Operator v25.1.1-beta3

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.
• v1 operator: ExternalSecretRefSelector is now provided for referring to external secrets in clusterConfiguration. This has an optional flag which is honoured if present - it turns errors into warnings if the secret can't be looked up.

Changed

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would
  have been ignored.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

• rbac.createRPKBundleCRs now defaults to true.

• The operator will now populate .Statefulset.SideCars.Image, if unspecified, with it's own image.

  The image and tag may be controlled with pre-existing
  --configurator-base-image and --configurator-tag flags, respectively.

  The previous behavior was to defer to the default of the redpanda chart which
  could result in out of sync RBAC requirements or regressions of
  sidecar/initcontainer behavior, if using an older redpanda chart.

Deprecated

• v1 operator: the clusterConfiguration field ExternalSecretRef is deprecated in favour of ExternalSecretRefSelector. Since this field was extremely new, it will be removed in the very near future.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease)
  will NOT be garbage collected upon upgrading. If the operator is
  coexisting with a FluxCD installation, please take care to manually remove
  the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer
  supported. The controller will log errors and abort reconcilation until the
  fields are unset. Ensure that both have been removed from all Redpanda
  resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady,
  and upgradeFailures are no longer set on RedpandaStatus, similar to their
  behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda
  operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

  Any existing prometheus rules don't need to be adjusted.

  For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

• The kube-prometheus-stack subchart has been removed.

  This integration was not being up kept and most use cases will be better served by deploying this chart themselves.

Fixed

• Certificate reloading for webhook and metrics endpoints should now behave correctly.
• The operator will restart the redpanda cluster on any change to the cluster configuration
• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.
• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating
  kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only
  if correct FullNameOverride is not provided and handled the same way for both
  client creation and render function.
• The Redpanda license was not set by operator. Now it will be set in the first reconciliation. After initial setup the consequent license re-set will be reconciled after client-go cache resync timeout (default 10h).
• The operator now unconditionally produces statefulsets that have environment variables available to the initContainer that are used for CEL-based config patching.

Previously it attempted to leave existing sts resources unpatched if it seemed like they had already been bootstrapped. With the adoption of CEL patching for node configuration, that left sts pods unable to restart.

• The operator now unconditionally produces an environment for the initContainer that supports CEL-based patching.

This is required to ensure that a pre-existing sts can roll over to new configuration correctly.

charts/redpanda v25.1.1-beta3

v25.1.1-beta3 - 2025-05-06

Added

• Added a chart wide podTemplate field which may be used to control Pod attributes chart wide.

  This field has a lower precedence than statefulset.podTemplate and
  post_install_job.podTemplate but will still be merged with them.

• podTemplate, statefulset.podTemplate, and post_install_job.podTemplate may now contain template expressions with in string fields

  To compensate for some of the functionality that was lost with the removal of
  fields like extraVolumes, we've upgraded podTemplate fields to support
  templating. Rather than allowing full control over a structured value, we've
  reduced the scope to only string fields. This is significantly more
  maintainable and less error prone.

  As an example, the below snippet will apply the release name as an annotation
  to all Pods created by the chart.

  podTemplate:
    annotations:
      "keys-cannot-be-templated": '{{ .Release.Name }}' # But values can!

  See values.yaml for additional examples.

Changed

• Promoted the config-watcher sidecar into a real go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally the new sidecar subsumes the behavior of the statefulset.sideCars.controllers stanza which should now be specified via their own enabled flags.

• clusterDomain now defaults to cluster.local. (A trialing . has been added) and the chart no longer adds trailing .'s to internal domains.

  For users not experiencing issues with trailing .'s this change has no
  effect. For users that have had issues with trailing .'s, it's now possible
  to opt-out of this behavior by explicitly setting clusterDomain to cluster.local.

  For users that override clusterDomain, copied a previous releases
  values.yaml, or use the --reuse-values flag, trailing .'s will be tripped
  from domains upon updating. This behavior may be opted into by appending a
  . to clusterDomain prior to upgrading.

• Bump AppVersion to v24.3.6 Redpanda release

• Bump Redpanda operator side car container tag to v2.3.7-24.3.6.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would
  have been ignored.

• Update Console depedency to latest version with breaking change. Please visit Console change-log.

• The name of the container running redpanda is now always set to redpanda.

• bumped appVersion to v25.1.1.

• serviceAccount.create now defaults to true.

  The previous behavior resulted in using the default service account and
  extending it with all bindings generated from the chart. Such behavior is
  unlikely to be desired.

