taskworld · cherviakovtaskworld · Jun 5, 2026 · Jun 5, 2026
diff --git a/README.md b/README.md
@@ -31,6 +31,8 @@ Required keys:
 |-----|-------------|
 | `CUBEJS_API_SECRET` | Cryptographically random string (minimum 32 bytes / 64 hex chars) used to sign JWT tokens for API access. Generate with: `openssl rand -hex 32` |
 | `CUBEJS_DB_BQ_CREDENTIALS_FILE` | BigQuery service account JSON key (file contents) |
+| `CUBEJS_SQL_USER` | **Only when the SQL API is enabled** (`cubeApi.sql.enabled=true`). Arbitrary username SQL clients use to connect over the Postgres protocol. Unrelated to BigQuery auth. |
+| `CUBEJS_SQL_PASSWORD` | **Only when the SQL API is enabled.** Arbitrary password for the SQL client connection. |
 
 ```bash
 kubectl create secret generic cubejs-secret \
@@ -111,6 +113,28 @@ cubestoreWorker:
   image: "cubejs/cubestore:v1.6.29"
 ```
 
+## SQL API (Postgres protocol)
+
+Cube's Postgres-compatible SQL API is **off by default** (REST and GraphQL work without it). Enable it to connect BI tools (Metabase, Superset, `psql`):
+
+```yaml
+cubeApi:
+  sql:
+    enabled: true
+    port: 15432
+```
+
+When enabled, the chart sets `CUBEJS_PG_SQL_PORT` and exposes the port on the `cube-api` Service. The client credentials `CUBEJS_SQL_USER` and `CUBEJS_SQL_PASSWORD` are **arbitrary values you choose** — add both to the K8s Secret (`cubeApi.secret.name`) before enabling. They are independent of BigQuery authentication:
+
+```bash
+kubectl create secret generic cubejs-secret \
+  --from-literal=CUBEJS_API_SECRET=$(openssl rand -hex 32) \
+  --from-file=CUBEJS_DB_BQ_CREDENTIALS_FILE=sa-key.json \
+  --from-literal=CUBEJS_SQL_USER=cube \
+  --from-literal=CUBEJS_SQL_PASSWORD=$(openssl rand -hex 16) \
+  -n cubejs
+```
+
 ## Key values
 
 | Value | Default | Description |
@@ -127,3 +151,5 @@ cubestoreWorker:
 | `cubestoreRouter.replicas` | `1` | CubeStore router pods — do not exceed 1 |
 | `cubestoreWorker.replicas` | `1` | Number of CubeStore worker pods |
 | `cubeApi.secret.name` | `cubejs-secret` | Name of the K8s Secret with credentials |
+| `cubeApi.sql.enabled` | `false` | Enable the Postgres-compatible SQL API |
+| `cubeApi.sql.port` | `15432` | Port for the SQL API (set via `CUBEJS_PG_SQL_PORT`) |
diff --git a/charts/cubejs/Chart.yaml b/charts/cubejs/Chart.yaml
@@ -19,7 +19,7 @@ maintainers:
     email: developers@taskworld.com
 
 # Increment this version on every chart change
-version: 1.0.9
+version: 1.0.10
 
 # Tracks the deployed Cube.js application version
 appVersion: "1.6.29"
diff --git a/charts/cubejs/templates/cube-api-configmap.yaml b/charts/cubejs/templates/cube-api-configmap.yaml
@@ -8,3 +8,7 @@ data:
   {{ $key }}: {{ $val | quote }}
   {{- end }}
   CUBEJS_DB_BQ_PROJECT_ID: {{ required "bigquery.projectId is required" .Values.bigquery.projectId | quote }}
+  {{- if .Values.cubeApi.sql.enabled }}
+  # Enables the Postgres-compatible SQL API. CUBEJS_SQL_USER/CUBEJS_SQL_PASSWORD come from the Secret.
+  CUBEJS_PG_SQL_PORT: {{ .Values.cubeApi.sql.port | quote }}
+  {{- end }}
diff --git a/charts/cubejs/templates/cube-api-deployment.yaml b/charts/cubejs/templates/cube-api-deployment.yaml
@@ -50,6 +50,11 @@ spec:
             - name: http
               containerPort: {{ .Values.cubeApi.service.port }}
               protocol: TCP
+            {{- if .Values.cubeApi.sql.enabled }}
+            - name: pg-sql
+              containerPort: {{ .Values.cubeApi.sql.port }}
+              protocol: TCP
+            {{- end }}
           startupProbe:
             httpGet:
               path: /livez

diff --git a/charts/cubejs/templates/cube-api-service.yaml b/charts/cubejs/templates/cube-api-service.yaml
@@ -13,5 +13,12 @@ spec:
       protocol: TCP
       name: http
       appProtocol: http
+    {{- if .Values.cubeApi.sql.enabled }}
+    - port: {{ .Values.cubeApi.sql.port }}
+      targetPort: pg-sql
+      protocol: TCP
+      name: pg-sql
+      appProtocol: tcp
+    {{- end }}
   selector:
     cubejsApp: cubeApi
diff --git a/charts/cubejs/values.schema.json b/charts/cubejs/values.schema.json
@@ -64,6 +64,19 @@
           "type": "string",
           "enum": ["Always", "IfNotPresent", "Never"]
         },
+        "sql": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "port": {
+              "type": "integer",
+              "minimum": 1,
+              "maximum": 65535
+            }
+          }
+        },
         "resources": {
           "$ref": "#/$defs/resources"
         }

diff --git a/charts/cubejs/values.yaml b/charts/cubejs/values.yaml
@@ -57,6 +57,13 @@ cubeApi:
   # Sensitive vars (BigQuery credentials + CUBEJS_API_SECRET) come from a K8s Secret.
   secret:
     name: cubejs-secret
+  # Postgres-compatible SQL API. Off by default (Cube's default) — REST/GraphQL work without it.
+  # When enabled, setting CUBEJS_PG_SQL_PORT turns the SQL API on and the port is exposed on the Service.
+  # CUBEJS_SQL_USER / CUBEJS_SQL_PASSWORD are arbitrary client credentials — add both to the K8s Secret
+  # (secret.name). They are unrelated to BigQuery auth.
+  sql:
+    enabled: false
+    port: 15432
   env:
     var:
       CUBEJS_DB_TYPE: "bigquery"