From 092fd0346fab94a75ec8199499f2a5ba4c88ad85 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Thu, 2 Oct 2025 00:02:01 -0700
Subject: [PATCH 01/10] Address coderabbit suggestion on removing internal only value NETWORK_ACCESS_MODE_UNSPECIFIED
---
.../overlays/update-api-gateway-access.yaml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 cloud-controlplane/overlays/update-api-gateway-access.yaml
diff --git a/cloud-controlplane/overlays/update-api-gateway-access.yaml b/cloud-controlplane/overlays/update-api-gateway-access.yaml
new file mode 100644
index 0000000..ebfee10
--- /dev/null
+++ b/cloud-controlplane/overlays/update-api-gateway-access.yaml
@@ -0,0 +1,11 @@
+# This overlay updates the Cluster object in response examples to only use a
+# user-facing value for the api_gateway_access field.
+overlay: 1.0.0
+info:
+ title: Update API Gateway Access Values in Response Examples
+ version: 1.0.0
+
+actions:
+ # Target api_gateway_access fields that are descendants of any example field within responses
+ - target: "$..responses..example..api_gateway_access[?(@ == 'NETWORK_ACCESS_MODE_UNSPECIFIED')]"
+ update: "NETWORK_ACCESS_MODE_PUBLIC"
\ No newline at end of file
From 04574e9a5e0b5630a35e0917729b191f7373cc5e Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Thu, 2 Oct 2025 00:02:26 -0700
Subject: [PATCH 02/10] RESOURCE_TYPE_ANY is not available when creating a new ACL
---
.../overlays/remove-resource-type-any.yaml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 cloud-dataplane/overlays/remove-resource-type-any.yaml
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
new file mode 100644
index 0000000..bdfa53a
--- /dev/null
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
@@ -0,0 +1,24 @@
+# This overlay removes the RESOURCE_TYPE_ANY value as an available option for the
+# resource_type field in the CreateACLRequest schema.
+overlay: 1.0.0
+info:
+ title: Remove RESOURCE_TYPE_ANY from Create ACL Request Body
+ version: 1.0.0
+
+actions:
+ # Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY
+ - target: "$.components.schemas.CreateACLRequest.properties.resource_type"
+ update:
+ description: |-
+ The type of resource (topic, consumer group, etc.) this
+ ACL targets.
+ enum:
+ - "RESOURCE_TYPE_TOPIC"
+ - "RESOURCE_TYPE_GROUP"
+ - "RESOURCE_TYPE_CLUSTER"
+ - "RESOURCE_TYPE_TRANSACTIONAL_ID"
+ - "RESOURCE_TYPE_DELEGATION_TOKEN"
+ - "RESOURCE_TYPE_USER"
+ - "RESOURCE_TYPE_REGISTRY"
+ - "RESOURCE_TYPE_SUBJECT"
+ type: "string"
\ No newline at end of file
From c50fead26235a6487883600bea83cd140b36df7d Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Thu, 2 Oct 2025 13:16:18 -0700
Subject: [PATCH 03/10] Tiny changes to force deploy preview with overlays applied
---
cloud-controlplane/cloud-controlplane.yaml | 4 ++--
cloud-dataplane/cloud-dataplane.yaml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cloud-controlplane/cloud-controlplane.yaml b/cloud-controlplane/cloud-controlplane.yaml
index 23f156a..16d0342 100644
--- a/cloud-controlplane/cloud-controlplane.yaml
+++ b/cloud-controlplane/cloud-controlplane.yaml
@@ -24,8 +24,8 @@ components: properties: allowed_principals: description: The ARN of the principals that can access the Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). - example: - - arn:aws:iam::account-number-without-hyphens:user/username or arn:aws:iam::account-number-without-hyphens:root + example: | + - `arn:aws:iam::account-number-without-hyphens:user/username` or `arn:aws:iam::account-number-without-hyphens:root` items: type: string type: array
diff --git a/cloud-dataplane/cloud-dataplane.yaml b/cloud-dataplane/cloud-dataplane.yaml
index 89b1d9f..f8c4f3f 100644
--- a/cloud-dataplane/cloud-dataplane.yaml
+++ b/cloud-dataplane/cloud-dataplane.yaml
@@ -683,7 +683,7 @@ components: { "reason": "API_DISABLED" "domain": "googleapis.com" "metadata": { - "resource": "projects/123", + "resource": "projects/1234", "service": "pubsub.googleapis.com" } }
From d1c85e2012d51477aab100d704f8b6f91c7f5cb5 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Mon, 6 Oct 2025 15:00:48 -0700
Subject: [PATCH 04/10] Fix JSONPath
---
.../overlays/update-api-gateway-access.yaml | 5 ++--
.../overlays/remove-resource-type-any.yaml | 27 ++++++++++---------
2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/cloud-controlplane/overlays/update-api-gateway-access.yaml b/cloud-controlplane/overlays/update-api-gateway-access.yaml
index ebfee10..c45c3b1 100644
--- a/cloud-controlplane/overlays/update-api-gateway-access.yaml
+++ b/cloud-controlplane/overlays/update-api-gateway-access.yaml
@@ -7,5 +7,6 @@ info: actions: # Target api_gateway_access fields that are descendants of any example field within responses - - target: "$..responses..example..api_gateway_access[?(@ == 'NETWORK_ACCESS_MODE_UNSPECIFIED')]" - update: "NETWORK_ACCESS_MODE_PUBLIC" \ No newline at end of file + - target: "$..responses..example*[?(@.api_gateway_access == 'NETWORK_ACCESS_MODE_UNSPECIFIED')]" + update: + api_gateway_access: "NETWORK_ACCESS_MODE_PUBLIC" \ No newline at end of file
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
index bdfa53a..d2c3b40 100644
--- a/cloud-dataplane/overlays/remove-resource-type-any.yaml
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
@@ -9,16 +9,17 @@ actions: # Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY - target: "$.components.schemas.CreateACLRequest.properties.resource_type" update: - description: |- - The type of resource (topic, consumer group, etc.) this - ACL targets. - enum: - - "RESOURCE_TYPE_TOPIC" - - "RESOURCE_TYPE_GROUP" - - "RESOURCE_TYPE_CLUSTER" - - "RESOURCE_TYPE_TRANSACTIONAL_ID" - - "RESOURCE_TYPE_DELEGATION_TOKEN" - - "RESOURCE_TYPE_USER" - - "RESOURCE_TYPE_REGISTRY" - - "RESOURCE_TYPE_SUBJECT" - type: "string" \ No newline at end of file + resource_type: + description: |- + The type of resource (topic, consumer group, etc.) this + ACL targets. + enum: + - "RESOURCE_TYPE_TOPIC" + - "RESOURCE_TYPE_GROUP" + - "RESOURCE_TYPE_CLUSTER" + - "RESOURCE_TYPE_TRANSACTIONAL_ID" + - "RESOURCE_TYPE_DELEGATION_TOKEN" + - "RESOURCE_TYPE_USER" + - "RESOURCE_TYPE_REGISTRY" + - "RESOURCE_TYPE_SUBJECT" + type: "string" \ No newline at end of file
From ff90cb68ca00950191537cb642b30aa5dd0dece8 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Mon, 6 Oct 2025 15:17:12 -0700
Subject: [PATCH 05/10] Apply suggestions from automated review
---
cloud-controlplane/cloud-controlplane.yaml | 8 +++--
.../overlays/remove-resource-type-any.yaml | 29 +++++++++----------
2 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/cloud-controlplane/cloud-controlplane.yaml b/cloud-controlplane/cloud-controlplane.yaml
index 16d0342..0c3be87 100644
--- a/cloud-controlplane/cloud-controlplane.yaml
+++ b/cloud-controlplane/cloud-controlplane.yaml
@@ -24,8 +24,9 @@ components: properties: allowed_principals: description: The ARN of the principals that can access the Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). - example: | - - `arn:aws:iam::account-number-without-hyphens:user/username` or `arn:aws:iam::account-number-without-hyphens:root` + example: + - arn:aws:iam::account-number-without-hyphens:user/username + - arn:aws:iam::account-number-without-hyphens:root items: type: string type: array
@@ -102,7 +103,8 @@ components: allowed_principals: description: The ARN of the principals that can access Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). example: - - arn:aws:iam::account-number-without-hyphens:user/username or arn:aws:iam::account-number-without-hyphens:root + - arn:aws:iam::account-number-without-hyphens:user/username + - arn:aws:iam::account-number-without-hyphens:root items: type: string type: array
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
index d2c3b40..f0079ce 100644
--- a/cloud-dataplane/overlays/remove-resource-type-any.yaml
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
@@ -7,19 +7,18 @@ info: actions: # Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY - - target: "$.components.schemas.CreateACLRequest.properties.resource_type" + - target: "$.components.schemas.CreateACLRequest.properties.resource_type.$ref" update: - resource_type: - description: |- - The type of resource (topic, consumer group, etc.) this - ACL targets. - enum: - - "RESOURCE_TYPE_TOPIC" - - "RESOURCE_TYPE_GROUP" - - "RESOURCE_TYPE_CLUSTER" - - "RESOURCE_TYPE_TRANSACTIONAL_ID" - - "RESOURCE_TYPE_DELEGATION_TOKEN" - - "RESOURCE_TYPE_USER" - - "RESOURCE_TYPE_REGISTRY" - - "RESOURCE_TYPE_SUBJECT" - type: "string" \ No newline at end of file + description: |- + The type of resource (topic, consumer group, etc.) this + ACL targets. + enum: + - "RESOURCE_TYPE_TOPIC" + - "RESOURCE_TYPE_GROUP" + - "RESOURCE_TYPE_CLUSTER" + - "RESOURCE_TYPE_TRANSACTIONAL_ID" + - "RESOURCE_TYPE_DELEGATION_TOKEN" + - "RESOURCE_TYPE_USER" + - "RESOURCE_TYPE_REGISTRY" + - "RESOURCE_TYPE_SUBJECT" + type: "string" \ No newline at end of file
From b9a0c4f62d12a79c072426d6131c5198032e9202 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Mon, 6 Oct 2025 15:28:12 -0700
Subject: [PATCH 06/10] Fix workflow errors
---
cloud-controlplane/cloud-controlplane.yaml | 8 ++++----
cloud-dataplane/overlays/remove-resource-type-any.yaml | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cloud-controlplane/cloud-controlplane.yaml b/cloud-controlplane/cloud-controlplane.yaml
index 0c3be87..a4379cc 100644
--- a/cloud-controlplane/cloud-controlplane.yaml
+++ b/cloud-controlplane/cloud-controlplane.yaml
@@ -25,8 +25,8 @@ components: allowed_principals: description: The ARN of the principals that can access the Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). example: - - arn:aws:iam::account-number-without-hyphens:user/username - - arn:aws:iam::account-number-without-hyphens:root + - "arn:aws:iam::account-number-without-hyphens:user/username" + - "arn:aws:iam::account-number-without-hyphens:root" items: type: string type: array
@@ -103,8 +103,8 @@ components: allowed_principals: description: The ARN of the principals that can access Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). example: - - arn:aws:iam::account-number-without-hyphens:user/username - - arn:aws:iam::account-number-without-hyphens:root + - "arn:aws:iam::account-number-without-hyphens:user/username" + - "arn:aws:iam::account-number-without-hyphens:root" items: type: string type: array
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
index f0079ce..bdfa53a 100644
--- a/cloud-dataplane/overlays/remove-resource-type-any.yaml
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
@@ -7,7 +7,7 @@ info: actions: # Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY - - target: "$.components.schemas.CreateACLRequest.properties.resource_type.$ref" + - target: "$.components.schemas.CreateACLRequest.properties.resource_type" update: description: |- The type of resource (topic, consumer group, etc.) this
From a4d233d70df892e85685ea302d9b9aa6ee805311 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Mon, 6 Oct 2025 15:37:01 -0700
Subject: [PATCH 07/10] Fix syntax error
---
cloud-controlplane/cloud-controlplane.yaml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cloud-controlplane/cloud-controlplane.yaml b/cloud-controlplane/cloud-controlplane.yaml
index a4379cc..23f156a 100644
--- a/cloud-controlplane/cloud-controlplane.yaml
+++ b/cloud-controlplane/cloud-controlplane.yaml
@@ -25,8 +25,7 @@ components: allowed_principals: description: The ARN of the principals that can access the Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). example: - - "arn:aws:iam::account-number-without-hyphens:user/username" - - "arn:aws:iam::account-number-without-hyphens:root" + - arn:aws:iam::account-number-without-hyphens:user/username or arn:aws:iam::account-number-without-hyphens:root items: type: string type: array
@@ -103,8 +102,7 @@ components: allowed_principals: description: The ARN of the principals that can access Redpanda AWS PrivateLink Endpoint Service. To grant permissions to all principals, use an asterisk (*). example: - - "arn:aws:iam::account-number-without-hyphens:user/username" - - "arn:aws:iam::account-number-without-hyphens:root" + - arn:aws:iam::account-number-without-hyphens:user/username or arn:aws:iam::account-number-without-hyphens:root items: type: string type: array
From 795cad158f9d14939fc2beb407dc079a6cad25e7 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Mon, 6 Oct 2025 15:55:41 -0700
Subject: [PATCH 08/10] Try using a new component schema instead
---
.../overlays/remove-resource-type-any.yaml | 30 +++++++++++--------
1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
index bdfa53a..c92e597 100644
--- a/cloud-dataplane/overlays/remove-resource-type-any.yaml
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
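Review bot: The restored `example` is a single list item that joins two ARNs with "or", so the only element shown for `allowed_principals` is not itself a valid principal ARN; this applies to both hunks (`@@ -25,8 +25,7 @@` and `@@ -103,8 +102,7 @@`). Because this field is an allow-list that readers tend to copy, each ARN should stay its own item, as in `- arn:aws:iam::account-number-without-hyphens:user/username` followed by `- arn:aws:iam::account-number-without-hyphens:root`. The failure this commit works around is not visible in the patch, so it may be worth fixing that at its source rather than reverting the example. Both property definitions begin and end outside the hunks.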
@@ -6,19 +6,23 @@ info: version: 1.0.0 actions: + - target: "$.components.schemas" + update: + CreateACLResourceType: + description: |- + The type of resource (topic, consumer group, etc.) this + ACL targets. + enum: + - "RESOURCE_TYPE_TOPIC" + - "RESOURCE_TYPE_GROUP" + - "RESOURCE_TYPE_CLUSTER" + - "RESOURCE_TYPE_TRANSACTIONAL_ID" + - "RESOURCE_TYPE_DELEGATION_TOKEN" + - "RESOURCE_TYPE_USER" + - "RESOURCE_TYPE_REGISTRY" + - "RESOURCE_TYPE_SUBJECT" + type: "string" # Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY - target: "$.components.schemas.CreateACLRequest.properties.resource_type" update: - description: |- - The type of resource (topic, consumer group, etc.) this - ACL targets. - enum: - - "RESOURCE_TYPE_TOPIC" - - "RESOURCE_TYPE_GROUP" - - "RESOURCE_TYPE_CLUSTER" - - "RESOURCE_TYPE_TRANSACTIONAL_ID" - - "RESOURCE_TYPE_DELEGATION_TOKEN" - - "RESOURCE_TYPE_USER" - - "RESOURCE_TYPE_REGISTRY" - - "RESOURCE_TYPE_SUBJECT" - type: "string" \ No newline at end of file + $ref: '#/components/schemas/CreateACLResourceType' \ No newline at end of file
From 91c497f7e9f1d89b108f3c3f3d0232bf6f24e832 Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Thu, 9 Oct 2025 10:13:56 -0700
Subject: [PATCH 09/10] Fix api_gateway_access
---
cloud-controlplane/overlays/update-api-gateway-access.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloud-controlplane/overlays/update-api-gateway-access.yaml b/cloud-controlplane/overlays/update-api-gateway-access.yaml
index c45c3b1..75f0980 100644
--- a/cloud-controlplane/overlays/update-api-gateway-access.yaml
+++ b/cloud-controlplane/overlays/update-api-gateway-access.yaml
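Review bot: The comment kept above the second action, `# Replace the $ref with an inline enum that excludes RESOURCE_TYPE_ANY`, no longer matches what the action does: it now points `$ref` at the new `CreateACLResourceType` component, and the first action that adds that component has no comment. I would put `# Add a create-only resource type schema that omits RESOURCE_TYPE_ANY` above the first action and `# Point CreateACLRequest.resource_type at CreateACLResourceType` above the second. Note also that this overlay only changes what the published spec advertises; whether the create-ACL endpoint itself rejects `RESOURCE_TYPE_ANY` cannot be seen from here and should be confirmed on the server side.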
@@ -7,6 +7,6 @@ info: actions: # Target api_gateway_access fields that are descendants of any example field within responses - - target: "$..responses..example*[?(@.api_gateway_access == 'NETWORK_ACCESS_MODE_UNSPECIFIED')]" + - target: "$..responses..example..*[?(@.api_gateway_access == 'NETWORK_ACCESS_MODE_UNSPECIFIED')]" update: api_gateway_access: "NETWORK_ACCESS_MODE_PUBLIC" \ No newline at end of file
From 6c7eea978e6fe41b5864db8033c31f6832f5506c Mon Sep 17 00:00:00 2001
From: Kat Batuigas
Date: Thu, 9 Oct 2025 15:04:24 -0700
Subject: [PATCH 10/10] Note about manually updating resource types
---
cloud-dataplane/overlays/remove-resource-type-any.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cloud-dataplane/overlays/remove-resource-type-any.yaml b/cloud-dataplane/overlays/remove-resource-type-any.yaml
index c92e597..7b9a8b9 100644
--- a/cloud-dataplane/overlays/remove-resource-type-any.yaml
+++ b/cloud-dataplane/overlays/remove-resource-type-any.yaml
@@ -5,6 +5,8 @@ info: title: Remove RESOURCE_TYPE_ANY from Create ACL Request Body version: 1.0.0 +# Note that we will have to manually update this enum if the Cloud team adds +# new resource types in the future. actions: - target: "$.components.schemas" update:
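Review bot: Nothing in this change verifies that the new `target` actually matches, and an overlay action whose JSONPath selects nothing will most likely be skipped without an error, leaving the internal-only `NETWORK_ACCESS_MODE_UNSPECIFIED` in the published examples. As I read `$..responses..example..*[?(...)]`, the filter is applied to children of descendants of `example`, so an object sitting directly under `example`, or anything under an `examples` map, may not be selected; this depends on the JSONPath engine the overlay tool uses. A check in the docs build that fails when the bundled spec still contains `NETWORK_ACCESS_MODE_UNSPECIFIED` would catch both cases. The comment above the action is also stale, since the target is now the object that holds the field; `# Match objects in response examples whose api_gateway_access is NETWORK_ACCESS_MODE_UNSPECIFIED and overwrite that field` would describe it.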
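Review bot: A comment will not stop this list from drifting, and it sits above `actions:` rather than next to the `enum` it describes. I would move it directly above `CreateACLResourceType` and word it as `# Hand-maintained copy of the resource type enum minus RESOURCE_TYPE_ANY; update when new resource types are added`. If the docs build can read the source spec, a check that compares this list with the upstream enum would turn the reminder into a failing test. The `actions` list continues outside the hunk.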