From 04f449b706b97828ca606f6f960e5c4c343e2e60 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Tue, 10 Mar 2026 16:57:40 +0100
Subject: [PATCH 01/10] WIP: Adding first controller

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/.gitignore                     |    1 +
 operator/Cargo.lock                     | 4345 +++++++++++++++++++++++
 operator/Cargo.toml                     |   50 +
 operator/manifests/s3_instance.yaml     |   11 +
 operator/src/api/mod.rs                 |    1 +
 operator/src/api/v1beta1/mod.rs         |    1 +
 operator/src/api/v1beta1/s3_instance.rs |   38 +
 operator/src/conditions.rs              |   51 +
 operator/src/controller.rs              |   66 +
 operator/src/controllers/mod.rs         |    1 +
 operator/src/controllers/s3_instance.rs |  204 ++
 operator/src/crdgen.rs                  |    8 +
 operator/src/lib.rs                     |    1 +
 operator/src/s3/dummy.rs                |    0
 operator/src/s3/mod.rs                  |    8 +
 operator/src/s3/s3.rs                   |   52 +
 16 files changed, 4838 insertions(+)
 create mode 100644 operator/.gitignore
 create mode 100644 operator/Cargo.lock
 create mode 100644 operator/Cargo.toml
 create mode 100644 operator/manifests/s3_instance.yaml
 create mode 100644 operator/src/api/mod.rs
 create mode 100644 operator/src/api/v1beta1/mod.rs
 create mode 100644 operator/src/api/v1beta1/s3_instance.rs
 create mode 100644 operator/src/conditions.rs
 create mode 100644 operator/src/controller.rs
 create mode 100644 operator/src/controllers/mod.rs
 create mode 100644 operator/src/controllers/s3_instance.rs
 create mode 100644 operator/src/crdgen.rs
 create mode 100644 operator/src/lib.rs
 create mode 100644 operator/src/s3/dummy.rs
 create mode 100644 operator/src/s3/mod.rs
 create mode 100644 operator/src/s3/s3.rs

diff --git a/operator/.gitignore b/operator/.gitignore
new file mode 100644
index 0000000..ea8c4bf
--- /dev/null
+++ b/operator/.gitignore
@@ -0,0 +1 @@
+/target
diff --git a/operator/Cargo.lock b/operator/Cargo.lock
new file mode 100644
index 0000000..0a1ee41
--- /dev/null
+++ b/operator/Cargo.lock
@@ -0,0 +1,4345 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "actix-codec"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f7b0a21988c1bf877cf4759ef5ddaac04c1c9fe808c9142ecb78ba97d97a28a"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "memchr",
+ "pin-project-lite",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "actix-http"
+version = "3.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f860ee6746d0c5b682147b2f7f8ef036d4f92fe518251a3a35ffa3650eafdf0e"
+dependencies = [
+ "actix-codec",
+ "actix-rt",
+ "actix-service",
+ "actix-utils",
+ "base64",
+ "bitflags",
+ "brotli",
+ "bytes",
+ "bytestring",
+ "derive_more",
+ "encoding_rs",
+ "flate2",
+ "foldhash 0.1.5",
+ "futures-core",
+ "h2 0.3.27",
+ "http 0.2.12",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "language-tags",
+ "local-channel",
+ "mime",
+ "percent-encoding",
+ "pin-project-lite",
+ "rand",
+ "sha1",
+ "smallvec",
+ "tokio",
+ "tokio-util",
+ "tracing",
+ "zstd",
+]
+
+[[package]]
+name = "actix-macros"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb"
+dependencies = [
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "actix-router"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "14f8c75c51892f18d9c46150c5ac7beb81c95f78c8b83a634d49f4ca32551fe7"
+dependencies = [
+ "bytestring",
+ "cfg-if",
+ "http 0.2.12",
+ "regex",
+ "regex-lite",
+ "serde",
+ "tracing",
+]
+
+[[package]]
+name = "actix-rt"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92589714878ca59a7626ea19734f0e07a6a875197eec751bb5d3f99e64998c63"
+dependencies = [
+ "futures-core",
+ "tokio",
+]
+
+[[package]]
+name = "actix-server"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a65064ea4a457eaf07f2fba30b4c695bf43b721790e9530d26cb6f9019ff7502"
+dependencies = [
+ "actix-rt",
+ "actix-service",
+ "actix-utils",
+ "futures-core",
+ "futures-util",
+ "mio",
+ "socket2 0.5.10",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "actix-service"
+version = "2.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e46f36bf0e5af44bdc4bdb36fbbd421aa98c79a9bce724e1edeb3894e10dc7f"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "actix-utils"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88a1dcdff1466e3c2488e1cb5c36a71822750ad43839937f85d2f4d9f8b705d8"
+dependencies = [
+ "local-waker",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "actix-web"
+version = "4.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff87453bc3b56e9b2b23c1cc0b1be8797184accf51d2abe0f8a33ec275d316bf"
+dependencies = [
+ "actix-codec",
+ "actix-http",
+ "actix-macros",
+ "actix-router",
+ "actix-rt",
+ "actix-server",
+ "actix-service",
+ "actix-utils",
+ "actix-web-codegen",
+ "bytes",
+ "bytestring",
+ "cfg-if",
+ "cookie",
+ "derive_more",
+ "encoding_rs",
+ "foldhash 0.1.5",
+ "futures-core",
+ "futures-util",
+ "impl-more",
+ "itoa",
+ "language-tags",
+ "log",
+ "mime",
+ "once_cell",
+ "pin-project-lite",
+ "regex",
+ "regex-lite",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "smallvec",
+ "socket2 0.6.3",
+ "time",
+ "tracing",
+ "url",
+]
+
+[[package]]
+name = "actix-web-codegen"
+version = "4.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f591380e2e68490b5dfaf1dd1aa0ebe78d84ba7067078512b4ea6e4492d622b8"
+dependencies = [
+ "actix-router",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
+[[package]]
+name = "ahash"
+version = "0.8.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
+dependencies = [
+ "cfg-if",
+ "getrandom 0.3.4",
+ "once_cell",
+ "version_check",
+ "zerocopy",
+]
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "alloc-no-stdlib"
+version = "2.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3"
+
+[[package]]
+name = "alloc-stdlib"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece"
+dependencies = [
+ "alloc-no-stdlib",
+]
+
+[[package]]
+name = "allocator-api2"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
+
+[[package]]
+name = "anstream"
+version = "0.6.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+
+[[package]]
+name = "assert-json-diff"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47e4f2b81832e72834d7518d8487a0396a28cc408186a2e8854c0f98011faf12"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "async-broadcast"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
+dependencies = [
+ "event-listener",
+ "event-listener-strategy",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-stream"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b5a71a6f37880a80d1d7f19efd781e4b5de42c88f0722cc13bcb6cc2cfe8476"
+dependencies = [
+ "async-stream-impl",
+ "futures-core",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "async-stream-impl"
+version = "0.3.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "aws-config"
+version = "1.8.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11493b0bad143270fb8ad284a096dd529ba91924c5409adeac856cc1bf047dbc"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-sdk-sso",
+ "aws-sdk-ssooidc",
+ "aws-sdk-sts",
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-types",
+ "bytes",
+ "fastrand",
+ "hex",
+ "http 1.4.0",
+ "sha1",
+ "time",
+ "tokio",
+ "tracing",
+ "url",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-credential-types"
+version = "1.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f20799b373a1be121fe3005fba0c2090af9411573878f224df44b42727fcaf7"
+dependencies = [
+ "aws-smithy-async",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-rs"
+version = "1.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.38.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
+dependencies = [
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
+[[package]]
+name = "aws-runtime"
+version = "1.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5fc0651c57e384202e47153c1260b84a9936e19803d747615edf199dc3b98d17"
+dependencies = [
+ "aws-credential-types",
+ "aws-sigv4",
+ "aws-smithy-async",
+ "aws-smithy-eventstream",
+ "aws-smithy-http",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-types",
+ "bytes",
+ "bytes-utils",
+ "fastrand",
+ "http 0.2.12",
+ "http 1.4.0",
+ "http-body 0.4.6",
+ "http-body 1.0.1",
+ "percent-encoding",
+ "pin-project-lite",
+ "tracing",
+ "uuid",
+]
+
+[[package]]
+name = "aws-sdk-s3"
+version = "1.125.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "223f5c95650d9557925a91f4c2db3def189e8f659452134a29e5cd2d37d708ed"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-sigv4",
+ "aws-smithy-async",
+ "aws-smithy-checksums",
+ "aws-smithy-eventstream",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-observability",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-smithy-xml",
+ "aws-types",
+ "bytes",
+ "fastrand",
+ "hex",
+ "hmac",
+ "http 0.2.12",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "lru",
+ "percent-encoding",
+ "regex-lite",
+ "sha2",
+ "tracing",
+ "url",
+]
+
+[[package]]
+name = "aws-sdk-sso"
+version = "1.96.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f64a6eded248c6b453966e915d32aeddb48ea63ad17932682774eb026fbef5b1"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-observability",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-types",
+ "bytes",
+ "fastrand",
+ "http 0.2.12",
+ "http 1.4.0",
+ "regex-lite",
+ "tracing",
+]
+
+[[package]]
+name = "aws-sdk-ssooidc"
+version = "1.98.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db96d720d3c622fcbe08bae1c4b04a72ce6257d8b0584cb5418da00ae20a344f"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-observability",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-types",
+ "bytes",
+ "fastrand",
+ "http 0.2.12",
+ "http 1.4.0",
+ "regex-lite",
+ "tracing",
+]
+
+[[package]]
+name = "aws-sdk-sts"
+version = "1.100.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fafbdda43b93f57f699c5dfe8328db590b967b8a820a13ccdd6687355dfcc7ca"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-observability",
+ "aws-smithy-query",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-smithy-xml",
+ "aws-types",
+ "fastrand",
+ "http 0.2.12",
+ "http 1.4.0",
+ "regex-lite",
+ "tracing",
+]
+
+[[package]]
+name = "aws-sigv4"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0b660013a6683ab23797778e21f1f854744fdf05f68204b4cca4c8c04b5d1f4"
+dependencies = [
+ "aws-credential-types",
+ "aws-smithy-eventstream",
+ "aws-smithy-http",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "bytes",
+ "crypto-bigint 0.5.5",
+ "form_urlencoded",
+ "hex",
+ "hmac",
+ "http 0.2.12",
+ "http 1.4.0",
+ "p256",
+ "percent-encoding",
+ "ring",
+ "sha2",
+ "subtle",
+ "time",
+ "tracing",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-smithy-async"
+version = "1.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ffcaf626bdda484571968400c326a244598634dc75fd451325a54ad1a59acfc"
+dependencies = [
+ "futures-util",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "aws-smithy-checksums"
+version = "0.64.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6750f3dd509b0694a4377f0293ed2f9630d710b1cebe281fa8bac8f099f88bc6"
+dependencies = [
+ "aws-smithy-http",
+ "aws-smithy-types",
+ "bytes",
+ "crc-fast",
+ "hex",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "md-5",
+ "pin-project-lite",
+ "sha1",
+ "sha2",
+ "tracing",
+]
+
+[[package]]
+name = "aws-smithy-eventstream"
+version = "0.60.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf09d74e5e32f76b8762da505a3cd59303e367a664ca67295387baa8c1d7548"
+dependencies = [
+ "aws-smithy-types",
+ "bytes",
+ "crc32fast",
+]
+
+[[package]]
+name = "aws-smithy-http"
+version = "0.63.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba1ab2dc1c2c3749ead27180d333c42f11be8b0e934058fb4b2258ee8dbe5231"
+dependencies = [
+ "aws-smithy-eventstream",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "bytes",
+ "bytes-utils",
+ "futures-core",
+ "futures-util",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "percent-encoding",
+ "pin-project-lite",
+ "pin-utils",
+ "tracing",
+]
+
+[[package]]
+name = "aws-smithy-http-client"
+version = "1.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a2f165a7feee6f263028b899d0a181987f4fa7179a6411a32a439fba7c5f769"
+dependencies = [
+ "aws-smithy-async",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "h2 0.3.27",
+ "h2 0.4.13",
+ "http 0.2.12",
+ "http 1.4.0",
+ "http-body 0.4.6",
+ "hyper 0.14.32",
+ "hyper 1.8.1",
+ "hyper-rustls 0.24.2",
+ "hyper-rustls 0.27.7",
+ "hyper-util",
+ "pin-project-lite",
+ "rustls 0.21.12",
+ "rustls 0.23.37",
+ "rustls-native-certs",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls 0.26.4",
+ "tower",
+ "tracing",
+]
+
+[[package]]
+name = "aws-smithy-json"
+version = "0.62.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9648b0bb82a2eedd844052c6ad2a1a822d1f8e3adee5fbf668366717e428856a"
+dependencies = [
+ "aws-smithy-types",
+]
+
+[[package]]
+name = "aws-smithy-observability"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a06c2315d173edbf1920da8ba3a7189695827002e4c0fc961973ab1c54abca9c"
+dependencies = [
+ "aws-smithy-runtime-api",
+]
+
+[[package]]
+name = "aws-smithy-query"
+version = "0.60.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a56d79744fb3edb5d722ef79d86081e121d3b9422cb209eb03aea6aa4f21ebd"
+dependencies = [
+ "aws-smithy-types",
+ "urlencoding",
+]
+
+[[package]]
+name = "aws-smithy-runtime"
+version = "1.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "028999056d2d2fd58a697232f9eec4a643cf73a71cf327690a7edad1d2af2110"
+dependencies = [
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-http-client",
+ "aws-smithy-observability",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "bytes",
+ "fastrand",
+ "http 0.2.12",
+ "http 1.4.0",
+ "http-body 0.4.6",
+ "http-body 1.0.1",
+ "http-body-util",
+ "pin-project-lite",
+ "pin-utils",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "aws-smithy-runtime-api"
+version = "1.11.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "876ab3c9c29791ba4ba02b780a3049e21ec63dabda09268b175272c3733a79e6"
+dependencies = [
+ "aws-smithy-async",
+ "aws-smithy-types",
+ "bytes",
+ "http 0.2.12",
+ "http 1.4.0",
+ "pin-project-lite",
+ "tokio",
+ "tracing",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-smithy-types"
+version = "1.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2b1117b3b2bbe166d11199b540ceed0d0f7676e36e7b962b5a437a9971eac75"
+dependencies = [
+ "base64-simd",
+ "bytes",
+ "bytes-utils",
+ "futures-core",
+ "http 0.2.12",
+ "http 1.4.0",
+ "http-body 0.4.6",
+ "http-body 1.0.1",
+ "http-body-util",
+ "itoa",
+ "num-integer",
+ "pin-project-lite",
+ "pin-utils",
+ "ryu",
+ "serde",
+ "time",
+ "tokio",
+ "tokio-util",
+]
+
+[[package]]
+name = "aws-smithy-xml"
+version = "0.60.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ce02add1aa3677d022f8adf81dcbe3046a95f17a1b1e8979c145cd21d3d22b3"
+dependencies = [
+ "xmlparser",
+]
+
+[[package]]
+name = "aws-types"
+version = "1.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47c8323699dd9b3c8d5b3c13051ae9cdef58fd179957c882f8374dd8725962d9"
+dependencies = [
+ "aws-credential-types",
+ "aws-smithy-async",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "rustc_version",
+ "tracing",
+]
+
+[[package]]
+name = "backon"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cffb0e931875b666fc4fcb20fee52e9bbd1ef836fd9e9e04ec21555f9f85f7ef"
+dependencies = [
+ "fastrand",
+ "gloo-timers",
+ "tokio",
+]
+
+[[package]]
+name = "base16ct"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "349a06037c7bf932dd7e7d1f653678b2038b9ad46a74102f1fc7bd7872678cce"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "base64-simd"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "339abbe78e73178762e23bea9dfd08e697eb3f3301cd4be981c0f78ba5859195"
+dependencies = [
+ "outref",
+ "vsimd",
+]
+
+[[package]]
+name = "base64ct"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
+
+[[package]]
+name = "bindgen"
+version = "0.71.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f58bf3d7db68cfbac37cfc485a8d711e87e064c3d0fe0435b92f7a407f9d6b3"
+dependencies = [
+ "bitflags",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.13.0",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash",
+ "shlex",
+ "syn",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "brotli"
+version = "8.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4bd8b9603c7aa97359dbd97ecf258968c95f3adddd6db2f7e7a5bef101c84560"
+dependencies = [
+ "alloc-no-stdlib",
+ "alloc-stdlib",
+ "brotli-decompressor",
+]
+
+[[package]]
+name = "brotli-decompressor"
+version = "5.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03"
+dependencies = [
+ "alloc-no-stdlib",
+ "alloc-stdlib",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
+
+[[package]]
+name = "bytes"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
+
+[[package]]
+name = "bytes-utils"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7dafe3a8757b027e2be6e4e5601ed563c55989fcf1546e933c66c8eb3a058d35"
+dependencies = [
+ "bytes",
+ "either",
+]
+
+[[package]]
+name = "bytestring"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "113b4343b5f6617e7ad401ced8de3cc8b012e73a594347c307b90db3e9271289"
+dependencies = [
+ "bytes",
+]
+
+[[package]]
+name = "cbindgen"
+version = "0.28.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadd868a2ce9ca38de7eeafdcec9c7065ef89b42b32f0839278d55f35c54d1ff"
+dependencies = [
+ "heck 0.4.1",
+ "indexmap",
+ "log",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "syn",
+ "tempfile",
+ "toml",
+]
+
+[[package]]
+name = "cc"
+version = "1.2.56"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2"
+dependencies = [
+ "find-msvc-tools",
+ "jobserver",
+ "libc",
+ "shlex",
+]
+
+[[package]]
+name = "cexpr"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "clang-sys"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
+
+[[package]]
+name = "clap"
+version = "4.5.60"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.60"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.55"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
+
+[[package]]
+name = "cmake"
+version = "0.1.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "colorchoice"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
+
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "convert_case"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9"
+dependencies = [
+ "unicode-segmentation",
+]
+
+[[package]]
+name = "cookie"
+version = "0.16.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e859cd57d0710d9e06c381b550c06e76992472a8c6d527aecd2fc673dcc231fb"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc"
+version = "3.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9710d3b3739c2e349eb44fe848ad0b7c8cb1e42bd87ee49371df2f7acaf3e675"
+dependencies = [
+ "crc-catalog",
+]
+
+[[package]]
+name = "crc-catalog"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
+
+[[package]]
+name = "crc-fast"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2fd92aca2c6001b1bf5ba0ff84ee74ec8501b52bbef0cac80bf25a6c1d87a83d"
+dependencies = [
+ "crc",
+ "digest",
+ "rustversion",
+ "spin",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crypto-bigint"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef2b4b23cddf68b89b8f8069890e8c270d54e2d5fe1b143820234805e4cb17ef"
+dependencies = [
+ "generic-array",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "darling"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0"
+dependencies = [
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "der"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de"
+dependencies = [
+ "const-oid",
+ "zeroize",
+]
+
+[[package]]
+name = "deranged"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
+dependencies = [
+ "powerfmt",
+]
+
+[[package]]
+name = "derive_more"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d751e9e49156b02b44f9c1815bcb94b984cdcc4396ecc32521c739452808b134"
+dependencies = [
+ "derive_more-impl",
+]
+
+[[package]]
+name = "derive_more-impl"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb"
+dependencies = [
+ "convert_case",
+ "proc-macro2",
+ "quote",
+ "rustc_version",
+ "syn",
+ "unicode-xid",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
+
+[[package]]
+name = "ecdsa"
+version = "0.14.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413301934810f597c1d19ca71c8710e99a3f1ba28a0d2ebc01551a2daeea3c5c"
+dependencies = [
+ "der",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+]
+
+[[package]]
+name = "educe"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417"
+dependencies = [
+ "enum-ordinalize",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+
+[[package]]
+name = "elliptic-curve"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7bb888ab5300a19b8e5bceef25ac745ad065f3c9f7efc6de1b91958110891d3"
+dependencies = [
+ "base16ct",
+ "crypto-bigint 0.4.9",
+ "der",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "encoding_rs"
+version = "0.8.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "enum-ordinalize"
+version = "4.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a1091a7bb1f8f2c4b28f1fe2cef4980ca2d410a3d727d67ecc3178c9b0800f0"
+dependencies = [
+ "enum-ordinalize-derive",
+]
+
+[[package]]
+name = "enum-ordinalize-derive"
+version = "4.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "envtest"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce14cfe6406ca36a47189f60910342384b7eee57138956e736c78c6cc7ef0bb1"
+dependencies = [
+ "k8s-openapi",
+ "kube",
+ "rust2go",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "event-listener"
+version = "5.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab"
+dependencies = [
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "event-listener-strategy"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
+dependencies = [
+ "event-listener",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+
+[[package]]
+name = "ff"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d013fc25338cc558c5c2cfbad646908fb23591e2404481826742b651c9af7160"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "find-msvc-tools"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+
+[[package]]
+name = "flate2"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "foldhash"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "fs-set-times"
+version = "0.20.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94e7099f6313ecacbe1256e8ff9d617b75d1bcb16a6fddef94866d225a01a14a"
+dependencies = [
+ "io-lifetimes",
+ "rustix",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
+[[package]]
+name = "futures"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
+
+[[package]]
+name = "futures-task"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
+
+[[package]]
+name = "futures-util"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi 5.3.0",
+ "wasip2",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi 6.0.0",
+ "wasip2",
+ "wasip3",
+]
+
+[[package]]
+name = "glob"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
+
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "group"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5dfbfb3a6cfbd390d5c9564ab283a0349b9b9fcd46a706c1eb10e0db70bfbac7"
+dependencies = [
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "h2"
+version = "0.3.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0beca50380b1fc32983fc1cb4587bfa4bb9e78fc259aad4a0032d2080309222d"
+dependencies = [
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "futures-util",
+ "http 0.2.12",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "h2"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http 1.4.0",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash 0.1.5",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+dependencies = [
+ "allocator-api2",
+ "equivalent",
+ "foldhash 0.2.0",
+]
+
+[[package]]
+name = "heck"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "hostname"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "617aaa3557aef3810a6369d0a99fac8a080891b68bd9f9812a1eeda0c0730cbd"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "windows-link",
+]
+
+[[package]]
+name = "http"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "601cbb57e577e2f5ef5be8e7b83f0f63994f25aa94d673e54a92d5c516d101f1"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+dependencies = [
+ "bytes",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2"
+dependencies = [
+ "bytes",
+ "http 0.2.12",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http 1.4.0",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
+
+[[package]]
+name = "httpdate"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
+
+[[package]]
+name = "hyper"
+version = "0.14.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41dfc780fdec9373c01bae43289ea34c972e40ee3c9f6b3c8801a35f35586ce7"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2 0.3.27",
+ "http 0.2.12",
+ "http-body 0.4.6",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "socket2 0.5.10",
+ "tokio",
+ "tower-service",
+ "tracing",
+ "want",
+]
+
+[[package]]
+name = "hyper"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "h2 0.4.13",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "httparse",
+ "itoa",
+ "pin-project-lite",
+ "pin-utils",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.24.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590"
+dependencies = [
+ "futures-util",
+ "http 0.2.12",
+ "hyper 0.14.32",
+ "log",
+ "rustls 0.21.12",
+ "tokio",
+ "tokio-rustls 0.24.1",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+dependencies = [
+ "http 1.4.0",
+ "hyper 1.8.1",
+ "hyper-util",
+ "log",
+ "rustls 0.23.37",
+ "rustls-native-certs",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls 0.26.4",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-timeout"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
+dependencies = [
+ "hyper 1.8.1",
+ "hyper-util",
+ "pin-project-lite",
+ "tokio",
+ "tower-service",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "hyper 1.8.1",
+ "ipnet",
+ "libc",
+ "percent-encoding",
+ "pin-project-lite",
+ "socket2 0.6.3",
+ "tokio",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "impl-more"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8a5a9a0ff0086c7a148acb942baaabeadf9504d10400b5a05645853729b9cd2"
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "io-lifetimes"
+version = "2.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06432fb54d3be7964ecd3649233cddf80db2832f47fec34c01f65b3d9d774983"
+
+[[package]]
+name = "ipnet"
+version = "2.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
+[[package]]
+name = "itertools"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+
+[[package]]
+name = "jiff"
+version = "0.2.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a3546dc96b6d42c5f24902af9e2538e82e39ad350b0c766eb3fbf2d8f3d8359"
+dependencies = [
+ "jiff-static",
+ "log",
+ "portable-atomic",
+ "portable-atomic-util",
+ "serde_core",
+]
+
+[[package]]
+name = "jiff-static"
+version = "0.2.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a8c8b344124222efd714b73bb41f8b5120b27a7cc1c75593a6ff768d9d05aa4"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
+
+[[package]]
+name = "js-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "json-patch"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f300e415e2134745ef75f04562dd0145405c2f7fd92065db029ac4b16b57fe90"
+dependencies = [
+ "jsonptr",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "jsonpath-rust"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "633a7320c4bb672863a3782e89b9094ad70285e097ff6832cddd0ec615beadfa"
+dependencies = [
+ "pest",
+ "pest_derive",
+ "regex",
+ "serde_json",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "jsonptr"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5a3cc660ba5d72bce0b3bb295bf20847ccbb40fd423f3f05b61273672e561fe"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "k8s-openapi"
+version = "0.27.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51b326f5219dd55872a72c1b6ddd1b830b8334996c667449c29391d657d78d5e"
+dependencies = [
+ "base64",
+ "jiff",
+ "schemars",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "kube"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f96b537b4c4f61fc183594edbecbbefa3037e403feac0701bb24e6eff78e0034"
+dependencies = [
+ "k8s-openapi",
+ "kube-client",
+ "kube-core",
+ "kube-derive",
+ "kube-runtime",
+]
+
+[[package]]
+name = "kube-client"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af97b8b696eb737e5694f087c498ca725b172c2a5bc3a6916328d160225537ee"
+dependencies = [
+ "base64",
+ "bytes",
+ "either",
+ "futures",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "hyper 1.8.1",
+ "hyper-rustls 0.27.7",
+ "hyper-timeout",
+ "hyper-util",
+ "jiff",
+ "jsonpath-rust",
+ "k8s-openapi",
+ "kube-core",
+ "pem",
+ "rustls 0.23.37",
+ "secrecy",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+ "tower",
+ "tower-http",
+ "tracing",
+]
+
+[[package]]
+name = "kube-core"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7aeade7d2e9f165f96b3c1749ff01a8e2dc7ea954bd333bcfcecc37d5226bdd"
+dependencies = [
+ "derive_more",
+ "form_urlencoded",
+ "http 1.4.0",
+ "jiff",
+ "json-patch",
+ "k8s-openapi",
+ "schemars",
+ "serde",
+ "serde-value",
+ "serde_json",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "kube-derive"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c98f59f4e68864624a0b993a1cc2424439ab7238eaede5c299e89943e2a093ff"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "syn",
+]
+
+[[package]]
+name = "kube-runtime"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc158473d6d86ec22692874bd5ddccf07474eab5c6bb41f226c522e945da5244"
+dependencies = [
+ "ahash",
+ "async-broadcast",
+ "async-stream",
+ "backon",
+ "educe",
+ "futures",
+ "hashbrown 0.16.1",
+ "hostname",
+ "json-patch",
+ "k8s-openapi",
+ "kube-client",
+ "parking_lot",
+ "pin-project",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "language-tags"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4345964bb142484797b161f473a503a434de77149dd8c7427788c6e13379388"
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "libc"
+version = "0.2.183"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+
+[[package]]
+name = "libloading"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
+dependencies = [
+ "cfg-if",
+ "windows-link",
+]
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
+[[package]]
+name = "local-channel"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6cbc85e69b8df4b8bb8b89ec634e7189099cea8927a276b7384ce5488e53ec8"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+ "local-waker",
+]
+
+[[package]]
+name = "local-waker"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d873d7c67ce09b42110d801813efbc9364414e356be9935700d368351657487"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
+[[package]]
+name = "lru"
+version = "0.16.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1dc47f592c06f33f8e3aea9591776ec7c9f9e4124778ff8a3c3b87159f7e593"
+dependencies = [
+ "hashbrown 0.16.1",
+]
+
+[[package]]
+name = "matchers"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
+dependencies = [
+ "regex-automata",
+]
+
+[[package]]
+name = "md-5"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf"
+dependencies = [
+ "cfg-if",
+ "digest",
+]
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+ "simd-adler32",
+]
+
+[[package]]
+name = "mio"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+dependencies = [
+ "libc",
+ "log",
+ "wasi",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.50.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
+[[package]]
+name = "ordered-float"
+version = "2.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "outref"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e"
+
+[[package]]
+name = "p256"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51f44edd08f51e2ade572f141051021c5af22677e42b7dd28a88155151c33594"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "sha2",
+]
+
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "pem"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
+dependencies = [
+ "base64",
+ "serde_core",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
+
+[[package]]
+name = "pest"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0848c601009d37dfa3430c4666e147e49cdcf1b92ecd3e63657d8a5f19da662"
+dependencies = [
+ "memchr",
+ "ucd-trie",
+]
+
+[[package]]
+name = "pest_derive"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11f486f1ea21e6c10ed15d5a7c77165d0ee443402f0780849d1768e7d9d6fe77"
+dependencies = [
+ "pest",
+ "pest_generator",
+]
+
+[[package]]
+name = "pest_generator"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8040c4647b13b210a963c1ed407c1ff4fdfa01c31d6d2a098218702e6664f94f"
+dependencies = [
+ "pest",
+ "pest_meta",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pest_meta"
+version = "2.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89815c69d36021a140146f26659a81d6c2afa33d216d736dd4be5381a7362220"
+dependencies = [
+ "pest",
+ "sha2",
+]
+
+[[package]]
+name = "pin-project"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkcs8"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
+[[package]]
+name = "portable-atomic"
+version = "1.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
+
+[[package]]
+name = "portable-atomic-util"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a9db96d7fa8782dd8c15ce32ffe8680bbd1e978a43bf51a34d39483540495f5"
+dependencies = [
+ "portable-atomic",
+]
+
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.17",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "ref-cast"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
+dependencies = [
+ "ref-cast-impl",
+]
+
+[[package]]
+name = "ref-cast-impl"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-lite"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cab834c73d247e67f4fae452806d17d3c7501756d98c8808d7c9c7aa7d18f973"
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
+
+[[package]]
+name = "rfc6979"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7743f17af12fa0b03b803ba12cd6a8d9483a587e89c69445e3909655c0b9fabb"
+dependencies = [
+ "crypto-bigint 0.4.9",
+ "hmac",
+ "zeroize",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.17",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rust2go"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "021695cb0d56dbef5f29b24d2dd9a23552464500574260a41c198fe17c78a3fe"
+dependencies = [
+ "bindgen",
+ "fs-set-times",
+ "rust2go-cli",
+ "rust2go-convert",
+ "rust2go-macro",
+ "syn",
+]
+
+[[package]]
+name = "rust2go-cli"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8490df1c618176bfd681c0e27b46fa98f42739c441c12a8f7bc85eb6550e54fe"
+dependencies = [
+ "cbindgen",
+ "clap",
+ "itertools 0.14.0",
+ "rust2go-common",
+]
+
+[[package]]
+name = "rust2go-common"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a27eb858d3df960a07bc7f7e43f642d6a8368cc32110d7daacb6aa069eb7f9c5"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "rust2go-convert"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "21ee4d6efac91720550e564892b1fddfe103683f7f0b19196f59dae1621e6e83"
+
+[[package]]
+name = "rust2go-macro"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a694d2aa8c7265126b0f3c712bd8411e5415d5e5f906fa2996a10beb81b5efca"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "rust2go-common",
+ "syn",
+]
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls"
+version = "0.21.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
+dependencies = [
+ "log",
+ "ring",
+ "rustls-webpki 0.101.7",
+ "sct",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
+dependencies = [
+ "aws-lc-rs",
+ "log",
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki 0.103.9",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
+dependencies = [
+ "openssl-probe",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+dependencies = [
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.101.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+dependencies = [
+ "aws-lc-rs",
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "ryu"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
+
+[[package]]
+name = "s3-operator"
+version = "0.1.0"
+dependencies = [
+ "actix-web",
+ "anyhow",
+ "assert-json-diff",
+ "aws-config",
+ "aws-credential-types",
+ "aws-sdk-s3",
+ "clap",
+ "darling",
+ "envtest",
+ "futures",
+ "http 1.4.0",
+ "hyper 1.8.1",
+ "k8s-openapi",
+ "kube",
+ "schemars",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "thiserror 2.0.18",
+ "tokio",
+ "tower-test",
+ "tracing",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "schannel"
+version = "0.1.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "schemars"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d115b50f4aaeea07e79c1912f645c7513d81715d0420f8bc77a18c6260b307f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "sct"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
+[[package]]
+name = "sec1"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3be24c1842290c45df0a7bf069e0c268a747ad05a192f2fd7dcfdbc1cba40928"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "secrecy"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a"
+dependencies = [
+ "zeroize",
+]
+
+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde-value"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+dependencies = [
+ "ordered-float",
+ "serde",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "serde_spanned"
+version = "0.6.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
+dependencies = [
+ "errno",
+ "libc",
+]
+
+[[package]]
+name = "signature"
+version = "1.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "74233d3b3b2f6d4b006dc19dee745e73e2a6bfb6f93607cd3b02bd5b00797d7c"
+dependencies = [
+ "digest",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "simd-adler32"
+version = "0.3.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "socket2"
+version = "0.5.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "socket2"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
+dependencies = [
+ "libc",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "spin"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591"
+
+[[package]]
+name = "spki"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "time"
+version = "0.3.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
+
+[[package]]
+name = "time-macros"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tokio"
+version = "1.50.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+dependencies = [
+ "bytes",
+ "libc",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "socket2 0.6.3",
+ "tokio-macros",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
+dependencies = [
+ "rustls 0.21.12",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
+dependencies = [
+ "rustls 0.23.37",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-stream"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-test"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f6d24790a10a7af737693a3e8f1d03faef7e6ca0cc99aae5066f533766de545"
+dependencies = [
+ "futures-core",
+ "tokio",
+ "tokio-stream",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "slab",
+ "tokio",
+]
+
+[[package]]
+name = "toml"
+version = "0.8.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362"
+dependencies = [
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "toml_edit",
+]
+
+[[package]]
+name = "toml_datetime"
+version = "0.6.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "toml_edit"
+version = "0.22.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
+dependencies = [
+ "indexmap",
+ "serde",
+ "serde_spanned",
+ "toml_datetime",
+ "toml_write",
+ "winnow",
+]
+
+[[package]]
+name = "toml_write"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
+
+[[package]]
+name = "tower"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
+dependencies = [
+ "futures-core",
+ "futures-util",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tokio",
+ "tokio-util",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tower-http"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+dependencies = [
+ "base64",
+ "bitflags",
+ "bytes",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "mime",
+ "pin-project-lite",
+ "tower",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tower-layer"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tower-test"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4546773ffeab9e4ea02b8872faa49bb616a80a7da66afc2f32688943f97efa7"
+dependencies = [
+ "futures-util",
+ "pin-project",
+ "tokio",
+ "tokio-test",
+ "tower-layer",
+ "tower-service",
+]
+
+[[package]]
+name = "tracing"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
+dependencies = [
+ "log",
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-serde"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "704b1aeb7be0d0a84fc9828cae51dab5970fee5088f83d1dd7ee6f6246fc6ff1"
+dependencies = [
+ "serde",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+dependencies = [
+ "matchers",
+ "nu-ansi-term",
+ "once_cell",
+ "regex-automata",
+ "serde",
+ "serde_json",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "tracing",
+ "tracing-core",
+ "tracing-log",
+ "tracing-serde",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
+[[package]]
+name = "typenum"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
+
+[[package]]
+name = "ucd-trie"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "unicode-segmentation"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "uuid"
+version = "1.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a68d3c8f01c0cfa54a75291d83601161799e4a89a39e0929f4b0354d88757a37"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "valuable"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "vsimd"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64"
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.1+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "winnow"
+version = "0.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck 0.5.0",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck 0.5.0",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
+
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
+[[package]]
+name = "xmlparser"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66fee0b777b0f5ac1c69bb06d361268faafa61cd4682ae064a171c16c433e9e4"
+
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.42"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.16+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e19ebc2adc8f83e43039e79776e3fda8ca919132d68a1fed6a5faca2683748"
+dependencies = [
+ "cc",
+ "pkg-config",
+]
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
new file mode 100644
index 0000000..f98a2ce
--- /dev/null
+++ b/operator/Cargo.toml
@@ -0,0 +1,50 @@
+[package]
+name = "s3-operator"
+version = "0.1.0"
+authors = ["allanger <iam@allanger.xyz>"]
+edition = "2024"
+default-run = "controller"
+license = "GPLv3"
+publish = false
+
+[[bin]]
+doc = false
+name = "controller"
+path = "src/controller.rs"
+
+[[bin]]
+doc = false
+name = "crdgen"
+path = "src/crdgen.rs"
+
+[lib]
+name = "api"
+path = "src/lib.rs"
+
+[dependencies]
+kube = { version = "3.0.1", features = ["runtime", "derive", "client"] }
+k8s-openapi = { version = "0.27.0", features = ["latest", "schemars"] }
+schemars = { version = "1" }
+darling = "0.23.0"
+clap = { version = "4.5.60", features = ["derive"] }
+serde = { version = "1.0.228", features = ["serde_derive"] }
+serde_json = "1.0.149"
+serde_yaml = "0.9.34"
+thiserror = "2.0.18"
+tracing = "0.1.44"
+tokio = { version = "1.49.0", features = ["macros", "rt-multi-thread"] }
+anyhow = "1.0.102"
+futures = "0.3.32"
+actix-web = "4.13.0"
+tracing-subscriber = { version = "0.3.22", features = ["json", "env-filter"] }
+aws-config = { version = "1.8.15", features = ["behavior-version-latest"] }
+aws-sdk-s3 = "1.125.0"
+aws-credential-types = "1.2.14"
+
+[dev-dependencies]
+assert-json-diff = "2.0.2"
+envtest = "0.1.2"
+http = "1"
+hyper = "1"
+tower-test = "0.4.0"
+
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
new file mode 100644
index 0000000..0115f25
--- /dev/null
+++ b/operator/manifests/s3_instance.yaml
@@ -0,0 +1,11 @@
+apiVersion: s3.badhouseplants.net/v1beta1
+kind: S3Instance
+metadata:
+  name: test
+spec:
+  endpoint: rustfs.badhouseplants.net:443
+  #region: us-east1
+  credentialsSecret:
+    namespace: default
+    name: test
+
diff --git a/operator/src/api/mod.rs b/operator/src/api/mod.rs
new file mode 100644
index 0000000..9f64fc8
--- /dev/null
+++ b/operator/src/api/mod.rs
@@ -0,0 +1 @@
+pub mod v1beta1;
diff --git a/operator/src/api/v1beta1/mod.rs b/operator/src/api/v1beta1/mod.rs
new file mode 100644
index 0000000..bc18982
--- /dev/null
+++ b/operator/src/api/v1beta1/mod.rs
@@ -0,0 +1 @@
+pub mod s3_instance;
diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
new file mode 100644
index 0000000..2a16a3c
--- /dev/null
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -0,0 +1,38 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
+use k8s_openapi::serde::{Deserialize, Serialize};
+use kube::CustomResource;
+use kube::{self};
+use schemars::JsonSchema;
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[kube(
+    kind = "S3Instance",
+    group = "s3.badhouseplants.net",
+    version = "v1beta1",
+    shortname = "s3in",
+    doc = "Connect the operator to any s3 backend using this resource",
+    status = "S3InstanceStatus"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct S3InstanceSpec {
+    pub endpoint: String,
+    pub region: String,
+    pub credentials_secret: NamespacedName,
+}
+
+/// The status object of `DbInstance`
+#[derive(Deserialize, Serialize, Clone, Default, Debug, JsonSchema)]
+pub struct S3InstanceStatus {
+    #[serde(default)]
+    pub ready: bool,
+    //#[schemars(schema_with = "conditions")]
+    pub conditions: Vec<Condition>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+pub struct NamespacedName {
+    #[serde(rename = "namespace")]
+    pub namespace: String,
+    #[serde(rename = "name")]
+    pub name: String,
+}
diff --git a/operator/src/conditions.rs b/operator/src/conditions.rs
new file mode 100644
index 0000000..0040160
--- /dev/null
+++ b/operator/src/conditions.rs
@@ -0,0 +1,51 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::{Condition, Time};
+use k8s_openapi::jiff::Timestamp;
+use kube::api::ObjectMeta;
+
+pub(crate) fn set_condition(
+    mut conditions: Vec<Condition>,
+    metadata: ObjectMeta,
+    condition_type: &str,
+    condition_status: String,
+    condition_reason: String,
+    condition_message: String,
+) -> Vec<Condition> {
+    if let Some(condition) = conditions.iter_mut().find(|c| c.type_ == condition_type) {
+        condition.status = condition_status;
+        condition.last_transition_time = Time::from(Timestamp::now());
+        condition.message = condition_message;
+        condition.reason = condition_reason;
+        condition.observed_generation = metadata.generation;
+    } else {
+        conditions.push(Condition {
+            last_transition_time: Time::from(Timestamp::now()),
+            message: condition_message,
+            observed_generation: metadata.generation,
+            reason: condition_reason,
+            status: condition_status,
+            type_: condition_type.to_string(),
+        });
+    }
+    conditions
+}
+
+pub(crate) fn is_condition_true(mut conditions: Vec<Condition>, condition_type: &str) -> bool {
+    if let Some(condition) = conditions.iter_mut().find(|c| c.type_ == condition_type) {
+        return condition.status == "True";
+    }
+    false
+}
+
+pub(crate) fn is_condition_false(mut conditions: Vec<Condition>, condition_type: &str) -> bool {
+    if let Some(condition) = conditions.iter_mut().find(|c| c.type_ == condition_type) {
+        return condition.status == "False";
+    }
+    false
+}
+
+pub(crate) fn is_condition_unknown(mut conditions: Vec<Condition>, condition_type: &str) -> bool {
+    if let Some(condition) = conditions.iter_mut().find(|c| c.type_ == condition_type) {
+        return condition.status == "Unknown";
+    }
+    false
+}
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
new file mode 100644
index 0000000..b7af50d
--- /dev/null
+++ b/operator/src/controller.rs
@@ -0,0 +1,66 @@
+mod controllers;
+mod s3;
+mod conditions;
+use std::sync::Arc;
+
+use self::controllers::s3_instance::{State, error_policy, reconcile, run};
+use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
+use actix_web::web::Data;
+use api::api::v1beta1::s3_instance::S3Instance;
+use clap::Parser;
+use futures::StreamExt;
+use kube::api::ListParams;
+use kube::runtime::Controller;
+use kube::runtime::events::{Recorder, Reporter};
+use kube::runtime::watcher::Config;
+use kube::{Api, Client};
+use tracing_subscriber::EnvFilter;
+
+/// Simple program to greet a person
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+struct Args {
+    #[arg(long, default_value_t = 60000)]
+    /// The address the metric endpoint binds to.
+    metrics_port: u16,
+    #[arg(long, default_value_t = 8081)]
+    /// The address the probe endpoint binds to.
+    health_probe_port: u16,
+    #[arg(long, default_value_t = true)]
+    /// Enabling this will ensure there is only one active controller manager.
+    // DB Operator feature flags
+    #[arg(long, default_value_t = false)]
+    /// If enabled, DB Operator will run full reconciliation only
+    /// when changes are detected
+    is_change_check_nabled: bool,
+}
+
+#[get("/health")]
+async fn health(_: HttpRequest) -> impl Responder {
+    HttpResponse::Ok().json("healthy")
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    //
+    // Initiatilize Kubernetes controller state
+    //
+    tracing_subscriber::fmt().json().with_env_filter(EnvFilter::from_default_env()).init();
+    let state = State::default();
+    let client = Client::try_default()
+        .await
+        .expect("failed to create kube Client");
+    let dbin_controller = run(client, state);
+    // Start web server
+    let server = HttpServer::new(move || {
+        App::new()
+            .wrap(middleware::Logger::default().exclude("/health"))
+            .service(health)
+    })
+    .bind("0.0.0.0:8080")?
+    .shutdown_timeout(5);
+
+    // Both runtimes implements graceful shutdown, so poll until both are done
+    tokio::join!(dbin_controller, server.run()).1?;
+    Ok(())
+}
diff --git a/operator/src/controllers/mod.rs b/operator/src/controllers/mod.rs
new file mode 100644
index 0000000..3941471
--- /dev/null
+++ b/operator/src/controllers/mod.rs
@@ -0,0 +1 @@
+pub(crate) mod s3_instance;
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
new file mode 100644
index 0000000..8c02308
--- /dev/null
+++ b/operator/src/controllers/s3_instance.rs
@@ -0,0 +1,204 @@
+use api::api::v1beta1::s3_instance::{S3Instance, S3InstanceStatus};
+use futures::StreamExt;
+use k8s_openapi::api::core::v1::Secret;
+use kube::runtime::Controller;
+use kube::runtime::watcher::Config;
+use kube::{Api, Client, Error, Resource, ResourceExt};
+use kube::api::{ListParams, PostParams};
+use kube::runtime::controller::Action;
+use kube::runtime::events::{Event, Recorder};
+use std::collections::BTreeMap;
+use std::sync::Arc;
+use std::time::Duration;
+use thiserror::Error;
+use tracing::*;
+use crate::conditions::{is_condition_unknown, set_condition};
+
+const TYPE_CONNECTED: &str = "Connected";
+const TYPE_SECRET_LABELED: &str = "SecretLabeled";
+const SECRET_LABEL: &str = "s3.badhouseplants.net/s3-instance";
+#[instrument(skip(ctx, obj), fields(trace_id))]
+pub(crate) async fn reconcile(
+    obj: Arc<S3Instance>,
+    ctx: Arc<Context>,
+) -> S3InstanceResult<Action> {
+    info!("Staring reconciling");
+    let s3_api: Api<S3Instance> = Api::all(ctx.client.clone());
+    let mut s3in = match s3_api.get(obj.name_any().as_str()).await {
+        Ok(res) => res,
+        Err(Error::Api(ae)) if ae.code == 404 =>{
+            info!("Object is not found, probably removed");
+            return Ok(Action::await_change());
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3InstanceError::KubeError(err))
+        },
+    };
+
+    if s3in.metadata.deletion_timestamp.is_some() {
+        info!("Object is marked for deletion");
+        return Ok(Action::await_change());
+    }
+
+    match s3in.clone().status {
+        None => {
+                    let mut conditions = set_condition(vec![], s3in.metadata.clone(), TYPE_CONNECTED, "Unknown".to_string(), "Reconciling".to_string(), "Reconciliation started".to_string());
+        conditions = set_condition(conditions, s3in.metadata.clone(), TYPE_SECRET_LABELED, "Unknown".to_string(), "Reconciling".to_string(), "Reconciliation started".to_string());
+        let ready = false;
+        s3in.status = Some(S3InstanceStatus { ready, conditions });
+        match s3_api.replace_status(s3in.clone().name_any().as_str(), &Default::default(), &s3in).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3InstanceError::KubeError(err));
+            },
+        };
+        },
+        Some(status) => {
+            let secret_ns = s3in.clone().spec.credentials_secret.namespace;
+            let secret_name = s3in.clone().spec.credentials_secret.name;
+            let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+
+            let mut secret = match secret_api.get(&secret_name).await {
+                Ok(res) => res,
+                Err(Error::Api(ae)) if ae.code == 404 =>{
+                    info!("Object is not found, probably removed");
+                    match ctx.recorder.publish(&Event { type_: kube::runtime::events::EventType::Warning, reason: "S3InstanceReconciliation".to_string(), note: Some("Secret wasn't found".to_string()), action: "SecretLookUp".to_string(), secondary: None }, &s3in.clone().object_ref(&())).await{
+                        Ok(_) => info!("Event was published"),
+                        Err(err) => {
+                            error!("{}", err);
+                            return Err(S3InstanceError::KubeError(err))
+                        },
+                    };
+                    return Ok(Action::await_change());
+                }
+                Err(err) => {
+                    error!("{}", err);
+                    return Err(S3InstanceError::KubeError(err))
+                },
+            };
+
+            if is_condition_unknown(status.clone().conditions, TYPE_SECRET_LABELED) {
+                info!("Labeling the secret");
+                secret.metadata.labels.get_or_insert_with(BTreeMap::new).insert(SECRET_LABEL.to_string(), s3in.name_any());
+                if let Err(err) = secret_api.replace(&secret.name_any(), &PostParams::default(), &secret).await {
+                    error!("{}", err);
+                    return Err(S3InstanceError::KubeError(err));
+                };
+
+                secret = match secret_api.get(&secret_name).await {
+                    Ok(secret) => secret,
+                    Err(err) => {
+                        error!("{}", err);
+                        return Err(S3InstanceError::KubeError(err));
+                    },
+                }
+            }
+
+            match secret.metadata.labels {
+                Some(labels) => {
+                    if labels.contains_key(SECRET_LABEL) {
+                        if labels[SECRET_LABEL] != s3in.name_any() {
+                            set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "False".to_string(), "S3InstanceReconciliation".to_string(), "Secret is already labeled".to_string());
+                            if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
+                                error!("{}", err);
+                                return Err(S3InstanceError::KubeError(err));
+                            };
+                            return Err(S3InstanceError::SecretIsAlreadyLabeled);
+                        } else {
+                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "True".to_string(), "S3InstanceReconciliation".to_string(), "Secret is Successfully labeled".to_string());
+                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
+                            error!("{}", err);
+                            return Err(S3InstanceError::KubeError(err));
+                        };
+                        return Ok(Action::await_change());
+                        }
+                    } else {
+                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "Unknown".to_string(), "S3InstanceReconciliation".to_string(), "Secret is not yet labeled".to_string());
+                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
+                            error!("{}", err);
+                            return Err(S3InstanceError::KubeError(err));
+                        };
+                        return Ok(Action::await_change());
+                    };
+                },
+                None => {
+                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "Unknown".to_string(), "S3InstanceReconciliation".to_string(), "Secret is not yet labeled".to_string());
+                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
+                            error!("{}", err);
+                            return Err(S3InstanceError::KubeError(err));
+                        };
+                        return Ok(Action::await_change());
+                },
+            };
+            
+        }
+    };
+}
+
+pub(crate) fn error_policy(_: Arc<S3Instance>, _: &S3InstanceError, _: Arc<Context>) -> Action {
+    Action::requeue(Duration::from_secs(5 * 60))
+}
+
+#[instrument(skip(client, state), fields(trace_id))]
+pub async fn run(client: Client, state: State) {
+    let s3instances = Api::<S3Instance>::all(client.clone());
+    if let Err(err) = s3instances.list(&ListParams::default().limit(1)).await {
+        error!("{}", err);
+        std::process::exit(1);
+    }
+    Controller::new(s3instances, Config::default().any_semantic())
+        .shutdown_on_signal()
+        .run(reconcile, error_policy, state.to_context(client).await)
+        .filter_map(|x| async move { std::result::Result::ok(x) })
+        .for_each(|_| futures::future::ready(()))
+        .await;
+}
+/// State shared between the controller and the web server
+#[derive(Clone, Default)]
+pub(crate) struct State {}
+
+impl State {
+    pub async fn to_context(&self, client: Client) -> Arc<Context> {
+        Arc::new(Context {
+            client: client.clone(),
+            recorder: Recorder::new(client, "s3instance-controller".into()),
+        })
+    }
+}
+// Context for our reconciler
+#[derive(Clone)]
+pub(crate) struct Context {
+    /// Kubernetes client
+    pub client: Client,
+    /// Event recorder
+    pub recorder: Recorder,
+}
+
+#[derive(Error, Debug)]
+pub enum S3InstanceError {
+    #[error("SerializationError: {0}")]
+    SerializationError(#[source] serde_json::Error),
+
+    #[error("Kube Error: {0}")]
+    KubeError(#[source] kube::Error),
+
+    #[error("Finalizer Error: {0}")]
+    // NB: awkward type because finalizer::Error embeds the reconciler error (which is this)
+    // so boxing this error to break cycles
+    FinalizerError(#[source] Box<kube::runtime::finalizer::Error<S3InstanceError>>),
+
+    #[error("IllegalS3Instance")]
+    IllegalS3Instance,
+
+    #[error("SecretIsAlreadyLabeled")]
+    SecretIsAlreadyLabeled,
+
+    #[error("Invalid Secret: {0}")]
+    InvalidSecret(#[source] anyhow::Error),
+}
+
+pub type S3InstanceResult<T, E = S3InstanceError> = std::result::Result<T, E>;
diff --git a/operator/src/crdgen.rs b/operator/src/crdgen.rs
new file mode 100644
index 0000000..a628b75
--- /dev/null
+++ b/operator/src/crdgen.rs
@@ -0,0 +1,8 @@
+use api::api::v1beta1::s3_instance::S3Instance;
+use kube::CustomResourceExt;
+fn main() {
+    println!(
+        "---\n{}",
+        serde_yaml::to_string(&S3Instance::crd()).unwrap()
+    );
+}
diff --git a/operator/src/lib.rs b/operator/src/lib.rs
new file mode 100644
index 0000000..e5fdf85
--- /dev/null
+++ b/operator/src/lib.rs
@@ -0,0 +1 @@
+pub mod api;
diff --git a/operator/src/s3/dummy.rs b/operator/src/s3/dummy.rs
new file mode 100644
index 0000000..e69de29
diff --git a/operator/src/s3/mod.rs b/operator/src/s3/mod.rs
new file mode 100644
index 0000000..42fb2e7
--- /dev/null
+++ b/operator/src/s3/mod.rs
@@ -0,0 +1,8 @@
+use anyhow::Error;
+
+pub(crate) mod dummy;
+pub(crate) mod s3;
+
+pub(crate) trait S3Client {
+    async fn list_buckets(self) -> Result<Vec<String>, Error>;
+}
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
new file mode 100644
index 0000000..447db19
--- /dev/null
+++ b/operator/src/s3/s3.rs
@@ -0,0 +1,52 @@
+use aws_config::{BehaviorVersion, Region};
+use aws_credential_types::Credentials;
+use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
+
+use crate::s3::S3Client;
+
+pub(crate) struct S3Api {
+    client: aws_sdk_s3::Client,
+}
+
+impl S3Api {
+    pub(crate)async  fn new(
+        access_key: String,
+        secret_key: String,
+        endpoint: String,
+        region: String,
+    ) -> Self {
+        let session_token: Option<String> = None;
+    let creds = Credentials::new(
+        access_key,
+        secret_key,
+        session_token,
+        None,
+        "static",
+    );
+    let config = aws_config::defaults(BehaviorVersion::latest())
+        .credentials_provider(SharedCredentialsProvider::new(creds))
+        .region(Region::new(region))
+        .endpoint_url(endpoint)
+        .load()
+        .await;
+    let client = Client::new(&config);
+    Self { client }
+    }
+}
+
+impl S3Client for S3Api {
+    async fn list_buckets(self) -> Result<Vec<String>, anyhow::Error> {
+        let mut buckets = self.client.list_buckets().into_paginator().send();
+        let mut result: Vec<String> = vec![];
+
+        while let Some(Ok(output)) = buckets.next().await {
+            for bucket in output.buckets() {
+                if let Some(name) = bucket.clone().name {
+                    result.push(name);
+                }
+            }
+        }
+
+        Ok(result)
+    }
+}
-- 
2.49.1


