Merge remote-tracking branch 'origin/main' into feat/hadoop-3.5.0

Author: sbernauer

.scripts/upload_new_statsd_exporter_version.sh

@@ -19,12 +19,13 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
-- airflow: Bump statsd_exporter to `0.29.0` ([#1522]).
+- airflow: Bump statsd_exporter to `0.30.0` ([#1524]).
 - ci: Bump `docker/login-action` from `v3.6.0` to `v4.1.0` and `stackabletech/actions` to `v0.14.3` to escape Node.js 20 deprecation ([#1507]).
 - hbase: Update `hbase-opa-authorizer` from `0.1.0` to `0.2.0` and then `0.3.0` ([#1446], [#1454]).
 - stackable-base: Bump `containerdebug` to `0.4.0` and  `config-utils` to `0.4.0` ([#1521]).
-- statsd_exporter: Bump version from `0.28.0` to `0.29.0` ([#1522]).
-- superset: Bump statsd_exporter to `0.29.0` ([#1522]).
+- statsd_exporter: Bump version from `0.28.0` to `0.30.0` ([#1524]).
+  This uses a git mirror and patchable instead of sourcing from Nexus.
+- superset: Bump statsd_exporter to `0.30.0` ([#1524]).
 
 ### Fixed
 
@@ -39,6 +40,7 @@ All notable changes to this project will be documented in this file.
 
 - nifi: Remove `1.28.1`, deprecate `2.7.2` ([#1520]).
 - opa: Remove `1.8.0` ([#1509]).
+- spark-k8s: Remove `3.5.7` and `4.0.1` ([#1525]).
 
 [#1446]: https://github.com/stackabletech/docker-images/pull/1446
 [#1452]: https://github.com/stackabletech/docker-images/pull/1452
@@ -61,6 +63,8 @@ All notable changes to this project will be documented in this file.
 [#1518]: https://github.com/stackabletech/docker-images/pull/1518
 [#1520]: https://github.com/stackabletech/docker-images/pull/1520
 [#1521]: https://github.com/stackabletech/docker-images/pull/1521
+[#1525]: https://github.com/stackabletech/docker-images/pull/1525
+[#1524]: https://github.com/stackabletech/docker-images/pull/1524
 
 ## [26.3.0] - 2026-03-16
 

CHANGELOG.md

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7
+# check=error=true;skip=InvalidDefaultArgInFrom,SecretsUsedInArgOrEnv
 # Disabled error checks:
 # - SecretsUsedInArgOrEnv : OPA_AUTH_MANAGER is a false positive and breaks the build.
-# check=error=true;skip=InvalidDefaultArgInFrom,SecretsUsedInArgOrEnv
 
 ARG GIT_SYNC_VERSION
 

Cargo.lock

@@ -3,7 +3,7 @@
 
 # Deprecated since SDP 25.11
 [versions."2.9.3".local-images]
-"shared/statsd-exporter" = "0.29.0"
+"shared/statsd-exporter" = "0.30.0"
 vector = "0.55.0"
 stackable-devel = "1.0.0"
 
@@ -20,7 +20,7 @@ nodejs-version = "20"
 
 # LTS
 [versions."3.0.6".local-images]
-"shared/statsd-exporter" = "0.29.0"
+"shared/statsd-exporter" = "0.30.0"
 vector = "0.55.0"
 stackable-devel = "1.0.0"
 
@@ -56,7 +56,7 @@ nodejs-version = "20"
 
 # Supported
 [versions."3.1.6".local-images]
-"shared/statsd-exporter" = "0.29.0"
+"shared/statsd-exporter" = "0.30.0"
 vector = "0.55.0"
 stackable-devel = "1.0.0"
 

airflow/Dockerfile

@@ -14,6 +14,57 @@ targets = [
 
 [advisories]
 yanked = "deny"
+ignore = [
+  # https://rustsec.org/advisories/RUSTSEC-2023-0071
+  # "rsa" crate: Marvin Attack: potential key recovery through timing sidechannel
+  #
+  # No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
+  # So we need to accept this, as of SDP 26.3 we are "only" using the crate to create private +
+  # public key pairs used by webhooks, such as conversion or mutating webhooks.
+  #
+  # https://github.com/RustCrypto/RSA/issues/19 is the tracking issue
+  "RUSTSEC-2023-0071",
+
+  # https://rustsec.org/advisories/RUSTSEC-2024-0436
+  # The "paste" crate is no longer maintained because the owner states that the implementation is
+  # finished. There are at least two (forked) alternatives which state to be maintained. They'd
+  # need to be vetted before a potential switch. Additionally, they'd need to be in a maintained
+  # state for a couple of years to provide any benefit over using "paste".
+  #
+  # This crate is only used in a single place in the xtask package inside the declarative
+  # "write_crd" macro. The impact of vulnerabilities, if any, should be fairly minimal.
+  #
+  # See thread: https://users.rust-lang.org/t/paste-alternatives/126787/4
+  #
+  # This can only be removed again if we decide to use a different crate.
+  "RUSTSEC-2024-0436",
+
+  # https://rustsec.org/advisories/RUSTSEC-2026-0097
+  # rand 0.8.5 is unsound when log+thread_rng features are enabled and a custom logger calls rand::rng().
+  #
+  # This version is pulled in transitively via num-bigint-dig -> rsa -> stackable-certs and cannot be
+  # updated until the upstream rsa crate bumps its rand dependency.
+  "RUSTSEC-2026-0097",
+
+  # https://rustsec.org/advisories/RUSTSEC-2026-0173
+  # The author of `proc-macro-error2` has [confirmed](https://github.com/GnomedDev/proc-macro-error-2/issues/17#issuecomment-4643215473)
+  # that the crate is no longer maintained and recommends that users migrate away from it.
+  #
+  # There currently is no way for us to negate this advisory, because that crate is not used
+  # directly by us. We need to wait for new versions of oci-spec and getset. See the following
+  # issue which tracks moving to a newer getset version: https://github.com/youki-dev/oci-spec-rs/issues/340
+  #
+  # proc-macro-error2 v2.0.1
+  #  └── getset v0.1.6
+  #      └── oci-spec v0.9.0
+  #          └── boil v0.2.1
+  #
+  # Alternate crates are:
+  #
+  # - https://crates.io/crates/manyhow
+  # - https://github.com/SergioBenitez/proc-macro2-diagnostics
+  "RUSTSEC-2026-0173",
+]
 
