redpanda: abstract listener configurations

This commit slims down the `values.go` file of redpanda by consolidating all
the disparate listener types into a single type with a type parameter for their
authentication method.

In doing so, two long standing buglets have been fixed:
- The previously unused `kafkaEndpoint` parameter has been removed.
- The pandaproxy / http listener's `authentication_method` has been removed as
  redpanda doesn't support auth on it.

Author: chrisseto

.changes/unreleased/charts-redpanda-Fixed-20250414-111129.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: '`authentication_method` is no longer set on `http_api` as redpanda itself does not support authentication on the http API.'
+time: 2025-04-14T11:11:29.214567-04:00

.changes/unreleased/charts-redpanda-Removed-20250414-110855.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Removed
+body: The unrespected`kafkaEndpoint` listener parameter has been removed from `values.yaml`
+time: 2025-04-14T11:08:55.846041-04:00

charts/redpanda/CHANGELOG.md

@@ -113,13 +113,15 @@ of `enterprise.license` and `enterprise.licenseSecretRef`, respectively.
   - `statefulset.sidecars.resources` -> `statefulset.podTemplate.spec.containers[*].resources`
   - `statefulset.sidecars.securityContext` -> `statefulset.podTemplate.spec.containers[*].securityContext`
 * Removed regex validation of all image tags.
+* The unrespected`kafkaEndpoint` listener parameter has been removed from `values.yaml`
 ### Fixed
 * Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
   When Redpanda custom resource has enabled RBAC the reconciliation was blocked due
   ClusterRoleBinding referencing not yet created ClusterRole.
 
 * Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.
 * Prevent broker nodes from restarting when solely the cluster replica amount changes
+* `authentication_method` is no longer set on `http_api` as redpanda itself does not support authentication on the http API.
 * Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
 * Broken `Issuer`s and `Certificate`s are no longer needlessly generated when `tls.<cert>.issuerRef` is provided.
 * Fixed the security contexts' of `set-datadir-ownership` and `set-tiered-storage-cache-dir-ownership`.

charts/redpanda/README.md

@@ -331,7 +331,7 @@ Listener settings.  Override global settings configured above for individual lis
 **Default:**
 
 ```
-{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}}
+{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"port":8081,"tls":{"cert":"default","requireClientAuth":false}}}
 ```
 
 ### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin)
@@ -405,7 +405,7 @@ HTTP API listeners (aka PandaProxy).
 **Default:**
 
 ```
-{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}}
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"port":8082,"tls":{"cert":"default","requireClientAuth":false}}
 ```
 
 ### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka)
@@ -453,7 +453,7 @@ Schema registry listeners.
 **Default:**
 
 ```
-{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"port":8081,"tls":{"cert":"default","requireClientAuth":false}}
 ```
 
 ### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging)