• rpk debug bundle --namespace $NAMESPACE now works by default.

  The chart now creates a set of Roles and RoleBindings that satisfy the
  requirements of running rpk debug bundle from any redpanda Pod. These
  permissions may be disabled by specifying rbac.rpkDebugBundle=false.

  Additionally, the redpanda container now always has a Kubernetes
  ServiceAccount token mounted to it to ensure rpk debug bundle can be
  executed successfully.

• Update Console depedency to latest version v3.1.0. Please visit Console change-log.

Deprecated

• .statefulset.sidecars.controllers.image is now deprecated. It may be specified but will not be respected. Use .statefulset.sidecars.image instead.

Removed

• Connectors sub-chart integration.

  The connectors chart may still be deployed separately, though it is not
  officially support. If possible, it is recommended to migrate to redpanda
  connect.

• Removed the deprecated fields license_key and license_secret_ref in favor
  of enterprise.license and enterprise.licenseSecretRef, respectively.

• statefulset.securityContext, statefulset.sideCars.configWatcher.securityContext have been removed.

  These fields previously served as both PodSecurityContext and SecurityContext
  across the entire chart which led to confusing semantics that couldn't be
  fixed without breaking backwards compatiblity.

  The top level podTemplate field may be used to control
  PodSecurityContexts and SecurityContexts across the chart.

• Fields that would be better served through podTemplate have been removed in favor of using podTemplate.

  Removed fields:

  • nodeSelector -> podTemplate.spec.nodeSelector
  • affinity -> podTemplate.spec.affinity
  • tolerations -> podTemplate.spec.tolerations
  • imagePullSecrets -> podTemplate.spec.imagePullSecrets
  • statefulset.annotations -> statefulset.podTemplate.annotations
  • statefulset.startupProbe -> statefulset.podTemplate.spec.containers[0].startupProbe
  • statefulset.livenessProbe -> statefulset.podTemplate.spec.containers[0].livenessProbe
  • statefulset.readinessProbe -> statefulset.podTemplate.spec.containers[1].readinessProbe
  • statefulset.podAffinity -> statefulset.podTemplate.spec.affinity.podAffinity
  • statefulset.nodeSelector -> statefulset.podTemplate.spec.nodeSelector
  • statefulset.priorityClassName -> statefulset.podTemplate.spec.priorityClassName
  • statefulset.tolerations -> statefulset.podTemplate.spec.tolerations
  • statefulset.topologySpreadConstraints -> statefulset.podTemplate.spec.topologySpreadConstraints
  • statefulset.terminationGracePeriodSeconds -> statefulset.podTemplate.spec.terminationGracePeriodSeconds
  • statefulset.extraVolumes -> statefulset.podTemplate.spec.volumes
  • statefulset.extraVolumesMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.initContainers.*.extraVolumesMounts -> statefulset.podTemplate.spec.initContainers[*].volumeMounts
  • statefulset.initContainers.*.resources -> statefulset.podTemplate.spec.initContainers[*].resources
  • statefulset.initContainers.extraInitContainers -> statefulset.podTemplate.spec.initContainers
  • statefulset.sidecars.configWatcher.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.sidecars.configWatcher.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.configWatcher.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
  • statefulset.sidecars.controllers.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.controllers.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
  • statefulset.sidecars.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.sidecars.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext

• Removed regex validation of all image tags.

Fixed

• Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
  When Redpanda custom resource has enabled RBAC the reconciliation was blocked due
  ClusterRoleBinding referencing not yet created ClusterRole.

• Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.

• Prevent broker nodes from restarting when solely the cluster replica amount changes

• Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.

• Broken Issuers and Certificates are no longer needlessly generated when tls.<cert>.issuerRef is provided.

• Fixed the security contexts' of set-datadir-ownership and set-tiered-storage-cache-dir-ownership.

• The schema_registry_client and pandaproxy_client stanzas of redpanda.yaml
  now respect listeners.kafka.tls.trustStore, when provided.
  See also helm-chart 1573 issue.

charts/console v3.1.0

Changed

• Bump AppVersion the new v3.1.0 Console release

Fixed

• • Correct the secret key reference for authentication JWT signing key.
  • Correct the environment variable reference schema registry password.
  • Add value for schema registry bearer token secret.

charts/redpanda v25.1.1-beta2

Added

• Added a chart wide podTemplate field which may be used to control Pod attributes chart wide.

  This field has a lower precedence than statefulset.podTemplate and
  post_install_job.podTemplate but will still be merged with them.

