Stage console, redpanda, and operator releases (#1194) (#1195)

This stages the releases for Console 3.3.0, Redpanda 25.2.1, and Operator 25.2.1 charts. As upstream Console changed some its Go versioning and requires go 1.25, this also updates our go version and all of the nix tooling that is involved.

(cherry picked from commit 71dada0)

Co-authored-by: Andrew Stucki <[email protected]>

Author: github-actions[bot]

.changes/charts/console/v3.3.0.md

@@ -0,0 +1,3 @@
+## [v3.3.0](https://github.com/redpanda-data/redpanda-operator/releases/tag/charts%2Fconsole%2Fv3.3.0) - 2025-12-02
+### Changed
+* Bump console chart version with new release of Console.

.changes/charts/redpanda/v25.2.1.md

@@ -0,0 +1,149 @@
+## [v25.2.1](https://github.com/redpanda-data/redpanda-operator/releases/tag/charts%2Fredpanda%2Fv25.2.1) - 2025-12-02
+### Added
+* Added a chart wide `podTemplate` field which may be used to control Pod attributes chart wide.
+
+  This field has a lower precedence than `statefulset.podTemplate` and
+  `post_install_job.podTemplate` but will still be merged with them.
+* `podTemplate`, `statefulset.podTemplate`, and `post_install_job.podTemplate` may now contain template expressions **with in string fields**
+
+  To compensate for some of the functionality that was lost with the removal of
+  fields like `extraVolumes`, we've upgraded `podTemplate` fields to support
+  templating. Rather than allowing full control over a structured value, we've
+  reduced the scope to only string fields. This is significantly more
+  maintainable and less error prone.
+
+  As an example, the below snippet will apply the release name as an annotation
+  to all Pods created by the chart.
+
+  ```yaml
+  podTemplate:
+    annotations:
+      "keys-cannot-be-templated": '{{ .Release.Name }}' # But values can!
+  ```
+
+  See `values.yaml` for additional examples.
+* statefulset.initContainers.configurator.additionalCLIArgs is added to the helm values, to enable the init container to construct an external secret evaluator.
+
+In the v2 operator, this value is defaulted from the operator's settings.
+### Changed
+* Promoted the config-watcher sidecar into a real go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally the new sidecar subsumes the behavior of the `statefulset.sideCars.controllers` stanza which should now be specified via their own `enabled` flags.
+* `clusterDomain` now defaults to `cluster.local.` (A trialing `.` has been added) and the chart no longer adds trailing `.`'s to internal domains.
+
+  For users not experiencing issues with trailing `.`'s this change has no
+  effect. For users that have had issues with trailing `.`'s, it's now possible
+  to opt-out of this behavior by explicitly setting `clusterDomain` to `cluster.local`.
+
+  For users that override `clusterDomain`, copied a previous releases
+  values.yaml, or use the `--reuse-values` flag, trailing `.`'s will be tripped
+  from domains upon updating. This behavior may be opted into by appending a
+  `.` to `clusterDomain` prior to upgrading.
+* Bump AppVersion to v24.3.6 Redpanda release
+* Bump Redpanda operator side car container tag to `v2.3.7-24.3.6`.
+* `values.schema.json` is now "closed" (`additionalProperties: false`)
+
+  Any unexpected values will result in a validation error,previously they would
+  have been ignored.
+* Update Console depedency to latest version with breaking change. Please visit Console change-log.
+* The name of the container running redpanda is now always set to `redpanda`.
+* bumped `appVersion` to [v25.1.1](https://github.com/redpanda-data/redpanda/releases/tag/v25.1.1).
+* `serviceAccount.create` now defaults to `true`.
+
+  The previous behavior resulted in using the `default` service account and
+  extending it with all bindings generated from the chart. Such behavior is
+  unlikely to be desired.
+* `rpk debug bundle --namespace $NAMESPACE` now works by default.
+
+  The chart now creates a set of `Roles` and `RoleBindings` that satisfy the
+  requirements of running `rpk debug bundle` from any redpanda Pod. These
+  permissions may be disabled by specifying `rbac.rpkDebugBundle=false`.
+
+  Additionally, the redpanda container now always has a Kubernetes
+  ServiceAccount token mounted to it to ensure `rpk debug bundle` can be
+  executed successfully.
+* Update Console depedency to latest version `v3.1.0`. Please visit Console change-log.
+* The generated bootstrap user password secret is now immutable. It was always intended to be a single-time generation, and now that is enforced at the Kubernetes API layer.
+* Cluster configuration syncing now sends the entire config instead of a minimal patch
+
+  Due to numerous divergences in how the operator, redpanda and their
+  respective underlying YAML serde libraries handle marshalling data, computing
+  a minimal diff has generally resulted in nasty bugs not worth the few bytes
+  and CPU cycles we were initially trying to save.
+* The console integration (`console.enabled=true`) now uses the chart managed bootstrap user rather than the first user from `auth.sasl.users`.
+* Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+### Deprecated
+* `.statefulset.sidecars.controllers.image` is now deprecated. It may be specified but will not be respected. Use `.statefulset.sidecars.image` instead.
+* - `statefulset.sideCars.controllers.createRBAC` is deprecated and no longer respected. In most cases, setting this field to `false` would result in a broken deployment. RBAC may be controlled via `rbac.enabled` or per controller via `statefulset.sideCars.controllers.{pvcUnbinder,brokerDecommissioner}.enabled`.
+* `statefulset.sideCars.controllers.run` has been unused for many releases and is now deprecated. Individual controllers may be enabled/disabled by setting their enabled field: `statefulset.sideCars.pvcUnbinder.enabled`, `statefulset.sideCars.brokerDecommissioner.enabled`.
+### Removed
+* Connectors sub-chart integration.
+
