operator: implement Console controller

This commit adds a standalone `Console` CR and its controller. Unlike the
console stanza in the redpanda chart, this CR deploys console V3.

This commit does NOT include a migration from the subchart to the new CR. That
will be implemented later.

Author: chrisseto

.changes/unreleased/operator-Added-20251001-165206.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Added
+body: Added a new `Console` CRD for managing a [Redpanda Console](https://github.com/redpanda-data/console/) deployments. For examples, see [`acceptance/features/console.feature`](../acceptance/features/console.feature).
+time: 2025-10-01T16:52:06.679323-04:00

.changes/unreleased/operator-Deprecated-20251001-170958.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Deprecated
+body: The Redpanda console stanza (`.spec.clusterSpec.console`) is now deprecated in favor of the stand-alone Console CRD.
+time: 2025-10-01T17:09:58.327552-04:00

acceptance/features/console.feature

@@ -0,0 +1,80 @@
+@cluster:basic
+Feature: Console CRDs
+  Background: Cluster available
+    Given cluster "basic" is available
+
+  Scenario: Using clusterRef
+    When I apply Kubernetes manifest:
+    ```yaml
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Console
+    metadata:
+      name: console
+    spec:
+      cluster:
+        clusterRef:
+          name: basic
+    ```
+    Then Console "console" will be healthy
+    # These steps demonstrate that console is correctly connected to Redpanda (Kafka, Schema Registry, and Admin API).
+    And I exec "curl localhost:8080/api/schema-registry/mode" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"mode":"READWRITE"}
+    ```
+    And I exec "curl localhost:8080/api/topics" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"topics":[{"topicName":"_schemas","isInternal":false,"partitionCount":1,"replicationFactor":1,"cleanupPolicy":"compact","documentation":"NOT_CONFIGURED","logDirSummary":{"totalSizeBytes":117}}]}
+    ```
+    And I exec "curl localhost:8080/api/console/endpoints | grep -o '{[^{}]*DebugBundleService[^{}]*}'" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"endpoint":"redpanda.api.console.v1alpha1.DebugBundleService","method":"POST","isSupported":true}
+    ```
+
+  Scenario: Using staticConfig
+    When I apply Kubernetes manifest:
+    ```yaml
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Console
+    metadata:
+      name: console
+    spec:
+      cluster:
+        staticConfiguration:
+          kafka:
+            brokers:
+            - basic-0.basic.${NAMESPACE}.svc.cluster.local.:9093
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+          admin:
+            urls:
+            - https://basic-0.basic.${NAMESPACE}.svc.cluster.local.:9644
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+          schemaRegistry:
+            urls:
+            - https://basic-0.basic.${NAMESPACE}.svc.cluster.local.:8081
+            tls:
+              caCertSecretRef:
+                name: "basic-default-cert"
+                key: "ca.crt"
+    ```
+    Then Console "console" will be healthy
+    # These steps demonstrate that console is correctly connected to Redpanda (Kafka, Schema Registry, and Admin API).
+    And I exec "curl localhost:8080/api/schema-registry/mode" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"mode":"READWRITE"}
+    ```
+    And I exec "curl localhost:8080/api/topics" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"topics":[{"topicName":"_schemas","isInternal":false,"partitionCount":1,"replicationFactor":1,"cleanupPolicy":"compact","documentation":"NOT_CONFIGURED","logDirSummary":{"totalSizeBytes":117}}]}
+    ```
+    And I exec "curl localhost:8080/api/console/endpoints | grep -o '{[^{}]*DebugBundleService[^{}]*}'" in a Pod matching "app.kubernetes.io/instance=console", it will output:
+    ```
+    {"endpoint":"redpanda.api.console.v1alpha1.DebugBundleService","method":"POST","isSupported":true}
+    ```

acceptance/main_test.go

@@ -68,6 +68,14 @@ var setupSuite = sync.OnceValues(func() (*framework.Suite, error) {
 			CreateNamespace: true,
 			Values: map[string]any{
 				"installCRDs": true,
+				"global": map[string]any{
+					// Make leader election more aggressive as cert-manager appears to
+					// not release it when uninstalled.
+					"leaderElection": map[string]any{
+						"renewDeadline": "10s",
+						"retryPeriod":   "5s",
+					},
+				},
 			},
 		}).
 		OnFeature(func(ctx context.Context, t framework.TestingT, tags ...framework.ParsedTag) {

acceptance/steps/console.go

@@ -0,0 +1,26 @@
+package steps
+
+import (
+	"context"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	framework "github.com/redpanda-data/redpanda-operator/harpoon"
+	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+)
+
+func consoleIsHealthy(ctx context.Context, t framework.TestingT, name string) {
+	key := t.ResourceKey(name)
+
+	t.Logf("Checking console %q is healthy", name)
+	require.Eventually(t, func() bool {
+		var console redpandav1alpha2.Console
+		require.NoError(t, t.Get(ctx, key, &console))
+
+		upToDate := console.Generation == console.Status.ObservedGeneration
+		hasHealthyReplicas := console.Status.ReadyReplicas == console.Status.Replicas
+
+		return upToDate && hasHealthyReplicas
+	}, time.Minute, 10*time.Second)
+}

acceptance/steps/k8s.go

@@ -1,19 +1,25 @@
 package steps
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/cucumber/godog"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/util/jsonpath"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	framework "github.com/redpanda-data/redpanda-operator/harpoon"
 	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
+	"github.com/redpanda-data/redpanda-operator/pkg/kube"
 )
 
 // this is a nasty hack due to the fact that we can't disable the linter for typecheck
@@ -147,3 +153,30 @@ func execJSONPath(ctx context.Context, t framework.TestingT, jsonPath, groupVers
 	}
 	return nil
 }
+
+func iExecInPodMatching(
+	ctx context.Context,
+	t framework.TestingT,
+	cmd,
+	selectorStr string,
+	expected *godog.DocString,
+) {
+	selector, err := labels.Parse(selectorStr)
+	require.NoError(t, err)
+
+	ctl, err := kube.FromRESTConfig(t.RestConfig())
+	require.NoError(t, err)
+
+	pods, err := kube.List[corev1.PodList](ctx, ctl, client.MatchingLabelsSelector{Selector: selector}, client.InNamespace(t.Namespace()))
+	require.NoError(t, err)
+
+	require.True(t, len(pods.Items) > 0, "selector %q found no Pods", selector.String())
+
+	var stdout bytes.Buffer
+	require.NoError(t, ctl.Exec(ctx, &pods.Items[0], kube.ExecOptions{
+		Command: []string{"sh", "-c", cmd},
+		Stdout:  &stdout,
+	}))
+
+	assert.Equal(t, strings.TrimSpace(expected.Content), strings.TrimSpace(stdout.String()))
+}

acceptance/steps/manifest.go

@@ -23,7 +23,17 @@ func iApplyKubernetesManifest(ctx context.Context, t framework.TestingT, manifes
 	file, err := os.CreateTemp("", "manifest-*.yaml")
 	require.NoError(t, err)
 
-	_, err = file.Write([]byte(manifest.Content))
+	content := os.Expand(manifest.Content, func(key string) string {
+		switch key {
+		case "NAMESPACE":
+			return t.Namespace()
+		}
+
+		t.Fatalf("unhandled expansion: %s", key)
+		return "UNREACHABLE"
+	})
+
+	_, err = file.Write([]byte(content))
 	require.NoError(t, err)
 	require.NoError(t, file.Close())
 

acceptance/steps/register.go

@@ -15,6 +15,7 @@ func init() {
 	// General scenario steps
 	framework.RegisterStep(`^cluster "([^"]*)" is available$`, checkClusterAvailability)
 	framework.RegisterStep(`^I apply Kubernetes manifest:$`, iApplyKubernetesManifest)
+	framework.RegisterStep(`^I exec "([^"]+)" in a Pod matching "([^"]+)", it will output:$`, iExecInPodMatching)
 
