From 289a7429db106e9d9966a45295fbc8581fbebbc3 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:54:33 +0100 Subject: [PATCH 01/10] chore: Describe RBAC rules, remove unnecessary rules --- .../helm/secret-operator/templates/roles.yaml | 61 ++++++++++++++++++- 1 file changed, 59 insertions(+), 2 deletions(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index 14970b11..6df6a075 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -55,10 +55,30 @@ rules: - list - watch {{- end }} + # Secrets: read/written by several subsystems: + # - autoTLS backend: reads and writes the CA Secret using the kube entry API, which issues + # replace() (HTTP PUT) when updating an existing entry — this requires the `update` verb + # in addition to the SSA verbs (create + patch). Also reads ConfigMap/Secret trust roots. + # - kerberosKeytab backend: reads the admin keytab Secret. + # - k8sSearch backend: lists Secrets by label selector. + # - certManager backend: reads the Secret provisioned by cert-manager. + # - truststore controller: applies Secrets via SSA (create + patch) and watches them via .owns(). - apiGroups: - "" resources: - secrets + verbs: + - get + - list + - watch + - create + - patch + - update + # Events (core v1): required by the external-provisioner sidecar container, which runs under the + # same ServiceAccount and uses the legacy core/v1 events API (distinct from events.k8s.io below). + - apiGroups: + - "" + resources: - events verbs: - get @@ -67,6 +87,9 @@ rules: - create - patch - update + # ConfigMaps: applied by the truststore controller via SSA (create + patch) and watched via + # .owns() and .watches(). Also read by the autoTLS backend for additional trust roots and + # by the k8sSearch backend for the trust-store ConfigMap. - apiGroups: - "" resources: @@ -77,6 +100,8 @@ rules: - get - watch - list + # PersistentVolumes: managed by the external-provisioner sidecar container (not the operator + # binary directly). The sidecar creates, patches, and deletes PVs on behalf of the CSI driver. - apiGroups: - "" resources: @@ -88,10 +113,13 @@ rules: - patch - create - delete + # Nodes: read by the CSI node service to look up node IPs for certificate SANs, and by the + # external-provisioner sidecar for topology-aware scheduling. + # PersistentVolumeClaims: read by the CSI controller service during CreateVolume to locate the + # owning Pod and resolve listener scope, and by the external-provisioner sidecar for PVC binding. - apiGroups: - "" resources: - - configmaps - nodes - persistentvolumeclaims verbs: @@ -105,6 +133,9 @@ rules: - nodes/proxy verbs: - get + # CSINodes: used by the external-provisioner sidecar and node-driver-registrar for + # topology-aware volume scheduling. + # StorageClasses: used by the external-provisioner sidecar to read provisioner configuration. - apiGroups: - storage.k8s.io resources: @@ -114,6 +145,9 @@ rules: - get - list - watch + # Pods: read by the CSI controller and node services to resolve secret scope (node IPs, service + # names). Patched with expiry annotations so the restarter can evict pods before their + # certificates expire. - apiGroups: - "" resources: @@ -121,11 +155,15 @@ rules: verbs: - get - patch + # SecretClasses: the primary configuration CRD. + # - watched via .watches_stream() in the truststore controller to trigger re-reconciliation + # when a referenced SecretClass changes. + # - read in reconcile() to initialise the secret backend. + # - create + patch (when CRD maintenance is enabled): used to deploy the default "tls" SecretClass. - apiGroups: - secrets.stackable.tech resources: - secretclasses - - truststores verbs: {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create @@ -134,6 +172,20 @@ rules: - get - watch - list + # TrustStores: the primary reconciled resource in the truststore controller + # (Controller::new watches this type). The operator only reconciles existing TrustStores; + # it never creates them, so no create/patch is needed here. + - apiGroups: + - secrets.stackable.tech + resources: + - truststores + verbs: + - get + - watch + - list + # ListenerClasses, Listeners, PodListeners: read during volume provisioning to resolve + # listener-scoped addresses (IPs/hostnames) for inclusion in TLS SANs and for topology + # node pinning. - apiGroups: - listeners.stackable.tech resources: @@ -142,6 +194,9 @@ rules: - podlisteners verbs: - get + # cert-manager Certificates: applied via SSA (create + patch) by the certManager backend + # when provisioning a certificate, and read back (get) to check topology node affinity for + # re-scheduling decisions. - apiGroups: - cert-manager.io resources: @@ -150,6 +205,8 @@ rules: - get - patch - create + # Events (events.k8s.io): used by the kube-rs controller event recorder (distinct from + # the legacy core/v1 events used by the external-provisioner sidecar above). - apiGroups: - events.k8s.io resources: From 69b8773525a244fdab5bafd9c107f0411bf3f69d Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:57:11 +0100 Subject: [PATCH 02/10] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4502480..9a35c3bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#693]). + +[#693]: https://github.com/stackabletech/secret-operator/pull/693 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 From 7bcd54ad88deeef363e55004a3d1d1ac8a54373d Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 10:36:40 +0200 Subject: [PATCH 03/10] chore: Add missing rule comments --- deploy/helm/secret-operator/templates/roles.