+  The connectors chart may still be deployed separately, though it is not
+  officially support. If possible, it is recommended to migrate to redpanda
+  connect.
+* Removed the deprecated fields `license_key` and `license_secret_ref` in favor
+of `enterprise.license` and `enterprise.licenseSecretRef`, respectively.
+* `statefulset.securityContext`, `statefulset.sideCars.configWatcher.securityContext` have been removed.
+
+  These fields previously served as both PodSecurityContext and SecurityContext
+  across the entire chart which led to confusing semantics that couldn't be
+  fixed without breaking backwards compatiblity.
+
+  The top level `podTemplate` field may be used to control
+  PodSecurityContexts and SecurityContexts across the chart.
+* Fields that would be better served through `podTemplate` have been removed in favor of using `podTemplate`.
+
+  Removed fields:
+  - `nodeSelector` -> `podTemplate.spec.nodeSelector`
+  - `affinity` -> `podTemplate.spec.affinity`
+  - `tolerations` -> `podTemplate.spec.tolerations`
+  - `imagePullSecrets` -> `podTemplate.spec.imagePullSecrets`
+  - `statefulset.annotations` -> `statefulset.podTemplate.annotations`
+  - `statefulset.startupProbe` -> `statefulset.podTemplate.spec.containers[0].startupProbe`
+  - `statefulset.livenessProbe` -> `statefulset.podTemplate.spec.containers[0].livenessProbe`
+  - `statefulset.readinessProbe` -> `statefulset.podTemplate.spec.containers[1].readinessProbe`
+  - `statefulset.podAffinity` -> `statefulset.podTemplate.spec.affinity.podAffinity`
+  - `statefulset.nodeSelector` -> `statefulset.podTemplate.spec.nodeSelector`
+  - `statefulset.priorityClassName` -> `statefulset.podTemplate.spec.priorityClassName`
+  - `statefulset.tolerations` -> `statefulset.podTemplate.spec.tolerations`
+  - `statefulset.topologySpreadConstraints` -> `statefulset.podTemplate.spec.topologySpreadConstraints`
+  - `statefulset.terminationGracePeriodSeconds` -> `statefulset.podTemplate.spec.terminationGracePeriodSeconds`
+  - `statefulset.extraVolumes` -> `statefulset.podTemplate.spec.volumes`
+  - `statefulset.extraVolumesMounts` -> `statefulset.podTemplate.spec.containers[*].volumeMounts`
+  - `statefulset.initContainers.*.extraVolumesMounts` -> `statefulset.podTemplate.spec.initContainers[*].volumeMounts`
+  - `statefulset.initContainers.*.resources` -> `statefulset.podTemplate.spec.initContainers[*].resources`
+  - `statefulset.initContainers.extraInitContainers` -> `statefulset.podTemplate.spec.initContainers`
+  - `statefulset.sidecars.configWatcher.extraVolumeMounts` -> `statefulset.podTemplate.spec.containers[*].volumeMounts`
+  - `statefulset.sidecars.configWatcher.resources` -> `statefulset.podTemplate.spec.containers[*].resources`
+  - `statefulset.sidecars.configWatcher.securityContext` -> `statefulset.podTemplate.spec.containers[*].securityContext`
+  - `statefulset.sidecars.controllers.resources` -> `statefulset.podTemplate.spec.containers[*].resources`
+  - `statefulset.sidecars.controllers.securityContext` -> `statefulset.podTemplate.spec.containers[*].securityContext`
+  - `statefulset.sidecars.extraVolumeMounts` -> `statefulset.podTemplate.spec.containers[*].volumeMounts`
+  - `statefulset.sidecars.resources` -> `statefulset.podTemplate.spec.containers[*].resources`
+  - `statefulset.sidecars.securityContext` -> `statefulset.podTemplate.spec.containers[*].securityContext`
+* Removed regex validation of all image tags.
+* The unrespected`kafkaEndpoint` listener parameter has been removed from `values.yaml`
+### Fixed
+* Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
+  When Redpanda custom resource has enabled RBAC the reconciliation was blocked due
+  ClusterRoleBinding referencing not yet created ClusterRole.
+
+* Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.
+* Prevent broker nodes from restarting when solely the cluster replica amount changes
+* `authentication_method` is no longer set on `http_api` as redpanda itself does not support authentication on the http API.
+* Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
+* Broken `Issuer`s and `Certificate`s are no longer needlessly generated when `tls.<cert>.issuerRef` is provided.
+* Fixed the security contexts' of `set-datadir-ownership` and `set-tiered-storage-cache-dir-ownership`.
+* The `schema_registry_client` and `pandaproxy_client` stanzas of `redpanda.yaml`
+  now respect `listeners.kafka.tls.trustStore`, when provided.
+  See also [helm-chart 1573 issue](https://github.com/redpanda-data/helm-charts/issues/1573).
+
+* Corrected naming of `Role`s to use Fullname instead of Name, which ensures they are unique within their namespace.
+* Updated naming of `ClusterRole`s to include the release namespace. This ensures that they are unique per release and permits installing the chart with the same name across different namespaces.
+* Crashes from the Sidecar container (e.g. due to a temporary API Server outage) no longer forcefully restart the redpanda container.
+* `ClusterRole`s for the PVCUnbinder and BrokerDecommissioner are now enabled / disabled when their respective controller is enabled / disabled.
+
+  Previously `ClusterRole`s were always generated and could only be disabled by setting `.statefulset.sideCars.controllers.createRBAC=false` which rendered the sidecar inoperable.
+* Cluster configuration synchronization now correctly handles aliased keys such as `schema_registry_normalize_on_startup`.
+* `statefulset.podTemplate.spec.volumes` can now be used to override chart generated volumes.
+* Fix a bug with the way the config-watcher sidecar syncs users. The Kubernetes mechanism for writing out a changed secret is involves re-creating a symlink in the secrets directory that points to the mounted secret. Previously the config-watcher only detected changes to the entire directory and could potentially miss syncs, this resyncs everything anytime the symlink is recreated. 
+* mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.