• podTemplate, statefulset.podTemplate, and post_install_job.podTemplate may now contain template expressions with in string fields

  To compensate for some of the functionality that was lost with the removal of
  fields like extraVolumes, we've upgraded podTemplate fields to support
  templating. Rather than allowing full control over a structured value, we've
  reduced the scope to only string fields. This is significantly more
  maintainable and less error prone.

  As an example, the below snippet will apply the release name as an annotation
  to all Pods created by the chart.

  podTemplate:
    annotations:
      "keys-cannot-be-templated": '{{ .Release.Name }}' # But values can!

  See values.yaml for additional examples.

Changed

• Promoted the config-watcher sidecar into a real go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally the new sidecar subsumes the behavior of the statefulset.sideCars.controllers stanza which should now be specified via their own enabled flags.

• clusterDomain now defaults to cluster.local. (A trialing . has been added) and the chart no longer adds trailing .'s to internal domains.

  For users not experiencing issues with trailing .'s this change has no
  effect. For users that have had issues with trailing .'s, it's now possible
  to opt-out of this behavior by explicitly setting clusterDomain to cluster.local.

  For users that override clusterDomain, copied a previous releases
  values.yaml, or use the --reuse-values flag, trailing .'s will be tripped
  from domains upon updating. This behavior may be opted into by appending a
  . to clusterDomain prior to upgrading.

• Bump AppVersion to v24.3.6 Redpanda release

• Bump Redpanda operator side car container tag to v2.3.7-24.3.6.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would
  have been ignored.

• Update Console depedency to latest version with breaking change. Please visit Console change-log.

• The name of the container running redpanda is now always set to redpanda.

• bumped appVersion to v25.1.1.

• serviceAccount.create now defaults to true.

  The previous behavior resulted in using the default service account and
  extending it with all bindings generated from the chart. Such behavior is
  unlikely to be desired.

• rpk debug bundle --namespace $NAMESPACE now works by default.

  The chart now creates a set of Roles and RoleBindings that satisfy the
  requirements of running rpk debug bundle from any redpanda Pod. These
  permissions may be disabled by specifying rbac.rpkDebugBundle=false.

  Additionally, the redpanda container now always has a Kubernetes
  ServiceAccount token mounted to it to ensure rpk debug bundle can be
  executed successfully.

Deprecated

• .statefulset.sidecars.controllers.image is now deprecated. It may be specified but will not be respected. Use .statefulset.sidecars.image instead.

Removed

• Connectors sub-chart integration.

  The connectors chart may still be deployed separately, though it is not
  officially support. If possible, it is recommended to migrate to redpanda
  connect.

• Removed the deprecated fields license_key and license_secret_ref in favor
  of enterprise.license and enterprise.licenseSecretRef, respectively.

• statefulset.securityContext, statefulset.sideCars.configWatcher.securityContext have been removed.

  These fields previously served as both PodSecurityContext and SecurityContext
  across the entire chart which led to confusing semantics that couldn't be
  fixed without breaking backwards compatiblity.

  The top level podTemplate field may be used to control
  PodSecurityContexts and SecurityContexts across the chart.

• Fields that would be better served through podTemplate have been removed in favor of using podTemplate.

  Removed fields:

  • nodeSelector -> podTemplate.spec.nodeSelector
  • affinity -> podTemplate.spec.affinity
  • tolerations -> podTemplate.spec.tolerations
  • imagePullSecrets -> podTemplate.spec.imagePullSecrets
  • statefulset.annotations -> statefulset.podTemplate.annotations
  • statefulset.startupProbe -> statefulset.podTemplate.spec.containers[0].startupProbe
  • statefulset.livenessProbe -> statefulset.podTemplate.spec.containers[0].livenessProbe
  • statefulset.readinessProbe -> statefulset.podTemplate.spec.containers[1].readinessProbe
  • statefulset.podAffinity -> statefulset.podTemplate.spec.affinity.podAffinity
  • statefulset.nodeSelector -> statefulset.podTemplate.spec.nodeSelector
  • statefulset.priorityClassName -> statefulset.podTemplate.spec.priorityClassName
  • statefulset.tolerations -> statefulset.podTemplate.spec.tolerations
  • statefulset.topologySpreadConstraints -> statefulset.podTemplate.spec.topologySpreadConstraints
  • statefulset.terminationGracePeriodSeconds -> statefulset.podTemplate.spec.terminationGracePeriodSeconds
  • statefulset.extraVolumes -> statefulset.podTemplate.spec.volumes
  • statefulset.extraVolumesMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.initContainers.*.extraVolumesMounts -> statefulset.podTemplate.spec.initContainers[*].volumeMounts
  • statefulset.initContainers.*.resources -> statefulset.podTemplate.spec.initContainers[*].resources
  • statefulset.initContainers.extraInitContainers -> statefulset.podTemplate.spec.initContainers
  • statefulset.sidecars.configWatcher.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.sidecars.configWatcher.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.configWatcher.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
  • statefulset.sidecars.controllers.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.controllers.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext
  • statefulset.sidecars.extraVolumeMounts -> statefulset.podTemplate.spec.containers[*].volumeMounts
  • statefulset.sidecars.resources -> statefulset.podTemplate.spec.containers[*].resources
  • statefulset.sidecars.securityContext -> statefulset.podTemplate.spec.containers[*].securityContext