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index 6df6a075..fd08ee3b 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -215,6 +215,9 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # OpenShift SecurityContextConstraints: allows the operator's ServiceAccount to use the + # custom SCC defined above, which grants host-path volumes and bidirectional mount propagation + # required by the CSI driver. - apiGroups: - security.openshift.io resourceNames: From d0ca7ffefafde120d76c60380bc57ce1e44a8674 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 10:41:23 +0200 Subject: [PATCH 04/10] chore: Clarify the get for secretclasses --- deploy/helm/secret-operator/templates/roles.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index fd08ee3b..ea613992 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -156,9 +156,9 @@ rules: - get - patch # SecretClasses: the primary configuration CRD. - # - watched via .watches_stream() in the truststore controller to trigger re-reconciliation - # when a referenced SecretClass changes. - # - read in reconcile() to initialise the secret backend. + # - get: fetched by the CSI controller to initialize the secret backend, and by the truststore + # controller during reconciliation. + # - watch + list: watched by the truststore controller to re-reconcile when a SecretClass changes. # - create + patch (when CRD maintenance is enabled): used to deploy the default "tls" SecretClass. - apiGroups: - secrets.stackable.tech From adefa2ad495b6654e2e7e56ad1dcc7c587da7b63 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 10:45:17 +0200 Subject: [PATCH 05/10] chore: Clarify the verbs for nodes and pvcs --- deploy/helm/secret-operator/templates/roles.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index ea613992..509085ca 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -113,10 +113,11 @@ rules: - patch - create - delete - # Nodes: read by the CSI node service to look up node IPs for certificate SANs, and by the - # external-provisioner sidecar for topology-aware scheduling. - # PersistentVolumeClaims: read by the CSI controller service during CreateVolume to locate the - # owning Pod and resolve listener scope, and by the external-provisioner sidecar for PVC binding. + # Nodes are fetched to look up node IPs for certificate SANs. The external-provisioner + # sidecar lists and watches Nodes for CSI volume topology (--feature-gates=Topology=true). + # PersistentVolumeClaims are read by the CSI controller during CreateVolume to locate the + # owning Pod and resolve listener scope. The external-provisioner sidecar watches PVCs to + # trigger PV provisioning. - apiGroups: - "" resources: From 6a6b29216bd95512b25e7e4214e5d046597c6be4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 11:01:45 +0200 Subject: [PATCH 06/10] chore: Simplify rule comments --- .../helm/secret-operator/templates/roles.yaml | 69 +++++++------------ 1 file changed, 26 insertions(+), 43 deletions(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index 509085ca..61e32a84 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -43,26 +43,23 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's - # generated certificate in the conversion webhook. + # Required for maintaining the CRDs (including the conversion webhook configuration) and + # for the startup condition check. {{- if .Values.maintenance.customResourceDefinitions.maintain }} - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: + # Required to maintain the CRD (e.g. conversion webhook certificate). - create - patch # Required for startup condition - list - watch {{- end }} - # Secrets: read/written by several subsystems: - # - autoTLS backend: reads and writes the CA Secret using the kube entry API, which issues - # replace() (HTTP PUT) when updating an existing entry — this requires the `update` verb - # in addition to the SSA verbs (create + patch). Also reads ConfigMap/Secret trust roots. - # - kerberosKeytab backend: reads the admin keytab Secret. - # - k8sSearch backend: lists Secrets by label selector. - # - certManager backend: reads the Secret provisioned by cert-manager. - # - truststore controller: applies Secrets via SSA (create + patch) and watches them via .owns(). + # Secrets are read and written by multiple backends (autoTLS CA storage, Kerberos keytab, + # k8sSearch, cert-manager). The autoTLS backend uses replace (HTTP PUT) for CA entries, + # requiring the update verb in addition to SSA verbs. The truststore controller applies + # trust-store Secrets via SSA and watches them for changes. - apiGroups: - "" resources: @@ -74,8 +71,7 @@ rules: - create - patch - update - # Events (core v1): required by the external-provisioner sidecar container, which runs under the - # same ServiceAccount and uses the legacy core/v1 events API (distinct from events.k8s.io below). + # Required by the external-provisioner sidecar, which uses the legacy core/v1 events API. - apiGroups: - "" resources: @@ -87,9 +83,8 @@ rules: - create - patch - update - # ConfigMaps: applied by the truststore controller via SSA (create + patch) and watched via - # .owns() and .watches(). Also read by the autoTLS backend for additional trust roots and - # by the k8sSearch backend for the trust-store ConfigMap. + # ConfigMaps are applied by the truststore controller via SSA and watched for changes. + # Also read by the autoTLS backend for trust roots and by the k8sSearch backend. - apiGroups: - "" resources: @@ -100,8 +95,7 @@ rules: - get - watch - list - # PersistentVolumes: managed by the external-provisioner sidecar container (not the operator - # binary directly). The sidecar creates, patches, and deletes PVs on behalf of the CSI driver. + # PersistentVolumes are managed by the external-provisioner sidecar on behalf of the CSI driver. - apiGroups: - "" resources: @@ -127,16 +121,15 @@ rules: - get - list - watch - # For automatic cluster domain detection + # For automatic cluster domain detection. - apiGroups: - "" resources: - nodes/proxy verbs: - get - # CSINodes: used by the external-provisioner sidecar and node-driver-registrar for - # topology-aware volume scheduling. - # StorageClasses: used by the external-provisioner sidecar to read provisioner configuration. + # Required by the external-provisioner sidecar to discover driver topology keys (CSINodes) + # and determine volume binding mode (StorageClasses). - apiGroups: - storage.k8s.io resources: @@ -146,9 +139,8 @@ rules: - get - list - watch - # Pods: read by the CSI controller and node services to resolve secret scope (node IPs, service - # names). Patched with expiry annotations so the restarter can evict pods before their - # certificates expire. + # Pods are read by the CSI driver to resolve secret scope. Patched with expiry annotations + # so the restarter can evict pods before their certificates expire. - apiGroups: - "" resources: @@ -156,11 +148,9 @@ rules: verbs: - get - patch - # SecretClasses: the primary configuration CRD. - # - get: fetched by the CSI controller to initialize the secret backend, and by the truststore - # controller during reconciliation. - # - watch + list: watched by the truststore controller to re-reconcile when a SecretClass changes. - # - create + patch (when CRD maintenance is enabled): used to deploy the default "tls" SecretClass. + # SecretClasses are the primary configuration CRD. Read by the CSI controller and the + # truststore controller. Watched to retrigger reconciliation when a SecretClass changes. + # The operator creates the default "tls" SecretClass at startup when CRD maintenance is enabled. - apiGroups: - secrets.stackable.tech resources: @@ -173,9 +163,7 @@ rules: - get - watch - list - # TrustStores: the primary reconciled resource in the truststore controller - # (Controller::new watches this type). The operator only reconciles existing TrustStores; - # it never creates them, so no create/patch is needed here. + # TrustStores are the primary reconciled resource in the truststore controller. - apiGroups: - secrets.stackable.tech resources: @@ -184,9 +172,7 @@ rules: - get - watch - list - # ListenerClasses, Listeners, PodListeners: read during volume provisioning to resolve - # listener-scoped addresses (IPs/hostnames) for inclusion in TLS SANs and for topology - # node pinning. + # Read during volume provisioning to resolve listener-scoped addresses for TLS SANs. - apiGroups: - listeners.stackable.tech resources: @@ -195,9 +181,8 @@ rules: - podlisteners verbs: - get - # cert-manager Certificates: applied via SSA (create + patch) by the certManager backend - # when provisioning a certificate, and read back (get) to check topology node affinity for - # re-scheduling decisions. + # cert-manager Certificates are applied via SSA by the cert-manager backend when provisioning + # a certificate, and read back to check node affinity for scheduling decisions. - apiGroups: - cert-manager.io resources: @@ -206,8 +191,7 @@ rules: - get - patch - create - # Events (events.k8s.io): used by the kube-rs controller event recorder (distinct from - # the legacy core/v1 events used by the external-provisioner sidecar above). + # Publish