chore: Remove hardcoded uid and gid

Author: lfrancke

CHANGELOG.md

@@ -25,6 +25,10 @@
 - test: Bump OPA to `1.4.2` ([#624]).
 - Deprecate airflow `2.10.4` ([#625]).
 - Move the git-sync implementation to operator-rs ([#623]). The functionality should not have changed.
+- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now ([#636])
+  - The `runAsUser` and `runAsGroup` fields will not be set anymore by the operator
+  - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
+  - This is marked as breaking because tools and policies might exist, which require these fields to be set
 
 ### Fixed
 
@@ -41,6 +45,7 @@
 [#623]: https://github.com/stackabletech/airflow-operator/pull/623
 [#624]: https://github.com/stackabletech/airflow-operator/pull/624
 [#625]: https://github.com/stackabletech/airflow-operator/pull/625
+[#636]: https://github.com/stackabletech/airflow-operator/pull/636
 
 ## [25.3.0] - 2025-03-21
 

rust/operator-binary/src/airflow_controller.rs

@@ -81,7 +81,7 @@ use crate::{
     config::{self, PYTHON_IMPORTS},
     controller_commons::{self, CONFIG_VOLUME_NAME, LOG_CONFIG_VOLUME_NAME, LOG_VOLUME_NAME},
     crd::{
-        self, AIRFLOW_CONFIG_FILENAME, AIRFLOW_UID, APP_NAME, AirflowClusterStatus, AirflowConfig,
+        self, AIRFLOW_CONFIG_FILENAME, APP_NAME, AirflowClusterStatus, AirflowConfig,
         AirflowConfigOptions, AirflowExecutor, AirflowRole, CONFIG_PATH, Container, ExecutorConfig,
         ExecutorConfigFragment, HTTP_PORT, HTTP_PORT_NAME, LISTENER_VOLUME_DIR,
         LISTENER_VOLUME_NAME, LOG_CONFIG_DIR, METRICS_PORT, METRICS_PORT_NAME, OPERATOR_NAME,
@@ -936,13 +936,7 @@ fn build_server_rolegroup_statefulset(
         .image_pull_secrets_from_product_image(resolved_product_image)
         .affinity(&merged_airflow_config.affinity)
         .service_account_name(service_account.name_any())
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(AIRFLOW_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
     let mut airflow_container = ContainerBuilder::new(&Container::Airflow.to_string())
         .context(InvalidContainerNameSnafu)?;
@@ -1233,13 +1227,7 @@ fn build_executor_template_config_map(
         .affinity(&merged_executor_config.affinity)
         .service_account_name(sa_name)
         .restart_policy("Never")
-        .security_context(
-            PodSecurityContextBuilder::new()
-                .run_as_user(AIRFLOW_UID)
-                .run_as_group(0)
-                .fs_group(1000)
-                .build(),
-        );
+        .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
     add_executor_graceful_shutdown_config(merged_executor_config, &mut pb)
         .context(GracefulShutdownSnafu)?;

rust/operator-binary/src/crd/mod.rs

@@ -57,7 +57,6 @@ pub mod affinity;
 pub mod authentication;
 pub mod authorization;
 
-pub const AIRFLOW_UID: i64 = 1000;
 pub const APP_NAME: &str = "airflow";
 pub const OPERATOR_NAME: &str = "airflow.stackable.tech";
 pub const CONFIG_PATH: &str = "/stackable/app/config";