chore!: Put clientAuthenticationMethod field behind opt-in (#1194)

* fix!: Put clientAuthenticationMethod field behind opt-in

* changelog

* changelog

* Shorten generic name to OidcProductSpecificOptions

Author: sbernauer

crates/stackable-operator/CHANGELOG.md

@@ -14,14 +14,23 @@ All notable changes to this project will be documented in this file.
 
 - BREAKING: Change signature of `ContainerBuilder::add_env_vars` from `Vec<EnvVar>` to `IntoIterator<Item = EnvVar>` ([#1163]).
 - BREAKING: Remove `EXPERIMENTAL_` prefix in `CONFIG_OVERRIDE_FILE_HEADER_KEY` and `CONFIG_OVERRIDE_FILE_FOOTER_KEY` ([#1191]).
-- BREAKING: Bump `kube` from a custom version (`fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5`, which is between `3.0.1` and `3.1.0` and was needed to pull in schema fixes) to `3.1.0`. This means that the CRD schema generation bugs [#1934](https://github.com/kube-rs/kube/pull/1934) and [#1942](https://github.com/kube-rs/kube/pull/1942) are fixed ([#1192]).
+- BREAKING: Bump `kube` from a custom version (`fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5`, which is between `3.0.1` and `3.1.0`
+  and was needed to pull in schema fixes) to `3.1.0`. This means that the CRD schema generation bugs
+  [#1934](https://github.com/kube-rs/kube/pull/1934) and [#1942](https://github.com/kube-rs/kube/pull/1942) are fixed ([#1192]).
 - BREAKING: Add `ConfigOverrides` type parameter to `CommonConfiguration`, `Role` and `RoleGroup`.
   The `config_overrides` field is now generic instead of `HashMap<String, HashMap<String, String>>` ([#1177]).
+- BREAKING: In [#1178] the `clientAuthenticationMethod` was added to the `ClientAuthenticationOptions` struct,
+  resulting it to show up in all product CRDs. even those that don't support configuring the client authentication method.
+  With this change, operators need to opt-in to the `clientAuthenticationMethod` field by using the new
+  `ClientAuthenticationMethodOption` struct for the generic type `ProductSpecificClientAuthenticationOptions` on
+  `ClientAuthenticationOptions`. That way the struct definitions (as well as docs etc.) remain in stackable-operator,
+  but operators can decide if they want to offer support for this field or not ([#1194]).
 
 [#1163]: https://github.com/stackabletech/operator-rs/pull/1163
 [#1177]: https://github.com/stackabletech/operator-rs/pull/1177
 [#1191]: https://github.com/stackabletech/operator-rs/pull/1191
 [#1192]: https://github.com/stackabletech/operator-rs/pull/1192
+[#1194]: https://github.com/stackabletech/operator-rs/pull/1194
 
 ## [0.109.0] - 2026-04-07
 

crates/stackable-operator/src/commons/random_secret_creation.rs

@@ -34,7 +34,7 @@ pub enum Error {
 ///
 /// However, there is one special handling needed:
 ///
-/// We can't mark Secrets as immutable, as this caused problems, see https://github.com/stackabletech/issues/issues/843.
+/// We can't mark Secrets as immutable, as this caused problems, see <https://github.com/stackabletech/issues/issues/843>.
 /// As Secrets have been created as immutable up to SDP release 26.3.0, we need to delete the, to be
 /// able to re-create them as mutable. This function detects old (immutable) Secrets and re-creates
 /// them as mutable. The contents of the Secret will be kept to prevent unnecessary Secret content

crates/stackable-operator/src/crd/authentication/core/mod.rs

@@ -128,7 +128,7 @@ pub mod versioned {
     #[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
     #[serde(rename_all = "camelCase")]
     #[schemars(description = "")]
-    pub struct ClientAuthenticationDetails<O = ()> {
+    pub struct ClientAuthenticationDetails<OidcProductSpecificOptions = ()> {
         /// Name of the [`AuthenticationClass`] used to authenticate users.
         ///
         /// To get the concrete [`AuthenticationClass`], we must resolve it. This resolution can be
@@ -152,6 +152,6 @@ pub mod versioned {
         #[schemars(
             description = "This field contains OIDC-specific configuration. It is only required in case OIDC is used."
         )]
-        oidc: Option<oidc::v1alpha1::ClientAuthenticationOptions<O>>,
+        oidc: Option<oidc::v1alpha1::ClientAuthenticationOptions<OidcProductSpecificOptions>>,
     }
 }

