chore: Generated commit to update templated files since the last template run up to stackabletech/operator-templating@1f730e7

Reference-to: stackabletech/operator-templating@1f730e7 (Part of stackabletech/issues#716)

Author: stackable-bot

.github/workflows/build.yaml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Check for changed files
         id: check
-        uses: stackabletech/actions/detect-changes@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/detect-changes@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           patterns: |
             - '.github/workflows/build.yaml'
@@ -166,7 +166,7 @@ jobs:
 
       - name: Build Container Image
         id: build
-        uses: stackabletech/actions/build-container-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/build-container-image@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           image-name: ${{ env.OPERATOR_NAME }}
           image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }}
@@ -175,7 +175,7 @@ jobs:
 
       - name: Publish Container Image
         if: ${{ !github.event.pull_request.head.repo.fork }}
-        uses: stackabletech/actions/publish-image@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/publish-image@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           image-registry-uri: oci.stackable.tech
           image-registry-username: robot$sdp+github-action-build
@@ -203,7 +203,7 @@ jobs:
           persist-credentials: false
 
       - name: Publish and Sign Image Index
-        uses: stackabletech/actions/publish-image-index-manifest@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/publish-image-index-manifest@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           image-registry-uri: oci.stackable.tech
           image-registry-username: robot$sdp+github-action-build
@@ -230,7 +230,7 @@ jobs:
           submodules: recursive
 
       - name: Package, Publish, and Sign Helm Chart
-        uses: stackabletech/actions/publish-helm-chart@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/publish-helm-chart@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           chart-registry-uri: oci.stackable.tech
           chart-registry-username: robot$sdp-charts+github-action-build
@@ -260,7 +260,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run OpenShift Preflight Check
-        uses: stackabletech/actions/run-openshift-preflight@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/run-openshift-preflight@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }}
           image-architecture: ${{ matrix.arch }}
@@ -300,7 +300,7 @@ jobs:
           persist-credentials: false
 
       - name: Send Notification
-        uses: stackabletech/actions/send-slack-notification@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/send-slack-notification@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           publish-helm-chart-result: ${{ needs.publish-helm-chart.result }}
           publish-manifests-result: ${{ needs.publish-index-manifest.result }}

.github/workflows/integration-test.yml

@@ -41,7 +41,7 @@ jobs:
       # TODO: Enable the scheduled runs which hard-code what profile to use
       - name: Run Integration Test
         id: test
-        uses: stackabletech/actions/run-integration-test@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/run-integration-test@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           replicated-api-token: ${{ secrets.REPLICATED_API_TOKEN }}
           test-mode-input: ${{ inputs.test-mode-input }}
@@ -51,7 +51,7 @@ jobs:
 
       - name: Send Notification
         if: ${{ failure() || github.run_attempt > 1 }}
-        uses: stackabletech/actions/send-slack-notification@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+        uses: stackabletech/actions/send-slack-notification@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           slack-token: ${{ secrets.SLACK_INTEGRATION_TEST_TOKEN }}
           failed-tests: ${{ steps.test.outputs.failed-tests }}

.github/workflows/pr_pre-commit.yaml

@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
           submodules: recursive
           fetch-depth: 0
-      - uses: stackabletech/actions/run-pre-commit@9848c5593dff4793aacba240116a648c02f20fa4 # v0.13.1
+      - uses: stackabletech/actions/run-pre-commit@ac6f1d3b87f68826b9a5838d13864ef8e88dcf40 # v0.14.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           rust: ${{ env.RUST_TOOLCHAIN_VERSION }}

Makefile

@@ -76,3 +76,9 @@ run-dev: check-nix check-kubernetes
 
 stop-dev: check-nix check-kubernetes
 	nix run --extra-experimental-features "nix-command flakes" -f. tilt -- down
+
+helm-install:
+	helm install \
+		--values deploy/helm/${OPERATOR_NAME}/values.yaml \
+		--values deploy/helm/${OPERATOR_NAME}/values/$(OCI_REGISTRY_HOSTNAME).yaml \
+		${OPERATOR_NAME} deploy/helm/${OPERATOR_NAME}

