fix(airflow/superset): Pin Cython version (#1116)

* chore(airflow): Move runtime constraint files

Co-authored-by: Natalie Klestrup Röijezon <[email protected]>
Co-authored-by: Maxi Wittich <[email protected]>

* chore(airflow): Add build constraint files

* chore(airflow): Use uv to install dependencies

* chore(superset): Move runtime constraint files

* chore(superset): Add build constraints files

* chore(superset): Use uv to install dependencies

* chore: Update changelog

---------

Co-authored-by: Natalie Klestrup Röijezon <[email protected]>
Co-authored-by: Maxi Wittich <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -40,6 +40,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- airflow,superset: Use `uv` to build the product ([#1116]).
 - ubi-rust-builder: Bump Rust toolchain to 1.85.0, cargo-cyclonedx to 0.5.7, and cargo-auditable to 0.6.6 ([#1050]).
 - ubi9-rust-builder: Bump base image and update protoc to `30.2` ([#1091]).
 - stackable-devel: Bump ubi9 base image ([#1103]).
@@ -53,6 +54,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- airflow: Pin Cython version ([#1116]).
 - druid: reduce docker image size by removing the recursive chown/chmods in the final image ([#1039]).
 - hadoop: reduce docker image size by removing the recursive chown/chmods in the final image ([#1029]).
 - hbase: reduce docker image size by removing the recursive chown/chmods in the final image ([#1028]).
@@ -63,6 +65,7 @@ All notable changes to this project will be documented in this file.
 - opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
 - opa: Manually install Go 1.23.9 ([#1103]).
 - spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
+- superset: Pin Cython version ([#1116]).
 - trino: reduce docker image size by removing the recursive chown/chmods in the final image ([#1025]).
 - zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
 - Fixed two hardcoded username references ([#1052]).
@@ -104,6 +107,7 @@ All notable changes to this project will be documented in this file.
 [#1103]: https://github.com/stackabletech/docker-images/pull/1103
 [#1106]: https://github.com/stackabletech/docker-images/pull/1106
 [#1108]: https://github.com/stackabletech/docker-images/pull/1108
+[#1116]: https://github.com/stackabletech/docker-images/pull/1116
 
 ## [25.3.0] - 2025-03-21
 

airflow/Dockerfile

@@ -31,9 +31,7 @@ ARG TARGETARCH
 ARG STACKABLE_USER_UID
 ARG S3FS
 ARG CYCLONEDX_BOM
-
-COPY airflow/constraints-${PRODUCT}-python${PYTHON}.txt /tmp/constraints.txt
-COPY --from=opa-auth-manager-builder /tmp/opa-auth-manager/dist/opa_auth_manager-0.1.0-py3-none-any.whl /tmp/
+ARG UV
 
 # The mysql provider is currently excluded.
 # Requires implementation of https://github.com/apache/airflow/blob/2.2.5/scripts/docker/install_mysql.sh
@@ -62,19 +60,27 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
+COPY airflow/stackable/constraints/${PRODUCT}/constraints-python${PYTHON}.txt /tmp/constraints.txt
+COPY airflow/stackable/constraints/${PRODUCT}/build-constraints-python${PYTHON}.txt /tmp/build-constraints.txt
+COPY --from=opa-auth-manager-builder /tmp/opa-auth-manager/dist/opa_auth_manager-0.1.0-py3-none-any.whl /tmp/
+
 RUN <<EOF
 python${PYTHON} -m venv --system-site-packages /stackable/app
 
 source /stackable/app/bin/activate
 
+# Upgrade pip to the latest version
+# Also install uv to get support for build constraints
 pip install --no-cache-dir --upgrade pip
-pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt
+pip install --no-cache-dir uv==${UV}
+
+uv pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt --build-constraints /tmp/build-constraints.txt
 # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3
-pip install --no-cache-dir s3fs==${S3FS} cyclonedx-bom==${CYCLONEDX_BOM}
+uv pip install --no-cache-dir s3fs==${S3FS} cyclonedx-bom==${CYCLONEDX_BOM}
 # Needed for OIDC
-pip install --no-cache-dir Flask_OIDC==2.2.0 Flask-OpenID==1.3.1
+uv pip install --no-cache-dir Flask_OIDC==2.2.0 Flask-OpenID==1.3.1
 
