sync: redpanda chart v5.9.22

Taskfile.yaml

@@ -125,7 +125,7 @@ tasks:
         --create-namespace \
         --namespace cert-manager \
         --set installCRDs=true \
-        --version v1.11.0 \
+        --version v1.12.16 \
         --wait \
         --wait-for-jobs
 
@@ -161,41 +161,63 @@ tasks:
       - kind delete cluster --name {{.KIND_CLUSTERNAME}}
 
   sync:charts:
-    - task: sync:operator:chart
-    - task: sync:redpanda:chart
-
-  sync:operator:chart:
-    vars:
-      OPERATOR_TMP_PATH:
-        sh: mktemp --directory --tmpdir "operator-XXXXXXXXXX"
-      OPERATOR_SHA: e92ffb8a05a6a35011a24bcda65c094cc6464187 # operator v0.4.41
     cmds:
-      - defer: rm -r {{.OPERATOR_TMP_PATH}}
-      - curl -Lo {{.OPERATOR_TMP_PATH}}operator.zip https://github.com/redpanda-data/redpanda-operator/archive/{{.OPERATOR_SHA}}.zip
-      - unzip {{.OPERATOR_TMP_PATH}}operator.zip -d {{.OPERATOR_TMP_PATH}}
-      - rsync -avz
-        {{.OPERATOR_TMP_PATH}}/redpanda-operator-{{.OPERATOR_SHA}}/charts/operator
-        {{.OPERATOR_TMP_PATH}}/redpanda-operator-{{.OPERATOR_SHA}}/charts/connectors
-        {{.OPERATOR_TMP_PATH}}/redpanda-operator-{{.OPERATOR_SHA}}/charts/console
-        charts/
-        # Clear out all go files, we just want the templates, Chart.yaml's, etc.
-        # Task's globbing is unreliable.
-      - bash -O globstar -c "rm charts/{connectors,console,operator}/**/*.{go,txtar}"
-      - bash -O globstar -c "rm charts/{connectors,console,operator}/go.{mod,sum}"
+    - task: sync:redpanda:chart
+    - task: sync:operator:chart
+    - task: sync:connectors:chart
+    - task: sync:operator:chart
 
   sync:redpanda:chart:
+    - task: sync:chart
+      vars:
+        REF: charts/redpanda/v5.9.22
+        LOCAL_DIR: charts/redpanda
+        REMOTE_DIR: charts/redpanda
+
+  sync:connectors:chart:
+    - task: sync:chart
+      vars:
+        REF: charts/redpanda/v5.9.21 # No recent release of connectors so pinning to this just because.
+        LOCAL_DIR: charts/connectors
+        REMOTE_DIR: charts/connectors
+
+  sync:operator:chart:
+    - task: sync:chart
+      vars:
+        REF: 6c588ebe8dd6267fb1d45dbb0176f006c5731e1e # operator/v0.4.40
+        LOCAL_DIR: charts/operator
+        REMOTE_DIR: charts/operator
+
+  sync:console:chart:
+    - task: sync:chart
+      vars:
+        REF: charts/redpanda/v5.9.21 # No recent release of console so pinning to this just beacuse
+        LOCAL_DIR: charts/console
+        REMOTE_DIR: charts/console
+
+  sync:chart:
+    internal: true
     vars:
-      REDPANDA_TMP_PATH:
-        sh: mktemp --directory --tmpdir "redpanda-XXXXXXXXXX"
-      REDPANDA_SHA: e92ffb8a05a6a35011a24bcda65c094cc6464187 # redpanda v5.9.21
+      REF: '{{ .REF }}'
+      LOCAL_DIR: '{{ .LOCAL_DIR }}'
+      REMOTE_DIR: '{{ .REMOTE_DIR }}'
+    required: [REF, LOCAL_DIR, REMOTE_DIR]
+    run: when_changed
+    label: 'sync:chart:{{ .LOCAL_DIR }}'
     cmds:
-      - defer: rm -r {{.OPERATOR_TMP_PATH}}
-      - curl -Lo {{.REDPANDA_TMP_PATH}}operator.zip https://github.com/redpanda-data/redpanda-operator/archive/{{.REDPANDA_SHA}}.zip
-      - unzip {{.REDPANDA_TMP_PATH}}operator.zip -d {{.REDPANDA_TMP_PATH}}
-      - rsync -avz
-        {{.REDPANDA_TMP_PATH}}/redpanda-operator-{{.REDPANDA_SHA}}/charts/redpanda
-        charts/
-        # Clear out all go files, we just want the templates, Chart.yaml's, etc.
-        # Task's globbing is unreliable.
-      - bash -O globstar -c "rm charts/redpanda/**/*.{go,txtar}"
-      - bash -O globstar -c "rm charts/redpanda/go.{mod,sum}"
+      - rm -rf '{{ .SRC_DIR }}/{{ .LOCAL_DIR }}'
+      - mkdir -p '{{ .SRC_DIR }}/{{ .LOCAL_DIR }}'
+      - |
+        cd {{ .LOCAL_DIR }} && \
+        curl -Lo - 'https://github.com/redpanda-data/redpanda-operator/archive/{{ .REF }}.tar.gz' | \
+        tar \
+          --gunzip \
+          --extract \
+          --wildcards \
+          --exclude '*.go' \
+          --exclude 'go.mod' \
+          --exclude 'go.sum' \
+          --exclude '*.txtar' \
+          --exclude '.changes' \
+          --strip-components {{ (.REMOTE_DIR | split "/" | len) | add 1 }} \
+          '*/{{ .REMOTE_DIR }}'

charts/redpanda/CHANGELOG.md

@@ -5,6 +5,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## v5.9.22 - 2025-05-01
+### Changed
+* `serviceAccount.create` now defaults to `true`.
+
+  The previous behavior resulted in using the `default` service account and
+  extending it with all bindings generated from the chart. Such behavior is
+  unlikely to be desired.
+* `rpk debug bundle --namespace $NAMESPACE` now works by default.
+
+  The chart now creates a set of `Roles` and `RoleBindings` that satisfy the
+  requirements of running `rpk debug bundle` from any redpanda Pod. These
+  permissions may be disabled by specifying `rbac.rpkDebugBundle=false`.
+
+  Additionally, the redpanda container now always has a Kubernetes
+  ServiceAccount token mounted to it to ensure `rpk debug bundle` can be
+  executed successfully.
+### Fixed
+* Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.
+* Prevent broker nodes from restarting when solely the cluster replica amount changes
+* Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
+* Broken `Issuer`s and `Certificate`s are no longer needlessly generated when `tls.<cert>.issuerRef` is provided.
+* The `schema_registry_client` and `pandaproxy_client` stanzas of `redpanda.yaml`
+  now respect `listeners.kafka.tls.trustStore`, when provided.
+  See also [helm-chart 1573 issue](https://github.com/redpanda-data/helm-charts/issues/1573).
+
+
 ## v5.9.21 - 2025-03-03
 ### Changed
 * Promoted the config-watcher sidecar into a real go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally the new sidecar subsumes the behavior of the `statefulset.sideCars.controllers` stanza which should now be specified via their own `enabled` flags.

charts/redpanda/Chart.yaml

@@ -23,11 +23,11 @@ type: application
 # The chart version and the app version are not the same and will not track
 # together. The chart version is a semver representation of changes to this
 # chart.
-version: 5.9.21
+version: 5.9.22
 
 # The app version is the default version of Redpanda to install.
 # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging
-appVersion: v24.3.6
+appVersion: v24.3.11
 
 # kubeVersion must be suffixed with "-0" to be able to match cloud providers
 # kubernetes versions like "v1.23.8-gke.1900". Their suffix is interpreted as a
@@ -56,6 +56,6 @@ annotations:
       url: https://helm.sh/docs/intro/install/
   artifacthub.io/images: |
     - name: redpanda
-      image: docker.redpanda.com/redpandadata/redpanda:v24.3.6
+      image: docker.redpanda.com/redpandadata/redpanda:v24.3.11
     - name: busybox
       image: busybox:latest

charts/redpanda/README.md

@@ -3,7 +3,7 @@
 description: Find the default values and descriptions of settings in the Redpanda Helm chart.
 ---
 
-![Version: 5.9.21](https://img.shields.io/badge/Version-5.9.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.3.6](https://img.shields.io/badge/AppVersion-v24.3.6-informational?style=flat-square)
+![Version: 5.9.22](https://img.shields.io/badge/Version-5.9.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.3.11](https://img.shields.io/badge/AppVersion-v24.3.11-informational?style=flat-square)
 
 This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values.
 
@@ -604,7 +604,7 @@ Role Based Access Control.
 **Default:**
 
 ```
-{"annotations":{},"enabled":false}
+{"annotations":{},"enabled":true,"rpkDebugBundle":true}
 ```
 
 ### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations)
@@ -615,9 +615,15 @@ Annotations to add to the `rbac` resources.
 
 ### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled)
 
-Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
+Controls whether or not Roles, ClusterRoles, and bindings thereof will be generated. Disabling this very likely result in a non-functional deployment. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
 
-**Default:** `false`
+**Default:** `true`
+
+### [rbac.rpkDebugBundle](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.rpkDebugBundle)
+
+Controls whether or not a Role and RoleBinding will be generated for the permissions required by `rpk debug bundle`. Disabling will not affect the redpanda deployment itself but a bundle is required to engage with our support.
+
+**Default:** `true`
 
 ### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources)
 
@@ -705,7 +711,7 @@ Service account management.
 **Default:**
 
 ```
-{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""}
+{"annotations":{},"create":true,"name":""}
 ```
 
 ### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations)
@@ -714,17 +720,11 @@ Annotations to add to the service account.
 
 **Default:** `{}`
 
-### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.automountServiceAccountToken)
-
-Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
-
-**Default:** `false`
-
 ### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create)
 
 Specifies whether a service account should be created.
 
-**Default:** `false`
+**Default:** `true`
 
 ### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name)
 

charts/redpanda/files/decommission.ClusterRole.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: decommission
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - patch

charts/redpanda/files/decommission.Role.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: decommission
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch

charts/redpanda/files/pvcunbinder.ClusterRole.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pvcunbinder
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - patch
+      - watch

charts/redpanda/files/pvcunbinder.Role.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pvcunbinder
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+      - pods
+    verbs:
+      - delete
+      - get
+      - list
+      - watch

charts/redpanda/files/rack-awareness.ClusterRole.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rack-awareness
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get

charts/redpanda/files/rpk-debug-bundle.Role.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: rpk-debug-bundle
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - events
+      - limitranges
+      - persistentvolumeclaims
+      - pods
+      - pods/log
+      - replicationcontrollers
+      - resourcequotas
+      - serviceaccounts
+      - services
+    verbs:
+      - get
+      - list

charts/redpanda/files/sidecar.Role.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sidecar
+  namespace: default
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch