redpanda-data · birdayz · Feb 4, 2025 · Feb 25, 2025 · Jan 31, 2025 · Jan 31, 2025
@@ -31,21 +31,30 @@ steps:
     agents:
       queue: pipeline-uploader
     # Run for:
-    # - all pull requests that aren't from forks.
+    # - all pull requests that aren't from forks
     # - nightly test schedule
+    # - changes to main or release/* branches (webhooks are from github)
     if: |
-      (build.pull_request.id != null && !build.pull_request.repository.fork) || (build.source == "schedule" && build.env("K8S_NIGHTLY") == "1")
+      (build.pull_request.id != null && !build.pull_request.repository.fork) ||
+      (build.source == "schedule" && build.env("K8S_NIGHTLY") == "1") ||
+      ((build.branch == "main" || build.branch =~ /^release\//) && build.source == "webhook")
     command: buildkite-agent pipeline upload .buildkite/testsuite.yml
 
+    # NOTE: This build IS NOT dependent on tests passing due to their current flakey state.
+    # It's recommended to check that tests have passed for the given commit before using it.
   - key: release-nightly
-    label: ":gandalf: Nightly Operator release"
+    label: ":gandalf: Nightly Releases"
     timeout_in_minutes: 10
     agents:
       queue: v6-amd64-builders-m6id
     commands:
       - |
-        TAG_NAME=$(ci/scripts/tag-check.sh) ./ci/scripts/run-in-nix-docker.sh task ci:configure ci:publish-k8s-nightly-artifacts
-    if: build.branch == "main" && build.source == "schedule" && build.env("NIGHTLY_RELEASE") == "true"
+        ./ci/scripts/run-in-nix-docker.sh task ci:configure ci:publish-nightly-artifacts
+    # Build nightly releases whenever NIGHTLY_RELEASE is set and it's triggered
+    # from a schedule or the BK UI. Notably, we permit building nightlies from
+    # any branch as the version stamps contain enough information to easily
+    # track down the source.
+    if: build.env("NIGHTLY_RELEASE") == "true" && (build.source == "schedule" || build.source == "ui")
     plugins:
       - seek-oss/aws-sm#v2.3.2: &aws-sm-plugin
           json-to-env:
@@ -58,24 +67,28 @@ steps:
             - secret-id: sdlc/prod/buildkite/redpanda_second_sample_license
             - secret-id: sdlc/prod/buildkite/slack_vbot_token
       - https://$GITHUB_API_TOKEN@github.com/redpanda-data/step-slack-notify-buildkite-plugin.git#main:
-          message: "Nightly release failed"
+          message: "Nightly releases failed"
           channel_name: "kubernetes-tests"
           slack_token_env_var_name: "SLACK_VBOT_TOKEN"
           conditions:
             failed: true
-            branches:
-              - main
 
-  # Legacy pipeline that appears to be responsible for minting releases,
-  # provided that kuttl-v1 tests pass.
-  # TODO: Scope this to just producing releases, both nightly and on tag.
-  - key: k8s-operator
-    label: Operator v1 E2E tests or release
+    # NOTE: This build IS NOT dependent on tests passing due to their current flakey state.
+    # Manually verify that the test suite has successfully run on the RC before tagging.
+  - key: operator-release
+    label: Operator Release
     timeout_in_minutes: 180
-    if: build.env("NIGHTLY_RELEASE") != "true" && build.pull_request.id == null
-    commands:
-      - |
-        TAG_NAME=$(ci/scripts/tag-check.sh) ./ci/scripts/run-in-nix-docker.sh task ci:configure ci:k8s
+    if: |
+      // Only run if:
+      // 1. There's a tag and it's of the form 'v*' or 'operator/v*'
+      // 2. Source branch is main or release/*
+      // 3. NIGHTLY_RELEASE envvar isn't set (paranoid check)
+      // 4. This isn't a pull request (paranoid check)
+      (build.tag =~ /^v/ || build.tag =~ /^operator\/v/) &&
+      (build.branch == "main" || build.branch =~ /^release\//) &&
+      build.pull_request.id == null &&
+      build.env("NIGHTLY_RELEASE") != "true"
+    command: ./ci/scripts/run-in-nix-docker.sh task ci:configure ci:publish-operator-image
     agents:
       queue: v6-amd64-builders-m6id
     plugins:
@@ -100,10 +113,8 @@ steps:
             - secret-id: sdlc/prod/buildkite/teleport_bot_token
             - secret-id: sdlc/prod/buildkite/test_result_dsn
       - https://$GITHUB_API_TOKEN@github.com/redpanda-data/step-slack-notify-buildkite-plugin.git#main:
-          message: ":cloud: K8s Operator v1 e2e tests Jobs failed"
+          message: ":cloud: Operator Release Job Failed"
           channel_name: "kubernetes-tests"
           slack_token_env_var_name: "SLACK_VBOT_TOKEN"
           conditions:
             failed: true
-            branches:
-              - main
@@ -217,7 +217,7 @@ steps:
           failed: true
         message: ':cloud: Kuttl-V1-Nodepools Tests Job Failed'
         slack_token_env_var_name: SLACK_VBOT_TOKEN
-    soft_fail: true
+    soft_fail: false
     timeout_in_minutes: 30
   - continue_on_failure: true
     wait: null

