charts/console: add v2 -> v3 config migration

Add `ConfigFromV2` as a utility function in `charts/console` for migrating V2
configs to V3 configs.

The migration is based off Jake Cahill's implementation in the docs repo but
has been transposed to JQ to improve maintainablity. Other data manipulation
DSLs (JSONpath, custom)  where considered but JQ's ubiquity and power is
difficult to compete with.

Author: chrisseto

acceptance/go.mod

@@ -143,6 +143,8 @@ require (
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.12.0 // indirect
+	github.com/itchyny/gojq v0.12.17 // indirect
+	github.com/itchyny/timefmt-go v0.1.6 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
 	github.com/jcmturner/gofork v1.7.6 // indirect

acceptance/go.sum

@@ -355,6 +355,10 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI=
 github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
+github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
+github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
+github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=

charts/console/go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/cloudhut/common v0.11.0
 	github.com/cockroachdb/errors v1.11.3
 	github.com/google/gofuzz v1.2.0
+	github.com/itchyny/gojq v0.12.17
 	github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b
 	github.com/redpanda-data/redpanda-operator/gotohelm v1.2.1-0.20250909192010-c59ff494d04a
 	github.com/redpanda-data/redpanda-operator/pkg v0.0.0-20250124085449-058118a82f50
@@ -86,6 +87,7 @@ require (
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.12.0 // indirect
+	github.com/itchyny/timefmt-go v0.1.6 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

charts/console/go.sum

@@ -222,6 +222,10 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI=
 github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
+github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
+github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
+github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=