charts/redpanda/chart_test.go

@@ -807,22 +807,22 @@ func mTLSValuesUsingCertManager() *redpanda.PartialValues {
 		External:      &redpanda.PartialExternalConfig{Enabled: ptr.To(false)},
 		ClusterDomain: ptr.To("cluster.local"),
 		Listeners: &redpanda.PartialListeners{
-			Admin: &redpanda.PartialAdminListeners{
+			Admin: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				TLS: &redpanda.PartialInternalTLS{
 					RequireClientAuth: ptr.To(true),
 				},
 			},
-			HTTP: &redpanda.PartialHTTPListeners{
+			HTTP: &redpanda.PartialListenerConfig[redpanda.HTTPAuthenticationMethod]{
 				TLS: &redpanda.PartialInternalTLS{
 					RequireClientAuth: ptr.To(true),
 				},
 			},
-			Kafka: &redpanda.PartialKafkaListeners{
+			Kafka: &redpanda.PartialListenerConfig[redpanda.KafkaAuthenticationMethod]{
 				TLS: &redpanda.PartialInternalTLS{
 					RequireClientAuth: ptr.To(true),
 				},
 			},
-			SchemaRegistry: &redpanda.PartialSchemaRegistryListeners{
+			SchemaRegistry: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				TLS: &redpanda.PartialInternalTLS{
 					RequireClientAuth: ptr.To(true),
 				},
@@ -856,7 +856,7 @@ func mTLSValuesWithProvidedCerts(serverTLSSecretName, clientTLSSecretName string
 			},
 		},
 		Listeners: &redpanda.PartialListeners{
-			Admin: &redpanda.PartialAdminListeners{
+			Admin: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				//External: redpanda.PartialExternalListeners[redpanda.PartialAdminExternal]{
 				//	"default": redpanda.PartialAdminExternal{Enabled: ptr.To(false), Port: ptr.To(int32(0))},
 				//},
@@ -865,7 +865,7 @@ func mTLSValuesWithProvidedCerts(serverTLSSecretName, clientTLSSecretName string
 					Cert:              ptr.To("provided"),
 				},
 			},
-			HTTP: &redpanda.PartialHTTPListeners{
+			HTTP: &redpanda.PartialListenerConfig[redpanda.HTTPAuthenticationMethod]{
 				//External: redpanda.PartialExternalListeners[redpanda.PartialHTTPExternal]{
 				//	"default": redpanda.PartialHTTPExternal{Enabled: ptr.To(false), Port: ptr.To(int32(0))},
 				//},
@@ -874,7 +874,7 @@ func mTLSValuesWithProvidedCerts(serverTLSSecretName, clientTLSSecretName string
 					Cert:              ptr.To("provided"),
 				},
 			},
-			Kafka: &redpanda.PartialKafkaListeners{
+			Kafka: &redpanda.PartialListenerConfig[redpanda.KafkaAuthenticationMethod]{
 				//External: redpanda.PartialExternalListeners[redpanda.PartialKafkaExternal]{
 				//	"default": redpanda.PartialKafkaExternal{Enabled: ptr.To(false), Port: ptr.To(int32(0))},
 				//},
@@ -883,7 +883,7 @@ func mTLSValuesWithProvidedCerts(serverTLSSecretName, clientTLSSecretName string
 					Cert:              ptr.To("provided"),
 				},
 			},
-			SchemaRegistry: &redpanda.PartialSchemaRegistryListeners{
+			SchemaRegistry: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				//External: redpanda.PartialExternalListeners[redpanda.PartialSchemaRegistryExternal]{
 				//	"default": redpanda.PartialSchemaRegistryExternal{Enabled: ptr.To(false), Port: ptr.To(int32(0))},
 				//},

charts/redpanda/ci/12-external-cert-secrets-values.yaml

@@ -56,7 +56,6 @@ listeners:
   schemaRegistry:
     enabled: true
     port: 8081
-    kafkaEndpoint: default
     tls:
       # Optional flag to override the global TLS enabled flag.
       # enabled: true
@@ -75,7 +74,6 @@ listeners:
   http:
     enabled: true
     port: 8082
-    kafkaEndpoint: default
     tls:
       # Optional flag to override the global TLS enabled flag.
       # enabled: true

charts/redpanda/ci/40-empty-string-tls-novalues.yaml

@@ -17,7 +17,6 @@ listeners:
     authenticationMethod: none
     enabled: true
     external: {}
-    kafkaEndpoint: kafka-default
     port: 8082
     tls:
       cert: ""

charts/redpanda/configmap.tpl.go

@@ -506,8 +506,13 @@ func kafkaClient(dot *helmette.Dot) map[string]any {
 func configureListeners(redpanda map[string]any, dot *helmette.Dot) {
 	values := helmette.Unwrap[Values](dot.Values)
 
-	redpanda["admin"] = values.Listeners.Admin.Listeners()
-	redpanda["kafka_api"] = values.Listeners.Kafka.Listeners(&values.Auth)
+	var defaultKafkaAuth *KafkaAuthenticationMethod
+	if values.Auth.SASL.Enabled {
+		defaultKafkaAuth = ptr.To(SASLKafkaAuthenticationMethod)
+	}
+
+	redpanda["admin"] = values.Listeners.Admin.Listeners(nil /* No auth on admin API */)
+	redpanda["kafka_api"] = values.Listeners.Kafka.Listeners(defaultKafkaAuth)
 	redpanda["rpc_server"] = rpcListeners(dot)
 
 	// Backwards compatibility layer, if any of the *_tls keys are an empty
@@ -534,7 +539,12 @@ func pandaProxyListener(dot *helmette.Dot) map[string]any {
 
