redpanda-data · JakeSCahill · Oct 23, 2024 · Sep 10, 2024 · Sep 18, 2024 · Sep 18, 2024
@@ -1,25 +1,6 @@
 processor:
   # RE2 regular expressions describing types that should be excluded from the generated documentation.
   ignoreTypes:
-    - "User$"
-    - "UserList$"
-    - "UserSpec$"
-    - "UserStatus$"
-    - "UserAuthenticationSpec$"
-    - "UserAuthorizationSpec$"
-    - "UserTemplateSpec$"
-    - "Password$"
-    - "PasswordSource$"
-    - "ACLRule$"
-    - "ACLType$"
-    - "ACLOperation$"
-    - "PatternType$"
-    - "ResourceType$"
-    - "ACLResourceSpec$"
-    - "ClusterSource$"
-    - "AdminAPISpec$"
-    - "AdminSASL$"
-    - "MetadataTemplate$"
 render:
   kubernetesVersion: 1.23
   knownTypes:

@@ -0,0 +1,55 @@
+---
+  name: Fetch and Save K8s Acceptance Tests
+  on:
+    workflow_dispatch:  # Allows manual trigger of the workflow
+    repository_dispatch:  # Allows other repositories to trigger this workflow
+      types: [trigger-acceptance-test-pull]
+  jobs:
+    fetch-and-save:
+      runs-on: ubuntu-latest
+      steps:
+        - name: configure aws credentials
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
+            aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
+            aws-region: us-west-2
+        - name: get secrets from aws sm
+          uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          with:
+            secret-ids: |
+              ,sdlc/prod/github/actions_bot_token
+            parse-json-secrets: true
+
+        - name: Checkout the repository
+          uses: actions/checkout@v4
+          with:
+            ref: api
+            token: ${{ env.ACTIONS_BOT_TOKEN }}
+            path: redpanda-docs
+
+        - name: Set up Node.js
+          uses: actions/setup-node@v4
+          with:
+            node-version: '18'
+
+        - name: Install dependencies
+          run: |
+            cd ./redpanda-docs/scripts/fetch-from-github
+            npm install
+
+        - name: Run the script and save the output
+          run: node ./redpanda-docs/scripts/fetch-from-github/fetch.js redpanda-data redpanda-operator acceptance/features ../../modules/manage/examples/kubernetes
+          env:
+            VBOT_GITHUB_API_TOKEN: ${{ env.ACTIONS_BOT_TOKEN }}
+
+        - name: Create pull request
+          uses: peter-evans/create-pull-request@v6
+          with:
+            commit-message: "auto-docs: Update K8s acceptance tests"
+            token: ${{ env.ACTIONS_BOT_TOKEN }}
+            branch: update-acceptance-tests
+            title: "auto-docs: Update K8s acceptance tests"
+            body: "This PR auto-updates the acceptance tests that we use as examples in our Kubernetes docs."
+            labels: auto-docs
+            reviewers: JakeSCahill
@@ -113,7 +113,9 @@
 **** xref:manage:kubernetes/security/tls/index.adoc[TLS Encryption]
 ***** xref:manage:kubernetes/security/tls/k-cert-manager.adoc[Use cert-manager]
 ***** xref:manage:kubernetes/security/tls/k-secrets.adoc[Use Secrets]
-**** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Authentication]
+**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication]
+***** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Enable Authentication]
+***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs]
 **** xref:manage:kubernetes/security/k-audit-logging.adoc[Audit Logging]
 *** xref:manage:kubernetes/k-rack-awareness.adoc[Rack Awareness]
 *** xref:manage:kubernetes/k-remote-read-replicas.adoc[Remote Read Replicas]

@@ -122,9 +122,9 @@ spec:
 ----
 +
 - `metadata.name`: Name to assign the Redpanda cluster. This name is also assigned to the Helm release.
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-src-go-k8s-apis-redpanda-v1alpha1-chartref[`spec.chartRef`]: Information about the Helm chart that will be used to deploy Redpanda.
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-api-redpanda-v1alpha2-chartref[`spec.chartRef`]: Information about the Helm chart that will be used to deploy Redpanda.
 - `spec.chartRef.chartVersion`: This field specifies the exact version of the Redpanda Helm chart to use for deployment. By setting this value, you <<version-pinning, pin the chart to a specific version>>, which prevents automatic updates that might introduce breaking changes or new features that have not been tested in your environment.
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-src-go-k8s-apis-redpanda-v1alpha1-redpandaclusterspec[`spec.clusterSpec`]: This is where you can override default values in the Redpanda Helm chart.
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-api-redpanda-v1alpha2-redpandaclusterspec[`spec.clusterSpec`]: This is where you can override default values in the Redpanda Helm chart. Here, you mount the <<prerequisites, I/O configuration file>> to the Pods that run Redpanda. For other configuration details, see <<Production considerations>>.
 - `spec.clusterSpec.enterprise`: If you want to use enterprise features in Redpanda, uncomment this section and add the details of a Secret that stores your Enterprise Edition license key. For details, see xref:get-started:licensing/add-license-redpanda/kubernetes.adoc[].
 - `spec.clusterSpec.statefulset`: Here, you mount the <<prerequisites, I/O configuration file>> to the Pods that run Redpanda. For other configuration details, see <<Production considerations>>.
 

@@ -7,6 +7,16 @@ This topic includes new content added in version {page-component-version}. For a
 * xref:redpanda-cloud:get-started:whats-new-cloud.adoc[] 
 * xref:redpanda-cloud:get-started:cloud-overview.adoc#redpanda-cloud-vs-self-managed-feature-compatibility[Redpanda Cloud vs Self-Managed feature compatibility]
 
+== Declarative user and ACL management in Kubernetes
+
+Redpanda now supports declarative management of users and access control lists (ACLs) using the new User resource with the Redpanda Operator. This feature allows you to:
+
+- Create and manage Redpanda users and their authentication settings.
+- Define and manage ACLs to control access to Redpanda resources.
+- Automatically reconcile changes to users and ACLs using the Redpanda Operator.
+
+To learn more, see the xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resource documentation].
+
 == Licensing updates
 
 This release includes several updates to xref:get-started:licensing/overview.adoc[Redpanda's licensing system] to both improve transparency and make it easier to manage licenses across Redpanda clusters and Redpanda Console.

@@ -0,0 +1,86 @@
+@cluster:sasl
+Feature: User CRDs
+  Background: Cluster available
+    Given cluster "sasl" is available
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage users
+    Given there is no user "bob" in cluster "sasl"
+    And there is no user "james" in cluster "sasl"
+    And there is no user "alice" in cluster "sasl"
+    When I create CRD-based users for cluster "sasl":
+      | name  | password | mechanism     | acls |
+      | bob   |          | SCRAM-SHA-256 |      |
+      | james |          | SCRAM-SHA-512 |      |
+      | alice | qwerty   | SCRAM-SHA-512 |      |
+    Then "bob" should exist and be able to authenticate to the "sasl" cluster
+    And "james" should exist and be able to authenticate to the "sasl" cluster
+    And "alice" should exist and be able to authenticate to the "sasl" cluster
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage authentication-only users
+    Given there is no user "jason" in cluster "sasl"
+    And there are already the following ACLs in cluster "sasl":
+      | user   | acls |
+      | jason  | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] |
+    When I apply Kubernetes manifest:
+    """
+    # tag::manage-authn-only-manifest[]
+    # In this example manifest, a user called "jason" is created in a cluster called "sasl".
+    # The user's password is defined in a Secret called "jason-password".
+    # This example assumes that you will create ACLs for this user separately.
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: User
+    metadata:
+      name: jason
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      authentication:
+        type: scram-sha-512
+        password:
+          valueFrom:
+            secretKeyRef:
+              name: jason-password
+              key: password
+    # end::manage-authn-only-manifest[]
+    """
+    And user "jason" is successfully synced
+    And I delete the CRD user "jason"
+    Then there should be ACLs in the cluster "sasl" for user "jason"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage authorization-only users
+    Given there are the following pre-existing users in cluster "sasl"
+      | name    | password | mechanism     |
+      | travis  | password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    # tag::manage-authz-only-manifest[]
+    # In this example manifest, an ACL called "travis" is created in a cluster called "sasl".
+    # The ACL give an existing user called "travis" permissions to read from all topics whose names start with some-topic.
+    # This example assumes that you already have a user called "travis" in your cluster.
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: User
+    metadata:
+      name: travis
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      authorization:
+        acls:
+        - type: allow
+          resource:
+            type: topic
+            name: some-topic
+            patternType: prefixed
+          operations: [Read]
+    # end::manage-authz-only-manifest[]
+    """
+    And user "travis" is successfully synced
+    And I delete the CRD user "travis"
+    Then "travis" should be able to authenticate to the "sasl" cluster with password "password" and mechanism "SCRAM-SHA-256"
@@ -5,21 +5,24 @@
 :env-kubernetes: true
 :page-aliases: manage:kubernetes/manage-topics.adoc
 
-The Redpanda Operator allows you to declaratively create and manage Kafka topics using xref:reference:k-crd.adoc##k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topic[Topic custom resources] (resources) in Kubernetes. Each Topic resource is mapped to a topic in your Redpanda cluster. The topic controller, a component of the Redpanda Operator, keeps the corresponding Kafka topic in sync with the Topic resource. This resource allows you to create topics as part of a Redpanda deployment.
+The Redpanda Operator allows you to declaratively create and manage Kafka topics using xref:reference:k-crd.adoc##k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[Topic custom resources] (resources) in Kubernetes. Each Topic resource is mapped to a topic in your Redpanda cluster. The topic controller, a component of the Redpanda Operator, keeps the corresponding Kafka topic in sync with the Topic resource. This resource allows you to create topics as part of a Redpanda deployment.
 
 == Prerequisites
 
 You must have the following:
 
-* Kubernetes cluster: Ensure you have a running Kubernetes cluster, either locally, such as with minikube or kind, or remotely.
+* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[`kubectl`^] command-line tool installed and configured to communicate with your cluster.
 
-* https://kubernetes.io/docs/tasks/tools/#kubectl[Kubectl^]: Ensure you have the `kubectl` command-line tool installed and configured to communicate with your cluster.
-
-* Redpanda: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster.
+* *Redpanda*: Ensure you have the xref:deploy:deployment-option/self-hosted/kubernetes/kubernetes-deploy.adoc[Redpanda Operator and a Redpanda resource deployed] in your Kubernetes cluster.
 
 == Limitations
 
-You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you must use `rpk` or another Kafka client. For details about ACLs, see xref:security/authorization/index.adoc[].
+You cannot create access control lists (ACLs) directly in the Topic resource. To create ACLs for your topics, you can use:
+
+- xref:manage:kubernetes/security/authentication/k-user-controller.adoc[The User resource]
+- xref:get-started:rpk-install.adoc[`rpk`] or another Kafka client
+
+For details about ACLs, see xref:security/authorization/index.adoc[].
 
 == Create a topic
 
@@ -44,23 +47,23 @@ spec:
   interval:
 ----
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`metadata.name`] (*required*): The name of the Topic resource. If the <<overwrite, `overwriteTopicName`>> property is not set, the name of the Topic resource is also given to the topic in Redpanda.
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`metadata.name`] (*required*): The name of the Topic resource. If the <<overwrite, `overwriteTopicName`>> property is not set, the name of the Topic resource is also given to the topic in Redpanda.
 +
 Valid names must consist of lowercase alphanumeric characters, hyphens (-), or periods (.). Names cannot start or end with a non-alphanumeric character. Underscores (_) are not allowed. For example, `chat-room` is a valid name, whereas `chat_room` is not. To use other characters such as underscores in your topic names, use the <<overwrite, `overwriteTopicName`>> property.
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-kafkaapispec[`spec.kafkaApiSpec`] (*required*): Configuration details for connecting to Redpanda brokers.
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkaapispec[`spec.kafkaApiSpec`] (*required*): Configuration details for connecting to Redpanda brokers.
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.partitions`]: The number of topic shards distributed across the brokers in a Redpanda cluster. This value cannot be decreased post-creation. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_partitions[`default_topic_partitions`].
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.partitions`]: The number of topic shards distributed across the brokers in a Redpanda cluster. This value cannot be decreased post-creation. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_partitions[`default_topic_partitions`].
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.replicationFactor`]: Specifies the number of topic replicas. The value must be an odd number. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_replications[`default_topic_replications`].
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.replicationFactor`]: Specifies the number of topic replicas. The value must be an odd number. Overrides the default cluster property xref:reference:cluster-properties.adoc#default_topic_replications[`default_topic_replications`].
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.additionalConfig`]: A map of any topic-specific configuration options. See xref:reference:topic-properties.adoc[].
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.additionalConfig`]: A map of any topic-specific configuration options. See xref:reference:topic-properties.adoc[].
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.metricsNamespace`]: The fully-qualified name of the topic metrics for use in multi-operator environments. Defaults to `redpanda-operator`.
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.metricsNamespace`]: The fully-qualified name of the topic metrics for use in multi-operator environments. Defaults to `redpanda-operator`.
 
-- [[overwrite]]xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.overwriteTopicName`]: Overwrites the topic name in `metadata.name`.
+- [[overwrite]]xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.overwriteTopicName`]: Overwrites the topic name in `metadata.name`.
 
-- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-src-go-k8s-api-redpanda-v1alpha2-topicspec[`spec.interval`]: Sets the reconciliation interval for the topic controller. Default is 3 seconds (`3s`).
+- xref:reference:k-crd.adoc#k8s-api-github.aaakk.us.kg-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[`spec.interval`]: Sets the reconciliation interval for the topic controller. Default is 3 seconds (`3s`).
 
 The default settings are best suited to a one-broker cluster in a development environment. To learn how to modify the default values in the configuration file, see xref:manage:cluster-maintenance/cluster-property-configuration.adoc[Configure Cluster Properties]. Even if you set default values that work for most topics, you may still want to change some properties for a specific topic.
 

@@ -0,0 +1,6 @@
+= Authentication for Redpanda in Kubernetes
+:page-layout: index
+:description: Learn how to configure authentication for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator.
+:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc
+
+Redpanda offers two methods to manage authentication in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster.
@@ -1,8 +1,7 @@
 = Configure Authentication for Redpanda in Kubernetes
-:description: Learn how to configure authentication for Redpanda in Kubernetes.
+:description: Use Helm values or the Redpanda resource manifest to enable authentication for Redpanda. This method provides a way to configure authentication during the initial deployment or updates to the cluster configuration.
 :page-context-links: [{"name": "Linux", "to": "manage:security/authentication.adoc" },{"name": "Kubernetes", "to": "manage:kubernetes/security/authentication/k-authentication.adoc" } ]
 :tags: ["Kubernetes", "Helm configuration"]
-:page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc
 :page-categories: Management, Security
 :env-kubernetes: true
 :page-toclevels: 3