init files for template

Author: jacobecox

redpanda/versions/1.0.0/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: redpanda
+description: Kafka-compatible event streaming platform with built-in Schema Registry and no ZooKeeper.
+type: application
+version: 1.0.0
+appVersion: "26.1"
+
+dependencies:
+  - name: cpln-common
+    version: 1.0.0
+    repository: "oci://ghcr.io/controlplane-com/templates"
+
+annotations:
+  created: "2026-06-04"
+  lastModified: "2026-06-04"
+  category: "event-streaming"
+  createsGvc: false

redpanda/versions/1.0.0/templates/_helpers.tpl

@@ -0,0 +1,46 @@
+{{/*
+Release name
+*/}}
+{{- define "redpanda.name" -}}
+{{- printf "%s" .Release.Name -}}
+{{- end }}
+
+{{/*
+Broker cluster workload name
+*/}}
+{{- define "redpanda.clusterName" -}}
+{{- printf "%s-%s" (include "redpanda.name" .) .Values.redpanda.name -}}
+{{- end }}
+
+{{/*
+Console workload name
+*/}}
+{{- define "redpanda.consoleName" -}}
+{{- printf "%s-%s" (include "redpanda.name" .) .Values.redpanda_console.name -}}
+{{- end }}
+
+{{/*
+Default replication factor: min(3, replicas). Redpanda rejects a replication factor greater
+than the number of brokers, so we clamp to the cluster size.
+*/}}
+{{- define "redpanda.defaultReplicationFactor" -}}
+{{- $replicas := .Values.redpanda.replicas | int -}}
+{{- if lt $replicas 3 -}}{{ $replicas }}{{- else -}}3{{- end -}}
+{{- end }}
+
+{{/*
+Validate replica count — Raft consensus requires an odd number for quorum.
+*/}}
+{{- define "redpanda.validateReplicas" -}}
+{{- $replicas := .Values.redpanda.replicas | int -}}
+{{- if or (eq $replicas 2) (eq $replicas 4) (gt $replicas 5) -}}
+  {{- fail "redpanda.replicas must be 1, 3, or 5 — Raft consensus requires an odd number for quorum." -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "redpanda.tags" -}}
+{{- include "cpln-common.tags" . }}
+{{- end }}

redpanda/versions/1.0.0/templates/domain.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.redpanda.listeners.kafka.external }}
+kind: domain
+name: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.publicAddress }}
+description: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.publicAddress }}
+spec:
+  acceptAllHosts: false
+  acceptAllSubdomains: false
+  certChallengeType: dns01
+  dnsMode: cname
+  ports:
+    - number: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.containerPort }}
+      protocol: tcp
+      routes:
+        - port: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.containerPort }}
+          prefix: /
+          workloadLink: //gvc/{{ .Values.global.cpln.gvc }}/workload/{{ include "redpanda.clusterName" . }}
+      tls:
+        cipherSuites:
+          - ECDHE-ECDSA-AES256-GCM-SHA384
+          - ECDHE-ECDSA-CHACHA20-POLY1305
+          - ECDHE-ECDSA-AES128-GCM-SHA256
+          - ECDHE-RSA-AES256-GCM-SHA384
+          - ECDHE-RSA-CHACHA20-POLY1305
+          - ECDHE-RSA-AES128-GCM-SHA256
+          - AES256-GCM-SHA384
+          - AES128-GCM-SHA256
+        minProtocolVersion: TLSV1_2
+  workloadLink: //gvc/{{ .Values.global.cpln.gvc }}/workload/{{ include "redpanda.clusterName" . }}
+{{- end }}

redpanda/versions/1.0.0/templates/identity.yaml

@@ -0,0 +1,4 @@
+kind: identity
+name: {{ include "redpanda.name" . }}
+description: {{ include "redpanda.clusterName" . }} identity
+gvc: {{ .Values.global.cpln.gvc }}

redpanda/versions/1.0.0/templates/policy.yaml

@@ -0,0 +1,12 @@
+kind: policy
+name: {{ include "redpanda.name" . }}
+origin: default
+bindings:
+  - permissions:
+      - reveal
+    principalLinks:
+      - //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "redpanda.name" . }}
+targetKind: secret
+targetLinks:
+  - //secret/{{ include "redpanda.name" . }}-init
+  - //secret/{{ include "redpanda.name" . }}-secrets

redpanda/versions/1.0.0/templates/secret-console-config.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.redpanda_console.enabled }}
+{{- $adminUser := index .Values.redpanda.auth.users 0 }}
+kind: secret
+name: {{ include "redpanda.name" . }}-console-config
+type: opaque
+data:
+  encoding: plain
+  payload: |
+    kafka:
+      brokers:
+        - {{ include "redpanda.clusterName" . }}:{{ .Values.redpanda.listeners.kafka.internal.port }}
+      sasl:
+        enabled: true
+        mechanism: {{ .Values.redpanda.auth.saslMechanism }}
+        username: {{ $adminUser.username }}
+        password: $(REDPANDA_CONSOLE_PASSWORD)
+    redpanda:
+      adminApi:
+        enabled: true
+        urls:
+          - http://{{ include "redpanda.clusterName" . }}:{{ .Values.redpanda.listeners.adminApi.port }}
+    schemaRegistry:
+      enabled: true
+      urls:
+        - http://{{ include "redpanda.clusterName" . }}:{{ .Values.redpanda.listeners.schemaRegistry.port }}
+      authentication:
+        method: http_basic
+        username: {{ $adminUser.username }}
+        password: $(REDPANDA_CONSOLE_PASSWORD)
+{{- end }}