 	pandaProxy := map[string]any{}
 
-	pandaProxy["pandaproxy_api"] = values.Listeners.HTTP.Listeners(values.Auth.IsSASLEnabled())
+	var pandaProxyAuth *HTTPAuthenticationMethod
+	if values.Auth.IsSASLEnabled() {
+		pandaProxyAuth = ptr.To(BasicHTTPAuthenticationMethod)
+	}
+
+	pandaProxy["pandaproxy_api"] = values.Listeners.HTTP.Listeners(pandaProxyAuth)
 	pandaProxy["pandaproxy_api_tls"] = nil
 	if tls := values.Listeners.HTTP.ListenersTLS(&values.TLS); len(tls) > 0 {
 		pandaProxy["pandaproxy_api_tls"] = tls
@@ -546,8 +556,7 @@ func schemaRegistry(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
 	schemaReg := map[string]any{}
-
-	schemaReg["schema_registry_api"] = values.Listeners.SchemaRegistry.Listeners(values.Auth.IsSASLEnabled())
+	schemaReg["schema_registry_api"] = values.Listeners.SchemaRegistry.Listeners(nil /* No auth on admin API */)
 	schemaReg["schema_registry_api_tls"] = nil
 	if tls := values.Listeners.SchemaRegistry.ListenersTLS(&values.TLS); len(tls) > 0 {
 		schemaReg["schema_registry_api_tls"] = tls
@@ -606,14 +615,6 @@ func createInternalListenerTLSCfg(tls *TLS, internal InternalTLS) map[string]any
 	}
 }
 
-func createInternalListenerCfg(port int32) map[string]any {
-	return map[string]any{
-		"name":    "internal",
-		"address": "0.0.0.0",
-		"port":    port,
-	}
-}
-
 // RedpandaAdditionalStartFlags returns a string slice of flags suitable for use
 // as `additional_start_flags`. User provided flags will override any of those
 // set by default.

charts/redpanda/service.loadbalancer.go

@@ -15,7 +15,6 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/utils/ptr"
 
 	"github.com/redpanda-data/redpanda-operator/gotohelm/helmette"
@@ -84,65 +83,10 @@ func LoadBalancerServices(dot *helmette.Dot) []*corev1.Service {
 		// in helm. TODO setup a linter that barks about this? Also a helper
 		// for getting the sorted keys of a map?
 		var ports []corev1.ServicePort
-		for name, listener := range helmette.SortedMap(values.Listeners.Admin.External) {
-			if !ptr.Deref(listener.Enabled, values.External.Enabled) {
-				continue
-			}
-
-			fallbackPorts := append(listener.AdvertisedPorts, values.Listeners.Admin.Port)
-
-			ports = append(ports, corev1.ServicePort{
-				Name:       fmt.Sprintf("admin-%s", name),
-				Protocol:   corev1.ProtocolTCP,
-				TargetPort: intstr.FromInt32(listener.Port),
-				Port:       ptr.Deref(listener.NodePort, fallbackPorts[0]),
-			})
-		}
-
-		for name, listener := range helmette.SortedMap(values.Listeners.Kafka.External) {
-			if !ptr.Deref(listener.Enabled, values.External.Enabled) {
-				continue
-			}
-
-			fallbackPorts := append(listener.AdvertisedPorts, listener.Port)
-
-			ports = append(ports, corev1.ServicePort{
-				Name:       fmt.Sprintf("kafka-%s", name),
-				Protocol:   corev1.ProtocolTCP,
-				TargetPort: intstr.FromInt32(listener.Port),
-				Port:       ptr.Deref(listener.NodePort, fallbackPorts[0]),
-			})
-		}
-
-		for name, listener := range helmette.SortedMap(values.Listeners.HTTP.External) {
-			if !ptr.Deref(listener.Enabled, values.External.Enabled) {
-				continue
-			}
-
-			fallbackPorts := append(listener.AdvertisedPorts, listener.Port)
-
-			ports = append(ports, corev1.ServicePort{
-				Name:       fmt.Sprintf("http-%s", name),
-				Protocol:   corev1.ProtocolTCP,
-				TargetPort: intstr.FromInt32(listener.Port),
-				Port:       ptr.Deref(listener.NodePort, fallbackPorts[0]),
-			})
-		}
-
-		for name, listener := range helmette.SortedMap(values.Listeners.SchemaRegistry.External) {
-			if !ptr.Deref(listener.Enabled, values.External.Enabled) {
-				continue
-			}
-
-			fallbackPorts := append(listener.AdvertisedPorts, listener.Port)
-
-			ports = append(ports, corev1.ServicePort{
-				Name:       fmt.Sprintf("schema-%s", name),
-				Protocol:   corev1.ProtocolTCP,
-				TargetPort: intstr.FromInt32(listener.Port),
-				Port:       ptr.Deref(listener.NodePort, fallbackPorts[0]),
-			})
-		}
+		ports = append(ports, values.Listeners.Admin.ServicePorts("admin", &values.External)...)
+		ports = append(ports, values.Listeners.Kafka.ServicePorts("kafka", &values.External)...)
+		ports = append(ports, values.Listeners.HTTP.ServicePorts("http", &values.External)...)
+		ports = append(ports, values.Listeners.SchemaRegistry.ServicePorts("schema", &values.External)...)
 
 		svc := &corev1.Service{
 			TypeMeta: metav1.TypeMeta{