From ac07b6d71251ba7e7f1878c85d4de0645e7a63b6 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Tue, 10 Mar 2026 20:29:50 +0100
Subject: [PATCH 02/10] WIP: Something is still going on

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                     |   1 +
 operator/Cargo.toml                     |   5 +-
 operator/manifests/s3_instance.yaml     |  12 +-
 operator/src/api/v1beta1/s3_instance.rs |   1 +
 operator/src/controller.rs              |   9 +-
 operator/src/controllers/s3_instance.rs | 367 ++++++++++++++++++------
 operator/src/s3/dummy.rs                |   1 +
 operator/src/s3/s3.rs                   |  26 +-
 8 files changed, 305 insertions(+), 117 deletions(-)

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index 0a1ee41..c7a84c9 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -3050,6 +3050,7 @@ dependencies = [
  "hyper 1.8.1",
  "k8s-openapi",
  "kube",
+ "rustls 0.23.37",
  "schemars",
  "serde",
  "serde_json",
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index f98a2ce..92170f5 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -22,7 +22,7 @@ name = "api"
 path = "src/lib.rs"
 
 [dependencies]
-kube = { version = "3.0.1", features = ["runtime", "derive", "client"] }
+kube = { version = "3.0.1", features = ["runtime", "derive", "client", "aws-lc-rs"] }
 k8s-openapi = { version = "0.27.0", features = ["latest", "schemars"] }
 schemars = { version = "1" }
 darling = "0.23.0"
@@ -37,9 +37,10 @@ anyhow = "1.0.102"
 futures = "0.3.32"
 actix-web = "4.13.0"
 tracing-subscriber = { version = "0.3.22", features = ["json", "env-filter"] }
-aws-config = { version = "1.8.15", features = ["behavior-version-latest"] }
+aws-config = { version = "1.8.15", features = ["behavior-version-latest", "rustls"] }
 aws-sdk-s3 = "1.125.0"
 aws-credential-types = "1.2.14"
+rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
index 0115f25..c8ae2a1 100644
--- a/operator/manifests/s3_instance.yaml
+++ b/operator/manifests/s3_instance.yaml
@@ -1,10 +1,20 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test
+  namespace: default
+stringData:
+  ACCESS_KEY: overlord
+  SECRET_KEY: 8zTYqC1x^&LQetsQ8GUYix7ypL7Q7v9p
+---
 apiVersion: s3.badhouseplants.net/v1beta1
 kind: S3Instance
 metadata:
   name: test
 spec:
   endpoint: rustfs.badhouseplants.net:443
-  #region: us-east1
+  region: us-east1
   credentialsSecret:
     namespace: default
     name: test
diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
index 2a16a3c..7312161 100644
--- a/operator/src/api/v1beta1/s3_instance.rs
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -27,6 +27,7 @@ pub struct S3InstanceStatus {
     pub ready: bool,
     //#[schemars(schema_with = "conditions")]
     pub conditions: Vec<Condition>,
+    pub buckets: Option<Vec<String>>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
index b7af50d..d8cdfad 100644
--- a/operator/src/controller.rs
+++ b/operator/src/controller.rs
@@ -1,11 +1,11 @@
+mod conditions;
 mod controllers;
 mod s3;
-mod conditions;
 use std::sync::Arc;
 
 use self::controllers::s3_instance::{State, error_policy, reconcile, run};
-use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
 use actix_web::web::Data;
+use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
 use api::api::v1beta1::s3_instance::S3Instance;
 use clap::Parser;
 use futures::StreamExt;
@@ -45,7 +45,10 @@ async fn main() -> anyhow::Result<()> {
     //
     // Initiatilize Kubernetes controller state
     //
-    tracing_subscriber::fmt().json().with_env_filter(EnvFilter::from_default_env()).init();
+    tracing_subscriber::fmt()
+        .json()
+        .with_env_filter(EnvFilter::from_default_env())
+        .init();
     let state = State::default();
     let client = Client::try_default()
         .await
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index 8c02308..7508849 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -1,39 +1,41 @@
+use crate::conditions::{is_condition_unknown, set_condition};
+use crate::s3::S3Client;
+use crate::s3::s3::S3Api;
 use api::api::v1beta1::s3_instance::{S3Instance, S3InstanceStatus};
 use futures::StreamExt;
 use k8s_openapi::api::core::v1::Secret;
-use kube::runtime::Controller;
-use kube::runtime::watcher::Config;
-use kube::{Api, Client, Error, Resource, ResourceExt};
 use kube::api::{ListParams, PostParams};
+use kube::runtime::Controller;
 use kube::runtime::controller::Action;
 use kube::runtime::events::{Event, Recorder};
+use kube::runtime::watcher::Config;
+use kube::{Api, Client, Error, Resource, ResourceExt};
 use std::collections::BTreeMap;
 use std::sync::Arc;
 use std::time::Duration;
 use thiserror::Error;
 use tracing::*;
-use crate::conditions::{is_condition_unknown, set_condition};
 
 const TYPE_CONNECTED: &str = "Connected";
 const TYPE_SECRET_LABELED: &str = "SecretLabeled";
 const SECRET_LABEL: &str = "s3.badhouseplants.net/s3-instance";
+const ACCESS_KEY: &str = "ACCESS_KEY";
+const SECRET_KEY: &str = "SECRET_KEY";
+
 #[instrument(skip(ctx, obj), fields(trace_id))]
-pub(crate) async fn reconcile(
-    obj: Arc<S3Instance>,
-    ctx: Arc<Context>,
-) -> S3InstanceResult<Action> {
+pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3InstanceResult<Action> {
     info!("Staring reconciling");
     let s3_api: Api<S3Instance> = Api::all(ctx.client.clone());
     let mut s3in = match s3_api.get(obj.name_any().as_str()).await {
         Ok(res) => res,
-        Err(Error::Api(ae)) if ae.code == 404 =>{
+        Err(Error::Api(ae)) if ae.code == 404 => {
             info!("Object is not found, probably removed");
             return Ok(Action::await_change());
         }
         Err(err) => {
             error!("{}", err);
-            return Err(S3InstanceError::KubeError(err))
-        },
+            return Err(S3InstanceError::KubeError(err));
+        }
     };
 
     if s3in.metadata.deletion_timestamp.is_some() {
@@ -41,102 +43,277 @@ pub(crate) async fn reconcile(
         return Ok(Action::await_change());
     }
 
-    match s3in.clone().status {
+    let mut status = match s3in.clone().status {
         None => {
-                    let mut conditions = set_condition(vec![], s3in.metadata.clone(), TYPE_CONNECTED, "Unknown".to_string(), "Reconciling".to_string(), "Reconciliation started".to_string());
-        conditions = set_condition(conditions, s3in.metadata.clone(), TYPE_SECRET_LABELED, "Unknown".to_string(), "Reconciling".to_string(), "Reconciliation started".to_string());
-        let ready = false;
-        s3in.status = Some(S3InstanceStatus { ready, conditions });
-        match s3_api.replace_status(s3in.clone().name_any().as_str(), &Default::default(), &s3in).await {
-            Ok(_) => {
-                return Ok(Action::await_change());
-            },
-            Err(err) => {
-                error!("{}", err);
-                return Err(S3InstanceError::KubeError(err));
-            },
-        };
-        },
-        Some(status) => {
-            let secret_ns = s3in.clone().spec.credentials_secret.namespace;
-            let secret_name = s3in.clone().spec.credentials_secret.name;
-            let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+            info!("Status is not yet set, initializing the object");
+            return init_object(s3in, s3_api).await;
+        }
+        Some(status) => status,
+    };
 
-            let mut secret = match secret_api.get(&secret_name).await {
-                Ok(res) => res,
-                Err(Error::Api(ae)) if ae.code == 404 =>{
-                    info!("Object is not found, probably removed");
-                    match ctx.recorder.publish(&Event { type_: kube::runtime::events::EventType::Warning, reason: "S3InstanceReconciliation".to_string(), note: Some("Secret wasn't found".to_string()), action: "SecretLookUp".to_string(), secondary: None }, &s3in.clone().object_ref(&())).await{
-                        Ok(_) => info!("Event was published"),
-                        Err(err) => {
-                            error!("{}", err);
-                            return Err(S3InstanceError::KubeError(err))
-                        },
-                    };
-                    return Ok(Action::await_change());
-                }
+    let mut secret = match get_secret(ctx.clone(), s3in.clone()).await {
+        Ok(secret) => secret,
+        Err(err) => {
+            error!("{}", err);
+            ctx.recorder
+                .publish(
+                    &Event {
+                        type_: kube::runtime::events::EventType::Warning,
+                        reason: "S3InstanceReconciliation".to_string(),
+                        note: Some("Secret wasn't found".to_string()),
+                        action: "SecretLookUp".to_string(),
+                        secondary: None,
+                    },
+                    &s3in.clone().object_ref(&()),
+                )
+                .await
+                .unwrap();
+            return Err(S3InstanceError::KubeError(err));
+        }
+    };
+
+    if is_condition_unknown(status.clone().conditions, TYPE_SECRET_LABELED) {
+        if !is_secret_labeled(secret.clone()) {
+            info!("Labeling the secret");
+            secret = match label_secret(ctx.clone(), s3in.clone(), secret).await {
+                Ok(secret) => secret,
                 Err(err) => {
                     error!("{}", err);
-                    return Err(S3InstanceError::KubeError(err))
-                },
+                    return Err(S3InstanceError::KubeError(err));
+                }
             };
 