charts/console/migrate_nogotohelm.go

@@ -0,0 +1,283 @@
+// Copyright 2025 Redpanda Data, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.md
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0
+
+//go:build !gotohelm
+
+package console
+
+import (
+	"strings"
+
+	"github.com/cockroachdb/errors"
+	"github.com/itchyny/gojq"
+)
+
+// ConfigFromV2 transforms a Console v2 configuration into a v3 configuration.
+// It additionally returns a string slice containing human readable
+// descriptions of fields that could not be migrated.
+//
+// Unknown or invalid data is left in place for Console itself handle (by crashing / logging).
+//
+// V2 Config:
+// - https://github.com/redpanda-data/console/blob/v2.8.10/backend/pkg/config/config.go
+// - https://github.com/redpanda-data/console-enterprise/blob/v2.8.10/backend/pkg/config/config.go
+//
+// V3 Config:
+// - https://github.com/redpanda-data/console/blob/v3.2.2/backend/pkg/config/config.go
+// - https://github.com/redpanda-data/console-enterprise/blob/v3.2.2/backend/pkg/config/config.go
+func ConfigFromV2(v2 map[string]any) (map[string]any, []string, error) {
+	v3 := make(map[string]any)
+
+	for _, m := range mappings {
+		val, ok, err := execQueryScalar[any](v2, m.code)
+		if err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to execute query for path %v", m.dst)
+		}
+		if !ok {
+			continue
+		}
+		if err := setPath(v3, m.dst, val); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to set path %v", m.dst)
+		}
+	}
+
+	// Generate warnings
+	var warnings []string
+	for _, code := range warningQueries {
+		results, err := execQuery[string](v2, code)
+		if err != nil {
+			return nil, nil, errors.Wrap(err, "failed to generate warnings")
+		}
+		warnings = append(warnings, results...)
+	}
+
+	return v3, warnings, nil
+}
+
+type mappingSpec struct {
+	dst   string
+	query string
+}
+
+type mapping struct {
+	dst  []string
+	code *gojq.Code
+}
+
+// mappings is a slice of destination path to JQ query that together migrate a
+// Console v2 config to a Console v3 config. Its behavior is exactly the same
+// as the converter in our public docs (Thanks Jake!)
+// https://github.com/redpanda-data/docs-ui/blob/d55545f392e0a9aaa0dbd193606a2b629d779699/console-config-migrator/main.go#L25
+// Due to module dependency conflicts and the quasi closed source nature of
+// console typing the configurations was deemed a non-option. JQ was elected as
+// it's relatively well known and substantially easier to comprehend than
+// map[string]any manipulations.
+var mappings = compileMappings([]mappingSpec{
+	// Authentication
+	{"authentication.jwtSigningKey", ".login.jwtSecret"},
+	{"authentication.useSecureCookies", ".login.useSecureCookies"},
+	{"authentication.basic", ".login.plain"},
+	{"authentication.oidc", `.login // {} | to_entries | sort_by(.key) | map(select(.value.enabled?) | .value) | first | del(.realm, .directory)`},
+
+	// Schema Registry
+	{"schemaRegistry.authentication.basic.username", ".kafka.schemaRegistry.username"},
+	{"schemaRegistry.authentication.basic.password", ".kafka.schemaRegistry.password"},
+	{"schemaRegistry.authentication.bearerToken", ".kafka.schemaRegistry.bearerToken"},
+	{"schemaRegistry.authentication.impersonateUser", `.kafka.schemaRegistry | select(.) | .username == null`},
+	{"schemaRegistry", `.kafka.schemaRegistry | del(.username, .password, .bearerToken)`},
+
+	// Kafka
+	{"kafka.sasl.enabled", "true"},
+	{"kafka.sasl.impersonateUser", "true"},
+	{"kafka", `.kafka | del(.schemaRegistry, .protobuf, .cbor, .messagePack)`},
+
+	// Serde
+	{"serde.protobuf", ".kafka.protobuf"},
+	{"serde.cbor", ".kafka.cbor"},
+	{"serde.messagePack", ".kafka.messagePack"},
+	{"serde.maxDeserializationPayloadSize", ".console.maxDeserializationPayloadSize"},
+
+	// Connect rename
+	{"kafkaConnect", ".connect"},
+
+	// Redpanda adminApi
+	{"redpanda", `.redpanda | del(.adminApi.username, .adminApi.password)`},
+	{"redpanda.adminApi.authentication.basic.username", ".redpanda.adminApi.username"},
+	{"redpanda.adminApi.authentication.basic.password", ".redpanda.adminApi.password"},
+	{"redpanda.adminApi.authentication.impersonateUser", `.redpanda.adminApi | select(.) | .username == null`},
+
+	// RoleBindings
+	{"authorization.roleBindings", `.roleBindings | map({
+		roleName: .roleName,
+		users: [.subjects[] | select(.kind == "user" or .kind == null) | {
+			name: .name,
+			loginType: (if .provider == "Plain" then "basic" else "oidc" end)
+		}]
+	})?`},
+
+	// Copy remaining top-level fields (empty dst means merge into root)
+	{"", "del(.connect, .console, .enterprise, .kafka, .login, .roleBindings, .redpanda)"},
+})
+
+// warningQueries is a slice of JQ queries that produce warnings about
+// configurations that can not be migrate to Console V3.
+var warningQueries = compileWarnings([]string{
+	`.login // {} | to_entries | sort_by(.key) | map(select(.value.enabled?)) | select(length > 1) | "Elected '\(.[0].key)' as OIDC provider out of \(map(.key)). Only one provider is supported in v3."`,
