{ "description": "User defines the CRD for a Redpanda user.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Defines the desired state of the Redpanda user.", "properties": { "authentication": { "description": "Authentication defines the authentication information for a user. If no\nAuthentication credentials are specified, then no user will be created.\nThis is useful when wanting to manage ACLs for an already-existing user.", "properties": { "password": { "description": "Password specifies where a password is read from.", "properties": { "value": { "description": "Value is a hardcoded value to use for the given password. It should only be used for testing purposes.\nIn production, use ValueFrom.", "type": "string" }, "valueFrom": { "description": "ValueFrom specifies a source for a password to be fetched from when specifying or generating user credentials.", "properties": { "secretKeyRef": { "description": "SecretKeyRef specifies the secret used in reading a User password.\nIf the Secret exists and has a value in it, then that value is used.\nIf the Secret does not exist, or is empty, a password is generated and\nstored based on this configuration.", "properties": { "key": { "description": "The key of the secret to select from. Must be a valid secret key.", "type": "string" }, "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" }, "optional": { "description": "Specify whether the Secret or its key must be defined", "type": "boolean" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "secretKeyRef" ], "type": "object", "additionalProperties": false } }, "required": [ "valueFrom" ], "type": "object", "x-kubernetes-validations": [ { "message": "valueFrom must not be empty if no value supplied", "rule": "self.value != \"\" || has(self.valueFrom)" } ], "additionalProperties": false }, "type": { "default": "scram-sha-512", "description": "SASL mechanism to use for the user credentials. Valid values are:\n- scram-sha-512\n- scram-sha-256", "enum": [ "scram-sha-256", "scram-sha-512", "SCRAM-SHA-256", "SCRAM-SHA-512" ], "type": "string" } }, "required": [ "password" ], "type": "object", "additionalProperties": false }, "authorization": { "description": "Authorization rules defined for this user.", "properties": { "acls": { "description": "List of ACL rules which should be applied to this user.", "items": { "description": "ACLRule defines an ACL rule applied to the given user.\n\nValidations taken from https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75978240", "properties": { "host": { "default": "*", "description": "The host from which the action described in the ACL rule is allowed or denied.\nIf not set, it defaults to *, allowing or denying the action from any host.", "type": "string" }, "operations": { "description": "List of operations which will be allowed or denied. Valid values are resource type dependent, but include:\n- Read\n- Write\n- Delete\n- Alter\n- Describe\n- IdempotentWrite\n- ClusterAction\n- Create\n- AlterConfigs\n- DescribeConfigs", "items": { "description": "ACLOperation specifies the type of operation for an ACL.", "type": "string" }, "maxItems": 11, "minItems": 1, "type": "array" }, "resource": { "description": "Indicates the resource for which given ACL rule applies.", "properties": { "name": { "description": "Name of resource for which given ACL rule applies. If using type `cluster` this must not be specified.\nCan be combined with patternType field to use prefix pattern.", "type": "string" }, "patternType": { "default": "literal", "description": "Describes the pattern used in the resource field. The supported types are literal\nand prefixed. With literal pattern type, the resource field will be used as a definition\nof a full topic name. With prefix pattern type, the resource name will be used only as\na prefix. Prefixed patterns can only be specified when using types `topic`, `group`, or\n`transactionalId`. Default value is literal. Valid values:\n- literal\n- prefixed", "enum": [ "literal", "prefixed" ], "type": "string" }, "type": { "description": "Type specifies the type of resource an ACL is applied to. Valid values:\n- topic\n- group\n- cluster\n- transactionalId", "enum": [ "topic", "group", "cluster", "transactionalId" ], "type": "string" } }, "required": [ "name", "type" ], "type": "object", "x-kubernetes-validations": [ { "message": "prefixed pattern type only supported for ['group', 'topic', 'transactionalId']", "rule": "self.type in ['group', 'topic', 'transactionalId'] ? true : !has(self.patternType) || self.patternType != 'prefixed'" }, { "message": "name must not be specified for type ['cluster']", "rule": "self.type == \"cluster\" ? (self.name == \"\") : true" }, { "message": "acl rules on non-cluster resources must specify a name", "rule": "self.type == \"cluster\" ? true : (self.name != \"\")" } ], "additionalProperties": false }, "type": { "description": "Type specifies the type of ACL rule to create. Valid values are:\n- allow\n- deny", "enum": [ "allow", "deny" ], "type": "string" } }, "required": [ "operations", "resource", "type" ], "type": "object", "x-kubernetes-validations": [ { "message": "supported topic operations are ['Alter', 'AlterConfigs', 'Create', 'Delete', 'Describe', 'DescribeConfigs', 'Read', 'Write']", "rule": "self.resource.type == 'topic' ? self.operations.all(o, o in ['Alter', 'AlterConfigs', 'Create', 'Delete', 'Describe', 'DescribeConfigs', 'Read', 'Write']) : true" }, { "message": "supported group operations are ['Delete', 'Describe', 'Read']", "rule": "self.resource.type == 'group' ? self.operations.all(o, o in ['Delete', 'Describe', 'Read']) : true" }, { "message": "supported transactionalId operations are ['Describe', 'Write']", "rule": "self.resource.type == 'transactionalId' ? self.operations.all(o, o in ['Describe', 'Write']) : true" }, { "message": "supported cluster operations are ['Alter', 'AlterConfigs', 'ClusterAction', 'Create', 'Describe', 'DescribeConfigs', 'IdempotentWrite']", "rule": "self.resource.type == 'cluster' ? self.operations.all(o, o in ['Alter', 'AlterConfigs', 'ClusterAction', 'Create', 'Describe', 'DescribeConfigs', 'IdempotentWrite']) : true" } ], "additionalProperties": false }, "maxItems": 1024, "type": "array" }, "type": { "default": "simple", "description": "Type specifies the type of authorization to use for User ACLs. If unspecified, defaults to `simple`. Valid values are:\n- simple", "enum": [ "simple" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "cluster": { "description": "ClusterSource is a reference to the cluster where the user should be created.\nIt is used in constructing the client created to configure a cluster.", "properties": { "clusterRef": { "description": "ClusterRef is a reference to the cluster where the object should be created.\nIt is used in constructing the client created to configure a cluster.\nThis takes precedence over StaticConfigurationSource.", "properties": { "name": { "description": "Name specifies the name of the cluster being referenced.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "staticConfiguration": { "description": "StaticConfiguration holds connection parameters to Kafka and Admin APIs.", "properties": { "admin": { "description": "AdminAPISpec is the configuration information for communicating with the Admin\nAPI of a Redpanda cluster where the object should be created.", "properties": { "sasl": { "description": "Defines authentication configuration settings for Redpanda clusters that have authentication enabled.", "properties": { "mechanism": { "description": "Specifies the SASL/SCRAM authentication mechanism.", "type": "string" }, "passwordSecretRef": { "description": "Specifies the password.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "token": { "description": "Specifies token for token-based authentication (only used if no username/password are provided).", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "username": { "description": "Specifies the username.", "type": "string" } }, "required": [ "mechanism" ], "type": "object", "additionalProperties": false }, "tls": { "description": "Defines TLS configuration settings for Redpanda clusters that have TLS enabled.", "properties": { "caCertSecretRef": { "description": "CaCert is the reference for certificate authority used to establish TLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "certSecretRef": { "description": "Cert is the reference for client public certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "insecureSkipTlsVerify": { "description": "InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda", "type": "boolean" }, "keySecretRef": { "description": "Key is the reference for client private certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "urls": { "description": "Specifies a list of broker addresses in the format :", "items": { "type": "string" }, "type": "array" } }, "required": [ "urls" ], "type": "object", "additionalProperties": false }, "kafka": { "description": "Kafka is the configuration information for communicating with the Kafka\nAPI of a Redpanda cluster where the object should be created.", "properties": { "brokers": { "description": "Specifies a list of broker addresses in the format :", "items": { "type": "string" }, "type": "array" }, "sasl": { "description": "Defines authentication configuration settings for Redpanda clusters that have authentication enabled.", "properties": { "awsMskIam": { "description": "KafkaSASLAWSMskIam is the config for AWS IAM SASL mechanism,\nsee: https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html", "properties": { "accessKey": { "type": "string" }, "secretKeySecretRef": { "description": "SecretKeyRef contains enough information to inspect or modify the referred Secret data\nSee https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "sessionTokenSecretRef": { "description": "SessionToken, if non-empty, is a session / security token to use for authentication.\nSee: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "userAgent": { "description": "UserAgent is the user agent to for the client to use when connecting\nto Kafka, overriding the default \"franz-go//\".\n\nSetting a UserAgent allows authorizing based on the aws:UserAgent\ncondition key; see the following link for more details:\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent", "type": "string" } }, "required": [ "accessKey", "secretKeySecretRef", "sessionTokenSecretRef", "userAgent" ], "type": "object", "additionalProperties": false }, "gssapi": { "description": "KafkaSASLGSSAPI represents the Kafka Kerberos config.", "properties": { "authType": { "type": "string" }, "enableFast": { "description": "EnableFAST enables FAST, which is a pre-authentication framework for Kerberos.\nIt includes a mechanism for tunneling pre-authentication exchanges using armored KDC messages.\nFAST provides increased resistance to passive password guessing attacks.", "type": "boolean" }, "kerberosConfigPath": { "type": "string" }, "keyTabPath": { "type": "string" }, "passwordSecretRef": { "description": "SecretKeyRef contains enough information to inspect or modify the referred Secret data\nSee https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "realm": { "type": "string" }, "serviceName": { "type": "string" }, "username": { "type": "string" } }, "required": [ "authType", "enableFast", "kerberosConfigPath", "keyTabPath", "passwordSecretRef", "realm", "serviceName", "username" ], "type": "object", "additionalProperties": false }, "mechanism": { "description": "Specifies the SASL/SCRAM authentication mechanism.", "type": "string" }, "oauth": { "description": "KafkaSASLOAuthBearer is the config struct for the SASL OAuthBearer mechanism", "properties": { "tokenSecretRef": { "description": "SecretKeyRef contains enough information to inspect or modify the referred Secret data\nSee https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false } }, "required": [ "tokenSecretRef" ], "type": "object", "additionalProperties": false }, "passwordSecretRef": { "description": "Specifies the password.