@@ -0,0 +1,10 @@
+project: charts/operator
+kind: Removed
+body: |
+    `gcr.io/kubebuilder/kube-rbac-proxy` container is deprecated and has been removed from the Redpanda
+    operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.
+
+    Any existing prometheus rules don't need to be adjusted.
+
+    For more details see: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
+time: 2025-02-26T18:20:37.65853+01:00
@@ -0,0 +1,14 @@
+project: charts/redpanda
+kind: Changed
+body: |-
+    `clusterDomain` now defaults to `cluster.local.` (A trialing `.` has been added) and the chart no longer adds trailing `.`'s to internal domains.
+
+      For users not experiencing issues with trailing `.`'s this change has no
+      effect. For users that have had issues with trailing `.`'s, it's now possible
+      to opt-out of this behavior by explicitly setting `clusterDomain` to `cluster.local`.
+
+      For users that override `clusterDomain`, copied a previous releases
+      values.yaml, or use the `--reuse-values` flag, trailing `.`'s will be tripped
+      from domains upon updating. This behavior may be opted into by appending a
+      `.` to `clusterDomain` prior to upgrading.
+time: 2025-02-26T13:59:13.035962-05:00
@@ -0,0 +1,4 @@
+project: operator
+kind: Changed
+body: Bumped the internal chart version to v5.9.20.
+time: 2025-02-07T15:56:51.723249-05:00
@@ -0,0 +1,7 @@
+project: operator
+kind: Fixed
+body: |-
+    Toggling `useFlux`, in either direction, no longer causes the bootstrap user's password to be regenerated.
+
+      Manual mitigation steps are available [here](https://github.com/redpanda-data/helm-charts/issues/1596#issuecomment-2628356953).
+time: 2025-02-07T16:01:09.025536-05:00
@@ -0,0 +1,10 @@
+project: operator
+kind: Removed
+body: |
+    `gcr.io/kubebuilder/kube-rbac-proxy` container is deprecated and has been removed from the Redpanda
+    operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.
+
+    Any existing prometheus rules don't need to be adjusted.
+
+    For more details see: https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
+time: 2025-02-26T18:20:37.658528+01:00
@@ -4,23 +4,31 @@ linters:
 
   enable:
   - errcheck
+  - gci
+  - gocritic
   - gofumpt
-  - goimports
   - gosec
   - gosimple
   - govet
   - importas
   - ineffassign
   - misspell
-  - gocritic
   - staticcheck
   - stylecheck
   - unparam
   - unused
 
 linters-settings:
-  goimports:
-    local-prefixes: github.com/redpanda-data/redpanda-operator,github.com/redpanda-data/helm-charts
+  gci:
+    sections:
+    - standard
+    - default
+    - prefix(github.com/redpanda-data/redpanda-operator)
+
+    custom-order: true
+    skip-generated: true
+    no-inline-comments: false
+    no-prefix-comments: false
 
   gosec:
     excludes:
@@ -30,11 +38,24 @@ linters-settings:
       G306: "0644" # Maximum allowed os.WriteFile Permissions
 
   importas:
+    # Disallow not using aliases for all matches of the below alias list.
+    no-unaliased: true
+    # Enforce standard import aliases for k8s type packages of (group)(version)
     alias:
     - pkg: k8s.io/api/(\w+)/(v\d)
       alias: $1$2
     - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
       alias: metav1
+    - pkg: k8s.io/client-go/applyconfigurations/(\w+)/(v\w+)
+      alias: apply$1$2
+    - pkg: github.com/redpanda-data/redpanda-operator/operator/api/(\w+)/(v\w+)
+      alias: $1$2
+    - pkg: github.com/cert-manager/cert-manager/pkg/apis/meta/v1
+      alias: cmmetav1
+    - pkg: github.com/cert-manager/cert-manager/pkg/apis/certmanager/(v\w+)
+      alias: certmanager$1
+    - pkg: github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/(v\w+)
+      alias: monitoring$1
 