.changes/operator/v25.2.1.md

@@ -0,0 +1,18 @@
+## [v25.2.1](https://github.com/redpanda-data/redpanda-operator/releases/tag/operator%2Fv25.2.1) - 2025-12-02
+### Added
+* Roles can be declaratively managed using RedpandaRole CRD
+* Add experimental support for node pools. To enable node pool support you must install the experimental NodePool CRDs and run the controller with the --enable-v2-nodepools flag.
+* Added a new `Console` CRD for managing a [Redpanda Console](https://github.com/redpanda-data/console/) deployments. For examples, see [`acceptance/features/console.feature`](../acceptance/features/console.feature).
+* Added `status.managedPrincipals` field to RedpandaRole CRD to track whether the operator is managing role membership. The operator now properly reconciles membership changes when spec.principals is updated, including adding, removing, or clearing all principals.
+### Changed
+* By default, the operator now reconciles resources (`Redpanda`, `Topic`, etc) across _all namespaces_.
+
+  The `--namespace` flag may be used to scope the operator's watches to a single namespace.
+* Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+### Deprecated
+* The Redpanda console stanza (`.spec.clusterSpec.console`) is now deprecated in favor of the stand-alone Console CRD.
+* Deprecated various fields in multiple CRDs for `kafka`, `adminAPI`, and `schemaRegistry` under the static configuration of `clusterSource` so that various fields that were only specifiable via an in-cluster secret can now be pulled via either external secret provider, in-cluster secret, config map, or inlined value.
+* The entirety of the `spec.clusterSpec.console` block in the Redpanda CR is now deprecated and will be removed in the future. Any Redpanda CR that contains one will automatically be migrated to a standalone Console CR with a back reference to the parent Redpanda CR. Note that these will *not* be automatically deleted when the `console` stanza is removed or when the parent Redpanda CR is deleted.
+### Fixed
+* Fix a bug with the way the config-watcher sidecar syncs users. The Kubernetes mechanism for writing out a changed secret is involves re-creating a symlink in the secrets directory that points to the mounted secret. Previously the config-watcher only detected changes to the entire directory and could potentially miss syncs, this resyncs everything anytime the symlink is recreated. 
+* mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.