- docs: updated DEPLOYMENT.m

minor changes

DEPLOYMENT.md

@@ -2,14 +2,79 @@
 
 ## For development
 
-Configure keycloak's `LOGOUT_REDIRECT_URL` and `OAUTH_PROVIDERS` in `docker/pythonpath_dev/superset_config.py`.
+Configure keycloak's `LOGOUT_REDIRECT_URL` and `KC_*` variables in the `docker/.env` file.
 
 An example realm and users export is provided in the `keycloak exports` folder.
 
 You can launch the application with `docker compose up`.
 
 ## For production
 
-There are no clear instruction on running this in production, but you can inspect [the official documentation](https://superset.apache.org/docs/configuration/configuring-superset/) for basic configuration options.
+There are no clear instruction on running this in production, you can only inspect [the official documentation](https://superset.apache.org/docs/configuration/configuring-superset/) for basic configuration options. Even so, I will give a short, nonexhaustive guide for it.
 
-There is a `docker-compose-non-dev.yml` that was used for the production deployment.
+There is a `docker-compose-non-dev.yml` that was used for the production deployment. Superset also [ships for helm](https://superset.apache.org/docs/installation/kubernetes/) if you're interested in that.
+
+### Deploying the `docker-compose-non-dev.yml`
+
+To verify nothing is terribly wrong, use the command `docker compose -f docker-compose-non-dev.yml up --build --force-recreate`(`--build --force-recreate` not required but useful). If everything went fine, you should be able to get to a login screen at `http://localhost:8088`. You can stop the compose now, reconfigure and try again.
+
+### Configuration
+
+You will mainly be interested in `docker/.env`.
+
+First, configure access to an external database labeled as `# database configurations (do not modify)` in the envfile. If this works, continue to the next step.
+
+Configure the `KC_*` variables in the envfile to connect to keycloak. I strongly encourage you to import the realm and users from `keycloak exports` and use the `pokadm` keycloak user after a password reset. You should change the `Root URL` and `Web origins` in the keycloak client of the superset application, else you will see `Invalid login. Please try again.`.
+
+This time, you should be able to log into superset, and you should see some example dashboard and be able to access administration in the top right.
+
+After this, you should configure proper keycloak access. If that works, you're done.
+
+#### Additionally
+
+You likely need to change everything that contains the word secret, do a fuzzy search. This includes `SUPERSET_SECRET_KEY` in the envfile.
+
+Consider setting a more restrictive CORS policy in `CORS_OPTIONS` in `docker/pythonpath_dev/superset_config.py`.
+
+DO NOT delete the db service in the compose file, as it contains the example database.
+
+# Český transkript
+
+# Instrukce pro instalaci
+
+## Pro vývoj
+
+Nastavte proměnné `LOGOUT_REDIRECT_URL` a `KC_*` Keycloaku v souboru `docker/.env`.
+
+Příkladem exportu realm a uživatelů je poskytován v složce keycloak exports.
+
+Aplikaci můžete spustit příkazem `docker compose up`.
+
+## Pro produkční prostředí
+
+Neexistují žádné jasně dobré instrukce pro běh v produkčním prostředí, ale můžete se podívat na o[oficiální dokumentaci](https://superset.apache.org/docs/configuration/configuring-superset/) pro základní možnosti konfigurace. Taky vám dám stručný, neúplný návod.
+
+Existuje soubor `docker-compose-non-dev.yml`, který býval použit pro produkční nasazení. Superset také umožňuje nasazení pomocí [helmu](https://superset.apache.org/docs/installation/kubernetes/), pokud vás něco takového zajímá.
+
+### Nasazení souboru docker-compose-non-dev.yml
+
+Chcete-li ověřit, že nic není hrubě špatné, použijte příkaz `docker compose -f docker-compose-non-dev.yml up --build --force-recreate` (`--build --force-recreate` není vyžadováno, ale je to užitečné). Pokud všechno šlo dobře, měli byste být schopni dostat se na přihlašovací stránku na adrese http://localhost:8088. Nyní můžete zastavit compose, změnit konfiguraci a zkusit znovu.
+
+### Konfigurace
+
+Bude vás především zajímat soubor `docker/.env`.
+
+Nejprve nastavte přístup k externí databázi označené jako `# database configurations (do not modify)` v envfilu. Pokud to funguje, pokračujte dalším krokem.
+
+Nastavte proměnné `KC_*` v souboru env pro připojení k Keycloaku. Silně doporučuji importovat realm a uživatele z `keycloak exports` a použít uživatele Keycloaku `pokadm` po resetu hesla. Změňte `Root URL` a `Web origins` pro keycloak client supersetu, jinak by superset měl vracet `Invalid login. Please try again`.
+Tentokrát byste měli být schopni se přihlásit do Supersetu a měli byste vidět některé ukázkové dashboardy a mít přístup k administraci v pravém horním rohu.
+
+Po tomto kroku byste měli nastavit řádný přístup Keycloaku ve vašem vlastním realmu. Pokud to funguje, jste hotovi.
+
+### Dále
+
+Pravděpodobně budete muset změnit všechno, co obsahuje slovo secret, udělejte si pro jistotu fuzzy search. Ale jedno takové místo je `SUPERSET_SECRET_KEY` v souboru env.
+
+Zvažte nastavení více restriktivní politiky CORS v `CORS_OPTIONS` v `docker/pythonpath_dev/superset_config.py`.
+
+NEMAŽTE službu db v souboru compose, protože obsahuje ukázkovou databázi.

