chore: Add 6.1.0 and deprecate 6.0.0

docs/modules/superset/partials/supported-versions.adoc

@@ -2,5 +2,6 @@
 // This is a separate file, since it is used by both the direct Superset documentation, and the overarching
 // Stackable Platform documentation.
 
-- 6.0.0
+- 6.1.0
+- 6.0.0 (deprecated)
 - 4.1.4 (LTS)

tests/templates/kuttl/upgrade/00-limit-range.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: limit-request-ratio
+spec:
+  limits:
+  - type: "Container"
+    maxLimitRequestRatio:
+      cpu: 5
+      memory: 1

tests/templates/kuttl/upgrade/00-patch-ns.yaml.j2

@@ -0,0 +1,9 @@
+{% if test_scenario['values']['openshift'] == 'true' %}
+# see https://github.com/stackabletech/issues/issues/566
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: kubectl patch namespace $NAMESPACE -p '{"metadata":{"labels":{"pod-security.kubernetes.io/enforce":"privileged"}}}'
+    timeout: 120
+{% endif %}

tests/templates/kuttl/upgrade/10-assert.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-superset-postgresql
+timeout: 480
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: superset-postgresql
+status:
+  readyReplicas: 1
+  replicas: 1

tests/templates/kuttl/upgrade/10-install-postgresql.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: >-
+      helm install superset-postgresql
+      --namespace $NAMESPACE
+      --version 12.5.6
+      -f 10_helm-bitnami-postgresql-values.yaml
+      --repo https://charts.bitnami.com/bitnami postgresql
+      --wait
+    timeout: 600

tests/templates/kuttl/upgrade/10_helm-bitnami-postgresql-values.yaml.j2

@@ -0,0 +1,44 @@
+---
+global:
+  security:
+    allowInsecureImages: true # needed starting with Chart version 16.3.0 if modifying images
+
+image:
+  repository: bitnamilegacy/postgresql
+
+volumePermissions:
+  enabled: false
+  image:
+    repository: bitnamilegacy/os-shell
+  securityContext:
+    runAsUser: auto
+
+metrics:
+  image:
+    repository: bitnamilegacy/postgres-exporter
+
+primary:
+  podSecurityContext:
+{% if test_scenario['values']['openshift'] == 'true' %}
+    enabled: false
+{% else %}
+    enabled: true
+{% endif %}
+  containerSecurityContext:
+    enabled: false
+  resources:
+    requests:
+      memory: "128Mi"
+      cpu: "512m"
+    limits:
+      memory: "128Mi"
+      cpu: "1"
+
+shmVolume:
+  chmod:
+    enabled: false
+
+auth:
+  username: superset
+  password: superset
+  database: superset

tests/templates/kuttl/upgrade/20-install-vector-aggregator-discovery-configmap.yaml.j2

@@ -0,0 +1,9 @@
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+data:
+  ADDRESS: {{ lookup('env', 'VECTOR_AGGREGATOR') }}
+{% endif %}

tests/templates/kuttl/upgrade/30-assert.yaml.j2

@@ -0,0 +1,16 @@
+{% if test_scenario['values']['authentication'] == 'oidc' %}
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-keycloak
+timeout: 480
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak1
+status:
+  readyReplicas: 1
+  replicas: 1
+{% endif %}

tests/templates/kuttl/upgrade/30-keycloak.yaml.j2

@@ -0,0 +1,17 @@
+{% if test_scenario['values']['authentication'] == 'oidc' %}
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      INSTANCE_NAME=keycloak1 \
+      REALM=test1 \
+      USERNAME=jane.doe \
+      FIRST_NAME=Jane \
+      LAST_NAME=Doe \
+      EMAIL=jane.doe@stackable.tech \
+      PASSWORD=T8mn72D9 \
+      CLIENT_ID=superset1 \
+      CLIENT_SECRET=R1bxHUD569vHeQdw \
+      envsubst < 30_install-keycloak.yaml | kubectl apply -n $NAMESPACE -f -
+{% endif %}

