From d71de071adda8e450e55dffb4771e759c1048bd6 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 14:38:06 +0200
Subject: [PATCH 1/7] chore(airflow): Move runtime constraint files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Natalie Klestrup Röijezon <nat.roijezon@stackable.tech>
Co-authored-by: Maxi Wittich <maximilian.wittich@stackable.tech>
---
 .../constraints/2.10.4/constraints-python3.12.txt}                | 0
 .../constraints/2.10.5/constraints-python3.12.txt}                | 0
 .../constraints/2.9.3/constraints-python3.9.txt}                  | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename airflow/{constraints-2.10.4-python3.12.txt => stackable/constraints/2.10.4/constraints-python3.12.txt} (100%)
 rename airflow/{constraints-2.10.5-python3.12.txt => stackable/constraints/2.10.5/constraints-python3.12.txt} (100%)
 rename airflow/{constraints-2.9.3-python3.9.txt => stackable/constraints/2.9.3/constraints-python3.9.txt} (100%)

diff --git a/airflow/constraints-2.10.4-python3.12.txt b/airflow/stackable/constraints/2.10.4/constraints-python3.12.txt
similarity index 100%
rename from airflow/constraints-2.10.4-python3.12.txt
rename to airflow/stackable/constraints/2.10.4/constraints-python3.12.txt
diff --git a/airflow/constraints-2.10.5-python3.12.txt b/airflow/stackable/constraints/2.10.5/constraints-python3.12.txt
similarity index 100%
rename from airflow/constraints-2.10.5-python3.12.txt
rename to airflow/stackable/constraints/2.10.5/constraints-python3.12.txt
diff --git a/airflow/constraints-2.9.3-python3.9.txt b/airflow/stackable/constraints/2.9.3/constraints-python3.9.txt
similarity index 100%
rename from airflow/constraints-2.9.3-python3.9.txt
rename to airflow/stackable/constraints/2.9.3/constraints-python3.9.txt

From 717defc444c24445163b64a8394fc28391a08052 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 14:38:27 +0200
Subject: [PATCH 2/7] chore(airflow): Add build constraint files

---
 .../constraints/2.10.4/build-constraints-python3.12.txt          | 1 +
 .../constraints/2.10.5/build-constraints-python3.12.txt          | 1 +
 .../stackable/constraints/2.9.3/build-constraints-python3.9.txt  | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 airflow/stackable/constraints/2.10.4/build-constraints-python3.12.txt
 create mode 100644 airflow/stackable/constraints/2.10.5/build-constraints-python3.12.txt
 create mode 100644 airflow/stackable/constraints/2.9.3/build-constraints-python3.9.txt

diff --git a/airflow/stackable/constraints/2.10.4/build-constraints-python3.12.txt b/airflow/stackable/constraints/2.10.4/build-constraints-python3.12.txt
new file mode 100644
index 000000000..0d2d86dd6
--- /dev/null
+++ b/airflow/stackable/constraints/2.10.4/build-constraints-python3.12.txt
@@ -0,0 +1 @@
+Cython==3.1.0
diff --git a/airflow/stackable/constraints/2.10.5/build-constraints-python3.12.txt b/airflow/stackable/constraints/2.10.5/build-constraints-python3.12.txt
new file mode 100644
index 000000000..0d2d86dd6
--- /dev/null
+++ b/airflow/stackable/constraints/2.10.5/build-constraints-python3.12.txt
@@ -0,0 +1 @@
+Cython==3.1.0
diff --git a/airflow/stackable/constraints/2.9.3/build-constraints-python3.9.txt b/airflow/stackable/constraints/2.9.3/build-constraints-python3.9.txt
new file mode 100644
index 000000000..41ed75c95
--- /dev/null
+++ b/airflow/stackable/constraints/2.9.3/build-constraints-python3.9.txt
@@ -0,0 +1 @@
+Cython==3.0.12

From f7ceb9f4945d0426d3d03e353fac7db5fe778fe2 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 14:40:50 +0200
Subject: [PATCH 3/7] chore(airflow): Use uv to install dependencies

