Skip to content

Apache Superset

Deploy Apache Superset on Kubernetes — a modern business intelligence platform with 60+ database connectors, interactive dashboards, SQL editor, and chart builder. The chart deploys three independent components: a Gunicorn web server, Celery workers for async queries, and a Celery Beat scheduler for cache warming and alerts.

secretKey protects all sessions — losing it logs out every user simultaneously

superset.secretKey is the Flask SECRET_KEY used to sign all session cookies. Without superset.existingSecret, a reinstall auto-generates a new key and immediately invalidates all active sessions. Always persist it via superset.existingSecret before the first deployment.

PostgreSQL and Redis are enabled by default — both subcharts are bundled

Unlike most charts, Superset ships with postgresql.enabled: true and redis.enabled: true. No manual activation is needed for a quick start. Set both to false and configure database.mode: external and redisConfig.mode: external to use external services.

Key Features

  • Three-component architecture — web (Gunicorn), worker (Celery), beat (Celery Beat)
  • Init Job — runs superset db upgrade and admin creation on every install/upgrade
  • Bundled PostgreSQL and Redis — both enabled by default
  • superset_config.py override — arbitrary Python config via superset.extraConfig
  • pg_dump backup — scheduled PostgreSQL S3 backup CronJob

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install superset helmforge/superset -f values.yaml

OCI registry:

helm install superset oci://ghcr.io/helmforgedev/helm/superset -f values.yaml

Deployment Examples

# values.yaml — Superset with bundled PostgreSQL + Redis (defaults)
superset:
  adminUsername: admin
  adminEmail: [email protected]
  existingSecret: superset-secrets
  existingSecretPasswordKey: admin-password
  existingSecretSecretKeyKey: secret-key # Flask SECRET_KEY

postgresql:
  enabled: true
  auth:
    database: superset
    username: superset
    password: 'strong-db-password'

redis:
  enabled: true
  auth:
    password: 'strong-redis-password'

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: superset.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: superset-tls
      hosts:
        - superset.example.com
# values.yaml — Superset with scaled web, workers, and beat scheduler
superset:
  existingSecret: superset-secrets

web:
  replicaCount: 2 # web server pods
  workers: 4 # Gunicorn worker processes per web pod (NOT Celery workers)
  timeout: 120

worker:
  enabled: true
  replicaCount: 3 # Celery worker pods
  concurrency: 4 # simultaneous Celery tasks per worker pod

beat:
  enabled: true # Celery Beat: cache warming, alerts, reports

postgresql:
  enabled: true
  auth:
    password: 'strong-db-password'

redis:
  enabled: true
  auth:
    password: 'strong-redis-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: superset.example.com
      paths:
        - path: /
          pathType: Prefix
# values.yaml — Superset with external PostgreSQL and Redis
superset:
  existingSecret: superset-secrets

postgresql:
  enabled: false

redis:
  enabled: false

database:
  mode: external
  external:
    host: postgres.database.svc.cluster.local
    port: 5432
    name: superset
    username: superset
    existingSecret: superset-db-credentials
    existingSecretPasswordKey: password

redisConfig:
  mode: external
  external:
    host: redis.cache.svc.cluster.local
    port: 6379
    db: 0
    existingSecret: superset-redis-credentials
    existingSecretPasswordKey: password

backup:
  enabled: true
  schedule: '0 3 * * *'
  s3:
    endpoint: https://s3.amazonaws.com
    bucket: superset-backups
    existingSecret: superset-s3-credentials