redpanda/versions/1.0.0/templates/secret-init.yaml

@@ -0,0 +1,91 @@
+kind: secret
+name: {{ include "redpanda.name" . }}-init
+type: opaque
+data:
+  encoding: plain
+  payload: |
+    #!/bin/bash
+    set -euo pipefail
+
+    # Derive pod identity from hostname (e.g. myapp-cluster-2 -> ordinal=2, cluster=myapp-cluster)
+    ORDINAL=$(echo "$HOSTNAME" | awk -F'-' '{print $NF}')
+    CLUSTER_NAME=$(echo "$HOSTNAME" | sed 's/-[0-9]*$//')
+    NODE_FQDN="${HOSTNAME}.${CLUSTER_NAME}"
+
+    # Build seed_servers so every broker knows the full cluster topology on first boot
+    SEED_SERVERS=""
+    for i in $(seq 0 $(( {{ .Values.redpanda.replicas }} - 1 ))); do
+        SEED_SERVERS="${SEED_SERVERS}    - host:
+            address: ${CLUSTER_NAME}-${i}.${CLUSTER_NAME}
+            port: 33145
+    "
+    done
+
+    cat > /etc/redpanda/redpanda.yaml << REDPANDA_CFG
+    redpanda:
+      data_directory: /var/lib/redpanda/data
+      node_id: ${ORDINAL}
+      enable_sasl: true
+      superusers:
+        - {{ (index .Values.redpanda.auth.users 0).username }}
+    {{- range .Values.redpanda.auth.superusers }}
+        - {{ . }}
+    {{- end }}
+      seed_servers:
+    ${SEED_SERVERS}
+      rpc_api:
+        address: 0.0.0.0
+        port: 33145
+      advertised_rpc_api:
+        address: ${NODE_FQDN}
+        port: 33145
+      kafka_api:
+        - address: 0.0.0.0
+          port: {{ .Values.redpanda.listeners.kafka.internal.port }}
+          name: internal
+          authentication_method: sasl
+    {{- if .Values.redpanda.listeners.kafka.external }}
+        - address: 0.0.0.0
+          port: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.containerPort }}
+          name: external
+          authentication_method: sasl
+    {{- end }}
+      advertised_kafka_api:
+        - address: ${NODE_FQDN}
+          port: {{ .Values.redpanda.listeners.kafka.internal.port }}
+          name: internal
+    {{- if .Values.redpanda.listeners.kafka.external }}
+        - address: ${ORDINAL}.{{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.publicAddress }}
+          port: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.containerPort }}
+          name: external
+    {{- end }}
+      admin_api:
+        - address: 0.0.0.0
+          port: {{ .Values.redpanda.listeners.adminApi.port }}
+      default_topic_replications: {{ include "redpanda.defaultReplicationFactor" . }}
+      transaction_coordinator_replication: {{ include "redpanda.defaultReplicationFactor" . }}
+      id_allocator_replication: {{ include "redpanda.defaultReplicationFactor" . }}
+      kafka_api_allow_everyone_if_no_acl_is_set_on_client_request: {{ .Values.redpanda.acl.allowEveryoneIfNoAclFound }}
+    {{- if .Values.redpanda.secrets.cluster_id }}
+      cluster_id: {{ .Values.redpanda.secrets.cluster_id | quote }}
+    {{- end }}
+    {{- range $key, $value := .Values.redpanda.extra_configurations }}
+      {{ $key }}: {{ $value }}
+    {{- end }}
+
+    schema_registry:
+      schema_registry_api:
+        - address: 0.0.0.0
+          port: {{ .Values.redpanda.listeners.schemaRegistry.port }}
+          authentication_method: http_basic
+    {{- if .Values.redpanda.listeners.pandaproxy.enabled }}
+
+    pandaproxy:
+      pandaproxy_api:
+        - address: 0.0.0.0
+          port: {{ .Values.redpanda.listeners.pandaproxy.port }}
+          authentication_method: http_basic
+    {{- end }}
+    REDPANDA_CFG
+
+    exec redpanda start --config /etc/redpanda/redpanda.yaml

redpanda/versions/1.0.0/templates/secret-secrets.yaml

@@ -0,0 +1,7 @@
+kind: secret
+name: {{ include "redpanda.name" . }}-secrets
+type: dictionary
+data:
+{{- range .Values.redpanda.auth.users }}
+  {{ .username }}-password: {{ .password }}
+{{- end }}

redpanda/versions/1.0.0/templates/volumesets.yaml

@@ -0,0 +1,14 @@
+kind: volumeset
+name: {{ include "redpanda.name" . }}-data
+description: {{ include "redpanda.clusterName" . }} data
+gvc: {{ .Values.global.cpln.gvc }}
+spec:
+  initialCapacity: {{ .Values.redpanda.volume.initialCapacity }}
+  performanceClass: {{ .Values.redpanda.volume.performanceClass }}
+  fileSystemType: {{ .Values.redpanda.volume.fileSystemType }}
+  {{- if and .Values.redpanda.volume.customEncryption .Values.redpanda.volume.customEncryption.enabled }}
+  customEncryption:
+    regions:
+      {{ .Values.redpanda.volume.customEncryption.region }}:
+        keyId: '{{ .Values.redpanda.volume.customEncryption.keyId }}'
+  {{- end }}