From d4891dcbb60cc6c16ed0855f1525807f5587959c Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 15:16:55 +0100 Subject: [PATCH 1/6] docs(maintenance): Add CRD maintenance page --- modules/concepts/pages/maintenance/crds.adoc | 31 ++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 modules/concepts/pages/maintenance/crds.adoc diff --git a/modules/concepts/pages/maintenance/crds.adoc b/modules/concepts/pages/maintenance/crds.adoc new file mode 100644 index 000000000..df3dbfd44 --- /dev/null +++ b/modules/concepts/pages/maintenance/crds.adoc 
@@ -0,0 +1,31 @@ += CustomResourceDefinition (CRD) maintenance +:k8s-webhook-config: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#configure-customresourcedefinition-to-use-conversion-webhooks + +Since SDP 25.11.0 some operators maintain the CRD on their own without relying on Helm or other deployment tools. +The primary reason for this is that the operator is able to inject a {k8s-webhook-config}[conversion webhook configuration] with an up-to-date `caBundle`. +The operator generates a CA (and a leaf certificate) used by the conversion webhook automatically which is additionally rotated every 24 hours. +This requires the operator to continuously update the `caBundle` field of the webhook configuration. + +This maintenance process can be disabled via a Helm value if desired. + +[WARNING] +==== +It should be noted that when CRD maintenance is disabled, the operator will not deploy and manage the CRDs. +The CRDs need to be deployed manually and the conversion webhook is disabled. +As a result, only custom resources of the stored version can be used. +Only use this setting if you know what you are doing! +==== + +[NOTE] +==== +The following section describe the available fields as well as their default and supported values. +==== + +[source,yaml] +---- +maintenance: + customResourceDefinitions: + maintain: true # <1> +---- + +<1> Boolean: `true`, `false` From d4bc8775458e474520aedc9bbfa161085454e181 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 15:17:30 +0100 Subject: [PATCH 2/6] docs(maintenance): Add EoS check page --- modules/concepts/pages/maintenance/eos.adoc | 25 +++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 modules/concepts/pages/maintenance/eos.adoc diff --git a/modules/concepts/pages/maintenance/eos.adoc b/modules/concepts/pages/maintenance/eos.adoc new file mode 100644 index 000000000..f79707ed9 --- /dev/null 
+++ b/modules/concepts/pages/maintenance/eos.adoc @@ -0,0 +1,25 @@ += End-of-Support (EoS) check + +Since SDP 25.11.0 operators emit a warning message on startup and in a regular interval when it may have reached end-of-support. +Most of our operators reach end-of-support one year after they have been released which roughly translates to three SDP releases. +This is in accordance with our xref:compliance:policies.adoc[support policy]. + +The interval can be adjusted or the check can be disabled completely via Helm values. + +[NOTE] +==== +The following sections describe the available fields as well as their default and supported values. +==== + +[source,yaml] +---- +maintenance: + endOfSupportCheck: + enabled: true # <1> + mode: offline # <2> + interval: 24h # <3> +---- + +<1> Boolean: `true`, `false` +<2> Enum: `offline` (currently no other options available) +<3> Duration: Any duration according to xref:reference:duration.adoc[this format] From 96cfc0e6b796876910188bce7e8d714a3b6e187f Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 15:17:53 +0100 Subject: [PATCH 3/6] docs(nav): Add maintenance nav links --- modules/concepts/nav.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/concepts/nav.adoc b/modules/concepts/nav.adoc index c81bfa18c..b420d8ba0 100644 --- a/modules/concepts/nav.adoc +++ b/modules/concepts/nav.adoc @@ -26,4 +26,7 @@ *** xref:observability/logging.adoc[Logging] *** xref:observability/containerdebug.adoc[Container environment] *** xref:observability/telemetry.adoc[Telemetry] +** Maintenance +*** xref:maintenance/crds.adoc[CRD maintenance] +*** xref:maintenance/eos.adoc[End-of-Support check] ** xref:container-images.adoc[] From 936a5db0148264fce15786faac76d7737d87bc3f Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 16:32:02 +0100 Subject: [PATCH 4/6] chore: Apply suggestion Co-authored-by: Malte Sander --- modules/concepts/pages/maintenance/crds.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/concepts/pages/maintenance/crds.adoc b/modules/concepts/pages/maintenance/crds.adoc index df3dbfd44..de98145ca 100644 --- a/modules/concepts/pages/maintenance/crds.adoc +++ b/modules/concepts/pages/maintenance/crds.adoc @@ -1,7 +1,7 @@ = CustomResourceDefinition (CRD) maintenance :k8s-webhook-config: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#configure-customresourcedefinition-to-use-conversion-webhooks -Since SDP 25.11.0 some operators maintain the CRD on their own without relying on Helm or other deployment tools. +Starting with SDP 25.11.0, specific operators now manage their own CRD lifecycle independently of Helm or other deployment tools. The primary reason for this is that the operator is able to inject a {k8s-webhook-config}[conversion webhook configuration] with an up-to-date `caBundle`. The operator generates a CA (and a leaf certificate) used by the conversion webhook automatically which is additionally rotated every 24 hours. This requires the operator to continuously update the `caBundle` field of the webhook configuration. From 9b30d85a01371d4cc07e234c4d02627f9d046982 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 16:32:20 +0100 Subject: [PATCH 5/6] chore: Apply suggestion Co-authored-by: Malte Sander --- modules/concepts/pages/maintenance/crds.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/concepts/pages/maintenance/crds.adoc b/modules/concepts/pages/maintenance/crds.adoc index de98145ca..d04d60d04 100644 --- a/modules/concepts/pages/maintenance/crds.adoc +++ b/modules/concepts/pages/maintenance/crds.adoc 
@@ -3,8 +3,8 @@ Starting with SDP 25.11.0, specific operators now manage their own CRD lifecycle independently of Helm or other deployment tools. The primary reason for this is that the operator is able to inject a {k8s-webhook-config}[conversion webhook configuration] with an up-to-date `caBundle`. -The operator generates a CA (and a leaf certificate) used by the conversion webhook automatically which is additionally rotated every 24 hours. -This requires the operator to continuously update the `caBundle` field of the webhook configuration. +The operator automatically generates a dedicated CA and leaf certificate for the conversion webhook, rotating them every 24 hours. +To maintain secure communication, the operator must continuously inject the up-to-date caBundle into the CRD's webhook configuration. This maintenance process can be disabled via a Helm value if desired. From c9bdb7511c519fad542b85306721511494bb9736 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 5 Feb 2026 16:32:35 +0100 Subject: [PATCH 6/6] chore: Apply suggestion Co-authored-by: Malte Sander --- modules/concepts/pages/maintenance/eos.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/concepts/pages/maintenance/eos.adoc b/modules/concepts/pages/maintenance/eos.adoc index f79707ed9..3a5d84753 100644 --- a/modules/concepts/pages/maintenance/eos.adoc +++ b/modules/concepts/pages/maintenance/eos.adoc 
@@ -1,7 +1,7 @@ = End-of-Support (EoS) check -Since SDP 25.11.0 operators emit a warning message on startup and in a regular interval when it may have reached end-of-support. -Most of our operators reach end-of-support one year after they have been released which roughly translates to three SDP releases. +Starting with SDP 25.11.0, operators emit a warning message on startup and in a regular interval when it may have reached end-of-support. +Most of the operators reach end-of-support one year after they have been released, which roughly translates to three SDP releases. This is in accordance with our xref:compliance:policies.adoc[support policy]. The interval can be adjusted or the check can be disabled completely via Helm values.
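Review bot: In PATCH 1/6 (crds.adoc), the NOTE promises "default and supported values", but callout <1> lists only `true`, `false` and never says which one is the default. Mark it explicitly, for example "Boolean: `true` (default), `false`". The same NOTE reads "The following section describe", while eos.adoc in PATCH 2/6 has "sections describe"; align the two.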
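Review bot: In PATCH 2/6 (eos.adoc), callout <2> documents `mode: offline` as the only enum value, but the page never says what the offline mode does, so a reader cannot tell how the operator decides that it may have reached end-of-support. Add a sentence describing the mode, and mark which of the values in callouts <1> to <3> are the defaults, since the NOTE above the listing promises them.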
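Review bot: In PATCH 4/6 (crds.adoc, first paragraph), "specific operators" leaves readers unable to tell whether the operator they run manages its own CRDs, which matters because the WARNING further down changes what they have to deploy by hand. Name the operators or link to a list of them. "Starting with SDP 25.11.0, ... now manage" is also redundant; drop "now".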
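Review bot: In PATCH 5/6 (crds.adoc), the added line "inject the up-to-date caBundle into the CRD's webhook configuration" drops the backticks that the unchanged line above it still uses for `caBundle`; keep the field name in monospace so both mentions match. "To maintain secure communication" is also vaguer than the sentence it replaces; consider saying which connection depends on the `caBundle` and what happens to conversion requests if the bundle is stale after a rotation.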
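Review bot: In PATCH 6/6 (eos.adoc, first paragraph), the reworded sentence keeps the number mismatch from the original: "operators emit a warning message ... when it may have reached end-of-support". Use "when they may have reached end-of-support", and "at a regular interval" rather than "in a regular interval".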