operator: Require Redpanda license for stretch cluster

Author: RafalKorepta

go.work.sum

@@ -23,8 +23,6 @@ buf.build/gen/go/redpandadata/common/connectrpc/go v1.16.2-20240508150812-e0d0fb
 buf.build/gen/go/redpandadata/common/connectrpc/go v1.18.1-20240917150400-3f349e63f44a.1 h1:EPRfGAJDTnM3J3MPGMPEs+HBezpiE/8lTWB3kdlQTGI=
 buf.build/gen/go/redpandadata/common/connectrpc/go v1.18.1-20240917150400-3f349e63f44a.1/go.mod h1:ZNgPT3k1W0p+EkMibCzOqoHOhNDi1ym6RH7/kGEHeKE=
 buf.build/gen/go/redpandadata/common/protocolbuffers/go v1.34.2-20240715174743-9c0afe867874.2/go.mod h1:wThyg02xJx4K/DA5fg0QlKts8XVPyTT86JC8hPfEzno=
-buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.11-20260108182238-df92733e0119.1 h1:Hpbojb8tNZa89EzngrN24YIC1cAqV6cmHfRlbvOoOGo=
-buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.11-20260108182238-df92733e0119.1/go.mod h1:5sjUVquVwNxt3Q/EhE/UW0BBJ5sgPiaVTw8//wxRULI=
 buf.build/gen/go/redpandadata/dataplane/connectrpc/go v1.16.2-20240620104934-3415ce922cfb.1/go.mod h1:R0DNyd3sxZqaTQrcjSgGaJqHndFCf3kKHBbXgKYzKDY=
 buf.build/gen/go/redpandadata/dataplane/protocolbuffers/go v1.34.2-20240620104934-3415ce922cfb.2/go.mod h1:AcLjVYZHtwlZvBrjuqyjtZtHv9BbDaHD6C92lO/gJFI=
 buf.build/gen/go/redpandadata/dataplane/protocolbuffers/go v1.36.2-20250404200318-65f29ddd7b29.1/go.mod h1:zTNjffbkXs9K5/sbSlagide7l0hSTs+Oa1j39yENO8M=
@@ -1050,6 +1048,7 @@ github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwT
 github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
 github.com/Microsoft/hcsshim v0.9.3/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
+github.com/Microsoft/hcsshim v0.11.7 h1:vl/nj3Bar/CvJSYo7gIQPyRWc9f3c6IeSNavBTSZNZQ=
 github.com/Microsoft/hcsshim v0.11.7/go.mod h1:MV8xMfmECjl5HdO7U/3/hFVnkmSBjAjmA09d4bExKcU=
 github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
 github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
@@ -3586,8 +3585,6 @@ google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/
 google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v1 v1.3.7/go.mod h1:vs0oy7ub8knYaut5kITUTmx/WeE4xRuEeOR34yEAWEA=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=

operator/chart/README.md

@@ -144,6 +144,22 @@ Specifies whether to install experimental CRDs. If this is true both experimenta
 
 **Default:** `false`
 
+### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=enterprise)
+
+Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+
+**Default:**
+
+```
+{"licenseSecretRef":{"key":""}}
+```
+
+### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=enterprise.licenseSecretRef)
+
+Secret name and key where the license key is stored.
+
+**Default:** `{"key":""}`
+
 ### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=fullnameOverride)
 
 Overrides the `redpanda-operator.fullname` template.

operator/chart/deployment.go

@@ -42,6 +42,8 @@ const (
 	DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
 
 	webhookCertificatePath = "/tmp/k8s-webhook-server/serving-certs"
+
+	licenseFilePath = "/redpanda/license"
 )
 
 func Deployment(dot *helmette.Dot) *appsv1.Deployment {
@@ -224,6 +226,19 @@ func operatorPodVolumes(dot *helmette.Dot) []corev1.Volume {
 		serviceAccountTokenVolume(),
 	}
 
