operator: implement Console controller

This commit adds a standalone `Console` CR and its controller. Unlike the
console stanza in the redpanda chart, this CR deploys console V3.

This commit does NOT include a migration from the subchart to the new CR. That
will be implemented later.

Author: chrisseto

acceptance/features/console.feature

@@ -0,0 +1,44 @@
+@cluster:basic
+Feature: Console CRDs
+  Background: Cluster available
+    Given cluster "basic" is available
+
+  Scenario: Using clusterRef
+    When I apply Kubernetes manifest:
+    ```yaml
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Console
+    metadata:
+      name: console
+    spec:
+      cluster:
+        clusterRef:
+          name: basic
+    ```
+    Then Console "console" will be healthy
+    # These steps demonstrate that console is correct connected to Redpanda.
+    And I exec "curl localhost:8080/api/schema-registry/mode" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"mode":"READWRITE"}
+    ```
+    And I exec "curl localhost:8080/api/topics" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"topics":[{"topicName":"_schemas","isInternal":false,"partitionCount":1,"replicationFactor":1,"cleanupPolicy":"compact","documentation":"NOT_CONFIGURED","logDirSummary":{"totalSizeBytes":117}}]}
+    ```
+    And I exec "curl localhost:8080/api/console/endpoints" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"distribution":"redpanda","endpointCompatibility":{"kafkaVersion":"between v0.11.0 and v1.0","endpoints":[{"endpoint":"/api/consumer-groups","method":"GET","isSupported":true},{"endpoint":"/api/consumer-groups/{groupId}","method":"PATCH","isSupported":true},{"endpoint":"/api/consumer-groups/{groupId}","method":"DELETE","isSupported":true},{"endpoint":"/api/users","method":"DELETE","isSupported":true},{"endpoint":"redpanda.api.console.v1alpha1.PipelineService","method":"POST","isSupported":false},{"endpoint":"redpanda.api.console.v1alpha1.SecurityService","method":"POST","isSupported":true},{"endpoint":"/api/topics/{topicName}/records","method":"DELETE","isSupported":true},{"endpoint":"/api/consumer-groups/{groupId}/offsets","method":"DELETE","isSupported":true},{"endpoint":"/api/operations/reassign-partitions","method":"PATCH","isSupported":true},{"endpoint":"/api/secrets","method":"POST","isSupported":false},{"endpoint":"/api/users","method":"GET","isSupported":true},{"endpoint":"redpanda.api.console.v1alpha1.TransformService","method":"POST","isSupported":false},{"endpoint":"redpanda.api.dataplane.v1.ACLService","method":"POST","isSupported":true},{"endpoint":"/api/secrets","method":"GET","isSupported":false},{"endpoint":"/api/secrets/{secretId}","method":"PUT","isSupported":false},{"endpoint":"/api/cluster/config","method":"GET","isSupported":true},{"endpoint":"/api/operations/reassign-partitions","method":"GET","isSupported":true},{"endpoint":"/api/quotas","method":"GET","isSupported":true},{"endpoint":"/api/users","method":"POST","isSupported":true},{"endpoint":"redpanda.api.console.v1alpha1.DebugBundleService","method":"POST","isSupported":true},{"endpoint":"/api/secrets/{secretId}","method":"DELETE","isSupported":false}]}}
+    ```
+
+  # Scenario: Using staticConfig
+  #   Given I apply Kubernetes manifest:
+  #   ```yaml
+  #   ---
+  #   apiVersion: cluster.redpanda.com/v1alpha2
+  #   kind: Console
+  #   metadata:
+  #     name: console
+  #   spec:
+  #     cluster:
+  #   ```

acceptance/main_test.go

@@ -67,6 +67,14 @@ var setupSuite = sync.OnceValues(func() (*framework.Suite, error) {
 			CreateNamespace: true,
 			Values: map[string]any{
 				"installCRDs": true,
+				"global": map[string]any{
+					// Make leader election more aggressive as cert-manager appears to
+					// not release it when uninstalled.
+					"leaderElection": map[string]any{
+						"renewDeadline": "10s",
+						"retryPeriod":   "5s",
+					},
+				},
 			},
 		}).
 		OnFeature(func(ctx context.Context, t framework.TestingT, tags ...framework.ParsedTag) {

acceptance/steps/console.go

@@ -0,0 +1,26 @@
+package steps
+
+import (
+	"context"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	framework "github.com/redpanda-data/redpanda-operator/harpoon"
+	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+)
+
+func consoleIsHealthy(ctx context.Context, t framework.TestingT, name string) {
+	key := t.ResourceKey(name)
+
+	t.Logf("Checking console %q is healthy", name)
+	require.Eventually(t, func() bool {
+		var console redpandav1alpha2.Console
+		require.NoError(t, t.Get(ctx, key, &console))
+
+		upToDate := console.Generation == console.Status.ObservedGeneration
+		hasHealthyReplicas := console.Status.ReadyReplicas == console.Status.Replicas
+
+		return upToDate && hasHealthyReplicas
+	}, time.Minute, 10*time.Second)
+}

acceptance/steps/k8s.go

@@ -1,19 +1,25 @@
 package steps
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/cucumber/godog"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/util/jsonpath"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	framework "github.com/redpanda-data/redpanda-operator/harpoon"
 	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+	"github.com/redpanda-data/redpanda-operator/pkg/kube"
 )
 
 // this is a nasty hack due to the fact that we can't disable the linter for typecheck
@@ -147,3 +153,30 @@ func execJSONPath(ctx context.Context, t framework.TestingT, jsonPath, groupVers
 	}
 	return nil
 }
+
+func iExecInPodMatching(
+	ctx context.Context,
+	t framework.TestingT,
+	cmd,
+	selectorStr string,
+	expected *godog.DocString,
+) {
+	selector, err := labels.Parse(selectorStr)
+	require.NoError(t, err)
+
+	ctl, err := kube.FromRESTConfig(t.RestConfig())
+	require.NoError(t, err)
+
+	pods, err := kube.List[corev1.PodList](ctx, ctl, client.MatchingLabelsSelector{Selector: selector}, client.InNamespace(t.Namespace()))
+	require.NoError(t, err)
+
+	require.True(t, len(pods.Items) > 0, "selector %q found no Pods", selector.String())
+
+	var stdout bytes.Buffer
+	require.NoError(t, ctl.Exec(ctx, &pods.Items[0], kube.ExecOptions{
+		Command: []string{"sh", "-c", cmd},
+		Stdout:  &stdout,
+	}))
+
+	assert.Equal(t, expected.Content, stdout.String())
+}

acceptance/steps/register.go

@@ -15,6 +15,7 @@ func init() {
 	// General scenario steps
 	framework.RegisterStep(`^cluster "([^"]*)" is available$`, checkClusterAvailability)
 	framework.RegisterStep(`^I apply Kubernetes manifest:$`, iApplyKubernetesManifest)
+	framework.RegisterStep(`^I exec "([^"]+)" in a Pod matching "([^"]+)", it will output:$`, iExecInPodMatching)
 
 	framework.RegisterStep(`^I store "([^"]*)" of Kubernetes object with type "([^"]*)" and name "([^"]*)" as "([^"]*)"$`, recordVariable)
 	framework.RegisterStep(`^the recorded value "([^"]*)" has the same value as "([^"]*)" of the Kubernetes object with type "([^"]*)" and name "([^"]*)"$`, assertVariableValue)
@@ -92,4 +93,7 @@ func init() {
 	framework.RegisterStep(`^I can upgrade to the latest operator with the values:$`, iCanUpgradeToTheLatestOperatorWithTheValues)
 	framework.RegisterStep(`^I install redpanda helm chart version "([^"]*)" with the values:$`, iInstallRedpandaHelmChartVersionWithTheValues)
 	framework.RegisterStep(`^I install local CRDs from "([^"]*)"`, iInstallLocalCRDs)
+
+	// Console scenario steps
+	framework.RegisterStep(`^Console "([^"]+)" will be healthy`, consoleIsHealthy)
 }

charts/console/chart/chart.go

@@ -56,6 +56,10 @@ func DotToState(dot *helmette.Dot) *console.RenderState {
 	values := helmette.Unwrap[Values](dot.Values)
 	templater := &templater{Dot: dot, FauxDot: newFauxDot(dot)}
 
+	if values.RenderValues.Secret.Authentication.JWTSigningKey == "" {
+		values.RenderValues.Secret.Authentication.JWTSigningKey = helmette.RandAlphaNum(32)
+	}
+
 	return &console.RenderState{
 		ReleaseName: dot.Release.Name,
 		Namespace:   dot.Release.Namespace,

charts/console/chart/templates/_chart.chart.tpl

@@ -18,6 +18,9 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $templater := (mustMergeOverwrite (dict "Dot" (coalesce nil) "FauxDot" (coalesce nil)) (dict "Dot" $dot "FauxDot" (get (fromJson (include "chart.newFauxDot" (dict "a" (list $dot)))) "r"))) -}}
+{{- if (eq $values.secret.authentication.jwtSigningKey "") -}}
+{{- $_ := (set $values.secret.authentication "jwtSigningKey" (randAlphaNum (32 | int))) -}}
+{{- end -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (mustMergeOverwrite (dict "ReleaseName" "" "Namespace" "" "Template" (coalesce nil) "CommonLabels" (coalesce nil) "Values" (dict "replicaCount" 0 "nameOverride" "" "commonLabels" (coalesce nil) "fullnameOverride" "" "image" (dict "registry" "" "repository" "" "pullPolicy" "" "tag" "") "imagePullSecrets" (coalesce nil) "automountServiceAccountToken" false "serviceAccount" (dict "create" false "automountServiceAccountToken" false "annotations" (coalesce nil) "name" "") "annotations" (coalesce nil) "podAnnotations" (coalesce nil) "podLabels" (coalesce nil) "podSecurityContext" (dict) "securityContext" (dict) "service" (dict "type" "" "port" 0 "annotations" (coalesce nil)) "ingress" (dict "enabled" false "annotations" (coalesce nil) "hosts" (coalesce nil) "tls" (coalesce nil)) "resources" (dict) "autoscaling" (dict "enabled" false "minReplicas" 0 "maxReplicas" 0 "targetCPUUtilizationPercentage" (coalesce nil)) "nodeSelector" (coalesce nil) "tolerations" (coalesce nil) "affinity" (dict) "topologySpreadConstraints" (coalesce nil) "priorityClassName" "" "config" (coalesce nil) "extraEnv" (coalesce nil) "extraEnvFrom" (coalesce nil) "extraVolumes" (coalesce nil) "extraVolumeMounts" (coalesce nil) "extraContainers" (coalesce nil) "initContainers" (dict "extraInitContainers" (coalesce nil)) "secretMounts" (coalesce nil) "secret" (dict "create" false "kafka" (dict) "authentication" (dict "jwtSigningKey" "" "oidc" (dict)) "license" "" "redpanda" (dict "adminApi" (dict)) "serde" (dict) "schemaRegistry" (dict)) "livenessProbe" (dict) "readinessProbe" (dict) "configmap" (dict "create" false) "deployment" (dict "create" false) "strategy" (dict))) (dict "ReleaseName" $dot.Release.Name "Namespace" $dot.Release.Namespace "Values" $values "Template" (list "chart.templater.Template" $templater) "CommonLabels" (dict "helm.sh/chart" (get (fromJson (include "chart.ChartLabel" (dict "a" (list $dot)))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/version" $dot.Chart.AppVersion)))) | toJson -}}
 {{- break -}}

charts/console/chart/templates/_console.render.tpl

@@ -87,6 +87,15 @@
 {{- end -}}
 {{- end -}}
 
+{{- define "console.Types" -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil))) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil))) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil))) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict "loadBalancer" (dict))) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict "loadBalancer" (dict))) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "containers" (coalesce nil))) "strategy" (dict)) "status" (dict)) (dict)) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "") "maxReplicas" 0) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil))) (dict)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "console.cleanForK8s" -}}
 {{- $s := (index .a 0) -}}
 {{- range $_ := (list 1) -}}

charts/console/chart/templates/_console.secret.tpl

@@ -10,12 +10,8 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $jwtSigningKey := $state.Values.secret.authentication.jwtSigningKey -}}
-{{- if (eq $jwtSigningKey "") -}}
-{{- $jwtSigningKey = (randAlphaNum (32 | int)) -}}
-{{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil))) (mustMergeOverwrite (dict) (dict "apiVersion" "v1" "kind" "Secret")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (get (fromJson (include "console.RenderState.FullName" (dict "a" (list $state)))) "r") "labels" (get (fromJson (include "console.RenderState.Labels" (dict "a" (list $state (coalesce nil))))) "r") "namespace" $state.Namespace)) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.saslPassword "")))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.awsMskIamSecretKey "")))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsCa "")))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsCert "")))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsKey "")))) "r") "schema-registry-bearertoken" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.bearerToken "")))) "r") "schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.password "")))) "r") "schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsCa "")))) "r") "schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsCert "")))) "r") "schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsKey "")))) "r") "authentication-jwt-signingkey" $jwtSigningKey "authentication-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.authentication.oidc.clientSecret "")))) "r") "license" $state.Values.secret.license "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.password "")))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsCa "")))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsCert "")))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsKey "")))) "r") "serde-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.serde.protobufGitBasicAuthPassword "")))) "r"))))) | toJson -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil))) (mustMergeOverwrite (dict) (dict "apiVersion" "v1" "kind" "Secret")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (get (fromJson (include "console.RenderState.FullName" (dict "a" (list $state)))) "r") "labels" (get (fromJson (include "console.RenderState.Labels" (dict "a" (list $state (coalesce nil))))) "r") "namespace" $state.Namespace)) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.saslPassword "")))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.awsMskIamSecretKey "")))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsCa "")))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsCert "")))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.kafka.tlsKey "")))) "r") "schema-registry-bearertoken" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.bearerToken "")))) "r") "schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.password "")))) "r") "schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsCa "")))) "r") "schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsCert "")))) "r") "schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.schemaRegistry.tlsKey "")))) "r") "authentication-jwt-signingkey" $state.Values.secret.authentication.jwtSigningKey "authentication-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.authentication.oidc.clientSecret "")))) "r") "license" $state.Values.secret.license "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.password "")))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsCa "")))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsCert "")))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.redpanda.adminApi.tlsKey "")))) "r") "serde-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $state.Values.secret.serde.protobufGitBasicAuthPassword "")))) "r"))))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}

charts/console/chart/values.go

@@ -17,12 +17,10 @@ import (
 type Values struct {
 	console.RenderValues `json:",inline"`
 
-	Globals          map[string]any    `json:"global,omitempty"`
-	Enabled          *bool             `json:"enabled,omitempty"`
-	CommonLabels     map[string]string `json:"commonLabels"`
-	NameOverride     string            `json:"nameOverride"`
-	FullnameOverride string            `json:"fullnameOverride"`
-	Tests            Enableable        `json:"tests"`
+	Globals      map[string]any    `json:"global,omitempty"`
+	Enabled      *bool             `json:"enabled,omitempty"`
+	CommonLabels map[string]string `json:"commonLabels"`
+	Tests        Enableable        `json:"tests"`
 }
 
 type Enableable struct {