-            if is_condition_unknown(status.clone().conditions, TYPE_SECRET_LABELED) {
-                info!("Labeling the secret");
-                secret.metadata.labels.get_or_insert_with(BTreeMap::new).insert(SECRET_LABEL.to_string(), s3in.name_any());
-                if let Err(err) = secret_api.replace(&secret.name_any(), &PostParams::default(), &secret).await {
-                    error!("{}", err);
-                    return Err(S3InstanceError::KubeError(err));
-                };
-
-                secret = match secret_api.get(&secret_name).await {
-                    Ok(secret) => secret,
+            let conditions = set_condition(
+                status.clone().conditions,
+                obj.metadata.clone(),
+                TYPE_CONNECTED,
+                "Unknown".to_string(),
+                "Reconciling".to_string(),
+                "Reconciliation started".to_string(),
+            );
+            status.conditions = conditions;
+            s3in.status = Some(status);
+            match s3_api
+                .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
+                .await {
+                    Ok(_) => {
+                        return Ok(Action::await_change());
+                    },
                     Err(err) => {
                         error!("{}", err);
                         return Err(S3InstanceError::KubeError(err));
-                    },
-                }
-            }
+                    }
 
-            match secret.metadata.labels {
-                Some(labels) => {
-                    if labels.contains_key(SECRET_LABEL) {
-                        if labels[SECRET_LABEL] != s3in.name_any() {
-                            set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "False".to_string(), "S3InstanceReconciliation".to_string(), "Secret is already labeled".to_string());
-                            if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
-                                error!("{}", err);
-                                return Err(S3InstanceError::KubeError(err));
-                            };
-                            return Err(S3InstanceError::SecretIsAlreadyLabeled);
-                        } else {
-                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "True".to_string(), "S3InstanceReconciliation".to_string(), "Secret is Successfully labeled".to_string());
-                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
-                            error!("{}", err);
-                            return Err(S3InstanceError::KubeError(err));
-                        };
-                        return Ok(Action::await_change());
-                        }
-                    } else {
-                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "Unknown".to_string(), "S3InstanceReconciliation".to_string(), "Secret is not yet labeled".to_string());
-                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
-                            error!("{}", err);
-                            return Err(S3InstanceError::KubeError(err));
-                        };
-                        return Ok(Action::await_change());
-                    };
-                },
-                None => {
-                        set_condition(status.conditions, s3in.clone().metadata, TYPE_SECRET_LABELED, "Unknown".to_string(), "S3InstanceReconciliation".to_string(), "Secret is not yet labeled".to_string());
-                        if let Err(err) = s3_api.replace_status(&s3in.name_any(), &PostParams::default(), &s3in).await {
-                            error!("{}", err);
-                            return Err(S3InstanceError::KubeError(err));
-                        };
-                        return Ok(Action::await_change());
-                },
-            };
-            
+                };
+        } else {
+            if is_secret_labeled_by_another_obj(s3in.clone(), secret.clone()) {
+                error!("{}", S3InstanceError::SecretIsAlreadyLabeled);
+                return Err(S3InstanceError::SecretIsAlreadyLabeled);
+            }
+        }
+    }
+    info!("Checking if the secret is labeled by another object");
+    if !is_secret_labeled_by_obj(s3in.clone(), secret.clone()) {
+        set_condition(
+            status.conditions,
+            s3in.clone().metadata,
+            TYPE_SECRET_LABELED,
+            "Unknown".to_string(),
+            "S3InstanceReconciliation".to_string(),
+            "Secret is not labeled".to_string(),
+        );
+        match s3_api
+            .replace_status(&s3in.clone().name_any(), &PostParams::default(), &s3in)
+            .await
+        {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            }
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3InstanceError::KubeError(err));
+            }
         }
     };
+
+    info!("Getting data from the secret");
+    // Getting data from the secret to initialize the clinet
+    let data = match secret.data {
+        Some(data) => data,
+        None => {
+            let err = anyhow::Error::msg("empty data");
+            error!("{}", err);
+            return Err(S3InstanceError::InvalidSecret(err));
+        }
+    };
+
+    let access_key = match data.get(ACCESS_KEY) {
+        Some(access_key) => serde_json::to_string(&access_key).unwrap(),
+        None => {
+            let err = anyhow::Error::msg("empty access key");
+            error!("{}", err);
+            return Err(S3InstanceError::InvalidSecret(err));
+        }
+    };
+    let secret_key = match data.get(SECRET_KEY) {
+        Some(secret_key) => serde_json::to_string(&secret_key).unwrap(),
+        None => {
+            let err = anyhow::Error::msg("empty secret key");
+            error!("{}", err);
+            return Err(S3InstanceError::InvalidSecret(err));
+        }
+    };
+
+    info!("Creating an s3 client");
+    let s3_client = S3Api::new(
+        access_key,
+        secret_key,
+        s3in.clone().spec.endpoint.to_string(),
+        s3in.clone().spec.region.to_string(),
+    )
+    .await;
+
+    info!("Getting buckets");
+    let buckets = match s3_client.list_buckets().await {
+        Ok(buckets) => buckets,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3InstanceError::IllegalS3Instance);
+        }
+    };
+
+    status.ready = true;
+    status.buckets = Some(buckets);
+    s3in.status = Some(status);
+    info!("Updating status of the s3in resource");
+    match s3_api
+        .replace(&s3in.name_any(), &PostParams::default(), &s3in)
+        .await
+    {
+        Ok(_) => {
+            return Ok(Action::requeue(Duration::from_secs(120)));
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3InstanceError::IllegalS3Instance);
+        }
+    };
+}
+
+// Bootstrap the object by adding a default status to it
+async fn init_object(mut obj: S3Instance, api: Api<S3Instance>) -> Result<Action, S3InstanceError> {
+    let mut conditions = set_condition(
+        vec![],
+        obj.metadata.clone(),
+        TYPE_CONNECTED,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    conditions = set_condition(
+        conditions,
+        obj.metadata.clone(),
+        TYPE_SECRET_LABELED,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    let ready = false;
+    let buckets = None;
+    obj.status = Some(S3InstanceStatus {
+        ready,
+        conditions,
+        buckets,
+    });
+    match api
+        .replace_status(obj.clone().name_any().as_str(), &Default::default(), &obj)
+        .await
+    {
+        Ok(_) => Ok(Action::await_change()),
+        Err(err) => {
+            error!("{}", err);
+            Err(S3InstanceError::KubeError(err))
+        }
+    }
+}
+
+// Get the secret with credentials
+async fn get_secret(ctx: Arc<Context>, obj: S3Instance) -> Result<Secret, kube::Error> {
+    let secret_ns = obj.clone().spec.credentials_secret.namespace;
+    let api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+
+    let secret = match api.get(&obj.spec.credentials_secret.name).await {
+        Ok(secret) => secret,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+
+    Ok(secret)
+}
+
+async fn label_secret(
+    ctx: Arc<Context>,
+    obj: S3Instance,
+    mut secret: Secret,
+) -> Result<Secret, kube::Error> {
+    let secret_ns = obj.clone().spec.credentials_secret.namespace;
+    let api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+
+    secret
+        .clone()
+        .metadata
+        .labels
+        .get_or_insert_with(BTreeMap::new)
+        .insert(SECRET_LABEL.to_string(), obj.name_any());
+
+    let mut labels = match &secret.clone().metadata.labels {
+        Some(labels) => labels.clone(),
+        None => {
+            let map: BTreeMap<String, String> = BTreeMap::new();
+            map
+        }
+    };
+    labels.insert(SECRET_LABEL.to_string(), obj.name_any());
+    secret.metadata.labels = Some(labels);
+    api.replace(&secret.name_any(), &PostParams::default(), &secret)
+        .await?;
+
+    let secret = match api.get(&obj.spec.credentials_secret.name).await {
+        Ok(secret) => secret,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+    Ok(secret)
+}
+
+// Checks whether a secret ia already labeled by the operator
+fn is_secret_labeled(secret: Secret) -> bool {
+    match secret.metadata.labels {
+        Some(labels) => labels.get_key_value(SECRET_LABEL).is_some(),
+        None => false,
+    }
+}
+
+// Checks whether a secret is already labeled by another object
+fn is_secret_labeled_by_another_obj(obj: S3Instance, secret: Secret) -> bool {
+    match secret.metadata.labels {
+        Some(labels) => labels
+            .get(SECRET_LABEL)
+            .is_some_and(|label| label != &obj.name_any()),
+        None => false,
+    }
+}
+
+// Checks whether a secret is already labeled by this object
+fn is_secret_labeled_by_obj(obj: S3Instance, secret: Secret) -> bool {
+    match secret.metadata.labels {
+        Some(labels) => labels
+            .get(SECRET_LABEL)
+            .is_some_and(|label| label == &obj.name_any()),
+        None => false,
+    }
 }
 
 pub(crate) fn error_policy(_: Arc<S3Instance>, _: &S3InstanceError, _: Arc<Context>) -> Action {
diff --git a/operator/src/s3/dummy.rs b/operator/src/s3/dummy.rs
index e69de29..8b13789 100644
--- a/operator/src/s3/dummy.rs
+++ b/operator/src/s3/dummy.rs
@@ -0,0 +1 @@
+
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
index 447db19..4afb0e3 100644
--- a/operator/src/s3/s3.rs
+++ b/operator/src/s3/s3.rs
@@ -9,28 +9,22 @@ pub(crate) struct S3Api {
 }
 
 impl S3Api {
-    pub(crate)async  fn new(
+    pub(crate) async fn new(
         access_key: String,
         secret_key: String,
         endpoint: String,
         region: String,
     ) -> Self {
         let session_token: Option<String> = None;
-    let creds = Credentials::new(
-        access_key,
-        secret_key,
-        session_token,
-        None,
-        "static",
-    );
-    let config = aws_config::defaults(BehaviorVersion::latest())
-        .credentials_provider(SharedCredentialsProvider::new(creds))
-        .region(Region::new(region))
-        .endpoint_url(endpoint)
-        .load()
-        .await;
-    let client = Client::new(&config);
-    Self { client }
+        let creds = Credentials::new(access_key, secret_key, session_token, None, "static");
+        let config = aws_config::defaults(BehaviorVersion::latest())
+            .credentials_provider(SharedCredentialsProvider::new(creds))
+            .region(Region::new(region))
+            .endpoint_url(endpoint)
+            .load()
+            .await;
+        let client = Client::new(&config);
+        Self { client }
     }
 }
 
-- 
2.49.1


From efa793cb8cb2db479ce9d4eee0444c0ce29cbab7 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Tue, 10 Mar 2026 22:12:32 +0100
Subject: [PATCH 03/10] WIP: Adding first controller

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                     |  1 -
 operator/Cargo.toml                     |  1 -
 operator/src/controllers/s3_instance.rs | 83 ++++++++++++++-----------
 operator/src/s3/s3.rs                   | 15 ++++-
 4 files changed, 60 insertions(+), 40 deletions(-)

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index c7a84c9..0a1ee41 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -3050,7 +3050,6 @@ dependencies = [
  "hyper 1.8.1",
  "k8s-openapi",
  "kube",
- "rustls 0.23.37",
  "schemars",
  "serde",
  "serde_json",
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index 92170f5..71143c8 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -40,7 +40,6 @@ tracing-subscriber = { version = "0.3.22", features = ["json", "env-filter"] }
 aws-config = { version = "1.8.15", features = ["behavior-version-latest", "rustls"] }
 aws-sdk-s3 = "1.125.0"
 aws-credential-types = "1.2.14"
-rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index 7508849..cacc060 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -51,7 +51,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         Some(status) => status,
     };
 
-    let mut secret = match get_secret(ctx.clone(), s3in.clone()).await {
+    let secret = match get_secret(ctx.clone(), s3in.clone()).await {
         Ok(secret) => secret,
         Err(err) => {
             error!("{}", err);
@@ -73,48 +73,54 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
     };
 
     if is_condition_unknown(status.clone().conditions, TYPE_SECRET_LABELED) {
-        if !is_secret_labeled(secret.clone()) {
-            info!("Labeling the secret");
-            secret = match label_secret(ctx.clone(), s3in.clone(), secret).await {
-                Ok(secret) => secret,
-                Err(err) => {
-                    error!("{}", err);
-                    return Err(S3InstanceError::KubeError(err));
-                }
-            };
-
-            let conditions = set_condition(
-                status.clone().conditions,
-                obj.metadata.clone(),
-                TYPE_CONNECTED,
-                "Unknown".to_string(),
-                "Reconciling".to_string(),
-                "Reconciliation started".to_string(),
-            );
-            status.conditions = conditions;
-            s3in.status = Some(status);
-            match s3_api
-                .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
-                .await {
-                    Ok(_) => {
-                        return Ok(Action::await_change());
-                    },
-                    Err(err) => {
-                        error!("{}", err);
-                        return Err(S3InstanceError::KubeError(err));
-                    }
-
-                };
-        } else {
+        if is_secret_labeled(secret.clone()) {
             if is_secret_labeled_by_another_obj(s3in.clone(), secret.clone()) {
                 error!("{}", S3InstanceError::SecretIsAlreadyLabeled);
                 return Err(S3InstanceError::SecretIsAlreadyLabeled);
             }
+            if is_secret_labeled_by_obj(s3in.clone(), secret.clone()) {
+                info!("Secret is already labeled");
+                status.conditions = set_condition(
+                    status.clone().conditions,
+                    obj.metadata.clone(),
+                    TYPE_SECRET_LABELED,
+                    "True".to_string(),
+                    "Reconciled".to_string(),
+                    "Secret is already labeled".to_string(),
+                );
+                s3in.status = Some(status.clone());
+            }
+        } else {
+            info!("Labeling the secret");
+            if let Err(err) = label_secret(ctx.clone(), s3in.clone(), secret).await {
+                error!("{}", err);
+                return Err(S3InstanceError::KubeError(err));
+            };
+            status.conditions = set_condition(
+                status.clone().conditions,
+                obj.metadata.clone(),
+                TYPE_SECRET_LABELED,
+                "True".to_string(),
+                "Reconciled".to_string(),
+                "Secret is labeled".to_string(),
+            );
+        };
+        match s3_api
+            .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
+            .await {
+                Ok(_) => {
+                    return Ok(Action::await_change());
+                },
+                Err(err) => {
+                    error!("{}", err);
+                    return Err(S3InstanceError::KubeError(err));
+                }
+
         }
-    }
+    };
     info!("Checking if the secret is labeled by another object");
     if !is_secret_labeled_by_obj(s3in.clone(), secret.clone()) {
-        set_condition(
+        status.conditions = set_condition(
             status.conditions,
             s3in.clone().metadata,
             TYPE_SECRET_LABELED,
@@ -122,6 +128,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
             "S3InstanceReconciliation".to_string(),
             "Secret is not labeled".to_string(),
         );
+        s3in.status = Some(status);
         match s3_api
             .replace_status(&s3in.clone().name_any(), &PostParams::default(), &s3in)
             .await
@@ -182,12 +189,14 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         }
     };
 
+    info!("{:?}", buckets);
     status.ready = true;
     status.buckets = Some(buckets);
     s3in.status = Some(status);
+
     info!("Updating status of the s3in resource");
     match s3_api
-        .replace(&s3in.name_any(), &PostParams::default(), &s3in)
+        .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
         .await
     {
         Ok(_) => {
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
index 4afb0e3..cebab21 100644
--- a/operator/src/s3/s3.rs
+++ b/operator/src/s3/s3.rs
@@ -1,6 +1,7 @@
 use aws_config::{BehaviorVersion, Region};
 use aws_credential_types::Credentials;
 use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
+use tracing::info;
 
 use crate::s3::S3Client;
 
@@ -32,7 +33,19 @@ impl S3Client for S3Api {
     async fn list_buckets(self) -> Result<Vec<String>, anyhow::Error> {
         let mut buckets = self.client.list_buckets().into_paginator().send();
         let mut result: Vec<String> = vec![];
-
+    
+        match buckets.next().await {
+            Some(output) => {
+                for bucket in match output.buckets().await {
+                    _ => {},
+                } {
+                    if let Some(name) = bucket.clone().name {
+                        result.push(name);
+                    }
+                }
+            },
+            None => todo!(),
+        };
         while let Some(Ok(output)) = buckets.next().await {
             for bucket in output.buckets() {
                 if let Some(name) = bucket.clone().name {
-- 
2.49.1


From ed3cada4dfe65b7db4b17287bedd63de68198ff1 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Wed, 11 Mar 2026 10:17:21 +0100
Subject: [PATCH 04/10] WIP: Something is still going on

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/src/api/v1beta1/s3_instance.rs | 12 ++++++-
 operator/src/controllers/s3_instance.rs | 10 ++++--
 operator/src/s3/s3.rs                   | 46 ++++++++++++++-----------
 3 files changed, 44 insertions(+), 24 deletions(-)

diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
index 7312161..97d33f9 100644
--- a/operator/src/api/v1beta1/s3_instance.rs
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -11,13 +11,20 @@ use schemars::JsonSchema;
     version = "v1beta1",
     shortname = "s3in",
     doc = "Connect the operator to any s3 backend using this resource",
-    status = "S3InstanceStatus"
+    status = "S3InstanceStatus",
+    printcolumn = r#"{"name":"Endpoint","type":"string","description":"The URL of the instance","jsonPath":".spec.endpoint"}"#,
+    printcolumn = r#"{"name":"Region","type":"string","description":"The region of the instance","jsonPath":".spec.region"}"#,
+    printcolumn = r#"{"name":"Force Path Style","type":"boolean","description":"Is forcing path style","jsonPath":".spec.forcePathStyle"}"#,
+    printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#,
+    printcolumn = r#"{"name":"Total Buckets","type":"number","description":"How many buckets are there on the instance","jsonPath":".status.total_buckets"}"#
 )]
 #[serde(rename_all = "camelCase")]
 pub struct S3InstanceSpec {
     pub endpoint: String,
     pub region: String,
     pub credentials_secret: NamespacedName,
+    #[serde(default)]
+    pub force_path_style: bool,
 }
 
 /// The status object of `DbInstance`
@@ -27,7 +34,10 @@ pub struct S3InstanceStatus {
     pub ready: bool,
     //#[schemars(schema_with = "conditions")]
     pub conditions: Vec<Condition>,
+    #[serde(default)]
     pub buckets: Option<Vec<String>>,
+    #[serde(default)]
+    pub total_buckets: Option<usize>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index cacc060..bee86ca 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -155,7 +155,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
     };
 
     let access_key = match data.get(ACCESS_KEY) {
-        Some(access_key) => serde_json::to_string(&access_key).unwrap(),
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
         None => {
             let err = anyhow::Error::msg("empty access key");
             error!("{}", err);
@@ -163,7 +163,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         }
     };
     let secret_key = match data.get(SECRET_KEY) {
-        Some(secret_key) => serde_json::to_string(&secret_key).unwrap(),
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
         None => {
             let err = anyhow::Error::msg("empty secret key");
             error!("{}", err);
@@ -177,6 +177,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         secret_key,
         s3in.clone().spec.endpoint.to_string(),
         s3in.clone().spec.region.to_string(),
+        s3in.clone().spec.force_path_style,
     )
     .await;
 
@@ -191,7 +192,8 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
 
     info!("{:?}", buckets);
     status.ready = true;
-    status.buckets = Some(buckets);
+    status.buckets = Some(buckets.clone());
+    status.total_buckets = Some(buckets.len());
     s3in.status = Some(status);
 
     info!("Updating status of the s3in resource");
@@ -229,10 +231,12 @@ async fn init_object(mut obj: S3Instance, api: Api<S3Instance>) -> Result<Action
     );
     let ready = false;
     let buckets = None;
+    let total_buckets = None;
     obj.status = Some(S3InstanceStatus {
         ready,
         conditions,
         buckets,
+        total_buckets,
     });
     match api
         .replace_status(obj.clone().name_any().as_str(), &Default::default(), &obj)
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
index cebab21..d6a8180 100644
--- a/operator/src/s3/s3.rs
+++ b/operator/src/s3/s3.rs
@@ -1,7 +1,8 @@
 use aws_config::{BehaviorVersion, Region};
 use aws_credential_types::Credentials;
+use aws_sdk_s3::config::Builder;
 use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
-use tracing::info;
+use tracing::*;
 
 use crate::s3::S3Client;
 
@@ -15,16 +16,21 @@ impl S3Api {
         secret_key: String,
         endpoint: String,
         region: String,
+        force_path_style: bool,
     ) -> Self {
-        let session_token: Option<String> = None;
-        let creds = Credentials::new(access_key, secret_key, session_token, None, "static");
+        info!(access_key);
+        info!(secret_key);
+        let creds = Credentials::new(access_key, secret_key, None, None, "static");
         let config = aws_config::defaults(BehaviorVersion::latest())
             .credentials_provider(SharedCredentialsProvider::new(creds))
             .region(Region::new(region))
             .endpoint_url(endpoint)
             .load()
             .await;
-        let client = Client::new(&config);
+        let conf = Builder::from(&config)
+            .force_path_style(force_path_style)
+            .build();
+        let client = Client::from_conf(conf);
         Self { client }
     }
 }
@@ -36,24 +42,24 @@ impl S3Client for S3Api {
     
         match buckets.next().await {
             Some(output) => {
-                for bucket in match output.buckets().await {
-                    _ => {},
-                } {
-                    if let Some(name) = bucket.clone().name {
-                        result.push(name);
-                    }
-                }
+                match output {
+                    Ok(buckets_res) => {
+                        buckets_res.buckets().iter().for_each(|bucket|  {
+                           if let Some(name) = bucket.name() {
+                               result.push(name.to_string());
+                           } 
+                        })
+                    },
+                    Err(err) => {
+                        error!{"{}", err};
+                        return Err(err.into());
+                    },
+                };
+            },
+            None => {
+                return Ok(result);
             },
-            None => todo!(),
         };
-        while let Some(Ok(output)) = buckets.next().await {
-            for bucket in output.buckets() {
-                if let Some(name) = bucket.clone().name {
-                    result.push(name);
-                }
-            }
-        }
-
         Ok(result)
     }
 }
-- 
2.49.1


From 9f5d105f5457104f9624cff08fa3befeddbb0bc0 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Wed, 11 Mar 2026 13:45:06 +0100
Subject: [PATCH 05/10] WIP: Adding first controller

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/manifests/s3_bucket.yaml       |  10 +
 operator/manifests/s3_instance.yaml     |   5 +-
 operator/src/api/v1beta1/mod.rs         |   1 +
 operator/src/api/v1beta1/s3_bucket.rs   |  49 +++
 operator/src/api/v1beta1/s3_instance.rs |   6 +-
 operator/src/controller.rs              |  22 +-
 operator/src/controllers/mod.rs         |   1 +
 operator/src/controllers/s3_bucket.rs   | 422 ++++++++++++++++++++++++
 operator/src/controllers/s3_instance.rs | 108 ++++--
 operator/src/crdgen.rs                  |   3 +-
 operator/src/s3/mod.rs                  |   1 +
 operator/src/s3/s3.rs                   |  12 +-
 12 files changed, 587 insertions(+), 53 deletions(-)
 create mode 100644 operator/manifests/s3_bucket.yaml
 create mode 100644 operator/src/api/v1beta1/s3_bucket.rs
 create mode 100644 operator/src/controllers/s3_bucket.rs

diff --git a/operator/manifests/s3_bucket.yaml b/operator/manifests/s3_bucket.yaml
new file mode 100644
index 0000000..e688b6a
--- /dev/null
+++ b/operator/manifests/s3_bucket.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: s3.badhouseplants.net/v1beta1
+kind: S3Bucket
+metadata:
+  name: test
+  namespace: default
+spec:
+  instance: test
+  cleanup: false
+  ownConfigmap: false
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
index c8ae2a1..1dc7e74 100644
--- a/operator/manifests/s3_instance.yaml
+++ b/operator/manifests/s3_instance.yaml
@@ -13,8 +13,9 @@ kind: S3Instance
 metadata:
   name: test
 spec:
-  endpoint: rustfs.badhouseplants.net:443
-  region: us-east1
+  endpoint: https://rustfs.badhouseplants.net
+  forcePathStyle: true
+  region: us-east-1
   credentialsSecret:
     namespace: default
     name: test
diff --git a/operator/src/api/v1beta1/mod.rs b/operator/src/api/v1beta1/mod.rs
index bc18982..0a4836d 100644
--- a/operator/src/api/v1beta1/mod.rs
+++ b/operator/src/api/v1beta1/mod.rs
@@ -1 +1,2 @@
+pub mod s3_bucket;
 pub mod s3_instance;
diff --git a/operator/src/api/v1beta1/s3_bucket.rs b/operator/src/api/v1beta1/s3_bucket.rs
new file mode 100644
index 0000000..b3b38af
--- /dev/null
+++ b/operator/src/api/v1beta1/s3_bucket.rs
@@ -0,0 +1,49 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
+use k8s_openapi::serde::{Deserialize, Serialize};
+use kube::CustomResource;
+use kube::{self};
+use schemars::JsonSchema;
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[kube(
+    kind = "S3Bucket",
+    group = "s3.badhouseplants.net",
+    version = "v1beta1",
+    shortname = "bucket",
+    doc = "Manage buckets on the s3 instance",
+    namespaced,
+    status = "S3BucketStatus",
+    printcolumn = r#"{"name":"Instance","type":"string","description":"On which instance this bucket is created","jsonPath":".spec.instance"}"#,
+    printcolumn = r#"{"name":"Region","type":"string","description":"The region of the bucket","jsonPath":".status.region"}"#,
+    printcolumn = r#"{"name":"Total Objects","type":"number","description":"How many objects are there in the bucket","jsonPath":".status.total_objects"}"#,
+    printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#
+)]
+#[serde(rename_all = "camelCase")]
+pub struct S3BucketSpec {
+    /// On which instance this bucket should be created
+    pub instance: String,
+    /// Should perform a cleanup on delete?
+    /// It will remove all objects from the bucket
+    #[serde(default)]
+    pub cleanup: bool,
+    /// Should set the owner reference on the CM
+    #[serde(default)]
+    pub own_configmap: bool,
+}
+
+/// The status object of `DbInstance`
+#[derive(Deserialize, Serialize, Clone, Default, Debug, JsonSchema)]
+pub struct S3BucketStatus {
+    /// Is this bucket ready.
+    #[serde(default)]
+    pub ready: bool,
+    pub conditions: Vec<Condition>,
+    #[serde(default)]
+    pub size: Option<u32>,
+    #[serde(default)]
+    pub objects_buckets: Option<u32>,
+    #[serde(default)]
+    pub endpoint: Option<String>,
+    #[serde(default)]
+    pub region: Option<String>,
+}
diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
index 97d33f9..25a8bc8 100644
--- a/operator/src/api/v1beta1/s3_instance.rs
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -14,9 +14,9 @@ use schemars::JsonSchema;
     status = "S3InstanceStatus",
     printcolumn = r#"{"name":"Endpoint","type":"string","description":"The URL of the instance","jsonPath":".spec.endpoint"}"#,
     printcolumn = r#"{"name":"Region","type":"string","description":"The region of the instance","jsonPath":".spec.region"}"#,
-    printcolumn = r#"{"name":"Force Path Style","type":"boolean","description":"Is forcing path style","jsonPath":".spec.forcePathStyle"}"#,
-    printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#,
-    printcolumn = r#"{"name":"Total Buckets","type":"number","description":"How many buckets are there on the instance","jsonPath":".status.total_buckets"}"#
+    printcolumn = r#"{"name":"Path Style","type":"boolean","description":"Is forcing path style","jsonPath":".spec.forcePathStyle"}"#,
+    printcolumn = r#"{"name":"Total Buckets","type":"number","description":"How many buckets are there on the instance","jsonPath":".status.total_buckets"}"#,
+    printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#
 )]
 #[serde(rename_all = "camelCase")]
 pub struct S3InstanceSpec {
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
index d8cdfad..8270728 100644
--- a/operator/src/controller.rs
+++ b/operator/src/controller.rs
@@ -1,19 +1,12 @@
 mod conditions;
 mod controllers;
 mod s3;
-use std::sync::Arc;
 
-use self::controllers::s3_instance::{State, error_policy, reconcile, run};
-use actix_web::web::Data;
+use crate::controllers::{s3_bucket, s3_instance};
+
 use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
-use api::api::v1beta1::s3_instance::S3Instance;
 use clap::Parser;
-use futures::StreamExt;
-use kube::api::ListParams;
-use kube::runtime::Controller;
-use kube::runtime::events::{Recorder, Reporter};
-use kube::runtime::watcher::Config;
-use kube::{Api, Client};
+use kube::Client;
 use tracing_subscriber::EnvFilter;
 
 /// Simple program to greet a person
@@ -42,18 +35,15 @@ async fn health(_: HttpRequest) -> impl Responder {
 
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
-    //
-    // Initiatilize Kubernetes controller state
-    //
     tracing_subscriber::fmt()
         .json()
         .with_env_filter(EnvFilter::from_default_env())
         .init();
-    let state = State::default();
     let client = Client::try_default()
         .await
         .expect("failed to create kube Client");
-    let dbin_controller = run(client, state);
+    let s3in_controller = s3_instance::run(client.clone());
+    let s3bucket_controller = s3_bucket::run(client.clone());
     // Start web server
     let server = HttpServer::new(move || {
         App::new()
@@ -64,6 +54,6 @@ async fn main() -> anyhow::Result<()> {
     .shutdown_timeout(5);
 
