stackabletech
diff --git a/‎crates/stackable-operator/CHANGELOG.md‎
Lines changed: 10 additions & 1 deletion b/‎crates/stackable-operator/CHANGELOG.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎crates/stackable-operator/crds/ListenerClass.yaml‎
Lines changed: 15 additions & 0 deletions b/‎crates/stackable-operator/crds/ListenerClass.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎crates/stackable-operator/src/client.rs‎
Lines changed: 19 additions & 0 deletions b/‎crates/stackable-operator/src/client.rs‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎crates/stackable-operator/src/crd/listener/class/mod.rs‎
Lines changed: 14 additions & 0 deletions b/‎crates/stackable-operator/src/crd/listener/class/mod.rs‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎crates/stackable-webhook/CHANGELOG.md‎
Lines changed: 15 additions & 0 deletions b/‎crates/stackable-webhook/CHANGELOG.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎crates/stackable-webhook/src/constants.rs‎
Lines changed: 0 additions & 21 deletions b/‎crates/stackable-webhook/src/constants.rs‎
Lines changed: 0 additions & 21 deletions
diff --git a/‎crates/stackable-webhook/src/lib.rs‎
Lines changed: 19 additions & 6 deletions b/‎crates/stackable-webhook/src/lib.rs‎
Lines changed: 19 additions & 6 deletions
@@ -11,15 +11,23 @@ All notable changes to this project will be documented in this file.
   - `Label::stackable_vendor`: stackable.tech/vendor=Stackable
   - `Label::instance`: app.kubernetes.io/instance
   - `Label::name`: app.kubernetes.io/name
+- BREAKING: Add new ListenerClass `.spec.pinnedNodePorts` field ([#1105]).
 
+[#1105]: https://github.com/stackabletech/operator-rs/pull/1105
 [#1106]: https://github.com/stackabletech/operator-rs/pull/1106
 
 ## [0.99.0] - 2025-10-06
 
 ### Added
 
+- Add `CustomResourceDefinitionMaintainer` which applies and patches CRDs triggered by TLS
+  certificate rotations of the `ConversionWebhookServer`. It additionally provides a `oneshot`
+  channel which can for example be used to trigger creation/patching of any custom resources deployed by
+  the operator ([#1099]).
+- Add a `Client::create_if_missing` associated function to create a resource if it doesn't
+  exist ([#1099]).
 - Add CLI argument and env var to disable the end-of-support checker: `EOS_DISABLED` (`--eos-disabled`) ([#1101]).
-- Add end-of-support checker ([#1096]).
+- Add end-of-support checker ([#1096], [#1103]).
   - The EoS checker can be constructed using `EndOfSupportChecker::new()`.
   - Add new `MaintenanceOptions` and `EndOfSupportOptions` structs.
   - Add new CLI arguments and env vars:
@@ -38,6 +46,7 @@ All notable changes to this project will be documented in this file.
 
 [#1096]: https://github.com/stackabletech/operator-rs/pull/1096
 [#1098]: https://github.com/stackabletech/operator-rs/pull/1098
+[#1099]: https://github.com/stackabletech/operator-rs/pull/1099
 [#1101]: https://github.com/stackabletech/operator-rs/pull/1101
 [#1103]: https://github.com/stackabletech/operator-rs/pull/1103
 
 
@@ -253,6 +253,25 @@ impl Client {
             })
     }
 
+    /// Optionally creates a resource if it does not exist yet.
+    ///
+    /// The name used for lookup is extracted from the resource via [`ResourceExt::name_any()`].
+    /// This function either returns the existing resource or the newly created one.
+    pub async fn create_if_missing<T>(&self, resource: &T) -> Result<T>
+    where
+        T: Clone + Debug + DeserializeOwned + Resource + Serialize + GetApi,
+        <T as Resource>::DynamicType: Default,
+    {
+        if let Some(r) = self
+            .get_opt(&resource.name_any(), resource.get_namespace())
+            .await?
+        {
+            return Ok(r);
+        }
+
+        self.create(resource).await
+    }
+
     /// Patches a resource using the `MERGE` patch strategy described
     /// in [JSON Merge Patch](https://tools.ietf.org/html/rfc7386)
     /// This will fail for objects that do not exist yet.
 