+	`.login // {} | to_entries | sort_by(.key) | .[] | select(.value.enabled? and .value.realm? != null) |  "Removed 'realm' from '\(.key)'. OIDC groups are not supported in v3. Create Roles in Redpanda instead."`,
+	`.login // {} | to_entries | sort_by(.key) | .[] | select(.value.enabled? and .value.directory? != null) | select(length > 1) | "Removed 'directory' from '\(.key)'. OIDC groups are not supported in v3. Create Roles in Redpanda instead."`,
+	`.roleBindings.[]? | . as $binding | .subjects.[]? | select(.kind != "user") | "Removed group subject from role binding '\($binding.roleName)'. Groups are not supported in v3."`,
+})
+
+func compileMappings(specs []mappingSpec) []mapping {
+	mappings := make([]mapping, len(specs))
+	for i, spec := range specs {
+		var dst []string
+		if spec.dst != "" {
+			dst = strings.Split(spec.dst, ".")
+		}
+		mappings[i] = mapping{
+			dst:  dst,
+			code: mustCompile(spec.query),
+		}
+	}
+	return mappings
+}
+
+func compileWarnings(queries []string) []*gojq.Code {
+	compiled := make([]*gojq.Code, len(queries))
+	for i, query := range queries {
+		compiled[i] = mustCompile(query)
+	}
+	return compiled
+}
+
+func execQuery[T any](data map[string]any, code *gojq.Code) ([]T, error) {
+	iter := code.Run(data)
+
+	var results []T
+	for {
+		result, ok := iter.Next()
+		if !ok {
+			break
+		}
+
+		// gojq can produce some strange results:
+		// - errors are returned through Next and must be checked
+		// -
+		switch result := result.(type) {
+		// Errors are returned through .Next and need to be checked.
+		case error:
+			return nil, errors.WithStack(result)
+		// nil (untyped) can be returned directly. We don't want to emit nils, so skip.
+		case nil:
+			continue
+		// nil maps in an any box ( any(map[string]any(nil)) ) can also be
+		// returned. They need to be unboxed and explicitly checked.
+		case map[string]any:
+			if result == nil {
+				continue
+			}
+		}
+
+		results = append(results, result.(T))
+	}
+
+	return results, nil
+}
+
+func execQueryScalar[T comparable](data map[string]any, code *gojq.Code) (T, bool, error) {
+	var zero T
+	out, err := execQuery[T](data, code)
+	if err != nil {
+		return zero, false, err
+	}
+	if len(out) == 1 {
+		return out[0], out[0] != zero, nil
+	}
+	return zero, false, nil
+}
+
+func mustCompile(expr string) *gojq.Code {
+	query, err := gojq.Parse(expr)
+	if err != nil {
+		panic(err)
+	}
+
+	code, err := gojq.Compile(query)
+	if err != nil {
+		panic(err)
+	}
+	return code
+}
+
+// setPath sets a value in a nested map structure using a slice of keys.
+func setPath(m map[string]any, path []string, value any) error {
+	// Special case, if path is empty merge value into m.
+	if len(path) == 0 {
+		valueMap, ok := value.(map[string]any)
+		if !ok {
+			return errors.Newf("cannot merge non-map value into root: %T", value)
+		}
+		mergeMaps(m, valueMap)
+		return nil
+	}
+
+	curr := m
+	for i := 0; i < len(path)-1; i++ {
+		key := path[i]
+		if _, exists := curr[key]; !exists {
+			curr[key] = make(map[string]any)
+		}
+
+		next, ok := curr[key].(map[string]any)
+		if !ok {
+			return errors.Newf("cannot traverse through non-map at key %q: %T", key, curr[key])
+		}
+		curr = next
+	}
+
+	lastKey := path[len(path)-1]
+	existing, exists := curr[lastKey]
+	if !exists {
+		curr[lastKey] = value
+		return nil
+	}
+
+	// If both existing and new values are maps, merge them
+	existingMap, existingIsMap := existing.(map[string]any)
+	valueMap, valueIsMap := value.(map[string]any)
+	if existingIsMap && valueIsMap {
+		mergeMaps(existingMap, valueMap)
+	} else {
+		// Otherwise overwrite
+		curr[lastKey] = value
+	}
+
+	return nil
+}
+
+func mergeMaps(dst, src map[string]any) {
+	for k, v := range src {
+		existing, exists := dst[k]
+		if !exists {
+			dst[k] = v
+			continue
+		}
+
+		// If both are maps, merge recursively
+		dstMap, dstIsMap := existing.(map[string]any)
+		srcMap, srcIsMap := v.(map[string]any)
+		if dstIsMap && srcIsMap {
+			mergeMaps(dstMap, srcMap)
+		} else {
+			// Otherwise overwrite
+			dst[k] = v
+		}
+	}
+}

charts/console/migrate_test.go

@@ -0,0 +1,45 @@
+// Copyright 2025 Redpanda Data, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.md
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0
+
+package console
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/tools/txtar"
+	"sigs.k8s.io/yaml"
+
+	"github.com/redpanda-data/redpanda-operator/pkg/testutil"
+)
+
+func TestConfigFromV2(t *testing.T) {
+	cases, err := txtar.ParseFile("testdata/migrate-cases.txtar")
+	require.NoError(t, err)
+
+	goldens := testutil.NewTxTar(t, "testdata/migrate-cases.golden.txtar")
+
+	for _, tc := range cases.Files {
+		t.Run(tc.Name, func(t *testing.T) {
+			var input map[string]any
+			require.NoError(t, yaml.Unmarshal(tc.Data, &input))
+
+			converted, warnings, errJSONPath := ConfigFromV2(input)
+			require.NoError(t, errJSONPath)
+
+			actual, err := yaml.Marshal(map[string]any{
+				"output":   converted,
+				"warnings": warnings,
+			})
+			require.NoError(t, err)
+
+			goldens.AssertGolden(t, testutil.YAML, tc.Name, append(actual, '\n'))
+		})
+	}
+}