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: superset.example.com
      paths:
        - path: /
          pathType: Prefix
# values.yaml — Superset with OIDC/OAuth2 via superset.extraConfig
superset:
  existingSecret: superset-secrets
  extraConfig: |
    from flask_appbuilder.security.manager import AUTH_OAUTH
    AUTH_TYPE = AUTH_OAUTH
    OAUTH_PROVIDERS = [
      {
        "name": "keycloak",
        "token_key": "access_token",
        "icon": "fa-key",
        "remote_app": {
          "client_id": "superset",
          "client_secret": "my-client-secret",
          "server_metadata_url": "https://auth.example.com/realms/myrealm/.well-known/openid-configuration",
          "client_kwargs": {"scope": "openid email profile"},
          "redirect_uri": "https://superset.example.com/oauth-authorized/keycloak",
        },
      }
    ]
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Gamma"

postgresql:
  enabled: true
  auth:
    password: 'strong-db-password'

redis:
  enabled: true
  auth:
    password: 'strong-redis-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: superset.example.com
      paths:
        - path: /
          pathType: Prefix

Configuration Reference

Image

Parameter Type Default Description
image.repository string docker.io/apache/superset Superset image.
image.tag string "4.1.4" Image tag.

Superset Application

Parameter Type Default Description
superset.adminUsername string admin Admin username created by the init Job.
superset.adminPassword string "" Admin password. Auto-generated if empty. Use existingSecret.
superset.secretKey string "" Flask SECRET_KEY. Auto-generated if empty. Use existingSecret.
superset.existingSecret string "" Existing secret with admin password and SECRET_KEY.
superset.existingSecretPasswordKey string admin-password Key for the admin password in the existing secret.
superset.existingSecretSecretKeyKey string secret-key Key for the Flask SECRET_KEY in the existing secret.
superset.loadExamples boolean false Load example dashboards during init (use for demos only).
superset.extraConfig string "" Extra Python appended to superset_config.py (OAuth, cache, features).
superset.extraEnv array [] Extra environment variables for all Superset containers.

Web Server

Parameter Type Default Description
web.replicaCount integer 1 Number of web server pods.
web.workers integer 2 Gunicorn worker processes per pod (not Celery workers).
web.timeout integer 120 Gunicorn worker timeout in seconds.
web.resources object {} CPU and memory requests/limits for web pods.

Celery Worker

Parameter Type Default Description
worker.enabled boolean true Enable Celery worker Deployment.
worker.replicaCount integer 1 Number of Celery worker pods.
worker.concurrency integer 2 Simultaneous Celery tasks per worker pod.
worker.resources object {} CPU and memory requests/limits for worker pods.

Celery Beat

Parameter Type Default Description
beat.enabled boolean true Enable Celery Beat scheduler (cache warming, alerts, reports).
beat.resources object {} CPU and memory requests/limits for the beat pod.

Init Job

Parameter Type Default Description
init.enabled boolean true Enable the init Job. Runs superset db upgrade + admin creation on every install/upgrade.
init.resources object {} CPU and memory requests/limits for the init container.

Database

Parameter Type Default Description
database.mode string subchart Mode: subchart or external.
database.external.host string "" External database hostname.
database.external.existingSecret string "" Existing secret with database password.
database.external.existingSecretPasswordKey string password Key for the password in the existing secret.
postgresql.enabled boolean true Deploy the bundled PostgreSQL subchart.
postgresql.auth.password string "" Password. Auto-generated if empty.

Redis

Parameter Type Default Description
redisConfig.mode string subchart Mode: subchart or external.
redisConfig.external.host string "" External Redis hostname.
redisConfig.external.existingSecret string "" Existing secret with Redis password.
redis.enabled boolean true Deploy the bundled Redis subchart.
redis.auth.password string "" Password. Auto-generated if empty.

Service and Ingress

Parameter Type Default Description
service.type string ClusterIP Service type.
service.port integer 80 Service port.
ingress.enabled boolean false Enable an Ingress resource.
ingress.ingressClassName string traefik Ingress class name.

Backup

Backup runs pg_dump on PostgreSQL. No backup for Redis data.

Parameter Type Default Description
backup.enabled boolean false Enable scheduled pg_dump S3 backup.
backup.schedule string "0 3 * * *" Cron schedule.
backup.s3.endpoint string "" S3-compatible endpoint URL.
backup.s3.bucket string "" Target bucket name.
backup.s3.existingSecret string "" Existing secret with S3 credentials.
extraManifests array [] Extra Kubernetes manifests.

More Information