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "username": { "description": "Specifies the username.", "type": "string" } }, "required": [ "mechanism" ], "type": "object", "additionalProperties": false }, "tls": { "description": "Defines TLS configuration settings for Redpanda clusters that have TLS enabled.", "properties": { "caCertSecretRef": { "description": "CaCert is the reference for certificate authority used to establish TLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "certSecretRef": { "description": "Cert is the reference for client public certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "insecureSkipTlsVerify": { "description": "InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda", "type": "boolean" }, "keySecretRef": { "description": "Key is the reference for client private certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "brokers" ], "type": "object", "additionalProperties": false }, "schemaRegistry": { "description": "SchemaRegistry is the configuration information for communicating with the Schema Registry\nAPI of a Redpanda cluster where the object should be created.", "properties": { "sasl": { "description": "Defines authentication configuration settings for Redpanda clusters that have authentication enabled.", "properties": { "mechanism": { "description": "Specifies the SASL/SCRAM authentication mechanism.", "type": "string" }, "passwordSecretRef": { "description": "Specifies the password.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "token": { "description": "SecretKeyRef contains enough information to inspect or modify the referred Secret data\nSee https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference.", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "username": { "description": "Specifies the username.", "type": "string" } }, "required": [ "mechanism" ], "type": "object", "additionalProperties": false }, "tls": { "description": "Defines TLS configuration settings for Redpanda clusters that have TLS enabled.", "properties": { "caCertSecretRef": { "description": "CaCert is the reference for certificate authority used to establish TLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "certSecretRef": { "description": "Cert is the reference for client public certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "insecureSkipTlsVerify": { "description": "InsecureSkipTLSVerify can skip verifying Redpanda self-signed certificate when establish TLS connection to Redpanda", "type": "boolean" }, "keySecretRef": { "description": "Key is the reference for client private certificate to establish mTLS connection to Redpanda", "properties": { "key": { "description": "Key in Secret data to get value from", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "urls": { "description": "Specifies a list of broker addresses in the format :", "items": { "type": "string" }, "type": "array" } }, "required": [ "urls" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "spec.cluster.staticConfiguration.admin: required value", "rule": "!has(self.staticConfiguration) || has(self.staticConfiguration.admin)" }, { "message": "spec.cluster.staticConfiguration.kafka: required value", "rule": "!has(self.staticConfiguration) || has(self.staticConfiguration.kafka)" }, { "message": "either clusterRef or staticConfiguration must be set", "rule": "has(self.clusterRef) || has(self.staticConfiguration)" }, { "message": "ClusterSource is immutable", "rule": "self == oldSelf" } ], "additionalProperties": false }, "template": { "description": "Template to specify how user secrets are generated.", "properties": { "secret": { "description": "Specifies how the Secret with a user password is generated.", "properties": { "metadata": { "description": "Metadata specifies additional metadata to associate with a resource.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations specifies the Kubernetes annotations to apply to a managed resource.", "type": "object" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels specifies the Kubernetes labels to apply to a managed resource.", "type": "object" } }, "type": "object", "additionalProperties": false } }, "required": [ "metadata" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "cluster" ], "type": "object", "additionalProperties": false }, "status": { "default": { "conditions": [ { "lastTransitionTime": "1970-01-01T00:00:00Z", "message": "Waiting for controller", "reason": "Pending", "status": "Unknown", "type": "Synced" } ] }, "description": "Represents the current status of the Redpanda user.", "properties": { "conditions": { "description": "Conditions holds the conditions for the Redpanda user.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "managedAcls": { "description": "ManagedACLs returns whether the user has managed ACLs that need\nto be cleaned up.", "type": "boolean" }, "managedUser": { "description": "ManagedUser returns whether the user has a managed SCRAM user that need\nto be cleaned up.", "type": "boolean" }, "observedGeneration": { "description": "Specifies the last observed generation.", "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }