stackabletech · stackable-bot · Feb 13, 2026
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ result
 image.tar
 
 tilt_options.json
+.values.yaml
 
 .direnv/
 .direnvrc

diff --git a/Makefile b/Makefile
@@ -32,6 +32,7 @@ compile-chart: version crds config
 
 chart-clean:
 	rm -rf "deploy/helm/${OPERATOR_NAME}/configs"
+	rm -rf "deploy/helm/${OPERATOR_NAME}/crds"
 
 version:
 	cat "deploy/helm/${OPERATOR_NAME}/Chart.yaml" | yq ".version = \"${VERSION}\" | .appVersion = \"${VERSION}\"" > "deploy/helm/${OPERATOR_NAME}/Chart.yaml.new"
@@ -43,11 +44,9 @@ config:
 		cp -r deploy/config-spec/* "deploy/helm/${OPERATOR_NAME}/configs";\
 	fi
 
-## N.B. diverges from templating for operators that have CRD-versioning
-## implemented. @adwk67: Do *not* let this be overridden with templating!
 crds:
-	mkdir -p extra
-	cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
+	mkdir -p deploy/helm/"${OPERATOR_NAME}"/crds
+	cargo run --bin stackable-"${OPERATOR_NAME}" -- crd | yq eval '.metadata.annotations["helm.sh/resource-policy"]="keep"' - > "deploy/helm/${OPERATOR_NAME}/crds/crds.yaml"
 
 chart-lint: compile-chart
 	docker run -it -v $(shell pwd):/build/helm-charts -w /build/helm-charts quay.io/helmpack/chart-testing:v3.5.0  ct lint --config deploy/helm/ct.yaml

diff --git a/Tiltfile b/Tiltfile
@@ -17,6 +17,11 @@ custom_build(
     outputs_image_ref_to='result/ref',
 )
 
+# Load the latest CRDs from Nix
+watch_file('result')
+if os.path.exists('result'):
+   k8s_yaml('result/crds.yaml')
+
 # We need to set the correct image annotation on the operator Deployment to use e.g.
 # oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of
 # oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist)
@@ -30,14 +35,18 @@ helm_values = settings.get('helm_values', None)
 
 helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name
 
-# N.B. diverges from templating for operators that have CRD-versioning
-# implemented. @adwk67: Do *not* let this be overridden with templating!
-k8s_yaml(helm(
-   'deploy/helm/' + operator_name,
-   name=operator_name,
-   namespace="stackable-operators",
-   set=[
-      helm_override_image_repository,
-   ],
-   values=helm_values,
-) )
+# Exclude stale CRDs from Helm chart, and apply the rest
+helm_crds, helm_non_crds = filter_yaml(
+   helm(
+      'deploy/helm/' + operator_name,
+      name=operator_name,
+      namespace="stackable-operators",
+      set=[
+         helm_override_image_repository,
+      ],
+      values=helm_values,
+   ),
+   api_version = "^apiextensions\\.k8s\\.io/.*$",
+   kind = "^CustomResourceDefinition$",
+)
+k8s_yaml(helm_non_crds)
diff --git a/deny.toml b/deny.toml
@@ -24,6 +24,20 @@ ignore = [
     #
     # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue
     "RUSTSEC-2023-0071",
+
+    # https://rustsec.org/advisories/RUSTSEC-2024-0436
+    # The "paste" crate is no longer maintained because the owner states that the implementation is
+    # finished. There are at least two (forked) alternatives which state to be maintained. They'd
+    # need to be vetted before a potential switch. Additionally, they'd need to be in a maintained
+    # state for a couple of years to provide any benefit over using "paste".
+    #
+    # This crate is only used in a single place in the xtask package inside the declarative
+    # "write_crd" macro. The impact of vulnerabilities, if any, should be fairly minimal.
+    #
+    # See thread: https://users.rust-lang.org/t/paste-alternatives/126787/4
+    #
+    # This can only be removed again if we decide to use a different crate.
+    "RUSTSEC-2024-0436",
 ]
 
 [bans]
@@ -67,6 +81,9 @@ license-files = [
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+allow-git = [
+    "https://github.com/kube-rs/kube-rs",
+]
 
 [sources.allow-org]
 github = ["stackabletech"]
diff --git a/deploy/helm/airflow-operator/crds/crds.yaml b/deploy/helm/airflow-operator/crds/crds.yaml
diff --git a/deploy/helm/airflow-operator/templates/deployment.yaml b/deploy/helm/airflow-operator/templates/deployment.yaml
@@ -21,9 +21,6 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- if .Values.maintenance.customResourceDefinitions.maintain }}
-        webhook.stackable.tech/conversion: enabled
-        {{- end }}
         {{- include "operator.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.image.pullSecrets }}
@@ -82,7 +79,6 @@ spec:
               value: {{ .Values.kubernetesClusterDomain | quote }}
             {{- end }}
             {{- include "telemetry.envVars" . | nindent 12 }}
-            {{- include "maintenance.envVars" . | nindent 12 }}
       volumes:
         - name: config-spec
           configMap:

diff --git a/deploy/helm/airflow-operator/templates/service.yaml b/deploy/helm/airflow-operator/templates/service.yaml
@@ -1,3 +1,4 @@
+
 ---
 apiVersion: v1
 kind: Service
@@ -10,10 +11,7 @@ metadata:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
   selector:
-    {{- if .Values.maintenance.customResourceDefinitions.maintain }}
-    webhook.stackable.tech/conversion: enabled
-    {{- end }}
-    {{- include "operator.selectorLabels" . | nindent 4 }}
+    {{- include "operator.selectorLabels" . | nindent 6 }}
   ports:
     - name: conversion-webhook
       protocol: TCP

diff --git a/nix/sources.json b/nix/sources.json