diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index 33b3801117..683964011a 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -130,9 +130,10 @@
 **** xref:manage:kubernetes/security/tls/index.adoc[TLS Encryption]
 ***** xref:manage:kubernetes/security/tls/k-cert-manager.adoc[Use cert-manager]
 ***** xref:manage:kubernetes/security/tls/k-secrets.adoc[Use Secrets]
-**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication]
+**** xref:manage:kubernetes/security/authentication/index.adoc[Authentication and Authorization]
 ***** xref:manage:kubernetes/security/authentication/k-authentication.adoc[Enable Authentication]
-***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs]
+***** xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs (Operator)]
+***** xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs (Operator)]
 **** xref:manage:kubernetes/security/k-audit-logging.adoc[Audit Logging]
 *** xref:manage:kubernetes/k-rack-awareness.adoc[Rack Awareness]
 *** xref:manage:kubernetes/k-remote-read-replicas.adoc[Remote Read Replicas]
diff --git a/modules/manage/examples/kubernetes/role-crds.feature b/modules/manage/examples/kubernetes/role-crds.feature
new file mode 100644
index 0000000000..9ac39d3042
--- /dev/null
+++ b/modules/manage/examples/kubernetes/role-crds.feature
@@ -0,0 +1,109 @@ +@cluster:roles +Feature: Role CRDs + Background: Cluster available + Given cluster "roles" is available + + @skip:gke @skip:aks @skip:eks + Scenario: Manage roles + Given there is no role "admin-role" in cluster "roles" + And there are the following pre-existing users in cluster "roles" + | name | password | mechanism | + | alice | password | SCRAM-SHA-256 | + | bob | password | SCRAM-SHA-256 | + When I apply Kubernetes manifest: + """ +# tag::manage-roles-with-principals[] + # In this example manifest, a role called "admin-role" is created in a cluster called "roles". + # The role includes two principals (alice and bob) who will inherit the role's permissions. + --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: Role + metadata: + name: admin-role + spec: + cluster: + clusterRef: + name: roles + principals: + - User:alice + - User:bob +# end::manage-roles-with-principals[] + """ + And role "admin-role" is successfully synced + Then role "admin-role" should exist in cluster "roles" + And role "admin-role" should have members "alice" and "bob" in cluster "roles" + + @skip:gke @skip:aks @skip:eks + Scenario: Manage roles with authorization + Given there is no role "read-only-role" in cluster "roles" + And there are the following pre-existing users in cluster "roles" + | name | password | mechanism | + | charlie | password | SCRAM-SHA-256 | + When I apply Kubernetes manifest: + """ +# tag::manage-roles-with-authorization[] + # In this example manifest, a role called "read-only-role" is created in a cluster called "roles". + # The role includes authorization rules that allow reading from topics with names starting with "public-". 
+ --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: Role + metadata: + name: read-only-role + spec: + cluster: + clusterRef: + name: roles + principals: + - User:charlie + authorization: + acls: + - type: allow + resource: + type: topic + name: public- + patternType: prefixed + operations: [Read, Describe] +# end::manage-roles-with-authorization[] + """ + And role "read-only-role" is successfully synced + Then role "read-only-role" should exist in cluster "roles" + And role "read-only-role" should have ACLs for topic pattern "public-" in cluster "roles" + And user "charlie" should be able to read from topic "public-test" in cluster "roles" + + @skip:gke @skip:aks @skip:eks + Scenario: Manage authorization-only roles + Given there are the following pre-existing users in cluster "roles" + | name | password | mechanism | + | travis | password | SCRAM-SHA-256 | + And there is a pre-existing role "travis-role" in cluster "roles" + When I apply Kubernetes manifest: + """ +# tag::manage-authz-only-roles[] + # In this example manifest, a role CRD called "travis-role" manages ACLs for an existing role. + # The role includes authorization rules that allow reading from topics with names starting with "some-topic". + # This example assumes that you already have a role called "travis-role" in your cluster. + --- + apiVersion: cluster.redpanda.com/v1alpha2 + kind: Role + metadata: + name: travis-role + spec: + cluster: + clusterRef: + name: roles + principals: + - User:travis + authorization: + acls: + - type: allow + resource: + type: topic + name: some-topic + patternType: prefixed + operations: [Read] +# end::manage-authz-only-roles[] + """ + And role "travis-role" is successfully synced + And I delete the CRD role "travis-role" + Then there should still be role "travis-role" in cluster "roles" + And there should be no ACLs for role "travis-role" in cluster "roles" \ No newline at end of file 
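Review bot: In the `Manage authorization-only roles` scenario the manifest tagged `manage-authz-only-roles` still sets `principals: - User:travis`, although k-role-controller.adoc in this same commit includes that snippet as the example for managing ACLs of an existing role without modifying its membership, and after `And I delete the CRD role "travis-role"` the scenario only asserts the role still exists and has no ACLs, never that its pre-existing membership was left untouched. Either drop the `principals` block from that manifest or add a membership check after the delete, for example `And role "travis-role" should have members "travis" in cluster "roles"` (adjusting to whatever single-member form the step library supports), so the test proves the authorization-only contract the page describes. The `Manage roles with authorization` scenario likewise checks only the positive path (`charlie` can read `public-test`); a negative step for a topic outside the `public-` prefix, or for a `Write` on `public-test`, would catch an over-broad grant from the `prefixed` pattern, which is the risk the page's own TIP about `prefixed` patterns warns about.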
diff --git a/modules/manage/pages/kubernetes/security/authentication/index.adoc b/modules/manage/pages/kubernetes/security/authentication/index.adoc index b8ac87f4f1..74badb6dbb 100644 --- a/modules/manage/pages/kubernetes/security/authentication/index.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/index.adoc @@ -1,6 +1,6 @@ -= Authentication for Redpanda in Kubernetes += Authentication and Authorization for Redpanda in Kubernetes :page-layout: index -:description: Learn how to configure authentication for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. +:description: Learn how to configure authentication and authorization for Redpanda in Kubernetes using Helm values or the User resource with the Redpanda Operator. :page-aliases: security:sasl-kubernetes.adoc, manage:kubernetes/security/sasl-kubernetes.adoc, security:kubernetes-sasl.adoc, manage:kubernetes/security/authentication/sasl-kubernetes.adoc, reference:redpanda-operator/kubernetes-mtls.adoc, reference:redpanda-operator/kubernetes-sasl.adoc -Redpanda offers two methods to manage authentication in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file +Redpanda offers two methods to manage authentication and authorization in a Kubernetes environment. These options allow administrators to control user access and permissions, ensuring secure communication with the Redpanda cluster. \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc index 5c46594f18..491ed5ea5a 100644 --- a/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc +++ b/modules/manage/pages/kubernetes/security/authentication/k-user-controller.adoc 
@@ -5,6 +5,8 @@ With the Redpanda Operator, you can declaratively create and manage Redpanda users and glossterm:ACL[,access control lists (ACLs)] using xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User custom resources] (resources) in Kubernetes. Each User resource is mapped to a user in your Redpanda cluster. The user controller, a component of the Redpanda Operator, keeps the corresponding user in sync with the User resource. +For role-based access control where you want to define permissions once and apply them to multiple users, see xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs]. + == Prerequisites You must have the following: 
@@ -267,8 +269,32 @@ Deleting a User resource will have different impacts depending on how it is conf - **Authorization-only**: When a User resource that manages only ACLs is deleted, the ACLs are removed, but the user remains in the cluster. - **Full user management (both authentication and authorization)**: When the resource manages both users and ACLs, the user and its associated ACLs are removed. +== Best practices + +When working with User resources, consider the following best practices: + +=== User design + +- *Principle of least privilege*: Grant only the minimum permissions necessary for users to perform their tasks. +- *Descriptive usernames*: Use clear, consistent naming conventions that identify the user's purpose or role. +- *Avoid shared accounts*: Create individual user accounts rather than sharing credentials between multiple people or applications. + +=== Permission management + +- *Consider roles for shared permissions*: When multiple users need the same set of permissions, consider using xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Role resources] instead of duplicating ACLs across individual User resources. +- *User-specific permissions*: Use User resource ACLs for permissions that are specific to individual users and don't need to be shared. +- *Avoid conflicts*: If using both Role and User resources, be careful not to create conflicting ACLs for the same users. + +=== Secret management + +- *Use Kubernetes Secrets*: Store passwords in Kubernetes Secrets rather than hardcoding them in manifests. +- *Regular rotation*: Implement a regular password rotation strategy for production environments. 
+ == Suggested reading * xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[User resource] * xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userlist[UserList resource] -* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] \ No newline at end of file +* xref:manage:kubernetes/security/authorization/k-role-controller.adoc[Manage Roles and ACLs] +* xref:manage:kubernetes/security/authentication/k-authentication.adoc[] +* xref:manage:security/authorization/rbac.adoc[Role-Based Access Control (RBAC)] +* xref:manage:security/authorization/acl.adoc[Access Control Lists (ACLs)] \ No newline at end of file diff --git a/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc b/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc new file mode 100644 index 0000000000..1627088bf3 --- /dev/null +++ b/modules/manage/pages/kubernetes/security/authorization/k-role-controller.adoc 
@@ -0,0 +1,223 @@ += Manage Roles with the Redpanda Operator +:description: Use the Role resource to declaratively create and manage roles as part of a Redpanda deployment. Each Role resource defines a set of permissions that can be assigned to multiple users, providing role-based access control (RBAC) for your Redpanda cluster. +:page-categories: Management, Security +:env-kubernetes: true + +With the Redpanda Operator, you can declaratively create and manage Redpanda roles using xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[Role custom resources] (resources) in Kubernetes. Each Role resource defines a set of permissions that can be assigned to multiple users, providing role-based access control (RBAC) for your Redpanda cluster. The role controller, a component of the Redpanda Operator, keeps the corresponding Redpanda role in sync with the Role resource. + +NOTE: Role resources do not create users. Users must already exist in the Redpanda cluster before they can be assigned to roles. Use xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resources] to create and manage users. + +== What are roles and why use them? + +Think of roles like job titles in a company. Instead of giving each employee individual permissions for every door, system, and resource, you create job titles (roles) like "Developer," "Manager," or "Security Guard." Each job title comes with a specific set of permissions, and you assign employees to those job titles. + +In Redpanda, roles work the same way: + +* **Without roles**: You set up permissions individually for each user. If you have 10 developers who all need the same access to certain topics, you configure the same permissions 10 times. + +* **With roles**: You create a "Developer" role once with all the necessary permissions, then assign all 10 developers to that role. 
When you need to change what developers can access, you update the role once instead of updating 10 individual users. + +== Prerequisites + +You must have the following: + +* *Kubectl*: Ensure you have the https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl^] command-line tool installed and configured to communicate with your cluster. +* *Redpanda Operator*: Ensure you have at least version 25.2 of the xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc[Redpanda Operator]. +* *Redpanda cluster with SASL enabled*: Ensure you have a Redpanda resource deployed with xref:manage:kubernetes/security/authentication/k-authentication.adoc#enable[SASL authentication enabled]. +* *Existing users*: If you plan to assign users to roles, ensure the users already exist in your Redpanda cluster. You can create users using xref:manage:kubernetes/security/authentication/k-user-controller.adoc[User resources]. + +== Create a role + +You can use the Role resource to: + +- <> +- <> +- <> + +Each Role instance is responsible for managing both the role membership (principals) and the role's ACLs within the Redpanda cluster. You cannot use one Role resource to manage the principals and another resource to manage the ACLs. Only one Role instance is allowed per role in the Redpanda cluster. + +[[with-authorization]] +=== Create a role with authorization rules + +- *Use case*: You want to create a role that defines permissions and assign users to inherit those permissions. This is the most common use case for role-based access control, where you define permissions once and apply them to multiple users. +- *What happens when deleted*: Both the role and its associated ACLs are removed. Users assigned to the role lose the permissions granted by this role but retain any other permissions they have. + +This example shows how to create a role with both principals and authorization rules. 
+ +.`read-only-role.yaml` +[,yaml,indent=0] +---- +include::manage:example$kubernetes/role-crds.feature[tags=manage-roles-with-authorization,indent=0] +---- + +[[with-principals]] +=== Create a role with principals + +- *Use case*: You want to create a role and assign users (principals) to it. This is useful for grouping users together without necessarily defining permissions at the role level, allowing you to manage group membership centrally. +- *What happens when deleted*: The role is deleted, but users assigned to the role remain in the cluster. Any ACLs defined at the user level are unaffected. + +This example shows how to create a role and assign principals to it. + +.`admin-role.yaml` +[,yaml,indent=0] +---- +include::manage:example$kubernetes/role-crds.feature[tags=manage-roles-with-principals,indent=0] +---- + +[[authorization-only]] +=== Create authorization rules for an existing role + +- *Use case*: You want to manage ACLs for an existing role in the Redpanda cluster, but not modify the role's membership. Use this option if role membership is managed by another process or tool, and you only want to control what resources the role can access. +- *What happens when deleted*: The ACLs are removed, but the role and its members remain. This is useful when you want to revoke permissions but retain the role structure for future use. + +This example shows how to manage only the ACLs for an existing role in the Redpanda cluster. + +.`authorization-only-role.yaml` +[,yaml,indent=0] +---- +include::manage:example$kubernetes/role-crds.feature[tags=manage-authz-only-roles,indent=0] +---- + +== Configuration + +The following sections provide guidance on setting up role membership, managing authorization rules, and defining ACLs within your Kubernetes environment. These recommendations ensure proper role management while minimizing manual interventions and preventing potential security issues. 
+ +You can find all configuration options for the Role resource in the xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[CRD reference]. + +=== Choose a role name + +The `metadata.name` field in the Role resource is used to specify the role name. Keep in mind the following best practices when choosing a role name: + +- *Unique*: Ensure each role has a unique name to avoid conflicts. The role name must be unique within the Redpanda cluster. +- *Descriptive*: Choose a name that identifies the purpose or permissions of the role. For example, use names like `data-readers` or `topic-admins`. +- *Stable*: Avoid changing role names frequently. Role names are tied to authorization rules (ACLs) and user assignments. Renaming a role involves deleting and recreating the role. + +[,yaml] +---- +metadata: + name: read-only-role +---- + +In this example, `read-only-role` is the role name, which will be referenced in authorization rules and user assignments. + +=== Configure principals + +The xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[`spec.principals`] field allows you to specify which users are assigned to the role. Principals are specified in the format `User:`. + +IMPORTANT: Users must already exist in the Redpanda cluster before they can be assigned to a role. The Role resource does not create users that don't exist. + +[source,yaml] +---- +spec: + principals: + - User:alice + - User:bob +---- + +When users are assigned to a role, they inherit all the permissions defined in the role's ACLs. If a role has no ACLs defined, the users gain no additional permissions from the role membership. + +=== Define authorization rules + +The xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[`spec.authorization`] field allows you to manage ACLs for the role. 
ACLs define the permissions that all members of the role have over specific resources in Redpanda, such as topics, consumer groups, and clusters. + +You can define ACLs for a role by specifying which resources members can access and the operations they are permitted to perform. Here's an example configuration for managing ACLs: + +[source,yaml] +---- +spec: + authorization: + acls: + - type: allow + resource: + type: topic + name: public- + patternType: prefixed + operations: [Read, Describe] +---- + +- `type`: Defines whether the ACL is `allow` or `deny`. +- `resource.type`: Specifies the resource type (topic, group, cluster, transactionalId). +- `patternType`: Specifies if the resource name is treated as a `literal` or a `prefixed` pattern. Default: `literal`. ++ +TIP: Using `literal` names for resources ensures that only the exact resources you intend are accessible. Use `prefixed` patterns cautiously to avoid accidental permission grants. +- `operations`: Lists the allowed operations, such as `Read`, `Write`, `Create`, and `Delete`. + +You can find all configuration options for authorization in the xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[RoleAuthorizationSpec] of the CRD reference. + +For more details about ACLs, including supported operations and resources in Redpanda, see xref:manage:security/authorization/acl.adoc[]. + +== Deploy a Role resource + +To deploy a Role resource, apply the manifest to the same namespace as your Redpanda cluster: + +[,bash] +---- +kubectl apply -f .yaml --namespace +---- + +- Replace `` with the filename of your manifest. +- Replace `` with the namespace in which you deployed Redpanda. 
+ +== Verify a role + +After deploying a Role resource, verify that the Redpanda Operator reconciled it: + +[,bash] +---- +kubectl logs -l app.kubernetes.io/name=operator -c manager --namespace +---- + +== Update a role + +To update a role, edit the Role resource configuration and apply the changes. + +[,bash] +---- +kubectl apply -f .yaml --namespace +---- + +== Delete a role + +To delete a role, delete the Role resource: + +[,bash] +---- +kubectl delete -f .yaml --namespace +---- + +When a Role resource is deleted, its underlying data is removed as well. If the role has ACLs, those ACLs are also removed. + +Deleting a Role resource has different impacts depending on how it is configured: + +- **Principals-only**: When a Role resource that manages only principals is deleted, the role is removed from the cluster. However, any ACLs not managed by the same resource will remain in place. +- **Authorization-only**: When a Role resource that manages only ACLs is deleted, the ACLs are removed, but the role and its members remain in the cluster. +- **Full role management (both principals and authorization)**: When the resource manages both membership and ACLs, the role and its associated ACLs are removed. + +== Best practices + +When working with Role resources, consider the following best practices: + +=== Role design + +- *Principle of least privilege*: Grant only the minimum permissions necessary for users to perform their tasks. +- *Logical grouping*: Create roles that align with job functions or responsibilities rather than individual users. +- *Naming conventions*: Use consistent, descriptive names that indicate the role's purpose, such as `topic-readers` or `admin-users`. + +=== Permission management + +- *Prefer role-based over user-based ACLs*: When possible, assign permissions to roles rather than individual users to simplify management. 
+- *Use specific resource patterns*: Prefer `literal` patterns over `prefixed` patterns unless you specifically need pattern matching. +- *Regular reviews*: Periodically review role permissions to ensure they remain appropriate and necessary. + +=== Integration with User resources + +- *Consistent management*: If you're using both Role and User resources, establish clear guidelines about which permissions are managed at the role level versus the user level. +- *Avoid conflicts*: Be careful not to create conflicting ACLs between Role and User resources for the same users. + +== Suggested reading + +* xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[Role resource] +* xref:reference:k-crd.adoc#k8s-api-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolelist[RoleList resource] +* xref:manage:kubernetes/security/authentication/k-user-controller.adoc[Manage Users and ACLs] +* xref:manage:security/authorization/rbac.adoc[Role-Based Access Control (RBAC)] +* xref:manage:security/authorization/acl.adoc[Access Control Lists (ACLs)] diff --git a/modules/reference/pages/k-crd.adoc b/modules/reference/pages/k-crd.adoc index 73cfd173cc..b0f4c03aec 100644 --- a/modules/reference/pages/k-crd.adoc +++ b/modules/reference/pages/k-crd.adoc 
@@ -5,16 +5,41 @@ :page-aliases: reference:k-topic-crd.adoc -Package v1alpha2 defines the v1alpha2 schema for the Redpanda API. It is part of an evolving API architecture, representing an initial stage that may be subject to change based on user feedback and further development. .Resource Types - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpanda[$$Redpanda$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[$$Role$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schema[$$Schema$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topic[$$Topic$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-user[$$User$$] +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter"] +== ACLAccessFilter + +Filter an ACL based on its access + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclfilter[$$ACLFilter$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | The host to match. If not set, will default to match all hosts + +with the specified `operation` and `permissionType`. 
Note that + +the asterisk `*` is literal and matches hosts that are set to `*` + +| *`operation`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation[$$ACLOperation$$]__ | The ACL operation to match + +| *`permissionType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acltype[$$ACLType$$]__ | The permission type + +| *`principal`* __string__ | The name of the principal, if not set will default to match + +all principals with the specified `operation` and `permissionType` + +|=== + + + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-acloperation"] == ACLOperation (string) @@ -23,10 +48,30 @@ ACLOperation specifies the type of operation for an ACL. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter[$$ACLAccessFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter"] +== ACLResourceFilter + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclfilter[$$ACLFilter$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`name`* __string__ | +| *`patternType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-patterntype[$$PatternType$$]__ | +| *`resourceType`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetype[$$ResourceType$$]__ | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec"] == ACLResourceSpec 
@@ -68,6 +113,7 @@ Validations taken from https://cwiki.apache.org/confluence/pages/viewpage.action .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[$$RoleAuthorizationSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userauthorizationspec[$$UserAuthorizationSpec$$] [cols="25a,75a", options="header"] @@ -101,6 +147,7 @@ ACLType specifies the type, either allow or deny of an ACL rule. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclaccessfilter[$$ACLAccessFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] 
@@ -118,10 +165,19 @@ Admin configures settings for the Admin API listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + -| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + | *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + |=== 
@@ -370,6 +426,10 @@ ClusterRef represents a reference to a cluster that is being targeted. [cols="25a,75a", options="header"] |=== | Field | Description +| *`group`* __string__ | Group is used to override the object group that this reference points to. + +If unspecified, defaults to "cluster.redpanda.com". + +| *`kind`* __string__ | Kind is used to override the object kind that this reference points to. + +If unspecified, defaults to "Redpanda". + | *`name`* __string__ | Name specifies the name of the cluster being referenced. + |=== @@ -384,6 +444,7 @@ ClusterSource defines how to connect to a particular Redpanda cluster. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaspec[$$SchemaSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec[$$TopicSpec$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-userspec[$$UserSpec$$] 
@@ -492,8 +553,11 @@ ConfigWatcher configures a sidecar that watches for changes to the Secret in `au | Field | Description | *`enabled`* __boolean__ | Specifies whether the sidecar is enabled. + | *`extraVolumeMounts`* __string__ | Specifies additional volumes to mount to the sidecar. + +DEPRECATED: Use sideCars.extraVolumeMounts + | *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + | *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + |=== 
@@ -760,12 +824,19 @@ ExternalListener configures settings for the external listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`enabled`* __boolean__ | -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`port`* __integer__ | Specifies the container port number for the external listener. + -| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the external listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + | *`advertisedPorts`* __integer array__ | Specifies the network port that the external Service listens on. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. 
+ | *`nodePort`* __integer__ | |=== @@ -787,6 +858,18 @@ ExternalService allows you to enable or disable the creation of an external Serv |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-filtertype"] +== FilterType (string) + +FilterType specifies the type, either include or exclude of a consumer group filter. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-namefilter[$$NameFilter$$] + + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-fsvalidator"] == FsValidator 
@@ -820,13 +903,21 @@ HTTP configures settings for the HTTP Proxy listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`enabled`* __boolean__ | Specifies whether the HTTP Proxy is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. 
+ +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. + +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + +| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + +deprecated and not respected. + |=== 
@@ -902,11 +993,19 @@ Kafka configures settings for the Kafka API listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + -| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of Services. This field accepts a string template that dynamically constructs Service addresses based on various parameters such as Service name and port number. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + |=== 
@@ -1045,6 +1144,38 @@ LicenseSecretRef is deprecated. Use `EnterpriseLicenseSecretRef` instead. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listener"] +== Listener + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-admin[$$Admin$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + +| *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls"] == ListenerTLS @@ -1057,6 +1188,7 @@ ListenerTLS configures TLS configuration for each listener in the Helm values. - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-http[$$HTTP$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafka[$$Kafka$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listener[$$Listener$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpc[$$RPC$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistry[$$SchemaRegistry$$] 
@@ -1195,39 +1327,6 @@ Monitoring configures monitoring resources for Redpanda. See https://docs.redpan |=== -[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-nodepoolstatus"] -== NodePoolStatus - -NodePoolStatus defines the observed state of any node pools tied to this cluster - - - -.Appears in: -- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandastatus[$$RedpandaStatus$$] - -[cols="25a,75a", options="header"] -|=== -| Field | Description -| *`name`* __string__ | Name is the name of the pool + -| *`replicas`* __integer__ | Replicas is the number of actual replicas currently across + -the node pool. This differs from DesiredReplicas during + -a scaling operation, but should be the same once the cluster + -has quiesced. + -| *`desiredReplicas`* __integer__ | DesiredReplicas is the number of replicas that ought to be + -run for the cluster. It combines the desired replicas across + -all node pools. + -| *`outOfDateReplicas`* __integer__ | OutOfDateReplicas is the number of replicas that don't currently + -match their node pool definitions. If OutOfDateReplicas is not 0 + -it should mean that the operator will soon roll this many pods. + -| *`upToDateReplicas`* __integer__ | UpToDateReplicas is the number of replicas that currently match + -their node pool definitions. + -| *`condemnedReplicas`* __integer__ | CondemnedReplicas is the number of replicas that will be decommissioned + -as part of a scaling down operation. + -| *`readyReplicas`* __integer__ | ReadyReplicas is the number of replicas whose readiness probes are + -currently passing. + -| *`runningReplicas`* __integer__ | RunningReplicas is the number of replicas that are actively in a running + -state. + -|=== [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-password"] 
@@ -1246,6 +1345,7 @@ Password specifies a password for the user. | *`value`* __string__ | Value is a hardcoded value to use for the given password. It should only be used for testing purposes. + In production, use ValueFrom. + | *`valueFrom`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-passwordsource[$$PasswordSource$$]__ | ValueFrom specifies a source for a password to be fetched from when specifying or generating user credentials. + +| *`noGenerate`* __boolean__ | NoGenerate when set to true does not create kubernetes secret when ValueFrom points to none-existent secret. + |=== @@ -1277,7 +1377,9 @@ PatternType specifies the type of pattern applied for ACL resource matching. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter[$$ACLResourceFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-namefilter[$$NameFilter$$] 
@@ -1358,6 +1460,60 @@ PodTemplate will pass label and annotation to Statefulset Pod template. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolconfigurator"] +== PoolConfigurator + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`additionalCLIArgs`* __string array__ | Chart default: [] + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolfsvalidator"] +== PoolFSValidator + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Chart default: false + +| *`expectedFS`* __string__ | Chart default: xfs + +|=== + + + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolsetdatadirownership"] +== PoolSetDataDirOwnership + + + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-poolinitcontainers[$$PoolInitContainers$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`enabled`* __boolean__ | Chart default: false + +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-postinstalljob"] == PostInstallJob 
@@ -1464,8 +1620,10 @@ RPControllers configures additional controllers that can be deployed as sidecars |=== | Field | Description | *`enabled`* __boolean__ | Specifies whether the Controllers are enabled. + -| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | -| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + | *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | | *`healthProbeAddress`* __string__ | | *`metricsAddress`* __string__ | 
@@ -1809,8 +1967,6 @@ RedpandaStatus defines the observed state of Redpanda | *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda. + | *`license`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandalicensestatus[$$RedpandaLicenseStatus$$]__ | LicenseStatus contains information about the current state of any + installed license in the Redpanda cluster. + -| *`nodePools`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-nodepoolstatus[$$NodePoolStatus$$] array__ | NodePools contains information about the node pools associated + -with this cluster. + | *`configVersion`* __string__ | ConfigVersion contains the configuration version written in + Redpanda used for restarting broker nodes as necessary. + | *`observedGeneration`* __integer__ | Specifies the last observed generation. + @@ -1838,6 +1994,8 @@ deprecated + |=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-resourcetemplate"] == ResourceTemplate @@ -1864,6 +2022,7 @@ ResourceType specifies the type of resource an ACL is applied to. .Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcefilter[$$ACLResourceFilter$$] - xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclresourcespec[$$ACLResourceSpec$$] 
@@ -1911,6 +2070,97 @@ and `Requests`. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role"] +== Role + +Role defines the CRD for a Redpanda role. + + + + + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`apiVersion`* __string__ | `cluster.redpanda.com/v1alpha2` +| *`kind`* __string__ | `Role` +| *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + +Servers may infer this from the endpoint the client submits requests to. + +Cannot be updated. + +In CamelCase. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + +| *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + +Servers should convert recognized schemas to the latest internal value, and + +may reject unrecognized values. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to the Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$]__ | Defines the desired state of the Redpanda role. + +| *`status`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolestatus[$$RoleStatus$$]__ | Represents the current status of the Redpanda role. + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec"] +== RoleAuthorizationSpec + +RoleAuthorizationSpec defines authorization rules for this role. 
+ + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec[$$RoleSpec$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`acls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-aclrule[$$ACLRule$$] array__ | List of ACL rules which should be applied to this role. + +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolespec"] +== RoleSpec + +RoleSpec defines the configuration of a Redpanda role. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[$$Role$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`cluster`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the cluster where the role should be created. + +It is used in constructing the client created to configure a cluster. + +| *`principals`* __string array__ | Principals defines the list of users assigned to this role. + +Format: Type:Name (e.g., User:john, User:jane). If type is omitted, defaults to User. + +| *`authorization`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-roleauthorizationspec[$$RoleAuthorizationSpec$$]__ | Authorization rules defined for this role. If specified, the operator will manage ACLs for this role. + +If omitted, ACLs should be managed separately using Redpanda's ACL management. 
+ +|=== + + +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rolestatus"] +== RoleStatus + +RoleStatus defines the observed state of a Redpanda role + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-role[$$Role$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`observedGeneration`* __integer__ | Specifies the last observed generation. + +| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions holds the conditions for the Redpanda role. + +| *`managedAcls`* __boolean__ | ManagedACLs returns whether the role has managed ACLs that need + +to be cleaned up. + +| *`managedRole`* __boolean__ | ManagedRole returns whether the role has been created in Redpanda and needs + +to be cleaned up. + +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sasl"] == SASL 
@@ -2012,12 +2262,21 @@ SchemaRegistry configures settings for the Schema Registry listeners. [cols="25a,75a", options="header"] |=== | Field | Description -| *`authenticationMethod`* __string__ | Specifies the authentication method for the external listener. For example, 'mtls_identity' or `sasl`. + -| *`enabled`* __boolean__ | Specifies whether the Schema Registry is enabled. + -| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listener. + -| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + -| *`port`* __integer__ | Specifies the container port number for the internal listener. + +| *`enabled`* __boolean__ | Specifies whether this Listener is enabled. + +| *`authenticationMethod`* __string__ | Specifies the authentication method for this listener. For example, 'mtls_identity', `sasl` or `http_basic`. + +| *`appProtocol`* __string__ | +| *`port`* __integer__ | Specifies the container port number for this listener. + | *`tls`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$]__ | Configures TLS settings for the internal listener. + +| *`prefixTemplate`* __string__ | Specifies the template used for generating the advertised addresses of + +Services. This field accepts a string template that dynamically + +constructs Service addresses based on various parameters such as Service + +name and port number. + +For historical backwards compatibility, this field is present on both + +internal and external listeners. However, it is ignored when specified + +on internal listeners. 
+ +| *`external`* __object (keys:string, values:xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externallistener[$$ExternalListener$$])__ | Defines settings for the external listeners. + +| *`kafkaEndpoint`* __string__ | Configures the listener to use for HTTP connections. For example `default` for the internal listener. + +deprecated and not respected. + |=== @@ -2283,8 +2542,10 @@ SideCarObj represents a generic sidecar object. This is a placeholder for now. |=== | Field | Description | *`enabled`* __boolean__ | -| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | -| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +DEPRECATED: Use sideCars.resources + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +DEPRECATED: Use sideCars.securityContext + |=== 
@@ -2302,6 +2563,10 @@ SideCars configures the additional sidecar containers that run alongside the mai |=== | Field | Description | *`image`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-redpandaimage[$$RedpandaImage$$]__ | +| *`extraVolumeMounts`* __string__ | Specifies additional volumes to mount to the sidecar. + +| *`resources`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcerequirements-v1-core[$$ResourceRequirements$$]__ | Specifies resource requests for the sidecar container. + +| *`securityContext`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[$$SecurityContext$$]__ | Specifies the container's security context, including privileges and access levels of the container and its processes. + +| *`args`* __string array__ | | *`configWatcher`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-configwatcher[$$ConfigWatcher$$]__ | Configures the `config-watcher` sidecar. The `config-watcher` sidecar polls the Secret resource in `auth.sasl.secretRef` for changes and triggers a rolling upgrade to add the new superusers to the Redpanda cluster. + | *`rpkStatus`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-sidecarobj[$$SideCarObj$$]__ | | *`controllers`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-rpcontrollers[$$RPControllers$$]__ | @@ -2431,6 +2696,8 @@ TLS configures TLS in the Helm values. See https://docs.redpanda.com/current/man |=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tiered"] == Tiered 
@@ -2535,6 +2802,8 @@ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api- |=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-topicspec"] == TopicSpec @@ -2619,6 +2888,23 @@ TopologySpreadConstraints configures topology spread constraints to control how |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-truststore"] +== TrustStore + +TrustStore is a mapping from a value on either a Secret or ConfigMap to the +`truststore_path` field of a listener. + + + +.Appears in: +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-listenertls[$$ListenerTLS$$] + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`configMapKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#configmapkeyselector-v1-core[$$ConfigMapKeySelector$$]__ | +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | +|=== [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-tuning"] diff --git a/tests/setup-tests/fetch-versions-and-rpk.json b/tests/setup-tests/fetch-versions-and-rpk.json index 102d64df43..54d3745abd 100644 --- a/tests/setup-tests/fetch-versions-and-rpk.json +++ b/tests/setup-tests/fetch-versions-and-rpk.json @@ -56,7 +56,7 @@ "description": "Use doc-tools to install any additional test dependencies.", "runShell": { "command": "npx doc-tools install-test-dependencies", - "timeout": 120000 + "timeout": 420000 } }, {