chore: Generated commit to update templated files since the last temp…

…late run up to stackabletech/operator-templating@1789cc2

Reference-to: stackabletech/operator-templating@1789cc2 (Change UID of docker user)

.github/actionlint.yaml

@@ -0,0 +1,5 @@
+---
+self-hosted-runner:
+  # Ubicloud machines we are using
+  labels:
+    - ubicloud-standard-8-arm

.github/workflows/build.yml

@@ -88,18 +88,18 @@ jobs:
           TRIGGER: ${{ github.event_name }}
           GITHUB_REF: ${{ github.ref }}
         run: |
-          if [[ $TRIGGER == "pull_request" ]]; then
+          if [[ "$TRIGGER" == "pull_request" ]]; then
             echo "exporting test as target helm repo: ${{ env.TEST_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
-          elif [[ ( $TRIGGER == "push" || $TRIGGER == "schedule" || $TRIGGER == "workflow_dispatch" ) && $GITHUB_REF == "refs/heads/main" ]]; then
+            echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+          elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
             echo "exporting dev as target helm repo: ${{ env.DEV_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
-          elif [[ $TRIGGER == "push" && $GITHUB_REF == refs/tags/* ]]; then
+            echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
+          elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
             echo "exporting stable as target helm repo: ${{ env.STABLE_REPO_HELM_URL }}"
-            echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
+            echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> "$GITHUB_OUTPUT"
           else
             echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
-            echo "helm_repo=skip" >> $GITHUB_OUTPUT
+            echo "helm_repo=skip" >> "$GITHUB_OUTPUT"
           fi
 
   run_cargodeny:
@@ -379,7 +379,7 @@ jobs:
       - id: printtag
         name: Output image name and tag
         if: ${{ !github.event.pull_request.head.repo.fork }}
-        run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT
+        run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"
 
   create_manifest_list:
     name: Build and publish manifest list
@@ -437,4 +437,4 @@ jobs:
           ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
           ./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
       - name: "Passed?"
-        run: '[ "$(cat preflight.out | jq -r .passed)" == true ]'
+        run: '[ "$(jq -r .passed < preflight.out)" == true ]'

.github/workflows/pr_pre-commit.yaml

@@ -16,6 +16,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
+          submodules: recursive
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.12'
@@ -39,6 +40,7 @@ jobs:
           chmod 700 "${LOCATION_BIN}"
 
           echo "$LOCATION_DIR" >> "$GITHUB_PATH"
+      - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
         with:
           extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"

.pre-commit-config.yaml

@@ -66,13 +66,13 @@ repos:
       - id: regenerate-charts
         name: regenerate-charts
         language: system
-        entry: make regenerate-charts
+        entry: nix-shell --run 'make regenerate-charts'
         stages: [commit, merge-commit, manual]
         pass_filenames: false
 
       - id: cargo-test
         name: cargo-test
         language: system
-        entry: cargo test
+        entry: nix-shell --run 'cargo test'
         stages: [commit, merge-commit, manual]
         pass_filenames: false

docker/Dockerfile

@@ -1,40 +1,109 @@
+# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
+# NOTE: The syntax directive needs to be the first line in a Dockerfile
+
 # =============
 # This file is automatically generated from the templates in stackabletech/operator-templating
 # DON'T MANUALLY EDIT THIS FILE
 # =============
-FROM oci.stackable.tech/sdp/ubi9-rust-builder AS builder
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal AS operator
+# https://docs.docker.com/build/checks/#fail-build-on-check-violations
+# check=error=true
+
+# We want to automatically use the latest. We also don't tag our images with a version.
+# hadolint ignore=DL3007
+FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder
+
+
+# We want to automatically use the latest.
+# hadolint ignore=DL3007
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator
 
 ARG VERSION
 ARG RELEASE="1"
 
