[WIP] operator: add console stanza -> CRD migration

Reconciling a Redpanda will now produce a Console CR with a clusterRef pointing
back at the cluster itself.

TODO LIST:
- [ ] Conversions are fallible, figure out how to log errors without flood the log (rate.Limit?)
	- As everything is wrapped in a runtime.Extension, it's pretty easy to make an invalid config.
- [ ] Acceptance tests that upgrade the operator and show a functioning console CRD and one with migration warnings.
- [ ] Figure out how to remove the console Stanza w/o removing the Console CRD (ideally an opt in method?)
- [ ] Clean up naming of CRD conversion?

Author: chrisseto

operator/api/redpanda/v1alpha2/console_types.go

@@ -10,13 +10,18 @@
 package v1alpha2
 
 import (
+	"encoding/json"
+
+	"github.com/cockroachdb/errors"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	applycorev1 "k8s.io/client-go/applyconfigurations/core/v1"
 	"k8s.io/utils/ptr"
 
+	"github.com/redpanda-data/redpanda-operator/charts/console/v3"
 	"github.com/redpanda-data/redpanda-operator/operator/pkg/functional"
 )
 
@@ -121,10 +126,16 @@ type ConsoleValues struct {
 	SecretMounts                 []SecretMount                     `json:"secretMounts,omitempty"`
 	Secret                       SecretConfig                      `json:"secret,omitempty"`
 	LicenseSecretRef             *corev1.SecretKeySelector         `json:"licenseSecretRef,omitempty"`
-	LivenessProbe                *corev1.Probe                     `json:"livenessProbe,omitempty"`
-	ReadinessProbe               *corev1.Probe                     `json:"readinessProbe,omitempty"`
+	LivenessProbe                *ProbeApplyConfiguration          `json:"livenessProbe,omitempty"`
+	ReadinessProbe               *ProbeApplyConfiguration          `json:"readinessProbe,omitempty"`
 	Deployment                   *DeploymentConfig                 `json:"deployment,omitempty"`
 	Strategy                     *appsv1.DeploymentStrategy        `json:"strategy,omitempty"`
+	// Warnings is a slice of human readable warnings generated by the automatic
+	// migration of a Console V2 config to a Console V3 config. If warnings are
+	// present, they will describe which fields from the original config have
+	// been dropped and why.
+	// Setting this field has no effect.
+	Warnings []string `json:"warnings,omitempty"`
 }
 
 type AutoScaling struct {
@@ -237,3 +248,85 @@ type RedpandaAdminAPISecrets struct {
 	TLSCert  *string `json:"tlsCert,omitempty"`
 	TLSKey   *string `json:"tlsKey,omitempty"`
 }
+
+// ProbeApplyConfiguration is a wrapper type that allows including a partial
+// [corev1.Probe] in a CRD.
+type ProbeApplyConfiguration struct {
+	*applycorev1.ProbeApplyConfiguration `json:",inline"`
+}
+
+func (ac *ProbeApplyConfiguration) DeepCopy() *ProbeApplyConfiguration {
+	// For some inexplicable reason, apply configs don't have deepcopy
+	// generated for them.
+	//
+	// DeepCopyInto can be generated with just DeepCopy implemented. Sadly, the
+	// easiest way to implement DeepCopy is to run this type through JSON. It's
+	// highly unlikely that we'll hit a panic but it is possible to do so with
+	// invalid values for resource.Quantity and the like.
+	out := new(ProbeApplyConfiguration)
+	data, err := json.Marshal(ac)
+	if err != nil {
+		panic(err)
+	}
+	if err := json.Unmarshal(data, out); err != nil {
+		panic(err)
+	}
+	return out
+}
+
+// ConvertConsoleSubchartToConsoleValues "migrates" the Console field
+// ([RedpandaConsole]) of a [Redpanda] into a Console v3 compliant
+// [ConsoleValues].
+func ConvertConsoleSubchartToConsoleValues(src *RedpandaConsole) (*ConsoleValues, error) {
+	// By the redpanda chart's default values, console is enabled by default
+	// and must be explicitly opted out of.
+	if src == nil {
+		// Empty values is valid.
+		return &ConsoleValues{}, nil
+	}
+
+	// If the console integration is opted out of, return nil.
+	if !ptr.Deref(src.Enabled, true) {
+		return nil, nil
+	}
+
+	out, err := autoconv_RedpandaConsole_To_ConsoleValues(src)
+	if err != nil {
+		return nil, err
+	}
+
+	// Extract out .Console and .Config. .Console will be migrated and then
+	// merged into .Config as Config is meant to house V3 configurations.
+	var v2Config map[string]any
+	if src.Console != nil && len(src.Console.Raw) > 0 {
+		if err := json.Unmarshal(src.Console.Raw, &v2Config); err != nil {
+			return nil, errors.WithStack(err)
+		}
+	}
+
+	var v3Config map[string]any
+	if src.Config != nil && len(src.Config.Raw) > 0 {
+		if err := json.Unmarshal(src.Config.Raw, &v3Config); err != nil {
+			return nil, errors.WithStack(err)
+		}
+	}
+
+	migrated, warnings, err := console.ConfigFromV2(v2Config)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	merged := functional.MergeMaps(migrated, v3Config)
+
+	marshalled, err := json.Marshal(merged)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	out.Config = &runtime.RawExtension{Raw: marshalled}
+	// Unlike the docs migrate, warnings get their own field. We can't set
+	// comments of a Kubernetes resource.
+	out.Warnings = warnings
+
+	return out, nil
+}

operator/api/redpanda/v1alpha2/console_types_test.go

@@ -0,0 +1,46 @@
+// Copyright 2025 Redpanda Data, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.md
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0
+
+package v1alpha2
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/tools/txtar"
+	"sigs.k8s.io/yaml"
+
+	"github.com/redpanda-data/redpanda-operator/pkg/testutil"
+)
+
+func TestConvertConsoleSubchartToConsoleValues(t *testing.T) {
+	cases, err := txtar.ParseFile("testdata/console-migration-cases.txtar")
+	require.NoError(t, err)
+
+	goldens := testutil.NewTxTar(t, "testdata/console-migration-cases.golden.txtar")
+
+	for i, tc := range cases.Files {
+		t.Run(tc.Name, func(t *testing.T) {
+			var in RedpandaConsole
+			require.NoError(t, yaml.Unmarshal(tc.Data, &in))
+
+			out, err := ConvertConsoleSubchartToConsoleValues(&in)
+			require.NoError(t, err)
+
+			actual, err := yaml.Marshal(out)
+			require.NoError(t, err)
+
+			// Add a bit of extra padding to make it easier to navigate the golden file.
+			actual = append(actual, '\n')
+
+			goldens.AssertGolden(t, testutil.YAML, fmt.Sprintf("%02d-%s", i, tc.Name), actual)
+		})
+	}
+}

operator/api/redpanda/v1alpha2/conversion.go

@@ -13,6 +13,7 @@ import (
 	"encoding/json"
 
 	"github.com/cockroachdb/errors"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
@@ -39,7 +40,13 @@ var (
 	ConvertStaticConfigToIR func(namespace string, src *StaticConfigurationSource) *ir.StaticConfigurationSource
 
 	// Private conversions for tuning / customizing conversions.
-	// Naming conversion: `autoconv_<Type>_To_<pkg>_<Type>`
+	// Naming convention: `autoconv_<Type>_To_<pkg>_<Type>`
+
+	// goverter:map . LicenseSecretRef | convertConsoleLicenseSecretRef
+	// goverter:ignore Config
+	// goverter:ignore Warnings
+	// goverter:ignore ExtraContainerPorts
+	autoconv_RedpandaConsole_To_ConsoleValues func(*RedpandaConsole) (*ConsoleValues, error)
 
 	// goverter:ignore Create
 	// Ability to disable creation of Deployment is not exposed through the Console CRD.
@@ -69,6 +76,33 @@ func getNamespace(namespace string) string {
 	return namespace
 }
 