• Removed regex validation of all image tags.

Fixed

• Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
  When Redpanda custom resource has enabled RBAC the reconciliation was blocked due
  ClusterRoleBinding referencing not yet created ClusterRole.

• Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.

• Prevent broker nodes from restarting when solely the cluster replica amount changes

• Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.

• Broken Issuers and Certificates are no longer needlessly generated when tls.<cert>.issuerRef is provided.

• Fixed the security contexts' of set-datadir-ownership and set-tiered-storage-cache-dir-ownership.

• The schema_registry_client and pandaproxy_client stanzas of redpanda.yaml
  now respect listeners.kafka.tls.trustStore, when provided.
  See also helm-chart 1573 issue.

Operator v2.4.2

Added

• v1 operator: ExternalSecretRefSelector is now provided for referring to external secrets in clusterConfiguration. This has an optional flag which is honoured if present - it turns errors into warnings if the secret can't be looked up.

• [Chart] Added rbac.createCompatCRs which intentionally over scopes the operator's RBAC configuration to preserve compatibility with redpanda charts <= v5.10.1 and <=v5.9.22.

  rbac.createCompatCRs defaults to true to prevent unexpected breakages upon upgrading the operator.

Changed

• rbac.createRPKBundleCRs now defaults to true.
• Bumped the vendored redpanda chart version to v5.10.2

Deprecated

• v1 operator: the clusterConfiguration field ExternalSecretRef is deprecated in favour of ExternalSecretRefSelector. Since this field was extremely new, it will be removed in the very near future.

Fixed

• The operator will restart the redpanda cluster on any change to the cluster configuration
• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.
• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating
  kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only
  if correct FullNameOverride is not provided and handled the same way for both
  client creation and render function.
• Fields with embedded structs, such as auth.sasl.bootstrapUser.secretKeyRef and listeners.internal.tls.truststore.configMapKeyRef, are no longer discarded during rendering of resources.
• The Redpanda license was not set by operator. Now it will be set in the first reconciliation. After initial setup the consequent license re-set will be reconciled after client-go cache resync timeout (default 10h).

Operator: v2.3.9-24.3.11

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.

• v1 operator: ExternalSecretRefSelector is now provided for referring to external secrets in clusterConfiguration. This has an optional flag which is honoured if present - it turns errors into warnings if the secret can't be looked up.

• [Chart] Added rbac.createCompatCRs which intentionally over scopes the operator's RBAC configuration to preserve compatibility with redpanda charts <= v5.10.1 and <=v5.9.22.

  rbac.createCompatCRs defaults to true to prevent unexpected breakages upon upgrading the operator.

Changed

• Reconciliation will attempt to create all resources regardless of errors encounter.
  All errors will be reported at the end of the reconciliation loop.

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

• rbac.createRPKBundleCRs now defaults to true.

• Bumped internal chart version to v5.9.22

Deprecated

• v1 operator: the clusterConfiguration field ExternalSecretRef is deprecated in favour of ExternalSecretRefSelector. Since this field was extremely new, it will be removed in the very near future.

Fixed

• Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
  When Redpanda custom resource has enabled RBAC the reconciliation was blocked due
  ClusterRoleBinding referencing not yet created ClusterRole.

• Certificate reloading for webhook and metrics endpoints should now behave correctly.

• The operator will restart the redpanda cluster on any change to the cluster configuration

• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.

• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating
  kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only
  if correct FullNameOverride is not provided and handled the same way for both
  client creation and render function.