     // Both runtimes implements graceful shutdown, so poll until both are done
-    tokio::join!(dbin_controller, server.run()).1?;
+    tokio::join!(s3in_controller, s3bucket_controller, server.run()).2?;
     Ok(())
 }
diff --git a/operator/src/controllers/mod.rs b/operator/src/controllers/mod.rs
index 3941471..910ac74 100644
--- a/operator/src/controllers/mod.rs
+++ b/operator/src/controllers/mod.rs
@@ -1 +1,2 @@
+pub(crate) mod s3_bucket;
 pub(crate) mod s3_instance;
diff --git a/operator/src/controllers/s3_bucket.rs b/operator/src/controllers/s3_bucket.rs
new file mode 100644
index 0000000..dada8cd
--- /dev/null
+++ b/operator/src/controllers/s3_bucket.rs
@@ -0,0 +1,422 @@
+use crate::conditions::set_condition;
+use crate::controllers::s3_instance;
+use crate::s3::S3Client;
+use crate::s3::s3::S3Api;
+use api::api::v1beta1::s3_bucket::{S3Bucket, S3BucketStatus};
+use api::api::v1beta1::s3_instance::S3Instance;
+use futures::StreamExt;
+use k8s_openapi::api::core::v1::{ConfigMap, Secret};
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference;
+use kube::api::{ListParams, ObjectMeta, PostParams};
+use kube::runtime::Controller;
+use kube::runtime::controller::Action;
+use kube::runtime::events::Recorder;
+use kube::runtime::watcher::Config;
+use kube::{Api, Client, Error, Resource, ResourceExt};
+use std::collections::BTreeMap;
+use std::sync::Arc;
+use std::time::Duration;
+use thiserror::Error;
+use tracing::*;
+
+const TYPE_INSTANCE_CONNECTED: &str = "InstanceConnected";
+const TYPE_CONFIGMAP_READY: &str = "ConfigMapReady";
+const TYPE_BUCKET_READY: &str = "BucketReady";
+const FIN_CLEANUP: &str = "s3.badhouseplants.net/bucket-cleanup";
+const CONFIGMAP_LABEL: &str = "s3.badhouseplants.net/s3-bucket";
+
+const AWS_REGION: &str = "AWS_REGION";
+const AWS_ENDPOINT_URL: &str = "AWS_ENDPOINT_URL";
+
+#[instrument(skip(ctx, obj), fields(trace_id))]
+pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3BucketResult<Action> {
+    info!("Staring reconciling");
+    let s3bucket_api: Api<S3Bucket> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let cm_api: Api<ConfigMap> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
+
+    info!("Getting the S3Bucket resource");
+    let mut s3bucket = match s3bucket_api.get(&obj.name_any()).await {
+        Ok(s3bucket) => s3bucket,
+        Err(Error::Api(ae)) if ae.code == 404 => {
+            info!("Object is not found, probably removed");
+            return Ok(Action::await_change());
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    // On the first reconciliation status is None
+    // it needs to be initialized
+    let mut status = match s3bucket.clone().status {
+        None => {
+            info!("Status is not yet set, initializing the object");
+            return init_object(s3bucket, s3bucket_api).await;
+        }
+        Some(status) => status,
+    };
+
+    let configmap_name = format!("{}-bucket-info", s3bucket.name_any());
+    
+    info!("Getting the configmap");
+    // Get the cm, if it's already there, we need to validate, or create an empty one
+    let mut configmap = match get_configmap(cm_api.clone(), &configmap_name).await {
+        Ok(configmap) => configmap,
+        Err(Error::Api(ae)) if ae.code == 404 => {
+            info!("ConfigMap is not found, creating a new one");
+            let cm = ConfigMap{ 
+               metadata: ObjectMeta { 
+                   name: Some(configmap_name), 
+                   namespace: Some(s3bucket.clone().namespace().unwrap()),
+                   ..Default::default()
+               },
+               ..Default::default()
+            };
+            match create_configmap(cm_api.clone(), cm).await {
+                Ok(cm) => cm,
+                Err(err) => {
+                    error!("{}", err);
+                    return Err(S3BucketError::KubeError(err));
+                },
+            }
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        },
+    };
+
+    info!("Labeling the configmap");
+    configmap = match label_configmap(cm_api.clone(), &s3bucket.name_any(), configmap).await {
+        Ok(configmap) => configmap,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        },
+    };
+
+    info!("Setting owner references to the configmap");
+    if s3bucket.spec.own_configmap {
+        configmap = match own_configmap(cm_api.clone(), s3bucket.clone(), configmap).await {
+            Ok(configmap) => configmap,
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err));
+            },
+        };
+    };
+
+    info!("Getting the S3Intsance");
+    let s3in = match s3in_api.get(&s3bucket.spec.instance).await {
+        Ok(s3in) => s3in,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    info!("Updating the ConfigMap");
+    if let Err(err) = ensure_data_configmap(cm_api.clone(), s3in.clone(), configmap.clone()).await {
+        error!("{}", err);
+        return Err(S3BucketError::KubeError(err));
+    };
+
+    info!("Getting the s3instance secret");
+    let secret_ns = s3in.clone().spec.credentials_secret.namespace;
+    let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+
+    let secret = match s3_instance::get_secret(secret_api.clone(), s3in.clone()).await {
+        Ok(secret) => secret,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    info!("Getting data from the secret");
+    // Getting data from the secret to initialize the clinet
+    let data = match secret.data {
+        Some(data) => data,
+        None => {
+            let err = anyhow::Error::msg("empty data");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+
+    let access_key = match data.get(s3_instance::ACCESS_KEY) {
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
+        None => {
+            let err = anyhow::Error::msg("empty access key");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+    let secret_key = match data.get(s3_instance::SECRET_KEY) {
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
+        None => {
+            let err = anyhow::Error::msg("empty secret key");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+
+    info!("Creating an s3 client");
+    let s3_client = S3Api::new(
+        access_key,
+        secret_key,
+        s3in.clone().spec.endpoint.to_string(),
+        s3in.clone().spec.region.to_string(),
+        s3in.clone().spec.force_path_style,
+    )
+    .await;
+
+    info!("Getting buckets");
+    let buckets = match s3_client.clone().list_buckets().await {
+        Ok(buckets) => buckets,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::IllegalS3Bucket);
+        }
+    };
+    let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
+    if buckets.contains(&bucket_name) {
+        info!("Bucket already exists");
+        return Ok(Action::await_change());
+    }
+    
+    if let Err(err) = s3_client.create_buckets(bucket_name).await {
+        error!("{}", err);
+        return Err(S3BucketError::IllegalS3Bucket);
+    }
+
+    status.ready = true;
+    status.objects_buckets = None;
+    status.endpoint = Some(s3in.clone().spec.endpoint);
+    status.size = None;
+    status.region = Some(s3in.spec.region);
+    
+    s3bucket.status = Some(status);
+    
+    
+    info!("Updating status of the s3bucket resource");
+    match s3bucket_api
+        .replace_status(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
+        .await
+    {
+        Ok(_) => {
+            return Ok(Action::requeue(Duration::from_secs(120)));
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+}
+
+// Bootstrap the object by adding a default status to it
+async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3BucketError> {
+    let mut conditions = set_condition(
+        vec![],
+        obj.metadata.clone(),
+        TYPE_INSTANCE_CONNECTED,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    conditions = set_condition(
+        conditions,
+        obj.metadata.clone(),
+        TYPE_BUCKET_READY,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    conditions = set_condition(
+        conditions,
+        obj.metadata.clone(),
+        TYPE_CONFIGMAP_READY,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    obj.status = Some(S3BucketStatus {
+        conditions,
+        ..S3BucketStatus::default()
+    });
+    match api
+        .replace_status(obj.clone().name_any().as_str(), &Default::default(), &obj)
+        .await
+    {
+        Ok(_) => Ok(Action::await_change()),
+        Err(err) => {
+            error!("{}", err);
+            Err(S3BucketError::KubeError(err))
+        }
+    }
+}
+
+// Get the configmap with the bucket data
+async fn get_configmap(api: Api<ConfigMap>, name: &str) -> Result<ConfigMap, kube::Error> {
+    info!("Getting a configmap: {}", name);
+    match api.get(name).await {
+        Ok(cm) => Ok(cm),
+        Err(err) => Err(err),
+    }
+}
+
+// Create ConfigMap
+async fn create_configmap(api: Api<ConfigMap>, cm: ConfigMap) -> Result<ConfigMap, kube::Error> {
+    match api.create(&PostParams::default(), &cm).await {
+        Ok(cm) => get_configmap(api, &cm.name_any()).await,
+        Err(err) => Err(err),
+    }
+}
+
+async fn label_configmap(
+    api: Api<ConfigMap>,
+    s3bucket_name: &str,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut labels = match &cm.clone().metadata.labels {
+        Some(labels) => labels.clone(),
+        None => {
+            let map: BTreeMap<String, String> = BTreeMap::new();
+            map
+        }
+    };
+    labels.insert(CONFIGMAP_LABEL.to_string(), s3bucket_name.to_string());
+    cm.metadata.labels = Some(labels);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    let cm = match api.get(&cm.name_any()).await {
+        Ok(cm) => cm,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+    Ok(cm)
+}
+
+async fn own_configmap(
+    api: Api<ConfigMap>,
+    s3bucket: S3Bucket,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut owner_references = match &cm.clone().metadata.owner_references {
+        Some(owner_references) => owner_references.clone(),
+        None => {
+            let owner_references: Vec<OwnerReference> = vec![];
+            owner_references
+        }
+    };
+
+    if owner_references.iter().find(|or| or.uid == s3bucket.uid().unwrap()).is_some() {
+        return Ok(cm);
+    }
+
+    let new_owner_reference = OwnerReference{ 
+        api_version: S3Bucket::api_version(&()).into(),
+        kind: S3Bucket::kind(&()).into(), 
+        name: s3bucket.name_any(),
+        uid: s3bucket.uid().unwrap(),
+        ..Default::default()
+    };
+
+    owner_references.push(new_owner_reference);
+    cm.metadata.owner_references = Some(owner_references);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    let cm = match api.get(&cm.name_any()).await {
+        Ok(cm) => cm,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+    Ok(cm)
+}
+
+async fn ensure_data_configmap(
+    api: Api<ConfigMap>,
+    s3in: S3Instance,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut data = match &cm.clone().data {
+        Some(data) => data.clone(),
+        None => {
+            let map: BTreeMap<String, String> = BTreeMap::new();
+            map
+        }
+    };
+
+    data.insert(AWS_REGION.to_string(), s3in.spec.region);
+    data.insert(AWS_ENDPOINT_URL.to_string(), s3in.spec.endpoint);
+
+
+    cm.data = Some(data);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    match api.get(&cm.name_any()).await {
+        Ok(cm) => Ok(cm),
+        Err(err) => Err(err),
+    }
+}
+
+pub(crate) fn error_policy(_: Arc<S3Bucket>, _: &S3BucketError, _: Arc<Context>) -> Action {
+    Action::requeue(Duration::from_secs(5 * 60))
+}
+
+#[instrument(skip(client), fields(trace_id))]
+pub async fn run(client: Client) {
+    let s3buckets = Api::<S3Bucket>::all(client.clone());
+    if let Err(err) = s3buckets.list(&ListParams::default().limit(1)).await {
+        error!("{}", err);
+        std::process::exit(1);
+    }
+    let recorder = Recorder::new(client.clone(), "s3bucket-controller".into()); 
+    let context = Context { client, recorder };
+    Controller::new(s3buckets, Config::default().any_semantic())
+        .shutdown_on_signal()
+        .run(reconcile, error_policy, Arc::new(context))
+        .filter_map(|x| async move { std::result::Result::ok(x) })
+        .for_each(|_| futures::future::ready(()))
+        .await;
+}
+// Context for our reconciler
+#[derive(Clone)]
+pub(crate) struct Context {
+    /// Kubernetes client
+    pub client: Client,
+    /// Event recorder
+    pub recorder: Recorder,
+}
+
+#[derive(Error, Debug)]
+pub enum S3BucketError {
+    #[error("SerializationError: {0}")]
+    SerializationError(#[source] serde_json::Error),
+
+    #[error("Kube Error: {0}")]
+    KubeError(#[source] kube::Error),
+
+    #[error("Finalizer Error: {0}")]
+    // NB: awkward type because finalizer::Error embeds the reconciler error (which is this)
+    // so boxing this error to break cycles
+    FinalizerError(#[source] Box<kube::runtime::finalizer::Error<S3BucketError>>),
+
+    #[error("IllegalS3Bucket")]
+    IllegalS3Bucket,
+
+    #[error("SecretIsAlreadyLabeled")]
+    SecretIsAlreadyLabeled,
+
+    #[error("Invalid Secret: {0}")]
+    InvalidSecret(#[source] anyhow::Error),
+}
+
+pub type S3BucketResult<T, E = S3BucketError> = std::result::Result<T, E>;
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index bee86ca..99003af 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -1,4 +1,4 @@
-use crate::conditions::{is_condition_unknown, set_condition};
+use crate::conditions::{is_condition_true, is_condition_unknown, set_condition};
 use crate::s3::S3Client;
 use crate::s3::s3::S3Api;
 use api::api::v1beta1::s3_instance::{S3Instance, S3InstanceStatus};
@@ -18,13 +18,15 @@ use tracing::*;
 
 const TYPE_CONNECTED: &str = "Connected";
 const TYPE_SECRET_LABELED: &str = "SecretLabeled";
+const FIN_SECRET_LABEL: &str = "s3.badhouseplants.net/s3-label";
 const SECRET_LABEL: &str = "s3.badhouseplants.net/s3-instance";
-const ACCESS_KEY: &str = "ACCESS_KEY";
-const SECRET_KEY: &str = "SECRET_KEY";
+pub(crate) const ACCESS_KEY: &str = "ACCESS_KEY";
+pub(crate) const SECRET_KEY: &str = "SECRET_KEY";
 
 #[instrument(skip(ctx, obj), fields(trace_id))]
 pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3InstanceResult<Action> {
     info!("Staring reconciling");
+    info!("Getting the S3Instance resource");
     let s3_api: Api<S3Instance> = Api::all(ctx.client.clone());
     let mut s3in = match s3_api.get(obj.name_any().as_str()).await {
         Ok(res) => res,
@@ -38,10 +40,8 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         }
     };
 
-    if s3in.metadata.deletion_timestamp.is_some() {
-        info!("Object is marked for deletion");
-        return Ok(Action::await_change());
-    }
+    let secret_ns = s3in.clone().spec.credentials_secret.namespace;
+    let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
 
     let mut status = match s3in.clone().status {
         None => {
@@ -51,7 +51,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         Some(status) => status,
     };
 
-    let secret = match get_secret(ctx.clone(), s3in.clone()).await {
+    let secret = match get_secret(secret_api.clone(), s3in.clone()).await {
         Ok(secret) => secret,
         Err(err) => {
             error!("{}", err);
@@ -71,7 +71,58 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
             return Err(S3InstanceError::KubeError(err));
         }
     };
+    
+    if s3in.metadata.deletion_timestamp.is_some() {
+        info!("Object is marked for deletion");
+        if let Some(mut finalizers) = s3in.clone().metadata.finalizers {
+            if finalizers.contains(&FIN_SECRET_LABEL.to_string()) {
+                match unlabel_secret(ctx.clone(), s3in.clone(), secret).await {
+                    Ok(_) => {
+                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_SECRET_LABEL.to_string()) {
+                            finalizers.remove(index);
+                        };
+                    },
+                    Err(err) => {
+                        error!("{}", err);
+                        return Err(S3InstanceError::KubeError(err));
+                    },
+                };
+            }
+            s3in.metadata.finalizers = Some(finalizers);
+        };
+        match s3_api.replace(&s3in.name_any(), &PostParams::default(), &s3in).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3InstanceError::KubeError(err))
+            },
+        }
+    }
 
+    if is_condition_true(status.clone().conditions, TYPE_SECRET_LABELED) {
+        let mut current_finalizers = match s3in.clone().metadata.finalizers {
+            Some(finalizers) => finalizers,
+            None => vec![],
+        };
+
+        if !current_finalizers.contains(&FIN_SECRET_LABEL.to_string()) {
+            info!("Adding a finalizer");
+                current_finalizers.push(FIN_SECRET_LABEL.to_string());
+
+            s3in.metadata.finalizers = Some(current_finalizers);
+            match s3_api.replace(&s3in.name_any(), &PostParams::default(), &s3in).await {
+                Ok(_) => {
+                    return Ok(Action::await_change());
+                },
+                Err(err) => {
+                    error!("{}", err);
+                    return Err(S3InstanceError::KubeError(err))
+                },
+            }
+        }
+    }
     if is_condition_unknown(status.clone().conditions, TYPE_SECRET_LABELED) {
         if is_secret_labeled(secret.clone()) {
             if is_secret_labeled_by_another_obj(s3in.clone(), secret.clone()) {
@@ -88,7 +139,6 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
                     "Reconciled".to_string(),
                     "Secret is already labeled".to_string(),
                 );
-                s3in.status = Some(status.clone());
             }
         } else {
             info!("Labeling the secret");
@@ -105,6 +155,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
                 "Secret is labeled".to_string(),
             );
         };
+        s3in.status = Some(status);
         match s3_api
             .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
             .await {
@@ -190,7 +241,6 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         }
     };
 
-    info!("{:?}", buckets);
     status.ready = true;
     status.buckets = Some(buckets.clone());
     status.total_buckets = Some(buckets.len());
@@ -251,9 +301,7 @@ async fn init_object(mut obj: S3Instance, api: Api<S3Instance>) -> Result<Action
 }
 
 // Get the secret with credentials
-async fn get_secret(ctx: Arc<Context>, obj: S3Instance) -> Result<Secret, kube::Error> {
-    let secret_ns = obj.clone().spec.credentials_secret.namespace;
-    let api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+pub(crate) async fn get_secret(api: Api<Secret>, obj: S3Instance) -> Result<Secret, kube::Error> {
 
     let secret = match api.get(&obj.spec.credentials_secret.name).await {
         Ok(secret) => secret,
@@ -265,6 +313,21 @@ async fn get_secret(ctx: Arc<Context>, obj: S3Instance) -> Result<Secret, kube::
     Ok(secret)
 }
 
+async fn unlabel_secret(
+    ctx: Arc<Context>,
+    obj: S3Instance,
+    mut secret: Secret,
+) -> Result<(), kube::Error> {
+    let secret_ns = obj.clone().spec.credentials_secret.namespace;
+    let api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+    if let Some(mut labels) = secret.clone().metadata.labels {
+        labels.remove(&SECRET_LABEL.to_string());
+        secret.metadata.labels = Some(labels);
+        api.replace(&secret.name_any(), &PostParams::default(), &secret)
+        .await?;
+    }
+    Ok(())
+}
 async fn label_secret(
     ctx: Arc<Context>,
     obj: S3Instance,
@@ -333,32 +396,23 @@ pub(crate) fn error_policy(_: Arc<S3Instance>, _: &S3InstanceError, _: Arc<Conte
     Action::requeue(Duration::from_secs(5 * 60))
 }
 
-#[instrument(skip(client, state), fields(trace_id))]
-pub async fn run(client: Client, state: State) {
+#[instrument(skip(client), fields(trace_id))]
+pub async fn run(client: Client) {
     let s3instances = Api::<S3Instance>::all(client.clone());
     if let Err(err) = s3instances.list(&ListParams::default().limit(1)).await {
         error!("{}", err);
         std::process::exit(1);
     }
+    let recorder = Recorder::new(client.clone(), "s3instance-controller".into()); 
+    let context = Context{ client, recorder };
     Controller::new(s3instances, Config::default().any_semantic())
         .shutdown_on_signal()
-        .run(reconcile, error_policy, state.to_context(client).await)
+        .run(reconcile, error_policy, Arc::new(context))
         .filter_map(|x| async move { std::result::Result::ok(x) })
         .for_each(|_| futures::future::ready(()))
         .await;
 }
-/// State shared between the controller and the web server
-#[derive(Clone, Default)]
-pub(crate) struct State {}
 
-impl State {
-    pub async fn to_context(&self, client: Client) -> Arc<Context> {
-        Arc::new(Context {
-            client: client.clone(),
-            recorder: Recorder::new(client, "s3instance-controller".into()),
-        })
-    }
-}
 // Context for our reconciler
 #[derive(Clone)]
 pub(crate) struct Context {
diff --git a/operator/src/crdgen.rs b/operator/src/crdgen.rs
index a628b75..6e8aadf 100644
--- a/operator/src/crdgen.rs
+++ b/operator/src/crdgen.rs
@@ -1,8 +1,9 @@
-use api::api::v1beta1::s3_instance::S3Instance;
+use api::api::v1beta1::{s3_bucket::S3Bucket, s3_instance::S3Instance};
 use kube::CustomResourceExt;
 fn main() {
     println!(
         "---\n{}",
         serde_yaml::to_string(&S3Instance::crd()).unwrap()
     );
+    println!("---\n{}", serde_yaml::to_string(&S3Bucket::crd()).unwrap());
 }
diff --git a/operator/src/s3/mod.rs b/operator/src/s3/mod.rs
index 42fb2e7..d9aa4ba 100644
--- a/operator/src/s3/mod.rs
+++ b/operator/src/s3/mod.rs
@@ -5,4 +5,5 @@ pub(crate) mod s3;
 
 pub(crate) trait S3Client {
     async fn list_buckets(self) -> Result<Vec<String>, Error>;
+    async fn create_buckets(self, bucket_name: String ) -> Result<(), Error>;
 }
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
index d6a8180..31e2be5 100644
--- a/operator/src/s3/s3.rs
+++ b/operator/src/s3/s3.rs
@@ -2,10 +2,10 @@ use aws_config::{BehaviorVersion, Region};
 use aws_credential_types::Credentials;
 use aws_sdk_s3::config::Builder;
 use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
-use tracing::*;
 
 use crate::s3::S3Client;
 
+#[derive(Clone)]
 pub(crate) struct S3Api {
     client: aws_sdk_s3::Client,
 }
@@ -18,8 +18,6 @@ impl S3Api {
         region: String,
         force_path_style: bool,
     ) -> Self {
-        info!(access_key);
-        info!(secret_key);
         let creds = Credentials::new(access_key, secret_key, None, None, "static");
         let config = aws_config::defaults(BehaviorVersion::latest())
             .credentials_provider(SharedCredentialsProvider::new(creds))
@@ -51,7 +49,6 @@ impl S3Client for S3Api {
                         })
                     },
                     Err(err) => {
-                        error!{"{}", err};
                         return Err(err.into());
                     },
                 };
@@ -62,4 +59,11 @@ impl S3Client for S3Api {
         };
         Ok(result)
     }
+
+    async fn create_buckets(self, bucket_name: String) -> Result<(), anyhow::Error> {
+        match self.client.create_bucket().bucket(bucket_name).send().await {
+            Ok(_) => Ok(()),
+            Err(err) => Err(err.into()),
+        }
+    }
 }
-- 
2.49.1


From 95977d20322bf79143e34bdb37661d174301d2ea Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Wed, 11 Mar 2026 15:50:21 +0100
Subject: [PATCH 06/10] WIP: Adding users

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                        | 928 +++++++++++++++++++--
 operator/Cargo.toml                        |   3 +
 operator/manifests/s3_bucket.yaml          |   2 +-
 operator/manifests/s3_bucket_user.yaml     |   3 +
 operator/manifests/s3_instance.yaml        |   1 -
 operator/src/api/v1beta1/mod.rs            |   1 +
 operator/src/api/v1beta1/s3_bucket.rs      |  10 +-
 operator/src/api/v1beta1/s3_bucket_user.rs |  40 +
 operator/src/api/v1beta1/s3_instance.rs    |   1 +
 operator/src/controller.rs                 |   2 +-
 operator/src/controllers/mod.rs            |   1 +
 operator/src/controllers/s3_bucket.rs      | 115 ++-
 operator/src/controllers/s3_bucket_user.rs | 471 +++++++++++
 operator/src/controllers/s3_instance.rs    |   2 +-
 operator/src/crdgen.rs                     |   5 +
 operator/src/providers/dummy.rs            |  17 +
 operator/src/providers/minio.rs            |  47 ++
 operator/src/providers/mod.rs              |   9 +
 operator/src/providers/rustfs.rs           |  29 +
 operator/src/s3/mod.rs                     |   7 +-
 operator/src/s3/s3.rs                      |  69 --
 operator/src/s3/s3api.rs                   | 160 ++++
 22 files changed, 1763 insertions(+), 160 deletions(-)
 create mode 100644 operator/manifests/s3_bucket_user.yaml
 create mode 100644 operator/src/api/v1beta1/s3_bucket_user.rs
 create mode 100644 operator/src/controllers/s3_bucket_user.rs
 create mode 100644 operator/src/providers/dummy.rs
 create mode 100644 operator/src/providers/minio.rs
 create mode 100644 operator/src/providers/mod.rs
 create mode 100644 operator/src/providers/rustfs.rs
 delete mode 100644 operator/src/s3/s3.rs
 create mode 100644 operator/src/s3/s3api.rs

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index 0a1ee41..8aeb8d6 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -49,7 +49,7 @@ dependencies = [
  "mime",
  "percent-encoding",
  "pin-project-lite",
- "rand",
+ "rand 0.9.2",
  "sha1",
  "smallvec",
  "tokio",
@@ -65,7 +65,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb"
 dependencies = [
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -182,7 +182,7 @@ dependencies = [
  "actix-router",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -234,6 +234,15 @@ version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "anstream"
 version = "0.6.21"
@@ -312,6 +321,17 @@ dependencies = [
  "pin-project-lite",
 ]
 
+[[package]]
+name = "async-recursion"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b43422f69d8ff38f95f1b2bb76517c91589a924d1559a0e935d7c8ce0274c11"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "async-stream"
 version = "0.3.6"
@@ -331,7 +351,18 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "async-trait"
+version = "0.1.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -844,7 +875,7 @@ dependencies = [
  "regex",
  "rustc-hash",
  "shlex",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -889,6 +920,12 @@ version = "3.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
 
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
 [[package]]
 name = "bytes"
 version = "1.11.1"
@@ -927,7 +964,7 @@ dependencies = [
  "quote",
  "serde",
  "serde_json",
- "syn",
+ "syn 2.0.117",
  "tempfile",
  "toml",
 ]
@@ -944,6 +981,12 @@ dependencies = [
  "shlex",
 ]
 
+[[package]]
+name = "cesu8"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
+
 [[package]]
 name = "cexpr"
 version = "0.6.0"
@@ -959,6 +1002,25 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
 
+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
+[[package]]
+name = "chrono"
+version = "0.4.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
+dependencies = [
+ "iana-time-zone",
+ "js-sys",
+ "num-traits",
+ "wasm-bindgen",
+ "windows-link",
+]
+
 [[package]]
 name = "clang-sys"
 version = "1.8.1"
@@ -1001,7 +1063,7 @@ dependencies = [
  "heck 0.5.0",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1025,6 +1087,16 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "memchr",
+]
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -1060,6 +1132,16 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.10.1"
@@ -1179,7 +1261,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "strsim",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1190,7 +1272,21 @@ checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
 dependencies = [
  "darling_core",
  "quote",
- "syn",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "dashmap"
+version = "6.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
+dependencies = [
+ "cfg-if",
+ "crossbeam-utils",
+ "hashbrown 0.14.5",
+ "lock_api",
+ "once_cell",
+ "parking_lot_core",
 ]
 
 [[package]]
@@ -1212,6 +1308,17 @@ dependencies = [
  "powerfmt",
 ]
 
+[[package]]
+name = "derivative"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "derive_more"
 version = "2.1.1"
@@ -1231,7 +1338,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "rustc_version",
- "syn",
+ "syn 2.0.117",
  "unicode-xid",
 ]
 
@@ -1254,7 +1361,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1290,7 +1397,7 @@ dependencies = [
  "enum-ordinalize",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1345,7 +1452,30 @@ checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "env_filter"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a1c3cc8e57274ec99de65301228b537f1e4eedc1b8e0f9411c6caac8ae7308f"
+dependencies = [
+ "log",
+ "regex",
+]
+
+[[package]]
+name = "env_logger"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2daee4ea451f429a58296525ddf28b45a3b64f1acf6587e2067437bb11e218d"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "env_filter",
+ "jiff",
+ "log",
 ]
 
 [[package]]
@@ -1449,6 +1579,21 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -1531,7 +1676,7 @@ checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1580,8 +1725,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -1591,9 +1738,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "r-efi 5.3.0",
  "wasip2",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -1676,6 +1825,12 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+
 [[package]]
 name = "hashbrown"
 version = "0.15.5"
@@ -1839,6 +1994,7 @@ dependencies = [
  "http 1.4.0",
  "http-body 1.0.1",
  "httparse",
+ "httpdate",
  "itoa",
  "pin-project-lite",
  "pin-utils",
@@ -1893,6 +2049,22 @@ dependencies = [
  "tower-service",
 ]
 
+[[package]]
+name = "hyper-tls"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
+dependencies = [
+ "bytes",
+ "http-body-util",
+ "hyper 1.8.1",
+ "hyper-util",
+ "native-tls",
+ "tokio",
+ "tokio-native-tls",
+ "tower-service",
+]
+
 [[package]]
 name = "hyper-util"
 version = "0.1.20"
@@ -1911,9 +2083,35 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "socket2 0.6.3",
+ "system-configuration",
  "tokio",
  "tower-service",
  "tracing",
+ "windows-registry",
+]
+
+[[package]]
+name = "iana-time-zone"
+version = "0.1.65"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
 ]
 
 [[package]]
@@ -2060,6 +2258,16 @@ version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
+[[package]]
+name = "iri-string"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -2111,9 +2319,31 @@ checksum = "2a8c8b344124222efd714b73bb41f8b5120b27a7cc1c75593a6ff768d9d05aa4"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
+[[package]]
+name = "jni"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97"
+dependencies = [
+ "cesu8",
+ "cfg-if",
+ "combine",
+ "jni-sys",
+ "log",
+ "thiserror 1.0.69",
+ "walkdir",
+ "windows-sys 0.45.0",
+]
+
+[[package]]
+name = "jni-sys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
+
 [[package]]
 name = "jobserver"
 version = "0.1.34"
@@ -2260,7 +2490,7 @@ dependencies = [
  "quote",
  "serde",
  "serde_json",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2377,6 +2607,12 @@ dependencies = [
  "hashbrown 0.16.1",
 ]
 
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
 [[package]]
 name = "matchers"
 version = "0.2.0"
@@ -2396,6 +2632,12 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "md5"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
+
 [[package]]
 name = "memchr"
 version = "2.8.0"
@@ -2414,6 +2656,46 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 
+[[package]]
+name = "minio"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3824101357fa899d01c729e4a245776e20a03f2f6645979e86b9d3d5d9c42741"
+dependencies = [
+ "async-recursion",
+ "async-trait",
+ "base64",
+ "byteorder",
+ "bytes",
+ "chrono",
+ "crc",
+ "dashmap",
+ "derivative",
+ "env_logger",
+ "futures",
+ "futures-util",
+ "hex",
+ "hmac",
+ "http 1.4.0",
+ "hyper 1.8.1",
+ "lazy_static",
+ "log",
+ "md5",
+ "multimap",
+ "percent-encoding",
+ "rand 0.8.5",
+ "regex",
+ "reqwest 0.12.28",
+ "serde",
+ "serde_json",
+ "sha2",
+ "tokio",
+ "tokio-stream",
+ "tokio-util",
+ "urlencoding",
+ "xmltree",
+]
+
 [[package]]
 name = "miniz_oxide"
 version = "0.8.9"
@@ -2436,6 +2718,32 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "multimap"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "native-tls"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework",
+ "security-framework-sys",
+ "tempfile",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -2491,12 +2799,50 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "openssl"
+version = "0.10.75"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 
+[[package]]
+name = "openssl-sys"
+version = "0.9.111"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "ordered-float"
 version = "2.10.1"
@@ -2598,7 +2944,7 @@ dependencies = [
  "pest_meta",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2628,7 +2974,7 @@ checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2705,7 +3051,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
 dependencies = [
  "proc-macro2",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2717,6 +3063,62 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls 0.23.37",
+ "socket2 0.6.3",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "aws-lc-rs",
+ "bytes",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand 0.9.2",
+ "ring",
+ "rustc-hash",
+ "rustls 0.23.37",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2 0.6.3",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -2738,16 +3140,37 @@ version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha 0.3.1",
+ "rand_core 0.6.4",
+]
+
 [[package]]
 name = "rand"
 version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
- "rand_chacha",
+ "rand_chacha 0.9.0",
  "rand_core 0.9.5",
 ]
 
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.9.0"
@@ -2802,7 +3225,7 @@ checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2840,6 +3263,85 @@ version = "0.8.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 
+[[package]]
+name = "reqwest"
+version = "0.12.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-core",
+ "futures-util",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "hyper 1.8.1",
+ "hyper-tls",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "native-tls",
+ "percent-encoding",
+ "pin-project-lite",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-native-tls",
+ "tokio-util",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-streams",
+ "web-sys",
+]
+
+[[package]]
+name = "reqwest"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
+dependencies = [
+ "base64",
+ "bytes",
+ "encoding_rs",
+ "futures-core",
+ "h2 0.4.13",
+ "http 1.4.0",
+ "http-body 1.0.1",
+ "http-body-util",
+ "hyper 1.8.1",
+ "hyper-rustls 0.27.7",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "mime",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls 0.23.37",
+ "rustls-pki-types",
+ "rustls-platform-verifier",
+ "serde",
+ "serde_json",
+ "sync_wrapper",
+ "tokio",
+ "tokio-rustls 0.26.4",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
 [[package]]
 name = "rfc6979"
 version = "0.3.1"
@@ -2876,7 +3378,7 @@ dependencies = [
  "rust2go-cli",
  "rust2go-convert",
  "rust2go-macro",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2900,7 +3402,7 @@ dependencies = [
  "heck 0.5.0",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2918,7 +3420,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "rust2go-common",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2995,9 +3497,37 @@ version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
 dependencies = [
+ "web-time",
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-platform-verifier"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d99feebc72bae7ab76ba994bb5e121b8d83d910ca40b36e0921f53becc41784"
+dependencies = [
+ "core-foundation 0.10.1",
+ "core-foundation-sys",
+ "jni",
+ "log",
+ "once_cell",
+ "rustls 0.23.37",
+ "rustls-native-certs",
+ "rustls-platform-verifier-android",
+ "rustls-webpki 0.103.9",
+ "security-framework",
+ "security-framework-sys",
+ "webpki-root-certs",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls-platform-verifier-android"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@@ -3042,6 +3572,7 @@ dependencies = [
  "aws-config",
  "aws-credential-types",
  "aws-sdk-s3",
+ "base64",
  "clap",
  "darling",
  "envtest",
@@ -3050,6 +3581,8 @@ dependencies = [
  "hyper 1.8.1",
  "k8s-openapi",
  "kube",
+ "minio",
+ "reqwest 0.13.2",
  "schemars",
  "serde",
  "serde_json",
@@ -3061,6 +3594,15 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.28"
@@ -3092,7 +3634,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "serde_derive_internals",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3141,7 +3683,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
 dependencies = [
  "bitflags",
- "core-foundation",
+ "core-foundation 0.10.1",
  "core-foundation-sys",
  "libc",
  "security-framework-sys",
@@ -3200,7 +3742,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3211,7 +3753,7 @@ checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3390,6 +3932,17 @@ version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
 [[package]]
 name = "syn"
 version = "2.0.117"
@@ -3406,6 +3959,9 @@ name = "sync_wrapper"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
 
 [[package]]
 name = "synstructure"
@@ -3415,7 +3971,28 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "system-configuration"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
+dependencies = [
+ "bitflags",
+ "core-foundation 0.9.4",
+ "system-configuration-sys",
+]
+
+[[package]]
+name = "system-configuration-sys"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
 ]
 
