feat: Version the CRD types

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Version CRD structs and enums as v1alpha1 ([#636]).
+
+[#636]: https://github.com/stackabletech/secret-operator/pull/636
+
 ## [25.7.0] - 2025-07-23
 
 ## [25.7.0-rc1] - 2025-07-18

Cargo.toml

@@ -11,7 +11,7 @@ edition = "2021"
 repository = "https://github.com/stackabletech/secret-operator"
 
 [workspace.dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["time", "telemetry"], tag = "stackable-operator-0.96.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["time", "telemetry", "versioned"], tag = "stackable-operator-0.96.0" }
 krb5 = { git = "https://github.com/stackabletech/krb5-rs.git", tag = "v0.1.0" }
 
 anyhow = "1.0"

rust/operator-binary/src/backend/cert_manager.rs

@@ -20,7 +20,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::{self, CertificateKeyGeneration},
+    crd::v1alpha1,
     external_crd::{self, cert_manager::CertificatePrivateKey},
     format::SecretData,
     utils::Unloggable,
@@ -99,7 +99,7 @@ impl SecretBackendError for Error {
 pub struct CertManager {
     // Not secret per se, but Client isn't Debug: https://github.com/stackabletech/secret-operator/issues/411
     pub client: Unloggable<stackable_operator::client::Client>,
-    pub config: crd::CertManagerBackend,
+    pub config: v1alpha1::CertManagerBackend,
 }
 
 #[async_trait]
@@ -160,7 +160,7 @@ impl SecretBackend for CertManager {
                     kind: Some(self.config.issuer.kind.to_string()),
                 },
                 private_key: match self.config.key_generation {
-                    CertificateKeyGeneration::Rsa { length } => CertificatePrivateKey {
+                    v1alpha1::CertificateKeyGeneration::Rsa { length } => CertificatePrivateKey {
                         algorithm: "RSA".to_string(),
                         size: length,
                     },

rust/operator-binary/src/backend/dynamic.rs

@@ -15,10 +15,7 @@ use super::{
     pod_info::{PodInfo, SchedulingPodInfo},
     tls,
 };
-use crate::{
-    crd::{self, SecretClass},
-    utils::Unloggable,
-};
+use crate::{crd::v1alpha1, utils::Unloggable};
 
 pub struct DynError(Box<dyn SecretBackendError>);
 
@@ -129,18 +126,18 @@ impl SecretBackendError for FromClassError {
 
 pub async fn from_class(
     client: &stackable_operator::client::Client,
-    class: SecretClass,
+    class: v1alpha1::SecretClass,
 ) -> Result<Box<Dynamic>, FromClassError> {
     Ok(match class.spec.backend {
-        crd::SecretClassBackend::K8sSearch(crd::K8sSearchBackend {
+        v1alpha1::SecretClassBackend::K8sSearch(v1alpha1::K8sSearchBackend {
             search_namespace,
             trust_store_config_map_name,
         }) => from(super::K8sSearch {
             client: Unloggable(client.clone()),
             search_namespace,
             trust_store_config_map_name,
         }),
-        crd::SecretClassBackend::AutoTls(crd::AutoTlsBackend {
+        v1alpha1::SecretClassBackend::AutoTls(v1alpha1::AutoTlsBackend {
             ca,
             additional_trust_roots,
             max_certificate_lifetime,
@@ -153,11 +150,11 @@ pub async fn from_class(
             )
             .await?,
         ),
-        crd::SecretClassBackend::CertManager(config) => from(super::CertManager {
+        v1alpha1::SecretClassBackend::CertManager(config) => from(super::CertManager {
             client: Unloggable(client.clone()),
             config,
         }),
-        crd::SecretClassBackend::KerberosKeytab(crd::KerberosKeytabBackend {
+        v1alpha1::SecretClassBackend::KerberosKeytab(v1alpha1::KerberosKeytabBackend {
             realm_name,
             kdc,
             admin,
@@ -185,14 +182,14 @@ pub enum FromSelectorError {
     #[snafu(display("failed to get {class}"))]
     GetSecretClass {
         source: stackable_operator::client::Error,
-        class: ObjectRef<SecretClass>,
+        class: ObjectRef<v1alpha1::SecretClass>,
     },
 
