feat(stackable-operator): Support gitsync via SSH

crates/stackable-operator/CHANGELOG.md

@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 
 - BREAKING: `ClusterResources` now requires the objects added to implement `DeepMerge`.
   This is very likely a stackable-operator internal change, but technically breaking ([#1118]).
+- Add support for the SSH protocol for pulling git content ([#1121]).
 - Depend on the patched version of kube-rs available at <https://github.com/stackabletech/kube-rs>,
   ensuring the operators automatically benefit from the fixes ([#1124]).
 
@@ -21,6 +22,7 @@ All notable changes to this project will be documented in this file.
 - BREAKING: `ClusterResources` no longer derives `Eq` ([#1118]).
 
 [#1118]: https://github.com/stackabletech/operator-rs/pull/1118
+[#1121]: https://github.com/stackabletech/operator-rs/pull/1121
 [#1124]: https://github.com/stackabletech/operator-rs/pull/1124
 
 ## [0.100.3] - 2025-10-31

crates/stackable-operator/crds/DummyCluster.yaml

@@ -75,6 +75,83 @@ spec:
               domainName:
                 description: A validated domain name type conforming to RFC 1123, so e.g. not an IP address
                 type: string
+              gitSync:
+                properties:
+                  branch:
+                    default: main
+                    description: |-
+                      The branch to clone; defaults to `main`.
+
+                      Since git-sync v4.x.x this field is mapped to the flag `--ref`.
+                    type: string
+                  credentials:
+                    anyOf:
+                    - required:
+                      - basicAuthSecretName
+                    - required:
+                      - sshPrivateKeySecretName
+                    description: An optional secret used for git access.
+                    nullable: true
+                    properties:
+                      basicAuthSecretName:
+                        description: |-
+                          The name of the Secret used to access the repository via Basic Authentication if it is not public.
+
+                          The referenced Secret must include two fields: `user` and `password`.
+                          The `password` field can either be an actual password (not recommended) or a GitHub token,
+                          as described in the git-sync [documentation].
+
+                          [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                        type: string
+                      sshPrivateKeySecretName:
+                        description: |-
+                          The name of the Secret used for SSH access to the repository.
+
+                          The referenced Secret must include two fields: `key` and `knownHosts`.
+
+                          [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                        type: string
+                    type: object
+                  depth:
+                    default: 1
+                    description: The depth of syncing, i.e. the number of commits to clone; defaults to 1.
+                    format: uint32
+                    minimum: 0.0
+                    type: integer
+                  gitFolder:
+                    default: /
+                    description: |-
+                      Location in the Git repository containing the resource; defaults to the root folder.
+
+                      It can optionally start with `/`, however, no trailing slash is recommended.
+                      An empty string (``) or slash (`/`) corresponds to the root folder in Git.
+                    type: string
+                  gitSyncConf:
+                    additionalProperties:
+                      type: string
+                    default: {}
+                    description: |-
+                      A map of optional configuration settings that are listed in the git-sync [documentation].
+
+                      Also read the git-sync [example] in our documentation. These settings are not verified.
+
+                      [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+                      [example]: https://docs.stackable.tech/home/nightly/airflow/usage-guide/mounting-dags#_example
+                    type: object
+                  repo:
+                    description: 'The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator` or `ssh://git@github.com:stackable-airflow/dags.git`.'
+                    format: uri
+                    type: string
+                  wait:
+                    default: 20s
+                    description: |-
+                      The synchronization interval, e.g. `20s` or `5m`; defaults to `20s`.
+
+                      Since git-sync v4.x.x this field is mapped to the flag `--period`.
+                    type: string
+                required:
+                - repo
+                type: object
               hostName:
                 type: string
               kerberosRealmName:
@@ -1402,6 +1479,7 @@ spec:
             - clientAuthenticationDetails
             - clusterOperation
             - domainName
+            - gitSync
             - hostName
             - kerberosRealmName
             - opaConfig

crates/stackable-operator/src/crd/git_sync/mod.rs

@@ -20,7 +20,7 @@ pub mod versioned {
     #[derive(Clone, Debug, Deserialize, JsonSchema, PartialEq, Eq, Serialize)]
     #[serde(rename_all = "camelCase")]
     pub struct GitSync {
-        /// The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator`.
+        /// The git repository URL that will be cloned, for example: `https://github.com/stackabletech/airflow-operator` or `ssh://git@github.com:stackable-airflow/dags.git`.
         pub repo: Url,
 
         /// The branch to clone; defaults to `main`.
@@ -46,15 +46,6 @@ pub mod versioned {
         #[serde(default = "GitSync::default_wait")]
         pub wait: Duration,
 
-        /// The name of the Secret used to access the repository if it is not public.
-        ///
-        /// The referenced Secret must include two fields: `user` and `password`.
-        /// The `password` field can either be an actual password (not recommended) or a GitHub token,
-        /// as described in the git-sync [documentation].
-        ///
-        /// [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
-        pub credentials_secret: Option<String>,
-
         /// A map of optional configuration settings that are listed in the git-sync [documentation].
         ///
         /// Also read the git-sync [example] in our documentation. These settings are not verified.
@@ -63,5 +54,37 @@ pub mod versioned {
         /// [example]: DOCS_BASE_URL_PLACEHOLDER/airflow/usage-guide/mounting-dags#_example
         #[serde(default)]
         pub git_sync_conf: BTreeMap<String, String>,
+
+        /// An optional secret used for git access.
+        pub credentials: Option<Credentials>,
+    }
+
+    #[derive(strum::Display, Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+    #[serde(untagged)]
+    #[serde(rename_all = "camelCase")]
+    #[schemars(rename_all = "camelCase")]
+    pub enum Credentials {
+        BasicAuth {
+            /// The name of the Secret used to access the repository via Basic Authentication if it is not public.
+            ///
+            /// The referenced Secret must include two fields: `user` and `password`.
+            /// The `password` field can either be an actual password (not recommended) or a GitHub token,
+            /// as described in the git-sync [documentation].
+            ///
+            /// [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+            #[serde(rename = "basicAuthSecretName")]
+            #[schemars(rename = "basicAuthSecretName")]
+            basic_auth_secret_name: String,
+        },
+        Ssh {
+            /// The name of the Secret used for SSH access to the repository.
+            ///
+            /// The referenced Secret must include two fields: `key` and `knownHosts`.
+            ///
+            /// [documentation]: https://github.com/kubernetes/git-sync/tree/v4.2.4?tab=readme-ov-file#manual
+            #[serde(rename = "sshPrivateKeySecretName")]
+            #[schemars(rename = "sshPrivateKeySecretName")]
+            ssh_private_key_secret_name: String,
+        },
     }
 }