 [bans]
 multiple-versions = "allow"
@@ -31,7 +82,7 @@ allow = [
   "LicenseRef-webpki",
   "MIT",
   "MPL-2.0",
-  "OpenSSL",           # Needed for the ring and/or aws-lc-sys crate. See https://github.com/stackabletech/operator-templating/pull/464 for details
+  "OpenSSL", # Needed for the ring and/or aws-lc-sys crate. See https://github.com/stackabletech/operator-templating/pull/464 for details
   "Unicode-3.0",
   "Unicode-DFS-2016",
   "Zlib",
@@ -52,6 +103,7 @@ license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+allow-git = ["https://github.com/kube-rs/kube-rs"]
 
 [sources.allow-org]
 github = ["stackabletech"]

airflow/boil-config.toml

@@ -1,6 +1,7 @@
+# syntax=docker/dockerfile:1.16.0@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7
+# check=error=true;skip=InvalidDefaultArgInFrom
 
 ARG GOLANG_VERSION
-
 FROM oci.stackable.tech/sdp/library/golang:${GOLANG_VERSION} AS golang-image
 
 FROM local-image/stackable-devel AS multilog-builder

deny.toml

@@ -4,6 +4,15 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.2.2] - 2026-06-12
+
+[See complete diff](https://github.com/stackabletech/docker-images/compare/boil-0.2.1..boil-0.2.2)
+
+### Features
+
+- Improve empty image version filter error ([#1527](https://github.com/stackabletech/docker-images/pull/1527)).
+- Add new image check command ([#1464](https://github.com/stackabletech/docker-images/pull/1464)).
+
 ## [0.2.1] - 2026-04-17
 
 [See complete diff](https://github.com/stackabletech/docker-images/compare/boil-0.2.0..boil-0.2.1)
@@ -12,6 +21,10 @@ All notable changes to this project will be documented in this file.
 
 - Relax vendor version constraint ([#1469](https://github.com/stackabletech/docker-images/pull/1469)).
 
+### Miscellaneous
+
+- Vendor openssl for better portability ([#1459](https://github.com/stackabletech/docker-images/pull/1459)).
+
 ## [0.2.0] - 2026-04-14
 
 [See complete diff](https://github.com/stackabletech/docker-images/compare/boil-0.1.7..boil-0.2.0)

opa/Dockerfile

@@ -1,6 +1,6 @@
 [package]
 name = "boil"
-version = "0.2.1" # Managed by .scripts/release_boil.sh
+version = "0.2.2" # Managed by .scripts/release_boil.sh
 edition = "2024"
 authors.workspace = true
 license.workspace = true

rust/boil/CHANGELOG.md

@@ -70,14 +70,17 @@ pub enum Error {
 
 #[derive(Debug, Snafu)]
 pub enum TargetsError {
-    #[snafu(display("encountered invalid image version"))]
-    InvalidImageVersion { source: ImageConfigError },
-
     #[snafu(display("failed to read image config"))]
     ReadImageConfig { source: ImageConfigError },
 
     #[snafu(display("failed to resolve parent directory of image config at {path}", path = path.display()))]
     ResolveParentDirectory { path: PathBuf },
+
+    #[snafu(display("provided filter version(s) ({image_name}={versions}) yielded empty list", versions = versions.join(", ")))]
+    EmptyFilter {
+        versions: Vec<String>,
+        image_name: String,
+    },
 }
 
 #[derive(Debug, Default)]
@@ -187,9 +190,15 @@ impl Targets {
                 ImageConfig::from_file(image_config_path).context(ReadImageConfigSnafu)?;
 
             // Create a list of image versions we need to generate targets for in the bakefile.
-            image_config
-                .filter_by_version(&image.versions)
-                .context(InvalidImageVersionSnafu)?;
+            image_config.filter_by_version(&image.versions);
+
+            ensure!(
+                !image_config.versions.is_empty(),
+                EmptyFilterSnafu {
+                    versions: image.versions.clone(),
+                    image_name: image.name.clone(),
+                }
+            );
 
             targets.insert_targets(image.name.clone(), image_config, &options, true)?;
         }
@@ -222,9 +231,15 @@ impl Targets {
                     let mut image_config =
                         ImageConfig::from_file(image_config_path).context(ReadImageConfigSnafu)?;
 
-                    image_config
-                        .filter_by_version(&[image_version])
-                        .context(InvalidImageVersionSnafu)?;
+                    image_config.filter_by_version(&[image_version]);
+
+                    ensure!(
+                        !image_config.versions.is_empty(),
+                        EmptyFilterSnafu {
+                            versions: vec![image_version.clone()],
+                            image_name: image_name.clone(),
+                        }
+                    );
 
                     // Wowzers, recursion!
                     self.insert_targets(image_name.clone(), image_config, options, false)?;