-pip install --no-cache-dir /tmp/opa_auth_manager-0.1.0-py3-none-any.whl
+uv pip install --no-cache-dir /tmp/opa_auth_manager-0.1.0-py3-none-any.whl
 
 # Create the SBOM for Airflow
 # Important: All `pip install` commands must be above this line, otherwise the SBOM will be incomplete

airflow/stackable/constraints/2.10.4/build-constraints-python3.12.txt

@@ -0,0 +1 @@
+Cython==3.1.0

airflow/constraints-2.10.4-python3.12.txt renamed to airflow/stackable/constraints/2.10.4/constraints-python3.12.txt

@@ -0,0 +1 @@
+Cython==3.1.0

airflow/stackable/constraints/2.10.5/build-constraints-python3.12.txt

@@ -0,0 +1 @@
+Cython==3.0.12

airflow/constraints-2.10.5-python3.12.txt renamed to airflow/stackable/constraints/2.10.5/constraints-python3.12.txt

@@ -8,6 +8,7 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
     {
         "product": "2.10.4",
@@ -18,6 +19,7 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
     {
         "product": "2.10.5",
@@ -28,5 +30,6 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
 ]

airflow/stackable/constraints/2.9.3/build-constraints-python3.9.txt

@@ -41,9 +41,7 @@ ARG AUTHLIB
 ARG TARGETARCH
 ARG TARGETOS
 ARG CYCLONEDX_BOM
-
-COPY superset/constraints-${PRODUCT}.txt /tmp/constraints.txt
-COPY --from=opa-authorizer-builder /tmp/opa-authorizer/dist/opa_authorizer-0.1.0-py3-none-any.whl /tmp/
+ARG UV
 
 RUN microdnf update \
     && microdnf install \
@@ -68,6 +66,12 @@ RUN microdnf update \
     && microdnf clean all && \
     rm -rf /var/cache/yum
 
+COPY superset/stackable/constraints/${PRODUCT}/constraints.txt /tmp/constraints.txt
+COPY superset/stackable/constraints/${PRODUCT}/build-constraints.txt /tmp/build-constraints.txt
+COPY --from=opa-authorizer-builder /tmp/opa-authorizer/dist/opa_authorizer-0.1.0-py3-none-any.whl /tmp/
+
+# Upgrade pip to the latest version
+# Also install uv to get support for build constraints
 # DL3042 false-positive, --no-chache-dir is specified a few lines below.
 #        See https://github.com/hadolint/hadolint/issues/1042.
 # hadolint ignore=DL3042
@@ -78,10 +82,12 @@ RUN python3 -m venv /stackable/app \
         --upgrade \
         setuptools==75.2.0 \
         pip \
-    && pip install \
+        uv==${UV} \
+    && uv pip install \
         --no-cache-dir \
         --upgrade \
-        --constraint /tmp/constraints.txt \
+        --constraints /tmp/constraints.txt \
+        --build-constraints /tmp/build-constraints.txt \
         apache-superset==${PRODUCT} \
         gevent \
         psycopg2-binary \
@@ -104,15 +110,15 @@ RUN python3 -m venv /stackable/app \
     # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
     && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
         then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
-        && pip install gunicorn==22.0.0; \
+        && uv pip install gunicorn==22.0.0; \
     fi \
-    && pip install \
+    && uv pip install \
         --no-cache-dir \
         --upgrade \
         python-json-logger \
         cyclonedx-bom==${CYCLONEDX_BOM} \
     && if [ -n "$AUTHLIB" ]; then pip install Authlib==${AUTHLIB}; fi && \
-    pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
+    uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
 
 COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter