In previous versions of the operator, when some of our synchronization code was ported to the kube library, a bug disallowing setting the field manager was introduced (see redpanda-data/common-go#126 for the relevant fix in the kube package as it exists today). Additionally, we have been inconsistent with the way we have set the field manager across our kube.Ctl usage.

This was resulting in some really odd behavior with the Kubernetes API server mangling resources due to conflicting field management versions. For example, service ports get merged via an identity of their (protocol, port) tuple. Having an old field manager saying it owned the service port (tcp, 9092) which was named "kafka" and then applying, with the new manager, a version of our CRD where the port was overwritten to be 19092 was resulting in the API server seeing both, due to the conflicting field manager names, ports (tcp, 9092) and (tcp, 19092) named "kafka", which failed validation.

This has an even more difficult to resolve knock-on effect when the resources being merged don't fail validation immediately. For example, StatefulSets will gladly take duplicated port names in their pod template container definitions. However, when they go to actually provision the Pods, then they will fail to.

What this means is that we have to:

1. Clear all of the field managers that are mis-named
2. Assume ownership over all fields as they currently exist in the resources that we have created via server-side apply, so that
3. When re-reconciliation kicks in, not only will resources that would otherwise fail validation succeed, but resources that are mangled due to things like pod template container ports being merged, will get cleared up due to our proper field owner owning all of the relevant spec fields.

The way this is resolved is through a post-upgrade migration job that was added to remove any unwanted field managers of any relevant resources related to Redpanda and Console CRDs, and forcibly assume ownership over their fields with the proper field manager. Subsequently our reconcilers will pick up and fix any malformed resources.

Author: andrewstucki

.changes/unreleased/operator-Fixed-20260129-122815.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Fixed
+body: In previous versions of the operator a field manager was unknowingly changed for resources that were synchronized via server-side apply. This can cause problems with modifying fields such as Service and StatefulSet port definitions. A post-upgrade migration job was added to remove any unwanted field managers.
+time: 2026-01-29T12:28:15.717527-05:00

acceptance/features/upgrade-regressions.feature

@@ -0,0 +1,97 @@
+@operator:none @vcluster
+# Note: use the same version of RP across upgrades to minimize
+# issues not related to operator upgrade regressions.
+Feature: Operator upgrade regressions
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Regression - field managers
+    Given I helm install "redpanda-operator" "redpanda/operator" --version v25.1.3 with values:
+    """
+    crds:
+      enabled: true
+    """
+    And I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: operator-upgrade
+    spec:
+      clusterSpec:
+        image:
+          repository: redpandadata/redpanda
+          tag: v25.2.11
+        console:
+          enabled: false
+        statefulset:
+          replicas: 1
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "operator-upgrade" is available
+    And service "operator-upgrade" should have field managers:
+    """
+    cluster.redpanda.com/operator
+    """
+    And service "operator-upgrade" should not have field managers:
+    """
+    *kube.Ctl
+    """
+    Then I helm upgrade "redpanda-operator" "redpanda/operator" --version v25.2.1 with values:
+    """
+    crds:
+      enabled: true
+    """
+    And cluster "operator-upgrade" should be stable with 1 nodes
+    And service "operator-upgrade" should have field managers:
+    """
+    cluster.redpanda.com/operator
+    *kube.Ctl
+    """
+    And I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: operator-upgrade
+    spec:
+      clusterSpec:
+        image:
+          repository: redpandadata/redpanda
+          tag: v25.2.11
+        listeners:
+          kafka:
+            port: 19093
+        console:
+          enabled: false
+        statefulset:
+          replicas: 1
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "operator-upgrade" should have sync error:
+    """
+    Service "operator-upgrade" is invalid: spec.ports[3].name: Duplicate value: "kafka"
+    """
+    Then I helm upgrade "redpanda-operator" "../operator/chart" with values:
+    """
+    image:
+      tag: dev
+      repository: localhost/redpanda-operator
+    crds:
+      enabled: true
+    """
+    And service "operator-upgrade" should have field managers:
+    """
+    cluster.redpanda.com/operator
+    """
+    And service "operator-upgrade" should not have field managers:
+    """
+    *kube.Ctl
+    """
+    And cluster "operator-upgrade" should be stable with 1 nodes

acceptance/steps/register.go

@@ -117,6 +117,11 @@ func init() {
 	framework.RegisterStep(`^Console "([^"]+)" will be healthy`, consoleIsHealthy)
 	framework.RegisterStep(`^the migrated console cluster "([^"]+)" should have (\d+) warning(s)?$`, consoleHasWarnings)
 
+	// Regression steps
+	framework.RegisterStep(`^service "([^"]*)" should have field managers:$`, checkResourceFieldManagers)
+	framework.RegisterStep(`^service "([^"]*)" should not have field managers:$`, checkResourceNoFieldManagers)
+	framework.RegisterStep(`^cluster "([^"]*)" should have sync error:$`, checkClusterHasSyncError)
+
 	// Debug steps
 	framework.RegisterStep(`^I become debuggable$`, sleepALongTime)
 }

acceptance/steps/regression.go

@@ -0,0 +1,109 @@
+// Copyright 2026 Redpanda Data, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.md
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0
+
+package steps
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/cucumber/godog"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	framework "github.com/redpanda-data/redpanda-operator/harpoon"
+	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+)
+
+func checkClusterHasSyncError(ctx context.Context, t framework.TestingT, clusterName string, errdoc *godog.DocString) {
+	errorString := strings.TrimSpace(errdoc.Content)
+
+	var cluster redpandav1alpha2.Redpanda
+
+	key := t.ResourceKey(clusterName)
+
+	t.Logf("Checking cluster %q has sync error", clusterName)
+	require.Eventually(t, func() bool {
+		require.NoError(t, t.Get(ctx, key, &cluster))
+		hasCondition := t.HasCondition(metav1.Condition{
+			Type:   "ResourcesSynced",
+			Status: metav1.ConditionFalse,
+			Reason: "Error",
+		}, cluster.Status.Conditions)
+
+		t.Logf(`Checking cluster resource conditions contains an errored "ResourcesSynced"? %v`, hasCondition)
+		if !hasCondition {
+			return false
+		}
+
+		for _, condition := range cluster.Status.Conditions {
+			if condition.Type == "ResourcesSynced" && condition.Status == metav1.ConditionFalse && condition.Reason == "Error" {
+				t.Logf("Found error message: %q", condition.Message)
+				return strings.Contains(condition.Message, errorString)
+			}
+		}
+
+		return false
+	}, 5*time.Minute, 5*time.Second, "%s", delayLog(func() string {
+		return fmt.Sprintf(`Cluster %q never contained an error on the condition reason "ResourcesSynced" with a matching error string: %q, final Conditions: %+v`, key.String(), errorString, cluster.Status.Conditions)
+	}))
+}
+
+func checkResourceNoFieldManagers(ctx context.Context, t framework.TestingT, clusterName string, list *godog.DocString) {
+	fieldManagerCheck(ctx, t, false, clusterName, list.Content)
+}
+
+func checkResourceFieldManagers(ctx context.Context, t framework.TestingT, clusterName string, list *godog.DocString) {
+	fieldManagerCheck(ctx, t, true, clusterName, list.Content)
+}
+
+func fieldManagerCheck(ctx context.Context, t framework.TestingT, presence bool, clusterName, managerList string) {
+	managers := []string{}
+	for _, line := range strings.Split(strings.TrimSpace(managerList), "\n") {
+		if manager := strings.TrimSpace(line); manager != "" {
+			managers = append(managers, manager)
+		}
+	}
+
+	var cluster corev1.Service
+
+	key := t.ResourceKey(clusterName)
+
+	t.Logf("Checking resource %q field manager", clusterName)
+	require.Eventually(t, func() bool {
+		require.NoError(t, t.Get(ctx, key, &cluster))
+
+		fieldManagers := cluster.GetManagedFields()
+		for _, manager := range managers {
+			if !slices.ContainsFunc(fieldManagers, func(entry metav1.ManagedFieldsEntry) bool {
+				return entry.Manager == manager
+			}) {
+				t.Logf(`Resource %q does not contain the field manager %q`, key.String(), manager)
+				// negation because if we are checking for presence, then we want to return that the condition
+				// is not met
+				return !presence
+			}
+			t.Logf(`Found field manager %q in resource %q`, manager, key.String())
+		}
+		return presence
+	}, 5*time.Minute, 5*time.Second, "%s", delayLog(func() string {
+		finalManagers := []string{}
+		for _, entry := range cluster.GetManagedFields() {
+			finalManagers = append(finalManagers, entry.Manager)
+		}
+		if presence {
+			return fmt.Sprintf(`Resource %q never contained all of the field managers: %+v, was: %+v`, key.String(), managers, finalManagers)
+		}
+		return fmt.Sprintf(`Resource %q never lacked all of the field managers: %+v, was: %+v`, key.String(), managers, finalManagers)
+	}))
+}

charts/redpanda/render_state_nogotohelm.go

@@ -27,6 +27,7 @@ import (
 	k8sapierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/redpanda-data/redpanda-operator/gotohelm/helmette"
 	"github.com/redpanda-data/redpanda-operator/pkg/kube"
@@ -49,6 +50,8 @@ var (
 	}
 )
 
+const DefaultFieldOwner = client.FieldOwner("cluster.redpanda.com/operator")
+
 // FetchSASLUsers attempts to locate an existing SASL users secret in the cluster.
 // If found, it is used to populate the first user in the secret for use.
 func (r *RenderState) FetchSASLUsers() (username, password, mechanism string, err error) {
@@ -253,7 +256,9 @@ func certificatesFor(state *RenderState, name string) (certSecret, certKey, clie
 
 // KubeCTL constructs a kube.Ctl from the RenderState's kubeconfig.
 func (r *RenderState) KubeCTL() (*kube.Ctl, error) {
-	return kube.FromRESTConfig(r.Dot.KubeConfig)
+	return kube.FromRESTConfig(r.Dot.KubeConfig, kube.Options{
+		FieldManager: string(DefaultFieldOwner),
+	})
 }
 
 // RenderNodePools can be used to render node pools programmatically from Go.

operator/chart/chart.go

@@ -61,6 +61,8 @@ func render(dot *helmette.Dot) []kube.Object {
 		Deployment(dot),
 		PreInstallCRDJob(dot),
 		CRDJobServiceAccount(dot),
+		PostUpgradeMigrationJob(dot),
+		MigrationJobServiceAccount(dot),
 	}
 
 	for _, cr := range ClusterRoles(dot) {

operator/chart/post_upgrade_migration_job.go

@@ -0,0 +1,85 @@
+// Copyright 2026 Redpanda Data, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.md
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0
+
+// +gotohelm:filename=_post-upgrade-migration-job.go.tpl
+package operator
+
+import (
+	"fmt"
+
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+
+	"github.com/redpanda-data/redpanda-operator/gotohelm/helmette"
+)
+
+// This is a post-upgrade job to make sure it just runs once.
+func PostUpgradeMigrationJob(dot *helmette.Dot) *batchv1.Job {
+	values := helmette.Unwrap[Values](dot.Values)
+
+	return &batchv1.Job{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "batch/v1",
+			Kind:       "Job",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-migration", Fullname(dot)),
+			Namespace: dot.Release.Namespace,
+			Labels: helmette.Merge(
+				Labels(dot),
+			),
+			Annotations: map[string]string{
+				"helm.sh/hook":               "post-upgrade",
+				"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed",
+				// run this after the CRD job
+				"helm.sh/hook-weight": "-4",
+			},
+		},
+		Spec: batchv1.JobSpec{
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: values.PodAnnotations,
+					Labels:      helmette.Merge(SelectorLabels(dot), values.PodLabels),
+				},
+				Spec: corev1.PodSpec{
+					RestartPolicy:                 corev1.RestartPolicyOnFailure,
+					AutomountServiceAccountToken:  ptr.To(false),
+					TerminationGracePeriodSeconds: ptr.To(int64(10)),
+					ImagePullSecrets:              values.ImagePullSecrets,
+					ServiceAccountName:            MigrationJobServiceAccountName(dot),
+					NodeSelector:                  values.NodeSelector,
+					Tolerations:                   values.Tolerations,
+					Volumes:                       []corev1.Volume{serviceAccountTokenVolume()},
+					Containers:                    migrationJobContainers(dot),
+				},
+			},
+		},
+	}
+}
+
+func migrationJobContainers(dot *helmette.Dot) []corev1.Container {
+	values := helmette.Unwrap[Values](dot.Values)
+
+	args := []string{"migration"}
+
+	return []corev1.Container{
+		{
+			Name:            "migration",
+			Image:           containerImage(dot),
+			ImagePullPolicy: values.Image.PullPolicy,
+			Command:         []string{"/redpanda-operator"},
+			Args:            args,
+			SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: ptr.To(false)},
+			VolumeMounts:    []corev1.VolumeMount{serviceAccountTokenVolumeMount()},
+			Resources:       values.Resources,
+		},
+	}
+}

operator/chart/rbac.go

@@ -28,7 +28,7 @@ type RBACBundle struct {
 func rbacBundles(dot *helmette.Dot) []RBACBundle {
 	values := helmette.Unwrap[Values](dot.Values)
 
-	return []RBACBundle{
+	bundles := []RBACBundle{
 		{
 			Name:    Fullname(dot),
 			Enabled: true,
@@ -77,6 +77,21 @@ func rbacBundles(dot *helmette.Dot) []RBACBundle {
 			},
 		},
 	}
+
+	// the migration job needs the same general RBAC policy as the operator itself
+	bundles = append(bundles, RBACBundle{
+		Name:    MigrationJobServiceAccountName(dot),
+		Enabled: true,
+		Subject: MigrationJobServiceAccountName(dot),
+		Annotations: map[string]string{
+			"helm.sh/hook":               "post-upgrade",
+			"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed",
+			"helm.sh/hook-weight":        "-10",
+		},
+		RuleFiles: bundles[0].RuleFiles,
+	})
+
+	return bundles
 }
 
 func ClusterRoles(dot *helmette.Dot) []rbacv1.ClusterRole {