From c05898aa2324e348075582e1be1b9c4e6e022fe9 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Sat, 31 May 2025 22:25:51 +0200 Subject: [PATCH 1/2] chore: Remove hardcoded uid and gid --- CHANGELOG.md | 7 ++++++- rust/operator-binary/src/controller.rs | 9 +-------- tests/templates/kuttl/opa-authorization/check-opa.py.j2 | 4 ++-- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3560755..8d4e6d40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,10 @@ All notable changes to this project will be documented in this file. - test: Bump to Vector `0.46.1` ([#743]). - test: Bump OPA `1.4.2` ([#745]). - Use versioned common structs ([#748]). +- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#752]) + - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator + - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward + - This is marked as breaking because tools and policies might exist, which require these fields to be set ### Fixed @@ -40,6 +44,7 @@ All notable changes to this project will be documented in this file. [#743]: https://github.com/stackabletech/trino-operator/pull/743 [#745]: https://github.com/stackabletech/trino-operator/pull/745 [#748]: https://github.com/stackabletech/trino-operator/pull/748 +[#752]: https://github.com/stackabletech/trino-operator/pull/752 ## [25.3.0] - 2025-03-21 
@@ -116,7 +121,7 @@ All notable changes to this project will be documented in this file.
 - BREAKING: The fields `connection` and `host` on `S3Connection` as well as `bucketName` on `S3Bucket`are now mandatory ([#646]).
 - Don't ignore envOverrides ([#633]).
-- Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]).
+- Don't print credentials to STDOUT during startup. Ideally, we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [our experimental branch](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]).
 - Invalid `TrinoCluster`, `TrinoCatalog` or `AuthenticationClass` objects don't stop the operator from reconciliation ([#657])
 ### Removed
diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
index 09dbb175..be2928ad 100644
--- a/rust/operator-binary/src/controller.rs
+++ b/rust/operator-binary/src/controller.rs
@@ -104,7 +104,6 @@ pub struct Ctx {
 pub const OPERATOR_NAME: &str = "trino.stackable.tech";
 pub const CONTROLLER_NAME: &str = "trinocluster";
 pub const FULL_CONTROLLER_NAME: &str = concatcp!(CONTROLLER_NAME, '.', OPERATOR_NAME);
-pub const TRINO_UID: i64 = 1000;
 pub const STACKABLE_LOG_DIR: &str = "/stackable/log";
 pub const STACKABLE_LOG_CONFIG_DIR: &str = "/stackable/log_config";
@@ -1141,13 +1140,7 @@ fn build_rolegroup_statefulset(
         )
         .context(AddVolumeSnafu)?
         .service_account_name(sa_name)
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(TRINO_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
     let mut pod_template = pod_builder.build_template();
     pod_template.merge_from(role.config.pod_overrides.clone());
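Review bot: With `runAsUser`/`runAsGroup` dropped, the pod security context built on the `+` line of the second hunk no longer guarantees anything about which user the Trino containers run as; whether they are non-root now depends entirely on the image's `USER`, and an image built without one runs as root with nothing in the operator catching it. The changelog in this same patch says the image defaults "will be different from 1000/0 going forward", so the still-hardcoded `fs_group(1000)` is the one piece of the old 1000/0 assumption that survives — it keeps working because Kubernetes adds the fsGroup as a supplemental group, but it deserves a comment saying why it is kept. I would keep a UID-independent guarantee, e.g. `.security_context(PodSecurityContextBuilder::new().run_as_non_root(true).fs_group(1000).build());` if the builder exposes that setter, preceded by `// runAsUser/runAsGroup come from the image USER; fsGroup stays pinned so volume ownership is predictable`. Users can still pin a specific UID through `podOverrides`, since `pod_template.merge_from(role.config.pod_overrides.clone())` runs after this. `build_rolegroup_statefulset` starts before this hunk.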
diff --git a/tests/templates/kuttl/opa-authorization/check-opa.py.j2 b/tests/templates/kuttl/opa-authorization/check-opa.py.j2
index 4e478a37..39e9f11b 100755
--- a/tests/templates/kuttl/opa-authorization/check-opa.py.j2
+++ b/tests/templates/kuttl/opa-authorization/check-opa.py.j2
@@ -3,7 +3,7 @@ import argparse
 import pytest
 import trino
-from datetime import datetime
+from datetime import datetime, UTC
 from trino.exceptions import TrinoUserError
 import urllib3
@@ -502,7 +502,7 @@ class TestOpa:
         print("")
     def log(user, query):
-        timestamp = datetime.utcnow().isoformat(sep=" ", timespec="milliseconds")
+        timestamp = datetime.now(UTC).isoformat(sep=" ", timespec="milliseconds")
         print(f"[{timestamp}] - {user:20s} -> {query}")
     def run_query(connection, query):
From a49fea96142454c77932adcb2480ef61ae43ec44 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Mon, 2 Jun 2025 12:38:46 +0200
Subject: [PATCH 2/2] fix: add @staticmethod decorators
---
 tests/templates/kuttl/opa-authorization/check-opa.py.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/templates/kuttl/opa-authorization/check-opa.py.j2 b/tests/templates/kuttl/opa-authorization/check-opa.py.j2
index 39e9f11b..bafd398e 100755
--- a/tests/templates/kuttl/opa-authorization/check-opa.py.j2
+++ b/tests/templates/kuttl/opa-authorization/check-opa.py.j2
@@ -501,15 +501,18 @@ class TestOpa:
         print("")
+    @staticmethod
     def log(user, query):
         timestamp = datetime.now(UTC).isoformat(sep=" ", timespec="milliseconds")
         print(f"[{timestamp}] - {user:20s} -> {query}")
+    @staticmethod
     def run_query(connection, query):
         cursor = connection.cursor()
         cursor.execute(query)
         return cursor.fetchall()
+    @staticmethod
     def get_connection(username, password, namespace, impersonation=None):
         connection = trino.dbapi.connect(
             host="trino-coordinator.{0}.svc.cluster.local".format(namespace),
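Review bot: `from datetime import datetime, UTC` on the `+` line of the first hunk only resolves on Python 3.11 or newer, so on an older interpreter in the test image the whole module fails at import time rather than in one test. Replacing `datetime.utcnow()` is the right move (it is deprecated since 3.12), but the portable spelling is `from datetime import datetime, timezone` with `datetime.now(timezone.utc)`, which behaves identically. If the kuttl test image is known to ship 3.11+, a short comment on the import such as `# datetime.UTC needs Python >= 3.11` would spare the next reader the same question.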