 [[package]]
@@ -3457,7 +4034,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3468,7 +4045,7 @@ checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3521,6 +4098,21 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "tinyvec"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
 [[package]]
 name = "tokio"
 version = "1.50.0"
@@ -3546,7 +4138,17 @@ checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "tokio-native-tls"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+dependencies = [
+ "native-tls",
+ "tokio",
 ]
 
 [[package]]
@@ -3672,8 +4274,10 @@ dependencies = [
  "base64",
  "bitflags",
  "bytes",
+ "futures-util",
  "http 1.4.0",
  "http-body 1.0.1",
+ "iri-string",
  "mime",
  "pin-project-lite",
  "tower",
@@ -3728,7 +4332,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3877,6 +4481,12 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
 
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
 [[package]]
 name = "version_check"
 version = "0.9.5"
@@ -3889,6 +4499,16 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -3935,6 +4555,20 @@ dependencies = [
  "wasm-bindgen-shared",
 ]
 
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.64"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
+dependencies = [
+ "cfg-if",
+ "futures-util",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
 [[package]]
 name = "wasm-bindgen-macro"
 version = "0.2.114"
@@ -3954,7 +4588,7 @@ dependencies = [
  "bumpalo",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "wasm-bindgen-shared",
 ]
 
@@ -3989,6 +4623,19 @@ dependencies = [
  "wasmparser",
 ]
 
+[[package]]
+name = "wasm-streams"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
+dependencies = [
+ "futures-util",
+ "js-sys",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
 [[package]]
 name = "wasmparser"
 version = "0.244.0"
@@ -4001,19 +4648,130 @@ dependencies = [
  "semver",
 ]
 
+[[package]]
+name = "web-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-root-certs"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "windows-core"
+version = "0.62.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
+dependencies = [
+ "windows-implement",
+ "windows-interface",
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
+dependencies = [
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.45.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
+dependencies = [
+ "windows-targets 0.42.2",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
 dependencies = [
- "windows-targets",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
@@ -4022,7 +4780,7 @@ version = "0.59.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
 dependencies = [
- "windows-targets",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
@@ -4034,34 +4792,67 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
 dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
  "windows_i686_gnullvm",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -4074,24 +4865,48 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -4137,7 +4952,7 @@ dependencies = [
  "heck 0.5.0",
  "indexmap",
  "prettyplease",
- "syn",
+ "syn 2.0.117",
  "wasm-metadata",
  "wit-bindgen-core",
  "wit-component",
@@ -4153,7 +4968,7 @@ dependencies = [
  "prettyplease",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "wit-bindgen-core",
  "wit-bindgen-rust",
 ]
@@ -4201,12 +5016,27 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
+[[package]]
+name = "xml-rs"
+version = "0.8.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ae8337f8a065cfc972643663ea4279e04e7256de865aa66fe25cec5fb912d3f"
+
 [[package]]
 name = "xmlparser"
 version = "0.13.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66fee0b777b0f5ac1c69bb06d361268faafa61cd4682ae064a171c16c433e9e4"
 
+[[package]]
+name = "xmltree"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b619f8c85654798007fb10afa5125590b43b088c225a25fc2fec100a9fad0fc6"
+dependencies = [
+ "xml-rs",
+]
+
 [[package]]
 name = "yoke"
 version = "0.8.1"
@@ -4226,7 +5056,7 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -4247,7 +5077,7 @@ checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -4267,7 +5097,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -4307,7 +5137,7 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index 71143c8..238d4bb 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -40,6 +40,9 @@ tracing-subscriber = { version = "0.3.22", features = ["json", "env-filter"] }
 aws-config = { version = "1.8.15", features = ["behavior-version-latest", "rustls"] }
 aws-sdk-s3 = "1.125.0"
 aws-credential-types = "1.2.14"
+minio = "0.3.0"
+reqwest = { version = "0.13.2", features = ["json"] }
+base64 = "0.22.1"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/manifests/s3_bucket.yaml b/operator/manifests/s3_bucket.yaml
index e688b6a..d91fdf5 100644
--- a/operator/manifests/s3_bucket.yaml
+++ b/operator/manifests/s3_bucket.yaml
@@ -6,5 +6,5 @@ metadata:
   namespace: default
 spec:
   instance: test
-  cleanup: false
+  cleanup: true
   ownConfigmap: false
diff --git a/operator/manifests/s3_bucket_user.yaml b/operator/manifests/s3_bucket_user.yaml
new file mode 100644
index 0000000..e93ec75
--- /dev/null
+++ b/operator/manifests/s3_bucket_user.yaml
@@ -0,0 +1,3 @@
+spec:
+  bucket: test
+  policy: readWrite
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
index 1dc7e74..eaae104 100644
--- a/operator/manifests/s3_instance.yaml
+++ b/operator/manifests/s3_instance.yaml
@@ -19,4 +19,3 @@ spec:
   credentialsSecret:
     namespace: default
     name: test
-
diff --git a/operator/src/api/v1beta1/mod.rs b/operator/src/api/v1beta1/mod.rs
index 0a4836d..93911b4 100644
--- a/operator/src/api/v1beta1/mod.rs
+++ b/operator/src/api/v1beta1/mod.rs
@@ -1,2 +1,3 @@
 pub mod s3_bucket;
+pub mod s3_bucket_user;
 pub mod s3_instance;
diff --git a/operator/src/api/v1beta1/s3_bucket.rs b/operator/src/api/v1beta1/s3_bucket.rs
index b3b38af..2e3a9ef 100644
--- a/operator/src/api/v1beta1/s3_bucket.rs
+++ b/operator/src/api/v1beta1/s3_bucket.rs
@@ -15,7 +15,8 @@ use schemars::JsonSchema;
     status = "S3BucketStatus",
     printcolumn = r#"{"name":"Instance","type":"string","description":"On which instance this bucket is created","jsonPath":".spec.instance"}"#,
     printcolumn = r#"{"name":"Region","type":"string","description":"The region of the bucket","jsonPath":".status.region"}"#,
-    printcolumn = r#"{"name":"Total Objects","type":"number","description":"How many objects are there in the bucket","jsonPath":".status.total_objects"}"#,
+    printcolumn = r#"{"name":"Bucket Name","type":"string","description":"The full name of the bucket","jsonPath":".status.bucketName"}"#,
+    printcolumn = r#"{"name":"Total Objects","type":"number","description":"How many objects are there in the bucket","jsonPath":".status.totalObjects"}"#,
     printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#
 )]
 #[serde(rename_all = "camelCase")]
@@ -33,17 +34,20 @@ pub struct S3BucketSpec {
 
 /// The status object of `DbInstance`
 #[derive(Deserialize, Serialize, Clone, Default, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
 pub struct S3BucketStatus {
     /// Is this bucket ready.
     #[serde(default)]
     pub ready: bool,
     pub conditions: Vec<Condition>,
     #[serde(default)]
-    pub size: Option<u32>,
+    pub size: Option<u64>,
     #[serde(default)]
-    pub objects_buckets: Option<u32>,
+    pub total_objects: Option<u64>,
     #[serde(default)]
     pub endpoint: Option<String>,
     #[serde(default)]
     pub region: Option<String>,
+    #[serde(default)]
+    pub bucket_name: Option<String>,
 }
diff --git a/operator/src/api/v1beta1/s3_bucket_user.rs b/operator/src/api/v1beta1/s3_bucket_user.rs
new file mode 100644
index 0000000..fa0adc1
--- /dev/null
+++ b/operator/src/api/v1beta1/s3_bucket_user.rs
@@ -0,0 +1,40 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
+use k8s_openapi::serde::{Deserialize, Serialize};
+use kube::CustomResource;
+use kube::{self};
+use schemars::JsonSchema;
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[kube(
+    kind = "S3BucketUser",
+    group = "s3.badhouseplants.net",
+    version = "v1beta1",
+    shortname = "s3bu",
+    doc = "Manage users that have access to s3 buckets",
+    namespaced,
+    status = "S3BucketUserStatus",
+    printcolumn = r#"{"name":"Status","type":"boolean","description":"Is the S3Instance ready","jsonPath":".status.ready"}"#
+)]
+#[serde(rename_all = "camelCase")]
+pub struct S3BucketUserSpec {
+    /// To which bucket access should be provided
+    pub bucket: String,
+    pub policy: String,
+    /// Should perform a cleanup on delete?
+    #[serde(default)]
+    pub cleanup: bool,
+    /// Should set the owner reference on the Secret
+    #[serde(default)]
+    pub own_secret: bool,
+}
+
+/// The status object of `DbInstance`
+#[derive(Deserialize, Serialize, Clone, Default, Debug, JsonSchema)]
+pub struct S3BucketUserStatus {
+    /// Is this bucket ready.
+    #[serde(default)]
+    pub ready: bool,
+    pub conditions: Vec<Condition>,
+    #[serde(default)]
+    pub access_key: Option<String>,
+}
diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
index 25a8bc8..34b83d2 100644
--- a/operator/src/api/v1beta1/s3_instance.rs
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -25,6 +25,7 @@ pub struct S3InstanceSpec {
     pub credentials_secret: NamespacedName,
     #[serde(default)]
     pub force_path_style: bool,
+    pub provider: String,
 }
 
 /// The status object of `DbInstance`
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
index 8270728..6886f99 100644
--- a/operator/src/controller.rs
+++ b/operator/src/controller.rs
@@ -1,7 +1,7 @@
 mod conditions;
 mod controllers;
 mod s3;
-
+mod providers;
 use crate::controllers::{s3_bucket, s3_instance};
 
 use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
diff --git a/operator/src/controllers/mod.rs b/operator/src/controllers/mod.rs
index 910ac74..615aa45 100644
--- a/operator/src/controllers/mod.rs
+++ b/operator/src/controllers/mod.rs
@@ -1,2 +1,3 @@
 pub(crate) mod s3_bucket;
+//pub(crate) mod s3_bucket_user;
 pub(crate) mod s3_instance;
diff --git a/operator/src/controllers/s3_bucket.rs b/operator/src/controllers/s3_bucket.rs
index dada8cd..68baf3a 100644
--- a/operator/src/controllers/s3_bucket.rs
+++ b/operator/src/controllers/s3_bucket.rs
@@ -1,7 +1,7 @@
-use crate::conditions::set_condition;
+use crate::conditions::{is_condition_true, set_condition};
 use crate::controllers::s3_instance;
 use crate::s3::S3Client;
-use crate::s3::s3::S3Api;
+use crate::s3::s3api::S3Api;
 use api::api::v1beta1::s3_bucket::{S3Bucket, S3BucketStatus};
 use api::api::v1beta1::s3_instance::S3Instance;
 use futures::StreamExt;
@@ -19,8 +19,6 @@ use std::time::Duration;
 use thiserror::Error;
 use tracing::*;
 
-const TYPE_INSTANCE_CONNECTED: &str = "InstanceConnected";
-const TYPE_CONFIGMAP_READY: &str = "ConfigMapReady";
 const TYPE_BUCKET_READY: &str = "BucketReady";
 const FIN_CLEANUP: &str = "s3.badhouseplants.net/bucket-cleanup";
 const CONFIGMAP_LABEL: &str = "s3.badhouseplants.net/s3-bucket";
@@ -108,6 +106,37 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
         };
     };
 
+    if is_condition_true(status.clone().conditions, TYPE_BUCKET_READY) {
+        let mut current_finalizers = match s3bucket.clone().metadata.finalizers {
+            Some(finalizers) => finalizers,
+            None => vec![],
+        };
+        if s3bucket.spec.cleanup {
+
+           if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+               info!("Adding a finalizer");
+                   current_finalizers.push(FIN_CLEANUP.to_string());
+
+           }
+        } else {
+            if current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+                if let Some(index) = current_finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                    current_finalizers.remove(index);
+                };
+            }
+        };
+        s3bucket.metadata.finalizers = Some(current_finalizers);
+        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err))
+            },
+        }
+    }; 
+
     info!("Getting the S3Intsance");
     let s3in = match s3in_api.get(&s3bucket.spec.instance).await {
         Ok(s3in) => s3in,
@@ -172,6 +201,37 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
         s3in.clone().spec.force_path_style,
     )
     .await;
+    
+    let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
+
+    if s3bucket.metadata.deletion_timestamp.is_some() {
+        info!("Object is marked for deletion");
+        if let Some(mut finalizers) = s3bucket.clone().metadata.finalizers {
+            if finalizers.contains(&FIN_CLEANUP.to_string()) {
+                match s3_client.clone().delete_bucket(bucket_name.clone()).await {
+                    Ok(_) => {
+                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                            finalizers.remove(index);
+                        };
+                    },
+                    Err(err) => {
+                        error!("{}", err);
+                        return Err(S3BucketError::IllegalS3Bucket);
+                    },
+                }
+            }
+            s3bucket.metadata.finalizers = Some(finalizers);
+        };
+        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err))
+            },
+        }
+    }
 
     info!("Getting buckets");
     let buckets = match s3_client.clone().list_buckets().await {
@@ -181,26 +241,31 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
             return Err(S3BucketError::IllegalS3Bucket);
         }
     };
-    let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
     if buckets.contains(&bucket_name) {
         info!("Bucket already exists");
-        return Ok(Action::await_change());
-    }
-    
-    if let Err(err) = s3_client.create_buckets(bucket_name).await {
-        error!("{}", err);
-        return Err(S3BucketError::IllegalS3Bucket);
+    } else {
+        if let Err(err) = s3_client.clone().create_bucket(bucket_name.clone()).await {
+            error!("{}", err);
+            return Err(S3BucketError::IllegalS3Bucket);
+        }
     }
 
     status.ready = true;
-    status.objects_buckets = None;
+    status.conditions = set_condition(
+        status.conditions,
+        s3bucket.metadata.clone(),
+        TYPE_BUCKET_READY,
+        "True".to_string(),
+        "Reconciled".to_string(),
+        "Bucket is ready".to_string(),
+    );
     status.endpoint = Some(s3in.clone().spec.endpoint);
-    status.size = None;
+    status.size = s3_client.clone().count_size(bucket_name.clone()).await.ok();
+    status.total_objects = s3_client.clone().count_objects(bucket_name.clone()).await.ok();
     status.region = Some(s3in.spec.region);
-    
+    status.bucket_name = Some(bucket_name.clone()); 
     s3bucket.status = Some(status);
-    
-    
+   
     info!("Updating status of the s3bucket resource");
     match s3bucket_api
         .replace_status(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
@@ -218,30 +283,14 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
 
 // Bootstrap the object by adding a default status to it
 async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3BucketError> {
-    let mut conditions = set_condition(
+    let conditions = set_condition(
         vec![],
         obj.metadata.clone(),
-        TYPE_INSTANCE_CONNECTED,
-        "Unknown".to_string(),
-        "Reconciling".to_string(),
-        "Reconciliation started".to_string(),
-    );
-    conditions = set_condition(
-        conditions,
-        obj.metadata.clone(),
         TYPE_BUCKET_READY,
         "Unknown".to_string(),
         "Reconciling".to_string(),
         "Reconciliation started".to_string(),
     );
-    conditions = set_condition(
-        conditions,
-        obj.metadata.clone(),
-        TYPE_CONFIGMAP_READY,
-        "Unknown".to_string(),
-        "Reconciling".to_string(),
-        "Reconciliation started".to_string(),
-    );
     obj.status = Some(S3BucketStatus {
         conditions,
         ..S3BucketStatus::default()
diff --git a/operator/src/controllers/s3_bucket_user.rs b/operator/src/controllers/s3_bucket_user.rs
new file mode 100644
index 0000000..01d7ee1
--- /dev/null
+++ b/operator/src/controllers/s3_bucket_user.rs
@@ -0,0 +1,471 @@
+use crate::conditions::{is_condition_true, set_condition};
+use crate::controllers::s3_instance;
+use crate::s3::S3Client;
+use crate::s3::s3api::S3Api;
+use api::api::v1beta1::s3_bucket::{S3Bucket, S3BucketStatus};
+use api::api::v1beta1::s3_instance::S3Instance;
+use futures::StreamExt;
+use k8s_openapi::api::core::v1::{ConfigMap, Secret};
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference;
+use kube::api::{ListParams, ObjectMeta, PostParams};
+use kube::runtime::Controller;
+use kube::runtime::controller::Action;
+use kube::runtime::events::Recorder;
+use kube::runtime::watcher::Config;
+use kube::{Api, Client, Error, Resource, ResourceExt};
+use std::collections::BTreeMap;
+use std::sync::Arc;
+use std::time::Duration;
+use thiserror::Error;
+use tracing::*;
+
+const TYPE_USER_READY: &str = "UserReady";
+const FIN_CLEANUP: &str = "s3.badhouseplants.net/user-cleanup";
+const SECRET_LABEL: &str = "s3.badhouseplants.net/s3-bucket";
+
+const AWS_ACCESS_KEY_ID: &str = "AWS_ACCESS_KEY_ID";
+const AWS_SECCRET_ACCESS_KEY: &str = "AWS_SECRET_ACCESS_KEY";
+
+#[instrument(skip(ctx, obj), fields(trace_id))]
+pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3BucketResult<Action> {
+    info!("Staring reconciling");
+    let s3bucket_api: Api<S3Bucket> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let cm_api: Api<ConfigMap> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
+
+    info!("Getting the S3Bucket resource");
+    let mut s3bucket = match s3bucket_api.get(&obj.name_any()).await {
+        Ok(s3bucket) => s3bucket,
+        Err(Error::Api(ae)) if ae.code == 404 => {
+            info!("Object is not found, probably removed");
+            return Ok(Action::await_change());
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    // On the first reconciliation status is None
+    // it needs to be initialized
+    let mut status = match s3bucket.clone().status {
+        None => {
+            info!("Status is not yet set, initializing the object");
+            return init_object(s3bucket, s3bucket_api).await;
+        }
+        Some(status) => status,
+    };
+
+    let configmap_name = format!("{}-bucket-info", s3bucket.name_any());
+    
+    info!("Getting the configmap");
+    // Get the cm, if it's already there, we need to validate, or create an empty one
+    let mut configmap = match get_configmap(cm_api.clone(), &configmap_name).await {
+        Ok(configmap) => configmap,
+        Err(Error::Api(ae)) if ae.code == 404 => {
+            info!("ConfigMap is not found, creating a new one");
+            let cm = ConfigMap{ 
+               metadata: ObjectMeta { 
+                   name: Some(configmap_name), 
+                   namespace: Some(s3bucket.clone().namespace().unwrap()),
+                   ..Default::default()
+               },
+               ..Default::default()
+            };
+            match create_configmap(cm_api.clone(), cm).await {
+                Ok(cm) => cm,
+                Err(err) => {
+                    error!("{}", err);
+                    return Err(S3BucketError::KubeError(err));
+                },
+            }
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        },
+    };
+
+    info!("Labeling the configmap");
+    configmap = match label_configmap(cm_api.clone(), &s3bucket.name_any(), configmap).await {
+        Ok(configmap) => configmap,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        },
+    };
+
+    info!("Setting owner references to the configmap");
+    if s3bucket.spec.own_configmap {
+        configmap = match own_configmap(cm_api.clone(), s3bucket.clone(), configmap).await {
+            Ok(configmap) => configmap,
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err));
+            },
+        };
+    };
+
+    if is_condition_true(status.clone().conditions, TYPE_USER_READY) {
+        let mut current_finalizers = match s3bucket.clone().metadata.finalizers {
+            Some(finalizers) => finalizers,
+            None => vec![],
+        };
+        if s3bucket.spec.cleanup {
+
+           if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+               info!("Adding a finalizer");
+                   current_finalizers.push(FIN_CLEANUP.to_string());
+
+           }
+        } else {
+            if current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+                if let Some(index) = current_finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                    current_finalizers.remove(index);
+                };
+            }
+        };
+        s3bucket.metadata.finalizers = Some(current_finalizers);
+        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err))
+            },
+        }
+    }; 
+
+    info!("Getting the S3Intsance");
+    let s3in = match s3in_api.get(&s3bucket.spec.instance).await {
+        Ok(s3in) => s3in,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    info!("Updating the ConfigMap");
+    if let Err(err) = ensure_data_configmap(cm_api.clone(), s3in.clone(), configmap.clone()).await {
+        error!("{}", err);
+        return Err(S3BucketError::KubeError(err));
+    };
+
+    info!("Getting the s3instance secret");
+    let secret_ns = s3in.clone().spec.credentials_secret.namespace;
+    let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+
+    let secret = match s3_instance::get_secret(secret_api.clone(), s3in.clone()).await {
+        Ok(secret) => secret,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+
+    info!("Getting data from the secret");
+    // Getting data from the secret to initialize the clinet
+    let data = match secret.data {
+        Some(data) => data,
+        None => {
+            let err = anyhow::Error::msg("empty data");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+
+    let access_key = match data.get(s3_instance::ACCESS_KEY) {
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
+        None => {
+            let err = anyhow::Error::msg("empty access key");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+    let secret_key = match data.get(s3_instance::SECRET_KEY) {
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
+        None => {
+            let err = anyhow::Error::msg("empty secret key");
+            error!("{}", err);
+            return Err(S3BucketError::InvalidSecret(err));
+        }
+    };
+
+    info!("Creating an s3 client");
+    let s3_client = S3Api::new(
+        access_key,
+        secret_key,
+        s3in.clone().spec.endpoint.to_string(),
+        s3in.clone().spec.region.to_string(),
+        s3in.clone().spec.force_path_style,
+    )
+    .await;
+    
+    let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
+
+    if s3bucket.metadata.deletion_timestamp.is_some() {
+        info!("Object is marked for deletion");
+        if let Some(mut finalizers) = s3bucket.clone().metadata.finalizers {
+            if finalizers.contains(&FIN_CLEANUP.to_string()) {
+                match s3_client.clone().delete_bucket(bucket_name.clone()).await {
+                    Ok(_) => {
+                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                            finalizers.remove(index);
+                        };
+                    },
+                    Err(err) => {
+                        error!("{}", err);
+                        return Err(S3BucketError::IllegalS3Bucket);
+                    },
+                }
+            }
+            s3bucket.metadata.finalizers = Some(finalizers);
+        };
+        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            },
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3BucketError::KubeError(err))
+            },
+        }
+    }
+
+    info!("Getting buckets");
+    let buckets = match s3_client.clone().list_buckets().await {
+        Ok(buckets) => buckets,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::IllegalS3Bucket);
+        }
+    };
+    if buckets.contains(&bucket_name) {
+        info!("Bucket already exists");
+    } else {
+        if let Err(err) = s3_client.clone().create_bucket(bucket_name.clone()).await {
+            error!("{}", err);
+            return Err(S3BucketError::IllegalS3Bucket);
+        }
+    }
+
+    status.ready = true;
+    status.conditions = set_condition(
+        status.conditions,
+        s3bucket.metadata.clone(),
+        TYPE_USER_READY,
+        "True".to_string(),
+        "Reconciled".to_string(),
+        "Bucket is ready".to_string(),
+    );
+    status.endpoint = Some(s3in.clone().spec.endpoint);
+    status.size = s3_client.clone().count_size(bucket_name.clone()).await.ok();
+    status.total_objects = s3_client.clone().count_objects(bucket_name.clone()).await.ok();
+    status.region = Some(s3in.spec.region);
+    status.bucket_name = Some(bucket_name.clone()); 
+    s3bucket.status = Some(status);
+   
+    info!("Updating status of the s3bucket resource");
+    match s3bucket_api
+        .replace_status(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
+        .await
+    {
+        Ok(_) => {
+            return Ok(Action::requeue(Duration::from_secs(120)));
+        }
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketError::KubeError(err));
+        }
+    };
+}
+
+// Bootstrap the object by adding a default status to it
+async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3BucketError> {
+    let conditions = set_condition(
+        vec![],
+        obj.metadata.clone(),
+        TYPE_USER_READY,
+        "Unknown".to_string(),
+        "Reconciling".to_string(),
+        "Reconciliation started".to_string(),
+    );
+    obj.status = Some(S3BucketStatus {
+        conditions,
+        ..S3BucketStatus::default()
+    });
+    match api
+        .replace_status(obj.clone().name_any().as_str(), &Default::default(), &obj)
+        .await
+    {
+        Ok(_) => Ok(Action::await_change()),
+        Err(err) => {
+            error!("{}", err);
+            Err(S3BucketError::KubeError(err))
+        }
+    }
+}
+
+// Get the configmap with the bucket data
+async fn get_configmap(api: Api<ConfigMap>, name: &str) -> Result<ConfigMap, kube::Error> {
+    info!("Getting a configmap: {}", name);
+    match api.get(name).await {
+        Ok(cm) => Ok(cm),
+        Err(err) => Err(err),
+    }
+}
+
+// Create ConfigMap
+async fn create_configmap(api: Api<ConfigMap>, cm: ConfigMap) -> Result<ConfigMap, kube::Error> {
+    match api.create(&PostParams::default(), &cm).await {
+        Ok(cm) => get_configmap(api, &cm.name_any()).await,
+        Err(err) => Err(err),
+    }
+}
+
+async fn label_configmap(
+    api: Api<ConfigMap>,
+    s3bucket_name: &str,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut labels = match &cm.clone().metadata.labels {
+        Some(labels) => labels.clone(),
+        None => {
+            let map: BTreeMap<String, String> = BTreeMap::new();
+            map
+        }
+    };
+    labels.insert(SECRET_LABEL.to_string(), s3bucket_name.to_string());
+    cm.metadata.labels = Some(labels);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    let cm = match api.get(&cm.name_any()).await {
+        Ok(cm) => cm,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+    Ok(cm)
+}
+
+async fn own_configmap(
+    api: Api<ConfigMap>,
+    s3bucket: S3Bucket,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut owner_references = match &cm.clone().metadata.owner_references {
+        Some(owner_references) => owner_references.clone(),
+        None => {
+            let owner_references: Vec<OwnerReference> = vec![];
+            owner_references
+        }
+    };
+
+    if owner_references.iter().find(|or| or.uid == s3bucket.uid().unwrap()).is_some() {
+        return Ok(cm);
+    }
+
+    let new_owner_reference = OwnerReference{ 
+        api_version: S3Bucket::api_version(&()).into(),
+        kind: S3Bucket::kind(&()).into(), 
+        name: s3bucket.name_any(),
+        uid: s3bucket.uid().unwrap(),
+        ..Default::default()
+    };
+
+    owner_references.push(new_owner_reference);
+    cm.metadata.owner_references = Some(owner_references);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    let cm = match api.get(&cm.name_any()).await {
+        Ok(cm) => cm,
+        Err(err) => {
+            return Err(err);
+        }
+    };
+    Ok(cm)
+}
+
+async fn ensure_data_configmap(
+    api: Api<ConfigMap>,
+    s3in: S3Instance,
+    mut cm: ConfigMap,
+) -> Result<ConfigMap, kube::Error> {
+    let mut data = match &cm.clone().data {
+        Some(data) => data.clone(),
+        None => {
+            let map: BTreeMap<String, String> = BTreeMap::new();
+            map
+        }
+    };
+
+    data.insert(AWS_REGION.to_string(), s3in.spec.region);
+    data.insert(AWS_ENDPOINT_URL.to_string(), s3in.spec.endpoint);
+
+
+    cm.data = Some(data);
+    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+        .await?;
+
+    match api.get(&cm.name_any()).await {
+        Ok(cm) => Ok(cm),
+        Err(err) => Err(err),
+    }
+}
+
+pub(crate) fn error_policy(_: Arc<S3Bucket>, _: &S3BucketError, _: Arc<Context>) -> Action {
+    Action::requeue(Duration::from_secs(5 * 60))
+}
+
+#[instrument(skip(client), fields(trace_id))]
+pub async fn run(client: Client) {
+    let s3buckets = Api::<S3Bucket>::all(client.clone());
+    if let Err(err) = s3buckets.list(&ListParams::default().limit(1)).await {
+        error!("{}", err);
+        std::process::exit(1);
+    }
+    let recorder = Recorder::new(client.clone(), "s3bucket-controller".into()); 
+    let context = Context { client, recorder };
+    Controller::new(s3buckets, Config::default().any_semantic())
+        .shutdown_on_signal()
+        .run(reconcile, error_policy, Arc::new(context))
+        .filter_map(|x| async move { std::result::Result::ok(x) })
+        .for_each(|_| futures::future::ready(()))
+        .await;
+}
+// Context for our reconciler
+#[derive(Clone)]
+pub(crate) struct Context {
+    /// Kubernetes client
+    pub client: Client,
+    /// Event recorder
+    pub recorder: Recorder,
+}
+
+#[derive(Error, Debug)]
+pub enum S3BucketError {
+    #[error("SerializationError: {0}")]
+    SerializationError(#[source] serde_json::Error),
+
+    #[error("Kube Error: {0}")]
+    KubeError(#[source] kube::Error),
+
+    #[error("Finalizer Error: {0}")]
+    // NB: awkward type because finalizer::Error embeds the reconciler error (which is this)
+    // so boxing this error to break cycles
+    FinalizerError(#[source] Box<kube::runtime::finalizer::Error<S3BucketError>>),
+
+    #[error("IllegalS3Bucket")]
+    IllegalS3Bucket,
+
+    #[error("SecretIsAlreadyLabeled")]
+    SecretIsAlreadyLabeled,
+
+    #[error("Invalid Secret: {0}")]
+    InvalidSecret(#[source] anyhow::Error),
+}
+
+pub type S3BucketResult<T, E = S3BucketError> = std::result::Result<T, E>;
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index 99003af..b0bffa4 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -1,6 +1,6 @@
 use crate::conditions::{is_condition_true, is_condition_unknown, set_condition};
 use crate::s3::S3Client;
-use crate::s3::s3::S3Api;
+use crate::s3::s3api::S3Api;
 use api::api::v1beta1::s3_instance::{S3Instance, S3InstanceStatus};
 use futures::StreamExt;
 use k8s_openapi::api::core::v1::Secret;
diff --git a/operator/src/crdgen.rs b/operator/src/crdgen.rs
index 6e8aadf..93e4aad 100644
--- a/operator/src/crdgen.rs
+++ b/operator/src/crdgen.rs
@@ -1,3 +1,4 @@
+use api::api::v1beta1::s3_bucket_user::S3BucketUser;
 use api::api::v1beta1::{s3_bucket::S3Bucket, s3_instance::S3Instance};
 use kube::CustomResourceExt;
 fn main() {
@@ -6,4 +7,8 @@ fn main() {
         serde_yaml::to_string(&S3Instance::crd()).unwrap()
     );
     println!("---\n{}", serde_yaml::to_string(&S3Bucket::crd()).unwrap());
+    println!(
+        "---\n{}",
+        serde_yaml::to_string(&S3BucketUser::crd()).unwrap()
+    );
 }
diff --git a/operator/src/providers/dummy.rs b/operator/src/providers/dummy.rs
new file mode 100644
index 0000000..b0eced6
--- /dev/null
+++ b/operator/src/providers/dummy.rs
@@ -0,0 +1,17 @@
+use super::ProviderAPI;
+
+pub(crate) struct Dummy {}
+
+impl ProviderAPI for Dummy{
+    async fn update_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn delete_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
+        todo!()
+    }
+}
diff --git a/operator/src/providers/minio.rs b/operator/src/providers/minio.rs
new file mode 100644
index 0000000..61eb179
--- /dev/null
+++ b/operator/src/providers/minio.rs
@@ -0,0 +1,47 @@
+use super::ProviderAPI;
+use base64::Engine;
+use reqwest::Client;
+use base64::{Engine as _, engine::general_purpose};
+pub(crate) struct MinIO {
+    username: String,
+    password: String,
+    endpoint: String,
+    client: Client,
+}
+
+impl MinIO {
+    pub(crate) fn new(username: String, password: String, endpoint: String) -> Self {
+        let client = Client::new();
+        Self { username, password, endpoint, client }
+    }
+
+    fn auth(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
+        req.basic_auth(&self.username, Some(&self.password))
+    }
+}
+
+
+impl ProviderAPI for MinIO {
+    async fn update_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn delete_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
+        let url = format!(
+            "{}/minio/admin/v3/add-user?accessKey={}",
+            self.endpoint, access_key
+        );
+        let payload = general_purpose::STANDARD.encode(secret_key);
+        self.auth(self.client.put(url))
+            .body(payload)
+            .send()
+            .await?
+            .error_for_status()?;
+
+        Ok(())
+    }
+}
diff --git a/operator/src/providers/mod.rs b/operator/src/providers/mod.rs
new file mode 100644
index 0000000..c731e28
--- /dev/null
+++ b/operator/src/providers/mod.rs
@@ -0,0 +1,9 @@
+pub(crate) mod dummy;
+pub(crate) mod rustfs;
+pub(crate) mod minio;
+
+pub(crate) trait ProviderAPI {
+    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error>;
+    async fn update_user() -> Result<(), anyhow::Error>;
+    async fn delete_user() -> Result<(), anyhow::Error>;
+}
diff --git a/operator/src/providers/rustfs.rs b/operator/src/providers/rustfs.rs
new file mode 100644
index 0000000..34d9d9f
--- /dev/null
+++ b/operator/src/providers/rustfs.rs
@@ -0,0 +1,29 @@
+use super::ProviderAPI;
+
+pub(crate) struct RustFS {
+    username: String,
+    password: String,
+    endpoint: String,
+}
+
+impl RustFS {
+    pub(crate) fn new(username: String, password: String, endpoint: String) -> Self {
+        Self { username, password, endpoint }
+    }
+}
+
+
+impl ProviderAPI for RustFS {
+
+    async fn update_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn delete_user() -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
+        todo!()
+    }
+}
diff --git a/operator/src/s3/mod.rs b/operator/src/s3/mod.rs
index d9aa4ba..77ebfc1 100644
--- a/operator/src/s3/mod.rs
+++ b/operator/src/s3/mod.rs
@@ -1,9 +1,12 @@
 use anyhow::Error;
 
 pub(crate) mod dummy;
-pub(crate) mod s3;
+pub(crate) mod s3api;
 
 pub(crate) trait S3Client {
     async fn list_buckets(self) -> Result<Vec<String>, Error>;
-    async fn create_buckets(self, bucket_name: String ) -> Result<(), Error>;
+    async fn create_bucket(self, bucket_name: String ) -> Result<(), Error>;
+    async fn delete_bucket(self, bucket_name: String ) -> Result<(), Error>;
+    async fn count_objects(self, bucket_name: String) -> Result<u64, Error>;
+    async fn count_size(self, bucket_name: String) -> Result<u64, Error>;
 }
diff --git a/operator/src/s3/s3.rs b/operator/src/s3/s3.rs
deleted file mode 100644
index 31e2be5..0000000
--- a/operator/src/s3/s3.rs
+++ /dev/null
@@ -1,69 +0,0 @@
-use aws_config::{BehaviorVersion, Region};
-use aws_credential_types::Credentials;
-use aws_sdk_s3::config::Builder;
-use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
-
-use crate::s3::S3Client;
-
-#[derive(Clone)]
-pub(crate) struct S3Api {
-    client: aws_sdk_s3::Client,
-}
-
-impl S3Api {
-    pub(crate) async fn new(
-        access_key: String,
-        secret_key: String,
-        endpoint: String,
-        region: String,
-        force_path_style: bool,
-    ) -> Self {
-        let creds = Credentials::new(access_key, secret_key, None, None, "static");
-        let config = aws_config::defaults(BehaviorVersion::latest())
-            .credentials_provider(SharedCredentialsProvider::new(creds))
-            .region(Region::new(region))
-            .endpoint_url(endpoint)
-            .load()
-            .await;
-        let conf = Builder::from(&config)
-            .force_path_style(force_path_style)
-            .build();
-        let client = Client::from_conf(conf);
-        Self { client }
-    }
-}
-
-impl S3Client for S3Api {
-    async fn list_buckets(self) -> Result<Vec<String>, anyhow::Error> {
-        let mut buckets = self.client.list_buckets().into_paginator().send();
-        let mut result: Vec<String> = vec![];
-    
-        match buckets.next().await {
-            Some(output) => {
-                match output {
-                    Ok(buckets_res) => {
-                        buckets_res.buckets().iter().for_each(|bucket|  {
-                           if let Some(name) = bucket.name() {
-                               result.push(name.to_string());
-                           } 
-                        })
-                    },
-                    Err(err) => {
-                        return Err(err.into());
-                    },
-                };
-            },
-            None => {
-                return Ok(result);
-            },
-        };
-        Ok(result)
-    }
-
-    async fn create_buckets(self, bucket_name: String) -> Result<(), anyhow::Error> {
-        match self.client.create_bucket().bucket(bucket_name).send().await {
-            Ok(_) => Ok(()),
-            Err(err) => Err(err.into()),
-        }
-    }
-}
diff --git a/operator/src/s3/s3api.rs b/operator/src/s3/s3api.rs
new file mode 100644
index 0000000..db40276
--- /dev/null
+++ b/operator/src/s3/s3api.rs
@@ -0,0 +1,160 @@
+use aws_config::{BehaviorVersion, Region};
+use aws_credential_types::Credentials;
+use aws_sdk_s3::config::Builder;
+use aws_sdk_s3::types::{Delete, ObjectIdentifier};
+use aws_sdk_s3::{Client, config::SharedCredentialsProvider};
+
+use crate::s3::S3Client;
+
+#[derive(Clone)]
+pub(crate) struct S3Api {
+    client: aws_sdk_s3::Client,
+}
+
+impl S3Api {
+    pub(crate) async fn new(
+        access_key: String,
+        secret_key: String,
+        endpoint: String,
+        region: String,
+        force_path_style: bool,
+    ) -> Self {
+        let creds = Credentials::new(access_key, secret_key, None, None, "static");
+        let config = aws_config::defaults(BehaviorVersion::latest())
+            .credentials_provider(SharedCredentialsProvider::new(creds))
+            .region(Region::new(region))
+            .endpoint_url(endpoint)
+            .load()
+            .await;
+        let conf = Builder::from(&config)
+            .force_path_style(force_path_style)
+            .build();
+        let client = Client::from_conf(conf);
+        Self { client }
+    }
+}
+
+impl S3Client for S3Api {
+    async fn list_buckets(self) -> Result<Vec<String>, anyhow::Error> {
+        let mut buckets = self.client.list_buckets().into_paginator().send();
+        let mut result: Vec<String> = vec![];
+    
+        match buckets.next().await {
+            Some(output) => {
+                match output {
+                    Ok(buckets_res) => {
+                        buckets_res.buckets().iter().for_each(|bucket|  {
+                           if let Some(name) = bucket.name() {
+                               result.push(name.to_string());
+                           } 
+                        })
+                    },
+                    Err(err) => {
+                        return Err(err.into());
+                    },
+                };
+            },
+            None => {
+                return Ok(result);
+            },
+        };
+        Ok(result)
+    }
+
+    async fn create_bucket(self, bucket_name: String) -> Result<(), anyhow::Error> {
+        match self.client.create_bucket().bucket(bucket_name).send().await {
+            Ok(_) => Ok(()),
+            Err(err) => Err(err.into()),
+        }
+    }
+
+    async fn count_objects(self, bucket_name: String) -> Result<u64, anyhow::Error> {
+        let mut total_count = 0u64;
+        let mut continuation_token = None;
+        loop {
+            let resp = self.client
+                .list_objects_v2()
+                .bucket(bucket_name.clone())
+                .set_continuation_token(continuation_token.clone())
+                .send()
+                .await?;
+
+            if let Some(contents) = resp.contents {
+                for _ in contents {
+                    total_count += 1;
+                }
+            }
+
+            if resp.is_truncated.unwrap() {
+                continuation_token = resp.next_continuation_token;
+            } else {
+                break;
+            }
+        };
+        Ok(total_count)
+    }
+
+    async fn count_size(self, bucket_name: String) -> Result<u64, anyhow::Error> {
+        let mut total_size = 0u64;
+        let mut continuation_token = None;
+        loop {
+            let resp = self.client
+                .list_objects_v2()
+                .bucket(bucket_name.clone())
+                .set_continuation_token(continuation_token.clone())
+                .send()
+                .await?;
+
+            if let Some(contents) = resp.contents {
+                for obj in contents {
+                    total_size += obj.size.unwrap() as u64;
+                }
+            }
+
+            if resp.is_truncated.unwrap() {
+                continuation_token = resp.next_continuation_token;
+            } else {
+                break;
+            }
+        };
+        Ok(total_size)
+    }
+
+    async fn delete_bucket(self, bucket_name: String ) -> Result<(), anyhow::Error> {
+        let mut continuation_token = None;
+        loop {
+            // List objects in the bucket
+            let resp = self.client.clone()
+                .list_objects_v2()
+                .bucket(bucket_name.clone())
+                .set_continuation_token(continuation_token.clone())
+                .send()
+                .await?;
+
+            let objects: Vec<ObjectIdentifier> = resp
+                .contents
+                .unwrap_or_default()
+                .into_iter()
+                .map(|obj| ObjectIdentifier::builder().key(obj.key.unwrap()).build())
+                .collect::<Result<Vec<ObjectIdentifier>, _>>()?;
+
+            if !objects.is_empty() {
+                // Delete objects in batch
+                self.client.clone()
+                    .delete_objects()
+                    .bucket(bucket_name.clone())
+                    .delete(Delete::builder().set_objects(Some(objects)).build()?)
+                    .send()
+                    .await?;
+            }
+
+            if resp.is_truncated.unwrap() {
+                continuation_token = resp.next_continuation_token;
+            } else {
+                break;
+            }
+        };
+        self.client.clone().delete_bucket().bucket(bucket_name.clone()).send().await?;
+        Ok(())
+    }
+}
-- 
2.49.1


From c4216a205f52b157f3ea4ccfffac1b8292939496 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Wed, 11 Mar 2026 17:35:34 +0100
Subject: [PATCH 07/10] WIP: Trying to create users

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                        |  43 ++-
 operator/Cargo.toml                        |   1 +
 operator/manifests/s3_bucket_user.yaml     |   6 +
 operator/manifests/s3_instance.yaml        |   1 +
 operator/src/api/v1beta1/s3_instance.rs    |   9 +-
 operator/src/controller.rs                 |   5 +-
 operator/src/controllers/mod.rs            |   2 +-
 operator/src/controllers/s3_bucket_user.rs | 329 ++++++++++-----------
 operator/src/providers/minio.rs            |  21 +-
 operator/src/providers/mod.rs              |   5 +
 10 files changed, 244 insertions(+), 178 deletions(-)

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index 8aeb8d6..2aca6ea 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -1008,6 +1008,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
+[[package]]
+name = "chacha20"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "rand_core 0.10.0",
+]
+
 [[package]]
 name = "chrono"
 version = "0.4.44"
@@ -1167,6 +1178,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "crc"
 version = "3.3.0"
@@ -1754,6 +1774,7 @@ dependencies = [
  "cfg-if",
  "libc",
  "r-efi 6.0.0",
+ "rand_core 0.10.0",
  "wasip2",
  "wasip3",
 ]
@@ -3161,6 +3182,17 @@ dependencies = [
  "rand_core 0.9.5",
 ]
 
+[[package]]
+name = "rand"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+dependencies = [
+ "chacha20",
+ "getrandom 0.4.2",
+ "rand_core 0.10.0",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -3199,6 +3231,12 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
+[[package]]
+name = "rand_core"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -3582,6 +3620,7 @@ dependencies = [
  "k8s-openapi",
  "kube",
  "minio",
+ "rand 0.10.0",
  "reqwest 0.13.2",
  "schemars",
  "serde",
@@ -3810,7 +3849,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest",
 ]
 
@@ -3821,7 +3860,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
  "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
  "digest",
 ]
 
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index 238d4bb..3acf246 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -43,6 +43,7 @@ aws-credential-types = "1.2.14"
 minio = "0.3.0"
 reqwest = { version = "0.13.2", features = ["json"] }
 base64 = "0.22.1"
+rand = "0.10.0"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/manifests/s3_bucket_user.yaml b/operator/manifests/s3_bucket_user.yaml
index e93ec75..9b7633b 100644
--- a/operator/manifests/s3_bucket_user.yaml
+++ b/operator/manifests/s3_bucket_user.yaml
@@ -1,3 +1,9 @@
+---
+apiVersion: s3.badhouseplants.net/v1beta1
+kind: S3BucketUser
+metadata:
+  name: test
+  namespace: default
 spec:
   bucket: test
   policy: readWrite
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
index eaae104..b8416b7 100644
--- a/operator/manifests/s3_instance.yaml
+++ b/operator/manifests/s3_instance.yaml
@@ -16,6 +16,7 @@ spec:
   endpoint: https://rustfs.badhouseplants.net
   forcePathStyle: true
   region: us-east-1
+  provider: rustfs
   credentialsSecret:
     namespace: default
     name: test
diff --git a/operator/src/api/v1beta1/s3_instance.rs b/operator/src/api/v1beta1/s3_instance.rs
index 34b83d2..a5bcf32 100644
--- a/operator/src/api/v1beta1/s3_instance.rs
+++ b/operator/src/api/v1beta1/s3_instance.rs
@@ -4,6 +4,13 @@ use kube::CustomResource;
 use kube::{self};
 use schemars::JsonSchema;
 
+#[derive(Serialize, Deserialize, JsonSchema, Clone, Debug)]
+pub enum Provider {
+    #[serde(rename = "minio")]
+    Minio,
+    #[serde(rename = "rustfs")]
+    Rustfs,
+}
 #[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
 #[kube(
     kind = "S3Instance",
@@ -25,7 +32,7 @@ pub struct S3InstanceSpec {
     pub credentials_secret: NamespacedName,
     #[serde(default)]
     pub force_path_style: bool,
-    pub provider: String,
+    pub provider: Provider,
 }
 
 /// The status object of `DbInstance`
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
index 6886f99..6d3b186 100644
--- a/operator/src/controller.rs
+++ b/operator/src/controller.rs
@@ -2,7 +2,7 @@ mod conditions;
 mod controllers;
 mod s3;
 mod providers;
-use crate::controllers::{s3_bucket, s3_instance};
+use crate::controllers::{s3_bucket, s3_instance, s3_bucket_user};
 
 use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
 use clap::Parser;
@@ -44,6 +44,7 @@ async fn main() -> anyhow::Result<()> {
         .expect("failed to create kube Client");
     let s3in_controller = s3_instance::run(client.clone());
     let s3bucket_controller = s3_bucket::run(client.clone());
+    let s3bucketuser_controller = s3_bucket_user::run(client.clone());
     // Start web server
     let server = HttpServer::new(move || {
         App::new()
@@ -54,6 +55,6 @@ async fn main() -> anyhow::Result<()> {
     .shutdown_timeout(5);
 
     // Both runtimes implements graceful shutdown, so poll until both are done
-    tokio::join!(s3in_controller, s3bucket_controller, server.run()).2?;
+    tokio::join!(s3in_controller, s3bucket_controller, s3bucketuser_controller, server.run()).3?;
     Ok(())
 }
diff --git a/operator/src/controllers/mod.rs b/operator/src/controllers/mod.rs
index 615aa45..bfc890e 100644
--- a/operator/src/controllers/mod.rs
+++ b/operator/src/controllers/mod.rs
@@ -1,3 +1,3 @@
 pub(crate) mod s3_bucket;
-//pub(crate) mod s3_bucket_user;
+pub(crate) mod s3_bucket_user;
 pub(crate) mod s3_instance;
diff --git a/operator/src/controllers/s3_bucket_user.rs b/operator/src/controllers/s3_bucket_user.rs
index 01d7ee1..2a876b9 100644
--- a/operator/src/controllers/s3_bucket_user.rs
+++ b/operator/src/controllers/s3_bucket_user.rs
@@ -1,11 +1,14 @@
 use crate::conditions::{is_condition_true, set_condition};
 use crate::controllers::s3_instance;
-use crate::s3::S3Client;
+use crate::providers::ProviderAPI;
+use crate::providers::minio::MinIO;
 use crate::s3::s3api::S3Api;
-use api::api::v1beta1::s3_bucket::{S3Bucket, S3BucketStatus};
-use api::api::v1beta1::s3_instance::S3Instance;
+use api::api::v1beta1::s3_bucket::S3Bucket;
+use api::api::v1beta1::s3_bucket_user::{S3BucketUser, S3BucketUserStatus};
+use api::api::v1beta1::s3_instance::{Provider, S3Instance};
 use futures::StreamExt;
-use k8s_openapi::api::core::v1::{ConfigMap, Secret};
+use k8s_openapi::ByteString;
+use k8s_openapi::api::core::v1::Secret;
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference;
 use kube::api::{ListParams, ObjectMeta, PostParams};
 use kube::runtime::Controller;
@@ -13,6 +16,7 @@ use kube::runtime::controller::Action;
 use kube::runtime::events::Recorder;
 use kube::runtime::watcher::Config;
 use kube::{Api, Client, Error, Resource, ResourceExt};
+use rand::RngExt;
 use std::collections::BTreeMap;
 use std::sync::Arc;
 use std::time::Duration;
@@ -26,93 +30,98 @@ const SECRET_LABEL: &str = "s3.badhouseplants.net/s3-bucket";
 const AWS_ACCESS_KEY_ID: &str = "AWS_ACCESS_KEY_ID";
 const AWS_SECCRET_ACCESS_KEY: &str = "AWS_SECRET_ACCESS_KEY";
 
+const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\
+                        abcdefghijklmnopqrstuvwxyz\
+                        0123456789)(*&^%$#@!~";
+const PASSWORD_LEN: usize = 40;
+
 #[instrument(skip(ctx, obj), fields(trace_id))]
-pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3BucketResult<Action> {
+pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3BucketUserResult<Action> {
     info!("Staring reconciling");
+    let s3bucketuser_api: Api<S3BucketUser> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let s3bucket_api: Api<S3Bucket> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
-    let cm_api: Api<ConfigMap> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
 
-    info!("Getting the S3Bucket resource");
-    let mut s3bucket = match s3bucket_api.get(&obj.name_any()).await {
-        Ok(s3bucket) => s3bucket,
+    info!("Getting the S3BucketUser resource");
+    let mut s3bucketuser = match s3bucketuser_api.get(&obj.name_any()).await {
+        Ok(s3bucketuser) => s3bucketuser,
         Err(Error::Api(ae)) if ae.code == 404 => {
             info!("Object is not found, probably removed");
             return Ok(Action::await_change());
         }
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         }
     };
 
     // On the first reconciliation status is None
     // it needs to be initialized
-    let mut status = match s3bucket.clone().status {
+    let mut status = match s3bucketuser.clone().status {
         None => {
             info!("Status is not yet set, initializing the object");
-            return init_object(s3bucket, s3bucket_api).await;
+            return init_object(s3bucketuser, s3bucketuser_api).await;
         }
         Some(status) => status,
     };
 
-    let configmap_name = format!("{}-bucket-info", s3bucket.name_any());
+    let secret_name = format!("{}-bucket-creds", s3bucketuser.name_any());
     
-    info!("Getting the configmap");
-    // Get the cm, if it's already there, we need to validate, or create an empty one
-    let mut configmap = match get_configmap(cm_api.clone(), &configmap_name).await {
-        Ok(configmap) => configmap,
+    info!("Getting the secret");
+    // Get the secret, if it's already there, we need to validate, or create an empty one
+    let mut secret = match get_secret(secret_api.clone(), &secret_name).await {
+        Ok(secret) => secret,
         Err(Error::Api(ae)) if ae.code == 404 => {
-            info!("ConfigMap is not found, creating a new one");
-            let cm = ConfigMap{ 
+            info!("Secret is not found, creating a new one");
+            let secret = Secret{ 
                metadata: ObjectMeta { 
-                   name: Some(configmap_name), 
-                   namespace: Some(s3bucket.clone().namespace().unwrap()),
+                   name: Some(secret_name), 
+                   namespace: Some(s3bucketuser.clone().namespace().unwrap()),
                    ..Default::default()
                },
                ..Default::default()
             };
-            match create_configmap(cm_api.clone(), cm).await {
+            match create_secret(secret_api.clone(), secret).await {
                 Ok(cm) => cm,
                 Err(err) => {
                     error!("{}", err);
-                    return Err(S3BucketError::KubeError(err));
+                    return Err(S3BucketUserError::KubeError(err));
                 },
             }
         }
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         },
     };
 
-    info!("Labeling the configmap");
-    configmap = match label_configmap(cm_api.clone(), &s3bucket.name_any(), configmap).await {
+    info!("Labeling the secret");
+    secret = match label_secret(secret_api.clone(), &s3bucketuser.name_any(), secret).await {
         Ok(configmap) => configmap,
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         },
     };
 
-    info!("Setting owner references to the configmap");
-    if s3bucket.spec.own_configmap {
-        configmap = match own_configmap(cm_api.clone(), s3bucket.clone(), configmap).await {
-            Ok(configmap) => configmap,
+    info!("Setting owner references to the secret");
+    if s3bucketuser.spec.own_secret {
+        secret = match own_secret(secret_api.clone(), s3bucketuser.clone(), secret).await {
+            Ok(secret) => secret,
             Err(err) => {
                 error!("{}", err);
-                return Err(S3BucketError::KubeError(err));
+                return Err(S3BucketUserError::KubeError(err));
             },
         };
     };
 
     if is_condition_true(status.clone().conditions, TYPE_USER_READY) {
-        let mut current_finalizers = match s3bucket.clone().metadata.finalizers {
+        let mut current_finalizers = match s3bucketuser.clone().metadata.finalizers {
             Some(finalizers) => finalizers,
             None => vec![],
         };
-        if s3bucket.spec.cleanup {
-
+        if s3bucketuser.spec.cleanup {
            if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
                info!("Adding a finalizer");
                    current_finalizers.push(FIN_CLEANUP.to_string());
@@ -125,53 +134,56 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
                 };
             }
         };
-        s3bucket.metadata.finalizers = Some(current_finalizers);
-        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+        s3bucketuser.metadata.finalizers = Some(current_finalizers);
+        match s3bucketuser_api.replace(&s3bucketuser.name_any(), &PostParams::default(), &s3bucketuser).await {
             Ok(_) => {
                 return Ok(Action::await_change());
             },
             Err(err) => {
                 error!("{}", err);
-                return Err(S3BucketError::KubeError(err))
+                return Err(S3BucketUserError::KubeError(err))
             },
         }
     }; 
 
+    info!("Getting the S3Bucket");
+    let s3bucket = match s3bucket_api.get(&s3bucketuser.spec.bucket).await {
+        Ok(s3bucket) => s3bucket,
+        Err(err) => {
+            error!("{}", err);
+            return Err(S3BucketUserError::KubeError(err));
+        }
+    };
+
     info!("Getting the S3Intsance");
     let s3in = match s3in_api.get(&s3bucket.spec.instance).await {
         Ok(s3in) => s3in,
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         }
     };
 
-    info!("Updating the ConfigMap");
-    if let Err(err) = ensure_data_configmap(cm_api.clone(), s3in.clone(), configmap.clone()).await {
-        error!("{}", err);
-        return Err(S3BucketError::KubeError(err));
-    };
-
     info!("Getting the s3instance secret");
     let secret_ns = s3in.clone().spec.credentials_secret.namespace;
-    let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+    let s3in_secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
 
-    let secret = match s3_instance::get_secret(secret_api.clone(), s3in.clone()).await {
+    let s3in_secret = match s3_instance::get_secret(s3in_secret_api.clone(), s3in.clone()).await {
         Ok(secret) => secret,
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         }
     };
 
     info!("Getting data from the secret");
     // Getting data from the secret to initialize the clinet
-    let data = match secret.data {
+    let data = match s3in_secret.data {
         Some(data) => data,
         None => {
             let err = anyhow::Error::msg("empty data");
             error!("{}", err);
-            return Err(S3BucketError::InvalidSecret(err));
+            return Err(S3BucketUserError::InvalidSecret(err));
         }
     };
 
@@ -180,7 +192,7 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         None => {
             let err = anyhow::Error::msg("empty access key");
             error!("{}", err);
-            return Err(S3BucketError::InvalidSecret(err));
+            return Err(S3BucketUserError::InvalidSecret(err));
         }
     };
     let secret_key = match data.get(s3_instance::SECRET_KEY) {
@@ -188,10 +200,23 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         None => {
             let err = anyhow::Error::msg("empty secret key");
             error!("{}", err);
-            return Err(S3BucketError::InvalidSecret(err));
+            return Err(S3BucketUserError::InvalidSecret(err));
         }
     };
 
+    let provider = match s3in.spec.provider {
+        Provider::Minio => MinIO::new(access_key.clone(), secret_key.clone(), s3in.clone().spec.endpoint),
+        Provider::Rustfs => MinIO::new(access_key.clone(), secret_key.clone(), s3in.clone().spec.endpoint),
+    };
+
+    let username = format!("{}-{}", s3bucketuser.namespace().unwrap(), s3bucketuser.name_any());
+    let password = generate_password(); 
+
+    if let Err(err) = provider.create_user(password.clone(), username.to_string()).await {
+        error!("{}", err);
+        return Err(S3BucketUserError::IllegalS3BucketUser);
+    };
+
     info!("Creating an s3 client");
     let s3_client = S3Api::new(
         access_key,
@@ -201,53 +226,16 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         s3in.clone().spec.force_path_style,
     )
     .await;
-    
-    let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
-
-    if s3bucket.metadata.deletion_timestamp.is_some() {
-        info!("Object is marked for deletion");
-        if let Some(mut finalizers) = s3bucket.clone().metadata.finalizers {
-            if finalizers.contains(&FIN_CLEANUP.to_string()) {
-                match s3_client.clone().delete_bucket(bucket_name.clone()).await {
-                    Ok(_) => {
-                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
-                            finalizers.remove(index);
-                        };
-                    },
-                    Err(err) => {
-                        error!("{}", err);
-                        return Err(S3BucketError::IllegalS3Bucket);
-                    },
-                }
-            }
-            s3bucket.metadata.finalizers = Some(finalizers);
-        };
-        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
-            Ok(_) => {
-                return Ok(Action::await_change());
-            },
-            Err(err) => {
-                error!("{}", err);
-                return Err(S3BucketError::KubeError(err))
-            },
-        }
-    }
-
-    info!("Getting buckets");
-    let buckets = match s3_client.clone().list_buckets().await {
-        Ok(buckets) => buckets,
+    secret = match ensure_data_secret(secret_api, secret, username.clone(), password.clone()).await {
+        Ok(secret) => secret,
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::IllegalS3Bucket);
-        }
-    };
-    if buckets.contains(&bucket_name) {
-        info!("Bucket already exists");
-    } else {
-        if let Err(err) = s3_client.clone().create_bucket(bucket_name.clone()).await {
-            error!("{}", err);
-            return Err(S3BucketError::IllegalS3Bucket);
-        }
+            return Err(S3BucketUserError::KubeError(err))
+        },
+    }; 
+
+    if s3bucketuser.metadata.deletion_timestamp.is_some() {
+        todo!();
     }
 
     status.ready = true;
@@ -257,18 +245,14 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         TYPE_USER_READY,
         "True".to_string(),
         "Reconciled".to_string(),
-        "Bucket is ready".to_string(),
+        "User is ready".to_string(),
     );
-    status.endpoint = Some(s3in.clone().spec.endpoint);
-    status.size = s3_client.clone().count_size(bucket_name.clone()).await.ok();
-    status.total_objects = s3_client.clone().count_objects(bucket_name.clone()).await.ok();
-    status.region = Some(s3in.spec.region);
-    status.bucket_name = Some(bucket_name.clone()); 
-    s3bucket.status = Some(status);
+    status.access_key = Some(username.clone());
+    s3bucketuser.status = Some(status);
    
-    info!("Updating status of the s3bucket resource");
-    match s3bucket_api
-        .replace_status(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
+    info!("Updating status of the s3bucket user resource");
+    match s3bucketuser_api
+        .replace_status(&s3bucketuser.name_any(), &PostParams::default(), &s3bucketuser)
         .await
     {
         Ok(_) => {
@@ -276,13 +260,13 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         }
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketError::KubeError(err));
+            return Err(S3BucketUserError::KubeError(err));
         }
     };
 }
 
 // Bootstrap the object by adding a default status to it
-async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3BucketError> {
+async fn init_object(mut obj: S3BucketUser, api: Api<S3BucketUser>) -> Result<Action, S3BucketUserError> {
     let conditions = set_condition(
         vec![],
         obj.metadata.clone(),
@@ -291,9 +275,9 @@ async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3
         "Reconciling".to_string(),
         "Reconciliation started".to_string(),
     );
-    obj.status = Some(S3BucketStatus {
+    obj.status = Some(S3BucketUserStatus {
         conditions,
-        ..S3BucketStatus::default()
+        ..S3BucketUserStatus::default()
     });
     match api
         .replace_status(obj.clone().name_any().as_str(), &Default::default(), &obj)
@@ -302,14 +286,14 @@ async fn init_object(mut obj: S3Bucket, api: Api<S3Bucket>) -> Result<Action, S3
         Ok(_) => Ok(Action::await_change()),
         Err(err) => {
             error!("{}", err);
-            Err(S3BucketError::KubeError(err))
+            Err(S3BucketUserError::KubeError(err))
         }
     }
 }
 
 // Get the configmap with the bucket data
-async fn get_configmap(api: Api<ConfigMap>, name: &str) -> Result<ConfigMap, kube::Error> {
-    info!("Getting a configmap: {}", name);
+async fn get_secret(api: Api<Secret>, name: &str) -> Result<Secret, kube::Error> {
+    info!("Getting a secret: {}", name);
     match api.get(name).await {
         Ok(cm) => Ok(cm),
         Err(err) => Err(err),
@@ -317,19 +301,19 @@ async fn get_configmap(api: Api<ConfigMap>, name: &str) -> Result<ConfigMap, kub
 }
 
 // Create ConfigMap
-async fn create_configmap(api: Api<ConfigMap>, cm: ConfigMap) -> Result<ConfigMap, kube::Error> {
-    match api.create(&PostParams::default(), &cm).await {
-        Ok(cm) => get_configmap(api, &cm.name_any()).await,
+async fn create_secret(api: Api<Secret>, secret: Secret) -> Result<Secret, kube::Error> {
+    match api.create(&PostParams::default(), &secret).await {
+        Ok(secret) => get_secret(api, &secret.name_any()).await,
         Err(err) => Err(err),
     }
 }
 
-async fn label_configmap(
-    api: Api<ConfigMap>,
+async fn label_secret(
+    api: Api<Secret>,
     s3bucket_name: &str,
-    mut cm: ConfigMap,
-) -> Result<ConfigMap, kube::Error> {
-    let mut labels = match &cm.clone().metadata.labels {
+    mut secret: Secret,
+) -> Result<Secret, kube::Error> {
+    let mut labels = match &secret.clone().metadata.labels {
         Some(labels) => labels.clone(),
         None => {
             let map: BTreeMap<String, String> = BTreeMap::new();
@@ -337,25 +321,25 @@ async fn label_configmap(
         }
     };
     labels.insert(SECRET_LABEL.to_string(), s3bucket_name.to_string());
-    cm.metadata.labels = Some(labels);
-    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+    secret.metadata.labels = Some(labels);
+    api.replace(&secret.name_any(), &PostParams::default(), &secret)
         .await?;
 
-    let cm = match api.get(&cm.name_any()).await {
-        Ok(cm) => cm,
+    let secret = match api.get(&secret.name_any()).await {
+        Ok(secret) => secret,
         Err(err) => {
             return Err(err);
         }
     };
-    Ok(cm)
+    Ok(secret)
 }
 
-async fn own_configmap(
-    api: Api<ConfigMap>,
-    s3bucket: S3Bucket,
-    mut cm: ConfigMap,
-) -> Result<ConfigMap, kube::Error> {
-    let mut owner_references = match &cm.clone().metadata.owner_references {
+async fn own_secret(
+    api: Api<Secret>,
+    s3bucketuser: S3BucketUser,
+    mut secret: Secret,
+) -> Result<Secret, kube::Error> {
+    let mut owner_references = match &secret.clone().metadata.owner_references {
         Some(owner_references) => owner_references.clone(),
         None => {
             let owner_references: Vec<OwnerReference> = vec![];
@@ -363,79 +347,88 @@ async fn own_configmap(
         }
     };
 
-    if owner_references.iter().find(|or| or.uid == s3bucket.uid().unwrap()).is_some() {
-        return Ok(cm);
+    if owner_references.iter().find(|or| or.uid == s3bucketuser.uid().unwrap()).is_some() {
+        return Ok(secret);
     }
 
     let new_owner_reference = OwnerReference{ 
         api_version: S3Bucket::api_version(&()).into(),
         kind: S3Bucket::kind(&()).into(), 
-        name: s3bucket.name_any(),
-        uid: s3bucket.uid().unwrap(),
+        name: s3bucketuser.name_any(),
+        uid: s3bucketuser.uid().unwrap(),
         ..Default::default()
     };
 
     owner_references.push(new_owner_reference);
-    cm.metadata.owner_references = Some(owner_references);
-    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+    secret.metadata.owner_references = Some(owner_references);
+    api.replace(&secret.name_any(), &PostParams::default(), &secret)
         .await?;
 
