. When empty, Kubernetes defaults to 80% average CPU utilization. | | Optional: {} |
BaseTaskSpec
BaseTaskSpec contains fields shared by all lifecycle task types.
Appears in:
- CloneTaskSpec
- InitTaskSpec
- MigrateTaskSpec
- RotateTaskSpec
- SchedulableBaseTaskSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
CeleryBeatComponentSpec
CeleryBeatComponentSpec defines the celery beat component on the parent CRD.
CeleryBeat is a singleton: it always runs with one replica, and the
inherited spec.replicas value (if any) is ignored. The spec exposes no
replicas field, no autoscaling, and no PodDisruptionBudget by design.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment-level overrides (strategy, revision history). Replica count is fixed at 1 by the controller and cannot be overridden. | | Optional: {} |
| podTemplate PodTemplate | Pod and container template for Celery beat pods. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config string | Per-component raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Per-component bootstrap script. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for this component. | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | Per-component SQLAlchemy engine options (overrides spec.sqlaEngineOptions entirely). | | Optional: {} |
CeleryFlowerComponentSpec
CeleryFlowerComponentSpec defines the celery flower component on the parent CRD.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config string | Per-component raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Per-component bootstrap script. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for this component. | | Optional: {} |
| service ComponentServiceSpec | Service configuration (type, port, annotations). | | Optional: {} |
CeleryWorkerComponentSpec
CeleryWorkerComponentSpec defines the celery worker component on the parent CRD.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config string | Per-component raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Per-component bootstrap script. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for this component. | | Optional: {} |
| celery CeleryWorkerProcessSpec | Celery worker execution configuration. Controls concurrency, pool type, and related parameters. | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | Per-component SQLAlchemy engine options (overrides spec.sqlaEngineOptions entirely). | | Optional: {} |
CeleryWorkerProcessSpec
CeleryWorkerProcessSpec configures Celery worker execution parameters. Fields controlled by presets: concurrency, pool. All other fields have static defaults independent of preset.
Appears in:
- CeleryWorkerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| preset string | Preset controlling concurrency and pool defaults. Individual fields override preset-computed values. | | Enum: [disabled conservative balanced performance aggressive] Optional: {} |
| concurrency integer | Number of concurrent task workers (maps to celery -c flag). | | Minimum: 1 Optional: {} |
| pool string | Celery pool implementation. | | Enum: [prefork threads gevent eventlet solo] Optional: {} |
| optimization string | Task distribution optimization strategy. | | Enum: [default fair] Optional: {} |
| maxTasksPerChild integer | Maximum tasks a worker process handles before being replaced (prefork only; 0 = unlimited). | | Minimum: 0 Optional: {} |
| maxMemoryPerChild integer | Maximum resident memory in bytes per worker before being replaced (prefork only; 0 = disabled). | | Minimum: 0 Optional: {} |
| prefetchMultiplier integer | Task prefetch multiplier — number of tasks prefetched per worker. | | Minimum: 0 Optional: {} |
| softTimeLimit integer | Soft time limit in seconds — raises SoftTimeLimitExceeded (0 = disabled). | | Minimum: 0 Optional: {} |
| timeLimit integer | Hard time limit in seconds — kills the task (0 = disabled). | | Minimum: 0 Optional: {} |
CloneSourceSpec
CloneSourceSpec defines the source database connection for cloning.
Appears in:
- CloneTaskSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| type string | Database type: PostgreSQL (default) or MySQL. | PostgreSQL | Enum: [PostgreSQL MySQL] Optional: {} |
| host string | Source database hostname. | | |
| port integer | Source database port. Defaults to 5432 (postgresql) or 3306 (mysql). | | Optional: {} |
| database string | Database name on the source server. | | |
| username string | Username for the source database (should have read-only access). | | |
| password string | Password for the source database (Development mode only). In Staging, use passwordFrom to reference a Kubernetes Secret. | | Optional: {} |
| passwordFrom SecretKeySelector | PasswordFrom references a Secret containing the source database password. | | Optional: {} |
CloneTaskSpec
CloneTaskSpec configures database cloning from an external source into this CR's metastore. Runs before migrate and init tasks. The clone target is always spec.metastore — the metastore user must have CREATEDB rights. Only allowed in Development or Staging mode. Triggers on source config changes and the trigger field (inherited from BaseTaskSpec).
Appears in:
- LifecycleSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
| cronSchedule string | CronSchedule is a 5-field cron expression (minute hour day-of-month month day-of-week) that triggers periodic re-execution of this task and all downstream tasks. When the clock crosses a cron boundary, the task checksum changes and the lifecycle pipeline re-runs. Uses standard cron syntax. Examples: `"0 2 * * *"` (daily 2 AM UTC), `"0 */6 * * *"` (every 6 hours), `"30 1 * * 1"` (Mondays 1:30 AM UTC). Predefined schedules (e.g. "@daily") are not accepted; use the explicit 5-field form. Pattern validation rejects only malformed shape at admission (e.g. fewer than five fields, disallowed characters); out-of-range values like "99 99 99 99 99" still pass admission and are caught by the runtime parser, which blocks the lifecycle pipeline with an InvalidCronSchedule condition until the expression is corrected. | | MaxLength: 256 MinLength: 9 Pattern: `^[A-Za-z0-9*/,?-]+(\s+[A-Za-z0-9*/,?-]+){4}$` Optional: {} |
| source CloneSourceSpec | Source database to clone from (typically production, read-only user). | | |
| excludeTables string array | Tables to exclude entirely from the dump (schema and data). | | Optional: {} |
| excludeTableData string array | Tables where schema is dumped but data is not. Useful for large tables needed by migrations but not for testing (e.g., "logs", "query"). | | Optional: {} |
| postCloneSQL string array | SQL statements to execute against the target database after cloning. Useful for sanitizing cloned data (e.g., disabling alerts, deleting OAuth tokens, masking PII). | | Optional: {} |
| image ContainerImageSpec | Image for the clone Job. Defaults to postgres:17-alpine (PostgreSQL) or mysql:8-alpine (MySQL) based on source.type. Partial specs (e.g., only tag set) inherit the type-appropriate default for omitted fields. | | Optional: {} |
| podTemplate PodTemplate | Pod and container template for the clone task Job. | | Optional: {} |
| podRetention PodRetentionSpec | Retention policy for completed clone Jobs and their Pods. | | Optional: {} |
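A pre-flight check for the cronSchedule field of CloneTaskSpec, as an added example that is not the operator's code: it applies the CRD's Pattern, MinLength and MaxLength, then a range check standing in for the runtime parser, which this page does not show. The field bounds, the accepted month and weekday aliases, and all function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// admissionPattern is the Pattern from the cronSchedule row.
var admissionPattern = regexp.MustCompile(`^[A-Za-z0-9*/,?-]+(\s+[A-Za-z0-9*/,?-]+){4}$`)

// field is one cron position. Bounds and aliases are the usual 5-field cron
// values; that the operator's runtime parser uses the same ones is an assumption.
type field struct {
	name     string
	min, max int
	names    string // space-separated aliases; the first one maps to min
}

var fields = []field{
	{"minute", 0, 59, ""},
	{"hour", 0, 23, ""},
	{"day-of-month", 1, 31, ""},
	{"month", 1, 12, "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC"},
	{"day-of-week", 0, 6, "SUN MON TUE WED THU FRI SAT"},
}

// PassesAdmission applies the CRD constraints: MinLength 9, MaxLength 256, Pattern.
func PassesAdmission(expr string) bool {
	return len(expr) >= 9 && len(expr) <= 256 && admissionPattern.MatchString(expr)
}

// value resolves a number or alias and enforces the field's bounds.
func (f field) value(tok string) (int, error) {
	for i, n := range strings.Fields(f.names) {
		if strings.EqualFold(n, tok) {
			return f.min + i, nil
		}
	}
	v, err := strconv.Atoi(tok)
	if err != nil || v < f.min || v > f.max {
		return 0, fmt.Errorf("%s: %q is not a value in %d-%d", f.name, tok, f.min, f.max)
	}
	return v, nil
}

// check validates one field: a comma list of "*", "?", a value or lo-hi,
// each optionally followed by /step.
func (f field) check(expr string) error {
	for _, part := range strings.Split(expr, ",") {
		base, step, hasStep := strings.Cut(part, "/")
		if n, err := strconv.Atoi(step); hasStep && (err != nil || n < 1) {
			return fmt.Errorf("%s: bad step %q", f.name, step)
		}
		if base == "*" || base == "?" {
			continue
		}
		lo, hi, isRange := strings.Cut(base, "-")
		a, err := f.value(lo)
		b := a
		if err == nil && isRange {
			b, err = f.value(hi)
		}
		if err != nil {
			return err
		}
		if b < a {
			return fmt.Errorf("%s: range %q is reversed", f.name, base)
		}
	}
	return nil
}

// RuntimeCheck is the stand-in for the runtime parser's range validation.
func RuntimeCheck(expr string) error {
	parts := strings.Fields(expr)
	if len(parts) != len(fields) {
		return fmt.Errorf("want %d fields, got %d", len(fields), len(parts))
	}
	for i, f := range fields {
		if err := f.check(parts[i]); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed samples, including the values quoted in the field description.
	for _, e := range []string{"0 2 * * *", "0 */6 * * *", "30 1 * * 1", "@daily",
		"0 2 * *", "99 99 99 99 99", "0 2 31 13 *"} {
		fmt.Printf("%-18q admission=%-5v runtime=%v\n", e, PassesAdmission(e), RuntimeCheck(e))
	}
}
```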
ComponentRefStatus
ComponentRefStatus holds the status summary of a managed component.
Appears in:
- ComponentStatusMap

| Field | Description | Default | Validation |
|---|---|---|---|
| phase string | Phase summarizes the component workload state. | | Enum: [Pending Progressing Ready Unavailable Drained] Optional: {} |
| resources ComponentResourceStatus array | Resources lists the Kubernetes resources currently expected for this component and whether the operator can observe them. | | Optional: {} |
| image string | Image currently configured on the component's main container. | | Optional: {} |
| replicas integer | Desired replica count used for status reporting. | | Optional: {} |
| readyReplicas integer | ReadyReplicas is the number of ready component pods. | | Optional: {} |
| updatedReplicas integer | UpdatedReplicas is the number of pods updated to the current template. | | Optional: {} |
| availableReplicas integer | AvailableReplicas is the number of available component pods. | | Optional: {} |
| configChecksum string | Checksum stamped on the component pod template by the parent. Drives rolling restarts; surfaced here so users can see which revision each component is reconciling against. | | Optional: {} |
| message string | Message gives a short human-oriented reason when the component is not ready. | | Optional: {} |
ComponentResourceStatus
ComponentResourceStatus describes one Kubernetes resource managed for a component.
Appears in:
- ComponentRefStatus

| Field | Description | Default | Validation |
|---|---|---|---|
| kind string | Resource kind, for example Deployment, Service, ConfigMap, HorizontalPodAutoscaler. | | |
| name string | Resource name. | | |
| status string | Observed status: Present or Missing. | | Enum: [Present Missing] |
ComponentServiceSpec
ComponentServiceSpec defines the Service configuration for a component.
Appears in:
- CeleryFlowerComponentSpec
- McpServerComponentSpec
- WebServerComponentSpec
- WebsocketServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| type ServiceType | Service type (ClusterIP, NodePort, LoadBalancer). | ClusterIP | Enum: [ClusterIP NodePort LoadBalancer] Optional: {} |
| port integer | Service port exposed to clients. Defaults to the component's standard port (8088 for web server, 5555 for Flower). | | Optional: {} |
| nodePort integer | Fixed NodePort number when type=NodePort (30000-32767). If omitted, Kubernetes auto-assigns. | | Maximum: 32767 Minimum: 30000 Optional: {} |
| annotations object (keys:string, values:string) | Service annotations (e.g., for cloud load balancer configuration). | | Optional: {} |
| labels object (keys:string, values:string) | Service labels; merged with operator-managed labels. | | Optional: {} |
| gatewayPath string | URL path prefix for this component's HTTPRoute rule. Only used when spec.networking.gateway is set. Defaults: /ws (websocket), /mcp (MCP server), /flower (Celery Flower). | | Pattern: ^/[a-zA-Z0-9/_.-]+$ Optional: {} |
ComponentSpec
ComponentSpec defines per-component identity fields. Embedded by all component specs except InitSpec.
Appears in:
- CeleryBeatComponentSpec
- CeleryFlowerComponentSpec
- CeleryWorkerComponentSpec
- McpServerComponentSpec
- WebServerComponentSpec
- WebsocketServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
ComponentStatusMap
ComponentStatusMap holds status for each component.
Appears in:
- SupersetStatus

| Field | Description | Default | Validation |
|---|---|---|---|
| webServer ComponentRefStatus | | | Optional: {} |
| celeryWorker ComponentRefStatus | | | Optional: {} |
| celeryBeat ComponentRefStatus | | | Optional: {} |
| celeryFlower ComponentRefStatus | | | Optional: {} |
| websocketServer ComponentRefStatus | | | Optional: {} |
| mcpServer ComponentRefStatus | | | Optional: {} |
ContainerImageSpec
ContainerImageSpec defines a generic container image. Unlike ImageSpec, it
has no Superset-specific repository default — the operator selects a
context-appropriate default at reconcile time when fields are omitted (e.g.,
nginx:alpine for the maintenance page, postgres:17-alpine /
mysql:8-alpine for the clone Job). Use this type for non-Superset images.
Appears in:
- CloneTaskSpec
- MaintenancePageSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| repository string | Container image repository. | | Optional: {} |
| tag string | Image tag. | | Optional: {} |
| pullPolicy PullPolicy | Image pull policy (IfNotPresent, Always, Never). | IfNotPresent | Optional: {} |
| pullSecrets LocalObjectReference array | References to Secrets for pulling images from private registries. | | Optional: {} |
ContainerTemplate
ContainerTemplate configures fields on the main Superset container.
Appears in:
- PodTemplate

| Field | Description | Default | Validation |
|---|---|---|---|
| resources ResourceRequirements | Resource requirements (CPU, memory). | | Optional: {} |
| env EnvVar array | Environment variables. | | Optional: {} |
| envFrom EnvFromSource array | Environment variable sources (ConfigMaps, Secrets). | | Optional: {} |
| volumeMounts VolumeMount array | Volume mounts for the main container. | | Optional: {} |
| ports ContainerPort array | Container ports. Replaces operator defaults when set. | | Optional: {} |
| securityContext SecurityContext | Container-level security context. | | Optional: {} |
| command string array | Container entrypoint override. | | Optional: {} |
| args string array | Container arguments override. | | Optional: {} |
| livenessProbe Probe | Liveness probe; container is restarted when the probe fails. | | Optional: {} |
| readinessProbe Probe | Readiness probe; pod is removed from Service endpoints when the probe fails. | | Optional: {} |
| startupProbe Probe | Startup probe; liveness and readiness probes are deferred until this probe succeeds. | | Optional: {} |
| lifecycle Lifecycle | Lifecycle hooks for the main container. | | Optional: {} |
DeploymentTemplate
DeploymentTemplate configures Kubernetes Deployment-level fields for operator-managed Deployments. Pod and container configuration is in the sibling PodTemplate field.
Appears in:
- CeleryBeatComponentSpec
- CeleryFlowerComponentSpec
- CeleryWorkerComponentSpec
- MaintenancePageSpec
- McpServerComponentSpec
- ScalableComponentSpec
- SupersetSpec
- WebServerComponentSpec
- WebsocketServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| revisionHistoryLimit integer | Number of old ReplicaSets to retain for rollback. | | Optional: {} |
| minReadySeconds integer | Minimum seconds a pod must be ready before considered available. | | Optional: {} |
| progressDeadlineSeconds integer | Maximum seconds for a deployment to make progress before considered failed. | | Optional: {} |
| strategy DeploymentStrategy | Deployment update strategy. | | Optional: {} |
| labels object (keys:string, values:string) | Deployment metadata labels (merged with operator-managed labels which cannot be overridden). | | Optional: {} |
| annotations object (keys:string, values:string) | Deployment metadata annotations. | | Optional: {} |
GatewaySpec
GatewaySpec defines HTTPRoute configuration.
Appears in:
- NetworkingSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| gatewayRef ParentReference | Reference to the Gateway resource to attach the HTTPRoute to. | | |
| hostnames Hostname array | Hostnames for the HTTPRoute (e.g., "superset.example.com"). | | Optional: {} |
| annotations object (keys:string, values:string) | HTTPRoute annotations. | | Optional: {} |
| labels object (keys:string, values:string) | HTTPRoute labels. | | Optional: {} |
GunicornSpec
GunicornSpec configures Gunicorn worker parameters for the web server. Fields controlled by presets: workers, threads, workerClass. All other fields have static defaults independent of preset.
Appears in:
- WebServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| preset string | Preset controlling workers, threads, and workerClass defaults. Individual fields override preset-computed values. | | Enum: [disabled conservative balanced performance aggressive] Optional: {} |
| workers integer | Number of Gunicorn worker processes. | | Minimum: 1 Optional: {} |
| threads integer | Number of threads per worker (only effective with gthread worker class). | | Minimum: 1 Optional: {} |
| workerClass string | Gunicorn worker class. | | Enum: [sync gthread gevent eventlet] Optional: {} |
| timeout integer | Request timeout in seconds. | | Minimum: 1 Optional: {} |
| keepAlive integer | Keep-alive timeout in seconds for waiting for requests on a connection. | | Minimum: 0 Optional: {} |
| maxRequests integer | Maximum requests per worker before recycling (0 = disabled). | | Minimum: 0 Optional: {} |
| maxRequestsJitter integer | Random jitter added to maxRequests to prevent thundering herd on worker recycling. | | Minimum: 0 Optional: {} |
| limitRequestLine integer | Maximum size of HTTP request line in bytes (0 = unlimited). | | Minimum: 0 Optional: {} |
| limitRequestFieldSize integer | Maximum size of HTTP request header field in bytes (0 = unlimited). | | Minimum: 0 Optional: {} |
| logLevel string | Gunicorn log level. | | Enum: [debug info warning error critical] Optional: {} |
ImageOverrideSpec
ImageOverrideSpec allows a component to override specific image fields. Unset fields inherit from spec.image.
Appears in:
- CeleryBeatComponentSpec
- CeleryFlowerComponentSpec
- CeleryWorkerComponentSpec
- ComponentSpec
- LifecycleSpec
- McpServerComponentSpec
- WebServerComponentSpec
- WebsocketServerComponentSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| tag string | Override the image tag for this component; inherits from spec.image.tag if omitted. | | Optional: {} |
| repository string | Override the image repository for this component; inherits from spec.image.repository if omitted. | | Optional: {} |
| pullPolicy PullPolicy | Override the image pull policy for this component; inherits from spec.image.pullPolicy if omitted. | | Enum: [Always IfNotPresent Never] Optional: {} |
ImageSpec
ImageSpec defines the container image configuration.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| repository string | Container image repository. | apachesuperset.docker.scarf.sh/apache/superset | Optional: {} |
| tag string | Image tag. | | MinLength: 1 |
| pullPolicy PullPolicy | Image pull policy (IfNotPresent, Always, Never). | IfNotPresent | Optional: {} |
| pullSecrets LocalObjectReference array | References to Secrets for pulling images from private registries. | | Optional: {} |
IngressHost
IngressHost defines a host rule for the Ingress.
Appears in:
- IngressSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| host string | | | Optional: {} |
| paths IngressPath array | | | Optional: {} |
IngressPath
IngressPath defines a path rule for an Ingress host.
Appears in:
- IngressHost

| Field | Description | Default | Validation |
|---|---|---|---|
| path string | | / | |
| pathType PathType | | Prefix | Optional: {} |
IngressSpec
IngressSpec defines Ingress configuration.
Appears in:
- NetworkingSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| className string | IngressClass name (e.g., "nginx") that determines which controller processes this Ingress. | | Optional: {} |
| host string | Primary hostname for the Ingress rule (e.g., "superset.example.com"). | | Optional: {} |
| annotations object (keys:string, values:string) | Ingress annotations (e.g., for TLS, auth, or controller-specific configuration). | | Optional: {} |
| labels object (keys:string, values:string) | Ingress labels. | | Optional: {} |
| hosts IngressHost array | Additional host/path rules beyond the primary host. | | Optional: {} |
| tls IngressTLS array | TLS configuration (certificate secrets and hostnames). | | Optional: {} |
InitTaskSpec
InitTaskSpec defines the application initialization task. Triggers on config changes and upstream task re-execution.
Appears in:
- LifecycleSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
| adminUser AdminUserSpec | Admin user to create during initialization. Only allowed in Development mode. When set, the operator appends a superset fab create-admin step to the init command. | | Optional: {} |
| loadExamples boolean | Load example dashboards and data during initialization. Only allowed in Development mode. When true, the operator appends a superset load-examples step to the init command. | | Optional: {} |
LifecycleSpec
LifecycleSpec defines lifecycle management configuration for database migrations and application initialization tasks.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| upgradeMode string | UpgradeMode controls whether upgrades require manual approval. Automatic runs immediately on image change; Supervised waits for an approval annotation matching the recorded upgrade token before proceeding. | Automatic | Enum: [Automatic Supervised] Optional: {} |
| disabled boolean | Set to true to skip all lifecycle tasks entirely. | | Optional: {} |
| image ImageOverrideSpec | Image override for lifecycle task Jobs. | | Optional: {} |
| podTemplate PodTemplate | Pod and container template for lifecycle task Jobs. | | Optional: {} |
| podRetention PodRetentionSpec | Retention policy for completed lifecycle task Jobs and their Pods. | | Optional: {} |
| config string | Per-lifecycle raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Bootstrap script for lifecycle migrate, rotate, and init task Jobs. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for lifecycle tasks. | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | Per-lifecycle SQLAlchemy engine options (overrides spec.sqlaEngineOptions entirely). | | Optional: {} |
| maintenancePage MaintenancePageSpec | MaintenancePage configures a lightweight maintenance page served during lifecycle drain and task execution. Presence enables the feature when a drain will actually run and an existing web-server workload is present. In managed mode (no image override), an nginx:alpine container serves a default or custom HTML page. In custom mode (image set), the user's image handles serving, and content fields are passed as env vars. | | Optional: {} |
| clone CloneTaskSpec | Clone configures database cloning from an external source before running migrations. The clone target is always spec.metastore. Only allowed in Development or Staging mode. | | Optional: {} |
| migrate MigrateTaskSpec | Database migration task configuration. | | Optional: {} |
| rotate RotateTaskSpec | Secret key rotation task configuration. Runs after migrate and before init. Presence enables the task; absence disables it. | | Optional: {} |
| init InitTaskSpec | Application initialization task configuration. | | Optional: {} |
LifecycleStatus
LifecycleStatus tracks the current lifecycle task execution state.
Appears in:
- SupersetStatus

| Field | Description | Default | Validation |
|---|---|---|---|
| phase string | Phase of the lifecycle: Cloning, Draining, Migrating, Rotating, Initializing, Restoring, Complete, Blocked, AwaitingApproval. | | Optional: {} |
| maintenanceActive boolean | MaintenanceActive indicates the maintenance page is currently serving traffic via the web-server Service. | | Optional: {} |
| lastCompletedChecksums object (keys:string, values:string) | LastCompletedChecksums maps task type to its task checksum at last successful completion. Used to detect input drift when task status refs are absent. | | Optional: {} |
| clone TaskRefStatus | Clone task status summary. | | Optional: {} |
| migrate TaskRefStatus | Migrate task status summary. | | Optional: {} |
| rotate TaskRefStatus | Rotate task status summary. | | Optional: {} |
| init TaskRefStatus | Init task status summary. | | Optional: {} |
| upgrade UpgradeContext | Upgrade context (populated during active upgrade). | | Optional: {} |
MaintenancePageSpec
MaintenancePageSpec configures a lightweight maintenance page served while components are drained for lifecycle tasks. The page is only started when a drain will actually run and an existing web-server workload is present. Supports two modes:
- Managed (default): uses nginx:alpine with operator-generated HTML and nginx config.
- Custom (image set): user provides their own image/command; content fields are passed as SUPERSET_OPERATOR__MAINTENANCE_* env vars.

Appears in:
- LifecycleSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| title string | Title displayed on the maintenance page heading (managed mode). In custom mode, passed as env var SUPERSET_OPERATOR__MAINTENANCE_TITLE. | | Optional: {} |
| message string | Message displayed below the title (managed mode). In custom mode, passed as env var SUPERSET_OPERATOR__MAINTENANCE_MESSAGE. | | Optional: {} |
| body string | Full HTML page content. When set in managed mode, title and message are ignored and this value is served as the complete page. In custom mode, passed as env var SUPERSET_OPERATOR__MAINTENANCE_BODY. | | Optional: {} |
| image ContainerImageSpec | Image for the maintenance page container. When set, switches to custom mode: no nginx config is injected, and the user's image is responsible for serving HTTP traffic on the web-server port (default 8088). The port must match the web-server Service's target port since the maintenance page takes over that Service during lifecycle tasks. When unset, defaults to nginx:alpine (managed mode). Partial specs (e.g., only tag set) inherit the nginx default for the omitted fields. | | Optional: {} |
| replicas integer | Number of maintenance page pod replicas. | 1 | Optional: {} |
| deploymentTemplate DeploymentTemplate | Deployment-level overrides for the maintenance page (strategy, revision history). For pod-level settings, use PodTemplate. | | Optional: {} |
| podTemplate PodTemplate | Pod template for the maintenance page pod. | | Optional: {} |
McpServerComponentSpec
McpServerComponentSpec defines the MCP server component on the parent CRD.
Appears in:
- SupersetSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config string | Per-component raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Per-component bootstrap script. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for this component. | | Optional: {} |
| service ComponentServiceSpec | Service configuration (type, port, annotations). | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | Per-component SQLAlchemy engine options (overrides spec.sqlaEngineOptions entirely). | | Optional: {} |
MetastoreSpec¶
MetastoreSpec defines the database connection for Superset's metastore. Either a URI (passthrough) or structured fields (host, database, etc.) can be used. They are mutually exclusive.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| uri string | Full SQLAlchemy database URI. Mutually exclusive with structured fields and uriFrom. In Staging or Production, CRD validation rejects plain text URIs — use uriFrom to reference a Kubernetes Secret. | | Optional: {} |
| uriFrom SecretKeySelector | Reference to a Secret key containing the full SQLAlchemy URI. Mutually exclusive with uri and structured fields. | | Optional: {} |
| type string | Database type. Determines the SQLAlchemy dialect and default driver. | PostgreSQL | Enum: [PostgreSQL MySQL] Optional: {} |
| driver string | SQLAlchemy driver name for structured mode. When omitted, PostgreSQL uses psycopg2 and MySQL uses mysqldb. Set this to a driver installed in the Superset image, such as psycopg, pg8000, pymysql, or mysqlconnector. The operator selects the SQLAlchemy scheme only; it does not install Python driver packages into the image. | | Pattern: ^[A-Za-z0-9_]+$ Optional: {} |
| host string | Database hostname. | | Optional: {} |
| port integer | Database port. Defaults per type (5432 for PostgreSQL, 3306 for MySQL). | | Optional: {} |
| database string | Database name. | | Optional: {} |
| username string | Database username. | | Optional: {} |
| password string | Database password. In Staging or Production, CRD validation rejects plain text passwords — use passwordFrom to reference a Kubernetes Secret. | | Optional: {} |
| passwordFrom SecretKeySelector | Reference to a Secret key containing the database password. Mutually exclusive with password. | | Optional: {} |
| createDatabase boolean | CreateDatabase, when true, instructs the operator to attach a one-shot init container to the migrate Job that issues CREATE DATABASE against the server before superset db upgrade runs. Existing databases are detected and the step becomes a no-op. Requires the configured metastore user to hold CREATEDB (PostgreSQL) or CREATE (MySQL) privilege on the server. Only valid with structured metastore (host/database/username); rejected when uri or uriFrom is set. | | Optional: {} |
MigrateTaskSpec¶
MigrateTaskSpec defines the database migration task. Triggers on image (version) changes and upstream task re-execution.
Appears in: - LifecycleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
MonitoringSpec¶
MonitoringSpec defines Prometheus monitoring configuration.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| serviceMonitor ServiceMonitorSpec | | | Optional: {} |
NetworkPolicySpec¶
NetworkPolicySpec defines network segmentation configuration.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| extraIngress NetworkPolicyIngressRule array | Additional ingress rules appended to the operator-generated NetworkPolicy (e.g., allow traffic from monitoring namespace). | | Optional: {} |
| extraEgress NetworkPolicyEgressRule array | Additional egress rules appended to the operator-generated NetworkPolicy. | | Optional: {} |
NetworkingSpec¶
NetworkingSpec defines external access configuration.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| gateway GatewaySpec | Gateway API HTTPRoute configuration. | | Optional: {} |
| ingress IngressSpec | Ingress configuration. | | Optional: {} |
PDBSpec¶
PDBSpec configures a PodDisruptionBudget.
Appears in: - CeleryFlowerComponentSpec - CeleryWorkerComponentSpec - McpServerComponentSpec - ScalableComponentSpec - SupersetSpec - WebServerComponentSpec - WebsocketServerComponentSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| minAvailable IntOrString | Minimum pods that must remain available during voluntary disruptions. Mutually exclusive with maxUnavailable. | | Optional: {} |
| maxUnavailable IntOrString | Maximum pods allowed to be unavailable during voluntary disruptions. Mutually exclusive with minAvailable. | | Optional: {} |
PodRetentionSpec¶
PodRetentionSpec defines retention behavior for lifecycle task Jobs and their Pods.
Appears in: - CloneTaskSpec - LifecycleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| policy string | Retention policy: Delete removes Jobs and Pods after completion, Retain keeps all, RetainOnFailure (the default) keeps only failed Jobs and Pods for debugging and deletes successful ones to reduce noise. Retained Jobs and Pods are automatically deleted when the task is reset or disabled, and garbage-collected when the parent Superset CR is deleted. | RetainOnFailure | Enum: [Delete Retain RetainOnFailure] Optional: {} |
PodTemplate¶
PodTemplate configures Kubernetes PodSpec fields for the pod template.
Appears in: - CeleryBeatComponentSpec - CeleryFlowerComponentSpec - CeleryWorkerComponentSpec - CloneTaskSpec - LifecycleSpec - MaintenancePageSpec - McpServerComponentSpec - ScalableComponentSpec - SupersetSpec - WebServerComponentSpec - WebsocketServerComponentSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| annotations object (keys:string, values:string) | Pod annotations. | | Optional: {} |
| labels object (keys:string, values:string) | Pod labels (merged with operator-managed labels which cannot be overridden). | | Optional: {} |
| affinity Affinity | Pod affinity and anti-affinity rules for scheduling. | | Optional: {} |
| tolerations Toleration array | Tolerations for scheduling on tainted nodes. | | Optional: {} |
| nodeSelector object (keys:string, values:string) | Node labels for constraining pod scheduling. | | Optional: {} |
| topologySpreadConstraints TopologySpreadConstraint array | Topology spread constraints for distributing pods across failure domains. | | Optional: {} |
| hostAliases HostAlias array | Entries added to /etc/hosts in pod containers. | | Optional: {} |
| podSecurityContext PodSecurityContext | Pod-level security context (runAsUser, fsGroup, seccomp, etc.). | | Optional: {} |
| priorityClassName string | Priority class name for pod scheduling priority and preemption. | | Optional: {} |
| volumes Volume array | Additional volumes for the pod (mounted via container.volumeMounts). | | Optional: {} |
| sidecars Container array | Sidecar containers added alongside the main Superset container. | | Optional: {} |
| initContainers Container array | Init containers run before the main container starts. | | Optional: {} |
| terminationGracePeriodSeconds integer | Grace period for pod termination in seconds. | | Optional: {} |
| dnsPolicy DNSPolicy | DNS policy for pods. | | Optional: {} |
| dnsConfig PodDNSConfig | Custom DNS configuration for pods. | | Optional: {} |
| runtimeClassName string | RuntimeClass for pods. | | Optional: {} |
| shareProcessNamespace boolean | Share a single process namespace between all containers in a pod. | | Optional: {} |
| enableServiceLinks boolean | Controls whether service environment variables are injected into pods. | | Optional: {} |
| resources ResourceRequirements | Pod-level resource requirements (CPU, memory). When set, defines the total resources for the entire pod, enabling resource sharing among containers. Requires Kubernetes 1.34+ with the PodLevelResources feature gate. | | Optional: {} |
| container ContainerTemplate | Main container configuration. | | Optional: {} |
RotateTaskSpec¶
RotateTaskSpec defines the secret key rotation task. Runs superset re-encrypt-secrets between migrate and init when the secret key is rotated. Requires previousSecretKey or previousSecretKeyFrom to be set on the parent spec.
Appears in: - LifecycleSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
SQLAlchemyEngineOptionsSpec¶
SQLAlchemyEngineOptionsSpec configures the SQLAlchemy connection pool. Fields controlled by presets: poolClass (NullPool vs QueuePool), poolSize, maxOverflow. Static defaults: poolRecycle=3600, poolPrePing=false.
Appears in: - CeleryBeatComponentSpec - CeleryWorkerComponentSpec - LifecycleSpec - McpServerComponentSpec - SupersetSpec - WebServerComponentSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| preset string | Preset for connection pool behavior. "disabled" suppresses rendering entirely. "conservative" uses NullPool (no persistent connections). "balanced" through "aggressive" use QueuePool with increasing pool sizes. Individual fields override preset-computed values. | | Enum: [disabled conservative balanced performance aggressive] Optional: {} |
| poolSize integer | Number of persistent connections in the pool. Overrides preset calculation. | | Minimum: 0 Optional: {} |
| maxOverflow integer | Maximum overflow connections beyond poolSize (-1 = unlimited). | | Optional: {} |
| poolRecycle integer | Connection max-age in seconds before recycling. | | Minimum: 0 Optional: {} |
| poolPrePing boolean | Verify connections are alive before use. | | Optional: {} |
| poolTimeout integer | Seconds to wait for a connection from the pool before giving up. | | Minimum: 0 Optional: {} |
ScalableComponentSpec¶
ScalableComponentSpec provides deployment template and scaling fields. Embedded by scalable components (WebServer, CeleryWorker, CeleryFlower, WebsocketServer, McpServer). Non-scalable components (CeleryBeat, Init) use DeploymentTemplate or PodTemplate directly.
Appears in: - CeleryFlowerComponentSpec - CeleryWorkerComponentSpec - McpServerComponentSpec - WebServerComponentSpec - WebsocketServerComponentSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
SchedulableBaseTaskSpec¶
SchedulableBaseTaskSpec extends BaseTaskSpec with cron-based scheduling. Tasks that embed this type can be periodically re-executed without external triggers. The schedule is additive to the manual trigger field.
Appears in: - CloneTaskSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| command string array | Command override for the task Job. | | Optional: {} |
| trigger string | Trigger is an opaque string. Changing its value forces a re-run of this task and all downstream tasks. Use a timestamp, UUID, or CI build ID. | | Optional: {} |
| requiresDrain boolean | RequiresDrain controls whether components must be drained before this task runs. When true, the operator removes component workloads before executing the task Job, preventing database connection conflicts. Drain is skipped when the task is already complete for the current checksum, or when no configured component has desired replicas greater than zero. Defaults vary per task type: true for clone, migrate, and rotate; false for init. | | Optional: {} |
| timeout Duration | Maximum timeout per attempt. | | Optional: {} |
| maxRetries integer | Maximum number of retries before permanent failure. | 3 | Minimum: 1 Optional: {} |
| disabled boolean | Disabled skips this task entirely when true. | | Optional: {} |
| cronSchedule string | CronSchedule is a 5-field cron expression (minute hour day-of-month month day-of-week) that triggers periodic re-execution of this task and all downstream tasks. When the clock crosses a cron boundary, the task checksum changes and the lifecycle pipeline re-runs. Uses standard cron syntax. Examples: "0 2 * * *" (daily 2 AM UTC), "0 */6 * * *" (every 6 hours), "30 1 * * 1" (Mondays 1:30 AM UTC). Predefined schedules (e.g. "@daily") are not accepted; use the explicit 5-field form. Pattern validation rejects only malformed shape at admission (e.g. fewer than five fields, disallowed characters); out-of-range values like "99 99 99 99 99" still pass admission and are caught by the runtime parser, which blocks the lifecycle pipeline with an InvalidCronSchedule condition until the expression is corrected. | | MaxLength: 256 MinLength: 9 Pattern: ^[A-Za-z0-9*/,?-]+(\s+[A-Za-z0-9*/,?-]+){4}$ Optional: {} |
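
The two validation stages described for cronSchedule, as an added Python example (not the operator's code): `passes_admission` applies the documented length limits and pattern, and `range_errors` is a stand-in for the runtime parser. The value ranges (day-of-week 0-6) and three-letter month and day names are assumptions based on standard cron; the function names are hypothetical.

```python
import re

# Admission-time checks copied from the cronSchedule Validation column.
ADMISSION_PATTERN = re.compile(r"^[A-Za-z0-9*/,?-]+(\s+[A-Za-z0-9*/,?-]+){4}$")
MIN_LENGTH, MAX_LENGTH = 9, 256

# Assumption: standard cron ranges and names. The operator's runtime parser
# is not shown on this page and may differ in detail.
MONTHS = {n: i for i, n in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
DAYS = {n: i for i, n in enumerate("SUN MON TUE WED THU FRI SAT".split())}
FIELDS = [
    ("minute", 0, 59, {}),
    ("hour", 0, 23, {}),
    ("day-of-month", 1, 31, {}),
    ("month", 1, 12, MONTHS),
    ("day-of-week", 0, 6, DAYS),
]


def passes_admission(expr):
    """Shape-only check: length limits plus the documented pattern."""
    return (MIN_LENGTH <= len(expr) <= MAX_LENGTH
            and ADMISSION_PATTERN.fullmatch(expr) is not None)


def _value(token, field, lo, hi, names):
    """Resolve one number or name and enforce the field's range."""
    if token.upper() in names:
        return names[token.upper()]
    if not (token.isascii() and token.isdigit()):
        raise ValueError(f"{field}: unrecognised value {token!r}")
    number = int(token)
    if not lo <= number <= hi:
        raise ValueError(f"{field}: {number} is outside {lo}-{hi}")
    return number


def _check_field(text, field, lo, hi, names):
    """Validate a comma-separated list of values, ranges and steps."""
    for part in text.split(","):
        base, slash, step = part.partition("/")
        if slash and (not step.isdigit() or int(step) == 0):
            raise ValueError(f"{field}: bad step in {part!r}")
        if base in ("*", "?"):
            continue
        start, dash, end = base.partition("-")
        first = _value(start, field, lo, hi, names)
        if dash and _value(end, field, lo, hi, names) < first:
            raise ValueError(f"{field}: descending range {base!r}")


def range_errors(expr):
    """Return one message per field that a range-aware parser would reject."""
    parts = expr.split()
    if len(parts) != len(FIELDS):
        return [f"expected 5 fields, got {len(parts)}"]
    errors = []
    for text, (field, lo, hi, names) in zip(parts, FIELDS):
        try:
            _check_field(text, field, lo, hi, names)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def classify(expr):
    """Say at which stage, if any, the expression would be stopped."""
    if not passes_admission(expr):
        return "rejected at admission"
    if range_errors(expr):
        return "admitted, then InvalidCronSchedule"
    return "ok"


# Constructed inputs: the page's examples plus the failure cases it names.
SAMPLES = ["0 2 * * *", "0 */6 * * *", "30 1 * * 1",
           "@daily", "0 2 * *", "99 99 99 99 99"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:20} {classify(sample)}")
```

Running a check like this in CI catches the out-of-range case before it reaches the cluster, where it would otherwise block the lifecycle pipeline.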
ServiceAccountSpec¶
ServiceAccountSpec defines ServiceAccount configuration.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| create boolean | When true (default), the operator creates a ServiceAccount. When false, it references an existing one. | | Optional: {} |
| name string | ServiceAccount name. Created by the operator when create=true; must pre-exist when create=false. | | Optional: {} |
| annotations object (keys:string, values:string) | ServiceAccount annotations (e.g., for IAM role bindings on cloud platforms). | | Optional: {} |
ServiceMonitorSpec¶
ServiceMonitorSpec defines the ServiceMonitor configuration.
Appears in: - MonitoringSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| interval string | Scrape interval (e.g., "30s"). How often Prometheus scrapes the web server metrics endpoint. | 30s | Optional: {} |
| labels object (keys:string, values:string) | Labels for Prometheus ServiceMonitor discovery (must match your Prometheus selector). | | Optional: {} |
| scrapeTimeout string | Maximum time to wait for a scrape response before timing out. | | Optional: {} |
Superset¶
Superset is the top-level resource representing a complete Superset deployment.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion string | superset.apache.org/v1alpha1 | | |
| kind string | Superset | | |
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec SupersetSpec | | | |
| status SupersetStatus | | | |
SupersetSpec¶
SupersetSpec defines the desired state of a Superset deployment.
Appears in: - Superset
| Field | Description | Default | Validation |
|---|---|---|---|
| image ImageSpec | Image configuration inherited by all components. | | |
| deploymentTemplate DeploymentTemplate | Deployment template defaults inherited by all components (field-level merge). | | Optional: {} |
| podTemplate PodTemplate | Pod template defaults inherited by all components (field-level merge). | | Optional: {} |
| replicas integer | Default replica count for all scalable components; per-component replicas override this. | | Optional: {} |
| autoscaling AutoscalingSpec | Default autoscaling for all scalable components (component-level overrides this). | | Optional: {} |
| podDisruptionBudget PDBSpec | Default pod disruption budget for all scalable components (component-level overrides this). | | Optional: {} |
| environment string | Environment mode: "Development", "Staging", or "Production". Controls validation strictness. In Production mode, CRD validation rejects plain text secrets and disallows cloning. In Staging mode, secrets are enforced (like Production) but cloning is allowed. In Development mode, plain text secrets, cloning, admin user, and load examples are all permitted. | Production | Enum: [Development Staging Production] Optional: {} |
| secretKey string | Plain text secret key for session signing. Only allowed in Development mode. In Staging or Production, use secretKeyFrom to reference a Kubernetes Secret. | | Optional: {} |
| secretKeyFrom SecretKeySelector | Reference to a Secret key containing the secret key for session signing. Mutually exclusive with secretKey. | | Optional: {} |
| previousSecretKey string | Plain text previous secret key for key rotation. Only allowed in Development mode. When set, rendered as PREVIOUS_SECRET_KEY in superset_config.py for all Python components, enabling fallback decryption during key transitions. | | Optional: {} |
| previousSecretKeyFrom SecretKeySelector | Reference to a Secret key containing the previous secret key for rotation. Mutually exclusive with previousSecretKey. | | Optional: {} |
| metastore MetastoreSpec | Metastore database connection configuration. | | Optional: {} |
| valkey ValkeySpec | Valkey cache, broker, and results backend configuration. | | Optional: {} |
| config string | Raw Python appended after operator-generated superset_config.py. | | Optional: {} |
| bootstrapScript string | Shell script mounted as superset_bootstrap.sh and sourced before the default command for Python components and lifecycle tasks. This is trusted executable input; prefer custom images for production dependency installs. Per-component bootstrapScript overrides this value. Set an override to an empty string to disable inherited bootstrap for that component. | | Optional: {} |
| featureFlags object (keys:string, values:boolean) | Feature flags toggled in superset_config.py via FEATURE_FLAGS = {...}. Keys conventionally use UPPER_SNAKE_CASE (e.g. ALERT_REPORTS); values are booleans. | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | SQLAlchemy engine options for connection pooling. Inherited by all Python components; per-component sqlaEngineOptions overrides this entirely. When unset, the operator computes balanced defaults per component. | | Optional: {} |
| webServer WebServerComponentSpec | Web server (gunicorn) component. Presence enables it; absence disables. | | Optional: {} |
| celeryWorker CeleryWorkerComponentSpec | Celery async task worker component. Uses spec.valkey as broker/backend when set; otherwise the broker must be configured manually via spec.config. | | Optional: {} |
| celeryBeat CeleryBeatComponentSpec | Celery periodic task scheduler (singleton, always 1 replica). Uses spec.valkey as broker/backend when set; otherwise the broker must be configured manually via spec.config. | | Optional: {} |
| celeryFlower CeleryFlowerComponentSpec | Celery Flower monitoring UI component. | | Optional: {} |
| websocketServer WebsocketServerComponentSpec | WebSocket server for real-time updates (Node.js, no Python config). Experimental: the websocket server is not yet well supported and is pending security hardening — it may exhibit gaps in the operator (e.g. unvalidated gateway/ingress routing) or upstream in the Superset/websocket image. It requires a custom Node.js image. Treat it as subject to change and avoid enabling it in production until it is hardened. | | Optional: {} |
| mcpServer McpServerComponentSpec | FastMCP server component for AI tooling integration. | | Optional: {} |
| lifecycle LifecycleSpec | Lifecycle configuration (database migration, init, upgrade mode). | | Optional: {} |
| networking NetworkingSpec | Networking configuration (Ingress or Gateway API). | | Optional: {} |
| monitoring MonitoringSpec | Monitoring configuration. | | Optional: {} |
| networkPolicy NetworkPolicySpec | Network policy configuration. | | Optional: {} |
| serviceAccount ServiceAccountSpec | ServiceAccount configuration. | | Optional: {} |
| suspend boolean | Suspend stops reconciliation when true. | | Optional: {} |
| forceReload string | ForceReload is an opaque string injected into all pod templates. Changing its value triggers a rolling restart of all components. Use a timestamp or incrementing value (e.g. "2026-04-24T12:00:00Z") to force a restart after rotating referenced Secrets. | | Optional: {} |
SupersetStatus¶
SupersetStatus defines the observed state of Superset.
Appears in: - Superset
| Field | Description | Default | Validation |
|---|---|---|---|
| conditions Condition array | | | Optional: {} |
| observedGeneration integer | | | Optional: {} |
| ready string | Ready summarizes ready component replicas across all enabled components in "ready/desired" format. | | Optional: {} |
| components ComponentStatusMap | | | Optional: {} |
| lifecycle LifecycleStatus | Lifecycle tracks the current lifecycle state. | | Optional: {} |
| lastLifecycleImage string | Last image (repository:tag) that successfully completed the lifecycle. Used to detect image changes on subsequent reconciles. | | Optional: {} |
| version string | | | Optional: {} |
| configChecksum string | | | Optional: {} |
| phase string | High-level phase. | | Enum: [Initializing Upgrading Running Degraded Suspended Blocked AwaitingApproval] Optional: {} |
TaskRefStatus¶
TaskRefStatus holds the projected status summary of a lifecycle task.
Appears in: - LifecycleStatus
| Field | Description | Default | Validation |
|---|---|---|---|
| state string | | | Enum: [Pending Running Complete Failed] Optional: {} |
| startedAt Time | | | Optional: {} |
| completedAt Time | | | Optional: {} |
| attempts integer | | | Optional: {} |
| maxRetries integer | Maximum number of attempts before the task is considered permanently failed. | | Optional: {} |
| image string | | | Optional: {} |
| message string | | | Optional: {} |
| nextAttemptAt Time | NextAttemptAt is the earliest time the operator may retry this task after a failure or timeout. | | Optional: {} |
| desiredChecksum string | DesiredChecksum is the checksum for the task inputs the operator is currently trying to execute. | | Optional: {} |
| completedChecksum string | CompletedChecksum is the task input checksum that last reached a terminal Complete or Failed state. | | Optional: {} |
| conditions Condition array | | | Optional: {} |
| lastScheduledAt Time | LastScheduledAt is the cron tick that triggered the most recent scheduled run. | | Optional: {} |
| nextScheduleAt Time | NextScheduleAt is the next future cron tick when the schedule will fire. | | Optional: {} |
UpgradeContext¶
UpgradeContext tracks the current upgrade operation.
Appears in: - LifecycleStatus
| Field | Description | Default | Validation |
|---|---|---|---|
| fromVersion string | | | Optional: {} |
| toVersion string | | | Optional: {} |
| direction string | | | Enum: [Upgrade Downgrade Unknown] Optional: {} |
| approvalToken string | ApprovalToken is the annotation value required to approve this exact upgrade transition. | | Optional: {} |
| startedAt Time | | | Optional: {} |
ValkeyCacheSpec¶
ValkeyCacheSpec tunes a Superset Flask-Caching backend backed by Valkey.
Appears in: - ValkeySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| disabled boolean | Disable this cache section. When true, the operator does not render this config — Superset falls back to its built-in default. | | Optional: {} |
| database integer | Valkey database number. | | Optional: {} |
| keyPrefix string | Cache key prefix. | | Optional: {} |
| defaultTimeout integer | Default cache timeout in seconds. | | Optional: {} |
ValkeyCelerySpec¶
ValkeyCelerySpec tunes a Celery Valkey connection.
Appears in: - ValkeySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| disabled boolean | Disable this Celery backend. When true, the operator does not render this config. | | Optional: {} |
| database integer | Valkey database number. | | Optional: {} |
ValkeyResultsBackendSpec¶
ValkeyResultsBackendSpec tunes the SQL Lab async results backend.
Appears in: - ValkeySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| disabled boolean | Disable the results backend. When true, the operator does not render this config. | | Optional: {} |
| database integer | Valkey database number. | | Optional: {} |
| keyPrefix string | Cache key prefix for results. | | Optional: {} |
ValkeySSLSpec¶
ValkeySSLSpec configures TLS for the Valkey connection.
Appears in: - ValkeySpec
| Field | Description | Default | Validation |
|---|---|---|---|
| certRequired string | Certificate verification mode. | required | Enum: [required optional none] Optional: {} |
| keyFile string | Path to the client private key file (for mTLS). | | Optional: {} |
| certFile string | Path to the client certificate file (for mTLS). | | Optional: {} |
| caCertFile string | Path to the CA certificate file for server verification. | | Optional: {} |
ValkeySpec¶
ValkeySpec configures Valkey as the shared cache backend, Celery message broker, and SQL Lab results backend for Superset. When set, all sections are enabled with sensible defaults — only host is required.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| host string | Valkey server hostname. | | |
| port integer | Valkey server port. | 6379 | Optional: {} |
| username string | Valkey username. Useful for Redis ACL or managed Redis-compatible services. | | Optional: {} |
| password string | Plain text password. Only allowed in Development mode — use passwordFrom in Staging or Production. | | Optional: {} |
| passwordFrom SecretKeySelector | Reference to a Secret key containing the Valkey password. Mutually exclusive with password. | | Optional: {} |
| ssl ValkeySSLSpec | SSL/TLS configuration. When set, enables SSL for the Valkey connection. | | Optional: {} |
| cache ValkeyCacheSpec | General cache (CACHE_CONFIG). Default: db=1, prefix="superset_", timeout=300s. | | Optional: {} |
| dataCache ValkeyCacheSpec | Data/query results cache (DATA_CACHE_CONFIG). Default: db=2, prefix="superset_data_", timeout=86400s. | | Optional: {} |
| filterStateCache ValkeyCacheSpec | Dashboard filter state cache (FILTER_STATE_CACHE_CONFIG). Default: db=3, prefix="superset_filter_", timeout=3600s. | | Optional: {} |
| exploreFormDataCache ValkeyCacheSpec | Chart builder form state cache (EXPLORE_FORM_DATA_CACHE_CONFIG). Default: db=4, prefix="superset_explore_", timeout=3600s. | | Optional: {} |
| thumbnailCache ValkeyCacheSpec | Thumbnail cache (THUMBNAIL_CACHE_CONFIG). Default: db=5, prefix="superset_thumbnail_", timeout=3600s. | | Optional: {} |
| distributedCoordination ValkeyCacheSpec | Distributed coordination backend (DISTRIBUTED_COORDINATION_CONFIG). Backs real-time pub/sub messaging, atomic distributed locks, and Global Task Framework signaling. Recommended for production deployments. Default: db=7, prefix="coordination_", timeout=300s. | | Optional: {} |
| celeryBroker ValkeyCelerySpec | Celery broker (CeleryConfig.broker_url). Default: db=0. | | Optional: {} |
| celeryResultBackend ValkeyCelerySpec | Celery result backend (CeleryConfig.result_backend). Default: db=0. | | Optional: {} |
| resultsBackend ValkeyResultsBackendSpec | SQL Lab async results backend (RESULTS_BACKEND). Default: db=6, prefix="superset_results_". | | Optional: {} |
WebServerComponentSpec¶
WebServerComponentSpec defines the web server component on the parent CRD.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config string | Per-component raw Python appended after top-level config. | | Optional: {} |
| bootstrapScript string | Per-component bootstrap script. Overrides spec.bootstrapScript. Set to an empty string to disable inherited bootstrap for this component. | | Optional: {} |
| service ComponentServiceSpec | Service configuration (type, port, annotations). | | Optional: {} |
| gunicorn GunicornSpec | Gunicorn worker configuration. Controls worker processes, threads, and related parameters. | | Optional: {} |
| sqlaEngineOptions SQLAlchemyEngineOptionsSpec | Per-component SQLAlchemy engine options (overrides spec.sqlaEngineOptions entirely). | | Optional: {} |
WebsocketServerComponentSpec¶
WebsocketServerComponentSpec defines the websocket server component on the parent CRD. The websocket server is a Node.js app — the default Superset image does not contain websocket_server.js, so an image override is required.
Experimental: this component is not yet well supported. It requires a custom Node.js image, and path-based gateway/ingress routing to it has not been validated. The shape and behavior may change in a future release.
Appears in: - SupersetSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| deploymentTemplate DeploymentTemplate | Deployment template (Deployment-level configuration). | | Optional: {} |
| podTemplate PodTemplate | Pod template (Pod and container configuration). | | Optional: {} |
| replicas integer | Desired replica count; overridden by autoscaling when active. Defaults to spec.replicas if unset. | | Optional: {} |
| autoscaling AutoscalingSpec | HorizontalPodAutoscaler configuration. When set, the HPA manages replica count. Overrides spec.autoscaling. | | Optional: {} |
| podDisruptionBudget PDBSpec | PodDisruptionBudget for protecting availability during voluntary disruptions. Overrides spec.podDisruptionBudget. | | Optional: {} |
| image ImageOverrideSpec | Image tag and/or repository overrides; inherits from spec.image if unset. | | Optional: {} |
| config JSON | Inline config.json content for the websocket server. Only allowed in Development mode because this config commonly contains jwtSecret or Redis credentials. In Production, use configFrom to mount an existing Secret key. | Type: object | Optional: {} |
| configFrom SecretKeySelector | Reference to a Secret key containing websocket server config.json. The operator mounts the selected key at /home/superset-websocket/config.json without reading or copying the Secret. | | Optional: {} |
| service ComponentServiceSpec | Service configuration (type, port, annotations). | | Optional: {} |
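
The plain-text restrictions stated across SupersetSpec, MetastoreSpec, ValkeySpec and WebsocketServerComponentSpec, collected into one pre-commit lint over a Superset spec. This is an added Python example, not the operator's CRD validation. The function names and sample specs are constructed, and the `name`/`key` shape used for SecretKeySelector values is an assumption, since that type is not defined in this section.

```python
# (plain-text field, Secret-reference field, documented as mutually exclusive)
# Each plain-text field is described above as rejected outside Development.
PLAINTEXT_FIELDS = [
    ("secretKey", "secretKeyFrom", True),
    ("previousSecretKey", "previousSecretKeyFrom", True),
    ("metastore.uri", "metastore.uriFrom", True),
    ("metastore.password", "metastore.passwordFrom", True),
    ("valkey.password", "valkey.passwordFrom", True),
    ("websocketServer.config", "websocketServer.configFrom", False),
]
# Structured metastore fields the page names explicitly (host/database/username).
STRUCTURED_METASTORE = ("host", "database", "username")


def get(spec, path):
    """Return the value at a dotted path, or None when any segment is absent."""
    node = spec
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def lint(spec):
    """List rule violations for the `spec` section of a Superset resource."""
    findings = []
    env = spec.get("environment", "Production")  # documented default
    for plain, ref, exclusive in PLAINTEXT_FIELDS:
        has_plain = get(spec, plain) is not None
        has_ref = get(spec, ref) is not None
        if has_plain and env != "Development":
            findings.append(f"{plain}: plain text not allowed in {env}; use {ref}")
        if exclusive and has_plain and has_ref:
            findings.append(f"{plain} and {ref} are mutually exclusive")
    metastore = spec.get("metastore") or {}
    uri_modes = [k for k in ("uri", "uriFrom") if k in metastore]
    structured = [k for k in STRUCTURED_METASTORE if k in metastore]
    if uri_modes and structured:
        findings.append("metastore: URI mode and structured fields are mutually exclusive")
    if metastore.get("createDatabase") and uri_modes:
        findings.append("metastore.createDatabase: only valid with structured metastore")
    return findings


# Constructed sample specs; every value is a placeholder.
DEV_SPEC = {
    "environment": "Development",
    "secretKey": "constructed-dev-key",
    "metastore": {"host": "db", "database": "superset",
                  "username": "superset", "password": "constructed"},
}
PROD_BAD = {  # environment omitted, so the Production default applies
    "secretKey": "constructed-key",
    "metastore": {"uri": "postgresql://user:constructed@db.example.internal/superset",
                  "createDatabase": True},
    "valkey": {"host": "valkey", "password": "constructed"},
}
PROD_OK = {
    "environment": "Production",
    "secretKeyFrom": {"name": "superset-secrets", "key": "secret-key"},
    "metastore": {"host": "db", "database": "superset", "username": "superset",
                  "passwordFrom": {"name": "superset-secrets", "key": "db-password"}},
    "valkey": {"host": "valkey",
               "passwordFrom": {"name": "superset-secrets", "key": "valkey-password"}},
}

if __name__ == "__main__":
    for name, spec in [("dev", DEV_SPEC), ("prod-bad", PROD_BAD), ("prod-ok", PROD_OK)]:
        print(name, lint(spec) or "clean")
```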