Releases: redpanda-data/redpanda-operator

operator: v25.3.1

12 Dec 17:17
8cbe368

Added

  • ShadowLink CRD for controlling 25.3 shadow link settings. See documentation for details.

Changed

  • Use the kube-system namespace by default for leader election when the operator is running in cluster-scoped mode.

charts/redpanda: v25.3.1

12 Dec 17:24
8cbe368

Changed

  • Bump chart version to install 25.3.x releases by default

operator: v25.2.1

03 Dec 16:02
fc3b163

Added

  • Roles can be declaratively managed using RedpandaRole CRD
  • Add experimental support for node pools. To enable node pool support you must install the experimental NodePool CRDs and run the controller with the --enable-v2-nodepools flag.
  • Added a new Console CRD for managing Redpanda Console deployments. For examples, see acceptance/features/console.feature.
  • Added status.managedPrincipals field to RedpandaRole CRD to track whether the operator is managing role membership. The operator now properly reconciles membership changes when spec.principals is updated, including adding, removing, or clearing all principals.

Changed

  • By default, the operator now reconciles resources (Redpanda, Topic, etc) across all namespaces.

    The --namespace flag may be used to scope the operator's watches to a single namespace.

  • Client certificates are now named $FULLNAME-$CERT-client-cert.

Deprecated

  • The Redpanda console stanza (.spec.clusterSpec.console) is now deprecated in favor of the stand-alone Console CRD.
  • Deprecated various fields in multiple CRDs for kafka, adminAPI, and schemaRegistry under the static configuration of clusterSource, so that fields which were previously only specifiable via an in-cluster secret can now be pulled from an external secret provider, an in-cluster secret, a config map, or an inlined value.
  • The entirety of the spec.clusterSpec.console block in the Redpanda CR is now deprecated and will be removed in the future. Any Redpanda CR that contains one will automatically be migrated to a standalone Console CR with a back reference to the parent Redpanda CR. Note that these will not be automatically deleted when the console stanza is removed or when the parent Redpanda CR is deleted.

Fixed

  • Fix a bug with the way the config-watcher sidecar syncs users. The Kubernetes mechanism for writing out a changed secret involves re-creating a symlink in the secrets directory that points to the mounted secret. Previously the config-watcher only detected changes to the entire directory and could potentially miss syncs; it now resyncs everything any time the symlink is recreated.
  • mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.

charts/redpanda: v25.2.1

03 Dec 16:17
fc3b163

Added

  • Added a chart-wide podTemplate field which may be used to control Pod attributes across the whole chart.

    This field has a lower precedence than statefulset.podTemplate and
    post_install_job.podTemplate but will still be merged with them.

  • podTemplate, statefulset.podTemplate, and post_install_job.podTemplate may now contain template expressions within string fields.

    To compensate for some of the functionality that was lost with the removal of
    fields like extraVolumes, we've upgraded podTemplate fields to support
    templating. Rather than allowing full control over a structured value, we've
    reduced the scope to only string fields. This is significantly more
    maintainable and less error prone.

    As an example, the below snippet will apply the release name as an annotation
    to all Pods created by the chart.

    podTemplate:
      annotations:
        "keys-cannot-be-templated": '{{ .Release.Name }}' # But values can!

    See values.yaml for additional examples.

  • statefulset.initContainers.configurator.additionalCLIArgs is added to the helm values, to enable the init container to construct an external secret evaluator.

    In the v2 operator, this value is defaulted from the operator's settings.

Changed

  • Promoted the config-watcher sidecar into a real Go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally, the new sidecar subsumes the behavior of the statefulset.sideCars.controllers stanza; the individual controllers should now be enabled via their own enabled flags.

  • clusterDomain now defaults to cluster.local. (a trailing . has been added), and the chart no longer adds trailing .'s to internal domains.

    For users not experiencing issues with trailing .'s, this change has no
    effect. For users that have had issues with trailing .'s, it's now possible
    to opt out of this behavior by explicitly setting clusterDomain to
    cluster.local (no trailing .).

    For users that override clusterDomain, copied a previous release's
    values.yaml, or use the --reuse-values flag, trailing .'s will be stripped
    from domains upon updating. This behavior may be opted into by appending a
    . to clusterDomain prior to upgrading.

  • Bump AppVersion to v24.3.6 Redpanda release

  • Bump Redpanda operator side car container tag to v2.3.7-24.3.6.

  • values.schema.json is now "closed" (additionalProperties: false)

    Any unexpected values will result in a validation error; previously they
    would have been ignored.

  • Update Console dependency to latest version with breaking change. Please visit Console change-log.

  • The name of the container running redpanda is now always set to redpanda.

  • bumped appVersion to v25.1.1.

  • serviceAccount.create now defaults to true.

    The previous behavior resulted in using the default service account and
    extending it with all bindings generated from the chart. Such behavior is
    unlikely to be desired.

  • rpk debug bundle --namespace $NAMESPACE now works by default.

    The chart now creates a set of Roles and RoleBindings that satisfy the
    requirements of running rpk debug bundle from any redpanda Pod. These
    permissions may be disabled by specifying rbac.rpkDebugBundle=false.

    Additionally, the redpanda container now always has a Kubernetes
    ServiceAccount token mounted to it to ensure rpk debug bundle can be
    executed successfully.

  • Update Console dependency to latest version v3.1.0. Please visit Console change-log.

  • The generated bootstrap user password secret is now immutable. It was always intended to be a single-time generation, and now that is enforced at the Kubernetes API layer.

  • Cluster configuration syncing now sends the entire config instead of a minimal patch

    Due to numerous divergences in how the operator, redpanda and their
    respective underlying YAML serde libraries handle marshalling data, computing
    a minimal diff has generally resulted in nasty bugs not worth the few bytes
    and CPU cycles we were initially trying to save.

  • The console integration (console.enabled=true) now uses the chart managed bootstrap user rather than the first user from auth.sasl.users.

  • Client certificates are now named $FULLNAME-$CERT-client-cert.

Deprecated

  • .statefulset.sidecars.controllers.image is now deprecated. It may be specified but will not be respected. Use .statefulset.sidecars.image instead.
  • statefulset.sideCars.controllers.createRBAC is deprecated and no longer respected. In most cases, setting this field to false would result in a broken deployment. RBAC may be controlled via rbac.enabled or per controller via statefulset.sideCars.controllers.{pvcUnbinder,brokerDecommissioner}.enabled.
  • statefulset.sideCars.controllers.run has been unused for many releases and is now deprecated. Individual controllers may be enabled/disabled by setting their enabled field: statefulset.sideCars.pvcUnbinder.enabled, statefulset.sideCars.brokerDecommissioner.enabled.

Removed

  • Connectors sub-chart integration.

    The connectors chart may still be deployed separately, though it is not
    officially supported. If possible, it is recommended to migrate to redpanda
    connect.

  • Removed the deprecated fields license_key and license_secret_ref in favor
    of enterprise.license and enterprise.licenseSecretRef, respectively.

  • statefulset.securityContext, statefulset.sideCars.configWatcher.securityContext have been removed.

    These fields previously served as both PodSecurityContext and SecurityContext
    across the entire chart, which led to confusing semantics that couldn't be
    fixed without breaking backwards compatibility.

    The top level podTemplate field may be used to control
    PodSecurityContexts and SecurityContexts across the chart.

  • Fields that would be better served through podTemplate have been removed in favor of using podTemplate.

    Removed fields:

    • nodeSelector -> podTemplate.spec.nodeSelector
    • affinity -> podTemplate.spec.affinity
    • tolerations -> podTemplate.spec.tolerations
    • imagePullSecrets -> podTemplate.spec.imagePullSecrets
    • statefulset.annotations -> statefulset.podTemplate.annotations
    • statefulset.startupProbe -> statefulset.podTemplate.spec.containers[0].startupProbe
    • statefulset.livenessProbe -> statefulset.podTemplate.spec.containers[0].livenessProbe
    • statefulset.readinessProbe -> statefulset.podTemplate.spec.containers[1].readinessProbe
    • statefulset.podAffinity -> statefulset.podTemplate.spec.affinity.podAffinity
    • statefulset.nodeSelector -> statefulset.podTemplate.spec.nodeSelector
    • statefulset.priorityClassName -> statefulset.podTemplate.spec.priorityClassName
    • statefulset.tolerations -> statefulset.podTemplate.spec.tolerations
    • statefulset.topologySpreadConstraints -> statefulset.podTemplate.spec.topologySpreadConstraints
    • statefulset.terminationGracePeriodSeconds -> statefulset.podTemplate.spec.terminationGracePeriodSeconds
    • statefulset.extraVolumes -> statefulset.podTemplate.spec.volumes
    • statefulset.extraVolumesMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
    • statefulset.initContainers.*.extraVolumesMounts -> statefulset.podTemplate.spec.initContainers[*].volumeMounts
    • statefulset.initContainers.*.resources -> statefulset.podTemplate.spec.initContainers[*].resources
    • statefulset.initContainers.extraInitContainers -> statefulset.podTemplate.spec.initContainers
    • statefulset.sidecars.configWatcher.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
    • statefulset.sidecars.configWatcher.resources -> statefulset.podTemplate.spec.containers[*].resources
    • statefulset.sidecars.configWatcher.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
    • statefulset.sidecars.controllers.resources -> statefulset.podTemplate.spec.containers[*].resources
    • statefulset.sidecars.controllers.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
    • statefulset.sidecars.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
    • statefulset.sidecars.resources -> statefulset.podTemplate.spec.containers[*].resources
    • statefulset.sidecars.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
  • Removed regex validation of all image tags.

  • The unrespected kafkaEndpoint listener parameter has been removed from values.yaml

Fixed

  • Reverse the order of applying resources so that the ClusterRole is created first and then the ClusterRoleBinding.
    When a Redpanda custom resource had RBAC enabled, reconciliation was blocked due to the
    ClusterRoleBinding referencing a not yet created ClusterRole.

  • Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.

  • Prevent broker nodes from restarting when solely the cluster replica amount changes

  • authentication_method is no longer set on http_api as redpanda itself does not support authentication on the http API.

  • Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.

  • Broken Issuers and Certificates are no longer needlessly generated when tls.<cert>.issuerRef is provided.

  • Fixed the security contexts of set-datadir-ownership and set-tiered-storage-cache-dir-ownership.

  • The schema_registry_client and pandaproxy_client stanzas of redpanda.yaml
    now respect listeners.kafka.tls.trustStore, when provided.
    See also helm-chart issue 1573.

  • Corrected naming of Roles to use Fullname instead of Name, which ensures they are unique within their namespace.

  • Upda...

charts/console: v3.3.0

03 Dec 16:13
fc3b163

Changed

  • Bump console chart version with new release of Console.

charts/redpanda: v5.9.30

02 Dec 17:12

Changed

  • Bump Redpanda operator sidecar container tag to v2.3.15-24.3.18.

Deprecated

  • statefulset.sideCars.controllers.createRBAC is deprecated and no longer respected. In most cases, setting this field to false would result in a broken deployment. RBAC may be controlled via rbac.enabled or per controller via statefulset.sideCars.controllers.{pvcUnbinder,brokerDecommissioner}.enabled.
  • statefulset.sideCars.controllers.run has been unused for many releases and is now deprecated. Individual controllers may be enabled/disabled by setting their enabled field: statefulset.sideCars.pvcUnbinder.enabled, statefulset.sideCars.brokerDecommissioner.enabled.

operator: v2.3.15-24.3.18

25 Nov 08:00

Changed

  • Bump Redpanda helm chart dependency to 5.9.29

Fixed

  • ClusterRoles for the PVCUnbinder and BrokerDecommissioner are now enabled / disabled when their respective controller is enabled / disabled.

    Previously ClusterRoles were always generated and could only be disabled by setting statefulset.sideCars.controllers.createRBAC to false which rendered the sidecar inoperable.

charts/redpanda: v5.9.29

22 Nov 06:09

Changed

  • Bump Redpanda operator sidecar container tag to v2.3.14-24.3.17.

charts/redpanda: v5.10.6

22 Nov 06:11

Changed

  • Bump Redpanda operator sidecar container tag to 2.4.5

Deprecated

  • statefulset.sideCars.controllers.createRBAC is deprecated and no longer respected. In most cases, setting this field to false would result in a broken deployment. RBAC may be controlled via rbac.enabled or per controller via statefulset.sideCars.controllers.{pvcUnbinder,brokerDecommissioner}.enabled.
  • statefulset.sideCars.controllers.run has been unused for many releases and is now deprecated. Individual controllers may be enabled/disabled by setting their enabled field: statefulset.sideCars.pvcUnbinder.enabled, statefulset.sideCars.brokerDecommissioner.enabled.

operator: v2.4.6

17 Nov 20:48

Changed

  • Client certificates are now named $FULLNAME-$CERT-client-cert.
  • Bump Redpanda helm chart dependency to 5.10.5

Fixed

  • ClusterRoles for the PVCUnbinder and BrokerDecommissioner are now enabled / disabled when their respective controller is enabled / disabled.

    Previously ClusterRoles were always generated and could only be disabled by setting statefulset.sideCars.controllers.createRBAC to false which rendered the sidecar inoperable.

  • Fix a bug with the way the config-watcher sidecar syncs users. The Kubernetes mechanism for writing out a changed secret involves re-creating a symlink in the secrets directory that points to the mounted secret. Previously the config-watcher only detected changes to the entire directory and could potentially miss syncs; it now resyncs everything any time the symlink is recreated.

  • mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
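
The symlink mechanism behind the config-watcher fix (listed above under both operator v25.2.1 and operator v2.4.6), as an added example that is not the operator's own code: Sync keys change detection on the target of the "..data" symlink that is repointed on every Secret update, and re-reads every key from that revision when the target moves. The function names, the "..rev1" directory name and the sample credential are constructed for illustration, and the link target is assumed to be relative.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Sync re-reads all keys when "..data" names a revision other than last (nil keys: no change).
func Sync(dir, last string) (string, map[string]string, error) {
	target, err := os.Readlink(filepath.Join(dir, "..data"))
	if err != nil || target == last {
		return last, nil, err
	}
	rev := filepath.Join(dir, target) // assumes a relative link target
	entries, err := os.ReadDir(rev)
	if err != nil {
		return last, nil, err // revision removed mid-read: retry next call
	}
	keys := map[string]string{}
	for _, e := range entries {
		b, err := os.ReadFile(filepath.Join(rev, e.Name()))
		if err != nil {
			return last, nil, err
		}
		keys[e.Name()] = string(b)
	}
	return target, keys, nil
}

// Publish imitates a Secret update (constructed): new revision directory, then atomic symlink swap.
func Publish(dir, rev, key, val string) error {
	if err := os.Mkdir(filepath.Join(dir, rev), 0o700); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, rev, key), []byte(val), 0o600); err != nil {
		return err
	}
	if err := os.Symlink(rev, filepath.Join(dir, "..data_tmp")); err != nil {
		return err
	}
	return os.Rename(filepath.Join(dir, "..data_tmp"), filepath.Join(dir, "..data"))
}

func main() {
	dir, _ := os.MkdirTemp("", "secret-volume") // constructed sample volume
	defer os.RemoveAll(dir)
	_ = Publish(dir, "..rev1", "users.txt", "alice:pw1")
	fmt.Println(Sync(dir, ""))
}
```

Reading through the resolved revision directory rather than through "..data" keeps one resync from mixing keys of two revisions if the link is repointed mid-read.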