+// convertConsoleLicenseSecretRef extracts either the LicenseSecretRef or
+// Enterprise.LicenseSecret from a [RedpandaConsole] into a
+// [corev1.SecretKeySelector].
+func convertConsoleLicenseSecretRef(src *RedpandaConsole) (*corev1.SecretKeySelector, error) {
+	// If LicenseSecreRef is set, accept that.
+	if src.LicenseSecretRef != nil {
+		return src.LicenseSecretRef, nil
+	}
+
+	// Short circuit if Enterprise isn't specified.
+	if src.Enterprise == nil || len(src.Enterprise.Raw) != 0 {
+		return nil, nil
+	}
+
+	// Otherwise attempt to extract a secret reference from the Enterprise block.
+	type ConsoleEnterprise struct {
+		LicenseSecret *corev1.SecretKeySelector
+	}
+
+	enterprise, err := convertRuntimeRawExtension[ConsoleEnterprise](src.Enterprise)
+	if err != nil {
+		return nil, err
+	}
+
+	return enterprise.LicenseSecret, nil
+}
+
 // Manually implemented conversion routines
 // Naming conversion: `conv_<Type>_To_<pkg>_<Type>`
 
@@ -90,22 +124,46 @@ func conv_SecretKeyRef_To_ir_ObjectKeyRef(skr *SecretKeyRef, namespace string) *
 	}
 }
 
-func conv_runtime_RawExtension_To_mapany(ext *runtime.RawExtension) (map[string]any, error) {
-	if ext == nil {
-		return nil, nil
-	}
-
-	var out map[string]any
-	if err := json.Unmarshal(ext.Raw, &out); err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return out, nil
-}
-
 var (
 	conv_corev1_Volume_To_corev1_Volume                             = convertDeepCopier[corev1.Volume]
 	conv_corev1_EnvVar_To_corev1EnvVar                              = convertDeepCopier[corev1.EnvVar]
 	conv_corev1_ResourceRequirements_To_corev1_ResourceRequirements = convertDeepCopier[corev1.ResourceRequirements]
+
+	//  RawExtension -> Custom type (RedpandaConsole -> Console)
+
+	conv_runtime_RawExtension_To_mapstringany         = convertRuntimeRawExtension[map[string]any]
+	conv_runtime_RawExtension_To_mapstringstring      = convertRuntimeRawExtension[map[string]string]
+	conv_runtime_RawExtension_To_Image                = convertRuntimeRawExtension[*Image]
+	conv_runtime_RawExtension_To_ServiceAccountConfig = convertRuntimeRawExtension[*ServiceAccountConfig]
+	conv_runtime_RawExtension_To_Service              = convertRuntimeRawExtension[*ServiceConfig]
+	conv_runtime_RawExtension_To_Ingress              = convertRuntimeRawExtension[*IngressConfig]
+	conv_runtime_RawExtension_To_Autoscaling          = convertRuntimeRawExtension[*AutoScaling]
+	conv_runtime_RawExtension_To_SecretMounts         = convertRuntimeRawExtension[SecretMount]
+	conv_runtime_RawExtension_To_Secret               = convertRuntimeRawExtension[SecretConfig]
+	conv_runtime_RawExtension_To_Deployment           = convertRuntimeRawExtension[*DeploymentConfig]
+
+	// RawExtension -> built in types (RedpandaConsole -> Console)
+
+	conv_runtime_RawExtension_To_corev1_Affinity                  = convertRuntimeRawExtension[*corev1.Affinity]
+	conv_runtime_RawExtension_To_corev1_Container                 = convertRuntimeRawExtension[corev1.Container]
+	conv_runtime_RawExtension_To_corev1_EnvFromSource             = convertRuntimeRawExtension[corev1.EnvFromSource]
+	conv_runtime_RawExtension_To_corev1_EnvVar                    = convertRuntimeRawExtension[corev1.EnvVar]
+	conv_runtime_RawExtension_To_corev1_LocalObjectReference      = convertRuntimeRawExtension[corev1.LocalObjectReference]
+	conv_runtime_RawExtension_To_corev1_PodSecurityContext        = convertRuntimeRawExtension[*corev1.PodSecurityContext]
+	conv_runtime_RawExtension_To_corev1_Resources                 = convertRuntimeRawExtension[*corev1.ResourceRequirements]
+	conv_runtime_RawExtension_To_corev1_SecurityContext           = convertRuntimeRawExtension[*corev1.SecurityContext]
+	conv_runtime_RawExtension_To_corev1_Strategy                  = convertRuntimeRawExtension[*appsv1.DeploymentStrategy]
+	conv_runtime_RawExtension_To_corev1_Tolerations               = convertRuntimeRawExtension[corev1.Toleration]
+	conv_runtime_RawExtension_To_corev1_TopologySpreadConstraints = convertRuntimeRawExtension[[]corev1.TopologySpreadConstraint]
+	conv_runtime_RawExtension_To_corev1_Volume                    = convertRuntimeRawExtension[corev1.Volume]
+	conv_runtime_RawExtension_To_corev1_VolumeMount               = convertRuntimeRawExtension[corev1.VolumeMount]
+
+	// TODO THIS IS BAD AND BROKEN (Will write 0s for unspecified fields and generate invalid options).
+	// ConsolePartialValues really needs to have ApplyConfigs for most k8s types.
+	// Upgrade gen partial to pull an overridden type from a comment or field tag?
+	conv_LivenessProbe_To_ProbeApplyConfiguration  = convertViaMarshaling[*LivenessProbe, *ProbeApplyConfiguration]
+	conv_ProbeApplyConfiguration_To_corev1_Probe   = convertViaMarshaling[ProbeApplyConfiguration, corev1.Probe]
+	conv_ReadinessProbe_To_ProbeApplyConfiguration = convertViaMarshaling[*ReadinessProbe, *ProbeApplyConfiguration]
 )
 
