diff --git a/.changes/unreleased/operator-Deprecated-20251111-122215.yaml b/.changes/unreleased/operator-Deprecated-20251111-122215.yaml new file mode 100644 index 000000000..5d27c0326 --- /dev/null +++ b/.changes/unreleased/operator-Deprecated-20251111-122215.yaml @@ -0,0 +1,4 @@ +project: operator +kind: Deprecated +body: Deprecated various fields in multiple CRDs for `kafka`, `adminAPI`, and `schemaRegistry` under the static configuration of `clusterSource` so that various fields that were only specifiable via an in-cluster secret can now be pulled via either external secret provider, in-cluster secret, config map, or inlined value. +time: 2025-11-11T12:22:15.813496-05:00 diff --git a/acceptance/steps/helpers.go b/acceptance/steps/helpers.go index e17ffed68..beb7fe975 100644 --- a/acceptance/steps/helpers.go +++ b/acceptance/steps/helpers.go @@ -370,7 +370,7 @@ func clientsForCluster(ctx context.Context, cluster string) *clusterClients { t.Logf("Created fake user %q looking for cluster %q in namespace %q", referencer.Name, cluster, t.Namespace()) t.Logf("Fake user cluster ref: name=%q", referencer.Spec.ClusterSource.ClusterRef.Name) - factory := client.NewFactory(t.RestConfig(), t).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext) + factory := client.NewFactory(t.RestConfig(), t, nil).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext) clients := &clusterClients{ resourceTarget: referencer, 
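Review bot: The bare `nil` now passed as the third argument to `client.NewFactory` in `clientsForCluster` (and again in `v1ClientsForCluster` in the next hunk) gives no hint of what is being switched off; the parameter's type is not visible in this diff. If it is the resolver for externally sourced credentials, as the changelog entry in this commit suggests, then these acceptance helpers never exercise that path and the call should say so. I would add a comment above it such as `// nil: no external secret provider; acceptance clusters resolve credentials from in-cluster sources only`. Both functions start and end outside their hunks.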
@@ -415,7 +415,7 @@ func v1ClientsForCluster(ctx context.Context, cluster string) *clusterClients { t.Logf("Created fake user %q looking for cluster %q in namespace %q", referencer.Name, cluster, t.Namespace()) t.Logf("Fake v1 user cluster ref: name=%q", referencer.Spec.ClusterSource.ClusterRef.Name) - factory := client.NewFactory(t.RestConfig(), t).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext) + factory := client.NewFactory(t.RestConfig(), t, nil).WithDialer(kube.NewPodDialer(t.RestConfig()).DialContext) clients := &clusterClients{ resourceTarget: referencer, diff --git a/charts/console/chart/templates/_console.config.tpl b/charts/console/chart/templates/_console.config.tpl index 8531a4da1..ee7346e96 100644 --- a/charts/console/chart/templates/_console.config.tpl +++ b/charts/console/chart/templates/_console.config.tpl @@ -106,7 +106,7 @@ {{- end -}} {{- if (ne (toJson $schema.sasl) "null") -}} {{- $_ := (set $cfg "authentication" (mustMergeOverwrite (dict) (dict "basic" (mustMergeOverwrite (dict) (dict "username" $schema.sasl.username))))) -}} -{{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BASIC_PASSWORD" $schema.sasl.passwordSecretRef)))) "r") -}} +{{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BASIC_PASSWORD" $schema.sasl.password)))) "r") -}} {{- $_ := (get (fromJson (include "console.configMapper.addEnv" (dict "a" (list $m "SCHEMAREGISTRY_AUTHENTICATION_BEARERTOKEN" $schema.sasl.token)))) "r") -}} {{- end -}} {{- $_is_returning = true -}} 
@@ -129,15 +129,15 @@ {{- if $tls.insecureSkipTlsVerify -}} {{- $_ := (set $out "insecureSkipTlsVerify" $tls.insecureSkipTlsVerify) -}} {{- end -}} -{{- $ca_7 := (get (fromJson (include "console.volumes.MaybeAdd" (dict "a" (list $m.Volumes $tls.caCertSecretRef)))) "r") -}} +{{- $ca_7 := (get (fromJson (include "console.volumes.MaybeAdd" (dict "a" (list $m.Volumes $tls.caCert)))) "r") -}} {{- if (ne (toJson $ca_7) "null") -}} {{- $_ := (set $out "caFilepath" $ca_7) -}} {{- end -}} -{{- $cert_8 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.certSecretRef)))) "r") -}} +{{- $cert_8 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.cert)))) "r") -}} {{- if (ne (toJson $cert_8) "null") -}} {{- $_ := (set $out "certFilepath" $cert_8) -}} {{- end -}} -{{- $key_9 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.keySecretRef)))) "r") -}} +{{- $key_9 := (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $m.Volumes $tls.key)))) "r") -}} {{- if (ne (toJson $key_9) "null") -}} {{- $_ := (set $out "keyFilepath" $key_9) -}} {{- end -}} @@ -150,9 +150,15 @@ {{- define "console.configMapper.addEnv" -}} {{- $m := (index .a 0) -}} {{- $name := (index .a 1) -}} -{{- $ref := (index .a 2) -}} +{{- $secretRef := (index .a 2) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} +{{- if (or (eq (toJson $secretRef) "null") (eq (toJson $secretRef.secretKeyRef) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ref := $secretRef.secretKeyRef -}} {{- if (or (eq $ref.key "") (eq $ref.name "")) -}} {{- $_is_returning = true -}} {{- (dict "r" (list)) | toJson -}} 
@@ -181,7 +187,7 @@ {{- $skr_11 := $ref.secretKeyRef -}} {{- if (ne (toJson $skr_11) "null") -}} {{- $_is_returning = true -}} -{{- (dict "r" (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $v (mustMergeOverwrite (dict "name" "") (dict "name" $skr_11.name "key" $skr_11.key)))))) "r")) | toJson -}} +{{- (dict "r" (get (fromJson (include "console.volumes.MaybeAddSecret" (dict "a" (list $v (mustMergeOverwrite (dict) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $skr_11.name)) (dict "key" $skr_11.key)))))))) "r")) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} @@ -200,9 +206,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_238___ok_12 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.ConfigMaps $ref.name (coalesce nil))))) "r") -}} -{{- $_ := (index $_238___ok_12 0) -}} -{{- $ok_12 := (index $_238___ok_12 1) -}} +{{- $_245___ok_12 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.ConfigMaps $ref.name (coalesce nil))))) "r") -}} +{{- $_ := (index $_245___ok_12 0) -}} +{{- $ok_12 := (index $_245___ok_12 1) -}} {{- if (not $ok_12) -}} {{- $_ := (set $v.ConfigMaps $ref.name (dict)) -}} {{- end -}} 
@@ -215,17 +221,23 @@ {{- define "console.volumes.MaybeAddSecret" -}} {{- $v := (index .a 0) -}} -{{- $ref := (index .a 1) -}} +{{- $secretRef := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} +{{- if (or (eq (toJson $secretRef) "null") (eq (toJson $secretRef.secretKeyRef) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ref := $secretRef.secretKeyRef -}} {{- if (or (eq (toJson $ref) "null") ((and (eq $ref.key "") (eq $ref.name "")))) -}} {{- $_is_returning = true -}} {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_250___ok_13 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.Secrets $ref.name (coalesce nil))))) "r") -}} -{{- $_ := (index $_250___ok_13 0) -}} -{{- $ok_13 := (index $_250___ok_13 1) -}} +{{- $_262___ok_13 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $v.Secrets $ref.name (coalesce nil))))) "r") -}} +{{- $_ := (index $_262___ok_13 0) -}} +{{- $ok_13 := (index $_262___ok_13 1) -}} {{- if (not $ok_13) -}} {{- $_ := (set $v.Secrets $ref.name (dict)) -}} {{- end -}} diff --git a/charts/console/config.go b/charts/console/config.go index 5b1838f82..e2550d59a 100644 --- a/charts/console/config.go +++ b/charts/console/config.go @@ -123,7 +123,7 @@ func (m *configMapper) configureKafka(kafka *ir.KafkaAPISpec) *PartialKafka { // TODO all the other ones...... } if kafka.SASL.Password != nil { - m.addEnv("KAFKA_SASL_PASSWORD", *kafka.SASL.Password) + m.addEnv("KAFKA_SASL_PASSWORD", kafka.SASL.Password) } } @@ -187,7 +187,12 @@ func (m *configMapper) configureTLS(tls *ir.CommonTLS) *PartialTLS { return out } -func (m *configMapper) addEnv(name string, ref ir.SecretKeyRef) { +func (m *configMapper) addEnv(name string, secretRef *ir.ValueSource) { + if secretRef == nil || secretRef.SecretKeyRef == nil { + return + } + ref := secretRef.SecretKeyRef + if ref.Key == "" || ref.Name == "" { return } 
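Review bot: In `addEnv` (charts/console/config.go) the new guard `if secretRef == nil || secretRef.SecretKeyRef == nil { return }` silently discards any `ir.ValueSource` that is populated through a source other than `SecretKeyRef`. `MaybeAdd` in the same file accepts a `ConfigMapKeyRef` on this type, and the changelog entry advertises inline and external-provider values too, so a SASL, admin or schema-registry password supplied that way would render a Console config with a username and no password env var, with nothing telling the operator why authentication fails. Since `addEnv` has no error return, I would at least document the limit on the function, e.g. `// addEnv only supports ValueSource.SecretKeyRef; any other source is ignored and no env var is emitted.`, and reject unsupported sources earlier, where an error can be reported. The caller-side `if kafka.SASL.Password != nil` in `configureKafka` is now redundant with the nil guard. The body of `addEnv` continues past the end of the hunk.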
@@ -212,7 +217,7 @@ type volumes struct { ConfigMaps map[string]map[string]bool } -func (v *volumes) MaybeAdd(ref *ir.ObjectKeyRef) *string { +func (v *volumes) MaybeAdd(ref *ir.ValueSource) *string { if ref == nil { return nil } @@ -222,9 +227,11 @@ func (v *volumes) MaybeAdd(ref *ir.ObjectKeyRef) *string { } if skr := ref.SecretKeyRef; skr != nil { - return v.MaybeAddSecret(&ir.SecretKeyRef{ - Name: skr.Name, - Key: skr.Key, + return v.MaybeAddSecret(&ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: skr.Name}, + Key: skr.Key, + }, }) } @@ -242,7 +249,12 @@ func (v *volumes) MaybeAddConfigMap(ref *corev1.ConfigMapKeySelector) *string { return ptr.To(fmt.Sprintf("%s/configmaps/%s/%s", v.Dir, ref.Name, ref.Key)) } -func (v *volumes) MaybeAddSecret(ref *ir.SecretKeyRef) *string { +func (v *volumes) MaybeAddSecret(secretRef *ir.ValueSource) *string { + if secretRef == nil || secretRef.SecretKeyRef == nil { + return nil + } + ref := secretRef.SecretKeyRef + if ref == nil || (ref.Key == "" && ref.Name == "") { return nil } diff --git a/charts/console/config_test.go b/charts/console/config_test.go index 39d5b448b..bed1cc5d0 100644 --- a/charts/console/config_test.go +++ b/charts/console/config_test.go 
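Review bot: The `SecretKeyRef` branch of `MaybeAdd` builds a fresh `ir.ValueSource` by copying `skr.Name` and `skr.Key`, only for `MaybeAddSecret` to unwrap it again on its first lines. From what this diff shows, `return v.MaybeAddSecret(ref)` would behave the same, since `MaybeAddSecret` reads nothing but `SecretKeyRef`; the copy is worth keeping only if the Helm template that mirrors this code requires the literal. `MaybeAdd` begins and ends outside this hunk, so its earlier branches are not visible here.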
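Review bot: In `MaybeAddSecret` the retained `ref == nil` test is dead after the new guard, and the remaining condition `ref.Key == "" && ref.Name == ""` still accepts a selector with only one of the two fields set, unlike `addEnv`, which rejects with `||`. For the TLS cert and key that means a half-filled reference presumably gets registered and yields a file path with an empty segment (the path construction is outside the hunk), so Console would be pointed at a key file that can never exist. If that leniency is not intentional, the check could become `if ref.Key == "" || ref.Name == "" { return nil }`. As with `addEnv`, a `ValueSource` carrying anything other than `SecretKeyRef` is dropped without a signal, which for `Cert`/`Key` means client-certificate authentication is silently left unconfigured.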
@@ -40,12 +40,11 @@ func TestStaticConfig(t *testing.T) { Kafka: &ir.KafkaAPISpec{ Brokers: []string{"broker-0.svc.cluster.local", "broker-1.svc.cluster.local"}, TLS: &ir.CommonTLS{ - Key: &ir.SecretKeyRef{Name: "kafka-cert", Key: "tls.key"}, - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-cert"}, - Key: "ca.crt", - }, + Key: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-cert"}, Key: "tls.key"}, + }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-cert"}, Key: "ca.crt"}, }, InsecureSkipTLSVerify: true, }, @@ -97,8 +96,13 @@ func TestStaticConfig(t *testing.T) { Kafka: &ir.KafkaAPISpec{ Brokers: []string{"broker:9092"}, SASL: &ir.KafkaSASL{ - Username: "test-user", - Password: &ir.SecretKeyRef{Name: "kafka-sasl", Key: "password"}, + Username: "test-user", + Password: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-sasl"}, + Key: "password", + }, + }, Mechanism: "PLAIN", }, }, 
@@ -134,19 +138,25 @@ func TestStaticConfig(t *testing.T) { Admin: &ir.AdminAPISpec{ URLs: []string{"https://admin:9644"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "admin-ca"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "admin-ca"}, Key: "ca.crt"}, + }, + Cert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "admin-cert"}, Key: "tls.crt"}, + }, + Key: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "admin-cert"}, Key: "tls.key"}, }, - Cert: &ir.SecretKeyRef{Name: "admin-cert", Key: "tls.crt"}, - Key: &ir.SecretKeyRef{Name: "admin-cert", Key: "tls.key"}, InsecureSkipTLSVerify: true, }, Auth: &ir.AdminAuth{ Username: "admin-user", - Password: ir.SecretKeyRef{Name: "admin-creds", Key: "password"}, + Password: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "admin-creds"}, + Key: "password", + }, + }, }, }, }, 
@@ -224,17 +234,24 @@ func TestStaticConfig(t *testing.T) { SchemaRegistry: &ir.SchemaRegistrySpec{ URLs: []string{"https://schema:8081"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "schema-ca"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "schema-ca"}, Key: "ca.crt"}, }, }, SASL: &ir.SchemaRegistrySASL{ - Username: "schema-user", - Password: ir.SecretKeyRef{Name: "schema-creds", Key: "password"}, - AuthToken: ir.SecretKeyRef{Name: "schema-creds", Key: "token"}, + Username: "schema-user", + Password: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "schema-creds"}, + Key: "password", + }, + }, + AuthToken: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "schema-creds"}, + Key: "token", + }, + }, }, }, Kafka: &ir.KafkaAPISpec{ @@ -314,11 +331,8 @@ func TestStaticConfig(t *testing.T) { SchemaRegistry: &ir.SchemaRegistrySpec{ URLs: []string{"https://schema:8081"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "schema-ca"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "schema-ca"}, Key: "ca.crt"}, }, InsecureSkipTLSVerify: true, }, 
@@ -372,44 +386,49 @@ func TestStaticConfig(t *testing.T) { Kafka: &ir.KafkaAPISpec{ Brokers: []string{"kafka-0:9092", "kafka-1:9092"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-tls"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-tls"}, Key: "ca.crt"}, + }, + Cert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-tls"}, Key: "tls.crt"}, + }, + Key: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-tls"}, Key: "tls.key"}, }, - Cert: &ir.SecretKeyRef{Name: "kafka-tls", Key: "tls.crt"}, - Key: &ir.SecretKeyRef{Name: "kafka-tls", Key: "tls.key"}, }, SASL: &ir.KafkaSASL{ - Username: "kafka-user", - Password: &ir.SecretKeyRef{Name: "kafka-auth", Key: "password"}, + Username: "kafka-user", + Password: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-auth"}, + Key: "password", + }, + }, Mechanism: "SCRAM-SHA-256", }, }, Admin: &ir.AdminAPISpec{ URLs: []string{"https://admin:9644"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "admin-tls"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "admin-tls"}, Key: "ca.crt"}, }, }, Auth: &ir.AdminAuth{ Username: "admin", - Password: ir.SecretKeyRef{Name: "admin-auth", Key: "password"}, + Password: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "admin-auth"}, + Key: "password", + }, + }, }, }, SchemaRegistry: 
&ir.SchemaRegistrySpec{ URLs: []string{"https://schema:8081"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "schema-tls"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "schema-tls"}, Key: "ca.crt"}, }, }, }, @@ -527,22 +546,16 @@ func TestStaticConfig(t *testing.T) { Kafka: &ir.KafkaAPISpec{ Brokers: []string{"kafka:9092"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - ConfigMapKeyRef: &corev1.ConfigMapKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-ca-config"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + ConfigMapKeyRef: &corev1.ConfigMapKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "kafka-ca-config"}, Key: "ca.crt"}, }, }, }, Admin: &ir.AdminAPISpec{ URLs: []string{"https://admin:9644"}, TLS: &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ - ConfigMapKeyRef: &corev1.ConfigMapKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "admin-ca-config"}, - Key: "ca.crt", - }, + CaCert: &ir.ValueSource{ + ConfigMapKeyRef: &corev1.ConfigMapKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: "admin-ca-config"}, Key: "ca.crt"}, }, }, }, @@ -609,6 +622,7 @@ func TestStaticConfig(t *testing.T) { Brokers: []string{"kafka:9092"}, SASL: &ir.KafkaSASL{ Username: "user", + Password: &ir.ValueSource{}, }, }, Admin: &ir.AdminAPISpec{ @@ -618,8 +632,8 @@ func TestStaticConfig(t *testing.T) { URLs: []string{"schema:8081"}, SASL: &ir.SchemaRegistrySASL{ Username: "schema-user", - Password: ir.SecretKeyRef{}, - AuthToken: ir.SecretKeyRef{}, + Password: &ir.ValueSource{}, + AuthToken: &ir.ValueSource{}, }, }, }, 
@@ -666,9 +680,11 @@ func TestConfigMapper_addEnv(t *testing.T) { mapper := &configMapper{} // Test with valid secret ref - mapper.addEnv("TEST_VAR", ir.SecretKeyRef{ - Name: "test-secret", - Key: "test-key", + mapper.addEnv("TEST_VAR", &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "test-secret"}, + Key: "test-key", + }, }) require.Len(t, mapper.Env, 1) @@ -677,15 +693,23 @@ func TestConfigMapper_addEnv(t *testing.T) { require.Equal(t, "test-key", mapper.Env[0].ValueFrom.SecretKeyRef.Key) // Test with empty secret ref (should not add) - mapper.addEnv("EMPTY_VAR", ir.SecretKeyRef{}) + mapper.addEnv("EMPTY_VAR", &ir.ValueSource{}) require.Len(t, mapper.Env, 1) // Test with empty name - mapper.addEnv("EMPTY_NAME", ir.SecretKeyRef{Key: "key"}) + mapper.addEnv("EMPTY_NAME", &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + Key: "key", + }, + }) require.Len(t, mapper.Env, 1) // Test with empty key - mapper.addEnv("EMPTY_KEY", ir.SecretKeyRef{Name: "name"}) + mapper.addEnv("EMPTY_KEY", &ir.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "name"}, + }, + }) require.Len(t, mapper.Env, 1) } @@ -703,7 +727,7 @@ func TestVolumes_MaybeAdd(t *testing.T) { require.Empty(t, v.Secrets) // Test with valid ref - result = v.MaybeAdd(&ir.ObjectKeyRef{ + result = v.MaybeAdd(&ir.ValueSource{ SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{Name: "secret-name"}, Key: "secret-key", @@ -715,7 +739,7 @@ func TestVolumes_MaybeAdd(t *testing.T) { require.Equal(t, map[string]bool{"secret-key": true}, v.Secrets["secret-name"]) // Test adding another key to same secret - result2 := v.MaybeAdd(&ir.ObjectKeyRef{ + result2 := v.MaybeAdd(&ir.ValueSource{ SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{Name: "secret-name"}, Key: "another-key", 
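Review bot: `TestConfigMapper_addEnv` never calls `addEnv` with a nil pointer, nor with a `ValueSource` that carries only a non-secret source, although both now take the new early return. The empty `&ir.ValueSource{}` case covers `SecretKeyRef == nil`, but not those two inputs. Adding `mapper.addEnv("NIL_REF", nil)` and a case with only `ConfigMapKeyRef` set, each followed by `require.Len(t, mapper.Env, 1)`, would pin the skip behaviour so a later change cannot start emitting a malformed env var unnoticed.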
@@ -726,7 +750,7 @@ func TestVolumes_MaybeAdd(t *testing.T) { require.Equal(t, map[string]bool{"secret-key": true, "another-key": true}, v.Secrets["secret-name"]) // Test with ConfigMap reference - result3 := v.MaybeAdd(&ir.ObjectKeyRef{ + result3 := v.MaybeAdd(&ir.ValueSource{ ConfigMapKeyRef: &corev1.ConfigMapKeySelector{ LocalObjectReference: corev1.LocalObjectReference{Name: "config-name"}, Key: "config-key", diff --git a/charts/console/go.mod b/charts/console/go.mod index 62597c142..540c38bea 100644 --- a/charts/console/go.mod +++ b/charts/console/go.mod @@ -23,10 +23,21 @@ require ( require ( buf.build/gen/go/redpandadata/core/connectrpc/go v1.19.1-20251031193904-15e1d027dabd.2 // indirect buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.10-20251031193904-15e1d027dabd.1 // indirect + cloud.google.com/go/auth v0.16.1 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect + cloud.google.com/go/compute/metadata v0.6.0 // indirect + cloud.google.com/go/iam v1.5.2 // indirect + cloud.google.com/go/secretmanager v1.14.7 // indirect connectrpc.com/connect v1.19.1 // indirect dario.cat/mergo v1.0.2 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect github.com/BurntSushi/toml v1.5.0 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect 
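Review bot: This `require` block, together with the following go.mod hunks, makes the console chart module depend indirectly on the AWS, Azure and Google Cloud secret-manager SDKs, `golang-jwt/jwt/v5`, `jcmturner/gokrb5/v8` and `github.com/redpanda-data/common-go/secrets v0.1.4`. The chart code changed in this commit only reads `SecretKeyRef` and `ConfigMapKeyRef` from `ir.ValueSource`, so the chart itself does not appear to need a secrets client; the imports likely arrive through the package that declares the type or one it imports. It is worth confirming the path with `go mod why -m github.com/redpanda-data/common-go/secrets`. If only the type definition is needed, moving `ValueSource` to a package without client imports would keep the chart's dependency set, and the surface to audit and patch, small.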
@@ -34,6 +45,20 @@ require ( github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/aws/aws-sdk-go-v2 v1.36.5 // indirect + github.com/aws/aws-sdk-go-v2/config v1.29.17 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.70 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect + github.com/aws/smithy-go v1.22.4 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect @@ -51,6 +76,7 @@ require ( github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/color v1.18.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.8.0 // indirect github.com/getsentry/sentry-go v0.27.0 // indirect 
@@ -65,6 +91,7 @@ require ( github.com/go-viper/mapstructure/v2 v2.3.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v5 v5.2.2 // indirect github.com/gonvenience/bunt v1.3.5 // indirect github.com/gonvenience/neat v1.3.13 // indirect github.com/gonvenience/term v1.0.2 // indirect @@ -74,18 +101,27 @@ require ( github.com/google/btree v1.1.3 // indirect github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.7.0 // indirect + github.com/google/s2a-go v0.1.9 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect + github.com/googleapis/gax-go/v2 v2.14.2 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/homeport/dyff v1.7.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/invopop/jsonschema v0.12.0 // indirect + github.com/jcmturner/aescts/v2 v2.0.0 // indirect + github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect + github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect + github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -98,6 +134,7 @@ require ( github.com/knadh/koanf/v2 v2.2.1 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -124,10 +161,13 @@ require ( github.com/opencontainers/go-digest v1.0.1-0.20231025023718-d50d2fec9c98 // indirect github.com/opencontainers/image-spec v1.1.1 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect + github.com/pierrec/lz4/v4 v4.1.22 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/redpanda-data/common-go/net v0.1.1-0.20240429123545-4da3d2b371f7 // indirect github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7 // indirect + github.com/redpanda-data/common-go/secrets v0.1.4 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rogpeppe/go-internal v1.14.1 // indirect github.com/rubenv/sql-migrate v1.8.0 // indirect 
@@ -141,12 +181,21 @@ require ( github.com/spf13/cobra v1.9.1 // indirect github.com/spf13/pflag v1.0.7 // indirect github.com/texttheater/golang-levenshtein v1.0.1 // indirect + github.com/tidwall/gjson v1.18.0 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.1 // indirect + github.com/twmb/franz-go v1.19.5 // indirect + github.com/twmb/franz-go/pkg/kmsg v1.11.2 // indirect + github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 // indirect + github.com/twmb/franz-go/pkg/sr v1.5.0 // indirect github.com/twmb/tlscfg v1.2.1 // indirect github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xlab/treeprint v1.2.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect go.opentelemetry.io/otel v1.36.0 // indirect go.opentelemetry.io/otel/log v0.11.0 // indirect go.opentelemetry.io/otel/metric v1.36.0 // indirect @@ -167,6 +216,8 @@ require ( golang.org/x/term v0.33.0 // indirect golang.org/x/text v0.27.0 // indirect golang.org/x/time v0.11.0 // indirect + google.golang.org/api v0.233.0 // indirect + google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250908214217-97024824d090 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect google.golang.org/grpc v1.73.0 // indirect diff --git a/charts/console/go.sum b/charts/console/go.sum index 4a3100b76..df4745b29 100644 --- a/charts/console/go.sum +++ b/charts/console/go.sum 
@@ -2,6 +2,18 @@ buf.build/gen/go/redpandadata/core/connectrpc/go v1.19.1-20251031193904-15e1d027 buf.build/gen/go/redpandadata/core/connectrpc/go v1.19.1-20251031193904-15e1d027dabd.2/go.mod h1:YY+peV2t5WRrsN5JCawfDfdePKQVNhaO+0l/9Tsi+oY= buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.10-20251031193904-15e1d027dabd.1 h1:qbwdlxQSRcBFlq8Kcl532kcMuR+64TuvnhLC49FxzJE= buf.build/gen/go/redpandadata/core/protocolbuffers/go v1.36.10-20251031193904-15e1d027dabd.1/go.mod h1:QenSPzqxZpyo9hHIpRzTetvDchelVDzimnmaggHKenc= +cloud.google.com/go v0.121.1 h1:S3kTQSydxmu1JfLRLpKtxRPA7rSrYPRPEUmL/PavVUw= +cloud.google.com/go v0.121.1/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw= +cloud.google.com/go/auth v0.16.1 h1:XrXauHMd30LhQYVRHLGvJiYeczweKQXZxsTbV9TiguU= +cloud.google.com/go/auth v0.16.1/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= +cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= +cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= +cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= +cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= +cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8= +cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE= +cloud.google.com/go/secretmanager v1.14.7 h1:VkscIRzj7GcmZyO4z9y1EH7Xf81PcoiAo7MtlD+0O80= +cloud.google.com/go/secretmanager v1.14.7/go.mod h1:uRuB4F6NTFbg0vLQ6HsT7PSsfbY7FqHbtJP1J94qxGc= connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14= connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= 
@@ -10,8 +22,24 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 h1:DSDNVxqkoXJiko6x8a90zidoYqnYYa6c1MTzDKzKkTo= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1/go.mod h1:zGqV2R4Cr/k8Uye5w+dgQ06WJtEcbQG/8J7BB6hnCr4= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= 
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= 
@@ -32,6 +60,34 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= +github.com/aws/aws-sdk-go-v2 v1.36.5 h1:0OF9RiEMEdDdZEMqF9MRjevyxAQcf6gY+E7vwBILFj0= +github.com/aws/aws-sdk-go-v2 v1.36.5/go.mod h1:EYrzvCCN9CMUTa5+6lf6MM4tq3Zjp8UhSGR/cBsjai0= +github.com/aws/aws-sdk-go-v2/config v1.29.17 h1:jSuiQ5jEe4SAMH6lLRMY9OVC+TqJLP5655pBGjmnjr0= +github.com/aws/aws-sdk-go-v2/config v1.29.17/go.mod h1:9P4wwACpbeXs9Pm9w1QTh6BwWwJjwYvJ1iCt5QbCXh8= +github.com/aws/aws-sdk-go-v2/credentials v1.17.70 h1:ONnH5CM16RTXRkS8Z1qg7/s2eDOhHhaXVd72mmyv4/0= +github.com/aws/aws-sdk-go-v2/credentials v1.17.70/go.mod h1:M+lWhhmomVGgtuPOhO85u4pEa3SmssPTdcYpP/5J/xc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 h1:KAXP9JSHO1vKGCr5f4O6WmlVKLFFXgWYAGoJosorxzU= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32/go.mod h1:h4Sg6FQdexC1yYG9RDnOvLbW1a/P986++/Y/a+GyEM8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 h1:SsytQyTMHMDPspp+spo7XwXTP44aJZZAC7fBV2C5+5s= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36/go.mod h1:Q1lnJArKRXkenyog6+Y+zr7WDpk4e6XlR6gs20bbeNo= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 h1:i2vNHQiXUvKhs3quBR6aqlgJaiaexz/aNvdCktW/kAM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 
h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 h1:t0E6FzREdtCsiLIoLCWsYliNsRBgyGD/MCK571qk4MI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17/go.mod h1:ygpklyoaypuyDvOM5ujWGrYWpAK3h7ugnmKCU/76Ys4= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.3 h1:CyA6J82ePPoh1Nj8ErOR2e/JRlzfFzWpGwGMFzFjwZg= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.3/go.mod h1:EliITPlGcBz0FRiVl7lRLtzI1cnDybFcfLYMZedOInE= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 h1:AIRJ3lfb2w/1/8wOOSqYb9fUKGwQbtysJ2H1MofRUPg= +github.com/aws/aws-sdk-go-v2/service/sso v1.25.5/go.mod h1:b7SiVprpU+iGazDUqvRSLf5XmCdn+JtT1on7uNL6Ipc= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 h1:BpOxT3yhLwSJ77qIY3DoHAQjZsc4HEGfMCE4NGy3uFg= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3/go.mod h1:vq/GQR1gOFLquZMSrxUK/cpvKCNVYibNyJ1m7JrU88E= +github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 h1:NFOJ/NXEGV4Rq//71Hs1jC/NvPs1ezajK+yQmkwnPV0= +github.com/aws/aws-sdk-go-v2/service/sts v1.34.0/go.mod h1:7ph2tGpfQvwzgistp2+zga9f+bCjlQJPkPUmMgDSD7w= +github.com/aws/smithy-go v1.22.4 h1:uqXzVZNuNexwc/xrh6Tb56u89WDlJY6HS+KC0S4QSjw= +github.com/aws/smithy-go v1.22.4/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk= github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -160,6 +216,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= +github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/gonvenience/bunt v1.3.5 h1:wSQquifvwEWtzn27k1ngLfeLaStyt0k1b/K6TrlCNAs= 
@@ -186,14 +244,22 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= +github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4= +github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= +github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0= +github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w= github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 
h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= @@ -208,6 +274,9 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ= github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= 
@@ -222,14 +291,30 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI= github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= @@ -251,6 +336,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= 
@@ -336,8 +423,13 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= +github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -368,6 +460,8 @@ github.com/redpanda-data/common-go/net v0.1.1-0.20240429123545-4da3d2b371f7 h1:M github.com/redpanda-data/common-go/net v0.1.1-0.20240429123545-4da3d2b371f7/go.mod h1:UJIi/yUxGOBYXUrfUsOkxfYxcb/ll7mZrwae/i+U2kc= github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7 h1:RGdPbgiCplZvFQ40r7n0SlEP9R4w5kCGrADOV+W7/7o= github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7/go.mod h1:NMOb9iySu0qkqREwoZaN0WANeqaGEZKDtKMecSobToQ= +github.com/redpanda-data/common-go/secrets v0.1.4 h1:CGp3KolGnjcJvIafTwf7Hlj5ztLOJCjgkegRu7IAkSw= +github.com/redpanda-data/common-go/secrets v0.1.4/go.mod h1:WjUU/5saSXwItZx6veFOGbQZUgPQz4MQ65z22y0Ky84= github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b h1:zwQznaAIBpxCL9FDaILJT+L7b3YGAD6QxK21hFzhEls= github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b/go.mod h1:dWaJBv8Eqpe21aREHEPlacC6bNoxWArvlcgWEB6t+3w= github.com/redpanda-data/redpanda-operator/gotohelm v1.2.1-0.20250909192010-c59ff494d04a h1:cBI+h6YFt1y45nvGQ4oFOEhPcQa/ih3DiNFJpFm5XVE= @@ -404,6 +498,8 @@ github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M= github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 
@@ -411,6 +507,9 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/testcontainers/testcontainers-go v0.39.0 h1:uCUJ5tA+fcxbFAB0uP3pIK3EJ2IjjDUHFSZ1H1UxAts= 
@@ -419,10 +518,27 @@ github.com/testcontainers/testcontainers-go/modules/k3s v0.39.0 h1:oZfauL/CPwI+H github.com/testcontainers/testcontainers-go/modules/k3s v0.39.0/go.mod h1:mlHF/P+wcE0+qeEsVYfifeXOOkAFhSmtpBJyDvbzhAc= github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U= github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4= github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4= github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso= github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= +github.com/twmb/franz-go v1.7.0/go.mod h1:PMze0jNfNghhih2XHbkmTFykbMF5sJqmNJB31DOOzro= +github.com/twmb/franz-go v1.19.5 h1:W7+o8D0RsQsedqib71OVlLeZ0zI6CbFra7yTYhZTs5Y= +github.com/twmb/franz-go v1.19.5/go.mod h1:4kFJ5tmbbl7asgwAGVuyG1ZMx0NNpYk7EqflvWfPCpM= +github.com/twmb/franz-go/pkg/kmsg v1.2.0/go.mod h1:SxG/xJKhgPu25SamAq0rrucfp7lbzCpEXOC+vH/ELrY= +github.com/twmb/franz-go/pkg/kmsg v1.11.2 h1:hIw75FpwcAjgeyfIGFqivAvwC5uNIOWRGvQgZhH4mhg= +github.com/twmb/franz-go/pkg/kmsg v1.11.2/go.mod h1:CFfkkLysDNmukPYhGzuUcDtf46gQSqCZHMW1T4Z+wDE= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 
h1:alKdbddkPw3rDh+AwmUEwh6HNYgTvDSFIe/GWYRR9RM= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0/go.mod h1:k8BoBjyUbFj34f0rRbn+Ky12sZFAPbmShrg0karAIMo= +github.com/twmb/franz-go/pkg/sr v1.5.0 h1:KQH8veHxKyAjT4U4/rziJnSEfafuluznLoxhrp0yJfo= +github.com/twmb/franz-go/pkg/sr v1.5.0/go.mod h1:O4o4mUMNfmyEt2HcuM+qZdc6KrcStvjgxWR6Cfvmukw= github.com/twmb/tlscfg v1.2.1 h1:IU2efmP9utQEIV2fufpZjPq7xgcZK4qu25viD51BB44= github.com/twmb/tlscfg v1.2.1/go.mod h1:GameEQddljI+8Es373JfQEBvtI4dCTLKWGJbqT2kErs= github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo= @@ -435,6 +551,7 @@ github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= 
@@ -443,6 +560,8 @@ go.opentelemetry.io/contrib/bridges/prometheus v0.61.0 h1:RyrtJzu5MAmIcbRrwg75b+ go.opentelemetry.io/contrib/bridges/prometheus v0.61.0/go.mod h1:tirr4p9NXbzjlbruiRGp53IzlYrDk5CO2fdHj0sSSaY= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4= go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= 
@@ -496,18 +615,31 @@ go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net 
v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM= +golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= 
@@ -515,20 +647,35 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= 
@@ -537,12 +684,17 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo= golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.233.0 h1:iGZfjXAJiUFSSaekVB7LzXl6tRfEKhUN7FkZN++07tI= +google.golang.org/api v0.233.0/go.mod h1:TCIVLLlcwunlMpZIhIp7Ltk77W+vUSdUKAAIlbxY44c= +google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4= +google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s= google.golang.org/genproto/googleapis/api v0.0.0-20250908214217-97024824d090 h1:d8Nakh1G+ur7+P3GcMjpRDEkoLUcLW2iU92XVqR+XMQ= google.golang.org/genproto/googleapis/api v0.0.0-20250908214217-97024824d090/go.mod h1:U8EXRNSd8sUYyDfs/It7KVWodQr+Hf9xtxyxWudSwEw= google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 h1:pmJpJEvT846VzausCQ5d7KreSROcDqmO388w5YbnltA= 
diff --git a/charts/redpanda/chart/templates/_render_state.go.tpl b/charts/redpanda/chart/templates/_render_state.go.tpl
index d4d60a13b..fd35a0a93 100644
--- a/charts/redpanda/chart/templates/_render_state.go.tpl
+++ b/charts/redpanda/chart/templates/_render_state.go.tpl
@@ -55,7 +55,7 @@
 {{- $_ := (set $kafkaSpec "tls" (get (fromJson (include "redpanda.InternalTLS.ToCommonTLS" (dict "a" (list $r.Values.listeners.kafka.tls $r $r.Values.tls)))) "r")) -}}
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $r.Values.auth)))) "r") -}}
-{{- $_ := (set $kafkaSpec "sasl" (mustMergeOverwrite (dict "mechanism" "") (dict "username" $username "passwordSecretRef" (mustMergeOverwrite (dict "name" "") (dict "namespace" $r.Release.Namespace "name" $passwordRef.name "key" $passwordRef.key)) "mechanism" (toString (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $r.Values.auth.sasl.bootstrapUser)))) "r"))))) -}}
+{{- $_ := (set $kafkaSpec "sasl" (mustMergeOverwrite (dict "mechanism" "") (dict "username" $username "passwordSecretRef" (mustMergeOverwrite (dict) (dict "namespace" $r.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $passwordRef.name)) (dict "key" $passwordRef.key)))) "mechanism" (toString (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $r.Values.auth.sasl.bootstrapUser)))) "r"))))) -}}
 {{- end -}}
 {{- $adminTLS := (coalesce nil) -}}
 {{- $adminSchema := "http" -}}
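Review bot: The kafka `sasl` entry keeps the key `passwordSecretRef` but its value changes from a flat `namespace`/`name`/`key` object to one that nests `name` and `key` under `secretKeyRef`, so a consumer still reading the flat shape would find no secret name or key. The admin auth hunk at `@@ -64,11` makes the same change under the same key, while the schema registry hunk at `@@ -89,7` renames the field to `password`; the three blocks should either share one name or the difference should be documented. I would add a comment above the kafka line such as `{{- /* passwordSecretRef now holds a value-source object (secretKeyRef), not a flat secret reference */ -}}`. The consumer of this spec is not visible in these hunks, so it should be confirmed that it was updated for the nested shape in the same change.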
@@ -64,11 +64,11 @@
 {{- $adminTLS = (get (fromJson (include "redpanda.InternalTLS.ToCommonTLS" (dict "a" (list $r.Values.listeners.admin.tls $r $r.Values.tls)))) "r") -}}
 {{- end -}}
 {{- $adminAuth := (coalesce nil) -}}
-{{- $_142_adminAuthEnabled__ := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" (index $r.Values.config.cluster "admin_api_require_auth") false)))) "r") -}}
-{{- $adminAuthEnabled := (index $_142_adminAuthEnabled__ 0) -}}
-{{- $_ := (index $_142_adminAuthEnabled__ 1) -}}
+{{- $_144_adminAuthEnabled__ := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" (index $r.Values.config.cluster "admin_api_require_auth") false)))) "r") -}}
+{{- $adminAuthEnabled := (index $_144_adminAuthEnabled__ 0) -}}
+{{- $_ := (index $_144_adminAuthEnabled__ 1) -}}
 {{- if $adminAuthEnabled -}}
-{{- $adminAuth = (mustMergeOverwrite (dict "passwordSecretRef" (dict "name" "")) (dict "username" $username "passwordSecretRef" (mustMergeOverwrite (dict "name" "") (dict "namespace" $r.Release.Namespace "name" $passwordRef.name "key" $passwordRef.key)))) -}}
+{{- $adminAuth = (mustMergeOverwrite (dict) (dict "username" $username "passwordSecretRef" (mustMergeOverwrite (dict) (dict "namespace" $r.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $passwordRef.name)) (dict "key" $passwordRef.key)))))) -}}
 {{- end -}}
 {{- $adminSpec := (mustMergeOverwrite (dict "urls" (coalesce nil)) (dict "tls" $adminTLS "sasl" $adminAuth "urls" (list (printf "%s://%s:%d" $adminSchema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $r)))) "r") ($r.Values.listeners.admin.port | int))))) -}}
 {{- $schemaRegistrySpec := (coalesce nil) -}}
@@ -89,7 +89,7 @@
 {{- end -}}
 {{- $schemaRegistrySpec = (mustMergeOverwrite (dict "urls" (coalesce nil)) (dict "urls" $schemaURLs "tls" $schemaTLS)) -}}
 {{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $r.Values.auth)))) "r") -}}
-{{- $_ := (set $schemaRegistrySpec "sasl" (mustMergeOverwrite (dict "passwordSecretRef" (dict "name" "") "token" (dict "name" "")) (dict "username" $username "passwordSecretRef" (mustMergeOverwrite (dict "name" "") (dict "namespace" $r.Release.Namespace "name" $passwordRef.name "key" $passwordRef.key))))) -}}
+{{- $_ := (set $schemaRegistrySpec "sasl" (mustMergeOverwrite (dict) (dict "username" $username "password" (mustMergeOverwrite (dict) (dict "namespace" $r.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $passwordRef.name)) (dict "key" $passwordRef.key))))))) -}}
 {{- end -}}
 {{- end -}}
 {{- $_is_returning = true -}}
diff --git a/charts/redpanda/chart/templates/_values.go.tpl b/charts/redpanda/chart/templates/_values.go.tpl
index 40f4ec117..234b49cda 100644
--- a/charts/redpanda/chart/templates/_values.go.tpl
+++ b/charts/redpanda/chart/templates/_values.go.tpl
@@ -1062,21 +1062,21 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $spec := (mustMergeOverwrite (dict "insecureSkipTlsVerify" false) (dict)) -}} +{{- $spec := (mustMergeOverwrite (dict) (dict)) -}} {{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} {{- $secretName := (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $cert $state $t.cert)))) "r") -}} {{- if (ne (toJson $t.trustStore) "null") -}} -{{- $_ := (set $spec "caCertSecretRef" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "configMapKeyRef" $t.trustStore.configMapKeyRef "secretKeyRef" $t.trustStore.secretKeyRef))) -}} +{{- $_ := (set $spec "caCert" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "configMapKeyRef" $t.trustStore.configMapKeyRef "secretKeyRef" $t.trustStore.secretKeyRef))) -}} {{- else -}}{{- if $cert.caEnabled -}} -{{- $_ := (set $spec "caCertSecretRef" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $secretName)) (dict "key" "ca.crt"))))) -}} +{{- $_ := (set $spec "caCert" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $secretName)) (dict "key" "ca.crt"))))) -}} {{- else -}} -{{- $_ := (set $spec "caCertSecretRef" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $secretName)) (dict "key" "cert.crt"))))) -}} +{{- $_ := (set $spec "caCert" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $secretName)) (dict "key" "cert.crt"))))) -}} {{- end -}} {{- end -}} {{- if 
$t.requireClientAuth -}} {{- $clientSecretName := (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $cert $state $t.cert)))) "r") -}} -{{- $_ := (set $spec "certSecretRef" (mustMergeOverwrite (dict "name" "") (dict "namespace" $state.Release.Namespace "name" $clientSecretName "key" "tls.crt"))) -}} -{{- $_ := (set $spec "keySecretRef" (mustMergeOverwrite (dict "name" "") (dict "namespace" $state.Release.Namespace "name" $clientSecretName "key" "tls.key"))) -}} +{{- $_ := (set $spec "cert" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $clientSecretName)) (dict "key" "tls.crt"))))) -}} +{{- $_ := (set $spec "key" (mustMergeOverwrite (dict) (dict "namespace" $state.Release.Namespace "secretKeyRef" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" $clientSecretName)) (dict "key" "tls.key"))))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $spec) | toJson -}} @@ -1333,9 +1333,9 @@ {{- $result := (dict) -}} {{- range $k, $v := $c -}} {{- if (not (empty $v)) -}} -{{- $_1842___ok_15 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} -{{- $_ := ((index $_1842___ok_15 0) | float64) -}} -{{- $ok_15 := (index $_1842___ok_15 1) -}} +{{- $_1846___ok_15 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} +{{- $_ := ((index $_1846___ok_15 0) | float64) -}} +{{- $ok_15 := (index $_1846___ok_15 1) -}} {{- if $ok_15 -}} {{- $_ := (set $result $k $v) -}} {{- else -}}{{- if (kindIs "bool" $v) -}} 
@@ -1361,9 +1361,9 @@ {{- $_is_returning := false -}} {{- $result := (dict) -}} {{- range $k, $v := $c -}} -{{- $_1862_b_16_ok_17 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} -{{- $b_16 := (index $_1862_b_16_ok_17 0) -}} -{{- $ok_17 := (index $_1862_b_16_ok_17 1) -}} +{{- $_1866_b_16_ok_17 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} +{{- $b_16 := (index $_1866_b_16_ok_17 0) -}} +{{- $ok_17 := (index $_1866_b_16_ok_17 1) -}} {{- if $ok_17 -}} {{- $_ := (set $result $k $b_16) -}} {{- continue -}} 
@@ -1406,15 +1406,15 @@ {{- $config := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1907___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1907___hasAccessKey 0) -}} -{{- $hasAccessKey := (index $_1907___hasAccessKey 1) -}} -{{- $_1908___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1908___hasSecretKey 0) -}} -{{- $hasSecretKey := (index $_1908___hasSecretKey 1) -}} -{{- $_1909___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1909___hasSharedKey 0) -}} -{{- $hasSharedKey := (index $_1909___hasSharedKey 1) -}} +{{- $_1911___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1911___hasAccessKey 0) -}} +{{- $hasAccessKey := (index $_1911___hasAccessKey 1) -}} +{{- $_1912___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1912___hasSecretKey 0) -}} +{{- $hasSecretKey := (index $_1912___hasSecretKey 1) -}} +{{- $_1913___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1913___hasSharedKey 0) -}} +{{- $hasSharedKey := (index $_1913___hasSharedKey 1) -}} {{- $envvars := (coalesce nil) -}} {{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey)))) "r")) -}} {{- $envvars = (concat (default (list) $envvars) (list (mustMergeOverwrite (dict "name" "") (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson 
(include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey)))) "r"))))) -}} @@ -1437,12 +1437,12 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1945___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1945___containerExists 0) -}} -{{- $containerExists := (index $_1945___containerExists 1) -}} -{{- $_1946___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1946___accountExists 0) -}} -{{- $accountExists := (index $_1946___accountExists 1) -}} +{{- $_1949___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1949___containerExists 0) -}} +{{- $containerExists := (index $_1949___containerExists 1) -}} +{{- $_1950___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1950___accountExists 0) -}} +{{- $accountExists := (index $_1950___accountExists 1) -}} {{- $_is_returning = true -}} {{- (dict "r" (and $containerExists $accountExists)) | toJson -}} {{- break -}} 
@@ -1453,9 +1453,9 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1951_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} -{{- $value := (index $_1951_value_ok 0) -}} -{{- $ok := (index $_1951_value_ok 1) -}} +{{- $_1955_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} +{{- $value := (index $_1955_value_ok 0) -}} +{{- $ok := (index $_1955_value_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" (coalesce nil)) | toJson -}} diff --git a/charts/redpanda/go.mod b/charts/redpanda/go.mod index 39fbd3700..eee7d66fc 100644 --- a/charts/redpanda/go.mod +++ b/charts/redpanda/go.mod @@ -131,9 +131,15 @@ require ( github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/homeport/dyff v1.7.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jcmturner/aescts/v2 v2.0.0 // indirect + github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect + github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect + github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect 
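Review bot: The indirect requirements added in this go.mod hunk bring a Kerberos client stack into the chart module, and neither the change description nor this module's visible code changes explain why. The modules are `github.com/jcmturner/gokrb5/v8 v8.4.4` with its `aescts`, `dnsutils`, `gofork` and `rpc` companions, plus `github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0` in the next hunk. The Go changes under charts/redpanda only swap `ir.SecretKeyRef`/`ir.ObjectKeyRef` for `ir.ValueSource`, so these presumably arrive transitively through the package that defines those types. Please name the importer in the commit message (`go mod why -m github.com/jcmturner/gokrb5/v8` will show it) and consider whether the chart module should depend on the package that needs it. The same additions appear in gen/go.mod.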
@@ -202,6 +208,7 @@ require ( github.com/tidwall/pretty v1.2.1 // indirect github.com/twmb/franz-go/pkg/kadm v1.16.0 // indirect github.com/twmb/franz-go/pkg/kmsg v1.11.2 // indirect + github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 // indirect github.com/twmb/tlscfg v1.2.1 // indirect github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect github.com/x448/float16 v0.8.4 // indirect diff --git a/charts/redpanda/go.sum b/charts/redpanda/go.sum index 1e8298875..92829d0ad 100644 --- a/charts/redpanda/go.sum +++ b/charts/redpanda/go.sum @@ -279,6 +279,8 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= 
@@ -293,6 +295,9 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ= github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= 
@@ -309,6 +314,19 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI= github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -321,6 +339,7 @@ github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKu github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= @@ -434,6 +453,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= 
@@ -547,12 +567,16 @@ github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8O github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4= github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso= github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= +github.com/twmb/franz-go v1.7.0/go.mod h1:PMze0jNfNghhih2XHbkmTFykbMF5sJqmNJB31DOOzro= github.com/twmb/franz-go v1.19.5 h1:W7+o8D0RsQsedqib71OVlLeZ0zI6CbFra7yTYhZTs5Y= github.com/twmb/franz-go v1.19.5/go.mod h1:4kFJ5tmbbl7asgwAGVuyG1ZMx0NNpYk7EqflvWfPCpM= github.com/twmb/franz-go/pkg/kadm v1.16.0 h1:STMs1t5lYR5mR974PSiwNzE5TvsosByTp+rKXLOhAjE= github.com/twmb/franz-go/pkg/kadm v1.16.0/go.mod h1:MUdcUtnf9ph4SFBLLA/XxE29rvLhWYLM9Ygb8dfSCvw= +github.com/twmb/franz-go/pkg/kmsg v1.2.0/go.mod h1:SxG/xJKhgPu25SamAq0rrucfp7lbzCpEXOC+vH/ELrY= github.com/twmb/franz-go/pkg/kmsg v1.11.2 h1:hIw75FpwcAjgeyfIGFqivAvwC5uNIOWRGvQgZhH4mhg= github.com/twmb/franz-go/pkg/kmsg v1.11.2/go.mod h1:CFfkkLysDNmukPYhGzuUcDtf46gQSqCZHMW1T4Z+wDE= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 h1:alKdbddkPw3rDh+AwmUEwh6HNYgTvDSFIe/GWYRR9RM= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0/go.mod h1:k8BoBjyUbFj34f0rRbn+Ky12sZFAPbmShrg0karAIMo= github.com/twmb/franz-go/pkg/sr v1.5.0 h1:KQH8veHxKyAjT4U4/rziJnSEfafuluznLoxhrp0yJfo= github.com/twmb/franz-go/pkg/sr v1.5.0/go.mod h1:O4o4mUMNfmyEt2HcuM+qZdc6KrcStvjgxWR6Cfvmukw= github.com/twmb/tlscfg v1.2.1 h1:IU2efmP9utQEIV2fufpZjPq7xgcZK4qu25viD51BB44= 
@@ -632,6 +656,9 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= 
@@ -643,10 +670,16 @@ golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM= +golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= 
@@ -662,23 +695,29 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod 
h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= diff --git a/charts/redpanda/render_state.go b/charts/redpanda/render_state.go index bbcc1470b..3d6310650 100644 --- a/charts/redpanda/render_state.go +++ b/charts/redpanda/render_state.go @@ -116,10 +116,12 @@ func (r *RenderState) AsStaticConfigSource() ir.StaticConfigurationSource { if r.Values.Auth.IsSASLEnabled() { kafkaSpec.SASL = &ir.KafkaSASL{ Username: username, - Password: &ir.SecretKeyRef{ + Password: &ir.ValueSource{ Namespace: r.Release.Namespace, - Name: passwordRef.Name, - Key: passwordRef.Key, + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: passwordRef.Name}, + Key: passwordRef.Key, + }, }, Mechanism: ir.SASLMechanism(r.Values.Auth.SASL.BootstrapUser.GetMechanism()), } @@ -138,10 +140,12 @@ func (r *RenderState) AsStaticConfigSource() ir.StaticConfigurationSource { if adminAuthEnabled { adminAuth = &ir.AdminAuth{ Username: username, - Password: ir.SecretKeyRef{ + Password: &ir.ValueSource{ Namespace: r.Release.Namespace, - Name: passwordRef.Name, - Key: passwordRef.Key, + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: passwordRef.Name}, + Key: passwordRef.Key, + }, }, } } 
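Review bot: The `&ir.ValueSource{Namespace: ..., SecretKeyRef: &corev1.SecretKeySelector{...}}` literal added for the Kafka SASL password is spelled out again in the hunks at -138 and -181 of this function and twice more in `ToCommonTLS` in values.go (-1546), differing only in the secret name and key. A small helper that returns a fresh pointer on every call would keep the five sites identical without aliasing one struct between specs. It would also leave a single place to edit if the reference shape changes again. `AsStaticConfigSource` begins and ends outside the hunk.

```go
// secretValueSource points a ValueSource at one key of a Secret in namespace.
func secretValueSource(namespace, name, key string) *ir.ValueSource {
	return &ir.ValueSource{
		Namespace: namespace,
		SecretKeyRef: &corev1.SecretKeySelector{
			LocalObjectReference: corev1.LocalObjectReference{Name: name},
			Key:                  key,
		},
	}
}

// … unchanged: kafkaSpec.SASL = &ir.KafkaSASL{ Username: username, …
		Password: secretValueSource(r.Release.Namespace, passwordRef.Name, passwordRef.Key),
```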
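Review bot: The admin credential in the -138 hunk appears to keep its old serialized name while changing shape. The generated template earlier in this diff emits the new `namespace` + `secretKeyRef` structure for `$adminAuth` under the key `passwordSecretRef`, whereas the schema-registry block was renamed to `password`. If `ir.AdminAuth.Password` really retained a `passwordSecretRef` JSON tag (the type definition is not visible here), a consumer that still decodes that key as the old name/key reference would presumably see an empty secret name rather than an error. I would either align the tag with the other specs (`json:"password,omitempty"`) or add a comment on the field explaining why the admin key differs. `Password` also changed from a value to a pointer in this hunk and in the -181 hunk, so readers of the field outside this diff need a nil check.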
@@ -181,10 +185,12 @@ func (r *RenderState) AsStaticConfigSource() ir.StaticConfigurationSource { if r.Values.Auth.IsSASLEnabled() { schemaRegistrySpec.SASL = &ir.SchemaRegistrySASL{ Username: username, - Password: ir.SecretKeyRef{ + Password: &ir.ValueSource{ Namespace: r.Release.Namespace, - Name: passwordRef.Name, - Key: passwordRef.Key, + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: passwordRef.Name}, + Key: passwordRef.Key, + }, }, } } diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go index 2215121ae..b2d6c2dbc 100644 --- a/charts/redpanda/values.go +++ b/charts/redpanda/values.go @@ -1515,13 +1515,13 @@ func (t *InternalTLS) ToCommonTLS(state *RenderState, tls *TLS) *ir.CommonTLS { if t.TrustStore != nil { // Only one of ConfigMapKeyRef or SecretKeyRef should actually be set. // Copy both to simplify the logic. - spec.CaCert = &ir.ObjectKeyRef{ + spec.CaCert = &ir.ValueSource{ Namespace: state.Release.Namespace, ConfigMapKeyRef: t.TrustStore.ConfigMapKeyRef, SecretKeyRef: t.TrustStore.SecretKeyRef, } } else if cert.CAEnabled { - spec.CaCert = &ir.ObjectKeyRef{ + spec.CaCert = &ir.ValueSource{ Namespace: state.Release.Namespace, SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ @@ -1531,7 +1531,7 @@ func (t *InternalTLS) ToCommonTLS(state *RenderState, tls *TLS) *ir.CommonTLS { }, } } else { - spec.CaCert = &ir.ObjectKeyRef{ + spec.CaCert = &ir.ValueSource{ Namespace: state.Release.Namespace, SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ 
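Review bot: In the values.go hunk at -1515 the `TrustStore` branch copies both `ConfigMapKeyRef` and `SecretKeyRef` into the new `ir.ValueSource`, and the retained comment only says that one of them "should" be set. If a values file sets both, the object that supplies the CA bundle is chosen by whatever resolves the `ValueSource`, which is not visible here, and for a trust anchor that choice ought to be explicit. I would extend the comment to something like `// If both are set, ValueSource resolution order decides which CA is trusted (TODO: state the order).`, or reject the combination before this point. `ToCommonTLS` begins and ends outside the hunk.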
@@ -1546,16 +1546,20 @@ func (t *InternalTLS) ToCommonTLS(state *RenderState, tls *TLS) *ir.CommonTLS { if t.RequireClientAuth { clientSecretName := cert.ClientSecretName(state, t.Cert) - spec.Cert = &ir.SecretKeyRef{ + spec.Cert = &ir.ValueSource{ Namespace: state.Release.Namespace, - Name: clientSecretName, - Key: "tls.crt", + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: clientSecretName}, + Key: "tls.crt", + }, } - spec.Key = &ir.SecretKeyRef{ + spec.Key = &ir.ValueSource{ Namespace: state.Release.Namespace, - Name: clientSecretName, - Key: "tls.key", + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: clientSecretName}, + Key: "tls.key", + }, } } diff --git a/gen/go.mod b/gen/go.mod index 9b83cee8a..7feadaaa9 100644 --- a/gen/go.mod +++ b/gen/go.mod @@ -132,10 +132,16 @@ require ( github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/homeport/dyff v1.7.1 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jcmturner/aescts/v2 v2.0.0 // indirect + github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect + github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect + github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -210,6 +216,8 @@ require ( github.com/twmb/franz-go v1.19.5 // indirect github.com/twmb/franz-go/pkg/kadm v1.16.0 // indirect github.com/twmb/franz-go/pkg/kmsg v1.11.2 // indirect + github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 // indirect + github.com/twmb/franz-go/pkg/sr v1.5.0 // indirect github.com/twmb/tlscfg v1.2.1 // indirect github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect diff --git a/gen/go.sum b/gen/go.sum index e5c95b84e..8d618e27d 100644 --- a/gen/go.sum +++ b/gen/go.sum @@ -305,6 +305,8 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= 
@@ -319,6 +321,7 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ= @@ -343,6 +346,9 @@ github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0= github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= 
@@ -359,6 +365,7 @@ github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKu github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= @@ -486,6 +493,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= 
@@ -603,10 +611,12 @@ github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8O github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4= github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso= github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= +github.com/twmb/franz-go v1.7.0/go.mod h1:PMze0jNfNghhih2XHbkmTFykbMF5sJqmNJB31DOOzro= github.com/twmb/franz-go v1.19.5 h1:W7+o8D0RsQsedqib71OVlLeZ0zI6CbFra7yTYhZTs5Y= github.com/twmb/franz-go v1.19.5/go.mod h1:4kFJ5tmbbl7asgwAGVuyG1ZMx0NNpYk7EqflvWfPCpM= github.com/twmb/franz-go/pkg/kadm v1.16.0 h1:STMs1t5lYR5mR974PSiwNzE5TvsosByTp+rKXLOhAjE= github.com/twmb/franz-go/pkg/kadm v1.16.0/go.mod h1:MUdcUtnf9ph4SFBLLA/XxE29rvLhWYLM9Ygb8dfSCvw= +github.com/twmb/franz-go/pkg/kmsg v1.2.0/go.mod h1:SxG/xJKhgPu25SamAq0rrucfp7lbzCpEXOC+vH/ELrY= github.com/twmb/franz-go/pkg/kmsg v1.11.2 h1:hIw75FpwcAjgeyfIGFqivAvwC5uNIOWRGvQgZhH4mhg= github.com/twmb/franz-go/pkg/kmsg v1.11.2/go.mod h1:CFfkkLysDNmukPYhGzuUcDtf46gQSqCZHMW1T4Z+wDE= github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 h1:alKdbddkPw3rDh+AwmUEwh6HNYgTvDSFIe/GWYRR9RM= 
@@ -690,6 +700,9 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= 
@@ -701,10 +714,16 @@ golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM= +golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= 
@@ -720,23 +739,29 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod 
h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= diff --git a/harpoon/go.mod b/harpoon/go.mod index 73f5a9eaa..b2e6ac546 100644 --- a/harpoon/go.mod +++ b/harpoon/go.mod @@ -34,9 +34,11 @@ require ( github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect + github.com/creack/pty v1.1.20 // indirect github.com/cucumber/gherkin/go/v26 v26.2.0 // indirect github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/dlclark/regexp2 v1.11.5 // indirect github.com/emicklei/go-restful/v3 v3.12.2 // indirect github.com/evanphx/json-patch v5.9.11+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect @@ -63,6 +65,7 @@ require ( github.com/google/btree v1.1.3 // indirect github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.7.0 // indirect + github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect 
@@ -72,7 +75,6 @@ require ( github.com/hashicorp/go-immutable-radix v1.3.1 // indirect github.com/hashicorp/go-memdb v1.3.4 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect - github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/golang-lru v1.0.2 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/homeport/dyff v1.7.1 // indirect diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/adminsasl.go b/operator/api/applyconfiguration/redpanda/v1alpha2/adminsasl.go index 76bcf1e5f..72fccab24 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/adminsasl.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/adminsasl.go @@ -18,10 +18,12 @@ import ( // AdminSASLApplyConfiguration represents a declarative configuration of the AdminSASL type for use // with apply. type AdminSASLApplyConfiguration struct { - Username *string `json:"username,omitempty"` - Password *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` - Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` - AuthToken *SecretKeyRefApplyConfiguration `json:"token,omitempty"` + Username *string `json:"username,omitempty"` + Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` + Password *ValueSourceApplyConfiguration `json:"password,omitempty"` + AuthToken *ValueSourceApplyConfiguration `json:"authToken,omitempty"` + DeprecatedPassword *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` + DeprecatedAuthToken *SecretKeyRefApplyConfiguration `json:"token,omitempty"` } // AdminSASLApplyConfiguration constructs a declarative configuration of the AdminSASL type for use with 
@@ -38,14 +40,6 @@ func (b *AdminSASLApplyConfiguration) WithUsername(value string) *AdminSASLApply return b } -// WithPassword sets the Password field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Password field is set to the value of the last call. -func (b *AdminSASLApplyConfiguration) WithPassword(value *SecretKeyRefApplyConfiguration) *AdminSASLApplyConfiguration { - b.Password = value - return b -} - // WithMechanism sets the Mechanism field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Mechanism field is set to the value of the last call. 
@@ -54,10 +48,34 @@ func (b *AdminSASLApplyConfiguration) WithMechanism(value redpandav1alpha2.SASLM return b } +// WithPassword sets the Password field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Password field is set to the value of the last call. +func (b *AdminSASLApplyConfiguration) WithPassword(value *ValueSourceApplyConfiguration) *AdminSASLApplyConfiguration { + b.Password = value + return b +} + // WithAuthToken sets the AuthToken field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the AuthToken field is set to the value of the last call. -func (b *AdminSASLApplyConfiguration) WithAuthToken(value *SecretKeyRefApplyConfiguration) *AdminSASLApplyConfiguration { +func (b *AdminSASLApplyConfiguration) WithAuthToken(value *ValueSourceApplyConfiguration) *AdminSASLApplyConfiguration { b.AuthToken = value return b } + +// WithDeprecatedPassword sets the DeprecatedPassword field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedPassword field is set to the value of the last call. +func (b *AdminSASLApplyConfiguration) WithDeprecatedPassword(value *SecretKeyRefApplyConfiguration) *AdminSASLApplyConfiguration { + b.DeprecatedPassword = value + return b +} + +// WithDeprecatedAuthToken sets the DeprecatedAuthToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedAuthToken field is set to the value of the last call. 
+func (b *AdminSASLApplyConfiguration) WithDeprecatedAuthToken(value *SecretKeyRefApplyConfiguration) *AdminSASLApplyConfiguration { + b.DeprecatedAuthToken = value + return b +} diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/commontls.go b/operator/api/applyconfiguration/redpanda/v1alpha2/commontls.go index 2e81018db..eaa353e27 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/commontls.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/commontls.go @@ -15,9 +15,12 @@ package v1alpha2 // with apply. type CommonTLSApplyConfiguration struct { Enabled *bool `json:"enabled,omitempty"` - CaCert *SecretKeyRefApplyConfiguration `json:"caCertSecretRef,omitempty"` - Cert *SecretKeyRefApplyConfiguration `json:"certSecretRef,omitempty"` - Key *SecretKeyRefApplyConfiguration `json:"keySecretRef,omitempty"` + CaCert *ValueSourceApplyConfiguration `json:"caCert,omitempty"` + Cert *ValueSourceApplyConfiguration `json:"cert,omitempty"` + Key *ValueSourceApplyConfiguration `json:"key,omitempty"` + DeprecatedCaCert *SecretKeyRefApplyConfiguration `json:"caCertSecretRef,omitempty"` + DeprecatedCert *SecretKeyRefApplyConfiguration `json:"certSecretRef,omitempty"` + DeprecatedKey *SecretKeyRefApplyConfiguration `json:"keySecretRef,omitempty"` InsecureSkipTLSVerify *bool `json:"insecureSkipTlsVerify,omitempty"` } @@ -38,7 +41,7 @@ func (b *CommonTLSApplyConfiguration) WithEnabled(value bool) *CommonTLSApplyCon // WithCaCert sets the CaCert field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the CaCert field is set to the value of the last call. -func (b *CommonTLSApplyConfiguration) WithCaCert(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { +func (b *CommonTLSApplyConfiguration) WithCaCert(value *ValueSourceApplyConfiguration) *CommonTLSApplyConfiguration { b.CaCert = value return b } 
@@ -46,7 +49,7 @@ func (b *CommonTLSApplyConfiguration) WithCaCert(value *SecretKeyRefApplyConfigu // WithCert sets the Cert field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Cert field is set to the value of the last call. -func (b *CommonTLSApplyConfiguration) WithCert(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { +func (b *CommonTLSApplyConfiguration) WithCert(value *ValueSourceApplyConfiguration) *CommonTLSApplyConfiguration { b.Cert = value return b } 
@@ -54,11 +57,35 @@ func (b *CommonTLSApplyConfiguration) WithCert(value *SecretKeyRefApplyConfigura // WithKey sets the Key field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Key field is set to the value of the last call. -func (b *CommonTLSApplyConfiguration) WithKey(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { +func (b *CommonTLSApplyConfiguration) WithKey(value *ValueSourceApplyConfiguration) *CommonTLSApplyConfiguration { b.Key = value return b } +// WithDeprecatedCaCert sets the DeprecatedCaCert field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedCaCert field is set to the value of the last call. +func (b *CommonTLSApplyConfiguration) WithDeprecatedCaCert(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { + b.DeprecatedCaCert = value + return b +} + +// WithDeprecatedCert sets the DeprecatedCert field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedCert field is set to the value of the last call. +func (b *CommonTLSApplyConfiguration) WithDeprecatedCert(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { + b.DeprecatedCert = value + return b +} + +// WithDeprecatedKey sets the DeprecatedKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedKey field is set to the value of the last call. 
+func (b *CommonTLSApplyConfiguration) WithDeprecatedKey(value *SecretKeyRefApplyConfiguration) *CommonTLSApplyConfiguration { + b.DeprecatedKey = value + return b +} + // WithInsecureSkipTLSVerify sets the InsecureSkipTLSVerify field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the InsecureSkipTLSVerify field is set to the value of the last call. diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/externalsecretkeyselector.go b/operator/api/applyconfiguration/redpanda/v1alpha2/externalsecretkeyselector.go new file mode 100644 index 000000000..b2334285d --- /dev/null +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/externalsecretkeyselector.go 
@@ -0,0 +1,32 @@ +// Copyright 2025 Redpanda Data, Inc. +// +// Use of this software is governed by the Business Source License +// included in the file licenses/BSL.md +// +// As of the Change Date specified in that file, in accordance with +// the Business Source License, use of this software will be governed +// by the Apache License, Version 2.0 + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +// ExternalSecretKeySelectorApplyConfiguration represents a declarative configuration of the ExternalSecretKeySelector type for use +// with apply. +type ExternalSecretKeySelectorApplyConfiguration struct { + Name *string `json:"name,omitempty"` +} + +// ExternalSecretKeySelectorApplyConfiguration constructs a declarative configuration of the ExternalSecretKeySelector type for use with +// apply. +func ExternalSecretKeySelector() *ExternalSecretKeySelectorApplyConfiguration { + return &ExternalSecretKeySelectorApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ExternalSecretKeySelectorApplyConfiguration) WithName(value string) *ExternalSecretKeySelectorApplyConfiguration { + b.Name = &value + return b +} diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasl.go b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasl.go index 72952a8d0..080e0a93b 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasl.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasl.go 
@@ -18,12 +18,13 @@ import ( // KafkaSASLApplyConfiguration represents a declarative configuration of the KafkaSASL type for use // with apply. type KafkaSASLApplyConfiguration struct { - Username *string `json:"username,omitempty"` - Password *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` - Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` - OAUth *KafkaSASLOAuthBearerApplyConfiguration `json:"oauth,omitempty"` - GSSAPIConfig *KafkaSASLGSSAPIApplyConfiguration `json:"gssapi,omitempty"` - AWSMskIam *KafkaSASLAWSMskIamApplyConfiguration `json:"awsMskIam,omitempty"` + Username *string `json:"username,omitempty"` + Password *ValueSourceApplyConfiguration `json:"password,omitempty"` + Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` + OAUth *KafkaSASLOAuthBearerApplyConfiguration `json:"oauth,omitempty"` + GSSAPIConfig *KafkaSASLGSSAPIApplyConfiguration `json:"gssapi,omitempty"` + AWSMskIam *KafkaSASLAWSMskIamApplyConfiguration `json:"awsMskIam,omitempty"` + DeprecatedPassword *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` } // KafkaSASLApplyConfiguration constructs a declarative configuration of the KafkaSASL type for use with @@ -43,7 +44,7 @@ func (b *KafkaSASLApplyConfiguration) WithUsername(value string) *KafkaSASLApply // WithPassword sets the Password field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Password field is set to the value of the last call. -func (b *KafkaSASLApplyConfiguration) WithPassword(value *SecretKeyRefApplyConfiguration) *KafkaSASLApplyConfiguration { +func (b *KafkaSASLApplyConfiguration) WithPassword(value *ValueSourceApplyConfiguration) *KafkaSASLApplyConfiguration { b.Password = value return b } 
@@ -79,3 +80,11 @@ func (b *KafkaSASLApplyConfiguration) WithAWSMskIam(value *KafkaSASLAWSMskIamApp b.AWSMskIam = value return b } + +// WithDeprecatedPassword sets the DeprecatedPassword field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedPassword field is set to the value of the last call. +func (b *KafkaSASLApplyConfiguration) WithDeprecatedPassword(value *SecretKeyRefApplyConfiguration) *KafkaSASLApplyConfiguration { + b.DeprecatedPassword = value + return b +} diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslawsmskiam.go b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslawsmskiam.go index ee96329d1..593bb7756 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslawsmskiam.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslawsmskiam.go 
@@ -14,10 +14,12 @@ package v1alpha2 // KafkaSASLAWSMskIamApplyConfiguration represents a declarative configuration of the KafkaSASLAWSMskIam type for use // with apply. type KafkaSASLAWSMskIamApplyConfiguration struct { - AccessKey *string `json:"accessKey,omitempty"` - SecretKey *SecretKeyRefApplyConfiguration `json:"secretKeySecretRef,omitempty"` - SessionToken *SecretKeyRefApplyConfiguration `json:"sessionTokenSecretRef,omitempty"` - UserAgent *string `json:"userAgent,omitempty"` + AccessKey *string `json:"accessKey,omitempty"` + SecretKey *ValueSourceApplyConfiguration `json:"secretKey,omitempty"` + DeprecatedSecretKey *SecretKeyRefApplyConfiguration `json:"secretKeySecretRef,omitempty"` + SessionToken *ValueSourceApplyConfiguration `json:"sessionToken,omitempty"` + DeprecatedSessionToken *SecretKeyRefApplyConfiguration `json:"sessionTokenSecretRef,omitempty"` + UserAgent *string `json:"userAgent,omitempty"` } // KafkaSASLAWSMskIamApplyConfiguration constructs a declarative configuration of the KafkaSASLAWSMskIam type for use with 
@@ -37,19 +39,35 @@ func (b *KafkaSASLAWSMskIamApplyConfiguration) WithAccessKey(value string) *Kafk // WithSecretKey sets the SecretKey field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SecretKey field is set to the value of the last call. -func (b *KafkaSASLAWSMskIamApplyConfiguration) WithSecretKey(value *SecretKeyRefApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { +func (b *KafkaSASLAWSMskIamApplyConfiguration) WithSecretKey(value *ValueSourceApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { b.SecretKey = value return b } +// WithDeprecatedSecretKey sets the DeprecatedSecretKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedSecretKey field is set to the value of the last call. +func (b *KafkaSASLAWSMskIamApplyConfiguration) WithDeprecatedSecretKey(value *SecretKeyRefApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { + b.DeprecatedSecretKey = value + return b +} + // WithSessionToken sets the SessionToken field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the SessionToken field is set to the value of the last call. 
-func (b *KafkaSASLAWSMskIamApplyConfiguration) WithSessionToken(value *SecretKeyRefApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { +func (b *KafkaSASLAWSMskIamApplyConfiguration) WithSessionToken(value *ValueSourceApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { b.SessionToken = value return b } +// WithDeprecatedSessionToken sets the DeprecatedSessionToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedSessionToken field is set to the value of the last call. +func (b *KafkaSASLAWSMskIamApplyConfiguration) WithDeprecatedSessionToken(value *SecretKeyRefApplyConfiguration) *KafkaSASLAWSMskIamApplyConfiguration { + b.DeprecatedSessionToken = value + return b +} + // WithUserAgent sets the UserAgent field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the UserAgent field is set to the value of the last call. diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslgssapi.go b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslgssapi.go index 44472dc73..a0a3e2ca6 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslgssapi.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasaslgssapi.go 
@@ -19,7 +19,8 @@ type KafkaSASLGSSAPIApplyConfiguration struct { KerberosConfigPath *string `json:"kerberosConfigPath,omitempty"` ServiceName *string `json:"serviceName,omitempty"` Username *string `json:"username,omitempty"` - Password *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` + Password *ValueSourceApplyConfiguration `json:"password,omitempty"` + DeprecatedPassword *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` Realm *string `json:"realm,omitempty"` EnableFast *bool `json:"enableFast,omitempty"` } @@ -73,11 +74,19 @@ func (b *KafkaSASLGSSAPIApplyConfiguration) WithUsername(value string) *KafkaSAS // WithPassword sets the Password field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Password field is set to the value of the last call. -func (b *KafkaSASLGSSAPIApplyConfiguration) WithPassword(value *SecretKeyRefApplyConfiguration) *KafkaSASLGSSAPIApplyConfiguration { +func (b *KafkaSASLGSSAPIApplyConfiguration) WithPassword(value *ValueSourceApplyConfiguration) *KafkaSASLGSSAPIApplyConfiguration { b.Password = value return b } +// WithDeprecatedPassword sets the DeprecatedPassword field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedPassword field is set to the value of the last call. +func (b *KafkaSASLGSSAPIApplyConfiguration) WithDeprecatedPassword(value *SecretKeyRefApplyConfiguration) *KafkaSASLGSSAPIApplyConfiguration { + b.DeprecatedPassword = value + return b +} + // WithRealm sets the Realm field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Realm field is set to the value of the last call. 
diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasloauthbearer.go b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasloauthbearer.go index 245cceaf1..91ac05dac 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasloauthbearer.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/kafkasasloauthbearer.go @@ -14,7 +14,8 @@ package v1alpha2 // KafkaSASLOAuthBearerApplyConfiguration represents a declarative configuration of the KafkaSASLOAuthBearer type for use // with apply. type KafkaSASLOAuthBearerApplyConfiguration struct { - Token *SecretKeyRefApplyConfiguration `json:"tokenSecretRef,omitempty"` + Token *ValueSourceApplyConfiguration `json:"token,omitempty"` + DeprecatedToken *SecretKeyRefApplyConfiguration `json:"tokenSecretRef,omitempty"` } // KafkaSASLOAuthBearerApplyConfiguration constructs a declarative configuration of the KafkaSASLOAuthBearer type for use with 
@@ -26,7 +27,15 @@ func KafkaSASLOAuthBearer() *KafkaSASLOAuthBearerApplyConfiguration { // WithToken sets the Token field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Token field is set to the value of the last call. -func (b *KafkaSASLOAuthBearerApplyConfiguration) WithToken(value *SecretKeyRefApplyConfiguration) *KafkaSASLOAuthBearerApplyConfiguration { +func (b *KafkaSASLOAuthBearerApplyConfiguration) WithToken(value *ValueSourceApplyConfiguration) *KafkaSASLOAuthBearerApplyConfiguration { b.Token = value return b } + +// WithDeprecatedToken sets the DeprecatedToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedToken field is set to the value of the last call. +func (b *KafkaSASLOAuthBearerApplyConfiguration) WithDeprecatedToken(value *SecretKeyRefApplyConfiguration) *KafkaSASLOAuthBearerApplyConfiguration { + b.DeprecatedToken = value + return b +} diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/schemaregistrysasl.go b/operator/api/applyconfiguration/redpanda/v1alpha2/schemaregistrysasl.go index e6eedc931..5f1c3b5fc 100644 --- a/operator/api/applyconfiguration/redpanda/v1alpha2/schemaregistrysasl.go +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/schemaregistrysasl.go 
@@ -18,10 +18,12 @@ import ( // SchemaRegistrySASLApplyConfiguration represents a declarative configuration of the SchemaRegistrySASL type for use // with apply. type SchemaRegistrySASLApplyConfiguration struct { - Username *string `json:"username,omitempty"` - Password *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` - Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` - AuthToken *SecretKeyRefApplyConfiguration `json:"token,omitempty"` + Username *string `json:"username,omitempty"` + Password *ValueSourceApplyConfiguration `json:"password,omitempty"` + AuthToken *ValueSourceApplyConfiguration `json:"authToken,omitempty"` + Mechanism *redpandav1alpha2.SASLMechanism `json:"mechanism,omitempty"` + DeprecatedPassword *SecretKeyRefApplyConfiguration `json:"passwordSecretRef,omitempty"` + DeprecatedAuthToken *SecretKeyRefApplyConfiguration `json:"token,omitempty"` } // SchemaRegistrySASLApplyConfiguration constructs a declarative configuration of the SchemaRegistrySASL type for use with 
@@ -41,11 +43,19 @@ func (b *SchemaRegistrySASLApplyConfiguration) WithUsername(value string) *Schem // WithPassword sets the Password field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Password field is set to the value of the last call. -func (b *SchemaRegistrySASLApplyConfiguration) WithPassword(value *SecretKeyRefApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { +func (b *SchemaRegistrySASLApplyConfiguration) WithPassword(value *ValueSourceApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { b.Password = value return b } +// WithAuthToken sets the AuthToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the AuthToken field is set to the value of the last call. +func (b *SchemaRegistrySASLApplyConfiguration) WithAuthToken(value *ValueSourceApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { + b.AuthToken = value + return b +} + // WithMechanism sets the Mechanism field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Mechanism field is set to the value of the last call. 
@@ -54,10 +64,18 @@ func (b *SchemaRegistrySASLApplyConfiguration) WithMechanism(value redpandav1alp return b } -// WithAuthToken sets the AuthToken field in the declarative configuration to the given value +// WithDeprecatedPassword sets the DeprecatedPassword field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the AuthToken field is set to the value of the last call. -func (b *SchemaRegistrySASLApplyConfiguration) WithAuthToken(value *SecretKeyRefApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { - b.AuthToken = value +// If called multiple times, the DeprecatedPassword field is set to the value of the last call. +func (b *SchemaRegistrySASLApplyConfiguration) WithDeprecatedPassword(value *SecretKeyRefApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { + b.DeprecatedPassword = value + return b +} + +// WithDeprecatedAuthToken sets the DeprecatedAuthToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DeprecatedAuthToken field is set to the value of the last call. +func (b *SchemaRegistrySASLApplyConfiguration) WithDeprecatedAuthToken(value *SecretKeyRefApplyConfiguration) *SchemaRegistrySASLApplyConfiguration { + b.DeprecatedAuthToken = value return b } diff --git a/operator/api/applyconfiguration/redpanda/v1alpha2/valuesource.go b/operator/api/applyconfiguration/redpanda/v1alpha2/valuesource.go new file mode 100644 index 000000000..5f5eb8053 --- /dev/null +++ b/operator/api/applyconfiguration/redpanda/v1alpha2/valuesource.go 
@@ -0,0 +1,63 @@ +// Copyright 2025 Redpanda Data, Inc. +// +// Use of this software is governed by the Business Source License +// included in the file licenses/BSL.md +// +// As of the Change Date specified in that file, in accordance with +// the Business Source License, use of this software will be governed +// by the Apache License, Version 2.0 + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/api/core/v1" +) + +// ValueSourceApplyConfiguration represents a declarative configuration of the ValueSource type for use +// with apply. +type ValueSourceApplyConfiguration struct { + Inline *string `json:"inline,omitempty"` + ConfigMapKeyRef *v1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"` + SecretKeyRef *v1.SecretKeySelector `json:"secretKeyRef,omitempty"` + ExternalSecretRefSelector *ExternalSecretKeySelectorApplyConfiguration `json:"externalSecretRef,omitempty"` +} + +// ValueSourceApplyConfiguration constructs a declarative configuration of the ValueSource type for use with +// apply. +func ValueSource() *ValueSourceApplyConfiguration { + return &ValueSourceApplyConfiguration{} +} + +// WithInline sets the Inline field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Inline field is set to the value of the last call. +func (b *ValueSourceApplyConfiguration) WithInline(value string) *ValueSourceApplyConfiguration { + b.Inline = &value + return b +} + +// WithConfigMapKeyRef sets the ConfigMapKeyRef field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ConfigMapKeyRef field is set to the value of the last call. 
+func (b *ValueSourceApplyConfiguration) WithConfigMapKeyRef(value v1.ConfigMapKeySelector) *ValueSourceApplyConfiguration { + b.ConfigMapKeyRef = &value + return b +} + +// WithSecretKeyRef sets the SecretKeyRef field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SecretKeyRef field is set to the value of the last call. +func (b *ValueSourceApplyConfiguration) WithSecretKeyRef(value v1.SecretKeySelector) *ValueSourceApplyConfiguration { + b.SecretKeyRef = &value + return b +} + +// WithExternalSecretRefSelector sets the ExternalSecretRefSelector field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExternalSecretRefSelector field is set to the value of the last call. +func (b *ValueSourceApplyConfiguration) WithExternalSecretRefSelector(value *ExternalSecretKeySelectorApplyConfiguration) *ValueSourceApplyConfiguration { + b.ExternalSecretRefSelector = value + return b +} diff --git a/operator/api/redpanda/v1alpha2/common.go b/operator/api/redpanda/v1alpha2/common.go index ad9b3bd3c..cf9ac2483 100644 --- a/operator/api/redpanda/v1alpha2/common.go +++ b/operator/api/redpanda/v1alpha2/common.go @@ -26,7 +26,6 @@ import ( var ErrUnsupportedSASLMechanism = errors.New("unsupported SASL mechanism") // KafkaAPISpec configures client configuration settings for connecting to Redpanda brokers. -// +kubebuilder:validation:XValidation:rule="has(self.tls) == has(oldSelf.tls)",message="kafka tls settings are immutable" type KafkaAPISpec struct { // Specifies a list of broker addresses in the format : // +kubebuilder:validation:MinItems=1 
@@ -40,9 +39,9 @@ type KafkaAPISpec struct { } // KafkaSASL configures credentials to connect to Redpanda cluster that has authentication enabled. -// +kubebuilder:validation:XValidation:message="username and passwordSecretRef must be set when mechanism is plain",rule="self.mechanism.lowerAscii() != 'plain' || (self.username != \"\" && has(self.passwordSecretRef))" -// +kubebuilder:validation:XValidation:message="username and passwordSecretRef must be set when mechanism is sha-256",rule="self.mechanism.lowerAscii() != 'scram-sha-256' || (self.username != \"\" && has(self.passwordSecretRef))" -// +kubebuilder:validation:XValidation:message="username and passwordSecretRef must be set when mechanism is sha-512",rule="self.mechanism.lowerAscii() != 'scram-sha-512' || (self.username != \"\" && has(self.passwordSecretRef))" +// +kubebuilder:validation:XValidation:message="username and password must be set when mechanism is plain",rule="self.mechanism.lowerAscii() != 'plain' || (self.username != \"\" && (has(self.passwordSecretRef) || has(self.password)))" +// +kubebuilder:validation:XValidation:message="username and password must be set when mechanism is sha-256",rule="self.mechanism.lowerAscii() != 'scram-sha-256' || (self.username != \"\" && (has(self.passwordSecretRef) || has(self.password)))" +// +kubebuilder:validation:XValidation:message="username and password must be set when mechanism is sha-512",rule="self.mechanism.lowerAscii() != 'scram-sha-512' || (self.username != \"\" && (has(self.passwordSecretRef) || has(self.password)))" // +kubebuilder:validation:XValidation:message="oauth must be set when mechanism is oauth",rule="self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth)" // +kubebuilder:validation:XValidation:message="gssapi must be set when mechanism is gssapi",rule="self.mechanism.lowerAscii() != 'gssapi' || has(self.gssapi)" // +kubebuilder:validation:XValidation:message="awsMskIam must be set when mechanism is 
aws_msk_iam",rule="self.mechanism.lowerAscii() != 'aws_msk_iam' || has(self.awsMskIam)" @@ -52,7 +51,8 @@ type KafkaSASL struct { Username string `json:"username,omitempty"` // Specifies the password. // +optional - Password *SecretKeyRef `json:"passwordSecretRef,omitempty"` + Password *ValueSource `json:"password,omitempty"` + // Specifies the SASL/SCRAM authentication mechanism. Mechanism SASLMechanism `json:"mechanism"` // +optional @@ -61,6 +61,9 @@ type KafkaSASL struct { GSSAPIConfig *KafkaSASLGSSAPI `json:"gssapi,omitempty"` // +optional AWSMskIam *KafkaSASLAWSMskIam `json:"awsMskIam,omitempty"` + + // Deprecated: used `password` instead + DeprecatedPassword *SecretKeyRef `json:"passwordSecretRef,omitempty"` } // SASLMechanism specifies a SASL auth mechanism. @@ -98,7 +101,9 @@ func (s *SASLMechanism) ScramToKafka() (kadm.ScramMechanism, error) { // KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism type KafkaSASLOAuthBearer struct { - Token SecretKeyRef `json:"tokenSecretRef"` + Token *ValueSource `json:"token,omitempty"` + // Deprecated: use `token` instead + DeprecatedToken *SecretKeyRef `json:"tokenSecretRef,omitempty"` } // KafkaSASLGSSAPI represents the Kafka Kerberos config. @@ -108,8 +113,10 @@ type KafkaSASLGSSAPI struct { KerberosConfigPath string `json:"kerberosConfigPath"` ServiceName string `json:"serviceName"` Username string `json:"username"` - Password SecretKeyRef `json:"passwordSecretRef"` - Realm string `json:"realm"` + Password *ValueSource `json:"password,omitempty"` + // Deprecated: use `password` instead + DeprecatedPassword *SecretKeyRef `json:"passwordSecretRef,omitempty"` + Realm string `json:"realm"` // EnableFAST enables FAST, which is a pre-authentication framework for Kerberos. // It includes a mechanism for tunneling pre-authentication exchanges using armored KDC messages. 
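Review bot: The doc comment added for `DeprecatedPassword` on `KafkaSASL` (hunk `@@ -61,6 +61,9 @@`) reads "Deprecated: used `password` instead", while every sibling field in this commit says "use". The text is copied verbatim into the generated CRD reference, so the typo reaches users. I would change it to `// Deprecated: use password instead.`, keeping the backticks around the field name as the sibling comments do.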
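Review bot: `KafkaSASLOAuthBearer` (hunk `@@ -98,7 +101,9 @@`) now admits an object with neither `token` nor `tokenSecretRef`. The old `tokenSecretRef` was a non-pointer field without `omitempty`, which controller-gen normally emits as required, and both replacements are optional pointers. The `KafkaSASL` rule for `oauthbearer` only checks `has(self.oauth)`, so an empty `oauth: {}` would pass admission and presumably only fail later, when the client has no credential. A type-level rule would restore the check: `// +kubebuilder:validation:XValidation:message="token must be set",rule="has(self.token) || has(self.tokenSecretRef)"`. The same gap applies to `secretKey`/`secretKeySecretRef` on `KafkaSASLAWSMskIam` in the `@@ -121,11 +128,16 @@` hunk; both struct definitions continue outside their hunks.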
@@ -121,11 +128,16 @@ type KafkaSASLGSSAPI struct { // see: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html type KafkaSASLAWSMskIam struct { AccessKey string `json:"accessKey"` - SecretKey SecretKeyRef `json:"secretKeySecretRef"` + SecretKey *ValueSource `json:"secretKey,omitempty"` + // Deprecated: use `secretKey` instead + DeprecatedSecretKey *SecretKeyRef `json:"secretKeySecretRef,omitempty"` // SessionToken, if non-empty, is a session / security token to use for authentication. // See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html - SessionToken SecretKeyRef `json:"sessionTokenSecretRef"` + SessionToken *ValueSource `json:"sessionToken,omitempty"` + + // Deprecated: use `sessionToken` instead + DeprecatedSessionToken *SecretKeyRef `json:"sessionTokenSecretRef,omitempty"` // UserAgent is the user agent to for the client to use when connecting // to Kafka, overriding the default "franz-go//". 
@@ -147,17 +159,53 @@ type CommonTLS struct { // specification. Enabled bool `json:"enabled,omitempty"` // CaCert is the reference for certificate authority used to establish TLS connection to Redpanda - CaCert *SecretKeyRef `json:"caCertSecretRef,omitempty"` + CaCert *ValueSource `json:"caCert,omitempty"` // Cert is the reference for client public certificate to establish mTLS connection to Redpanda - Cert *SecretKeyRef `json:"certSecretRef,omitempty"` + Cert *ValueSource `json:"cert,omitempty"` // Key is the reference for client private certificate to establish mTLS connection to Redpanda - Key *SecretKeyRef `json:"keySecretRef,omitempty"` + Key *ValueSource `json:"key,omitempty"` + + // Deprecated: replaced by "caCert". + DeprecatedCaCert *SecretKeyRef `json:"caCertSecretRef,omitempty"` + // Deprecated: replaced by "cert". + DeprecatedCert *SecretKeyRef `json:"certSecretRef,omitempty"` + // Deprecated: replaced by "key". + DeprecatedKey *SecretKeyRef `json:"keySecretRef,omitempty"` + // InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda // +optional InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify,omitempty"` } -// SecretKeyRef contains enough information to inspect or modify the referred Secret data +// ValueSource represents where a value can be pulled from +// +structType=atomic +// +kubebuilder:validation:XValidation:message="one of inline, configMapKeyRef, secretKeyRef, or externalSecretRef must be set",rule="has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) || has(self.externalSecretRef)" +// +kubebuilder:validation:XValidation:message="if inline is set no other field can be set",rule="!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) || has(self.secretKeyRef) || has(self.externalSecretRef)))" +// +kubebuilder:validation:XValidation:message="if configMapKeyRef is set no other field can be set",rule="!has(self.configMapKeyRef) || 
(has(self.configMapKeyRef) && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))" +// +kubebuilder:validation:XValidation:message="if secretKeyRef is set no other field can be set",rule="!has(self.secretKeyRef) || (has(self.secretKeyRef) && !(has(self.configMapKeyRef) || has(self.inline) || has(self.externalSecretRef)))" +// +kubebuilder:validation:XValidation:message="if externalSecretRef is set no other field can be set",rule="!has(self.externalSecretRef) || (has(self.externalSecretRef) && !(has(self.configMapKeyRef) || has(self.secretKeyRef) || has(self.inline)))" +type ValueSource struct { + // Inline is the raw value specified inline. + Inline *string `json:"inline,omitempty"` + // If the value is supplied by a kubernetes object reference, coordinates are embedded here. + // For target values, the string value fetched from the source will be treated as + // a raw string. + ConfigMapKeyRef *corev1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"` + // Should the value be contained in a k8s secret rather than configmap, we can refer + // to it here. + SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"` + // If the value is supplied by an external source, coordinates are embedded here. + // Note: we interpret all fetched external secrets as raw string values + ExternalSecretRefSelector *ExternalSecretKeySelector `json:"externalSecretRef,omitempty"` +} + +// ExternalSecretKeySelector selects a key of an external Secret. +// +structType=atomic +type ExternalSecretKeySelector struct { + Name string `json:"name"` +} + +// Deprecated: SecretKeyRef contains enough information to inspect or modify the referred Secret data // See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. type SecretKeyRef struct { // Name of the referent. 
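Review bot: The `Inline` and `ConfigMapKeyRef` comments on `ValueSource` do not say that these sources keep the value in plain text in the resource spec or ConfigMap. This hunk makes `ValueSource` the type of `CommonTLS.Key`, and other hunks in the commit use it for passwords and tokens. Anyone who can read the custom resource or its manifest in version control can then read the credential, which the previous Secret-only fields did not allow. I would extend the field comment, e.g. `// Inline is the raw value specified inline. It is stored in plain text in the resource; use secretKeyRef or externalSecretRef for passwords, tokens and private keys.` `ExternalSecretKeySelector.Name` also has no doc comment and no minimum-length marker, so the schema as written accepts an empty name.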
@@ -218,14 +266,19 @@ type AdminSASL struct { // Specifies the username. // +optional Username string `json:"username,omitempty"` - // Specifies the password. - // +optional - Password SecretKeyRef `json:"passwordSecretRef,omitempty"` // Specifies the SASL/SCRAM authentication mechanism. Mechanism SASLMechanism `json:"mechanism"` + // Specifies the password. + // +optional + Password *ValueSource `json:"password,omitempty"` // Specifies token for token-based authentication (only used if no username/password are provided). // +optional - AuthToken SecretKeyRef `json:"token,omitempty"` + AuthToken *ValueSource `json:"authToken,omitempty"` + + // Deprecated: use `password` instead + DeprecatedPassword *SecretKeyRef `json:"passwordSecretRef,omitempty"` + // Deprecated: use `authToken` instead + DeprecatedAuthToken *SecretKeyRef `json:"token,omitempty"` } // SchemaRegistrySpec defines client configuration for connecting to Redpanda's admin API. @@ -247,11 +300,16 @@ type SchemaRegistrySASL struct { Username string `json:"username,omitempty"` // Specifies the password. // +optional - Password SecretKeyRef `json:"passwordSecretRef,omitempty"` + Password *ValueSource `json:"password,omitempty"` + // +optional + AuthToken *ValueSource `json:"authToken,omitempty"` // Specifies the SASL/SCRAM authentication mechanism. Mechanism SASLMechanism `json:"mechanism"` - // +optional - AuthToken SecretKeyRef `json:"token,omitempty"` + + // Deprecated: use `password` instead + DeprecatedPassword *SecretKeyRef `json:"passwordSecretRef,omitempty"` + // Deprecated: use `authToken` instead + DeprecatedAuthToken *SecretKeyRef `json:"token,omitempty"` } // ClusterRef represents a reference to a cluster that is being targeted. diff --git a/operator/api/redpanda/v1alpha2/conversion.go b/operator/api/redpanda/v1alpha2/conversion.go index b8dfa0082..2d3efcfb1 100644 --- a/operator/api/redpanda/v1alpha2/conversion.go +++ b/operator/api/redpanda/v1alpha2/conversion.go 
@@ -38,6 +38,16 @@ var ( // goverter:context namespace ConvertStaticConfigToIR func(namespace string, src *StaticConfigurationSource) *ir.StaticConfigurationSource + // goverter:context namespace + ConvertKafkaAPISpecToIR func(namespace string, src *KafkaAPISpec) *ir.KafkaAPISpec + + // goverter:map SASL Auth + // goverter:context namespace + ConvertAdminAPISpecToIR func(namespace string, src *AdminAPISpec) *ir.AdminAPISpec + + // goverter:context namespace + ConvertSchemaRegistrySpecToIR func(namespace string, src *SchemaRegistrySpec) *ir.SchemaRegistrySpec + // Private conversions for tuning / customizing conversions. // Naming conversion: `autoconv__To__` @@ -49,17 +59,9 @@ var ( // Ability to disable creation of service account is not exposed through the Console CRD. autoconv_ServiceAccountConfig_To_console_PartialServiceAccountConfig func(*ServiceAccountConfig) *console.PartialServiceAccountConfig - // goverter:map SASL Auth - // goverter:context namespace - // AdminAPI auth isn't technically SASL; it's been renamed. - autoconv_AdminAPISpec_To_ir_AdminAPISpec func(_ *AdminAPISpec, namespace string) *ir.AdminAPISpec - // goverter:map Namespace | getNamespace // goverter:context namespace - autoconv_SecretKeyRef_To_ir_SecretKeyRef func(_ SecretKeyRef, namespace string) ir.SecretKeyRef - - // goverter:context namespace - autoconv_CommonTLS_To_ir_CommonTLS func(_ *CommonTLS, namespace string) *ir.CommonTLS + autoconv_ValueSource_To_ir_ValueSource func(_ *ValueSource, namespace string) *ir.ValueSource ) // getNamespace returns the namespace context argument to set fields on nested 
@@ -73,21 +75,160 @@ func getNamespace(namespace string) string { // Naming conversion: `conv__To__` //goverter:context namespace -func conv_SecretKeyRef_To_ir_ObjectKeyRef(skr *SecretKeyRef, namespace string) *ir.ObjectKeyRef { - if skr == nil { +func conv_CommonTLS_To_ir_CommonTLS(tls *CommonTLS, namespace string) *ir.CommonTLS { + if tls == nil { return nil } - // Internal type supports ConfigMaps and Secrets. Public API only supports - // Secrets. - return &ir.ObjectKeyRef{ - Namespace: namespace, - SecretKeyRef: &corev1.SecretKeySelector{ - Key: skr.Key, - LocalObjectReference: corev1.LocalObjectReference{ - Name: skr.Name, - }, - }, + + commonTLS := &ir.CommonTLS{ + CaCert: autoconv_ValueSource_To_ir_ValueSource(tls.CaCert, namespace), + Cert: autoconv_ValueSource_To_ir_ValueSource(tls.Cert, namespace), + Key: autoconv_ValueSource_To_ir_ValueSource(tls.Key, namespace), + } + + if tls.DeprecatedCaCert != nil { + commonTLS.CaCert = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(tls.DeprecatedCaCert, namespace) + } + if tls.DeprecatedCert != nil { + commonTLS.Cert = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(tls.DeprecatedCert, namespace) + } + if tls.DeprecatedKey != nil { + commonTLS.Key = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(tls.DeprecatedKey, namespace) } + + commonTLS.InsecureSkipTLSVerify = tls.InsecureSkipTLSVerify + + return commonTLS +} + +//goverter:context namespace +func conv_AdminSASL_To_ir_AdminAuth(sasl *AdminSASL, namespace string) *ir.AdminAuth { + if sasl == nil { + return nil + } + + irAuth := &ir.AdminAuth{ + Username: sasl.Username, + Password: autoconv_ValueSource_To_ir_ValueSource(sasl.Password, namespace), + AuthToken: autoconv_ValueSource_To_ir_ValueSource(sasl.AuthToken, namespace), + } + + if sasl.DeprecatedPassword != nil && sasl.DeprecatedPassword.Name != "" { + irAuth.Password = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(sasl.DeprecatedPassword, namespace) + } + + if sasl.DeprecatedAuthToken != nil && sasl.DeprecatedAuthToken.Name != 
"" { + irAuth.AuthToken = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(sasl.DeprecatedAuthToken, namespace) + } + + return irAuth +} + +//goverter:context namespace +func conv_SchemaRegistrySASL_To_ir_SchemaRegistrySASL(sasl *SchemaRegistrySASL, namespace string) *ir.SchemaRegistrySASL { + if sasl == nil { + return nil + } + + irSASL := &ir.SchemaRegistrySASL{ + Username: sasl.Username, + Password: autoconv_ValueSource_To_ir_ValueSource(sasl.Password, namespace), + AuthToken: autoconv_ValueSource_To_ir_ValueSource(sasl.AuthToken, namespace), + } + + if sasl.DeprecatedPassword != nil && sasl.DeprecatedPassword.Name != "" { + irSASL.Password = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(sasl.DeprecatedPassword, namespace) + } + + if sasl.DeprecatedAuthToken != nil && sasl.DeprecatedAuthToken.Name != "" { + irSASL.AuthToken = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(sasl.DeprecatedAuthToken, namespace) + } + + return irSASL +} + +//goverter:context namespace +func conv_KafkaSASL_To_ir_KafkaSASL(sasl *KafkaSASL, namespace string) *ir.KafkaSASL { + if sasl == nil { + return nil + } + + irSASL := &ir.KafkaSASL{ + Username: sasl.Username, + Mechanism: ir.SASLMechanism(sasl.Mechanism), + Password: autoconv_ValueSource_To_ir_ValueSource(sasl.Password, namespace), + OAUth: conv_KafkaSASLOauth_To_ir_KafkaSASLOauth(sasl.OAUth, namespace), + GSSAPIConfig: conv_KafkaSASLGSSAPI_To_ir_KafkaSASLGSSAPI(sasl.GSSAPIConfig, namespace), + AWSMskIam: conv_KafkaSASLAWSMskIam_To_ir_KafkaSASLAWSMskIam(sasl.AWSMskIam, namespace), + } + + if sasl.DeprecatedPassword != nil && sasl.DeprecatedPassword.Name != "" { + irSASL.Password = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(sasl.DeprecatedPassword, namespace) + } + + return irSASL +} + +func conv_KafkaSASLAWSMskIam_To_ir_KafkaSASLAWSMskIam(iam *KafkaSASLAWSMskIam, namespace string) *ir.KafkaSASLAWSMskIam { + if iam == nil { + return nil + } + + irIAM := &ir.KafkaSASLAWSMskIam{ + AccessKey: iam.AccessKey, + UserAgent: iam.UserAgent, + SecretKey: 
autoconv_ValueSource_To_ir_ValueSource(iam.SecretKey, namespace), + SessionToken: autoconv_ValueSource_To_ir_ValueSource(iam.SessionToken, namespace), + } + + if iam.DeprecatedSecretKey != nil && iam.DeprecatedSecretKey.Name != "" { + irIAM.SecretKey = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(iam.DeprecatedSecretKey, namespace) + } + + if iam.DeprecatedSessionToken != nil && iam.DeprecatedSessionToken.Name != "" { + irIAM.SessionToken = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(iam.DeprecatedSessionToken, namespace) + } + + return irIAM +} + +func conv_KafkaSASLOauth_To_ir_KafkaSASLOauth(oauth *KafkaSASLOAuthBearer, namespace string) *ir.KafkaSASLOAuthBearer { + if oauth == nil { + return nil + } + + irOauth := &ir.KafkaSASLOAuthBearer{ + Token: autoconv_ValueSource_To_ir_ValueSource(oauth.Token, namespace), + } + + if oauth.DeprecatedToken != nil && oauth.DeprecatedToken.Name != "" { + irOauth.Token = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(oauth.DeprecatedToken, namespace) + } + + return irOauth +} + +func conv_KafkaSASLGSSAPI_To_ir_KafkaSASLGSSAPI(gssAPI *KafkaSASLGSSAPI, namespace string) *ir.KafkaSASLGSSAPI { + if gssAPI == nil { + return nil + } + + irGSSAPI := &ir.KafkaSASLGSSAPI{ + AuthType: gssAPI.AuthType, + KeyTabPath: gssAPI.KeyTabPath, + KerberosConfigPath: gssAPI.KerberosConfigPath, + ServiceName: gssAPI.ServiceName, + Username: gssAPI.Username, + Password: autoconv_ValueSource_To_ir_ValueSource(gssAPI.Password, namespace), + Realm: gssAPI.Realm, + EnableFast: gssAPI.EnableFast, + } + + if gssAPI.DeprecatedPassword != nil && gssAPI.DeprecatedPassword.Name != "" { + irGSSAPI.Password = conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(gssAPI.DeprecatedPassword, namespace) + } + + return irGSSAPI } func conv_runtime_RawExtension_To_mapany(ext *runtime.RawExtension) (map[string]any, error) { 
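Review bot: When both the new and the deprecated field are set, every converter in this hunk lets the deprecated Secret reference overwrite the new `ValueSource` (for example `irAuth.Password` in `conv_AdminSASL_To_ir_AdminAuth`), and the CEL rules visible on `KafkaSASL` accept both being present. A user who migrates to `password` but leaves `passwordSecretRef` in place keeps authenticating with the old secret, with no signal that the new value is ignored. `conv_CommonTLS_To_ir_CommonTLS` is also inconsistent with the others: it tests only `!= nil`, so a deprecated ref with an empty name replaces a valid `caCert`, `cert` or `key`. I would fall back to the deprecated field only when the new one is unset, e.g. `if commonTLS.CaCert == nil && tls.DeprecatedCaCert != nil && tls.DeprecatedCaCert.Name != "" {`, and apply the same guard in each converter.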
@@ -116,3 +257,20 @@ type deepCopier[T any] interface { func convertDeepCopier[T any, P deepCopier[T]](in T) T { return *P(&in).DeepCopy() } + +func conv_SecretKeyRefPtr_To_ir_ValueSourcePtr(skr *SecretKeyRef, namespace string) *ir.ValueSource { + if skr == nil { + return nil + } + // Internal type supports ConfigMaps and Secrets. Public API only supports + // Secrets. + return &ir.ValueSource{ + Namespace: namespace, + SecretKeyRef: &corev1.SecretKeySelector{ + Key: skr.Key, + LocalObjectReference: corev1.LocalObjectReference{ + Name: skr.Name, + }, + }, + } +} diff --git a/operator/api/redpanda/v1alpha2/testdata/crd-docs.adoc b/operator/api/redpanda/v1alpha2/testdata/crd-docs.adoc index 38248b289..00c4cfed7 100644 --- a/operator/api/redpanda/v1alpha2/testdata/crd-docs.adoc +++ b/operator/api/redpanda/v1alpha2/testdata/crd-docs.adoc 
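Review bot: The comment inside `conv_SecretKeyRefPtr_To_ir_ValueSourcePtr`, "Internal type supports ConfigMaps and Secrets. Public API only supports Secrets.", was carried over from the removed `conv_SecretKeyRef_To_ir_ObjectKeyRef` and no longer matches this commit. The public `ValueSource` now also offers `configMapKeyRef`, `inline` and `externalSecretRef`. The function has no doc comment either. A header such as `// conv_SecretKeyRefPtr_To_ir_ValueSourcePtr maps a deprecated SecretKeyRef onto a Secret-backed ir.ValueSource in the given namespace; a nil input yields nil.` would cover both, with the inner comment reworded to say that only the deprecated fields are limited to Secrets.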
@@ -266,9 +266,11 @@ AdminSASL configures credentials to connect to Redpanda cluster that has authent |=== | Field | Description | Default | Validation | *`username`* __string__ | Specifies the username. + | | -| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + | | | *`mechanism`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + | | -| *`token`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies token for token-based authentication (only used if no username/password are provided). + | | +| *`password`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Specifies the password. + | | +| *`authToken`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Specifies token for token-based authentication (only used if no username/password are provided). + | | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `password` instead + | | +| *`token`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `authToken` instead + | | |=== 
@@ -633,9 +635,12 @@ results in attempting to create a connection using TLS - specifying "false" in s *not* disable TLS from being used. Leveraging this option is to support the use-case where a + connection is served by publically issued TLS certificates that don't require any additional certificate + specification. + | | -| *`caCertSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + | | -| *`certSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Cert is the reference for client public certificate to establish mTLS connection to Redpanda + | | -| *`keySecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Key is the reference for client private certificate to establish mTLS connection to Redpanda + | | +| *`caCert`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + | | +| *`cert`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Cert is the reference for client public certificate to establish mTLS connection to Redpanda + | | +| *`key`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Key is the reference for client private certificate to establish mTLS connection to Redpanda + | | +| *`caCertSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: replaced by "caCert". 
+ | | +| *`certSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: replaced by "cert". + | | +| *`keySecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: replaced by "key". + | | | *`insecureSkipTlsVerify`* __boolean__ | InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda + | | |=== @@ -1208,6 +1213,27 @@ on internal listeners. + | | |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externalsecretkeyselector"] +==== ExternalSecretKeySelector + + + +ExternalSecretKeySelector selects a key of an external Secret. + + + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$] +**** + +[cols="20a,50a,15a,15a", options="header"] +|=== +| Field | Description | Default | Validation +| *`name`* __string__ | | | +|=== + + [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externalservice"] ==== ExternalService 
@@ -1549,11 +1575,12 @@ KafkaSASL configures credentials to connect to Redpanda cluster that has authent |=== | Field | Description | Default | Validation | *`username`* __string__ | Specifies the username. + | | -| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + | | +| *`password`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Specifies the password. + | | | *`mechanism`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + | | | *`oauth`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$]__ | | | | *`gssapi`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$]__ | | | | *`awsMskIam`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$]__ | | | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: used `password` instead + | | |=== 
@@ -1576,9 +1603,11 @@ see: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.ht |=== | Field | Description | Default | Validation | *`accessKey`* __string__ | | | -| *`secretKeySecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | | | -| *`sessionTokenSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | SessionToken, if non-empty, is a session / security token to use for authentication. + +| *`secretKey`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | | | +| *`secretKeySecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `secretKey` instead + | | +| *`sessionToken`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | SessionToken, if non-empty, is a session / security token to use for authentication. + See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + | | +| *`sessionTokenSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `sessionToken` instead + | | | *`userAgent`* __string__ | UserAgent is the user agent to for the client to use when connecting + to Kafka, overriding the default "franz-go//". + 
@@ -1611,7 +1640,8 @@ KafkaSASLGSSAPI represents the Kafka Kerberos config. | *`kerberosConfigPath`* __string__ | | | | *`serviceName`* __string__ | | | | *`username`* __string__ | | | -| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | | | +| *`password`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | | | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `password` instead + | | | *`realm`* __string__ | | | | *`enableFast`* __boolean__ | EnableFAST enables FAST, which is a pre-authentication framework for Kerberos. + It includes a mechanism for tunneling pre-authentication exchanges using armored KDC messages. + @@ -1636,7 +1666,8 @@ KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism [cols="20a,50a,15a,15a", options="header"] |=== | Field | Description | Default | Validation -| *`tokenSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | | | +| *`token`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | | | +| *`tokenSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `token` instead + | | |=== 
@@ -3090,9 +3121,11 @@ SchemaRegistrySASL configures credentials to connect to Redpanda cluster that ha |=== | Field | Description | Default | Validation | *`username`* __string__ | Specifies the username. + | | -| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Specifies the password. + | | +| *`password`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | Specifies the password. + | | +| *`authToken`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource[$$ValueSource$$]__ | | | | *`mechanism`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-saslmechanism[$$SASLMechanism$$]__ | Specifies the SASL/SCRAM authentication mechanism. + | | -| *`token`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | | | +| *`passwordSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `password` instead + | | +| *`token`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-secretkeyref[$$SecretKeyRef$$]__ | Deprecated: use `authToken` instead + | | |=== @@ -3246,7 +3279,7 @@ SchemaType specifies the type of the given schema. -SecretKeyRef contains enough information to inspect or modify the referred Secret data +Deprecated: SecretKeyRef contains enough information to inspect or modify the referred Secret data See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. 
@@ -4213,3 +4246,37 @@ UsersItems configures a list of superusers in the Helm values. |=== +[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-valuesource"] +==== ValueSource + + + +ValueSource represents where a value can be pulled from + + + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-adminsasl[$$AdminSASL$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-commontls[$$CommonTLS$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasl[$$KafkaSASL$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslawsmskiam[$$KafkaSASLAWSMskIam$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasaslgssapi[$$KafkaSASLGSSAPI$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-kafkasasloauthbearer[$$KafkaSASLOAuthBearer$$] +- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-schemaregistrysasl[$$SchemaRegistrySASL$$] +**** + +[cols="20a,50a,15a,15a", options="header"] +|=== +| Field | Description | Default | Validation +| *`inline`* __string__ | Inline is the raw value specified inline. + | | +| *`configMapKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#configmapkeyselector-v1-core[$$ConfigMapKeySelector$$]__ | If the value is supplied by a kubernetes object reference, coordinates are embedded here. + +For target values, the string value fetched from the source will be treated as + +a raw string. 
+ | | +| *`secretKeyRef`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#secretkeyselector-v1-core[$$SecretKeySelector$$]__ | Should the value be contained in a k8s secret rather than configmap, we can refer + +to it here. + | | +| *`externalSecretRef`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-externalsecretkeyselector[$$ExternalSecretKeySelector$$]__ | If the value is supplied by an external source, coordinates are embedded here. + +Note: we interpret all fetched external secrets as raw string values + | | +|=== + + diff --git a/operator/api/redpanda/v1alpha2/zz_generated.conversion.go b/operator/api/redpanda/v1alpha2/zz_generated.conversion.go index 852b124a7..ec128535a 100644 --- a/operator/api/redpanda/v1alpha2/zz_generated.conversion.go +++ b/operator/api/redpanda/v1alpha2/zz_generated.conversion.go @@ -14,6 +14,22 @@ import ( ) func init() { + ConvertAdminAPISpecToIR = func(context string, source *AdminAPISpec) *ir.AdminAPISpec { + var pIrAdminAPISpec *ir.AdminAPISpec + if source != nil { + var irAdminAPISpec ir.AdminAPISpec + if (*source).URLs != nil { + irAdminAPISpec.URLs = make([]string, len((*source).URLs)) + for i := 0; i < len((*source).URLs); i++ { + irAdminAPISpec.URLs[i] = (*source).URLs[i] + } + } + irAdminAPISpec.TLS = conv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) + irAdminAPISpec.Auth = conv_AdminSASL_To_ir_AdminAuth((*source).SASL, context) + pIrAdminAPISpec = &irAdminAPISpec + } + return pIrAdminAPISpec + } ConvertConsoleToConsolePartialRenderValues = func(source *ConsoleValues) (*v3.PartialRenderValues, error) { var pConsolePartialRenderValues *v3.PartialRenderValues if source != nil { 
@@ -144,44 +160,48 @@ func init() { } return pConsolePartialRenderValues, nil } - ConvertStaticConfigToIR = func(context string, source *StaticConfigurationSource) *ir.StaticConfigurationSource { - var pIrStaticConfigurationSource *ir.StaticConfigurationSource + ConvertKafkaAPISpecToIR = func(context string, source *KafkaAPISpec) *ir.KafkaAPISpec { + var pIrKafkaAPISpec *ir.KafkaAPISpec if source != nil { - var irStaticConfigurationSource ir.StaticConfigurationSource - irStaticConfigurationSource.Kafka = pV1alpha2KafkaAPISpecToPIrKafkaAPISpec((*source).Kafka, context) - irStaticConfigurationSource.Admin = autoconv_AdminAPISpec_To_ir_AdminAPISpec((*source).Admin, context) - irStaticConfigurationSource.SchemaRegistry = pV1alpha2SchemaRegistrySpecToPIrSchemaRegistrySpec((*source).SchemaRegistry, context) - pIrStaticConfigurationSource = &irStaticConfigurationSource + var irKafkaAPISpec ir.KafkaAPISpec + if (*source).Brokers != nil { + irKafkaAPISpec.Brokers = make([]string, len((*source).Brokers)) + for i := 0; i < len((*source).Brokers); i++ { + irKafkaAPISpec.Brokers[i] = (*source).Brokers[i] + } + } + irKafkaAPISpec.TLS = conv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) + irKafkaAPISpec.SASL = conv_KafkaSASL_To_ir_KafkaSASL((*source).SASL, context) + pIrKafkaAPISpec = &irKafkaAPISpec } - return pIrStaticConfigurationSource + return pIrKafkaAPISpec } - autoconv_AdminAPISpec_To_ir_AdminAPISpec = func(source *AdminAPISpec, context string) *ir.AdminAPISpec { - var pIrAdminAPISpec *ir.AdminAPISpec + ConvertSchemaRegistrySpecToIR = func(context string, source *SchemaRegistrySpec) *ir.SchemaRegistrySpec { + var pIrSchemaRegistrySpec *ir.SchemaRegistrySpec if source != nil { - var irAdminAPISpec ir.AdminAPISpec + var irSchemaRegistrySpec ir.SchemaRegistrySpec if (*source).URLs != nil { - irAdminAPISpec.URLs = make([]string, len((*source).URLs)) + irSchemaRegistrySpec.URLs = make([]string, len((*source).URLs)) for i := 0; i < len((*source).URLs); i++ { - 
irAdminAPISpec.URLs[i] = (*source).URLs[i] + irSchemaRegistrySpec.URLs[i] = (*source).URLs[i] } } - irAdminAPISpec.TLS = autoconv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) - irAdminAPISpec.Auth = pV1alpha2AdminSASLToPIrAdminAuth((*source).SASL, context) - pIrAdminAPISpec = &irAdminAPISpec + irSchemaRegistrySpec.TLS = conv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) + irSchemaRegistrySpec.SASL = conv_SchemaRegistrySASL_To_ir_SchemaRegistrySASL((*source).SASL, context) + pIrSchemaRegistrySpec = &irSchemaRegistrySpec } - return pIrAdminAPISpec + return pIrSchemaRegistrySpec } - autoconv_CommonTLS_To_ir_CommonTLS = func(source *CommonTLS, context string) *ir.CommonTLS { - var pIrCommonTLS *ir.CommonTLS + ConvertStaticConfigToIR = func(context string, source *StaticConfigurationSource) *ir.StaticConfigurationSource { + var pIrStaticConfigurationSource *ir.StaticConfigurationSource if source != nil { - var irCommonTLS ir.CommonTLS - irCommonTLS.CaCert = conv_SecretKeyRef_To_ir_ObjectKeyRef((*source).CaCert, context) - irCommonTLS.Cert = pV1alpha2SecretKeyRefToPIrSecretKeyRef((*source).Cert, context) - irCommonTLS.Key = pV1alpha2SecretKeyRefToPIrSecretKeyRef((*source).Key, context) - irCommonTLS.InsecureSkipTLSVerify = (*source).InsecureSkipTLSVerify - pIrCommonTLS = &irCommonTLS + var irStaticConfigurationSource ir.StaticConfigurationSource + irStaticConfigurationSource.Kafka = ConvertKafkaAPISpecToIR(context, (*source).Kafka) + irStaticConfigurationSource.Admin = ConvertAdminAPISpecToIR(context, (*source).Admin) + irStaticConfigurationSource.SchemaRegistry = ConvertSchemaRegistrySpecToIR(context, (*source).SchemaRegistry) + pIrStaticConfigurationSource = &irStaticConfigurationSource } - return pIrCommonTLS + return pIrStaticConfigurationSource } autoconv_DeploymentConfig_console_PartialDeploymentConfig = func(source *DeploymentConfig) *v3.PartialDeploymentConfig { var pConsolePartialDeploymentConfig *v3.PartialDeploymentConfig 
@@ -203,13 +223,6 @@ func init() { } return pConsolePartialDeploymentConfig } - autoconv_SecretKeyRef_To_ir_SecretKeyRef = func(source SecretKeyRef, context string) ir.SecretKeyRef { - var irSecretKeyRef ir.SecretKeyRef - irSecretKeyRef.Namespace = getNamespace(context) - irSecretKeyRef.Name = source.Name - irSecretKeyRef.Key = source.Key - return irSecretKeyRef - } autoconv_ServiceAccountConfig_To_console_PartialServiceAccountConfig = func(source *ServiceAccountConfig) *v3.PartialServiceAccountConfig { var pConsolePartialServiceAccountConfig *v3.PartialServiceAccountConfig if source != nil { @@ -232,6 +245,22 @@ func init() { } return pConsolePartialServiceAccountConfig } + autoconv_ValueSource_To_ir_ValueSource = func(source *ValueSource, context string) *ir.ValueSource { + var pIrValueSource *ir.ValueSource + if source != nil { + var irValueSource ir.ValueSource + irValueSource.Namespace = getNamespace(context) + if (*source).Inline != nil { + xstring := *(*source).Inline + irValueSource.Inline = &xstring + } + irValueSource.ConfigMapKeyRef = pV1ConfigMapKeySelectorToPV1ConfigMapKeySelector((*source).ConfigMapKeyRef) + irValueSource.SecretKeyRef = pV1SecretKeySelectorToPV1SecretKeySelector((*source).SecretKeyRef) + irValueSource.ExternalSecretRefSelector = pV1alpha2ExternalSecretKeySelectorToPIrExternalSecretKeySelector((*source).ExternalSecretRefSelector) + pIrValueSource = &irValueSource + } + return pIrValueSource + } } func intstrIntOrStringToIntstrIntOrString(source intstr.IntOrString) intstr.IntOrString { var intstrIntOrString intstr.IntOrString 
@@ -305,6 +334,20 @@ func pV1ConfigMapEnvSourceToPV1ConfigMapEnvSource(source *v1.ConfigMapEnvSource) } return pV1ConfigMapEnvSource } +func pV1ConfigMapKeySelectorToPV1ConfigMapKeySelector(source *v1.ConfigMapKeySelector) *v1.ConfigMapKeySelector { + var pV1ConfigMapKeySelector *v1.ConfigMapKeySelector + if source != nil { + var v1ConfigMapKeySelector v1.ConfigMapKeySelector + v1ConfigMapKeySelector.LocalObjectReference = v1LocalObjectReferenceToV1LocalObjectReference((*source).LocalObjectReference) + v1ConfigMapKeySelector.Key = (*source).Key + if (*source).Optional != nil { + xbool := *(*source).Optional + v1ConfigMapKeySelector.Optional = &xbool + } + pV1ConfigMapKeySelector = &v1ConfigMapKeySelector + } + return pV1ConfigMapKeySelector +} func pV1DeploymentStrategyToPV1DeploymentStrategy(source *v11.DeploymentStrategy) *v11.DeploymentStrategy { var pV1DeploymentStrategy *v11.DeploymentStrategy if source != nil { @@ -699,16 +742,6 @@ func pV1WindowsSecurityContextOptionsToPV1WindowsSecurityContextOptions(source * } return pV1WindowsSecurityContextOptions } -func pV1alpha2AdminSASLToPIrAdminAuth(source *AdminSASL, context string) *ir.AdminAuth { - var pIrAdminAuth *ir.AdminAuth - if source != nil { - var irAdminAuth ir.AdminAuth - irAdminAuth.Username = (*source).Username - irAdminAuth.Password = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).Password, context) - pIrAdminAuth = &irAdminAuth - } - return pIrAdminAuth -} func pV1alpha2AuthenticationSecretsToPConsolePartialAuthenticationSecrets(source *AuthenticationSecrets) *v3.PartialAuthenticationSecrets { var pConsolePartialAuthenticationSecrets *v3.PartialAuthenticationSecrets if source != nil { 
@@ -750,6 +783,15 @@ func pV1alpha2AutoScalingToPConsolePartialAutoScaling(source *AutoScaling) *v3.P } return pConsolePartialAutoScaling } +func pV1alpha2ExternalSecretKeySelectorToPIrExternalSecretKeySelector(source *ExternalSecretKeySelector) *ir.ExternalSecretKeySelector { + var pIrExternalSecretKeySelector *ir.ExternalSecretKeySelector + if source != nil { + var irExternalSecretKeySelector ir.ExternalSecretKeySelector + irExternalSecretKeySelector.Name = (*source).Name + pIrExternalSecretKeySelector = &irExternalSecretKeySelector + } + return pIrExternalSecretKeySelector +} func pV1alpha2ImageToPConsolePartialImage(source *Image) *v3.PartialImage { var pConsolePartialImage *v3.PartialImage if source != nil { 
@@ -808,73 +850,6 @@ func pV1alpha2IngressConfigToPConsolePartialIngressConfig(source *IngressConfig) } return pConsolePartialIngressConfig } -func pV1alpha2KafkaAPISpecToPIrKafkaAPISpec(source *KafkaAPISpec, context string) *ir.KafkaAPISpec { - var pIrKafkaAPISpec *ir.KafkaAPISpec - if source != nil { - var irKafkaAPISpec ir.KafkaAPISpec - if (*source).Brokers != nil { - irKafkaAPISpec.Brokers = make([]string, len((*source).Brokers)) - for i := 0; i < len((*source).Brokers); i++ { - irKafkaAPISpec.Brokers[i] = (*source).Brokers[i] - } - } - irKafkaAPISpec.TLS = autoconv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) - irKafkaAPISpec.SASL = pV1alpha2KafkaSASLToPIrKafkaSASL((*source).SASL, context) - pIrKafkaAPISpec = &irKafkaAPISpec - } - return pIrKafkaAPISpec -} -func pV1alpha2KafkaSASLAWSMskIamToPIrKafkaSASLAWSMskIam(source *KafkaSASLAWSMskIam, context string) *ir.KafkaSASLAWSMskIam { - var pIrKafkaSASLAWSMskIam *ir.KafkaSASLAWSMskIam - if source != nil { - var irKafkaSASLAWSMskIam ir.KafkaSASLAWSMskIam - irKafkaSASLAWSMskIam.AccessKey = (*source).AccessKey - irKafkaSASLAWSMskIam.SecretKey = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).SecretKey, context) - irKafkaSASLAWSMskIam.SessionToken = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).SessionToken, context) - irKafkaSASLAWSMskIam.UserAgent = (*source).UserAgent - pIrKafkaSASLAWSMskIam = &irKafkaSASLAWSMskIam - } - return pIrKafkaSASLAWSMskIam -} -func pV1alpha2KafkaSASLGSSAPIToPIrKafkaSASLGSSAPI(source *KafkaSASLGSSAPI, context string) *ir.KafkaSASLGSSAPI { - var pIrKafkaSASLGSSAPI *ir.KafkaSASLGSSAPI - if source != nil { - var irKafkaSASLGSSAPI ir.KafkaSASLGSSAPI - irKafkaSASLGSSAPI.AuthType = (*source).AuthType - irKafkaSASLGSSAPI.KeyTabPath = (*source).KeyTabPath - irKafkaSASLGSSAPI.KerberosConfigPath = (*source).KerberosConfigPath - irKafkaSASLGSSAPI.ServiceName = (*source).ServiceName - irKafkaSASLGSSAPI.Username = (*source).Username - irKafkaSASLGSSAPI.Password = 
autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).Password, context) - irKafkaSASLGSSAPI.Realm = (*source).Realm - irKafkaSASLGSSAPI.EnableFast = (*source).EnableFast - pIrKafkaSASLGSSAPI = &irKafkaSASLGSSAPI - } - return pIrKafkaSASLGSSAPI -} -func pV1alpha2KafkaSASLOAuthBearerToPIrKafkaSASLOAuthBearer(source *KafkaSASLOAuthBearer, context string) *ir.KafkaSASLOAuthBearer { - var pIrKafkaSASLOAuthBearer *ir.KafkaSASLOAuthBearer - if source != nil { - var irKafkaSASLOAuthBearer ir.KafkaSASLOAuthBearer - irKafkaSASLOAuthBearer.Token = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).Token, context) - pIrKafkaSASLOAuthBearer = &irKafkaSASLOAuthBearer - } - return pIrKafkaSASLOAuthBearer -} -func pV1alpha2KafkaSASLToPIrKafkaSASL(source *KafkaSASL, context string) *ir.KafkaSASL { - var pIrKafkaSASL *ir.KafkaSASL - if source != nil { - var irKafkaSASL ir.KafkaSASL - irKafkaSASL.Username = (*source).Username - irKafkaSASL.Password = pV1alpha2SecretKeyRefToPIrSecretKeyRef((*source).Password, context) - irKafkaSASL.Mechanism = ir.SASLMechanism((*source).Mechanism) - irKafkaSASL.OAUth = pV1alpha2KafkaSASLOAuthBearerToPIrKafkaSASLOAuthBearer((*source).OAUth, context) - irKafkaSASL.GSSAPIConfig = pV1alpha2KafkaSASLGSSAPIToPIrKafkaSASLGSSAPI((*source).GSSAPIConfig, context) - irKafkaSASL.AWSMskIam = pV1alpha2KafkaSASLAWSMskIamToPIrKafkaSASLAWSMskIam((*source).AWSMskIam, context) - pIrKafkaSASL = &irKafkaSASL - } - return pIrKafkaSASL -} func pV1alpha2KafkaSecretsToPConsolePartialKafkaSecrets(source *KafkaSecrets) *v3.PartialKafkaSecrets { var pConsolePartialKafkaSecrets *v3.PartialKafkaSecrets if source != nil { 
@@ -952,17 +927,6 @@ func pV1alpha2RedpandaSecretsToPConsolePartialRedpandaSecrets(source *RedpandaSe } return pConsolePartialRedpandaSecrets } -func pV1alpha2SchemaRegistrySASLToPIrSchemaRegistrySASL(source *SchemaRegistrySASL, context string) *ir.SchemaRegistrySASL { - var pIrSchemaRegistrySASL *ir.SchemaRegistrySASL - if source != nil { - var irSchemaRegistrySASL ir.SchemaRegistrySASL - irSchemaRegistrySASL.Username = (*source).Username - irSchemaRegistrySASL.Password = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).Password, context) - irSchemaRegistrySASL.AuthToken = autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source).AuthToken, context) - pIrSchemaRegistrySASL = &irSchemaRegistrySASL - } - return pIrSchemaRegistrySASL -} func pV1alpha2SchemaRegistrySecretsToPConsolePartialSchemaRegistrySecrets(source *SchemaRegistrySecrets) *v3.PartialSchemaRegistrySecrets { var pConsolePartialSchemaRegistrySecrets *v3.PartialSchemaRegistrySecrets if source != nil { 
@@ -991,30 +955,6 @@ func pV1alpha2SchemaRegistrySecretsToPConsolePartialSchemaRegistrySecrets(source } return pConsolePartialSchemaRegistrySecrets } -func pV1alpha2SchemaRegistrySpecToPIrSchemaRegistrySpec(source *SchemaRegistrySpec, context string) *ir.SchemaRegistrySpec { - var pIrSchemaRegistrySpec *ir.SchemaRegistrySpec - if source != nil { - var irSchemaRegistrySpec ir.SchemaRegistrySpec - if (*source).URLs != nil { - irSchemaRegistrySpec.URLs = make([]string, len((*source).URLs)) - for i := 0; i < len((*source).URLs); i++ { - irSchemaRegistrySpec.URLs[i] = (*source).URLs[i] - } - } - irSchemaRegistrySpec.TLS = autoconv_CommonTLS_To_ir_CommonTLS((*source).TLS, context) - irSchemaRegistrySpec.SASL = pV1alpha2SchemaRegistrySASLToPIrSchemaRegistrySASL((*source).SASL, context) - pIrSchemaRegistrySpec = &irSchemaRegistrySpec - } - return pIrSchemaRegistrySpec -} -func pV1alpha2SecretKeyRefToPIrSecretKeyRef(source *SecretKeyRef, context string) *ir.SecretKeyRef { - var pIrSecretKeyRef *ir.SecretKeyRef - if source != nil { - irSecretKeyRef := autoconv_SecretKeyRef_To_ir_SecretKeyRef((*source), context) - pIrSecretKeyRef = &irSecretKeyRef - } - return pIrSecretKeyRef -} func pV1alpha2SerdeSecretsToPConsolePartialSerdeSecrets(source *SerdeSecrets) *v3.PartialSerdeSecrets { var pConsolePartialSerdeSecrets *v3.PartialSerdeSecrets if source != nil { diff --git a/operator/api/redpanda/v1alpha2/zz_generated.deepcopy.go b/operator/api/redpanda/v1alpha2/zz_generated.deepcopy.go index 0cd997b0e..e96ccd6fa 100644 --- a/operator/api/redpanda/v1alpha2/zz_generated.deepcopy.go +++ b/operator/api/redpanda/v1alpha2/zz_generated.deepcopy.go @@ -185,7 +185,7 @@ func (in *AdminAPISpec) DeepCopyInto(out *AdminAPISpec) { if in.SASL != nil { in, out := &in.SASL, &out.SASL *out = new(AdminSASL) - **out = **in + (*in).DeepCopyInto(*out) } } 
@@ -202,8 +202,26 @@ func (in *AdminAPISpec) DeepCopy() *AdminAPISpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AdminSASL) DeepCopyInto(out *AdminSASL) { *out = *in - out.Password = in.Password - out.AuthToken = in.AuthToken + if in.Password != nil { + in, out := &in.Password, &out.Password + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.AuthToken != nil { + in, out := &in.AuthToken, &out.AuthToken + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedPassword != nil { + in, out := &in.DeprecatedPassword, &out.DeprecatedPassword + *out = new(SecretKeyRef) + **out = **in + } + if in.DeprecatedAuthToken != nil { + in, out := &in.DeprecatedAuthToken, &out.DeprecatedAuthToken + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminSASL. @@ -597,16 +615,31 @@ func (in *CommonTLS) DeepCopyInto(out *CommonTLS) { *out = *in if in.CaCert != nil { in, out := &in.CaCert, &out.CaCert - *out = new(SecretKeyRef) - **out = **in + *out = new(ValueSource) + (*in).DeepCopyInto(*out) } if in.Cert != nil { in, out := &in.Cert, &out.Cert - *out = new(SecretKeyRef) - **out = **in + *out = new(ValueSource) + (*in).DeepCopyInto(*out) } if in.Key != nil { in, out := &in.Key, &out.Key + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedCaCert != nil { + in, out := &in.DeprecatedCaCert, &out.DeprecatedCaCert + *out = new(SecretKeyRef) + **out = **in + } + if in.DeprecatedCert != nil { + in, out := &in.DeprecatedCert, &out.DeprecatedCert + *out = new(SecretKeyRef) + **out = **in + } + if in.DeprecatedKey != nil { + in, out := &in.DeprecatedKey, &out.DeprecatedKey *out = new(SecretKeyRef) **out = **in } 
@@ -1521,6 +1554,21 @@ func (in *ExternalListener) DeepCopy() *ExternalListener { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSecretKeySelector) DeepCopyInto(out *ExternalSecretKeySelector) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretKeySelector. +func (in *ExternalSecretKeySelector) DeepCopy() *ExternalSecretKeySelector { + if in == nil { + return nil + } + out := new(ExternalSecretKeySelector) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalService) DeepCopyInto(out *ExternalService) { *out = *in @@ -1903,22 +1951,27 @@ func (in *KafkaSASL) DeepCopyInto(out *KafkaSASL) { *out = *in if in.Password != nil { in, out := &in.Password, &out.Password - *out = new(SecretKeyRef) - **out = **in + *out = new(ValueSource) + (*in).DeepCopyInto(*out) } if in.OAUth != nil { in, out := &in.OAUth, &out.OAUth *out = new(KafkaSASLOAuthBearer) - **out = **in + (*in).DeepCopyInto(*out) } if in.GSSAPIConfig != nil { in, out := &in.GSSAPIConfig, &out.GSSAPIConfig *out = new(KafkaSASLGSSAPI) - **out = **in + (*in).DeepCopyInto(*out) } if in.AWSMskIam != nil { in, out := &in.AWSMskIam, &out.AWSMskIam *out = new(KafkaSASLAWSMskIam) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedPassword != nil { + in, out := &in.DeprecatedPassword, &out.DeprecatedPassword + *out = new(SecretKeyRef) **out = **in } } 
@@ -1936,8 +1989,26 @@ func (in *KafkaSASL) DeepCopy() *KafkaSASL { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KafkaSASLAWSMskIam) DeepCopyInto(out *KafkaSASLAWSMskIam) { *out = *in - out.SecretKey = in.SecretKey - out.SessionToken = in.SessionToken + if in.SecretKey != nil { + in, out := &in.SecretKey, &out.SecretKey + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedSecretKey != nil { + in, out := &in.DeprecatedSecretKey, &out.DeprecatedSecretKey + *out = new(SecretKeyRef) + **out = **in + } + if in.SessionToken != nil { + in, out := &in.SessionToken, &out.SessionToken + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedSessionToken != nil { + in, out := &in.DeprecatedSessionToken, &out.DeprecatedSessionToken + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSASLAWSMskIam. @@ -1953,7 +2024,16 @@ func (in *KafkaSASLAWSMskIam) DeepCopy() *KafkaSASLAWSMskIam { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KafkaSASLGSSAPI) DeepCopyInto(out *KafkaSASLGSSAPI) { *out = *in - out.Password = in.Password + if in.Password != nil { + in, out := &in.Password, &out.Password + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedPassword != nil { + in, out := &in.DeprecatedPassword, &out.DeprecatedPassword + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSASLGSSAPI. 
@@ -1969,7 +2049,16 @@ func (in *KafkaSASLGSSAPI) DeepCopy() *KafkaSASLGSSAPI { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KafkaSASLOAuthBearer) DeepCopyInto(out *KafkaSASLOAuthBearer) { *out = *in - out.Token = in.Token + if in.Token != nil { + in, out := &in.Token, &out.Token + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedToken != nil { + in, out := &in.DeprecatedToken, &out.DeprecatedToken + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSASLOAuthBearer. @@ -4264,8 +4353,26 @@ func (in *SchemaRegistry) DeepCopy() *SchemaRegistry { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SchemaRegistrySASL) DeepCopyInto(out *SchemaRegistrySASL) { *out = *in - out.Password = in.Password - out.AuthToken = in.AuthToken + if in.Password != nil { + in, out := &in.Password, &out.Password + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.AuthToken != nil { + in, out := &in.AuthToken, &out.AuthToken + *out = new(ValueSource) + (*in).DeepCopyInto(*out) + } + if in.DeprecatedPassword != nil { + in, out := &in.DeprecatedPassword, &out.DeprecatedPassword + *out = new(SecretKeyRef) + **out = **in + } + if in.DeprecatedAuthToken != nil { + in, out := &in.DeprecatedAuthToken, &out.DeprecatedAuthToken + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaRegistrySASL. @@ -4334,7 +4441,7 @@ func (in *SchemaRegistrySpec) DeepCopyInto(out *SchemaRegistrySpec) { if in.SASL != nil { in, out := &in.SASL, &out.SASL *out = new(SchemaRegistrySASL) - **out = **in + (*in).DeepCopyInto(*out) } } 
@@ -6163,3 +6270,38 @@ func (in *UsersItems) DeepCopy() *UsersItems { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ValueSource) DeepCopyInto(out *ValueSource) { + *out = *in + if in.Inline != nil { + in, out := &in.Inline, &out.Inline + *out = new(string) + **out = **in + } + if in.ConfigMapKeyRef != nil { + in, out := &in.ConfigMapKeyRef, &out.ConfigMapKeyRef + *out = new(v1.ConfigMapKeySelector) + (*in).DeepCopyInto(*out) + } + if in.SecretKeyRef != nil { + in, out := &in.SecretKeyRef, &out.SecretKeyRef + *out = new(v1.SecretKeySelector) + (*in).DeepCopyInto(*out) + } + if in.ExternalSecretRefSelector != nil { + in, out := &in.ExternalSecretRefSelector, &out.ExternalSecretRefSelector + *out = new(ExternalSecretKeySelector) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueSource. +func (in *ValueSource) DeepCopy() *ValueSource { + if in == nil { + return nil + } + out := new(ValueSource) + in.DeepCopyInto(out) + return out +} diff --git a/operator/cmd/run/run.go b/operator/cmd/run/run.go index 43d8c7045..282207efb 100644 --- a/operator/cmd/run/run.go +++ b/operator/cmd/run/run.go @@ -368,7 +368,7 @@ func Run( // Configure controllers that are always enabled (Redpanda, Topic, User, Schema). - factory := internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient()).WithAdminClientTimeout(opts.rpClientTimeout) + factory := internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), cloudExpander).WithAdminClientTimeout(opts.rpClientTimeout) cloudSecrets := lifecycle.CloudSecretsFlags{ CloudSecretsEnabled: opts.cloudSecretsEnabled, 
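Review bot: The new call `internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), cloudExpander)` in `operator/cmd/run/run.go` does not say what happens when `cloudExpander` is nil, and its definition is outside this hunk. If it is only built when `opts.cloudSecretsEnabled` is set (an inference from the `CloudSecretsFlags` lines that follow), a resource whose credential uses `externalSecretRef` would reach a factory that cannot resolve it. That case should surface as an explicit error on the resource, not a nil dereference or an empty credential. The same value is passed to `SetupShadowLinkController`, `SetupTopicController`, `SetupUserController`, `SetupRoleController` and `SetupSchemaController` in the next hunk, and `sidecar.go` passes a literal `nil`, so the contract is worth stating once above this line: `// cloudExpander may be nil when cloud secrets are disabled; externalSecretRef sources must then fail with a clear error.` `Run` starts and ends outside the hunk.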
@@ -442,28 +442,28 @@ func Run( // ShadowLink Reconciler if opts.enableShadowLinksController { - if err := redpandacontrollers.SetupShadowLinkController(ctx, mgr, v1Controllers, v2Controllers); err != nil { + if err := redpandacontrollers.SetupShadowLinkController(ctx, mgr, cloudExpander, v1Controllers, v2Controllers); err != nil { setupLog.Error(err, "unable to create controller", "controller", "ShadowLink") return err } } - if err := redpandacontrollers.SetupTopicController(ctx, mgr, v1Controllers, v2Controllers); err != nil { + if err := redpandacontrollers.SetupTopicController(ctx, mgr, cloudExpander, v1Controllers, v2Controllers); err != nil { setupLog.Error(err, "unable to create controller", "controller", "Topic") return err } - if err := redpandacontrollers.SetupUserController(ctx, mgr, v1Controllers, v2Controllers); err != nil { + if err := redpandacontrollers.SetupUserController(ctx, mgr, cloudExpander, v1Controllers, v2Controllers); err != nil { setupLog.Error(err, "unable to create controller", "controller", "User") return err } - if err := redpandacontrollers.SetupRoleController(ctx, mgr, v1Controllers, v2Controllers); err != nil { + if err := redpandacontrollers.SetupRoleController(ctx, mgr, cloudExpander, v1Controllers, v2Controllers); err != nil { setupLog.Error(err, "unable to create controller", "controller", "RedpandaRole") return err } - if err := redpandacontrollers.SetupSchemaController(ctx, mgr, v1Controllers, v2Controllers); err != nil { + if err := redpandacontrollers.SetupSchemaController(ctx, mgr, cloudExpander, v1Controllers, v2Controllers); err != nil { setupLog.Error(err, "unable to create controller", "controller", "Schema") return err } diff --git a/operator/cmd/sidecar/sidecar.go b/operator/cmd/sidecar/sidecar.go index 5b0b3918a..5aacc3207 100644 --- a/operator/cmd/sidecar/sidecar.go +++ b/operator/cmd/sidecar/sidecar.go 
@@ -275,7 +275,9 @@ func Run( server, err := probes.NewServer(probes.Config{ Prober: probes.NewProber( - internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient()), + // NB: no need for cloud expansion here due to the fact that the sidecar probes are + // meant to function via resolving connection params from the rpk file on disk. + internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), nil), redpandaYAMLPath, probes.WithLogger(mgr.GetLogger().WithName("Prober")), ), diff --git a/operator/config/crd/bases/cluster.redpanda.com_consoles.yaml b/operator/config/crd/bases/cluster.redpanda.com_consoles.yaml index 5e3d4ae2a..52dd0ac3d 100644 --- a/operator/config/crd/bases/cluster.redpanda.com_consoles.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_consoles.yaml 
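Review bot: The comment added above `internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), nil)` is the only thing explaining the bare positional `nil`, and it is wordier than it needs to be. It also names "cloud expansion" without tying it to the argument it describes. I would shorten it to two lines that name the parameter and the reason: `// nil cloud secret expander: sidecar probes resolve connection params` and `// from the rpk file on disk, not from cluster-source values.` The second half restates what the existing comment says, so confirm it still holds for every path the prober takes. `Run` continues outside the hunk.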
@@ -1013,12 +1013,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1032,8 +1227,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
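Review bot: The `inline` option on `password` and `authToken` carries only the description `Inline is the raw value specified inline.`, so nothing tells a user that a credential written there is stored in the resource spec instead of a Secret. Anyone who can read the Console resource can then read the value, and it travels wherever the manifest does. The same holds for `configMapKeyRef` on these fields, and for the identical blocks added under `key`, `secretKey`, `sessionToken` and `token` in the later hunks. The schema text is presumably produced from the API type's field comments, so I would change the description there to something like `Inline is the raw value specified inline. Not intended for secret material; prefer secretKeyRef or externalSecretRef.`.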
@@ -1056,9 +1250,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1071,9 +1362,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1101,9 +1489,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -1149,10 +1634,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -1166,24 +1748,122 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html properties: - key: - description: Key in Secret data to get value - from - type: string - name: + configMapKeyRef: description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. type: string - required: - - name - type: object - userAgent: + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. 
+ type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' + properties: + key: + description: Key in Secret data to get value + from + type: string + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + userAgent: description: |- UserAgent is the user agent to for the client to use when connecting to Kafka, overriding the default "franz-go//". @@ -1194,8 +1874,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
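Review bot: Removing `secretKeySecretRef` from `required` without adding a rule for its replacement means an object that sets `accessKey` and `userAgent` but supplies no secret key in either form now passes schema validation. Whether the controller rejects that later is not visible here. A rule on the parent object, in the same style as the value-source rules this change already adds, would keep the check at admission: `rule: has(self.secretKey) || has(self.secretKeySecretRef)`. The same gap appears where `passwordSecretRef` and `tokenSecretRef` are dropped from `required` in the gssapi and OAuth bearer hunks below. Dropping `sessionTokenSecretRef` looks intended, since the session token is described as used only "if non-empty".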
@@ -1214,10 +1892,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -1242,7 +2017,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -1255,10 +2029,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -1272,11 +2143,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
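Review bot: Dropping `required: - tokenSecretRef` from the OAuthBearer object leaves nothing in the schema that forces a token source. The only related rule visible in the next hunk is `self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth)`, which an empty `oauth: {}` satisfies. The password rules were widened to accept either field, and the token needs the same treatment, for example an `x-kubernetes-validations` entry on `oauth` with `rule: has(self.token) || has(self.tokenSecretRef)`. Separately, the new `passwordSecretRef` description says "used" where the schemaRegistry copy says "use"; it should read `Deprecated: use password instead`. The enclosing authentication object starts outside this hunk.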
@@ -1296,18 +2262,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
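Review bot: The three widened rules accept `has(self.passwordSecretRef) || has(self.password)`, so a resource that sets both fields is admitted, and nothing visible here says which one is used. During a migration that can leave a stale credential in effect after the other field has been rotated. Either reject the combination with `rule: '!(has(self.passwordSecretRef) && has(self.password))'` or state the precedence in the deprecated field's description, e.g. `Deprecated: use password instead; ignored when password is set`. That wording is a guess at the precedence and must be matched to what the controller actually does.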
@@ -1320,9 +2288,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1335,9 +2400,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1365,9 +2527,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -1384,9 +2643,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
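Review bot: The new `key` property lets the client private key be supplied as `inline` or `configMapKeyRef`, yet its description still only calls it the reference for the client private certificate. An inline value is stored in the custom resource itself and a ConfigMap is not a Secret, so anyone who can read those objects can read the key. The description should steer users to the secret-backed sources, e.g. `Prefer secretKeyRef or externalSecretRef; inline and configMapKeyRef expose the private key to readers of this resource or the ConfigMap.` The same holds for `password` and `token` in the earlier authentication hunks and for the schemaRegistry `key` hunk below. The short hunk that follows on this line also removes the `kafka tls settings are immutable` rule (`has(self.tls) == has(oldSelf.tls)`), which looks unrelated to the deprecation and would presumably let an update drop `tls` from an existing resource; please confirm that is intended.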
@@ -1396,12 +2652,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1415,9 +2866,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -1440,9 +2889,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1455,9 +3001,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1485,9 +3128,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from diff --git a/operator/config/crd/bases/cluster.redpanda.com_redpandaroles.yaml b/operator/config/crd/bases/cluster.redpanda.com_redpandaroles.yaml index fab88658c..55b93856f 100644 --- a/operator/config/crd/bases/cluster.redpanda.com_redpandaroles.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_redpandaroles.yaml 
@@ -220,12 +220,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -239,8 +434,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
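Review bot: `password` and the deprecated `passwordSecretRef` (likewise `authToken` and `token`) are accepted side by side here, and nothing in the hunk says which one wins when both are set. A stale `passwordSecretRef` left beside a new `password` could keep an old credential in use, or silently switch credentials, without any admission error. Either state the precedence in the deprecated field's description (for example "Deprecated: use password instead; ignored when password is set", if that matches the operator's behaviour), or reject the combination with a rule on the parent object such as `rule: '!(has(self.password) && has(self.passwordSecretRef))'`. The parent object's own validations lie outside this hunk, so such a rule may already exist.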
@@ -263,9 +457,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -278,9 +569,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -308,9 +696,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -356,10 +841,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -373,10 +955,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -401,8 +1081,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
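Review bot: Removing `secretKeySecretRef` from `required` in the `@@ -401,8 +1081,6 @@` hunk leaves no schema check that a secret key is supplied at all, so an object carrying only `accessKey` and `userAgent` now passes validation and the gap surfaces only at connection time. A rule on the object that holds `accessKey` would keep the old guarantee while allowing either form: `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with a message such as `one of secretKey or secretKeySecretRef must be set`. The same gap opens for `password`/`passwordSecretRef` in `@@ -449,7 +1224,6 @@` and for `token`/`tokenSecretRef` in `@@ -479,11 +1350,106 @@`. Making `sessionToken` optional looks right, since its description says it is used only if non-empty.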
@@ -421,10 +1099,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -449,7 +1224,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -462,10 +1236,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -479,11 +1350,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
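Review bot: Dropping `required: - tokenSecretRef` from the OAuthBearer object leaves no schema rule that any token source is set. The only oauth check visible in the next hunk is `has(self.oauth)`, so as far as the schema shown here goes an empty `oauth: {}` would be accepted. A rule on this object such as `has(self.token) || has(self.tokenSecretRef)` with the message `one of token or tokenSecretRef must be set` would keep the old guarantee while allowing either field. Separately, the `passwordSecretRef` description reads "Deprecated: used `password` instead"; it should say "use", as the `tokenSecretRef` text does.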
@@ -503,18 +1469,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
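Review bot: The three rewritten rules accept `has(self.passwordSecretRef) || has(self.password)`, so an object may carry both the deprecated and the new field, and the schema does not say which one is used. If the controller silently picks one, a credential rotated in the other field would be ignored without any error. Either reject the combination with a rule like `!(has(self.passwordSecretRef) && has(self.password))`, or state the precedence in the `passwordSecretRef` description. The same question applies to the other deprecated/new pairs in this file (`tokenSecretRef`/`token`, `caCertSecretRef`/`caCert`, `certSecretRef`/`cert`, `keySecretRef`/`key`).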
@@ -527,9 +1495,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -542,9 +1607,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -572,9 +1734,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -591,9 +1850,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
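Review bot: The last hunk on this line removes the `kafka tls settings are immutable` rule (`has(self.tls) == has(oldSelf.tls)`) without a replacement. Without it, an update can drop `tls` from an existing kafka source, after which the SASL credentials would presumably travel over an unencrypted connection. Moving from the `*SecretRef` fields to the new fields inside `tls` does not change `has(self.tls)`, so the rule does not appear to block the migration and could stay. If the removal is intended, it should be called out explicitly in the change description.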
@@ -603,12 +1859,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -622,9 +2073,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -647,9 +2096,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -662,9 +2208,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -692,9 +2335,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from diff --git a/operator/config/crd/bases/cluster.redpanda.com_schemas.yaml b/operator/config/crd/bases/cluster.redpanda.com_schemas.yaml index df2bd5bf2..ec7f2245b 100644 --- a/operator/config/crd/bases/cluster.redpanda.com_schemas.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_schemas.yaml 
@@ -89,12 +89,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -108,8 +303,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -132,9 +326,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -147,9 +438,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -177,9 +565,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -225,10 +710,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -242,10 +824,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -270,8 +950,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
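Review bot: Dropping `secretKeySecretRef` from this `required` list leaves only `accessKey` and `userAgent` mandatory, and nothing visible in the schema requires the new `secretKey` in its place, so an object with an access key but no secret key at all would pass admission. The same gap appears where `passwordSecretRef` leaves the `gssapi` required list (`@@ -318,7 +1093,6 @@`) and where `required: - tokenSecretRef` is removed from the OAuthBearer object (`@@ -348,11 +1219,106 @@`). A cross-field rule on the parent object would keep the old guarantee through the deprecation window, e.g. `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with `message: one of secretKey or secretKeySecretRef must be set`. Whether the operator rejects the empty case at reconcile time is not visible here, and failing at admission would still surface the mistake earlier; as this schema looks generated, the rule would be declared on the source type.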
@@ -290,10 +968,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -318,7 +1093,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -331,10 +1105,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -348,11 +1219,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
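Review bot: With `required: - tokenSecretRef` removed from the OAuthBearer object at the top of this hunk, nothing visible requires either `token` or `tokenSecretRef`. An empty `oauth: {}` would therefore still satisfy the `has(self.oauth)` rule for the oauthbearer mechanism, unless a rule exists outside the hunk. A rule on that object such as `has(self.token) || has(self.tokenSecretRef)` would keep the old guarantee while allowing either field. Separately, the `passwordSecretRef` description reads 'Deprecated: used `password` instead'; it should say `use`, as the schemaRegistry copy does.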
@@ -372,18 +1338,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
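Review bot: The three rewritten rules accept `has(self.passwordSecretRef) || has(self.password)`, but nothing rejects a spec that sets both, so the choice of credential is left to controller code that is not visible here. Either document the precedence in the `passwordSecretRef` deprecation text, or add a rule such as `!(has(self.password) && has(self.passwordSecretRef))` with a message like `set only one of password and passwordSecretRef`. The same question applies to the `caCert`/`caCertSecretRef`, `cert`/`certSecretRef` and `key`/`keySecretRef` pairs in the TLS hunks.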
@@ -396,9 +1364,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -411,9 +1476,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -441,9 +1603,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -460,9 +1719,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
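Review bot: The last hunk on this line drops the kafka rule `has(self.tls) == has(oldSelf.tls)` without a replacement, so an update can now add or remove the `tls` block on an existing resource. That includes changing a TLS-protected connection into an unencrypted one. The changelog entry only describes field deprecations, so it is unclear whether this relaxation is intended. If it is, say so in the changelog and the `kafka` description; if not, keep the rule as it was.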
@@ -472,12 +1728,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -491,9 +1942,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
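Review bot: `authToken` carries only the generic description 'ValueSource represents where a value can be pulled from'. In what appears to be the schemaRegistry block `token` is the deprecated field, while in the KafkaSASLOAuthBearer object `token` is the new one, so someone copying settings between the two can end up populating the deprecated field without noticing. I would give `authToken` a specific description, for instance the one the shadowlinks CRD uses, `Specifies token for token-based authentication (only used if no username/password are provided).` I would also extend the deprecated field's text to something like `Deprecated: Secret reference for the token; use authToken instead`.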
@@ -516,9 +1965,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -531,9 +2077,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -561,9 +2204,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from diff --git a/operator/config/crd/bases/cluster.redpanda.com_shadowlinks.yaml b/operator/config/crd/bases/cluster.redpanda.com_shadowlinks.yaml index 4091af113..22457bef1 100644 --- a/operator/config/crd/bases/cluster.redpanda.com_shadowlinks.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_shadowlinks.yaml 
@@ -219,12 +219,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -238,8 +433,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
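Review bot: The new `password` and `authToken` schemas accept `inline` and `configMapKeyRef` as well as `secretKeyRef` and `externalSecretRef`, so a credential can now sit in the ShadowLink spec or in a ConfigMap. Those objects are readable by anyone with read access to them, and they are not covered by the access controls or at-rest encryption a cluster applies to Secrets. For credential-bearing fields I would either add a per-field rule such as `rule: has(self.secretKeyRef) || has(self.externalSecretRef)`, or at least extend the `inline` description to `Inline is the raw value specified inline. Not recommended for credentials; prefer secretKeyRef or externalSecretRef.` The same applies to the `key`, `secretKey`, `sessionToken` and `token` fields in the other hunks, and for `caCert` and `cert` the inline form is unobjectionable. This file looks generated, so the change presumably belongs on the Go type it is produced from.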
@@ -262,9 +456,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
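Review bot: `externalSecretRef.name` is the only property in this schema without a description, so the CRD does not say what the name is resolved against or what format it takes. A doc comment on the source field would close that gap, for example `Name identifies the secret in the configured external secret provider.`, with the wording confirmed against the resolver, which is not part of this hunk. Every other copy of this schema in the diff has the same omission.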
@@ -277,9 +568,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
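Review bot: Each of the four exclusivity rules repeats its own guard, since `!has(self.inline) || (has(self.inline) && !(...))` is equivalent to `!has(self.inline) || !(...)`. Taken with the first rule, the five express "exactly one of", which fits in one rule: `rule: '[has(self.inline), has(self.configMapKeyRef), has(self.secretKeyRef), has(self.externalSecretRef)].filter(s, s).size() == 1'`. The block is repeated for every value-source field in these CRDs, so the shorter form would noticeably shrink the generated schema. The trade-off is a single generic message instead of one per field.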
@@ -307,9 +695,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -355,10 +840,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -372,10 +954,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -400,8 +1080,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
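Review bot: Removing `secretKeySecretRef` from `required` leaves the object that holds `accessKey` and `userAgent` with no admission-time check that a secret key is supplied, because the new `secretKey` is optional too. A rule on the parent object would keep the old guarantee while allowing either form: `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with a message like `one of secretKey or secretKeySecretRef must be set`. The same gap opens for `password`/`passwordSecretRef` under `gssapi` and for `token`/`tokenSecretRef` in the OAuthBearer block, where `required` entries are also dropped. The descriptions also do not say which field wins when both the deprecated and the new one are set. Whether the controller rejects these cases at reconcile time is not visible in this diff.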
@@ -420,10 +1098,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -448,7 +1223,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -461,10 +1235,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -478,11 +1349,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
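Review bot: Removing `required: - tokenSecretRef` from the oauth object leaves it with no required source, so `oauth: {}` now satisfies the later rule `has(self.oauth)` for mechanism `oauthbearer` and the missing token only surfaces at connect time. Add a validation on the oauth object, `rule: has(self.token) || has(self.tokenSecretRef)`, with a message that names both fields. The oauth object's properties begin in the previous hunk. The description added for `passwordSecretRef` in this hunk also reads "used" where the sibling fields say "use".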
@@ -502,18 +1468,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
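Review bot: The plain and SCRAM rules now accept `has(self.passwordSecretRef) || has(self.password)`, but nothing visible here rejects a spec that sets both. Which credential is actually used then depends on controller code outside this diff. If the two are not meant to coexist, add a rule such as `!(has(self.password) && has(self.passwordSecretRef))`; otherwise state the precedence in the `password` description. The messages also still say `sha-256` and `sha-512`, while the rules match `scram-sha-256` and `scram-sha-512`.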
@@ -526,29 +1494,223 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda properties: - key: - description: Key in Secret data to get value from - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - certSecretRef: - description: Cert is the reference for client public - certificate to establish mTLS connection to Redpanda - properties: - key: - description: Key in Secret data to get value from - type: string - name: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. 
+ type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' 
+ properties: + key: + description: Key in Secret data to get value from + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + cert: + description: Cert is the reference for client public + certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' + properties: + key: + description: Key in Secret data to get value from + type: string + name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 
@@ -571,9 +1733,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -590,9 +1849,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
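Review bot: The second hunk on this line deletes the rule `has(self.tls) == has(oldSelf.tls)` ("kafka tls settings are immutable") and nothing replaces it. An update can therefore remove `tls` from an existing kafka spec, which presumably moves the client connection to plaintext without the API server objecting. The rule compared only the presence of `tls`, so it would not have blocked migrating from `caCertSecretRef` to `caCert`, and the changelog entry for this commit mentions only field deprecations. If making `tls` mutable is intended, record it in the changelog; otherwise keep the rule.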
@@ -602,12 +1858,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -621,9 +2072,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -646,9 +2095,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -661,9 +2207,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -691,9 +2334,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean + key: + description: Key is the reference for client private + certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' keySecretRef: - description: Key is the reference for client private - certificate to establish mTLS connection to Redpanda + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
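Review bot: The new `key` field holds the client private key, yet its validation rules accept `inline` and `configMapKeyRef` as readily as `secretKeyRef` and `externalSecretRef`. An inline value is stored in the custom resource itself, so anyone who can read the resource, its audit-log entries or a manifest repository can read the key. ConfigMaps are typically outside the RBAC and encryption-at-rest policy applied to Secrets. For secret-bearing fields, add a rule such as `rule: '!has(self.inline) && !has(self.configMapKeyRef)'` with a message pointing to `secretKeyRef`/`externalSecretRef`, or at least state the exposure in the field description. The same applies to `authToken` and `password` (`@@ -763`), `secretKey` (`@@ -899`), `sessionToken` (`@@ -916`), the GSSAPI `password` (`@@ -964`) and the OAuth `token` (`@@ -1005`); `cert` and `caCert` are public material and need no such limit. This file looks generated, so the rule would presumably be a field-level `+kubebuilder:validation:XValidation` marker on the Go type rather than an edit here.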
@@ -763,12 +2503,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -782,8 +2717,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -806,9 +2740,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -821,9 +2852,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -851,9 +2979,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -899,10 +3124,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -916,10 +3238,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -944,8 +3364,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
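Review bot: The `required` list in the `@@ -944` hunk drops `secretKeySecretRef` without requiring its replacement, so an object with an `accessKey` and no secret key in either form now passes admission. The misconfiguration then only surfaces when the operator tries to authenticate, and how it fails is decided outside this diff. An object-level rule keeps the old guarantee while allowing either spelling: `rule: 'has(self.secretKey) || has(self.secretKeySecretRef)'`. The `@@ -992` hunk does the same for the GSSAPI `passwordSecretRef` and would need `has(self.password) || has(self.passwordSecretRef)`. `sessionToken` is described as "if non-empty", so leaving it optional looks intended.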
@@ -964,10 +3382,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -992,7 +3507,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -1005,10 +3519,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -1022,11 +3633,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
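Review bot: Dropping `required: - tokenSecretRef` from the oauth object leaves no visible rule that a token is supplied at all, because neither `token` nor `tokenSecretRef` is required. An oauthbearer config with no credential would therefore pass schema validation and be caught only at runtime, if at all. The preceding hunk does the same for gssapi by removing `passwordSecretRef` from its required list. Unless an equivalent rule exists outside the lines shown, a CEL rule on each object would keep the old guarantee: `rule: has(self.token) || has(self.tokenSecretRef)` for oauth and `rule: has(self.password) || has(self.passwordSecretRef)` for gssapi. Separately, the new `passwordSecretRef` description in this hunk says "used" where it should say "use".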
@@ -1046,18 +3752,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
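Review bot: The relaxed rules accept `has(self.passwordSecretRef) || has(self.password)`, but nothing visible rejects a spec that sets both, so which credential the client uses is decided by code outside this hunk. During migration that can leave a stale value in effect after the other source has been rotated. I would either add `rule: '!(has(self.password) && has(self.passwordSecretRef))'` with message `password and passwordSecretRef are mutually exclusive`, or state the precedence in the deprecated field's description. The sasl object these validations belong to starts outside the hunk.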
@@ -1070,9 +3778,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: + caCert: + description: CaCert is the reference for certificate + authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' caCertSecretRef: - description: CaCert is the reference for certificate - authority used to establish TLS connection to Redpanda + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1085,9 +3890,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1115,9 +4017,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -1134,9 +4133,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
@@ -1146,12 +4142,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1165,9 +4356,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -1190,9 +4379,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1205,9 +4491,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1235,9 +4618,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from diff --git a/operator/config/crd/bases/cluster.redpanda.com_topics.yaml b/operator/config/crd/bases/cluster.redpanda.com_topics.yaml index b0d62f127..3214493f0 100644 --- a/operator/config/crd/bases/cluster.redpanda.com_topics.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_topics.yaml 
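Review bot: The new `key` field carries the client private key for mTLS, yet its schema accepts `inline` and `configMapKeyRef` alongside `secretKeyRef` and `externalSecretRef`, and no description says that the first two keep the key outside a Secret. An inlined value is stored in the custom resource and a ConfigMap value in a ConfigMap, so anyone allowed to read those objects can read the key, and that access is usually granted more widely than access to Secrets. I would extend the `inline` description to something like `Inline is the raw value specified inline. Not for private keys, passwords or tokens: the value is stored in the resource spec.`, or add a validation rule on the sensitive fields that allows only `secretKeyRef` and `externalSecretRef`. The same applies to `authToken`, `password`, `secretKey`, `sessionToken` and `token` in the topics CRD hunks that follow. This file looks generated, so the wording presumably belongs on the Go type it is produced from.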
@@ -92,12 +92,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -111,8 +306,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -135,9 +329,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -150,9 +441,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -180,9 +568,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -228,10 +713,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -245,10 +827,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -273,8 +953,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
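Review bot: Dropping `secretKeySecretRef` from `required` (hunk -273,8 +953,6) leaves nothing in the visible schema that demands either it or the new `secretKey`, so a spec with only `accessKey` and `userAgent` would be admitted and would presumably fail only when the client is built. The gssapi hunk at -321,7 +1096,6 does the same for `passwordSecretRef` and `password`. Unless a webhook or a rule outside these hunks already covers it, a validation on the parent object would keep the old guarantee, for example `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with a matching `message`. The enclosing object definitions start outside the hunk, so an existing parent-level rule cannot be ruled out from here.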
@@ -293,10 +971,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -321,7 +1096,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -334,10 +1108,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -351,11 +1222,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
@@ -375,18 +1341,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
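Review bot: The widened rules accept `passwordSecretRef` and `password` together, and nothing in the schema says which one is used when both are set. For a credential that ambiguity matters: a user can rotate `password` while a stale `passwordSecretRef` still takes effect, or the reverse. Precedence may be settled in the Go code, but it is not visible to someone reading the CRD. Either state it in the deprecated field's description, or reject the combination with an added rule such as `rule: '!(has(self.passwordSecretRef) && has(self.password))'` with the message `only one of password or passwordSecretRef may be set`.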
@@ -399,29 +1367,223 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda properties: - key: - description: Key in Secret data to get value from - type: string - name: + configMapKeyRef: description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - certSecretRef: - description: Cert is the reference for client public - certificate to establish mTLS connection to Redpanda - properties: - key: - description: Key in Secret data to get value from - type: string - name: + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. 
+ type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' 
+ properties: + key: + description: Key in Secret data to get value from + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + cert: + description: Cert is the reference for client public + certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' + properties: + key: + description: Key in Secret data to get value from + type: string + name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 
@@ -444,9 +1606,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -463,9 +1722,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
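Review bot: The last hunk on this line removes the rule `has(self.tls) == has(oldSelf.tls)` ("kafka tls settings are immutable") and nothing replaces it, so the `tls` block can now be added to or dropped from an existing resource by an ordinary update. Dropping it would presumably switch the client connection from TLS to plaintext, and the changelog entry for this change only mentions deprecations. If the removal is intended, please call it out in the change description. If not, the rule can stay as it was, since it only tests the presence of `tls` and not its contents, so migrating from `caCertSecretRef` to `caCert` would not trip it.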
@@ -475,12 +1731,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -494,9 +1945,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
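Review bot: In this Schema Registry SASL block `token` becomes the deprecated field and `authToken` the replacement, whereas in the Kafka OAuth block earlier in the file `token` is the new field and `tokenSecretRef` the deprecated one. The same name therefore has opposite status and a different shape in two sibling objects, which makes it easy to fill in the wrong one. `authToken` also carries only the type-level text "ValueSource represents where a value can be pulled from", as do the GSSAPI `password` and OAuth `token` fields. A field-level description would help, e.g. `Specifies the token used for authentication. Replaces the deprecated token field.`, presumably added on the Go struct's field comment since this schema looks generated.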
@@ -519,9 +1968,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -534,9 +2080,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -564,9 +2207,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
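Review bot: The new `key` field accepts `inline` and `configMapKeyRef` as sources for the client private key, so the key can end up in the custom resource spec or in a ConfigMap, where anyone allowed to read those objects can read it, outside whatever RBAC and at-rest encryption the cluster applies to Secrets. The same value-source shape is used for `secretKey`, `sessionToken`, `password` and `token` in the later hunks of this file. If those sources are meant to be allowed for credentials, the field descriptions should say so, for example `Prefer secretKeyRef or externalSecretRef for this value; inline and configMapKeyRef expose it to anyone who can read the resource.` Alternatively, a per-field rule such as `!has(self.inline) && !has(self.configMapKeyRef)` on the sensitive fields would keep them out of non-Secret objects. This schema looks generated, so the change probably belongs in the Go type comments or markers rather than in this file.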
@@ -629,10 +2369,103 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value from 
@@ -645,10 +2478,104 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value from @@ -672,8 +2599,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
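Review bot: Dropping `secretKeySecretRef` from `required` leaves nothing in the schema that demands a secret key at all, so an object with only `accessKey` and `userAgent` now passes validation (the object's properties start outside this hunk). The sasl-level rules later in this file handle the same migration with `has(self.passwordSecretRef) || has(self.password)`; a matching rule here, `has(self.secretKey) || has(self.secretKeySecretRef)`, would keep the old guarantee. The `gssapi` and `oauth` objects lose `passwordSecretRef` and `tokenSecretRef` from `required` in the following hunks in the same way. If the controller rejects the empty case at reconcile time this only moves the failure later, but that is not visible from the diff.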
@@ -692,10 +2617,234 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' + properties: + key: + description: Key in Secret data to get value from + type: string + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + realm: + type: string + serviceName: + type: string + username: + type: string + required: + - authType + - enableFast + - kerberosConfigPath + - keyTabPath + - realm + - serviceName + - username + type: object + mechanism: + description: Specifies the SASL/SCRAM authentication mechanism. + type: string + oauth: + description: KafkaSASLOAuthBearer is the config struct for + the SASL OAuthBearer mechanism + properties: + token: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + tokenSecretRef: + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value from 
@@ -708,50 +2857,101 @@ spec: required: - name type: object - realm: - type: string - serviceName: - type: string - username: - type: string - required: - - authType - - enableFast - - kerberosConfigPath - - keyTabPath - - passwordSecretRef - - realm - - serviceName - - username type: object - mechanism: - description: Specifies the SASL/SCRAM authentication mechanism. - type: string - oauth: - description: KafkaSASLOAuthBearer is the config struct for - the SASL OAuthBearer mechanism + password: + description: Specifies the password. properties: - tokenSecretRef: + configMapKeyRef: description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. properties: key: - description: Key in Secret data to get value from + description: The key to select. type: string name: + default: "" description: |- Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string required: - name type: object - required: - - tokenSecretRef + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. 
+ type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: Specifies the password. 
+ description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from @@ -771,18 +2971,18 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set when mechanism - is plain + - message: username and password must be set when mechanism is + plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set when mechanism - is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism is + sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set when mechanism - is sha-512 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism is + sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' || (self.username - != "" && has(self.passwordSecretRef)) + != "" && (has(self.passwordSecretRef) || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) - message: gssapi must be set when mechanism is gssapi 
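Review bot: The description added for the deprecated sasl-level `passwordSecretRef` says "used" where the sibling fields say "use"; it should read ``description: 'Deprecated: use `password` instead'``. The deprecated TLS fields in this file use a third form, `Deprecated: replaced by "caCert".`, so it would be worth settling on one wording for all of them. As the text presumably comes from a Go doc comment, the fix belongs there and the schema should be regenerated.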
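Review bot: The updated rules accept `passwordSecretRef` and `password` together, and nothing in the schema says which one is used when both are present. A stale value left in the deprecated field could then be the credential that is actually sent, or be silently ignored, and the user has no way to tell from the API. Either state the precedence in the `password` description or add a rule such as `!(has(self.password) && has(self.passwordSecretRef))` with a message like `only one of password and passwordSecretRef may be set`. The same question applies to the other deprecated/replacement pairs introduced in this file.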
@@ -793,9 +2993,101 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -808,9 +3100,101 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -838,9 +3222,101 @@ spec: self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -857,9 +3333,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) metricsNamespace: description: |- Overwrites the fully-qualified 
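Review bot: The new `key` field carries the client private key, yet its schema accepts `inline` and `configMapKeyRef` exactly as the CA certificate field does. An inline value is stored in the custom resource itself and is readable by anyone who can read that resource. ConfigMaps are typically readable more widely than Secrets and are not covered by Secret encryption at rest. The description should carry that caveat, for example by appending `Prefer secretKeyRef or externalSecretRef; inline and configMapKeyRef keep the key in plaintext.` The same caveat fits `password`, `authToken`, `secretKey` and `sessionToken` in the later hunks.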
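Review bot: With the `has(self.tls) == has(oldSelf.tls)` rule removed, an update can drop the `tls` block from an existing static Kafka configuration and admission no longer rejects it. The hunk does not show why the transition rule had to go; it compares only the presence of `tls`, so the field renames inside `tls` should not conflict with it, and it could stay as `rule: has(self.tls) == has(oldSelf.tls)`. If mutability is intended, the changelog entry should say that TLS can now be added or removed on update, so cluster operators can enforce their own policy. The object carrying the rule begins outside this hunk.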
@@ -1126,12 +3599,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1145,8 +3813,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -1169,9 +3836,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: + caCert: + description: CaCert is the reference for certificate + authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' caCertSecretRef: - description: CaCert is the reference for certificate - authority used to establish TLS connection to Redpanda + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1184,9 +3948,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1214,9 +4075,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -1262,10 +4220,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
@@ -1279,10 +4334,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -1307,8 +4460,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
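Review bot: `secretKeySecretRef` is dropped from `required` with no rule demanding its replacement, so an object that sets `accessKey` but neither `secretKey` nor `secretKeySecretRef` now passes schema validation. The missing credential would presumably surface only when the operator builds the client, which is not visible here. An either-or rule on this object keeps the check at admission time: `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with `message: one of secretKey or secretKeySecretRef must be set`. The last hunk removes `passwordSecretRef` from the GSSAPI `required` list in the same way and needs the matching rule for `password`. Both objects begin outside their hunks.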
@@ -1327,10 +4478,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -1355,7 +4603,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
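Review bot: The description of the new gssapi `password` field is the type's own doc string, `ValueSource represents where a value can be pulled from`, which tells a reader of the CRD nothing about the field. The sasl `password` hunk keeps a field-level description (`Specifies the password.`), so the same is wanted here, for example `Password is the password used for GSSAPI authentication.` The oauth `token` and schemaRegistry `authToken` fields in later hunks carry the same generic text. `authToken` in particular should say that it replaces the deprecated `token` field.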
@@ -1368,10 +4615,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -1385,11 +4729,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
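Review bot: The deprecation text added for the sasl `passwordSecretRef` says "used" where "use" is meant; the line should read "Deprecated: use `password` instead", as the gssapi and schemaRegistry hunks already do. The wording is also inconsistent across the file: the TLS fields use 'Deprecated: replaced by "caCert".' with double quotes and a trailing period, the credential fields use backticks and no period. Picking one form makes the notices easier to search for when the old fields are removed.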
@@ -1409,18 +4848,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
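Review bot: The three rewritten rules accept either `passwordSecretRef` or `password`, but nothing rejects a resource that sets both, so which credential is actually used is decided outside the schema and is not stated in either field's description. Either document the precedence on the deprecated field or add a rule such as `rule: '!(has(self.passwordSecretRef) && has(self.password))'` with a message like `only one of password and passwordSecretRef may be set`. The same question applies to the other deprecated/replacement pairs this file introduces (`tokenSecretRef`/`token`, `caCertSecretRef`/`caCert`, `certSecretRef`/`cert`, `keySecretRef`/`key`). The enclosing sasl object starts before the hunk.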
@@ -1433,9 +4874,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
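Review bot: Each of the four exclusivity rules on `caCert` repeats its own guard: `!has(self.inline) || (has(self.inline) && !(...))` is logically the same as `!has(self.inline) || !(...)`. The shorter form, e.g. `rule: '!has(self.inline) || !(has(self.configMapKeyRef) || has(self.secretKeyRef) || has(self.externalSecretRef))'`, reads more easily. This block is stamped out for every value source in the file, so the simplification would presumably also trim the CEL evaluated per object. If the CRD is generated, the change belongs on the validation markers of the shared type rather than in this YAML.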
@@ -1448,39 +4986,233 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from type: string - name: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + enabled: + description: |- + Enabled tells any connections derived from this configuration to leverage TLS even if no + certificate configuration is specified. 
It *only* is relevant if no other field is specified + in the TLS configuration block, as, for backwards compatibility reasons, any CA/Cert/Key-specification + results in attempting to create a connection using TLS - specifying "false" in such a case does + *not* disable TLS from being used. Leveraging this option is to support the use-case where a + connection is served by publically issued TLS certificates that don't require any additional certificate + specification. + type: boolean + insecureSkipTlsVerify: + description: InsecureSkipTLSVerify can skip verifying + Redpanda self-signed certificate when establish + TLS connection to Redpanda + type: boolean + key: + description: Key is the reference for client private + certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. 
+ type: string + secretKeyRef: description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic type: object - enabled: - description: |- - Enabled tells any connections derived from this configuration to leverage TLS even if no - certificate configuration is specified. It *only* is relevant if no other field is specified - in the TLS configuration block, as, for backwards compatibility reasons, any CA/Cert/Key-specification - results in attempting to create a connection using TLS - specifying "false" in such a case does - *not* disable TLS from being used. Leveraging this option is to support the use-case where a - connection is served by publically issued TLS certificates that don't require any additional certificate - specification. 
- type: boolean - insecureSkipTlsVerify: - description: InsecureSkipTLSVerify can skip verifying - Redpanda self-signed certificate when establish - TLS connection to Redpanda - type: boolean + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' keySecretRef: - description: Key is the reference for client private - certificate to establish mTLS connection to Redpanda + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -1497,9 +5229,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
@@ -1509,12 +5238,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1528,9 +5452,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -1553,9 +5475,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -1568,9 +5587,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1598,9 +5714,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
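Review bot: The `inline` description under `key` ("Inline is the raw value specified inline.") does not tell the user that a client private key written there is stored in the custom resource itself. It is then readable by anyone who can get the object and falls outside whatever RBAC and encryption-at-rest policy is applied to Secrets. The same holds for `configMapKeyRef` here and for the `secretKey`, `sessionToken`, `password` and `token` value sources in the later hunks. I would extend the description to something like `Inline is the raw value specified inline. Do not use for credentials or private keys; prefer secretKeyRef or externalSecretRef.` The text looks like it comes from a shared type, so the change presumably belongs on that type's doc comment, which is outside this hunk.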
@@ -1663,26 +5876,213 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value from type: string name: description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + sessionToken: + description: |- + SessionToken, if non-empty, is a session / security token to use for authentication. + See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. type: string - required: - - name + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. 
Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' sessionTokenSecretRef: - description: |- - SessionToken, if non-empty, is a session / security token to use for authentication. - See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value from @@ -1706,8 +6106,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
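Review bot: Dropping `secretKeySecretRef` from `required` (hunk `-1706,8 +6106,6`) leaves nothing at admission that forces a secret key to be present, because no CEL rule on this object asks for either the new `secretKey` or the deprecated field. The SASL rules further down were updated to `has(self.passwordSecretRef) || has(self.password)`, and the same pattern fits here: `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with a message such as `secretKey must be set`. The same gap appears where `passwordSecretRef` leaves the gssapi `required` list (`-1753,7 +6244,6`) and where `required: - tokenSecretRef` is removed from the OAuth bearer object (`-1781,11 +6364,101`). This schema looks generated, so the rule would presumably be added as a validation marker on the Go type. Whether the controller rejects the empty case at reconcile time is not visible here.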
@@ -1726,10 +6124,103 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -1753,7 +6244,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -1765,10 +6255,103 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value can + be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can + be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || + has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be + set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value from 
@@ -1781,11 +6364,101 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
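Review bot: The description added for the deprecated `passwordSecretRef` at the end of this hunk says "used" where the other deprecation notices say "use"; it should read "Deprecated: use `password` instead". The TLS fields use a third form (`Deprecated: replaced by "caCert".`), so it is worth settling on one wording for every deprecated field, since these strings are what users see in `kubectl explain`. If the file is generated, the fix belongs in the source doc comment rather than in this YAML.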
@@ -1805,18 +6478,18 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set when mechanism - is plain + - message: username and password must be set when mechanism is + plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set when mechanism - is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism is + sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set when mechanism - is sha-512 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism is + sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' || (self.username - != "" && has(self.passwordSecretRef)) + != "" && (has(self.passwordSecretRef) || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) - message: gssapi must be set when mechanism is gssapi 
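Review bot: The updated rules accept `has(self.passwordSecretRef) || has(self.password)`, but nothing rejects an object that sets both, so which source supplies the password is decided by code outside this schema. Either state the precedence in the `passwordSecretRef` description (for example "ignored when `password` is set", if that is the actual behaviour, which needs confirming) or add a rule such as `rule: '!(has(self.password) && has(self.passwordSecretRef))'`. The same question applies to every deprecated/new pair in this file: `caCert`/`caCertSecretRef`, `cert`/`certSecretRef`, `key`/`keySecretRef`, `secretKey`/`secretKeySecretRef`, `sessionToken`/`sessionTokenSecretRef` and `token`/`tokenSecretRef`. With credentials, an ambiguous precedence can leave a rotated value unused while the stale one stays in effect.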
@@ -1827,9 +6500,101 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
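Review bot: `externalSecretRef` under the new `caCert` takes only a `name`, and that property has no description, so the schema does not say which provider the name is looked up in or whether the lookup is scoped to the resource's namespace. If the operator resolves the name with its own provider credentials, anyone allowed to create this resource could point it at any secret the operator can read. The scoping should be stated in the schema and enforced by the resolver, for example `description: Name of the secret in the operator's configured external provider; <state the namespace or prefix scoping here>`. The same shape repeats in every value-source block in this diff (`cert`, `key`, `password`, `authToken`, `secretKey`, `sessionToken`). This file looks generated, so the text probably belongs on the Go type the schema is produced from.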
@@ -1842,9 +6607,101 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -1872,9 +6729,101 @@ spec: self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, or + externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef) + - message: if inline is set no other field can be set + rule: '!has(self.inline) || (has(self.inline) && !(has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field can be + set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) || + has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field can + be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -1891,9 +6840,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) metricsNamespace: description: |- Overwrites the fully-qualified diff --git a/operator/config/crd/bases/cluster.redpanda.com_users.yaml b/operator/config/crd/bases/cluster.redpanda.com_users.yaml index 7eb7c9eb4..bcff5d968 100644 
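Review bot: The last hunk on this line (`@@ -1891,9 +6840,6 @@`) drops the `kafka tls settings are immutable` rule, so an update can now add or remove the whole `tls` block on an existing object, and nothing in the visible hunks replaces that guard. Removing `tls` from a resource whose listener also accepts plaintext would downgrade the connection without any admission error. The removed rule only compared `has(self.tls)` with `has(oldSelf.tls)` and never looked inside the block. Migrating from the deprecated `*SecretRef` fields to `caCert`/`cert`/`key` would therefore not have tripped it, and it could stay as `rule: has(self.tls) == has(oldSelf.tls)`. If toggling TLS is now intended, the `tls` description should say so.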
--- a/operator/config/crd/bases/cluster.redpanda.com_users.yaml +++ b/operator/config/crd/bases/cluster.redpanda.com_users.yaml 
@@ -303,12 +303,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: Specifies token for token-based authentication + (only used if no username/password are provided). + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -322,8 +517,7 @@ spec: - name type: object token: - description: Specifies token for token-based authentication - (only used if no username/password are provided). + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
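Review bot: The new `password` and `authToken` fields accept `inline` and `configMapKeyRef`, which places a credential in the resource spec or in a ConfigMap, readable by anyone with read access to those objects, and neither description warns about that. I would extend the `inline` description on the source type to `Inline is the raw value specified inline. Not for credentials or private keys: the value is stored in plain text in the resource.` The same applies to the TLS `key` (hunks `@@ -1872,9 +6729,101 @@` and `@@ -391,9 +779,106 @@`), `secretKey` (`@@ -439,10 +924,107 @@`) and `sessionToken` (`@@ -456,10 +1038,108 @@`). If the project wants this enforced rather than documented, a per-field rule such as `rule: '!has(self.inline) && !has(self.configMapKeyRef)'` on the sensitive fields would do it.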
@@ -346,9 +540,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -361,9 +652,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -391,9 +779,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from 
@@ -439,10 +924,107 @@ spec: properties: accessKey: type: string + secretKey: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' secretKeySecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `secretKey` instead' properties: key: description: Key in Secret data to get value 
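Review bot: `secretKey` is added here as the replacement for `secretKeySecretRef`, and the hunk at `@@ -484,8 +1164,6 @@` removes `secretKeySecretRef` from `required`, but no rule visible in these hunks requires one of the two. Unless a validation outside the hunks covers it, an object with only `accessKey` and `userAgent` would pass admission and presumably fail only when the client tries to authenticate. A rule on the enclosing object such as `rule: has(self.secretKey) || has(self.secretKeySecretRef)` with `message: one of secretKey or secretKeySecretRef must be set` keeps the failure at admission. The enclosing object starts outside the hunk.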
@@ -456,10 +1038,108 @@ spec: required: - name type: object - sessionTokenSecretRef: + sessionToken: description: |- SessionToken, if non-empty, is a session / security token to use for authentication. See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + sessionTokenSecretRef: + description: 'Deprecated: use `sessionToken` instead' properties: key: description: Key in Secret data to get value @@ -484,8 +1164,6 @@ spec: type: string required: - accessKey - - secretKeySecretRef - - sessionTokenSecretRef - userAgent type: object gssapi: 
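Review bot: The last hunk on this line drops `secretKeySecretRef` and `sessionTokenSecretRef` from `required` without adding a rule that either the old or the new field is present, so an object with only `accessKey` and `userAgent` now passes admission and presumably fails only when the client is built. The `sasl` rules later in this file keep that guarantee with `has(self.passwordSecretRef) || has(self.password)`, and the same shape would fit here: `- message: secretKey must be set` with `rule: has(self.secretKey) || has(self.secretKeySecretRef)`. Leaving the session token optional is consistent with its own description ("if non-empty"). The `gssapi` `passwordSecretRef` and the OAuth `tokenSecretRef` lose their `required` entries in later hunks, also with no replacement rule. The object this `required` list belongs to starts outside the hunk.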
@@ -504,10 +1182,107 @@ spec: type: string keyTabPath: type: string + password: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' passwordSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value @@ -532,7 +1307,6 @@ spec: - enableFast - kerberosConfigPath - keyTabPath - - passwordSecretRef - realm - serviceName - username 
@@ -545,10 +1319,107 @@ spec: description: KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism properties: + token: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can + be set + rule: '!has(self.inline) || (has(self.inline) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other + field can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field + can be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other + field can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' tokenSecretRef: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `token` instead' properties: key: description: Key in Secret data to get value 
@@ -562,11 +1433,106 @@ spec: required: - name type: object - required: - - tokenSecretRef type: object - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: used `password` instead' properties: key: description: Key in Secret data to get value from 
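Review bot: The deprecation text added for `passwordSecretRef` at the end of this hunk reads "Deprecated: used `password` instead"; it should read "Deprecated: use `password` instead", as the other deprecated fields in this file do. The TLS fields use a third wording ('replaced by "caCert".'), so one form for all deprecated fields would make them easier to grep for. The YAML looks generated, so the fix would go in the doc comment on the Go field rather than here.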
@@ -586,18 +1552,20 @@ spec: - mechanism type: object x-kubernetes-validations: - - message: username and passwordSecretRef must be set - when mechanism is plain + - message: username and password must be set when mechanism + is plain rule: self.mechanism.lowerAscii() != 'plain' || (self.username - != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-256 + != "" && (has(self.passwordSecretRef) || has(self.password))) + - message: username and password must be set when mechanism + is sha-256 rule: self.mechanism.lowerAscii() != 'scram-sha-256' - || (self.username != "" && has(self.passwordSecretRef)) - - message: username and passwordSecretRef must be set - when mechanism is sha-512 + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) + - message: username and password must be set when mechanism + is sha-512 rule: self.mechanism.lowerAscii() != 'scram-sha-512' - || (self.username != "" && has(self.passwordSecretRef)) + || (self.username != "" && (has(self.passwordSecretRef) + || has(self.password))) - message: oauth must be set when mechanism is oauth rule: self.mechanism.lowerAscii() != 'oauthbearer' || has(self.oauth) 
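Review bot: The three rewritten rules accept either `passwordSecretRef` or `password`, but nothing rejects an object that sets both, and the schema does not say which one takes precedence. A stale secret reference left next to a new value source could then be the credential actually used, or be silently ignored, which is hard to notice during a credential rotation. Either add a rule such as `rule: '!(has(self.password) && has(self.passwordSecretRef))'` or state the precedence in the deprecated field's description. The same applies to every deprecated/new pair introduced in this file. The `sasl` object these rules are attached to starts outside the hunk.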
@@ -610,9 +1578,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -625,9 +1690,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -655,9 +1817,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from @@ -674,9 +1933,6 @@ spec: required: - brokers type: object - x-kubernetes-validations: - - message: kafka tls settings are immutable - rule: has(self.tls) == has(oldSelf.tls) schemaRegistry: description: |- SchemaRegistry is the configuration information for communicating with the Schema Registry 
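Review bot: Removing the `kafka tls settings are immutable` rule (last hunk on this line) means an update can now add or drop the `tls` block of an existing kafka source. Dropping it would, unless something outside this schema prevents it, presumably move the SASL credentials configured above onto an unencrypted connection. The removed rule only compared presence, `has(self.tls) == has(oldSelf.tls)`, so it does not block a migration from `caCertSecretRef` to `caCert` inside `tls` and looks safe to keep. If enabling TLS after creation is the goal, a weaker transition rule that only forbids removal keeps the guard: `rule: '!has(oldSelf.tls) || has(self.tls)'`. The object the rule was attached to starts outside the hunk.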
@@ -686,12 +1942,207 @@ spec: description: Defines authentication configuration settings for Redpanda clusters that have authentication enabled. properties: + authToken: + description: ValueSource represents where a value + can be pulled from + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' mechanism: description: Specifies the SASL/SCRAM authentication mechanism. type: string - passwordSecretRef: + password: description: Specifies the password. + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. 
+ This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + passwordSecretRef: + description: 'Deprecated: use `password` instead' properties: key: description: Key in Secret data to get value from @@ -705,9 +2156,7 @@ spec: - name type: object token: - description: |- - SecretKeyRef contains enough information to inspect or modify the referred Secret data - See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. + description: 'Deprecated: use `authToken` instead' properties: key: description: Key in Secret data to get value from 
@@ -730,9 +2179,106 @@ spec: description: Defines TLS configuration settings for Redpanda clusters that have TLS enabled. properties: - caCertSecretRef: + caCert: description: CaCert is the reference for certificate authority used to establish TLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + caCertSecretRef: + description: 'Deprecated: replaced by "caCert".' properties: key: description: Key in Secret data to get value from 
@@ -745,9 +2291,106 @@ spec: required: - name type: object - certSecretRef: + cert: description: Cert is the reference for client public certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + certSecretRef: + description: 'Deprecated: replaced by "cert".' properties: key: description: Key in Secret data to get value from 
@@ -775,9 +2418,106 @@ spec: Redpanda self-signed certificate when establish TLS connection to Redpanda type: boolean - keySecretRef: + key: description: Key is the reference for client private certificate to establish mTLS connection to Redpanda + properties: + configMapKeyRef: + description: |- + If the value is supplied by a kubernetes object reference, coordinates are embedded here. + For target values, the string value fetched from the source will be treated as + a raw string. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + externalSecretRef: + description: |- + If the value is supplied by an external source, coordinates are embedded here. + Note: we interpret all fetched external secrets as raw string values + properties: + name: + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + inline: + description: Inline is the raw value specified + inline. + type: string + secretKeyRef: + description: |- + Should the value be contained in a k8s secret rather than configmap, we can refer + to it here. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: one of inline, configMapKeyRef, secretKeyRef, + or externalSecretRef must be set + rule: has(self.inline) || has(self.configMapKeyRef) + || has(self.secretKeyRef) || has(self.externalSecretRef) + - message: if inline is set no other field can be + set + rule: '!has(self.inline) || (has(self.inline) && + !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if configMapKeyRef is set no other field + can be set + rule: '!has(self.configMapKeyRef) || (has(self.configMapKeyRef) + && !(has(self.inline) || has(self.secretKeyRef) + || has(self.externalSecretRef)))' + - message: if secretKeyRef is set no other field can + be set + rule: '!has(self.secretKeyRef) || (has(self.secretKeyRef) + && !(has(self.configMapKeyRef) || has(self.inline) + || has(self.externalSecretRef)))' + - message: if externalSecretRef is set no other field + can be set + rule: '!has(self.externalSecretRef) || (has(self.externalSecretRef) + && !(has(self.configMapKeyRef) || has(self.secretKeyRef) + || has(self.inline)))' + keySecretRef: + description: 'Deprecated: replaced by "key".' properties: key: description: Key in Secret data to get value from diff --git a/operator/go.mod b/operator/go.mod index 0edc4429d..73d18e205 100644 --- a/operator/go.mod +++ b/operator/go.mod @@ -15,7 +15,6 @@ require ( github.com/go-logr/logr v1.4.3 github.com/google/gofuzz v1.2.0 github.com/imdario/mergo v0.3.16 - github.com/jcmturner/gokrb5/v8 v8.4.4 github.com/json-iterator/go v1.1.12 github.com/moby/moby v24.0.7+incompatible github.com/moby/sys/mountinfo v0.7.2 
@@ -43,7 +42,6 @@ require ( github.com/twmb/franz-go v1.19.5 github.com/twmb/franz-go/pkg/kadm v1.16.0 github.com/twmb/franz-go/pkg/kmsg v1.11.2 - github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 github.com/twmb/franz-go/pkg/sr v1.5.0 go.opentelemetry.io/otel v1.36.0 go.uber.org/zap v1.27.0 @@ -191,6 +189,7 @@ require ( github.com/jcmturner/aescts/v2 v2.0.0 // indirect github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -276,6 +275,7 @@ require ( github.com/tidwall/pretty v1.2.1 // indirect github.com/tklauser/go-sysconf v0.3.15 // indirect github.com/tklauser/numcpus v0.10.0 // indirect + github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 // indirect github.com/twmb/tlscfg v1.2.1 // indirect github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect diff --git a/operator/internal/controller/console/controller_test.go b/operator/internal/controller/console/controller_test.go index 287878f4f..0e64fee9e 100644 --- a/operator/internal/controller/console/controller_test.go +++ b/operator/internal/controller/console/controller_test.go @@ -58,9 +58,13 @@ func TestController(t *testing.T) { SASL: &redpandav1alpha2.KafkaSASL{ Username: "testuser", Mechanism: redpandav1alpha2.SASLMechanismPlain, - Password: &redpandav1alpha2.SecretKeyRef{ - Name: "kafka-secret", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "kafka-secret", + }, + Key: "password", + }, }, }, }, 
diff --git a/operator/internal/controller/decommissioning/statefulset_decommissioner_test.go b/operator/internal/controller/decommissioning/statefulset_decommissioner_test.go index 0ffa59318..dcbbf9abd 100644 --- a/operator/internal/controller/decommissioning/statefulset_decommissioner_test.go +++ b/operator/internal/controller/decommissioning/statefulset_decommissioner_test.go @@ -199,7 +199,7 @@ func (s *StatefulSetDecommissionerSuite) SetupSuite() { s.helm = helmClient dialer := kube.NewPodDialer(mgr.GetConfig()) - s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient()).WithDialer(dialer.DialContext) + s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), nil).WithDialer(dialer.DialContext) decommissioner := decommissioning.NewStatefulSetDecommissioner( mgr, diff --git a/operator/internal/controller/redpanda/redpanda_controller_test.go b/operator/internal/controller/redpanda/redpanda_controller_test.go index e4c142850..4063e06c0 100644 --- a/operator/internal/controller/redpanda/redpanda_controller_test.go +++ b/operator/internal/controller/redpanda/redpanda_controller_test.go @@ -897,7 +897,7 @@ func (s *RedpandaControllerSuite) SetupSuite() { s.env.SetupManager(s.setupRBAC(), func(mgr ctrl.Manager) error { dialer := kube.NewPodDialer(mgr.GetConfig()) - s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient()).WithDialer(dialer.DialContext) + s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), nil).WithDialer(dialer.DialContext) s.Require().NoError((&redpanda.NodePoolReconciler{ Client: mgr.GetClient(), diff --git a/operator/internal/controller/redpanda/resource_controller_test.go b/operator/internal/controller/redpanda/resource_controller_test.go index a4859103c..7f67b90de 100644 --- a/operator/internal/controller/redpanda/resource_controller_test.go +++ b/operator/internal/controller/redpanda/resource_controller_test.go 
@@ -95,7 +95,7 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co require.NoError(t, err) require.NotNil(t, c) - factory := internalclient.NewFactory(cfg, c) + factory := internalclient.NewFactory(cfg, c, nil) // ensure we have a secret which we can pull a password from err = c.Create(ctx, &corev1.Secret{ @@ -126,9 +126,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co Brokers: []string{kafkaAddress}, SASL: &redpandav1alpha2.KafkaSASL{ Username: "superuser", - Password: &redpandav1alpha2.SecretKeyRef{ - Name: "superuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "superuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, @@ -137,9 +141,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co URLs: []string{adminAPI}, SASL: &redpandav1alpha2.AdminSASL{ Username: "superuser", - Password: redpandav1alpha2.SecretKeyRef{ - Name: "superuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "superuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, @@ -148,9 +156,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co URLs: []string{schemaRegistry}, SASL: &redpandav1alpha2.SchemaRegistrySASL{ Username: "superuser", - Password: redpandav1alpha2.SecretKeyRef{ - Name: "superuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "superuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, 
@@ -164,9 +176,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co Brokers: []string{kafkaAddress}, SASL: &redpandav1alpha2.KafkaSASL{ Username: "superuser", - Password: &redpandav1alpha2.SecretKeyRef{ - Name: "invalidsuperuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "invalidsuperuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, @@ -175,9 +191,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co URLs: []string{adminAPI}, SASL: &redpandav1alpha2.AdminSASL{ Username: "superuser", - Password: redpandav1alpha2.SecretKeyRef{ - Name: "invalidsuperuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "invalidsuperuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, @@ -186,9 +206,13 @@ func InitializeResourceReconcilerTest[T any, U Resource[T]](t *testing.T, ctx co URLs: []string{schemaRegistry}, SASL: &redpandav1alpha2.SchemaRegistrySASL{ Username: "superuser", - Password: redpandav1alpha2.SecretKeyRef{ - Name: "invalidsuperuser", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "invalidsuperuser", + }, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanismScramSHA256, }, diff --git a/operator/internal/controller/redpanda/role_controller.go b/operator/internal/controller/redpanda/role_controller.go index e63e98bc6..f841eb12a 100644 --- a/operator/internal/controller/redpanda/role_controller.go +++ b/operator/internal/controller/redpanda/role_controller.go 
@@ -29,6 +29,7 @@ import ( "github.com/redpanda-data/redpanda-operator/operator/pkg/client/kubernetes" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/roles" "github.com/redpanda-data/redpanda-operator/operator/pkg/utils" + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) //+kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandaroles,verbs=get;list;watch;update;patch @@ -161,10 +162,10 @@ func (r *RoleReconciler) roleAndACLClients(ctx context.Context, request Resource return rolesClient, syncer, hasRole, nil } -func SetupRoleController(ctx context.Context, mgr ctrl.Manager, includeV1, includeV2 bool) error { +func SetupRoleController(ctx context.Context, mgr ctrl.Manager, expander *secrets.CloudExpander, includeV1, includeV2 bool) error { c := mgr.GetClient() config := mgr.GetConfig() - factory := internalclient.NewFactory(config, c) + factory := internalclient.NewFactory(config, c, expander) builder := ctrl.NewControllerManagedBy(mgr). For(&redpandav1alpha2.RedpandaRole{}). diff --git a/operator/internal/controller/redpanda/schema_controller.go b/operator/internal/controller/redpanda/schema_controller.go index 9af60bad1..e4d9a6f4a 100644 --- a/operator/internal/controller/redpanda/schema_controller.go +++ b/operator/internal/controller/redpanda/schema_controller.go @@ -25,6 +25,7 @@ import ( internalclient "github.com/redpanda-data/redpanda-operator/operator/pkg/client" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/kubernetes" "github.com/redpanda-data/redpanda-operator/operator/pkg/utils" + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) //+kubebuilder:rbac:groups=cluster.redpanda.com,resources=schemas,verbs=get;list;watch;update;patch 
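Review bot: `SetupRoleController` gains an `expander *secrets.CloudExpander` parameter with no doc comment saying whether nil is acceptable, and the same holds for `SetupSchemaController`, `SetupShadowLinkController`, `SetupTopicController` and `SetupUserController` in the hunks that follow. The test call sites in this diff pass `nil` to `NewFactory`, so nil appears to be supported, but what happens to a resource that uses `externalSecretRef` when no expander is configured is not visible here. Once that behaviour is confirmed, I would add something like `// expander resolves externalSecretRef values; it may be nil, in which case external secret references cannot be resolved.` to each setup function. The function body continues outside the hunk.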
@@ -83,10 +84,10 @@ func (r *SchemaReconciler) DeleteResource(ctx context.Context, request ResourceR return nil } -func SetupSchemaController(ctx context.Context, mgr ctrl.Manager, includeV1, includeV2 bool) error { +func SetupSchemaController(ctx context.Context, mgr ctrl.Manager, expander *secrets.CloudExpander, includeV1, includeV2 bool) error { c := mgr.GetClient() config := mgr.GetConfig() - factory := internalclient.NewFactory(config, c) + factory := internalclient.NewFactory(config, c, expander) builder := ctrl.NewControllerManagedBy(mgr). For(&redpandav1alpha2.Schema{}) diff --git a/operator/internal/controller/redpanda/shadow_link_controller.go b/operator/internal/controller/redpanda/shadow_link_controller.go index 2deb0c1f8..ee863a984 100644 --- a/operator/internal/controller/redpanda/shadow_link_controller.go +++ b/operator/internal/controller/redpanda/shadow_link_controller.go @@ -24,6 +24,7 @@ import ( internalclient "github.com/redpanda-data/redpanda-operator/operator/pkg/client" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/kubernetes" "github.com/redpanda-data/redpanda-operator/operator/pkg/utils" + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) // maxTopicAndTaskStatusEntries artificially limits the number of individual @@ -100,10 +101,10 @@ func (r *ShadowLinkReconciler) DeleteResource(ctx context.Context, request Resou return nil } -func SetupShadowLinkController(ctx context.Context, mgr ctrl.Manager, includeV1, includeV2 bool) error { +func SetupShadowLinkController(ctx context.Context, mgr ctrl.Manager, expander *secrets.CloudExpander, includeV1, includeV2 bool) error { c := mgr.GetClient() config := mgr.GetConfig() - factory := internalclient.NewFactory(config, c) + factory := internalclient.NewFactory(config, c, expander) builder := ctrl.NewControllerManagedBy(mgr). For(&redpandav1alpha2.ShadowLink{}) 
diff --git a/operator/internal/controller/redpanda/topic_controller.go b/operator/internal/controller/redpanda/topic_controller.go index 1ee420aa3..9da04be1b 100644 --- a/operator/internal/controller/redpanda/topic_controller.go +++ b/operator/internal/controller/redpanda/topic_controller.go @@ -36,6 +36,7 @@ import ( "github.com/redpanda-data/redpanda-operator/operator/internal/controller" internalclient "github.com/redpanda-data/redpanda-operator/operator/pkg/client" "github.com/redpanda-data/redpanda-operator/pkg/otelutil/log" + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) const ( @@ -118,12 +119,12 @@ func (r *TopicReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl return result, err } -func SetupTopicController(ctx context.Context, mgr ctrl.Manager, includeV1, includeV2 bool) error { +func SetupTopicController(ctx context.Context, mgr ctrl.Manager, expander *secrets.CloudExpander, includeV1, includeV2 bool) error { c := mgr.GetClient() config := mgr.GetConfig() r := &TopicReconciler{ Client: c, - Factory: internalclient.NewFactory(config, c), + Factory: internalclient.NewFactory(config, c, expander), Scheme: mgr.GetScheme(), EventRecorder: mgr.GetEventRecorderFor("TopicReconciler"), } diff --git a/operator/internal/controller/redpanda/topic_controller_test.go b/operator/internal/controller/redpanda/topic_controller_test.go index d41a8ce4d..881d4c20a 100644 --- a/operator/internal/controller/redpanda/topic_controller_test.go +++ b/operator/internal/controller/redpanda/topic_controller_test.go @@ -47,7 +47,7 @@ func TestReconcile(t *testing.T) { // nolint:funlen // These tests have clear su require.NoError(t, err) require.NotNil(t, c) - factory := internalclient.NewFactory(cfg, c) + factory := internalclient.NewFactory(cfg, c, nil) var kafkaAdmCl *kadm.Client var kafkaCl *kgo.Client 
diff --git a/operator/internal/controller/redpanda/user_controller.go b/operator/internal/controller/redpanda/user_controller.go index 61109fb8c..228940eae 100644 --- a/operator/internal/controller/redpanda/user_controller.go +++ b/operator/internal/controller/redpanda/user_controller.go @@ -29,6 +29,7 @@ import ( "github.com/redpanda-data/redpanda-operator/operator/pkg/client/kubernetes" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/users" "github.com/redpanda-data/redpanda-operator/operator/pkg/utils" + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) //+kubebuilder:rbac:groups=cluster.redpanda.com,resources=users,verbs=get;list;watch;update;patch @@ -161,10 +162,10 @@ func (r *UserReconciler) userAndACLClients(ctx context.Context, request Resource return usersClient, syncer, hasUser, nil } -func SetupUserController(ctx context.Context, mgr ctrl.Manager, includeV1, includeV2 bool) error { +func SetupUserController(ctx context.Context, mgr ctrl.Manager, expander *secrets.CloudExpander, includeV1, includeV2 bool) error { c := mgr.GetClient() config := mgr.GetConfig() - factory := internalclient.NewFactory(config, c) + factory := internalclient.NewFactory(config, c, expander) builder := ctrl.NewControllerManagedBy(mgr). For(&redpandav1alpha2.User{}). diff --git a/operator/internal/probes/broker_test.go b/operator/internal/probes/broker_test.go index b89ea65b3..09faaf75f 100644 --- a/operator/internal/probes/broker_test.go +++ b/operator/internal/probes/broker_test.go @@ -176,7 +176,7 @@ func (s *ProberSuite) SetupSuite() { s.manager = mgr s.helm = helmClient dialer := kube.NewPodDialer(mgr.GetConfig()) - s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient()).WithDialer(dialer.DialContext) + s.clientFactory = internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient(), nil).WithDialer(dialer.DialContext) return nil }) 
diff --git a/operator/pkg/client/cluster.go b/operator/pkg/client/cluster.go index 559e2edeb..6893c0935 100644 --- a/operator/pkg/client/cluster.go +++ b/operator/pkg/client/cluster.go @@ -167,7 +167,7 @@ func (c *Factory) remoteClusterSettingsForCluster(ctx context.Context, cluster * return settings, err } - config, err := state.AsStaticConfigSource().Kafka.Load(ctx, c.Client) + config, err := state.AsStaticConfigSource().Kafka.Load(ctx, c.Client, c.secretExpander) if err != nil { return settings, err } diff --git a/operator/pkg/client/factory.go b/operator/pkg/client/factory.go index 2f46f3cbb..3f88cbb49 100644 --- a/operator/pkg/client/factory.go +++ b/operator/pkg/client/factory.go @@ -36,6 +36,8 @@ import ( "github.com/redpanda-data/redpanda-operator/operator/pkg/client/schemas" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/shadow" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/users" + "github.com/redpanda-data/redpanda-operator/pkg/ir" + pkgsecrets "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) var ( @@ -113,21 +115,23 @@ type Factory struct { adminClientTimeout time.Duration dialer redpanda.DialContextFunc userAuth *UserAuth + secretExpander *pkgsecrets.CloudExpander } var _ ClientFactory = (*Factory)(nil) -func NewFactory(config *rest.Config, kubeclient client.Client) *Factory { +func NewFactory(config *rest.Config, kubeclient client.Client, expander *pkgsecrets.CloudExpander) *Factory { return &Factory{ config: rest.CopyConfig(config), fs: afero.NewOsFs(), Client: kubeclient, + secretExpander: expander, adminClientTimeout: 10 * time.Second, } } func NewRPKOnlyFactory() *Factory { - return NewFactory(&rest.Config{}, nil) + return NewFactory(&rest.Config{}, nil, nil) } func (c *Factory) WithDialer(dialer redpanda.DialContextFunc) *Factory { 
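Review bot: `NewFactory` stores `expander` as a concrete `*pkgsecrets.CloudExpander` and `NewRPKOnlyFactory` passes `nil`, so every consumer of `c.secretExpander` has to tolerate a nil pointer. If `Load`, `AsOption`, `Config` or `AsCredentials` take it through an interface parameter (their signatures are not in this diff), a nil `*CloudExpander` arrives as a non-nil interface value and an `expander == nil` guard on that side will not fire. It is worth confirming that the callees check the concrete pointer. A doc comment on `NewFactory` would also help, e.g. `// expander may be nil; externalSecretRef values are then not resolvable.`, with the wording adjusted to the actual behaviour.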
@@ -209,7 +213,7 @@ func (c *Factory) KafkaClient(ctx context.Context, obj any, opts ...kgo.Opt) (*k } if spec := c.getKafkaSpec(o); spec != nil { - return c.kafkaForSpec(ctx, o.GetNamespace(), c.getKafkaMetricNamespace(o), spec, opts...) + return c.kafkaForSpec(ctx, c.getKafkaMetricNamespace(o), spec, opts...) } return nil, ErrInvalidKafkaClientObject @@ -253,7 +257,7 @@ func (c *Factory) RedpandaAdminClient(ctx context.Context, obj any) (*rpadmin.Ad } if spec := c.getAdminSpec(o); spec != nil { - return c.redpandaAdminForSpec(ctx, o.GetNamespace(), spec) + return c.redpandaAdminForSpec(ctx, spec) } return nil, ErrInvalidRedpandaClientObject @@ -297,7 +301,7 @@ func (c *Factory) SchemaRegistryClient(ctx context.Context, obj any) (*sr.Client } if spec := c.getSchemaRegistrySpec(o); spec != nil { - return c.schemaRegistryForSpec(ctx, o.GetNamespace(), spec) + return c.schemaRegistryForSpec(ctx, spec) } return nil, ErrInvalidSchemaRegistryClientObject @@ -380,7 +384,7 @@ func (c *Factory) RemoteClusterSettings(ctx context.Context, obj redpandav1alpha } if spec := c.getRemoteKafkaSpec(o); spec != nil { - return c.remoteClusterSettingsForSpec(ctx, o.GetNamespace(), spec) + return c.remoteClusterSettingsForSpec(ctx, spec) } return settings, ErrInvalidKafkaClientObject 
@@ -482,32 +486,32 @@ func (c *Factory) getRemoteV2Cluster(ctx context.Context, obj client.Object) (*r return nil, nil } -func (c *Factory) getKafkaSpec(obj client.Object) *redpandav1alpha2.KafkaAPISpec { +func (c *Factory) getKafkaSpec(obj client.Object) *ir.KafkaAPISpec { if o, ok := obj.(redpandav1alpha2.ClusterReferencingObject); ok { if source := o.GetClusterSource(); source != nil { if spec := source.GetKafkaAPISpec(); spec != nil { - return spec + return redpandav1alpha2.ConvertKafkaAPISpecToIR(obj.GetNamespace(), spec) } } } if o, ok := obj.(redpandav1alpha2.KafkaConnectedObject); ok { - return o.GetKafkaAPISpec() + return redpandav1alpha2.ConvertKafkaAPISpecToIR(o.GetNamespace(), o.GetKafkaAPISpec()) } return nil } -func (c *Factory) getRemoteKafkaSpec(obj client.Object) *redpandav1alpha2.KafkaAPISpec { +func (c *Factory) getRemoteKafkaSpec(obj client.Object) *ir.KafkaAPISpec { if o, ok := obj.(redpandav1alpha2.RemoteClusterReferencingObject); ok { if source := o.GetRemoteClusterSource(); source != nil { if spec := source.GetKafkaAPISpec(); spec != nil { - return spec + return redpandav1alpha2.ConvertKafkaAPISpecToIR(obj.GetNamespace(), spec) } } } if o, ok := obj.(redpandav1alpha2.KafkaConnectedObject); ok { - return o.GetKafkaAPISpec() + return redpandav1alpha2.ConvertKafkaAPISpecToIR(o.GetNamespace(), o.GetKafkaAPISpec()) } return nil } 
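Review bot: The `KafkaConnectedObject` branch of `getKafkaSpec` and `getRemoteKafkaSpec` passes `o.GetKafkaAPISpec()` straight into `ConvertKafkaAPISpecToIR` without the `spec != nil` guard that the first branch keeps, and `getAdminSpec` / `getSchemaRegistrySpec` in the next hunk do the same with their converters. Callers such as `KafkaClient` still rely on `spec != nil` to fall through to `ErrInvalidKafkaClientObject`, which only works if the converters return nil for nil input; that is not visible here. Either guard at the call site, `if spec := o.GetKafkaAPISpec(); spec != nil { return redpandav1alpha2.ConvertKafkaAPISpecToIR(o.GetNamespace(), spec) }`, or document the nil contract on the converters. The namespace passed here presumably decides where Secret and ConfigMap references are looked up, so a short comment stating that it is always the referencing object's own namespace would make the isolation boundary explicit.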
@@ -519,20 +523,20 @@ func (c *Factory) getKafkaMetricNamespace(obj client.Object) *string { return nil } -func (c *Factory) getAdminSpec(obj client.Object) *redpandav1alpha2.AdminAPISpec { +func (c *Factory) getAdminSpec(obj client.Object) *ir.AdminAPISpec { if o, ok := obj.(redpandav1alpha2.ClusterReferencingObject); ok { if source := o.GetClusterSource(); source != nil { - return source.GetAdminAPISpec() + return redpandav1alpha2.ConvertAdminAPISpecToIR(obj.GetNamespace(), source.GetAdminAPISpec()) } } return nil } -func (c *Factory) getSchemaRegistrySpec(obj client.Object) *redpandav1alpha2.SchemaRegistrySpec { +func (c *Factory) getSchemaRegistrySpec(obj client.Object) *ir.SchemaRegistrySpec { if o, ok := obj.(redpandav1alpha2.ClusterReferencingObject); ok { if source := o.GetClusterSource(); source != nil { - return source.GetSchemaRegistrySpec() + return redpandav1alpha2.ConvertSchemaRegistrySpecToIR(o.GetNamespace(), source.GetSchemaRegistrySpec()) } } diff --git a/operator/pkg/client/factory_test.go b/operator/pkg/client/factory_test.go index 449daedf1..9e55ac183 100644 --- a/operator/pkg/client/factory_test.go +++ b/operator/pkg/client/factory_test.go @@ -130,7 +130,7 @@ func TestIntegrationFactoryOperatorV1(t *testing.T) { env.SetupManager("test", func(mgr ctrl.Manager) error { dialer := kube.NewPodDialer(mgr.GetConfig()) - clientFactory = NewFactory(mgr.GetConfig(), mgr.GetClient()).WithDialer(dialer.DialContext) + clientFactory = NewFactory(mgr.GetConfig(), mgr.GetClient(), nil).WithDialer(dialer.DialContext) r = &vectorized.ClusterReconciler{ Client: mgr.GetClient(), 
@@ -251,7 +251,7 @@ func TestIntegrationClientFactory(t *testing.T) { require.NoError(t, err) require.NoError(t, helmClient.RepoAdd(ctx, "redpandadata", "https://charts.redpanda.com")) - factory := NewFactory(restcfg, kubeClient).WithDialer(kube.NewPodDialer(restcfg).DialContext) + factory := NewFactory(restcfg, kubeClient, nil).WithDialer(kube.NewPodDialer(restcfg).DialContext) type credentials struct { Name string @@ -348,18 +348,22 @@ func TestIntegrationClientFactory(t *testing.T) { spec.SASL = &redpandav1alpha2.KafkaSASL{ Username: tt.Auth.Name, - Password: &redpandav1alpha2.SecretKeyRef{ - Name: "secret", - Key: "password", + Password: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: "secret"}, + Key: "password", + }, }, Mechanism: redpandav1alpha2.SASLMechanism(tt.Auth.Mechanism), } } if tt.TLS { spec.TLS = &redpandav1alpha2.CommonTLS{ - CaCert: &redpandav1alpha2.SecretKeyRef{ - Name: fmt.Sprintf("%s-default-root-certificate", name), - Key: corev1.TLSCertKey, + CaCert: &redpandav1alpha2.ValueSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: fmt.Sprintf("%s-default-root-certificate", name)}, + Key: corev1.TLSCertKey, + }, }, } } @@ -437,7 +441,7 @@ func TestIntegrationClientFactoryTLSListeners(t *testing.T) { }) require.NoError(t, err) - factory := NewFactory(restcfg, kubeClient).WithDialer(kube.NewPodDialer(restcfg).DialContext) + factory := NewFactory(restcfg, kubeClient, nil).WithDialer(kube.NewPodDialer(restcfg).DialContext) values := map[string]any{} ensureMapAndSetValue(values, "tls", map[string]any{ diff --git a/operator/pkg/client/spec.go b/operator/pkg/client/spec.go index 09543fd0d..da7beba56 100644 --- a/operator/pkg/client/spec.go +++ b/operator/pkg/client/spec.go 
@@ -12,30 +12,34 @@ package client import ( "context" "crypto/tls" - "fmt" "net" "net/http" "time" "github.com/redpanda-data/common-go/rpadmin" - "github.com/redpanda-data/console/backend/pkg/config" "github.com/twmb/franz-go/pkg/kgo" "github.com/twmb/franz-go/pkg/sr" redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2" "github.com/redpanda-data/redpanda-operator/operator/pkg/client/shadow" + "github.com/redpanda-data/redpanda-operator/pkg/ir" "github.com/redpanda-data/redpanda-operator/pkg/otelutil/log" ) // KafkaForSpec returns a simple kgo.Client able to communicate with the given cluster specified via KafkaAPISpec. -func (c *Factory) kafkaForSpec(ctx context.Context, namespace string, metricNamespace *string, spec *redpandav1alpha2.KafkaAPISpec, opts ...kgo.Opt) (*kgo.Client, error) { +func (c *Factory) kafkaForSpec(ctx context.Context, metricNamespace *string, spec *ir.KafkaAPISpec, opts ...kgo.Opt) (*kgo.Client, error) { logger := log.FromContext(ctx) - if len(spec.Brokers) == 0 { + configuration, err := spec.Load(ctx, c.Client, c.secretExpander) + if err != nil { + return nil, err + } + + if len(configuration.Brokers) == 0 { return nil, ErrEmptyBrokerList } kopts := []kgo.Opt{ - kgo.SeedBrokers(spec.Brokers...), + kgo.SeedBrokers(configuration.Brokers...), } metricsLabel := "redpanda_operator" @@ -49,7 +53,7 @@ func (c *Factory) kafkaForSpec(ctx context.Context, namespace string, metricName kopts = append(kopts, kgo.WithLogger(wrapLogger(logger)), kgo.WithHooks(hooks)) if spec.SASL != nil { - saslOpt, err := c.configureKafkaSpecSASL(ctx, namespace, spec) + saslOpt, err := spec.SASL.AsOption(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } 
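Review bot: `kafkaForSpec` calls `spec.Load(ctx, c.Client, c.secretExpander)`, but the lines shown use only `configuration.Brokers` from the result, while SASL and TLS are resolved again through `spec.SASL.AsOption` (next hunk) and `spec.TLS.Config`. Judging by `remoteClusterSettingsForSpec` later in this file, `Load` also returns the resolved password and TLS key, so each client construction appears to fetch the credentials twice and hold an extra plaintext copy for the duration of the call. Consider a brokers-only accessor, or build the SASL and TLS options from `configuration`. The bare `return nil, err` also drops the context the removed helpers added; `return nil, fmt.Errorf("loading kafka client configuration: %w", err)` would restore it, though it needs the `fmt` import that this hunk removes. The function body continues outside the hunk.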
@@ -67,7 +71,7 @@ func (c *Factory) kafkaForSpec(ctx context.Context, namespace string, metricName } if spec.TLS != nil { - tlsConfig, err := c.configureSpecTLS(ctx, namespace, spec.TLS) + tlsConfig, err := spec.TLS.Config(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } @@ -88,7 +92,7 @@ func (c *Factory) kafkaForSpec(ctx context.Context, namespace string, metricName return kgo.NewClient(append(opts, kopts...)...) } -func (c *Factory) redpandaAdminForSpec(ctx context.Context, namespace string, spec *redpandav1alpha2.AdminAPISpec) (*rpadmin.AdminAPI, error) { +func (c *Factory) redpandaAdminForSpec(ctx context.Context, spec *ir.AdminAPISpec) (*rpadmin.AdminAPI, error) { if len(spec.URLs) == 0 { return nil, ErrEmptyURLList } @@ -96,7 +100,7 @@ func (c *Factory) redpandaAdminForSpec(ctx context.Context, namespace string, sp var err error var tlsConfig *tls.Config if spec.TLS != nil { - tlsConfig, err = c.configureSpecTLS(ctx, namespace, spec.TLS) + tlsConfig, err = spec.TLS.Config(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } @@ -104,7 +108,7 @@ func (c *Factory) redpandaAdminForSpec(ctx context.Context, namespace string, sp var auth rpadmin.Auth var username, password, token string - username, password, token, err = c.configureAdminSpecSASL(ctx, namespace, spec) + username, password, token, err = spec.Auth.AsCredentials(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } @@ -138,7 +142,7 @@ func (c *Factory) redpandaAdminForSpec(ctx context.Context, namespace string, sp return client, nil } -func (c *Factory) schemaRegistryForSpec(ctx context.Context, namespace string, spec *redpandav1alpha2.SchemaRegistrySpec) (*sr.Client, error) { +func (c *Factory) schemaRegistryForSpec(ctx context.Context, spec *ir.SchemaRegistrySpec) (*sr.Client, error) { if len(spec.URLs) == 0 { return nil, ErrEmptyURLList } 
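Review bot: `spec.Auth.AsCredentials(...)` in `redpandaAdminForSpec` (hunk `@@ -104,7 +108,7 @@`) is called without a nil check, whereas the removed `configureAdminSpecSASL` returned empty credentials when `spec.SASL == nil`. Unless `AsCredentials` accepts a nil receiver (not visible in this diff), an admin API spec without authentication would now panic in the reconciler instead of producing an unauthenticated client. The same applies to `spec.SASL.AsOption(...)` in `schemaRegistryForSpec` (hunk `@@ -173,7 +177,7 @@`), where the old helper returned `nil, nil` for a nil SASL block; `kafkaForSpec` already guards its call with `if spec.SASL != nil`. Either guard both call sites the same way, or add a comment at each stating the contract, e.g. `// AsCredentials tolerates a nil Auth and returns empty credentials`.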
@@ -159,7 +163,7 @@ func (c *Factory) schemaRegistryForSpec(ctx context.Context, namespace string, s var err error var tlsConfig *tls.Config if spec.TLS != nil { - tlsConfig, err = c.configureSpecTLS(ctx, namespace, spec.TLS) + tlsConfig, err = spec.TLS.Config(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } @@ -173,7 +177,7 @@ func (c *Factory) schemaRegistryForSpec(ctx context.Context, namespace string, s }), } - authOpt, err := c.configureSchemaRegistrySpecSASL(ctx, namespace, spec) + authOpt, err := spec.SASL.AsOption(ctx, c.Client, c.secretExpander) if err != nil { return nil, err } 
@@ -189,84 +193,35 @@ func (c *Factory) schemaRegistryForSpec(ctx context.Context, namespace string, s return sr.NewClient(opts...) } -func (c *Factory) remoteClusterSettingsForSpec(ctx context.Context, namespace string, spec *redpandav1alpha2.KafkaAPISpec) (shadow.RemoteClusterSettings, error) { +func (c *Factory) remoteClusterSettingsForSpec(ctx context.Context, spec *ir.KafkaAPISpec) (shadow.RemoteClusterSettings, error) { var settings shadow.RemoteClusterSettings - if len(spec.Brokers) == 0 { - return settings, ErrEmptyBrokerList - } - - settings.BootstrapServers = spec.Brokers - - if spec.SASL != nil { - auth, err := c.remoteClusterAuthSettingsForSpec(ctx, namespace, spec) - if err != nil { - return settings, err - } - settings.Authentication = auth + configuration, err := spec.Load(ctx, c.Client, c.secretExpander) + if err != nil { + return settings, err } - if spec.TLS != nil { - tls, err := c.remoteClusterTLSSettingsForSpec(ctx, namespace, spec.TLS) - if err != nil { - return settings, err - } - settings.TLSSettings = tls + if len(configuration.Brokers) == 0 { + return settings, ErrEmptyBrokerList } - return settings, nil -} - -func (c *Factory) remoteClusterTLSSettingsForSpec(ctx context.Context, namespace string, spec *redpandav1alpha2.CommonTLS) (*shadow.TLSSettings, error) { - // NB: we elide the check of the `Enabled` field because if any field is set, `Enabled` included, the spec is not nil - // and we should be leveraging TLS. 
- settings := &shadow.TLSSettings{} + settings.BootstrapServers = configuration.Brokers - // Root CA - if spec.CaCert != nil { - ca, err := spec.CaCert.GetValue(ctx, c.Client, namespace, "ca.crt") - if err != nil { - return nil, fmt.Errorf("failed to read ca certificate secret: %w", err) + if configuration.SASL != nil { + settings.Authentication = &shadow.AuthenticationSettings{ + Username: configuration.SASL.Username, + Password: configuration.SASL.Password, + Mechanism: redpandav1alpha2.SASLMechanism(configuration.SASL.Mechanism), } - - settings.CA = string(ca) } - // If configured load TLS cert & key - Mutual TLS - if spec.Cert != nil && spec.Key != nil { - // 1. Read certificates - cert, err := spec.Cert.GetValue(ctx, c.Client, namespace, "tls.crt") - if err != nil { - return nil, fmt.Errorf("failed to read certificate secret: %w", err) - } - - settings.Cert = string(cert) - - key, err := spec.Cert.GetValue(ctx, c.Client, namespace, "tls.key") - if err != nil { - return nil, fmt.Errorf("failed to read key certificate secret: %w", err) + if configuration.TLS != nil { + settings.TLSSettings = &shadow.TLSSettings{ + CA: configuration.TLS.CA, + Cert: configuration.TLS.Cert, + Key: configuration.TLS.Key, } - - settings.Key = string(key) } return settings, nil } - -func (c *Factory) remoteClusterAuthSettingsForSpec(ctx context.Context, namespace string, spec *redpandav1alpha2.KafkaAPISpec) (*shadow.AuthenticationSettings, error) { - switch spec.SASL.Mechanism { - case config.SASLMechanismPlain, config.SASLMechanismScramSHA256, config.SASLMechanismScramSHA512: - p, err := spec.SASL.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl plain password: %w", err) - } - - return &shadow.AuthenticationSettings{ - Username: spec.SASL.Username, - Password: string(p), - Mechanism: spec.SASL.Mechanism, - }, nil - } - - return nil, fmt.Errorf("unsupported sasl mechanism: %s", spec.SASL.Mechanism) -} 
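Review bot: The new `remoteClusterSettingsForSpec` copies `configuration.SASL.Mechanism` into `shadow.AuthenticationSettings` without the allowlist that the removed `remoteClusterAuthSettingsForSpec` enforced (plain and the two SCRAM mechanisms, otherwise `unsupported sasl mechanism`). If `Load` does not reject other mechanisms itself, a spec using OAuth, GSSAPI or AWS MSK IAM would now yield settings carrying that mechanism and whatever `Password` resolved to, possibly empty, rather than an error here. Keeping the check would preserve the fail-closed behaviour, for instance a `default:` branch returning `fmt.Errorf("unsupported sasl mechanism: %s", configuration.SASL.Mechanism)`, which needs the `fmt` import this commit drops from the file. Alternatively, a comment could state that `Load` performs the validation.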
diff --git a/operator/pkg/client/spec_sasl.go b/operator/pkg/client/spec_sasl.go deleted file mode 100644 index de92d1117..000000000 --- a/operator/pkg/client/spec_sasl.go +++ /dev/null 
@@ -1,206 +0,0 @@ -// Copyright 2025 Redpanda Data, Inc. -// -// Use of this software is governed by the Business Source License -// included in the file licenses/BSL.md -// -// As of the Change Date specified in that file, in accordance with -// the Business Source License, use of this software will be governed -// by the Apache License, Version 2.0 - -package client - -import ( - "context" - "fmt" - - krbclient "github.com/jcmturner/gokrb5/v8/client" - krbconfig "github.com/jcmturner/gokrb5/v8/config" - "github.com/jcmturner/gokrb5/v8/keytab" - "github.com/redpanda-data/console/backend/pkg/config" - "github.com/twmb/franz-go/pkg/kgo" - "github.com/twmb/franz-go/pkg/sasl" - "github.com/twmb/franz-go/pkg/sasl/aws" - "github.com/twmb/franz-go/pkg/sasl/kerberos" - "github.com/twmb/franz-go/pkg/sasl/oauth" - "github.com/twmb/franz-go/pkg/sasl/plain" - "github.com/twmb/franz-go/pkg/sasl/scram" - "github.com/twmb/franz-go/pkg/sr" - - redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2" - "github.com/redpanda-data/redpanda-operator/pkg/otelutil/log" -) - -func (c *Factory) configureAdminSpecSASL(ctx context.Context, namespace string, spec *redpandav1alpha2.AdminAPISpec) (username, password, token string, err error) { - if spec.SASL == nil { - return "", "", "", nil - } - - //nolint:exhaustive // we don't need this to be exhaustive, as we only support 3 auth mechanisms in this API. 
- switch spec.SASL.Mechanism { - // SCRAM - case config.SASLMechanismScramSHA256, config.SASLMechanismScramSHA512: - p, err := spec.SASL.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return "", "", "", fmt.Errorf("unable to fetch sasl password: %w", err) - } - - return spec.SASL.Username, string(p), "", nil - // OAUTH - case config.SASLMechanismOAuthBearer: - token, err := spec.SASL.AuthToken.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return "", "", "", fmt.Errorf("unable to fetch sasl token: %w", err) - } - return "", "", string(token), nil - } - - return "", "", "", fmt.Errorf("unsupported SASL mechanism: %s", spec.SASL.Mechanism) -} - -func (c *Factory) configureSchemaRegistrySpecSASL(ctx context.Context, namespace string, spec *redpandav1alpha2.SchemaRegistrySpec) (sr.ClientOpt, error) { - if spec.SASL == nil { - return nil, nil - } - - //nolint:exhaustive // we don't need this to be exhaustive, as we only support 3 auth mechanisms in this API. 
- switch spec.SASL.Mechanism { - // SCRAM - case config.SASLMechanismScramSHA256, config.SASLMechanismScramSHA512: - p, err := spec.SASL.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl password: %w", err) - } - - return sr.BasicAuth(spec.SASL.Username, string(p)), nil - // OAUTH - case config.SASLMechanismOAuthBearer: - token, err := spec.SASL.AuthToken.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl token: %w", err) - } - return sr.BearerToken(string(token)), nil - } - - return nil, fmt.Errorf("unsupported SASL mechanism: %s", spec.SASL.Mechanism) -} - -func (c *Factory) configureKafkaSpecSASL(ctx context.Context, namespace string, spec *redpandav1alpha2.KafkaAPISpec) (kgo.Opt, error) { - logger := log.FromContext(ctx) - - switch spec.SASL.Mechanism { - // SASL Plain - case config.SASLMechanismPlain: - p, err := spec.SASL.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl plain password: %w", err) - } - - return kgo.SASL(plain.Auth{ - User: spec.SASL.Username, - Pass: string(p), - }.AsMechanism()), nil - - // SASL SCRAM - case config.SASLMechanismScramSHA256, config.SASLMechanismScramSHA512: - p, err := spec.SASL.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl scram password: %w", err) - } - - var mechanism sasl.Mechanism - scramAuth := scram.Auth{ - User: spec.SASL.Username, - Pass: string(p), - } - - if spec.SASL.Mechanism == config.SASLMechanismScramSHA256 { - logger.V(log.TraceLevel).Info("configuring SCRAM-SHA-256 mechanism") - mechanism = scramAuth.AsSha256Mechanism() - } - - if spec.SASL.Mechanism == config.SASLMechanismScramSHA512 { - logger.V(log.TraceLevel).Info("configuring SCRAM-SHA-512 mechanism") - mechanism = scramAuth.AsSha512Mechanism() - } - - return kgo.SASL(mechanism), 
nil - - // OAuth Bearer - case config.SASLMechanismOAuthBearer: - t, err := spec.SASL.OAUth.Token.GetValue(ctx, c.Client, namespace, "token") - if err != nil { - return nil, fmt.Errorf("unable to fetch token: %w", err) - } - - return kgo.SASL(oauth.Auth{ - Token: string(t), - }.AsMechanism()), nil - - // Kerberos - case config.SASLMechanismGSSAPI: - logger.V(log.TraceLevel).Info("configuring SCRAM-SHA-512 mechanism") - var krbClient *krbclient.Client - - kerbCfg, err := krbconfig.Load(spec.SASL.GSSAPIConfig.KerberosConfigPath) - if err != nil { - return nil, fmt.Errorf("creating kerberos config from specified config (%s) filepath: %w", spec.SASL.GSSAPIConfig.KerberosConfigPath, err) - } - - switch spec.SASL.GSSAPIConfig.AuthType { - case "USER_AUTH": - p, err := spec.SASL.GSSAPIConfig.Password.GetValue(ctx, c.Client, namespace, "password") - if err != nil { - return nil, fmt.Errorf("unable to fetch sasl gssapi password: %w", err) - } - - krbClient = krbclient.NewWithPassword( - spec.SASL.GSSAPIConfig.Username, - spec.SASL.GSSAPIConfig.Realm, - string(p), - kerbCfg, - krbclient.DisablePAFXFAST(!spec.SASL.GSSAPIConfig.EnableFast), - ) - - case "KEYTAB_AUTH": - ktb, err := keytab.Load(spec.SASL.GSSAPIConfig.KeyTabPath) - if err != nil { - return nil, fmt.Errorf("loading keytab from (%s) key tab path: %w", spec.SASL.GSSAPIConfig.KeyTabPath, err) - } - - krbClient = krbclient.NewWithKeytab( - spec.SASL.GSSAPIConfig.Username, - spec.SASL.GSSAPIConfig.Realm, - ktb, - kerbCfg, - krbclient.DisablePAFXFAST(!spec.SASL.GSSAPIConfig.EnableFast), - ) - } - - return kgo.SASL(kerberos.Auth{ - Client: krbClient, - Service: spec.SASL.GSSAPIConfig.ServiceName, - PersistAfterAuth: true, - }.AsMechanism()), nil - - // AWS MSK IAM - case config.SASLMechanismAWSManagedStreamingIAM: - s, err := spec.SASL.AWSMskIam.SecretKey.GetValue(ctx, c.Client, namespace, "secret") - if err != nil { - return nil, fmt.Errorf("unable to fetch aws msk secret key: %w", err) - } - - t, err := 
spec.SASL.AWSMskIam.SessionToken.GetValue(ctx, c.Client, namespace, "token") - if err != nil { - return nil, fmt.Errorf("unable to fetch aws msk secret key: %w", err) - } - - return kgo.SASL(aws.Auth{ - AccessKey: spec.SASL.AWSMskIam.AccessKey, - SecretKey: string(s), - SessionToken: string(t), - UserAgent: spec.SASL.AWSMskIam.UserAgent, - }.AsManagedStreamingIAMMechanism()), nil - } - - return nil, fmt.Errorf("unsupported sasl mechanism: %s", spec.SASL.Mechanism) -} diff --git a/operator/pkg/client/spec_test.go b/operator/pkg/client/spec_test.go index cf68f9b94..adba0634e 100644 --- a/operator/pkg/client/spec_test.go +++ b/operator/pkg/client/spec_test.go @@ -67,7 +67,7 @@ func TestShadowLinkClusterSettings_BootstrapRegression(t *testing.T) { c, err := client.New(cfg, client.Options{Scheme: controller.UnifiedScheme}) require.NoError(t, err) - factory := NewFactory(cfg, c) + factory := NewFactory(cfg, c, nil) settings, err := factory.RemoteClusterSettings(ctx, &redpandav1alpha2.ShadowLink{ Spec: redpandav1alpha2.ShadowLinkSpec{ diff --git a/operator/pkg/client/spec_tls.go b/operator/pkg/client/spec_tls.go index 063cdfd8c..26e9ee03e 100644 --- a/operator/pkg/client/spec_tls.go +++ b/operator/pkg/client/spec_tls.go @@ -12,14 +12,9 @@ package client import ( "context" "crypto/tls" - "crypto/x509" - "encoding/pem" - "fmt" "net" redpanda "github.com/redpanda-data/redpanda-operator/charts/redpanda/v25/client" - redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2" - "github.com/redpanda-data/redpanda-operator/pkg/otelutil/log" ) func wrapTLSDialer(dialer redpanda.DialContextFunc, config *tls.Config) redpanda.DialContextFunc { 
@@ -44,61 +39,3 @@ func wrapTLSDialer(dialer redpanda.DialContextFunc, config *tls.Config) redpanda return tls.Client(conn, config), nil } } - -func (c *Factory) configureSpecTLS(ctx context.Context, namespace string, spec *redpandav1alpha2.CommonTLS) (*tls.Config, error) { - var caCertPool *x509.CertPool - - logger := log.FromContext(ctx) - - // Root CA - if spec.CaCert != nil { - ca, err := spec.CaCert.GetValue(ctx, c.Client, namespace, "ca.crt") - if err != nil { - return nil, fmt.Errorf("failed to read ca certificate secret: %w", err) - } - - caCertPool = x509.NewCertPool() - isSuccessful := caCertPool.AppendCertsFromPEM(ca) - if !isSuccessful { - logger.Info("failed to append ca file to cert pool, is this a valid PEM format?") - } - } - - // If configured load TLS cert & key - Mutual TLS - var certificates []tls.Certificate - if spec.Cert != nil && spec.Key != nil { - // 1. Read certificates - cert, err := spec.Cert.GetValue(ctx, c.Client, namespace, "tls.crt") - if err != nil { - return nil, fmt.Errorf("failed to read certificate secret: %w", err) - } - - certData := cert - - key, err := spec.Cert.GetValue(ctx, c.Client, namespace, "tls.key") - if err != nil { - return nil, fmt.Errorf("failed to read key certificate secret: %w", err) - } - - keyData := key - - // 2. Check if private key needs to be decrypted. Decrypt it if passphrase is given, otherwise return error - pemBlock, _ := pem.Decode(keyData) - if pemBlock == nil { - return nil, fmt.Errorf("no valid private key found") // nolint:goerr113 // this error will not be handled by operator - } - - tlsCert, err := tls.X509KeyPair(certData, keyData) - if err != nil { - return nil, fmt.Errorf("cannot parse pem: %w", err) - } - certificates = []tls.Certificate{tlsCert} - } - - return &tls.Config{ - //nolint:gosec // InsecureSkipVerify may be true upon user's responsibility. - InsecureSkipVerify: spec.InsecureSkipTLSVerify, - Certificates: certificates, - RootCAs: caCertPool, - }, nil -} 
diff --git a/operator/pkg/resources/certmanager/type_helpers.go b/operator/pkg/resources/certmanager/type_helpers.go index 5e8eff33e..080c7dd37 100644 --- a/operator/pkg/resources/certmanager/type_helpers.go +++ b/operator/pkg/resources/certmanager/type_helpers.go @@ -782,7 +782,7 @@ func getTLSConfig( if err != nil { return nil, err } - return commonTLS.Config(ctx, k8sClient) + return commonTLS.Config(ctx, k8sClient, nil) } func getTLSConfigValues( @@ -792,7 +792,7 @@ func getTLSConfigValues( if err != nil { return nil, err } - return commonTLS.Load(ctx, k8sClient) + return commonTLS.Load(ctx, k8sClient, nil) } func getCommonTLS(certs *apiCertificates) (*ir.CommonTLS, error) { @@ -802,7 +802,7 @@ func getCommonTLS(certs *apiCertificates) (*ir.CommonTLS, error) { } commonTLS := &ir.CommonTLS{ - CaCert: &ir.ObjectKeyRef{ + CaCert: &ir.ValueSource{ Namespace: nodeCertificateName.Namespace, SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ @@ -815,15 +815,19 @@ func getCommonTLS(certs *apiCertificates) (*ir.CommonTLS, error) { if len(certs.clientCertificates) > 0 { certObject := certs.clientCertificateNames()[0] - commonTLS.Cert = &ir.SecretKeyRef{ + commonTLS.Cert = &ir.ValueSource{ Namespace: certObject.Namespace, - Name: certObject.Name, - Key: corev1.TLSCertKey, + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: certObject.Name}, + Key: corev1.TLSCertKey, + }, } - commonTLS.Key = &ir.SecretKeyRef{ + commonTLS.Key = &ir.ValueSource{ Namespace: certObject.Namespace, - Name: certObject.Name, - Key: corev1.TLSPrivateKeyKey, + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{Name: certObject.Name}, + Key: corev1.TLSPrivateKeyKey, + }, } } diff --git a/pkg/go.mod b/pkg/go.mod index d9a9d115d..f614949af 100644 --- a/pkg/go.mod +++ b/pkg/go.mod 
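Review bot: `commonTLS.Config(ctx, k8sClient, nil)` in `getTLSConfig`, and `commonTLS.Load(ctx, k8sClient, nil)` in `getTLSConfigValues` (hunk `@@ -792,7 +792,7 @@`), pass a nil expander with no explanation. The `ir.CommonTLS` built by `getCommonTLS` in the following hunks sets only `SecretKeyRef`, so nil is probably safe here, but that depends on the loader returning an error rather than dereferencing the expander if another source type ever reaches it. A comment at both calls would record the assumption: `// nil expander: getCommonTLS only produces in-cluster SecretKeyRef sources`. Both functions begin outside their hunks.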
@@ -12,15 +12,20 @@ require ( github.com/google/cel-go v0.25.0 github.com/homeport/dyff v1.7.1 github.com/invopop/jsonschema v0.12.0 + github.com/jcmturner/gokrb5/v8 v8.4.4 github.com/lucasjones/reggen v0.0.0-20200904144131-37ba4fa293bb github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.76.2 github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7 github.com/redpanda-data/common-go/secrets v0.1.4 + github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b github.com/redpanda-data/redpanda/src/go/rpk v0.0.0-20250716004441-6e1647296ad6 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 github.com/spf13/pflag v1.0.7 github.com/stretchr/testify v1.10.0 github.com/testcontainers/testcontainers-go/modules/k3s v0.39.0 + github.com/twmb/franz-go v1.19.5 + github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 + github.com/twmb/franz-go/pkg/sr v1.5.0 github.com/wk8/go-ordered-map/v2 v2.1.8 go.opentelemetry.io/collector/pdata v1.32.0 go.opentelemetry.io/contrib/bridges/prometheus v0.61.0 @@ -110,6 +115,7 @@ require ( github.com/cenkalti/backoff/v5 v5.0.2 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect + github.com/cloudhut/common v0.11.0 // indirect github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect github.com/cockroachdb/redact v1.1.5 // indirect github.com/containerd/containerd v1.7.27 // indirect 
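Review bot: Adding `github.com/redpanda-data/console/backend` as a direct requirement of the shared `pkg` module pulls an application backend, pinned to an untagged pseudo-version, into every consumer of `pkg`. The later hunks add `cloudhut/common`, `go-chi/chi/v5` and the `knadh/koanf` packages as indirect requirements, presumably through it. In the removed `spec_sasl.go` that import was used only for the `config.SASLMechanism*` constants; if the moved code needs no more than that, declaring those mechanism strings locally would avoid the extra dependency surface. If the dependency stays, a tagged release would be easier to audit than a commit pseudo-version.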
@@ -118,11 +124,9 @@ require ( github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/cpuguy83/dockercfg v0.3.2 // indirect - github.com/creack/pty v1.1.20 // indirect github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/dlclark/regexp2 v1.11.5 // indirect github.com/docker/docker v28.3.3+incompatible // indirect github.com/docker/go-connections v0.6.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -136,6 +140,7 @@ require ( github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.8.0 // indirect github.com/getsentry/sentry-go v0.27.0 // indirect + github.com/go-chi/chi/v5 v5.2.2 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -143,6 +148,7 @@ require ( github.com/go-openapi/jsonpointer v0.21.1 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/swag v0.23.1 // indirect + github.com/go-viper/mapstructure/v2 v2.3.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v5 v5.2.2 // indirect @@ -154,7 +160,6 @@ require ( github.com/google/btree v1.1.3 // indirect github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.7.0 // indirect - github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect github.com/google/s2a-go v0.1.9 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect 
@@ -166,14 +171,25 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/golang-lru/arc/v2 v2.0.7 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jcmturner/aescts/v2 v2.0.0 // indirect + github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect + github.com/jcmturner/gofork v1.7.6 // indirect + github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect github.com/klauspost/compress v1.18.0 // indirect + github.com/knadh/koanf/maps v0.1.2 // indirect + github.com/knadh/koanf/parsers/yaml v1.0.0 // indirect + github.com/knadh/koanf/providers/confmap v1.0.0 // indirect + github.com/knadh/koanf/providers/env v1.1.0 // indirect + github.com/knadh/koanf/providers/file v1.2.0 // indirect + github.com/knadh/koanf/v2 v2.2.1 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect @@ -243,7 +259,6 @@ require ( github.com/tidwall/pretty v1.2.1 // indirect github.com/tklauser/go-sysconf v0.3.15 // indirect github.com/tklauser/numcpus v0.10.0 // indirect - github.com/twmb/franz-go v1.19.5 // indirect github.com/twmb/franz-go/pkg/kadm v1.16.0 // indirect github.com/twmb/franz-go/pkg/kmsg v1.11.2 // indirect github.com/twmb/tlscfg v1.2.1 // indirect diff --git a/pkg/go.sum b/pkg/go.sum index 2c21495d2..4998cd8dd 100644 --- a/pkg/go.sum +++ b/pkg/go.sum 
@@ -126,6 +126,8 @@ github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNS github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/chrisseto/rapid v0.0.0-20240815210052-cdeef406c65c h1:GZtcJAFTBCr16eM7ytFwWMg9oLaMsRfSsVyi3lTo+mw= github.com/chrisseto/rapid v0.0.0-20240815210052-cdeef406c65c/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= +github.com/cloudhut/common v0.11.0 h1:N9yDk2fHhKjhzhKlZeMzrF5v1Q2kUm1EpnExAWAP+pc= +github.com/cloudhut/common v0.11.0/go.mod h1:VVehSv0ZPulx35rzCXdwjkjQ3pRKZQAXk2/v3EE+6WU= github.com/cockroachdb/errors v1.11.3 h1:5bA+k2Y6r+oz/6Z/RFlNeVCesGARKuC6YymtcDrbC/I= github.com/cockroachdb/errors v1.11.3/go.mod h1:m4UIW4CDjx+R5cybPsNrRbreomiFqt8o1h1wUVazSd8= github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b h1:r6VH0faHjZeQy818SGhaone5OnYfxFR/+AzdY3sf5aE= @@ -201,6 +203,8 @@ github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vt github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= github.com/getsentry/sentry-go v0.27.0 h1:Pv98CIbtB3LkMWmXi4Joa5OOcwbmnX88sF5qbK3r3Ps= github.com/getsentry/sentry-go v0.27.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY= +github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= +github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= 
@@ -226,6 +230,8 @@ github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqw github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= +github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= @@ -272,6 +278,8 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= 
@@ -285,6 +293,9 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ= github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= 
@@ -299,6 +310,19 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/jsonschema v0.12.0 h1:6ovsNSuvn9wEQVOyc72aycBMVQFKz7cPdMJn10CvzRI= github.com/invopop/jsonschema v0.12.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -311,8 +335,21 @@ github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKu github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= +github.com/knadh/koanf/maps v0.1.2/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI= +github.com/knadh/koanf/parsers/yaml v1.0.0 h1:PXyeHCRhAMKyfLJaoTWsqUTxIFeDMmdAKz3XVEslZV4= +github.com/knadh/koanf/parsers/yaml v1.0.0/go.mod h1:Q63VAOh/s6XaQs6a0TB2w9GFUuuPGvfYrCSWb9eWAQU= +github.com/knadh/koanf/providers/confmap v1.0.0 h1:mHKLJTE7iXEys6deO5p6olAiZdG5zwp8Aebir+/EaRE= +github.com/knadh/koanf/providers/confmap v1.0.0/go.mod h1:txHYHiI2hAtF0/0sCmcuol4IDcuQbKTybiB1nOcUo1A= +github.com/knadh/koanf/providers/env v1.1.0 h1:U2VXPY0f+CsNDkvdsG8GcsnK4ah85WwWyJgef9oQMSc= +github.com/knadh/koanf/providers/env v1.1.0/go.mod h1:QhHHHZ87h9JxJAn2czdEl6pdkNnDh/JS1Vtsyt65hTY= +github.com/knadh/koanf/providers/file v1.2.0 h1:hrUJ6Y9YOA49aNu/RSYzOTFlqzXSCpmYIDXI7OJU6+U= +github.com/knadh/koanf/providers/file v1.2.0/go.mod h1:bp1PM5f83Q+TOUu10J/0ApLBd9uIzg+n9UgthfY+nRA= +github.com/knadh/koanf/v2 v2.2.1 h1:jaleChtw85y3UdBnI0wCqcg1sj1gPoz6D3caGNHtrNE= +github.com/knadh/koanf/v2 v2.2.1/go.mod h1:PSFru3ufQgTsI7IF+95rf9s8XA1+aHxKuO/W+dPoHEY= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod 
h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= @@ -414,6 +451,7 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU= github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= @@ -452,6 +490,8 @@ github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7 github.com/redpanda-data/common-go/rpadmin v0.1.17-0.20250918052456-493894730cb7/go.mod h1:NMOb9iySu0qkqREwoZaN0WANeqaGEZKDtKMecSobToQ= github.com/redpanda-data/common-go/secrets v0.1.4 h1:CGp3KolGnjcJvIafTwf7Hlj5ztLOJCjgkegRu7IAkSw= github.com/redpanda-data/common-go/secrets v0.1.4/go.mod h1:WjUU/5saSXwItZx6veFOGbQZUgPQz4MQ65z22y0Ky84= +github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b h1:zwQznaAIBpxCL9FDaILJT+L7b3YGAD6QxK21hFzhEls= +github.com/redpanda-data/console/backend v0.0.0-20250915195818-3cd9fabec94b/go.mod h1:dWaJBv8Eqpe21aREHEPlacC6bNoxWArvlcgWEB6t+3w= github.com/redpanda-data/redpanda/src/go/rpk v0.0.0-20250716004441-6e1647296ad6 h1:SbcvWTYFEbH5+NQOl1To5jppEa8RCK1HAkRNfhdUGLg= github.com/redpanda-data/redpanda/src/go/rpk v0.0.0-20250716004441-6e1647296ad6/go.mod h1:/8XZuwUVFOGUkn31kglW28Xie5TrM7COtzRMA3GixaA= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 
@@ -521,12 +561,18 @@ github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8O github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4= github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso= github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= +github.com/twmb/franz-go v1.7.0/go.mod h1:PMze0jNfNghhih2XHbkmTFykbMF5sJqmNJB31DOOzro= github.com/twmb/franz-go v1.19.5 h1:W7+o8D0RsQsedqib71OVlLeZ0zI6CbFra7yTYhZTs5Y= github.com/twmb/franz-go v1.19.5/go.mod h1:4kFJ5tmbbl7asgwAGVuyG1ZMx0NNpYk7EqflvWfPCpM= github.com/twmb/franz-go/pkg/kadm v1.16.0 h1:STMs1t5lYR5mR974PSiwNzE5TvsosByTp+rKXLOhAjE= github.com/twmb/franz-go/pkg/kadm v1.16.0/go.mod h1:MUdcUtnf9ph4SFBLLA/XxE29rvLhWYLM9Ygb8dfSCvw= +github.com/twmb/franz-go/pkg/kmsg v1.2.0/go.mod h1:SxG/xJKhgPu25SamAq0rrucfp7lbzCpEXOC+vH/ELrY= github.com/twmb/franz-go/pkg/kmsg v1.11.2 h1:hIw75FpwcAjgeyfIGFqivAvwC5uNIOWRGvQgZhH4mhg= github.com/twmb/franz-go/pkg/kmsg v1.11.2/go.mod h1:CFfkkLysDNmukPYhGzuUcDtf46gQSqCZHMW1T4Z+wDE= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 h1:alKdbddkPw3rDh+AwmUEwh6HNYgTvDSFIe/GWYRR9RM= +github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0/go.mod h1:k8BoBjyUbFj34f0rRbn+Ky12sZFAPbmShrg0karAIMo= +github.com/twmb/franz-go/pkg/sr v1.5.0 h1:KQH8veHxKyAjT4U4/rziJnSEfafuluznLoxhrp0yJfo= +github.com/twmb/franz-go/pkg/sr v1.5.0/go.mod h1:O4o4mUMNfmyEt2HcuM+qZdc6KrcStvjgxWR6Cfvmukw= github.com/twmb/tlscfg v1.2.1 h1:IU2efmP9utQEIV2fufpZjPq7xgcZK4qu25viD51BB44= github.com/twmb/tlscfg v1.2.1/go.mod h1:GameEQddljI+8Es373JfQEBvtI4dCTLKWGJbqT2kErs= github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo= 
@@ -606,6 +652,9 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= 
@@ -617,10 +666,16 @@ golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM= +golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= 
@@ -638,23 +693,29 @@ golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg= golang.org/x/term v0.33.0/go.mod 
h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= diff --git a/pkg/ir/staticconfig.go b/pkg/ir/staticconfig.go index afaab2a33..2731d4f97 100644 --- a/pkg/ir/staticconfig.go +++ b/pkg/ir/staticconfig.go @@ -14,12 +14,25 @@ import ( "crypto/tls" "crypto/x509" "encoding/pem" - "errors" - "fmt" + "github.com/cockroachdb/errors" + krbclient "github.com/jcmturner/gokrb5/v8/client" + krbconfig "github.com/jcmturner/gokrb5/v8/config" + "github.com/jcmturner/gokrb5/v8/keytab" + "github.com/redpanda-data/console/backend/pkg/config" + "github.com/twmb/franz-go/pkg/kgo" + "github.com/twmb/franz-go/pkg/sasl" + "github.com/twmb/franz-go/pkg/sasl/aws" + "github.com/twmb/franz-go/pkg/sasl/kerberos" + "github.com/twmb/franz-go/pkg/sasl/oauth" + "github.com/twmb/franz-go/pkg/sasl/plain" + "github.com/twmb/franz-go/pkg/sasl/scram" + "github.com/twmb/franz-go/pkg/sr" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/redpanda-data/redpanda-operator/pkg/secrets" ) // KafkaAPISpec configures client configuration settings for connecting to Redpanda brokers. 
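Review bot: In the hunks visible here, the new import `github.com/redpanda-data/console/backend/pkg/config` is used only for the `config.SASLMechanism*` constants in `KafkaSASL.AsOption`. It ties the operator to a pseudo-versioned console backend module; the go.sum hunks above add that module together with several others, some of which are presumably its transitive dependencies. This file already declares `type SASLMechanism string`, so the mechanism names could be declared locally as typed constants with the same string values, which keeps the set of modules that needs vulnerability tracking smaller. If the console package is needed for other reasons, a comment next to the import such as `// imported for the shared SASL mechanism names` would help the next dependency review.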
@@ -40,19 +53,19 @@ type KafkaAPIConfiguration struct { SASL *AuthUser } -func (k *KafkaAPISpec) Load(ctx context.Context, client client.Reader) (*KafkaAPIConfiguration, error) { +func (k *KafkaAPISpec) Load(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (*KafkaAPIConfiguration, error) { config := &KafkaAPIConfiguration{ Brokers: k.Brokers, } if k.TLS != nil { - tls, err := k.TLS.Load(ctx, client) + tls, err := k.TLS.Load(ctx, client, expander) if err != nil { return nil, err } config.TLS = tls } if k.SASL != nil { - sasl, err := k.SASL.Load(ctx, client) + sasl, err := k.SASL.Load(ctx, client, expander) if err != nil { return nil, err } @@ -68,7 +81,7 @@ type KafkaSASL struct { Username string `json:"username,omitempty"` // Specifies the password. // +optional - Password *SecretKeyRef `json:"passwordSecretRef,omitempty"` + Password *ValueSource `json:"passwordSecretRef,omitempty"` // Specifies the SASL/SCRAM authentication mechanism. Mechanism SASLMechanism `json:"mechanism"` // +optional 
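Review bot: In `KafkaAPISpec.Load` the locals `config` and `sasl` now shadow the packages `config` and `sasl` that this commit imports at the top of the file, so neither package can be referenced inside the function and a reader has to work out which meaning applies. Renaming them avoids that, for example `cfg := &KafkaAPIConfiguration{` and `auth, err := k.SASL.Load(ctx, client, expander)`. The exported method also has no doc comment; `// Load resolves the TLS and SASL settings of k into a KafkaAPIConfiguration; expander is used for external secret references.` would cover the new parameter. The function body continues outside the hunk, so the rename has to be carried through the lines not shown.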
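Review bot: `KafkaSASL.Password` (the `@@ -68,7 +81,7 @@` hunk) keeps the JSON name `passwordSecretRef` although its type is now `*ValueSource`. That type also accepts an inline value, a ConfigMap key or an external secret, and its fields differ from the removed `SecretKeyRef`: `name` and `key` are no longer top-level. `AdminAuth.Password` further down does the same, while `SchemaRegistrySASL` and `KafkaSASLGSSAPI` rename theirs to `password`. If anything still serialises the old shape under this key, it would presumably decode to an empty `ValueSource` and fail only when `Load` is called. Either rename the tag to `password` for consistency or add a comment such as `// JSON name kept for compatibility; the value is a ValueSource, not a SecretKeyRef.`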
@@ -79,14 +92,130 @@ type KafkaSASL struct { AWSMskIam *KafkaSASLAWSMskIam `json:"awsMskIam,omitempty"` } +func (k *KafkaSASL) AsOption(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (kgo.Opt, error) { + switch k.Mechanism { + // SASL Plain + case config.SASLMechanismPlain: + p, err := k.Password.Load(ctx, client, expander) + if err != nil { + return nil, err + } + + return kgo.SASL(plain.Auth{ + User: k.Username, + Pass: p, + }.AsMechanism()), nil + + // SASL SCRAM + case config.SASLMechanismScramSHA256, config.SASLMechanismScramSHA512: + p, err := k.Password.Load(ctx, client, expander) + if err != nil { + return nil, err + } + + var mechanism sasl.Mechanism + scramAuth := scram.Auth{ + User: k.Username, + Pass: p, + } + + if k.Mechanism == config.SASLMechanismScramSHA256 { + mechanism = scramAuth.AsSha256Mechanism() + } + + if k.Mechanism == config.SASLMechanismScramSHA512 { + mechanism = scramAuth.AsSha512Mechanism() + } + + return kgo.SASL(mechanism), nil + + // OAuth Bearer + case config.SASLMechanismOAuthBearer: + t, err := k.OAUth.Token.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch token: %w", err) + } + + return kgo.SASL(oauth.Auth{ + Token: t, + }.AsMechanism()), nil + + // Kerberos + case config.SASLMechanismGSSAPI: + var krbClient *krbclient.Client + + kerbCfg, err := krbconfig.Load(k.GSSAPIConfig.KerberosConfigPath) + if err != nil { + return nil, errors.Newf("creating kerberos config from specified config (%s) filepath: %w", k.GSSAPIConfig.KerberosConfigPath, err) + } + + switch k.GSSAPIConfig.AuthType { + case "USER_AUTH": + p, err := k.GSSAPIConfig.Password.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch sasl gssapi password: %w", err) + } + + krbClient = krbclient.NewWithPassword( + k.GSSAPIConfig.Username, + k.GSSAPIConfig.Realm, + p, + kerbCfg, + krbclient.DisablePAFXFAST(!k.GSSAPIConfig.EnableFast), + ) + + case "KEYTAB_AUTH": + ktb, 
err := keytab.Load(k.GSSAPIConfig.KeyTabPath) + if err != nil { + return nil, errors.Newf("loading keytab from (%s) key tab path: %w", k.GSSAPIConfig.KeyTabPath, err) + } + + krbClient = krbclient.NewWithKeytab( + k.GSSAPIConfig.Username, + k.GSSAPIConfig.Realm, + ktb, + kerbCfg, + krbclient.DisablePAFXFAST(!k.GSSAPIConfig.EnableFast), + ) + } + + return kgo.SASL(kerberos.Auth{ + Client: krbClient, + Service: k.GSSAPIConfig.ServiceName, + PersistAfterAuth: true, + }.AsMechanism()), nil + + // AWS MSK IAM + case config.SASLMechanismAWSManagedStreamingIAM: + key, err := k.AWSMskIam.SecretKey.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch aws msk secret key: %w", err) + } + + t, err := k.AWSMskIam.SessionToken.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch aws msk secret key: %w", err) + } + + return kgo.SASL(aws.Auth{ + AccessKey: k.AWSMskIam.AccessKey, + SecretKey: key, + SessionToken: t, + UserAgent: k.AWSMskIam.UserAgent, + }.AsManagedStreamingIAMMechanism()), nil + } + + return nil, errors.Newf("unsupported sasl mechanism: %s", k.Mechanism) +} + type AuthUser struct { Username string Password string Mechanism string } -func (k *KafkaSASL) Load(ctx context.Context, client client.Reader) (*AuthUser, error) { - password, err := loadSecret(ctx, client, k.Password.Name, k.Password.Namespace, k.Password.Key) +func (k *KafkaSASL) Load(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (*AuthUser, error) { + password, err := k.Password.Load(ctx, client, expander) if err != nil { return nil, err } @@ -102,7 +231,7 @@ type SASLMechanism string // KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism type KafkaSASLOAuthBearer struct { - Token SecretKeyRef `json:"tokenSecretRef"` + Token *ValueSource `json:"token"` } // KafkaSASLGSSAPI represents the Kafka Kerberos config. 
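Review bot: In `KafkaSASL.AsOption` the inner `switch k.GSSAPIConfig.AuthType` has no `default`, so any value other than `USER_AUTH` or `KEYTAB_AUTH` leaves `krbClient` nil and the function still returns a Kerberos mechanism built around it instead of an error. The AWS MSK IAM case loads `SessionToken` unconditionally although its field comment describes it as optional. A nil `*ValueSource` there is dereferenced, as is a nil `k.AWSMskIam`, which is an `omitempty` pointer, and the session-token error repeats the secret-key message. `k.OAUth` and `k.GSSAPIConfig` are used the same way; if they are optional pointers too (their declarations are outside this hunk) they want the same guard. The sketch below rejects unknown auth types and treats the session token as optional.

```go
		// … unchanged: krbconfig.Load, case "USER_AUTH" and case "KEYTAB_AUTH" …
		default:
			return nil, errors.Newf("unsupported gssapi auth type: %s", k.GSSAPIConfig.AuthType)

	// AWS MSK IAM
	case config.SASLMechanismAWSManagedStreamingIAM:
		if k.AWSMskIam == nil {
			return nil, errors.New("aws msk iam mechanism selected but awsMskIam is not set")
		}

		// … unchanged: key, err := k.AWSMskIam.SecretKey.Load(...) and its error check …

		// The session token is optional; only resolve it when a source is given.
		var sessionToken string
		if k.AWSMskIam.SessionToken != nil {
			sessionToken, err = k.AWSMskIam.SessionToken.Load(ctx, client, expander)
			if err != nil {
				return nil, errors.Newf("unable to fetch aws msk session token: %w", err)
			}
		}

		// … unchanged: kgo.SASL(aws.Auth{...}) with SessionToken: sessionToken …
```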
@@ -112,7 +241,7 @@ type KafkaSASLGSSAPI struct { KerberosConfigPath string `json:"kerberosConfigPath"` ServiceName string `json:"serviceName"` Username string `json:"username"` - Password SecretKeyRef `json:"passwordSecretRef"` + Password *ValueSource `json:"password"` Realm string `json:"realm"` // EnableFAST enables FAST, which is a pre-authentication framework for Kerberos. @@ -125,11 +254,11 @@ type KafkaSASLGSSAPI struct { // see: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html type KafkaSASLAWSMskIam struct { AccessKey string `json:"accessKey"` - SecretKey SecretKeyRef `json:"secretKeySecretRef"` + SecretKey *ValueSource `json:"secretKey"` // SessionToken, if non-empty, is a session / security token to use for authentication. // See: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html - SessionToken SecretKeyRef `json:"sessionTokenSecretRef"` + SessionToken *ValueSource `json:"sessionToken"` // UserAgent is the user agent to for the client to use when connecting // to Kafka, overriding the default "franz-go//". 
@@ -143,19 +272,60 @@ type KafkaSASLAWSMskIam struct { // CommonTLS specifies TLS configuration settings for Redpanda clusters that have authentication enabled. type CommonTLS struct { // CaCert is the reference for certificate authority used to establish TLS connection to Redpanda - CaCert *ObjectKeyRef `json:"caCertSecretRef,omitempty"` + CaCert *ValueSource `json:"caCert,omitempty"` // Cert is the reference for client public certificate to establish mTLS connection to Redpanda - Cert *SecretKeyRef `json:"certSecretRef,omitempty"` + Cert *ValueSource `json:"cert,omitempty"` // Key is the reference for client private certificate to establish mTLS connection to Redpanda - Key *SecretKeyRef `json:"keySecretRef,omitempty"` + Key *ValueSource `json:"key,omitempty"` // InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda // +optional - InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"` + InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify,omitempty"` +} + +type ValueSource struct { + // Namespace of where the value comes from used in resolving kubernetes objects. + Namespace string `json:"namespace,omitempty"` + // Inline is the raw value specified inline. + Inline *string `json:"inline,omitempty"` + // If the value is supplied by a kubernetes object reference, coordinates are embedded here. + // For target values, the string value fetched from the source will be treated as + // a raw string. + ConfigMapKeyRef *corev1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"` + // Should the value be contained in a k8s secret rather than configmap, we can refer + // to it here. + SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"` + // If the value is supplied by an external source, coordinates are embedded here. 
+ // Note: we interpret all fetched external secrets as raw string values + ExternalSecretRefSelector *ExternalSecretKeySelector `json:"externalSecretRef,omitempty"` +} + +func (v *ValueSource) Load(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (string, error) { + if v.Inline != nil { + return *v.Inline, nil + } + if v.ConfigMapKeyRef != nil { + return loadConfigMap(ctx, client, v.ConfigMapKeyRef.Name, v.Namespace, v.ConfigMapKeyRef.Key) + } + if v.SecretKeyRef != nil { + return loadSecret(ctx, client, v.SecretKeyRef.Name, v.Namespace, v.SecretKeyRef.Key) + } + if v.ExternalSecretRefSelector != nil { + if expander == nil { + return "", errors.New("attempted to expand an external secret without enabling external secrets in the operator") + } + return expander.Expand(ctx, v.ExternalSecretRefSelector.Name) + } + return "", errors.New("called Load on an unset ValueSource") +} + +// ExternalSecretKeySelector selects a key of an external Secret. +type ExternalSecretKeySelector struct { + Name string `json:"name"` } // Config returns the materialized tls.Config for the CommonTLS object -func (c *CommonTLS) Config(ctx context.Context, client client.Reader) (*tls.Config, error) { - config, err := c.Load(ctx, client) +func (c *CommonTLS) Config(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (*tls.Config, error) { + config, err := c.Load(ctx, client, expander) if err != nil { return nil, err } @@ -191,7 +361,7 @@ func (c *CommonTLS) Config(ctx context.Context, client client.Reader) (*tls.Conf tlsCert, err := tls.X509KeyPair(certData, keyData) if err != nil { - return nil, fmt.Errorf("cannot parse pem: %w", err) + return nil, errors.Newf("cannot parse pem: %w", err) } certificates = []tls.Certificate{tlsCert} } 
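Review bot: `ValueSource.Load` has a pointer receiver and reads `v.Inline` first, so calling it on a nil `*ValueSource` panics. Several fields of this type are optional (`KafkaSASL.Password`, `KafkaSASLAWSMskIam.SessionToken`), and `KafkaSASL.AsOption` and `KafkaSASL.Load` call `Load` on them without a nil check. A guard at the top, `if v == nil { return "", errors.New("called Load on an unset ValueSource") }`, turns that into the error the function already returns for an empty value. The type comment should also state the precedence when several sources are set: inline, then ConfigMap, then Secret, then external. It should also say that `Inline` is carried as plain text wherever this struct is serialised, for example `// Inline is stored as plain text in the object; prefer secretKeyRef or externalSecretRef for passwords and private keys.`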
@@ -204,38 +374,19 @@ func (c *CommonTLS) Config(ctx context.Context, client client.Reader) (*tls.Conf } // Load returns the materialized TLSConfig for the CommonTLS object -func (c *CommonTLS) Load(ctx context.Context, client client.Reader) (*TLSConfig, error) { +func (c *CommonTLS) Load(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (*TLSConfig, error) { tls := &TLSConfig{} if c.CaCert != nil { - key := "ca.crt" - if c.CaCert.ConfigMapKeyRef != nil { - if c.CaCert.ConfigMapKeyRef.Key != "" { - key = c.CaCert.ConfigMapKeyRef.Key - } - ca, err := loadConfigMap(ctx, client, c.CaCert.ConfigMapKeyRef.Name, c.CaCert.Namespace, key) - if err != nil { - return nil, err - } - tls.CA = ca - } else if c.CaCert.SecretKeyRef != nil { - if c.CaCert.SecretKeyRef.Key != "" { - key = c.CaCert.SecretKeyRef.Key - } - ca, err := loadSecret(ctx, client, c.CaCert.SecretKeyRef.Name, c.CaCert.Namespace, key) - if err != nil { - return nil, err - } - tls.CA = ca + cert, err := c.CaCert.Load(ctx, client, expander) + if err != nil { + return nil, err } + tls.CA = cert } if c.Cert != nil { - key := "tls.crt" - if c.Cert.Key != "" { - key = c.Cert.Key - } - cert, err := loadSecret(ctx, client, c.Cert.Name, c.Cert.Namespace, key) + cert, err := c.Cert.Load(ctx, client, expander) if err != nil { return nil, err } @@ -243,11 +394,7 @@ func (c *CommonTLS) Load(ctx context.Context, client client.Reader) (*TLSConfig, } if c.Key != nil { - key := "tls.key" - if c.Key.Key != "" { - key = c.Key.Key - } - key, err := loadSecret(ctx, client, c.Key.Name, c.Key.Namespace, key) + key, err := c.Key.Load(ctx, client, expander) if err != nil { return nil, err } 
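Review bot: The removed code fell back to the keys `ca.crt`, `tls.crt` and `tls.key` when a reference left its key empty. The new `CaCert`, `Cert` and `Key` branches (this hunk and the following `@@ -243,11 +394,7 @@` hunk) pass the selector's key through `ValueSource.Load` unchanged, so an empty key now ends in a key-not-found error instead of resolving the conventional TLS secret entry. If that defaulting has not moved to the layer that builds the `ValueSource` (not visible here), references that relied on it stop resolving. Either restore the default before calling `Load`, or record the change on `CommonTLS.Load`, for example `// Load does not default key names; every reference must name its key explicitly.`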
@@ -257,26 +404,6 @@ func (c *CommonTLS) Load(ctx context.Context, client client.Reader) (*TLSConfig, return tls, nil } -type ObjectKeyRef struct { - Namespace string `json:"namespace,omitempty"` - ConfigMapKeyRef *corev1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"` - SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"` -} - -// SecretKeyRef contains enough information to inspect or modify the referred Secret data -// See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference. -type SecretKeyRef struct { - Namespace string `json:"namespace,omitempty"` - - // Name of the referent. - // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - Name string `json:"name"` - - // +optional - // Key in Secret data to get value from - Key string `json:"key,omitempty"` -} - // AdminAPISpec defines client configuration for connecting to Redpanda's admin API. type AdminAPISpec struct { // Specifies a list of broker addresses in the format : 
@@ -296,7 +423,36 @@ type AdminAuth struct { Username string `json:"username,omitempty"` // Specifies the password. // +optional - Password SecretKeyRef `json:"passwordSecretRef,omitempty"` + Password *ValueSource `json:"passwordSecretRef,omitempty"` + // Specifies an auth token. + // +optional + AuthToken *ValueSource `json:"token,omitempty"` +} + +// TODO: Move this to an AsOption method? +func (a *AdminAuth) AsCredentials(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (username, password, token string, err error) { + if a == nil { + return "", "", "", nil + } + + if a.Password != nil { + p, err := a.Password.Load(ctx, client, expander) + if err != nil { + return "", "", "", errors.Newf("unable to fetch sasl password: %w", err) + } + + return a.Username, p, "", nil + } + + if a.AuthToken != nil { + token, err := a.AuthToken.Load(ctx, client, expander) + if err != nil { + return "", "", "", errors.Newf("unable to fetch sasl token: %w", err) + } + return "", "", token, nil + } + + return "", "", "", errors.New("unsupported SASL mechanism, either password or auth token must be specified") } // SchemaRegistrySpec defines client configuration for connecting to Redpanda's admin API. 
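Review bot: `AdminAuth.AsCredentials` declares the named results `username, password, token, err` and then redeclares `p, err :=` and `token, err :=` inside the `if` blocks, shadowing them; it works only because every return lists its values explicitly. A differently named local avoids that, e.g. `t, err := a.AuthToken.Load(ctx, client, expander)`. The error strings say "sasl password", "sasl token" and "unsupported SASL mechanism" although this is admin API authentication, and when both `Password` and `AuthToken` are set the password is chosen silently. A doc comment would record the contract: `// AsCredentials resolves the admin API credentials; Password takes precedence over AuthToken, and a nil receiver yields empty values and no error.`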
@@ -318,9 +474,34 @@ type SchemaRegistrySASL struct { Username string `json:"username,omitempty"` // Specifies the password. // +optional - Password SecretKeyRef `json:"passwordSecretRef,omitempty"` + Password *ValueSource `json:"password,omitempty"` // +optional - AuthToken SecretKeyRef `json:"token,omitempty"` + AuthToken *ValueSource `json:"token,omitempty"` +} + +func (s *SchemaRegistrySASL) AsOption(ctx context.Context, client client.Reader, expander *secrets.CloudExpander) (sr.ClientOpt, error) { + if s == nil { + return nil, nil + } + + if s.Password != nil { + p, err := s.Password.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch sasl password: %w", err) + } + + return sr.BasicAuth(s.Username, p), nil + } + + if s.AuthToken != nil { + token, err := s.AuthToken.Load(ctx, client, expander) + if err != nil { + return nil, errors.Newf("unable to fetch sasl token: %w", err) + } + return sr.BearerToken(token), nil + } + + return nil, errors.New("could not determine SASL mechanism") } // ClusterRef represents a reference to a cluster that is being targeted. @@ -371,12 +552,12 @@ type TLSConfig struct { func loadConfigMap(ctx context.Context, client client.Reader, name, namespace, key string) (string, error) { config := &corev1.ConfigMap{} if err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, config); err != nil { - return "", fmt.Errorf("getting ConfigMap %s/%s: %w", namespace, name, err) + return "", errors.Newf("getting ConfigMap %s/%s: %w", namespace, name, err) } value, ok := config.Data[key] if !ok { - return "", fmt.Errorf("getting value from ConfigMap %s/%s: key %s not found", namespace, name, key) //nolint:goerr113 // no need to declare new error type + return "", errors.Newf("getting value from ConfigMap %s/%s: key %s not found", namespace, name, key) //nolint:goerr113 // no need to declare new error type } return value, nil } 
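Review bot: `SchemaRegistrySASL.AsOption` returns `nil, nil` for a nil receiver, so a caller that appends the result to its option list without checking would hand a nil `sr.ClientOpt` to the client constructor. The callers are outside this hunk, so confirm each one skips a nil option. The method is exported without a doc comment; `// AsOption returns the schema registry auth option, preferring Password over AuthToken; it returns (nil, nil) when s is nil and callers must skip a nil option.` would make the contract explicit. As in `AdminAuth.AsCredentials`, setting both `Password` and `AuthToken` silently selects basic auth.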
@@ -384,12 +565,12 @@ func loadConfigMap(ctx context.Context, client client.Reader, name, namespace, k func loadSecret(ctx context.Context, client client.Reader, name, namespace, key string) (string, error) { secret := &corev1.Secret{} if err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, secret); err != nil { - return "", fmt.Errorf("getting Secret %s/%s: %w", namespace, name, err) + return "", errors.Newf("getting Secret %s/%s: %w", namespace, name, err) } value, ok := secret.Data[key] if !ok { - return "", fmt.Errorf("getting value from Secret %s/%s: key %s not found", namespace, name, key) //nolint:goerr113 // no need to declare new error type + return "", errors.Newf("getting value from Secret %s/%s: key %s not found", namespace, name, key) //nolint:goerr113 // no need to declare new error type } return string(value), nil }