stackabletech · stackable-bot · Feb 13, 2026
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ result
 image.tar
 
 tilt_options.json
+.values.yaml
 
 .direnv/
 .direnvrc

diff --git a/Makefile b/Makefile
@@ -45,8 +45,8 @@ config:
 	fi
 
 crds:
-	mkdir -p extra
-	cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
+	mkdir -p deploy/helm/"${OPERATOR_NAME}"/crds
+	cargo run --bin stackable-"${OPERATOR_NAME}" -- crd | yq eval '.metadata.annotations["helm.sh/resource-policy"]="keep"' - > "deploy/helm/${OPERATOR_NAME}/crds/crds.yaml"
 
 chart-lint: compile-chart
 	docker run -it -v $(shell pwd):/build/helm-charts -w /build/helm-charts quay.io/helmpack/chart-testing:v3.5.0  ct lint --config deploy/helm/ct.yaml

diff --git a/Tiltfile b/Tiltfile
@@ -35,12 +35,18 @@ helm_values = settings.get('helm_values', None)
 
 helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name
 
-k8s_yaml(helm(
-   'deploy/helm/' + operator_name,
-   name=operator_name,
-   namespace="stackable-operators",
-   set=[
-      helm_override_image_repository,
-   ],
-   values=helm_values,
-))
+# Exclude stale CRDs from Helm chart, and apply the rest
+helm_crds, helm_non_crds = filter_yaml(
+   helm(
+      'deploy/helm/' + operator_name,
+      name=operator_name,
+      namespace="stackable-operators",
+      set=[
+         helm_override_image_repository,
+      ],
+      values=helm_values,
+   ),
+   api_version = "^apiextensions\\.k8s\\.io/.*$",
+   kind = "^CustomResourceDefinition$",
+)
+k8s_yaml(helm_non_crds)
diff --git a/deny.toml b/deny.toml
@@ -24,6 +24,20 @@ ignore = [
     #
     # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue
     "RUSTSEC-2023-0071",
+
+    # https://rustsec.org/advisories/RUSTSEC-2024-0436
+    # The "paste" crate is no longer maintained because the owner states that the implementation is
+    # finished. There are at least two (forked) alternatives which state to be maintained. They'd
+    # need to be vetted before a potential switch. Additionally, they'd need to be in a maintained
+    # state for a couple of years to provide any benefit over using "paste".
+    #
+    # This crate is only used in a single place in the xtask package inside the declarative
+    # "write_crd" macro. The impact of vulnerabilities, if any, should be fairly minimal.
+    #
+    # See thread: https://users.rust-lang.org/t/paste-alternatives/126787/4
+    #
+    # This can only be removed again if we decide to use a different crate.
+    "RUSTSEC-2024-0436",
 ]
 
 [bans]
@@ -67,6 +81,9 @@ license-files = [
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+allow-git = [
+    "https://github.com/kube-rs/kube-rs",
+]
 
 [sources.allow-org]
 github = ["stackabletech"]
diff --git a/deploy/helm/opa-operator/crds/crds.yaml b/deploy/helm/opa-operator/crds/crds.yaml
diff --git a/deploy/helm/opa-operator/templates/deployment.yaml b/deploy/helm/opa-operator/templates/deployment.yaml
@@ -21,9 +21,6 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        {{- if .Values.maintenance.customResourceDefinitions.maintain }}
-        webhook.stackable.tech/conversion: enabled
-        {{- end }}
         {{- include "operator.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.image.pullSecrets }}
@@ -77,16 +74,13 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
 
-            - name: OPA_BUNDLE_BUILDER_CLUSTERROLE
-              value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole
-
             {{- if .Values.kubernetesClusterDomain }}
             - name: KUBERNETES_CLUSTER_DOMAIN
               value: {{ .Values.kubernetesClusterDomain | quote }}
             {{- end }}
-
             {{- include "telemetry.envVars" . | nindent 12 }}
-            {{- include "maintenance.envVars" . | nindent 12 }}
+            - name: OPA_BUNDLE_BUILDER_CLUSTERROLE
+              value: {{ include "operator.fullname" . }}-opa-bundle-builder-clusterrole
       volumes:
         - name: config-spec
           configMap:

diff --git a/deploy/helm/opa-operator/templates/service.yaml b/deploy/helm/opa-operator/templates/service.yaml
@@ -1,16 +1,17 @@
+
 ---
 apiVersion: v1
 kind: Service
 metadata:
+  # Note(@sbernauer): We could also call the Service something like
+  # "product-operator-conversion-webhook". However, in the future we will have more webhooks, and
+  # it seems like an overkill to have a dedicated Service per webhook.
   name: {{ include "operator.fullname" . }}
   labels:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
   selector:
-    {{- if .Values.maintenance.customResourceDefinitions.maintain }}
-    webhook.stackable.tech/conversion: enabled
-    {{- end }}
-    {{- include "operator.selectorLabels" . | nindent 4 }}
+    {{- include "operator.selectorLabels" . | nindent 6 }}
   ports:
     - name: conversion-webhook
       protocol: TCP