stackabletech · Techassi · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/modules/concepts/nav.adoc b/modules/concepts/nav.adoc
@@ -26,4 +26,7 @@
 *** xref:observability/logging.adoc[Logging]
 *** xref:observability/containerdebug.adoc[Container environment]
 *** xref:observability/telemetry.adoc[Telemetry]
+** Maintenance
+*** xref:maintenance/crds.adoc[CRD maintenance]
+*** xref:maintenance/eos.adoc[End-of-Support check]
 ** xref:container-images.adoc[]
diff --git a/modules/concepts/pages/maintenance/crds.adoc b/modules/concepts/pages/maintenance/crds.adoc
@@ -0,0 +1,31 @@
+= CustomResourceDefinition (CRD) maintenance
+:k8s-webhook-config: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#configure-customresourcedefinition-to-use-conversion-webhooks
+
+Starting with SDP 25.11.0, specific operators now manage their own CRD lifecycle independently of Helm or other deployment tools.
+The primary reason for this is that the operator is able to inject a {k8s-webhook-config}[conversion webhook configuration] with an up-to-date `caBundle`.
+The operator automatically generates a dedicated CA and leaf certificate for the conversion webhook, rotating them every 24 hours.
+To maintain secure communication, the operator must continuously inject the up-to-date caBundle into the CRD's webhook configuration.
+
+This maintenance process can be disabled via a Helm value if desired.
+
+[WARNING]
+====
+It should be noted that when CRD maintenance is disabled, the operator will not deploy and manage the CRDs.
+The CRDs need to be deployed manually and the conversion webhook is disabled.
+As a result, only custom resources of the stored version can be used.
+Only use this setting if you know what you are doing!
+====
+
+[NOTE]
+====
+The following section describe the available fields as well as their default and supported values.
+====
+
+[source,yaml]
+----
+maintenance:
+  customResourceDefinitions:
+    maintain: true # <1>
+----
+
+<1> Boolean: `true`, `false`
diff --git a/modules/concepts/pages/maintenance/eos.adoc b/modules/concepts/pages/maintenance/eos.adoc
@@ -0,0 +1,25 @@
+= End-of-Support (EoS) check
+
+Starting with SDP 25.11.0, operators emit a warning message on startup and in a regular interval when it may have reached end-of-support.
+Most of the operators reach end-of-support one year after they have been released, which roughly translates to three SDP releases.
+This is in accordance with our xref:compliance:policies.adoc[support policy].
+
+The interval can be adjusted or the check can be disabled completely via Helm values.
+
+[NOTE]
+====
+The following sections describe the available fields as well as their default and supported values.
+====
+
+[source,yaml]
+----
+maintenance:
+  endOfSupportCheck:
+    enabled: true # <1>
+    mode: offline # <2>
+    interval: 24h # <3>
+----
+
+<1> Boolean: `true`, `false`
+<2> Enum: `offline` (currently no other options available)
+<3> Duration: Any duration according to xref:reference:duration.adoc[this format]