docker/.env

@@ -24,18 +24,12 @@ DATABASE_HOST=db
 # Make sure you set this to a unique secure random value on production
 DATABASE_PASSWORD=superset
 DATABASE_USER=superset
+DATABASE_PORT=5432
+DATABASE_DIALECT=postgresql
 
-EXAMPLES_DB=examples
-EXAMPLES_HOST=db
-EXAMPLES_USER=examples
-# Make sure you set this to a unique secure random value on production
-EXAMPLES_PASSWORD=examples
-EXAMPLES_PORT=5432
 
 # database engine specific environment variables
 # change the below if you prefer another database engine
-DATABASE_PORT=5432
-DATABASE_DIALECT=postgresql
 POSTGRES_DB=superset
 POSTGRES_USER=superset
 # Make sure you set this to a unique secure random value on production
@@ -45,6 +39,14 @@ POSTGRES_PASSWORD=superset
 #MYSQL_PASSWORD=superset
 #MYSQL_RANDOM_ROOT_PASSWORD=yes
 
+# database with example datasets, feel free to ignore this during deployment
+EXAMPLES_DB=examples
+EXAMPLES_HOST=db
+EXAMPLES_USER=examples
+# Make sure you set this to a unique secure random value on production
+EXAMPLES_PASSWORD=examples
+EXAMPLES_PORT=5432
+
 # Add the mapped in /app/pythonpath_docker which allows devs to override stuff
 PYTHONPATH=/app/pythonpath:/app/docker/pythonpath_dev
 REDIS_HOST=redis
@@ -64,4 +66,10 @@ ENABLE_PLAYWRIGHT=false
 PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
 BUILD_SUPERSET_FRONTEND_IN_DOCKER=true
 
-ADMIN_PASSWORD=admin
+ADMIN_PASSWORD=admin
+
+# KEYCLOAK INTEGRATION VARIABLES
+KC_SERVER_METADATA_URL="http://192.168.27.55/realms/etikos/.well-known/openid-configuration"
+KC_API_BASE_URL="http://192.168.27.55/realms/etikos/protocol/"
+KC_CLIENT_SECRET="2vF08d2BlT8XtCLIlQQifIiXi2X5ZRNl"
+LOGOUT_REDIRECT_URL="http://192.168.27.55/realms/etikos/protocol/openid-connect/logout"

docker/pythonpath_dev/superset_config.py

@@ -41,6 +41,11 @@
 EXAMPLES_PORT = os.getenv("EXAMPLES_PORT")
 EXAMPLES_DB = os.getenv("EXAMPLES_DB")
 
+KC_SERVER_METADATA_URL = os.getenv("SERVER_METADATA_URL")
+KC_API_BASE_URL = os.getenv("API_BASE_URL")
+LOGOUT_REDIRECT_URL = os.getenv("LOGOUT_REDIRECT_URL")
+KC_CLIENT_SECRET = os.getenv("KC_CLIENT_SECRET")
+
 # The SQLAlchemy connection string.
 SQLALCHEMY_DATABASE_URI = (
     f"{DATABASE_DIALECT}://"
@@ -107,7 +112,7 @@ class CeleryConfig:
     "supports_credentials": True,
     "allow_headers": ["*"],
     "resources": ["*"],
-    "origins": ["http://localhost:8088", "http://localhost:8888"],
+    "origins": ["*"],
 }
 SUPERSET_FEATURE_EMBEDDED_SUPERSET = True
 
@@ -137,9 +142,6 @@ class CeleryConfig:
 
 # Enable OAuth authentication
 AUTH_TYPE = AUTH_OAUTH
-LOGOUT_REDIRECT_URL = (
-    "http://192.168.27.55/realms/etikos/protocol/openid-connect/logout"
-)
 # AUTH_USER_REGISTRATION_ROLE = 'Admin'
 AUTH_USER_REGISTRATION = True
 AUTH_USER_REGISTRATION_ROLE = "Gamma"
@@ -160,12 +162,12 @@ class CeleryConfig:
         "token_key": "access_token",  # Keycloak uses 'access_token' for the access token
         "remote_app": {
             "client_id": "superset",
-            "client_secret": "2vF08d2BlT8XtCLIlQQifIiXi2X5ZRNl",
+            "client_secret": KC_CLIENT_SECRET,
             "client_kwargs": {
                 "scope": "openid profile email",
             },
-            "server_metadata_url": "http://192.168.27.55/realms/etikos/.well-known/openid-configuration",
-            "api_base_url": "http://192.168.27.55/realms/etikos/protocol/",
+            "server_metadata_url": KC_SERVER_METADATA_URL,
+            "api_base_url": KC_API_BASE_URL,
         },
     }
 ]

docker/requirements-local.txt

@@ -1,6 +1,8 @@
-clickhouse-connect>=0.6.8
-sqlalchemy-bigquery
-gsheetsdb
+# libraries for extra external datasource support
+clickhouse-connect>=0.6.8 # clickhouse
+sqlalchemy-bigquery # bigquery
+gsheetsdb # google sheets
+# libraries for the keycloak integration to work
 flask-oidc==1.3.0
 itsdangerous==2.0.1
 flask_openid