 	framework.RegisterStep(`^I store "([^"]*)" of Kubernetes object with type "([^"]*)" and name "([^"]*)" as "([^"]*)"$`, recordVariable)
 	framework.RegisterStep(`^the recorded value "([^"]*)" has the same value as "([^"]*)" of the Kubernetes object with type "([^"]*)" and name "([^"]*)"$`, assertVariableValue)
@@ -93,4 +94,7 @@ func init() {
 	framework.RegisterStep(`^I can upgrade to the latest operator with the values:$`, iCanUpgradeToTheLatestOperatorWithTheValues)
 	framework.RegisterStep(`^I install redpanda helm chart version "([^"]*)" with the values:$`, iInstallRedpandaHelmChartVersionWithTheValues)
 	framework.RegisterStep(`^I install local CRDs from "([^"]*)"`, iInstallLocalCRDs)
+
+	// Console scenario steps
+	framework.RegisterStep(`^Console "([^"]+)" will be healthy`, consoleIsHealthy)
 }

charts/console/chart/chart.go

@@ -56,6 +56,10 @@ func DotToState(dot *helmette.Dot) *console.RenderState {
 	values := helmette.Unwrap[Values](dot.Values)
 	templater := &templater{Dot: dot, FauxDot: newFauxDot(dot)}
 
+	if values.RenderValues.Secret.Authentication.JWTSigningKey == "" {
+		values.RenderValues.Secret.Authentication.JWTSigningKey = helmette.RandAlphaNum(32)
+	}
+
 	return &console.RenderState{
 		ReleaseName: dot.Release.Name,
 		Namespace:   dot.Release.Namespace,

charts/console/chart/templates/_chart.chart.tpl

@@ -18,6 +18,9 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $templater := (mustMergeOverwrite (dict "Dot" (coalesce nil) "FauxDot" (coalesce nil)) (dict "Dot" $dot "FauxDot" (get (fromJson (include "chart.newFauxDot" (dict "a" (list $dot)))) "r"))) -}}
+{{- if (eq $values.secret.authentication.jwtSigningKey "") -}}
+{{- $_ := (set $values.secret.authentication "jwtSigningKey" (randAlphaNum (32 | int))) -}}
+{{- end -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (mustMergeOverwrite (dict "ReleaseName" "" "Namespace" "" "Template" (coalesce nil) "CommonLabels" (coalesce nil) "Values" (dict "replicaCount" 0 "nameOverride" "" "commonLabels" (coalesce nil) "fullnameOverride" "" "image" (dict "registry" "" "repository" "" "pullPolicy" "" "tag" "") "imagePullSecrets" (coalesce nil) "automountServiceAccountToken" false "serviceAccount" (dict "create" false "automountServiceAccountToken" false "annotations" (coalesce nil) "name" "") "annotations" (coalesce nil) "podAnnotations" (coalesce nil) "podLabels" (coalesce nil) "podSecurityContext" (dict) "securityContext" (dict) "service" (dict "type" "" "port" 0 "annotations" (coalesce nil)) "ingress" (dict "enabled" false "annotations" (coalesce nil) "hosts" (coalesce nil) "tls" (coalesce nil)) "resources" (dict) "autoscaling" (dict "enabled" false "minReplicas" 0 "maxReplicas" 0 "targetCPUUtilizationPercentage" (coalesce nil)) "nodeSelector" (coalesce nil) "tolerations" (coalesce nil) "affinity" (dict) "topologySpreadConstraints" (coalesce nil) "priorityClassName" "" "config" (coalesce nil) "extraEnv" (coalesce nil) "extraEnvFrom" (coalesce nil) "extraVolumes" (coalesce nil) "extraVolumeMounts" (coalesce nil) "extraContainers" (coalesce nil) "initContainers" (dict "extraInitContainers" (coalesce nil)) "secretMounts" (coalesce nil) "secret" (dict "create" false "kafka" (dict) "authentication" (dict "jwtSigningKey" "" "oidc" (dict)) "license" "" "redpanda" (dict "adminApi" (dict)) "serde" (dict) "schemaRegistry" (dict)) "livenessProbe" (dict) "readinessProbe" (dict) "configmap" (dict "create" false) "deployment" (dict "create" false) "strategy" (dict))) (dict "ReleaseName" $dot.Release.Name "Namespace" $dot.Release.Namespace "Values" $values "Template" (list "chart.templater.Template" $templater) "CommonLabels" (dict "helm.sh/chart" (get (fromJson (include "chart.ChartLabel" (dict "a" (list $dot)))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/version" $dot.Chart.AppVersion)))) | toJson -}}
 {{- break -}}