+	if values.Enterprise.LicenseSecretRef != nil &&
+		!helmette.Empty(values.Enterprise.LicenseSecretRef.Name) {
+		vol = append(vol, corev1.Volume{
+			Name: "license",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					DefaultMode: ptr.To(int32(420)),
+					SecretName:  values.Enterprise.LicenseSecretRef.Name,
+				},
+			},
+		})
+	}
+
 	if !values.Webhook.Enabled {
 		return vol
 	}
@@ -304,6 +319,15 @@ func operatorPodVolumesMounts(dot *helmette.Dot) []corev1.VolumeMount {
 
 	volMount := []corev1.VolumeMount{serviceAccountTokenVolumeMount()}
 
+	if values.Enterprise.LicenseSecretRef != nil &&
+		!helmette.Empty(values.Enterprise.LicenseSecretRef.Name) {
+		volMount = append(volMount, corev1.VolumeMount{
+			Name:      "license",
+			MountPath: licenseFilePath,
+			ReadOnly:  true,
+		})
+	}
+
 	if !values.Webhook.Enabled {
 		return volMount
 	}
@@ -337,6 +361,15 @@ func operatorArguments(dot *helmette.Dot) []string {
 		"--enable-vectorized-controllers": fmt.Sprintf("%t", values.VectorizedControllers.Enabled),
 	}
 
+	if values.Enterprise.LicenseSecretRef != nil &&
+		!helmette.Empty(values.Enterprise.LicenseSecretRef.Name) {
+		if values.Enterprise.LicenseSecretRef.Key != "" {
+			defaults["--license-file-path"] = fmt.Sprintf("%s/%s", licenseFilePath, values.Enterprise.LicenseSecretRef.Key)
+		} else {
+			defaults["--license-file-path"] = fmt.Sprintf("%s/%s", licenseFilePath, values.Enterprise.LicenseSecretRef.Name)
+		}
+	}
+
 	if values.Webhook.Enabled {
 		defaults["--webhook-cert-path"] = webhookCertificatePath
 	}

operator/chart/templates/_deployment.go.tpl

@@ -112,6 +112,9 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $vol := (list (get (fromJson (include "operator.serviceAccountTokenVolume" (dict "a" (list)))) "r")) -}}
+{{- if (and (ne (toJson $values.enterprise.licenseSecretRef) "null") (not (empty $values.enterprise.licenseSecretRef.name))) -}}
+{{- $vol = (concat (default (list) $vol) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "defaultMode" ((420 | int) | int) "secretName" $values.enterprise.licenseSecretRef.name)))) (dict "name" "license")))) -}}
+{{- end -}}
 {{- if (not $values.webhook.enabled) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" $vol) | toJson -}}
@@ -148,6 +151,9 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $volMount := (list (get (fromJson (include "operator.serviceAccountTokenVolumeMount" (dict "a" (list)))) "r")) -}}
+{{- if (and (ne (toJson $values.enterprise.licenseSecretRef) "null") (not (empty $values.enterprise.licenseSecretRef.name))) -}}
+{{- $volMount = (concat (default (list) $volMount) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "license" "mountPath" "/redpanda/license" "readOnly" true)))) -}}
+{{- end -}}
 {{- if (not $values.webhook.enabled) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" $volMount) | toJson -}}
@@ -166,6 +172,13 @@
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
 {{- $defaults := (dict "--health-probe-bind-address" ":8081" "--metrics-bind-address" ":8443" "--leader-elect" "" "--enable-console" "true" "--log-level" $values.logLevel "--webhook-enabled" (printf "%t" $values.webhook.enabled) "--configurator-tag" (get (fromJson (include "operator.containerTag" (dict "a" (list $dot)))) "r") "--configurator-base-image" $values.image.repository "--enable-vectorized-controllers" (printf "%t" $values.vectorizedControllers.enabled)) -}}
+{{- if (and (ne (toJson $values.enterprise.licenseSecretRef) "null") (not (empty $values.enterprise.licenseSecretRef.name))) -}}
+{{- if (ne $values.enterprise.licenseSecretRef.key "") -}}
+{{- $_ := (set $defaults "--license-file-path" (printf "%s/%s" "/redpanda/license" $values.enterprise.licenseSecretRef.key)) -}}
+{{- else -}}
+{{- $_ := (set $defaults "--license-file-path" (printf "%s/%s" "/redpanda/license" $values.enterprise.licenseSecretRef.name)) -}}
+{{- end -}}
+{{- end -}}
 {{- if $values.webhook.enabled -}}
 {{- $_ := (set $defaults "--webhook-cert-path" "/tmp/k8s-webhook-server/serving-certs") -}}
 {{- end -}}