     #[snafu(display("failed to initialize backend for {class}"))]
     FromClass {
         #[snafu(source(from(FromClassError, Box::new)))]
         source: Box<FromClassError>,
-        class: ObjectRef<SecretClass>,
+        class: ObjectRef<v1alpha1::SecretClass>,
     },
 }
 
@@ -220,7 +217,7 @@ pub async fn from_selector(
 ) -> Result<Box<Dynamic>, FromSelectorError> {
     let class_ref = || ObjectRef::new(&selector.class);
     let class = client
-        .get::<SecretClass>(&selector.class, &())
+        .get::<v1alpha1::SecretClass>(&selector.class, &())
         .await
         .with_context(|_| from_selector_error::GetSecretClassSnafu { class: class_ref() })?;
     from_class(client, class)

rust/operator-binary/src/backend/k8s_search.rs

@@ -20,7 +20,7 @@ use super::{
     pod_info::{PodInfo, SchedulingPodInfo},
     scope::SecretScope,
 };
-use crate::{crd::SearchNamespace, format::SecretData, utils::Unloggable};
+use crate::{crd::v1alpha1, format::SecretData, utils::Unloggable};
 
 const LABEL_CLASS: &str = "secrets.stackable.tech/class";
 pub(super) const LABEL_SCOPE_NODE: &str = "secrets.stackable.tech/node";
@@ -89,7 +89,7 @@ impl SecretBackendError for Error {
 pub struct K8sSearch {
     // Not secret per se, but isn't Debug: https://github.com/stackabletech/secret-operator/issues/411
     pub client: Unloggable<stackable_operator::client::Client>,
-    pub search_namespace: SearchNamespace,
+    pub search_namespace: v1alpha1::SearchNamespace,
     pub trust_store_config_map_name: Option<String>,
 }
 

rust/operator-binary/src/backend/kerberos_keytab.rs

@@ -22,10 +22,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::{
-        ActiveDirectorySamAccountNameRules, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin,
-        KerberosPrincipal,
-    },
+    crd::{KerberosPrincipal, v1alpha1},
     format::{SecretData, WellKnownSecretData, well_known},
     utils::Unloggable,
 };
@@ -62,7 +59,9 @@ pub enum Error {
     },
 
     #[snafu(display("generated invalid Kerberos principal for pod"))]
-    PodPrincipal { source: InvalidKerberosPrincipal },
+    PodPrincipal {
+        source: v1alpha1::InvalidKerberosPrincipal,
+    },
 
     #[snafu(display("failed to read the provisioned keytab"))]
     ReadProvisionedKeytab { source: std::io::Error },
@@ -106,7 +105,7 @@ impl SecretBackendError for Error {
 pub struct KerberosProfile {
     pub realm_name: KerberosRealmName,
     pub kdc: HostName,
-    pub admin: KerberosKeytabBackendAdmin,
+    pub admin: v1alpha1::KerberosKeytabBackendAdmin,
 }
 
 #[derive(Debug)]
@@ -169,10 +168,10 @@ impl SecretBackend for KerberosKeytab {
         } = self;
 
         let admin_server_clause = match admin {
-            KerberosKeytabBackendAdmin::Mit { kadmin_server } => {
+            v1alpha1::KerberosKeytabBackendAdmin::Mit { kadmin_server } => {
                 format!("  admin_server = {kadmin_server}")
             }
-            KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
+            v1alpha1::KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
         };
 
         let tmp = tempdir().context(TempSetupSnafu)?;
@@ -254,10 +253,10 @@ cluster.local = {realm_name}
                     })
                     .collect(),
                 admin_backend: match admin {
-                    KerberosKeytabBackendAdmin::Mit { .. } => {
+                    v1alpha1::KerberosKeytabBackendAdmin::Mit { .. } => {
                         stackable_krb5_provision_keytab::AdminBackend::Mit
                     }
-                    KerberosKeytabBackendAdmin::ActiveDirectory {
+                    v1alpha1::KerberosKeytabBackendAdmin::ActiveDirectory {
                         ldap_server,
                         ldap_tls_ca_secret,
                         password_cache_secret,
@@ -271,7 +270,7 @@ cluster.local = {realm_name}
                         user_distinguished_name: user_distinguished_name.clone(),
                         schema_distinguished_name: schema_distinguished_name.clone(),
                         generate_sam_account_name: generate_sam_account_name.clone().map(
-                            |ActiveDirectorySamAccountNameRules {
+                            |v1alpha1::ActiveDirectorySamAccountNameRules {
                                  prefix,
                                  total_length,
                              }| {

rust/operator-binary/src/backend/tls/ca.rs

@@ -38,7 +38,7 @@ use tracing::{info, info_span, warn};
 
 use crate::{
     backend::SecretBackendError,
-    crd::{AdditionalTrustRoot, CertificateKeyGeneration},
+    crd::v1alpha1,
     utils::{Asn1TimeParseError, Unloggable, asn1time_to_offsetdatetime},
 };
 
