chore: Remove hardcoded uid and gid (#752)

* chore: Remove hardcoded uid and gid

* fix: add @staticmethod decorators

---------

Co-authored-by: Razvan-Daniel Mihai <[email protected]>

Author: lfrancke

CHANGELOG.md

@@ -25,6 +25,10 @@ All notable changes to this project will be documented in this file.
 - test: Bump to Vector `0.46.1` ([#743]).
 - test: Bump OPA `1.4.2` ([#745]).
 - Use versioned common structs ([#748]).
+- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#752])
+  - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator
+  - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
+  - This is marked as breaking because tools and policies might exist, which require these fields to be set
 
 ### Fixed
 
@@ -40,6 +44,7 @@ All notable changes to this project will be documented in this file.
 [#743]: https://github.com/stackabletech/trino-operator/pull/743
 [#745]: https://github.com/stackabletech/trino-operator/pull/745
 [#748]: https://github.com/stackabletech/trino-operator/pull/748
+[#752]: https://github.com/stackabletech/trino-operator/pull/752
 
 ## [25.3.0] - 2025-03-21
 
@@ -116,7 +121,7 @@ All notable changes to this project will be documented in this file.
 
 - BREAKING: The fields `connection` and `host` on `S3Connection` as well as `bucketName` on `S3Bucket`are now mandatory ([#646]).
 - Don't ignore envOverrides ([#633]).
-- Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]).
+- Don't print credentials to STDOUT during startup. Ideally, we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [our experimental branch](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]).
 - Invalid `TrinoCluster`, `TrinoCatalog` or `AuthenticationClass` objects don't stop the operator from reconciliation ([#657])
 
 ### Removed

rust/operator-binary/src/controller.rs

@@ -104,7 +104,6 @@ pub struct Ctx {
 pub const OPERATOR_NAME: &str = "trino.stackable.tech";
 pub const CONTROLLER_NAME: &str = "trinocluster";
 pub const FULL_CONTROLLER_NAME: &str = concatcp!(CONTROLLER_NAME, '.', OPERATOR_NAME);
-pub const TRINO_UID: i64 = 1000;
 
 pub const STACKABLE_LOG_DIR: &str = "/stackable/log";
 pub const STACKABLE_LOG_CONFIG_DIR: &str = "/stackable/log_config";
@@ -1141,13 +1140,7 @@ fn build_rolegroup_statefulset(
         )
         .context(AddVolumeSnafu)?
         .service_account_name(sa_name)
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(TRINO_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
     let mut pod_template = pod_builder.build_template();
     pod_template.merge_from(role.config.pod_overrides.clone());

tests/templates/kuttl/opa-authorization/check-opa.py.j2

@@ -3,7 +3,7 @@ import argparse
 import pytest
 import trino
 
-from datetime import datetime
+from datetime import datetime, UTC
 from trino.exceptions import TrinoUserError
 
 import urllib3
@@ -501,15 +501,18 @@ class TestOpa:
 
             print("")
 
+    @staticmethod
     def log(user, query):
-        timestamp = datetime.utcnow().isoformat(sep=" ", timespec="milliseconds")
+        timestamp = datetime.now(UTC).isoformat(sep=" ", timespec="milliseconds")
         print(f"[{timestamp}] - {user:20s} -> {query}")
 
+    @staticmethod
     def run_query(connection, query):
         cursor = connection.cursor()
         cursor.execute(query)
         return cursor.fetchall()
 
+    @staticmethod
     def get_connection(username, password, namespace, impersonation=None):
         connection = trino.dbapi.connect(
             host="trino-coordinator.{0}.svc.cluster.local".format(namespace),