• The Redpanda license was not set by operator. Now it will be set in the first reconciliation. After initial setup the consequent license re-set will be reconciled after client-go cache resync timeout (default 10h).

charts/redpanda: v5.9.22

Changed

• serviceAccount.create now defaults to true.

  The previous behavior resulted in using the default service account and
  extending it with all bindings generated from the chart. Such behavior is
  unlikely to be desired.

• rpk debug bundle --namespace $NAMESPACE now works by default.

  The chart now creates a set of Roles and RoleBindings that satisfy the
  requirements of running rpk debug bundle from any redpanda Pod. These
  permissions may be disabled by specifying rbac.rpkDebugBundle=false.

  Additionally, the redpanda container now always has a Kubernetes
  ServiceAccount token mounted to it to ensure rpk debug bundle can be
  executed successfully.

Fixed

• Fixed an issue where not explicitly specifying a SASL auth mechanism when SASL is enabled caused Console to fail to start up.
• Prevent broker nodes from restarting when solely the cluster replica amount changes
• Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
• Broken Issuers and Certificates are no longer needlessly generated when tls.<cert>.issuerRef is provided.
• The schema_registry_client and pandaproxy_client stanzas of redpanda.yaml
  now respect listeners.kafka.tls.trustStore, when provided.
  See also helm-chart 1573 issue.

charts/redpanda: v5.10.2

Changed

• serviceAccount.create now defaults to true.

  The previous behavior resulted in using the default service account and
  extending it with all bindings generated from the chart. Such behavior is
  unlikely to be desired.

• rpk debug bundle --namespace $NAMESPACE now works by default.

  The chart now creates a set of Roles and RoleBindings that satisfy the
  requirements of running rpk debug bundle from any redpanda Pod. These
  permissions may be disabled by specifying rbac.rpkDebugBundle=false.

  Additionally, the redpanda container now always has a Kubernetes
  ServiceAccount token mounted to it to ensure rpk debug bundle can be
  executed successfully.

Removed

• Removed regex validation of all image tags.

Fixed

• Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
• Broken Issuers and Certificates are no longer needlessly generated when tls.<cert>.issuerRef is provided.
• The schema_registry_client and pandaproxy_client stanzas of redpanda.yaml
  now respect listeners.kafka.tls.trustStore, when provided.
  See also helm-chart 1573 issue.

Operator v25.1.1-beta2

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.

Changed

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would
  have been ignored.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

• rbac.createRPKBundleCRs now defaults to true.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease)
  will NOT be garbage collected upon upgrading. If the operator is
  coexisting with a FluxCD installation, please take care to manually remove
  the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer
  supported. The controller will log errors and abort reconcilation until the
  fields are unset. Ensure that both have been removed from all Redpanda
  resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady,
  and upgradeFailures are no longer set on RedpandaStatus, similar to their
  behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda
  operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

  Any existing prometheus rules don't need to be adjusted.

  For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

• The kube-prometheus-stack subchart has been removed.

  This integration was not being up kept and most use cases will be better served by deploying this chart themselves.

Fixed

• Certificate reloading for webhook and metrics endpoints should now behave correctly.
• The operator will restart the redpanda cluster on any change to the cluster configuration
• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.
• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating
  kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only
  if correct FullNameOverride is not provided and handled the same way for both
  client creation and render function.

operator: v25.1.1-beta1

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.

Changed

• Bumped internal redpanda chart to v5.9.19.
  chartRef now defaults to v5.9.19.
  When useFlux is false, the equivalent of chart v5.9.19 will be deployed.

• Bumped the internal chart version to v5.9.20.

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease)
  will NOT be garbage collected upon upgrading. If the operator is
  coexisting with a FluxCD installation, please take care to manually remove
  the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer
  supported. The controller will log errors and abort reconcilation until the
  fields are unset. Ensure that both have been removed from all Redpanda
  resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady,
  and upgradeFailures are no longer set on RedpandaStatus, similar to their
  behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda
  operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

Any existing prometheus rules don't need to be adjusted.

For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

Fixed

• Usage of tpl and include now function as expected when useFlux: false is set.

  {{ (get (fromJson (include "redpanda.Fullname" (dict "a" (list .)))) "r") }} would previously failure with fairly arcane errors.

  Now, the above example will correctly render to a string value. However,
  syntax errors and the like are still reported in an arcane fashion.

• Toggling useFlux, in either direction, no longer causes the bootstrap user's password to be regenerated.

  Manual mitigation steps are available here.

• Certificate reloading for webhook and metrics endpoints should now behave correctly.

• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.