-    let cm = match api.get(&cm.name_any()).await {
-        Ok(cm) => cm,
+    let secret = match api.get(&secret.name_any()).await {
+        Ok(secret) => secret,
         Err(err) => {
             return Err(err);
         }
     };
-    Ok(cm)
+    Ok(secret)
 }
 
-async fn ensure_data_configmap(
-    api: Api<ConfigMap>,
-    s3in: S3Instance,
-    mut cm: ConfigMap,
-) -> Result<ConfigMap, kube::Error> {
-    let mut data = match &cm.clone().data {
+async fn ensure_data_secret(
+    api: Api<Secret>,
+    mut secret: Secret,
+    username: String,
+    password: String,
+) -> Result<Secret, kube::Error> {
+    let mut data = match &secret.clone().data {
         Some(data) => data.clone(),
         None => {
-            let map: BTreeMap<String, String> = BTreeMap::new();
+            let map: BTreeMap<String, ByteString> = BTreeMap::new();
             map
         }
     };
 
-    data.insert(AWS_REGION.to_string(), s3in.spec.region);
-    data.insert(AWS_ENDPOINT_URL.to_string(), s3in.spec.endpoint);
+    data.insert(AWS_ACCESS_KEY_ID.to_string(), ByteString(username.as_bytes().to_vec()));
+    data.insert(AWS_SECCRET_ACCESS_KEY.to_string(), ByteString(password.as_bytes().to_vec()));
 
-
-    cm.data = Some(data);
-    api.replace(&cm.name_any(), &PostParams::default(), &cm)
+    secret.data = Some(data);
+    api.replace(&secret.name_any(), &PostParams::default(), &secret)
         .await?;
 
-    match api.get(&cm.name_any()).await {
-        Ok(cm) => Ok(cm),
-        Err(err) => Err(err),
-    }
+    api.get(&secret.name_any()).await
 }
 
-pub(crate) fn error_policy(_: Arc<S3Bucket>, _: &S3BucketError, _: Arc<Context>) -> Action {
+fn generate_password() -> String {
+    let mut rng = rand::rng();
+    let password: String = (0..PASSWORD_LEN)
+        .map(|_| {
+            let idx = rng.random_range(0..CHARSET.len());
+            char::from(CHARSET[idx])
+        })
+        .collect();
+    password
+}
+
+pub(crate) fn error_policy(_: Arc<S3BucketUser>, _: &S3BucketUserError, _: Arc<Context>) -> Action {
     Action::requeue(Duration::from_secs(5 * 60))
 }
 
 #[instrument(skip(client), fields(trace_id))]
 pub async fn run(client: Client) {
-    let s3buckets = Api::<S3Bucket>::all(client.clone());
-    if let Err(err) = s3buckets.list(&ListParams::default().limit(1)).await {
+    let s3bucketusers = Api::<S3BucketUser>::all(client.clone());
+    if let Err(err) = s3bucketusers.list(&ListParams::default().limit(1)).await {
         error!("{}", err);
         std::process::exit(1);
     }
-    let recorder = Recorder::new(client.clone(), "s3bucket-controller".into()); 
+    let recorder = Recorder::new(client.clone(), "s3bucketuser-controller".into()); 
     let context = Context { client, recorder };
-    Controller::new(s3buckets, Config::default().any_semantic())
+    Controller::new(s3bucketusers, Config::default().any_semantic())
         .shutdown_on_signal()
         .run(reconcile, error_policy, Arc::new(context))
         .filter_map(|x| async move { std::result::Result::ok(x) })
         .for_each(|_| futures::future::ready(()))
         .await;
 }
+
 // Context for our reconciler
 #[derive(Clone)]
 pub(crate) struct Context {
@@ -446,7 +439,7 @@ pub(crate) struct Context {
 }
 
 #[derive(Error, Debug)]
-pub enum S3BucketError {
+pub enum S3BucketUserError {
     #[error("SerializationError: {0}")]
     SerializationError(#[source] serde_json::Error),
 
@@ -456,10 +449,10 @@ pub enum S3BucketError {
     #[error("Finalizer Error: {0}")]
     // NB: awkward type because finalizer::Error embeds the reconciler error (which is this)
     // so boxing this error to break cycles
-    FinalizerError(#[source] Box<kube::runtime::finalizer::Error<S3BucketError>>),
+    FinalizerError(#[source] Box<kube::runtime::finalizer::Error<S3BucketUserError>>),
 
-    #[error("IllegalS3Bucket")]
-    IllegalS3Bucket,
+    #[error("IllegalS3BucketUser")]
+    IllegalS3BucketUser,
 
     #[error("SecretIsAlreadyLabeled")]
     SecretIsAlreadyLabeled,
@@ -468,4 +461,4 @@ pub enum S3BucketError {
     InvalidSecret(#[source] anyhow::Error),
 }
 
-pub type S3BucketResult<T, E = S3BucketError> = std::result::Result<T, E>;
+pub type S3BucketUserResult<T, E = S3BucketUserError> = std::result::Result<T, E>;
diff --git a/operator/src/providers/minio.rs b/operator/src/providers/minio.rs
index 61eb179..d9de157 100644
--- a/operator/src/providers/minio.rs
+++ b/operator/src/providers/minio.rs
@@ -2,6 +2,8 @@ use super::ProviderAPI;
 use base64::Engine;
 use reqwest::Client;
 use base64::{Engine as _, engine::general_purpose};
+use serde::Serialize;
+use tracing::info;
 pub(crate) struct MinIO {
     username: String,
     password: String,
@@ -9,9 +11,19 @@ pub(crate) struct MinIO {
     client: Client,
 }
 
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+struct CreateUserMinio {
+    secret_key: String,
+    policy: String,
+    status: String,
+}
+
 impl MinIO {
     pub(crate) fn new(username: String, password: String, endpoint: String) -> Self {
         let client = Client::new();
+        info!(username);
+        info!(password);
         Self { username, password, endpoint, client }
     }
 
@@ -32,12 +44,13 @@ impl ProviderAPI for MinIO {
 
     async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
         let url = format!(
-            "{}/minio/admin/v3/add-user?accessKey={}",
+            "{}/rustfs/admin/v3/add-user?accessKey={}",
             self.endpoint, access_key
         );
-        let payload = general_purpose::STANDARD.encode(secret_key);
-        self.auth(self.client.put(url))
-            .body(payload)
+        let payload = CreateUserMinio{ secret_key, policy: "readWrite".to_string(), status: "enabled".to_string() };
+        self.client.put(url)
+            .json(&payload)
+            .basic_auth(self.username.clone(), Some(self.password.clone()))
             .send()
             .await?
             .error_for_status()?;
diff --git a/operator/src/providers/mod.rs b/operator/src/providers/mod.rs
index c731e28..4d969a6 100644
--- a/operator/src/providers/mod.rs
+++ b/operator/src/providers/mod.rs
@@ -1,3 +1,7 @@
+use api::api::v1beta1::s3_instance::Provider;
+
+use crate::providers::minio::MinIO;
+
 pub(crate) mod dummy;
 pub(crate) mod rustfs;
 pub(crate) mod minio;
@@ -7,3 +11,4 @@ pub(crate) trait ProviderAPI {
     async fn update_user() -> Result<(), anyhow::Error>;
     async fn delete_user() -> Result<(), anyhow::Error>;
 }
+
-- 
2.49.1


From d2861040028fd6c8b14dd05be8d0773c1fb07fe4 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Wed, 11 Mar 2026 21:48:36 +0100
Subject: [PATCH 08/10] WIP: Adding users

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                        |  13 ++
 operator/Cargo.toml                        |   8 ++
 operator/manifests/s3_instance.yaml        |   2 +-
 operator/src/controller.rs                 |  12 +-
 operator/src/controllers/s3_bucket.rs      | 104 +++++++++-------
 operator/src/controllers/s3_bucket_user.rs | 137 ++++++++++++++-------
 operator/src/controllers/s3_instance.rs    |  64 +++++-----
 operator/src/providers/dummy.rs            |   8 +-
 operator/src/providers/minio.rs            |  25 +++-
 operator/src/providers/mod.rs              |   9 +-
 operator/src/providers/rustfs.rs           | 137 ++++++++++++++++++++-
 operator/src/s3/mod.rs                     |   4 +-
 operator/src/s3/s3api.rs                   |  48 +++++---
 13 files changed, 411 insertions(+), 160 deletions(-)

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index 2aca6ea..24e7054 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -577,6 +577,12 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "aws-sig-auth"
+version = "0.60.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c471d4d8afed170d5bb40a2835159314b346f8bd20379a5e821c3dbb22e43b9"
+
 [[package]]
 name = "aws-sigv4"
 version = "1.4.2"
@@ -3610,11 +3616,17 @@ dependencies = [
  "aws-config",
  "aws-credential-types",
  "aws-sdk-s3",
+ "aws-sig-auth",
+ "aws-sigv4",
+ "aws-smithy-http",
+ "aws-types",
  "base64",
  "clap",
  "darling",
  "envtest",
  "futures",
+ "hex",
+ "hmac",
  "http 1.4.0",
  "hyper 1.8.1",
  "k8s-openapi",
@@ -3626,6 +3638,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_yaml",
+ "sha2",
  "thiserror 2.0.18",
  "tokio",
  "tower-test",
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index 3acf246..c07d2ac 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -44,6 +44,14 @@ minio = "0.3.0"
 reqwest = { version = "0.13.2", features = ["json"] }
 base64 = "0.22.1"
 rand = "0.10.0"
+aws-sigv4 = { version = "1.4.2", features = ["sigv4a"] }
+http = "1"
+aws-sig-auth = "0.60.3"
+aws-smithy-http = "0.63.6"
+aws-types = "1.3.14"
+hmac = "0.12.1"
+sha2 = "0.10.9"
+hex = "0.4.3"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/manifests/s3_instance.yaml b/operator/manifests/s3_instance.yaml
index b8416b7..bac822f 100644
--- a/operator/manifests/s3_instance.yaml
+++ b/operator/manifests/s3_instance.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: default
 stringData:
   ACCESS_KEY: overlord
-  SECRET_KEY: 8zTYqC1x^&LQetsQ8GUYix7ypL7Q7v9p
+  SECRET_KEY: 's1cdlej3#^&LQetsQ8GUYix7ypLf#$#$wsdf'
 ---
 apiVersion: s3.badhouseplants.net/v1beta1
 kind: S3Instance
diff --git a/operator/src/controller.rs b/operator/src/controller.rs
index 6d3b186..1b5c561 100644
--- a/operator/src/controller.rs
+++ b/operator/src/controller.rs
@@ -1,8 +1,8 @@
 mod conditions;
 mod controllers;
-mod s3;
 mod providers;
-use crate::controllers::{s3_bucket, s3_instance, s3_bucket_user};
+mod s3;
+use crate::controllers::{s3_bucket, s3_bucket_user, s3_instance};
 
 use actix_web::{App, HttpRequest, HttpResponse, HttpServer, Responder, get, middleware};
 use clap::Parser;
@@ -55,6 +55,12 @@ async fn main() -> anyhow::Result<()> {
     .shutdown_timeout(5);
 
     // Both runtimes implements graceful shutdown, so poll until both are done
-    tokio::join!(s3in_controller, s3bucket_controller, s3bucketuser_controller, server.run()).3?;
+    tokio::join!(
+        s3in_controller,
+        s3bucket_controller,
+        s3bucketuser_controller,
+        server.run()
+    )
+    .3?;
     Ok(())
 }
diff --git a/operator/src/controllers/s3_bucket.rs b/operator/src/controllers/s3_bucket.rs
index 68baf3a..47ac1f2 100644
--- a/operator/src/controllers/s3_bucket.rs
+++ b/operator/src/controllers/s3_bucket.rs
@@ -29,7 +29,8 @@ const AWS_ENDPOINT_URL: &str = "AWS_ENDPOINT_URL";
 #[instrument(skip(ctx, obj), fields(trace_id))]
 pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3BucketResult<Action> {
     info!("Staring reconciling");
-    let s3bucket_api: Api<S3Bucket> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let s3bucket_api: Api<S3Bucket> =
+        Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let cm_api: Api<ConfigMap> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
 
@@ -57,33 +58,33 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
     };
 
     let configmap_name = format!("{}-bucket-info", s3bucket.name_any());
-    
+
     info!("Getting the configmap");
     // Get the cm, if it's already there, we need to validate, or create an empty one
     let mut configmap = match get_configmap(cm_api.clone(), &configmap_name).await {
         Ok(configmap) => configmap,
         Err(Error::Api(ae)) if ae.code == 404 => {
             info!("ConfigMap is not found, creating a new one");
-            let cm = ConfigMap{ 
-               metadata: ObjectMeta { 
-                   name: Some(configmap_name), 
-                   namespace: Some(s3bucket.clone().namespace().unwrap()),
-                   ..Default::default()
-               },
-               ..Default::default()
+            let cm = ConfigMap {
+                metadata: ObjectMeta {
+                    name: Some(configmap_name),
+                    namespace: Some(s3bucket.clone().namespace().unwrap()),
+                    ..Default::default()
+                },
+                ..Default::default()
             };
             match create_configmap(cm_api.clone(), cm).await {
                 Ok(cm) => cm,
                 Err(err) => {
                     error!("{}", err);
                     return Err(S3BucketError::KubeError(err));
-                },
+                }
             }
         }
         Err(err) => {
             error!("{}", err);
             return Err(S3BucketError::KubeError(err));
-        },
+        }
     };
 
     info!("Labeling the configmap");
@@ -92,7 +93,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
         Err(err) => {
             error!("{}", err);
             return Err(S3BucketError::KubeError(err));
-        },
+        }
     };
 
     info!("Setting owner references to the configmap");
@@ -102,7 +103,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
             Err(err) => {
                 error!("{}", err);
                 return Err(S3BucketError::KubeError(err));
-            },
+            }
         };
     };
 
@@ -112,30 +113,34 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
             None => vec![],
         };
         if s3bucket.spec.cleanup {
-
-           if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
-               info!("Adding a finalizer");
-                   current_finalizers.push(FIN_CLEANUP.to_string());
-
-           }
+            if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+                info!("Adding a finalizer");
+                current_finalizers.push(FIN_CLEANUP.to_string());
+            }
         } else {
             if current_finalizers.contains(&FIN_CLEANUP.to_string()) {
-                if let Some(index) = current_finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                if let Some(index) = current_finalizers
+                    .iter()
+                    .position(|x| *x == FIN_CLEANUP.to_string())
+                {
                     current_finalizers.remove(index);
                 };
             }
         };
         s3bucket.metadata.finalizers = Some(current_finalizers);
-        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+        match s3bucket_api
+            .replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
+            .await
+        {
             Ok(_) => {
                 return Ok(Action::await_change());
-            },
+            }
             Err(err) => {
                 error!("{}", err);
-                return Err(S3BucketError::KubeError(err))
-            },
+                return Err(S3BucketError::KubeError(err));
+            }
         }
-    }; 
+    };
 
     info!("Getting the S3Intsance");
     let s3in = match s3in_api.get(&s3bucket.spec.instance).await {
@@ -176,7 +181,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
     };
 
     let access_key = match data.get(s3_instance::ACCESS_KEY) {
-        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty access key");
             error!("{}", err);
@@ -184,7 +189,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
         }
     };
     let secret_key = match data.get(s3_instance::SECRET_KEY) {
-        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty secret key");
             error!("{}", err);
@@ -201,7 +206,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
         s3in.clone().spec.force_path_style,
     )
     .await;
-    
+
     let bucket_name = format!("{}-{}", s3bucket.namespace().unwrap(), s3bucket.name_any());
 
     if s3bucket.metadata.deletion_timestamp.is_some() {
@@ -210,26 +215,32 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
             if finalizers.contains(&FIN_CLEANUP.to_string()) {
                 match s3_client.clone().delete_bucket(bucket_name.clone()).await {
                     Ok(_) => {
-                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                        if let Some(index) = finalizers
+                            .iter()
+                            .position(|x| *x == FIN_CLEANUP.to_string())
+                        {
                             finalizers.remove(index);
                         };
-                    },
+                    }
                     Err(err) => {
                         error!("{}", err);
                         return Err(S3BucketError::IllegalS3Bucket);
-                    },
+                    }
                 }
             }
             s3bucket.metadata.finalizers = Some(finalizers);
         };
-        match s3bucket_api.replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket).await {
+        match s3bucket_api
+            .replace(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
+            .await
+        {
             Ok(_) => {
                 return Ok(Action::await_change());
-            },
+            }
             Err(err) => {
                 error!("{}", err);
-                return Err(S3BucketError::KubeError(err))
-            },
+                return Err(S3BucketError::KubeError(err));
+            }
         }
     }
 
@@ -261,11 +272,15 @@ pub(crate) async fn reconcile(obj: Arc<S3Bucket>, ctx: Arc<Context>) -> S3Bucket
     );
     status.endpoint = Some(s3in.clone().spec.endpoint);
     status.size = s3_client.clone().count_size(bucket_name.clone()).await.ok();
-    status.total_objects = s3_client.clone().count_objects(bucket_name.clone()).await.ok();
+    status.total_objects = s3_client
+        .clone()
+        .count_objects(bucket_name.clone())
+        .await
+        .ok();
     status.region = Some(s3in.spec.region);
-    status.bucket_name = Some(bucket_name.clone()); 
+    status.bucket_name = Some(bucket_name.clone());
     s3bucket.status = Some(status);
-   
+
     info!("Updating status of the s3bucket resource");
     match s3bucket_api
         .replace_status(&s3bucket.name_any(), &PostParams::default(), &s3bucket)
@@ -363,13 +378,17 @@ async fn own_configmap(
         }
     };
 
-    if owner_references.iter().find(|or| or.uid == s3bucket.uid().unwrap()).is_some() {
+    if owner_references
+        .iter()
+        .find(|or| or.uid == s3bucket.uid().unwrap())
+        .is_some()
+    {
         return Ok(cm);
     }
 
-    let new_owner_reference = OwnerReference{ 
+    let new_owner_reference = OwnerReference {
         api_version: S3Bucket::api_version(&()).into(),
-        kind: S3Bucket::kind(&()).into(), 
+        kind: S3Bucket::kind(&()).into(),
         name: s3bucket.name_any(),
         uid: s3bucket.uid().unwrap(),
         ..Default::default()
@@ -405,7 +424,6 @@ async fn ensure_data_configmap(
     data.insert(AWS_REGION.to_string(), s3in.spec.region);
     data.insert(AWS_ENDPOINT_URL.to_string(), s3in.spec.endpoint);
 
-
     cm.data = Some(data);
     api.replace(&cm.name_any(), &PostParams::default(), &cm)
         .await?;
@@ -427,7 +445,7 @@ pub async fn run(client: Client) {
         error!("{}", err);
         std::process::exit(1);
     }
-    let recorder = Recorder::new(client.clone(), "s3bucket-controller".into()); 
+    let recorder = Recorder::new(client.clone(), "s3bucket-controller".into());
     let context = Context { client, recorder };
     Controller::new(s3buckets, Config::default().any_semantic())
         .shutdown_on_signal()
diff --git a/operator/src/controllers/s3_bucket_user.rs b/operator/src/controllers/s3_bucket_user.rs
index 2a876b9..d95e91f 100644
--- a/operator/src/controllers/s3_bucket_user.rs
+++ b/operator/src/controllers/s3_bucket_user.rs
@@ -2,6 +2,7 @@ use crate::conditions::{is_condition_true, set_condition};
 use crate::controllers::s3_instance;
 use crate::providers::ProviderAPI;
 use crate::providers::minio::MinIO;
+use crate::providers::rustfs::RustFS;
 use crate::s3::s3api::S3Api;
 use api::api::v1beta1::s3_bucket::S3Bucket;
 use api::api::v1beta1::s3_bucket_user::{S3BucketUser, S3BucketUserStatus};
@@ -36,10 +37,15 @@ const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\
 const PASSWORD_LEN: usize = 40;
 
 #[instrument(skip(ctx, obj), fields(trace_id))]
-pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3BucketUserResult<Action> {
+pub(crate) async fn reconcile(
+    obj: Arc<S3BucketUser>,
+    ctx: Arc<Context>,
+) -> S3BucketUserResult<Action> {
     info!("Staring reconciling");
-    let s3bucketuser_api: Api<S3BucketUser> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
-    let s3bucket_api: Api<S3Bucket> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let s3bucketuser_api: Api<S3BucketUser> =
+        Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
+    let s3bucket_api: Api<S3Bucket> =
+        Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
 
@@ -67,33 +73,33 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
     };
 
     let secret_name = format!("{}-bucket-creds", s3bucketuser.name_any());
-    
+
     info!("Getting the secret");
     // Get the secret, if it's already there, we need to validate, or create an empty one
     let mut secret = match get_secret(secret_api.clone(), &secret_name).await {
         Ok(secret) => secret,
         Err(Error::Api(ae)) if ae.code == 404 => {
             info!("Secret is not found, creating a new one");
-            let secret = Secret{ 
-               metadata: ObjectMeta { 
-                   name: Some(secret_name), 
-                   namespace: Some(s3bucketuser.clone().namespace().unwrap()),
-                   ..Default::default()
-               },
-               ..Default::default()
+            let secret = Secret {
+                metadata: ObjectMeta {
+                    name: Some(secret_name),
+                    namespace: Some(s3bucketuser.clone().namespace().unwrap()),
+                    ..Default::default()
+                },
+                ..Default::default()
             };
             match create_secret(secret_api.clone(), secret).await {
                 Ok(cm) => cm,
                 Err(err) => {
                     error!("{}", err);
                     return Err(S3BucketUserError::KubeError(err));
-                },
+                }
             }
         }
         Err(err) => {
             error!("{}", err);
             return Err(S3BucketUserError::KubeError(err));
-        },
+        }
     };
 
     info!("Labeling the secret");
@@ -102,7 +108,7 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         Err(err) => {
             error!("{}", err);
             return Err(S3BucketUserError::KubeError(err));
-        },
+        }
     };
 
     info!("Setting owner references to the secret");
@@ -112,7 +118,7 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
             Err(err) => {
                 error!("{}", err);
                 return Err(S3BucketUserError::KubeError(err));
-            },
+            }
         };
     };
 
@@ -122,29 +128,38 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
             None => vec![],
         };
         if s3bucketuser.spec.cleanup {
-           if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
-               info!("Adding a finalizer");
-                   current_finalizers.push(FIN_CLEANUP.to_string());
-
-           }
+            if !current_finalizers.contains(&FIN_CLEANUP.to_string()) {
+                info!("Adding a finalizer");
+                current_finalizers.push(FIN_CLEANUP.to_string());
+            }
         } else {
             if current_finalizers.contains(&FIN_CLEANUP.to_string()) {
-                if let Some(index) = current_finalizers.iter().position(|x| *x == FIN_CLEANUP.to_string()) {
+                if let Some(index) = current_finalizers
+                    .iter()
+                    .position(|x| *x == FIN_CLEANUP.to_string())
+                {
                     current_finalizers.remove(index);
                 };
             }
         };
         s3bucketuser.metadata.finalizers = Some(current_finalizers);
-        match s3bucketuser_api.replace(&s3bucketuser.name_any(), &PostParams::default(), &s3bucketuser).await {
+        match s3bucketuser_api
+            .replace(
+                &s3bucketuser.name_any(),
+                &PostParams::default(),
+                &s3bucketuser,
+            )
+            .await
+        {
             Ok(_) => {
                 return Ok(Action::await_change());
-            },
+            }
             Err(err) => {
                 error!("{}", err);
-                return Err(S3BucketUserError::KubeError(err))
-            },
+                return Err(S3BucketUserError::KubeError(err));
+            }
         }
-    }; 
+    };
 
     info!("Getting the S3Bucket");
     let s3bucket = match s3bucket_api.get(&s3bucketuser.spec.bucket).await {
@@ -188,7 +203,7 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
     };
 
     let access_key = match data.get(s3_instance::ACCESS_KEY) {
-        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty access key");
             error!("{}", err);
@@ -196,7 +211,7 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         }
     };
     let secret_key = match data.get(s3_instance::SECRET_KEY) {
-        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty secret key");
             error!("{}", err);
@@ -205,14 +220,26 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
     };
 
     let provider = match s3in.spec.provider {
-        Provider::Minio => MinIO::new(access_key.clone(), secret_key.clone(), s3in.clone().spec.endpoint),
-        Provider::Rustfs => MinIO::new(access_key.clone(), secret_key.clone(), s3in.clone().spec.endpoint),
+        Provider::Minio => todo!(),
+        Provider::Rustfs => RustFS::new(
+            access_key.clone(),
+            secret_key.clone(),
+            s3in.clone().spec.endpoint,
+            s3in.clone().spec.region,
+        ),
     };
 
-    let username = format!("{}-{}", s3bucketuser.namespace().unwrap(), s3bucketuser.name_any());
-    let password = generate_password(); 
+    let username = format!(
+        "{}-{}",
+        s3bucketuser.namespace().unwrap(),
+        s3bucketuser.name_any()
+    );
+    let password = generate_password();
 
-    if let Err(err) = provider.create_user(password.clone(), username.to_string()).await {
+    if let Err(err) = provider
+        .create_user(password.clone(), username.to_string())
+        .await
+    {
         error!("{}", err);
         return Err(S3BucketUserError::IllegalS3BucketUser);
     };
@@ -226,13 +253,14 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
         s3in.clone().spec.force_path_style,
     )
     .await;
-    secret = match ensure_data_secret(secret_api, secret, username.clone(), password.clone()).await {
+    secret = match ensure_data_secret(secret_api, secret, username.clone(), password.clone()).await
+    {
         Ok(secret) => secret,
         Err(err) => {
             error!("{}", err);
-            return Err(S3BucketUserError::KubeError(err))
-        },
-    }; 
+            return Err(S3BucketUserError::KubeError(err));
+        }
+    };
 
     if s3bucketuser.metadata.deletion_timestamp.is_some() {
         todo!();
@@ -249,10 +277,14 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
     );
     status.access_key = Some(username.clone());
     s3bucketuser.status = Some(status);
-   
+
     info!("Updating status of the s3bucket user resource");
     match s3bucketuser_api
-        .replace_status(&s3bucketuser.name_any(), &PostParams::default(), &s3bucketuser)
+        .replace_status(
+            &s3bucketuser.name_any(),
+            &PostParams::default(),
+            &s3bucketuser,
+        )
         .await
     {
         Ok(_) => {
@@ -266,7 +298,10 @@ pub(crate) async fn reconcile(obj: Arc<S3BucketUser>, ctx: Arc<Context>) -> S3Bu
 }
 
 // Bootstrap the object by adding a default status to it
-async fn init_object(mut obj: S3BucketUser, api: Api<S3BucketUser>) -> Result<Action, S3BucketUserError> {
+async fn init_object(
+    mut obj: S3BucketUser,
+    api: Api<S3BucketUser>,
+) -> Result<Action, S3BucketUserError> {
     let conditions = set_condition(
         vec![],
         obj.metadata.clone(),
@@ -347,13 +382,17 @@ async fn own_secret(
         }
     };
 
-    if owner_references.iter().find(|or| or.uid == s3bucketuser.uid().unwrap()).is_some() {
+    if owner_references
+        .iter()
+        .find(|or| or.uid == s3bucketuser.uid().unwrap())
+        .is_some()
+    {
         return Ok(secret);
     }
 
-    let new_owner_reference = OwnerReference{ 
+    let new_owner_reference = OwnerReference {
         api_version: S3Bucket::api_version(&()).into(),
-        kind: S3Bucket::kind(&()).into(), 
+        kind: S3Bucket::kind(&()).into(),
         name: s3bucketuser.name_any(),
         uid: s3bucketuser.uid().unwrap(),
         ..Default::default()
@@ -387,8 +426,14 @@ async fn ensure_data_secret(
         }
     };
 
-    data.insert(AWS_ACCESS_KEY_ID.to_string(), ByteString(username.as_bytes().to_vec()));
-    data.insert(AWS_SECCRET_ACCESS_KEY.to_string(), ByteString(password.as_bytes().to_vec()));
+    data.insert(
+        AWS_ACCESS_KEY_ID.to_string(),
+        ByteString(username.as_bytes().to_vec()),
+    );
+    data.insert(
+        AWS_SECCRET_ACCESS_KEY.to_string(),
+        ByteString(password.as_bytes().to_vec()),
+    );
 
     secret.data = Some(data);
     api.replace(&secret.name_any(), &PostParams::default(), &secret)
@@ -419,7 +464,7 @@ pub async fn run(client: Client) {
         error!("{}", err);
         std::process::exit(1);
     }
-    let recorder = Recorder::new(client.clone(), "s3bucketuser-controller".into()); 
+    let recorder = Recorder::new(client.clone(), "s3bucketuser-controller".into());
     let context = Context { client, recorder };
     Controller::new(s3bucketusers, Config::default().any_semantic())
         .shutdown_on_signal()
diff --git a/operator/src/controllers/s3_instance.rs b/operator/src/controllers/s3_instance.rs
index b0bffa4..3427dd3 100644
--- a/operator/src/controllers/s3_instance.rs
+++ b/operator/src/controllers/s3_instance.rs
@@ -71,33 +71,39 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
             return Err(S3InstanceError::KubeError(err));
         }
     };
-    
+
     if s3in.metadata.deletion_timestamp.is_some() {
         info!("Object is marked for deletion");
         if let Some(mut finalizers) = s3in.clone().metadata.finalizers {
             if finalizers.contains(&FIN_SECRET_LABEL.to_string()) {
                 match unlabel_secret(ctx.clone(), s3in.clone(), secret).await {
                     Ok(_) => {
-                        if let Some(index) = finalizers.iter().position(|x| *x == FIN_SECRET_LABEL.to_string()) {
+                        if let Some(index) = finalizers
+                            .iter()
+                            .position(|x| *x == FIN_SECRET_LABEL.to_string())
+                        {
                             finalizers.remove(index);
                         };
-                    },
+                    }
                     Err(err) => {
                         error!("{}", err);
                         return Err(S3InstanceError::KubeError(err));
-                    },
+                    }
                 };
             }
             s3in.metadata.finalizers = Some(finalizers);
         };
-        match s3_api.replace(&s3in.name_any(), &PostParams::default(), &s3in).await {
+        match s3_api
+            .replace(&s3in.name_any(), &PostParams::default(), &s3in)
+            .await
+        {
             Ok(_) => {
                 return Ok(Action::await_change());
-            },
+            }
             Err(err) => {
                 error!("{}", err);
-                return Err(S3InstanceError::KubeError(err))
-            },
+                return Err(S3InstanceError::KubeError(err));
+            }
         }
     }
 
@@ -109,17 +115,20 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
 
         if !current_finalizers.contains(&FIN_SECRET_LABEL.to_string()) {
             info!("Adding a finalizer");
-                current_finalizers.push(FIN_SECRET_LABEL.to_string());
+            current_finalizers.push(FIN_SECRET_LABEL.to_string());
 
             s3in.metadata.finalizers = Some(current_finalizers);
-            match s3_api.replace(&s3in.name_any(), &PostParams::default(), &s3in).await {
+            match s3_api
+                .replace(&s3in.name_any(), &PostParams::default(), &s3in)
+                .await
+            {
                 Ok(_) => {
                     return Ok(Action::await_change());
-                },
+                }
                 Err(err) => {
                     error!("{}", err);
-                    return Err(S3InstanceError::KubeError(err))
-                },
+                    return Err(S3InstanceError::KubeError(err));
+                }
             }
         }
     }
@@ -158,15 +167,15 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         s3in.status = Some(status);
         match s3_api
             .replace_status(&s3in.name_any(), &PostParams::default(), &s3in)
-            .await {
-                Ok(_) => {
-                    return Ok(Action::await_change());
-                },
-                Err(err) => {
-                    error!("{}", err);
-                    return Err(S3InstanceError::KubeError(err));
-                }
-
+            .await
+        {
+            Ok(_) => {
+                return Ok(Action::await_change());
+            }
+            Err(err) => {
+                error!("{}", err);
+                return Err(S3InstanceError::KubeError(err));
+            }
         }
     };
     info!("Checking if the secret is labeled by another object");
@@ -206,7 +215,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
     };
 
     let access_key = match data.get(ACCESS_KEY) {
-        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(), 
+        Some(access_key) => String::from_utf8(access_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty access key");
             error!("{}", err);
@@ -214,7 +223,7 @@ pub(crate) async fn reconcile(obj: Arc<S3Instance>, ctx: Arc<Context>) -> S3Inst
         }
     };
     let secret_key = match data.get(SECRET_KEY) {
-        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(), 
+        Some(secret_key) => String::from_utf8(secret_key.0.clone()).unwrap(),
         None => {
             let err = anyhow::Error::msg("empty secret key");
             error!("{}", err);
@@ -302,7 +311,6 @@ async fn init_object(mut obj: S3Instance, api: Api<S3Instance>) -> Result<Action
 