@@ -66,5 +66,19 @@ pub mod versioned {
         /// Defaults to `HostnameConservative`.
         #[serde(default = "ListenerClassSpec::default_preferred_address_type")]
         pub preferred_address_type: core_v1alpha1::PreferredAddressType,
+
+        /// Whether or not a Pod exposed using a NodePort should be pinned to a specific Kubernetes node.
+        ///
+        /// By pinning the Pod to a specific (stable) Kubernetes node, stable addresses can be
+        /// provided using NodePorts. The pinning is achieved by listener-operator setting the
+        /// `volume.kubernetes.io/selected-node` annotation on the Listener PVC.
+        ///
+        /// However, this only works on setups with long-living nodes. If your nodes are rotated on
+        /// a regular basis, the Pods previously running on a removed node will be stuck in Pending
+        /// until you delete the PVC with the pinning.
+        ///
+        /// Because of this we don't enable pinning by default to support all environments.
+        #[serde(default)]
+        pub pinned_node_ports: bool,
     }
 }
@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- BREAKING: `ConversionWebhookServer::new` now returns a pair of values ([#1099]):
+  - The conversion webhook server itself
+  - A `mpsc::Receiver<Certificate>` to provide consumers the newly generated TLS certificate
+- BREAKING: Constants for ports, IP addresses and socket addresses are now associated constants on
+  `(Conversion)WebhookServer` instead of free-standing ones ([#1099]).
+
+### Removed
+
+- BREAKING: The `maintain_crds` and `field_manager` fields in `ConversionWebhookOptions`
+  are removed ([#1099]).
+
+[#1099]: https://github.com/stackabletech/operator-rs/pull/1099
+
 ## [0.6.0] - 2025-09-09
 
 ### Added
 
@@ -26,6 +26,9 @@
 //! enable complete control over these details if needed.
 //!
 //! [1]: crate::servers::ConversionWebhookServer
+use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+
+use ::x509_cert::Certificate;
 use axum::{Router, routing::get};
 use futures_util::{FutureExt as _, pin_mut, select};
 use snafu::{ResultExt, Snafu};
@@ -35,19 +38,16 @@ use tokio::{
     sync::mpsc,
 };
 use tower::ServiceBuilder;
-use x509_cert::Certificate;
 
-// use tower_http::trace::TraceLayer;
+// Selected re-exports
+pub use crate::options::WebhookOptions;
 use crate::tls::TlsServer;
 
-pub mod constants;
+pub mod maintainer;
 pub mod options;
 pub mod servers;
 pub mod tls;
 
-// Selected re-exports
-pub use crate::options::WebhookOptions;
-
 /// A generic webhook handler receiving a request and sending back a response.
 ///
 /// This trait is not intended to be implemented by external crates and this
@@ -86,6 +86,19 @@ pub struct WebhookServer {
 }
 
 impl WebhookServer {
+    /// The default HTTPS port `8443`
+    pub const DEFAULT_HTTPS_PORT: u16 = 8443;
+    /// The default IP address [`Ipv4Addr::UNSPECIFIED`] (`0.0.0.0`) the webhook server binds to,
+    /// which represents binding on all network addresses.
+    //
+    // TODO: We might want to switch to `Ipv6Addr::UNSPECIFIED)` here, as this *normally* binds to IPv4
+    // and IPv6. However, it's complicated and depends on the underlying system...
+    // If we do so, we should set `set_only_v6(false)` on the socket to not rely on system defaults.
+    pub const DEFAULT_LISTEN_ADDRESS: IpAddr = IpAddr::V4(Ipv4Addr::UNSPECIFIED);
+    /// The default socket address `0.0.0.0:8443` the webhook server binds to.
+    pub const DEFAULT_SOCKET_ADDRESS: SocketAddr =
+        SocketAddr::new(Self::DEFAULT_LISTEN_ADDRESS, Self::DEFAULT_HTTPS_PORT);
+
     /// Creates a new ready-to-use webhook server.
     ///
     /// The server listens on `socket_addr` which is provided via the [`WebhookOptions`] and handles