stackabletech · sbernauer · Jun 27, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jun 30, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,6 +11,7 @@ repository = "https://github.com/stackabletech/operator-rs"
 [workspace.dependencies]
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 
+arc-swap = "1.7"
 axum = { version = "0.8.1", features = ["http2"] }
 chrono = { version = "0.4.38", default-features = false }
 clap = { version = "4.5.17", features = ["derive", "cargo", "env"] }

diff --git a/crates/stackable-certs/src/ca/consts.rs b/crates/stackable-certs/src/ca/consts.rs
@@ -1,6 +1,6 @@
 use stackable_operator::time::Duration;
 
-/// The default CA validity time span of one hour (3600 seconds).
+/// The default CA validity time span
 pub const DEFAULT_CA_VALIDITY: Duration = Duration::from_hours_unchecked(1);
 
 /// The root CA subject name containing only the common name.

diff --git a/crates/stackable-certs/src/ca/mod.rs b/crates/stackable-certs/src/ca/mod.rs
@@ -38,7 +38,7 @@ pub enum Error {
     #[snafu(display("failed to generate RSA signing key"))]
     GenerateRsaSigningKey { source: rsa::Error },
 
-    #[snafu(display("failed to generate ECDSA signign key"))]
+    #[snafu(display("failed to generate ECDSA signing key"))]
     GenerateEcdsaSigningKey { source: ecdsa::Error },
 
     #[snafu(display("failed to parse {subject:?} as subject"))]

diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
@@ -7,7 +7,9 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - Update `kube` to `1.1.0` ([#1049]).
-- BREAKING: Return type for `ListenerOperatorVolumeSourceBuilder::new()` is no onger a `Result` ([#1058]).
+- BREAKING: Return type for `ListenerOperatorVolumeSourceBuilder::new()` is no longer a `Result` ([#1058]).
+- BREAKING: Require two new CLI arguments: `--operator-namespace` and `-operator-service-name`.
+  These are required, so that the operator knows what Service it needs to enter as CRD conversion webhook ([#1066]).
 
 ### Fixed
 
@@ -23,6 +25,7 @@ All notable changes to this project will be documented in this file.
 [#1058]: https://github.com/stackabletech/operator-rs/pull/1058
 [#1060]: https://github.com/stackabletech/operator-rs/pull/1060
 [#1064]: https://github.com/stackabletech/operator-rs/pull/1064
+[#1066]: https://github.com/stackabletech/operator-rs/pull/1066
 
 ## [0.93.2] - 2025-05-26
 

diff --git a/crates/stackable-operator/src/cli.rs b/crates/stackable-operator/src/cli.rs
@@ -163,7 +163,7 @@ pub enum Command<Run: Args = ProductOperatorRun> {
 /// Can be embedded into an extended argument set:
 ///
 /// ```rust
-/// # use stackable_operator::cli::{Command, ProductOperatorRun, ProductConfigPath};
+/// # use stackable_operator::cli::{Command, OperatorEnvironmentOpts, ProductOperatorRun, ProductConfigPath};
 /// use clap::Parser;
 /// use stackable_operator::namespace::WatchNamespace;
 /// use stackable_telemetry::tracing::TelemetryOptions;
@@ -176,14 +176,31 @@ pub enum Command<Run: Args = ProductOperatorRun> {
 ///     common: ProductOperatorRun,
 /// }
 ///
-/// let opts = Command::<Run>::parse_from(["foobar-operator", "run", "--name", "foo", "--product-config", "bar", "--watch-namespace", "foobar"]);
+/// let opts = Command::<Run>::parse_from([
+///     "foobar-operator",
+///     "run",
+///     "--name",
+///     "foo",
+///     "--product-config",
+///     "bar",
+///     "--watch-namespace",
+///     "foobar",
+///     "--operator-namespace",
+///     "stackable-operators",
+///     "--operator-service-name",
+///     "foo-operator",
+/// ]);
 /// assert_eq!(opts, Command::Run(Run {
 ///     name: "foo".to_string(),
 ///     common: ProductOperatorRun {
 ///         product_config: ProductConfigPath::from("bar".as_ref()),
 ///         watch_namespace: WatchNamespace::One("foobar".to_string()),
 ///         telemetry_arguments: TelemetryOptions::default(),
 ///         cluster_info_opts: Default::default(),
+///         operator_environment: OperatorEnvironmentOpts {
+///             operator_namespace: "stackable-operators".to_string(),
+///             operator_service_name: "foo-operator".to_string(),
+///         },
 ///     },
 /// }));
 /// ```
@@ -216,6 +233,9 @@ pub struct ProductOperatorRun {
     #[arg(long, env, default_value = "")]
     pub watch_namespace: WatchNamespace,
 
+    #[command(flatten)]
+    pub operator_environment: OperatorEnvironmentOpts,
+
     #[command(flatten)]
     pub telemetry_arguments: TelemetryOptions,
 
@@ -278,6 +298,18 @@ impl ProductConfigPath {
     }
 }
 
+#[derive(clap::Parser, Debug, PartialEq, Eq)]
+pub struct OperatorEnvironmentOpts {
+    /// The namespace the operator is running in, usually `stackable-operators`.
+    #[arg(long, env)]
+    pub operator_namespace: String,
+
+    /// The name of the service the operator is reachable at, usually
+    /// something like `<product>-operator`.
+    #[arg(long, env)]
+    pub operator_service_name: String,
+}
+
 #[cfg(test)]
 mod tests {
     use std::{env, fs::File};
@@ -292,6 +324,8 @@ mod tests {
     const DEPLOY_FILE_PATH: &str = "deploy_config_spec_properties.yaml";
     const DEFAULT_FILE_PATH: &str = "default_file_path_properties.yaml";
     const WATCH_NAMESPACE: &str = "WATCH_NAMESPACE";
+    const OPERATOR_NAMESPACE: &str = "OPERATOR_NAMESPACE";
+    const OPERATOR_SERVICE_NAME: &str = "OPERATOR_SERVICE_NAME";
 
     #[test]
     fn verify_cli() {
@@ -388,6 +422,10 @@ mod tests {
             "bar",
             "--watch-namespace",
             "foo",
+            "--operator-namespace",
+            "stackable-operators",
+            "--operator-service-name",
+            "foo-operator",
         ]);
         assert_eq!(
             opts,
@@ -396,23 +434,42 @@ mod tests {
                 watch_namespace: WatchNamespace::One("foo".to_string()),
                 cluster_info_opts: Default::default(),
                 telemetry_arguments: Default::default(),
+                operator_environment: OperatorEnvironmentOpts {
+                    operator_namespace: "stackable-operators".to_string(),
+                    operator_service_name: "foo-operator".to_string(),
+                }
             }
         );
 
         // no cli / no env
-        let opts = ProductOperatorRun::parse_from(["run", "--product-config", "bar"]);
+        let opts = ProductOperatorRun::parse_from([
+            "run",
+            "--product-config",
+            "bar",
+            "--operator-namespace",
+            "stackable-operators",
+            "--operator-service-name",
+            "foo-operator",
+        ]);
         assert_eq!(
             opts,
             ProductOperatorRun {
                 product_config: ProductConfigPath::from("bar".as_ref()),
                 watch_namespace: WatchNamespace::All,
                 cluster_info_opts: Default::default(),
                 telemetry_arguments: Default::default(),
+                operator_environment: OperatorEnvironmentOpts {
+                    operator_namespace: "stackable-operators".to_string(),
+                    operator_service_name: "foo-operator".to_string(),
+                }
             }
         );
 
