chore: Generated commit to update templated files since the last template run up to stackabletech/operator-templating@0fd2a1f (#807)

stackable-bot · web-flow · commit f0af4ccfd6e0 · 2026-02-19T09:19:58.000Z
Reference-to: stackabletech/operator-templating@0fd2a1f (Rollout CRD versioning related changes and Nix fix)
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ result
 image.tar
 
 tilt_options.json
+.values.yaml
 
 .direnv/
 .direnvrc
diff --git a/Makefile b/Makefile
@@ -44,6 +44,8 @@ config:
 		cp -r deploy/config-spec/* "deploy/helm/${OPERATOR_NAME}/configs";\
 	fi
 
+# We generate a crds.yaml, so that the effect of code changes are visible.
+# The operator will take care of the CRD rollout itself.
 crds:
 	mkdir -p extra
 	cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
diff --git a/Tiltfile b/Tiltfile
@@ -17,11 +17,6 @@ custom_build(
     outputs_image_ref_to='result/ref',
 )
 
-# Load the latest CRDs from Nix
-watch_file('result')
-if os.path.exists('result'):
-   k8s_yaml('result/crds.yaml')
-
 # We need to set the correct image annotation on the operator Deployment to use e.g.
 # oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of
 # oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist)
diff --git a/deny.toml b/deny.toml
@@ -24,6 +24,20 @@ ignore = [
     #
     # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue
     "RUSTSEC-2023-0071",
+
+    # https://rustsec.org/advisories/RUSTSEC-2024-0436
+    # The "paste" crate is no longer maintained because the owner states that the implementation is
+    # finished. There are at least two (forked) alternatives which state to be maintained. They'd
+    # need to be vetted before a potential switch. Additionally, they'd need to be in a maintained
+    # state for a couple of years to provide any benefit over using "paste".
+    #
+    # This crate is only used in a single place in the xtask package inside the declarative
+    # "write_crd" macro. The impact of vulnerabilities, if any, should be fairly minimal.
+    #
+    # See thread: https://users.rust-lang.org/t/paste-alternatives/126787/4
+    #
+    # This can only be removed again if we decide to use a different crate.
+    "RUSTSEC-2024-0436",
 ]
 
 [bans]
@@ -67,6 +81,9 @@ license-files = [
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+allow-git = [
+    "https://github.com/kube-rs/kube-rs",
+]
 
 [sources.allow-org]
 github = ["stackabletech"]
diff --git a/deploy/helm/opa-operator/templates/deployment.yaml b/deploy/helm/opa-operator/templates/deployment.yaml
@@ -77,16 +77,15 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
 
-            - name: OPA_BUNDLE_BUILDER_CLUSTERROLE
-              value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole
-
             {{- if .Values.kubernetesClusterDomain }}
             - name: KUBERNETES_CLUSTER_DOMAIN
               value: {{ .Values.kubernetesClusterDomain | quote }}
             {{- end }}
 
             {{- include "telemetry.envVars" . | nindent 12 }}
             {{- include "maintenance.envVars" . | nindent 12 }}
+            - name: OPA_BUNDLE_BUILDER_CLUSTERROLE
+              value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole
       volumes:
         - name: config-spec
           configMap:
diff --git a/deploy/helm/opa-operator/templates/service.yaml b/deploy/helm/opa-operator/templates/service.yaml
@@ -1,7 +1,11 @@
+
 ---
 apiVersion: v1
 kind: Service
 metadata:
+  # Note(@sbernauer): We could also call the Service something like
+  # "product-operator-conversion-webhook". However, in the future we will have more webhooks, and
+  # it seems like an overkill to have a dedicated Service per webhook.
   name: {{ include "operator.fullname" . }}
   labels:
     {{- include "operator.labels" . | nindent 4 }}
diff --git a/shell.nix b/shell.nix
@@ -21,10 +21,10 @@ in pkgs.mkShell rec {
   ];
 
   # derivation runtime dependencies
-  buildInputs = pkgs.lib.concatMap (crate: crate.buildInputs) cargoDependencySet;
+  buildInputs = pkgs.lib.unique (pkgs.lib.concatMap (crate: crate.buildInputs) cargoDependencySet);
 
   # build time dependencies
-  nativeBuildInputs = pkgs.lib.concatMap (crate: crate.nativeBuildInputs) cargoDependencySet ++ (with pkgs; [
+  nativeBuildInputs = pkgs.lib.unique (pkgs.lib.concatMap (crate: crate.nativeBuildInputs) cargoDependencySet ++ (with pkgs; [
     beku
     docker
     gettext # for the proper envsubst
@@ -38,7 +38,7 @@ in pkgs.mkShell rec {
     # tilt already defined in default.nix
     which
     yq-go
-  ]);
+  ]));
 
   LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
   BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang}/resource-root/include";