crates/stackable-operator/src/crd/authentication/core/v1alpha1_impl.rs

@@ -30,7 +30,7 @@ impl AuthenticationClass {
     }
 }
 
-impl<O> ClientAuthenticationDetails<O> {
+impl<OidcProductSpecificOptions> ClientAuthenticationDetails<OidcProductSpecificOptions> {
     /// Resolves this specific [`AuthenticationClass`]. Usually products support
     /// a list of authentication classes, which individually need to be resolved.crate::client
     pub async fn resolve_class(
@@ -50,7 +50,7 @@ impl<O> ClientAuthenticationDetails<O> {
     pub fn oidc_or_error(
         &self,
         auth_class_name: &str,
-    ) -> Result<&oidc_v1alpha1::ClientAuthenticationOptions<O>> {
+    ) -> Result<&oidc_v1alpha1::ClientAuthenticationOptions<OidcProductSpecificOptions>> {
         self.oidc
             .as_ref()
             .with_context(|| OidcAuthenticationDetailsNotSpecifiedSnafu {

crates/stackable-operator/src/crd/authentication/oidc/mod.rs

@@ -135,7 +135,7 @@ pub mod versioned {
         Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
     )]
     #[serde(rename_all = "camelCase")]
-    pub struct ClientAuthenticationOptions<T = ()> {
+    pub struct ClientAuthenticationOptions<ProductSpecificClientAuthenticationOptions = ()> {
         /// A reference to the OIDC client credentials secret. The secret contains
         /// the client id and secret.
         #[serde(rename = "clientCredentialsSecret")]
@@ -151,6 +151,20 @@ pub mod versioned {
         #[serde(default)]
         pub extra_scopes: Vec<String>,
 
+        /// If desired, operators can add custom fields that are only needed for this specific product.
+        /// They need to create a struct holding them and pass that as `ProductSpecific`.
+        ///
+        /// In case you only need the `clientAuthenticationMethod` field, you can use
+        /// [`ClientAuthenticationMethodOption`] directly.
+        #[serde(flatten)]
+        pub product_specific_fields: ProductSpecificClientAuthenticationOptions,
+    }
+
+    #[derive(
+        Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
+    )]
+    #[serde(rename_all = "camelCase")]
+    pub struct ClientAuthenticationMethodOption {
         /// The OAuth2 client authentication method to use for token endpoint requests.
         /// Defaults to [`ClientAuthenticationMethod::ClientSecretBasic`].
         ///
@@ -169,10 +183,5 @@ pub mod versioned {
         )]
         #[serde(default)]
         pub client_authentication_method: ClientAuthenticationMethod,
-
-        // If desired, operators can add custom fields that are only needed for this specific product.
-        // They need to create a struct holding them and pass that as `T`.
-        #[serde(flatten)]
-        pub product_specific_fields: T,
     }
 }

crates/xtask/src/crd/dummy.rs

@@ -5,7 +5,7 @@ use stackable_operator::{
     commons::resources::{JvmHeapLimits, Resources},
     config::fragment::Fragment,
     config_overrides::{JsonConfigOverrides, KeyValueConfigOverrides, KeyValueOverridesProvider},
-    crd::git_sync::v1alpha2::GitSync,
+    crd::{authentication, authentication::oidc, git_sync::v1alpha2::GitSync},
     database_connections::{
         databases::{
             derby::DerbyConnection, mysql::MysqlConnection, postgresql::PostgresqlConnection,
@@ -107,8 +107,9 @@ pub mod versioned {
         pub object_overrides: ObjectOverrides,
 
         // Already versioned
-        client_authentication_details:
-            stackable_operator::crd::authentication::core::v1alpha1::ClientAuthenticationDetails,
+        client_authentication_details: authentication::core::v1alpha1::ClientAuthenticationDetails<
+            oidc::v1alpha1::ClientAuthenticationMethodOption,
+        >,
     }
 
     #[derive(Debug, Default, PartialEq, Fragment, JsonSchema)]