 // Get the secret with credentials
 pub(crate) async fn get_secret(api: Api<Secret>, obj: S3Instance) -> Result<Secret, kube::Error> {
-
     let secret = match api.get(&obj.spec.credentials_secret.name).await {
         Ok(secret) => secret,
         Err(err) => {
@@ -324,7 +332,7 @@ async fn unlabel_secret(
         labels.remove(&SECRET_LABEL.to_string());
         secret.metadata.labels = Some(labels);
         api.replace(&secret.name_any(), &PostParams::default(), &secret)
-        .await?;
+            .await?;
     }
     Ok(())
 }
@@ -403,8 +411,8 @@ pub async fn run(client: Client) {
         error!("{}", err);
         std::process::exit(1);
     }
-    let recorder = Recorder::new(client.clone(), "s3instance-controller".into()); 
-    let context = Context{ client, recorder };
+    let recorder = Recorder::new(client.clone(), "s3instance-controller".into());
+    let context = Context { client, recorder };
     Controller::new(s3instances, Config::default().any_semantic())
         .shutdown_on_signal()
         .run(reconcile, error_policy, Arc::new(context))
diff --git a/operator/src/providers/dummy.rs b/operator/src/providers/dummy.rs
index b0eced6..83acdf7 100644
--- a/operator/src/providers/dummy.rs
+++ b/operator/src/providers/dummy.rs
@@ -2,7 +2,7 @@ use super::ProviderAPI;
 
 pub(crate) struct Dummy {}
 
-impl ProviderAPI for Dummy{
+impl ProviderAPI for Dummy {
     async fn update_user() -> Result<(), anyhow::Error> {
         todo!()
     }
@@ -11,7 +11,11 @@ impl ProviderAPI for Dummy{
         todo!()
     }
 
-    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
+    async fn create_user(
+        &self,
+        secret_key: String,
+        access_key: String,
+    ) -> Result<(), anyhow::Error> {
         todo!()
     }
 }
diff --git a/operator/src/providers/minio.rs b/operator/src/providers/minio.rs
index d9de157..0c7d9dc 100644
--- a/operator/src/providers/minio.rs
+++ b/operator/src/providers/minio.rs
@@ -1,7 +1,7 @@
 use super::ProviderAPI;
 use base64::Engine;
-use reqwest::Client;
 use base64::{Engine as _, engine::general_purpose};
+use reqwest::Client;
 use serde::Serialize;
 use tracing::info;
 pub(crate) struct MinIO {
@@ -24,7 +24,12 @@ impl MinIO {
         let client = Client::new();
         info!(username);
         info!(password);
-        Self { username, password, endpoint, client }
+        Self {
+            username,
+            password,
+            endpoint,
+            client,
+        }
     }
 
     fn auth(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
@@ -32,7 +37,6 @@ impl MinIO {
     }
 }
 
-
 impl ProviderAPI for MinIO {
     async fn update_user() -> Result<(), anyhow::Error> {
         todo!()
@@ -42,13 +46,22 @@ impl ProviderAPI for MinIO {
         todo!()
     }
 
-    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
+    async fn create_user(
+        &self,
+        secret_key: String,
+        access_key: String,
+    ) -> Result<(), anyhow::Error> {
         let url = format!(
             "{}/rustfs/admin/v3/add-user?accessKey={}",
             self.endpoint, access_key
         );
-        let payload = CreateUserMinio{ secret_key, policy: "readWrite".to_string(), status: "enabled".to_string() };
-        self.client.put(url)
+        let payload = CreateUserMinio {
+            secret_key,
+            policy: "readWrite".to_string(),
+            status: "enabled".to_string(),
+        };
+        self.client
+            .put(url)
             .json(&payload)
             .basic_auth(self.username.clone(), Some(self.password.clone()))
             .send()
diff --git a/operator/src/providers/mod.rs b/operator/src/providers/mod.rs
index 4d969a6..7c0f4b9 100644
--- a/operator/src/providers/mod.rs
+++ b/operator/src/providers/mod.rs
@@ -3,12 +3,15 @@ use api::api::v1beta1::s3_instance::Provider;
 use crate::providers::minio::MinIO;
 
 pub(crate) mod dummy;
-pub(crate) mod rustfs;
 pub(crate) mod minio;
+pub(crate) mod rustfs;
 
 pub(crate) trait ProviderAPI {
-    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error>;
+    async fn create_user(
+        &self,
+        secret_key: String,
+        access_key: String,
+    ) -> Result<(), anyhow::Error>;
     async fn update_user() -> Result<(), anyhow::Error>;
     async fn delete_user() -> Result<(), anyhow::Error>;
 }
-
diff --git a/operator/src/providers/rustfs.rs b/operator/src/providers/rustfs.rs
index 34d9d9f..5f81126 100644
--- a/operator/src/providers/rustfs.rs
+++ b/operator/src/providers/rustfs.rs
@@ -1,20 +1,50 @@
+use std::time::SystemTime;
+
 use super::ProviderAPI;
+use aws_credential_types::Credentials;
+use aws_sigv4::http_request::{SignableBody, SignableRequest, SigningSettings, sign};
+use aws_sigv4::sign::{v4, v4a};
+use http::HeaderValue;
+use reqwest::Client;
+use serde::Serialize;
+use sha2::{Digest, Sha256};
+use tracing::info;
 
 pub(crate) struct RustFS {
     username: String,
     password: String,
     endpoint: String,
+    region: String,
+    client: Client,
+}
+
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+struct CreateUserRustfs {
+    secret_key: String,
+    status: String,
 }
 
 impl RustFS {
-    pub(crate) fn new(username: String, password: String, endpoint: String) -> Self {
-        Self { username, password, endpoint }
+    pub(crate) fn new(username: String, password: String, endpoint: String, region: String) -> Self {
+        let client = Client::new();
+        info!(username);
+        info!(password);
+        Self {
+            username,
+            region,
+            password,
+            endpoint,
+            client,
+        }
+    }
+
+    fn auth(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
+        req.basic_auth(&self.username, Some(&self.password))
     }
 }
 
-
 impl ProviderAPI for RustFS {
-
     async fn update_user() -> Result<(), anyhow::Error> {
         todo!()
     }
@@ -23,7 +53,102 @@ impl ProviderAPI for RustFS {
         todo!()
     }
 
-    async fn create_user(&self, secret_key: String, access_key: String) -> Result<(), anyhow::Error> {
-        todo!()
+    async fn create_user(
+        &self,
+        secret_key: String,
+        access_key: String,
+    ) -> Result<(), anyhow::Error> {
+        let s3req = S3Request::new(self.endpoint.clone(), self.region.clone(), self.password.clone(), self.username.clone());
+        let endpoint = format!(
+            "rustfs/admin/v3/add-user?accessKey={}",
+            access_key
+        );
+        info!("{}", endpoint);
+        let req = CreateUserRustfs {
+            secret_key,
+            status: "enabled".to_string(),
+        };
+        let body = serde_json::to_string(&req)?; 
+        info!("{}", body);
+        match s3req.request(endpoint, "PUT".to_string(), body).await {
+            Ok(_) => Ok(()),
+            Err(err) => Err(err),
+        }
     }
 }
+
+struct S3Request {
+    host: String,
+    region: String,
+    secret_key: String,
+    access_key: String,
+}
+
+impl S3Request {
+    fn new(host: String, region: String, secret_key: String, access_key: String) -> Self {
+        Self {
+            host,
+            region,
+            secret_key,
+            access_key,
+        }
+    }
+
+
+    async fn request(&self, endpoint: String, method: String, body: String) -> Result<(), anyhow::Error> {
+        let url = format!("{}/{}", self.host, endpoint);
+        let service = "s3";
+        // Create the HTTP request
+        let mut request = http::Request::builder()
+            .method(method.as_str())
+            .uri(&url)
+            .header("host", &self.host)
+            .body(body.clone())?;
+        let creds = Credentials::new(
+            self.access_key.clone(),
+            self.secret_key.clone(),
+            None,
+            None,
+            service,
+        );
+
+        let identity = creds.into();
+
+        // Set up signing parameters
+        let signing_settings = SigningSettings::default();
+        let signing_params = v4::SigningParams::builder() 
+            .identity(&identity)
+            .name(service)
+            .region(self.region.as_str())
+            .time(SystemTime::now())
+            .settings(signing_settings)
+            .build()?
+            .into();
+
+        let signable_request = SignableRequest::new(
+            request.method().as_str(),
+            request.uri().to_string(),
+            request
+                .headers()
+                .iter()
+                .map(|(k, v)| (k.as_str(), std::str::from_utf8(v.as_bytes()).unwrap())),
+            SignableBody::Bytes(body.as_bytes()),
+        )?;
+
+        let (signing_instructions, _signature) =
+            sign(signable_request, &signing_params)?.into_parts();
+        signing_instructions.apply_to_request_http1x(&mut request);
+
+        let headers = request.headers_mut();
+        info!("{:?}", headers);
+        let signature = headers.get("Signature").unwrap();
+        headers.insert("x-amz-content-sha-256", signature.clone());
+        
+        let reqwest_req: reqwest::Request = request.try_into()?;
+
+        info!("{:?}", reqwest_req.headers());
+        Client::new().execute(reqwest_req).await?;
+        Ok(())
+    }
+}
+
diff --git a/operator/src/s3/mod.rs b/operator/src/s3/mod.rs
index 77ebfc1..db65c54 100644
--- a/operator/src/s3/mod.rs
+++ b/operator/src/s3/mod.rs
@@ -5,8 +5,8 @@ pub(crate) mod s3api;
 
 pub(crate) trait S3Client {
     async fn list_buckets(self) -> Result<Vec<String>, Error>;
-    async fn create_bucket(self, bucket_name: String ) -> Result<(), Error>;
-    async fn delete_bucket(self, bucket_name: String ) -> Result<(), Error>;
+    async fn create_bucket(self, bucket_name: String) -> Result<(), Error>;
+    async fn delete_bucket(self, bucket_name: String) -> Result<(), Error>;
     async fn count_objects(self, bucket_name: String) -> Result<u64, Error>;
     async fn count_size(self, bucket_name: String) -> Result<u64, Error>;
 }
diff --git a/operator/src/s3/s3api.rs b/operator/src/s3/s3api.rs
index db40276..e4de82a 100644
--- a/operator/src/s3/s3api.rs
+++ b/operator/src/s3/s3api.rs
@@ -38,25 +38,23 @@ impl S3Client for S3Api {
     async fn list_buckets(self) -> Result<Vec<String>, anyhow::Error> {
         let mut buckets = self.client.list_buckets().into_paginator().send();
         let mut result: Vec<String> = vec![];
-    
+
         match buckets.next().await {
             Some(output) => {
                 match output {
-                    Ok(buckets_res) => {
-                        buckets_res.buckets().iter().for_each(|bucket|  {
-                           if let Some(name) = bucket.name() {
-                               result.push(name.to_string());
-                           } 
-                        })
-                    },
+                    Ok(buckets_res) => buckets_res.buckets().iter().for_each(|bucket| {
+                        if let Some(name) = bucket.name() {
+                            result.push(name.to_string());
+                        }
+                    }),
                     Err(err) => {
                         return Err(err.into());
-                    },
+                    }
                 };
-            },
+            }
             None => {
                 return Ok(result);
-            },
+            }
         };
         Ok(result)
     }
@@ -72,7 +70,8 @@ impl S3Client for S3Api {
         let mut total_count = 0u64;
         let mut continuation_token = None;
         loop {
-            let resp = self.client
+            let resp = self
+                .client
                 .list_objects_v2()
                 .bucket(bucket_name.clone())
                 .set_continuation_token(continuation_token.clone())
@@ -90,7 +89,7 @@ impl S3Client for S3Api {
             } else {
                 break;
             }
-        };
+        }
         Ok(total_count)
     }
 
@@ -98,7 +97,8 @@ impl S3Client for S3Api {
         let mut total_size = 0u64;
         let mut continuation_token = None;
         loop {
-            let resp = self.client
+            let resp = self
+                .client
                 .list_objects_v2()
                 .bucket(bucket_name.clone())
                 .set_continuation_token(continuation_token.clone())
@@ -116,15 +116,17 @@ impl S3Client for S3Api {
             } else {
                 break;
             }
-        };
+        }
         Ok(total_size)
     }
 
-    async fn delete_bucket(self, bucket_name: String ) -> Result<(), anyhow::Error> {
+    async fn delete_bucket(self, bucket_name: String) -> Result<(), anyhow::Error> {
         let mut continuation_token = None;
         loop {
             // List objects in the bucket
-            let resp = self.client.clone()
+            let resp = self
+                .client
+                .clone()
                 .list_objects_v2()
                 .bucket(bucket_name.clone())
                 .set_continuation_token(continuation_token.clone())
@@ -140,7 +142,8 @@ impl S3Client for S3Api {
 
             if !objects.is_empty() {
                 // Delete objects in batch
-                self.client.clone()
+                self.client
+                    .clone()
                     .delete_objects()
                     .bucket(bucket_name.clone())
                     .delete(Delete::builder().set_objects(Some(objects)).build()?)
@@ -153,8 +156,13 @@ impl S3Client for S3Api {
             } else {
                 break;
             }
-        };
-        self.client.clone().delete_bucket().bucket(bucket_name.clone()).send().await?;
+        }
+        self.client
+            .clone()
+            .delete_bucket()
+            .bucket(bucket_name.clone())
+            .send()
+            .await?;
         Ok(())
     }
 }
-- 
2.49.1


From bccc52ecb833b9df24d8cf6da1ad7ce591e45556 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Thu, 12 Mar 2026 10:39:32 +0100
Subject: [PATCH 09/10] WIP: Trying to create users

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/src/controllers/s3_bucket_user.rs | 30 +++++++---------------
 operator/src/providers/mod.rs              |  2 +-
 operator/src/providers/rustfs.rs           |  2 --
 3 files changed, 10 insertions(+), 24 deletions(-)

diff --git a/operator/src/controllers/s3_bucket_user.rs b/operator/src/controllers/s3_bucket_user.rs
index d95e91f..29d9a59 100644
--- a/operator/src/controllers/s3_bucket_user.rs
+++ b/operator/src/controllers/s3_bucket_user.rs
@@ -1,7 +1,6 @@
 use crate::conditions::{is_condition_true, set_condition};
 use crate::controllers::s3_instance;
 use crate::providers::ProviderAPI;
-use crate::providers::minio::MinIO;
 use crate::providers::rustfs::RustFS;
 use crate::s3::s3api::S3Api;
 use api::api::v1beta1::s3_bucket::S3Bucket;
@@ -9,7 +8,7 @@ use api::api::v1beta1::s3_bucket_user::{S3BucketUser, S3BucketUserStatus};
 use api::api::v1beta1::s3_instance::{Provider, S3Instance};
 use futures::StreamExt;
 use k8s_openapi::ByteString;
-use k8s_openapi::api::core::v1::Secret;
+use k8s_openapi::api::core::v1::{Pod, Secret};
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::OwnerReference;
 use kube::api::{ListParams, ObjectMeta, PostParams};
 use kube::runtime::Controller;
@@ -48,7 +47,6 @@ pub(crate) async fn reconcile(
         Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &obj.namespace().unwrap());
     let s3in_api: Api<S3Instance> = Api::all(ctx.client.clone());
-
     info!("Getting the S3BucketUser resource");
     let mut s3bucketuser = match s3bucketuser_api.get(&obj.name_any()).await {
         Ok(s3bucketuser) => s3bucketuser,
@@ -182,6 +180,7 @@ pub(crate) async fn reconcile(
     info!("Getting the s3instance secret");
     let secret_ns = s3in.clone().spec.credentials_secret.namespace;
     let s3in_secret_api: Api<Secret> = Api::namespaced(ctx.client.clone(), &secret_ns);
+    let pod_api: Api<Pod> = Api::namespaced(ctx.client.clone(), &secret_ns);
 
     let s3in_secret = match s3_instance::get_secret(s3in_secret_api.clone(), s3in.clone()).await {
         Ok(secret) => secret,
@@ -219,30 +218,19 @@ pub(crate) async fn reconcile(
         }
     };
 
-    let provider = match s3in.spec.provider {
-        Provider::Minio => todo!(),
-        Provider::Rustfs => RustFS::new(
-            access_key.clone(),
-            secret_key.clone(),
-            s3in.clone().spec.endpoint,
-            s3in.clone().spec.region,
-        ),
-    };
-
     let username = format!(
         "{}-{}",
         s3bucketuser.namespace().unwrap(),
         s3bucketuser.name_any()
     );
     let password = generate_password();
-
-    if let Err(err) = provider
-        .create_user(password.clone(), username.to_string())
-        .await
-    {
-        error!("{}", err);
-        return Err(S3BucketUserError::IllegalS3BucketUser);
-    };
+    
+    // Create a temporary alias 
+    Command::new("sh")
+        .arg("rc")
+        .arg("aliase")
+        .output()
+        .expect("failed to execute process")
 
     info!("Creating an s3 client");
     let s3_client = S3Api::new(
diff --git a/operator/src/providers/mod.rs b/operator/src/providers/mod.rs
index 7c0f4b9..701b479 100644
--- a/operator/src/providers/mod.rs
+++ b/operator/src/providers/mod.rs
@@ -1,11 +1,11 @@
 use api::api::v1beta1::s3_instance::Provider;
-
 use crate::providers::minio::MinIO;
 
 pub(crate) mod dummy;
 pub(crate) mod minio;
 pub(crate) mod rustfs;
 
+
 pub(crate) trait ProviderAPI {
     async fn create_user(
         &self,
diff --git a/operator/src/providers/rustfs.rs b/operator/src/providers/rustfs.rs
index 5f81126..3d4b4f2 100644
--- a/operator/src/providers/rustfs.rs
+++ b/operator/src/providers/rustfs.rs
@@ -94,7 +94,6 @@ impl S3Request {
         }
     }
 
-
     async fn request(&self, endpoint: String, method: String, body: String) -> Result<(), anyhow::Error> {
         let url = format!("{}/{}", self.host, endpoint);
         let service = "s3";
@@ -113,7 +112,6 @@ impl S3Request {
         );
 
         let identity = creds.into();
-
         // Set up signing parameters
         let signing_settings = SigningSettings::default();
         let signing_params = v4::SigningParams::builder() 
-- 
2.49.1


From 6bd0e280ed13e2c4accad45db0bb97721f88b6af Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov <iam@allanger.xyz>
Date: Thu, 12 Mar 2026 14:16:40 +0100
Subject: [PATCH 10/10] A little bit of updates

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
---
 operator/Cargo.lock                        |   1 +
 operator/Cargo.toml                        |   1 +
 operator/src/controllers/s3_bucket_user.rs |  29 ++--
 operator/src/providers/dummy.rs            |  21 ---
 operator/src/providers/minio.rs            |  73 ---------
 operator/src/providers/mod.rs              |  34 ++--
 operator/src/providers/rustfs.rs           | 173 ++++++---------------
 7 files changed, 86 insertions(+), 246 deletions(-)
 delete mode 100644 operator/src/providers/dummy.rs
 delete mode 100644 operator/src/providers/minio.rs

diff --git a/operator/Cargo.lock b/operator/Cargo.lock
index 24e7054..8c68020 100644
--- a/operator/Cargo.lock
+++ b/operator/Cargo.lock
@@ -3613,6 +3613,7 @@ dependencies = [
  "actix-web",
  "anyhow",
  "assert-json-diff",
+ "async-trait",
  "aws-config",
  "aws-credential-types",
  "aws-sdk-s3",
diff --git a/operator/Cargo.toml b/operator/Cargo.toml
index c07d2ac..24a549a 100644
--- a/operator/Cargo.toml
+++ b/operator/Cargo.toml
@@ -52,6 +52,7 @@ aws-types = "1.3.14"
 hmac = "0.12.1"
 sha2 = "0.10.9"
 hex = "0.4.3"
+async-trait = "0.1.89"
 
 [dev-dependencies]
 assert-json-diff = "2.0.2"
diff --git a/operator/src/controllers/s3_bucket_user.rs b/operator/src/controllers/s3_bucket_user.rs
index 29d9a59..cd0c7a1 100644
--- a/operator/src/controllers/s3_bucket_user.rs
+++ b/operator/src/controllers/s3_bucket_user.rs
@@ -1,11 +1,11 @@
 use crate::conditions::{is_condition_true, set_condition};
 use crate::controllers::s3_instance;
-use crate::providers::ProviderAPI;
+use crate::providers::{ProviderAPI, SupportedProvider};
 use crate::providers::rustfs::RustFS;
 use crate::s3::s3api::S3Api;
 use api::api::v1beta1::s3_bucket::S3Bucket;
 use api::api::v1beta1::s3_bucket_user::{S3BucketUser, S3BucketUserStatus};
-use api::api::v1beta1::s3_instance::{Provider, S3Instance};
+use api::api::v1beta1::s3_instance::S3Instance;
 use futures::StreamExt;
 use k8s_openapi::ByteString;
 use k8s_openapi::api::core::v1::{Pod, Secret};
@@ -141,7 +141,7 @@ pub(crate) async fn reconcile(
             }
         };
         s3bucketuser.metadata.finalizers = Some(current_finalizers);
-        match s3bucketuser_api
+        if let Err(err) = s3bucketuser_api
             .replace(
                 &s3bucketuser.name_any(),
                 &PostParams::default(),
@@ -149,13 +149,8 @@ pub(crate) async fn reconcile(
             )
             .await
         {
-            Ok(_) => {
-                return Ok(Action::await_change());
-            }
-            Err(err) => {
                 error!("{}", err);
                 return Err(S3BucketUserError::KubeError(err));
-            }
         }
     };
 
@@ -224,14 +219,18 @@ pub(crate) async fn reconcile(
         s3bucketuser.name_any()
     );
     let password = generate_password();
-    
-    // Create a temporary alias 
-    Command::new("sh")
-        .arg("rc")
-        .arg("aliase")
-        .output()
-        .expect("failed to execute process")
+   
+    let provider: SupportedProvider = match s3in.clone().spec.provider {
+        api::api::v1beta1::s3_instance::Provider::Minio => todo!(),
+        api::api::v1beta1::s3_instance::Provider::Rustfs => SupportedProvider::RustFS(RustFS::new(access_key.clone(), secret_key.clone(), s3in.spec.endpoint.clone(), s3in.spec.region.clone())),
+    };
 
+    info!("Creating a user");
+    if let Err(err) = provider.create_user(username.clone(), password.clone()) {
+        error!("{}", err);
+        return Err(S3BucketUserError::IllegalS3BucketUser);
+    }
+    
     info!("Creating an s3 client");
     let s3_client = S3Api::new(
         access_key,
diff --git a/operator/src/providers/dummy.rs b/operator/src/providers/dummy.rs
deleted file mode 100644
index 83acdf7..0000000
--- a/operator/src/providers/dummy.rs
+++ /dev/null
@@ -1,21 +0,0 @@
-use super::ProviderAPI;
-
-pub(crate) struct Dummy {}
-
-impl ProviderAPI for Dummy {
-    async fn update_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn delete_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn create_user(
-        &self,
-        secret_key: String,
-        access_key: String,
-    ) -> Result<(), anyhow::Error> {
-        todo!()
-    }
-}
diff --git a/operator/src/providers/minio.rs b/operator/src/providers/minio.rs
deleted file mode 100644
index 0c7d9dc..0000000
--- a/operator/src/providers/minio.rs
+++ /dev/null
@@ -1,73 +0,0 @@
-use super::ProviderAPI;
-use base64::Engine;
-use base64::{Engine as _, engine::general_purpose};
-use reqwest::Client;
-use serde::Serialize;
-use tracing::info;
-pub(crate) struct MinIO {
-    username: String,
-    password: String,
-    endpoint: String,
-    client: Client,
-}
-
-#[derive(Serialize)]
-#[serde(rename_all = "camelCase")]
-struct CreateUserMinio {
-    secret_key: String,
-    policy: String,
-    status: String,
-}
-
-impl MinIO {
-    pub(crate) fn new(username: String, password: String, endpoint: String) -> Self {
-        let client = Client::new();
-        info!(username);
-        info!(password);
-        Self {
-            username,
-            password,
-            endpoint,
-            client,
-        }
-    }
-
-    fn auth(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
-        req.basic_auth(&self.username, Some(&self.password))
-    }
-}
-
-impl ProviderAPI for MinIO {
-    async fn update_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn delete_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn create_user(
-        &self,
-        secret_key: String,
-        access_key: String,
-    ) -> Result<(), anyhow::Error> {
-        let url = format!(
-            "{}/rustfs/admin/v3/add-user?accessKey={}",
-            self.endpoint, access_key
-        );
-        let payload = CreateUserMinio {
-            secret_key,
-            policy: "readWrite".to_string(),
-            status: "enabled".to_string(),
-        };
-        self.client
-            .put(url)
-            .json(&payload)
-            .basic_auth(self.username.clone(), Some(self.password.clone()))
-            .send()
-            .await?
-            .error_for_status()?;
-
-        Ok(())
-    }
-}
diff --git a/operator/src/providers/mod.rs b/operator/src/providers/mod.rs
index 701b479..9ca9ee8 100644
--- a/operator/src/providers/mod.rs
+++ b/operator/src/providers/mod.rs
@@ -1,17 +1,29 @@
-use api::api::v1beta1::s3_instance::Provider;
-use crate::providers::minio::MinIO;
+use async_trait::async_trait;
+
+use crate::providers::rustfs::RustFS;
 
-pub(crate) mod dummy;
-pub(crate) mod minio;
 pub(crate) mod rustfs;
 
+pub(crate) enum SupportedProvider {
+    RustFS(RustFS),
+}
 
 pub(crate) trait ProviderAPI {
-    async fn create_user(
-        &self,
-        secret_key: String,
-        access_key: String,
-    ) -> Result<(), anyhow::Error>;
-    async fn update_user() -> Result<(), anyhow::Error>;
-    async fn delete_user() -> Result<(), anyhow::Error>;
+    fn create_user(&self, access_key: String, secret_key: String) -> Result<(), anyhow::Error>;
+    fn update_user(&self) -> Result<(), anyhow::Error>;
+    fn delete_user(&self) -> Result<(), anyhow::Error>;
+}
+
+impl ProviderAPI for SupportedProvider {
+    fn create_user(&self, access_key: String, secret_key: String) -> Result<(), anyhow::Error> {
+        match self {
+            SupportedProvider::RustFS(rust_fs) => rust_fs.create_user(access_key, secret_key),
+        }
+    }
+    fn update_user(&self) -> Result<(), anyhow::Error> {
+        todo!()
+    }
+    fn delete_user(&self) -> Result<(), anyhow::Error> {
+        todo!()
+    }
 }
diff --git a/operator/src/providers/rustfs.rs b/operator/src/providers/rustfs.rs
index 3d4b4f2..64051c1 100644
--- a/operator/src/providers/rustfs.rs
+++ b/operator/src/providers/rustfs.rs
@@ -1,13 +1,8 @@
-use std::time::SystemTime;
+use std::process::Command;
 
 use super::ProviderAPI;
-use aws_credential_types::Credentials;
-use aws_sigv4::http_request::{SignableBody, SignableRequest, SigningSettings, sign};
-use aws_sigv4::sign::{v4, v4a};
-use http::HeaderValue;
+use async_trait::async_trait;
 use reqwest::Client;
-use serde::Serialize;
-use sha2::{Digest, Sha256};
 use tracing::info;
 
 pub(crate) struct RustFS {
@@ -15,138 +10,64 @@ pub(crate) struct RustFS {
     password: String,
     endpoint: String,
     region: String,
-    client: Client,
-}
-
-#[derive(Serialize)]
-#[serde(rename_all = "camelCase")]
-struct CreateUserRustfs {
-    secret_key: String,
-    status: String,
 }
 
 impl RustFS {
-    pub(crate) fn new(username: String, password: String, endpoint: String, region: String) -> Self {
-        let client = Client::new();
-        info!(username);
-        info!(password);
+    pub(crate) fn new(
+        username: String,
+        password: String,
+        endpoint: String,
+        region: String,
+    ) -> Self {
         Self {
             username,
             region,
             password,
             endpoint,
-            client,
         }
     }
-
-    fn auth(&self, req: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
-        req.basic_auth(&self.username, Some(&self.password))
-    }
 }
 
 impl ProviderAPI for RustFS {
-    async fn update_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn delete_user() -> Result<(), anyhow::Error> {
-        todo!()
-    }
-
-    async fn create_user(
-        &self,
-        secret_key: String,
-        access_key: String,
-    ) -> Result<(), anyhow::Error> {
-        let s3req = S3Request::new(self.endpoint.clone(), self.region.clone(), self.password.clone(), self.username.clone());
-        let endpoint = format!(
-            "rustfs/admin/v3/add-user?accessKey={}",
-            access_key
-        );
-        info!("{}", endpoint);
-        let req = CreateUserRustfs {
-            secret_key,
-            status: "enabled".to_string(),
-        };
-        let body = serde_json::to_string(&req)?; 
-        info!("{}", body);
-        match s3req.request(endpoint, "PUT".to_string(), body).await {
-            Ok(_) => Ok(()),
-            Err(err) => Err(err),
-        }
-    }
-}
-
-struct S3Request {
-    host: String,
-    region: String,
-    secret_key: String,
-    access_key: String,
-}
-
-impl S3Request {
-    fn new(host: String, region: String, secret_key: String, access_key: String) -> Self {
-        Self {
-            host,
-            region,
-            secret_key,
-            access_key,
-        }
-    }
-
-    async fn request(&self, endpoint: String, method: String, body: String) -> Result<(), anyhow::Error> {
-        let url = format!("{}/{}", self.host, endpoint);
-        let service = "s3";
-        // Create the HTTP request
-        let mut request = http::Request::builder()
-            .method(method.as_str())
-            .uri(&url)
-            .header("host", &self.host)
-            .body(body.clone())?;
-        let creds = Credentials::new(
-            self.access_key.clone(),
-            self.secret_key.clone(),
-            None,
-            None,
-            service,
-        );
-
-        let identity = creds.into();
-        // Set up signing parameters
-        let signing_settings = SigningSettings::default();
-        let signing_params = v4::SigningParams::builder() 
-            .identity(&identity)
-            .name(service)
-            .region(self.region.as_str())
-            .time(SystemTime::now())
-            .settings(signing_settings)
-            .build()?
-            .into();
-
-        let signable_request = SignableRequest::new(
-            request.method().as_str(),
-            request.uri().to_string(),
-            request
-                .headers()
-                .iter()
-                .map(|(k, v)| (k.as_str(), std::str::from_utf8(v.as_bytes()).unwrap())),
-            SignableBody::Bytes(body.as_bytes()),
-        )?;
-
-        let (signing_instructions, _signature) =
-            sign(signable_request, &signing_params)?.into_parts();
-        signing_instructions.apply_to_request_http1x(&mut request);
-
-        let headers = request.headers_mut();
-        info!("{:?}", headers);
-        let signature = headers.get("Signature").unwrap();
-        headers.insert("x-amz-content-sha-256", signature.clone());
-        
-        let reqwest_req: reqwest::Request = request.try_into()?;
-
-        info!("{:?}", reqwest_req.headers());
-        Client::new().execute(reqwest_req).await?;
+    fn create_user(&self, access_key: String, secret_key: String) -> Result<(), anyhow::Error> {
+        info!("Preparing an alias");
+        let name = format!("{}-alias", access_key.clone());
+        let output = Command::new("rc")
+            .args([
+                "alias",
+                "set",
+                &name,
+                self.endpoint.as_str(),
+                self.username.as_str(),
+                self.password.as_str(),
+            ])
+            .output()?;
+        info!("{:?}", output);
+        info!("Creating a user");
+        let output = Command::new("rc")
+            .args([
+                "admin",
+                "user",
+                "add",
+                &name,
+                access_key.as_str(),
+                secret_key.as_str(),
+            ])
+            .output()?;
+        info!("{:?}", output);
+        info!("Removing the alias");
+        let output = Command::new("rc")
+            .args(["alias", "remove", &name])
+            .output()?;
+        info!("{:?}", output);
         Ok(())
     }
-}
 
+    fn update_user(&self) -> Result<(), anyhow::Error> {
+        todo!()
+    }
+
+    fn delete_user(&self) -> Result<(), anyhow::Error> {
+        todo!()
+    }
+}
-- 
2.49.1