{
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "The specification of the user.",
      "properties": {
        "authentication": {
          "description": "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with a user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate, but prepares the user for mutual TLS authentication using a user certificate generated outside the User Operator.\n  ACLs and quotas set for this user are configured in the `CN=<username>` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `<username>` format suitable for SASL authentication.",
          "properties": {
            "password": {
              "description": "Specify the password for the user. If not set, a new password is generated by the User Operator.",
              "properties": {
                "valueFrom": {
                  "description": "Secret from which the password should be read.",
                  "properties": {
                    "secretKeyRef": {
                      "description": "Selects a key of a Secret in the resource's namespace.",
                      "properties": {
                        "key": {
                          "type": "string"
                        },
                        "name": {
                          "type": "string"
                        },
                        "optional": {
                          "type": "boolean"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "valueFrom"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "type": {
              "description": "Authentication type.",
              "enum": [
                "tls",
                "tls-external",
                "scram-sha-512"
              ],
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "authorization": {
          "description": "Authorization rules for this Kafka user.",
          "properties": {
            "acls": {
              "description": "List of ACL rules which should be applied to this user.",
              "items": {
                "properties": {
                  "host": {
                    "description": "The host from which the action described in the ACL rule is allowed or denied. If not set, it defaults to `*`, allowing or denying the action from any host.",
                    "type": "string"
                  },
                  "operations": {
                    "description": "List of operations to allow or deny. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All. Only certain operations work with the specified resource.",
                    "items": {
                      "enum": [
                        "Read",
                        "Write",
                        "Create",
                        "Delete",
                        "Alter",
                        "Describe",
                        "ClusterAction",
                        "AlterConfigs",
                        "DescribeConfigs",
                        "IdempotentWrite",
                        "All"
                      ],
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "resource": {
                    "description": "Indicates the resource to which the ACL rule applies.",
                    "properties": {
                      "name": {
                        "description": "Name of the resource to which the ACL rule applies. Can be combined with the `patternType` field to use a prefix pattern.",
                        "type": "string"
                      },
                      "patternType": {
                        "description": "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`.",
                        "enum": [
                          "literal",
                          "prefix"
                        ],
                        "type": "string"
                      },
                      "type": {
                        "description": "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`.",
                        "enum": [
                          "topic",
                          "group",
                          "cluster",
                          "transactionalId"
                        ],
                        "type": "string"
                      }
                    },
                    "required": [
                      "type"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": {
                    "description": "The type of the rule. ACL rules with type `allow` permit the user to execute the specified operations. ACL rules with type `deny` prevent the user from executing the specified operations. Default value is `allow`.",
                    "enum": [
                      "allow",
                      "deny"
                    ],
                    "type": "string"
                  }
                },
                "required": [
                  "resource",
                  "operations"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "type": {
              "description": "Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules.",
              "enum": [
                "simple"
              ],
              "type": "string"
            }
          },
          "required": [
            "acls",
            "type"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "quotas": {
          "description": "Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced. Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas.",
          "properties": {
            "consumerByteRate": {
              "description": "A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.",
              "minimum": 0,
              "type": "integer"
            },
            "controllerMutationRate": {
              "description": "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted.",
              "minimum": 0,
              "type": "number"
            },
            "producerByteRate": {
              "description": "A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis.",
              "minimum": 0,
              "type": "integer"
            },
            "requestPercentage": {
              "description": "A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads.",
              "minimum": 0,
              "type": "integer"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "template": {
          "description": "Template to specify how Kafka User `Secrets` are generated.",
          "properties": {
            "secret": {
              "description": "Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated.",
              "properties": {
                "metadata": {
                  "description": "Metadata applied to the resource.",
                  "properties": {
                    "annotations": {
                      "additionalProperties": {
                        "type": "string"
                      },
                      "description": "Annotations added to the Kubernetes resource.",
                      "type": "object"
                    },
                    "labels": {
                      "additionalProperties": {
                        "type": "string"
                      },
                      "description": "Labels added to the Kubernetes resource.",
                      "type": "object"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "The status of the Kafka User.",
      "properties": {
        "conditions": {
          "description": "List of status conditions.",
          "items": {
            "properties": {
              "lastTransitionTime": {
                "description": "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone.",
                "type": "string"
              },
              "message": {
                "description": "Human-readable message indicating details about the condition's last transition.",
                "type": "string"
              },
              "reason": {
                "description": "The reason for the condition's last transition (a single word in CamelCase).",
                "type": "string"
              },
              "status": {
                "description": "The status of the condition, either True, False or Unknown.",
                "type": "string"
              },
              "type": {
                "description": "The unique identifier of a condition, used to distinguish between other conditions in the resource.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "observedGeneration": {
          "description": "The generation of the CRD that was last reconciled by the operator.",
          "type": "integer"
        },
        "secret": {
          "description": "The name of `Secret` where the credentials are stored.",
          "type": "string"
        },
        "username": {
          "description": "Username.",
          "type": "string"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