 type deepCopier[T any] interface {
@@ -116,3 +174,33 @@ type deepCopier[T any] interface {
 func convertDeepCopier[T any, P deepCopier[T]](in T) T {
 	return *P(&in).DeepCopy()
 }
+
+func convertRuntimeRawExtension[T any](ext *runtime.RawExtension) (T, error) {
+	if ext == nil {
+		var zero T
+		return zero, nil
+	}
+
+	var out T
+	if err := json.Unmarshal(ext.Raw, &out); err != nil {
+		var zero T
+		return zero, errors.Wrapf(err, "unmarshalling %T into %T", ext, zero)
+	}
+	return out, nil
+}
+
+func convertViaMarshaling[From any, To any](src From) (To, error) {
+	marshalled, err := json.Marshal(src)
+	if err != nil {
+		var zero To
+		return zero, errors.Wrapf(err, "marshalling: %T", src)
+	}
+
+	var out To
+	if err := json.Unmarshal(marshalled, &out); err != nil {
+		var zero To
+		return zero, errors.Wrapf(err, "unmarshalling %T into %T", src, zero)
+	}
+
+	return out, nil
+}

operator/api/redpanda/v1alpha2/redpanda_clusterspec_types.go

@@ -196,7 +196,7 @@ type RedpandaConsole struct {
 	// Specifies whether the Redpanda Console subchart should be deployed.
 	Enabled *bool `json:"enabled,omitempty"`
 	// Sets the number of replicas for the Redpanda Console Deployment resource.
-	ReplicaCount *int `json:"replicaCount,omitempty"`
+	ReplicaCount *int32 `json:"replicaCount,omitempty"`
 	// Specifies a custom name for the Redpanda Console resources, overriding the default naming convention.
 	NameOverride *string `json:"nameOverride,omitempty"`
 	// Specifies a full custom name, which overrides the entire naming convention including release name and chart name.

operator/api/redpanda/v1alpha2/testdata/console-migration-cases.golden.txtar

@@ -0,0 +1,64 @@
+-- 00-empty --
+config:
+  kafka:
+    sasl:
+      enabled: true
+      impersonateUser: true
+secret: {}
+
+-- 01-disabled --
+null
+
+-- 02-configured --
+config:
+  authentication:
+    jwtSigningKey: secret123
+    useSecureCookies: true
+  authorization:
+    roleBindings:
+    - roleName: admin
+      users:
+      - loginType: oidc
+        name: devs
+  kafka:
+    sasl:
+      enabled: true
+      impersonateUser: true
+secret: {}
+
+-- 03-config-and-console --
+config:
+  authentication:
+    someOtherSetting:
+    - absolutely
+  kafka:
+    sasl:
+      enabled: true
+      impersonateUser: true
+secret: {}
+
+-- 04-enterprise-and-license-ref --
+config:
+  kafka:
+    sasl:
+      enabled: true
+      impersonateUser: true
+licenseSecretRef:
+  key: license
+  name: license
+secret: {}
+
+-- 05-migration-warnings --
+config:
+  authorization:
+    roleBindings:
+    - roleName: admin
+      users: []
+  kafka:
+    sasl:
+      enabled: true
+      impersonateUser: true
+secret: {}
+warnings:
+- Removed group subject from role binding 'admin'. Groups are not supported in v3.
+