Tiltfile

@@ -1,16 +1,19 @@
-# If tilt_options.json exists read it and load the default_registry value from it
+# Load the metadata first, so that we immediately get access to the operator name
+meta = read_json('nix/meta.json')
+operator_name = meta['operator']['name']
+
+# If tilt_options.json exists read it and load the default_registry and default_repository value from it
 settings = read_json('tilt_options.json', default={})
-registry = settings.get('default_registry', 'oci.stackable.tech/sandbox')
+registry = settings.get('default_registry', 'oci.stackable.tech')
+repository = settings.get('default_repository', registry + '/' + 'sdp')
+operator_image_name = repository + '/' + operator_name
 
-# Configure default registry either read from config file above, or with default value of "oci.stackable.tech/sandbox"
+# Configure default registry either read from config file above, or with default value of "oci.stackable.tech"
 default_registry(registry)
 
-meta = read_json('nix/meta.json')
-operator_name = meta['operator']['name']
-
 custom_build(
-    registry + '/' + operator_name,
-    'make regenerate-nix && nix-build . -A docker --argstr dockerName "${EXPECTED_REGISTRY}/' + operator_name + '" && ./result/load-image | docker load',
+    operator_image_name,
+    'make regenerate-nix && nix-build . -A docker --argstr dockerName "' + operator_image_name + '" && ./result/load-image | docker load',
     deps=['rust', 'Cargo.toml', 'Cargo.lock', 'default.nix', "nix", 'build.rs', 'vendor'],
     ignore=['*.~undo-tree~'],
     # ignore=['result*', 'Cargo.nix', 'target', *.yaml],
@@ -28,7 +31,7 @@ k8s_kind('DaemonSet', image_json_path='{.spec.template.metadata.annotations.inte
 # supported by helm(set).
 helm_values = settings.get('helm_values', None)
 
-helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name
+helm_override_image_repository = 'image.repository=' + repository
 
 k8s_yaml(helm(
    'deploy/helm/' + operator_name,

deny.toml

@@ -18,9 +18,9 @@ ignore = [
     # https://rustsec.org/advisories/RUSTSEC-2023-0071
     # "rsa" crate: Marvin Attack: potential key recovery through timing sidechannel
     #
-    # No patch is yet available, however work is underway to migrate to a fully constant-time implementation
-    # So we need to accept this, as of SDP 25.3 we are not using the rsa crate to create certificates used in production
-    # setups.
+    # No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
+    # So we need to accept this, as of SDP 26.3 we are "only" using the crate to create private +
+    # public key pairs used by webhooks, such as conversion or mutating webhooks.
     #
     # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue
     "RUSTSEC-2023-0071",

deploy/helm/commons-operator/.helmignore

@@ -6,6 +6,8 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
+# Ignore the file itself
+.helmignore
 .DS_Store
 # Common VCS dirs
 .git/
@@ -26,3 +28,5 @@
 .idea/
 *.tmproj
 .vscode/
+# Partial, unmerged, registry-specific values files
+values/

deploy/helm/commons-operator/templates/_helpers.tpl

@@ -77,3 +77,10 @@ Labels for Kubernetes objects created by helm test
 {{- define "operator.testLabels" -}}
 helm.sh/test: {{ include "operator.chart" . }}
 {{- end }}
+
+{{/*
+Build the full container image reference.
+*/}}
+{{- define "operator.image" -}}
+{{- printf "%s/%s:%s" .Values.image.repository .Chart.Name (.Values.image.tag | default .Chart.AppVersion) -}}
+{{- end }}

deploy/helm/commons-operator/templates/deployment.yaml

@@ -15,7 +15,7 @@ spec:
   template:
     metadata:
       annotations:
-        internal.stackable.tech/image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        internal.stackable.tech/image: {{ include "operator.image" . }}
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
@@ -37,7 +37,7 @@ spec:
         - name: {{ include "operator.appname" . }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "operator.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -70,6 +70,10 @@ spec:
             - name: OPERATOR_SERVICE_NAME
               value: {{ include "operator.fullname" . }}
 
+            # The image repository, like "oci.stackable.tech/sdp"
+            - name: IMAGE_REPOSITORY
+              value: {{ .Values.image.repository }}
+
             # Operators need to know the node name they are running on, to e.g. discover the
             # Kubernetes domain name from the kubelet API.
             - name: KUBERNETES_NODE_NAME

deploy/helm/commons-operator/values/oci.stackable.tech.yaml

@@ -0,0 +1,4 @@
+---
+# Values overlay for chart packages published to oci.stackable.tech.
+image:
+  repository: oci.stackable.tech/sdp