From 9e6a5d726f12d60fbd6546957e82d7334ac47f23 Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Tue, 21 Apr 2026 16:53:45 +0200
Subject: [PATCH 1/2] feat: Support the annotation "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn"
---
 .../src/builder/pod/volume.rs | 17 +++++++++++++++++
 .../src/kvp/annotation/mod.rs | 11 +++++++++++
 2 files changed, 28 insertions(+)
diff --git a/crates/stackable-operator/src/builder/pod/volume.rs b/crates/stackable-operator/src/builder/pod/volume.rs
index 214285ee4..743cb357d 100644
--- a/crates/stackable-operator/src/builder/pod/volume.rs
+++ b/crates/stackable-operator/src/builder/pod/volume.rs
@@ -280,6 +280,7 @@ pub struct SecretOperatorVolumeSourceBuilder {
 kerberos_service_names: Vec,
 tls_pkcs12_password: Option,
 auto_tls_cert_lifetime: Option,
+ auto_tls_cert_domain_components_in_subject_dn: Option,
 provision_parts: SecretClassVolumeProvisionParts,
 }
@@ -302,6 +303,7 @@ impl SecretOperatorVolumeSourceBuilder {
 kerberos_service_names: Vec::new(),
 tls_pkcs12_password: None,
 auto_tls_cert_lifetime: None,
+ auto_tls_cert_domain_components_in_subject_dn: None,
 provision_parts,
 }
 }
@@ -311,6 +313,14 @@ impl SecretOperatorVolumeSourceBuilder {
 self
 }
+ pub fn with_auto_tls_cert_domain_components_in_subject_dn(
+ &mut self,
+ enabled: impl Into,
+ ) -> &mut Self {
+ self.auto_tls_cert_domain_components_in_subject_dn = Some(enabled.into());
+ self
+ }
+
 pub fn with_node_scope(&mut self) -> &mut Self {
 self.scopes.push(SecretOperatorVolumeScope::Node);
 self
@@ -391,6 +401,13 @@ impl SecretOperatorVolumeSourceBuilder {
 );
 }
+ if let Some(enabled) = self.auto_tls_cert_domain_components_in_subject_dn {
+ annotations.insert(
+ Annotation::auto_tls_cert_domain_components_in_subject_dn(enabled)
+ .context(ParseAnnotationSnafu)?,
+ );
+ }
+
 Ok(EphemeralVolumeSource {
 volume_claim_template: Some(PersistentVolumeClaimTemplate {
 metadata: Some(ObjectMetaBuilder::new().annotations(annotations).build()),
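Review bot: The new public setter `with_auto_tls_cert_domain_components_in_subject_dn` (hunk at +313) is added without a doc comment, and nothing else tells a caller that the option is tri-state. The field starts as `None` and the build hunk at +401 only inserts the annotation for `Some(..)`, so leaving the setter uncalled writes nothing and defers to whatever the secret-operator defaults to, while passing `false` writes an explicit value. Since the option presumably changes the subject DN of issued autoTls certificates, and peers that map or authorize identities by DN depend on that string, I would add `/// Sets the "domain-components-in-subject-dn" autoTls annotation; if never called, no annotation is written and the secret-operator default applies.` The surrounding `impl` block starts and ends outside the hunk.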
diff --git a/crates/stackable-operator/src/kvp/annotation/mod.rs b/crates/stackable-operator/src/kvp/annotation/mod.rs
index 2526583ed..1d4562945 100644
--- a/crates/stackable-operator/src/kvp/annotation/mod.rs
+++ b/crates/stackable-operator/src/kvp/annotation/mod.rs
@@ -166,6 +166,17 @@ impl Annotation {
 .expect("autoscaling retry annotation must be valid");
 Self(kvp)
 }
+
+ /// Constructs a `secrets.stackable.tech/backend.autotls.cert.lifetime` annotation.
+ pub fn auto_tls_cert_domain_components_in_subject_dn(
+ enabled: bool,
+ ) -> Result {
+ let kvp = KeyValuePair::try_from((
+ "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn",
+ enabled.to_string(),
+ ))?;
+ Ok(Self(kvp))
+ }
 }
 /// A validated set/list of Kubernetes annotations.
From 8eb179f9faf75afae2db8171445e84a6a54a4401 Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Wed, 27 May 2026 17:19:45 +0200
Subject: [PATCH 2/2] chore: Update changelog
---
 crates/stackable-operator/CHANGELOG.md | 3 +++
 .../src/builder/pod/volume.rs | 7 +++---
 .../src/kvp/annotation/mod.rs | 25 +++++++++++++------
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 04a6b4fc7..1f99afaba 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -8,6 +8,8 @@ All notable changes to this project will be documented in this file.
 - Add `Client::{get_feature_gates,get_enabled_feature_gates,get_disabled_feature_gates}` associated functions to retrieve all, enabled, or disabled feature gates from the Kubernetes apiserver ([#1207]).
+- Support the annotation `secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn`
+ in the `SecretOperatorVolumeSourceBuilder` ([#1209]).
 ### Changed
@@ -15,6 +17,7 @@ All notable changes to this project will be documented in this file.
 [#1206]: https://github.com/stackabletech/operator-rs/pull/1206
 [#1207]: https://github.com/stackabletech/operator-rs/pull/1207
+[#1209]: https://github.com/stackabletech/operator-rs/pull/1209
 ## [0.111.1] - 2026-04-28
diff --git a/crates/stackable-operator/src/builder/pod/volume.rs b/crates/stackable-operator/src/builder/pod/volume.rs
index 743cb357d..b3757694d 100644
--- a/crates/stackable-operator/src/builder/pod/volume.rs
+++ b/crates/stackable-operator/src/builder/pod/volume.rs
@@ -402,10 +402,9 @@ impl SecretOperatorVolumeSourceBuilder {
 }
 if let Some(enabled) = self.auto_tls_cert_domain_components_in_subject_dn {
- annotations.insert(
- Annotation::auto_tls_cert_domain_components_in_subject_dn(enabled)
- .context(ParseAnnotationSnafu)?,
- );
+ annotations.insert(Annotation::auto_tls_cert_domain_components_in_subject_dn(
+ enabled,
+ ));
 }
 Ok(EphemeralVolumeSource {
diff --git a/crates/stackable-operator/src/kvp/annotation/mod.rs b/crates/stackable-operator/src/kvp/annotation/mod.rs
index 1d4562945..b66913bfe 100644
--- a/crates/stackable-operator/src/kvp/annotation/mod.rs
+++ b/crates/stackable-operator/src/kvp/annotation/mod.rs
@@ -161,21 +161,23 @@ impl Annotation {
 pub fn autoscaling_retry(retry: bool) -> Self {
 // SAFETY: We use expect here, because the input parameter can only be one of two possible
 // values: true or false. This fact in combination with the known annotation key length
- // allows use to use expect here, instead of bubbling up the error.
+ // allows us to use expect here, instead of bubbling up the error.
 let kvp = KeyValuePair::try_from(("autoscaling.stackable.tech/retry", retry.to_string()))
 .expect("autoscaling retry annotation must be valid");
 Self(kvp)
 }
- /// Constructs a `secrets.stackable.tech/backend.autotls.cert.lifetime` annotation.
- pub fn auto_tls_cert_domain_components_in_subject_dn(
- enabled: bool,
- ) -> Result {
+ /// Constructs a `secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn` annotation.
+ pub fn auto_tls_cert_domain_components_in_subject_dn(enabled: bool) -> Self {
+ // SAFETY: We use expect here, because the input parameter can only be one of two possible
+ // values: true or false. This fact in combination with the known annotation key length
+ // allows us to use expect here, instead of bubbling up the error.
 let kvp = KeyValuePair::try_from((
 "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn",
 enabled.to_string(),
- ))?;
- Ok(Self(kvp))
+ ))
+ .expect("annotation must be valid");
+ Self(kvp)
 }
 }
@@ -368,4 +370,13 @@ mod test {
 assert_eq!(annotations.len(), 2);
 }
+
+ #[test]
+ fn test_boolean_annotations() {
+ // Check that the functions do not fail for all possible inputs
+ for value in [false, true] {
+ Annotation::autoscaling_retry(value);
+ Annotation::auto_tls_cert_domain_components_in_subject_dn(value);
+ }
+ }
 }
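Review bot: The `.expect("annotation must be valid")` message in the rewritten `auto_tls_cert_domain_components_in_subject_dn` does not name the annotation, unlike the sibling `"autoscaling retry annotation must be valid"`, so a panic line in an operator log would not say which key failed validation. I would make it `.expect("autotls domain-components-in-subject-dn annotation must be valid")`. The copied `// SAFETY:` label is conventionally reserved for `unsafe` blocks; a plain comment stating the invariant (boolean value, fixed key) would keep it out of audits that search for that marker. The `impl Annotation` block starts outside the hunk.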
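Review bot: `test_boolean_annotations` (hunk at +370) only shows that the two constructors do not panic; it never checks the key or value they produce. A misspelled key that still passes validation would go unnoticed here, and the annotation would presumably be ignored downstream, leaving certificates issued with the default subject DN while the caller believes the option is set. I would assert for each input that the resulting key equals the expected annotation name and that the value is `"true"` or `"false"`, using whatever accessor `Annotation` already exposes. The `mod test` block starts outside the hunk.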