@@ -202,7 +202,7 @@ pub struct Config {
     pub rotate_if_ca_expires_before: Option<Duration>,
 
     /// Configuration how TLS private keys should be created.
-    pub key_generation: CertificateKeyGeneration,
+    pub key_generation: v1alpha1::CertificateKeyGeneration,
 }
 
 /// A single certificate authority certificate.
@@ -241,7 +241,7 @@ impl CertificateAuthority {
             Conf::new(ConfMethod::default()).expect("failed to initialize OpenSSL configuration");
 
         let private_key_length = match config.key_generation {
-            CertificateKeyGeneration::Rsa { length } => length,
+            v1alpha1::CertificateKeyGeneration::Rsa { length } => length,
         };
 
         let private_key = Rsa::generate(private_key_length)
@@ -348,7 +348,7 @@ impl Manager {
     pub async fn load_or_create(
         client: &stackable_operator::client::Client,
         secret_ref: &SecretReference,
-        additional_trust_roots: &[AdditionalTrustRoot],
+        additional_trust_roots: &[v1alpha1::AdditionalTrustRoot],
         config: &Config,
     ) -> Result<Self> {
         // Use entry API rather than apply so that we crash and retry on conflicts (to avoid creating spurious certs that we throw away immediately)
@@ -496,10 +496,10 @@ impl Manager {
         let mut additional_trusted_certificates = vec![];
         for entry in additional_trust_roots {
             let certs = match entry {
-                AdditionalTrustRoot::ConfigMap(config_map) => {
+                v1alpha1::AdditionalTrustRoot::ConfigMap(config_map) => {
                     Self::read_extra_trust_roots_from_config_map(client, config_map).await?
                 }
-                AdditionalTrustRoot::Secret(secret) => {
+                v1alpha1::AdditionalTrustRoot::Secret(secret) => {
                     Self::read_extra_trust_roots_from_secret(client, secret).await?
                 }
             };

rust/operator-binary/src/backend/tls/mod.rs

@@ -33,7 +33,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::{self, AdditionalTrustRoot, CertificateKeyGeneration},
+    crd::v1alpha1,
     format::{SecretData, WellKnownSecretData, well_known},
     utils::iterator_try_concat_bytes,
 };
@@ -150,7 +150,7 @@ impl SecretBackendError for Error {
 pub struct TlsGenerate {
     ca_manager: ca::Manager,
     max_cert_lifetime: Duration,
-    key_generation: CertificateKeyGeneration,
+    key_generation: v1alpha1::CertificateKeyGeneration,
 }
 
 impl TlsGenerate {
@@ -162,13 +162,13 @@ impl TlsGenerate {
     /// an independent self-signed CA.
     pub async fn get_or_create_k8s_certificate(
         client: &stackable_operator::client::Client,
-        crd::AutoTlsCa {
+        v1alpha1::AutoTlsCa {
             secret: ca_secret,
             auto_generate: auto_generate_ca,
             ca_certificate_lifetime,
             key_generation,
-        }: &crd::AutoTlsCa,
-        additional_trust_roots: &[AdditionalTrustRoot],
+        }: &v1alpha1::AutoTlsCa,
+        additional_trust_roots: &[v1alpha1::AdditionalTrustRoot],
         max_cert_lifetime: Duration,
     ) -> Result<Self> {
         Ok(Self {
@@ -260,7 +260,7 @@ impl SecretBackend for TlsGenerate {
             Conf::new(ConfMethod::default()).expect("failed to initialize OpenSSL configuration");
 
         let pod_key_length = match self.key_generation {
-            CertificateKeyGeneration::Rsa { length } => length,
+            v1alpha1::CertificateKeyGeneration::Rsa { length } => length,
         };
 
         let pod_key = Rsa::generate(pod_key_length)