diff --git a/CHANGELOG.md b/CHANGELOG.md index dbcf48da0..ad58a0d78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ `statefulset.podTemplate.spec.securityContext` and `statefulset.podTemplate.spec.containers[*].securityContext` may be used to set/override the pod and container security contexts respectively. +* `appProtocol` added to the `listeners.admin` configuration #### Changed * The container name of the post-upgrade job is now statically set to `post-upgrade` to facilitate strategic merge patching. diff --git a/charts/redpanda/service_internal.go b/charts/redpanda/service_internal.go index 9c94de6fe..ff1c9bd28 100644 --- a/charts/redpanda/service_internal.go +++ b/charts/redpanda/service_internal.go @@ -38,14 +38,16 @@ func ServiceInternal(dot *helmette.Dot) *corev1.Service { // the stateful set and allow the serviceMonitor to target the pods. // This service should not be used by any client application. values := helmette.Unwrap[Values](dot.Values) - ports := []corev1.ServicePort{} + ports = append(ports, corev1.ServicePort{ - Name: "admin", - Protocol: "TCP", - Port: values.Listeners.Admin.Port, - TargetPort: intstr.FromInt32(values.Listeners.Admin.Port), + Name: "admin", + Protocol: "TCP", + AppProtocol: values.Listeners.Admin.AppProtocol, + Port: values.Listeners.Admin.Port, + TargetPort: intstr.FromInt32(values.Listeners.Admin.Port), }) + if values.Listeners.HTTP.Enabled { ports = append(ports, corev1.ServicePort{ Name: "http", diff --git a/charts/redpanda/templates/_service.internal.go.tpl b/charts/redpanda/templates/_service.internal.go.tpl index 7d2333875..9c63aac1c 100644 --- a/charts/redpanda/templates/_service.internal.go.tpl +++ b/charts/redpanda/templates/_service.internal.go.tpl 
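Review bot: `AppProtocol: values.Listeners.Admin.AppProtocol` copies the hint through with no check that it agrees with the listener's TLS setting, and the regression golden added further down renders `appProtocol: http` on the 9644 admin port in the same output where `admin_api_tls` is enabled for the internal listener; anything that honours the hint (service meshes, some L7 load balancers) may then treat a TLS port as plaintext HTTP. At minimum the values field should document the contract, e.g. `// AppProtocol is an application-protocol hint for service meshes and L7 load balancers; it must match the listener, e.g. "https" when admin TLS is enabled.`, and a validation of the value against the TLS setting would be better. The same unconditional copy in the `_service.internal.go.tpl` hunk (`"appProtocol" $values.listeners.admin.appProtocol`) now emits `appProtocol: null` in every existing golden case, while `corev1.ServicePort.AppProtocol` is a `*string` with `omitempty` and so the Go path appears to drop the key when unset; the API server tolerates both, but the two renderers now disagree on the default, so consider only setting the key when a value is configured. Separately, the hunk removes `ports := []corev1.ServicePort{}` while `ports = append(ports, …)` still relies on `ports` being declared, and no replacement declaration is visible here; ServiceInternal's body continues outside the hunk, so confirm the declaration was moved rather than lost.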
@@ -17,7 +17,7 @@ {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} {{- $ports := (list ) -}} -{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} {{- if $values.listeners.http.enabled -}} {{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} {{- end -}} diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar index 62158d8ee..378f6a5b6 100644 --- a/charts/redpanda/testdata/template-cases.golden.txtar +++ b/charts/redpanda/testdata/template-cases.golden.txtar @@ -553,7 +553,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -1882,7 +1883,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -3013,7 +3015,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -4452,7 +4455,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -5737,7 +5741,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -7318,7 +7323,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -8801,7 +8807,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -10373,7 +10380,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -11854,7 +11862,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -13365,7 +13374,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -14925,7 +14935,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -16386,7 +16397,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -17718,7 +17730,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -19067,7 +19080,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -20252,7 +20266,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -21940,7 +21955,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -23382,7 +23398,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -24812,7 +24829,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -26300,7 +26318,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -27844,7 +27863,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -29388,7 +29408,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -30882,7 +30903,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -32406,7 +32428,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -33962,7 +33985,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -35518,7 +35542,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -37025,7 +37050,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -38562,7 +38588,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -40118,7 +40145,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -41674,7 +41702,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -43181,7 +43210,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -44661,7 +44691,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -46088,7 +46119,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -47516,7 +47548,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -49006,7 +49039,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -50455,7 +50489,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -52130,7 +52165,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -53771,7 +53807,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -55287,7 +55324,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -56859,7 +56897,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -58292,7 +58331,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -59756,7 +59796,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -61232,7 +61273,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -62710,7 +62752,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -64032,7 +64075,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -65479,7 +65523,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -67032,7 +67077,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -68558,7 +68604,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -70003,7 +70050,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -71451,7 +71499,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -72936,7 +72985,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -74366,7 +74416,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -75241,6 +75292,1434 @@ spec: secret: defaultMode: 288 secretName: redpanda-external-cert +-- testdata/TestTemplate/app-protocol-regression.yaml.golden -- +--- +# Source: redpanda/templates/poddisruptionbudget.yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda + namespace: default +spec: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + redpanda.com/poddisruptionbudget: redpanda +--- +# Source: redpanda/charts/console/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: redpanda-console + labels: + helm.sh/chart: console-0.7.26 + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + app.kubernetes.io/version: "v2.4.6" + app.kubernetes.io/managed-by: Helm +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-sts-lifecycle + namespace: default +stringData: + common.sh: |- + #!/usr/bin/env bash + + # the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME + CURL_URL="https://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9644" + + # commands used throughout + CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/node_config" + + CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' + CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT 
--silent -o /dev/null -w "%{http_code}"' + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/maintenance" + postStart.sh: |- + #!/usr/bin/env bash + # This code should be similar if not exactly the same as that found in the panda-operator, see + # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go + + # path below should match the path defined on the statefulset + source /var/lifecycle/common.sh + + postStartHook () { + set -x + + touch /tmp/postStartHookStarted + + until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do + sleep 0.5 + done + + echo "Clearing maintenance mode on node ${NODE_ID}" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + # a 400 here would mean not in maintenance mode + until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do + status=$(${CURL_MAINTENANCE_DELETE_CMD}) + sleep 0.5 + done + + touch /tmp/postStartHookFinished + } + + postStartHook + true + preStop.sh: |- + #!/usr/bin/env bash + # This code should be similar if not exactly the same as that found in the panda-operator, see + # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go + + touch /tmp/preStopHookStarted + + # path below should match the path defined on the statefulset + source /var/lifecycle/common.sh + + set -x + + preStopHook () { + until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do + sleep 0.5 + done + + echo "Setting maintenance mode on node ${NODE_ID}" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + until [ "${status:-}" = '"200"' ]; do + status=$(${CURL_MAINTENANCE_PUT_CMD}) + sleep 
0.5 + done + + until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do + res=$(${CURL_MAINTENANCE_GET_CMD}) + finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$') + draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$') + sleep 0.5 + done + + touch /tmp/preStopHookFinished + } + preStopHook + true +type: Opaque +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-config-watcher + namespace: default +stringData: + sasl-user.sh: |- + #!/usr/bin/env bash + + trap 'error_handler $? $LINENO' ERR + + error_handler() { + echo "Error: ($1) occurred at line $2" + } + + set -e + + # rpk cluster health can exit non-zero if it's unable to dial brokers. This + # can happen for many reasons but we never want this script to crash as it + # would take down yet another broker and make a bad situation worse. + # Instead, just wait for the command to eventually exit zero. + echo "Waiting for cluster to be ready" + until rpk cluster health --watch --exit-when-healthy; do + echo "rpk cluster health failed. Waiting 5 seconds before trying again..." + sleep 5 + done + echo "Nothing to do. Sleeping..." 
+ sleep infinity +type: Opaque +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-configurator + namespace: default +stringData: + configurator.sh: |- + set -xe + SERVICE_NAME=$1 + KUBERNETES_NODE_NAME=$2 + POD_ORDINAL=${SERVICE_NAME##*-} + BROKER_INDEX=`expr $POD_ORDINAL + 1` + + CONFIG=/etc/redpanda/redpanda.yaml + + # Setup config files + cp /tmp/base-config/redpanda.yaml "${CONFIG}" + cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml + + LISTENER="{\"address\":\"${SERVICE_NAME}.redpanda.default.svc.cluster.local.\",\"name\":\"internal\",\"port\":9093}" + rpk redpanda config --config "$CONFIG" set redpanda.advertised_kafka_api[0] "$LISTENER" + + ADVERTISED_KAFKA_ADDRESSES=() + + PREFIX_TEMPLATE="" + ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + PREFIX_TEMPLATE="" + ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + PREFIX_TEMPLATE="" + ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + rpk redpanda config --config "$CONFIG" set redpanda.advertised_kafka_api[1] "${ADVERTISED_KAFKA_ADDRESSES[$POD_ORDINAL]}" + + LISTENER="{\"address\":\"${SERVICE_NAME}.redpanda.default.svc.cluster.local.\",\"name\":\"internal\",\"port\":8082}" + rpk redpanda config --config "$CONFIG" set pandaproxy.advertised_pandaproxy_api[0] "$LISTENER" + + ADVERTISED_HTTP_ADDRESSES=() + + PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + 
PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + rpk redpanda config --config "$CONFIG" set pandaproxy.advertised_pandaproxy_api[1] "${ADVERTISED_HTTP_ADDRESSES[$POD_ORDINAL]}" +type: Opaque +--- +# Source: redpanda/templates/configmap.yaml +apiVersion: v1 +data: + bootstrap.yaml: |- + audit_enabled: false + compacted_log_segment_size: 67108864 + default_topic_replications: 3 + enable_rack_awareness: false + enable_sasl: false + group_topic_partitions: 16 + kafka_batch_max_bytes: 1048576 + kafka_connection_rate_limit: 1000 + kafka_enable_authorization: false + log_segment_size: 134217728 + log_segment_size_max: 268435456 + log_segment_size_min: 16777216 + max_compacted_log_segment_size: 536870912 + storage_min_free_bytes: 1073741824 + topic_partitions_per_shard: 1000 + redpanda.yaml: |- + config_file: /etc/redpanda/redpanda.yaml + pandaproxy: + pandaproxy_api: + - address: 0.0.0.0 + name: internal + port: 8082 + - address: 0.0.0.0 + name: default + port: 8083 + pandaproxy_api_tls: + - cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + name: internal + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + pandaproxy_client: + broker_tls: + cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + brokers: + - address: redpanda-0.redpanda.default.svc.cluster.local. + port: 9093 + - address: redpanda-1.redpanda.default.svc.cluster.local. + port: 9093 + - address: redpanda-2.redpanda.default.svc.cluster.local. 
+ port: 9093 + redpanda: + admin: + - address: 0.0.0.0 + name: internal + port: 9644 + - address: 0.0.0.0 + name: default + port: 9645 + admin_api_tls: + - cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + name: internal + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + audit_enabled: false + compacted_log_segment_size: 67108864 + crash_loop_limit: 5 + default_topic_replications: 3 + empty_seed_starts_cluster: false + enable_sasl: false + group_topic_partitions: 16 + kafka_api: + - address: 0.0.0.0 + name: internal + port: 9093 + - address: 0.0.0.0 + name: default + port: 9094 + kafka_api_tls: + - cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + name: internal + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + kafka_batch_max_bytes: 1048576 + kafka_connection_rate_limit: 1000 + kafka_enable_authorization: false + log_segment_size: 134217728 + log_segment_size_max: 268435456 + log_segment_size_min: 16777216 + max_compacted_log_segment_size: 536870912 + rpc_server: + address: 0.0.0.0 + port: 33145 + rpc_server_tls: + cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + seed_servers: + - host: + address: redpanda-0.redpanda.default.svc.cluster.local. + port: 33145 + - host: + address: redpanda-1.redpanda.default.svc.cluster.local. 
+ port: 33145 + - host: + address: redpanda-2.redpanda.default.svc.cluster.local. + port: 33145 + storage_min_free_bytes: 1073741824 + topic_partitions_per_shard: 1000 + rpk: + additional_start_flags: + - --default-log-level=info + - --memory=2048M + - --reserve-memory=205M + - --smp=1 + admin_api: + addresses: + - redpanda-0.redpanda.default.svc.cluster.local.:9644 + - redpanda-1.redpanda.default.svc.cluster.local.:9644 + - redpanda-2.redpanda.default.svc.cluster.local.:9644 + tls: + truststore_file: /etc/tls/certs/default/ca.crt + enable_memory_locking: false + kafka_api: + brokers: + - redpanda-0.redpanda.default.svc.cluster.local.:9093 + - redpanda-1.redpanda.default.svc.cluster.local.:9093 + - redpanda-2.redpanda.default.svc.cluster.local.:9093 + tls: + truststore_file: /etc/tls/certs/default/ca.crt + overprovisioned: false + tune_aio_events: true + schema_registry: + schema_registry_api: + - address: 0.0.0.0 + name: internal + port: 8081 + - address: 0.0.0.0 + name: default + port: 8084 + schema_registry_api_tls: + - cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + name: internal + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + schema_registry_client: + broker_tls: + cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + brokers: + - address: redpanda-0.redpanda.default.svc.cluster.local. + port: 9093 + - address: redpanda-1.redpanda.default.svc.cluster.local. + port: 9093 + - address: redpanda-2.redpanda.default.svc.cluster.local. 
+ port: 9093 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda + namespace: default +--- +# Source: redpanda/templates/configmap.yaml +apiVersion: v1 +data: + profile: |- + admin_api: + addresses: + - redpanda-0:31644 + - redpanda-1:31644 + - redpanda-2:31644 + tls: + ca_file: ca.crt + kafka_api: + brokers: + - redpanda-0:31092 + - redpanda-1:31092 + - redpanda-2:31092 + tls: + ca_file: ca.crt + name: default +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-rpk + namespace: default +--- +# Source: redpanda/templates/console/configmap-and-deployment.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: redpanda-console + labels: + helm.sh/chart: console-0.7.26 + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + app.kubernetes.io/version: "v2.4.6" + app.kubernetes.io/managed-by: Helm + +data: + config.yaml: | + # from .Values.console.config + kafka: + brokers: + - redpanda-0.redpanda.default.svc.cluster.local.:9093 + - redpanda-1.redpanda.default.svc.cluster.local.:9093 + - redpanda-2.redpanda.default.svc.cluster.local.:9093 + sasl: + enabled: false + schemaRegistry: + enabled: true + tls: + caFilepath: /mnt/cert/schemaregistry/default/ca.crt + certFilepath: "" + enabled: true + insecureSkipTlsVerify: false + keyFilepath: "" + urls: + - https://redpanda-0.redpanda.default.svc.cluster.local.:8081 + - https://redpanda-1.redpanda.default.svc.cluster.local.:8081 + - https://redpanda-2.redpanda.default.svc.cluster.local.:8081 + tls: + caFilepath: /mnt/cert/kafka/default/ca.crt + certFilepath: "" + enabled: true + 
insecureSkipTlsVerify: false + keyFilepath: "" + redpanda: + adminApi: + enabled: true + tls: + caFilepath: /mnt/cert/adminapi/default/ca.crt + certFilepath: "" + enabled: true + insecureSkipTlsVerify: false + keyFilepath: "" + urls: + - https://redpanda.default.svc.cluster.local.:9644 +--- +# Source: redpanda/charts/console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: redpanda-console + labels: + helm.sh/chart: console-0.7.26 + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + app.kubernetes.io/version: "v2.4.6" + app.kubernetes.io/managed-by: Helm + +spec: + type: ClusterIP + ports: + - port: 8080 + targetPort: + protocol: TCP + name: http + selector: + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda +--- +# Source: redpanda/templates/service.internal.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + monitoring.redpanda.com/enabled: "false" + name: redpanda + namespace: default +spec: + clusterIP: None + ports: + - appProtocol: http + name: admin + port: 9644 + protocol: TCP + targetPort: 9644 + - name: http + port: 8082 + protocol: TCP + targetPort: 8082 + - name: kafka + port: 9093 + protocol: TCP + targetPort: 9093 + - name: rpc + port: 33145 + protocol: TCP + targetPort: 33145 + - name: schemaregistry + port: 8081 + protocol: TCP + targetPort: 8081 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + type: ClusterIP +--- +# Source: redpanda/templates/service.nodeport.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: 
redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-external + namespace: default +spec: + externalTrafficPolicy: Local + ports: + - name: admin-default + nodePort: 31644 + port: 9645 + protocol: TCP + targetPort: 0 + - name: kafka-default + nodePort: 31092 + port: 9094 + protocol: TCP + targetPort: 0 + - name: http-default + nodePort: 30082 + port: 8083 + protocol: TCP + targetPort: 0 + - name: schema-default + nodePort: 30081 + port: 8084 + protocol: TCP + targetPort: 0 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + sessionAffinity: None + type: NodePort +--- +# Source: redpanda/templates/console/configmap-and-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redpanda-console + labels: + helm.sh/chart: console-0.7.26 + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + app.kubernetes.io/version: "v2.4.6" + app.kubernetes.io/managed-by: Helm + +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + template: + metadata: + annotations: + checksum/config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum-redpanda-chart/config: 65c19475911973d228c79e8d6f1a08b7e0be76e606004dd39d0407f94b49e6c7 + labels: + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + spec: + serviceAccountName: redpanda-console + automountServiceAccountToken: true + securityContext: + fsGroup: 99 + runAsUser: 99 + volumes: + - name: configs + configMap: + name: redpanda-console + - name: kafka-default-cert + secret: + defaultMode: 272 + secretName: redpanda-default-cert + - name: schemaregistry-default-cert + secret: + defaultMode: 272 + secretName: redpanda-default-cert + - name: adminapi-default-cert + secret: + defaultMode: 272 + 
secretName: redpanda-default-cert + containers: + - name: console + args: + - "--config.filepath=/etc/console/configs/config.yaml" + securityContext: + runAsNonRoot: true + image: docker.redpanda.com/redpandadata/console:v2.4.6 + imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 8080 + protocol: TCP + volumeMounts: + - name: configs + mountPath: /etc/console/configs + readOnly: true + - mountPath: /mnt/cert/kafka/default + name: kafka-default-cert + readOnly: true + - mountPath: /mnt/cert/schemaregistry/default + name: schemaregistry-default-cert + readOnly: true + - mountPath: /mnt/cert/adminapi/default + name: adminapi-default-cert + readOnly: true + livenessProbe: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + resources: + {} + env: + - name: KAFKA_TLS_CAFILEPATH + value: /mnt/cert/kafka/default/ca.crt + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /mnt/cert/schemaregistry/default/ca.crt + priorityClassName: +--- +# Source: redpanda/templates/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda + namespace: default +spec: + podManagementPolicy: Parallel + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + serviceName: redpanda + template: + metadata: + annotations: + config.redpanda.com/checksum: 4998796f275bb3f6796333a9d20d48935b40690523108f270b2aec177b1356e6 + creationTimestamp: null + 
labels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + redpanda.com/poddisruptionbudget: redpanda + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + topologyKey: kubernetes.io/hostname + containers: + - command: + - rpk + - redpanda + - start + - --advertise-rpc-addr=$(SERVICE_NAME).redpanda.default.svc.cluster.local.:33145 + env: + - name: SERVICE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + image: docker.redpanda.com/redpandadata/redpanda:v24.2.2 + lifecycle: + postStart: + exec: + command: + - /bin/bash + - -c + - | + timeout -v 45 bash -x /var/lifecycle/postStart.sh + true + preStop: + exec: + command: + - /bin/bash + - -c + - | + timeout -v 45 bash -x /var/lifecycle/preStop.sh + true # do not fail and cause the pod to terminate + livenessProbe: + exec: + command: + - /bin/sh + - -c + - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt + "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready" + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + name: redpanda + ports: + - containerPort: 9644 + name: admin + - containerPort: 9645 + name: admin-default + - containerPort: 8082 + name: http + - containerPort: 8083 + name: http-default + - containerPort: 9093 + name: kafka + - containerPort: 9094 + name: kafka-default + - containerPort: 33145 + name: rpc + - containerPort: 8081 + name: schemaregistry + - containerPort: 8084 + name: schema-default + readinessProbe: + exec: + command: + - /bin/sh + - -c + - | + 
set -x + RESULT=$(rpk cluster health) + echo $RESULT + echo $RESULT | grep 'Healthy:.*true' + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 0 + resources: + limits: + cpu: 1 + memory: 2.5Gi + securityContext: + runAsGroup: 101 + runAsUser: 101 + startupProbe: + exec: + command: + - /bin/sh + - -c + - | + set -e + RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") + echo $RESULT + echo $RESULT | grep ready + failureThreshold: 120 + initialDelaySeconds: 1 + periodSeconds: 10 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/redpanda + name: config + - mountPath: /tmp/base-config + name: redpanda + - mountPath: /var/lifecycle + name: lifecycle-scripts + - mountPath: /var/lib/redpanda/data + name: datadir + - args: + - -c + - trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh + & wait $! 
+ command: + - /bin/sh + env: [] + image: docker.redpanda.com/redpandadata/redpanda:v24.2.2 + name: config-watcher + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/redpanda + name: config + - mountPath: /etc/secrets/config-watcher/scripts + name: redpanda-config-watcher + imagePullSecrets: null + initContainers: + - command: + - /bin/bash + - -c + - rpk redpanda tune all + image: docker.redpanda.com/redpandadata/redpanda:v24.2.2 + name: tuning + resources: {} + securityContext: + capabilities: + add: + - SYS_RESOURCE + privileged: true + runAsGroup: 0 + runAsUser: 0 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/redpanda + name: redpanda + - command: + - /bin/bash + - -c + - trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" + & wait $! 
+ env: + - name: CONFIGURATOR_SCRIPT + value: /etc/secrets/configurator/scripts/configurator.sh + - name: SERVICE_NAME + valueFrom: + configMapKeyRef: null + fieldRef: + fieldPath: metadata.name + resourceFieldRef: null + secretKeyRef: null + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP_ADDRESS + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + image: docker.redpanda.com/redpandadata/redpanda:v24.2.2 + name: redpanda-configurator + resources: {} + securityContext: + allowPrivilegeEscalation: null + runAsGroup: 101 + runAsNonRoot: null + runAsUser: 101 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/redpanda + name: config + - mountPath: /tmp/base-config + name: redpanda + - mountPath: /etc/secrets/configurator/scripts/ + name: redpanda-configurator + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + terminationGracePeriodSeconds: 90 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: redpanda-default-cert + secret: + defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert + - name: lifecycle-scripts + secret: + defaultMode: 509 + secretName: redpanda-sts-lifecycle + - configMap: + name: redpanda + name: redpanda + - emptyDir: {} + name: config + - name: redpanda-configurator + secret: + defaultMode: 509 + secretName: redpanda-configurator + - name: redpanda-config-watcher + secret: + defaultMode: 509 + secretName: 
redpanda-config-watcher + - name: datadir + persistentVolumeClaim: + claimName: datadir + updateStrategy: + type: RollingUpdate + volumeClaimTemplates: + - metadata: + annotations: null + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + name: datadir + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + status: {} +--- +# Source: redpanda/templates/console/configmap-and-deployment.yaml +# before license changes, this was not printing a secret, so we gather in which case to print +# for now only if we have a license do we print, however, this may be an issue for some +# since if we do include a license we MUST also print all secret items. +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-default-root-certificate + namespace: default +spec: + commonName: redpanda-default-root-certificate + duration: 43800h + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-default-selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-default-root-certificate +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-external-root-certificate + namespace: default +spec: + commonName: redpanda-external-root-certificate + duration: 43800h + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: 
redpanda-external-selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-external-root-certificate +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-default-cert + namespace: default +spec: + dnsNames: + - redpanda-cluster.redpanda.default.svc.cluster.local + - redpanda-cluster.redpanda.default.svc + - redpanda-cluster.redpanda.default + - '*.redpanda-cluster.redpanda.default.svc.cluster.local' + - '*.redpanda-cluster.redpanda.default.svc' + - '*.redpanda-cluster.redpanda.default' + - redpanda.default.svc.cluster.local + - redpanda.default.svc + - redpanda.default + - '*.redpanda.default.svc.cluster.local' + - '*.redpanda.default.svc' + - '*.redpanda.default' + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-default-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-default-cert +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-external-cert + namespace: default +spec: + dnsNames: + - redpanda-cluster.redpanda.default.svc.cluster.local + - redpanda-cluster.redpanda.default.svc + - redpanda-cluster.redpanda.default + - '*.redpanda-cluster.redpanda.default.svc.cluster.local' + - '*.redpanda-cluster.redpanda.default.svc' + - '*.redpanda-cluster.redpanda.default' + - redpanda.default.svc.cluster.local + - redpanda.default.svc + - redpanda.default + - 
'*.redpanda.default.svc.cluster.local' + - '*.redpanda.default.svc' + - '*.redpanda.default' + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-external-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-external-cert +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-default-selfsigned-issuer + namespace: default +spec: + selfSigned: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-default-root-issuer + namespace: default +spec: + ca: + secretName: redpanda-default-root-certificate +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-external-selfsigned-issuer + namespace: default +spec: + selfSigned: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-external-root-issuer + namespace: default +spec: + ca: + 
secretName: redpanda-external-root-certificate +--- +# Source: redpanda/charts/console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "redpanda-console-test-connection" + labels: + helm.sh/chart: console-0.7.26 + app.kubernetes.io/name: console + app.kubernetes.io/instance: redpanda + app.kubernetes.io/version: "v2.4.6" + app.kubernetes.io/managed-by: Helm + + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['redpanda-console:8080'] + restartPolicy: Never + priorityClassName: +--- +# Source: redpanda/templates/post-install-upgrade-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-5" + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-configuration + namespace: default +spec: + template: + metadata: + annotations: {} + creationTimestamp: null + generateName: redpanda-post- + labels: + app.kubernetes.io/component: redpanda-post-install + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + spec: + affinity: {} + containers: + - args: + - | + set -e + if [[ -n "$REDPANDA_LICENSE" ]] then + rpk cluster license set "$REDPANDA_LICENSE" + fi + + + + + rpk cluster config export -f /tmp/cfg.yml + + + for KEY in "${!RPK_@}"; do + config="${KEY#*RPK_}" + rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}" + done + + + rpk cluster config import -f /tmp/cfg.yml + command: + - bash + - -c + env: [] + image: docker.redpanda.com/redpandadata/redpanda:v24.2.2 + name: post-install + resources: {} + securityContext: + runAsGroup: 101 + runAsUser: 101 + volumeMounts: + - mountPath: /etc/redpanda + name: config + - mountPath: 
/etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + imagePullSecrets: null + nodeSelector: {} + restartPolicy: Never + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + tolerations: null + volumes: + - configMap: + name: redpanda + name: config + - name: redpanda-default-cert + secret: + defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert +--- +# Source: redpanda/templates/post-upgrade.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-10" + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.15 + name: redpanda-post-upgrade + namespace: default +spec: + backoffLimit: null + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda-post-upgrade + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + name: redpanda + spec: + affinity: {} + containers: + - args: + - | + set -e + + rpk cluster config set default_topic_replications 3 + rpk cluster config set storage_min_free_bytes 1073741824 + if [ -d "/etc/secrets/users/" ]; then + IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + --cacert /etc/tls/certs/default/ca.crt \ + -X PUT -u ${USER_NAME}:${PASSWORD} \ + https://redpanda.default.svc.cluster.local.:9644/v1/debug/restart_service?service=schema-registry || true + fi + command: + - /bin/bash + - -c + env: [] + image: 
docker.redpanda.com/redpandadata/redpanda:v24.2.2 + name: post-upgrade + securityContext: + runAsGroup: 101 + runAsUser: 101 + volumeMounts: + - mountPath: /etc/redpanda + name: config + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + imagePullSecrets: null + nodeSelector: {} + restartPolicy: Never + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + tolerations: [] + volumes: + - configMap: + name: redpanda + name: config + - name: redpanda-default-cert + secret: + defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert -- testdata/TestTemplate/default-sasl-mechanism-regression.yaml.golden -- --- # Source: redpanda/templates/poddisruptionbudget.yaml @@ -75922,7 +77401,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -77405,7 +78885,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -78870,7 +80351,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -80312,7 +81794,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -81742,7 +83225,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -83207,7 +84691,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -84649,7 +86134,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -86067,7 +87553,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -87532,7 +89019,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -88974,7 +90462,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -90392,7 +91881,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -91864,7 +93354,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -93313,7 +94804,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -94740,7 +96232,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -96214,7 +97707,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -97665,7 +99159,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -99092,7 +100587,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -100566,7 +102062,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -102017,7 +103514,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
@@ -103444,7 +104942,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -104675,7 +106174,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -105952,7 +107452,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -107458,7 +108959,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -109031,7 +110533,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -110456,7 +111959,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -111928,7 +113432,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -113377,7 +114882,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -114804,7 +116310,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -116278,7 +117785,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -117729,7 +119237,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 @@ -119156,7 +120665,8 @@ metadata: spec: clusterIP: None ports: - - name: admin + - appProtocol: null + name: admin port: 9644 protocol: TCP targetPort: 9644 
diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar
index 6138640c4..9c0664c73 100644
--- a/charts/redpanda/testdata/template-cases.txtar
+++ b/charts/redpanda/testdata/template-cases.txtar
@@ -266,3 +266,12 @@ post_upgrade_job:
 value: "HELM"
 securityContext:
 privileged: false
+
+-- app-protocol-regression --
+# Regression test for admin.appProtocol
+# ASSERT-NO-ERROR
+# ASSERT-GOLDEN
+# ASSERT-FIELD-EQUALS ["v1/Service", "default/redpanda", "{.spec.ports[*].appProtocol}", "http"]
+listeners:
+ admin:
+ appProtocol: http
\ No newline at end of file
diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go
index 5e845f657..20859603e 100644
--- a/charts/redpanda/values.go
+++ b/charts/redpanda/values.go
@@ -1030,9 +1030,10 @@ func (t *ExternalTLS) IsEnabled(i *InternalTLS, tls *TLS) bool {
 }
 
 type AdminListeners struct {
- External ExternalListeners[AdminExternal] `json:"external"`
- Port int32 `json:"port" jsonschema:"required"`
- TLS InternalTLS `json:"tls" jsonschema:"required"`
+ External ExternalListeners[AdminExternal] `json:"external"`
+ Port int32 `json:"port" jsonschema:"required"`
+ AppProtocol *string `json:"appProtocol,omitempty"`
+ TLS InternalTLS `json:"tls" jsonschema:"required"`
 }
 
 func (l *AdminListeners) ConsoleTLS(tls *TLS) config.RedpandaAdminAPITLS {
diff --git a/charts/redpanda/values.schema.json b/charts/redpanda/values.schema.json
index 0d67aa521..24a2662a4 100644
--- a/charts/redpanda/values.schema.json
+++ b/charts/redpanda/values.schema.json
@@ -922,6 +922,9 @@
 "properties": {
 "admin": {
 "properties": {
+ "appProtocol": {
+ "type": "string"
+ },
 "external": {
 "minProperties": 1,
 "patternProperties": {
diff --git a/charts/redpanda/values.yaml b/charts/redpanda/values.yaml
index e54700c37..c1f8f1081 100644
--- a/charts/redpanda/values.yaml
+++ b/charts/redpanda/values.yaml
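Review bot: The new regression case's `{.spec.ports[*].appProtocol}` selector does not distinguish the admin port from the others, so the assertion would still pass if a later change copied the hint onto the http or schema-registry port, or moved it off admin entirely, as long as one port carried "http". Selecting the port by name pins what the case is meant to guard: `# ASSERT-FIELD-EQUALS ["v1/Service", "default/redpanda", "{.spec.ports[?(@.name==\"admin\")].appProtocol}", "http"]` — assuming the harness's JSONPath implementation supports filter expressions, which this diff does not show. Separately, the fixture advertises `http` for a listener that the golden output above probes over `https://…:9644`; if admin TLS is on by default, `https` would be the more representative value for an example users will copy. The new file also lacks a trailing newline.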
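Review bot: The new `AppProtocol` field has no doc comment, yet it is the one place that can tell a reader what the value means: it is handed through verbatim to the admin `ServicePort` (see the service_internal.go hunk), Kubernetes field validation only accepts IANA service names or domain-prefixed values, and service meshes such as Istio use the hint for protocol selection, so declaring `http` on a listener that actually serves TLS (`listeners.admin.tls`) makes proxies treat TLS bytes as plaintext HTTP. I would add above the field: `// AppProtocol is an optional application-protocol hint published on the admin port of the internal Service (for example "https" when listeners.admin.tls is enabled). It is passed through without validation by the chart; Kubernetes accepts only IANA service names or domain-prefixed values.` The struct is shown whole here, but the methods that consume it, such as `ConsoleTLS`, continue outside the hunk.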
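Review bot: The schema accepts any string for `appProtocol`, so a typo or an unprefixed custom name is only rejected at apply time by the API server instead of at `helm lint`/`helm template`. Kubernetes restricts the field to an IANA service name (lowercase alphanumerics and hyphens, at most 15 characters) or a `prefix/name` value, and the schema can carry a `pattern` that mirrors that rule while leaving the exact check to the API server. Since this file appears to be generated from the `jsonschema:` struct tags in values.go (the `required` entries suggest that), the constraint belongs on the Go field, e.g. `AppProtocol *string \`json:"appProtocol,omitempty" jsonschema:"pattern=^([a-z0-9-]{1,15}|[a-z0-9.-]+/[a-zA-Z0-9._-]+)$"\`` with the JSON regenerated, provided the generator accepts `pattern=` as I expect.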
@@ -957,6 +957,8 @@ listeners:
 admin:
 # -- The port for both internal and external connections to the Admin API.
 port: 9644
+ # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+ # appProtocol:
 # -- Optional external access settings.
 external:
 # -- Name of the external listener.
diff --git a/charts/redpanda/values_partial.gen.go b/charts/redpanda/values_partial.gen.go
index 4139f0dfd..2d723f9d1 100644
--- a/charts/redpanda/values_partial.gen.go
+++ b/charts/redpanda/values_partial.gen.go
@@ -380,9 +380,10 @@ type PartialSecurityContext struct {
 }
 
 type PartialAdminListeners struct {
- External PartialExternalListeners[PartialAdminExternal] "json:\"external,omitempty\""
- Port *int32 "json:\"port,omitempty\" jsonschema:\"required\""
- TLS *PartialInternalTLS "json:\"tls,omitempty\" jsonschema:\"required\""
+ External PartialExternalListeners[PartialAdminExternal] "json:\"external,omitempty\""
+ Port *int32 "json:\"port,omitempty\" jsonschema:\"required\""
+ AppProtocol *string "json:\"appProtocol,omitempty\""
+ TLS *PartialInternalTLS "json:\"tls,omitempty\" jsonschema:\"required\""
 }
 
 type PartialHTTPListeners struct {
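Review bot: The commented example `# appProtocol:` shows no value and calls the field an "instrumentation hint", but the hint is not inert: service meshes and ingress controllers use it for protocol selection, so a user who copies `http` (as the new regression fixture does) onto an admin listener that the golden output above probes over `https://…:9644` gets proxies that parse TLS traffic as plaintext HTTP. I would make the constraint and the TLS coupling explicit in the user-facing comment: `# -- Optional application-protocol hint for the admin port of the internal Service (https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol). Must be an IANA service name or a prefixed value and should match the listener's TLS setting, e.g. "https" when tls.enabled is true.` followed by `# appProtocol: https`. The enclosing `listeners:` mapping continues outside the hunk.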