stackabletech · sbernauer · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- BREAKING: Add a new CLI flag/env to disabling CRD maintenance: `--disable-crd-maintenance` ([#1085]).
+
+[#1085]: https://github.com/stackabletech/operator-rs/pull/1085
+
 ## [0.96.0] - 2025-08-25
 
 ### Added

diff --git a/crates/stackable-operator/src/cli.rs b/crates/stackable-operator/src/cli.rs
@@ -245,6 +245,17 @@ pub struct ProductOperatorRun {
     /// Provides a specific namespace to watch (instead of watching all namespaces)
     #[arg(long, env, default_value = "")]
     pub watch_namespace: WatchNamespace,
+
+    /// Don't maintain the CustomResourceDefinitions (CRDs) the operator is responsible for.
+    ///
+    /// Maintenance includes creating the CRD initially, adding new versions and keeping the TLS
+    /// certificate of webhooks up to date. Turning this off can be desirable to reduce the RBAC
+    /// permission of the operators.
+    ///
+    /// WARNING: If you disable CRD maintenance you are responsible for maintaining it, including
+    /// the points above.
+    #[arg(long, env)]
+    pub disable_crd_maintenance: bool,
 }
 
 /// All the CLI arguments that all (or at least most) Stackable applications use.

diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- BREAKING: Support disabling CRD maintenance using a new boolean flag in `ConversionWebhookServer::new` ([#1085]).
+
+[#1085]: https://github.com/stackabletech/operator-rs/pull/1085
+
 ## [0.5.0] - 2025-08-21
 
 ### Changed

diff --git a/crates/stackable-webhook/src/servers/conversion.rs b/crates/stackable-webhook/src/servers/conversion.rs
@@ -91,17 +91,22 @@ pub struct ConversionWebhookServer {
     options: ConversionWebhookOptions,
     router: Router,
     client: Client,
+    maintain_crds: bool,
 }
 
 impl ConversionWebhookServer {
     /// Creates a new conversion webhook server, which expects POST requests being made to the
     /// `/convert/{crd name}` endpoint.
     ///
-    /// You need to provide two things for every CRD passed in via the `crds_and_handlers` argument:
+    /// You need to provide a few things for every CRD passed in via the `crds_and_handlers` argument:
     ///
     /// 1. The CRD
     /// 2. A conversion function to convert between CRD versions. Typically you would use the
-    ///   the auto-generated `try_convert` function on CRD spec definition structs for this.
+    ///    the auto-generated `try_convert` function on CRD spec definition structs for this.
+    /// 3. A [`kube::Client`] used to create/update the CRDs.
+    /// 4. If we should maintain the CRDs. Use `stackable_operator::cli::ProductOperatorRun::disable_crd_maintenance`
+    /// for this.
+    // # Because of https://github.com/rust-lang/cargo/issues/3475 we can not use a real link here
     ///
     /// The [`ConversionWebhookServer`] takes care of reconciling the CRDs into the Kubernetes
     /// cluster and takes care of adding itself as conversion webhook. This includes TLS
@@ -165,6 +170,7 @@ impl ConversionWebhookServer {
         crds_and_handlers: impl IntoIterator<Item = (CustomResourceDefinition, H)>,
         options: ConversionWebhookOptions,
         client: Client,
+        maintain_crds: bool,
     ) -> Result<Self, ConversionWebhookError>
     where
         H: WebhookHandler<ConversionReview, ConversionReview> + Clone + Send + Sync + 'static,
@@ -190,6 +196,7 @@ impl ConversionWebhookServer {
             router,
             client,
             crds,
+            maintain_crds,
         })
     }
 
@@ -201,6 +208,7 @@ impl ConversionWebhookServer {
             router,
             client,
             crds,
+            maintain_crds,
         } = self;
 
         let ConversionWebhookOptions {
@@ -233,28 +241,34 @@ impl ConversionWebhookServer {
             .recv()
             .await
             .context(ReceiveCertificateFromChannelSnafu)?;
-        Self::reconcile_crds(
-            &client,
-            field_manager,
-            &crds,
-            operator_namespace,
-            operator_service_name,
-            current_cert,
-        )
-        .await
-        .context(ReconcileCrdsSnafu)?;
-
-        try_join!(
-            Self::run_webhook_server(server),
-            Self::run_crd_reconciliation_loop(
-                cert_rx,
+        if maintain_crds {
+            Self::reconcile_crds(
                 &client,
                 field_manager,
                 &crds,
                 operator_namespace,
                 operator_service_name,
-            ),
-        )?;
+                current_cert,
+            )
+            .await
+            .context(ReconcileCrdsSnafu)?;
+        }
+
+        if maintain_crds {
+            try_join!(
+                Self::run_webhook_server(server),
+                Self::run_crd_reconciliation_loop(
+                    cert_rx,
+                    &client,
+                    field_manager,
+                    &crds,
+                    operator_namespace,
+                    operator_service_name,
+                ),
+            )?;
+        } else {
+            Self::run_webhook_server(server).await?;
+        };
 
         Ok(())
     }