         // env with namespace
         unsafe { env::set_var(WATCH_NAMESPACE, "foo") };
+        unsafe { env::set_var(OPERATOR_SERVICE_NAME, "foo-operator") };
+        unsafe { env::set_var(OPERATOR_NAMESPACE, "stackable-operators") };
+
         let opts = ProductOperatorRun::parse_from(["run", "--product-config", "bar"]);
         assert_eq!(
             opts,
@@ -421,6 +478,10 @@ mod tests {
                 watch_namespace: WatchNamespace::One("foo".to_string()),
                 cluster_info_opts: Default::default(),
                 telemetry_arguments: Default::default(),
+                operator_environment: OperatorEnvironmentOpts {
+                    operator_namespace: "stackable-operators".to_string(),
+                    operator_service_name: "foo-operator".to_string(),
+                }
             }
         );
     }

diff --git a/crates/stackable-telemetry/src/instrumentation/axum/mod.rs b/crates/stackable-telemetry/src/instrumentation/axum/mod.rs
@@ -73,22 +73,6 @@ const OTEL_TRACE_ID_TO: &str = "opentelemetry.trace_id.to";
 /// # let _: Router = router;
 /// ```
 ///
-/// ### Example with Webhook
-///
-/// The usage is even simpler when combined with the `stackable_webhook` crate.
-/// The webhook server has built-in support to automatically emit HTTP spans on
-/// every incoming request.
-///
-/// ```
-/// use stackable_webhook::{WebhookServer, Options};
-/// use axum::Router;
-///
-/// let router = Router::new();
-/// let server = WebhookServer::new(router, Options::default());
-///
-/// # let _: WebhookServer = server;
-/// ```
-///
 /// This layer is implemented based on [this][1] official Tower guide.
 ///
 /// [1]: https://github.com/tower-rs/tower/blob/master/guides/building-a-middleware-from-scratch.md

diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- BREAKING: Re-write the `ConversionWebhookServer`.
+  It can now do CRD conversions, handle multiple CRDs and takes care of reconciling the CRDs ([#1066]).
+- BREAKING: The `TlsServer` can now handle certificate rotation.
+  To achieve this, a new `CertificateResolver` was added.
+  Also, `TlsServer::new` now returns an additional `mpsc::Receiver<Certificate>`, so that the caller
+  can get notified about certificate rotations happening ([#1066]).
+
 ### Fixed
 
 - Don't pull in the `aws-lc-rs` crate, as this currently fails to build in `make run-dev` ([#1043]).
@@ -15,13 +24,16 @@ All notable changes to this project will be documented in this file.
   deployed to Kubernetes (e.g. conversion or mutating - which this crate targets) need to be
   accessible by it, which is not the case when only using loopback.
   Also, the constant `DEFAULT_SOCKET_ADDR` has been renamed to `DEFAULT_SOCKET_ADDRESS` ([#1045]).
+- BREAKING: The `TlsServer` now requires you to pass SAN (subject alternative name) DNS entries,
+  so the caller will trust the issued certificate ([#1066]).
 
 [#1043]: https://github.com/stackabletech/operator-rs/pull/1043
 [#1045]: https://github.com/stackabletech/operator-rs/pull/1045
+[#1066]: https://github.com/stackabletech/operator-rs/pull/1066
 
 ## [0.3.1] - 2024-07-10
 
-## Changed
+### Changed
 
 - Remove instrumentation of long running functions, add more granular instrumentation of futures. Adjust span and event levels ([#811]).
 - Bump rust-toolchain to 1.79.0 ([#822]).

diff --git a/crates/stackable-webhook/Cargo.toml b/crates/stackable-webhook/Cargo.toml
@@ -11,13 +11,15 @@ stackable-certs = { path = "../stackable-certs", features = ["rustls"] }
 stackable-telemetry = { path = "../stackable-telemetry" }
 stackable-operator = { path = "../stackable-operator" }
 
+arc-swap.workspace = true
 axum.workspace = true
 futures-util.workspace = true
 hyper-util.workspace = true
 hyper.workspace = true
 k8s-openapi.workspace = true
 kube.workspace = true
 opentelemetry.workspace = true
+rand.workspace = true
 serde_json.workspace = true
 snafu.workspace = true
 tokio-rustls.workspace = true
@@ -26,3 +28,4 @@ tower-http.workspace = true
 tower.workspace = true
 tracing.workspace = true
 tracing-opentelemetry.workspace = true
+x509-cert.workspace = true