From f9edf9749723d796ae997e423c0711f19447fad9 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 10 Sep 2024 15:50:43 +0100 Subject: [PATCH 01/46] First draft --- .../authentication/k-user-controller.adoc | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc new file mode 100644 index 000000000..6a0b56338 --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -0,0 +1,188 @@ += Manage Users with the Redpanda Operator +:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:page-categories: Management, Development +:env-kubernetes: true + +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. + +== Prerequisites + +You must have the following: + +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. + +== Limitations + +You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. 
+ +== Create a user + +You can create a user using a User resource: + +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. +- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. +- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. +- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. + +=== Example User resource + +This example creates a user named `my-user` with SCRAM-SHA-512 authentication: + +.example-user.yaml +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +[bash] +---- +kubectl apply -f example-user.yaml --namespace +---- + +Replace `` with the namespace in which you deployed Redpanda. + +=== Specify authentication type + +You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. + +If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. + +=== Manage user secrets + +Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. 
+ +For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: + +[source,yaml] +---- +password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +.Example Kubernetes Secret for the user password +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: user-secret +type: Opaque +data: + # base64-encoded password + password: cGFzc3dvcmQ= +---- + +== Verify a user + +After deploying a User resource, verify that the Redpanda Operator reconciled it: + +[bash] +---- +kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace +---- + +Example output: + +[source,json] +---- +{ + "level": "info", + "ts": "2024-09-25T16:20:09.538Z", + "logger": "UserReconciler.Reconcile", + "msg": "Starting reconcile loop", + "controller": "user", + "User": { + "name": "my-user", + "namespace": "" + }, + "reconcileID": "c0cf9abc-a553-48b7-9b6e-2de3cdfb4432" +} +{ + "level": "info", + "ts": "2024-09-25T16:20:09.581Z", + "logger": "UserReconciler.Reconcile", + "msg": "Reconciliation finished in 43.436125ms, next run in 3s", +} +---- + +== Update a user + +To update a user, edit the User resource configuration and apply the changes. + +For example, to change the authentication method: + +.`updated-user.yaml` +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + authentication: + type: scram-sha-256 + cluster: + clusterRef: + name: redpanda-cluster +---- + +Apply the changes: + +[bash] +---- +kubectl apply -f updated-user.yaml --namespace +---- + +== Delete a user + +To delete a user, delete the User resource: + +[bash] +---- +kubectl delete -f example-user.yaml --namespace +---- + +When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. 
+ +== Suggested reading + +* xref:reference:k-user-crd.adoc[] +* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file From d27912c447551e2220fbe6dff396c566fc2b1bdf Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Wed, 18 Sep 2024 17:04:19 +0100 Subject: [PATCH 02/46] First draft --- .github/crd-config/config.yaml | 19 - .../authentication/k-user-controller.adoc | 4 - modules/reference/pages/k-crd.adoc | 457 +++++++++++++++++- 3 files changed, 456 insertions(+), 24 deletions(-) diff --git a/.github/crd-config/config.yaml b/.github/crd-config/config.yaml index c2bb6d748..e802f1ff9 100644 --- a/.github/crd-config/config.yaml +++ b/.github/crd-config/config.yaml @@ -1,25 +1,6 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "User$" - - "UserList$" - - "UserSpec$" - - "UserStatus$" - - "UserAuthenticationSpec$" - - "UserAuthorizationSpec$" - - "UserTemplateSpec$" - - "Password$" - - "PasswordSource$" - - "ACLRule$" - - "ACLType$" - - "ACLOperation$" - - "PatternType$" - - "ResourceType$" - - "ACLResourceSpec$" - - "ClusterSource$" - - "AdminAPISpec$" - - "AdminSASL$" - - "MetadataTemplate$" render: kubernetesVersion: 1.23 knownTypes: diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6a0b56338..6328d8ee8 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -13,10 +13,6 @@ You must have the following: * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. -== Limitations - -You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. - == Create a user You can create a user using a User resource: diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index a8850ba0c..686f96406 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -12,6 +12,79 @@ Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist[$$TopicList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation"] +== ACLOperation (string) + +ACLOperation specifies the type of operation for an ACL. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec"] +== ACLResourceSpec + +ACLResourceSpec indicates the resource for which given ACL rule applies. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +| *`name`* __string__ | Name of resource for which given ACL rule applies. + +Can be combined with patternType field to use prefix pattern. 
+ +| *`patternType`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | Describes the pattern used in the resource field. The supported types are literal + +and prefixed. With literal pattern type, the resource field will be used as a definition + +of a full topic name. With prefix pattern type, the resource name will be used only as + +a prefix. Default value is literal. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule"] +== ACLRule + +ACLRule defines an ACL rule applied to the given user. + + +Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75978240 + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | +| *`resource`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$]__ | Indicates the resource for which given ACL rule applies. + +| *`host`* __string__ | The host from which the action described in the ACL rule is allowed or denied. + +If not set, it defaults to *, allowing or denying the action from any host. + +| *`operations`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$] array__ | List of operations which will be allowed or denied. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype"] +== ACLType (string) + +ACLType specifies the type, either allow or deny of an ACL rule. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] 
@@ -35,6 +108,45 @@ Admin configures settings for the Admin API listeners. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec"] +== AdminAPISpec + +AdminAPISpec defines client configuration for connecting to Redpanda's admin API. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`urls`* __string array__ | Specifies a list of broker addresses in the format : + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl"] +== AdminSASL + +AdminSASL configures credentials to connect to Redpanda cluster that has authentication enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __string__ | Specifies the username. + +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. 
+ +| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + +| *`token`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auditlogging"] == AuditLogging 
@@ -81,8 +193,37 @@ Auth configures authentication in the Helm values. See https://docs.redpanda.com |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype"] +== AuthorizationType (string) + +AuthorizationType specifies the type of authorization to use in creating a user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser"] +== BootstrapUser + +BootstrapUser configures the user used to bootstrap Redpanda when SASL is enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | Specifies the location where the generated password will be written or a pre-existing + +password will be read from. + +| *`mechanism`* __string__ | Specifies the authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-budget"] 
@@ -165,9 +306,44 @@ for hooks) during Helm actions. Defaults to `15m0s`. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref"] +== ClusterRef + +ClusterRef represents a reference to a cluster that is being targeted. +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | Name specifies the name of the cluster being referenced. + +|=== + + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource"] +== ClusterSource + +ClusterSource defines how to connect to a particular Redpanda cluster. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref[$$ClusterRef$$]__ | ClusterRef is a reference to the cluster where the object should be created. + +It is used in constructing the client created to configure a cluster. + +This takes precedence over StaticConfigurationSource. + +| *`staticConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$]__ | StaticConfiguration holds connection parameters to Kafka and Admin APIs. + +|=== + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls"] == CommonTLS 
@@ -177,6 +353,7 @@ CommonTLS specifies TLS configuration settings for Redpanda clusters that have a .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] [cols="25a,75a", options="header"] @@ -948,6 +1125,24 @@ Memory configures memory resources. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate"] +== MetadataTemplate + +MetadataTemplate defines additional metadata to associate with a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`labels`* __object (keys:string, values:string)__ | Labels specifies the Kubernetes labels to apply to a managed resource. + +| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies the Kubernetes annotations to apply to a managed resource. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-migration"] == Migration 
@@ -991,6 +1186,56 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password"] +== Password + +Password specifies a password for the user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`value`* __string__ | +| *`valueFrom`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource"] +== PasswordSource + +PasswordSource contains the source for a password. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | SecretKeyRef specifies the secret used in reading a User password. + +If the Secret exists and has a value in it, then that value is used. + +If the Secret does not exist, or is empty, a password is generated and + +stored based on this configuration. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype"] +== PatternType (string) + +PatternType specifies the type of pattern applied for ACL resource matching. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume"] == PersistentVolume @@ -1540,6 +1785,34 @@ decommissioned from the cluster and provides its ordinal number. + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate"] +== ResourceTemplate + +ResourceTemplate specifies additional configuration for a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate[$$MetadataTemplate$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype"] +== ResourceType (string) + +ResourceType specifies the type of resource an ACL is applied to. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources"] 
@@ -1577,6 +1850,7 @@ SASL configures SASL authentication in the Helm values. | *`mechanism`* __string__ | Specifies the default authentication mechanism to use for superusers. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`secretRef`* __string__ | If `users` is empty, `secretRef` specifies the name of the Secret that contains your superuser credentials in the format ::. Otherwise, `secretRef` specifies the name of the Secret that the chart creates to store the credentials in `users`. + | *`users`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems[$$UsersItems$$] array__ | Specifies a list of superuser credentials. + +| *`bootstrapUser`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser[$$BootstrapUser$$]__ | Specifies configuration about the bootstrap user. + |=== @@ -1588,7 +1862,9 @@ SASLMechanism specifies a SASL auth mechanism. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] 
@@ -1623,6 +1899,7 @@ See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] @@ -1866,6 +2143,25 @@ into this StatefulSet's PodTemplate. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource"] +== StaticConfigurationSource + +StaticConfigurationSource configures connections to a Redpanda cluster via hard-coded +connection strings and manually configured TLS and authentication parameters. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Kafka is the configuration information for communicating with the Kafka + +API of a Redpanda cluster where the object should be created. + +| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$]__ | AdminAPISpec is the configuration information for communicating with the Admin + +API of a Redpanda cluster where the object should be created. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage"] 
@@ -2184,6 +2480,165 @@ and will be removed in a future version. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user"] +== User + +User defines the CRD for a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `User` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$]__ | Defines the desired state of the Redpanda user. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus[$$UserStatus$$]__ | Represents the current status of the Redpanda user. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec"] +== UserAuthenticationSpec + +UserAuthenticationSpec defines the authentication mechanism enabled for this Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | +| *`password`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$]__ | Password specifies where a password is read from. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec"] +== UserAuthorizationSpec + +UserAuthorizationSpec defines authorization rules for this user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype[$$AuthorizationType$$]__ | +| *`acls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this user. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist"] +== UserList + +UserList contains a list of Redpanda user objects. 
+ + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `UserList` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] array__ | Specifies a list of Redpanda user resources. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec"] +== UserSpec + +UserSpec defines the configuration of a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + +It is used in constructing the client created to configure a cluster. 
+ +| *`authentication`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$]__ | Authentication defines the authentication information for a user. If no + +Authentication credentials are specified, then no user will be created. + +This is useful when wanting to manage ACLs for an already-existing user. + +| *`authorization`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$]__ | Authorization rules defined for this user. + +| *`template`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$]__ | Template to specify how user secrets are generated. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus"] +== UserStatus + +UserStatus defines the observed state of a Redpanda user + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | Specifies the last observed generation. + +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda user. + +| *`managedAcls`* __boolean__ | ManagedACLs returns whether the user has managed ACLs that need + +to be cleaned up. + +| *`managedUser`* __boolean__ | ManagedUser returns whether the user has a managed SCRAM user that need + +to be cleaned up. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec"] +== UserTemplateSpec + +UserTemplateSpec defines the template metadata (labels and annotations) +for any subresources, such as Secrets, created by a User object. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secret`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$]__ | Specifies how the Secret with a user password is generated. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems"] == UsersItems @@ -2200,4 +2655,4 @@ UsersItems configures a list of superusers in the Helm values. | *`mechanism`* __string__ | Specifies the authentication mechanism to use for superusers. Overrides the default in `SASL`. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`name`* __string__ | Specifies the name of the superuser. + | *`password`* __string__ | Specifies the superuser password. + -|=== +|=== \ No newline at end of file From 8aa1a583e6d52131b336661b90a1a61e49e8ac56 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:43:02 -0400 Subject: [PATCH 03/46] Add examples --- .../manage/examples/kubernetes/user.feature | 85 ++++++++++++++ .../pages/kubernetes/k-manage-topics.adoc | 6 +- .../authentication/k-user-controller.adoc | 104 ++++++++---------- modules/manage/partials/authentication.adoc | 1 + 4 files changed, 136 insertions(+), 60 deletions(-) create mode 100644 modules/manage/examples/kubernetes/user.feature diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature new file mode 100644 index 000000000..14852ba0d 
--- /dev/null +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -0,0 +1,85 @@ +@cluster:sasl +Feature: User CRDs + Background: Cluster available + Given cluster "sasl" is available + + @skip:gke @skip:aks @skip:eks + Scenario: Manage users + Given there is no user "bob" in cluster "sasl" + And there is no user "james" in cluster "sasl" + And there is no user "alice" in cluster "sasl" + When I create CRD-based users for cluster "sasl": + | name | password | mechanism | acls | + | bob | | SCRAM-SHA-256 | | + | james | | SCRAM-SHA-512 | | + | alice | qwerty | SCRAM-SHA-512 | | + Then "bob" should exist and be able to authenticate to the "sasl" cluster + And "james" should exist and be able to authenticate to the "sasl" cluster + And "alice" should exist and be able to authenticate to the "sasl" cluster + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authentication-only users + Given there is no user "jason" in cluster "sasl" + And there are already the following ACLs in cluster "sasl": + | user | acls | + | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | + When I apply Kubernetes manifest: + """ +# tag::manage-authn-only-manifest[] +# In this example manifest, a user called "jason" is created in a cluster called "sasl". +# The user's password is defined in a Secret called "jason-password". 
+ --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: jason + spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: jason-password + key: password +# end::manage-auth-only-manifest[] + """ +# end::scenario[] + And user "jason" is successfully synced + And I delete the CRD user "jason" + Then there should be ACLs in the cluster "sasl" for user "jason" + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authorization-only users + Given there are the following pre-existing users in cluster "sasl" + | name | password | mechanism | + | travis | password | SCRAM-SHA-256 | + When I apply Kubernetes manifest: + """ +# tag::manage-authz-only-manifest[] +# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". +# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: travis + spec: + cluster: + clusterRef: + name: sasl + authorization: + acls: + - type: allow + resource: + type: topic + name: some-topic + patternType: prefixed + operations: [Read] +# end::manage-authz-only-manifest[] + """ + And user "travis" is successfully synced + And I delete the CRD user "travis" + Then "travis" should be able to authenticate to the "sasl" cluster with password "password" and mechanism "SCRAM-SHA-256" diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index 3dc1e6a03..d22d1bc09 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc 
@@ -11,11 +11,11 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* Kubernetes cluster: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. -* https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]: Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. -* Redpanda: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. == Limitations diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6328d8ee8..38b568143 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,79 +3,48 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. -* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. +* *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. 
== Create a user -You can create a user using a User resource: +You can create a new user using a User resource: -[source,yaml] +.`new-user.yaml` +[,yaml] ---- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. -- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. -- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. -- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. +== Create an access control list (ACL) -=== Example User resource - -This example creates a user named `my-user` with SCRAM-SHA-512 authentication: - -.example-user.yaml -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password ----- +You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. -[bash] +.`new-acl.yaml` +[,yaml] ---- -kubectl apply -f example-user.yaml --namespace +include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -Replace `` with the namespace in which you deployed Redpanda. - === Specify authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. 
Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. +[,yaml] +---- +spec: + authentication: + type: scram-sha-512 +---- + If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. === Manage user secrets @@ -86,11 +55,20 @@ For example, to use a Kubernetes Secret for the password, ensure the secret exis [source,yaml] ---- -password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +spec: + authentication: + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +To create the Secret: + +[,bash] +---- +kubectl --namespace create secret generic user-secret--from-file=password.txt ---- .Example Kubernetes Secret for the user password @@ -106,6 +84,18 @@ data: password: cGFzc3dvcmQ= ---- +== Deploy a User resource + +To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: + +[bash] +---- +kubectl apply -f .yaml --namespace +---- + +- Replace `` with the filename of your manifest. +- Replace `` with the namespace in which you deployed Redpanda. + == Verify a user After deploying a User resource, verify that the Redpanda Operator reconciled it: @@ -180,5 +170,5 @@ When a user is deleted, its underlying data is removed as well. If the user has == Suggested reading -* xref:reference:k-user-crd.adoc[] +* xref:reference:k-crd.adoc[] * xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index a75ce2485..c1ca5a27a 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -43,6 +43,7 @@ You must have the following: * https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]. Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. endif::[] +[[enable]] == Enable authentication ifndef::env-kubernetes[] From 529c0b9a1f53d76334d7cd6db16aacfd3e3ec463 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:44:13 -0400 Subject: [PATCH 04/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 14852ba0d..f5b6709f0 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -46,7 +46,6 @@ Feature: User CRDs key: password # end::manage-auth-only-manifest[] """ -# end::scenario[] And user "jason" is successfully synced And I delete the CRD user "jason" Then there should be ACLs in the cluster "sasl" for user "jason" From ee585927e42fe03a43cb97bd9f0eae278e732a83 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:45:49 -0400 Subject: [PATCH 05/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f5b6709f0..805a0bf5a 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -28,6 +28,7 @@ Feature: User CRDs # tag::manage-authn-only-manifest[] # In this example manifest, a user called "jason" is created in a cluster called "sasl". # The user's password is defined in a Secret called "jason-password". +# This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User 
@@ -60,6 +61,7 @@ Feature: User CRDs # tag::manage-authz-only-manifest[] # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. +# This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User From 064e0f8e49a1177b7abf40650b00cea000ec5395 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 11:15:28 -0400 Subject: [PATCH 06/46] Explain the three options for using the User resource --- .../authentication/k-user-controller.adoc | 140 +++++++++++++----- 1 file changed, 105 insertions(+), 35 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 38b568143..97420fb09 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -1,9 +1,9 @@ = Manage Users with the Redpanda Operator -:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:description: Use the User resource to declaratively create and manage Redpanda users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites 
@@ -14,9 +14,21 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== Create a user +== User resource management -You can create a new user using a User resource: +When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. + +[NOTE] +==== +You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. +==== + +=== Manage new users (authentication only) + +- *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. +- *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. + +This example shows how to manage the creation and authentication of a user without configuring ACLs. .`new-user.yaml` [,yaml] 
@@ -24,9 +36,12 @@ You can create a new user using a User resource: include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -== Create an access control list (ACL) +=== Manage existing users (authorization only) -You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. +- *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). +- *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. + +This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` [,yaml] 
@@ -34,11 +49,52 @@ You can create a new ACL for existing users in your cluster using the User resou include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Specify authentication type +=== Manage both authentication and authorization + +- *Use case*: You want to manage both user credentials and ACLs within the same resource. +- *What happens when deleted*: Both the user and the associated ACLs are removed. + +This example shows how to manage both authentication and ACLs for a user within the same User resource. + +.`new-user-and-acl.yaml` +[source,yaml] +---- +# In this example manifest, the user "full-user" is created and managed for both authentication and authorization. +# The user is granted both read and write access to the topic critical-topic. +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: full-user +spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: full-user-secret + key: password + authorization: + acls: + - type: allow + resource: + type: topic + name: critical-topic + patternType: literal + operations: [Read,Write] +---- + +== Configuration advice + +The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. + +=== Choose an authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. -[,yaml] +[source,yaml] ---- spec: authentication: 
@@ -64,14 +120,14 @@ spec: key: password ---- -To create the Secret: +To create the Secret from a file: -[,bash] +[source,bash] ---- -kubectl --namespace create secret generic user-secret--from-file=password.txt +kubectl --namespace create secret generic user-secret --from-file= ---- -.Example Kubernetes Secret for the user password +.Example: Kubernetes Secret for User Password [source,yaml] ---- apiVersion: v1 @@ -80,10 +136,37 @@ metadata: name: user-secret type: Opaque data: - # base64-encoded password - password: cGFzc3dvcmQ= + password: cGFzc3dvcmQ= # base64-encoded password ---- +=== Define ACLs + +The `spec.authorization` field allows you to manage ACLs for users. ACLs define the permissions users have over specific resources in Redpanda, such as topics, consumer groups, and clusters. + +You can define ACLs for a user by specifying which resources they can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs: + +[source,yaml] +---- +spec: + authorization: + acls: + - type: allow + resource: + type: topic + name: my-topic + patternType: literal + operations: [Read, Write] +---- + +- `type`: Defines whether the ACL is `allow` or `deny`. +- `resource.type`: Specifies the resource type. +- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. +- `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`. + +For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. + +TIP: Use specific resource names where possible. Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. + == Deploy a User resource To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: 
@@ -133,28 +216,9 @@ Example output: To update a user, edit the User resource configuration and apply the changes. -For example, to change the authentication method: - -.`updated-user.yaml` -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - authentication: - type: scram-sha-256 - cluster: - clusterRef: - name: redpanda-cluster ----- - -Apply the changes: - [bash] ---- -kubectl apply -f updated-user.yaml --namespace +kubectl apply -f .yaml --namespace ---- == Delete a user @@ -166,7 +230,13 @@ To delete a user, delete the User resource: kubectl delete -f example-user.yaml --namespace ---- -When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. +When a User resource is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. + +Deleting a User resource will have different impacts depending on how it is configured: + +- **Authentication-only**: When a User resource managing only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a User resource managing only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. +- **Full user management (both authentication and authorization)**: When the resource manages both, the user and its associated ACLs are removed. == Suggested reading From 6bc505bf00d0a6653748b408b4850cde0c29e57b Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 14:03:11 -0400 Subject: [PATCH 07/46] Add action to pull acceptance tests --- .github/workflows/fetch-acceptance-tests.yml | 55 ++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/fetch-acceptance-tests.yml 
diff --git a/.github/workflows/fetch-acceptance-tests.yml b/.github/workflows/fetch-acceptance-tests.yml new file mode 100644 index 000000000..a83d8991d --- /dev/null +++ b/.github/workflows/fetch-acceptance-tests.yml @@ -0,0 +1,55 @@ +--- + name: Fetch and Save K8s Acceptance Tests + on: + workflow_dispatch: # Allows manual trigger of the workflow + repository_dispatch: # Allows other repositories to trigger this workflow + types: [trigger-acceptance-test-pull] + jobs: + fetch-and-save: + runs-on: ubuntu-latest + steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true + + - name: Checkout the repository + uses: actions/checkout@v4 + with: + ref: api + token: ${{ env.ACTIONS_BOT_TOKEN }} + path: redpanda-docs + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + - name: Install dependencies + run: | + cd ./redpanda-docs/scripts/fetch-from-github + npm install + + - name: Run the script and save the output + run: node ./redpanda-docs/scripts/fetch-from-github/fetch.js redpanda-data redpanda-operator acceptance/features ../../modules/manage/examples/kubernetes + env: + VBOT_GITHUB_API_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} + + - name: Create pull request + uses: peter-evans/create-pull-request@v6 + with: + commit-message: "auto-docs: Update K8s acceptance tests" + token: ${{ env.ACTIONS_BOT_TOKEN }} + branch: update-acceptance-tests + title: "auto-docs: Update K8s acceptance tests" + body: "This PR auto-updates the acceptance tests that we use as examples in our Kubernetes docs." + labels: auto-docs + reviewers: JakeSCahill \ No newline at end of file 
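Review bot: In the `Create pull request` step, `peter-evans/create-pull-request@v6` is given no `path:` input, but the checkout step cloned the repository into `path: redpanda-docs`, so the action looks for a git repository at the workspace root and does not find one; add `path: redpanda-docs` to that step. Two hardening points on the same file: the `configure aws credentials` step uses long-lived keys (`aws-access-key-id` and `aws-secret-access-key` from repository secrets) where `role-to-assume` with GitHub OIDC would avoid storing static credentials, and the workflow declares no `permissions:` block and references every action by a movable tag (`@v4`, `@v6`) even though `ACTIONS_BOT_TOKEN` is handed to a third-party action. Pinning the actions to commit SHAs and declaring minimal `permissions:` would narrow that exposure.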
From a0f6862f598a527967aa974a67faa63c474943c5 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 16:05:42 -0400 Subject: [PATCH 08/46] Add details about autogenerated Secrets/passwords --- .../authentication/k-user-controller.adoc | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 97420fb09..b81bc206c 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -14,7 +14,7 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== User resource management +== Create a user When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
@@ -105,9 +105,15 @@ If no authentication credentials are provided, no user will be created, but ACLs === Manage user secrets -Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. +Redpanda users require a password, which you can provide directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. The Redpanda operator offers flexibility in how these secrets are handled: -For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: +- If the Secret exists and the key exists within that Secret, the existing password will be used. +- If the Secret exists but the key does not exist, the Secret will be updated with an autogenerated password. +- If the Secret does not exist, a new Secret with the provided key will be created with an autogenerated password. + +This behavior ensures that you can manage user credentials securely and programmatically, while also automating password generation if necessary. + +To use an existing Kubernetes Secret, ensure that the Secret and key are both defined. For example: [source,yaml] ---- 
@@ -120,24 +126,16 @@ spec: key: password ---- -To create the Secret from a file: +This example assumes that a Kubernetes Secret named `user-secret` with a key `password` exists. If the Secret does not exist or the key is missing, the Redpanda Operator will handle it by creating or updating the Secret with an autogenerated password. The autogenerated password will follow best practices for secure password generation. + +If you need to create a Secret, you can use the following command as an example: [source,bash] ---- -kubectl --namespace create secret generic user-secret --from-file= +kubectl --namespace create secret generic user-secret --from-file=password.txt ---- -.Example: Kubernetes Secret for User Password -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: user-secret -type: Opaque -data: - password: cGFzc3dvcmQ= # base64-encoded password ----- +In this example, the `password.txt` file contains the password you want to use. === Define ACLs From 0ff2e7dcead982cf9db75d40ad60a5c3e0a13bbe Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 17:17:25 -0400 Subject: [PATCH 09/46] Improve structure and add term --- .../manage/examples/kubernetes/user.feature | 2 +- .../pages/kubernetes/k-manage-topics.adoc | 2 -- .../authentication/k-user-controller.adoc | 25 +++++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 805a0bf5a..f95bb8403 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password -# end::manage-auth-only-manifest[] +# end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" 
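Review bot: In the PATCH 08/46 hunk for `k-user-controller.adoc` (`@@ -120,24 +126,16 @@`), the command `kubectl ... create secret generic user-secret --from-file=password.txt` stores the value under the key `password.txt`, not `password`, while the manifest just above it reads `secretKeyRef` with `key: password`. Given the behaviour documented in the same patch ("If the Secret exists but the key does not exist, the Secret will be updated with an autogenerated password"), a reader following these steps ends up with an autogenerated password instead of the one in the file, with no error. Use `--from-file=password=password.txt`, and mention that a trailing newline in the file becomes part of the password. The prose in the preceding hunk also names the fields `spec.password.value` and `spec.password.valueFrom.secretKeyRef`, but the YAML nests them under `spec.authentication.password`; the two should agree.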
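Review bot: The end-tag fix in `user.feature` (`manage-auth-only-manifest` to `manage-authn-only-manifest`) is made in the docs copy under `modules/manage/examples/kubernetes`, which is the directory the workflow from PATCH 07/46 fills from `redpanda-operator` `acceptance/features`. If this file is one of the fetched ones, the next auto-docs PR will bring back the mismatched tag and the `include::` with `tags=manage-authn-only-manifest` in `k-user-controller.adoc` will again point at a tag region that is never closed. Make the same change in the upstream feature file, or state in the commit message that it has already been made there.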
diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index d22d1bc09..f34b45cd9 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc @@ -11,8 +11,6 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. - * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index b81bc206c..d463879a4 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,27 +3,28 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. == Create a user -When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
+You can use the User resource to: -[NOTE] -==== -You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. -==== +- <> +- <> +- <> -=== Manage new users (authentication only) +Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. + +[[no-acl]] +=== Create a new user without any ACLs - *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. - *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. @@ -36,7 +37,8 @@ This example shows how to manage the creation and authentication of a user witho include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -=== Manage existing users (authorization only) +[[only-acl]] +=== Create only ACLs for a user - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. 
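Review bot: The new heading `=== Create only ACLs for a user` in the `@@ -36,7 +37,8 @@` hunk drops the word "existing", which the old heading carried and which the use-case bullet directly below still depends on ("manage ACLs for an existing user"). This mode does not create the user, so a heading such as "Create ACLs for an existing user" keeps that precondition visible in the table of contents and in the `<<only-acl>>` link text.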
@@ -49,7 +51,8 @@ This example shows how to manage only the ACLs for an existing user in the Redpa include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Manage both authentication and authorization +[[both]] +=== Create a new user and its ACLs - *Use case*: You want to manage both user credentials and ACLs within the same resource. - *What happens when deleted*: Both the user and the associated ACLs are removed. @@ -88,7 +91,7 @@ spec: == Configuration advice -The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. +The following sections provide guidance on setting up user authentication, managing secrets, and defining ACLs within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. === Choose an authentication type From 0d4081f42f05f0c30f3b96921cb8dd98dfa0f046 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Wed, 2 Oct 2024 12:26:09 -0300 Subject: [PATCH 10/46] Update config for new beta --- antora.yml | 8 +++++--- local-antora-playbook.yml | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/antora.yml b/antora.yml index 3d523ea36..199c01566 100644 --- a/antora.yml +++ b/antora.yml 
@@ -1,6 +1,8 @@ name: ROOT title: Self-Managed -version: 24.2 +version: 24.3 +display_version: '24.3 Beta' +prerelease: true start_page: home:index.adoc nav: - modules/ROOT/nav.adoc @@ -15,11 +17,11 @@ asciidoc: # Fallback versions # We try to fetch the latest from GitHub at build time # -- - full-version: 24.2.2 + full-version: 24.3.1 latest-release-commit: '72ba3d3' latest-operator-version: 'v2.2.0-24.2.2' latest-redpanda-helm-chart-version: 5.8.3 - redpanda-beta-version: 24.2.2-rc5 + redpanda-beta-version: 24.3.1-rc1 # -- supported-kubernetes-version: 1.21 supported-helm-version: 3.10.0 diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml index cc6752aef..d32991c5d 100644 --- a/local-antora-playbook.yml +++ b/local-antora-playbook.yml @@ -15,7 +15,7 @@ content: - url: . branches: HEAD - url: https://github.com/redpanda-data/docs - branches: [v/*, api, shared, site-search,'!v-end-of-life/*'] + branches: [main,v/*, api, shared, site-search,'!v-end-of-life/*'] - url: https://github.com/redpanda-data/cloud-docs branches: main - url: https://github.com/redpanda-data/redpanda-labs From eb9b7ce1edf1188e27472951c868f76493177076 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 10 Sep 2024 15:50:43 +0100 Subject: [PATCH 11/46] First draft --- .../authentication/k-user-controller.adoc | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc new file mode 100644 index 000000000..6a0b56338 --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -0,0 +1,188 @@ += Manage Users with the Redpanda Operator +:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:page-categories: Management, Development +:env-kubernetes: true + +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. + +== Prerequisites + +You must have the following: + +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. + +== Limitations + +You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. 
+ +== Create a user + +You can create a user using a User resource: + +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. +- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. +- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. +- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. + +=== Example User resource + +This example creates a user named `my-user` with SCRAM-SHA-512 authentication: + +.example-user.yaml +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +[bash] +---- +kubectl apply -f example-user.yaml --namespace +---- + +Replace `` with the namespace in which you deployed Redpanda. + +=== Specify authentication type + +You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. + +If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. + +=== Manage user secrets + +Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. 
+ +For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: + +[source,yaml] +---- +password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +.Example Kubernetes Secret for the user password +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: user-secret +type: Opaque +data: + # base64-encoded password + password: cGFzc3dvcmQ= +---- + +== Verify a user + +After deploying a User resource, verify that the Redpanda Operator reconciled it: + +[bash] +---- +kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace +---- + +Example output: + +[source,json] +---- +{ + "level": "info", + "ts": "2024-09-25T16:20:09.538Z", + "logger": "UserReconciler.Reconcile", + "msg": "Starting reconcile loop", + "controller": "user", + "User": { + "name": "my-user", + "namespace": "" + }, + "reconcileID": "c0cf9abc-a553-48b7-9b6e-2de3cdfb4432" +} +{ + "level": "info", + "ts": "2024-09-25T16:20:09.581Z", + "logger": "UserReconciler.Reconcile", + "msg": "Reconciliation finished in 43.436125ms, next run in 3s", +} +---- + +== Update a user + +To update a user, edit the User resource configuration and apply the changes. + +For example, to change the authentication method: + +.`updated-user.yaml` +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + authentication: + type: scram-sha-256 + cluster: + clusterRef: + name: redpanda-cluster +---- + +Apply the changes: + +[bash] +---- +kubectl apply -f updated-user.yaml --namespace +---- + +== Delete a user + +To delete a user, delete the User resource: + +[bash] +---- +kubectl delete -f example-user.yaml --namespace +---- + +When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. 
+ +== Suggested reading + +* xref:reference:k-user-crd.adoc[] +* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file From dcff66feb7c12030b8383f6186f94c9f50827252 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Wed, 18 Sep 2024 17:04:19 +0100 Subject: [PATCH 12/46] First draft --- .github/crd-config/config.yaml | 19 - .../authentication/k-user-controller.adoc | 4 - modules/reference/pages/k-crd.adoc | 457 +++++++++++++++++- 3 files changed, 456 insertions(+), 24 deletions(-) diff --git a/.github/crd-config/config.yaml b/.github/crd-config/config.yaml index c2bb6d748..e802f1ff9 100644 --- a/.github/crd-config/config.yaml +++ b/.github/crd-config/config.yaml @@ -1,25 +1,6 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "User$" - - "UserList$" - - "UserSpec$" - - "UserStatus$" - - "UserAuthenticationSpec$" - - "UserAuthorizationSpec$" - - "UserTemplateSpec$" - - "Password$" - - "PasswordSource$" - - "ACLRule$" - - "ACLType$" - - "ACLOperation$" - - "PatternType$" - - "ResourceType$" - - "ACLResourceSpec$" - - "ClusterSource$" - - "AdminAPISpec$" - - "AdminSASL$" - - "MetadataTemplate$" render: kubernetesVersion: 1.23 knownTypes: diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6a0b56338..6328d8ee8 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -13,10 +13,6 @@ You must have the following: * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. -== Limitations - -You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. - == Create a user You can create a user using a User resource: diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index a8850ba0c..686f96406 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -12,6 +12,79 @@ Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist[$$TopicList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation"] +== ACLOperation (string) + +ACLOperation specifies the type of operation for an ACL. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec"] +== ACLResourceSpec + +ACLResourceSpec indicates the resource for which given ACL rule applies. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +| *`name`* __string__ | Name of resource for which given ACL rule applies. + +Can be combined with patternType field to use prefix pattern. 
+ +| *`patternType`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | Describes the pattern used in the resource field. The supported types are literal + +and prefixed. With literal pattern type, the resource field will be used as a definition + +of a full topic name. With prefix pattern type, the resource name will be used only as + +a prefix. Default value is literal. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule"] +== ACLRule + +ACLRule defines an ACL rule applied to the given user. + + +Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75978240 + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | +| *`resource`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$]__ | Indicates the resource for which given ACL rule applies. + +| *`host`* __string__ | The host from which the action described in the ACL rule is allowed or denied. + +If not set, it defaults to *, allowing or denying the action from any host. + +| *`operations`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$] array__ | List of operations which will be allowed or denied. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype"] +== ACLType (string) + +ACLType specifies the type, either allow or deny of an ACL rule. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] 
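Review bot: ACLOperation and ACLType are documented without their allowed values, and the `type` rows in both the ACLResourceSpec and ACLRule tables have empty descriptions, so a reader cannot write a valid ACL rule from this page. This reference is generated (see `.github/crd-config/config.yaml`), so the fix belongs in the doc comments of those Go types in the operator, followed by a regeneration. The `patternType` description also says "literal and prefixed" and then "prefix pattern type"; use the one spelling the API accepts.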
@@ -35,6 +108,45 @@ Admin configures settings for the Admin API listeners. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec"] +== AdminAPISpec + +AdminAPISpec defines client configuration for connecting to Redpanda's admin API. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`urls`* __string array__ | Specifies a list of broker addresses in the format : + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl"] +== AdminSASL + +AdminSASL configures credentials to connect to Redpanda cluster that has authentication enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __string__ | Specifies the username. + +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. 
+ +| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + +| *`token`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auditlogging"] == AuditLogging 
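Review bot: The `token` row in the AdminSASL table has an empty description, and nothing explains how it relates to `username`, `passwordSecretRef` and `mechanism`. Document what kind of token this is and which of these fields must be set together, since this table is where readers look up how the operator authenticates to the Admin API.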
@@ -81,8 +193,37 @@ Auth configures authentication in the Helm values. See https://docs.redpanda.com |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype"] +== AuthorizationType (string) + +AuthorizationType specifies the type of authorization to use in creating a user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser"] +== BootstrapUser + +BootstrapUser configures the user used to bootstrap Redpanda when SASL is enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | Specifies the location where the generated password will be written or a pre-existing + +password will be read from. + +| *`mechanism`* __string__ | Specifies the authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-budget"] 
@@ -165,9 +306,44 @@ for hooks) during Helm actions. Defaults to `15m0s`. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref"] +== ClusterRef + +ClusterRef represents a reference to a cluster that is being targeted. +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | Name specifies the name of the cluster being referenced. + +|=== + + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource"] +== ClusterSource + +ClusterSource defines how to connect to a particular Redpanda cluster. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref[$$ClusterRef$$]__ | ClusterRef is a reference to the cluster where the object should be created. + +It is used in constructing the client created to configure a cluster. + +This takes precedence over StaticConfigurationSource. + +| *`staticConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$]__ | StaticConfiguration holds connection parameters to Kafka and Admin APIs. + +|=== + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls"] == CommonTLS 
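Review bot: The `clusterRef` description in ClusterSource says it "takes precedence over StaticConfigurationSource", but the competing field is named `staticConfiguration`, and the text does not say whether setting both is accepted or rejected. Refer to the field by its name and state what happens when both are set, so a reader does not expect the static connection settings to be used when they are ignored.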
@@ -177,6 +353,7 @@ CommonTLS specifies TLS configuration settings for Redpanda clusters that have a .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] [cols="25a,75a", options="header"] @@ -948,6 +1125,24 @@ Memory configures memory resources. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate"] +== MetadataTemplate + +MetadataTemplate defines additional metadata to associate with a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`labels`* __object (keys:string, values:string)__ | Labels specifies the Kubernetes labels to apply to a managed resource. + +| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies the Kubernetes annotations to apply to a managed resource. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-migration"] == Migration 
@@ -991,6 +1186,56 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password"] +== Password + +Password specifies a password for the user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`value`* __string__ | +| *`valueFrom`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource"] +== PasswordSource + +PasswordSource contains the source for a password. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | SecretKeyRef specifies the secret used in reading a User password. + +If the Secret exists and has a value in it, then that value is used. + +If the Secret does not exist, or is empty, a password is generated and + +stored based on this configuration. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype"] +== PatternType (string) + +PatternType specifies the type of pattern applied for ACL resource matching. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume"] == PersistentVolume @@ -1540,6 +1785,34 @@ decommissioned from the cluster and provides its ordinal number. + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate"] +== ResourceTemplate + +ResourceTemplate specifies additional configuration for a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate[$$MetadataTemplate$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype"] +== ResourceType (string) + +ResourceType specifies the type of resource an ACL is applied to. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources"] 
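Review bot: In the `@@ -991,6 +1186,56 @@` hunk, both rows of the Password table (`value` and `valueFrom`) have empty descriptions. `value` is a plain-text password held in the User resource, which should be stated here along with which field is used if both are set. The PasswordSource text ("If the Secret does not exist, or is empty, a password is generated") also does not match the user guide in this series, which separates a missing Secret from a missing key; the two pages should describe the same cases.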
@@ -1577,6 +1850,7 @@ SASL configures SASL authentication in the Helm values. | *`mechanism`* __string__ | Specifies the default authentication mechanism to use for superusers. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`secretRef`* __string__ | If `users` is empty, `secretRef` specifies the name of the Secret that contains your superuser credentials in the format ::. Otherwise, `secretRef` specifies the name of the Secret that the chart creates to store the credentials in `users`. + | *`users`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems[$$UsersItems$$] array__ | Specifies a list of superuser credentials. + +| *`bootstrapUser`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser[$$BootstrapUser$$]__ | Specifies configuration about the bootstrap user. + |=== @@ -1588,7 +1862,9 @@ SASLMechanism specifies a SASL auth mechanism. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] 
@@ -1623,6 +1899,7 @@ See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] @@ -1866,6 +2143,25 @@ into this StatefulSet's PodTemplate. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource"] +== StaticConfigurationSource + +StaticConfigurationSource configures connections to a Redpanda cluster via hard-coded +connection strings and manually configured TLS and authentication parameters. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Kafka is the configuration information for communicating with the Kafka + +API of a Redpanda cluster where the object should be created. + +| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$]__ | AdminAPISpec is the configuration information for communicating with the Admin + +API of a Redpanda cluster where the object should be created. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage"] 
@@ -2184,6 +2480,165 @@ and will be removed in a future version. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user"] +== User + +User defines the CRD for a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `User` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$]__ | Defines the desired state of the Redpanda user. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus[$$UserStatus$$]__ | Represents the current status of the Redpanda user. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec"] +== UserAuthenticationSpec + +UserAuthenticationSpec defines the authentication mechanism enabled for this Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | +| *`password`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$]__ | Password specifies where a password is read from. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec"] +== UserAuthorizationSpec + +UserAuthorizationSpec defines authorization rules for this user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype[$$AuthorizationType$$]__ | +| *`acls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this user. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist"] +== UserList + +UserList contains a list of Redpanda user objects. 
+ + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `UserList` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] array__ | Specifies a list of Redpanda user resources. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec"] +== UserSpec + +UserSpec defines the configuration of a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + +It is used in constructing the client created to configure a cluster. 
+ +| *`authentication`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$]__ | Authentication defines the authentication information for a user. If no + +Authentication credentials are specified, then no user will be created. + +This is useful when wanting to manage ACLs for an already-existing user. + +| *`authorization`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$]__ | Authorization rules defined for this user. + +| *`template`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$]__ | Template to specify how user secrets are generated. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus"] +== UserStatus + +UserStatus defines the observed state of a Redpanda user + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | Specifies the last observed generation. + +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda user. + +| *`managedAcls`* __boolean__ | ManagedACLs returns whether the user has managed ACLs that need + +to be cleaned up. + +| *`managedUser`* __boolean__ | ManagedUser returns whether the user has a managed SCRAM user that need + +to be cleaned up. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec"] +== UserTemplateSpec + +UserTemplateSpec defines the template metadata (labels and annotations) +for any subresources, such as Secrets, created by a User object. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secret`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$]__ | Specifies how the Secret with a user password is generated. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems"] == UsersItems @@ -2200,4 +2655,4 @@ UsersItems configures a list of superusers in the Helm values. | *`mechanism`* __string__ | Specifies the authentication mechanism to use for superusers. Overrides the default in `SASL`. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`name`* __string__ | Specifies the name of the superuser. + | *`password`* __string__ | Specifies the superuser password. + -|=== +|=== \ No newline at end of file From eea0939aa789e6837c80cd8f173eb3370e6bdbc9 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:43:02 -0400 Subject: [PATCH 13/46] Add examples --- .../manage/examples/kubernetes/user.feature | 85 ++++++++++++++ .../pages/kubernetes/k-manage-topics.adoc | 6 +- .../authentication/k-user-controller.adoc | 104 ++++++++---------- modules/manage/partials/authentication.adoc | 1 + 4 files changed, 136 insertions(+), 60 deletions(-) create mode 100644 modules/manage/examples/kubernetes/user.feature diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature new file mode 100644 index 000000000..14852ba0d 
--- /dev/null +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -0,0 +1,85 @@ +@cluster:sasl +Feature: User CRDs + Background: Cluster available + Given cluster "sasl" is available + + @skip:gke @skip:aks @skip:eks + Scenario: Manage users + Given there is no user "bob" in cluster "sasl" + And there is no user "james" in cluster "sasl" + And there is no user "alice" in cluster "sasl" + When I create CRD-based users for cluster "sasl": + | name | password | mechanism | acls | + | bob | | SCRAM-SHA-256 | | + | james | | SCRAM-SHA-512 | | + | alice | qwerty | SCRAM-SHA-512 | | + Then "bob" should exist and be able to authenticate to the "sasl" cluster + And "james" should exist and be able to authenticate to the "sasl" cluster + And "alice" should exist and be able to authenticate to the "sasl" cluster + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authentication-only users + Given there is no user "jason" in cluster "sasl" + And there are already the following ACLs in cluster "sasl": + | user | acls | + | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | + When I apply Kubernetes manifest: + """ +# tag::manage-authn-only-manifest[] +# In this example manifest, a user called "jason" is created in a cluster called "sasl". +# The user's password is defined in a Secret called "jason-password". 
+ --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: jason + spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: jason-password + key: password +# end::manage-auth-only-manifest[] + """ +# end::scenario[] + And user "jason" is successfully synced + And I delete the CRD user "jason" + Then there should be ACLs in the cluster "sasl" for user "jason" + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authorization-only users + Given there are the following pre-existing users in cluster "sasl" + | name | password | mechanism | + | travis | password | SCRAM-SHA-256 | + When I apply Kubernetes manifest: + """ +# tag::manage-authz-only-manifest[] +# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". +# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: travis + spec: + cluster: + clusterRef: + name: sasl + authorization: + acls: + - type: allow + resource: + type: topic + name: some-topic + patternType: prefixed + operations: [Read] +# end::manage-authz-only-manifest[] + """ + And user "travis" is successfully synced + And I delete the CRD user "travis" + Then "travis" should be able to authenticate to the "sasl" cluster with password "password" and mechanism "SCRAM-SHA-256" diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index 3dc1e6a03..d22d1bc09 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc 
@@ -11,11 +11,11 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* Kubernetes cluster: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. -* https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]: Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. -* Redpanda: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. == Limitations diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6328d8ee8..38b568143 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,79 +3,48 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. -* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. +* *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. 
== Create a user -You can create a user using a User resource: +You can create a new user using a User resource: -[source,yaml] +.`new-user.yaml` +[,yaml] ---- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. -- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. -- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. -- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. +== Create an access control list (ACL) -=== Example User resource - -This example creates a user named `my-user` with SCRAM-SHA-512 authentication: - -.example-user.yaml -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password ----- +You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. -[bash] +.`new-acl.yaml` +[,yaml] ---- -kubectl apply -f example-user.yaml --namespace +include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -Replace `` with the namespace in which you deployed Redpanda. - === Specify authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. 
Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. +[,yaml] +---- +spec: + authentication: + type: scram-sha-512 +---- + If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. === Manage user secrets @@ -86,11 +55,20 @@ For example, to use a Kubernetes Secret for the password, ensure the secret exis [source,yaml] ---- -password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +spec: + authentication: + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +To create the Secret: + +[,bash] +---- +kubectl --namespace create secret generic user-secret--from-file=password.txt ---- .Example Kubernetes Secret for the user password @@ -106,6 +84,18 @@ data: password: cGFzc3dvcmQ= ---- +== Deploy a User resource + +To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: + +[bash] +---- +kubectl apply -f .yaml --namespace +---- + +- Replace `` with the filename of your manifest. +- Replace `` with the namespace in which you deployed Redpanda. + == Verify a user After deploying a User resource, verify that the Redpanda Operator reconciled it: @@ -180,5 +170,5 @@ When a user is deleted, its underlying data is removed as well. If the user has == Suggested reading -* xref:reference:k-user-crd.adoc[] +* xref:reference:k-crd.adoc[] * xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index ef553e050..f5171f923 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -43,6 +43,7 @@ You must have the following: * https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]. Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. endif::[] +[[enable]] == Enable authentication ifndef::env-kubernetes[] From fbc6488d8509d1e524c76770262fe425f54ced9c Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:44:13 -0400 Subject: [PATCH 14/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 14852ba0d..f5b6709f0 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -46,7 +46,6 @@ Feature: User CRDs key: password # end::manage-auth-only-manifest[] """ -# end::scenario[] And user "jason" is successfully synced And I delete the CRD user "jason" Then there should be ACLs in the cluster "sasl" for user "jason" From 3764a79d4d4c24ab1a98af31a8cb926eb723562f Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:45:49 -0400 Subject: [PATCH 15/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f5b6709f0..805a0bf5a 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -28,6 +28,7 @@ Feature: User CRDs # tag::manage-authn-only-manifest[] # In this example manifest, a user called "jason" is created in a cluster called "sasl". # The user's password is defined in a Secret called "jason-password". +# This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User 
@@ -60,6 +61,7 @@ Feature: User CRDs # tag::manage-authz-only-manifest[] # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. +# This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User From 2f1e8b8344f9383976d43406bdc8bca45d5bb34c Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 11:15:28 -0400 Subject: [PATCH 16/46] Explain the three options for using the User resource --- .../authentication/k-user-controller.adoc | 140 +++++++++++++----- 1 file changed, 105 insertions(+), 35 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 38b568143..97420fb09 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -1,9 +1,9 @@ = Manage Users with the Redpanda Operator -:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:description: Use the User resource to declaratively create and manage Redpanda users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites 
@@ -14,9 +14,21 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== Create a user +== User resource management -You can create a new user using a User resource: +When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. + +[NOTE] +==== +You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. +==== + +=== Manage new users (authentication only) + +- *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. +- *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. + +This example shows how to manage the creation and authentication of a user without configuring ACLs. .`new-user.yaml` [,yaml] 
@@ -24,9 +36,12 @@ You can create a new user using a User resource: include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -== Create an access control list (ACL) +=== Manage existing users (authorization only) -You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. +- *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). +- *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. + +This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` [,yaml] 
@@ -34,11 +49,52 @@ You can create a new ACL for existing users in your cluster using the User resou include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Specify authentication type +=== Manage both authentication and authorization + +- *Use case*: You want to manage both user credentials and ACLs within the same resource. +- *What happens when deleted*: Both the user and the associated ACLs are removed. + +This example shows how to manage both authentication and ACLs for a user within the same User resource. + +.`new-user-and-acl.yaml` +[source,yaml] +---- +# In this example manifest, the user "full-user" is created and managed for both authentication and authorization. +# The user is granted both read and write access to the topic critical-topic. +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: full-user +spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: full-user-secret + key: password + authorization: + acls: + - type: allow + resource: + type: topic + name: critical-topic + patternType: literal + operations: [Read,Write] +---- + +== Configuration advice + +The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. + +=== Choose an authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. -[,yaml] +[source,yaml] ---- spec: authentication: 
@@ -64,14 +120,14 @@ spec: key: password ---- -To create the Secret: +To create the Secret from a file: -[,bash] +[source,bash] ---- -kubectl --namespace create secret generic user-secret--from-file=password.txt +kubectl --namespace create secret generic user-secret --from-file= ---- -.Example Kubernetes Secret for the user password +.Example: Kubernetes Secret for User Password [source,yaml] ---- apiVersion: v1 @@ -80,10 +136,37 @@ metadata: name: user-secret type: Opaque data: - # base64-encoded password - password: cGFzc3dvcmQ= + password: cGFzc3dvcmQ= # base64-encoded password ---- +=== Define ACLs + +The `spec.authorization` field allows you to manage ACLs for users. ACLs define the permissions users have over specific resources in Redpanda, such as topics, consumer groups, and clusters. + +You can define ACLs for a user by specifying which resources they can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs: + +[source,yaml] +---- +spec: + authorization: + acls: + - type: allow + resource: + type: topic + name: my-topic + patternType: literal + operations: [Read, Write] +---- + +- `type`: Defines whether the ACL is `allow` or `deny`. +- `resource.type`: Specifies the resource type. +- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. +- `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`. + +For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. + +TIP: Use specific resource names where possible. Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. + == Deploy a User resource To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: 
@@ -133,28 +216,9 @@ Example output: To update a user, edit the User resource configuration and apply the changes. -For example, to change the authentication method: - -.`updated-user.yaml` -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - authentication: - type: scram-sha-256 - cluster: - clusterRef: - name: redpanda-cluster ----- - -Apply the changes: - [bash] ---- -kubectl apply -f updated-user.yaml --namespace +kubectl apply -f .yaml --namespace ---- == Delete a user @@ -166,7 +230,13 @@ To delete a user, delete the User resource: kubectl delete -f example-user.yaml --namespace ---- -When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. +When a User resource is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. + +Deleting a User resource will have different impacts depending on how it is configured: + +- **Authentication-only**: When a User resource managing only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a User resource managing only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. +- **Full user management (both authentication and authorization)**: When the resource manages both, the user and its associated ACLs are removed. == Suggested reading From 9e92cd9b7b9ab347ac39a3edbccece0cbec64f84 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 14:03:11 -0400 Subject: [PATCH 17/46] Add action to pull acceptance tests --- .github/workflows/fetch-acceptance-tests.yml | 55 ++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/fetch-acceptance-tests.yml 
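Review bot: In the `@@ -166,7 +230,13 @@` hunk of k-user-controller.adoc, the retained sentence "If the user has ACLs, those ACLs are also removed" conflicts with the new Authentication-only bullet, which says that ACLs not managed by the same resource remain in place. Drop or qualify that sentence so the three bullets are the single statement of delete behavior.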
diff --git a/.github/workflows/fetch-acceptance-tests.yml b/.github/workflows/fetch-acceptance-tests.yml new file mode 100644 index 000000000..a83d8991d --- /dev/null +++ b/.github/workflows/fetch-acceptance-tests.yml @@ -0,0 +1,55 @@ +--- + name: Fetch and Save K8s Acceptance Tests + on: + workflow_dispatch: # Allows manual trigger of the workflow + repository_dispatch: # Allows other repositories to trigger this workflow + types: [trigger-acceptance-test-pull] + jobs: + fetch-and-save: + runs-on: ubuntu-latest + steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true + + - name: Checkout the repository + uses: actions/checkout@v4 + with: + ref: api + token: ${{ env.ACTIONS_BOT_TOKEN }} + path: redpanda-docs + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + - name: Install dependencies + run: | + cd ./redpanda-docs/scripts/fetch-from-github + npm install + + - name: Run the script and save the output + run: node ./redpanda-docs/scripts/fetch-from-github/fetch.js redpanda-data redpanda-operator acceptance/features ../../modules/manage/examples/kubernetes + env: + VBOT_GITHUB_API_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} + + - name: Create pull request + uses: peter-evans/create-pull-request@v6 + with: + commit-message: "auto-docs: Update K8s acceptance tests" + token: ${{ env.ACTIONS_BOT_TOKEN }} + branch: update-acceptance-tests + title: "auto-docs: Update K8s acceptance tests" + body: "This PR auto-updates the acceptance tests that we use as examples in our Kubernetes docs." + labels: auto-docs + reviewers: JakeSCahill \ No newline at end of file 
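Review bot: Later steps read `${{ env.ACTIONS_BOT_TOKEN }}`, so the Secrets Manager step has placed the bot token in the job environment, and the `npm install` step therefore runs package lifecycle scripts with that token readable. Consider `npm ci --ignore-scripts` if a lockfile is committed, and pass the token only to the steps that need it. The five actions are referenced by mutable tags (`aws-actions/configure-aws-credentials@v4`, `aws-actions/aws-secretsmanager-get-secrets@v2`, `actions/checkout@v4`, `actions/setup-node@v4`, `peter-evans/create-pull-request@v6`); pinning them to commit SHAs keeps a retagged release from running with these credentials. The workflow also has no `permissions:` block, authenticates to AWS with static access keys, and ends without a trailing newline.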
From 4e0ad62371e12c2bd9f83dcb9b86e6fcc117fbf1 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 16:05:42 -0400 Subject: [PATCH 18/46] Add details about autogenerated Secrets/passwords --- .../authentication/k-user-controller.adoc | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 97420fb09..b81bc206c 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -14,7 +14,7 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== User resource management +== Create a user When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
@@ -105,9 +105,15 @@ If no authentication credentials are provided, no user will be created, but ACLs === Manage user secrets -Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. +Redpanda users require a password, which you can provide directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. The Redpanda operator offers flexibility in how these secrets are handled: -For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: +- If the Secret exists and the key exists within that Secret, the existing password will be used. +- If the Secret exists but the key does not exist, the Secret will be updated with an autogenerated password. +- If the Secret does not exist, a new Secret with the provided key will be created with an autogenerated password. + +This behavior ensures that you can manage user credentials securely and programmatically, while also automating password generation if necessary. + +To use an existing Kubernetes Secret, ensure that the Secret and key are both defined. For example: [source,yaml] ---- 
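Review bot: The new fallback rules mean that a mistyped `key` or Secret name in `secretKeyRef` does not produce an error; the operator writes an autogenerated password instead, and the user ends up with a credential that nobody chose. Say this explicitly and tell readers how to confirm which password is in effect, for example by reading the key back from the Secret. The field paths in the first added sentence (`spec.password.value`, `spec.password.valueFrom.secretKeyRef`) also omit `authentication`, while the manifests on this page nest `password` under `spec.authentication`.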
@@ -120,24 +126,16 @@ spec: key: password ---- -To create the Secret from a file: +This example assumes that a Kubernetes Secret named `user-secret` with a key `password` exists. If the Secret does not exist or the key is missing, the Redpanda Operator will handle it by creating or updating the Secret with an autogenerated password. The autogenerated password will follow best practices for secure password generation. + +If you need to create a Secret, you can use the following command as an example: [source,bash] ---- -kubectl --namespace create secret generic user-secret --from-file= +kubectl --namespace create secret generic user-secret --from-file=password.txt ---- -.Example: Kubernetes Secret for User Password -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: user-secret -type: Opaque -data: - password: cGFzc3dvcmQ= # base64-encoded password ----- +In this example, the `password.txt` file contains the password you want to use. === Define ACLs From 99d6caaf107338d185d1daefc256506fc6c575f0 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 17:17:25 -0400 Subject: [PATCH 19/46] Improve structure and add term --- .../manage/examples/kubernetes/user.feature | 2 +- .../pages/kubernetes/k-manage-topics.adoc | 2 -- .../authentication/k-user-controller.adoc | 25 +++++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 805a0bf5a..f95bb8403 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password -# end::manage-auth-only-manifest[] +# end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" 
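Review bot: In the `@@ -120,24 +126,16 @@` hunk of k-user-controller.adoc, `--from-file=password.txt` creates a Secret key named `password.txt`, not the `password` key that the manifest references with `key: password`. Under the fallback rules added in the same patch, the operator would then add a `password` key with an autogenerated value and the contents of the file would go unused. Use `--from-file=password=password.txt`, and note that the file is stored byte for byte, so a trailing newline becomes part of the password.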
diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index d22d1bc09..f34b45cd9 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc @@ -11,8 +11,6 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. - * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index b81bc206c..d463879a4 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,27 +3,28 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. == Create a user -When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
+You can use the User resource to: -[NOTE] -==== -You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. -==== +- <> +- <> +- <> -=== Manage new users (authentication only) +Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. + +[[no-acl]] +=== Create a new user without any ACLs - *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. - *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. @@ -36,7 +37,8 @@ This example shows how to manage the creation and authentication of a user witho include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -=== Manage existing users (authorization only) +[[only-acl]] +=== Create only ACLs for a user - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. 
@@ -49,7 +51,8 @@ This example shows how to manage only the ACLs for an existing user in the Redpa include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Manage both authentication and authorization +[[both]] +=== Create a new user and its ACLs - *Use case*: You want to manage both user credentials and ACLs within the same resource. - *What happens when deleted*: Both the user and the associated ACLs are removed. @@ -88,7 +91,7 @@ spec: == Configuration advice -The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. +The following sections provide guidance on setting up user authentication, managing secrets, and defining ACLs within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. === Choose an authentication type From f0135160e1d3083188eb0b70fdedcda668210aea Mon Sep 17 00:00:00 2001 
From: JakeSCahill Date: Tue, 15 Oct 2024 14:46:11 +0100 Subject: [PATCH 20/46] DOC-442 User resource docs --- modules/ROOT/nav.adoc | 4 +++- .../manage/examples/kubernetes/user.feature | 16 +++++++------- .../pages/kubernetes/k-manage-topics.adoc | 7 +++++- .../security/authentication/index.adoc | 6 +++++ .../authentication/k-authentication.adoc | 3 +-- .../authentication/k-user-controller.adoc | 22 +++++++++---------- 6 files changed, 35 insertions(+), 23 deletions(-) create mode 100644 modules/manage/pages/kubernetes/security/authentication/index.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index b33aac11d..ef730d20b 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -108,7 +108,9 @@ **** xref:manage:kubernetes/security/tls/index.adoc[TLS Encryption] ***** xref:manage:kubernetes/security/tls/k-cert-manager.adoc[Use cert-manager] ***** xref:manage:kubernetes/security/tls/k-secrets.adoc[Use Secrets] -**** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Authentication] +**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication] +***** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Enable Authentication] +***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs] **** xref:manage:kubernetes/security/k-audit-logging.adoc[Audit Logging] *** xref:manage:kubernetes/k-rack-awareness.adoc[Rack Awareness] *** xref:manage:kubernetes/k-remote-read-replicas.adoc[Remote Read Replicas] diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f95bb8403..908e0646e 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -25,10 +25,10 @@ Feature: User CRDs | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | When I apply Kubernetes manifest: """ -# tag::manage-authn-only-manifest[] -# In this example manifest, a user called "jason" is created in a cluster called "sasl". -# The user's password is defined in a Secret called "jason-password". -# This example assumes that you will create ACLs for this user separately. + # tag::manage-authn-only-manifest[] + # In this example manifest, a user called "jason" is created in a cluster called "sasl". + # The user's password is defined in a Secret called "jason-password". + # This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User @@ -58,10 +58,10 @@ Feature: User CRDs | travis | password | SCRAM-SHA-256 | When I apply Kubernetes manifest: """ -# tag::manage-authz-only-manifest[] -# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". -# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. -# This example assumes that you already have a user called "travis" in your cluster. + # tag::manage-authz-only-manifest[] + # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". + # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + # This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index f34b45cd9..326c19ea3 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc 
@@ -17,7 +17,12 @@ You must have the following: == Limitations -You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you must use `rpk` or another Kafka client. For details about ACLs, see xref:security/authorization/index.adoc[]. +You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you can use: + +- xref:manage:kubernetes/security/authentication/k-user-controller.adoc[The User resource] +- xref:get-started:rpk-install.adoc[`rpk`] or another Kafka client + +For details about ACLs, see xref:security/authorization/index.adoc[]. == Create a topic diff --git a/modules/manage/pages/kubernetes/security/authentication/index.adoc b/modules/manage/pages/kubernetes/security/authentication/index.adoc new file mode 100644 index 000000000..b8ac87f4f --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authentication/index.adoc @@ -0,0 +1,6 @@ += Authentication for Redpanda in Kubernetes +:page-layout: index +:description: Learn how to configure authentication for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. +:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc + +Redpanda offers two methods to manage authentication in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc b/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc index 8f97f12cd..56df29cc2 100644 
--- a/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc @@ -1,8 +1,7 @@ = Configure Authentication for Redpanda in Kubernetes -:description: Learn how to configure authentication for Redpanda in Kubernetes. +:description: Use Helm values or the Redpanda resource manifest to enable authentication for Redpanda. This method provides a way to configure authentication during the initial deployment or updates to the cluster configuration. :page-context-links: [{"name": "Linux", "to": "manage:security/authentication.adoc" },{"name": "Kubernetes", "to": "manage:kubernetes/security/authentication/k-authentication.adoc" } ] :tags: ["Kubernetes", "Helm configuration"] -:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc :page-categories: Management, Security :env-kubernetes: true :page-toclevels: 3 diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index d463879a4..d2ac0ad48 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -1,5 +1,5 @@ -= Manage Users with the Redpanda Operator -:description: Use the User resource to declaratively create and manage Redpanda users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. += Manage Users and ACLs with the Redpanda Operator +:description: Use the User resource to declaratively create and manage users and ACLs as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. :page-categories: Management, Development :env-kubernetes: true 
@@ -21,24 +21,24 @@ You can use the User resource to: - <> - <> -Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. +Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. [[no-acl]] === Create a new user without any ACLs - *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. -- *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. +- *What happens when deleted*: The user is deleted, but ACLs for that user will remain in the cluster. This example shows how to manage the creation and authentication of a user without configuring ACLs. .`new-user.yaml` -[,yaml] +[,yaml,indent=0] ---- include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- [[only-acl]] -=== Create only ACLs for a user +=== Create only ACLs - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. 
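Review bot: Changing "another User resource" to "another resource" makes the sentence read as if a user's ACLs can never be managed outside its User resource, which contradicts the `no-acl` use case directly below it ("If you have a separate process to manage ACLs"). Keep "another User resource", or say instead that only one User resource may target a given user. The same bullet has "Use this option If you have"; lowercase the "If".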
@@ -46,7 +46,7 @@ include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest, This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` -[,yaml] +[,yaml,indent=0] ---- include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- @@ -60,7 +60,7 @@ include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest, This example shows how to manage both authentication and ACLs for a user within the same User resource. .`new-user-and-acl.yaml` -[source,yaml] +[source,yaml,indent=0] ---- # In this example manifest, the user "full-user" is created and managed for both authentication and authorization. # The user is granted both read and write access to the topic critical-topic. 
@@ -235,9 +235,9 @@ When a User resource is deleted, its underlying data is removed as well. If the Deleting a User resource will have different impacts depending on how it is configured: -- **Authentication-only**: When a User resource managing only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. -- **Authorization-only**: When a User resource managing only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. -- **Full user management (both authentication and authorization)**: When the resource manages both, the user and its associated ACLs are removed. +- **Authentication-only**: When a User resource that manages only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a User resource that manages only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. +- **Full user management (both authentication and authorization)**: When the resource manages both users and ACLs, the user and its associated ACLs are removed. == Suggested reading From f35f75d888af1a60c2cee202a8c61345c4878fb3 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 15:25:16 +0100 Subject: [PATCH 21/46] Fix comments --- modules/manage/examples/kubernetes/user.feature | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f95bb8403..a12fe2db7 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -26,9 +26,9 @@ Feature: User CRDs When I apply Kubernetes manifest: """ # tag::manage-authn-only-manifest[] -# In this example manifest, a user called "jason" is created in a cluster called "sasl". -# The user's password is defined in a Secret called "jason-password". -# This example assumes that you will create ACLs for this user separately. + # In this example manifest, a user called "jason" is created in a cluster called "sasl". + # The user's password is defined in a Secret called "jason-password". + # This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User @@ -59,9 +59,9 @@ Feature: User CRDs When I apply Kubernetes manifest: """ # tag::manage-authz-only-manifest[] -# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". -# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. -# This example assumes that you already have a user called "travis" in your cluster. + # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". + # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + # This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User From e5f67d791b8b292b54697a2a5ef819d5739522b9 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 15:47:29 +0100 Subject: [PATCH 22/46] Fix comments --- modules/manage/examples/kubernetes/user.feature | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index a12fe2db7..986182ff1 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -25,7 +25,7 @@ Feature: User CRDs | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | When I apply Kubernetes manifest: """ -# tag::manage-authn-only-manifest[] + # tag::manage-authn-only-manifest[] # In this example manifest, a user called "jason" is created in a cluster called "sasl". # The user's password is defined in a Secret called "jason-password". # This example assumes that you will create ACLs for this user separately. @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password -# end::manage-authn-only-manifest[] + # end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" @@ -58,7 +58,7 @@ Feature: User CRDs | travis | password | SCRAM-SHA-256 | When I apply Kubernetes manifest: """ -# tag::manage-authz-only-manifest[] + # tag::manage-authz-only-manifest[] # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. # This example assumes that you already have a user called "travis" in your cluster. @@ -79,7 +79,7 @@ Feature: User CRDs name: some-topic patternType: prefixed operations: [Read] -# end::manage-authz-only-manifest[] + # end::manage-authz-only-manifest[] """ And user "travis" is successfully synced And I delete the CRD user "travis" From e5ac1d112e174e0f2690a16baa58153912eb1702 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 15:57:02 +0100 Subject: [PATCH 23/46] Fix comments --- .../manage/examples/kubernetes/user.feature | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 986182ff1..3712f6cb9 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -25,10 +25,10 @@ Feature: User CRDs | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | When I apply Kubernetes manifest: """ - # tag::manage-authn-only-manifest[] - # In this example manifest, a user called "jason" is created in a cluster called "sasl". - # The user's password is defined in a Secret called "jason-password". - # This example assumes that you will create ACLs for this user separately. + # tag::manage-authn-only-manifest[] + # In this example manifest, a user called "jason" is created in a cluster called "sasl". + # The user's password is defined in a Secret called "jason-password". + # This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password - # end::manage-authn-only-manifest[] + # end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" @@ -58,10 +58,10 @@ Feature: User CRDs | travis | password | SCRAM-SHA-256 | When I apply Kubernetes manifest: """ - # tag::manage-authz-only-manifest[] - # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". - # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. - # This example assumes that you already have a user called "travis" in your cluster. + # tag::manage-authz-only-manifest[] + # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". + # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + # This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User 
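Review bot: The comment inside the `manage-authz-only-manifest` tag reads "The ACL give an existing user"; it should be "gives". These comment lines sit inside the tagged region that k-user-controller.adoc pulls in with `include::`, so the typo is rendered in the published example. Patches 21 to 23 all carry the subject "Fix comments" and rewrite the same comment lines; squashing them would make the series easier to review.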
@@ -79,7 +79,7 @@ Feature: User CRDs name: some-topic patternType: prefixed operations: [Read] - # end::manage-authz-only-manifest[] + # end::manage-authz-only-manifest[] """ And user "travis" is successfully synced And I delete the CRD user "travis" From 7200db322c0ec5a5484bde2dacbf8604470b571b Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 16:06:06 +0100 Subject: [PATCH 24/46] Update filename --- .../examples/kubernetes/{user.feature => user-crds.feature} | 0 .../kubernetes/security/authentication/k-user-controller.adoc | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename modules/manage/examples/kubernetes/{user.feature => user-crds.feature} (100%) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user-crds.feature similarity index 100% rename from modules/manage/examples/kubernetes/user.feature rename to modules/manage/examples/kubernetes/user-crds.feature diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index d2ac0ad48..90237c4b3 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -34,7 +34,7 @@ This example shows how to manage the creation and authentication of a user witho .`new-user.yaml` [,yaml,indent=0] ---- -include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] +include::manage:example$kubernetes/user-crds.feature[tags=manage-authn-only-manifest,indent=0] ---- [[only-acl]] 
@@ -48,7 +48,7 @@ This example shows how to manage only the ACLs for an existing user in the Redpa .`new-acl.yaml` [,yaml,indent=0] ---- -include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] +include::manage:example$kubernetes/user-crds.feature[tags=manage-authz-only-manifest,indent=0] ---- [[both]] From 35d3728a09141ce8f59d0095d7c61941f5fbcfe8 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 16:50:13 +0100 Subject: [PATCH 25/46] Add what's new --- modules/get-started/pages/whats-new.adoc | 76 ++---------------------- 1 file changed, 6 insertions(+), 70 deletions(-) diff --git a/modules/get-started/pages/whats-new.adoc b/modules/get-started/pages/whats-new.adoc index 6a83009f0..3fc155b11 100644 --- a/modules/get-started/pages/whats-new.adoc +++ b/modules/get-started/pages/whats-new.adoc 
@@ -7,76 +7,12 @@ This topic includes new content added in version {page-component-version}. For a * xref:redpanda-cloud:get-started:whats-new-cloud.adoc[] * xref:redpanda-cloud:get-started:cloud-overview.adoc#redpanda-cloud-vs-self-hosted-feature-compatibility[Redpanda Cloud vs self-hosted feature compatibility] -== FIPS compliance +== Declarative User and ACL management in Kubernetes -Redpanda now provides a FIPS 140-compliant binary to support running Redpanda in environments requiring FIPS-compliant software and to meet certain requirements for organizations undergoing certification through government compliance programs, such as FedRAMP. When using the FIPS binary, both Redpanda and `rpk` leverage FIPS-compliant OpenSSL libraries and ciphers for all encryption activity inside Redpanda, including encryption of data in transit. Install the `redpanda-fips` package to xref:manage:security/fips-compliance.adoc[run Redpanda in FIPS-compliance mode]. +Redpanda now supports declarative management of users and access control lists (ACLs) using the new User resource with the Redpanda Operator. This feature allows you to: -== Schema Registry support for JSON +- Create and manage Redpanda users and their authentication settings. +- Define and manage ACLs to control access to Redpanda resources. +- Automatically reconcile changes to users and ACLs using the Redpanda Operator. -Redpanda's xref:manage:schema-reg/schema-reg-overview.adoc[Schema Registry] now supports JSON serialization format, in addition to Avro and Protobuf. You can use a https://json-schema.org/[JSON Schema^] format to validate messages and ensure compatibility between schema versions. 
- -== Schema Registry read-only mode - -You can now put individual subjects or the entire Schema Registry into read-only or read-write mode with the xref:manage:schema-reg/schema-reg-api.adoc#use-readonly-mode-for-disaster-recovery[Schema Registry API] `/mode` endpoint or with xref:reference:rpk/rpk-registry/rpk-registry-mode-set.adoc[`rpk registry mode set`]. You can use the `READONLY` mode in an active/passive disaster recovery configuration. - -== TLS enhancements - -* *Minimum TLS version*: For enhanced security, Redpanda now has a cluster configuration property to xref:manage:security/encryption.adoc#manage-the-minimum-tls-version[control the minimum TLS version] to use for encryption. By default, xref:reference:properties/cluster-properties.adoc#tls_min_version[`tls_min_version`] is set to `v1.2`, which prevents client applications from using older TLS versions to connect to your clusters. - -* *Certificate revocation lists*: When enabling TLS encryption for the Kafka, Admin, HTTP Proxy or Schema Registry APIs, you can now xref:manage:security/encryption.adoc[add a certificate revocation list (CRL)] to your configuration. Redpanda uses the CRL to check and reject connections from entities using certificates already revoked by a certificate authority. - -== Data transforms enhancements - -Redpanda has a new xref:reference:data-transforms/js/index.adoc[JavaScript SDK] that you can use to build and deploy data transforms in Redpanda. To get started, see xref:develop:data-transforms/run-transforms-index.adoc[]. - -You can now deploy data transform functions that xref:develop:data-transforms/deploy.adoc#reprocess[reprocess existing records] from an input topic. Processing existing records can be useful, for example, to process historical data into a different format for a new consumer, to re-create lost data from an accidentally-deleted topic, or to resolve issues with a previous version of a transform that processed data incorrectly. 
- -The docs now also include an xref:develop:data-transforms/index.adoc[expanded guide] designed to help you master the creation, deployment, and management of data transforms in Redpanda. - -== Enhanced cache trimming - -Redpanda has two new properties that provide finer control over cache management. These settings allow you to define specific thresholds for triggering xref:manage:tiered-storage.adoc#cache-trimming[cache trimming] based on cache size and the number of objects, helping to optimize performance and prevent slow reads. - -- config_ref:cloud_storage_cache_trim_threshold_percent_size,true,properties/object-storage-properties[] -- config_ref:cloud_storage_cache_trim_threshold_percent_objects,true,properties/object-storage-properties[] - -== Client throughput management - -Redpanda now includes `rpk` and Redpanda Console support for managing xref:manage:cluster-maintenance/manage-throughput.adoc#client-throughput-limits[client throughput limits]. You can set client throughput quotas using `rpk` for an individual client based on client ID, as well as for a group of clients based on ID prefix matching. New xref:manage:cluster-maintenance/manage-throughput.adoc#monitor-client-throughput[metrics] are available for insights on client throughput utilization. - -Client throughput quotas, previously applied on a per-shard basis, now apply on a per-broker basis. Cluster configuration properties for managing client quotas are xref:upgrade:deprecated/index.adoc[deprecated], including `target_quota_byte_rate` which is disabled by default with the value `0`. - -== Self-test enhancements - -New tests are added to the xref:manage:cluster-maintenance/cluster-diagnostics.adoc[Redpanda self-test] suite: - -* Cloud storage tests to validate xref:manage:tiered-storage.adoc[Tiered Storage] configuration. -* 16K block size disk tests to better assess block storage performance, particularly in response to I/O depth changes. 
-* 4K block size disk test with dsync off to assess the impact of fdatasync on the storage layer. - -See the xref:reference:rpk/rpk-cluster/rpk-cluster-self-test-status.adoc[`rpk self test`] reference for usage and output examples. - -== Intra-broker partition balancing: beta - -xref:manage:cluster-maintenance/cluster-balancing.adoc#intra-broker-partition-balancing[Intra-broker partition balancing] is a new topic-aware partition balancer that balances partitions across cores within a Redpanda broker. This balancer considers core count changes as well as partition movement to rebalance partition replicas and improve performance. - -This is a beta feature for v24.2 and is not recommended for use for production clusters. - -== New commands - -The following `rpk` commands are new in this version: - -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-alter.adoc[`rpk cluster quotas alter`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-describe.adoc[`rpk cluster quotas describe`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-import.adoc[`rpk cluster quotas import`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas.adoc[`rpk cluster quotas`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode.adoc[`rpk registry mode`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-get.adoc[`rpk registry mode get`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-reset.adoc[`rpk registry mode reset`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-set.adoc[`rpk registry mode set`] -* xref:reference:rpk/rpk-transform/rpk-transform-pause.adoc[`rpk transform pause`] -* xref:reference:rpk/rpk-transform/rpk-transform-resume.adoc[`rpk transform resume`] - -== Doc enhancements - -The https://docs.redpanda.com/home/[Redpanda Docs home page] has been redesigned, so you can stay within the context of Redpanda Self-Managed, Redpanda Cloud, or Redpanda Connect docs. We hope that our docs help and inspire our users. 
Please share your feedback with the links at the bottom of any doc page. +To learn more, see the xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resource documentation]. From d066e5397eff01110f2a757310ada13ee78bd12a Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 10 Sep 2024 15:50:43 +0100 Subject: [PATCH 26/46] First draft --- .../authentication/k-user-controller.adoc | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc new file mode 100644 index 000000000..6a0b56338 --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -0,0 +1,188 @@ += Manage Users with the Redpanda Operator +:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:page-categories: Management, Development +:env-kubernetes: true + +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. + +== Prerequisites + +You must have the following: + +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. + +== Limitations + +You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. 
+ +== Create a user + +You can create a user using a User resource: + +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. +- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. +- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. +- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. + +=== Example User resource + +This example creates a user named `my-user` with SCRAM-SHA-512 authentication: + +.example-user.yaml +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + cluster: + clusterRef: + name: redpanda-cluster + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +[bash] +---- +kubectl apply -f example-user.yaml --namespace +---- + +Replace `` with the namespace in which you deployed Redpanda. + +=== Specify authentication type + +You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. + +If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. + +=== Manage user secrets + +Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. 
+ +For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: + +[source,yaml] +---- +password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +.Example Kubernetes Secret for the user password +[source,yaml] +---- +apiVersion: v1 +kind: Secret +metadata: + name: user-secret +type: Opaque +data: + # base64-encoded password + password: cGFzc3dvcmQ= +---- + +== Verify a user + +After deploying a User resource, verify that the Redpanda Operator reconciled it: + +[bash] +---- +kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace +---- + +Example output: + +[source,json] +---- +{ + "level": "info", + "ts": "2024-09-25T16:20:09.538Z", + "logger": "UserReconciler.Reconcile", + "msg": "Starting reconcile loop", + "controller": "user", + "User": { + "name": "my-user", + "namespace": "" + }, + "reconcileID": "c0cf9abc-a553-48b7-9b6e-2de3cdfb4432" +} +{ + "level": "info", + "ts": "2024-09-25T16:20:09.581Z", + "logger": "UserReconciler.Reconcile", + "msg": "Reconciliation finished in 43.436125ms, next run in 3s", +} +---- + +== Update a user + +To update a user, edit the User resource configuration and apply the changes. + +For example, to change the authentication method: + +.`updated-user.yaml` +[source,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: my-user +spec: + authentication: + type: scram-sha-256 + cluster: + clusterRef: + name: redpanda-cluster +---- + +Apply the changes: + +[bash] +---- +kubectl apply -f updated-user.yaml --namespace +---- + +== Delete a user + +To delete a user, delete the User resource: + +[bash] +---- +kubectl delete -f example-user.yaml --namespace +---- + +When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. 
+ +== Suggested reading + +* xref:reference:k-user-crd.adoc[] +* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file From 5babdfbd45d5dced53b0d685206745a093a7d441 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Wed, 18 Sep 2024 17:04:19 +0100 Subject: [PATCH 27/46] First draft --- .github/crd-config/config.yaml | 19 - .../authentication/k-user-controller.adoc | 4 - modules/reference/pages/k-crd.adoc | 457 +++++++++++++++++- 3 files changed, 456 insertions(+), 24 deletions(-) diff --git a/.github/crd-config/config.yaml b/.github/crd-config/config.yaml index c2bb6d748..e802f1ff9 100644 --- a/.github/crd-config/config.yaml +++ b/.github/crd-config/config.yaml @@ -1,25 +1,6 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "User$" - - "UserList$" - - "UserSpec$" - - "UserStatus$" - - "UserAuthenticationSpec$" - - "UserAuthorizationSpec$" - - "UserTemplateSpec$" - - "Password$" - - "PasswordSource$" - - "ACLRule$" - - "ACLType$" - - "ACLOperation$" - - "PatternType$" - - "ResourceType$" - - "ACLResourceSpec$" - - "ClusterSource$" - - "AdminAPISpec$" - - "AdminSASL$" - - "MetadataTemplate$" render: kubernetesVersion: 1.23 knownTypes: diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6a0b56338..6328d8ee8 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -13,10 +13,6 @@ You must have the following: * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. -== Limitations - -You cannot create access control lists (ACLs) directly in the User resource. To create ACLs for your users, use `rpk` or another Kafka client. For details about ACLs, see xref:manage:security/authorization/acl.adoc[]. - == Create a user You can create a user using a User resource: diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index a8850ba0c..686f96406 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -12,6 +12,79 @@ Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist[$$TopicList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation"] +== ACLOperation (string) + +ACLOperation specifies the type of operation for an ACL. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec"] +== ACLResourceSpec + +ACLResourceSpec indicates the resource for which given ACL rule applies. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +| *`name`* __string__ | Name of resource for which given ACL rule applies. + +Can be combined with patternType field to use prefix pattern. 
+ +| *`patternType`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | Describes the pattern used in the resource field. The supported types are literal + +and prefixed. With literal pattern type, the resource field will be used as a definition + +of a full topic name. With prefix pattern type, the resource name will be used only as + +a prefix. Default value is literal. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule"] +== ACLRule + +ACLRule defines an ACL rule applied to the given user. + + +Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75978240 + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | +| *`resource`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$]__ | Indicates the resource for which given ACL rule applies. + +| *`host`* __string__ | The host from which the action described in the ACL rule is allowed or denied. + +If not set, it defaults to *, allowing or denying the action from any host. + +| *`operations`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$] array__ | List of operations which will be allowed or denied. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype"] +== ACLType (string) + +ACLType specifies the type, either allow or deny of an ACL rule. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] 
@@ -35,6 +108,45 @@ Admin configures settings for the Admin API listeners. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec"] +== AdminAPISpec + +AdminAPISpec defines client configuration for connecting to Redpanda's admin API. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`urls`* __string array__ | Specifies a list of broker addresses in the format : + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl"] +== AdminSASL + +AdminSASL configures credentials to connect to Redpanda cluster that has authentication enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __string__ | Specifies the username. + +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. 
+ +| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + +| *`token`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auditlogging"] == AuditLogging 
@@ -81,8 +193,37 @@ Auth configures authentication in the Helm values. See https://docs.redpanda.com |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype"] +== AuthorizationType (string) + +AuthorizationType specifies the type of authorization to use in creating a user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser"] +== BootstrapUser + +BootstrapUser configures the user used to bootstrap Redpanda when SASL is enabled. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | Specifies the location where the generated password will be written or a pre-existing + +password will be read from. + +| *`mechanism`* __string__ | Specifies the authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-budget"] 
@@ -165,9 +306,44 @@ for hooks) during Helm actions. Defaults to `15m0s`. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref"] +== ClusterRef + +ClusterRef represents a reference to a cluster that is being targeted. +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | Name specifies the name of the cluster being referenced. + +|=== + + + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource"] +== ClusterSource + +ClusterSource defines how to connect to a particular Redpanda cluster. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref[$$ClusterRef$$]__ | ClusterRef is a reference to the cluster where the object should be created. + +It is used in constructing the client created to configure a cluster. + +This takes precedence over StaticConfigurationSource. + +| *`staticConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$]__ | StaticConfiguration holds connection parameters to Kafka and Admin APIs. + +|=== + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls"] == CommonTLS 
@@ -177,6 +353,7 @@ CommonTLS specifies TLS configuration settings for Redpanda clusters that have a .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] [cols="25a,75a", options="header"] @@ -948,6 +1125,24 @@ Memory configures memory resources. |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate"] +== MetadataTemplate + +MetadataTemplate defines additional metadata to associate with a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`labels`* __object (keys:string, values:string)__ | Labels specifies the Kubernetes labels to apply to a managed resource. + +| *`annotations`* __object (keys:string, values:string)__ | Annotations specifies the Kubernetes annotations to apply to a managed resource. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-migration"] == Migration 
@@ -991,6 +1186,56 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password"] +== Password + +Password specifies a password for the user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`value`* __string__ | +| *`valueFrom`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource"] +== PasswordSource + +PasswordSource contains the source for a password. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | SecretKeyRef specifies the secret used in reading a User password. + +If the Secret exists and has a value in it, then that value is used. + +If the Secret does not exist, or is empty, a password is generated and + +stored based on this configuration. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype"] +== PatternType (string) + +PatternType specifies the type of pattern applied for ACL resource matching. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume"] == PersistentVolume @@ -1540,6 +1785,34 @@ decommissioned from the cluster and provides its ordinal number. + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate"] +== ResourceTemplate + +ResourceTemplate specifies additional configuration for a resource. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate[$$MetadataTemplate$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype"] +== ResourceType (string) + +ResourceType specifies the type of resource an ACL is applied to. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources"] 
@@ -1577,6 +1850,7 @@ SASL configures SASL authentication in the Helm values. | *`mechanism`* __string__ | Specifies the default authentication mechanism to use for superusers. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`secretRef`* __string__ | If `users` is empty, `secretRef` specifies the name of the Secret that contains your superuser credentials in the format ::. Otherwise, `secretRef` specifies the name of the Secret that the chart creates to store the credentials in `users`. + | *`users`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems[$$UsersItems$$] array__ | Specifies a list of superuser credentials. + +| *`bootstrapUser`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser[$$BootstrapUser$$]__ | Specifies configuration about the bootstrap user. + |=== @@ -1588,7 +1862,9 @@ SASLMechanism specifies a SASL auth mechanism. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] 
@@ -1623,6 +1899,7 @@ See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. .Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] - xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] @@ -1866,6 +2143,25 @@ into this StatefulSet's PodTemplate. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource"] +== StaticConfigurationSource + +StaticConfigurationSource configures connections to a Redpanda cluster via hard-coded +connection strings and manually configured TLS and authentication parameters. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Kafka is the configuration information for communicating with the Kafka + +API of a Redpanda cluster where the object should be created. + +| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$]__ | AdminAPISpec is the configuration information for communicating with the Admin + +API of a Redpanda cluster where the object should be created. + +|=== [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage"] 
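Review bot: in the `StaticConfigurationSource` table, the `admin` row's description opens with the type name ("AdminAPISpec is the configuration information ...") while the `kafka` row opens with the field name ("Kafka is ..."). Start the `admin` description with "Admin is" so the two rows read consistently. Because this type is described as carrying manually configured TLS and authentication parameters, the description should also say whether those credentials can be given as Secret references rather than inline values.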
@@ -2184,6 +2480,165 @@ and will be removed in a future version. + |=== +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user"] +== User + +User defines the CRD for a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `User` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$]__ | Defines the desired state of the Redpanda user. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus[$$UserStatus$$]__ | Represents the current status of the Redpanda user. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec"] +== UserAuthenticationSpec + +UserAuthenticationSpec defines the authentication mechanism enabled for this Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | +| *`password`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$]__ | Password specifies where a password is read from. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec"] +== UserAuthorizationSpec + +UserAuthorizationSpec defines authorization rules for this user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype[$$AuthorizationType$$]__ | +| *`acls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this user. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist"] +== UserList + +UserList contains a list of Redpanda user objects. 
+ + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `UserList` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] array__ | Specifies a list of Redpanda user resources. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec"] +== UserSpec + +UserSpec defines the configuration of a Redpanda user. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + +It is used in constructing the client created to configure a cluster. 
+ +| *`authentication`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$]__ | Authentication defines the authentication information for a user. If no + +Authentication credentials are specified, then no user will be created. + +This is useful when wanting to manage ACLs for an already-existing user. + +| *`authorization`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$]__ | Authorization rules defined for this user. + +| *`template`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$]__ | Template to specify how user secrets are generated. + +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus"] +== UserStatus + +UserStatus defines the observed state of a Redpanda user + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | Specifies the last observed generation. + +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda user. + +| *`managedAcls`* __boolean__ | ManagedACLs returns whether the user has managed ACLs that need + +to be cleaned up. + +| *`managedUser`* __boolean__ | ManagedUser returns whether the user has a managed SCRAM user that need + +to be cleaned up. 
+ +|=== + + +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec"] +== UserTemplateSpec + +UserTemplateSpec defines the template metadata (labels and annotations) +for any subresources, such as Secrets, created by a User object. + + + +.Appears in: +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secret`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$]__ | Specifies how the Secret with a user password is generated. + +|=== + + [id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems"] == UsersItems @@ -2200,4 +2655,4 @@ UsersItems configures a list of superusers in the Helm values. | *`mechanism`* __string__ | Specifies the authentication mechanism to use for superusers. Overrides the default in `SASL`. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`name`* __string__ | Specifies the name of the superuser. + | *`password`* __string__ | Specifies the superuser password. + -|=== +|=== \ No newline at end of file From 286c8b61e4b8dad399969409d2ac0e3a7f4d1e94 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:43:02 -0400 Subject: [PATCH 28/46] Add examples --- .../manage/examples/kubernetes/user.feature | 85 ++++++++++++++ .../pages/kubernetes/k-manage-topics.adoc | 6 +- .../authentication/k-user-controller.adoc | 104 ++++++++---------- modules/manage/partials/authentication.adoc | 1 + 4 files changed, 136 insertions(+), 60 deletions(-) create mode 100644 modules/manage/examples/kubernetes/user.feature diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature new file mode 100644 index 000000000..14852ba0d 
--- /dev/null +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -0,0 +1,85 @@ +@cluster:sasl +Feature: User CRDs + Background: Cluster available + Given cluster "sasl" is available + + @skip:gke @skip:aks @skip:eks + Scenario: Manage users + Given there is no user "bob" in cluster "sasl" + And there is no user "james" in cluster "sasl" + And there is no user "alice" in cluster "sasl" + When I create CRD-based users for cluster "sasl": + | name | password | mechanism | acls | + | bob | | SCRAM-SHA-256 | | + | james | | SCRAM-SHA-512 | | + | alice | qwerty | SCRAM-SHA-512 | | + Then "bob" should exist and be able to authenticate to the "sasl" cluster + And "james" should exist and be able to authenticate to the "sasl" cluster + And "alice" should exist and be able to authenticate to the "sasl" cluster + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authentication-only users + Given there is no user "jason" in cluster "sasl" + And there are already the following ACLs in cluster "sasl": + | user | acls | + | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | + When I apply Kubernetes manifest: + """ +# tag::manage-authn-only-manifest[] +# In this example manifest, a user called "jason" is created in a cluster called "sasl". +# The user's password is defined in a Secret called "jason-password". 
+ --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: jason + spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: jason-password + key: password +# end::manage-auth-only-manifest[] + """ +# end::scenario[] + And user "jason" is successfully synced + And I delete the CRD user "jason" + Then there should be ACLs in the cluster "sasl" for user "jason" + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authorization-only users + Given there are the following pre-existing users in cluster "sasl" + | name | password | mechanism | + | travis | password | SCRAM-SHA-256 | + When I apply Kubernetes manifest: + """ +# tag::manage-authz-only-manifest[] +# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". +# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: User + metadata: + name: travis + spec: + cluster: + clusterRef: + name: sasl + authorization: + acls: + - type: allow + resource: + type: topic + name: some-topic + patternType: prefixed + operations: [Read] +# end::manage-authz-only-manifest[] + """ + And user "travis" is successfully synced + And I delete the CRD user "travis" + Then "travis" should be able to authenticate to the "sasl" cluster with password "password" and mechanism "SCRAM-SHA-256" diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index 3dc1e6a03..d22d1bc09 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc 
@@ -11,11 +11,11 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* Kubernetes cluster: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. -* https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]: Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. -* Redpanda: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. == Limitations diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 6328d8ee8..38b568143 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,79 +3,48 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (e.g., minikube or kind) or remotely. +* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. -* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. +* *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. +* *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. 
== Create a user -You can create a user using a User resource: +You can create a new user using a User resource: -[source,yaml] +.`new-user.yaml` +[,yaml] ---- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -- `metadata.name` (*required*): The name of the User resource, which will map to the corresponding user in the Redpanda cluster. -- `spec.cluster.clusterRef.name` (*required*): The reference to the Redpanda cluster where the user should be created. -- `spec.authentication` (*optional*): Defines the user authentication method. It supports SCRAM-SHA-256 and SCRAM-SHA-512. -- `spec.password.valueFrom.secretKeyRef`: Specifies where the password for the user is stored. +== Create an access control list (ACL) -=== Example User resource - -This example creates a user named `my-user` with SCRAM-SHA-512 authentication: - -.example-user.yaml -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - cluster: - clusterRef: - name: redpanda-cluster - authentication: - type: scram-sha-512 - password: - valueFrom: - secretKeyRef: - name: user-secret - key: password ----- +You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. -[bash] +.`new-acl.yaml` +[,yaml] ---- -kubectl apply -f example-user.yaml --namespace +include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -Replace `` with the namespace in which you deployed Redpanda. - === Specify authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. 
Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. +[,yaml] +---- +spec: + authentication: + type: scram-sha-512 +---- + If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. === Manage user secrets @@ -86,11 +55,20 @@ For example, to use a Kubernetes Secret for the password, ensure the secret exis [source,yaml] ---- -password: - valueFrom: - secretKeyRef: - name: user-secret - key: password +spec: + authentication: + password: + valueFrom: + secretKeyRef: + name: user-secret + key: password +---- + +To create the Secret: + +[,bash] +---- +kubectl --namespace create secret generic user-secret--from-file=password.txt ---- .Example Kubernetes Secret for the user password @@ -106,6 +84,18 @@ data: password: cGFzc3dvcmQ= ---- +== Deploy a User resource + +To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: + +[bash] +---- +kubectl apply -f .yaml --namespace +---- + +- Replace `` with the filename of your manifest. +- Replace `` with the namespace in which you deployed Redpanda. + == Verify a user After deploying a User resource, verify that the Redpanda Operator reconciled it: @@ -180,5 +170,5 @@ When a user is deleted, its underlying data is removed as well. If the user has == Suggested reading -* xref:reference:k-user-crd.adoc[] +* xref:reference:k-crd.adoc[] * xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index ef553e050..f5171f923 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -43,6 +43,7 @@ You must have the following: * https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]. Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster. endif::[] +[[enable]] == Enable authentication ifndef::env-kubernetes[] From 4c72e8414e80544e21510b6eb59fbc28dd6be689 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:44:13 -0400 Subject: [PATCH 29/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 14852ba0d..f5b6709f0 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -46,7 +46,6 @@ Feature: User CRDs key: password # end::manage-auth-only-manifest[] """ -# end::scenario[] And user "jason" is successfully synced And I delete the CRD user "jason" Then there should be ACLs in the cluster "sasl" for user "jason" From e5b73b85e1403e282c9bc0e07bb189ac827058c6 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 08:45:49 -0400 Subject: [PATCH 30/46] Fix tag --- modules/manage/examples/kubernetes/user.feature | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f5b6709f0..805a0bf5a 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -28,6 +28,7 @@ Feature: User CRDs # tag::manage-authn-only-manifest[] # In this example manifest, a user called "jason" is created in a cluster called "sasl". # The user's password is defined in a Secret called "jason-password". +# This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User 
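Review bot: after this and the previous "Fix tag" commit, the authentication-only manifest still has a mismatched tag pair. It opens with `# tag::manage-authn-only-manifest[]` (context line in this hunk), but the closing line, visible as context in PATCH 29, is `# end::manage-auth-only-manifest[]` (`auth`, not `authn`), so the region selected by `include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0]` is never closed. Rename the end tag to `manage-authn-only-manifest`.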
@@ -60,6 +61,7 @@ Feature: User CRDs # tag::manage-authz-only-manifest[] # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. +# This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User From fa7ac8e7468c27aee182db8a17402a4d203ce51d Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 11:15:28 -0400 Subject: [PATCH 31/46] Explain the three options for using the User resource --- .../authentication/k-user-controller.adoc | 140 +++++++++++++----- 1 file changed, 105 insertions(+), 35 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 38b568143..97420fb09 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -1,9 +1,9 @@ = Manage Users with the Redpanda Operator -:description: Use the User resource to declaratively create and manage Kafka users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding Kafka user in sync with the User resource. +:description: Use the User resource to declaratively create and manage Redpanda users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Kafka users using xref:reference:k-crd.adoc[User custom resources] in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding Kafka user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. == Prerequisites 
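Review bot: the parenthetical in "xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes" does not say what it abbreviates. If it is meant to introduce the short form used in the rest of the page, write "(User resources)"; otherwise drop it.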
@@ -14,9 +14,21 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== Create a user +== User resource management -You can create a new user using a User resource: +When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. + +[NOTE] +==== +You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. +==== + +=== Manage new users (authentication only) + +- *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. +- *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. + +This example shows how to manage the creation and authentication of a user without configuring ACLs. .`new-user.yaml` [,yaml] 
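Review bot: under "Manage new users (authentication only)", the "What happens when deleted" bullet says manually created ACLs remain after the user is deleted, but not what that means for the next user created with the same name. ACLs are bound to the principal name, so a later user with that name picks up the leftover permissions; add a sentence telling readers to remove those ACLs when they retire the user. Also lowercase "If" in "Use this option If you have".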
@@ -24,9 +36,12 @@ You can create a new user using a User resource: include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -== Create an access control list (ACL) +=== Manage existing users (authorization only) -You can create a new ACL for existing users in your cluster using the User resource. Give the User resource the same name as your existing user. +- *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). +- *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. + +This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` [,yaml] 
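Review bot: "The ACLs are removed, but the user remains" does not say which ACLs. State whether deleting the resource removes only the rules listed under `spec.authorization.acls` or every ACL that exists for that user, including ones created with `rpk` or another client. The answer decides whether this resource can coexist with ACLs managed elsewhere.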
@@ -34,11 +49,52 @@ You can create a new ACL for existing users in your cluster using the User resou include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Specify authentication type +=== Manage both authentication and authorization + +- *Use case*: You want to manage both user credentials and ACLs within the same resource. +- *What happens when deleted*: Both the user and the associated ACLs are removed. + +This example shows how to manage both authentication and ACLs for a user within the same User resource. + +.`new-user-and-acl.yaml` +[source,yaml] +---- +# In this example manifest, the user "full-user" is created and managed for both authentication and authorization. +# The user is granted both read and write access to the topic critical-topic. +apiVersion: cluster.redpanda.com/v1alpha2 +kind: User +metadata: + name: full-user +spec: + cluster: + clusterRef: + name: sasl + authentication: + type: scram-sha-512 + password: + valueFrom: + secretKeyRef: + name: full-user-secret + key: password + authorization: + acls: + - type: allow + resource: + type: topic + name: critical-topic + patternType: literal + operations: [Read,Write] +---- + +== Configuration advice + +The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. + +=== Choose an authentication type You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. -[,yaml] +[source,yaml] ---- spec: authentication: 
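Review bot: the `new-user-and-acl.yaml` manifest is written inline, while the other two examples are pulled in with `include::manage:example$kubernetes/user.feature[...]`, so it is the only manifest on the page that does not come from the feature file. Add a matching scenario and tag to `user.feature` and include it here. The hunk also switches this section's listing blocks to `[source,yaml]` while the included examples keep `[,yaml]`; pick one form for the page.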
@@ -64,14 +120,14 @@ spec: key: password ---- -To create the Secret: +To create the Secret from a file: -[,bash] +[source,bash] ---- -kubectl --namespace create secret generic user-secret--from-file=password.txt +kubectl --namespace create secret generic user-secret --from-file= ---- -.Example Kubernetes Secret for the user password +.Example: Kubernetes Secret for User Password [source,yaml] ---- apiVersion: v1 @@ -80,10 +136,37 @@ metadata: name: user-secret type: Opaque data: - # base64-encoded password - password: cGFzc3dvcmQ= + password: cGFzc3dvcmQ= # base64-encoded password ---- +=== Define ACLs + +The `spec.authorization` field allows you to manage ACLs for users. ACLs define the permissions users have over specific resources in Redpanda, such as topics, consumer groups, and clusters. + +You can define ACLs for a user by specifying which resources they can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs: + +[source,yaml] +---- +spec: + authorization: + acls: + - type: allow + resource: + type: topic + name: my-topic + patternType: literal + operations: [Read, Write] +---- + +- `type`: Defines whether the ACL is `allow` or `deny`. +- `resource.type`: Specifies the resource type. +- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. +- `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`. + +For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. + +TIP: Use specific resource names where possible. Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. + == Deploy a User resource To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: 
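Review bot: in the field list under "Define ACLs", `resource.name` is missing even though the example sets `name: my-topic` and the TIP is entirely about resource names, and `operations` is described as "the allowed operations", which is wrong when `type` is `deny`. Suggest adding a `resource.name` bullet and rewording the last bullet to "the operations this ACL allows or denies". The `resource.type` bullet could also list the accepted values, since the intro names topics, consumer groups, and clusters but the bullet gives none.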
@@ -133,28 +216,9 @@ Example output: To update a user, edit the User resource configuration and apply the changes. -For example, to change the authentication method: - -.`updated-user.yaml` -[source,yaml] ----- -apiVersion: cluster.redpanda.com/v1alpha2 -kind: User -metadata: - name: my-user -spec: - authentication: - type: scram-sha-256 - cluster: - clusterRef: - name: redpanda-cluster ----- - -Apply the changes: - [bash] ---- -kubectl apply -f updated-user.yaml --namespace +kubectl apply -f .yaml --namespace ---- == Delete a user @@ -166,7 +230,13 @@ To delete a user, delete the User resource: kubectl delete -f example-user.yaml --namespace ---- -When a user is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. +When a User resource is deleted, its underlying data is removed as well. If the user has ACLs, those ACLs are also removed. + +Deleting a User resource will have different impacts depending on how it is configured: + +- **Authentication-only**: When a User resource managing only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a User resource managing only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. +- **Full user management (both authentication and authorization)**: When the resource manages both, the user and its associated ACLs are removed. == Suggested reading From db863f48cae3a71d2be27a581aaa599da07fb4ce Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 14:03:11 -0400 Subject: [PATCH 32/46] Add action to pull acceptance tests --- .github/workflows/fetch-acceptance-tests.yml | 55 ++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/fetch-acceptance-tests.yml 
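Review bot: in the "Delete a user" hunk of k-user-controller.adoc (the last hunk before the PATCH 32/46 header), the retained sentence "If the user has ACLs, those ACLs are also removed" contradicts the new Authentication-only bullet, which says ACLs not managed by the same resource remain in place. Suggest dropping that sentence or scoping it to ACLs defined in the resource, so readers do not assume that deleting a User resource always revokes access.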
diff --git a/.github/workflows/fetch-acceptance-tests.yml b/.github/workflows/fetch-acceptance-tests.yml new file mode 100644 index 000000000..a83d8991d --- /dev/null +++ b/.github/workflows/fetch-acceptance-tests.yml @@ -0,0 +1,55 @@ +--- + name: Fetch and Save K8s Acceptance Tests + on: + workflow_dispatch: # Allows manual trigger of the workflow + repository_dispatch: # Allows other repositories to trigger this workflow + types: [trigger-acceptance-test-pull] + jobs: + fetch-and-save: + runs-on: ubuntu-latest + steps: + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + - name: get secrets from aws sm + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ,sdlc/prod/github/actions_bot_token + parse-json-secrets: true + + - name: Checkout the repository + uses: actions/checkout@v4 + with: + ref: api + token: ${{ env.ACTIONS_BOT_TOKEN }} + path: redpanda-docs + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + - name: Install dependencies + run: | + cd ./redpanda-docs/scripts/fetch-from-github + npm install + + - name: Run the script and save the output + run: node ./redpanda-docs/scripts/fetch-from-github/fetch.js redpanda-data redpanda-operator acceptance/features ../../modules/manage/examples/kubernetes + env: + VBOT_GITHUB_API_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }} + + - name: Create pull request + uses: peter-evans/create-pull-request@v6 + with: + commit-message: "auto-docs: Update K8s acceptance tests" + token: ${{ env.ACTIONS_BOT_TOKEN }} + branch: update-acceptance-tests + title: "auto-docs: Update K8s acceptance tests" + body: "This PR auto-updates the acceptance tests that we use as examples in our Kubernetes docs." + labels: auto-docs + reviewers: JakeSCahill \ No newline at end of file 
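Review bot: `ACTIONS_BOT_TOKEN` is passed to `peter-evans/create-pull-request@v6`, and every action in this workflow is referenced by a mutable tag (`@v4`, `@v2`, `@v6`) rather than a commit SHA, so a retagged release would run with the bot token and the AWS keys in reach. Suggest pinning each `uses:` to a full commit SHA, adding a top-level `permissions:` block, and considering `persist-credentials: false` on the checkout step, because the token given to `actions/checkout@v4` otherwise stays in the checkout's git config while `npm install` runs dependency install scripts. Separately, the repository is checked out with `path: redpanda-docs` but the "Create pull request" step sets no `path:`, so it will look for changes in the workspace root instead of the checkout.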
From 23e70c093961adb183093a27d5a46422a801a10c Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 16:05:42 -0400 Subject: [PATCH 33/46] Add details about autogenerated Secrets/passwords --- .../authentication/k-user-controller.adoc | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 97420fb09..b81bc206c 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -14,7 +14,7 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== User resource management +== Create a user When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
@@ -105,9 +105,15 @@ If no authentication credentials are provided, no user will be created, but ACLs === Manage user secrets -Redpanda users require a password, which can be provided directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. +Redpanda users require a password, which you can provide directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. The Redpanda operator offers flexibility in how these secrets are handled: -For example, to use a Kubernetes Secret for the password, ensure the secret exists and reference it like so: +- If the Secret exists and the key exists within that Secret, the existing password will be used. +- If the Secret exists but the key does not exist, the Secret will be updated with an autogenerated password. +- If the Secret does not exist, a new Secret with the provided key will be created with an autogenerated password. + +This behavior ensures that you can manage user credentials securely and programmatically, while also automating password generation if necessary. + +To use an existing Kubernetes Secret, ensure that the Secret and key are both defined. For example: [source,yaml] ---- 
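Review bot: the field paths in the reworded first sentence, `spec.password.value` and `spec.password.valueFrom.secretKeyRef`, do not match the manifests elsewhere on this page, which nest `password` under `spec.authentication`. Suggest `spec.authentication.password.value` and `spec.authentication.password.valueFrom.secretKeyRef`. Because `value` puts the password in plain text in the manifest, the text should also say that the Secret reference is the preferred form, and the autogeneration bullets should be followed by how to read the generated password back out of the Secret.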
@@ -120,24 +126,16 @@ spec: key: password ---- -To create the Secret from a file: +This example assumes that a Kubernetes Secret named `user-secret` with a key `password` exists. If the Secret does not exist or the key is missing, the Redpanda Operator will handle it by creating or updating the Secret with an autogenerated password. The autogenerated password will follow best practices for secure password generation. + +If you need to create a Secret, you can use the following command as an example: [source,bash] ---- -kubectl --namespace create secret generic user-secret --from-file= +kubectl --namespace create secret generic user-secret --from-file=password.txt ---- -.Example: Kubernetes Secret for User Password -[source,yaml] ----- -apiVersion: v1 -kind: Secret -metadata: - name: user-secret -type: Opaque -data: - password: cGFzc3dvcmQ= # base64-encoded password ----- +In this example, the `password.txt` file contains the password you want to use. === Define ACLs From a462856b08dc88607c942247052fa493d0ba0a0d Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 17:17:25 -0400 Subject: [PATCH 34/46] Improve structure and add term --- .../manage/examples/kubernetes/user.feature | 2 +- .../pages/kubernetes/k-manage-topics.adoc | 2 -- .../authentication/k-user-controller.adoc | 25 +++++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 805a0bf5a..f95bb8403 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password -# end::manage-auth-only-manifest[] +# end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" 
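Review bot: in the k-user-controller.adoc hunk (`@@ -120,24 +126,16 @@`), the example command's `--from-file=password.txt` creates a Secret whose key is `password.txt`, not `password`, so it does not match `key: password` in the manifest just above it. Under the rules added in the previous hunk (Secret exists but the key does not), the operator would then write an autogenerated password under `password` and the password in the file would be silently ignored. Suggest `--from-file=password=password.txt`. The sentence "The autogenerated password will follow best practices for secure password generation" should state the actual length and character set, or be dropped.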
diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index d22d1bc09..f34b45cd9 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc @@ -11,8 +11,6 @@ The Redpanda Operator allows you to declaratively create and manage Kafka topics You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely. - * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster. * *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster. diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index b81bc206c..d463879a4 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,27 +3,28 @@ :page-categories: Management, Development :env-kubernetes: true -The Redpanda Operator allows you to declaratively create and manage Redpanda users using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. This resource allows you to create users as part of a Redpanda deployment. +With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. == Prerequisites You must have the following: -* *Kubernetes cluster*: Ensure you have a running Kubernetes cluster, either locally (minikube or kind) or remotely. * *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. == Create a user -When using the Redpanda User resource, each User instance is responsible for managing both the user credentials (authentication) and the user's access control lists (ACLs) within the Redpanda cluster. You can choose to manage authentication or ACLs separately or you can manage both together. 
+You can use the User resource to: -[NOTE] -==== -You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. -==== +- <> +- <> +- <> -=== Manage new users (authentication only) +Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. + +[[no-acl]] +=== Create a new user without any ACLs - *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. - *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. @@ -36,7 +37,8 @@ This example shows how to manage the creation and authentication of a user witho include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- -=== Manage existing users (authorization only) +[[only-acl]] +=== Create only ACLs for a user - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. 
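Review bot: in the "Create a user" hunk (`@@ -3,27 +3,28 @@`), the paragraph after the three-item list says each User instance manages "both the user credentials (authentication) and the user's ACLs", which contradicts the list itself and the sections that follow, where a resource can manage only credentials or only ACLs. Suggest wording it as "a User resource can manage the credentials, the ACLs, or both". The one-resource-per-user rule also lost its NOTE block in this change; it is a constraint readers must not miss, and the text should say what the operator does when two User resources name the same user.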
@@ -49,7 +51,8 @@ This example shows how to manage only the ACLs for an existing user in the Redpa include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- -=== Manage both authentication and authorization +[[both]] +=== Create a new user and its ACLs - *Use case*: You want to manage both user credentials and ACLs within the same resource. - *What happens when deleted*: Both the user and the associated ACLs are removed. @@ -88,7 +91,7 @@ spec: == Configuration advice -The following sections provide guidance on setting up user authentication, managing secrets, and defining access control lists (ACLs) within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. +The following sections provide guidance on setting up user authentication, managing secrets, and defining ACLs within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. === Choose an authentication type From cc2988ddd8d441f5b90d27282544ce4c01d8eed5 Mon Sep 17 00:00:00 2001 
From: JakeSCahill Date: Tue, 15 Oct 2024 14:46:11 +0100 Subject: [PATCH 35/46] DOC-442 User resource docs --- modules/ROOT/nav.adoc | 4 +++- .../manage/examples/kubernetes/user.feature | 16 +++++++------- .../pages/kubernetes/k-manage-topics.adoc | 7 +++++- .../security/authentication/index.adoc | 6 +++++ .../authentication/k-authentication.adoc | 3 +-- .../authentication/k-user-controller.adoc | 22 +++++++++---------- 6 files changed, 35 insertions(+), 23 deletions(-) create mode 100644 modules/manage/pages/kubernetes/security/authentication/index.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 2fc8a6e5c..1f2a47224 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -108,7 +108,9 @@ **** xref:manage:kubernetes/security/tls/index.adoc[TLS Encryption] ***** xref:manage:kubernetes/security/tls/k-cert-manager.adoc[Use cert-manager] ***** xref:manage:kubernetes/security/tls/k-secrets.adoc[Use Secrets] -**** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Authentication] +**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication] +***** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Enable Authentication] +***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs] **** xref:manage:kubernetes/security/k-audit-logging.adoc[Audit Logging] *** xref:manage:kubernetes/k-rack-awareness.adoc[Rack Awareness] *** xref:manage:kubernetes/k-remote-read-replicas.adoc[Remote Read Replicas] diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index f95bb8403..908e0646e 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature 
@@ -25,10 +25,10 @@ Feature: User CRDs | jason | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] | When I apply Kubernetes manifest: """ -# tag::manage-authn-only-manifest[] -# In this example manifest, a user called "jason" is created in a cluster called "sasl". -# The user's password is defined in a Secret called "jason-password". -# This example assumes that you will create ACLs for this user separately. + # tag::manage-authn-only-manifest[] + # In this example manifest, a user called "jason" is created in a cluster called "sasl". + # The user's password is defined in a Secret called "jason-password". + # This example assumes that you will create ACLs for this user separately. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User @@ -58,10 +58,10 @@ Feature: User CRDs | travis | password | SCRAM-SHA-256 | When I apply Kubernetes manifest: """ -# tag::manage-authz-only-manifest[] -# In this example manifest, an ACL called "travis" is created in a cluster called "sasl". -# The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. -# This example assumes that you already have a user called "travis" in your cluster. + # tag::manage-authz-only-manifest[] + # In this example manifest, an ACL called "travis" is created in a cluster called "sasl". + # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic. + # This example assumes that you already have a user called "travis" in your cluster. --- apiVersion: cluster.redpanda.com/v1alpha2 kind: User diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index f34b45cd9..326c19ea3 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc 
@@ -17,7 +17,12 @@ You must have the following: == Limitations -You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you must use `rpk` or another Kafka client. For details about ACLs, see xref:security/authorization/index.adoc[]. +You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you can use: + +- xref:manage:kubernetes/security/authentication/k-user-controller.adoc[The User resource] +- xref:get-started:rpk-install.adoc[`rpk`] or another Kafka client + +For details about ACLs, see xref:security/authorization/index.adoc[]. == Create a topic diff --git a/modules/manage/pages/kubernetes/security/authentication/index.adoc b/modules/manage/pages/kubernetes/security/authentication/index.adoc new file mode 100644 index 000000000..b8ac87f4f --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authentication/index.adoc @@ -0,0 +1,6 @@ += Authentication for Redpanda in Kubernetes +:page-layout: index +:description: Learn how to configure authentication for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. +:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc + +Redpanda offers two methods to manage authentication in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc b/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc index 8f97f12cd..56df29cc2 100644 
--- a/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc @@ -1,8 +1,7 @@ = Configure Authentication for Redpanda in Kubernetes -:description: Learn how to configure authentication for Redpanda in Kubernetes. +:description: Use Helm values or the Redpanda resource manifest to enable authentication for Redpanda. This method provides a way to configure authentication during the initial deployment or updates to the cluster configuration. :page-context-links: [{"name": "Linux", "to": "manage:security/authentication.adoc" },{"name": "Kubernetes", "to": "manage:kubernetes/security/authentication/k-authentication.adoc" } ] :tags: ["Kubernetes", "Helm configuration"] -:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc :page-categories: Management, Security :env-kubernetes: true :page-toclevels: 3 diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index d463879a4..d2ac0ad48 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -1,5 +1,5 @@ -= Manage Users with the Redpanda Operator -:description: Use the User resource to declaratively create and manage Redpanda users as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. += Manage Users and ACLs with the Redpanda Operator +:description: Use the User resource to declaratively create and manage users and ACLs as part of a Redpanda deployment. Each User resource is mapped to a user in your Redpanda cluster. The user controller keeps the corresponding user in sync with the User resource. :page-categories: Management, Development :env-kubernetes: true 
@@ -21,24 +21,24 @@ You can use the User resource to: - <> - <> -Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another User resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. +Each User instance is responsible for managing both the user credentials (authentication) and the user's ACLs within the Redpanda cluster. You cannot use one User resource to manage the user and another resource to manage the ACLs. Only one User instance is allowed per user in the Redpanda cluster. [[no-acl]] === Create a new user without any ACLs - *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. -- *What happens when deleted*: The user is deleted, but any manually created ACLs for that user will remain in the cluster. +- *What happens when deleted*: The user is deleted, but ACLs for that user will remain in the cluster. This example shows how to manage the creation and authentication of a user without configuring ACLs. .`new-user.yaml` -[,yaml] +[,yaml,indent=0] ---- include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] ---- [[only-acl]] -=== Create only ACLs for a user +=== Create only ACLs - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. 
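Review bot: the reworded "What happens when deleted" bullet under "Create a new user without any ACLs" now says ACLs for the user remain, but not what that means if a user with the same name is created again later. Suggest stating whether the re-created user picks up the leftover ACLs and linking to how to remove them, since readers will otherwise treat deleting the User resource as revoking access. Minor: `indent=0` is now set on the listing block as well as on the `include::` inside it, which looks redundant.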
@@ -46,7 +46,7 @@ include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest, This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` -[,yaml] +[,yaml,indent=0] ---- include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] ---- @@ -60,7 +60,7 @@ include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest, This example shows how to manage both authentication and ACLs for a user within the same User resource. .`new-user-and-acl.yaml` -[source,yaml] +[source,yaml,indent=0] ---- # In this example manifest, the user "full-user" is created and managed for both authentication and authorization. # The user is granted both read and write access to the topic critical-topic. 
@@ -235,9 +235,9 @@ When a User resource is deleted, its underlying data is removed as well. If the Deleting a User resource will have different impacts depending on how it is configured: -- **Authentication-only**: When a User resource managing only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. -- **Authorization-only**: When a User resource managing only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. -- **Full user management (both authentication and authorization)**: When the resource manages both, the user and its associated ACLs are removed. +- **Authentication-only**: When a User resource that manages only authentication is deleted, the user is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a User resource that manages only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. +- **Full user management (both authentication and authorization)**: When the resource manages both users and ACLs, the user and its associated ACLs are removed. == Suggested reading From 8c758ba38938452da159bfa898d9bef502cbb212 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 11:15:28 -0400 Subject: [PATCH 36/46] Explain the three options for using the User resource --- .../kubernetes/security/authentication/k-user-controller.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index d2ac0ad48..e705e2863 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -13,7 +13,7 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== Create a user +== User resource management You can use the User resource to: From e9070053433e187ea364da88c63f1568fadf5984 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Thu, 26 Sep 2024 16:05:42 -0400 Subject: [PATCH 37/46] Add details about autogenerated Secrets/passwords --- .../kubernetes/security/authentication/k-user-controller.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index e705e2863..d2ac0ad48 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -13,7 +13,7 @@ You must have the following: * *Redpanda Operator*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. * *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. -== User resource management +== Create a user You can use the User resource to: From 25f21022878282dc8c8fa28445d04cb277c8e62e Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 15:47:29 +0100 Subject: [PATCH 38/46] Fix comments --- modules/manage/examples/kubernetes/user.feature | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
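Review bot: patches 36/46 and 37/46 cancel out: the first renames "== Create a user" to "== User resource management" and the second renames it back, and neither commit subject describes a heading change. Suggest dropping both or squashing them before merge so the history shows only the final heading.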
diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index 908e0646e..d6c464083 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password -# end::manage-authn-only-manifest[] + # end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" @@ -79,7 +79,7 @@ Feature: User CRDs name: some-topic patternType: prefixed operations: [Read] -# end::manage-authz-only-manifest[] + # end::manage-authz-only-manifest[] """ And user "travis" is successfully synced And I delete the CRD user "travis" From 81b1c7c004e1a3b4fb63ba7b5baef58da9503c61 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 15:57:02 +0100 Subject: [PATCH 39/46] Fix comments --- modules/manage/examples/kubernetes/user.feature | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user.feature index d6c464083..3712f6cb9 100644 --- a/modules/manage/examples/kubernetes/user.feature +++ b/modules/manage/examples/kubernetes/user.feature @@ -45,7 +45,7 @@ Feature: User CRDs secretKeyRef: name: jason-password key: password - # end::manage-authn-only-manifest[] + # end::manage-authn-only-manifest[] """ And user "jason" is successfully synced And I delete the CRD user "jason" @@ -79,7 +79,7 @@ Feature: User CRDs name: some-topic patternType: prefixed operations: [Read] - # end::manage-authz-only-manifest[] + # end::manage-authz-only-manifest[] """ And user "travis" is successfully synced And I delete the CRD user "travis" From f403c7036e767823eebbe1fb150a1437e9ebf75f Mon Sep 17 00:00:00 2001 
From: JakeSCahill Date: Tue, 15 Oct 2024 16:06:06 +0100 Subject: [PATCH 40/46] Update filename --- .../examples/kubernetes/{user.feature => user-crds.feature} | 0 .../kubernetes/security/authentication/k-user-controller.adoc | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename modules/manage/examples/kubernetes/{user.feature => user-crds.feature} (100%) diff --git a/modules/manage/examples/kubernetes/user.feature b/modules/manage/examples/kubernetes/user-crds.feature similarity index 100% rename from modules/manage/examples/kubernetes/user.feature rename to modules/manage/examples/kubernetes/user-crds.feature diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index d2ac0ad48..90237c4b3 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -34,7 +34,7 @@ This example shows how to manage the creation and authentication of a user witho .`new-user.yaml` [,yaml,indent=0] ---- -include::manage:example$kubernetes/user.feature[tags=manage-authn-only-manifest,indent=0] +include::manage:example$kubernetes/user-crds.feature[tags=manage-authn-only-manifest,indent=0] ---- [[only-acl]] @@ -48,7 +48,7 @@ This example shows how to manage only the ACLs for an existing user in the Redpa .`new-acl.yaml` [,yaml,indent=0] ---- -include::manage:example$kubernetes/user.feature[tags=manage-authz-only-manifest,indent=0] +include::manage:example$kubernetes/user-crds.feature[tags=manage-authz-only-manifest,indent=0] ---- [[both]] From f941a6c774b3ecb98a23e53499c099b9563d8061 Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 15 Oct 2024 16:50:13 +0100 Subject: [PATCH 41/46] Add what's new --- modules/get-started/pages/whats-new.adoc | 76 ++---------------------- 1 file changed, 6 insertions(+), 70 deletions(-) 
diff --git a/modules/get-started/pages/whats-new.adoc b/modules/get-started/pages/whats-new.adoc index 388f57a5c..41ee90b92 100644 --- a/modules/get-started/pages/whats-new.adoc +++ b/modules/get-started/pages/whats-new.adoc 
@@ -7,76 +7,12 @@ This topic includes new content added in version {page-component-version}. For a * xref:redpanda-cloud:get-started:whats-new-cloud.adoc[] * xref:redpanda-cloud:get-started:cloud-overview.adoc#redpanda-cloud-vs-self-managed-feature-compatibility[Redpanda Cloud vs Self-Managed feature compatibility] -== FIPS compliance +== Declarative User and ACL management in Kubernetes -Redpanda now provides a FIPS 140-compliant binary to support running Redpanda in environments requiring FIPS-compliant software and to meet certain requirements for organizations undergoing certification through government compliance programs, such as FedRAMP. When using the FIPS binary, both Redpanda and `rpk` leverage FIPS-compliant OpenSSL libraries and ciphers for all encryption activity inside Redpanda, including encryption of data in transit. Install the `redpanda-fips` package to xref:manage:security/fips-compliance.adoc[run Redpanda in FIPS-compliance mode]. +Redpanda now supports declarative management of users and access control lists (ACLs) using the new User resource with the Redpanda Operator. This feature allows you to: -== Schema Registry support for JSON +- Create and manage Redpanda users and their authentication settings. +- Define and manage ACLs to control access to Redpanda resources. +- Automatically reconcile changes to users and ACLs using the Redpanda Operator. -Redpanda's xref:manage:schema-reg/schema-reg-overview.adoc[Schema Registry] now supports JSON serialization format, in addition to Avro and Protobuf. You can use a https://json-schema.org/[JSON Schema^] format to validate messages and ensure compatibility between schema versions. 
- -== Schema Registry read-only mode - -You can now put individual subjects or the entire Schema Registry into read-only or read-write mode with the xref:manage:schema-reg/schema-reg-api.adoc#use-readonly-mode-for-disaster-recovery[Schema Registry API] `/mode` endpoint or with xref:reference:rpk/rpk-registry/rpk-registry-mode-set.adoc[`rpk registry mode set`]. You can use the `READONLY` mode in an active/passive disaster recovery configuration. - -== TLS enhancements - -* *Minimum TLS version*: For enhanced security, Redpanda now has a cluster configuration property to xref:manage:security/encryption.adoc#manage-the-minimum-tls-version[control the minimum TLS version] to use for encryption. By default, xref:reference:properties/cluster-properties.adoc#tls_min_version[`tls_min_version`] is set to `v1.2`, which prevents client applications from using older TLS versions to connect to your clusters. - -* *Certificate revocation lists*: When enabling TLS encryption for the Kafka, Admin, HTTP Proxy or Schema Registry APIs, you can now xref:manage:security/encryption.adoc[add a certificate revocation list (CRL)] to your configuration. Redpanda uses the CRL to check and reject connections from entities using certificates already revoked by a certificate authority. - -== Data transforms enhancements - -Redpanda has a new xref:reference:data-transforms/js/index.adoc[JavaScript SDK] that you can use to build and deploy data transforms in Redpanda. To get started, see xref:develop:data-transforms/run-transforms-index.adoc[]. - -You can now deploy data transform functions that xref:develop:data-transforms/deploy.adoc#reprocess[reprocess existing records] from an input topic. Processing existing records can be useful, for example, to process historical data into a different format for a new consumer, to re-create lost data from an accidentally-deleted topic, or to resolve issues with a previous version of a transform that processed data incorrectly. 
- -The docs now also include an xref:develop:data-transforms/index.adoc[expanded guide] designed to help you master the creation, deployment, and management of data transforms in Redpanda. - -== Enhanced cache trimming - -Redpanda has two new properties that provide finer control over cache management. These settings allow you to define specific thresholds for triggering xref:manage:tiered-storage.adoc#cache-trimming[cache trimming] based on cache size and the number of objects, helping to optimize performance and prevent slow reads. - -- config_ref:cloud_storage_cache_trim_threshold_percent_size,true,properties/object-storage-properties[] -- config_ref:cloud_storage_cache_trim_threshold_percent_objects,true,properties/object-storage-properties[] - -== Client throughput management - -Redpanda now includes `rpk` and Redpanda Console support for managing xref:manage:cluster-maintenance/manage-throughput.adoc#client-throughput-limits[client throughput limits]. You can set client throughput quotas using `rpk` for an individual client based on client ID, as well as for a group of clients based on ID prefix matching. New xref:manage:cluster-maintenance/manage-throughput.adoc#monitor-client-throughput[metrics] are available for insights on client throughput utilization. - -Client throughput quotas, previously applied on a per-shard basis, now apply on a per-broker basis. Cluster configuration properties for managing client quotas are xref:upgrade:deprecated/index.adoc[deprecated], including `target_quota_byte_rate` which is disabled by default with the value `0`. - -== Self-test enhancements - -New tests are added to the xref:manage:cluster-maintenance/cluster-diagnostics.adoc[Redpanda self-test] suite: - -* Cloud storage tests to validate xref:manage:tiered-storage.adoc[Tiered Storage] configuration. -* 16K block size disk tests to better assess block storage performance, particularly in response to I/O depth changes. 
-* 4K block size disk test with dsync off to assess the impact of fdatasync on the storage layer. - -See the xref:reference:rpk/rpk-cluster/rpk-cluster-self-test-status.adoc[`rpk self test`] reference for usage and output examples. - -== Intra-broker partition balancing: beta - -xref:manage:cluster-maintenance/cluster-balancing.adoc#intra-broker-partition-balancing[Intra-broker partition balancing] is a new topic-aware partition balancer that balances partitions across cores within a Redpanda broker. This balancer considers core count changes as well as partition movement to rebalance partition replicas and improve performance. - -This is a beta feature for v24.2 and is not recommended for use for production clusters. - -== New commands - -The following `rpk` commands are new in this version: - -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-alter.adoc[`rpk cluster quotas alter`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-describe.adoc[`rpk cluster quotas describe`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas-import.adoc[`rpk cluster quotas import`] -* xref:reference:rpk/rpk-cluster/rpk-cluster-quotas.adoc[`rpk cluster quotas`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode.adoc[`rpk registry mode`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-get.adoc[`rpk registry mode get`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-reset.adoc[`rpk registry mode reset`] -* xref:reference:rpk/rpk-registry/rpk-registry-mode-set.adoc[`rpk registry mode set`] -* xref:reference:rpk/rpk-transform/rpk-transform-pause.adoc[`rpk transform pause`] -* xref:reference:rpk/rpk-transform/rpk-transform-resume.adoc[`rpk transform resume`] - -== Doc enhancements - -The https://docs.redpanda.com/home/[Redpanda Docs home page] has been redesigned, so you can stay within the context of Redpanda Self-Managed, Redpanda Cloud, or Redpanda Connect docs. We hope that our docs help and inspire our users. 
Please share your feedback with the links at the bottom of any doc page. +To learn more, see the xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resource documentation]. From 30bed03cb9912a487da57fe021c6b36e6934ba67 Mon Sep 17 00:00:00 2001 From: Jake Cahill <45230295+JakeSCahill@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:56:13 +0100 Subject: [PATCH 42/46] Apply suggestions from code review --- modules/get-started/pages/whats-new.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/get-started/pages/whats-new.adoc b/modules/get-started/pages/whats-new.adoc index 41ee90b92..b3a94d08e 100644 --- a/modules/get-started/pages/whats-new.adoc +++ b/modules/get-started/pages/whats-new.adoc @@ -7,7 +7,7 @@ This topic includes new content added in version {page-component-version}. For a * xref:redpanda-cloud:get-started:whats-new-cloud.adoc[] * xref:redpanda-cloud:get-started:cloud-overview.adoc#redpanda-cloud-vs-self-managed-feature-compatibility[Redpanda Cloud vs Self-Managed feature compatibility] -== Declarative User and ACL management in Kubernetes +== Declarative user and ACL management in Kubernetes Redpanda now supports declarative management of users and access control lists (ACLs) using the new User resource with the Redpanda Operator. This feature allows you to: From 611c231ddcc0147434767af9470bae16c2f3f7af Mon Sep 17 00:00:00 2001 From: JakeSCahill Date: Tue, 22 Oct 2024 09:52:11 +0100 Subject: [PATCH 43/46] Add more links --- .../kubernetes/k-production-deployment.adoc | 4 +- .../pages/kubernetes/k-manage-topics.adoc | 18 +- .../authentication/k-user-controller.adoc | 44 +- modules/reference/pages/k-crd.adoc | 869 +++++++++--------- .../pages/migrate/kubernetes/strimzi.adoc | 2 +- 5 files changed, 494 insertions(+), 443 deletions(-) 
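Review bot: The whats-new.adoc hunk in PATCH 41/46 (`@@ -7,76 +7,12 @@`) removes every existing entry, from `== FIPS compliance` through `== Doc enhancements`, while the subject says only "Add what's new". If the page is being reset for a new release, say so in the commit message and confirm the removed entries survive on the previous version's page. Otherwise, add the new section above the existing ones instead of replacing them.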
diff --git a/modules/deploy/pages/deployment-option/self-hosted/kubernetes/k-production-deployment.adoc b/modules/deploy/pages/deployment-option/self-hosted/kubernetes/k-production-deployment.adoc index 6a43a4437..e0a921771 100644 --- a/modules/deploy/pages/deployment-option/self-hosted/kubernetes/k-production-deployment.adoc +++ b/modules/deploy/pages/deployment-option/self-hosted/kubernetes/k-production-deployment.adoc @@ -134,9 +134,9 @@ spec: ---- + - `metadata.name`: Name to assign the Redpanda cluster. This name is also assigned to the Helm release. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-src-go-k8s-apis-redpanda-v1alpha1-chartref[`spec.chartRef`]: Information about the Helm chart that will be used to deploy Redpanda. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-api-redpanda-v1alpha2-chartref[`spec.chartRef`]: Information about the Helm chart that will be used to deploy Redpanda. - `spec.chartRef.chartVersion`: This field specifies the exact version of the Redpanda Helm chart to use for deployment. By setting this value, you <>, which prevents automatic updates that might introduce breaking changes or new features that have not been tested in your environment. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-src-go-k8s-apis-redpanda-v1alpha1-redpandaclusterspec[`spec.clusterSpec`]: This is where you can override default values in the Redpanda Helm chart. Here, you mount the <> to the Pods that run Redpanda. For other configuration details, see <>. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-api-redpanda-v1alpha2-redpandaclusterspec[`spec.clusterSpec`]: This is where you can override default values in the Redpanda Helm chart. Here, you mount the <> to the Pods that run Redpanda. For other configuration details, see <>. . Apply the Redpanda resource: + 
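Review bot: Both updated xrefs in this hunk (`spec.chartRef` and `spec.clusterSpec`) use the anchor segment `redpanda-data-redpanda-operator-api-redpanda-v1alpha2-`, but the IDs this same patch writes into k-crd.adoc, and the xrefs it updates in k-manage-topics.adoc, use `redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-` (with `operator` twice). Unless k-crd.adoc defines the `chartref` and `redpandaclusterspec` IDs differently from the others, these two links will not resolve. Align them with the generated IDs.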
diff --git a/modules/manage/pages/kubernetes/k-manage-topics.adoc b/modules/manage/pages/kubernetes/k-manage-topics.adoc index 326c19ea3..3d234d0c4 100644 --- a/modules/manage/pages/kubernetes/k-manage-topics.adoc +++ b/modules/manage/pages/kubernetes/k-manage-topics.adoc @@ -5,7 +5,7 @@ :env-kubernetes: true :page-aliases: manage:kubernetes/manage-topics.adoc -The Redpanda Operator allows you to declaratively create and manage Kafka topics using xref:reference:k-crd.adoc##k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[Topic custom resources] (resources) in Kubernetes. Each Topic resource is mapped to a topic in your Redpanda cluster. The topic controller, a component of the Redpanda Operator, keeps the corresponding Kafka topic in sync with the Topic resource. This resource allows you to create topics as part of a Redpanda deployment. +The Redpanda Operator allows you to declaratively create and manage Kafka topics using xref:reference:k-crd.adoc##k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[Topic custom resources] (resources) in Kubernetes. Each Topic resource is mapped to a topic in your Redpanda cluster. The topic controller, a component of the Redpanda Operator, keeps the corresponding Kafka topic in sync with the Topic resource. This resource allows you to create topics as part of a Redpanda deployment. == Prerequisites 
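Review bot: The Topic xref on the changed line still has a doubled fragment separator (`k-crd.adoc##k8s-api-...`), carried over from the removed line. Since the anchor is being rewritten here anyway, drop the extra `#` so it matches the single-`#` form used by the other xrefs in this file.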
@@ -47,23 +47,23 @@ spec: interval: ---- -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`metadata.name`] (*required*): The name of the Topic resource. If the <> property is not set, the name of the Topic resource is also given to the topic in Redpanda. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`metadata.name`] (*required*): The name of the Topic resource. If the <> property is not set, the name of the Topic resource is also given to the topic in Redpanda. + Valid names must consist of lowercase alphanumeric characters, hyphens (-), or periods (.). Names cannot start or end with a non-alphanumeric character. Underscores (_) are not allowed. For example, `chat-room` is a valid name, whereas `chat_room` is not. To use other characters such as underscores in your topic names, use the <> property. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[`spec.kafkaApiSpec`] (*required*): Configuration details for connecting to Redpanda brokers. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[`spec.kafkaApiSpec`] (*required*): Configuration details for connecting to Redpanda brokers. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.partitions`]: The number of topic shards distributed across the brokers in a Redpanda cluster. This value cannot be decreased post-creation. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_partitions[`default_topic_partitions`]. 
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.partitions`]: The number of topic shards distributed across the brokers in a Redpanda cluster. This value cannot be decreased post-creation. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_partitions[`default_topic_partitions`]. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.replicationFactor`]: Specifies the number of topic replicas. The value must be an odd number. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_replications[`default_topic_replications`]. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.replicationFactor`]: Specifies the number of topic replicas. The value must be an odd number. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_replications[`default_topic_replications`]. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.additionalConfig`]: A map of any topic-specific configuration options. See xref:reference:topic-properties.adoc[]. +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.additionalConfig`]: A map of any topic-specific configuration options. See xref:reference:topic-properties.adoc[]. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.metricsNamespace`]: The fully-qualified name of the topic metrics for use in multi-operator environments. Defaults to `redpanda-operator`. 
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.metricsNamespace`]: The fully-qualified name of the topic metrics for use in multi-operator environments. Defaults to `redpanda-operator`. -- [[overwrite]]xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.overwriteTopicName`]: Overwrites the topic name in `metadata.name`. +- [[overwrite]]xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.overwriteTopicName`]: Overwrites the topic name in `metadata.name`. -- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.interval`]: Sets the reconciliation interval for the topic controller. Default is 3 seconds (`3s`). +- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.interval`]: Sets the reconciliation interval for the topic controller. Default is 3 seconds (`3s`). The default settings are best suited to a one-broker cluster in a development environment. To learn how to modify the default values in the configuration file, see xref:manage:cluster-maintenance/cluster-property-configuration.adoc[Configure Cluster Properties]. Even if you set default values that work for most topics, you may still want to change some properties for a specific topic. diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 90237c4b3..5a9455bed 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -43,6 +43,8 @@ include::manage:example$kubernetes/user-crds.feature[tags=manage-authn-only-mani - *Use case*: You want to manage ACLs for an existing user in the Redpanda cluster, but not modify the user's credentials. Use this option if user credentials are managed by another process or tool, and you only want to control what resources the user can access (authorization). - *What happens when deleted*: The ACLs are removed, but the user remains. This is useful when you want to revoke access but retain the user's credentials for future use. +When you create ACLs with the User resource, the specified ACLs are applied only to the user defined in the `metadata.name` field. For example, if you create ACLs for a user named `data-consumer`, those ACLs apply only to that user. Other users in the Redpanda cluster are not affected by these ACLs. + This example shows how to manage only the ACLs for an existing user in the Redpanda cluster. .`new-acl.yaml` 
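Review bot: The added paragraph illustrates the scoping rule with a user named `data-consumer`, but the manifest included directly below comes from the `manage-authz-only-manifest` block in user-crds.feature, whose scenario is written for the user `travis`. Use the same name in the prose as in the included manifest so readers can match the sentence to the `metadata.name` they see in `new-acl.yaml`.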
@@ -93,9 +95,33 @@ spec: The following sections provide guidance on setting up user authentication, managing secrets, and defining ACLs within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. -=== Choose an authentication type +You can find all configuration options for the User resource in the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[CRD reference]. + +=== Choose a username + +The `metadata.name` field in the User resource is used to specify the username. Keep in mind the following best practices when choosing a username: + +- Uniqueness: Ensure that each user has a unique name to avoid conflicts. The username must be unique within the Redpanda cluster. +- Descriptive: Choose a name that identifies the purpose or role of the user. For example, use names like `app-consumer` or `admin-user`. +- Stable: Avoid changing usernames frequently. Usernames are tied to authentication and authorization rules (ACLs). Renaming a user involves deleting and recreating the user. + +[,yaml] +---- +metadata: + name: full-user +---- + +In this example, `full-user` is the username, which will be referenced in both authentication and authorization rules. + +=== Configure authentication + +This section provides guidance on configuring authentication for users with the User resource. + +You can find all configuration options for authentication in the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec[UserAuthenticationSpec] of the CRD reference. 
+ +==== Choose an authentication type -You can specify the authentication type for a user using the `spec.authentication.type` field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. +You can specify the authentication type for a user using the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec[`spec.authentication.type`] field. Supported values include `scram-sha-256`, `scram-sha-512`, and their uppercase variants. [source,yaml] ---- @@ -106,9 +132,9 @@ spec: If no authentication credentials are provided, no user will be created, but ACLs can still be managed for existing users. -=== Manage user secrets +==== Manage user secrets -Redpanda users require a password, which you can provide directly, using the `spec.password.value` field, or through a Kubernetes Secret, using the `spec.password.valueFrom.secretKeyRef`. The Redpanda operator offers flexibility in how these secrets are handled: +Redpanda users require a password, which you can provide directly, using the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password[`spec.password.value`] field, or through a Kubernetes Secret, using the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password[`spec.password.valueFrom.secretKeyRef`]. The Redpanda operator offers flexibility in how these secrets are handled: - If the Secret exists and the key exists within that Secret, the existing password will be used. - If the Secret exists but the key does not exist, the Secret will be updated with an autogenerated password. 
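Review bot: In the "Manage user secrets" hunk, the changed sentence gives the password paths as `spec.password.value` and `spec.password.valueFrom.secretKeyRef`, while the type field in the preceding subsection is `spec.authentication.type` and both subsections now sit under "Configure authentication". Check the paths against the CRD and write them out in full if the password block is nested under `spec.authentication`. The sentence also presents the inline value and the Secret reference as equal options. It is worth stating that an inline value is stored in plain text in the User resource and is readable by anyone who can read that resource, and recommending `secretKeyRef` for anything beyond local testing.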
@@ -142,7 +168,7 @@ In this example, the `password.txt` file contains the password you want to use. === Define ACLs -The `spec.authorization` field allows you to manage ACLs for users. ACLs define the permissions users have over specific resources in Redpanda, such as topics, consumer groups, and clusters. +The xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[`spec.authorization`] field allows you to manage ACLs for users. ACLs define the permissions users have over specific resources in Redpanda, such as topics, consumer groups, and clusters. You can define ACLs for a user by specifying which resources they can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs: 
@@ -161,12 +187,14 @@ spec: - `type`: Defines whether the ACL is `allow` or `deny`. - `resource.type`: Specifies the resource type. -- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. +- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. Default: `literal`. ++ +TIP: Use specific resource names where possible. Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. - `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`. -For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. +You can find all configuration options for authorization in the xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[UserAuthorizationSpec] of the CRD reference. -TIP: Use specific resource names where possible. Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. +For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. == Deploy a User resource diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index 686f96406..28ac982b8 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -8,16 +8,16 @@ Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of an evolving API architecture, representing an initial stage that may be subject to change based on user feedback and further development. .Resource Types -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist[$$TopicList$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topiclist[$$TopicList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist[$$UserList$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation"] 
+[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation"] == ACLOperation (string) ACLOperation specifies the type of operation for an ACL. @@ -25,11 +25,11 @@ ACLOperation specifies the type of operation for an ACL. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec"] == ACLResourceSpec ACLResourceSpec indicates the resource for which given ACL rule applies. 
@@ -37,22 +37,22 @@ ACLResourceSpec indicates the resource for which given ACL rule applies. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | | *`name`* __string__ | Name of resource for which given ACL rule applies. + Can be combined with patternType field to use prefix pattern. + -| *`patternType`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | Describes the pattern used in the resource field. The supported types are literal + +| *`patternType`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | Describes the pattern used in the resource field. The supported types are literal + and prefixed. With literal pattern type, the resource field will be used as a definition + of a full topic name. With prefix pattern type, the resource name will be used only as + a prefix. Default value is literal. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule"] == ACLRule ACLRule defines an ACL rule applied to the given user. 
@@ -63,20 +63,20 @@ Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | -| *`resource`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$]__ | Indicates the resource for which given ACL rule applies. + +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | +| *`resource`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$]__ | Indicates the resource for which given ACL rule applies. + | *`host`* __string__ | The host from which the action described in the ACL rule is allowed or denied. + If not set, it defaults to *, allowing or denying the action from any host. + -| *`operations`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$] array__ | List of operations which will be allowed or denied. + +| *`operations`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$] array__ | List of operations which will be allowed or denied. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-acltype"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acltype"] == ACLType (string) ACLType specifies the type, either allow or deny of an ACL rule. @@ -84,11 +84,11 @@ ACLType specifies the type, either allow or deny of an ACL rule. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-admin"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin"] == Admin Admin configures settings for the Admin API listeners. 
@@ -96,19 +96,19 @@ Admin configures settings for the Admin API listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + | *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + | *`appProtocol`* __string__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminapispec"] == AdminAPISpec AdminAPISpec defines client configuration for connecting to Redpanda's admin API. 
@@ -116,18 +116,18 @@ AdminAPISpec defines client configuration for connecting to Redpanda's admin API .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`urls`* __string array__ | Specifies a list of broker addresses in the format : + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + -| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminsasl"] == AdminSASL AdminSASL configures credentials to connect to Redpanda cluster that has authentication enabled. 
@@ -135,19 +135,19 @@ AdminSASL configures credentials to connect to Redpanda cluster that has authent .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`username`* __string__ | Specifies the username. + -| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + -| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + -| *`token`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + +| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + +| *`token`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auditlogging"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auditlogging"] == AuditLogging AuditLogging configures how to perform audit logging for a redpanda cluster 
@@ -155,7 +155,7 @@ AuditLogging configures how to perform audit logging for a redpanda cluster .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -176,7 +176,7 @@ Redpanda will use the `internal_topic_replication_factor` cluster config value. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auth"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auth"] == Auth Auth configures authentication in the Helm values. See https://docs.redpanda.com/current/manage/kubernetes/security/authentication/sasl-kubernetes/. 
@@ -184,16 +184,16 @@ Auth configures authentication in the Helm values. See https://docs.redpanda.com .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$]__ | Configures SASL authentication in the Helm values. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl[$$SASL$$]__ | Configures SASL authentication in the Helm values. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authorizationtype"] == AuthorizationType (string) AuthorizationType specifies the type of authorization to use in creating a user. @@ -201,13 +201,13 @@ AuthorizationType specifies the type of authorization to use in creating a user. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-bootstrapuser"] == BootstrapUser BootstrapUser configures the user used to bootstrap Redpanda when SASL is enabled. 
@@ -215,7 +215,7 @@ BootstrapUser configures the user used to bootstrap Redpanda when SASL is enable .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl[$$SASL$$] [cols="25a,75a", options="header"] |=== @@ -226,7 +226,7 @@ password will be read from. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-budget"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-budget"] == Budget Budget configures the management of disruptions affecting the Pods in the StatefulSet. @@ -234,7 +234,7 @@ Budget configures the management of disruptions affecting the Pods in the Statef .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -243,7 +243,7 @@ Budget configures the management of disruptions affecting the Pods in the Statef |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-cpu"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-cpu"] == CPU CPU configures CPU resources for containers. See https://docs.redpanda.com/current/manage/kubernetes/manage-resources/. 
@@ -251,7 +251,7 @@ CPU configures CPU resources for containers. See https://docs.redpanda.com/curre .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources[$$Resources$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resources[$$Resources$$] [cols="25a,75a", options="header"] |=== @@ -261,7 +261,7 @@ CPU configures CPU resources for containers. See https://docs.redpanda.com/curre |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-certificate"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-certificate"] == Certificate Certificate configures TLS certificates. 
@@ -269,14 +269,14 @@ Certificate configures TLS certificates. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tls[$$TLS$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tls[$$TLS$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`issuerRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-issuerref[$$IssuerRef$$]__ | Specify the name of an existing Issuer or ClusterIssuer resource to use to generate certificates. Requires cert-manager. See https://cert-manager.io/v1.1-docs. + -| *`secretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretref[$$SecretRef$$]__ | Specify the name of an existing Secret resource that contains your TLS certificate. + -| *`clientSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretref[$$SecretRef$$]__ | Specify the name of an existing Secret resource that contains your client TLS certificate. + +| *`issuerRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-issuerref[$$IssuerRef$$]__ | Specify the name of an existing Issuer or ClusterIssuer resource to use to generate certificates. Requires cert-manager. See https://cert-manager.io/v1.1-docs. + +| *`secretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretref[$$SecretRef$$]__ | Specify the name of an existing Secret resource that contains your TLS certificate. + +| *`clientSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretref[$$SecretRef$$]__ | Specify the name of an existing Secret resource that contains your client TLS certificate. 
+ | *`duration`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#duration-v1-meta[$$Duration$$]__ | Specifies the validity duration of certificates generated with `issuerRef`. + | *`caEnabled`* __boolean__ | Specifies whether to include the `ca.crt` file in the trust stores of all listeners. Set to `true` only for certificates that are not authenticated using public certificate authorities (CAs). + | *`applyInternalDNSNames`* __boolean__ | Specifies you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer. + @@ -284,7 +284,7 @@ Certificate configures TLS certificates. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-chartref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-chartref"] == ChartRef @@ -292,7 +292,7 @@ Certificate configures TLS certificates. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -302,11 +302,29 @@ Certificate configures TLS certificates. | *`helmRepositoryName`* __string__ | Defines the chart repository to use. Defaults to `redpanda` if not defined. + | *`timeout`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#duration-v1-meta[$$Duration$$]__ | Specifies the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during Helm actions. Defaults to `15m0s`. + -| *`upgrade`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-helmupgrade[$$HelmUpgrade$$]__ | Defines how to handle upgrades, including failures. + +| *`upgrade`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-helmupgrade[$$HelmUpgrade$$]__ | Defines how to handle upgrades, including failures. + +| *`useFlux`* __boolean__ | NOTE! Alpha feature + +UseFlux flag set to `false` will prevent helm controller from reconciling helm chart. The operator would be + +tight with `go` based Redpanda helm chart version. The rest of the ChartRef fields would be ignored. + + + +Before setting UseFlux flag to `false` please alight your ChartVersion to at least `5.9.3` + +version of the Redpanda chart. + + + +RedpandaStatus might not be accurate if flag is set to `false` and HelmRelease is manually deleted. + + + +To achieve dynamic switch for Flux controllers (HelmRelease and HelmRepository) the resources + +would not be removed, but they will be put in suspended mode (if flag is provided and set to `false`). 
+ + + +https://fluxcd.io/flux/components/helm/helmreleases/#suspend + +https://fluxcd.io/flux/components/source/helmrepositories/#suspend + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clusterref"] == ClusterRef ClusterRef represents a reference to a cluster that is being targeted. @@ -314,7 +332,7 @@ ClusterRef represents a reference to a cluster that is being targeted. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] [cols="25a,75a", options="header"] |=== @@ -325,7 +343,7 @@ ClusterRef represents a reference to a cluster that is being targeted. -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource"] == ClusterSource ClusterSource defines how to connect to a particular Redpanda cluster. 
@@ -333,19 +351,20 @@ ClusterSource defines how to connect to a particular Redpanda cluster. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clusterref[$$ClusterRef$$]__ | ClusterRef is a reference to the cluster where the object should be created. + +| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clusterref[$$ClusterRef$$]__ | ClusterRef is a reference to the cluster where the object should be created. + It is used in constructing the client created to configure a cluster. + This takes precedence over StaticConfigurationSource. + -| *`staticConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$]__ | StaticConfiguration holds connection parameters to Kafka and Admin APIs. + +| *`staticConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$]__ | StaticConfiguration holds connection parameters to Kafka and Admin APIs. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-commontls"] == CommonTLS CommonTLS specifies TLS configuration settings for Redpanda clusters that have authentication enabled. 
@@ -353,20 +372,20 @@ CommonTLS specifies TLS configuration settings for Redpanda clusters that have a .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`caCertSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + -| *`certSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Cert is the reference for client public certificate to establish mTLS connection to Redpanda + -| *`keySecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Key is the reference for client private certificate to establish mTLS connection to Redpanda + +| *`caCertSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + +| *`certSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Cert is the reference for client public certificate to establish mTLS 
connection to Redpanda + +| *`keySecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Key is the reference for client private certificate to establish mTLS connection to Redpanda + | *`insecureSkipTlsVerify`* __boolean__ | InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-config"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-config"] == Config Config configures Redpanda config properties supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these values from the defaults comes with some risk. Use these properties to customize various Redpanda configurations that are not available in the `RedpandaClusterSpec`. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. @@ -374,7 +393,7 @@ Config configures Redpanda config properties supported by Redpanda that may not .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -388,7 +407,7 @@ Config configures Redpanda config properties supported by Redpanda that may not |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configsynonyms"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configsynonyms"] == ConfigSynonyms ConfigSynonyms was copied from https://github.com/twmb/franz-go/blob/01651affd204d4a3577a341e748c5d09b52587f8/pkg/kmsg/generated.go#L24569-L24578 @@ -396,7 +415,7 @@ ConfigSynonyms was copied from https://github.com/twmb/franz-go/blob/01651affd20 .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configuration[$$Configuration$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configuration[$$Configuration$$] [cols="25a,75a", options="header"] |=== @@ -408,7 +427,7 @@ ConfigSynonyms was copied from https://github.com/twmb/franz-go/blob/01651affd20 |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configwatcher"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configwatcher"] == ConfigWatcher ConfigWatcher configures a sidecar that watches for changes to the Secret in `auth.sasl.secretRef` and applies the changes to the Redpanda cluster. @@ -416,7 +435,7 @@ ConfigWatcher configures a sidecar that watches for changes to the Secret in `au .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecars[$$SideCars$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecars[$$SideCars$$] [cols="25a,75a", options="header"] |=== 
@@ -428,7 +447,7 @@ ConfigWatcher configures a sidecar that watches for changes to the Secret in `au |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configuration"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configuration"] == Configuration Configuration was copied from https://github.com/twmb/franz-go/blob/01651affd204d4a3577a341e748c5d09b52587f8/pkg/kmsg/generated.go#L24593-L24634 @@ -436,7 +455,7 @@ Configuration was copied from https://github.com/twmb/franz-go/blob/01651affd204 .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicstatus[$$TopicStatus$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicstatus[$$TopicStatus$$] [cols="25a,75a", options="header"] |=== @@ -457,7 +476,7 @@ replaced in favor of Source. + This field has a default of -1. + | *`isSensitive`* __boolean__ | IsSensitive signifies whether this is a sensitive config key, which + is either a password or an unknown type. + -| *`configSynonyms`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configsynonyms[$$ConfigSynonyms$$] array__ | ConfigSynonyms contains fallback key/value pairs for this config + +| *`configSynonyms`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configsynonyms[$$ConfigSynonyms$$] array__ | ConfigSynonyms contains fallback key/value pairs for this config + entry, in order of preference. That is, if a config entry is both + dynamically configured and has a default, the top level return will be + the dynamic configuration, while its "synonym" will be the default. + 
@@ -467,7 +486,7 @@ the dynamic configuration, while its "synonym" will be the default. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configurator"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configurator"] == Configurator @@ -475,7 +494,7 @@ the dynamic configuration, while its "synonym" will be the default. + .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] [cols="25a,75a", options="header"] |=== @@ -485,7 +504,7 @@ the dynamic configuration, while its "synonym" will be the default. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-connectormonitoring"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-connectormonitoring"] == ConnectorMonitoring ConnectorMonitoring configures monitoring resources for Connectors. See https://docs.redpanda.com/current/manage/kubernetes/monitoring/monitor-redpanda/. @@ -493,7 +512,7 @@ ConnectorMonitoring configures monitoring resources for Connectors. See https:// .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] [cols="25a,75a", options="header"] |=== 
@@ -506,7 +525,7 @@ ConnectorMonitoring configures monitoring resources for Connectors. See https:// |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-connectorscreateobj"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-connectorscreateobj"] == ConnectorsCreateObj ConnectorsCreateObj configures Kubernetes resources for Redpanda Connectors. @@ -514,7 +533,7 @@ ConnectorsCreateObj configures Kubernetes resources for Redpanda Connectors. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] [cols="25a,75a", options="header"] |=== @@ -525,7 +544,7 @@ never used. Prefer Create. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-consolecreateobj"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolecreateobj"] == ConsoleCreateObj ConsoleCreateObj represents configuration options for creating Kubernetes objects such as ConfigMaps, Secrets, and Deployments. @@ -533,7 +552,7 @@ ConsoleCreateObj represents configuration options for creating Kubernetes object .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] [cols="25a,75a", options="header"] |=== 
@@ -542,7 +561,7 @@ ConsoleCreateObj represents configuration options for creating Kubernetes object |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-container"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-container"] == Container @@ -550,7 +569,7 @@ ConsoleCreateObj represents configuration options for creating Kubernetes object .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podspec[$$PodSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podspec[$$PodSpec$$] [cols="25a,75a", options="header"] |=== @@ -561,7 +580,7 @@ ConsoleCreateObj represents configuration options for creating Kubernetes object |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-containerresources"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-containerresources"] == ContainerResources ContainerResources defines resource limits for containers. @@ -569,7 +588,7 @@ ContainerResources defines resource limits for containers. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-memory[$$Memory$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-memory[$$Memory$$] [cols="25a,75a", options="header"] |=== 
@@ -579,7 +598,7 @@ ContainerResources defines resource limits for containers. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-credentialsecretref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-credentialsecretref"] == CredentialSecretRef CredentialSecretRef can be used to set cloud_storage_secret_key from referenced Kubernetes Secret @@ -587,17 +606,17 @@ CredentialSecretRef can be used to set cloud_storage_secret_key from referenced .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tiered[$$Tiered$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered[$$Tiered$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`accessKey`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretwithconfigfield[$$SecretWithConfigField$$]__ | -| *`secretKey`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretwithconfigfield[$$SecretWithConfigField$$]__ | +| *`accessKey`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretwithconfigfield[$$SecretWithConfigField$$]__ | +| *`secretKey`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretwithconfigfield[$$SecretWithConfigField$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enablable"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enablable"] == Enablable 
@@ -605,8 +624,8 @@ CredentialSecretRef can be used to set cloud_storage_secret_key from referenced .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] [cols="25a,75a", options="header"] |=== @@ -615,7 +634,7 @@ CredentialSecretRef can be used to set cloud_storage_secret_key from referenced |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enterprise"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterprise"] == Enterprise Enterprise configures an Enterprise license key to enable Redpanda Enterprise features. Requires the post-install job to be enabled (default). See https://docs.redpanda.com/current/get-started/licenses/. 
@@ -623,17 +642,17 @@ Enterprise configures an Enterprise license key to enable Redpanda Enterprise fe .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`license`* __string__ | Specifies the Enterprise license key. + -| *`licenseSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enterpriselicensesecretref[$$EnterpriseLicenseSecretRef$$]__ | Defines a reference to a Secret resource that contains the Enterprise license key. + +| *`licenseSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterpriselicensesecretref[$$EnterpriseLicenseSecretRef$$]__ | Defines a reference to a Secret resource that contains the Enterprise license key. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enterpriselicensesecretref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterpriselicensesecretref"] == EnterpriseLicenseSecretRef EnterpriseLicenseSecretRef configures a reference to a Secret resource that contains the Enterprise license key. @@ -641,7 +660,7 @@ EnterpriseLicenseSecretRef configures a reference to a Secret resource that cont .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enterprise[$$Enterprise$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterprise[$$Enterprise$$] [cols="25a,75a", options="header"] |=== 
@@ -651,7 +670,7 @@ EnterpriseLicenseSecretRef configures a reference to a Secret resource that cont |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-external"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-external"] == External External defines external connectivity settings in the Helm values. @@ -659,7 +678,7 @@ External defines external connectivity settings in the Helm values. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -668,15 +687,15 @@ External defines external connectivity settings in the Helm values. | *`annotations`* __object (keys:string, values:string)__ | Adds custom annotations to the external Service. + | *`domain`* __string__ | Specifies the domain to advertise to external clients. If specified, then it will be appended to the `external.addresses` values as each broker's advertised address. + | *`enabled`* __boolean__ | Specifies whether the external access is enabled. + -| *`service`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externalservice[$$ExternalService$$]__ | Configures the external Service resource. + +| *`service`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externalservice[$$ExternalService$$]__ | Configures the external Service resource. + | *`sourceRanges`* __string array__ | Source range for external access. Only applicable when `external.type` is LoadBalancer. + | *`type`* __string__ | Specifies the external Service type. Only NodePort and LoadBalancer are supported. If undefined, then advertised listeners will be configured in Redpanda, but the Helm chart will not create a Service. NodePort is recommended in cases where latency is a priority. + -| *`externalDns`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externaldns[$$ExternalDNS$$]__ | Defines externalDNS configurations. + +| *`externalDns`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externaldns[$$ExternalDNS$$]__ | Defines externalDNS configurations. + | *`prefixTemplate`* __string__ | Specifies a naming prefix template for external Services. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externaldns"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externaldns"] == ExternalDNS ExternalDNS configures externalDNS. @@ -684,7 +703,7 @@ ExternalDNS configures externalDNS. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-external[$$External$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-external[$$External$$] [cols="25a,75a", options="header"] |=== @@ -693,7 +712,7 @@ ExternalDNS configures externalDNS. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener"] == ExternalListener ExternalListener configures settings for the external listeners. 
@@ -701,10 +720,10 @@ ExternalListener configures settings for the external listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-admin[$$Admin$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-http[$$HTTP$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafka[$$Kafka$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin[$$Admin$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] [cols="25a,75a", options="header"] |=== 
@@ -712,14 +731,14 @@ ExternalListener configures settings for the external listeners. | *`enabled`* __boolean__ | | *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + | *`port`* __integer__ | Specifies the container port number for the external listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the external listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the external listener. + | *`advertisedPorts`* __integer array__ | Specifies the network port that the external Service listens on. + | *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + | *`nodePort`* __integer__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externalservice"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externalservice"] == ExternalService ExternalService allows you to enable or disable the creation of an external Service type. @@ -727,7 +746,7 @@ ExternalService allows you to enable or disable the creation of an external Serv .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-external[$$External$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-external[$$External$$] [cols="25a,75a", options="header"] |=== 
@@ -736,7 +755,7 @@ ExternalService allows you to enable or disable the creation of an external Serv |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-fsvalidator"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-fsvalidator"] == FsValidator @@ -744,7 +763,7 @@ ExternalService allows you to enable or disable the creation of an external Serv .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] [cols="25a,75a", options="header"] |=== @@ -756,7 +775,7 @@ ExternalService allows you to enable or disable the creation of an external Serv |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-http"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http"] == HTTP HTTP configures settings for the HTTP Proxy listeners. 
@@ -764,22 +783,22 @@ HTTP configures settings for the HTTP Proxy listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + | *`enabled`* __boolean__ | Specifies whether the HTTP Proxy is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + | *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + | *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + | *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. 
This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-helmupgrade"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-helmupgrade"] == HelmUpgrade HelmUpgrade configures the behavior and strategy for Helm chart upgrades. @@ -787,7 +806,7 @@ HelmUpgrade configures the behavior and strategy for Helm chart upgrades. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-chartref[$$ChartRef$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-chartref[$$ChartRef$$] [cols="25a,75a", options="header"] |=== @@ -799,7 +818,7 @@ HelmUpgrade configures the behavior and strategy for Helm chart upgrades. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainerimage"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainerimage"] == InitContainerImage InitContainerImage configures the init container image used to perform initial setup tasks before the main containers start. @@ -807,7 +826,7 @@ InitContainerImage configures the init container image used to perform initial s .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== 
@@ -817,7 +836,7 @@ InitContainerImage configures the init container image used to perform initial s |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers"] == InitContainers InitContainers configures the init container used to perform initial setup tasks before the main containers start. 
@@ -825,21 +844,21 @@ InitContainers configures the init container used to perform initial setup tasks .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`configurator`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configurator[$$Configurator$$]__ | +| *`configurator`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configurator[$$Configurator$$]__ | | *`extraInitContainers`* __string__ | -| *`setDataDirOwnership`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-setdatadirownership[$$SetDataDirOwnership$$]__ | Defines the settings related to ownership of the Redpanda data directory in environments where root access is restricted. + -| *`setTieredStorageCacheDirOwnership`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-settieredstoragecachedirownership[$$SetTieredStorageCacheDirOwnership$$]__ | Defines the settings related to ownership of the Tiered Storage cache in environments where root access is restricted. + -| *`fsValidator`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-fsvalidator[$$FsValidator$$]__ | Defines the setting for init container that not allow to start Redpanda until filesystem matches + -| *`tuning`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tuning[$$Tuning$$]__ | Defines settings for the autotuner tool in Redpanda. 
The autotuner identifies the hardware configuration in the container and optimizes the Linux kernel to give you the best performance. + +| *`setDataDirOwnership`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-setdatadirownership[$$SetDataDirOwnership$$]__ | Defines the settings related to ownership of the Redpanda data directory in environments where root access is restricted. + +| *`setTieredStorageCacheDirOwnership`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-settieredstoragecachedirownership[$$SetTieredStorageCacheDirOwnership$$]__ | Defines the settings related to ownership of the Tiered Storage cache in environments where root access is restricted. + +| *`fsValidator`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-fsvalidator[$$FsValidator$$]__ | Defines the setting for init container that not allow to start Redpanda until filesystem matches + +| *`tuning`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tuning[$$Tuning$$]__ | Defines settings for the autotuner tool in Redpanda. The autotuner identifies the hardware configuration in the container and optimizes the Linux kernel to give you the best performance. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-issuerref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-issuerref"] == IssuerRef IssuerRef configures the Issuer or ClusterIssuer resource to use to generate certificates. Requires cert-manager. See https://cert-manager.io/v1.1-docs. 
@@ -847,7 +866,7 @@ IssuerRef configures the Issuer or ClusterIssuer resource to use to generate cer .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-certificate[$$Certificate$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-certificate[$$Certificate$$] [cols="25a,75a", options="header"] |=== @@ -858,7 +877,7 @@ IssuerRef configures the Issuer or ClusterIssuer resource to use to generate cer |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafka"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka"] == Kafka Kafka configures settings for the Kafka API listeners. 
@@ -866,20 +885,20 @@ Kafka configures settings for the Kafka API listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + | *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + | *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec"] == KafkaAPISpec KafkaAPISpec configures client configuration settings for connecting to Redpanda brokers. 
@@ -887,15 +906,15 @@ KafkaAPISpec configures client configuration settings for connecting to Redpanda .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-staticconfigurationsource[$$StaticConfigurationSource$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`brokers`* __string array__ | Specifies a list of broker addresses in the format : + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + -| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-commontls[$$CommonTLS$$]__ | Defines TLS configuration settings for Redpanda clusters that have TLS enabled. + +| *`sasl`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$]__ | Defines authentication configuration settings for Redpanda clusters that have authentication enabled. + |=== 
@@ -903,7 +922,7 @@ KafkaAPISpec configures client configuration settings for connecting to Redpanda -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl"] == KafkaSASL KafkaSASL configures credentials to connect to Redpanda cluster that has authentication enabled. 
@@ -911,21 +930,21 @@ KafkaSASL configures credentials to connect to Redpanda cluster that has authent .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`username`* __string__ | Specifies the username. + -| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + -| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + -| *`oauth`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$]__ | -| *`gssapi`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$]__ | -| *`awsMskIam`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$]__ | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + +| *`mechanism`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. 
+ +| *`oauth`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$]__ | +| *`gssapi`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$]__ | +| *`awsMskIam`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslawsmskiam"] == KafkaSASLAWSMskIam KafkaSASLAWSMskIam is the config for AWS IAM SASL mechanism, 
@@ -934,14 +953,14 @@ see: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.ht .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`accessKey`* __string__ | -| *`secretKeySecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | -| *`sessionTokenSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | SessionToken, if non-empty, is a session / security token to use for authentication. + +| *`secretKeySecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +| *`sessionTokenSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | SessionToken, if non-empty, is a session / security token to use for authentication. + See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + | *`userAgent`* __string__ | UserAgent is the user agent to for the client to use when connecting + to Kafka, overriding the default "franz-go//". + @@ -953,7 +972,7 @@ https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-ke |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslgssapi"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslgssapi"] == KafkaSASLGSSAPI KafkaSASLGSSAPI represents the Kafka Kerberos config. 
@@ -961,7 +980,7 @@ KafkaSASLGSSAPI represents the Kafka Kerberos config. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] [cols="25a,75a", options="header"] |=== @@ -971,7 +990,7 @@ KafkaSASLGSSAPI represents the Kafka Kerberos config. | *`kerberosConfigPath`* __string__ | | *`serviceName`* __string__ | | *`username`* __string__ | -| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | | *`realm`* __string__ | | *`enableFast`* __boolean__ | EnableFAST enables FAST, which is a pre-authentication framework for Kerberos. + It includes a mechanism for tunneling pre-authentication exchanges using armored KDC messages. + @@ -979,7 +998,7 @@ FAST provides increased resistance to passive password guessing attacks. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasloauthbearer"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasloauthbearer"] == KafkaSASLOAuthBearer KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism 
@@ -987,16 +1006,16 @@ KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`tokenSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | +| *`tokenSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-licensesecretref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-licensesecretref"] == LicenseSecretRef LicenseSecretRef is deprecated. Use `EnterpriseLicenseSecretRef` instead. @@ -1004,7 +1023,7 @@ LicenseSecretRef is deprecated. Use `EnterpriseLicenseSecretRef` instead. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -1014,7 +1033,7 @@ LicenseSecretRef is deprecated. Use `EnterpriseLicenseSecretRef` instead. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls"] == ListenerTLS ListenerTLS configures TLS configuration for each listener in the Helm values. 
@@ -1022,12 +1041,12 @@ ListenerTLS configures TLS configuration for each listener in the Helm values. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-admin[$$Admin$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-http[$$HTTP$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafka[$$Kafka$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpc[$$RPC$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin[$$Admin$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpc[$$RPC$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] [cols="25a,75a", options="header"] |=== 
@@ -1040,12 +1059,12 @@ ListenerTLS configures TLS configuration for each listener in the Helm values. Deprecated: Setting SecretRef has no affect and will be removed in + future releases. + | *`requireClientAuth`* __boolean__ | Indicates whether client authentication (mTLS) is required. + -| *`trustStore`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-truststore[$$TrustStore$$]__ | TrustStore allows setting the `truststore_path` on this listener. If + +| *`trustStore`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-truststore[$$TrustStore$$]__ | TrustStore allows setting the `truststore_path` on this listener. If + specified, this field takes precedence over [Certificate.CAEnabled]. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners"] == Listeners Listeners configures settings for listeners, including HTTP Proxy, Schema Registry, the Admin API and the Kafka API. See https://docs.redpanda.com/current/manage/kubernetes/networking/configure-listeners/. 
@@ -1053,20 +1072,20 @@ Listeners configures settings for listeners, including HTTP Proxy, Schema Regist .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-admin[$$Admin$$]__ | Configures settings for the Admin API listeners. + -| *`http`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-http[$$HTTP$$]__ | Configures settings for the HTTP Proxy listeners. + -| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafka[$$Kafka$$]__ | Configures settings for the Kafka API listeners. + -| *`rpc`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpc[$$RPC$$]__ | Configures settings for the RPC API listener. + -| *`schemaRegistry`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$]__ | Configures settings for the Schema Registry listeners. + +| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin[$$Admin$$]__ | Configures settings for the Admin API listeners. + +| *`http`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$]__ | Configures settings for the HTTP Proxy listeners. 
+ +| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$]__ | Configures settings for the Kafka API listeners. + +| *`rpc`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpc[$$RPC$$]__ | Configures settings for the RPC API listener. + +| *`schemaRegistry`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$]__ | Configures settings for the Schema Registry listeners. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-livenessprobe"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-livenessprobe"] == LivenessProbe LivenessProbe configures liveness probes to monitor the health of the Pods and restart them if necessary. @@ -1074,8 +1093,8 @@ LivenessProbe configures liveness probes to monitor the health of the Pods and r .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== 
@@ -1088,7 +1107,7 @@ LivenessProbe configures liveness probes to monitor the health of the Pods and r |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-logging"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-logging"] == Logging Logging configures logging settings in the Helm values. See https://docs.redpanda.com/current/manage/kubernetes/troubleshooting/troubleshoot/. @@ -1096,17 +1115,17 @@ Logging configures logging settings in the Helm values. See https://docs.redpand .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`logLevel`* __string__ | Sets the verbosity level of logs. + -| *`usageStats`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usagestats[$$UsageStats$$]__ | Specifies whether to send usage statistics to Redpanda Data. + +| *`usageStats`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usagestats[$$UsageStats$$]__ | Specifies whether to send usage statistics to Redpanda Data. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-memory"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-memory"] == Memory Memory configures memory resources. 
@@ -1114,18 +1133,18 @@ Memory configures memory resources. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources[$$Resources$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resources[$$Resources$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`container`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-containerresources[$$ContainerResources$$]__ | Defines resource limits for containers. + +| *`container`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-containerresources[$$ContainerResources$$]__ | Defines resource limits for containers. + | *`enable_memory_locking`* __boolean__ | Enables memory locking. For production, set to `true`. + -| *`redpanda`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandamemory[$$RedpandaMemory$$]__ | Allows you to optionally specify the memory size for both the Redpanda process and the underlying reserved memory used by Seastar. + +| *`redpanda`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandamemory[$$RedpandaMemory$$]__ | Allows you to optionally specify the memory size for both the Redpanda process and the underlying reserved memory used by Seastar. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-metadatatemplate"] == MetadataTemplate MetadataTemplate defines additional metadata to associate with a resource. 
@@ -1133,7 +1152,7 @@ MetadataTemplate defines additional metadata to associate with a resource. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$] [cols="25a,75a", options="header"] |=== @@ -1143,7 +1162,7 @@ MetadataTemplate defines additional metadata to associate with a resource. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-migration"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-migration"] == Migration Migration can configure old Cluster and Console custom resource that will be disabled. 
@@ -1152,20 +1171,20 @@ With Migration the ChartRef and ClusterSpec still need to be correctly configure .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`enabled`* __boolean__ | -| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-vectorized-v1alpha1-namespacenameref[$$NamespaceNameRef$$]__ | ClusterRef by default will not be able to reach different namespaces, but it can be + +| *`clusterRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-vectorized-v1alpha1-namespacenameref[$$NamespaceNameRef$$]__ | ClusterRef by default will not be able to reach different namespaces, but it can be + overwritten by adding ClusterRole and ClusterRoleBinding to operator ServiceAccount. + -| *`consoleRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-vectorized-v1alpha1-namespacenameref[$$NamespaceNameRef$$]__ | ConsoleRef by default will not be able to reach different namespaces, but it can be + +| *`consoleRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-vectorized-v1alpha1-namespacenameref[$$NamespaceNameRef$$]__ | ConsoleRef by default will not be able to reach different namespaces, but it can be + overwritten by adding ClusterRole and ClusterRoleBinding to operator ServiceAccount. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-monitoring"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-monitoring"] == Monitoring Monitoring configures monitoring resources for Redpanda. 
See https://docs.redpanda.com/current/manage/kubernetes/monitoring/monitor-redpanda/. @@ -1173,7 +1192,7 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -1186,7 +1205,7 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password"] == Password Password specifies a password for the user. 
@@ -1194,17 +1213,17 @@ Password specifies a password for the user. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`value`* __string__ | -| *`valueFrom`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | +| *`valueFrom`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-passwordsource"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-passwordsource"] == PasswordSource PasswordSource contains the source for a password. @@ -1212,7 +1231,7 @@ PasswordSource contains the source for a password. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password[$$Password$$] [cols="25a,75a", options="header"] |=== @@ -1224,7 +1243,7 @@ stored based on this configuration. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-patterntype"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-patterntype"] == PatternType (string) PatternType specifies the type of pattern applied for ACL resource matching. 
@@ -1232,11 +1251,11 @@ PatternType specifies the type of pattern applied for ACL resource matching. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-persistentvolume"] == PersistentVolume PersistentVolume configures configurations for a PersistentVolumeClaim to use to store the Redpanda data directory. @@ -1244,8 +1263,8 @@ PersistentVolume configures configurations for a PersistentVolumeClaim to use to .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage[$$Storage$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tiered[$$Tiered$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-storage[$$Storage$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered[$$Tiered$$] [cols="25a,75a", options="header"] |=== @@ -1259,7 +1278,7 @@ PersistentVolume configures configurations for a PersistentVolumeClaim to use to |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podantiaffinity"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podantiaffinity"] == PodAntiAffinity PodAntiAffinity configures Pod anti-affinity rules to prevent Pods from being scheduled together on the same node. 
@@ -1267,7 +1286,7 @@ PodAntiAffinity configures Pod anti-affinity rules to prevent Pods from being sc .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -1279,7 +1298,7 @@ PodAntiAffinity configures Pod anti-affinity rules to prevent Pods from being sc |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podspec"] == PodSpec PodSpec is a subset of [corev1.PodSpec] that will be merged into the objects 
@@ -1291,17 +1310,17 @@ field. Ideally, a more generally applicable solution should be used. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`containers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-container[$$Container$$] array__ | +| *`containers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-container[$$Container$$] array__ | | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core[$$PodSecurityContext$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podtemplate"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podtemplate"] == PodTemplate PodTemplate will pass label and annotation to Statefulset Pod template. 
@@ -1309,20 +1328,20 @@ PodTemplate will pass label and annotation to Statefulset Pod template. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postinstalljob[$$PostInstallJob$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postupgradejob[$$PostUpgradeJob$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postinstalljob[$$PostInstallJob$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postupgradejob[$$PostUpgradeJob$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`labels`* __object (keys:string, values:string)__ | | *`annotations`* __object (keys:string, values:string)__ | -| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podspec[$$PodSpec$$]__ | +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podspec[$$PodSpec$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postinstalljob"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postinstalljob"] == PostInstallJob PostInstallJob configures configurations for the post-install job that run after installation of the Helm chart. 
@@ -1330,7 +1349,7 @@ PostInstallJob configures configurations for the post-install job that run after .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -1343,12 +1362,12 @@ PostInstallJob configures configurations for the post-install job that run after [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core[$$SecurityContext$$]__ | SecurityContext is deprecated. Prefer [PodTemplate.Spec.SecurityContext] + or [PodTemplate.Spec.Containers[*].SecurityContext]. + -| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + +| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + into this Job's PodTemplate. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postupgradejob"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postupgradejob"] == PostUpgradeJob PostUpgradeJob configures configurations for the post-upgrade job that run after each upgrade of the Helm chart. 
@@ -1356,7 +1375,7 @@ PostUpgradeJob configures configurations for the post-upgrade job that run after .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -1372,12 +1391,12 @@ PostUpgradeJob configures configurations for the post-upgrade job that run after [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core[$$SecurityContext$$]__ | SecurityContext is deprecated. Prefer [PodTemplate.Spec.SecurityContext] + or [PodTemplate.Spec.Containers[*].SecurityContext]. + -| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + +| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + into this Job's PodTemplate. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rbac"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rbac"] == RBAC RBAC configures role-based access control (RBAC). 
@@ -1385,7 +1404,7 @@ RBAC configures role-based access control (RBAC). .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== @@ -1395,7 +1414,7 @@ RBAC configures role-based access control (RBAC). |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpc"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpc"] == RPC RPC configures settings for the RPC API listeners. 
@@ -1403,17 +1422,17 @@ RPC configures settings for the RPC API listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpcontrollers"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpcontrollers"] == RPControllers RPControllers configures additional controllers that can be deployed as sidecars in rp helm @@ -1421,7 +1440,7 @@ RPControllers configures additional controllers that can be deployed as sidecars .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecars[$$SideCars$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecars[$$SideCars$$] [cols="25a,75a", options="header"] |=== 
@@ -1429,7 +1448,7 @@ RPControllers configures additional controllers that can be deployed as sidecars | *`enabled`* __boolean__ | Specifies whether the Controllers are enabled. + | *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core[$$SecurityContext$$]__ | -| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | +| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | | *`healthProbeAddress`* __string__ | | *`metricsAddress`* __string__ | | *`run`* __string array__ | @@ -1437,7 +1456,7 @@ RPControllers configures additional controllers that can be deployed as sidecars |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rackawareness"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rackawareness"] == RackAwareness RackAwareness configures rack awareness in the Helm values. See https://docs.redpanda.com/current/manage/kubernetes/kubernetes-rack-awareness/. @@ -1445,7 +1464,7 @@ RackAwareness configures rack awareness in the Helm values. See https://docs.red .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -1455,7 +1474,7 @@ RackAwareness configures rack awareness in the Helm values. See https://docs.red |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-readinessprobe"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-readinessprobe"] == ReadinessProbe ReadinessProbe configures readiness probes to determine when a Pod is ready to handle traffic. @@ -1463,8 +1482,8 @@ ReadinessProbe configures readiness probes to determine when a Pod is ready to h .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -1477,7 +1496,7 @@ ReadinessProbe configures readiness probes to determine when a Pod is ready to h |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpanda"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda"] == Redpanda Redpanda defines the CRD for Redpanda clusters. @@ -1485,7 +1504,7 @@ Redpanda defines the CRD for Redpanda clusters. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandalist[$$RedpandaList$$] [cols="25a,75a", options="header"] |=== 
@@ -1503,12 +1522,12 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$]__ | Defines the desired state of the Redpanda cluster. + -| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandastatus[$$RedpandaStatus$$]__ | Represents the current status of the Redpanda cluster. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$]__ | Defines the desired state of the Redpanda cluster. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandastatus[$$RedpandaStatus$$]__ | Represents the current status of the Redpanda cluster. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec"] == RedpandaClusterSpec RedpandaClusterSpec defines the desired state of a Redpanda cluster. These settings are the same as those defined in the Redpanda Helm chart. The values in these settings are passed to the Redpanda Helm chart through Flux. For all default values and links to more documentation, see https://docs.redpanda.com/current/reference/redpanda-helm-spec/. 
@@ -1518,7 +1537,7 @@ For descriptions and default values, see xref:k-redpanda-helm-spec.adoc[]. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec[$$RedpandaSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -1530,41 +1549,41 @@ For descriptions and default values, see xref:k-redpanda-helm-spec.adoc[]. | *`commonLabels`* __object (keys:string, values:string)__ | Assigns custom labels to all resources generated by the Redpanda Helm chart. Specify labels as key/value pairs. + | *`nodeSelector`* __object (keys:string, values:string)__ | Specifies on which nodes a Pod should be scheduled. These key/value pairs ensure that Pods are scheduled onto nodes with the specified labels. + | *`tolerations`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core[$$Toleration$$] array__ | Specifies tolerations to allow Pods to be scheduled onto nodes where they otherwise wouldn’t. + -| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | Defines the container image settings to use for the Redpanda cluster. + +| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | Defines the container image settings to use for the Redpanda cluster. + | *`imagePullSecrets`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#localobjectreference-v1-core[$$LocalObjectReference$$] array__ | Specifies credentials for a private image repository. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. + | *`license_key`* __string__ | Deprecated: Use `Enterprise` instead. + -| *`license_secret_ref`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-licensesecretref[$$LicenseSecretRef$$]__ | Deprecated: Use `EnterpriseLicenseSecretRef` instead. + -| *`enterprise`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enterprise[$$Enterprise$$]__ | Defines an Enterprise license. 
+ -| *`rackAwareness`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rackawareness[$$RackAwareness$$]__ | Defines rack awareness settings. + -| *`console`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$]__ | Defines Redpanda Console settings. + -| *`connectors`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$]__ | Defines Redpanda Connector settings. + -| *`auth`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auth[$$Auth$$]__ | Defines authentication settings for listeners. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tls[$$TLS$$]__ | Defines TLS settings for listeners. + -| *`external`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-external[$$External$$]__ | Defines external access settings. + -| *`logging`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-logging[$$Logging$$]__ | Defines the log level settings. + -| *`auditLogging`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auditlogging[$$AuditLogging$$]__ | Defines the log level settings. + -| *`resources`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources[$$Resources$$]__ | Defines container resource settings. + -| *`service`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-service[$$Service$$]__ | Defines settings for the headless ClusterIP Service. 
+ -| *`storage`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage[$$Storage$$]__ | Defines storage settings for the Redpanda data directory and the Tiered Storage cache. + -| *`post_install_job`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postinstalljob[$$PostInstallJob$$]__ | Defines settings for the post-install hook, which runs after each install or upgrade. For example, this job is responsible for setting the Enterprise license, if specified. + -| *`post_upgrade_job`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-postupgradejob[$$PostUpgradeJob$$]__ | Defines settings for the post-upgrade hook, which runs after each update. For example, this job is responsible for setting cluster configuration properties and restarting services such as Schema Registry, if required. + -| *`statefulset`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$]__ | Defines settings for the StatefulSet that manages Redpanda brokers. + -| *`tuning`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tuning[$$Tuning$$]__ | Defines settings for the autotuner tool in Redpanda. The autotuner identifies the hardware configuration in the container and optimizes the Linux kernel to give you the best performance. + -| *`listeners`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$]__ | Defines settings for listeners, including HTTP Proxy, Schema Registry, the Admin API and the Kafka API. 
+ -| *`config`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-config[$$Config$$]__ | Defines configuration properties supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these values from the defaults comes with some risk. Use these properties to customize various Redpanda configurations that are not available in the `RedpandaClusterSpec`. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. + -| *`rbac`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rbac[$$RBAC$$]__ | Defines Role Based Access Control (RBAC) settings. + -| *`serviceAccount`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-serviceaccount[$$ServiceAccount$$]__ | Defines Service account settings. + -| *`monitoring`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-monitoring[$$Monitoring$$]__ | Defines settings for monitoring Redpanda. + +| *`license_secret_ref`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-licensesecretref[$$LicenseSecretRef$$]__ | Deprecated: Use `EnterpriseLicenseSecretRef` instead. + +| *`enterprise`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enterprise[$$Enterprise$$]__ | Defines an Enterprise license. + +| *`rackAwareness`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rackawareness[$$RackAwareness$$]__ | Defines rack awareness settings. 
+ +| *`console`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole[$$RedpandaConsole$$]__ | Defines Redpanda Console settings. + +| *`connectors`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$]__ | Defines Redpanda Connector settings. + +| *`auth`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auth[$$Auth$$]__ | Defines authentication settings for listeners. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tls[$$TLS$$]__ | Defines TLS settings for listeners. + +| *`external`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-external[$$External$$]__ | Defines external access settings. + +| *`logging`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-logging[$$Logging$$]__ | Defines the log level settings. + +| *`auditLogging`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auditlogging[$$AuditLogging$$]__ | Defines the log level settings. + +| *`resources`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resources[$$Resources$$]__ | Defines container resource settings. + +| *`service`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-service[$$Service$$]__ | Defines settings for the headless ClusterIP Service. + +| *`storage`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-storage[$$Storage$$]__ | Defines storage settings for the Redpanda data directory and the Tiered Storage cache. 
+ +| *`post_install_job`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postinstalljob[$$PostInstallJob$$]__ | Defines settings for the post-install hook, which runs after each install or upgrade. For example, this job is responsible for setting the Enterprise license, if specified. + +| *`post_upgrade_job`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postupgradejob[$$PostUpgradeJob$$]__ | Defines settings for the post-upgrade hook, which runs after each update. For example, this job is responsible for setting cluster configuration properties and restarting services such as Schema Registry, if required. + +| *`statefulset`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$]__ | Defines settings for the StatefulSet that manages Redpanda brokers. + +| *`tuning`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tuning[$$Tuning$$]__ | Defines settings for the autotuner tool in Redpanda. The autotuner identifies the hardware configuration in the container and optimizes the Linux kernel to give you the best performance. + +| *`listeners`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$]__ | Defines settings for listeners, including HTTP Proxy, Schema Registry, the Admin API and the Kafka API. + +| *`config`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-config[$$Config$$]__ | Defines configuration properties supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these values from the defaults comes with some risk. Use these properties to customize various Redpanda configurations that are not available in the `RedpandaClusterSpec`. 
These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. + +| *`rbac`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rbac[$$RBAC$$]__ | Defines Role Based Access Control (RBAC) settings. + +| *`serviceAccount`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceaccount[$$ServiceAccount$$]__ | Defines Service account settings. + +| *`monitoring`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-monitoring[$$Monitoring$$]__ | Defines settings for monitoring Redpanda. + | *`force`* __boolean__ | Adds the `--force` flag in `helm upgrade` commands. Used for allowing a change of TLS configuration for the RPC listener. + Setting `force` to `true` will result in a short period of downtime. + | *`affinity`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#affinity-v1-core[$$Affinity$$]__ | Affinity constraints for scheduling Pods, can override this for + StatefulSets and Jobs. For details, see the [Kubernetes + documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). 
+ -| *`tests`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enablable[$$Enablable$$]__ | +| *`tests`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enablable[$$Enablable$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconnectors"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors"] == RedpandaConnectors RedpandaConnectors configures Redpanda Connectors. Redpanda Connectors is a package that includes Kafka Connect and built-in connectors, sometimes known as plugins. See https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/. 
@@ -1572,21 +1591,21 @@ RedpandaConnectors configures Redpanda Connectors. Redpanda Connectors is a pack .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`enabled`* __boolean__ | -| *`test`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-connectorscreateobj[$$ConnectorsCreateObj$$]__ | Specifies whether to create Helm tests. + -| *`monitoring`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-connectormonitoring[$$ConnectorMonitoring$$]__ | Specifies monitoring resources + +| *`test`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-connectorscreateobj[$$ConnectorsCreateObj$$]__ | Specifies whether to create Helm tests. + +| *`monitoring`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-connectormonitoring[$$ConnectorMonitoring$$]__ | Specifies monitoring resources + | *`connectors`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Connectors specified manual configurations + | *`deployment`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Connectors specified manual configurations + | *`nameOverride`* __string__ | Specifies a custom name for the Redpanda Console resources, overriding the default naming convention. + | *`fullnameOverride`* __string__ | Specifies a full custom name, which overrides the entire naming convention including release name and chart name. 
+ | *`commonLabels`* __object (keys:string, values:string)__ | Assigns custom labels to all resources generated by the Connector Helm chart. Specify labels as key/value pairs. + | *`tolerations`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core[$$Toleration$$] array__ | Applies tolerations to allow Pods to be scheduled on nodes with matching taints, enabling control over where Pods can run. + -| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | Defines the container image settings to use for the Redpanda cluster. + +| *`image`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | Defines the container image settings to use for the Redpanda cluster. + | *`imagePullSecrets`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#localobjectreference-v1-core[$$LocalObjectReference$$] array__ | Specifies credentials for a private image repository. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/. + | *`auth`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Specifies superuser credentials + | *`container`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Specifies container information + 
@@ -1597,7 +1616,7 @@ RedpandaConnectors configures Redpanda Connectors. Redpanda Connectors is a pack |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconsole"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconsole"] == RedpandaConsole RedpandaConsole configures the Redpanda Console subchart of the Redpanda Helm chart. Use these settings to configure the subchart. For more details on each setting, see the Helm values for the Redpanda Console chart: https://artifacthub.io/packages/helm/redpanda-data/console?modal=values @@ -1605,7 +1624,7 @@ RedpandaConsole configures the Redpanda Console subchart of the Redpanda Helm ch .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -1639,9 +1658,9 @@ RedpandaConsole configures the Redpanda Console subchart of the Redpanda Helm ch | *`extraContainers`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$] array__ | Adds extra containers to the Pods that run Redpanda Console. + | *`initContainers`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Specifies init containers for the Pods that run Redpanda Console. + | *`secretMounts`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$] array__ | Mounts additional Secret resources inside the containers that run Redpanda Console. + -| *`configmap`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-consolecreateobj[$$ConsoleCreateObj$$]__ | Deprecated: this field exists for storage backwards compatibility and is + +| *`configmap`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolecreateobj[$$ConsoleCreateObj$$]__ | Deprecated: this field exists for storage backwards compatibility and is + never used. Prefer ConfigMap (configmap). + -| *`configMap`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-consolecreateobj[$$ConsoleCreateObj$$]__ | Specifies whether a ConfigMap should be created for Redpanda Console. + +| *`configMap`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-consolecreateobj[$$ConsoleCreateObj$$]__ | Specifies whether a ConfigMap should be created for Redpanda Console. + | *`secret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Specifies whether a Secret should be created for Redpanda Console. 
+ | *`deployment`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Specifies whether a Deployment should be created for Redpanda Console. + | *`console`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Configures custom settings for Redpanda Console. + 
@@ -1649,13 +1668,13 @@ never used. Prefer ConfigMap (configmap). + | *`enterprise`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#rawextension-runtime-pkg[$$RawExtension$$]__ | Settings for license key, as an alternative to secret.enterprise when a + license secret is available + | *`automountServiceAccountToken`* __boolean__ | Automount API credentials for the Service Account into the pod. + -| *`readinessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-readinessprobe[$$ReadinessProbe$$]__ | Settings for console's Deployment's readiness probe. + -| *`livenessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-livenessprobe[$$LivenessProbe$$]__ | Settings for console's Deployment's liveness probe. + -| *`tests`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-enablable[$$Enablable$$]__ | Controls the creation of helm tests for console. + +| *`readinessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-readinessprobe[$$ReadinessProbe$$]__ | Settings for console's Deployment's readiness probe. + +| *`livenessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-livenessprobe[$$LivenessProbe$$]__ | Settings for console's Deployment's liveness probe. + +| *`tests`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-enablable[$$Enablable$$]__ | Controls the creation of helm tests for console. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaimage"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage"] == RedpandaImage RedpandaImage configures the Redpanda container image settings in the Helm values. @@ -1663,9 +1682,9 @@ RedpandaImage configures the Redpanda container image settings in the Helm value .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaconnectors[$$RedpandaConnectors$$] [cols="25a,75a", options="header"] |=== @@ -1676,7 +1695,7 @@ RedpandaImage configures the Redpanda container image settings in the Helm value |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandalist"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandalist"] == RedpandaList RedpandaList contains a list of Redpanda objects. 
@@ -1701,11 +1720,11 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] array__ | Specifies a list of Redpanda resources. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] array__ | Specifies a list of Redpanda resources. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandamemory"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandamemory"] == RedpandaMemory RedpandaMemory allows you to optionally specify the memory size for both the Redpanda process and the underlying reserved memory used by Seastar. This section is omitted by default, and memory sizes are calculated automatically based on container memory. Configuring this section and setting `memory` and `reserveMemory` values will disable automatic calculation. @@ -1719,7 +1738,7 @@ If you are setting the following values manually, keep in mind the following gui .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-memory[$$Memory$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-memory[$$Memory$$] [cols="25a,75a", options="header"] |=== 
@@ -1729,7 +1748,7 @@ If you are setting the following values manually, keep in mind the following gui |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaspec"] == RedpandaSpec RedpandaSpec defines the desired state of the Redpanda cluster. 
@@ -1737,20 +1756,18 @@ RedpandaSpec defines the desired state of the Redpanda cluster. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`chartRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-chartref[$$ChartRef$$]__ | Defines chart details, including the version and repository. + -| *`clusterSpec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$]__ | Defines the Helm values to use to deploy the cluster. + -| *`migration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-migration[$$Migration$$]__ | Migration flag that adjust Kubernetes core resources with annotation and labels, so + -flux controller can import resources. + -Doc: https://docs.redpanda.com/current/upgrade/migrate/kubernetes/operator/ + +| *`chartRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-chartref[$$ChartRef$$]__ | Defines chart details, including the version and repository. + +| *`clusterSpec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$]__ | Defines the Helm values to use to deploy the cluster. + +| *`migration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-migration[$$Migration$$]__ | Deprecated and Removed in v2.2.3-24.2.X. 
Downgrade to v2.2.2-24.2.4 perform the migration + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandastatus"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandastatus"] == RedpandaStatus RedpandaStatus defines the observed state of Redpanda @@ -1758,7 +1775,7 @@ RedpandaStatus defines the observed state of Redpanda .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] [cols="25a,75a", options="header"] |=== @@ -1785,7 +1802,7 @@ decommissioned from the cluster and provides its ordinal number. + -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetemplate"] == ResourceTemplate ResourceTemplate specifies additional configuration for a resource. 
@@ -1793,17 +1810,17 @@ ResourceTemplate specifies additional configuration for a resource. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`metadata`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-metadatatemplate[$$MetadataTemplate$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. +| *`metadata`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-metadatatemplate[$$MetadataTemplate$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetype"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetype"] == ResourceType (string) ResourceType specifies the type of resource an ACL is applied to. 
@@ -1811,11 +1828,11 @@ ResourceType specifies the type of resource an ACL is applied to. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resources"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resources"] == Resources Resources configures resource allocation. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. 
@@ -1823,17 +1840,17 @@ Resources configures resource allocation. The default values are for a developme .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`cpu`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-cpu[$$CPU$$]__ | Specifies the number of CPU cores. + -| *`memory`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-memory[$$Memory$$]__ | Specifies the amount of memory. + +| *`cpu`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-cpu[$$CPU$$]__ | Specifies the number of CPU cores. + +| *`memory`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-memory[$$Memory$$]__ | Specifies the amount of memory. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl"] == SASL SASL configures SASL authentication in the Helm values. @@ -1841,7 +1858,7 @@ SASL configures SASL authentication in the Helm values. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-auth[$$Auth$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-auth[$$Auth$$] [cols="25a,75a", options="header"] |=== 
@@ -1849,12 +1866,12 @@ SASL configures SASL authentication in the Helm values. | *`enabled`* __boolean__ | Enables SASL authentication. If you enable SASL authentication, you must provide a Secret name in `secretRef`. + | *`mechanism`* __string__ | Specifies the default authentication mechanism to use for superusers. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`secretRef`* __string__ | If `users` is empty, `secretRef` specifies the name of the Secret that contains your superuser credentials in the format ::. Otherwise, `secretRef` specifies the name of the Secret that the chart creates to store the credentials in `users`. + -| *`users`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems[$$UsersItems$$] array__ | Specifies a list of superuser credentials. + -| *`bootstrapUser`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-bootstrapuser[$$BootstrapUser$$]__ | Specifies configuration about the bootstrap user. + +| *`users`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usersitems[$$UsersItems$$] array__ | Specifies a list of superuser credentials. + +| *`bootstrapUser`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-bootstrapuser[$$BootstrapUser$$]__ | Specifies configuration about the bootstrap user. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism"] == SASLMechanism (string) SASLMechanism specifies a SASL auth mechanism. 
@@ -1862,13 +1879,13 @@ SASLMechanism specifies a SASL auth mechanism. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$] -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-schemaregistry"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry"] == SchemaRegistry SchemaRegistry configures settings for the Schema Registry listeners. 
@@ -1876,21 +1893,21 @@ SchemaRegistry configures settings for the Schema Registry listeners. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listeners[$$Listeners$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listeners[$$Listeners$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + | *`enabled`* __boolean__ | Specifies whether the Schema Registry is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + | *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + | *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`tls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretkeyref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref"] == SecretKeyRef SecretKeyRef contains enough information to inspect or modify the referred Secret data 
@@ -1899,12 +1916,12 @@ See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$] [cols="25a,75a", options="header"] |=== 
@@ -1915,7 +1932,7 @@ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/nam |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretref"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretref"] == SecretRef SecretRef configures the Secret resource that contains existing TLS certificates. @@ -1923,7 +1940,7 @@ SecretRef configures the Secret resource that contains existing TLS certificates .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-certificate[$$Certificate$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-certificate[$$Certificate$$] [cols="25a,75a", options="header"] |=== @@ -1932,7 +1949,7 @@ SecretRef configures the Secret resource that contains existing TLS certificates |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-secretwithconfigfield"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretwithconfigfield"] == SecretWithConfigField @@ -1940,7 +1957,7 @@ SecretRef configures the Secret resource that contains existing TLS certificates .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-credentialsecretref[$$CredentialSecretRef$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-credentialsecretref[$$CredentialSecretRef$$] [cols="25a,75a", options="header"] |=== 
@@ -1951,7 +1968,7 @@ SecretRef configures the Secret resource that contains existing TLS certificates |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-service"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-service"] == Service @@ -1959,17 +1976,17 @@ SecretRef configures the Secret resource that contains existing TLS certificates .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`name`* __string__ | -| *`internal`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-serviceinternal[$$ServiceInternal$$]__ | +| *`internal`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceinternal[$$ServiceInternal$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-serviceaccount"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceaccount"] == ServiceAccount ServiceAccount configures Service Accounts. @@ -1977,7 +1994,7 @@ ServiceAccount configures Service Accounts. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -1988,7 +2005,7 @@ ServiceAccount configures Service Accounts. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-serviceinternal"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-serviceinternal"] == ServiceInternal @@ -1996,7 +2013,7 @@ ServiceAccount configures Service Accounts. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-service[$$Service$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-service[$$Service$$] [cols="25a,75a", options="header"] |=== @@ -2005,7 +2022,7 @@ ServiceAccount configures Service Accounts. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-setdatadirownership"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-setdatadirownership"] == SetDataDirOwnership SetDataDirOwnership defines the settings related to ownership of the Redpanda data directory in environments where root access is restricted. @@ -2013,7 +2030,7 @@ SetDataDirOwnership defines the settings related to ownership of the Redpanda da .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] [cols="25a,75a", options="header"] |=== 
@@ -2024,7 +2041,7 @@ SetDataDirOwnership defines the settings related to ownership of the Redpanda da |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-settieredstoragecachedirownership"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-settieredstoragecachedirownership"] == SetTieredStorageCacheDirOwnership SetTieredStorageCacheDirOwnership configures the settings related to ownership of the Tiered Storage cache in environments where root access is restricted. @@ -2032,7 +2049,7 @@ SetTieredStorageCacheDirOwnership configures the settings related to ownership o .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] [cols="25a,75a", options="header"] |=== @@ -2042,7 +2059,7 @@ SetTieredStorageCacheDirOwnership configures the settings related to ownership o |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecarobj"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecarobj"] == SideCarObj SideCarObj represents a generic sidecar object. This is a placeholder for now. @@ -2050,7 +2067,7 @@ SideCarObj represents a generic sidecar object. This is a placeholder for now. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecars[$$SideCars$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecars[$$SideCars$$] [cols="25a,75a", options="header"] |=== 
@@ -2061,7 +2078,7 @@ SideCarObj represents a generic sidecar object. This is a placeholder for now. |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecars"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecars"] == SideCars SideCars configures the additional sidecar containers that run alongside the main Redpanda container in the Pod. 
@@ -2069,18 +2086,18 @@ SideCars configures the additional sidecar containers that run alongside the mai .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`configWatcher`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configwatcher[$$ConfigWatcher$$]__ | Configures the `config-watcher` sidecar. The `config-watcher` sidecar polls the Secret resource in `auth.sasl.secretRef` for changes and triggers a rolling upgrade to add the new superusers to the Redpanda cluster. + -| *`rpkStatus`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecarobj[$$SideCarObj$$]__ | -| *`controllers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$]__ | +| *`configWatcher`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configwatcher[$$ConfigWatcher$$]__ | Configures the `config-watcher` sidecar. The `config-watcher` sidecar polls the Secret resource in `auth.sasl.secretRef` for changes and triggers a rolling upgrade to add the new superusers to the Redpanda cluster. 
+ +| *`rpkStatus`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecarobj[$$SideCarObj$$]__ | +| *`controllers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$]__ | |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-startupprobe"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-startupprobe"] == StartupProbe StartupProbe configures the startup probe to determine when the Redpanda application within the Pod has started successfully. @@ -2088,7 +2105,7 @@ StartupProbe configures the startup probe to determine when the Redpanda applica .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -2101,7 +2118,7 @@ StartupProbe configures the startup probe to determine when the Redpanda applica |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset"] == Statefulset Statefulset defines configurations for the StatefulSet in Helm values. 
@@ -2109,7 +2126,7 @@ Statefulset defines configurations for the StatefulSet in Helm values. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -2118,32 +2135,32 @@ Statefulset defines configurations for the StatefulSet in Helm values. | *`additionalRedpandaCmdFlags`* __string array__ | Includes additional command flags for Redpanda at startup to customize its runtime behavior. + | *`annotations`* __object (keys:string, values:string)__ | Adds annotations to the StatefulSet to provide additional information or metadata. + Please use PodTemplate to add additional annotation or labels for Pods managed by Statefulset. + -| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + +| *`podTemplate`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podtemplate[$$PodTemplate$$]__ | PodTemplate is a subset of Kubernetes' PodTemplate that will be merged + into this StatefulSet's PodTemplate. + -| *`budget`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-budget[$$Budget$$]__ | Defines the management of disruptions affecting the Pods in the StatefulSet. + +| *`budget`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-budget[$$Budget$$]__ | Defines the management of disruptions affecting the Pods in the StatefulSet. + | *`extraVolumeMounts`* __string__ | Specifies extra volume mounts for the Pods. + | *`extraVolumes`* __string__ | Defines additional volumes for the Pods. + -| *`initContainerImage`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainerimage[$$InitContainerImage$$]__ | Defines the init container image used to perform initial setup tasks before the main containers start. 
+ -| *`initContainers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$]__ | Configures the init container used to perform initial setup tasks before the main containers start. + -| *`livenessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-livenessprobe[$$LivenessProbe$$]__ | Defines liveness probes to monitor the health of the Pods and restart them if necessary. + +| *`initContainerImage`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainerimage[$$InitContainerImage$$]__ | Defines the init container image used to perform initial setup tasks before the main containers start. + +| *`initContainers`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$]__ | Configures the init container used to perform initial setup tasks before the main containers start. + +| *`livenessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-livenessprobe[$$LivenessProbe$$]__ | Defines liveness probes to monitor the health of the Pods and restart them if necessary. + | *`nodeSelector`* __object (keys:string, values:string)__ | Applies node selectors to schedule Pods on specific nodes based on labels. + | *`podAffinity`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podaffinity-v1-core[$$PodAffinity$$]__ | Defines Pod affinity rules to influence the scheduling and placement of Pods relative to other Pods. + -| *`podAntiAffinity`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-podantiaffinity[$$PodAntiAffinity$$]__ | Defines Pod anti-affinity rules to prevent Pods from being scheduled together on the same node. 
+ +| *`podAntiAffinity`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-podantiaffinity[$$PodAntiAffinity$$]__ | Defines Pod anti-affinity rules to prevent Pods from being scheduled together on the same node. + | *`priorityClassName`* __string__ | Defines the priority class name to assign priority levels to the Pods, influencing their scheduling order. + -| *`readinessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-readinessprobe[$$ReadinessProbe$$]__ | Defines readiness probes to determine when a Pod is ready to handle traffic. + +| *`readinessProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-readinessprobe[$$ReadinessProbe$$]__ | Defines readiness probes to determine when a Pod is ready to handle traffic. + | *`replicas`* __integer__ | Specifies the number of replicas to determine the desired number of Pods (Redpanda brokers) in the StatefulSet. + | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core[$$SecurityContext$$]__ | Sets a security context for the Pods to define privilege and access control settings. + -| *`sideCars`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sidecars[$$SideCars$$]__ | Defines the additional sidecar containers that run alongside the main Redpanda container in the Pod. + +| *`sideCars`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecars[$$SideCars$$]__ | Defines the additional sidecar containers that run alongside the main Redpanda container in the Pod. + | *`skipChown`* __boolean__ | Specifies whether to skip the changing of file ownership (chown) during Pod initialization. 
+ -| *`startupProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-startupprobe[$$StartupProbe$$]__ | Configures the startup probe to determine when the Redpanda application within the Pod has started successfully. + +| *`startupProbe`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-startupprobe[$$StartupProbe$$]__ | Configures the startup probe to determine when the Redpanda application within the Pod has started successfully. + | *`tolerations`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core[$$Toleration$$] array__ | Applies tolerations to allow Pods to be scheduled on nodes with matching taints, enabling control over where Pods can run. + -| *`topologySpreadConstraints`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topologyspreadconstraints[$$TopologySpreadConstraints$$] array__ | Defines topology spread constraints to control how Pods are spread across different topology domains. + -| *`updateStrategy`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-updatestrategy[$$UpdateStrategy$$]__ | Defines the update strategy for the StatefulSet to manage how updates are rolled out to the Pods. + +| *`topologySpreadConstraints`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topologyspreadconstraints[$$TopologySpreadConstraints$$] array__ | Defines topology spread constraints to control how Pods are spread across different topology domains. + +| *`updateStrategy`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-updatestrategy[$$UpdateStrategy$$]__ | Defines the update strategy for the StatefulSet to manage how updates are rolled out to the Pods. 
+ | *`terminationGracePeriodSeconds`* __integer__ | Specifies the termination grace period in seconds to control the time delay before forcefully terminating a Pod. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-staticconfigurationsource"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-staticconfigurationsource"] == StaticConfigurationSource StaticConfigurationSource configures connections to a Redpanda cluster via hard-coded 
@@ -2152,19 +2169,19 @@ connection strings and manually configured TLS and authentication parameters. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Kafka is the configuration information for communicating with the Kafka + +| *`kafka`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Kafka is the configuration information for communicating with the Kafka + API of a Redpanda cluster where the object should be created. + -| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$]__ | AdminAPISpec is the configuration information for communicating with the Admin + +| *`admin`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminapispec[$$AdminAPISpec$$]__ | AdminAPISpec is the configuration information for communicating with the Admin + API of a Redpanda cluster where the object should be created. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-storage"] == Storage Storage configures storage-related settings in the Helm values. See https://docs.redpanda.com/current/manage/kubernetes/storage/. 
@@ -2172,18 +2189,18 @@ Storage configures storage-related settings in the Helm values. See https://docs .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`hostPath`* __string__ | Specifies the absolute path on the worker node to store the Redpanda data directory. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + -| *`persistentVolume`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume[$$PersistentVolume$$]__ | Configures a PersistentVolumeClaim (PVC) template to create for each Pod. This PVC is used to store the Redpanda data directory. + -| *`tiered`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tiered[$$Tiered$$]__ | Configures storage for the Tiered Storage cache. + +| *`persistentVolume`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-persistentvolume[$$PersistentVolume$$]__ | Configures a PersistentVolumeClaim (PVC) template to create for each Pod. This PVC is used to store the Redpanda data directory. + +| *`tiered`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered[$$Tiered$$]__ | Configures storage for the Tiered Storage cache. 
+ |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tls"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tls"] == TLS TLS configures TLS in the Helm values. See https://docs.redpanda.com/current/manage/kubernetes/security/tls/. 
@@ -2191,17 +2208,17 @@ TLS configures TLS in the Helm values. See https://docs.redpanda.com/current/man .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`certs`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-certificate[$$Certificate$$])__ | Lists all available certificates in the cluster. You can reference a specific certificate’s name in each listener’s `listeners..tls.cert` setting. + +| *`certs`* __object (keys:string, values:xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-certificate[$$Certificate$$])__ | Lists all available certificates in the cluster. You can reference a specific certificate’s name in each listener’s `listeners..tls.cert` setting. + | *`enabled`* __boolean__ | Enables TLS globally for all listeners. Each listener must include a certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, certificates are always loaded, even if TLS is disabled. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tiered"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered"] == Tiered Tiered configures storage for the Tiered Storage cache. See https://docs.redpanda.com/current/manage/kubernetes/tiered-storage-kubernetes/. 
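Review bot: In the `certs` row of the TLS table, the setting path reads `listeners..tls.cert` with an empty segment between the two dots, and the `enabled` row below it refers to a bare `.tls` object. The added line rewrites the row for the new xref path but carries the broken path over unchanged. It looks like a placeholder for the listener was lost in rendering, so a reader cannot tell which key to set. Since the row is being touched anyway, restore the placeholder in a form AsciiDoc will not swallow (escaped or in a passthrough). If this table is generated, fix it at the source so it survives regeneration.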
@@ -2209,7 +2226,7 @@ Tiered configures storage for the Tiered Storage cache. See https://docs.redpand .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-storage[$$Storage$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-storage[$$Storage$$] [cols="25a,75a", options="header"] |=== 
@@ -2222,13 +2239,13 @@ Tiered configures storage for the Tiered Storage cache. See https://docs.redpand - `emptyDir`: Mounts an empty directory every time the Pod starts. + - `persistentVolume`: Creates and mounts a PersistentVolumeClaim using the template defined in `persistentVolume`. + | *`hostPath`* __string__ | Specifies the absolute path on the worker node to store the Tiered Storage cache. + -| *`persistentVolume`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-persistentvolume[$$PersistentVolume$$]__ | Configures a PersistentVolumeClaim (PVC) template to create for each Pod. This PVC is used to store the Tiered Storage cache. + -| *`config`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tieredconfig[$$TieredConfig$$]__ | Configures Tiered Storage, which requires an Enterprise license configured in `enterprise.licenseKey` or `enterprised.licenseSecretRef`. + -| *`credentialsSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-credentialsecretref[$$CredentialSecretRef$$]__ | CredentialSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from referenced Kubernetes Secret + +| *`persistentVolume`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-persistentvolume[$$PersistentVolume$$]__ | Configures a PersistentVolumeClaim (PVC) template to create for each Pod. This PVC is used to store the Tiered Storage cache. + +| *`config`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tieredconfig[$$TieredConfig$$]__ | Configures Tiered Storage, which requires an Enterprise license configured in `enterprise.licenseKey` or `enterprised.licenseSecretRef`. 
+ +| *`credentialsSecretRef`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-credentialsecretref[$$CredentialSecretRef$$]__ | CredentialSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from referenced Kubernetes Secret + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tieredconfig"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tieredconfig"] == TieredConfig TieredConfig configures Tiered Storage, which requires an Enterprise license configured in `enterprise.licenseKey` or `enterprise.licenseSecretRef`.TieredConfig is a top-level field of the Helm values. 
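Review bot: The `config` row of the Tiered table still says `enterprised.licenseSecretRef` on the added line, while the TieredConfig description in the trailing context of the same hunk says `enterprise.licenseSecretRef`. The two spellings cannot both be right, and a reader copying the key from the `config` row gets a different key than the one named in the TieredConfig section. Please make them match, and add the missing space in "`enterprise.licenseSecretRef`.TieredConfig is a top-level field" while there.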
@@ -2236,12 +2253,12 @@ TieredConfig configures Tiered Storage, which requires an Enterprise license con .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tiered[$$Tiered$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered[$$Tiered$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`cloud_storage_enabled`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-apiutil-jsonboolean[$$JSONBoolean$$]__ | Enables Tiered Storage, if a license key is provided. See https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled. + +| *`cloud_storage_enabled`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-apiutil-jsonboolean[$$JSONBoolean$$]__ | Enables Tiered Storage, if a license key is provided. See https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled. + | *`cloud_storage_api_endpoint`* __string__ | See https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint. + | *`cloud_storage_api_endpoint_port`* __integer__ | See https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_api_endpoint_port. + | *`cloud_storage_bucket`* __string__ | See https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_bucket. + @@ -2275,7 +2292,7 @@ TieredConfig configures Tiered Storage, which requires an Enterprise license con |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic"] == Topic Topic defines the CRD for Topic resources. See https://docs.redpanda.com/current/manage/kubernetes/manage-topics/. 
@@ -2283,7 +2300,7 @@ Topic defines the CRD for Topic resources. See https://docs.redpanda.com/current .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist[$$TopicList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topiclist[$$TopicList$$] [cols="25a,75a", options="header"] |=== @@ -2301,12 +2318,12 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$]__ | Defines the desired state of the Topic resource. + -| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicstatus[$$TopicStatus$$]__ | Represents the current status of the Topic resource. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$]__ | Defines the desired state of the Topic resource. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicstatus[$$TopicStatus$$]__ | Represents the current status of the Topic resource. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topiclist"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topiclist"] == TopicList TopicList contains a list of Topic objects. 
@@ -2331,11 +2348,11 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] array__ | Specifies a list of Topic resources. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] array__ | Specifies a list of Topic resources. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec"] == TopicSpec TopicSpec defines the desired state of the topic. See https://docs.redpanda.com/current/manage/kubernetes/manage-topics/. @@ -2343,7 +2360,7 @@ TopicSpec defines the desired state of the topic. See https://docs.redpanda.com/ .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] [cols="25a,75a", options="header"] |=== 
@@ -2367,7 +2384,11 @@ Examples: + `redpanda.remote.read=true` + `redpanda.remote.recovery=true` + `redpanda.remote.delete=true` + -| *`kafkaApiSpec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Defines client configuration for connecting to Redpanda brokers. + +| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + +It is used in constructing the client created to configure a cluster. + +| *`kafkaApiSpec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[$$KafkaAPISpec$$]__ | Defines client configuration for connecting to Redpanda brokers. + +Deprecated: Use cluster.staticConfiguration.kafkaApiSpec if explicit connection + +configuration is required. Otherwise, prefer cluster.clusterRef. + | *`metricsNamespace`* __string__ | Overwrites the fully-qualified + name of the metric. This should be easier to identify if + multiple operator instances runs inside the same Kubernetes cluster. + @@ -2377,7 +2398,7 @@ Default is 3 seconds. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicstatus"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicstatus"] == TopicStatus TopicStatus defines the observed state of the Topic resource. 
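Review bot: In the TopicSpec hunk (@@ -2367,7 +2384,11 @@), the new `cluster` row describes the field as "a reference to the cluster where the user should be created", which is the UserSpec wording; for a Topic it should say where the topic is created. The deprecation text added to `kafkaApiSpec` also points readers to `cluster.staticConfiguration.kafkaApiSpec`, but the StaticConfigurationSource table earlier in this file lists that field as `kafka`, so the suggested replacement path does not match the documented field name. Suggest correcting both descriptions at their source so the two tables agree.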
@@ -2385,18 +2406,18 @@ TopicStatus defines the observed state of the Topic resource. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[$$Topic$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] [cols="25a,75a", options="header"] |=== | Field | Description | *`observedGeneration`* __integer__ | ObservedGeneration is the last observed generation of the Topic. + | *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Topic. + -| *`topicConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-configuration[$$Configuration$$] array__ | TopicConfiguration is the last snapshot of the topic configuration during successful reconciliation. + +| *`topicConfiguration`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configuration[$$Configuration$$] array__ | TopicConfiguration is the last snapshot of the topic configuration during successful reconciliation. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topologyspreadconstraints"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topologyspreadconstraints"] == TopologySpreadConstraints TopologySpreadConstraints configures topology spread constraints to control how Pods are spread across different topology domains. 
@@ -2404,7 +2425,7 @@ TopologySpreadConstraints configures topology spread constraints to control how .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -2417,7 +2438,7 @@ TopologySpreadConstraints configures topology spread constraints to control how -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-tuning"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tuning"] == Tuning Tuning configures settings for the autotuner tool in Redpanda. The autotuner identifies the hardware configuration in the container and optimizes the Linux kernel to give you the best performance. @@ -2425,8 +2446,8 @@ Tuning configures settings for the autotuner tool in Redpanda. The autotuner ide .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-initcontainers[$$InitContainers$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[$$RedpandaClusterSpec$$] [cols="25a,75a", options="header"] |=== 
@@ -2442,7 +2463,7 @@ Tuning configures settings for the autotuner tool in Redpanda. The autotuner ide |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-updatestrategy"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-updatestrategy"] == UpdateStrategy UpdateStrategy configures the update strategy for the StatefulSet to manage how updates are rolled out to the Pods. @@ -2450,7 +2471,7 @@ UpdateStrategy configures the update strategy for the StatefulSet to manage how .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-statefulset[$$Statefulset$$] [cols="25a,75a", options="header"] |=== @@ -2459,7 +2480,7 @@ UpdateStrategy configures the update strategy for the StatefulSet to manage how |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usagestats"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usagestats"] == UsageStats UsageStats configures the reporting of usage statistics. Redpanda Data uses these metrics to learn how the software is used, which can guide future improvements. @@ -2467,7 +2488,7 @@ UsageStats configures the reporting of usage statistics. Redpanda Data uses thes .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-logging[$$Logging$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-logging[$$Logging$$] [cols="25a,75a", options="header"] |=== 
@@ -2480,7 +2501,7 @@ and will be removed in a future version. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user"] == User User defines the CRD for a Redpanda user. @@ -2488,7 +2509,7 @@ User defines the CRD for a Redpanda user. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist[$$UserList$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist[$$UserList$$] [cols="25a,75a", options="header"] |=== 
@@ -2506,12 +2527,12 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$]__ | Defines the desired state of the Redpanda user. + -| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus[$$UserStatus$$]__ | Represents the current status of the Redpanda user. + +| *`spec`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$]__ | Defines the desired state of the Redpanda user. + +| *`status`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userstatus[$$UserStatus$$]__ | Represents the current status of the Redpanda user. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec"] == UserAuthenticationSpec UserAuthenticationSpec defines the authentication mechanism enabled for this Redpanda user. 
@@ -2519,17 +2540,17 @@ UserAuthenticationSpec defines the authentication mechanism enabled for this Red .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | -| *`password`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-password[$$Password$$]__ | Password specifies where a password is read from. + +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | +| *`password`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password[$$Password$$]__ | Password specifies where a password is read from. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec"] == UserAuthorizationSpec UserAuthorizationSpec defines authorization rules for this user. 
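Review bot: The `type` row in UserAuthenticationSpec has an empty description cell, so the reference never says which SASL mechanisms are accepted or what applies when the field is omitted; the AuthorizationType `type` row in the next hunk has the same gap. This change already rewrites both rows for the new xref path, so it is a good moment to add one sentence to each listing the allowed values and the default.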
@@ -2537,17 +2558,17 @@ UserAuthorizationSpec defines authorization rules for this user. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-authorizationtype[$$AuthorizationType$$]__ | -| *`acls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this user. + +| *`type`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-authorizationtype[$$AuthorizationType$$]__ | +| *`acls`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this user. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userlist"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist"] == UserList UserList contains a list of Redpanda user objects. 
@@ -2572,11 +2593,11 @@ may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. -| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] array__ | Specifies a list of Redpanda user resources. + +| *`items`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] array__ | Specifies a list of Redpanda user resources. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec"] == UserSpec UserSpec defines the configuration of a Redpanda user. 
@@ -2584,22 +2605,22 @@ UserSpec defines the configuration of a Redpanda user. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + +| *`cluster`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the user should be created. + It is used in constructing the client created to configure a cluster. + -| *`authentication`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$]__ | Authentication defines the authentication information for a user. If no + +| *`authentication`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthenticationspec[$$UserAuthenticationSpec$$]__ | Authentication defines the authentication information for a user. If no + Authentication credentials are specified, then no user will be created. + This is useful when wanting to manage ACLs for an already-existing user. + -| *`authorization`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$]__ | Authorization rules defined for this user. 
+ -| *`template`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$]__ | Template to specify how user secrets are generated. + +| *`authorization`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$]__ | Authorization rules defined for this user. + +| *`template`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usertemplatespec[$$UserTemplateSpec$$]__ | Template to specify how user secrets are generated. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userstatus"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userstatus"] == UserStatus UserStatus defines the observed state of a Redpanda user @@ -2607,7 +2628,7 @@ UserStatus defines the observed state of a Redpanda user .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-user[$$User$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] [cols="25a,75a", options="header"] |=== @@ -2621,7 +2642,7 @@ to be cleaned up. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usertemplatespec"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usertemplatespec"] == UserTemplateSpec UserTemplateSpec defines the template metadata (labels and annotations) 
@@ -2630,16 +2651,16 @@ for any subresources, such as Secrets, created by a User object. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-userspec[$$UserSpec$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] [cols="25a,75a", options="header"] |=== | Field | Description -| *`secret`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$]__ | Specifies how the Secret with a user password is generated. + +| *`secret`* __xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetemplate[$$ResourceTemplate$$]__ | Specifies how the Secret with a user password is generated. + |=== -[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-usersitems"] +[id="{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-usersitems"] == UsersItems UsersItems configures a list of superusers in the Helm values. @@ -2647,7 +2668,7 @@ UsersItems configures a list of superusers in the Helm values. .Appears in: -- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-sasl[$$SASL$$] +- xref:{anchor_prefix}-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl[$$SASL$$] [cols="25a,75a", options="header"] |=== 
@@ -2655,4 +2676,6 @@ UsersItems configures a list of superusers in the Helm values. | *`mechanism`* __string__ | Specifies the authentication mechanism to use for superusers. Overrides the default in `SASL`. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + | *`name`* __string__ | Specifies the name of the superuser. + | *`password`* __string__ | Specifies the superuser password. + -|=== \ No newline at end of file +|=== + + diff --git a/modules/upgrade/pages/migrate/kubernetes/strimzi.adoc b/modules/upgrade/pages/migrate/kubernetes/strimzi.adoc index 6037a8618..0020703b1 100644 --- a/modules/upgrade/pages/migrate/kubernetes/strimzi.adoc +++ b/modules/upgrade/pages/migrate/kubernetes/strimzi.adoc 
@@ -322,7 +322,7 @@ The Redpanda Operator does not support a custom resource for MirrorMaker2. Redpa The Redpanda Operator does not have an equivalent for KafkaNodePool resources in Strimzi. The Redpanda Helm chart allows you to deploy only homogenous broker configuration in a single Redpanda cluster, unlike the heterogeneous configurations available in KafkaNodePools. -Brokers in Redpanda are uniformly configured according to the specifications in xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha1-redpandaclusterspec[`RedpandaClusterSpec`]. Given this difference, you must adapt your Kafka setup to a unified broker configuration model by standardizing the broker settings that were previously varied across different KafkaNodePool resources. +Brokers in Redpanda are uniformly configured according to the specifications in xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaclusterspec[`RedpandaClusterSpec`]. Given this difference, you must adapt your Kafka setup to a unified broker configuration model by standardizing the broker settings that were previously varied across different KafkaNodePool resources. === Adjust monitoring and alerting From adeb512b61984f302b4b62b1a323c14679bc0037 Mon Sep 17 00:00:00 2001 From: Jake Cahill <45230295+JakeSCahill@users.noreply.github.com> Date: Tue, 22 Oct 2024 19:01:49 +0100 Subject: [PATCH 44/46] Apply suggestions from code review Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- .../security/authentication/k-user-controller.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 5a9455bed..463c712df 100644 
--- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -26,7 +26,7 @@ Each User instance is responsible for managing both the user credentials (authen [[no-acl]] === Create a new user without any ACLs -- *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option If you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. +- *Use case*: You want to create and manage user credentials (authentication) without managing ACLs. Use this option if you have a separate process to manage ACLs or if you're working in an environment where access control is handled externally. - *What happens when deleted*: The user is deleted, but ACLs for that user will remain in the cluster. This example shows how to manage the creation and authentication of a user without configuring ACLs. @@ -54,7 +54,7 @@ include::manage:example$kubernetes/user-crds.feature[tags=manage-authz-only-mani ---- [[both]] -=== Create a new user and its ACLs +=== Create a new user and assign ACLs - *Use case*: You want to manage both user credentials and ACLs within the same resource. - *What happens when deleted*: Both the user and the associated ACLs are removed. @@ -91,7 +91,7 @@ spec: operations: [Read,Write] ---- -== Configuration advice +== Configuration best practices The following sections provide guidance on setting up user authentication, managing secrets, and defining ACLs within your Kubernetes environment. These recommendations ensure proper user management while minimizing manual interventions and preventing potential security issues. By following these best practices, you can ensure that user access and permissions are correctly configured and maintained across your Redpanda cluster. 
@@ -155,7 +155,7 @@ spec: key: password ---- -This example assumes that a Kubernetes Secret named `user-secret` with a key `password` exists. If the Secret does not exist or the key is missing, the Redpanda Operator will handle it by creating or updating the Secret with an autogenerated password. The autogenerated password will follow best practices for secure password generation. +This example is based on the assumption that a Kubernetes Secret named `user-secret` with a key `password` exists. If the Secret does not exist or the key is missing, the Redpanda Operator will handle it by creating or updating the Secret with an autogenerated password. The autogenerated password will follow best practices for secure password generation. If you need to create a Secret, you can use the following command as an example: From 99428524cd9f819e3004e49b77718450a4d2ab9e Mon Sep 17 00:00:00 2001 From: Jake Cahill <45230295+JakeSCahill@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:21:45 +0100 Subject: [PATCH 45/46] Apply suggestions from code review --- .../security/authentication/k-user-controller.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 463c712df..f4e956c23 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -3,7 +3,7 @@ :page-categories: Management, Development :env-kubernetes: true -With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. +With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. == Prerequisites @@ -269,5 +269,6 @@ Deleting a User resource will have different impacts depending on how it is conf == Suggested reading -* xref:reference:k-crd.adoc[] +* xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User resource] +* xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist[UserList resource] * xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file From 9e120c6ac3f3c15493aae219657e4fe11ba09972 Mon Sep 17 00:00:00 2001 From: Jake Cahill <45230295+JakeSCahill@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:33:01 +0100 Subject: [PATCH 46/46] Apply suggestions from code review --- .../security/authentication/k-user-controller.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index f4e956c23..6b1b6c98a 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc @@ -101,9 +101,9 @@ You can find all configuration options for the User resource in the xref:referen The `metadata.name` field in the User resource is used to specify the username. Keep in mind the following best practices when choosing a username: -- Uniqueness: Ensure that each user has a unique name to avoid conflicts. The username must be unique within the Redpanda cluster. -- Descriptive: Choose a name that identifies the purpose or role of the user. For example, use names like `app-consumer` or `admin-user`. -- Stable: Avoid changing usernames frequently. Usernames are tied to authentication and authorization rules (ACLs). Renaming a user involves deleting and recreating the user. +- *Unique*: Ensure each user has a unique name to avoid conflicts. The username must be unique within the Redpanda cluster. +- *Descriptive*: Choose a name that identifies the purpose or role of the user. For example, use names like `app-consumer` or `admin-user`. +- *Stable*: Avoid changing usernames frequently. Usernames are tied to authentication and authorization rules (ACLs). Renaming a user involves deleting and recreating the user. [,yaml] ---- @@ -200,7 +200,7 @@ For more details about ACLs, including supported operations and resources in Red To deploy a User resource, apply the manifest to the same namespace as your Redpanda cluster: -[bash] +[,bash] ---- kubectl apply -f .yaml --namespace ---- 
@@ -212,7 +212,7 @@ kubectl apply -f .yaml --namespace After deploying a User resource, verify that the Redpanda Operator reconciled it: -[bash] +[,bash] ---- kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace ---- @@ -245,7 +245,7 @@ Example output: To update a user, edit the User resource configuration and apply the changes. -[bash] +[,bash] ---- kubectl apply -f .yaml --namespace ---- @@ -254,7 +254,7 @@ kubectl apply -f .yaml --namespace To delete a user, delete the User resource: -[bash] +[,bash] ---- kubectl delete -f example-user.yaml --namespace ----
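Review bot: in the `UsersItems` table hunk of k-crd.adoc (`@@ -2655,4 +2676,6 @@`), the new `password` row says only "Specifies the superuser password", which reads as an instruction to put a cleartext credential into the Helm values. If the chart can take this value from a Secret, say so in the row or link to that option; if it cannot, state that any values file carrying this field has to be handled as a secret.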
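Review bot: in the strimzi.adoc hunk (`@@ -322,7 +322,7 @@`), the replacement xref fragment is a long generated ID that has already changed once (`src-go-k8s-api-redpanda-v1alpha1` to `operator-api-redpanda-v1alpha2`), and its host segment reads `github.com` in both the removed and the added line. Check the fragment against the ID actually generated in `k-crd.adoc` in a local build before merging, because a wrong fragment still lands on the page and fails silently. The same check applies to the `...v1alpha2-user` and `...v1alpha2-userlist` fragments added in PATCH 45.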
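Review bot: in the first hunk of PATCH 44 (`@@ -26,7 +26,7 @@`), the context line "The user is deleted, but ACLs for that user will remain in the cluster" needs a follow-up sentence, not just the capitalisation fix on the line above it. ACLs that outlive the user still match that username, so the doc should tell the reader to remove them with `rpk` or another Kafka client when the user is retired, and before the same name is given to a new user.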
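Review bot: in the `@@ -91,7 +91,7 @@` hunk of PATCH 44, renaming `== Configuration advice` to `== Configuration best practices` changes the section's auto-generated ID, and unlike the `[[no-acl]]` and `[[both]]` sections this heading carries no explicit anchor in the visible lines. Add an explicit anchor above the heading, or confirm that no xref points at the old ID.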
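Review bot: in the `@@ -155,7 +155,7 @@` hunk of PATCH 44, the reworded opening ("is based on the assumption that") is longer without being clearer, and the paragraph still pulls in two directions: it assumes `user-secret` exists, then says the Operator creates or updates the Secret when it does not. Describe the two cases separately, state explicitly that the Operator will write to an existing Secret that lacks the `password` key, and replace "will follow best practices for secure password generation" with the actual length and character set or a link to where they are defined.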
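Review bot: the `@@ -269,5 +269,6 @@` hunk of PATCH 45 still ends `k-user-controller.adoc` without a trailing newline (the `\ No newline at end of file` marker follows the last list item), although the k-crd.adoc hunk earlier in the series fixes exactly that. Add the newline here as well so the next edit to this list does not show up as a spurious change to the last line.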
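Review bot: in the last hunk of PATCH 46 (`@@ -254,7 +254,7 @@`), the delete command names `example-user.yaml`, while the apply commands in the `@@ -200,7` and `@@ -245,7` hunks read `kubectl apply -f .yaml --namespace`, with nothing before `.yaml` and no value after `--namespace`. Use one placeholder form for the file name and the namespace in all of these commands while the `[,bash]` markers are being fixed, and make sure the placeholders survive rendering. For the delete command in particular, link to the section that explains whether ACLs are removed along with the user.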