Redpanda Operator Custom Resource Definition (CRD)

This is documentation for Self-Managed v23.2, which is no longer supported. To view the latest available version of the docs, see v24.2.

The Cluster and Console resources are deprecated. For details, see the deprecation notice. To migrate to the Redpanda resource, see Migrate from Cluster and Console Custom Resources.

Packages

redpanda.vectorized.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the redpanda v1alpha1 API group.

Resource Types: Cluster, ClusterList, Console, ConsoleList

AdminAPI

AdminAPI configures a listener for the Redpanda Admin API.

Appears in: RedpandaConfig

Fields:
- port (integer)
- external (ExternalConnectivityConfig): External exposes the Redpanda Admin API outside of the Kubernetes cluster. See ExternalConnectivityConfig. The Admin API can change cluster configuration and user credentials, so an externally reachable Admin API listener should always carry TLS with RequireClientAuth.
- tls (AdminAPITLS): TLS configuration for the Admin API.

AdminAPITLS

AdminAPITLS configures TLS for the Redpanda Admin API. If Enabled is set to true, one-way TLS is enabled: a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named <redpanda-cluster-name>-admin-api-node in the same namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda. If RequireClientAuth is also set to true, two-way (mutual) TLS is enabled: a client certificate is generated and can be retrieved from the Secret named <redpanda-cluster-name>-admin-api-client. All TLS Secrets are stored in the same namespace as the Redpanda cluster. Besides the PEM files, every certificate is also stored as a JKS and a PKCS#12 keystore; both stores are protected with a password equal to the name of the Cluster custom resource. That password is therefore not a secret (anyone who can list Cluster resources knows it), so access to the keystore material must be controlled through Kubernetes RBAC on the Secrets, not through the store password.
Appears in: AdminAPI

Fields:
- enabled (boolean)
- requireClientAuth (boolean)

BasicAuthConfig

BasicAuthConfig holds the credentials a user must present in order to scrape the endpoint.

Appears in: PrometheusEndpointConfig

Fields:
- username (string)
- passwordRef (SecretKeyRef)

CloudConfig

CloudConfig contains configuration for Redpanda Cloud. If you are running a self-hosted installation, you can ignore this.

Appears in: ConsoleSpec

Fields:
- prometheusEndpoint (PrometheusEndpointConfig)

CloudStorageConfig

CloudStorageConfig configures the Data Archiving feature in Redpanda (https://vectorized.io/docs/data-archiving).

Appears in: ClusterSpec

Fields:
- enabled (boolean): Enables the data archiving feature.
- accessKey (string): Cloud storage access key. This value is stored in plaintext in the Cluster resource; only the secret key goes through a Secret.
- secretKeyRef (ObjectReference): Reference to a Kubernetes Secret containing the cloud storage secret key. SecretKeyRef must contain the name and namespace of the Secret. The Secret must contain a data entry of the form data[<SecretKeyRef.Name>] = <secret key>, that is, the data key must be identical to the referenced Secret's own name.
- region (string): Cloud storage region.
- bucket (string): Cloud storage bucket.
- reconciliationIntervalMs (integer): Reconciliation period (default 10s).
- maxConnections (integer): Number of simultaneous uploads per shard (default 20).
- disableTLS (boolean): Disable TLS. Intended for tests only; with TLS disabled, the credentials and the archived data cross the network in the clear.
- trustfile (string): Path to the certificate that should be used to validate the server certificate.
- apiEndpoint (string): API endpoint for data storage.
- apiEndpointPort (integer): Used to override the TLS port (443).
- cacheStorage (StorageSpec): Cache directory that will be mounted for Redpanda.
- credentialsSource (CredentialsSource): Determines how credentials for archival storage are loaded. Supported values are config_file (default), aws_instance_metadata, sts and gcp_instance_metadata (see the cloud_storage_credentials_source property at https://docs.redpanda.com/docs/reference/cluster-properties/). When using config_file, accessKey and secretKeyRef are mandatory.
Cluster

Cluster is the Schema for the clusters API.

apiVersion: redpanda.vectorized.io/v1alpha1
kind: Cluster
metadata:
spec:

Appears in: ClusterList

Fields:
- apiVersion (string): redpanda.vectorized.io/v1alpha1
- kind (string): Cluster
- metadata (ObjectMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- spec (ClusterSpec)

ClusterCondition

ClusterCondition contains details for the current conditions of the cluster.

Appears in: ClusterStatus

Fields:
- type (ClusterConditionType): Type is the type of the condition.
- lastTransitionTime (Time): Last time the condition transitioned from one status to another.
- reason (string): Unique, one-word, CamelCase reason for the condition's last transition.
- message (string): Human-readable message indicating details about the last transition.

ClusterConditionType

Underlying type: string. ClusterConditionType is a valid value for ClusterCondition.Type.

Appears in: ClusterCondition

ClusterList

ClusterList contains a list of Cluster.

apiVersion: redpanda.vectorized.io/v1alpha1
kind: ClusterList
metadata:
items:

Fields:
- apiVersion (string): redpanda.vectorized.io/v1alpha1
- kind (string): ClusterList
- metadata (ListMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- items (Cluster array)

ClusterSpec

ClusterSpec defines the desired state of Cluster.

Appears in: Cluster

Fields:
- annotations (object, keys: string, values: string): If specified, Redpanda Pod annotations.
- image (string): Image is the fully qualified name of the Redpanda container.
- version (string): Version is the Redpanda container tag.
- replicas (integer): Replicas determines how big the cluster will be.
- podDisruptionBudget (PDBConfig): PodDisruptionBudget specifies whether a PDB resource should be created for the cluster and how it should be configured. By default this is enabled and defaults to MaxUnavailable=1.
- resources (RedpandaResourceRequirements): Resources used by the redpanda process running in the container.
Beware that multiple containers run in the redpanda Pod; they can be enabled, disabled and configured through the sidecars field. Those containers have separate resource settings, and the resources assigned to them are required on the cluster on top of the resources defined here.
- sidecars (Sidecars): Sidecars is the list of sidecars run alongside the redpanda container.
- configuration (RedpandaConfig): Configuration represents Redpanda-specific configuration.
- tolerations (Toleration array): If specified, Redpanda Pod tolerations.
- nodeSelector (object, keys: string, values: string): If specified, Redpanda Pod node selectors. For reference see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
- storage (StorageSpec): Storage spec for the cluster.
- cloudStorage (CloudStorageConfig): Cloud storage configuration for the cluster.
- superUsers (Superuser array): List of superusers.
- enableSasl (boolean): SASL enablement flag. Deprecated: replaced by kafkaEnableAuthorization.
- kafkaEnableAuthorization (boolean): Enable authorization for Kafka connections. Values are: nil: ignored, authorization is enabled with enable_sasl: true; true: authorization is required; false: authorization is disabled. See also enableSasl and configuration.kafkaApi[].authenticationMethod. Note that this flag governs authorization (ACL enforcement) only; whether clients must authenticate at all is decided per listener by authenticationMethod. With authorization disabled, ACLs are not enforced, so every client that gets past the listener's authentication has full access.
- additionalConfiguration (object, keys: string, values: string): For configuration parameters not exposed as fields, a map of string values can be provided. Such values are passed transparently to Redpanda. The key format is "<subsystem>.field", for example:
  additionalConfiguration:
    redpanda.enable_idempotence: "true"
    redpanda.default_topic_partitions: "3"
    pandaproxy_client.produce_batch_size_bytes: "2097152"
  Notes:
  1. Versioning is not supported for map keys.
  2. Key names not supported by Redpanda will cause a failure on start-up.
  3. Updating this map requires a manual restart of the Redpanda Pods. Be aware of the sync period when a Redpanda Pod is restarted.
  4.
  Keys must not conflict with existing struct fields; a conflicting key leads to a panic.
  By default, if Replicas is 3 or more and redpanda.default_topic_partitions is not set, the defaulting webhook sets redpanda.default_topic_partitions to 3.
- dnsTrailingDotDisabled (boolean): DNSTrailingDotDisabled gives the ability to turn off the fully-qualified DNS name. See http://www.dns-sd.org/trailingdotsindomainnames.html
- restartConfig (RestartConfig): RestartConfig controls the behavior of the cluster when restarting.
- licenseRef (SecretKeyRef): If no key is provided in the SecretRef, the Secret data should have the key "license".
- initialValidationForVolume (boolean): When InitialValidationForVolume is enabled, the mounted Redpanda data folder is checked to confirm that it is a directory, that it has an XFS file system, and that a test file can be created and deleted in it.

Connect

Connect defines configurable fields for Kafka Connect.

Appears in: ConsoleSpec

Fields:
- enabled (boolean)
- connectTimeout (Duration)
- readTimeout (Duration)
- requestTimeout (Duration)
- clusters (ConnectCluster array)

ConnectCluster

ConnectCluster defines configurable fields for a Kafka Connect cluster.

Appears in: Connect

Fields:
- name (string)
- url (string)
- tls (ConnectClusterTLS): TLS configures mTLS auth.
- basicAuthRef (ObjectReference): BasicAuthRef configures basic auth credentials referenced by a Secret. Expects the keys "username" and "password".
- tokenRef (ObjectReference): TokenRef configures token header auth referenced by a Secret. Expects the key "token".

ConnectClusterTLS

ConnectClusterTLS defines TLS certificates for the Kafka Connect cluster.

Appears in: ConnectCluster

Fields:
- enabled (boolean)
- secretKeyRef (ObjectReference): SecretKeyRef configures the certificate used for mTLS auth, referenced by a Secret. Expects the keys "tls.crt", "tls.key" and "ca.crt".
- insecureSkipTlsVerify (boolean): Disables verification of the Connect cluster's server certificate. Leave this false outside of tests: with it set, the basic-auth credentials or token configured above are sent to whoever answers at the URL.

Connectivity

Connectivity defines internal/external hosts.

Appears in: ConsoleStatus

Fields:
- internal (string)
- external (string)

Console

Console is the Schema for the consoles
API.

apiVersion: redpanda.vectorized.io/v1alpha1
kind: Console
metadata:
spec:

Appears in: ConsoleList

Fields:
- apiVersion (string): redpanda.vectorized.io/v1alpha1
- kind (string): Console
- metadata (ObjectMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- spec (ConsoleSpec)

ConsoleList

ConsoleList contains a list of Console.

apiVersion: redpanda.vectorized.io/v1alpha1
kind: ConsoleList
metadata:
items:

Fields:
- apiVersion (string): redpanda.vectorized.io/v1alpha1
- kind (string): ConsoleList
- metadata (ListMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- items (Console array)

ConsoleSpec

ConsoleSpec defines the desired state of Console. Most of the fields here are copied from the Console config; see https://github.com/redpanda-data/console/blob/master/backend/pkg/api/config.go

Appears in: Console

Fields:
- metricsNamespace (string): Prefix for all exported Prometheus metrics.
- serveFrontend (boolean): Only relevant for developers who might want to run the frontend separately.
- server (Server)
- schema (Schema)
- clusterRef (NamespaceNameRef): The referenced Redpanda Cluster.
- deployment (Deployment)
- connect (Connect)
- enterprise (Enterprise)
- licenseRef (SecretKeyRef): If you don't provide an enterprise license, Console ignores configuration for enterprise features; see https://docs.redpanda.com/docs/console/reference/config/. If no key is provided in the SecretRef, the Secret data should have the key "license".
- login (EnterpriseLogin): Login contains all configuration needed to protect Console with a login screen. Configure one or more of the identity providers below to support SSO. This feature requires an Enterprise license; see https://docs.redpanda.com/docs/console/single-sign-on/identity-providers/google/
- ingress (IngressConfig): Ingress contains configuration for the Console ingress.
- cloud (CloudConfig): Cloud contains configuration for Redpanda Cloud.
If you're running a self-hosted installation, you can ignore this.
- redpanda (Redpanda): Redpanda contains configuration that is Redpanda-specific.
- secretStore (SecretStore): SecretStore contains the configuration for the cloud provider secret manager.

CredentialsSource

Underlying type: string. CredentialsSource represents a mechanism for loading credentials for archival storage.

Appears in: CloudStorageConfig

Deployment

Deployment defines configurable fields for the Console Deployment resource.

Appears in: ConsoleSpec

Fields:
- image (string)
- replicas (integer)
- maxUnavailable (integer)
- maxSurge (integer)

Enterprise

Enterprise defines configurable fields for features that require a license.

Appears in: ConsoleSpec

Fields:
- rbac (EnterpriseRBAC): Console uses role-based access control (RBAC) to restrict system access to authorized users.

EnterpriseLogin

EnterpriseLogin defines configurable fields to enable SSO authentication for the supported login providers.

Appears in: ConsoleSpec

Fields:
- enabled (boolean)
- jwtSecretRef (SecretKeyRef): JWTSecret is the Secret used to sign and encrypt the JSON Web Tokens that the backend uses for session management. If no key is provided, the default key is "jwt". Generate this value with a cryptographically secure random generator and do not share it across environments; because every session token is signed with it, rotating it invalidates all existing Console sessions.
- google (EnterpriseLoginGoogle)
- redpandaCloud (EnterpriseLoginRedpandaCloud)

EnterpriseLoginGoogle

EnterpriseLoginGoogle defines configurable fields for the Google provider.

Appears in: EnterpriseLogin

Fields:
- enabled (boolean)
- clientCredentialsRef (NamespaceNameRef): ClientCredentials is the Secret that contains the SSO credentials. The Secret should contain the keys "clientId" and "clientSecret".
- directory (EnterpriseLoginGoogleDirectory): Use Google groups in your RBAC role bindings.
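The following Console manifest is an added example, not a manifest from the Redpanda documentation or project; it ties together the ConsoleSpec, Connect, EnterpriseLogin and RBAC fields described in this reference. Every Secret and ConfigMap name, the image tag, the Connect URL, the target principal and the ingress annotation are assumptions for illustration. The Secrets and ConfigMaps it points at must be created separately with the keys each field description names.

```yaml
# Added example (not from the Redpanda docs): a Console bound to a Cluster
# named "redpanda", protected by a login screen with Google SSO, RBAC from a
# ConfigMap, and a Kafka Connect cluster reached over mTLS plus basic auth.
# All referenced object names are assumed for illustration.
apiVersion: redpanda.vectorized.io/v1alpha1
kind: Console
metadata:
  name: console
  namespace: redpanda
spec:
  clusterRef:
    name: redpanda            # the Cluster resource this Console talks to
    namespace: redpanda
  deployment:
    image: docker.redpanda.com/redpandadata/console:v2.3.1   # assumed tag; pin, never "latest"
    replicas: 2
    maxUnavailable: 1
    maxSurge: 1
  metricsNamespace: console
  schema:
    enabled: true
    useSchemaRegistryCA: true   # trust the operator-generated schema registry CA, not the public CAs
  redpanda:
    adminApi:
      enabled: true             # Console then uses the Admin API client cert the operator issued
  licenseRef:
    name: console-license       # assumed Secret; key defaults to "license"
  login:
    enabled: true
    jwtSecretRef:
      name: console-jwt         # assumed Secret; key defaults to "jwt"; rotating it logs everyone out
    google:
      enabled: true
      clientCredentialsRef:
        name: google-oauth      # assumed Secret with keys "clientId" and "clientSecret"
        namespace: redpanda
      directory:                # Google groups sync for RBAC role bindings
        serviceAccountRef:
          name: google-sa       # assumed ConfigMap with key "sa.json" (holds a private key: lock it down)
        targetPrincipal: admin@example.com   # assumed
  enterprise:
    rbac:
      enabled: true
      roleBindingsRef:
        name: console-rbac      # assumed ConfigMap with key "rbac.yaml"
  connect:
    enabled: true
    connectTimeout: 15s
    readTimeout: 60s
    requestTimeout: 6s
    clusters:
      - name: connect-prod
        url: https://connect.example.com:8083        # assumed
        tls:
          enabled: true
          secretKeyRef:
            name: connect-client-tls                 # assumed Secret with tls.crt, tls.key, ca.crt
            namespace: redpanda
          insecureSkipTlsVerify: false               # keep false: true would send basic-auth creds to any server
        basicAuthRef:
          name: connect-basic-auth                   # assumed Secret with keys "username", "password"
          namespace: redpanda
  ingress:
    enabled: true
    endpoint: console                                # appended to the subdomain to form the hostname
    annotations:
      kubernetes.io/ingress.class: nginx             # assumed; provider-specific
```

Two of the references above are worth a second look before applying: the Google service account JSON lives in a ConfigMap rather than a Secret, so it needs the same RBAC restrictions a Secret would get, and insecureSkipTlsVerify must stay false on any Connect cluster that also carries basicAuthRef or tokenRef.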
EnterpriseLoginGoogleDirectory

EnterpriseLoginGoogleDirectory defines configurable fields for enabling RBAC Google groups sync.

Appears in: EnterpriseLoginGoogle

Fields:
- serviceAccountRef (LocalObjectReference): ServiceAccountRef is the ConfigMap that contains the Google service account JSON. The ConfigMap should contain the key "sa.json". Note that this is a ConfigMap, not a Secret, even though sa.json holds the service account's private key: restrict read access to it with RBAC as strictly as you would for a Secret.
- targetPrincipal (string): TargetPrincipal is the user that the service account impersonates.

EnterpriseLoginRedpandaCloud

EnterpriseLoginRedpandaCloud defines configurable fields for the RedpandaCloud SSO provider.

Appears in: EnterpriseLogin

Fields:
- enabled (boolean)
- domain (string): Domain is the domain of the auth server.
- audience (string): Audience is the domain this auth is intended for.
- allowedOrigins (string array): AllowedOrigins indicates whether a response is allowed from the given origin.

EnterpriseRBAC

EnterpriseRBAC defines configurable fields for specifying RBAC authorization.

Appears in: Enterprise

Fields:
- enabled (boolean)
- roleBindingsRef (LocalObjectReference): RoleBindingsRef is the ConfigMap that contains the RBAC file. The ConfigMap should contain the key "rbac.yaml".

ExternalConnectivityConfig

ExternalConnectivityConfig adds a listener that can be reached from outside the Kubernetes cluster. A Service of type NodePort is used to create unique ports on each Kubernetes node, and those nodes must be reachable from the client's perspective. Setting up any additional resources in the cloud or on premises is the responsibility of the Redpanda operator user, for example allowing traffic to the nodes by adding a rule to an AWS security group. Inside the container, Configuration.KafkaAPI.Port + 1 is used for the external listener; this port is tied to the autogenerated host port. Collisions between the Kafka external, Kafka internal, Admin, Pandaproxy, Schema Registry and RPC ports are checked by the webhook. Because the listener is bound to a host port on every node, anything that can reach the node network can reach it: enable TLS and an authenticationMethod on every externally exposed listener rather than relying on the port being hard to guess.
An optional endpointTemplate can be used to configure the advertised addresses for the Kafka API and Pandaproxy; it is disallowed for other listeners.

Appears in: AdminAPI, KafkaAPI, ListenerWithName, PandaproxyExternalConnectivityConfig, SchemaRegistryExternalConnectivityConfig

Fields:
- enabled (boolean): Enabled turns on the external connectivity feature.
- subdomain (string): Subdomain changes how the Kafka API is advertised. Each broker advertises the Kafka API as ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT. If Subdomain is empty, each broker advertises the Kafka API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT. If TLS is enabled, this subdomain is requested as a subject alternative name.
- endpointTemplate (string): EndpointTemplate is a Go template string that customizes each broker's advertised address. By default Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT; when an EndpointTemplate is provided, the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: Index, the Redpanda broker's progressive number; HostIP, the IP address of the Node as reported in the Pod status. Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic.
- preferredAddressType (string): The preferred address type to assign to the external advertised addresses. The valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP and Hostname. When no address of the preferred type is found, the advertised address remains empty. The default is ExternalIP. This option only applies when Subdomain is empty.
- bootstrapLoadBalancer (LoadBalancerConfig): Configures a load balancer for bootstrapping.

IngressConfig

IngressConfig defines the ingress specification.

Appears in: ConsoleSpec, PandaproxyExternalConnectivityConfig

Fields:
- enabled (boolean): Indicates whether ingress is enabled (true when unspecified).
- annotations (object, keys: string, values: string): Optional annotations for the generated ingress.
- endpoint (string): If present, it is appended to the subdomain to form the ingress hostname.

KafkaAPI

KafkaAPI configures a listener for the Kafka API.

Appears in: ListenerWithName, RedpandaConfig

Fields:
- port (integer)
- external (ExternalConnectivityConfig): External exposes Redpanda nodes outside of the Kubernetes cluster. See ExternalConnectivityConfig.
- tls (KafkaAPITLS): TLS configuration for the Kafka API.
- authenticationMethod (string): AuthenticationMethod sets the authentication method per Kafka listener. Available options are none, sasl and mtls_identity. See https://docs.redpanda.com/docs/security/authentication/

KafkaAPITLS

KafkaAPITLS configures TLS for the Redpanda Kafka API. If Enabled is set to true, one-way TLS is enabled: a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret with the same name and namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda. If RequireClientAuth is also set to true, two-way (mutual) TLS is enabled: a node certificate and three client certificates are created. The node certificate is used by the Redpanda nodes. The three client certificates are:
1. The operator client certificate, for internal use by this Kubernetes operator.
2. The admin client certificate, meant for your internal infrastructure other than the operator. You might not need this client certificate in your setup.
   The admin client certificate can be retrieved from the Secret named <redpanda-cluster-name>-admin-client.
3. The user client certificate, available for Redpanda users to call the Kafka API. It can be retrieved from the Secret named <redpanda-cluster-name>-user-client.
All TLS Secrets are stored in the same namespace as the Redpanda cluster. Besides the PEM files, every certificate is also stored as a JKS and a PKCS#12 keystore; both stores are protected with a password equal to the name of the Cluster custom resource, so the password provides no confidentiality and access must be governed by RBAC on the Secrets. Each of these client certificates is a credential accepted by every listener that trusts the generated CA, so grant read access to the -user-client and -admin-client Secrets only to the workloads that need them.

Appears in: KafkaAPI, ListenerWithName

Fields:
- enabled (boolean)
- issuerRef (ObjectReference): References a cert-manager Issuer or ClusterIssuer. When provided, this issuer is used to issue node certificates. Typically you provide an issuer when a generated self-signed one is not enough and you need a verifiable chain with a proper CA certificate.
- nodeSecretRef (ObjectReference): If provided, the operator uses the certificate in this Secret instead of issuing its own node certificate. The Secret is expected to provide the keys 'ca.crt', 'tls.key' and 'tls.crt'. If NodeSecretRef points to a Secret in a different namespace, the operator copies the Secret into the same namespace as the Redpanda CR so that it can be mounted on the nodes.
- requireClientAuth (boolean): Enables two-way verification on the server side. If enabled, all Kafka API clients are required to present a valid client certificate.

LoadBalancerConfig

LoadBalancerConfig defines the load balancer specification.

Appears in: ExternalConnectivityConfig, PandaproxyExternalConnectivityConfig, SchemaRegistryExternalConnectivityConfig

Fields:
- annotations (object, keys: string, values: string): If specified, sets the load balancer Service annotations. Example usage includes making the load balancer internal through provider-specific annotations.
- port (integer): The port used to communicate with the load balancer.
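The Cluster manifest below is an added example, not a manifest from the Redpanda documentation or project. It exercises the ClusterSpec, RedpandaConfig, KafkaAPI/KafkaAPITLS, AdminAPITLS, ExternalConnectivityConfig and CloudStorageConfig fields described in this reference, together with the podDisruptionBudget and restartConfig fields that ClusterSpec lists. The image tag, issuer name, subdomain, region, bucket, superuser name and access key are assumptions; the Superuser entry is assumed to take a username key, since that type is not shown on this page. It is shown with the settings a security engineer would want as the baseline, with the weaker alternatives noted in comments.

```yaml
# Added example (not from the Redpanda docs): a Cluster with TLS on every
# listener, mutual TLS plus SASL on the Kafka API, authorization turned on,
# the Admin API locked to mTLS, and tiered storage whose secret key is read
# from a Secret. Names, tags and cloud parameters are assumed for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: archival-secret-key            # assumed; the data key below MUST equal this name
  namespace: redpanda
type: Opaque
stringData:
  archival-secret-key: "<cloud storage secret key>"   # data[<SecretKeyRef.Name>] = <secret key>
---
apiVersion: redpanda.vectorized.io/v1alpha1
kind: Cluster
metadata:
  name: redpanda                       # also the password of the generated JKS/PKCS#12 stores
  namespace: redpanda
spec:
  image: vectorized/redpanda
  version: v23.2.1                     # assumed; pin an explicit tag
  replicas: 3
  resources:
    requests: { cpu: 2, memory: 4Gi }
    limits:   { cpu: 2, memory: 4Gi }
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 1                  # default; mutually exclusive with minAvailable
  restartConfig:
    disableMaintenanceModeHooks: false # keep the maintenance-mode hooks during rolling restarts
    underReplicatedPartitionThreshold: 0   # default: no lag tolerated before restarting the next pod
  superUsers:
    - username: admin                  # assumed key; Superuser type not shown on this page
  kafkaEnableAuthorization: true       # enforce ACLs (replaces the deprecated enableSasl)
  configuration:
    rpcServer:
      port: 33145
    kafkaApi:
      - port: 9092                     # internal; the external listener binds port + 1 = 9093
        authenticationMethod: sasl     # weaker alternative: none (no client identity at all)
        tls:
          enabled: true
          requireClientAuth: true      # clients also need a cert: operator-generated *-user-client or one from issuerRef
          issuerRef:                   # optional cert-manager issuer for a verifiable chain
            name: redpanda-issuer      # assumed
            kind: ClusterIssuer
        external:
          enabled: true
          subdomain: kafka.example.com # assumed; brokers advertise <id>.kafka.example.com:9093 and the SAN covers it
          preferredAddressType: ExternalIP
    adminApi:
      - port: 9644
        tls:
          enabled: true
          requireClientAuth: true      # the Admin API mutates cluster state; never expose it with only one-way TLS
    pandaproxyApi:
      - port: 8082
        authenticationMethod: http_basic   # credentials ride on every request, so TLS below is mandatory
        tls:
          enabled: true
    schemaRegistry:
      port: 8081
      authenticationMethod: http_basic
      tls:
        enabled: true
  cloudStorage:
    enabled: true
    credentialsSource: config_file     # default; accessKey and secretKeyRef are then mandatory
    accessKey: AKIAEXAMPLEACCESSKEY    # assumed; note it sits in plaintext in this resource
    secretKeyRef:
      name: archival-secret-key
      namespace: redpanda
    region: us-east-1                  # assumed
    bucket: redpanda-archive           # assumed
    disableTLS: false                  # true is for tests only
  additionalConfiguration:
    redpanda.enable_idempotence: "true"
    redpanda.default_topic_partitions: "3"
```

After the operator reconciles this, the generated truststore and client material are in the Secrets this reference names (redpanda for the Kafka API node certificate, redpanda-user-client, redpanda-admin-api-node, redpanda-admin-api-client and so on, all in the redpanda namespace); scope RBAC so that only the clients that need a given Secret can read it. Note that the sasl listener above still demands a client certificate because of requireClientAuth; if you want the certificate itself to be the identity instead of a SASL credential, set authenticationMethod to mtls_identity.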
LoadBalancerStatus

LoadBalancerStatus reports the load balancer status as generated by the load balancer core Service.

Appears in: NodesList

Fields:
- ingress (LoadBalancerIngress array): Ingress is a list of ingress points for the load balancer. Traffic intended for the Service should be sent to these ingress points.

NamespaceNameRef

NamespaceNameRef contains the namespace and name used to inspect or modify the referred object. See https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference

Appears in: ConsoleSpec, EnterpriseLoginGoogle

Fields:
- name (string): Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- namespace (string): Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

NodesList

NodesList shows where a client of the Cluster custom resource can reach the various listeners of the Redpanda cluster.

Appears in: ClusterStatus

Fields:
- internal (string array)
- external (string array)
- externalBootstrap (LoadBalancerStatus)
- externalAdmin (string array)
- externalPandaproxy (string array)
- pandaproxyIngress (string)
- schemaRegistry (SchemaRegistryStatus)

PDBConfig

PDBConfig specifies how the PodDisruptionBudget should be created for the Redpanda cluster. A PDB is created for the deployed cluster if Enabled is set to true.

Appears in: ClusterSpec

Fields:
- enabled (boolean): Enabled specifies whether a PDB should be generated for the cluster. It defaults to true.
- minAvailable (IntOrString): An eviction is allowed if at least "minAvailable" Pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted Pod. For example, you can prevent all voluntary evictions by specifying "100%". This setting is mutually exclusive with "maxUnavailable".
  See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
- maxUnavailable (IntOrString): An eviction is allowed if at most "maxUnavailable" Pods selected by "selector" are unavailable after the eviction, i.e. even in the absence of the evicted Pod. For example, you can prevent all voluntary evictions by specifying 0. This setting is mutually exclusive with "minAvailable" and defaults to 1. See https://kubernetes.io/docs/tasks/run-application/configure-pdb/

PandaproxyAPI

PandaproxyAPI configures a listener for the Pandaproxy API.

Appears in: RedpandaConfig

Fields:
- port (integer)
- external (PandaproxyExternalConnectivityConfig): External exposes Redpanda nodes outside of the Kubernetes cluster. See ExternalConnectivityConfig.
- tls (PandaproxyAPITLS): TLS configuration for the Pandaproxy API.
- authenticationMethod (string): AuthenticationMethod sets the authentication method per Pandaproxy listener. Available options are none and http_basic. Because http_basic sends the credentials with every request, use it only on a listener with TLS enabled.

PandaproxyAPITLS

PandaproxyAPITLS configures TLS for the Pandaproxy API. If Enabled is set to true, one-way TLS is enabled: a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named <redpanda-cluster-name>-proxy-api-node in the same namespace as the Redpanda cluster. Clients must use 'ca.crt' as their truststore when communicating with Redpanda. If RequireClientAuth is also set to true, two-way (mutual) TLS is enabled. If ClientCACertRef is provided, the operator configures the Pandaproxy to trust the CA certificate it contains; otherwise a client certificate is generated, which can be retrieved from the Secret named <redpanda-cluster-name>-proxy-api-client. All TLS Secrets are stored in the same namespace as the Redpanda cluster. Besides the PEM files, every certificate is also stored as a JKS and a PKCS#12 keystore.
Both stores are protected with a password equal to the name of the Cluster custom resource; that password is not a secret, so protect the keystores through RBAC on the Secrets.

Appears in: PandaproxyAPI

Fields:
- enabled (boolean)
- issuerRef (ObjectReference): References a cert-manager Issuer or ClusterIssuer. When provided, this issuer is used to issue node certificates. Typically you provide an issuer when a generated self-signed one is not enough and you need a verifiable chain with a proper CA certificate.
- nodeSecretRef (ObjectReference): If provided, the operator uses the certificate in this Secret instead of issuing its own node certificate. The Secret is expected to provide the keys 'ca.crt', 'tls.key' and 'tls.crt'. If NodeSecretRef points to a Secret in a different namespace, the operator copies the Secret into the same namespace as the Redpanda CR so that it can be mounted on the nodes.
- clientCACertRef (TypedLocalObjectReference): ClientCACertRef points to a Secret containing the trusted CA certificates. If provided and RequireClientAuth is true, the operator uses the certificate in this Secret instead of issuing client certificates. The Secret is expected to provide the key 'ca.crt'. Every certificate that chains to this CA is then accepted as a client, so point it at a CA dedicated to Pandaproxy clients rather than a broad organizational one.
- requireClientAuth (boolean): Enables two-way verification on the server side. If enabled, all Pandaproxy API clients are required to present a valid client certificate.

PandaproxyExternalConnectivityConfig

PandaproxyExternalConnectivityConfig customizes Pandaproxy-specific external connectivity.

Appears in: PandaproxyAPI

Fields:
- enabled (boolean): Enabled turns on the external connectivity feature.
- subdomain (string): Subdomain changes how the listener is advertised. Each broker advertises the Kafka API as ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT. If Subdomain is empty, each broker advertises the Kafka API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT. If TLS is enabled, this subdomain is requested as a subject alternative name.
- endpointTemplate (string): EndpointTemplate is a Go template string that customizes each broker's advertised address. By default Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT; when an EndpointTemplate is provided, the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: Index, the Redpanda broker's progressive number; HostIP, the IP address of the Node as reported in the Pod status. Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic.
- preferredAddressType (string): The preferred address type to assign to the external advertised addresses. The valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP and Hostname. When no address of the preferred type is found, the advertised address remains empty. The default is ExternalIP. This option only applies when Subdomain is empty.
- bootstrapLoadBalancer (LoadBalancerConfig): Configures a load balancer for bootstrapping.
- ingress (IngressConfig): Configures an ingress resource.

PrometheusConfig

PrometheusConfig is the configuration of the Prometheus instance.

Appears in: PrometheusEndpointConfig

Fields:
- address (string): Address of the Prometheus endpoint.
- jobs (PrometheusScraperJobConfig array): Jobs is the list of Prometheus jobs that we want to discover so that we can then scrape the discovered targets ourselves.
- targetRefreshInterval (Duration)

PrometheusEndpointConfig

PrometheusEndpointConfig configures the Prometheus endpoint that is exposed in Redpanda Cloud so that users can scrape this URL to collect their dataplane's metrics in their own time-series database.
Appears in: CloudConfig

Fields:
- enabled (boolean)
- basicAuth (BasicAuthConfig)
- responseCacheDuration (Duration)
- prometheus (PrometheusConfig)

PrometheusScraperJobConfig

PrometheusScraperJobConfig is the configuration object that determines which Prometheus targets we should scrape.

Appears in: PrometheusConfig

Fields:
- jobName (string): JobName refers to the Prometheus job name whose discovered targets we want to scrape.
- keepLabels (string array): KeepLabels is a list of label keys that are added by Prometheus when scraping the target and should remain on all metrics as exposed through the Prometheus endpoint.

Redpanda

Redpanda defines configurable fields that are Redpanda-specific.

Appears in: ConsoleSpec

Fields:
- adminApi (RedpandaAdmin)

RedpandaAdmin

RedpandaAdmin defines API configuration that enables additional features that are Redpanda-specific.

Appears in: Redpanda

Fields:
- enabled (boolean)

RedpandaConfig

RedpandaConfig is the definition of the main configuration.

Appears in: ClusterSpec

Fields:
- rpcServer (SocketAddress)
- kafkaApi (KafkaAPI array)
- adminApi (AdminAPI array)
- pandaproxyApi (PandaproxyAPI array)
- schemaRegistry (SchemaRegistryAPI)
- developerMode (boolean)
- groupTopicPartitions (integer): Number of partitions in the internal group membership topic.
- autoCreateTopics (boolean): Enable auto-creation of topics. Reference: https://kafka.apache.org/documentation/#brokerconfigs_auto.create.topics.enable
- additionalCommandlineArguments (object, keys: string, values: string): Additional command line arguments passed to the redpanda binary. These are applied last and override any other command line arguments that may be defined, including the ones added when DeveloperMode is true.

RedpandaResourceRequirements

RedpandaResourceRequirements extends corev1.ResourceRequirements to allow specifying resources passed directly to Redpanda that differ from Requests or Limits.
Appears in: ClusterSpec

Fields:
- limits (object, keys: ResourceName (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcename-v1-core), values: Quantity): Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- requests (object, keys: ResourceName, values: Quantity): Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- claims (ResourceClaim array): Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. This field is immutable.
- redpanda (object, keys: ResourceName, values: Quantity): Redpanda describes the amount of compute resources passed to redpanda. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

RestartConfig

RestartConfig contains strategies that configure how the cluster behaves when restarting, because of upgrades or other lifecycle events.

Appears in: ClusterSpec

Fields:
- disableMaintenanceModeHooks (boolean): DisableMaintenanceModeHooks deactivates the preStop and postStart hooks that force nodes to enter maintenance mode when stopping and to exit maintenance mode when up again.
- underReplicatedPartitionThreshold (integer): UnderReplicatedPartitionThreshold controls when a rolling update continues with restarts. The procedure is as follows:
  1. The rolling update checks whether the Pod specification needs to be replaced and deletes the Pod.
  2.
Deleted Redpanda Pod is put into maintenance mode (postStart hook will disable maintenance mode when new Pod starts) 3. Rolling update waits for Pod to be in Ready state 4. Rolling update checks if cluster is in healthy state 5. Rolling update checks if restarted Redpanda Pod admin API Ready endpoint returns HTTP 200 response 6. Using UnderReplicatedPartitionThreshold each under replicated partition metric is compared with the threshold 7. Rolling update moves to the next Redpanda pod. The metric vectorized_cluster_partition_under_replicated_replicas is used in the comparison. Mentioned metrics has the following help description: vectorized_cluster_partition_under_replicated_replicas Number of under replicated replicas. By default, the UnderReplicatedPartitionThreshold will be 0, which means all partitions needs to catch up without any lag. Schema Schema defines configurable fields for Schema Registry Appears in: ConsoleSpec Field Description enabled boolean useSchemaRegistryCA boolean Indication on whether to use the schema registry CA as trust when connecting to the schema registry. If not set, the public CAs will be used. SchemaRegistryAPI SchemaRegistryAPI configures the schema registry API Appears in: RedpandaConfig Field Description port integer Port will set the schema registry listener port in Redpanda configuration. If not set the default will be 8081 external SchemaRegistryExternalConnectivityConfig External enables user to expose Redpanda nodes outside of a Kubernetes cluster. For more information please go to ExternalConnectivityConfig tls SchemaRegistryAPITLS TLS is the configuration for schema registry authenticationMethod string AuthenticationMethod can enable authentication method per schema registry listener. Available options are: none, http_basic. SchemaRegistryAPITLS SchemaRegistryAPITLS configures the TLS of the Pandaproxy API. If Enabled is set to true, one-way TLS verification is enabled. 
In that case, a key pair ('tls.crt', 'tls.key') and CA certificate 'ca.crt' are generated and stored in a Secret named <redpanda-cluster-name>-schema-registry-node in the same namespace as the Redpanda cluster. 'ca.crt' must be used by a client as a truststore when communicating with the Schema Registry. If RequireClientAuth is set to true, two-way TLS verification is enabled. If ClientCACertRef is provided, the operator configures the Schema Registry to trust the CA certificate it contains. Otherwise a client certificate is generated, which can be retrieved from the Secret named <redpanda-cluster-name>-schema-registry-client. All TLS secrets are stored in the same namespace as the Redpanda cluster. In addition to the PEM version, each of these certificates is also stored as a JKS and a PKCS#12 keystore. Both stores are protected with a password equal to the name of the Cluster custom resource. Because that password is derivable from the resource name, it adds no secrecy of its own; the protection of the key material rests on Kubernetes RBAC over the Secrets, so restrict read access to them accordingly.
Appears in: SchemaRegistryAPI
Fields:
  enabled (boolean)
  issuerRef (ObjectReference): References a cert-manager Issuer or ClusterIssuer. When provided, this issuer is used to issue node certificates. Typically you provide an issuer when a generated self-signed certificate is not enough and you need a verifiable chain with a proper CA certificate.
  nodeSecretRef (ObjectReference): If provided, the operator uses the certificate in this Secret instead of issuing its own node certificate. The Secret is expected to provide the keys 'ca.crt', 'tls.key' and 'tls.crt'. If NodeSecretRef points to a Secret in a different namespace, the operator duplicates the Secret into the namespace of the Redpanda CRD so that it can be mounted into the nodes.
  clientCACertRef (TypedLocalObjectReference): Points to a Secret containing the trusted client CA certificates. If provided and RequireClientAuth is true, the operator uses the certificate in this Secret instead of issuing client certificates. The Secret is expected to provide the key 'ca.crt'.
  requireClientAuth (boolean): Enables two-way verification on the server side. If enabled, all Schema Registry clients are required to present a valid client certificate.

SchemaRegistryExternalConnectivityConfig
SchemaRegistryExternalConnectivityConfig defines the external connectivity options for the Schema Registry.
Appears in: SchemaRegistryAPI
Fields:
  enabled (boolean): Enables the external connectivity feature.
  subdomain (string): Changes how the advertised address is built. Each broker advertises the Kafka API as ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT. If Subdomain is empty, each broker advertises the Kafka API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT. If TLS is enabled, this subdomain is requested as a subject alternative name.
  endpointTemplate (string): A Go template string that customizes each broker's advertised address. By default Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT for advertised addresses. When an EndpointTemplate is provided, the BROKER_ID part is replaced with the endpoint computed from the template. The following variables are available to the template: Index, the Redpanda broker's ordinal number; HostIP, the IP address of the Node as reported in the pod status. Common template functions from Sprig (http://masterminds.github.io/sprig/) are also available. The set of available functions is limited to hermetic functions because template application needs to be deterministic.
  preferredAddressType (string): The preferred address type to assign to the external advertised addresses. Valid types are ExternalDNS, ExternalIP, InternalDNS, InternalIP, and Hostname. When no address of the preferred type is found, the advertised address remains empty. The default preferred address type is ExternalIP. This option only applies when Subdomain is empty.
  bootstrapLoadBalancer (LoadBalancerConfig): Configures a load balancer for bootstrapping.
  staticNodePort (boolean): Indicates that the node port for the service need not be generated.
  endpoint (string): The global endpoint that (together with subdomain) should be advertised for the Schema Registry.

SchemaRegistryStatus
SchemaRegistryStatus reports the addresses where the Schema Registry can be reached.
Appears in: NodesList
Fields:
  internal (string)
  external (string): The external address should be registered in a DNS provider using all public IPs of the nodes that Redpanda is scheduled on. External is empty when no subdomain is provided.
  externalNodeIPs (string array): Only filled when the Schema Registry external connectivity feature flag is enabled but the subdomain is empty. This lets the user register all addresses individually in the DNS provider of their choice.

SecretKeyRef
SecretKeyRef contains enough information to inspect or modify the referred Secret data. Reference: https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
Appears in: BasicAuthConfig, ClusterSpec, ConsoleSpec, EnterpriseLogin, SecretManagerGCP
Fields:
  name (string): Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  namespace (string): Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
  key (string): Key in the Secret data to read the value from.

SecretManagerAWS
SecretManagerAWS is the configuration object for using Amazon's Secrets Manager.
Appears in: SecretStore
Fields:
  enabled (boolean): Whether AWS Secrets Manager is enabled. Only one store can be enabled at a time.
  region (string): Region in which the service is deployed, so that related resources such as secrets are put in the same region.
  kmsKeyId (string): The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret.
    To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, Secrets Manager uses the key aws/secretsmanager. If that key doesn't yet exist, Secrets Manager creates it automatically the first time it encrypts the secret value. If the secret is in a different Amazon Web Services account from the credentials calling the API, you can't use aws/secretsmanager to encrypt the secret and must create and use a customer managed KMS key.
  AWSCredentialsRef (LocalObjectReference): Refers to the Kubernetes Secret from which the AWS access key ID and secret access key are taken and exposed as environment variables.
  serviceAccountRoleARNAnnotation (string): Included in the Service Account definition. That Kubernetes Service Account is used in the Kubernetes Deployment spec of Console. Reference: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
  tags (object, keys: string, values: string): Tags to attach to the secret. Each tag is a key/value pair of strings; in JSON form, for example: [{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]. Secrets Manager tag key names are case sensitive: a tag with the key "ABC" is a different tag from one with the key "abc". Tags can be used in permissions, so that you can namespace your secrets within a single secret store. Console also only allows the deletion of secrets that possess the configured tags. Tags default to: "owner": "console"

SecretManagerGCP
SecretManagerGCP is the configuration object for using Google Cloud's Secret Manager.
Appears in: SecretStore
Fields:
  enabled (boolean): Whether GCP Secret Manager is enabled. Only one store can be enabled at a time.
  credentialsSecretRef (SecretKeyRef): Points to the Kubernetes Secret whose service account credentials are mounted into Console and used to authenticate against the GCP API.
  serviceAccountNameAnnotation (string): Included in the Service Account definition. That Kubernetes Service Account is used in the Kubernetes Deployment spec of Console. Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
  projectId (string): The GCP project in which to store the secrets.
  labels (object, keys: string, values: string): Labels help you organize your project; add arbitrary key/value labels to your resources to indicate different environments, services, teams, and so on. Console may add labels of its own to each secret. Use a label with the key "owner" to namespace secrets within a secret manager; this label is always set when creating and listing secrets. If you change its value after secrets have been created, Console no longer returns them and treats them as managed by another application. The owner label is optional but recommended. Labels default to: "owner": "console"

SecretStore
SecretStore contains the configuration for the secret manager that Console uses to manage secrets for other components such as Kafka Connect.
Appears in: ConsoleSpec
Fields:
  enabled (boolean)
  secretNamePrefix (string): The prefix used for each stored secret name. The prefix namespaces your secrets, so that one secret store can be used by multiple tenants. For AWS it is common to use a path-like structure, whereas GCP does not allow slashes. Examples: AWS: redpanda/analytics/prod/console/ GCP: redpanda-analytics-prod-console- Changing this prefix does not let you access secrets created under a different prefix.
  gcpSecretManager (SecretManagerGCP)
  awsSecretManager (SecretManagerAWS)
  kafkaConnect (SecretStoreKafkaConnect)

SecretStoreKafkaConnect
SecretStoreKafkaConnect is a configuration block that specifies which configured Kafka Connect clusters support loading secrets from the configured secret store.
The frontend only stores sensitive connector configurations in the secret store if the respective Kafka Connect cluster is listed in this configuration.
Appears in: SecretStore
Fields:
  enabled (boolean)
  clusters (SecretStoreKafkaConnectCluster array): The list of Kafka Connect clusters for which the secret store is used.

SecretStoreKafkaConnectCluster
SecretStoreKafkaConnectCluster configures the Kafka Connect clusters that support loading secrets from the configured secret store.
Appears in: SecretStoreKafkaConnect
Fields:
  name (string): The Kafka Connect cluster name as given in the connect configuration. This name must match a configured cluster name or the configuration is rejected.
  secretNamePrefixAppend (string): An optional string appended to the global secretNamePrefix. This is helpful if you want a specific prefix for secrets belonging to this Kafka Connect cluster, for example to restrict the permissions of the Kafka Connect workers reading these secrets. Example: secretstore.secretNamePrefix is set to "redpanda/prod/" and secretstore.kafkaConnect.clusters.dwh.secretNamePrefixAppend is set to "dwh/"; secrets are then created with the prefix "redpanda/prod/dwh/", so that you can apply specific IAM permissions in your cloud account.

Server
Server is the Console app HTTP server config. Reference: https://github.com/cloudhut/common/blob/b601d681e8599cee4255899def813142c0218e8b/rest/config.go
Appears in: ConsoleSpec
Fields:
  gracefulShutdownTimeout (Duration): Timeout for graceful shutdowns.
  listenAddress (string): HTTP server listen address.
  listenPort (integer): HTTP server listen port.
  readTimeout (Duration): Read timeout for the HTTP server.
  writeTimeout (Duration): Write timeout for the HTTP server.
  idleTimeout (Duration): Idle timeout for the HTTP server.
  compressionLevel (integer): Compression level applied to all HTTP responses. Valid values are 0-9 (0 = completely disable the compression middleware, 1 = weakest compression, 9 = best compression).
  basePath (string): Sets the subpath (root prefix) under which Kowl is reachable. If you want to host Kowl under 'your.domain.com/kowl/', set the base path to 'kowl/'. The default is an empty string, which makes Kowl reachable under just 'domain.com/'. When using this setting (or letting the 'X-Forwarded-Prefix' header set it for you), either leave 'strip-prefix' enabled or use a proxy that strips the base path before the request reaches Kowl.
  setBasePathFromXForwardedPrefix (boolean): When set to true, Kowl uses the 'X-Forwarded-Prefix' header as the base path (when enabled, the 'base-path' setting is not used). Because the value is taken from the incoming request, enable this only behind a trusted reverse proxy that sets or overwrites the header; otherwise any client can choose the base path applied to its own requests.
  stripPrefix (boolean): If a base path is set (either by the 'base-path' setting or by the 'X-Forwarded-Prefix' header), it is removed from the request URL. You probably want to leave this enabled unless you use a proxy that removes the prefix automatically (such as Traefik's 'StripPrefix' option).

Sidecar
Sidecar is a container running alongside Redpanda; a couple of them are added by default via the defaulting webhook.
Appears in: Sidecars
Fields:
  enabled (boolean): If false, the sidecar is not added to the pod running the Redpanda node.
  resources (ResourceRequirements): Resource requirements and limits for the container running this sidecar.
    For the default sidecars this is defaulted.

Sidecars
Sidecars is the definition of the sidecars running alongside the Redpanda process.
Appears in: ClusterSpec
Fields:
  rpkStatus (Sidecar): Sidecar running rpk status, collecting status information from the running node.

SocketAddress
SocketAddress provides the way to configure the port.
Appears in: RedpandaConfig
Fields:
  port (integer)

StorageSpec
StorageSpec defines the storage specification of the Cluster.
Appears in: CloudStorageConfig, ClusterSpec
Fields:
  capacity (Quantity): Storage capacity requested.
  storageClassName (string): Storage class name. See https://kubernetes.io/docs/concepts/storage/storage-classes/

Superuser
Superuser has full access to the Redpanda cluster.
Appears in: ClusterSpec
Fields:
  username (string)
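Worked example for the RestartConfig rolling-update gate described above (step 6, the comparison of every vectorized_cluster_partition_under_replicated_replicas sample against underReplicatedPartitionThreshold). This is an added illustration written for this page, not operator code: the scrape text is constructed, the function names are the example's own, and the gate is reimplemented from the procedure as documented (a partition blocks the update when its value is strictly greater than the threshold, so the default of 0 requires every partition to be fully caught up).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// metricName is the series the operator compares against the threshold.
const metricName = "vectorized_cluster_partition_under_replicated_replicas"

// sampleScrape is a constructed scrape in Prometheus text format, not output
// captured from a real Redpanda broker. Two partitions still have lagging replicas.
const sampleScrape = `# HELP vectorized_cluster_partition_under_replicated_replicas Number of under replicated replicas.
# TYPE vectorized_cluster_partition_under_replicated_replicas gauge
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",topic="orders",partition="0",shard="0"} 0
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",topic="orders",partition="1",shard="1"} 2
vectorized_cluster_partition_under_replicated_replicas{namespace="kafka",topic="audit",partition="0",shard="0"} 1
redpanda_uptime_seconds_total 120
`

// Sample is one time series of the metric: its label set and current value.
type Sample struct {
	Labels string
	Value  int
}

// ParseUnderReplicated returns every sample of metricName found in a scrape.
// Comment lines and other metrics are ignored; a malformed sample is an error
// rather than being silently treated as "caught up".
func ParseUnderReplicated(scrape string) ([]Sample, error) {
	var out []Sample
	sc := bufio.NewScanner(strings.NewReader(scrape))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// The series name ends at '{' (labelled) or at the first blank (unlabelled).
		name := line
		if i := strings.IndexAny(line, "{ \t"); i >= 0 {
			name = line[:i]
		}
		if name != metricName {
			continue
		}
		sp := strings.LastIndexAny(line, " \t")
		if sp < 0 {
			return nil, fmt.Errorf("malformed sample: %q", line)
		}
		v, err := strconv.ParseFloat(line[sp+1:], 64)
		if err != nil {
			return nil, fmt.Errorf("bad value in %q: %w", line, err)
		}
		out = append(out, Sample{Labels: strings.TrimPrefix(line[:sp], metricName), Value: int(v)})
	}
	return out, sc.Err()
}

// Blocking returns the partitions whose under-replicated replica count exceeds
// the threshold. With the default threshold of 0 every partition must be fully
// caught up before the rolling update proceeds.
func Blocking(samples []Sample, threshold int) []Sample {
	var b []Sample
	for _, s := range samples {
		if s.Value > threshold {
			b = append(b, s)
		}
	}
	return b
}

// CanProceed is step 6 of the procedure: true when no partition exceeds the threshold.
func CanProceed(scrape string, threshold int) (bool, error) {
	samples, err := ParseUnderReplicated(scrape)
	if err != nil {
		return false, err
	}
	return len(Blocking(samples, threshold)) == 0, nil
}

func main() {
	for _, th := range []int{0, 1, 2} {
		ok, err := CanProceed(sampleScrape, th)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("underReplicatedPartitionThreshold=%d -> proceed to next pod: %v\n", th, ok)
	}
}
```

Raising the threshold trades availability during the roll for durability: with a value of 2 the update above proceeds even though one partition still has two lagging replicas, so a failure of the next broker during that window can leave that partition without an in-sync copy.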
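Worked example for the endpointTemplate field of SchemaRegistryExternalConnectivityConfig above. This is an added illustration, not operator code: it renders a template with Go's standard text/template using the two documented variables (Index and HostIP), builds the documented ENDPOINT.SUBDOMAIN:PORT form, and adds a check the page does not describe but a practitioner wants, namely that no two brokers render to the same advertised address. Assumptions: only Go's built-in template functions are loaded (the operator additionally registers Sprig's hermetic functions), and the broker inputs, subdomain and port are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// BrokerInput carries the two variables the operator exposes to the template.
type BrokerInput struct {
	Index  int    // the broker's ordinal number
	HostIP string // node IP as reported in the pod status
}

// RenderEndpoint executes an endpointTemplate for one broker. Referencing a
// variable the template does not have (for example .Zone) is an execution error.
func RenderEndpoint(tmpl string, in BrokerInput) (string, error) {
	t, err := template.New("endpointTemplate").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse endpointTemplate: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, in); err != nil {
		return "", fmt.Errorf("execute endpointTemplate: %w", err)
	}
	return buf.String(), nil
}

// AdvertisedAddress builds ENDPOINT.SUBDOMAIN:PORT. With an empty template the
// endpoint is the broker index, matching the BROKER_ID.SUBDOMAIN:PORT default.
func AdvertisedAddress(tmpl, subdomain string, port int, in BrokerInput) (string, error) {
	endpoint := fmt.Sprintf("%d", in.Index)
	if tmpl != "" {
		rendered, err := RenderEndpoint(tmpl, in)
		if err != nil {
			return "", err
		}
		endpoint = rendered
	}
	return fmt.Sprintf("%s.%s:%d", endpoint, subdomain, port), nil
}

// AdvertisedAddresses renders every broker's address and rejects a template
// that gives two brokers the same address, which would misroute client traffic.
func AdvertisedAddresses(tmpl, subdomain string, port int, brokers []BrokerInput) ([]string, error) {
	seen := map[string]int{}
	out := make([]string, 0, len(brokers))
	for _, b := range brokers {
		addr, err := AdvertisedAddress(tmpl, subdomain, port, b)
		if err != nil {
			return nil, err
		}
		if prev, dup := seen[addr]; dup {
			return nil, fmt.Errorf("template %q gives brokers %d and %d the same address %s", tmpl, prev, b.Index, addr)
		}
		seen[addr] = b.Index
		out = append(out, addr)
	}
	return out, nil
}

func main() {
	// Constructed brokers; the IPs are not from a real cluster.
	brokers := []BrokerInput{{0, "10.0.0.10"}, {1, "10.0.0.11"}, {2, "10.0.0.12"}}
	for _, tmpl := range []string{"", "rp-{{ .Index }}", "{{ .HostIP }}", "sr"} {
		addrs, err := AdvertisedAddresses(tmpl, "sr.example.com", 30081, brokers)
		if err != nil {
			fmt.Printf("template=%q rejected: %v\n", tmpl, err)
			continue
		}
		fmt.Printf("template=%q -> %v\n", tmpl, addrs)
	}
}
```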
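Worked example for the basePath, setBasePathFromXForwardedPrefix and stripPrefix fields of the Server configuration above. This is an added illustration and not Console's (Kowl's) own HTTP code: a small Go net/http middleware that resolves the base path from the static setting or the X-Forwarded-Prefix header, strips it when stripPrefix is on, and rejects requests outside the prefix; the Probe helper and the request paths are the example's own. It also shows the practical consequence of the header option: when it is off, a client-supplied X-Forwarded-Prefix is ignored, and when it is on, the header decides the base path, which is why it belongs only behind a proxy that controls that header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PrefixConfig mirrors the three Server fields: basePath,
// setBasePathFromXForwardedPrefix and stripPrefix.
type PrefixConfig struct {
	BasePath                        string
	SetBasePathFromXForwardedPrefix bool
	StripPrefix                     bool
}

// effectiveBasePath returns the base path assumed for this request, normalised
// to "/prefix", or "" for none. With the header option on, the request header
// wins over the static setting, as documented for the field.
func effectiveBasePath(cfg PrefixConfig, r *http.Request) string {
	p := cfg.BasePath
	if cfg.SetBasePathFromXForwardedPrefix {
		if h := r.Header.Get("X-Forwarded-Prefix"); h != "" {
			p = h
		}
	}
	p = strings.Trim(p, "/")
	if p == "" {
		return ""
	}
	return "/" + p
}

// WithBasePath is the strip-prefix middleware. With StripPrefix on, requests
// must arrive under the base path and reach next with the prefix removed;
// anything outside the prefix gets a 404 instead of a second, unprefixed route.
func WithBasePath(cfg PrefixConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		base := effectiveBasePath(cfg, r)
		if base == "" || !cfg.StripPrefix {
			next.ServeHTTP(w, r) // nothing to strip, or the proxy already stripped it
			return
		}
		if r.URL.Path != base && !strings.HasPrefix(r.URL.Path, base+"/") {
			http.NotFound(w, r)
			return
		}
		r2 := r.Clone(r.Context())
		r2.URL.Path = strings.TrimPrefix(r.URL.Path, base)
		if r2.URL.Path == "" {
			r2.URL.Path = "/"
		}
		next.ServeHTTP(w, r2)
	})
}

// Probe sends one in-memory request through the middleware and reports the
// status code plus the path the inner application handler observed.
func Probe(cfg PrefixConfig, path, forwardedPrefix string) (int, string) {
	seen := ""
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.URL.Path
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if forwardedPrefix != "" {
		req.Header.Set("X-Forwarded-Prefix", forwardedPrefix)
	}
	rec := httptest.NewRecorder()
	WithBasePath(cfg, app).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	static := PrefixConfig{BasePath: "kowl/", StripPrefix: true}
	fromHeader := PrefixConfig{SetBasePathFromXForwardedPrefix: true, StripPrefix: true}
	cases := []struct {
		cfg  PrefixConfig
		path string
		hdr  string
	}{
		{static, "/kowl/api/topics", ""},
		{static, "/api/topics", ""},
		{static, "/kowl/api/topics", "/evil"}, // header ignored when the option is off
		{fromHeader, "/console/api/topics", "/console"},
		{fromHeader, "/api/topics", ""},
	}
	for _, c := range cases {
		code, seen := Probe(c.cfg, c.path, c.hdr)
		fmt.Printf("path=%s X-Forwarded-Prefix=%q -> %d, app saw %q\n", c.path, c.hdr, code, seen)
	}
}
```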