villebro opened a new pull request, #92: URL: https://github.com/apache/superset-kubernetes-operator/pull/92
## Summary

Pre-flight cleanups before calling the 0.1.0 vote on `[email protected]`. The audit covered codebase hygiene, feature parity against the upstream Apache Superset Helm chart (`apache/superset/helm/superset` at `0.15.5` / `appVersion: 5.0.0`), accuracy of the Helm migration guide, and alignment between the documented security posture and the implementation.

Two reviewer passes added several substantive items — most notably an ASF source-release artifact pipeline (signed `.tar.gz`, `.asc`, `.sha512`, `dist.apache.org` staging) which the previous release docs and scripts did not produce, and a per-component `image.pullPolicy` field that the migration guide claimed existed but didn't. A follow-up consistency sweep across types, CRD, docs, and merge functions came back clean — no other phantom-field mismatches.

No behavior changes for existing CRs. The new `pullPolicy` override is additive and falls back to `spec.image.pullPolicy` when unset.

## Details

### API

- New `<component>.image.pullPolicy` field on `ImageOverrideSpec`, mirroring the existing `repository` / `tag` overrides. Resolves into the per-component `FlatComponentSpec.Image` via `flatSpecFromResolution`; falls back to `spec.image.pullPolicy` when unset. Closes the migration-guide claim that previously referenced a non-existent `podTemplate.container.imagePullPolicy`.

### Release tooling

- `scripts/release-rc.sh` — portable `sed_inplace` wrapper (was `sed -i ''`, BSD-only and broken on Linux runners). Switched the regen step to `make codegen`. Added `make check-license` and `make lint` to the pre-tag checks. `CHART_VERSION` now defaults to the operator `VERSION` so the source archive can't capture a stale `0.0.0-dev` `Chart.yaml`.
- `scripts/release-source.sh` (new) — wraps `git archive` + `gpg` + `shasum` in `--rc` and `--finalize` modes. Always runs `shasum` from the file's own directory so the `.sha512` carries a bare filename; in `--finalize` mode reuses the staged RC tarball bytes (detached signatures verify contents, not filename) and regenerates `.sha512` under the final name. Self-verifies before exiting.
- `Makefile` — `make helm` now passes `--app-version $(VERSION)` to `helm package`, matching what `docs/contributing/releasing.md` already claimed.

### Docs

- `docs/reference/security.md` — "Prod vs Dev Mode" → "Production/Staging vs Development Mode" with `Staging` called out explicitly. Added `previousSecretKeyFrom`, `lifecycle.clone.source.passwordFrom`, and `websocketServer.configFrom` to the secret-handling allowlist. Split "Networking requires webServer" into separate Ingress and Gateway CEL bullets. Defense-in-depth note about Kyverno/OPA/VAP layered on CEL. Named the leader-election `Role`/`RoleBinding` and clarified namespace-scoping. PSA `restricted` recommendation for the operator namespace. New `## Supply Chain` section covering distroless variant, multi-arch, Cosign keyless signing, Renovate policy, SBOM/SLSA as future work.
- `docs/user-guide/migration.md` — comparison-target callout (chart `0.15.5` / app `5.0.0`); strengthened websocket-Ingress callout; sharpened `bootstrapScript` and `serviceAccount.create: false` rows; new rows for the chart's default `wait-for-postgres` / `wait-for-postgres-redis` initContainers and `automountServiceAccountToken`; new `## Known Parity Gaps` section. Per-component `image.pullPolicy` is now documented as supported (no longer a gap).
- `docs/contributing/releasing.md` — new `## Reviewing the Changelog` section with first-RC vs subsequent-RC flow guidance. New `## ASF Source Release Artifacts` section: `release-source.sh` invocation, dist.apache.org SVN staging, KEYS upkeep, full `[VOTE]` email template with verification recipe, vote thresholds (72h, ≥3 binding +1s, no -1s). "Finalizing a Release" extended with `release-source.sh --finalize`.
- `docs/contributing/development-guidelines.md` — new "Changelog entry" subsection covering when contributors add a bullet under `## [Unreleased]`.

### Other

- `CHANGELOG.md` (new) — Keep-a-Changelog stub with an empty `## [Unreleased]` section, ready to be populated as PRs land.
- `Makefile:209` — dropped the operator-sdk scaffold TODO.

## Out of scope (deferred to follow-up PRs)

- `automountServiceAccountToken` field on `PodTemplate`.
- `deploymentTemplate.labels` / `annotations` for chart parity.
- Managed `bootstrapScript` mechanism.
- SBOM and SLSA build-provenance generation in `release.yml`.
- Auto-invoking `release-source.sh` from `release-rc.sh` (kept independent so the pre-tag script doesn't depend on a local GPG key).
