diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index bda2f674c3..683964011a 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -66,7 +66,6 @@
 ** xref:deploy:redpanda/index.adoc[Redpanda]
 *** xref:deploy:redpanda/kubernetes/index.adoc[Kubernetes]
 **** xref:deploy:redpanda/kubernetes/k-deployment-overview.adoc[Overview]
-**** xref:deploy:redpanda/kubernetes/k-25.2-beta.adoc[Try v25.2]
 **** xref:deploy:redpanda/kubernetes/get-started-dev.adoc[Get Started]
 ***** xref:deploy:redpanda/kubernetes/aks-guide.adoc[Azure AKS]
 ***** xref:deploy:redpanda/kubernetes/eks-guide.adoc[Amazon EKS]
@@ -131,9 +130,10 @@
 **** xref:manage:kubernetes/security/tls/index.adoc[TLS Encryption]
 ***** xref:manage:kubernetes/security/tls/k-cert-manager.adoc[Use cert-manager]
 ***** xref:manage:kubernetes/security/tls/k-secrets.adoc[Use Secrets]
-**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication]
+**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication and Authorization]
 ***** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Enable Authentication]
-***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs]
+***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs (Operator)]
+***** xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs (Operator)]
 **** xref:manage:kubernetes/security/k-audit-logging.adoc[Audit Logging]
 *** xref:manage:kubernetes/k-rack-awareness.adoc[Rack Awareness]
 *** xref:manage:kubernetes/k-remote-read-replicas.adoc[Remote Read Replicas]
diff --git a/modules/deploy/pages/redpanda/kubernetes/k-25.2-beta.adoc b/modules/deploy/pages/redpanda/kubernetes/k-25.2-beta.adoc
deleted file mode 100644
index 6002d8efae..0000000000
--- a/modules/deploy/pages/redpanda/kubernetes/k-25.2-beta.adoc
+++ /dev/null
@@ -1,332 +0,0 @@ -= Try the 25.2 Beta of the Redpanda Operator -:page-beta: true -:description: Deploy the 25.2 beta release of the Redpanda Operator. This version of the Redpanda Operator is cluster scope so a single instance of the Operator can manage multiple Redpanda resources in different namespaces. - -{description} - -This beta version is available for testing and feedback. It is not supported by Redpanda and should not be used in production environments. To give feedback on beta releases, reach out to the Redpanda team in https://redpanda.com/slack[Redpanda Community Slack^]. - -== Prerequisites - -Make sure that your Kubernetes cluster meets the xref:./k-requirements.adoc[requirements]. - -== Deploy Redpanda Operator v25.2.1-beta1 in cluster scope - -To deploy the Redpanda Operator in cluster scope (managing Redpanda resources across all namespaces), do the following: - -. Make sure that you have permission to install custom resource definitions (CRDs): -+ -```bash -kubectl auth can-i create CustomResourceDefinition --all-namespaces -``` -+ -You should see `yes` in the output. -+ -You need these cluster-level permissions to install glossterm:cert-manager[^] and Redpanda Operator CRDs in the next steps. - -. Install cert-manager: -+ -```bash -helm repo add jetstack https://charts.jetstack.io -helm repo update -helm install cert-manager jetstack/cert-manager \ - --set crds.enabled=true \ - --namespace cert-manager \ - --create-namespace -``` -+ -TLS is enabled by default and cert-manager is used to manage TLS certificates. - -. Deploy the Redpanda Operator: -+ -[,bash,subs="attributes+"] ----- -helm repo add redpanda https://charts.redpanda.com -helm upgrade --install redpanda-controller redpanda/operator \ - --namespace \ - --create-namespace \ - --version {operator-beta-tag} \ - --set crds.enabled=true ----- - -. 
Ensure that the Deployment is successfully rolled out: -+ -```bash -kubectl --namespace rollout status --watch deployment/redpanda-controller-operator -``` -+ -[.no-copy] ----- -deployment "redpanda-controller-operator" successfully rolled out ----- - -. Define a xref:reference:k-crd.adoc[Redpanda custom resource] to deploy a Redpanda cluster. -+ -.`redpanda-cluster.yaml` -[,yaml,subs="attributes+"] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: Redpanda -metadata: - name: redpanda - namespace: <1> ----- -+ -<1> Add your namespace. - -. If you want to use enterprise features in Redpanda, add the details of a Secret that stores your Enterprise Edition license key. -+ -.`redpanda-cluster.yaml` -[,yaml,subs="attributes+"] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: Redpanda -metadata: - name: redpanda - namespace: -spec: - clusterSpec: - enterprise: - licenseSecretRef: - name: - key: ----- -+ -For details, see xref:get-started:licensing/add-license-redpanda/kubernetes.adoc[]. - -. Apply the Redpanda resource: -+ -```bash -kubectl apply -f redpanda-cluster.yaml -``` - -. Wait for the Redpanda Operator to deploy the cluster: -+ -```bash -kubectl get redpanda --namespace --watch -``` -+ -[.no-copy] ----- -NAME READY STATUS -redpanda True Redpanda reconciliation succeeded ----- -+ -This step may take a few minutes. You can watch for new Pods to make sure that the deployment is progressing: -+ -```bash -kubectl get pod --namespace -``` -+ -If it's taking too long, see xref:manage:kubernetes/troubleshooting/k-troubleshoot.adoc[Troubleshooting]. - -=== Deploy multiple Redpanda clusters - -You can deploy more than one Redpanda cluster in the same Kubernetes cluster by using a different namespace and unique node ports. - -. Define a new Redpanda resource in a unique namespace. 
-+ -NOTE: Make sure to also use unique node ports for the listeners in your Redpanda resource so that they don't conflict with any existing node ports in your other Redpanda clusters. -+ -.`redpanda-cluster-two.yaml` -[source,yaml,subs="attributes+"] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: Redpanda -metadata: - name: redpanda-two - namespace: -spec: - clusterSpec: - listeners: - kafka: - external: - default: - advertisedPorts: [31093] - admin: - external: - default: - advertisedPorts: [31645] - http: - external: - default: - advertisedPorts: [30083] - rpc: - port: 33146 - schemaRegistry: - external: - default: - advertisedPorts: [30084] ----- - -. Apply the Redpanda resource: -+ -```bash -kubectl apply -f redpanda-cluster-two.yaml -``` - -== Deploy Redpanda Operator v25.2.1-beta1 in namespace scope - -To deploy the Redpanda Operator in namespace scope (managing only resources within its deployment namespace), do the following: - -. Make sure that you have permission to install custom resource definitions (CRDs): -+ -```bash -kubectl auth can-i create CustomResourceDefinition --all-namespaces -``` -+ -You should see `yes` in the output. -+ -You need these cluster-level permissions to install glossterm:cert-manager[^] and Redpanda Operator CRDs in the next steps. - -. Install cert-manager: -+ -```bash -helm repo add jetstack https://charts.jetstack.io -helm repo update -helm install cert-manager jetstack/cert-manager \ - --set crds.enabled=true \ - --namespace cert-manager \ - --create-namespace -``` -+ -TLS is enabled by default and cert-manager is used to manage TLS certificates. - -. 
Deploy the Redpanda Operator: -+ -[,bash,subs="attributes+"] ----- -helm upgrade --install redpanda-controller redpanda/operator \ - --namespace \ - --create-namespace \ - --version {latest-operator-version} \ - --set crds.enabled=true \ - --set 'additionalCmdFlags=["--namespace="]' <1> ----- -+ -<1> This flag restricts the Redpanda Operator to manage resources only within the specified namespace. -+ -WARNING: Do not run multiple Redpanda Operators in different scopes (cluster and namespace scope) in the same cluster as this can cause resource conflicts. - -. Ensure that the Deployment is successfully rolled out: -+ -```bash -kubectl --namespace rollout status --watch deployment/redpanda-controller-operator -``` -+ -[.no-copy] ----- -deployment "redpanda-controller-operator" successfully rolled out ----- - -. Define a xref:reference:k-crd.adoc[Redpanda custom resource] to deploy a Redpanda cluster in the same namespace as the namespace-scoped Redpanda Operator. -+ -.`redpanda-cluster.yaml` -[,yaml,subs="attributes+"] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: Redpanda -metadata: - name: redpanda - namespace: ----- - -. Apply the Redpanda resource: -+ -```bash -kubectl apply -f redpanda-cluster.yaml -``` - -. Wait for the Redpanda Operator to deploy the cluster: -+ -```bash -kubectl get redpanda --namespace --watch -``` -+ -[.no-copy] ----- -NAME READY STATUS -redpanda True Redpanda reconciliation succeeded ----- -+ -This step may take a few minutes. You can watch for new Pods to make sure that the deployment is progressing: -+ -```bash -kubectl get pod --namespace -``` -+ -If it's taking too long, see xref:manage:kubernetes/troubleshooting/k-troubleshoot.adoc[Troubleshooting]. - -== Uninstall Redpanda - -When you finish testing Redpanda, you can uninstall it from your Kubernetes cluster. - -Follow the steps in **exact order** to avoid race conditions between -the Redpanda Operator's reconciliation loop and Kubernetes garbage collection. - -. 
Delete all Redpanda-related custom resources: -+ -[,bash,role="no-wrap"] ----- -kubectl delete users --namespace --all -kubectl delete topics --namespace --all -kubectl delete schemas --namespace --all -kubectl delete redpanda --namespace --all ----- - -. Make sure requests for those resources return no results. For example, if you had a Redpanda cluster named `redpanda` in the namespace ``, run: -+ -[,bash] ----- -kubectl get redpanda --namespace ----- - -. Uninstall the Redpanda Operator Helm release: -+ -[,bash] ----- -helm uninstall redpanda-controller --namespace ----- -+ -Helm does not uninstall CRDs by default when using `helm uninstall` to avoid accidentally deleting existing custom resources. - -. Remove the CRDs. -.. List all Redpanda CRDs installed by the operator: -+ -[,bash] ----- -kubectl api-resources --api-group='cluster.redpanda.com' ----- -+ -This command displays all CRDs defined by the Redpanda Operator. For example: -+ -[,bash,role="no-wrap"] ----- -NAME SHORTNAMES APIVERSION NAMESPACED KIND -redpandas rp cluster.redpanda.com/v1alpha2 true Redpanda -schemas sc cluster.redpanda.com/v1alpha2 true Schema -topics cluster.redpanda.com/v1alpha2 true Topic -users rpu cluster.redpanda.com/v1alpha2 true User ----- - -.. Delete the CRDs: -+ -[,bash] ----- -kubectl get crds -o name | grep cluster.redpanda.com | xargs kubectl delete ----- -+ -This command lists all CRDs with the `cluster.redpanda.com` domain suffix and deletes them, ensuring only Redpanda CRDs are removed. Helm does not delete CRDs automatically to prevent data loss, so you must run this step manually. - -. (Optional) Delete any leftover PVCs or Secrets in the namespace: -+ -CAUTION: The following command deletes all PVCs and Secrets in the namespace, which may remove unrelated resources if the namespace is shared with other applications. 
-+ -[,bash] ----- -kubectl delete pvc,secret --all --namespace ----- - -== Next steps - -To give feedback about this beta version, reach out to the Redpanda team in https://redpanda.com/slack[Redpanda Community Slack^]. diff --git a/modules/deploy/pages/redpanda/kubernetes/k-deployment-overview.adoc b/modules/deploy/pages/redpanda/kubernetes/k-deployment-overview.adoc index a881637748..43d8270224 100644 --- a/modules/deploy/pages/redpanda/kubernetes/k-deployment-overview.adoc +++ b/modules/deploy/pages/redpanda/kubernetes/k-deployment-overview.adoc @@ -41,7 +41,7 @@ To deploy Redpanda in Kubernetes, you can choose between Helm for its simplicity | Multi-tenancy management | ✅ | ⚠️ -| Helm requires separate releases to manage multiple clusters, making management more complex. The Redpanda Operator simplifies this through declarative custom resources. +| Helm requires separate releases to manage multiple clusters, making management more complex. The Redpanda Operator simplifies multi-tenancy by managing clusters across different namespaces from a single operator instance. |=== @@ -50,7 +50,7 @@ TIP: If you are already using the Redpanda Helm chart and want to migrate to the [[helm-and-redpanda-operator]] === Redpanda Operator -The Redpanda Operator is designed for production-grade Redpanda deployments, offering enhanced lifecycle management, automation, and GitOps compatibility. +The Redpanda Operator is designed for production-grade Redpanda deployments, offering enhanced lifecycle management, automation, and GitOps compatibility. The Redpanda Operator defaults to cluster scope, enabling it to manage multiple Redpanda clusters across different namespaces from a single operator instance. The Redpanda Operator directly reconciles Redpanda resources, performing tasks such as installations, updates, and cleanup. 
diff --git a/modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc b/modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc
index c8b14db923..393ac88948 100644
--- a/modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc
+++ b/modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc
@@ -1,7 +1,7 @@
 = Deploy Redpanda for Production in Kubernetes
 :description: Deploy a Redpanda cluster in Kubernetes.
 :tags: ["Kubernetes"]
-:page-aliases: deploy:deployment-option/self-hosted/kubernetes/kubernetes-best-practices.adoc, deploy:deployment-option/self-hosted/kubernetes/redpanda-cluster-recommendations.adoc, deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc, deploy:deployment-option/self-hosted/kubernetes/k-25.1-beta.adoc, deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc
+:page-aliases: deploy:deployment-option/self-hosted/kubernetes/kubernetes-best-practices.adoc, deploy:deployment-option/self-hosted/kubernetes/redpanda-cluster-recommendations.adoc, deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc, deploy:deployment-option/self-hosted/kubernetes/k-25.1-beta.adoc, deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc, deploy:redpanda/kubernetes/k-25.2-beta.adoc
 :page-toclevels: 1
 :env-kubernetes: true
 :page-categories: Deployment, GitOps
@@ -18,7 +18,7 @@ You must already have a ConfigMap that stores your `io-config.yaml` file. See xr To deploy Redpanda and Redpanda Console, you can use the following tools: -- *Redpanda Operator*: The Redpanda Operator extends Kubernetes with custom resource definitions (CRDs), allowing you to define Redpanda clusters as native Kubernetes resources. The resource that the Redpanda Operator uses to represent a Redpanda cluster is the Redpanda resource. +- *Redpanda Operator*: The Redpanda Operator extends Kubernetes with custom resource definitions (CRDs), allowing you to define Redpanda clusters as native Kubernetes resources. The resource that the Redpanda Operator uses to represent a Redpanda cluster is the Redpanda resource. The Redpanda Operator can be deployed in either cluster scope (managing resources across all namespaces) or namespace scope (managing resources within a single namespace). - *Helm*: https://helm.sh/docs[Helm^] is a package manager for Kubernetes, which simplifies the process of defining, installing, and upgrading Kubernetes applications. Helm uses charts, a collection of files that describe a related set of Kubernetes resources, to deploy applications in a Kubernetes cluster. TIP: For more details about the differences between these two methods, see xref:deploy:redpanda/kubernetes/k-deployment-overview.adoc[]. 
@@ -29,7 +29,12 @@ Operator:: + -- -NOTE: The Redpanda Operator is namespace scoped. You must install the Redpanda Operator in the same namespace as your Redpanda resource (Redpanda cluster). +The Redpanda Operator can be deployed in two different scopes: + +- *Cluster scope* (recommended): The Redpanda Operator manages Redpanda resources across all namespaces in your Kubernetes cluster. This provides centralized management and is ideal for production environments. +- *Namespace scope*: The Redpanda Operator manages Redpanda resources only within a specific namespace. This provides better isolation and is suitable when you need strict namespace boundaries. + +WARNING: Do not run multiple Redpanda Operators in different scopes (cluster and namespace scope) in the same cluster as this can cause resource conflicts. . Make sure that you have permission to install custom resource definitions (CRDs): + @@ -54,7 +59,7 @@ helm install cert-manager jetstack/cert-manager \ + The Redpanda Helm chart enables TLS by default and uses cert-manager to manage TLS certificates. -. Deploy the Redpanda Operator. +. Deploy the Redpanda Operator in your chosen scope: + include::deploy:partial$kubernetes/deploy-operator.adoc[] @@ -78,6 +83,7 @@ apiVersion: cluster.redpanda.com/v1alpha2 kind: Redpanda metadata: name: redpanda + namespace: spec: clusterSpec: #enterprise: 
@@ -99,6 +105,7 @@ spec: ---- + - `metadata.name`: Name to assign the Redpanda cluster. +- `metadata.namespace`: For cluster-scoped deployment, specify any namespace. For namespace-scoped deployment, must be the same namespace where the Redpanda Operator is deployed. - xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-api-redpanda-v1alpha2-redpandaclusterspec[`spec.clusterSpec`]: This is where you can override default values in the Redpanda Helm chart. Here, you mount the <> to the Pods that run Redpanda. For other configuration details, see <>. - `spec.clusterSpec.enterprise`: If you want to use enterprise features in Redpanda, uncomment this section and add the details of a Secret that stores your Enterprise Edition license key. For details, see xref:get-started:licensing/index.adoc[]. - `spec.clusterSpec.image.tag`: Deploys the latest version of Redpanda. @@ -107,15 +114,13 @@ spec: . Apply the Redpanda resource: + ```bash -kubectl apply -f redpanda-cluster.yaml --namespace +kubectl apply -f redpanda-cluster.yaml ``` -+ -NOTE: The Redpanda resource must be deployed in the same namespace as the Redpanda Operator. Each new deployment of Redpanda requires a separate namespace. . Wait for the Redpanda Operator to deploy Redpanda using the Helm chart: + ```bash -kubectl get redpanda --namespace --watch +kubectl get redpanda --namespace --watch ``` + [.no-copy] @@ -127,7 +132,7 @@ redpanda True Redpanda reconciliation succeeded This step may take a few minutes. You can watch for new Pods to make sure that the deployment is progressing: + ```bash -kubectl get pod --namespace +kubectl get pod --namespace ``` + If it's taking too long, see xref:manage:kubernetes/troubleshooting/k-troubleshoot.adoc[Troubleshooting]. 
@@ -135,7 +140,7 @@ If it's taking too long, see xref:manage:kubernetes/troubleshooting/k-troublesho . Verify that each Redpanda broker is scheduled on only one Kubernetes node: + ```bash -kubectl get pod --namespace \ +kubectl get pod --namespace \ -o=custom-columns=NODE:.spec.nodeName,NAME:.metadata.name -l \ app.kubernetes.io/component=redpanda-statefulset ``` 
@@ -250,6 +255,160 @@ example-worker redpanda-2 -- ==== +== Deploy multiple Redpanda clusters + +You can deploy multiple Redpanda clusters in the same Kubernetes cluster. This is useful for creating separate environments (such as production, staging, and development) or for organizing clusters by application or team. + +[tabs] +==== +Operator:: ++ +-- + +When using the Redpanda Operator, you can deploy multiple Redpanda clusters by creating separate Redpanda custom resources. + +*Requirements:* + +- Use a cluster-scoped Redpanda Operator deployment (recommended) or separate namespace-scoped operators in different namespaces +- Each cluster must be deployed in a unique namespace +- Configure unique external port numbers for each cluster to avoid conflicts + +. Create a second Redpanda cluster in a different namespace: ++ +.`redpanda-cluster-two.yaml` +[,yaml,subs="attributes+"] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: Redpanda +metadata: + name: redpanda-staging + namespace: redpanda-staging +spec: + clusterSpec: + image: + tag: {latest-redpanda-tag} + listeners: + kafka: + external: + default: + advertisedPorts: [31093] <1> + admin: + external: + default: + advertisedPorts: [31645] <1> + http: + external: + default: + advertisedPorts: [30083] <1> + rpc: + port: 33146 <1> + schemaRegistry: + external: + default: + advertisedPorts: [30084] <1> + statefulset: + extraVolumes: |- + - name: redpanda-io-config + configMap: + name: redpanda-io-config + extraVolumeMounts: |- + - name: redpanda-io-config + mountPath: /etc/redpanda-io-config + additionalRedpandaCmdFlags: + - "--io-properties-file=/etc/redpanda-io-config/io-config.yaml" +---- ++ +<1> Configure unique port numbers for each cluster to avoid conflicts. Ensure these ports don't conflict with your first cluster's configuration. + +. Apply the second Redpanda resource: ++ +```bash +kubectl apply -f redpanda-cluster-two.yaml +``` + +. 
Wait for the second cluster to be ready: ++ +```bash +kubectl get redpanda --namespace redpanda-staging --watch +``` + +-- +Helm:: ++ +-- + +When using Helm, deploy multiple Redpanda clusters by using separate namespaces and unique release names for each deployment. + +*Requirements:* + +- Each cluster must be deployed in a unique namespace +- Use unique Helm release names for each deployment +- Configure unique external port numbers for each cluster to avoid conflicts + +. Create configuration values for your second cluster: ++ +.`redpanda-staging-values.yaml` +[,yaml,subs="attributes+"] +---- +image: + tag: {latest-redpanda-tag} +nameOverride: 'redpanda-staging' +fullnameOverride: 'redpanda-staging' +listeners: + kafka: + external: + default: + advertisedPorts: [31093] <1> + admin: + external: + default: + advertisedPorts: [31645] <1> + http: + external: + default: + advertisedPorts: [30083] <1> + rpc: + port: 33146 <1> + schemaRegistry: + external: + default: + advertisedPorts: [30084] <1> +statefulset: + extraVolumes: |- + - name: redpanda-io-config + configMap: + name: redpanda-io-config + extraVolumeMounts: |- + - name: redpanda-io-config + mountPath: /etc/redpanda-io-config + additionalRedpandaCmdFlags: + - "--io-properties-file=/etc/redpanda-io-config/io-config.yaml" +---- ++ +<1> Configure unique port numbers for each cluster to avoid conflicts. Ensure these ports don't conflict with your first cluster's configuration. + +. Install the second Redpanda cluster using a unique release name and namespace: ++ +[source,bash,subs="attributes+"] +---- +helm install redpanda-staging redpanda/redpanda \ + --version {latest-redpanda-helm-chart-version} \ + --namespace redpanda-staging \ + --create-namespace \ + --values redpanda-staging-values.yaml +---- + +. 
Wait for the second cluster to be ready: ++ +```bash +kubectl --namespace redpanda-staging rollout status statefulset redpanda-staging --watch +``` + +-- +==== + +IMPORTANT: When deploying multiple clusters, ensure that external listener ports are unique across all clusters to prevent conflicts. Also consider resource allocation and node capacity when planning multiple cluster deployments. + [[config]] == Production considerations @@ -593,7 +752,6 @@ rbac: annotations: {} ---- -NOTE: If you use the Redpanda Operator, you must also deploy the Redpanda Operator Helm chart with `rbac.createRPKBundleCRs` set to `true` to give it the required roles. See also: xref:manage:kubernetes/k-rack-awareness.adoc[] diff --git a/modules/deploy/partials/kubernetes/deploy-operator.adoc b/modules/deploy/partials/kubernetes/deploy-operator.adoc index 314f94489e..dfb8419915 100644 --- a/modules/deploy/partials/kubernetes/deploy-operator.adoc +++ b/modules/deploy/partials/kubernetes/deploy-operator.adoc @@ -1,4 +1,7 @@ +:latest-operator-version: 25.2.0 ifdef::latest-operator-version[] +.. To deploy in cluster scope, use: ++ [,bash,subs="attributes+"] ---- helm repo add redpanda https://charts.redpanda.com 
@@ -13,15 +16,21 @@ helm upgrade --install redpanda-controller redpanda/operator \ <1> This flag specifies the exact version of the Redpanda Operator Helm chart to use for deployment. By setting this value, you pin the chart to a specific version, which prevents automatic updates that might introduce breaking changes or new features that have not been tested in your environment. <2> This flag ensures that the CRDs are installed as part of the Redpanda Operator deployment. + -:note-caption: Older versions of the Redpanda Operator -+ -[NOTE] -======== -The `--set crds.enabled=true` flag is only supported in Redpanda Operator **v25.1.1 and later**. +This command deploys the Redpanda Operator in cluster scope (default in v25.2+), allowing it to manage Redpanda clusters across multiple namespaces. -If you deploy an earlier version (such as v2.4.x), you must install the CRDs separately. See the xref:25.1@ROOT:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[v2.4.x deployment documentation] for more information. -======== -:note-caption: Note +.. To deploy in namespace scope (managing only resources within its deployment namespace), use: ++ +[,bash,subs="attributes+"] +---- +helm upgrade --install redpanda-controller redpanda/operator \ + --namespace \ + --create-namespace \ + --version {latest-operator-version} \ + --set crds.enabled=true \ + --set 'additionalCmdFlags=["--namespace="]' <1> +---- ++ +<1> This flag restricts the Redpanda Operator to manage resources only within the specified namespace. endif::[] ifndef::latest-operator-version[] [,bash,subs="attributes+"] diff --git a/modules/get-started/pages/release-notes/operator.adoc b/modules/get-started/pages/release-notes/operator.adoc index 18cede9410..83d5734b1b 100644 --- a/modules/get-started/pages/release-notes/operator.adoc +++ b/modules/get-started/pages/release-notes/operator.adoc 
@@ -9,11 +9,11 @@ See also: * xref:upgrade:k-compatibility.adoc[] * xref:upgrade:k-rolling-upgrade.adoc[] -== Redpanda Operator v25.2.x (beta) +NOTE: Redpanda Console v3 is **not yet available when deploying with the Redpanda Operator**. The Redpanda Operator continues to deploy Redpanda Console v2. To try Redpanda Console v3, you can deploy the link:https://artifacthub.io/packages/helm/redpanda-data/console[standalone Redpanda Console Helm chart^] or xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[deploy Redpanda using the Redpanda Helm chart] instead of the Redpanda Operator. -link:https://github.com/redpanda-data/redpanda-operator/blob/release/v25.2.x/operator/CHANGELOG.md[Changelog^]. +== Redpanda Operator v25.2.x -See also: xref:deploy:redpanda/kubernetes/k-25.2-beta.adoc[]. +link:https://github.com/redpanda-data/redpanda-operator/blob/release/v25.2.x/operator/CHANGELOG.md[Changelog^] === Cluster scope by default 
@@ -25,15 +25,32 @@ Starting in v25.2, the Redpanda Operator defaults to cluster scope instead of na * **Cross-namespace management**: Deploy the operator in a dedicated namespace (such as `redpanda-system`) while managing clusters in application namespaces. * **Simplified RBAC for debug bundles**: The Redpanda Operator now provides all required permissions for `rpk` debug bundle collection by default. The `rbac.createRPKBundleCRs` flag is no longer needed. -== Redpanda Operator v25.1.x (GA) +==== Migration considerations -link:https://github.com/redpanda-data/redpanda-operator/blob/release/v25.1.x/operator/CHANGELOG.md[Changelog^] +If you're upgrading from a previous version that used namespace-scoped operators: + +* **No manual steps required**: The Redpanda Operator automatically reconciles existing Redpanda clusters across namespaces. +* **New deployments default to cluster scope**: Regardless of which namespace you deploy the Redpanda Operator to (including `default`). +* **Delete extra Redpanda Operator deployments**: After upgrading, ensure only one Redpanda Operator remains in the cluster (the one running in cluster scope). Use `helm uninstall` to remove any other Redpanda Operator deployments from previous namespace-scoped installations. + +To maintain namespace scope, use the `--set 'additionalCmdFlags=["--namespace="]'` flag when installing or upgrading the Redpanda Operator. The `--namespace` flag in the helm command only specifies which namespace to deploy the Redpanda Operator into and does not affect its operational scope. + +WARNING: Do not run multiple Redpanda Operators in different scopes (cluster and namespace scope) in the same cluster as this can cause resource conflicts. + +==== RBAC requirements -=== Redpanda Console v3 +Important RBAC considerations for v25.2+: -Redpanda Console v3 is **not yet available when deploying with the Redpanda Operator**, due to pending CRD updates. The Redpanda Operator continues to deploy Redpanda Console v2. 
xref:24.3@ROOT:console:index.adoc[View the Redpanda Console v2 documentation]. +* **ClusterRole permissions always required**: Regardless of whether you use cluster or namespace scope, the Redpanda Operator always needs ClusterRole permissions. +* **Automatic configuration**: These permissions are automatically configured when you install the Redpanda Operator. -To try Redpanda Console v3 in Kubernetes, you can xref:deploy:redpanda/kubernetes/k-production-deployment.adoc[deploy Redpanda using the Redpanda Helm chart] instead of the Redpanda Operator. Redpanda Console v3 introduces support for unified authentication and authorization with Redpanda, including user impersonation. +=== Declarative RedpandaRole management + +Redpanda Operator v25.2.x now includes a RedpandaRole custom resource. The RedpandaRole resource allows you to declaratively manage Redpanda roles and permissions in Kubernetes, making it easier to control access and automate security policies for your Redpanda clusters. See the xref:manage:kubernetes/security/authorization/k-redpanda-role.adoc[RedpandaRole documentation] for details. + +== Redpanda Operator v25.1.x (GA) + +link:https://github.com/redpanda-data/redpanda-operator/blob/release/v25.1.x/operator/CHANGELOG.md[Changelog^] === Multiple Operator instances (deprecated) diff --git a/modules/manage/examples/kubernetes/role-crds.feature b/modules/manage/examples/kubernetes/role-crds.feature new file mode 100644 index 0000000000..5d8d2942bd --- /dev/null +++ b/modules/manage/examples/kubernetes/role-crds.feature 
@@ -0,0 +1,110 @@
+@cluster:sasl @variant:vectorized
+Feature: Role CRDs
+ Background: Cluster available
+ Given cluster "sasl" is available
+
+ @skip:gke @skip:aks @skip:eks
+ Scenario: Manage roles
+ Given there is no role "admin-role" in cluster "sasl"
+ And there are the following pre-existing users in cluster "sasl"
+ | name | password | mechanism |
+ | alice | password | SCRAM-SHA-256 |
+ | bob | password | SCRAM-SHA-256 |
+ When I apply Kubernetes manifest:
+ """
+# tag::manage-roles-with-principals[]
+ # In this example manifest, a role called "admin-role" is created in a cluster called "sasl".
+ # The role includes two principals (alice and bob) who will inherit the role's permissions.
+ ---
+ apiVersion: cluster.redpanda.com/v1alpha2
+ kind: RedpandaRole
+ metadata:
+ name: admin-role
+ spec:
+ cluster:
+ clusterRef:
+ name: sasl
+ principals:
+ - User:alice
+ - User:bob
+# end::manage-roles-with-principals[]
+ """
+ And role "admin-role" is successfully synced
+ Then role "admin-role" should exist in cluster "sasl"
+ And role "admin-role" should have members "alice and bob" in cluster "sasl"
+
+ @skip:gke @skip:aks @skip:eks
+ Scenario: Manage roles with authorization
+ Given there is no role "read-only-role" in cluster "sasl"
+ And there are the following pre-existing users in cluster "sasl"
+ | name | password | mechanism |
+ | charlie | password | SCRAM-SHA-256 |
+ When I create topic "public-test" in cluster "sasl"
+ And I apply Kubernetes manifest:
+ """
+# tag::manage-roles-with-authorization[]
+ # In this example manifest, a role called "read-only-role" is created in a cluster called "sasl".
+ # The role includes authorization rules that allow reading from topics with names starting with "public-".
+ ---
+ apiVersion: cluster.redpanda.com/v1alpha2
+ kind: RedpandaRole
+ metadata:
+ name: read-only-role
+ spec:
+ cluster:
+ clusterRef:
+ name: sasl
+ principals:
+ - User:charlie
+ authorization:
+ acls:
+ - type: allow
+ resource:
+ type: topic
+ name: public-
+ patternType: prefixed
+ operations: [Read, Describe]
+# end::manage-roles-with-authorization[]
+ """
+ And role "read-only-role" is successfully synced
+ Then role "read-only-role" should exist in cluster "sasl"
+ And role "read-only-role" should have ACLs for topic pattern "public-" in cluster "sasl"
+ And "charlie" should be able to read from topic "public-test" in cluster "sasl"
+
+ @skip:gke @skip:aks @skip:eks
+ Scenario: Manage authorization-only roles
+ Given there are the following pre-existing users in cluster "sasl"
+ | name | password | mechanism |
+ | travis | password | SCRAM-SHA-256 |
+ And there is a pre-existing role "travis-role" in cluster "sasl"
+ When I apply Kubernetes manifest:
+ """
+# tag::manage-authz-only-roles[]
+ # In this example manifest, a role CRD called "travis-role" manages ACLs for an existing role.
+ # The role includes authorization rules that allow reading from topics with names starting with "some-topic".
+ # This example assumes that you already have a role called "travis-role" in your cluster.
+ ---
+ apiVersion: cluster.redpanda.com/v1alpha2
+ kind: RedpandaRole
+ metadata:
+ name: travis-role
+ spec:
+ cluster:
+ clusterRef:
+ name: sasl
+ principals:
+ - User:travis
+ authorization:
+ acls:
+ - type: allow
+ resource:
+ type: topic
+ name: some-topic
+ patternType: prefixed
+ operations: [Read]
+# end::manage-authz-only-roles[]
+ """
+ And role "travis-role" is successfully synced
+ And I delete the CRD role "travis-role"
+ Then there should still be role "travis-role" in cluster "sasl"
+ And there should be no ACLs for role "travis-role" in cluster "sasl"
\ No newline at end of file
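Review bot: The manifest tagged `manage-authz-only-roles` in the third scenario still lists `principals: - User:travis`, although its comments present it as managing only the ACLs of an existing role. This block is published as the authorization-only example, so a reader cannot tell from it what makes the resource authorization-only, or whether applying it rewrites the membership of the pre-existing "travis-role". If the operator treats a RedpandaRole without principals as ACL-only (not visible in this hunk), drop the `principals` entry and add a comment such as `# Role membership is managed outside this resource; only the ACLs below are reconciled.`; otherwise state in the comment what the operator actually keys on. Separately, the "Manage roles with authorization" scenario asserts only the allow path for "charlie", so a negative check against a topic outside the `public-` prefix would pin the boundary of the prefixed grant, provided the step library has a matching step.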
diff --git a/modules/manage/pages/kubernetes/k-rack-awareness.adoc b/modules/manage/pages/kubernetes/k-rack-awareness.adoc index ab7377dee4..65eb182b14 100644 --- a/modules/manage/pages/kubernetes/k-rack-awareness.adoc +++ b/modules/manage/pages/kubernetes/k-rack-awareness.adoc @@ -17,7 +17,6 @@ You must have the following: * https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]: Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. -* If you use the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator], you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles to read node labels and annotations. == Annotate or label Node resources diff --git a/modules/manage/pages/kubernetes/security/authentication/index.adoc b/modules/manage/pages/kubernetes/security/authentication/index.adoc index b8ac87f4f1..74badb6dbb 100644 --- a/modules/manage/pages/kubernetes/security/authentication/index.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/index.adoc 
@@ -1,6 +1,6 @@ -= Authentication for Redpanda in Kubernetes += Authentication and Authorization for Redpanda in Kubernetes :page-layout: index -:description: Learn how to configure authentication for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. +:description: Learn how to configure authentication and authorization for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. :page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc -Redpanda offers two methods to manage authentication in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file +Redpanda offers two methods to manage authentication and authorization in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 5c46594f18..5063b1420f 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -5,6 +5,8 @@ With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. +For role-based access control where you want to define permissions once and apply them to multiple users, see xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs]. + == Prerequisites You must have the following: 
@@ -267,8 +269,32 @@ Deleting a User resource will have different impacts depending on how it is conf - **Authorization-only**: When a User resource that manages only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. - **Full user management (both authentication and authorization)**: When the resource manages both users and ACLs, the user and its associated ACLs are removed. +== Best practices + +When working with User resources, consider the following best practices: + +=== User design + +- *Principle of least privilege*: Grant only the minimum permissions necessary for users to perform their tasks. +- *Descriptive usernames*: Use clear, consistent naming conventions that identify the user's purpose or role. +- *Avoid shared accounts*: Create individual user accounts rather than sharing credentials between multiple people or applications. + +=== Permission management + +- *Consider roles for shared permissions*: When multiple users need the same set of permissions, consider using xref:manage:kubernetes/security/authorization/k-role-controller.adoc[RedpandaRole resources] instead of duplicating ACLs across individual User resources. +- *User-specific permissions*: Use User resource ACLs for permissions that are specific to individual users and don't need to be shared. +- *Avoid conflicts*: If using both Role and User resources, be careful not to create conflicting ACLs for the same users. + +=== Secret management + +- *Use Kubernetes Secrets*: Store passwords in Kubernetes Secrets rather than hardcoding them in manifests. +- *Regular rotation*: Implement a regular password rotation strategy for production environments. 
+ == Suggested reading * xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User resource] * xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist[UserList resource] -* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file +* xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs] +* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] +* xref:manage:security/authorization/rbac.adoc[Role-Based Access Control (RBAC)] +* xref:manage:security/authorization/acl.adoc[Access Control Lists (ACLs)] \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc b/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc new file mode 100644 index 0000000000..89ce6e0c08 --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc 
@@ -0,0 +1,223 @@
+= Manage Roles with the Redpanda Operator
+:description: Use the RedpandaRole resource to declaratively create and manage roles as part of a Redpanda deployment. Each RedpandaRole resource defines a set of permissions that can be assigned to multiple users, providing role-based access control (RBAC) for your Redpanda cluster.
+:page-categories: Management, Security
+:env-kubernetes: true
+
+With the Redpanda Operator, you can declaratively create and manage Redpanda roles using xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[RedpandaRole custom resources] (resources) in Kubernetes. Each RedpandaRole resource defines a set of permissions that can be assigned to multiple users, providing role-based access control (RBAC) for your Redpanda cluster. The role controller, a component of the Redpanda Operator, keeps the corresponding Redpanda role in sync with the RedpandaRole resource.
+
+NOTE: RedpandaRole resources do not create users. Users must already exist in the Redpanda cluster before they can be assigned to roles, unless they are OIDC principals. OIDC principals do not need to be created as users in the cluster. Use xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resources] to create and manage Redpanda users.
+
+== What are roles and why use them?
+
+Think of roles like job titles in a company. Instead of giving each employee individual permissions for every door, system, and resource, you create job titles (roles) like "Developer," "Manager," or "Security Guard." Each job title comes with a specific set of permissions, and you assign employees to those job titles.
+
+In Redpanda, roles work the same way:
+
+* **Without roles**: You set up permissions individually for each user. If you have 10 developers who all need the same access to certain topics, you configure the same permissions 10 times.
+
+* **With roles**: You create a "Developer" role once with all the necessary permissions, then assign all 10 developers to that role. When you need to change what developers can access, you update the role once instead of updating 10 individual users.
+
+== Prerequisites
+
+You must have the following:
+
+* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster.
+* *Redpanda Operator*: Ensure you have at least version 25.2 of the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator].
+* *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled].
+* *Existing users*: If you plan to assign users to roles, ensure the users already exist in your Redpanda cluster. You can create users using xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resources].
+
+== Create a role
+
+You can use the RedpandaRole resource to:
+
+- <>
+- <>
+- <>
+
+Each Role instance is responsible for managing both the role membership (principals) and the role's ACLs within the Redpanda cluster. You cannot use one RedpandaRole resource to manage the principals and another resource to manage the ACLs. Only one Role instance is allowed per role in the Redpanda cluster.
+
+[[with-authorization]]
+=== Create a role with authorization rules
+
+- *Use case*: You want to create a role that defines permissions and assign users to inherit those permissions. This is the most common use case for role-based access control, where you define permissions once and apply them to multiple users.
+- *What happens when deleted*: Both the role and its associated ACLs are removed. Users assigned to the role lose the permissions granted by this role but retain any other permissions they have.
+
+This example shows how to create a role with both principals and authorization rules.
+
+.`read-only-role.yaml`
+[,yaml,indent=0]
+----
+include::manage:example$kubernetes/role-crds.feature[tags=manage-roles-with-authorization,indent=0]
+----
+
+[[with-principals]]
+=== Create a role with principals
+
+- *Use case*: You want to create a role and assign users (principals) to it. This is useful for grouping users together without necessarily defining permissions at the role level, allowing you to manage group membership centrally.
+- *What happens when deleted*: The role is deleted, but users assigned to the role remain in the cluster. Any ACLs defined at the user level are unaffected.
+
+This example shows how to create a role and assign principals to it.
+
+.`admin-role.yaml`
+[,yaml,indent=0]
+----
+include::manage:example$kubernetes/role-crds.feature[tags=manage-roles-with-principals,indent=0]
+----
+
+[[authorization-only]]
+=== Create authorization rules for an existing role
+
+- *Use case*: You want to manage ACLs for an existing role in the Redpanda cluster, but not modify the role's membership. Use this option if role membership is managed by another process or tool, and you only want to control what resources the role can access.
+- *What happens when deleted*: The ACLs are removed, but the role and its members remain. This is useful when you want to revoke permissions but retain the role structure for future use.
+
+This example shows how to manage only the ACLs for an existing role in the Redpanda cluster.
+
+.`authorization-only-role.yaml`
+[,yaml,indent=0]
+----
+include::manage:example$kubernetes/role-crds.feature[tags=manage-authz-only-roles,indent=0]
+----
+
+== Configuration
+
+The following sections provide guidance on setting up role membership, managing authorization rules, and defining ACLs within your Kubernetes environment.
These recommendations ensure proper role management while minimizing manual interventions and preventing potential security issues.
+
+You can find all configuration options for the RedpandaRedpandaRole resource in the xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[CRD reference].
+
+=== Choose a role name
+
+The `metadata.name` field in the RedpandaRedpandaRole resource is used to specify the role name. Keep in mind the following best practices when choosing a role name:
+
+- *Unique*: Ensure each role has a unique name to avoid conflicts. The role name must be unique within the Redpanda cluster.
+- *Descriptive*: Choose a name that identifies the purpose or permissions of the role. For example, use names like `data-readers` or `topic-admins`.
+- *Stable*: Avoid changing role names frequently. Role names are tied to authorization rules (ACLs) and user assignments. Renaming a role involves deleting and recreating the role.
+
+[,yaml]
+----
+metadata:
+ name: read-only-role
+----
+
+In this example, `read-only-role` is the role name, which will be referenced in authorization rules and user assignments.
+
+=== Configure principals
+
+The xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[`spec.principals`] field allows you to specify which users are assigned to the role. Principals are specified in the format `User:`.
+
+IMPORTANT: Users must already exist in the Redpanda cluster before they can be assigned to a role. The RedpandaRole resource does not create users that don't exist.
+
+[source,yaml]
+----
+spec:
+ principals:
+ - User:alice
+ - User:bob
+----
+
+When users are assigned to a role, they inherit all the permissions defined in the role's ACLs. If a role has no ACLs defined, the users gain no additional permissions from the role membership.
+
+=== Define authorization rules
+
+The xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[`spec.authorization`] field allows you to manage ACLs for the role. ACLs define the permissions that all members of the role have over specific resources in Redpanda, such as topics, consumer groups, and clusters.
+
+You can define ACLs for a role by specifying which resources members can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs:
+
+[source,yaml]
+----
+spec:
+ authorization:
+ acls:
+ - type: allow
+ resource:
+ type: topic
+ name: public-
+ patternType: prefixed
+ operations: [Read, Describe]
+----
+
+- `type`: Defines whether the ACL allows or denies access. Acceptable values: `allow`, `deny`.
+- `resource.type`: Specifies the resource type. Acceptable values: `topic`, `group`, `cluster`, `transactionalId`.
+- `patternType`: Specifies how the resource name is interpreted. Acceptable values: `literal`, `prefixed`. Default: `literal`.
++
+TIP: Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants.
+- `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`.
+
+You can find all configuration options for authorization in the xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[RoleAuthorizationSpec] of the CRD reference.
+
+For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[].
+
+== Deploy a RedpandaRole resource
+
+To deploy a RedpandaRole resource, apply the manifest to the same namespace as your Redpanda cluster:
+
+[,bash]
+----
+kubectl apply -f .yaml --namespace
+----
+
+- Replace `` with the filename of your manifest.
+- Replace `` with the namespace in which you deployed Redpanda.
+
+== Verify a role
+
+After deploying a RedpandaRole resource, verify that the Redpanda Operator reconciled it:
+
+[,bash]
+----
+kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace
+----
+
+== Update a role
+
+To update a role, edit the RedpandaRole resource configuration and apply the changes.
+
+[,bash]
+----
+kubectl apply -f .yaml --namespace
+----
+
+== Delete a role
+
+To delete a role, delete the RedpandaRole resource:
+
+[,bash]
+----
+kubectl delete -f .yaml --namespace
+----
+
+When a RedpandaRole resource is deleted, its underlying data is removed as well. If the role has ACLs, those ACLs are also removed.
+
+Deleting a RedpandaRole resource has different impacts depending on how it is configured:
+
+- **Principals-only**: When a RedpandaRole resource that manages only principals is deleted, the role is removed from the cluster. However, any ACLs not managed by the same resource will remain in place.
+- **Authorization-only**: When a RedpandaRole resource that manages only ACLs is deleted, the ACLs are removed, but the role and its members remain in the cluster.
+- **Full role management (both principals and authorization)**: When the resource manages both membership and ACLs, the role and its associated ACLs are removed.
+
+== Best practices
+
+When working with RedpandaRole resources, consider the following best practices:
+
+=== Role design
+
+- *Principle of least privilege*: Grant only the minimum permissions necessary for users to perform their tasks.
+- *Logical grouping*: Create roles that align with job functions or responsibilities rather than individual users.
+- *Naming conventions*: Use consistent, descriptive names that indicate the role's purpose, such as `topic-readers` or `admin-users`.
+
+=== Permission management
+
+- *Prefer role-based over user-based ACLs*: When possible, assign permissions to roles rather than individual users to simplify management.
+- *Use specific resource patterns*: Prefer `literal` patterns over `prefixed` patterns unless you specifically need pattern matching.
+- *Regular reviews*: Periodically review role permissions to ensure they remain appropriate and necessary.
+
+=== Integration with User resources
+
+- *Consistent management*: If you're using both Role and User resources, establish clear guidelines about which permissions are managed at the role level versus the user level.
+- *Avoid conflicts*: Be careful not to create conflicting ACLs between Role and User resources for the same users.
+
+== Suggested reading
+
+* xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[RedpandaRole resource]
+* xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolelist[RoleList resource]
+* xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs]
+* xref:manage:security/authorization/rbac.adoc[Role-Based Access Control (RBAC)]
+* xref:manage:security/authorization/acl.adoc[Access Control Lists (ACLs)]
diff --git a/modules/migrate/pages/kubernetes/helm-to-operator.adoc b/modules/migrate/pages/kubernetes/helm-to-operator.adoc
index 5b59da8b85..e3a46521ed 100644
--- a/modules/migrate/pages/kubernetes/helm-to-operator.adoc
+++ b/modules/migrate/pages/kubernetes/helm-to-operator.adoc
@@ -88,7 +88,7 @@ You should see `yes` in the output. + You need these cluster-level permissions to install the Redpanda Operator CRDs in the next steps. -. Install the Redpanda Operator *in the same namespace as your Redpanda Helm chart*: +. Install the Redpanda Operator. Starting in v25.2, the Redpanda Operator can manage Redpanda clusters in any namespace: + include::deploy:partial$kubernetes/deploy-operator.adoc[] @@ -138,7 +138,7 @@ spec: TIP: The Redpanda CRD is compatible with the version of the Helm chart defined in the operator. For details on the structure and configuration options of the Redpanda custom resource, refer to the xref:reference:k-crd.adoc#redpandaclusterspec[Redpanda Operator CRD reference]. -- -. Adopt the Redpanda cluster by creating an instance of the Redpanda custom resource in the same namespace as the Redpanda Operator: +. Adopt the Redpanda cluster by creating an instance of the Redpanda custom resource: + ```bash kubectl apply -f redpanda-cluster.yaml --namespace diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index 73cfd173cc..9e576efde3 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -4,27 +4,61 @@ :description: Custom resource definitions for Redpanda resources. Use the Redpanda resources to create and manage Redpanda clusters, users and topics with the Redpanda Operator. :page-aliases: reference:k-topic-crd.adoc - -Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of an evolving API architecture, representing an initial stage that may be subject to change based on user feedback and further development. - .Resource Types +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-console[$$Console$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandarole[$$RedpandaRole$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schema[$$Schema$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter"] +== ACLAccessFilter + +Filter an ACL based on its access type, operation, principal, and host. + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclfilter[$$ACLFilter$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | The host to match. If not set, will default to match all hosts + +with the specified `operation` and `permissionType`. 
Note that + +the asterisk `*` is literal and matches hosts that are set to `*` + +| *`operation`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$]__ | The ACL operation to match + +| *`permissionType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | The permission type + +| *`principal`* __string__ | The name of the principal, if not set will default to match + +all principals with the specified `operation` and `permissionType` + +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation"] == ACLOperation (string) ACLOperation specifies the type of operation for an ACL. +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter[$$ACLAccessFilter$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter"] +== ACLResourceFilter .Appears in: -- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclfilter[$$ACLFilter$$] +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | +| *`patternType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | +| *`resourceType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +|=== [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec"] 
@@ -68,6 +102,7 @@ Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[$$RoleAuthorizationSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] [cols="25a,75a", options="header"] @@ -101,6 +136,7 @@ ACLType specifies the type, either allow or deny of an ACL rule. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter[$$ACLAccessFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] 
@@ -118,10 +154,19 @@ Admin configures settings for the Admin API listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + | *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + |=== 
@@ -210,6 +255,24 @@ Auth configures authentication in the Helm values. See https://docs.redpanda.com |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authenticationsecrets"] +== AuthenticationSecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`jwtSigningKey`* __string__ | +| *`oidc`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-oidcloginsecrets[$$OIDCLoginSecrets$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authorizationtype"] == AuthorizationType (string) @@ -224,6 +287,28 @@ AuthorizationType specifies the type of authorization to use in creating a user. +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-autoscaling"] +== AutoScaling + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | +| *`minReplicas`* __integer__ | +| *`maxReplicas`* __integer__ | +| *`targetCPUUtilizationPercentage`* __integer__ | +| *`targetMemoryUtilizationPercentage`* __integer__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-bootstrapuser"] == BootstrapUser 
@@ -370,6 +455,10 @@ ClusterRef represents a reference to a cluster that is being targeted. [cols="25a,75a", options="header"] |=== | Field | Description +| *`group`* __string__ | Group is used to override the object group that this reference points to. + +If unspecified, defaults to "cluster.redpanda.com". + +| *`kind`* __string__ | Kind is used to override the object kind that this reference points to. + +If unspecified, defaults to "Redpanda". + | *`name`* __string__ | Name specifies the name of the cluster being referenced. + |=== @@ -384,6 +473,8 @@ ClusterSource defines how to connect to a particular Redpanda cluster. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaspec[$$SchemaSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] 
@@ -492,8 +583,11 @@ ConfigWatcher configures a sidecar that watches for changes to the Secret in `au | Field | Description | *`enabled`* __boolean__ | Specifies whether the sidecar is enabled. + | *`extraVolumeMounts`* __string__ | Specifies additional volumes to mount to the sidecar. + +DEPRECATED: Use sideCars.extraVolumeMounts + | *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + |=== 
@@ -595,6 +689,36 @@ never used. Prefer Create. + |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-console"] +== Console + +Redpanda defines the CRD for Redpanda clusters. + + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `Console` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$]__ | +| *`status`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolestatus[$$ConsoleStatus$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolecreateobj"] == ConsoleCreateObj 
@@ -612,6 +736,134 @@ ConsoleCreateObj represents configuration options for creating Kubernetes object |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec"] +== ConsoleSpec + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-console[$$Console$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`replicaCount`* __integer__ | +| *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-image[$$Image$$]__ | +| *`imagePullSecrets`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#localobjectreference-v1-core[$$LocalObjectReference$$] array__ | +| *`automountServiceAccountToken`* __boolean__ | +| *`serviceAccount`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceaccountconfig[$$ServiceAccountConfig$$]__ | +| *`commonLabels`* __object (keys:string, values:string)__ | +| *`annotations`* __object (keys:string, values:string)__ | +| *`podAnnotations`* __object (keys:string, values:string)__ | +| *`podLabels`* __object (keys:string, values:string)__ | +| *`podSecurityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core[$$PodSecurityContext$$]__ | +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`service`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceconfig[$$ServiceConfig$$]__ | +| *`ingress`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingressconfig[$$IngressConfig$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | +| 
*`autoscaling`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-autoscaling[$$AutoScaling$$]__ | +| *`nodeSelector`* __object (keys:string, values:string)__ | +| *`tolerations`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#toleration-v1-core[$$Toleration$$] array__ | +| *`affinity`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#affinity-v1-core[$$Affinity$$]__ | +| *`topologySpreadConstraints`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#topologyspreadconstraint-v1-core[$$TopologySpreadConstraint$$] array__ | +| *`priorityClassName`* __string__ | +| *`config`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#rawextension-runtime-pkg[$$RawExtension$$]__ | +| *`extraEnv`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envvar-v1-core[$$EnvVar$$] array__ | +| *`extraEnvFrom`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envfromsource-v1-core[$$EnvFromSource$$] array__ | +| *`extraVolumes`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#volume-v1-core[$$Volume$$] array__ | +| *`extraVolumeMounts`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#volumemount-v1-core[$$VolumeMount$$] array__ | +| *`extraContainers`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#container-v1-core[$$Container$$] array__ | +| *`extraContainerPorts`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#containerport-v1-core[$$ContainerPort$$] array__ | +| *`secretMounts`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretmount[$$SecretMount$$] array__ | +| *`secret`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$]__ | +| 
*`licenseSecretRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | +| *`livenessProbe`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#probe-v1-core[$$Probe$$]__ | +| *`readinessProbe`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#probe-v1-core[$$Probe$$]__ | +| *`deployment`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-deploymentconfig[$$DeploymentConfig$$]__ | +| *`strategy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#deploymentstrategy-v1-apps[$$DeploymentStrategy$$]__ | +| *`cluster`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolestatus"] +== ConsoleStatus + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-console[$$Console$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | The generation observed by the Console controller. + +| *`replicas`* __integer__ | Total number of non-terminating Pods targeted by this Console's Deployment. + +| *`updatedReplicas`* __integer__ | Total number of non-terminating pods targeted by this Console's Deployment that have the desired template spec. + +| *`readyReplicas`* __integer__ | Total number of non-terminating pods targeted by this Console's Deployment with a Ready Condition. + +| *`availableReplicas`* __integer__ | Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this Console's Deployment. + +| *`unavailableReplicas`* __integer__ | Total number of unavailable pods targeted by this deployment. 
This is the total number of + +pods that are still required for the deployment to have 100% available capacity. They may + +either be pods that are running but not yet available or pods that still have not been created. + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues"] +== ConsoleValues + +ConsoleValues is a CRD friendly equivalent of [console.PartialValues]. Any +member that is optional at the top level, either by being a pointer, map, or +slice, is NOT further partial-ized. This allows us to enforce validation +constraints without accidentally polluting the defaults of the chart. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`replicaCount`* __integer__ | +| *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-image[$$Image$$]__ | +| *`imagePullSecrets`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#localobjectreference-v1-core[$$LocalObjectReference$$] array__ | +| *`automountServiceAccountToken`* __boolean__ | +| *`serviceAccount`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceaccountconfig[$$ServiceAccountConfig$$]__ | +| *`commonLabels`* __object (keys:string, values:string)__ | +| *`annotations`* __object (keys:string, values:string)__ | +| *`podAnnotations`* __object (keys:string, values:string)__ | +| *`podLabels`* __object (keys:string, values:string)__ | +| *`podSecurityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core[$$PodSecurityContext$$]__ | +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`service`* 
__xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceconfig[$$ServiceConfig$$]__ | +| *`ingress`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingressconfig[$$IngressConfig$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | +| *`autoscaling`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-autoscaling[$$AutoScaling$$]__ | +| *`nodeSelector`* __object (keys:string, values:string)__ | +| *`tolerations`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#toleration-v1-core[$$Toleration$$] array__ | +| *`affinity`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#affinity-v1-core[$$Affinity$$]__ | +| *`topologySpreadConstraints`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#topologyspreadconstraint-v1-core[$$TopologySpreadConstraint$$] array__ | +| *`priorityClassName`* __string__ | +| *`config`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#rawextension-runtime-pkg[$$RawExtension$$]__ | +| *`extraEnv`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envvar-v1-core[$$EnvVar$$] array__ | +| *`extraEnvFrom`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envfromsource-v1-core[$$EnvFromSource$$] array__ | +| *`extraVolumes`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#volume-v1-core[$$Volume$$] array__ | +| *`extraVolumeMounts`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#volumemount-v1-core[$$VolumeMount$$] array__ | +| *`extraContainers`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#container-v1-core[$$Container$$] array__ | +| *`extraContainerPorts`* 
__link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#containerport-v1-core[$$ContainerPort$$] array__ | +| *`secretMounts`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretmount[$$SecretMount$$] array__ | +| *`secret`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$]__ | +| *`licenseSecretRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | +| *`livenessProbe`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#probe-v1-core[$$Probe$$]__ | +| *`readinessProbe`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#probe-v1-core[$$Probe$$]__ | +| *`deployment`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-deploymentconfig[$$DeploymentConfig$$]__ | +| *`strategy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#deploymentstrategy-v1-apps[$$DeploymentStrategy$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-containerresources"] == ContainerResources 
@@ -648,6 +900,25 @@ CredentialSecretRef can be used to set cloud_storage_secret_key from referenced |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-deploymentconfig"] +== DeploymentConfig + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`command`* __string array__ | +| *`extraArgs`* __string array__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enablable"] == Enablable 
@@ -760,12 +1031,19 @@ ExternalListener configures settings for the external listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`enabled`* __boolean__ | -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`port`* __integer__ | Specifies the container port number for the external listener. + -| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the external listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + | *`advertisedPorts`* __integer array__ | Specifies the network port that the external Service listens on. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. 
+ | *`nodePort`* __integer__ | |=== @@ -787,6 +1065,18 @@ ExternalService allows you to enable or disable the creation of an external Serv |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-filtertype"] +== FilterType (string) + +FilterType specifies the type, either include or exclude of a consumer group filter. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-namefilter[$$NameFilter$$] + + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-fsvalidator"] == FsValidator 
@@ -820,13 +1110,100 @@ HTTP configures settings for the HTTP Proxy listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`enabled`* __boolean__ | Specifies whether the HTTP Proxy is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. 
+ +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + +| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + +deprecated and not respected. + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-image"] +== Image + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`registry`* __string__ | +| *`repository`* __string__ | +| *`pullPolicy`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#pullpolicy-v1-core[$$PullPolicy$$]__ | +| *`tag`* __string__ | +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingressconfig"] +== IngressConfig + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | +| *`className`* __string__ | +| *`annotations`* __object (keys:string, values:string)__ | +| *`hosts`* 
__xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingresshost[$$IngressHost$$] array__ | +| *`tls`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#ingresstls-v1-networking[$$IngressTLS$$] array__ | +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingresshost"] +== IngressHost + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingressconfig[$$IngressConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | +| *`paths`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingresspath[$$IngressPath$$] array__ | +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingresspath"] +== IngressPath + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-ingresshost[$$IngressHost$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`path`* __string__ | +| *`pathType`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#pathtype-v1-networking[$$PathType$$]__ | |=== 
@@ -902,11 +1279,19 @@ Kafka configures settings for the Kafka API listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + |=== @@ -1027,6 +1412,28 @@ KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasecrets"] +== KafkaSecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`saslPassword`* __string__ | +| *`awsMskIamSecretKey`* __string__ | +| *`tlsCa`* __string__ | +| *`tlsCert`* __string__ | +| *`tlsKey`* __string__ | +| *`tlsPassphrase`* __string__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-licensesecretref"] == LicenseSecretRef 
@@ -1045,6 +1452,38 @@ LicenseSecretRef is deprecated. Use `EnterpriseLicenseSecretRef` instead. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listener"] +== Listener + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin[$$Admin$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls"] == ListenerTLS @@ -1057,6 +1496,7 @@ ListenerTLS configures TLS configuration for each listener in the Helm values. - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listener[$$Listener$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpc[$$RPC$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] 
@@ -1195,38 +1635,22 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== -[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-nodepoolstatus"] -== NodePoolStatus -NodePoolStatus defines the observed state of any node pools tied to this cluster + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-oidcloginsecrets"] +== OIDCLoginSecrets + + .Appears in: -- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandastatus[$$RedpandaStatus$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authenticationsecrets[$$AuthenticationSecrets$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`name`* __string__ | Name is the name of the pool + -| *`replicas`* __integer__ | Replicas is the number of actual replicas currently across + -the node pool. This differs from DesiredReplicas during + -a scaling operation, but should be the same once the cluster + -has quiesced. + -| *`desiredReplicas`* __integer__ | DesiredReplicas is the number of replicas that ought to be + -run for the cluster. It combines the desired replicas across + -all node pools. + -| *`outOfDateReplicas`* __integer__ | OutOfDateReplicas is the number of replicas that don't currently + -match their node pool definitions. If OutOfDateReplicas is not 0 + -it should mean that the operator will soon roll this many pods. + -| *`upToDateReplicas`* __integer__ | UpToDateReplicas is the number of replicas that currently match + -their node pool definitions. + -| *`condemnedReplicas`* __integer__ | CondemnedReplicas is the number of replicas that will be decommissioned + -as part of a scaling down operation. + -| *`readyReplicas`* __integer__ | ReadyReplicas is the number of replicas whose readiness probes are + -currently passing. 
+ -| *`runningReplicas`* __integer__ | RunningReplicas is the number of replicas that are actively in a running + -state. + +| *`clientSecret`* __string__ | |=== @@ -1246,6 +1670,7 @@ Password specifies a password for the user. | *`value`* __string__ | Value is a hardcoded value to use for the given password. It should only be used for testing purposes. + In production, use ValueFrom. + | *`valueFrom`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | ValueFrom specifies a source for a password to be fetched from when specifying or generating user credentials. + +| *`noGenerate`* __boolean__ | NoGenerate when set to true does not create kubernetes secret when ValueFrom points to none-existent secret. + |=== @@ -1277,7 +1702,9 @@ PatternType specifies the type of pattern applied for ACL resource matching. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter[$$ACLResourceFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-namefilter[$$NameFilter$$] 
@@ -1358,6 +1785,60 @@ PodTemplate will pass label and annotation to Statefulset Pod template. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolconfigurator"] +== PoolConfigurator + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`additionalCLIArgs`* __string array__ | Chart default: [] + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolfsvalidator"] +== PoolFSValidator + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Chart default: false + +| *`expectedFS`* __string__ | Chart default: xfs + +|=== + + + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolsetdatadirownership"] +== PoolSetDataDirOwnership + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Chart default: false + +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postinstalljob"] == PostInstallJob 
@@ -1464,8 +1945,10 @@ RPControllers configures additional controllers that can be deployed as sidecars |=== | Field | Description | *`enabled`* __boolean__ | Specifies whether the Controllers are enabled. + -| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | -| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + | *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | | *`healthProbeAddress`* __string__ | | *`metricsAddress`* __string__ | 
@@ -1545,6 +2028,26 @@ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api- |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaadminapisecrets"] +== RedpandaAdminAPISecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandasecrets[$$RedpandaSecrets$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`password`* __string__ | +| *`tlsCa`* __string__ | +| *`tlsCert`* __string__ | +| *`tlsKey`* __string__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec"] == RedpandaClusterSpec @@ -1574,6 +2077,7 @@ For descriptions and default values, see xref:k-redpanda-helm-spec.adoc[]. | *`enterprise`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterprise[$$Enterprise$$]__ | Defines an Enterprise license. + | *`rackAwareness`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rackawareness[$$RackAwareness$$]__ | Defines rack awareness settings. + | *`console`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$]__ | Defines Redpanda Console settings. + +Deprecated: Use the dedicated Console CRD. + | *`connectors`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$]__ | Defines Redpanda Connector settings. + Deprecated, ignored, and unused as of v25.1.1 + | *`auth`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auth[$$Auth$$]__ | Defines authentication settings for listeners. + 
@@ -1775,6 +2279,53 @@ Defined by the `--reserve-memory` parameter. Represents the memory available for |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandarole"] +== RedpandaRole + +RedpandaRole defines the CRD for a Redpanda role. + + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `RedpandaRole` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$]__ | Defines the desired state of the Redpanda role. + +| *`status`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolestatus[$$RoleStatus$$]__ | Represents the current status of the Redpanda role. 
+ +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandasecrets"] +== RedpandaSecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`adminApi`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaadminapisecrets[$$RedpandaAdminAPISecrets$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec"] == RedpandaSpec @@ -1809,8 +2360,6 @@ RedpandaStatus defines the observed state of Redpanda | *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda. + | *`license`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandalicensestatus[$$RedpandaLicenseStatus$$]__ | LicenseStatus contains information about the current state of any + installed license in the Redpanda cluster. + -| *`nodePools`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-nodepoolstatus[$$NodePoolStatus$$] array__ | NodePools contains information about the node pools associated + -with this cluster. + | *`configVersion`* __string__ | ConfigVersion contains the configuration version written in + Redpanda used for restarting broker nodes as necessary. + | *`observedGeneration`* __integer__ | Specifies the last observed generation. + @@ -1838,6 +2387,8 @@ deprecated + |=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetemplate"] == ResourceTemplate 
@@ -1864,6 +2415,7 @@ ResourceType specifies the type of resource an ACL is applied to. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter[$$ACLResourceFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] 
@@ -1911,6 +2463,67 @@ and `Requests`. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec"] +== RoleAuthorizationSpec + +RoleAuthorizationSpec defines authorization rules for this role. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`acls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this role. + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec"] +== RoleSpec + +RoleSpec defines the configuration of a Redpanda role. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandarole[$$RedpandaRole$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`cluster`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the role should be created. + +It is used in constructing the client created to configure a cluster. + +| *`principals`* __string array__ | Principals defines the list of users assigned to this role. + +Format: Type:Name (e.g., User:john, User:jane). If type is omitted, defaults to User. + +| *`authorization`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[$$RoleAuthorizationSpec$$]__ | Authorization rules defined for this role. If specified, the operator will manage ACLs for this role. + +If omitted, ACLs should be managed separately using Redpanda's ACL management. 
+ +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolestatus"] +== RoleStatus + +RoleStatus defines the observed state of a Redpanda role + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandarole[$$RedpandaRole$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | Specifies the last observed generation. + +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda role. + +| *`managedAcls`* __boolean__ | ManagedACLs returns whether the role has managed ACLs that need + +to be cleaned up. + +| *`managedRole`* __boolean__ | ManagedRole returns whether the role has been created in Redpanda and needs + +to be cleaned up. + +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl"] == SASL 
@@ -2012,12 +2625,21 @@ SchemaRegistry configures settings for the Schema Registry listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`enabled`* __boolean__ | Specifies whether the Schema Registry is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + +| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + +deprecated and not respected. + |=== @@ -2041,6 +2663,27 @@ SchemaRegistrySASL configures credentials to connect to Redpanda cluster that ha |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistrysecrets"] +== SchemaRegistrySecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`bearerToken`* __string__ | +| *`password`* __string__ | +| *`tlsCa`* __string__ | +| *`tlsCert`* __string__ | +| *`tlsKey`* __string__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistryspec"] == SchemaRegistrySpec 
@@ -2115,6 +2758,30 @@ SchemaType specifies the type of the given schema. +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig"] +== SecretConfig + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`create`* __boolean__ | +| *`kafka`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasecrets[$$KafkaSecrets$$]__ | +| *`authentication`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authenticationsecrets[$$AuthenticationSecrets$$]__ | +| *`license`* __string__ | +| *`redpanda`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandasecrets[$$RedpandaSecrets$$]__ | +| *`serde`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serdesecrets[$$SerdeSecrets$$]__ | +| *`schemaRegistry`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistrysecrets[$$SchemaRegistrySecrets$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref"] == SecretKeyRef 
@@ -2141,6 +2808,28 @@ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/nam |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretmount"] +== SecretMount + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | +| *`secretName`* __string__ | +| *`path`* __string__ | +| *`subPath`* __string__ | +| *`defaultMode`* __integer__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretref"] == SecretRef @@ -2177,6 +2866,23 @@ SecretRef configures the Secret resource that contains existing TLS certificates |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serdesecrets"] +== SerdeSecrets + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretconfig[$$SecretConfig$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`protobufGitBasicAuthPassword`* __string__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-service"] == Service 
@@ -2215,6 +2921,48 @@ ServiceAccount configures Service Accounts. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceaccountconfig"] +== ServiceAccountConfig + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`automountServiceAccountToken`* __boolean__ | +| *`annotations`* __object (keys:string, values:string)__ | +| *`name`* __string__ | +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceconfig"] +== ServiceConfig + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolespec[$$ConsoleSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolevalues[$$ConsoleValues$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#servicetype-v1-core[$$ServiceType$$]__ | +| *`port`* __integer__ | +| *`nodePort`* __integer__ | +| *`targetPort`* __integer__ | +| *`annotations`* __object (keys:string, values:string)__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceinternal"] == ServiceInternal 
@@ -2283,8 +3031,10 @@ SideCarObj represents a generic sidecar object. This is a placeholder for now. |=== | Field | Description | *`enabled`* __boolean__ | -| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | -| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + |=== 
@@ -2302,6 +3052,10 @@ SideCars configures the additional sidecar containers that run alongside the mai |=== | Field | Description | *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | +| *`extraVolumeMounts`* __string__ | Specifies additional volumes to mount to the sidecar. + +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +| *`args`* __string array__ | | *`configWatcher`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configwatcher[$$ConfigWatcher$$]__ | Configures the `config-watcher` sidecar. The `config-watcher` sidecar polls the Secret resource in `auth.sasl.secretRef` for changes and triggers a rolling upgrade to add the new superusers to the Redpanda cluster. + | *`rpkStatus`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecarobj[$$SideCarObj$$]__ | | *`controllers`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$]__ | @@ -2431,6 +3185,8 @@ TLS configures TLS in the Helm values. See https://docs.redpanda.com/current/man |=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered"] == Tiered 
@@ -2619,6 +3375,23 @@ TopologySpreadConstraints configures topology spread constraints to control how |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-truststore"] +== TrustStore + +TrustStore is a mapping from a value on either a Secret or ConfigMap to the +`truststore_path` field of a listener. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`configMapKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#configmapkeyselector-v1-core[$$ConfigMapKeySelector$$]__ | +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | +|=== [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tuning"] diff --git a/modules/troubleshoot/partials/debug-bundle/generate-rpk.adoc b/modules/troubleshoot/partials/debug-bundle/generate-rpk.adoc index 246a6db53b..ad103dc9c8 100644 --- a/modules/troubleshoot/partials/debug-bundle/generate-rpk.adoc +++ b/modules/troubleshoot/partials/debug-bundle/generate-rpk.adoc @@ -48,7 +48,7 @@ spec: kubectl apply -f redpanda-cluster.yaml --namespace ``` -NOTE: You must deploy the Redpanda Operator with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. + -- Helm:: diff --git a/modules/troubleshoot/partials/errors-and-solutions.adoc b/modules/troubleshoot/partials/errors-and-solutions.adoc index a06ea4f0cf..cce84a11e6 100644 --- a/modules/troubleshoot/partials/errors-and-solutions.adoc +++ b/modules/troubleshoot/partials/errors-and-solutions.adoc 
@@ -245,18 +245,7 @@ helm repo update //end::deployment-name-exists[] -//tag::deployment-forbidden-debug-bundle[] -=== redpanda-rpk-debug-bundle is forbidden -If you see this error, your Redpanda Operator's RBAC settings are out of sync with the Pod-level RBAC in the Redpanda resource: - -[.no-copy] ----- -… forbidden: user "…-operator" … attempting to grant RBAC permissions not currently held … ----- - -To fix this error, make sure you haven't disabled xref:reference:k-operator-helm-spec.adoc#rbac-createrpkbundlecrs[`rbac.createRPKBundleCRs`] in the Redpanda Operator chart while still leaving xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rbac[`spec.clusterSpec.rbac.rpkDebugBundle`] enabled in your Redpanda resource. Either enable both or disable both. -//end::deployment-forbidden-debug-bundle[] //tag::deployment-data-dir-not-writable[] === Fatal error during checker "Data directory is writable" execution diff --git a/modules/upgrade/pages/k-compatibility.adoc b/modules/upgrade/pages/k-compatibility.adoc index 9196c021f7..5807fe0799 100644 --- a/modules/upgrade/pages/k-compatibility.adoc +++ b/modules/upgrade/pages/k-compatibility.adoc @@ -13,7 +13,7 @@ The Redpanda Helm chart and Redpanda Operator are versioned and tested alongside Starting from version 25.1.1, the Redpanda Operator and Redpanda Helm chart follow a new versioning scheme aligned with Redpanda core releases: -- `v25.1` refers to the Redpanda core feature release deployed by default. +- `25.1` refers to the Redpanda core feature release deployed by default. - The patch version denotes the patch version for either the operator or Helm chart. It is not the patch version of Redpanda core. 
@@ -37,7 +37,13 @@ Redpanda Core has no direct dependency on Kubernetes. Compatibility is influence |=== |Redpanda Core / `rpk` |Helm Chart |Operator Helm Chart |Operator |Helm CLI |Kubernetes -.1+|25.2.x +.2+|25.2.x + +|25.2.x +|25.2.x +|25.2.x +|3.12+ +d|1.30.x - 1.33.x{fn-k8s-compatibility} |25.1.x |25.2-beta1, 25.1.x @@ -123,12 +129,12 @@ Upgrading the Helm chart may also upgrade Redpanda Console. Because of this buil |Redpanda Console |Helm Chart |Operator |v3.x.x -|25.1.x +|25.2.x, 25.1.x |Not yet supported |v2.x.x |5.10.1, 5.9.x, 5.8.x -|25.1.x, 2.4.x, 2.3.x, 2.2.x +|25.2.x, 25.1.x, 2.4.x, 2.3.x, 2.2.x |=== diff --git a/modules/upgrade/pages/k-upgrade-operator.adoc b/modules/upgrade/pages/k-upgrade-operator.adoc index 5c28bcf83d..8ff194ac8a 100644 --- a/modules/upgrade/pages/k-upgrade-operator.adoc +++ b/modules/upgrade/pages/k-upgrade-operator.adoc @@ -7,7 +7,7 @@ . Make sure to https://github.com/redpanda-data/redpanda-operator/releases[review the release notes^] to understand any significant changes, bug fixes, or potential disruptions that could affect your existing deployment. -. xref:upgrade:k-compatibility.adoc[Review the Kubernetes compatibility matrix] and determine the version of the Redpanda Operator that is compatible with the Helm chart version you plan to use. The Redpanda Operator must be able to understand and manage the Helm chart and the Redpanda version you are deploying. +. xref:upgrade:k-compatibility.adoc[Review the Kubernetes compatibility matrix]. . Back up your current Helm values for the Redpanda Operator Helm chart: + diff --git a/tests/setup-tests/fetch-versions-and-rpk.json b/tests/setup-tests/fetch-versions-and-rpk.json index 102d64df43..54d3745abd 100644 --- a/tests/setup-tests/fetch-versions-and-rpk.json +++ b/tests/setup-tests/fetch-versions-and-rpk.json 
@@ -56,7 +56,7 @@
 "description": "Use doc-tools to install any additional test dependencies.",
 "runShell": {
 "command": "npx doc-tools install-test-dependencies",
- "timeout": 120000
+ "timeout": 420000
 }
 },
 {