reconciliation errors as Kubernetes Events. - apiGroups: - events.k8s.io resources: @@ -216,9 +200,8 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - # OpenShift SecurityContextConstraints: allows the operator's ServiceAccount to use the - # custom SCC defined above, which grants host-path volumes and bidirectional mount propagation - # required by the CSI driver. + # Required on OpenShift to allow the secret-operator pods to run with the custom SCC + # defined above (host-path volumes and bidirectional mount propagation for the CSI driver). - apiGroups: - security.openshift.io resourceNames: From dd3f765c0b58de92f7169eff9a608df3daa73efc Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 11:03:59 +0200 Subject: [PATCH 07/10] fix: Always allow customresourcedefinitions list/watch Required for the startup condition regardless of whether crd maintenance is enabled --- deploy/helm/secret-operator/templates/roles.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index 61e32a84..e42c6c42 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -45,17 +45,17 @@ metadata: rules: # Required for maintaining the CRDs (including the conversion webhook configuration) and # for the startup condition check. - {{- if .Values.maintenance.customResourceDefinitions.maintain }} - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: + {{- if .Values.maintenance.customResourceDefinitions.maintain }} # Required to maintain the CRD (e.g. conversion webhook certificate). - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} # Secrets are read and written by multiple backends (autoTLS CA storage, Kerberos keytab, # k8sSearch, cert-manager). The autoTLS backend uses replace (HTTP PUT) for CA entries, # requiring the update verb in addition to SSA verbs. The truststore controller applies From 6b15e21907b6adfbd3f3ca372e149604ba5a6f93 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 11:13:11 +0200 Subject: [PATCH 08/10] chore: Clarify why the legacy events rule is still required --- deploy/helm/secret-operator/templates/roles.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml index e42c6c42..b43ec121 100644 --- a/deploy/helm/secret-operator/templates/roles.yaml +++ b/deploy/helm/secret-operator/templates/roles.yaml @@ -71,7 +71,9 @@ rules: - create - patch - update - # Required by the external-provisioner sidecar, which uses the legacy core/v1 events API. + # Required by the external-provisioner sidecar, which still uses the legacy core/v1 events + # API (not events.k8s.io). See upstream RBAC: + # https://github.com/kubernetes-csi/external-provisioner/blob/v5.3.0/deploy/kubernetes/rbac.yaml - apiGroups: - "" resources: From b6a1a4b33b7337d4be197f462de736802b528b5b Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 13:34:35 +0200 Subject: [PATCH 09/10] chore: Update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a35c3bb..73bdfca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Changed -- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#693]). +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#693]). [#693]: https://github.com/stackabletech/secret-operator/pull/693 From 17a267be1f14f6ea674113618b8945f2737c53df Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 13:34:54 +0200 Subject: [PATCH 10/10] chore(nix): Update crate hashes --- Cargo.nix | 18 +++++++++--------- crate-hashes.json | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Cargo.nix b/Cargo.nix index 41fb7218..c3518d07 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -5507,7 +5507,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "k8s_version"; authors = [ @@ -11579,7 +11579,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_certs"; authors = [ @@ -11765,7 +11765,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_operator"; authors = [ @@ -11937,7 +11937,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -12272,7 +12272,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_shared"; authors = [ @@ -12463,7 +12463,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_telemetry"; authors = [ @@ -12573,7 +12573,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_versioned"; authors = [ @@ -12617,7 +12617,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -12685,7 +12685,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 4285dcd3..d0fa9a3c 100644 --- a/crate-hashes.json +++ b/crate-hashes.json @@ -6,15 +6,15 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/stackabletech/krb5-rs.git?tag=v0.1.0#krb5-sys@0.1.0": "148zr0q04163hpirkrff5q7cbxqgwzzxh0091zr4g23x7l64jh39", "git+https://github.com/stackabletech/krb5-rs.git?tag=v0.1.0#krb5@0.1.0": "148zr0q04163hpirkrff5q7cbxqgwzzxh0091zr4g23x7l64jh39", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-telemetry-0.6.1#stackable-telemetry@0.6.1": "0hiymhr40ix4jv9dmvp5d009xs6v0frvllr2xkf5mw43rcg44mgd", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file