   gocritic:
     disable-all: true

@@ -20,13 +20,33 @@ vars:
     sh: shopt -s globstar; dirname $(ls **/go.mod | grep -o '^[^s].*')
   PKG: './...'
   MOD: '{{default ._MOD .MOD}}'
+  TIMESTAMP: # Timestamp used for any build artifacts.
+    # MacOS' man page isn't helpful. https://man7.org/linux/man-pages/man1/date.1.html
+    # Roughly ISO 8601
+    sh: date -u '+%Y-%m-%dT%T:%SZ'
+  COMMIT: # The commit to bake into any build artifacts.
+    sh: git rev-parse HEAD
+  # Version stamps for baking into build artifacts and use as tags.
+  # `git describe --dirty` can generate 1 of 4 outputs:
+  # 1. v0.0.0 - HEAD is tagged as v0.0.0 and no changes are in the index.
+  # 2. v0.0.0-dirty - HEAD is tagged as v0.0.0 and there are changes in the index.
+  # 3. v0.0.0-<N>-g<commit> - HEAD is at <commit> which is N commits away from v0.0.0; no changes in index.
+  # 4. v0.0.0-<N>-g<commit>-dirty - HEAD is at <commit> which is N commits away from v0.0.0; changes in index.
+  # `--tags` is required to match tags with `/`'s in them which we have due to go modules' tagging conventions.
+  # `--match` is used to target tags that apply to a specific module.
+  # `--always` is a fallback to print out the commit if no tag is found.
+  # `sed` is used to trim off the qualifying parts of the tag so we just get the "version".
+  OPERATOR_VERSION:
+    sh: git describe --dirty --tags --match 'v*' --match 'operator/v*' | sed 's#^operator/##'
+  OPERATOR_CHART_VERSION:
+    # NB: OPERATOR_CHART_VERSION is currently only used for the operator chart's nightly releases.
+    sh: git describe --dirty --tags --match 'charts/operator/v*' --always | sed 's#^charts/operator/##'
 
 includes:
   build: taskfiles/build.yml
   charts: taskfiles/charts.yml
   ci: taskfiles/ci.yml
   dev: taskfiles/dev.yml
-  goreleaser: taskfiles/goreleaser.yml
   k8s: taskfiles/k8s.yml
 
 tasks:
@@ -118,17 +138,15 @@ tasks:
 
   build:
     cmds:
-      - task: build:binaries
+      - task: build:operator
 
-  build:binaries:
+  build:image:
+    aliases:
+    - build:images
     cmds:
-      # TODO(chrisseto): Ditch goreleaser in favor of just go build in task
-      # files. We're not using it for anything other than an arch build matrix.
-      - task: goreleaser:build-operator-binaries
-
-  build:images:
-    cmds:
-      - task: k8s:build-operator-images
+      - task: build:operator-image
+        vars:
+          CLI_ARGS: '--load {{.CLI_ARGS}}'
 
   test:unit:
     desc: "Run all unit tests (~5m)"
@@ -154,11 +172,8 @@ tasks:
       GO_TEST_RUNNER: '{{default "go test" .GO_TEST_RUNNER}}'
       CLI_ARGS: '{{.CLI_ARGS}} -tags=acceptance -run "^TestAcceptance" -timeout 20m -v'
     cmds:
-    - task: k8s:build-operator-images
-    - kind delete cluster --name acceptance || true
-    - kind create cluster --name acceptance
-    - defer: kind delete cluster --name acceptance
-    - kind load --name acceptance docker-image localhost/redpanda-operator:dev localhost/configurator:dev
+    - task: build:image
+    - kind load docker-image localhost/redpanda-operator:dev
     - task: test:unit
       vars:
         GO_TEST_RUNNER:

@@ -0,0 +1,26 @@
+Feature: Metrics endpoint has authentication and authorization
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Reject request without TLS
+    Given the operator is running
+    Then its metrics endpoint should reject http request with status code "400"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Reject unauthenticated token
+    Given the operator is running
+    Then its metrics endpoint should reject authorization random token request with status code "500"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Accept request
+    Given the operator is running
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: testing
+    """
+    And "testing" service account has bounded "redpanda-operator-metrics-reader" cluster role
+    Then its metrics endpoint should accept https request with "testing" service account token
+
+