tests/templates/kuttl/upgrade/30_install-keycloak.yaml.j2

@@ -0,0 +1,188 @@
+# The environment variables must be replaced.
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: $INSTANCE_NAME-realms
+data:
+  test-realm.json: |
+    {
+      "realm": "$REALM",
+      "enabled": true,
+      "users": [
+        {
+          "enabled": true,
+          "username": "$USERNAME",
+          "firstName" : "$FIRST_NAME",
+          "lastName" : "$LAST_NAME",
+          "email" : "$EMAIL",
+          "credentials": [
+            {
+              "type": "password",
+              "value": "$PASSWORD"
+            }
+          ],
+          "realmRoles": [
+            "user"
+          ]
+        }
+      ],
+      "roles": {
+        "realm": [
+          {
+            "name": "user",
+            "description": "User privileges"
+          }
+        ]
+      },
+      "clients": [
+        {
+          "clientId": "$CLIENT_ID",
+          "enabled": true,
+          "clientAuthenticatorType": "client-secret",
+          "secret": "$CLIENT_SECRET",
+          "redirectUris": [
+            "*"
+          ],
+          "webOrigins": [
+            "*"
+          ],
+          "standardFlowEnabled": true,
+          "protocol": "openid-connect"
+        }
+      ]
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: $INSTANCE_NAME
+  labels:
+    app: $INSTANCE_NAME
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: $INSTANCE_NAME
+  template:
+    metadata:
+      labels:
+        app: $INSTANCE_NAME
+    spec:
+      serviceAccountName: keycloak
+      containers:
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:23.0.4
+          args:
+            - start-dev
+            - --import-realm
+            - --https-certificate-file=/tls/tls.crt
+            - --https-certificate-key-file=/tls/tls.key
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: admin
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              value: admin
+          # Both requests and limits must be set and satisfy the ratios in
+          # 00-limit-range.yaml (memory ratio 1 requires request == limit),
+          # otherwise the LimitRanger admission controller rejects the pod.
+          resources:
+            requests:
+              memory: "1Gi"
+              cpu: "500m"
+            limits:
+              memory: "1Gi"
+              cpu: "2"
+          ports:
+            - name: https
+              containerPort: 8443
+          volumeMounts:
+            - name: realms
+              mountPath: /opt/keycloak/data/import
+            - name: tls
+              mountPath: /tls
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /realms/$REALM
+              port: 8443
+      volumes:
+        - name: realms
+          configMap:
+            name: $INSTANCE_NAME-realms
+        - name: tls
+          ephemeral:
+            volumeClaimTemplate:
+              metadata:
+                annotations:
+                  secrets.stackable.tech/class: tls
+                  secrets.stackable.tech/scope: service=$INSTANCE_NAME
+              spec:
+                storageClassName: secrets.stackable.tech
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: "1"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: $INSTANCE_NAME
+spec:
+  selector:
+    app: $INSTANCE_NAME
+  ports:
+    - protocol: TCP
+      port: 8443
+---
+apiVersion: authentication.stackable.tech/v1alpha1
+kind: AuthenticationClass
+metadata:
+  name: $INSTANCE_NAME-$NAMESPACE
+spec:
+  provider:
+    oidc:
+      hostname: $INSTANCE_NAME.$NAMESPACE.svc.cluster.local
+      port: 8443
+      rootPath: /realms/$REALM/
+      scopes:
+        - email
+        - openid
+        - profile
+      principalClaim: preferred_username
+      providerHint: Keycloak
+      tls:
+        verification:
+          server:
+            caCert:
+              secretClass: tls
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+{% if test_scenario['values']['openshift'] == 'true' %}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{% endif %}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: keycloak
+roleRef:
+  kind: Role
+  name: keycloak
+  apiGroup: rbac.authorization.k8s.io

tests/templates/kuttl/upgrade/40-assert.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: install-superset
+timeout: 600
+commands:
+  - script: kubectl -n $NAMESPACE wait --for=condition=available=true supersetclusters.superset.stackable.tech/superset --timeout 601s
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: superset-node-default
+status:
+  readyReplicas: 1
+  replicas: 1

tests/templates/kuttl/upgrade/40-install-superset.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 300
+commands:
+  - script: >
+      envsubst '$NAMESPACE' < 40_install-superset.yaml |
+      kubectl apply -n $NAMESPACE -f -