From 71f4d8c24ca7f13ecd1daf5bf655e81cc08cf80f Mon Sep 17 00:00:00 2001 From: Chris Seto Date: Wed, 17 Jul 2024 11:53:29 -0400 Subject: [PATCH] redpanda: handle cert = "" Prior to this commit, the redpanda chart would fail to render if the admin's internal TLS set cert to "" due to the order of operations in post_upgrade_job.go. The regression appeared during the conversion to go as there was previously no error handling if an invalid certificate was referenced. This failure surfaced during an attempted release of the operator as a helm test for the operator chart did exactly this. (See https://github.com/redpanda-data/helm-charts/pull/1422) This commit corrects the issue by checking TLS.IsEnabled _before_ calling MustGet which will only trigger a failure if TLS is enabled and references an invalid certificate. --- CHANGELOG.md | 12 +- .../operator/files/three_node_redpanda.yaml | 4 +- .../ci/40-empty-string-tls-novalues.yaml | 57 + charts/redpanda/post_upgrade_job.go | 14 +- .../redpanda/templates/post_upgrade_job.yaml | 8 +- ...-cluster-no-tls-no-sasl-values.yaml.golden | 2 +- ...ode-cluster-no-tls-sasl-values.yaml.golden | 2 +- .../14-prometheus-no-tls-values.yaml.golden | 2 +- .../40-empty-string-tls-novalues.yaml.golden | 1379 +++++++++++++++++ 9 files changed, 1465 insertions(+), 15 deletions(-) create mode 100644 charts/redpanda/ci/40-empty-string-tls-novalues.yaml create mode 100644 charts/redpanda/testdata/ci/40-empty-string-tls-novalues.yaml.golden diff --git a/CHANGELOG.md b/CHANGELOG.md index 12c35ac0d1..d456e938ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,16 @@ ## Redpanda Chart -### [Unreleased](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-FILLMEIN) - YYYY-MM-DD +### [Unreleased](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.13) - YYYY-MM-DD +#### Added +#### Changed +#### Fixed +* Fixed a regression where `post_upgrade_job` would fail if TLS on the admin + listener was disabled but had `cert` set to an invalid cert (e.g. `""`) +* Fixed mTLS configurations between Redpanda and Console [#1402](https://github.com/redpanda-data/helm-charts/pull/1402) +#### Removed + +### [5.8.12](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.12) - 2024-07-10 #### Added @@ -61,6 +70,7 @@ #### Added #### Changed #### Fixed +* Added missing permissions for the NodeWatcher controller (`rbac.createAdditionalControllerCRs`) #### Removed ### [0.4.25](https://github.com/redpanda-data/helm-charts/releases/tag/operator-0.4.25) - 2024-07-17 diff --git a/charts/operator/files/three_node_redpanda.yaml b/charts/operator/files/three_node_redpanda.yaml index 846543aa3b..d8784868dc 100644 --- a/charts/operator/files/three_node_redpanda.yaml +++ b/charts/operator/files/three_node_redpanda.yaml @@ -16,7 +16,7 @@ spec: external: {} port: 9644 tls: - # TODO(chrisseto): Uncomment this once the redpanda chart is fixed. + # TODO(chrisseto): Uncomment once #1428 is released # cert: "" enabled: false requireClientAuth: false @@ -27,7 +27,7 @@ spec: kafkaEndpoint: kafka-default port: 8082 tls: - # TODO(chrisseto): Uncomment this once the redpanda chart is fixed. + # TODO(chrisseto): Uncomment once #1428 is released # cert: "" enabled: false requireClientAuth: false diff --git a/charts/redpanda/ci/40-empty-string-tls-novalues.yaml b/charts/redpanda/ci/40-empty-string-tls-novalues.yaml new file mode 100644 index 0000000000..f96a88383b --- /dev/null +++ b/charts/redpanda/ci/40-empty-string-tls-novalues.yaml 
@@ -0,0 +1,57 @@ +# Copied from charts/operator/files/three_node_redpanda.yaml. The inclusion of +# tls.enabled: false and tls.cert: "" triggered failures. +console: + enabled: false +image: + repository: docker.redpanda.com/redpandadata/redpanda + tag: v23.2.2 +listeners: + admin: + external: {} + port: 9644 + tls: + cert: "" + enabled: false + requireClientAuth: false + http: + authenticationMethod: none + enabled: true + external: {} + kafkaEndpoint: kafka-default + port: 8082 + tls: + cert: "" + enabled: false + requireClientAuth: false + kafka: + authenticationMethod: none + external: {} + port: 9092 + tls: + cert: kafka-internal-0 + enabled: true + requireClientAuth: true + rpc: + port: 33145 +logging: + logLevel: trace + usageStats: + enabled: false +resources: + cpu: + cores: 1 + memory: + container: + max: 2Gi + min: 2Gi +statefulset: + replicas: 3 +storage: + persistentVolume: + enabled: true + size: 100Gi +tls: + certs: + kafka-internal-0: + caEnabled: true + enabled: true diff --git a/charts/redpanda/post_upgrade_job.go b/charts/redpanda/post_upgrade_job.go index 37f38642c7..72cd6fbd18 100644 --- a/charts/redpanda/post_upgrade_job.go +++ b/charts/redpanda/post_upgrade_job.go 
@@ -112,16 +112,20 @@ func PostUpgradeJobScript(dot *helmette.Dot) string { if RedpandaAtLeast_23_2_1(dot) { service := values.Listeners.Admin - cert := values.TLS.Certs.MustGet(service.TLS.Cert) caCert := "" - if cert.CAEnabled { - caCert = fmt.Sprintf("--cacert /etc/tls/certs/%s/ca.crt", service.TLS.Cert) - } - scheme := "http" + if service.TLS.IsEnabled(&values.TLS) { scheme = "https" + + // NB: Only call MustGet _after_ we've checked that TLS is enabled + // as setting cert to "" is a valid way to disable TLS. + cert := values.TLS.Certs.MustGet(service.TLS.Cert) + + if cert.CAEnabled { + caCert = fmt.Sprintf("--cacert /etc/tls/certs/%s/ca.crt", service.TLS.Cert) + } } url := fmt.Sprintf("%s://%s:%d/v1/debug/restart_service?service=schema-registry", scheme, InternalDomain(dot), int64(service.Port)) diff --git a/charts/redpanda/templates/post_upgrade_job.yaml b/charts/redpanda/templates/post_upgrade_job.yaml index ea513b34ec..9e54500e9e 100644 --- a/charts/redpanda/templates/post_upgrade_job.yaml +++ b/charts/redpanda/templates/post_upgrade_job.yaml 
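Review bot: The new comment `// as setting cert to "" is a valid way to disable TLS.` reads as if an empty `cert` is what switches TLS off, whereas the regression in the commit message (and the `40-empty-string-tls-novalues.yaml` fixture) has `enabled: false` doing that with `cert: ""` merely tolerated; if `IsEnabled` does not consult `cert`, a wording like `// NB: MustGet is only safe once IsEnabled has returned true: a listener with tls.enabled=false may carry an empty or dangling cert name, which must not fail rendering.` states the actual invariant, and the mirrored hunk in `charts/redpanda/templates/post_upgrade_job.yaml` should carry the same note if it is hand-maintained rather than generated. Separately, when TLS is enabled but `cert.CAEnabled` is false, `caCert` stays empty while the rendered script (visible in the golden files, outside this hunk) still runs curl with `--ssl-reqd` and no `--cacert`, so verification falls back to the system trust store and, because the command ends in `|| true`, a failure against a cert-manager self-signed chain would be swallowed silently; a why-comment on the `if cert.CAEnabled` branch saying that the restart is best-effort in that case would help the next reader. The `02-`, `04-` and `14-` golden hunks also show the empty `caCert` now rendering as a bare `\` continuation line; appending the `--cacert` argument only when `caCert != ""` would avoid that. PostUpgradeJobScript starts and ends outside the hunk.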
@@ -69,14 +69,14 @@
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}}
 {{- $service := $values.listeners.admin -}}
-{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $service.tls.cert) ))) "r") -}}
 {{- $caCert := "" -}}
-{{- if $cert.caEnabled -}}
-{{- $caCert = (printf "--cacert /etc/tls/certs/%s/ca.crt" $service.tls.cert) -}}
-{{- end -}}
 {{- $scheme := "http" -}}
 {{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}}
 {{- $scheme = "https" -}}
+{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $service.tls.cert) ))) "r") -}}
+{{- if $cert.caEnabled -}}
+{{- $caCert = (printf "--cacert /etc/tls/certs/%s/ca.crt" $service.tls.cert) -}}
+{{- end -}}
 {{- end -}}
 {{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}}
 {{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}}
diff --git a/charts/redpanda/testdata/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml.golden b/charts/redpanda/testdata/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml.golden
index cf5816e6a2..0fe5066aa6 100644
--- a/charts/redpanda/testdata/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml.golden
+++ b/charts/redpanda/testdata/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml.golden
@@ -1055,7 +1055,7 @@ spec: if [ -d "/etc/secrets/users/" ]; then IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ - --cacert /etc/tls/certs/default/ca.crt \ + \ -X PUT -u ${USER_NAME}:${PASSWORD} \ http://redpanda.default.svc.cluster.local.:9644/v1/debug/restart_service?service=schema-registry || true fi diff --git a/charts/redpanda/testdata/ci/04-one-node-cluster-no-tls-sasl-values.yaml.golden b/charts/redpanda/testdata/ci/04-one-node-cluster-no-tls-sasl-values.yaml.golden index e446b9b89d..69fdd6f66d 100644 --- a/charts/redpanda/testdata/ci/04-one-node-cluster-no-tls-sasl-values.yaml.golden +++ b/charts/redpanda/testdata/ci/04-one-node-cluster-no-tls-sasl-values.yaml.golden @@ -1184,7 +1184,7 @@ spec: if [ -d "/etc/secrets/users/" ]; then IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ - --cacert /etc/tls/certs/default/ca.crt \ + \ -X PUT -u ${USER_NAME}:${PASSWORD} \ http://redpanda.default.svc.cluster.local.:9644/v1/debug/restart_service?service=schema-registry || true fi diff --git a/charts/redpanda/testdata/ci/14-prometheus-no-tls-values.yaml.golden b/charts/redpanda/testdata/ci/14-prometheus-no-tls-values.yaml.golden index 91c898785c..e8031226bb 100644 --- a/charts/redpanda/testdata/ci/14-prometheus-no-tls-values.yaml.golden +++ b/charts/redpanda/testdata/ci/14-prometheus-no-tls-values.yaml.golden 
@@ -1100,7 +1100,7 @@ spec: if [ -d "/etc/secrets/users/" ]; then IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ - --cacert /etc/tls/certs/default/ca.crt \ + \ -X PUT -u ${USER_NAME}:${PASSWORD} \ http://redpanda.default.svc.cluster.local.:9644/v1/debug/restart_service?service=schema-registry || true fi diff --git a/charts/redpanda/testdata/ci/40-empty-string-tls-novalues.yaml.golden b/charts/redpanda/testdata/ci/40-empty-string-tls-novalues.yaml.golden new file mode 100644 index 0000000000..c73dedc304 --- /dev/null +++ b/charts/redpanda/testdata/ci/40-empty-string-tls-novalues.yaml.golden 
@@ -0,0 +1,1379 @@ +--- +# Source: redpanda/templates/poddisruptionbudget.yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda + namespace: default +spec: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + redpanda.com/poddisruptionbudget: redpanda +status: + currentHealthy: 0 + desiredHealthy: 0 + disruptionsAllowed: 0 + expectedPods: 0 +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-sts-lifecycle + namespace: default +stringData: + common.sh: |- + #!/usr/bin/env bash + + # the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME + CURL_URL="http://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9644" + + # commands used throughout + CURL_NODE_ID_CMD="curl --silent --fail ${CURL_URL}/v1/node_config" + + CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' + CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent ${CURL_URL}/v1/maintenance" + postStart.sh: |- + #!/usr/bin/env bash + # This code should be similar if not exactly the same as that found in the panda-operator, see + # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go + + # path below should match the path defined on the statefulset + source 
/var/lifecycle/common.sh + + postStartHook () { + set -x + + touch /tmp/postStartHookStarted + + until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do + sleep 0.5 + done + + echo "Clearing maintenance mode on node ${NODE_ID}" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + # a 400 here would mean not in maintenance mode + until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do + status=$(${CURL_MAINTENANCE_DELETE_CMD}) + sleep 0.5 + done + + touch /tmp/postStartHookFinished + } + + postStartHook + true + preStop.sh: |- + #!/usr/bin/env bash + # This code should be similar if not exactly the same as that found in the panda-operator, see + # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go + + touch /tmp/preStopHookStarted + + # path below should match the path defined on the statefulset + source /var/lifecycle/common.sh + + set -x + + preStopHook () { + until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do + sleep 0.5 + done + + echo "Setting maintenance mode on node ${NODE_ID}" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + until [ "${status:-}" = '"200"' ]; do + status=$(${CURL_MAINTENANCE_PUT_CMD}) + sleep 0.5 + done + + until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do + res=$(${CURL_MAINTENANCE_GET_CMD}) + finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$') + draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$') + sleep 0.5 + done + + touch /tmp/preStopHookFinished + } + preStopHook + true +type: Opaque +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-config-watcher + namespace: default +stringData: + sasl-user.sh: |- + #!/usr/bin/env bash + + trap 'error_handler $? $LINENO' ERR + + error_handler() { + echo "Error: ($1) occurred at line $2" + } + + set -e + + # rpk cluster health can exit non-zero if it's unable to dial brokers. This + # can happen for many reasons but we never want this script to crash as it + # would take down yet another broker and make a bad situation worse. + # Instead, just wait for the command to eventually exit zero. + echo "Waiting for cluster to be ready" + until rpk cluster health --watch --exit-when-healthy; do + echo "rpk cluster health failed. Waiting 5 seconds before trying again..." + sleep 5 + done + echo "Nothing to do. Sleeping..." + sleep infinity +type: Opaque +--- +# Source: redpanda/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-configurator + namespace: default +stringData: + configurator.sh: |- + set -xe + SERVICE_NAME=$1 + KUBERNETES_NODE_NAME=$2 + POD_ORDINAL=${SERVICE_NAME##*-} + BROKER_INDEX=`expr $POD_ORDINAL + 1` + + CONFIG=/etc/redpanda/redpanda.yaml + + # Setup config files + cp /tmp/base-config/redpanda.yaml "${CONFIG}" + cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml + + LISTENER="{\"address\":\"${SERVICE_NAME}.redpanda.default.svc.cluster.local.\",\"name\":\"internal\",\"port\":9092}" + rpk redpanda config --config "$CONFIG" set redpanda.advertised_kafka_api[0] "$LISTENER" + + ADVERTISED_KAFKA_ADDRESSES=() + + PREFIX_TEMPLATE="" + ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + PREFIX_TEMPLATE="" + 
ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + PREFIX_TEMPLATE="" + ADVERTISED_KAFKA_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":31092}") + + rpk redpanda config --config "$CONFIG" set redpanda.advertised_kafka_api[1] "${ADVERTISED_KAFKA_ADDRESSES[$POD_ORDINAL]}" + + LISTENER="{\"address\":\"${SERVICE_NAME}.redpanda.default.svc.cluster.local.\",\"name\":\"internal\",\"port\":8082}" + rpk redpanda config --config "$CONFIG" set pandaproxy.advertised_pandaproxy_api[0] "$LISTENER" + + ADVERTISED_HTTP_ADDRESSES=() + + PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + PREFIX_TEMPLATE="" + ADVERTISED_HTTP_ADDRESSES+=("{\"address\":\"${SERVICE_NAME}\",\"name\":\"default\",\"port\":30082}") + + rpk redpanda config --config "$CONFIG" set pandaproxy.advertised_pandaproxy_api[1] "${ADVERTISED_HTTP_ADDRESSES[$POD_ORDINAL]}" +type: Opaque +--- +# Source: redpanda/templates/configmap.yaml +apiVersion: v1 +data: + bootstrap.yaml: |- + compacted_log_segment_size: 67108864 + default_topic_replications: 3 + enable_rack_awareness: false + enable_sasl: false + group_topic_partitions: 16 + kafka_batch_max_bytes: 1048576 + kafka_connection_rate_limit: 1000 + kafka_enable_authorization: false + log_segment_size: 134217728 + log_segment_size_max: 268435456 + log_segment_size_min: 16777216 + max_compacted_log_segment_size: 536870912 + storage_min_free_bytes: 5368709120 + topic_partitions_per_shard: 1000 + redpanda.yaml: |- + config_file: /etc/redpanda/redpanda.yaml + pandaproxy: + pandaproxy_api: + - address: 0.0.0.0 + authentication_method: none + name: internal + port: 8082 + - address: 0.0.0.0 + name: default + port: 8083 + pandaproxy_api_tls: null + pandaproxy_client: + broker_tls: + cert_file: 
/etc/tls/certs/kafka-internal-0/tls.crt + enabled: true + key_file: /etc/tls/certs/kafka-internal-0/tls.key + require_client_auth: true + truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt + brokers: + - address: redpanda-0.redpanda.default.svc.cluster.local. + port: 9092 + - address: redpanda-1.redpanda.default.svc.cluster.local. + port: 9092 + - address: redpanda-2.redpanda.default.svc.cluster.local. + port: 9092 + redpanda: + admin: + - address: 0.0.0.0 + name: internal + port: 9644 + - address: 0.0.0.0 + name: default + port: 9645 + admin_api_tls: null + compacted_log_segment_size: 67108864 + crash_loop_limit: 5 + default_topic_replications: 3 + empty_seed_starts_cluster: false + enable_sasl: false + group_topic_partitions: 16 + kafka_api: + - address: 0.0.0.0 + authentication_method: none + name: internal + port: 9092 + - address: 0.0.0.0 + name: default + port: 9094 + kafka_api_tls: + - cert_file: /etc/tls/certs/kafka-internal-0/tls.crt + enabled: true + key_file: /etc/tls/certs/kafka-internal-0/tls.key + name: internal + require_client_auth: true + truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + kafka_batch_max_bytes: 1048576 + kafka_connection_rate_limit: 1000 + kafka_enable_authorization: false + log_segment_size: 134217728 + log_segment_size_max: 268435456 + log_segment_size_min: 16777216 + max_compacted_log_segment_size: 536870912 + rpc_server: + address: 0.0.0.0 + port: 33145 + rpc_server_tls: + cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + seed_servers: + - host: + address: redpanda-0.redpanda.default.svc.cluster.local. + port: 33145 + - host: + address: redpanda-1.redpanda.default.svc.cluster.local. 
+ port: 33145 + - host: + address: redpanda-2.redpanda.default.svc.cluster.local. + port: 33145 + storage_min_free_bytes: 5368709120 + topic_partitions_per_shard: 1000 + rpk: + additional_start_flags: + - --default-log-level=trace + - --memory=1638M + - --reserve-memory=204M + - --smp=1 + admin_api: + addresses: + - redpanda-0.redpanda.default.svc.cluster.local.:9644 + - redpanda-1.redpanda.default.svc.cluster.local.:9644 + - redpanda-2.redpanda.default.svc.cluster.local.:9644 + tls: null + enable_memory_locking: false + kafka_api: + brokers: + - redpanda-0.redpanda.default.svc.cluster.local.:9092 + - redpanda-1.redpanda.default.svc.cluster.local.:9092 + - redpanda-2.redpanda.default.svc.cluster.local.:9092 + tls: + cert_file: /etc/tls/certs/redpanda-client/tls.crt + key_file: /etc/tls/certs/redpanda-client/tls.key + truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt + overprovisioned: false + tune_aio_events: true + schema_registry: + schema_registry_api: + - address: 0.0.0.0 + name: internal + port: 8081 + - address: 0.0.0.0 + name: default + port: 8084 + schema_registry_api_tls: + - cert_file: /etc/tls/certs/default/tls.crt + enabled: true + key_file: /etc/tls/certs/default/tls.key + name: internal + require_client_auth: false + truststore_file: /etc/tls/certs/default/ca.crt + - cert_file: /etc/tls/certs/external/tls.crt + enabled: true + key_file: /etc/tls/certs/external/tls.key + name: default + require_client_auth: false + truststore_file: /etc/tls/certs/external/ca.crt + schema_registry_client: + broker_tls: + cert_file: /etc/tls/certs/kafka-internal-0/tls.crt + enabled: true + key_file: /etc/tls/certs/kafka-internal-0/tls.key + require_client_auth: true + truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt + brokers: + - address: redpanda-0.redpanda.default.svc.cluster.local. + port: 9092 + - address: redpanda-1.redpanda.default.svc.cluster.local. + port: 9092 + - address: redpanda-2.redpanda.default.svc.cluster.local. 
+ port: 9092 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda + namespace: default +--- +# Source: redpanda/templates/configmap.yaml +apiVersion: v1 +data: + profile: |- + admin_api: + addresses: + - redpanda-0:31644 + - redpanda-1:31644 + - redpanda-2:31644 + tls: null + kafka_api: + brokers: + - redpanda-0:31092 + - redpanda-1:31092 + - redpanda-2:31092 + tls: + ca_file: ca.crt + cert_file: /etc/tls/certs/redpanda-client/tls.crt + key_file: /etc/tls/certs/redpanda-client/tls.key + name: default +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-rpk + namespace: default +--- +# Source: redpanda/templates/service.internal.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + monitoring.redpanda.com/enabled: "false" + name: redpanda + namespace: default +spec: + clusterIP: None + ports: + - name: admin + port: 9644 + protocol: TCP + targetPort: 9644 + - name: http + port: 8082 + protocol: TCP + targetPort: 8082 + - name: kafka + port: 9092 + protocol: TCP + targetPort: 9092 + - name: rpc + port: 33145 + protocol: TCP + targetPort: 33145 + - name: schemaregistry + port: 8081 + protocol: TCP + targetPort: 8081 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + type: ClusterIP +status: + 
loadBalancer: {} +--- +# Source: redpanda/templates/service.nodeport.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-external + namespace: default +spec: + externalTrafficPolicy: Local + ports: + - name: admin-default + nodePort: 31644 + port: 9645 + protocol: TCP + targetPort: 0 + - name: kafka-default + nodePort: 31092 + port: 9094 + protocol: TCP + targetPort: 0 + - name: http-default + nodePort: 30082 + port: 8083 + protocol: TCP + targetPort: 0 + - name: schema-default + nodePort: 30081 + port: 8084 + protocol: TCP + targetPort: 0 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + sessionAffinity: None + type: NodePort +status: + loadBalancer: {} +--- +# Source: redpanda/templates/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda + namespace: default +spec: + podManagementPolicy: Parallel + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + serviceName: redpanda + template: + metadata: + annotations: + config.redpanda.com/checksum: 7d7e998dba100735893ba73afa92e160d57f0e0f45ce15680dfef3e05bebb3fc + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + 
redpanda.com/poddisruptionbudget: redpanda + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + topologyKey: kubernetes.io/hostname + containers: + - command: + - rpk + - redpanda + - start + - --advertise-rpc-addr=$(SERVICE_NAME).redpanda.default.svc.cluster.local.:33145 + env: + - name: SERVICE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + lifecycle: + postStart: + exec: + command: + - /bin/bash + - -c + - | + timeout -v 45 bash -x /var/lifecycle/postStart.sh + true + preStop: + exec: + command: + - /bin/bash + - -c + - | + timeout -v 45 bash -x /var/lifecycle/preStop.sh + true # do not fail and cause the pod to terminate + livenessProbe: + exec: + command: + - /bin/sh + - -c + - curl --silent --fail -k -m 5 "http://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready" + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + name: redpanda + ports: + - containerPort: 9644 + name: admin + - containerPort: 9645 + name: admin-default + - containerPort: 8082 + name: http + - containerPort: 8083 + name: http-default + - containerPort: 9092 + name: kafka + - containerPort: 9094 + name: kafka-default + - containerPort: 33145 + name: rpc + - containerPort: 8081 + name: schemaregistry + - containerPort: 8084 + name: schema-default + readinessProbe: + exec: + command: + - /bin/sh + - -c + - | + set -x + RESULT=$(rpk cluster health) + echo $RESULT + echo $RESULT | grep 'Healthy:.*true' + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 0 + resources: + limits: + cpu: 1 + memory: 2Gi + 
requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: null + runAsGroup: 101 + runAsNonRoot: null + runAsUser: 101 + startupProbe: + exec: + command: + - /bin/sh + - -c + - | + set -e + RESULT=$(curl --silent --fail -k -m 5 "http://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") + echo $RESULT + echo $RESULT | grep ready + failureThreshold: 120 + initialDelaySeconds: 1 + periodSeconds: 10 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + - mountPath: /etc/redpanda + name: config + - mountPath: /tmp/base-config + name: redpanda + - mountPath: /var/lifecycle + name: lifecycle-scripts + - mountPath: /var/lib/redpanda/data + name: datadir + - args: + - -c + - trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh + & wait $! 
+ command: + - /bin/sh + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + name: config-watcher + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + - mountPath: /etc/redpanda + name: config + - mountPath: /etc/secrets/config-watcher/scripts + name: redpanda-config-watcher + imagePullSecrets: null + initContainers: + - command: + - /bin/bash + - -c + - rpk redpanda tune all + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + name: tuning + resources: {} + securityContext: + capabilities: + add: + - SYS_RESOURCE + privileged: true + runAsGroup: 0 + runAsUser: 0 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + - mountPath: /etc/redpanda + name: redpanda + - command: + - /bin/bash + - -c + - trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" + & wait $! 
+ env: + - name: CONFIGURATOR_SCRIPT + value: /etc/secrets/configurator/scripts/configurator.sh + - name: SERVICE_NAME + valueFrom: + configMapKeyRef: null + fieldRef: + fieldPath: metadata.name + resourceFieldRef: null + secretKeyRef: null + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP_ADDRESS + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + name: redpanda-configurator + resources: {} + securityContext: + allowPrivilegeEscalation: null + runAsGroup: 101 + runAsNonRoot: null + runAsUser: 101 + volumeMounts: + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + - mountPath: /etc/redpanda + name: config + - mountPath: /tmp/base-config + name: redpanda + - mountPath: /etc/secrets/configurator/scripts/ + name: redpanda-configurator + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + terminationGracePeriodSeconds: 90 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: redpanda-statefulset + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: redpanda-default-cert + secret: + defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert + - name: redpanda-kafka-internal-0-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-cert + - name: lifecycle-scripts + secret: + defaultMode: 509 + secretName: 
redpanda-sts-lifecycle + - configMap: + name: redpanda + name: redpanda + - emptyDir: {} + name: config + - name: redpanda-configurator + secret: + defaultMode: 509 + secretName: redpanda-configurator + - name: redpanda-config-watcher + secret: + defaultMode: 509 + secretName: redpanda-config-watcher + - name: redpanda-fs-validator + secret: + defaultMode: 509 + secretName: redpanda-fs-validator + - name: datadir + persistentVolumeClaim: + claimName: datadir + updateStrategy: + type: RollingUpdate + volumeClaimTemplates: + - metadata: + annotations: null + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + name: datadir + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Gi + status: {} +status: + availableReplicas: 0 + replicas: 0 +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-default-root-certificate + namespace: default +spec: + commonName: redpanda-default-root-certificate + duration: 43800h + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-default-selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-default-root-certificate +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-external-root-certificate + namespace: default +spec: + commonName: 
redpanda-external-root-certificate + duration: 43800h + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-external-selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-external-root-certificate +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-kafka-internal-0-root-certificate + namespace: default +spec: + commonName: redpanda-kafka-internal-0-root-certificate + duration: 43800h + isCA: true + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-kafka-internal-0-selfsigned-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-kafka-internal-0-root-certificate +status: {} +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-default-cert + namespace: default +spec: + dnsNames: + - redpanda-cluster.redpanda.default.svc.cluster.local + - redpanda-cluster.redpanda.default.svc + - redpanda-cluster.redpanda.default + - '*.redpanda-cluster.redpanda.default.svc.cluster.local' + - '*.redpanda-cluster.redpanda.default.svc' + - '*.redpanda-cluster.redpanda.default' + - redpanda.default.svc.cluster.local + - redpanda.default.svc + - redpanda.default + - '*.redpanda.default.svc.cluster.local' + - '*.redpanda.default.svc' + - '*.redpanda.default' + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-default-root-issuer + privateKey: + 
algorithm: ECDSA + size: 256 + secretName: redpanda-default-cert +status: {} +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-external-cert + namespace: default +spec: + dnsNames: + - redpanda-cluster.redpanda.default.svc.cluster.local + - redpanda-cluster.redpanda.default.svc + - redpanda-cluster.redpanda.default + - '*.redpanda-cluster.redpanda.default.svc.cluster.local' + - '*.redpanda-cluster.redpanda.default.svc' + - '*.redpanda-cluster.redpanda.default' + - redpanda.default.svc.cluster.local + - redpanda.default.svc + - redpanda.default + - '*.redpanda.default.svc.cluster.local' + - '*.redpanda.default.svc' + - '*.redpanda.default' + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-external-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-external-cert +status: {} +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-kafka-internal-0-cert + namespace: default +spec: + dnsNames: + - redpanda-cluster.redpanda.default.svc.cluster.local + - redpanda-cluster.redpanda.default.svc + - redpanda-cluster.redpanda.default + - '*.redpanda-cluster.redpanda.default.svc.cluster.local' + - '*.redpanda-cluster.redpanda.default.svc' + - '*.redpanda-cluster.redpanda.default' + - redpanda.default.svc.cluster.local + - redpanda.default.svc + - redpanda.default + - '*.redpanda.default.svc.cluster.local' + - 
'*.redpanda.default.svc' + - '*.redpanda.default' + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-kafka-internal-0-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-kafka-internal-0-cert +status: {} +--- +# Source: redpanda/templates/certs.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-client +spec: + commonName: redpanda-client + duration: 43800h + isCA: false + issuerRef: + group: cert-manager.io + kind: Issuer + name: redpanda-kafka-internal-0-root-issuer + privateKey: + algorithm: ECDSA + size: 256 + secretName: redpanda-client +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-default-selfsigned-issuer + namespace: default +spec: + selfSigned: {} +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-default-root-issuer + namespace: default +spec: + ca: + secretName: redpanda-default-root-certificate +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: 
redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-external-selfsigned-issuer + namespace: default +spec: + selfSigned: {} +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-external-root-issuer + namespace: default +spec: + ca: + secretName: redpanda-external-root-certificate +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-kafka-internal-0-selfsigned-issuer + namespace: default +spec: + selfSigned: {} +status: {} +--- +# Source: redpanda/templates/cert-issuers.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-kafka-internal-0-root-issuer + namespace: default +spec: + ca: + secretName: redpanda-kafka-internal-0-root-certificate +status: {} +--- +# Source: redpanda/templates/post-install-upgrade-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-5" + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-configuration + namespace: default +spec: + template: + metadata: + creationTimestamp: null + generateName: redpanda-post- + labels: + app.kubernetes.io/component: redpanda-post-install + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + spec: + affinity: {} + containers: + - args: + - | + set -e + if [[ -n "$REDPANDA_LICENSE" ]] then + rpk cluster license set "$REDPANDA_LICENSE" + fi + + + + + rpk cluster config export -f /tmp/cfg.yml + + + for KEY in "${!RPK_@}"; do + config="${KEY#*RPK_}" + rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}" + done + + + rpk cluster config import -f /tmp/cfg.yml + command: + - bash + - -c + env: [] + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + name: redpanda-post-install + resources: {} + securityContext: + runAsGroup: 101 + runAsUser: 101 + volumeMounts: + - mountPath: /etc/redpanda + name: config + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + imagePullSecrets: null + nodeSelector: {} + restartPolicy: Never + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + tolerations: null + volumes: + - configMap: + name: redpanda + name: config + - name: redpanda-default-cert + secret: + defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert + - name: redpanda-kafka-internal-0-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-cert +status: {} +--- +# Source: redpanda/templates/post-upgrade.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: post-upgrade + 
helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-10" + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda + app.kubernetes.io/instance: redpanda + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redpanda + helm.sh/chart: redpanda-5.8.12 + name: redpanda-post-upgrade + namespace: default +spec: + backoffLimit: null + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: redpanda-post-upgrade + app.kubernetes.io/instance: redpanda + app.kubernetes.io/name: redpanda + name: redpanda + spec: + affinity: {} + containers: + - args: + - | + set -e + + rpk cluster config set default_topic_replications 3 + rpk cluster config set storage_min_free_bytes 5368709120 + if [ -d "/etc/secrets/users/" ]; then + IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print)) + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + \ + -X PUT -u ${USER_NAME}:${PASSWORD} \ + http://redpanda.default.svc.cluster.local.:9644/v1/debug/restart_service?service=schema-registry || true + fi + command: + - /bin/bash + - -c + env: null + envFrom: null + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + name: redpanda-post-upgrade + resources: null + securityContext: + runAsGroup: 101 + runAsUser: 101 + volumeMounts: + - mountPath: /etc/redpanda + name: config + - mountPath: /etc/tls/certs/default + name: redpanda-default-cert + - mountPath: /etc/tls/certs/external + name: redpanda-external-cert + - mountPath: /etc/tls/certs/kafka-internal-0 + name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/redpanda-client + name: mtls-client + imagePullSecrets: null + nodeSelector: {} + restartPolicy: Never + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + serviceAccountName: default + tolerations: [] + volumes: + - configMap: + name: redpanda + name: config + - name: redpanda-default-cert + secret: + 
defaultMode: 288 + secretName: redpanda-default-cert + - name: redpanda-external-cert + secret: + defaultMode: 288 + secretName: redpanda-external-cert + - name: redpanda-kafka-internal-0-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-cert +status: {}