refactor: extract dereference/validate pipeline from reconcile

CHANGELOG.md

@@ -15,10 +15,12 @@ All notable changes to this project will be documented in this file.
   `security.properties`).
   Previously, arbitrary file names were silently accepted and ignored ([#1027]).
 - Bump `stackable-operator` to 0.111.1 ([#1027], [#1028]).
+- Internal operator refactoring: introduce dereference() and validate() steps in the reconciler ([#1034]).
 
 [#1020]: https://github.com/stackabletech/zookeeper-operator/pull/1020
 [#1027]: https://github.com/stackabletech/zookeeper-operator/pull/1027
 [#1028]: https://github.com/stackabletech/zookeeper-operator/pull/1028
+[#1034]: https://github.com/stackabletech/zookeeper-operator/pull/1034
 
 ## [26.3.0] - 2026-03-16
 

rust/operator-binary/src/crd/security.rs

@@ -19,28 +19,21 @@ use stackable_operator::{
             },
         },
     },
-    client::Client,
     commons::secret_class::SecretClassVolumeProvisionParts,
     crd::authentication::core,
     k8s_openapi::api::core::v1::Volume,
     shared::time::Duration,
 };
 
 use crate::{
-    crd::{
-        authentication::{self, ResolvedAuthenticationClasses},
-        tls, v1alpha1,
-    },
+    crd::{authentication::ResolvedAuthenticationClasses, tls, v1alpha1},
     zk_controller::LISTENER_VOLUME_NAME,
 };
 
 type Result<T, E = Error> = std::result::Result<T, E>;
 
 #[derive(Snafu, Debug)]
 pub enum Error {
-    #[snafu(display("failed to process authentication class"))]
-    InvalidAuthenticationClassConfiguration { source: authentication::Error },
-
     #[snafu(display("failed to build TLS volume for {volume_name:?}"))]
     BuildTlsVolume {
         source: SecretOperatorVolumeSourceBuilderError,
@@ -96,19 +89,15 @@ impl ZookeeperSecurity {
     pub const STORE_PASSWORD_ENV: &'static str = "STORE_PASSWORD";
     pub const SYSTEM_TRUST_STORE_DIR: &'static str = "/etc/pki/java/cacerts";
 
-    /// Create a `ZookeeperSecurity` struct from the Zookeeper custom resource and resolve
-    /// all provided `AuthenticationClass` references.
-    pub async fn new_from_zookeeper_cluster(
-        client: &Client,
+    /// Build a `ZookeeperSecurity` from a [`v1alpha1::ZookeeperCluster`] and already-resolved
+    /// [`ResolvedAuthenticationClasses`]. Synchronous; intended to be called from the validate
+    /// step of the controllers.
+    pub fn new(
         zk: &v1alpha1::ZookeeperCluster,
-    ) -> Result<Self, Error> {
-        Ok(ZookeeperSecurity {
-            resolved_authentication_classes: authentication::resolve_authentication_classes(
-                client,
-                &zk.spec.cluster_config.authentication,
-            )
-            .await
-            .context(InvalidAuthenticationClassConfigurationSnafu)?,
+        resolved_authentication_classes: ResolvedAuthenticationClasses,
+    ) -> Self {
+        ZookeeperSecurity {
+            resolved_authentication_classes,
             server_secret_class: zk
                 .spec
                 .cluster_config
@@ -122,7 +111,7 @@ impl ZookeeperSecurity {
                 .as_ref()
                 .map(|tls| tls.quorum_secret_class.clone())
                 .unwrap_or_else(tls::quorum_tls_default),
-        })
+        }
     }
 
     /// Check if TLS encryption is enabled. This could be due to: