redpanda-data
diff --git a/‎.changes/unreleased/operator-Added-20251001-165206.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.changes/unreleased/operator-Added-20251001-165206.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.changes/unreleased/operator-Deprecated-20251001-170958.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.changes/unreleased/operator-Deprecated-20251001-170958.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎acceptance/features/console.feature‎
Lines changed: 80 additions & 0 deletions b/‎acceptance/features/console.feature‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎acceptance/main_test.go‎
Lines changed: 8 additions & 0 deletions b/‎acceptance/main_test.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎acceptance/steps/console.go‎
Lines changed: 26 additions & 0 deletions b/‎acceptance/steps/console.go‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎acceptance/steps/k8s.go‎
Lines changed: 33 additions & 0 deletions b/‎acceptance/steps/k8s.go‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎acceptance/steps/manifest.go‎
Lines changed: 17 additions & 1 deletion b/‎acceptance/steps/manifest.go‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎acceptance/steps/register.go‎
Lines changed: 5 additions & 0 deletions b/‎acceptance/steps/register.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎charts/console/chart/chart.go‎
Lines changed: 4 additions & 0 deletions b/‎charts/console/chart/chart.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎charts/console/chart/templates/_chart.chart.tpl‎
Lines changed: 3 additions & 0 deletions b/‎charts/console/chart/templates/_chart.chart.tpl‎
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,4 @@
+project: operator
+kind: Added
+body: Added a new `Console` CRD for managing a [Redpanda Console](https://github.com/redpanda-data/console/) deployments. For examples, see [`acceptance/features/console.feature`](../acceptance/features/console.feature).
+time: 2025-10-01T16:52:06.679323-04:00
@@ -0,0 +1,4 @@
+project: operator
+kind: Deprecated
+body: The Redpanda console stanza (`.spec.clusterSpec.console`) is now deprecated in favor of the stand-alone Console CRD.
+time: 2025-10-01T17:09:58.327552-04:00
@@ -0,0 +1,80 @@
+@cluster:basic
+Feature: Console CRDs
+  Background: Cluster available
+    Given cluster "basic" is available
+
+  Scenario: Using clusterRef
+    When I apply Kubernetes manifest:
+    ```yaml
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Console
+    metadata:
+      name: console
+    spec:
+      cluster:
+        clusterRef:
+          name: basic
+    ```
+    Then Console "console" will be healthy
+    # These steps demonstrate that console is correctly connected to Redpanda (Kafka, Schema Registry, and Admin API).
+    And I exec "curl localhost:8080/api/schema-registry/mode" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"mode":"READWRITE"}
+    ```
+    And I exec "curl localhost:8080/api/topics" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"topics":[{"topicName":"_schemas","isInternal":false,"partitionCount":1,"replicationFactor":1,"cleanupPolicy":"compact","documentation":"NOT_CONFIGURED","logDirSummary":{"totalSizeBytes":117}}]}
+    ```
+    And I exec "curl localhost:8080/api/console/endpoints | grep -o '{[^{}]*DebugBundleService[^{}]*}'" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"endpoint":"redpanda.api.console.v1alpha1.DebugBundleService","method":"POST","isSupported":true}
+    ```
+
+  Scenario: Using staticConfig
+    When I apply Kubernetes manifest:
+    ```yaml
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Console
+    metadata:
+      name: console
+    spec:
+      cluster:
+        staticConfiguration:
+          kafka:
+            brokers:
+            - basic-0.basic.${NAMESPACE}.svc.cluster.local.:9093
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+          admin:
+            urls:
+            - https://basic-0.basic.${NAMESPACE}.svc.cluster.local.:9644
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+          schemaRegistry:
+            urls:
+            - https://basic-0.basic.${NAMESPACE}.svc.cluster.local.:8081
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+    ```
+    Then Console "console" will be healthy
+    # These steps demonstrate that console is correctly connected to Redpanda (Kafka, Schema Registry, and Admin API).
+    And I exec "curl localhost:8080/api/schema-registry/mode" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"mode":"READWRITE"}
+    ```
+    And I exec "curl localhost:8080/api/topics" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"topics":[{"topicName":"_schemas","isInternal":false,"partitionCount":1,"replicationFactor":1,"cleanupPolicy":"compact","documentation":"NOT_CONFIGURED","logDirSummary":{"totalSizeBytes":117}}]}
+    ```
+    And I exec "curl localhost:8080/api/console/endpoints | grep -o '{[^{}]*DebugBundleService[^{}]*}'" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"endpoint":"redpanda.api.console.v1alpha1.DebugBundleService","method":"POST","isSupported":true}
+    ```
@@ -69,6 +69,14 @@ var setupSuite = sync.OnceValues(func() (*framework.Suite, error) {
 			CreateNamespace: true,
 			Values: map[string]any{
 				"installCRDs": true,
+				"global": map[string]any{
+					// Make leader election more aggressive as cert-manager appears to
+					// not release it when uninstalled.
+					"leaderElection": map[string]any{
+						"renewDeadline": "10s",
+						"retryPeriod":   "5s",
+					},
+				},
 			},
 		}).
 		OnFeature(func(ctx context.Context, t framework.TestingT, tags ...framework.ParsedTag) {
 
@@ -0,0 +1,26 @@
+package steps
+
+import (
+	"context"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	framework "github.com/redpanda-data/redpanda-operator/harpoon"
+	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+)
+
+func consoleIsHealthy(ctx context.Context, t framework.TestingT, name string) {
+	key := t.ResourceKey(name)
+
+	t.Logf("Checking console %q is healthy", name)
+	require.Eventually(t, func() bool {
+		var console redpandav1alpha2.Console
+		require.NoError(t, t.Get(ctx, key, &console))
+
+		upToDate := console.Generation == console.Status.ObservedGeneration
+		hasHealthyReplicas := console.Status.ReadyReplicas == console.Status.Replicas
+
+		return upToDate && hasHealthyReplicas
+	}, time.Minute, 10*time.Second)
+}
@@ -1,19 +1,25 @@
 package steps
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/cucumber/godog"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/util/jsonpath"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	framework "github.com/redpanda-data/redpanda-operator/harpoon"
 	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+	"github.com/redpanda-data/redpanda-operator/pkg/kube"
 )
 
 // this is a nasty hack due to the fact that we can't disable the linter for typecheck
@@ -147,3 +153,30 @@ func execJSONPath(ctx context.Context, t framework.TestingT, jsonPath, groupVers
 	}
 	return nil
 }
+
+func iExecInPodMatching(
+	ctx context.Context,
+	t framework.TestingT,
+	cmd,
+	selectorStr string,
+	expected *godog.DocString,
+) {
+	selector, err := labels.Parse(selectorStr)
+	require.NoError(t, err)
+
+	ctl, err := kube.FromRESTConfig(t.RestConfig())
+	require.NoError(t, err)
+
+	pods, err := kube.List[corev1.PodList](ctx, ctl, t.Namespace(), client.MatchingLabelsSelector{Selector: selector})
+	require.NoError(t, err)
+
+	require.True(t, len(pods.Items) > 0, "selector %q found no Pods", selector.String())
+
+	var stdout bytes.Buffer
+	require.NoError(t, ctl.Exec(ctx, &pods.Items[0], kube.ExecOptions{
+		Command: []string{"sh", "-c", cmd},
+		Stdout:  &stdout,
+	}))
+
+	assert.Equal(t, strings.TrimSpace(expected.Content), strings.TrimSpace(stdout.String()))
+}
@@ -12,6 +12,7 @@ package steps
 import (
 	"context"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/cucumber/godog"
@@ -21,11 +22,26 @@ import (
 	framework "github.com/redpanda-data/redpanda-operator/harpoon"
 )
 
+// substRE is a regular expression used to match placeholders in YAML manifests in the form of: ${KEY_NAME}
+// os.Expand is not used as it's matching is too permissive.
+var substRE = regexp.MustCompile(`\$\{[A-Z_]+\}`)
+
 func iApplyKubernetesManifest(ctx context.Context, t framework.TestingT, manifest *godog.DocString) {
 	file, err := os.CreateTemp("", "manifest-*.yaml")
 	require.NoError(t, err)
 
-	_, err = file.Write(normalizeContent(t, manifest.Content))
+	content := substRE.ReplaceAllStringFunc(manifest.Content, func(match string) string {
+		key := match[2 : len(match)-1] // ${FOO} -> FOO
+		switch key {
+		case "NAMESPACE":
+			return t.Namespace()
+		}
+
+		t.Fatalf("unhandled expansion: %s", key)
+		return "UNREACHABLE"
+	})
+
+	_, err = file.Write(normalizeContent(t, content))
 	require.NoError(t, err)
 	require.NoError(t, file.Close())
 
 
@@ -15,6 +15,8 @@ func init() {
 	// General scenario steps
 	framework.RegisterStep(`^(vectorized )?cluster "([^"]*)" is available$`, checkClusterAvailability)
 	framework.RegisterStep(`^I apply Kubernetes manifest:$`, iApplyKubernetesManifest)
+	framework.RegisterStep(`^I exec "([^"]+)" in a Pod matching "([^"]+)", it will output:$`, iExecInPodMatching)
+
 	framework.RegisterStep(`^I store "([^"]*)" of Kubernetes object with type "([^"]*)" and name "([^"]*)" as "([^"]*)"$`, recordVariable)
 	framework.RegisterStep(`^the recorded value "([^"]*)" has the same value as "([^"]*)" of the Kubernetes object with type "([^"]*)" and name "([^"]*)"$`, assertVariableValue)
 	framework.RegisterStep(`^the recorded value "([^"]*)" is one less than "([^"]*)" of the Kubernetes object with type "([^"]*)" and name "([^"]*)"$`, assertVariableValueIncremented)
@@ -92,4 +94,7 @@ func init() {
 	framework.RegisterStep(`^I can upgrade to the latest operator with the values:$`, iCanUpgradeToTheLatestOperatorWithTheValues)
 	framework.RegisterStep(`^I install redpanda helm chart version "([^"]*)" with the values:$`, iInstallRedpandaHelmChartVersionWithTheValues)
 	framework.RegisterStep(`^I install local CRDs from "([^"]*)"`, iInstallLocalCRDs)
+
+	// Console scenario steps
+	framework.RegisterStep(`^Console "([^"]+)" will be healthy`, consoleIsHealthy)
 }
@@ -56,6 +56,10 @@ func DotToState(dot *helmette.Dot) *console.RenderState {
 	values := helmette.Unwrap[Values](dot.Values)
 	templater := &templater{Dot: dot, FauxDot: newFauxDot(dot)}
 
+	if values.RenderValues.Secret.Authentication.JWTSigningKey == "" {
+		values.RenderValues.Secret.Authentication.JWTSigningKey = helmette.RandAlphaNum(32)
+	}
+
 	return &console.RenderState{
 		ReleaseName: dot.Release.Name,
 		Namespace:   dot.Release.Namespace,
 
@@ -18,6 +18,9 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $templater := (mustMergeOverwrite (dict "Dot" (coalesce nil) "FauxDot" (coalesce nil)) (dict "Dot" $dot "FauxDot" (get (fromJson (include "chart.newFauxDot" (dict "a" (list $dot)))) "r"))) -}}
+{{- if (eq $values.secret.authentication.jwtSigningKey "") -}}
+{{- $_ := (set $values.secret.authentication "jwtSigningKey" (randAlphaNum (32 | int))) -}}
+{{- end -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (mustMergeOverwrite (dict "ReleaseName" "" "Namespace" "" "Template" (coalesce nil) "CommonLabels" (coalesce nil) "Values" (dict "replicaCount" 0 "nameOverride" "" "commonLabels" (coalesce nil) "fullnameOverride" "" "image" (dict "registry" "" "repository" "" "pullPolicy" "" "tag" "") "imagePullSecrets" (coalesce nil) "automountServiceAccountToken" false "serviceAccount" (dict "create" false "automountServiceAccountToken" false "annotations" (coalesce nil) "name" "") "annotations" (coalesce nil) "podAnnotations" (coalesce nil) "podLabels" (coalesce nil) "podSecurityContext" (dict) "securityContext" (dict) "service" (dict "type" "" "port" 0 "annotations" (coalesce nil)) "ingress" (dict "enabled" false "annotations" (coalesce nil) "hosts" (coalesce nil) "tls" (coalesce nil)) "resources" (dict) "autoscaling" (dict "enabled" false "minReplicas" 0 "maxReplicas" 0 "targetCPUUtilizationPercentage" (coalesce nil)) "nodeSelector" (coalesce nil) "tolerations" (coalesce nil) "affinity" (dict) "topologySpreadConstraints" (coalesce nil) "priorityClassName" "" "config" (coalesce nil) "extraEnv" (coalesce nil) "extraEnvFrom" (coalesce nil) "extraVolumes" (coalesce nil) "extraVolumeMounts" (coalesce nil) "extraContainers" (coalesce nil) "initContainers" (dict "extraInitContainers" (coalesce nil)) "secretMounts" (coalesce nil) "secret" (dict "create" false "kafka" (dict) "authentication" (dict "jwtSigningKey" "" "oidc" (dict)) "license" "" "redpanda" (dict "adminApi" (dict)) "serde" (dict) "schemaRegistry" (dict)) "livenessProbe" (dict) "readinessProbe" (dict) "configmap" (dict "create" false) "deployment" (dict "create" false) "strategy" (dict))) (dict "ReleaseName" $dot.Release.Name "Namespace" $dot.Release.Namespace "Values" $values "Template" (list "chart.templater.Template" $templater) "CommonLabels" (dict "helm.sh/chart" (get (fromJson (include "chart.ChartLabel" (dict "a" (list $dot)))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/version" $dot.Chart.AppVersion)))) | toJson -}}
 {{- break -}}