docs: Mention how CRD maintenance can be disabled

Techassi · Techassi · commit f8a405c8d2a6 · 2025-11-12T16:49:39.000+01:00
diff --git a/modules/ROOT/partials/release-notes/release-25.11.adoc b/modules/ROOT/partials/release-notes/release-25.11.adoc
@@ -508,6 +508,30 @@ See the xref:secret-operator:secretclass.adoc#ca-rotation[SecretClass] and xref:
    The resources are automatically converted by the operator.
 ** The operator now deploys the CRDs for SecretClass and TrustStore by itself instead of relying on the Helm chart.
    This enables the operator to automatically rotate and update the TLS certificate (`caBundle`) used for the conversion webhook.
+   The maintenance of CRDs (and default custom resources) can be disabled via Helm:
++
+--
+[source,yaml]
+----
+maintenance:
+  customResourceDefinitions:
+    maintain: false
+----
+
+[WARNING]
+====
+When CRD maintenance is disabled, the operator will *not* deploy and manage the CRD.
+The CRDs need to be deployed manually and the conversion webhook is disabled.
+As a result, only `v1alpha1` SecretClasses can be used.
+Only use this setting if you know what you are doing!
+====
+
+[NOTE]
+====
+Currently the maintenance of CRDs and the deployment of default custom resources, such as the `tls` SecretClass are tied together.
+This is slated to be changed in an upcoming SDP release.
+====
+--
 
 +
 See https://github.com/stackabletech/secret-operator/pull/634[secret-operator#634].