---
 airflow/Dockerfile  | 20 +++++++++++++-------
 airflow/versions.py |  3 +++
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index fffa6fc25..ed241ff18 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
@@ -31,9 +31,7 @@ ARG TARGETARCH
 ARG STACKABLE_USER_UID
 ARG S3FS
 ARG CYCLONEDX_BOM
-
-COPY airflow/constraints-${PRODUCT}-python${PYTHON}.txt /tmp/constraints.txt
-COPY --from=opa-auth-manager-builder /tmp/opa-auth-manager/dist/opa_auth_manager-0.1.0-py3-none-any.whl /tmp/
+ARG UV
 
 # The mysql provider is currently excluded.
 # Requires implementation of https://github.com/apache/airflow/blob/2.2.5/scripts/docker/install_mysql.sh
@@ -62,19 +60,27 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
+COPY airflow/stackable/constraints/${PRODUCT}/constraints-python${PYTHON}.txt /tmp/constraints.txt
+COPY airflow/stackable/constraints/${PRODUCT}/build-constraints-python${PYTHON}.txt /tmp/build-constraints.txt
+COPY --from=opa-auth-manager-builder /tmp/opa-auth-manager/dist/opa_auth_manager-0.1.0-py3-none-any.whl /tmp/
+
 RUN <<EOF
 python${PYTHON} -m venv --system-site-packages /stackable/app
 
 source /stackable/app/bin/activate
 
+# Upgrade pip to the latest version
+# Also install uv to get support for build constraints
 pip install --no-cache-dir --upgrade pip
-pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt
+pip install --no-cache-dir uv==${UV}
+
+uv pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt --build-constraints /tmp/build-constraints.txt
 # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3
-pip install --no-cache-dir s3fs==${S3FS} cyclonedx-bom==${CYCLONEDX_BOM}
+uv pip install --no-cache-dir s3fs==${S3FS} cyclonedx-bom==${CYCLONEDX_BOM}
 # Needed for OIDC
-pip install --no-cache-dir Flask_OIDC==2.2.0 Flask-OpenID==1.3.1
+uv pip install --no-cache-dir Flask_OIDC==2.2.0 Flask-OpenID==1.3.1
 
-pip install --no-cache-dir /tmp/opa_auth_manager-0.1.0-py3-none-any.whl
+uv pip install --no-cache-dir /tmp/opa_auth_manager-0.1.0-py3-none-any.whl
 
 # Create the SBOM for Airflow
 # Important: All `pip install` commands must be above this line, otherwise the SBOM will be incomplete
diff --git a/airflow/versions.py b/airflow/versions.py
index f2cc93f0b..ee7fdc2c9 100644
--- a/airflow/versions.py
+++ b/airflow/versions.py
@@ -8,6 +8,7 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
     {
         "product": "2.10.4",
@@ -18,6 +19,7 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
     {
         "product": "2.10.5",
@@ -28,5 +30,6 @@
         "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.46.1",
+        "uv": "0.7.3",
     },
 ]

From c8f3399ee708c963ba834d6d09b7f07373c3e026 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 15:10:33 +0200
Subject: [PATCH 4/7] chore(superset): Move runtime constraint files

---
 .../constraints/4.0.2/constraints.txt}                            | 0
 .../constraints/4.1.1/constraints.txt}                            | 0
 .../constraints/4.1.2/constraints.txt}                            | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename superset/{constraints-4.0.2.txt => stackable/constraints/4.0.2/constraints.txt} (100%)
 rename superset/{constraints-4.1.1.txt => stackable/constraints/4.1.1/constraints.txt} (100%)
 rename superset/{constraints-4.1.2.txt => stackable/constraints/4.1.2/constraints.txt} (100%)

diff --git a/superset/constraints-4.0.2.txt b/superset/stackable/constraints/4.0.2/constraints.txt
similarity index 100%
rename from superset/constraints-4.0.2.txt
rename to superset/stackable/constraints/4.0.2/constraints.txt
diff --git a/superset/constraints-4.1.1.txt b/superset/stackable/constraints/4.1.1/constraints.txt
similarity index 100%
rename from superset/constraints-4.1.1.txt
rename to superset/stackable/constraints/4.1.1/constraints.txt
diff --git a/superset/constraints-4.1.2.txt b/superset/stackable/constraints/4.1.2/constraints.txt
similarity index 100%
rename from superset/constraints-4.1.2.txt
rename to superset/stackable/constraints/4.1.2/constraints.txt

