From fa9c584c424a253ae44748777c2d467cf9441443 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 10:01:25 +0200 Subject: [PATCH 1/8] feat!: Add a new CLI flag/env to disabling CRD maintenance --- crates/stackable-operator/CHANGELOG.md | 6 +++ crates/stackable-operator/src/cli.rs | 11 ++++ crates/stackable-webhook/CHANGELOG.md | 6 +++ .../src/servers/conversion.rs | 52 ++++++++++++------- 4 files changed, 56 insertions(+), 19 deletions(-) diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md index 5382a1f7c..1ff69660c 100644 --- a/crates/stackable-operator/CHANGELOG.md +++ b/crates/stackable-operator/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added + +- BREAKING: Add a new CLI flag/env to disabling CRD maintenance: `--disable-crd-maintenance` ([#10XX]). + +[#10XX]: https://github.com/stackabletech/operator-rs/pull/10XX + ## [0.96.0] - 2025-08-25 ### Added diff --git a/crates/stackable-operator/src/cli.rs b/crates/stackable-operator/src/cli.rs index 3c91bae9d..b03961345 100644 --- a/crates/stackable-operator/src/cli.rs +++ b/crates/stackable-operator/src/cli.rs 
@@ -245,6 +245,17 @@ pub struct ProductOperatorRun { /// Provides a specific namespace to watch (instead of watching all namespaces) #[arg(long, env, default_value = "")] pub watch_namespace: WatchNamespace, + + /// Don't maintain the CustomResourceDefinitions (CRDs) the operator is responsible for. + /// + /// Maintenance includes creating the CRD initially, adding new versions and keeping the TLS + /// certificate of webhooks up to date. Turning this off can be desirable to reduce the RBAC + /// permission of the operators. + /// + /// WARNING: If you disable CRD maintenance you are responsible for maintaining it, including + /// the points above. + #[arg(long, env)] + pub disable_crd_maintenance: bool, } /// All the CLI arguments that all (or at least most) Stackable applications use. diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md index c0571e4a7..0a5fb806a 100644 --- a/crates/stackable-webhook/CHANGELOG.md +++ b/crates/stackable-webhook/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added + +- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookServer::new` ([#10XX]). + +[#10XX]: https://github.com/stackabletech/operator-rs/pull/10XX + ## [0.5.0] - 2025-08-21 ### Changed diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs index ed6b63579..190a86e3f 100644 --- a/crates/stackable-webhook/src/servers/conversion.rs +++ b/crates/stackable-webhook/src/servers/conversion.rs 
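Review bot: The doc comment on `disable_crd_maintenance` in `ProductOperatorRun` (cli.rs) presents the flag as a way to reduce RBAC permissions, but the flag only stops the operator from using those permissions; the rules that allow creating and patching CustomResourceDefinitions have to be removed from the operator's role separately. I would add `/// Setting this flag does not change any RBAC rules by itself: remove the CRD write rules from the operator's role as well.` below the first paragraph. "Turning this off" is also ambiguous next to a flag named `disable_…`; `Disabling maintenance can be desirable …` reads unambiguously. The same paragraph is reworded later in this series (PATCH 4/8) without addressing either point.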
@@ -91,17 +91,22 @@ pub struct ConversionWebhookServer { options: ConversionWebhookOptions, router: Router, client: Client, + maintain_crds: bool, } impl ConversionWebhookServer { /// Creates a new conversion webhook server, which expects POST requests being made to the /// `/convert/{crd name}` endpoint. /// - /// You need to provide two things for every CRD passed in via the `crds_and_handlers` argument: + /// You need to provide a few things for every CRD passed in via the `crds_and_handlers` argument: /// /// 1. The CRD /// 2. A conversion function to convert between CRD versions. Typically you would use the - /// the auto-generated `try_convert` function on CRD spec definition structs for this. + /// the auto-generated `try_convert` function on CRD spec definition structs for this. + /// 3. A [`kube::Client`] used to create/update the CRDs. + /// 4. If we should maintain the CRDs. Use `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance` + /// for this. + // # Because of https://github.com/rust-lang/cargo/issues/3475 we can not use a real link here /// /// The [`ConversionWebhookServer`] takes care of reconciling the CRDs into the Kubernetes /// cluster and takes care of adding itself as conversion webhook. This includes TLS @@ -165,6 +170,7 @@ impl ConversionWebhookServer { crds_and_handlers: impl IntoIterator, options: ConversionWebhookOptions, client: Client, + maintain_crds: bool, ) -> Result where H: WebhookHandler + Clone + Send + Sync + 'static, @@ -190,6 +196,7 @@ impl ConversionWebhookServer { router, client, crds, + maintain_crds, }) } @@ -201,6 +208,7 @@ impl ConversionWebhookServer { router, client, crds, + maintain_crds, } = self; let ConversionWebhookOptions { 
@@ -233,28 +241,34 @@ impl ConversionWebhookServer { .recv() .await .context(ReceiveCertificateFromChannelSnafu)?; - Self::reconcile_crds( - &client, - field_manager, - &crds, - operator_namespace, - operator_service_name, - current_cert, - ) - .await - .context(ReconcileCrdsSnafu)?; - - try_join!( - Self::run_webhook_server(server), - Self::run_crd_reconciliation_loop( - cert_rx, + if maintain_crds { + Self::reconcile_crds( &client, field_manager, &crds, operator_namespace, operator_service_name, - ), - )?; + current_cert, + ) + .await + .context(ReconcileCrdsSnafu)?; + } + + if maintain_crds { + try_join!( + Self::run_webhook_server(server), + Self::run_crd_reconciliation_loop( + cert_rx, + &client, + field_manager, + &crds, + operator_namespace, + operator_service_name, + ), + )?; + } else { + Self::run_webhook_server(server).await?; + }; Ok(()) } From 666c1b9df6331a98c8ac3d25e6758f2c938b3fc2 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 10:05:45 +0200 Subject: [PATCH 2/8] changelog --- crates/stackable-operator/CHANGELOG.md | 4 ++-- crates/stackable-webhook/CHANGELOG.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md index 1ff69660c..15f0b4cfb 100644 --- a/crates/stackable-operator/CHANGELOG.md +++ b/crates/stackable-operator/CHANGELOG.md @@ -6,9 +6,9 @@ All notable changes to this project will be documented in this file. ### Added -- BREAKING: Add a new CLI flag/env to disabling CRD maintenance: `--disable-crd-maintenance` ([#10XX]). +- BREAKING: Add a new CLI flag/env to disabling CRD maintenance: `--disable-crd-maintenance` ([#1085]). -[#10XX]: https://github.com/stackabletech/operator-rs/pull/10XX +[#1085]: https://github.com/stackabletech/operator-rs/pull/1085 ## [0.96.0] - 2025-08-25 diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md index 0a5fb806a..a8eaa8c35 100644 
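Review bot: In the new `else` branch of `run` (conversion.rs) nothing receives from `cert_rx` after the first certificate, yet the receiver stays alive until the function returns. The channel type and the sending side are not visible in this hunk; if the channel is bounded and the TLS server awaits each send when it rotates its certificate, rotation could block once the buffer is full, so please confirm and state the decision in a comment such as `// CRD maintenance disabled: rotated certificates are intentionally not consumed here`. The first `recv()` also still runs when `maintain_crds` is false, and its result is then unused. A startup log line saying that CRD maintenance is disabled would help whoever later debugs conversion failures caused by a certificate that was never propagated to the CRDs. `run` begins outside the hunk.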
--- a/crates/stackable-webhook/CHANGELOG.md +++ b/crates/stackable-webhook/CHANGELOG.md @@ -6,9 +6,9 @@ All notable changes to this project will be documented in this file. ### Added -- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookServer::new` ([#10XX]). +- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookServer::new` ([#1085]). -[#10XX]: https://github.com/stackabletech/operator-rs/pull/10XX +[#1085]: https://github.com/stackabletech/operator-rs/pull/1085 ## [0.5.0] - 2025-08-21 From 35511198d5966513fd90f1ffbcb2d6e91c707725 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 10:31:43 +0200 Subject: [PATCH 3/8] Update docs --- crates/stackable-operator/src/cli.rs | 1 + crates/stackable-webhook/src/servers/conversion.rs | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/crates/stackable-operator/src/cli.rs b/crates/stackable-operator/src/cli.rs index b03961345..c3fdaeb56 100644 --- a/crates/stackable-operator/src/cli.rs +++ b/crates/stackable-operator/src/cli.rs @@ -208,6 +208,7 @@ pub enum Command { /// operator_namespace: "stackable-operators".to_string(), /// operator_service_name: "foo-operator".to_string(), /// }, +/// disable_crd_maintenance: false, /// }, /// })); /// ``` diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs index 190a86e3f..b16199dd8 100644 --- a/crates/stackable-webhook/src/servers/conversion.rs +++ b/crates/stackable-webhook/src/servers/conversion.rs 
@@ -124,14 +124,18 @@ impl ConversionWebhookServer { /// use stackable_operator::{ /// kube::Client, /// crd::s3::{S3Connection, S3ConnectionVersion}, - /// cli::OperatorEnvironmentOptions, + /// cli::ProductOperatorRun, /// }; /// /// # async fn test() { /// // Things that should already be in you operator: /// const OPERATOR_NAME: &str = "product-operator"; /// let client = Client::try_default().await.expect("failed to create Kubernetes client"); - /// let operator_environment = OperatorEnvironmentOptions::parse(); + /// let ProductOperatorRun { + /// operator_environment, + /// disable_crd_maintenance, + /// .. + /// } = ProductOperatorRun::parse(); /// /// let crds_and_handlers = [ /// ( @@ -155,6 +159,7 @@ impl ConversionWebhookServer { /// crds_and_handlers, /// options, /// client, + /// !disable_crd_maintenance, /// ) /// .await /// .expect("failed to create ConversionWebhookServer"); From 3dfba2443822002cf215cd418f5032e9da58974f Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 12:00:03 +0200 Subject: [PATCH 4/8] Update crates/stackable-operator/src/cli.rs Co-authored-by: Techassi --- crates/stackable-operator/src/cli.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crates/stackable-operator/src/cli.rs b/crates/stackable-operator/src/cli.rs index c3fdaeb56..d3d244edb 100644 --- a/crates/stackable-operator/src/cli.rs +++ b/crates/stackable-operator/src/cli.rs 
@@ -251,10 +251,10 @@ pub struct ProductOperatorRun { /// /// Maintenance includes creating the CRD initially, adding new versions and keeping the TLS /// certificate of webhooks up to date. Turning this off can be desirable to reduce the RBAC - /// permission of the operators. + /// permissions of the operator. /// - /// WARNING: If you disable CRD maintenance you are responsible for maintaining it, including - /// the points above. + /// WARNING: If you disable CRD maintenance you are responsible for maintaining it, including, + /// but not limited to, the points above. #[arg(long, env)] pub disable_crd_maintenance: bool, } From 1bb078bba32170a1121ca6b78035da57661041c2 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 12:00:18 +0200 Subject: [PATCH 5/8] Update crates/stackable-webhook/src/servers/conversion.rs Co-authored-by: Techassi --- crates/stackable-webhook/src/servers/conversion.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs index b16199dd8..6d733114c 100644 --- a/crates/stackable-webhook/src/servers/conversion.rs +++ b/crates/stackable-webhook/src/servers/conversion.rs @@ -104,7 +104,7 @@ impl ConversionWebhookServer { /// 2. A conversion function to convert between CRD versions. Typically you would use the /// the auto-generated `try_convert` function on CRD spec definition structs for this. /// 3. A [`kube::Client`] used to create/update the CRDs. - /// 4. If we should maintain the CRDs. Use `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance` + /// 4. If the CRDs should be maintained automatically. Use `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance` /// for this. // # Because of https://github.com/rust-lang/cargo/issues/3475 we can not use a real link here /// From a53cf8fc3c39a061c0192e8177b5e68c41b0c0ef Mon Sep 17 00:00:00 2001 
From: Sebastian Bernauer Date: Wed, 27 Aug 2025 12:02:05 +0200 Subject: [PATCH 6/8] collapse ifs --- crates/stackable-webhook/src/servers/conversion.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs index 6d733114c..98c5ca34c 100644 --- a/crates/stackable-webhook/src/servers/conversion.rs +++ b/crates/stackable-webhook/src/servers/conversion.rs @@ -246,6 +246,7 @@ impl ConversionWebhookServer { .recv() .await .context(ReceiveCertificateFromChannelSnafu)?; + if maintain_crds { Self::reconcile_crds( &client, @@ -257,9 +258,7 @@ impl ConversionWebhookServer { ) .await .context(ReconcileCrdsSnafu)?; - } - if maintain_crds { try_join!( Self::run_webhook_server(server), Self::run_crd_reconciliation_loop( From 72404a4dc7e67c88caec4037c37a6a8877be1519 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 12:11:22 +0200 Subject: [PATCH 7/8] Move maintain_crds into ConversionWebhookOptions --- .../src/servers/conversion.rs | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs index 98c5ca34c..baa79c241 100644 --- a/crates/stackable-webhook/src/servers/conversion.rs +++ b/crates/stackable-webhook/src/servers/conversion.rs 
@@ -78,6 +78,12 @@ pub struct ConversionWebhookOptions { /// The name of the Kubernetes service which points to the operator/webhook. pub service_name: String, + /// If the CRDs should be maintained automatically. Use the (negated) value from + /// `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance` + /// for this. + // # Because of https://github.com/rust-lang/cargo/issues/3475 we can not use a real link here + pub maintain_crds: bool, + /// The field manager used to apply Kubernetes objects, typically the operator name, e.g. /// `airflow-operator`. pub field_manager: String, @@ -91,7 +97,6 @@ pub struct ConversionWebhookServer { options: ConversionWebhookOptions, router: Router, client: Client, - maintain_crds: bool, } impl ConversionWebhookServer { @@ -104,9 +109,6 @@ impl ConversionWebhookServer { /// 2. A conversion function to convert between CRD versions. Typically you would use the /// the auto-generated `try_convert` function on CRD spec definition structs for this. /// 3. A [`kube::Client`] used to create/update the CRDs. - /// 4. If the CRDs should be maintained automatically. Use `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance` - /// for this. - // # Because of https://github.com/rust-lang/cargo/issues/3475 we can not use a real link here /// /// The [`ConversionWebhookServer`] takes care of reconciling the CRDs into the Kubernetes /// cluster and takes care of adding itself as conversion webhook. This includes TLS @@ -149,9 +151,10 @@ impl ConversionWebhookServer { /// socket_addr: format!("0.0.0.0:{CONVERSION_WEBHOOK_HTTPS_PORT}") /// .parse() /// .expect("static address is always valid"), - /// field_manager: OPERATOR_NAME.to_owned(), /// namespace: operator_environment.operator_namespace, /// service_name: operator_environment.operator_service_name, + /// maintain_crds: !disable_crd_maintenance, + /// field_manager: OPERATOR_NAME.to_owned(), /// }; /// /// // Construct the conversion webhook server 
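Review bot: The doc comment on the new `maintain_crds` field of `ConversionWebhookOptions` says where the value comes from but not what `false` does, and the field has the opposite polarity of the `disable_crd_maintenance` CLI flag, so a forgotten `!` silently inverts the operator's intent. Judging from the `run` hunks in this series, `false` keeps the webhook server running and skips both the initial CRD reconciliation and the reconciliation loop; I would say so in the doc comment, e.g. `/// If false, the server only serves conversion requests and never creates or updates the CRDs.` A two-variant enum instead of a bare `bool` would turn the inversion into a compile error at the call site, though that is a larger API change. The struct starts and ends outside the hunk.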
@@ -159,7 +162,6 @@ impl ConversionWebhookServer { /// crds_and_handlers, /// options, /// client, - /// !disable_crd_maintenance, /// ) /// .await /// .expect("failed to create ConversionWebhookServer"); @@ -175,7 +177,6 @@ impl ConversionWebhookServer { crds_and_handlers: impl IntoIterator, options: ConversionWebhookOptions, client: Client, - maintain_crds: bool, ) -> Result where H: WebhookHandler + Clone + Send + Sync + 'static, @@ -201,7 +202,6 @@ impl ConversionWebhookServer { router, client, crds, - maintain_crds, }) } @@ -213,14 +213,14 @@ impl ConversionWebhookServer { router, client, crds, - maintain_crds, } = self; let ConversionWebhookOptions { socket_addr, - field_manager, namespace: operator_namespace, service_name: operator_service_name, + maintain_crds, + field_manager, } = &options; // This is how Kubernetes calls us, so it decides about the naming. @@ -247,7 +247,7 @@ impl ConversionWebhookServer { .await .context(ReceiveCertificateFromChannelSnafu)?; - if maintain_crds { + if *maintain_crds { Self::reconcile_crds( &client, field_manager, From 6526947a4046249e827bab62d20c25f92b96fdaa Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 27 Aug 2025 14:54:00 +0200 Subject: [PATCH 8/8] Update crates/stackable-webhook/CHANGELOG.md Co-authored-by: Techassi --- crates/stackable-webhook/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md index a8eaa8c35..5615c7219 100644 --- a/crates/stackable-webhook/CHANGELOG.md +++ b/crates/stackable-webhook/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Added -- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookServer::new` ([#1085]). +- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookOptions` ([#1085]). [#1085]: https://github.com/stackabletech/operator-rs/pull/1085