redpanda-data · andrewstucki · Oct 2, 2025
@@ -0,0 +1,28 @@
+apiVersion: redpanda.vectorized.io/v1alpha1
+kind: Cluster
+metadata:
+  name: basic
+spec:
+  image: "redpandadata/redpanda"
+  version: "v25.2.1"
+  replicas: 1
+  resources:
+    requests:
+      cpu: "100m"
+      memory: 256Mi
+    limits:
+      cpu: "100m"
+      memory: 256Mi
+  configuration:
+    rpcServer:
+      port: 33145
+    kafkaApi:
+      - port: 9092
+    adminApi:
+      - port: 9644
+    schemaRegistryApi:
+      - port: 8081
+    developerMode: true
+    additionalCommandlineArguments:
+      dump-memory-diagnostics-on-alloc-failure-kind: all
+      abort-on-seastar-bad-alloc: ''
@@ -21,6 +21,8 @@ spec:
       - port: 9092
     adminApi:
       - port: 9644
+    schemaRegistryApi:
+      - port: 8081
     developerMode: true
     additionalCommandlineArguments:
       dump-memory-diagnostics-on-alloc-failure-kind: all

@@ -0,0 +1,100 @@
+@cluster:vectorized/basic
+Feature: Vectorized Schema CRDs
+  Background: Vectorized Cluster available
+    Given vectorized cluster "basic" is available
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage customer profile vectorized schema (Avro)
+    Given there is no schema "customer-profile" in vectorized cluster "basic"
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Schema
+    metadata:
+      name: customer-profile
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: basic
+      schemaType: avro
+      compatibilityLevel: Backward
+      text: |
+        {
+          "type": "record",
+          "name": "CustomerProfile",
+          "fields": [
+            { "type": "string", "name": "customer_id" },
+            { "type": "string", "name": "name" },
+            { "type": "int", "name": "age" }
+          ]
+        }
+    """
+    And schema "customer-profile" is successfully synced
+    Then I should be able to check compatibility against "customer-profile" in vectorized cluster "basic"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage product catalog vectorized schema (Protobuf)
+    Given there is no schema "product-catalog" in vectorized cluster "basic"
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Schema
+    metadata:
+      name: product-catalog
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: basic
+      schemaType: protobuf
+      compatibilityLevel: Backward
+      text: |
+        syntax = "proto3";
+
+        message Product {
+          int32 product_id = 1;
+          string product_name = 2;
+          double price = 3;
+          string category = 4;
+        }
+    """
+    And schema "product-catalog" is successfully synced
+    Then I should be able to check compatibility against "product-catalog" in vectorized cluster "basic"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage order event vectorized schema (JSON)
+    Given there is no schema "order-event" in vectorized cluster "basic"
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Schema
+    metadata:
+      name: order-event
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: basic
+      schemaType: json
+      compatibilityLevel: None
+      text: |
+        {
+          "$schema": "http://json-schema.org/draft-07/schema#",
+          "type": "object",
+          "properties": {
+            "order_id": { "type": "string" },
+            "total": { "type": "number" }
+          },
+          "required": ["order_id", "total"],
+          "additionalProperties": false
+        }
+    """
+    And schema "order-event" is successfully synced
+    Then I should be able to check compatibility against "order-event" in vectorized cluster "basic"
@@ -0,0 +1,26 @@
+@cluster:vectorized/basic
+Feature: Vectorized Topic CRDs
+  Background: Vectorized Cluster available
+    Given vectorized cluster "basic" is available
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage vectorized topics
+    Given there is no topic "topic1" in vectorized cluster "basic"
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Topic
+    metadata:
+      name: topic1
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: basic
+      partitions: 1
+      replicationFactor: 1
+    """
+    And topic "topic1" is successfully synced
+    Then I should be able to produce and consume from "topic1" in vectorized cluster "basic"
@@ -0,0 +1,87 @@
+@cluster:vectorized/sasl
+Feature: Vectorized User CRDs
+  Background: Vectorized Cluster available
+    Given vectorized cluster "sasl" is available
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage vectorized users
+    Given there is no user "bob" in vectorized cluster "sasl"
+    And there is no user "james" in vectorized cluster "sasl"
+    And there is no user "alice" in vectorized cluster "sasl"
+    When I create CRD-based users for vectorized cluster "sasl":
+      | name  | password | mechanism     | acls |
+      | bob   |          | SCRAM-SHA-256 |      |
+      | james |          | SCRAM-SHA-512 |      |
+      | alice | qwerty   | SCRAM-SHA-512 |      |
+    Then "bob" should exist and be able to authenticate to the vectorized "sasl" cluster
+    And "james" should exist and be able to authenticate to the vectorized "sasl" cluster
+    And "alice" should exist and be able to authenticate to the vectorized "sasl" cluster
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage authentication-only vectorized users
+    Given there is no user "jason" in vectorized cluster "sasl"
+    And there are already the following ACLs in vectorized cluster "sasl":
+      | user   | acls |
+      | jason  | [{"type":"allow","resource":{"type":"cluster"},"operations":["Read"]}] |
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: User
+    metadata:
+      name: jason
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: sasl
+      authentication:
+        type: scram-sha-512
+        password:
+          valueFrom:
+            secretKeyRef:
+              name: jason-password
+              key: password
+    """
+    And user "jason" is successfully synced
+    And I delete the CRD user "jason"
+    Then there should be ACLs in the vectorized cluster "sasl" for user "jason"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Manage authorization-only vectorized users
+    Given there are the following pre-existing users in vectorized cluster "sasl"
+      | name    | password | mechanism     |
+      | travis  | password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: User
+    metadata:
+      name: travis
+    spec:
+      cluster:
+        clusterRef:
+          group: redpanda.vectorized.io
+          kind: Cluster
+          name: sasl
+      authentication:
+        type: scram-sha-512
+        password:
+          valueFrom:
+            secretKeyRef:
+              name: travis-password
+              key: password
+      authorization:
+        acls:
+        - type: allow
+          resource:
+            type: topic
+            name: some-topic
+            patternType: prefixed
+          operations: [Read]
+    """
+    And user "travis" is successfully synced
+    And I delete the CRD user "travis"
+    Then "travis" should be able to authenticate to the vectorized "sasl" cluster with password "password" and mechanism "SCRAM-SHA-256"
@@ -137,6 +137,10 @@ func ClusterTag(ctx context.Context, t framework.TestingT, args ...string) conte
 	require.Greater(t, len(args), 0, "clusters tags can only be used with additional arguments")
 	name := args[0]
 