From 4467aa5b2daf7ba9dceabf75ea1a0c9ee03c9c34 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 15:10:58 +0200
Subject: [PATCH 5/7] chore(superset): Add build constraints files

---
 superset/stackable/constraints/4.0.2/build-constraints.txt | 1 +
 superset/stackable/constraints/4.1.1/build-constraints.txt | 1 +
 superset/stackable/constraints/4.1.2/build-constraints.txt | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 superset/stackable/constraints/4.0.2/build-constraints.txt
 create mode 100644 superset/stackable/constraints/4.1.1/build-constraints.txt
 create mode 100644 superset/stackable/constraints/4.1.2/build-constraints.txt

diff --git a/superset/stackable/constraints/4.0.2/build-constraints.txt b/superset/stackable/constraints/4.0.2/build-constraints.txt
new file mode 100644
index 000000000..41ed75c95
--- /dev/null
+++ b/superset/stackable/constraints/4.0.2/build-constraints.txt
@@ -0,0 +1 @@
+Cython==3.0.12
diff --git a/superset/stackable/constraints/4.1.1/build-constraints.txt b/superset/stackable/constraints/4.1.1/build-constraints.txt
new file mode 100644
index 000000000..41ed75c95
--- /dev/null
+++ b/superset/stackable/constraints/4.1.1/build-constraints.txt
@@ -0,0 +1 @@
+Cython==3.0.12
diff --git a/superset/stackable/constraints/4.1.2/build-constraints.txt b/superset/stackable/constraints/4.1.2/build-constraints.txt
new file mode 100644
index 000000000..41ed75c95
--- /dev/null
+++ b/superset/stackable/constraints/4.1.2/build-constraints.txt
@@ -0,0 +1 @@
+Cython==3.0.12

From aa10479e625a6ae051d390150770766be117d60b Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 15:11:20 +0200
Subject: [PATCH 6/7] chore(superset): Use uv to install dependencies

---
 superset/Dockerfile  | 22 ++++++++++++++--------
 superset/versions.py |  3 +++
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/superset/Dockerfile b/superset/Dockerfile
index 285e0c9b0..d69a039ef 100644
--- a/superset/Dockerfile
+++ b/superset/Dockerfile
@@ -41,9 +41,7 @@ ARG AUTHLIB
 ARG TARGETARCH
 ARG TARGETOS
 ARG CYCLONEDX_BOM
-
-COPY superset/constraints-${PRODUCT}.txt /tmp/constraints.txt
-COPY --from=opa-authorizer-builder /tmp/opa-authorizer/dist/opa_authorizer-0.1.0-py3-none-any.whl /tmp/
+ARG UV
 
 RUN microdnf update \
     && microdnf install \
@@ -68,6 +66,12 @@ RUN microdnf update \
     && microdnf clean all && \
     rm -rf /var/cache/yum
 
