From 523af28cbbf139ae32362e73942b3d781fee05c5 Mon Sep 17 00:00:00 2001
From: Stacky McStackface
Date: Thu, 19 Feb 2026 09:03:44 +0000
Subject: [PATCH] chore: Generated commit to update templated files since the last template run up to stackabletech/operator-templating@0fd2a1f7769df93202f555da3afa8723372b462e Reference-to: stackabletech/operator-templating@0fd2a1f (Rollout CRD versioning related changes and Nix fix)
---
.gitignore | 1 +
Makefile | 2 ++
Tiltfile | 5 -----
deny.toml | 17 +++++++++++++++++
.../helm/opa-operator/templates/deployment.yaml | 5 ++---
deploy/helm/opa-operator/templates/service.yaml | 4 ++++
shell.nix | 6 +++---
7 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2dbc7ab0..696bc411 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ result image.tar tilt_options.json +.values.yaml .direnv/ .direnvrc
diff --git a/Makefile b/Makefile
index 91f3e2f8..0d36162f 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,8 @@ config: cp -r deploy/config-spec/* "deploy/helm/${OPERATOR_NAME}/configs";\ fi +# We generate a crds.yaml, so that the effect of code changes are visible. +# The operator will take care of the CRD rollout itself. crds: mkdir -p extra cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
diff --git a/Tiltfile b/Tiltfile
index 31808985..53c3a8e4 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -17,11 +17,6 @@ custom_build( outputs_image_ref_to='result/ref', ) -# Load the latest CRDs from Nix -watch_file('result') -if os.path.exists('result'): - k8s_yaml('result/crds.yaml') - # We need to set the correct image annotation on the operator Deployment to use e.g. # oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of # oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist)
diff --git a/deny.toml b/deny.toml
index d02a12f4..8ec7e452 100644
--- a/deny.toml
+++ b/deny.toml
@@ -24,6 +24,20 @@ ignore = [ # # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue "RUSTSEC-2023-0071", + + # https://rustsec.org/advisories/RUSTSEC-2024-0436 + # The "paste" crate is no longer maintained because the owner states that the implementation is + # finished. There are at least two (forked) alternatives which state to be maintained. They'd + # need to be vetted before a potential switch. Additionally, they'd need to be in a maintained + # state for a couple of years to provide any benefit over using "paste". + # + # This crate is only used in a single place in the xtask package inside the declarative + # "write_crd" macro. The impact of vulnerabilities, if any, should be fairly minimal. + # + # See thread: https://users.rust-lang.org/t/paste-alternatives/126787/4 + # + # This can only be removed again if we decide to use a different crate. + "RUSTSEC-2024-0436", ] [bans]
@@ -67,6 +81,9 @@ license-files = [ [sources] unknown-registry = "deny" unknown-git = "deny" +allow-git = [ + "https://github.com/kube-rs/kube-rs", +] [sources.allow-org] github = ["stackabletech"]
diff --git a/deploy/helm/opa-operator/templates/deployment.yaml b/deploy/helm/opa-operator/templates/deployment.yaml
index 89f028f7..fb318bdf 100644
--- a/deploy/helm/opa-operator/templates/deployment.yaml
+++ b/deploy/helm/opa-operator/templates/deployment.yaml
@@ -77,9 +77,6 @@ spec: fieldRef: fieldPath: spec.nodeName - - name: OPA_BUNDLE_BUILDER_CLUSTERROLE - value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole - {{- if .Values.kubernetesClusterDomain }} - name: KUBERNETES_CLUSTER_DOMAIN value: {{ .Values.kubernetesClusterDomain | quote }}
@@ -87,6 +84,8 @@ spec: {{- include "telemetry.envVars" . | nindent 12 }} {{- include "maintenance.envVars" . | nindent 12 }} + - name: OPA_BUNDLE_BUILDER_CLUSTERROLE + value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole volumes: - name: config-spec configMap:
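Review bot: In deny.toml (hunk `@@ -24,6 +24,20 @@`), the rationale for ignoring `RUSTSEC-2024-0436` rests on "paste" being used only by the `write_crd` macro in the xtask package, but an entry in `ignore` silences the advisory for every dependency path, and this file is rolled out from a shared template, so the statement may not describe this repository. I would record how it was checked here, e.g. `# Checked with "cargo tree -i paste" on <date>: <paths found>`, directly above the entry. The `ignore` list opens before the hunk, so its other entries are not visible from here.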
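Review bot: The `allow-git` entry added under `[sources]` in deny.toml (hunk `@@ -67,6 +81,9 @@`) exempts `https://github.com/kube-rs/kube-rs` from `unknown-git = "deny"` without any comment, unlike the advisory ignore earlier in the same file, which is explained at length. The entry matches on the repository URL, so which commit is actually built depends on Cargo.toml and Cargo.lock, neither of which is part of this patch. I would add a comment such as `# <why kube-rs is consumed from git>; remove once a crates.io release contains the change`, and consider `required-git-spec = "rev"` in `[sources]` so that a branch reference cannot be used for this source.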
diff --git a/deploy/helm/opa-operator/templates/service.yaml b/deploy/helm/opa-operator/templates/service.yaml
index b625850f..978f914d 100644
--- a/deploy/helm/opa-operator/templates/service.yaml
+++ b/deploy/helm/opa-operator/templates/service.yaml
@@ -1,7 +1,11 @@ + --- apiVersion: v1 kind: Service metadata: + # Note(@sbernauer): We could also call the Service something like + # "product-operator-conversion-webhook". However, in the future we will have more webhooks, and + # it seems like an overkill to have a dedicated Service per webhook. name: {{ include "operator.fullname" . }} labels: {{- include "operator.labels" . | nindent 4 }}
diff --git a/shell.nix b/shell.nix
index 7ef77f28..b6ee3afb 100644
--- a/shell.nix
+++ b/shell.nix
@@ -21,10 +21,10 @@ in pkgs.mkShell rec { ]; # derivation runtime dependencies - buildInputs = pkgs.lib.concatMap (crate: crate.buildInputs) cargoDependencySet; + buildInputs = pkgs.lib.unique (pkgs.lib.concatMap (crate: crate.buildInputs) cargoDependencySet); # build time dependencies - nativeBuildInputs = pkgs.lib.concatMap (crate: crate.nativeBuildInputs) cargoDependencySet ++ (with pkgs; [ + nativeBuildInputs = pkgs.lib.unique (pkgs.lib.concatMap (crate: crate.nativeBuildInputs) cargoDependencySet ++ (with pkgs; [ beku docker gettext # for the proper envsubst
@@ -38,7 +38,7 @@ in pkgs.mkShell rec { # tilt already defined in default.nix which yq-go - ]); + ])); LIBCLANG_PATH = "${pkgs.libclang.lib}/lib"; BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang}/resource-root/include";