Redpanda Operator CRD Reference
redpanda.vectorized.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the redpanda v1alpha1 API group
Resource Types
AdminAPI
AdminAPI configures listener for the Redpanda Admin API
Appears in:
Field | Description |
---|---|
|
|
|
External lets the user expose the Redpanda Admin API outside of the Kubernetes cluster. For more information see ExternalConnectivityConfig. |
|
Configuration of TLS for Admin API |
AdminAPITLS
AdminAPITLS configures TLS for Redpanda Admin API
If Enabled is set to true, one-way TLS verification is enabled. In that case, a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named '<redpanda-cluster-name>-admin-api-node' in the same namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda.
If RequireClientAuth is set to true, two-way TLS verification is enabled. In that case, a client certificate is generated, which can be retrieved from the Secret named '<redpanda-cluster-name>-admin-api-client'. The CRD exposes no other client authentication setting for this listener, so RequireClientAuth is what stands between an externally exposed Admin API and anonymous callers.
All TLS secrets are stored in the same namespace as the Redpanda cluster.
Additionally, every certificate listed above is also provided in JKS and PKCS#12 form alongside the PEM version. Both stores are protected with a password equal to the name of the Cluster custom resource. That password is predictable to anyone who can list Cluster resources, so the access control on the Kubernetes Secret, not the store password, is what protects the private key.
Appears in:
Field | Description |
---|---|
|
|
|
BasicAuthConfig
BasicAuthConfig holds the credentials a client must present in order to scrape the endpoint
Appears in:
Field | Description |
---|---|
|
|
|
CloudConfig
CloudConfig contains configurations for Redpanda cloud. If you’re running a self-hosted installation, you can ignore this
Appears in:
Field | Description |
---|---|
|
CloudStorageConfig
CloudStorageConfig configures the Data Archiving feature in Redpanda https://vectorized.io/docs/data-archiving
Appears in:
Field | Description |
---|---|
|
Enables data archiving feature |
|
Cloud storage access key |
|
Reference to (Kubernetes) Secret containing the cloud storage secret key. SecretKeyRef must contain the name and namespace of the Secret. The Secret must contain a data entry of the form: data[ |
|
Cloud storage region |
|
Cloud storage bucket |
|
Reconciliation period (default - 10s) |
|
Number of simultaneous uploads per shard (default - 20) |
|
Disable TLS (can be used in tests; never in production, since archived data would then travel to the object store unencrypted) |
|
Path to the certificate that should be used to validate the server certificate |
|
API endpoint for data storage |
|
Used to override TLS port (443) |
|
Cache directory that will be mounted for Redpanda |
|
Determines how to load credentials for archival storage. Supported values are config_file (default), aws_instance_metadata, sts, gcp_instance_metadata (see the cloud_storage_credentials_source property at https://docs.redpanda.com/docs/reference/cluster-properties/). When using config_file then accessKey and secretKeyRef are mandatory. |
Cluster
Cluster is the Schema for the clusters API
apiVersion: redpanda.vectorized.io/v1alpha1
kind: Cluster
metadata:
spec:
Appears in:
Field | Description |
---|---|
|
|
|
|
|
Refer to Kubernetes API documentation for fields of |
|
ClusterCondition
ClusterCondition contains details for the current conditions of the cluster
Appears in:
Field | Description |
---|---|
|
Type is the type of the condition |
|
Last time the condition transitioned from one status to another |
|
Unique, one-word, CamelCase reason for the condition’s last transition |
|
Human-readable message indicating details about last transition |
ClusterConditionType (underlying type: string)
ClusterConditionType is a valid value for ClusterCondition.Type
Appears in:
ClusterList
ClusterList contains a list of Cluster
apiVersion: redpanda.vectorized.io/v1alpha1
kind: ClusterList
metadata:
items:
Field | Description |
---|---|
|
|
|
|
|
Refer to Kubernetes API documentation for fields of |
|
ClusterSpec
ClusterSpec defines the desired state of Cluster
Appears in:
| Field | Description |
| — | — |
| annotations
object (keys:string, values:string) | If specified, Redpanda Pod annotations |
| image
string | Image is the fully qualified name of the Redpanda container |
| version
string | Version is the Redpanda container tag |
| replicas
integer | Replicas determine how big the cluster will be. |
| podDisruptionBudget
PDBConfig | PodDisruptionBudget specifies whether PDB resource should be created for the cluster and how should it be configured. By default this is enabled and defaults to MaxUnavailable=1 |
| resources
RedpandaResourceRequirements | Resources used by the redpanda process running in the container. Beware that there are multiple containers running in the redpanda pod; these can be enabled/disabled and configured from the sidecars field. These containers have separate resource settings, and the amount of resources assigned to them will be required on the cluster on top of the resources defined here |
| sidecars
Sidecars | Sidecars is list of sidecars run alongside redpanda container |
| configuration
RedpandaConfig | Configuration represent redpanda specific configuration |
| tolerations
Toleration array | If specified, Redpanda Pod tolerations |
| nodeSelector
object (keys:string, values:string) | If specified, Redpanda Pod node selectors. For reference please visit https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node |
| storage
StorageSpec | Storage spec for cluster |
| cloudStorage
CloudStorageConfig | Cloud storage configuration for cluster |
| superUsers
Superuser array | List of superusers |
| enableSasl
boolean | SASL enablement flag. Deprecated: replaced by "kafkaEnableAuthorization" |
| kafkaEnableAuthorization
boolean | Enable authorization for Kafka connections. Values are: nil: ignored; authorization is enabled only when enable_sasl is true. true: authorization is required. false: authorization is disabled. See also enableSasl and configuration.kafkaApi[].authenticationMethod. Note that this flag controls authorization (ACL enforcement) only; whether clients must authenticate at all is set per listener by authenticationMethod. |
| additionalConfiguration
object (keys:string, values:string) | For configuration parameters not exposed, a map can be provided for string values. Such values are passed transparently to Redpanda. The key format is "<subsystem>.field", e.g. additionalConfiguration: redpanda.enable_idempotence: "true", redpanda.default_topic_partitions: "3", pandaproxy_client.produce_batch_size_bytes: "2097152". Notes: 1. versioning is not supported for map keys; 2. key names not supported by Redpanda will lead to failure on start up; 3. updating this map requires a manual restart of the Redpanda pods, so be aware of the sync period when a Redpanda pod is restarted; 4. keys that conflict with existing struct fields are not allowed, as they lead to a panic. By default, if Replicas is 3 or more and redpanda.default_topic_partitions is not set, the default webhook sets redpanda.default_topic_partitions to 3. |
| dnsTrailingDotDisabled
boolean | DNSTrailingDotDisabled gives the ability to turn off the fully-qualified DNS name. http://www.dns-sd.org/trailingdotsindomainnames.html |
| restartConfig
RestartConfig | RestartConfig allows controlling the behavior of the cluster when restarting |
| licenseRef
SecretKeyRef | If key is not provided in the SecretRef, Secret data should have key "license" |
| initialValidationForVolume
boolean | When InitialValidationForVolume is enabled the mounted Redpanda data folder will be checked if: - it is a dir - it has an XFS file system - it can create a test file and delete it |
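As an added example (not the operator's own code or its admission webhook), the following Go program lints a Cluster manifest against the rules spelled out in this table and in the listener sections: the port-collision check the webhook performs (the external Kafka listener occupies kafkaApi.port + 1 inside the container), the nil/true/false precedence of kafkaEnableAuthorization over the deprecated enableSasl, and whether every externally exposed listener has TLS and an authentication method. The JSON keys under spec.configuration (rpcServer, kafkaApi, adminApi, port, external, tls, requireClientAuth, authenticationMethod) are assumed from the operator's conventions, since this page names the types but not every key; the two manifests are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the v1alpha1 Cluster schema. The listener keys (port, external, tls,
// requireClientAuth, authenticationMethod) and the keys under spec.configuration
// are ASSUMED from operator conventions; the page names the types, not every key.
type Listener struct {
	Port                 int                                                                          `json:"port"`
	External             struct{ Enabled bool `json:"enabled"` }                                       `json:"external"`
	TLS                  struct{ Enabled bool `json:"enabled"`; RequireClientAuth bool `json:"requireClientAuth"` } `json:"tls"`
	AuthenticationMethod string                                                                       `json:"authenticationMethod"`
}

type Cluster struct {
	Spec struct {
		EnableSasl               bool  `json:"enableSasl"`
		KafkaEnableAuthorization *bool `json:"kafkaEnableAuthorization"`
		Configuration            struct {
			RPCServer Listener   `json:"rpcServer"`
			KafkaAPI  []Listener `json:"kafkaApi"`
			AdminAPI  []Listener `json:"adminApi"`
		} `json:"configuration"`
	} `json:"spec"`
}

type group struct {
	name string
	ls   []Listener
}

// AuthorizationEnabled applies the documented precedence: an unset
// kafkaEnableAuthorization is ignored and the deprecated enableSasl decides.
func AuthorizationEnabled(c Cluster) bool {
	if v := c.Spec.KafkaEnableAuthorization; v != nil {
		return *v
	}
	return c.Spec.EnableSasl
}

// Lint parses a Cluster manifest given as JSON (kubectl accepts JSON as well as
// YAML) and returns findings; an empty slice means the manifest passed.
func Lint(doc string) ([]string, error) {
	var c Cluster
	if err := json.Unmarshal([]byte(doc), &c); err != nil {
		return nil, err
	}
	var out []string
	cfg := c.Spec.Configuration
	groups := []group{{"rpcServer", []Listener{cfg.RPCServer}}, {"kafkaApi", cfg.KafkaAPI}, {"adminApi", cfg.AdminAPI}}

	// 1. Port collisions, which the page says the admission webhook rejects. The
	//    Kafka external listener is derived: kafkaApi.port+1 inside the container.
	used := map[int]string{}
	claim := func(port int, name string) {
		if prev, ok := used[port]; ok && port != 0 {
			out = append(out, fmt.Sprintf("port %d is claimed by both %s and %s", port, prev, name))
		}
		used[port] = name
	}
	internalKafka, externalKafka := 0, false
	for _, g := range groups {
		for _, l := range g.ls {
			if !l.External.Enabled {
				claim(l.Port, g.name)
				if g.name == "kafkaApi" {
					internalKafka = l.Port
				}
				continue
			}
			externalKafka = externalKafka || g.name == "kafkaApi"
			// 2. Anything reachable through a NodePort must be encrypted and authenticated;
			//    for the Admin API the only client authentication is requireClientAuth.
			if !l.TLS.Enabled {
				out = append(out, "external "+g.name+" listener has tls.enabled=false (plaintext over NodePort)")
			}
			if m := l.AuthenticationMethod; (m == "" || m == "none") && !l.TLS.RequireClientAuth {
				out = append(out, "external "+g.name+" listener accepts unauthenticated clients")
			}
		}
	}
	if externalKafka && internalKafka != 0 {
		claim(internalKafka+1, "kafkaApi external (kafkaApi.port+1)")
	}
	// 3. With authorization off, every client that can connect has full access.
	if !AuthorizationEnabled(c) {
		out = append(out, "Kafka authorization is off (kafkaEnableAuthorization unset/false, enableSasl false)")
	}
	return out, nil
}

// Constructed sample manifests for the lint, not taken from any real deployment.
const WeakCluster = `{"apiVersion":"redpanda.vectorized.io/v1alpha1","kind":"Cluster","metadata":{"name":"demo"},
 "spec":{"configuration":{"rpcServer":{"port":33145},
 "kafkaApi":[{"port":9092},{"external":{"enabled":true}}],"adminApi":[{"port":9093}]}}}`

const HardenedCluster = `{"apiVersion":"redpanda.vectorized.io/v1alpha1","kind":"Cluster","metadata":{"name":"demo"},
 "spec":{"kafkaEnableAuthorization":true,"configuration":{"rpcServer":{"port":33145},
 "kafkaApi":[{"port":9092,"tls":{"enabled":true},"authenticationMethod":"sasl"},
 {"external":{"enabled":true},"tls":{"enabled":true},"authenticationMethod":"sasl"}],"adminApi":[{"port":9644}]}}}`
```

Running Lint over WeakCluster reports four findings (the 9093 collision between the internal Admin API and the derived external Kafka port, a plaintext external Kafka listener, no authentication on it, and authorization off); HardenedCluster reports none. The checks are intentionally conservative: a listener is only flagged when the manifest makes it external, because internal listeners are covered by the cluster network rather than a NodePort.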
Connect
Connect defines configurable fields for Kafka Connect
Appears in:
Field | Description |
---|---|
|
|
|
|
|
|
|
|
|
ConnectCluster
ConnectCluster defines configurable fields for the Kafka Connect cluster
Appears in:
Field | Description |
---|---|
|
|
|
|
TLS configures mTLS auth |
|
|
BasicAuthRef configures basic auth credentials referenced by Secret Expects to have keys "username", "password" |
|
TokenRef configures token header auth referenced by Secret Expects to have key "token" |
ConnectClusterTLS
ConnectClusterTLS defines TLS certificates for the Kafka Connect cluster
Appears in:
Field | Description |
---|---|
|
|
|
SecretKeyRef configures certificate used for mTLS auth referenced by Secret Expects to have keys "tls.crt", "tls.key", "ca.crt" |
|
Connectivity
Connectivity defines internal/external hosts
Appears in:
Field | Description |
---|---|
|
|
|
Console
Console is the Schema for the consoles API
apiVersion: redpanda.vectorized.io/v1alpha1
kind: Console
metadata:
spec:
Appears in:
Field | Description |
---|---|
|
|
|
|
|
Refer to Kubernetes API documentation for fields of |
|
ConsoleList
ConsoleList contains a list of Console
apiVersion: redpanda.vectorized.io/v1alpha1
kind: ConsoleList
metadata:
items:
Field | Description |
---|---|
|
|
|
|
|
Refer to Kubernetes API documentation for fields of |
|
ConsoleSpec
ConsoleSpec defines the desired state of Console Most of the fields here are copied from Console config REF https://github.com/redpanda-data/console/blob/master/backend/pkg/api/config.go
Appears in:
Field | Description |
---|---|
|
Prefix for all exported prometheus metrics |
|
Only relevant for developers, who might want to run the frontend separately |
|
|
|
|
|
The referenced Redpanda Cluster |
|
|
|
|
|
|
|
If you don’t provide an enterprise license, Console ignores configurations for enterprise features REF https://docs.redpanda.com/docs/console/reference/config/ If key is not provided in the SecretRef, Secret data should have key "license" |
|
Login contains all configurations in order to protect Console with a login screen Configure one or more of the below identity providers in order to support SSO This feature requires an Enterprise license REF https://docs.redpanda.com/docs/console/single-sign-on/identity-providers/google/ |
|
Ingress contains configuration for the Console ingress. |
|
Cloud contains configurations for Redpanda cloud. If you’re running a self-hosted installation, you can ignore this |
|
Redpanda contains configurations that are Redpanda specific |
|
SecretStore contains the configuration for the cloud provider secret manager |
CredentialsSource (underlying type: string)
CredentialsSource represents a mechanism for loading credentials for archival storage
Appears in:
Deployment
Deployment defines configurable fields for the Console Deployment resource
Appears in:
Field | Description |
---|---|
|
|
|
|
|
|
|
Enterprise
Enterprise defines configurable fields for features that require license
Appears in:
Field | Description |
---|---|
|
Console uses role-based access control (RBAC) to restrict system access to authorized users |
EnterpriseLogin
EnterpriseLogin defines configurable fields to enable SSO Authentication for supported login providers
Appears in:
Field | Description |
---|---|
|
|
|
JWTSecret is the Secret used to sign and encrypt the JSON Web Tokens that the backend uses for session management. If a key is not provided in the reference, the default key is "jwt". |
|
|
|
EnterpriseLoginGoogle
EnterpriseLoginGoogle defines configurable fields for Google provider
Appears in:
Field | Description |
---|---|
|
|
|
ClientCredentials is the Secret that contains SSO credentials The Secret should contain keys "clientId", "clientSecret" |
|
Use Google groups in your RBAC role bindings. |
EnterpriseLoginGoogleDirectory
EnterpriseLoginGoogleDirectory defines configurable fields for enabling RBAC Google groups sync
Appears in:
Field | Description |
---|---|
|
ServiceAccountRef is the ConfigMap that contains the Google Service Account JSON. The ConfigMap should contain the "sa.json" key. Note that a service account key is a long-lived credential and a ConfigMap does not get the protections that are usually reserved for Secrets (RBAC conventions, encryption at rest configured for Secrets); restrict who can read this ConfigMap accordingly. |
|
TargetPrincipal is the user that shall be impersonated by the service account |
EnterpriseLoginRedpandaCloud
EnterpriseLoginRedpandaCloud defines configurable fields for RedpandaCloud SSO provider
Appears in:
Field | Description |
---|---|
|
|
|
Domain is the domain of the auth server |
|
Audience is the domain where this auth is intended for |
|
AllowedOrigins indicates if response is allowed from given origin |
EnterpriseRBAC
EnterpriseRBAC defines configurable fields for specifying RBAC Authorization
Appears in:
Field | Description |
---|---|
|
|
|
RoleBindingsRef is the ConfigMap that contains the RBAC file The ConfigMap should contain "rbac.yaml" key |
ExternalConnectivityConfig
ExternalConnectivityConfig adds a listener that can be reached from outside the Kubernetes cluster. A Service of type NodePort is used to allocate a unique port on each Kubernetes node, and those nodes must be reachable from the client's perspective. Setting up any additional resources, in the cloud or on premises, is the responsibility of the Redpanda operator user, e.g. allowing the nodes to be reached by adding a rule to an AWS security group. Inside the container, Configuration.KafkaAPI.Port + 1 is used as the external listener port; this port is tied to the autogenerated host port. Collisions between the Kafka external, Kafka internal, Admin, Pandaproxy, Schema Registry and RPC ports are checked by the webhook. An optional endpointTemplate can be used to configure the advertised addresses for the Kafka API and Pandaproxy; it is disallowed for other listeners. Because a NodePort listener is reachable by anything that can reach the node, enable TLS and an authenticationMethod on every external listener; the firewall rule is the only other control in front of it.
Appears in:
Field | Description |
---|---|
|
Enabled enables the external connectivity feature |
|
Subdomain can be used to change the behavior of an advertised KafkaAPI. Each broker advertises Kafka API as follows ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT. If Subdomain is empty then each broker advertises Kafka API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT. If TLS is enabled then this subdomain will be requested as a subject alternative name. |
|
EndpointTemplate is a Golang template string that allows customizing each broker advertised address. Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT by default for advertised addresses. When an EndpointTemplate is provided, then the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: - Index: the Redpanda broker progressive number - HostIP: the ip address of the Node, as reported in pod status |
Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic. |
|
|
The preferred address type to be assigned to the external advertised addresses. The valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP, and Hostname. When the address of the preferred type is not found the advertised addresses remains empty. The default preferred address type is ExternalIP. This option only applies when Subdomain is empty. |
|
Configures a load balancer for bootstrapping |
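To make the endpointTemplate rules above concrete, here is an added Go example (not operator code) that renders the advertised address for a few brokers with text/template using the two documented variables, Index and HostIP. It assumes a subdomain of rp.example.com, an external port of 31092, and placeholder node IPs, and it does not wire in Sprig, so only text/template built-ins are available. It also rejects rendered endpoints that are empty or contain a dot: the page says the subdomain is requested as a subject alternative name, and assuming the usual wildcard *.SUBDOMAIN, only a single DNS label in front of it is covered by the certificate.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Broker carries the two variables the page documents for endpointTemplate:
// Index (the broker's progressive number) and HostIP (node IP from pod status).
type Broker struct {
	Index  int
	HostIP string
}

// Endpoint renders the ENDPOINT part of an advertised address. An empty template
// yields the broker index, reproducing the default BROKER_ID.SUBDOMAIN form.
// Only text/template built-ins are available; Sprig is deliberately not wired in
// (an assumption of this example). Unknown fields on struct data already fail at
// render time; missingkey=error makes map data behave the same way.
func Endpoint(tmpl string, b Broker) (string, error) {
	if tmpl == "" {
		return fmt.Sprint(b.Index), nil
	}
	t, err := template.New("endpoint").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	ep := buf.String()
	// The page says the subdomain is requested as a SAN. Assuming the usual
	// wildcard *.SUBDOMAIN, only a single DNS label in front of it is covered,
	// so an empty or dotted endpoint would fail hostname verification.
	if ep == "" || strings.Contains(ep, ".") {
		return "", fmt.Errorf("endpoint %q is not a single DNS label", ep)
	}
	return ep, nil
}

// AdvertisedAddress applies the documented rules: ENDPOINT.SUBDOMAIN:PORT when a
// subdomain is set, otherwise NODE_IP:PORT. HostIP stands in for the preferred
// node address (the documented default type is ExternalIP); without a subdomain
// there is no BROKER_ID part, so the template is ignored.
func AdvertisedAddress(tmpl, subdomain string, port int, b Broker) (string, error) {
	if subdomain == "" {
		return fmt.Sprintf("%s:%d", b.HostIP, port), nil
	}
	ep, err := Endpoint(tmpl, b)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s.%s:%d", ep, subdomain, port), nil
}

func main() {
	// Constructed brokers; the node IPs are placeholders.
	brokers := []Broker{{0, "10.0.1.11"}, {1, "10.0.1.12"}, {2, "10.0.1.13"}}
	templates := []string{"", `{{printf "kafka-%02d" .Index}}`, "{{.HostIP}}", "{{.HostIp}}"}
	for _, tmpl := range templates {
		for _, b := range brokers {
			addr, err := AdvertisedAddress(tmpl, "rp.example.com", 31092, b)
			if err != nil {
				fmt.Printf("template %q broker %d: rejected: %v\n", tmpl, b.Index, err)
				break
			}
			fmt.Printf("template %q broker %d: %s\n", tmpl, b.Index, addr)
		}
	}
}
```

The last two templates in main are there to show the failure modes: {{.HostIP}} renders a dotted label that a wildcard certificate cannot cover, and {{.HostIp}} is a typo that text/template rejects at render time rather than advertising an empty hostname.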
IngressConfig
IngressConfig defines ingress specification
Appears in:
Field | Description |
---|---|
|
Indicates if ingress is enabled (true when unspecified). |
|
Optional annotations for the generated ingress. |
|
If present, it’s appended to the subdomain to form the ingress hostname. |
KafkaAPI
KafkaAPI configures listener for the Kafka API
Appears in:
Field | Description |
---|---|
|
|
|
External lets the user expose Redpanda nodes outside of the Kubernetes cluster. For more information see ExternalConnectivityConfig. |
|
Configuration of TLS for Kafka API |
|
AuthenticationMethod enables an authentication method per Kafka listener. Available options are: none, sasl, mtls_identity. https://docs.redpanda.com/docs/security/authentication/ |
KafkaAPITLS
KafkaAPITLS configures TLS for redpanda Kafka API
If Enabled is set to true, one-way TLS verification is enabled. In that case, a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret with the same name and namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda.
If RequireClientAuth is set to true, two-way TLS verification is enabled. In that case, a node certificate and three client certificates are created. The node certificate is used by the Redpanda nodes.
The three client certificates are the following: 1. The operator client certificate is for internal use by this Kubernetes operator. 2. The admin client certificate is meant to be used by your internal infrastructure other than the operator; you might not need it in your setup. It can be retrieved from the Secret named '<redpanda-cluster-name>-admin-client'. 3. The user client certificate is available for Redpanda users to call the Kafka API. It can be retrieved from the Secret named '<redpanda-cluster-name>-user-client'.
All TLS secrets are stored in the same namespace as the Redpanda cluster. Any principal that can read them can present a client certificate the listener trusts, so restrict get/list on Secrets in that namespace accordingly.
Additionally, every certificate listed above is also provided in JKS and PKCS#12 form alongside the PEM version. Both stores are protected with a password equal to the name of the Cluster custom resource, which is not a secret; the Kubernetes Secret's access control, not the store password, protects the key material.
Appears in:
Field | Description |
---|---|
|
|
|
References cert-manager Issuer or ClusterIssuer. When provided, this issuer will be used to issue node certificates. Typically you want to provide the issuer when a generated self-signed one is not enough and you need to have a verifiable chain with a proper CA certificate. |
|
If provided, operator uses certificate in this secret instead of issuing its own node certificate. The secret is expected to provide the following keys: 'ca.crt', 'tls.key' and 'tls.crt' If NodeSecretRef points to secret in different namespace, operator will duplicate the secret to the same namespace as redpanda CRD to be able to mount it to the nodes |
|
Enables two-way verification on the server side. If enabled, all Kafka API clients are required to have a valid client certificate. |
LoadBalancerConfig
LoadBalancerConfig defines the load balancer specification
Appears in:
Field | Description |
---|---|
|
If specified, sets the load balancer service annotations. Example usage includes configuring the load balancer to be an internal one through provider-specific annotations. |
|
The port used to communicate to the load balancer. |
LoadBalancerStatus
LoadBalancerStatus reports the load balancer status as generated by the load balancer core service
Appears in:
Field | Description |
---|---|
|
Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. |
NamespaceNameRef
NamespaceNameRef contains namespace and name to inspect or modify the referred object REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
Appears in:
Field | Description |
---|---|
|
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
NodesList
NodesList shows where a client of the Cluster custom resource can reach the various listeners of the Redpanda cluster
Appears in:
Field | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
PDBConfig
PDBConfig specifies how the PodDisruptionBudget should be created for the redpanda cluster. PDB will be created for the deployed cluster if Enabled is set to true.
Appears in:
Field | Description |
---|---|
|
Enabled specifies whether PDB should be generated for the cluster. It defaults to true |
|
An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%". This is a mutually exclusive setting with "maxUnavailable". you can read more in https://kubernetes.io/docs/tasks/run-application/configure-pdb/ |
|
An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable". This property defaults to 1. you can read more in https://kubernetes.io/docs/tasks/run-application/configure-pdb/ |
PandaproxyAPI
PandaproxyAPI configures listener for the Pandaproxy API
Appears in:
Field | Description |
---|---|
|
|
|
External lets the user expose Redpanda nodes outside of the Kubernetes cluster. For more information see ExternalConnectivityConfig. |
|
Configuration of TLS for Pandaproxy API |
|
AuthenticationMethod enables an authentication method per Pandaproxy listener. Available options are: none, http_basic. |
PandaproxyAPITLS
PandaproxyAPITLS configures the TLS of the Pandaproxy API
If Enabled is set to true, one-way TLS verification is enabled. In that case, a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named '<redpanda-cluster-name>-proxy-api-node' in the same namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda.
If RequireClientAuth is set to true, two-way TLS verification is enabled. If ClientCACertRef is provided, the operator configures the Pandaproxy to trust the CA certificate it contains. Otherwise, a client certificate is generated, which can be retrieved from the Secret named '<redpanda-cluster-name>-proxy-api-client'.
All TLS secrets are stored in the same namespace as the Redpanda cluster.
Additionally, every certificate listed above is also provided in JKS and PKCS#12 form alongside the PEM version. Both stores are protected with a password equal to the name of the Cluster custom resource, which is not a secret; the Kubernetes Secret's access control, not the store password, protects the key material.
Appears in:
Field | Description |
---|---|
|
|
|
References cert-manager Issuer or ClusterIssuer. When provided, this issuer will be used to issue node certificates. Typically you want to provide the issuer when a generated self-signed one is not enough and you need to have a verifiable chain with a proper CA certificate. |
|
If provided, operator uses certificate in this secret instead of issuing its own node certificate. The secret is expected to provide the following keys: 'ca.crt', 'tls.key' and 'tls.crt' If NodeSecretRef points to secret in different namespace, operator will duplicate the secret to the same namespace as redpanda CRD to be able to mount it to the nodes |
|
ClientCACertRef points to a Secret containing the trusted CA certificates. If it is provided and RequireClientAuth is true, the operator uses the CA in this Secret to verify clients instead of issuing client certificates itself. The Secret is expected to provide the key 'ca.crt'. |
|
Enables two-way verification on the server side. If enabled, all Pandaproxy API clients are required to have a valid client certificate. |
PandaproxyExternalConnectivityConfig
PandaproxyExternalConnectivityConfig allows customizing Pandaproxy-specific external connectivity.
Appears in:
Field | Description |
---|---|
|
Enabled enables the external connectivity feature |
|
Subdomain can be used to change the advertised address of this listener. Each broker advertises it as ENDPOINT.SUBDOMAIN:EXTERNAL_PORT. If Subdomain is empty then each broker advertises PUBLIC_NODE_IP:EXTERNAL_PORT. If TLS is enabled then this subdomain will be requested as a subject alternative name. |
|
EndpointTemplate is a Golang template string that allows customizing each broker advertised address. Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT by default for advertised addresses. When an EndpointTemplate is provided, then the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: - Index: the Redpanda broker progressive number - HostIP: the ip address of the Node, as reported in pod status |
Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic. |
|
|
The preferred address type to be assigned to the external advertised addresses. The valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP, and Hostname. When the address of the preferred type is not found the advertised addresses remains empty. The default preferred address type is ExternalIP. This option only applies when Subdomain is empty. |
|
Configures a load balancer for bootstrapping |
|
Configures a ingress resource |
PrometheusConfig
PrometheusConfig is configuration of prometheus instance
Appears in:
Field | Description |
---|---|
|
Address to Prometheus endpoint |
|
Jobs is the list of Prometheus Jobs that we want to discover so that we can then scrape the discovered targets ourselves. |
|
PrometheusEndpointConfig
PrometheusEndpointConfig configures the Prometheus endpoint that shall be exposed in Redpanda Cloud so that users can scrape this URL to collect their dataplane’s metrics in their own time-series database.
Appears in:
Field | Description |
---|---|
|
|
|
|
|
|
|
PrometheusScraperJobConfig
PrometheusScraperJobConfig is the configuration object that determines what Prometheus targets we should scrape.
Appears in:
Field | Description |
---|---|
|
JobName refers to the Prometheus job name whose discovered targets we want to scrape |
|
KeepLabels is a list of label keys that are added by Prometheus when scraping the target and should remain for all metrics as exposed to the Prometheus endpoint. |
Redpanda
Redpanda defines configurable fields that are Redpanda specific
Appears in:
Field | Description |
---|---|
|
RedpandaAdmin
RedpandaAdmin defines API configuration that enables additional features that are Redpanda specific
Appears in:
Field | Description |
---|---|
|
RedpandaConfig
RedpandaConfig is the definition of the main configuration
Appears in:
Field | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Number of partitions in the internal group membership topic |
|
Enable auto-creation of topics. Reference https://kafka.apache.org/documentation/#brokerconfigs_auto.create.topics.enable |
|
Additional command line arguments that we pass to the redpanda binary These are applied last and will override any other command line arguments that may be defined, including the ones added when setting |
RedpandaResourceRequirements
RedpandaResourceRequirements extends corev1.ResourceRequirements to allow specification of resources directly passed to Redpanda that are different to Requests or Limits.
Appears in:
| Field | Description |
| — | — |
| limits
object (keys:ResourceName (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcename-v1-core), values:Quantity) | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| requests
object (keys:ResourceName, values:Quantity) | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| claims
ResourceClaim array | Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. This field is immutable. |
| redpanda
object (keys:ResourceName, values:Quantity) | Redpanda describes the amount of compute resources passed to redpanda. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
RestartConfig
RestartConfig contains strategies to configure how the cluster behaves when restarting, because of upgrades or other lifecycle events.
Appears in:
| Field | Description |
| — | — |
| disableMaintenanceModeHooks
boolean | DisableMaintenanceModeHooks deactivates the preStop and postStart hooks that force nodes to enter maintenance mode when stopping and exit maintenance mode when up again |
| underReplicatedPartitionThreshold
integer | UnderReplicatedPartitionThreshold controls when a rolling update will continue with restarts. The procedure can be described as follows: 1. The rolling update checks if the Pod specification needs to be replaced and deletes the Pod. 2. The deleted Redpanda Pod is put into maintenance mode (the postStart hook will disable maintenance mode when the new Pod starts). 3. The rolling update waits for the Pod to be in the Ready state. 4. The rolling update checks if the cluster is in a healthy state. 5. The rolling update checks if the restarted Redpanda Pod's admin API Ready endpoint returns an HTTP 200 response. 6. Each under-replicated partition metric is compared with UnderReplicatedPartitionThreshold. 7. The rolling update moves to the next Redpanda pod. The metric vectorized_cluster_partition_under_replicated_replicas is used in the comparison; its help description is "Number of under replicated replicas". By default, UnderReplicatedPartitionThreshold is 0, which means all partitions need to catch up without any lag. |
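As an added example of step 6 (not the operator's implementation), the following Go code parses a Prometheus text-format scrape, picks out every sample of vectorized_cluster_partition_under_replicated_replicas, and applies the threshold rule: proceed only when no sample exceeds the threshold, with 0 meaning no lag at all. The scrape text is constructed for the example; the HELP line is the one quoted above, while the label names and values are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Metric is the gauge the page says the rolling update compares against the threshold.
const Metric = "vectorized_cluster_partition_under_replicated_replicas"

// ParseUnderReplicated reads Prometheus text format and returns the value of each
// sample of the metric keyed by its label set. Comments and other metrics are
// skipped; label values containing '}' are not handled.
func ParseUnderReplicated(body string) (map[string]float64, error) {
	out := map[string]float64{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, Metric) {
			continue
		}
		rest := line[len(Metric):]
		// Require a label block or whitespace next, so a longer metric name that
		// merely shares this prefix is not mistaken for ours.
		if rest == "" || (rest[0] != '{' && rest[0] != ' ' && rest[0] != '\t') {
			continue
		}
		labels := ""
		if rest[0] == '{' {
			end := strings.IndexByte(rest, '}')
			if end < 0 {
				return nil, fmt.Errorf("unterminated label set: %q", line)
			}
			labels, rest = rest[1:end], rest[end+1:]
		}
		fields := strings.Fields(rest) // value, then an optional timestamp
		if len(fields) == 0 {
			return nil, fmt.Errorf("missing sample value: %q", line)
		}
		v, err := strconv.ParseFloat(fields[0], 64)
		if err != nil {
			return nil, fmt.Errorf("bad sample value in %q: %w", line, err)
		}
		out[labels] = v
	}
	return out, sc.Err()
}

// MayProceed is step 6 of the documented procedure: the rolling update moves to
// the next pod only when every sample is at or below the threshold. With the
// default threshold of 0 any lagging replica blocks the restart. The lagging
// partitions are returned sorted so the decision is reproducible in logs.
func MayProceed(samples map[string]float64, threshold float64) (bool, []string) {
	var lagging []string
	for labels, v := range samples {
		if v > threshold {
			lagging = append(lagging, fmt.Sprintf("%s value=%g", labels, v))
		}
	}
	sort.Strings(lagging)
	return len(lagging) == 0, lagging
}

// Constructed scrape output: the HELP text is the one quoted on the page; the
// label names, values and the unrelated trailing metric are made up.
const SampleScrape = `# HELP vectorized_cluster_partition_under_replicated_replicas Number of under replicated replicas
# TYPE vectorized_cluster_partition_under_replicated_replicas gauge
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",partition="0",shard="0",topic="orders"} 0
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",partition="1",shard="1",topic="orders"} 2
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",partition="0",shard="0",topic="payments"} 1
vectorized_cluster_partition_under_replicated_replicas_unrelated{x="y"} 99
`

func main() {
	samples, err := ParseUnderReplicated(SampleScrape)
	if err != nil {
		panic(err)
	}
	for _, threshold := range []float64{0, 1, 2} {
		ok, lagging := MayProceed(samples, threshold)
		fmt.Printf("threshold=%g proceed=%v lagging=%v\n", threshold, ok, lagging)
	}
}
```

With the sample scrape, threshold 0 blocks on two partitions, threshold 1 blocks only on orders partition 1, and threshold 2 lets the update continue; raising the threshold trades restart speed for the number of replicas that may still be catching up when the next broker goes down.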
Schema
Schema defines configurable fields for Schema Registry
Appears in:
Field | Description |
---|---|
|
|
|
Indicates whether to use the schema registry CA as the trust root when connecting to the schema registry. If not set, the public CAs are used. |
SchemaRegistryAPI
SchemaRegistryAPI configures the schema registry API
Appears in:
Field | Description |
---|---|
|
Port will set the schema registry listener port in Redpanda configuration. If not set the default will be 8081 |
|
External lets the user expose Redpanda nodes outside of the Kubernetes cluster. For more information see ExternalConnectivityConfig. |
|
TLS is the configuration for schema registry |
|
|
AuthenticationMethod enables an authentication method per schema registry listener. Available options are: none, http_basic. |
SchemaRegistryAPITLS
SchemaRegistryAPITLS configures the TLS of the Schema Registry API
If Enabled is set to true, one-way TLS verification is enabled. In that case, a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named '<redpanda-cluster-name>-schema-registry-node' in the same namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with the Schema Registry.
If RequireClientAuth is set to true, two-way TLS verification is enabled. If ClientCACertRef is provided, the operator configures the Schema Registry to trust the CA certificate it contains. Otherwise, a client certificate is generated, which can be retrieved from the Secret named '<redpanda-cluster-name>-schema-registry-client'.
All TLS secrets are stored in the same namespace as the Redpanda cluster.
Additionally, every certificate listed above is also provided in JKS and PKCS#12 form alongside the PEM version. Both stores are protected with a password equal to the name of the Cluster custom resource, which is not a secret; the Kubernetes Secret's access control, not the store password, protects the key material.
Appears in:
Field | Description |
---|---|
|
|
|
References cert-manager Issuer or ClusterIssuer. When provided, this issuer will be used to issue node certificates. Typically you want to provide the issuer when a generated self-signed one is not enough and you need to have a verifiable chain with a proper CA certificate. |
|
If provided, operator uses certificate in this secret instead of issuing its own node certificate. The secret is expected to provide the following keys: 'ca.crt', 'tls.key' and 'tls.crt' If NodeSecretRef points to secret in different namespace, operator will duplicate the secret to the same namespace as redpanda CRD to be able to mount it to the nodes |
|
ClientCACertRef points to a Secret containing the trusted CA certificates. If it is provided and RequireClientAuth is true, the operator uses the CA in this Secret to verify clients instead of issuing client certificates itself. The Secret is expected to provide the key 'ca.crt'. |
|
Enables two-way verification on the server side. If enabled, all SchemaRegistry clients are required to have a valid client certificate. |
SchemaRegistryExternalConnectivityConfig
SchemaRegistryExternalConnectivityConfig defines the external connectivity options for schema registry.
Appears in:
Field | Description |
---|---|
|
Enabled enables the external connectivity feature |
|
Subdomain can be used to change the behavior of an advertised KafkaAPI. Each broker advertises Kafka API as follows ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT. If Subdomain is empty then each broker advertises Kafka API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT. If TLS is enabled then this subdomain will be requested as a subject alternative name. |
|
EndpointTemplate is a Go template string that allows customizing each broker's advertised address. Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT by default for advertised addresses. When an EndpointTemplate is provided, the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: Index, the Redpanda broker progressive number; HostIP, the IP address of the Node as reported in the pod status. Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic. |
|
|
The preferred address type to be assigned to the external advertised addresses. The valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP, and Hostname. When no address of the preferred type is found, the advertised addresses remain empty. The default preferred address type is ExternalIP. This option only applies when Subdomain is empty. |
|
Configures a load balancer for bootstrapping |
|
Indicates that the node port for the service need not be generated. |
|
Indicates the global endpoint that, together with the subdomain, should be advertised for the schema registry. |
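The address rules above (subdomain or public node IP, with an optional Go template replacing the BROKER_ID part) carried through in code. This is an added example, not the operator's own implementation; it assumes HostIP stands in for the public node IP, takes the port as a parameter, and uses plain text/template without the Sprig functions the operator also exposes.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"text/template"
)

// Broker carries the two variables the reference lists for EndpointTemplate.
type Broker struct {
	Index  int    // the Redpanda broker progressive number
	HostIP string // the IP address of the Node, as reported in pod status
}

// AdvertisedAddress applies the rules above for one broker:
//   - no Subdomain: PUBLIC_NODE_IP:PORT (assumption: HostIP stands in for the public node IP)
//   - Subdomain, no template: BROKER_ID.SUBDOMAIN:PORT
//   - Subdomain and template: the rendered template replaces BROKER_ID
// Only plain text/template is used here; the Sprig hermetic functions are omitted.
func AdvertisedAddress(b Broker, subdomain, endpointTemplate string, port int) (string, error) {
	if subdomain == "" {
		return fmt.Sprintf("%s:%d", b.HostIP, port), nil
	}
	endpoint := strconv.Itoa(b.Index)
	if endpointTemplate != "" {
		tmpl, err := template.New("endpoint").Parse(endpointTemplate)
		if err != nil {
			return "", fmt.Errorf("parse EndpointTemplate: %w", err)
		}
		var buf bytes.Buffer
		// Referencing a variable the template does not expose (e.g. {{.Missing}}) fails here.
		if err := tmpl.Execute(&buf, b); err != nil {
			return "", fmt.Errorf("execute EndpointTemplate: %w", err)
		}
		endpoint = buf.String()
	}
	return fmt.Sprintf("%s.%s:%d", endpoint, subdomain, port), nil
}

func main() {
	b := Broker{Index: 2, HostIP: "203.0.113.7"} // constructed sample broker
	for _, tc := range []struct{ sub, tmpl string }{
		{"", ""},
		{"rp.example.com", ""},
		{"rp.example.com", "broker-{{.Index}}"},
	} {
		addr, err := AdvertisedAddress(b, tc.sub, tc.tmpl, 30081)
		fmt.Println(addr, err)
	}
}
```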
SchemaRegistryStatus
SchemaRegistryStatus reports addresses where schema registry can be reached
Appears in:
Field | Description |
---|---|
|
|
|
External is the address that should be registered with the DNS provider using all public IPs of the nodes that Redpanda is scheduled on. External is empty when no subdomain is provided. |
|
|
ExternalNodeIPs is only filled when the Schema Registry external connectivity feature flag is enabled but the subdomain is empty. This gives the user the ability to register each address individually with the DNS provider of choice. |
SecretKeyRef
SecretKeyRef contains enough information to inspect or modify the referred Secret data. REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
Appears in:
Field | Description |
---|---|
|
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Key in Secret data to get value from |
SecretManagerAWS
SecretManagerAWS is the configuration object for using Amazon’s secret manager.
Appears in:
| Field | Description |
| --- | --- |
| enabled (boolean) | Enabled is whether AWS Secrets Manager is enabled. Only one store can be enabled at a time. |
| region (string) | Region in which the service is deployed, so that related resources such as secrets are placed in the same region. |
| kmsKeyId (string) | KmsKeyID is the ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, Secrets Manager uses the key aws/secretsmanager; if that key doesn't yet exist, Secrets Manager creates it automatically the first time it encrypts the secret value. If the secret is in a different Amazon Web Services account from the credentials calling the API, you can't use aws/secretsmanager to encrypt the secret and must create and use a customer managed KMS key. |
| AWSCredentialsRef (LocalObjectReference) | AWSCredentialsRef refers to the Kubernetes Secret from which the AWS access key ID and secret access key are taken and used as environment variables. |
| serviceAccountRoleARNAnnotation (string) | ServiceAccountRoleARNAnnotation will be included in the Service Account definition. That Kubernetes Service Account will be used in the Kubernetes Deployment spec of Console. Ref https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html |
| tags (object, keys: string, values: string) | Tags is a list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example: [{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]. Secrets Manager tag key names are case sensitive: a tag with the key "ABC" is a different tag from one with the key "abc". Tags can be used for permissions, so that you can namespace your secrets within a single secret store. Console will also only allow the deletion of secrets that possess the configured tags. Tags default to: "owner": "console" |
SecretManagerGCP
SecretManagerGCP is the configuration object for using Google Cloud’s secret manager.
Appears in:
| Field | Description |
| --- | --- |
| enabled (boolean) | Enabled is whether GCP Secret Manager is enabled. Only one store can be enabled at a time. |
| credentialsSecretRef (SecretKeyRef) | CredentialsSecretRef points to the Kubernetes Secret whose service account credentials will be mounted into Console and used to authenticate against the GCP API. |
| serviceAccountNameAnnotation (string) | ServiceAccountNameAnnotation will be included in the Service Account definition. That Kubernetes Service Account will be used in the Kubernetes Deployment spec of Console. Ref https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity |
| projectId (string) | ProjectID is the GCP project in which to store the secrets. |
| labels (object, keys: string, values: string) | Labels help you organize your project: add arbitrary labels as key/value pairs to your resources. Use labels to indicate different environments, services, teams, and so on. Console may use additional labels for each secret. Use a label with the key "owner" to namespace secrets within a secret manager. This label is always set when creating and listing secrets. If you change the value after secrets have been created, Console will no longer return them and will consider them managed by another application. The owner label is optional but recommended. Labels default to: "owner": "console" |
SecretStore
SecretStore contains the configuration for the secret manager that shall be used by Console to manage secrets for other components such as Kafka connect.
Appears in:
| Field | Description |
| --- | --- |
| enabled (boolean) | |
| secretNamePrefix (string) | SecretNamePrefix is the prefix used for each secret name that is stored. The prefix namespaces your secrets so that one secret store can be used by multiple tenants. For AWS it's common to use a path-like structure, whereas GCP does not allow slashes. Examples: AWS: redpanda/analytics/prod/console/ ; GCP: redpanda-analytics-prod-console- . Changing this prefix won't let you access secrets created under a different prefix. |
| gcpSecretManager (SecretManagerGCP) | |
| awsSecretManager (SecretManagerAWS) | |
| kafkaConnect (SecretStoreKafkaConnect) | |
SecretStoreKafkaConnect
SecretStoreKafkaConnect is a configuration block that specifies which configured Kafka Connect clusters support loading secrets from the configured secret store. The frontend will only store sensitive connector configurations in the secret store if the respective Kafka Connect cluster is listed in this configuration.
Appears in:
Field | Description |
---|---|
|
|
|
Clusters is the list of Kafka Connect clusters for which the secret store shall be used. |
SecretStoreKafkaConnectCluster
SecretStoreKafkaConnectCluster configures the Kafka connect clusters that support loading secrets from the configured secret store.
Appears in:
Field | Description |
---|---|
|
Name refers to the Kafka Connect cluster name that has been given in the connect configuration. This name must match an existing cluster name or the configuration will be rejected. |
|
SecretNamePrefixAppend is an optional string that shall be appended to the global secretNamePrefix. This config is helpful if you want to use a specific prefix for secrets belonging to this Kafka Connect cluster, for example to restrict the permissions of the Kafka Connect workers reading these secrets. Example: secretstore.secretNamePrefix is set to "redpanda/prod/" and secretstore.kafkaConnect.clusters.dwh.secretNamePrefixAppend is set to "dwh/"; secrets will then be created with the prefix "redpanda/prod/dwh/", so that you can apply special IAM permissions in your cloud account. |
Server
Server is the Console app HTTP server config REF https://github.com/cloudhut/common/blob/b601d681e8599cee4255899def813142c0218e8b/rest/config.go
Appears in:
Field | Description |
---|---|
|
Timeout for graceful shutdowns |
|
HTTP server listen address |
|
HTTP server listen port |
|
Read timeout for HTTP server |
|
Write timeout for HTTP server |
|
Idle timeout for HTTP server |
|
Compression level applied to all HTTP responses. Valid values are 0-9 (0 = completely disable the compression middleware, 1 = weakest compression, 9 = best compression). |
|
Sets the subpath (root prefix) under which Kowl is reachable. If you want to host Kowl under 'your.domain.com/kowl/' you’d set the base path to 'kowl/'. The default is an empty string which makes Kowl reachable under just 'domain.com/'. When using this setting (or letting the 'X-Forwarded-Prefix' header set it for you) remember to either leave 'strip-prefix' enabled, or use a proxy that can strip the base-path/prefix before it reaches Kowl. |
|
set-base-path-from-x-forwarded-prefix: when set to true, Kowl will use the 'X-Forwarded-Prefix' header as the base path (when enabled, the 'base-path' setting won't be used). |
|
If a base-path is set (either by the 'base-path' setting or by the 'X-Forwarded-Prefix' header), it will be removed from the request URL. You probably want to leave this enabled, unless you are using a proxy that can remove the prefix automatically (like Traefik's 'StripPrefix' option). |
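How the three server settings above (base-path, set-base-path-from-x-forwarded-prefix, strip-prefix) combine when a request is routed, written out as a small net/http middleware. This is an added example modelling the documented behaviour, not Console's own code; the type and function names are assumptions made here.

```go
package main

import (
	"net/http"
	"strings"
)

// ServerPathConfig mirrors the three settings described above (names assumed here).
type ServerPathConfig struct {
	BasePath                  string // 'base-path', e.g. "kowl/"
	SetBasePathFromXForwarded bool   // 'set-base-path-from-x-forwarded-prefix'
	StripPrefix               bool   // 'strip-prefix'
}

// ResolveBasePath picks the effective base path: the X-Forwarded-Prefix header when
// that setting is enabled (base-path is then ignored), otherwise the configured base-path.
func ResolveBasePath(cfg ServerPathConfig, r *http.Request) string {
	if cfg.SetBasePathFromXForwarded {
		return r.Header.Get("X-Forwarded-Prefix")
	}
	return cfg.BasePath
}

// EffectivePath returns the request path the application routes on. With strip-prefix
// enabled the resolved base path is removed; a path that does not carry it is left alone.
func EffectivePath(cfg ServerPathConfig, r *http.Request) string {
	p := r.URL.Path
	base := strings.Trim(ResolveBasePath(cfg, r), "/")
	if !cfg.StripPrefix || base == "" {
		return p
	}
	prefix := "/" + base
	switch {
	case p == prefix:
		return "/"
	case strings.HasPrefix(p, prefix+"/"):
		return strings.TrimPrefix(p, prefix)
	}
	return p
}

// StripBasePath is the middleware form: handlers behind it see the stripped path.
func StripBasePath(cfg ServerPathConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r2 := r.Clone(r.Context()) // Clone deep-copies the URL, so the original request is untouched
		r2.URL.Path = EffectivePath(cfg, r)
		next.ServeHTTP(w, r2)
	})
}
```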
Sidecar
Sidecar is a container running alongside Redpanda; a couple of them are added by default by the defaulting webhook.
Appears in:
Field | Description |
---|---|
|
If Enabled is false, the sidecar won't be added to the pod running the Redpanda node. |
|
Resources are the resource requirements and limits for the container running this sidecar. For the default sidecars these are defaulted. |
Sidecars
Sidecars is the definition of the sidecars running alongside the Redpanda process.
Appears in:
Field | Description |
---|---|
|
RpkStatus is a sidecar running 'rpk status' that collects status information from the running node. |
SocketAddress
SocketAddress provides the way to configure the port.
Appears in:
Field | Description |
---|---|
|
StorageSpec
StorageSpec defines the storage specification of the Cluster
Appears in:
Field | Description |
---|---|
|
Storage capacity requested |
|
Storage class name - https://kubernetes.io/docs/concepts/storage/storage-classes/ |