+	if variant := t.Variant(); variant != "" {
+		name = filepath.Join(variant, name)
+	}
+
 	t.Logf("Installing cluster %q", name)
 	t.ApplyManifest(ctx, filepath.Join("clusters", name))
 	t.Logf("Finished installing cluster %q", name)

@@ -13,7 +13,6 @@ import (
 	"context"
 	"fmt"
 	"math/rand/v2"
-	"strings"
 	"time"
 
 	"github.com/redpanda-data/common-go/rpadmin"
@@ -29,9 +28,7 @@ import (
 )
 
 func checkClusterAvailability(ctx context.Context, t framework.TestingT, version, clusterName string) {
-	version = strings.TrimSpace(version)
-
-	if version == "vectorized" {
+	if getVersion(t, version) == "vectorized" {
 		checkV1ClusterAvailability(ctx, t, clusterName)
 		return
 	}

@@ -199,10 +199,15 @@ func (c *clusterClients) checkSchema(ctx context.Context, schema string, exists
 		t.Logf("Pulling list of schema subjects from cluster")
 		schemaRegistry := c.SchemaRegistry(ctx)
 		subjects, err = schemaRegistry.Subjects(ctx)
-		require.NoError(t, err)
+		if err != nil {
+			// just retry on error, sometimes v1 stuff is slow to come up even after
+			// the broker is marked as healthy
+			return false
+		}
 
 		return exists == slices.Contains(subjects, schema)
 	}, 10*time.Second, 1*time.Second, message) {
+		require.NoError(t, err)
 		t.Errorf("Final list of schema subjects: %v", subjects)
 	}
 }
@@ -293,7 +298,7 @@ func (c *clusterClients) checkRole(ctx context.Context, role string, exists bool
 }
 
 func versionedClientsForCluster(ctx context.Context, version, cluster string) *clusterClients {
-	version = strings.TrimSpace(version)
+	version = getVersion(framework.T(ctx), version)
 
 	framework.T(ctx).Logf("Got versioned cluster %q", version)
 