+COPY superset/stackable/constraints/${PRODUCT}/constraints.txt /tmp/constraints.txt
+COPY superset/stackable/constraints/${PRODUCT}/build-constraints.txt /tmp/build-constraints.txt
+COPY --from=opa-authorizer-builder /tmp/opa-authorizer/dist/opa_authorizer-0.1.0-py3-none-any.whl /tmp/
+
+# Upgrade pip to the latest version
+# Also install uv to get support for build constraints
 # DL3042 false-positive, --no-chache-dir is specified a few lines below.
 #        See https://github.com/hadolint/hadolint/issues/1042.
 # hadolint ignore=DL3042
@@ -78,10 +82,12 @@ RUN python3 -m venv /stackable/app \
         --upgrade \
         setuptools==75.2.0 \
         pip \
-    && pip install \
+        uv==${UV} \
+    && uv pip install \
         --no-cache-dir \
         --upgrade \
-        --constraint /tmp/constraints.txt \
+        --constraints /tmp/constraints.txt \
+        --build-constraints /tmp/build-constraints.txt \
         apache-superset==${PRODUCT} \
         gevent \
         psycopg2-binary \
@@ -104,15 +110,15 @@ RUN python3 -m venv /stackable/app \
     # We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
     && if [[ "$PRODUCT" =~ ^4\.0\..* ]]; \
         then echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135" \
-        && pip install gunicorn==22.0.0; \
+        && uv pip install gunicorn==22.0.0; \
     fi \
-    && pip install \
+    && uv pip install \
         --no-cache-dir \
         --upgrade \
         python-json-logger \
         cyclonedx-bom==${CYCLONEDX_BOM} \
     && if [ -n "$AUTHLIB" ]; then pip install Authlib==${AUTHLIB}; fi && \
-    pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
+    uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
 
 COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter
 
diff --git a/superset/versions.py b/superset/versions.py
index 34caff7a4..3302ffcff 100644
--- a/superset/versions.py
+++ b/superset/versions.py
@@ -7,6 +7,7 @@
         "statsd_exporter": "0.28.0",
         "authlib": "1.2.1",  # https://github.com/dpgaspar/Flask-AppBuilder/blob/release/4.4.1/requirements/extra.txt#L7
         "stackable-base": "1.0.0",
+        "uv": "0.7.3",
     },
     {
         "product": "4.1.1",
@@ -16,6 +17,7 @@
         "statsd_exporter": "0.28.0",
         "authlib": "1.2.1",  # https://github.com/dpgaspar/Flask-AppBuilder/blob/release/4.5.0/requirements/extra.txt#L7
         "stackable-base": "1.0.0",
+        "uv": "0.7.3",
     },
     {
         "product": "4.1.2",
@@ -25,5 +27,6 @@
         "statsd_exporter": "0.28.0",
         "authlib": "1.2.1",  # https://github.com/dpgaspar/Flask-AppBuilder/blob/release/4.5.0/requirements/extra.txt#L7
         "stackable-base": "1.0.0",
+        "uv": "0.7.3",
     },
 ]

From 7533766120877d5a9089f81258e437e047d8d681 Mon Sep 17 00:00:00 2001
From: Techassi <git@techassi.dev>
Date: Mon, 12 May 2025 18:13:16 +0200
Subject: [PATCH 7/7] chore: Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c1e4b238c..015ab16ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- airflow,superset: Use `uv` to build the product ([#1116]).
 - ubi-rust-builder: Bump Rust toolchain to 1.85.0, cargo-cyclonedx to 0.5.7, and cargo-auditable to 0.6.6 ([#1050]).
 - ubi9-rust-builder: Bump base image and update protoc to `30.2` ([#1091]).
 - stackable-devel: Bump ubi9 base image ([#1103]).
@@ -53,6 +54,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- airflow: Pin Cython version ([#1116]).
 - druid: reduce docker image size by removing the recursive chown/chmods in the final image ([#1039]).
 - hadoop: reduce docker image size by removing the recursive chown/chmods in the final image ([#1029]).
 - hbase: reduce docker image size by removing the recursive chown/chmods in the final image ([#1028]).
@@ -63,6 +65,7 @@ All notable changes to this project will be documented in this file.
 - opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
 - opa: Manually install Go 1.23.9 ([#1103]).
 - spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
+- superset: Pin Cython version ([#1116]).
 - trino: reduce docker image size by removing the recursive chown/chmods in the final image ([#1025]).
 - zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
 - Fixed two hardcoded username references ([#1052]).
@@ -104,6 +107,7 @@ All notable changes to this project will be documented in this file.
 [#1103]: https://github.com/stackabletech/docker-images/pull/1103
 [#1106]: https://github.com/stackabletech/docker-images/pull/1106
 [#1108]: https://github.com/stackabletech/docker-images/pull/1108
+[#1116]: https://github.com/stackabletech/docker-images/pull/1116
 
 ## [25.3.0] - 2025-03-21