-LABEL name="Stackable Operator for Apache HDFS" \
-  maintainer="[email protected]" \
-  vendor="Stackable GmbH" \
-  version="${VERSION}" \
-  release="${RELEASE}" \
-  summary="Deploy and manage Apache HDFS clusters." \
-  description="Deploy and manage Apache HDFS clusters."
+# These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system
+ARG STACKABLE_USER_GID="574654813"
+ARG STACKABLE_USER_UID="782252253"
+
+# These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
+# http://label-schema.org/rc1/
+LABEL name="Stackable Operator for Apache HDFS"
+LABEL maintainer="[email protected]"
+LABEL vendor="Stackable GmbH"
+LABEL version="${VERSION}"
+LABEL release="${RELEASE}"
+LABEL summary="Deploy and manage Apache HDFS clusters."
+LABEL description="Deploy and manage Apache HDFS clusters."
+
+# Overwriting/Pinning UBI labels
+# https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL vcs-ref=""
+LABEL distribution-scope="public"
+LABEL url="https://stackable.tech"
+ARG TARGETARCH
+LABEL architecture="${TARGETARCH}"
+LABEL com.redhat.component=""
+# It complains about it being an invalid label but RedHat uses it and we want to override it and it works....
+# hadolint ignore=DL3048
+LABEL com.redhat.license_terms=""
+LABEL io.buildah.version=""
+LABEL io.openshift.expose-services=""
 
+# https://github.com/opencontainers/image-spec/blob/036563a4a268d7c08b51a08f05a02a0fe74c7268/annotations.md#annotations
+LABEL org.opencontainers.image.authors="[email protected]"
+LABEL org.opencontainers.image.url="https://stackable.tech"
+LABEL org.opencontainers.image.vendor="Stackable GmbH"
+LABEL org.opencontainers.image.licenses="OSL-3.0"
+LABEL org.opencontainers.image.documentation="https://docs.stackable.tech/home/stable/hdfs/"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.revision="${RELEASE}"
+LABEL org.opencontainers.image.title="Stackable Operator for Apache HDFS"
+LABEL org.opencontainers.image.description="Deploy and manage Apache HDFS clusters."
+
+# https://docs.openshift.com/container-platform/4.16/openshift_images/create-images.html#defining-image-metadata
+# https://github.com/projectatomic/ContainerApplicationGenericLabels/blob/master/vendor/redhat/labels.md
+LABEL io.openshift.tags="ubi9,stackable,sdp,hdfs"
+LABEL io.k8s.description="Deploy and manage Apache HDFS clusters."
+LABEL io.k8s.display-name="Stackable Operator for Apache HDFS"
+
+RUN <<EOF
 # Update image and install kerberos client libraries
 # install_weak_deps in microdnf does not support the literal "False" as dnf does
 # https://github.com/rpm-software-management/microdnf/blob/a600c62f29262d71a6259b70dc220df65a2ab9b5/dnf/dnf-main.c#L176-L189
-RUN microdnf update -y --setopt=install_weak_deps=0 \
-    && microdnf install -y --setopt=install_weak_deps=0 \
-      krb5-libs \
-      libkadm5 \
-    && microdnf clean all \
-    && rm -rf /var/cache/yum
+microdnf update
+# NOTE (@NickLarsenNZ): Maybe we should consider pinning package versions?
+# hadolint ignore=DL3041
+microdnf install -y \
+  krb5-libs \
+  libkadm5 \
+  shadow-utils
+
+groupadd --gid ${STACKABLE_USER_GID} --system ${STACKABLE_USER_NAME}
+# The --no-log-init is required to work around a bug/problem in Go/Docker when very large UIDs are used
+# See https://github.com/moby/moby/issues/5419#issuecomment-41478290 for more context
+# Making this a system user prevents a mail dir from being created, expiry of passwords etc. but it will warn:
+#   useradd warning: stackable's uid 1000 is greater than SYS_UID_MAX 999
+# We can safely ignore this warning, to get rid of the warning we could change /etc/login.defs but that does not seem worth it
+# We'll leave the home directory hardcoded to /stackable because I don't want to deal with which chars might be valid and which might not in user name vs. directory
+useradd \
+  --no-log-init \
+  --gid ${STACKABLE_USER_GID} \
+  --uid ${STACKABLE_USER_UID} \
+  --system \
+  --create-home \
+  --home-dir /stackable \
+   stackable
+microdnf remove shadow-utils
+microdnf clean all
+rm -rf /var/cache/yum
+EOF
 
 COPY LICENSE /licenses/LICENSE
 
 COPY --from=builder /app/* /usr/local/bin/
-COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml
-
-RUN groupadd -g 1000 stackable && adduser -u 1000 -g stackable -c 'Stackable Operator' stackable
-
-USER stackable:stackable
+# COPY deploy/config-spec/properties.yaml /etc/stackable/hdfs-operator/config-spec/properties.yaml
+# 
+USER ${STACKABLE_USER_UID}
 
 ENTRYPOINT ["stackable-hdfs-operator"]
 CMD ["run"]