@@ -392,7 +397,7 @@ func v1ClientsForCluster(ctx context.Context, cluster string) *clusterClients {
 	return clients
 }
 
-func usersFromACLTable(t framework.TestingT, cluster string, table *godog.Table) []*redpandav1alpha2.User {
+func usersFromACLTable(t framework.TestingT, version, cluster string, table *godog.Table) []*redpandav1alpha2.User {
 	var users []*redpandav1alpha2.User
 
 	for i, row := range table.Rows {
@@ -404,13 +409,13 @@ func usersFromACLTable(t framework.TestingT, cluster string, table *godog.Table)
 		name, acls := row.Cells[0].Value, row.Cells[1].Value
 		name, acls = strings.TrimSpace(name), strings.TrimSpace(acls)
 
-		users = append(users, userFromRow(t, cluster, name, "", "", acls))
+		users = append(users, userFromRow(t, version, cluster, name, "", "", acls))
 	}
 
 	return users
 }
 
-func usersFromAuthTable(t framework.TestingT, cluster string, table *godog.Table) []*redpandav1alpha2.User {
+func usersFromAuthTable(t framework.TestingT, version, cluster string, table *godog.Table) []*redpandav1alpha2.User {
 	var users []*redpandav1alpha2.User
 
 	for i, row := range table.Rows {
@@ -422,13 +427,13 @@ func usersFromAuthTable(t framework.TestingT, cluster string, table *godog.Table
 		name, password, mechanism := row.Cells[0].Value, row.Cells[1].Value, row.Cells[2].Value
 		name, password, mechanism = strings.TrimSpace(name), strings.TrimSpace(password), strings.TrimSpace(mechanism)
 
-		users = append(users, userFromRow(t, cluster, name, password, mechanism, ""))
+		users = append(users, userFromRow(t, version, cluster, name, password, mechanism, ""))
 	}
 
 	return users
 }
 
-func usersFromFullTable(t framework.TestingT, cluster string, table *godog.Table) []*redpandav1alpha2.User {
+func usersFromFullTable(t framework.TestingT, version, cluster string, table *godog.Table) []*redpandav1alpha2.User {
 	var users []*redpandav1alpha2.User
 
 	for i, row := range table.Rows {
@@ -440,13 +445,15 @@ func usersFromFullTable(t framework.TestingT, cluster string, table *godog.Table
 		name, password, mechanism, acls := row.Cells[0].Value, row.Cells[1].Value, row.Cells[2].Value, row.Cells[3].Value
 		name, password, mechanism, acls = strings.TrimSpace(name), strings.TrimSpace(password), strings.TrimSpace(mechanism), strings.TrimSpace(acls)
 
-		users = append(users, userFromRow(t, cluster, name, password, mechanism, acls))
+		users = append(users, userFromRow(t, version, cluster, name, password, mechanism, acls))
 	}
 
 	return users
 }
 
-func userFromRow(t framework.TestingT, cluster, name, password, mechanism, acls string) *redpandav1alpha2.User {
+func userFromRow(t framework.TestingT, version, cluster, name, password, mechanism, acls string) *redpandav1alpha2.User {
+	version = getVersion(t, version)
+
 	user := &redpandav1alpha2.User{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: t.Namespace(),
@@ -460,6 +467,12 @@ func userFromRow(t framework.TestingT, cluster, name, password, mechanism, acls
 			},
 		},
 	}
+
+	if version == "vectorized" {
+		user.Spec.ClusterSource.ClusterRef.Group = ptr.To("redpanda.vectorized.io")
+		user.Spec.ClusterSource.ClusterRef.Kind = ptr.To("Cluster")
+	}
+
 	if mechanism != "" || password != "" {
 		user.Spec.Authentication = &redpandav1alpha2.UserAuthenticationSpec{
 			Type: ptr.To(redpandav1alpha2.SASLMechanism(mechanism)),
@@ -619,3 +632,12 @@ func removeAllFinalizers(ctx context.Context, t framework.TestingT, gvk schema.G
 		}
 	}
 }
+
+func getVersion(t framework.TestingT, version string) string {
+	version = strings.TrimSpace(version)
+	if version != "" {
+		return version
+	}
+
+	return t.Variant()
+}