stackabletech · adwk67 · Nov 27, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
@@ -13,12 +13,14 @@ All notable changes to this project will be documented in this file.
 
 - BREAKING: `ClusterResources` now requires the objects added to implement `DeepMerge`.
   This is very likely a stackable-operator internal change, but technically breaking ([#1118]).
+- Add support for the SSH protocol for pulling git content ([#1121]).
 
 ### Removed
 
 - BREAKING: `ClusterResources` no longer derives `Eq` ([#1118]).
 
 [#1118]: https://github.com/stackabletech/operator-rs/pull/1118
+[#1121]: https://github.com/stackabletech/operator-rs/pull/1121
 
 ## [0.100.3] - 2025-10-31
 

diff --git a/crates/stackable-operator/crds/DummyCluster.yaml b/crates/stackable-operator/crds/DummyCluster.yaml
@@ -75,6 +75,77 @@ spec:
               domainName:
                 description: A validated domain name type conforming to RFC 1123, so e.g. not an IP address
                 type: string
+              gitSync:
+                properties:
+                  branch:
+                    default: main
+                    description: |-
+                      The branch to clone; defaults to `main`.
+
+                      Since git-sync v4.x.x this field is mapped to the flag `--ref`.
+                    type: string
+                  credentialsSecret:
+                    description: |-
+                      The name of the Secret used to access the repository if it is not public.
+
+                      The referenced Secret must include two fields: `user` and `password`.
+                      The `password` field can either be an actual password (not recommended) or a GitHub token,
+                      as described in the git-sync [documentation].
+                      This cannot be provided if `ssh_secret` is also provided.
+
+                      [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                    nullable: true
+                    type: string
+                  depth:
+                    default: 1
+                    description: The depth of syncing, i.e. the number of commits to clone; defaults to 1.
+                    format: uint32
+                    minimum: 0.0
+                    type: integer
+                  gitFolder:
+                    default: /
+                    description: |-
+                      Location in the Git repository containing the resource; defaults to the root folder.
+
+                      It can optionally start with `/`, however, no trailing slash is recommended.
+                      An empty string (``) or slash (`/`) corresponds to the root folder in Git.
+                    type: string
+                  gitSyncConf:
+                    additionalProperties:
+                      type: string
+                    default: {}
+                    description: |-
+                      A map of optional configuration settings that are listed in the git-sync [documentation].
+
+                      Also read the git-sync [example] in our documentation. These settings are not verified.
+
+                      [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                      [example]: https://docs.stackable.tech/home/nightly/airflow/usage-guide/mounting-dags#_example
+                    type: object
+                  repo:
+                    description: 'The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator` or `ssh://git@github.com:stackable-airflow/dags.git`.'
+                    format: uri
+                    type: string
+                  sshSecret:
+                    description: |-
+                      The name of the Secret used for SSH access to the repository.
+
+                      The referenced Secret must include two fields: `key` and `knownHosts`.
+                      This cannot be provided if `credentials_secret` is also provided.
+
+                      [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                    nullable: true
+                    type: string
+                  wait:
+                    default: 20s
+                    description: |-
+                      The synchronization interval, e.g. `20s` or `5m`; defaults to `20s`.
+
+                      Since git-sync v4.x.x this field is mapped to the flag `--period`.
+                    type: string
+                required:
+                - repo
+                type: object
               hostName:
                 type: string
               kerberosRealmName:
@@ -1402,6 +1473,7 @@ spec:
             - clientAuthenticationDetails
             - clusterOperation
             - domainName
+            - gitSync
             - hostName
             - kerberosRealmName
             - opaConfig

diff --git a/crates/stackable-operator/src/crd/git_sync/mod.rs b/crates/stackable-operator/src/crd/git_sync/mod.rs
@@ -20,7 +20,7 @@ pub mod versioned {
     #[derive(Clone, Debug, Deserialize, JsonSchema, PartialEq, Eq, Serialize)]
     #[serde(rename_all = "camelCase")]
     pub struct GitSync {
-        /// The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator`.
+        /// The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator` or `ssh://git@github.com:stackable-airflow/dags.git`.
         pub repo: Url,
 
         /// The branch to clone; defaults to `main`.
@@ -51,6 +51,7 @@ pub mod versioned {
         /// The referenced Secret must include two fields: `user` and `password`.
         /// The `password` field can either be an actual password (not recommended) or a GitHub token,
         /// as described in the git-sync [documentation].
+        /// This cannot be provided if `ssh_secret` is also provided.
         ///
         /// [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
         pub credentials_secret: Option<String>,
@@ -63,5 +64,13 @@ pub mod versioned {
         /// [example]: DOCS_BASE_URL_PLACEHOLDER/airflow/usage-guide/mounting-dags#_example
         #[serde(default)]
         pub git_sync_conf: BTreeMap<String, String>,
+
+        /// The name of the Secret used for SSH access to the repository.
+        ///
+        /// The referenced Secret must include two fields: `key` and `knownHosts`.
+        /// This cannot be provided if `credentials_secret` is also provided.
+        ///
+        /// [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+        pub ssh_secret: Option<String>,
     }
 }