working version

Author: jacobecox

redpanda/versions/1.0.0/templates/domain.yaml

@@ -27,3 +27,31 @@ spec:
         minProtocolVersion: TLSV1_2
   workloadLink: //gvc/{{ .Values.global.cpln.gvc }}/workload/{{ include "redpanda.clusterName" . }}
 {{- end }}
+{{- if .Values.redpanda_console.domain }}
+
+---
+kind: domain
+name: {{ .Values.redpanda_console.domain }}
+description: {{ .Values.redpanda_console.domain }}
+spec:
+  acceptAllHosts: false
+  dnsMode: cname
+  ports:
+    - number: 443
+      protocol: http2
+      routes:
+        - port: 8080
+          prefix: /
+          workloadLink: //gvc/{{ .Values.global.cpln.gvc }}/workload/{{ include "redpanda.consoleName" . }}
+      tls:
+        cipherSuites:
+          - ECDHE-ECDSA-AES256-GCM-SHA384
+          - ECDHE-ECDSA-CHACHA20-POLY1305
+          - ECDHE-ECDSA-AES128-GCM-SHA256
+          - ECDHE-RSA-AES256-GCM-SHA384
+          - ECDHE-RSA-CHACHA20-POLY1305
+          - ECDHE-RSA-AES128-GCM-SHA256
+          - AES256-GCM-SHA384
+          - AES128-GCM-SHA256
+        minProtocolVersion: TLSV1_2
+{{- end }}

redpanda/versions/1.0.0/templates/identity.yaml

@@ -1,4 +1,4 @@
 kind: identity
 name: {{ include "redpanda.name" . }}
-description: {{ include "redpanda.clusterName" . }} identity
+description: Redpanda identity
 gvc: {{ .Values.global.cpln.gvc }}

redpanda/versions/1.0.0/templates/policy.yaml

@@ -1,6 +1,6 @@
 kind: policy
 name: {{ include "redpanda.name" . }}
-description: {{ include "redpanda.name" . }}
+description: Redpanda secrets access policy
 origin: default
 bindings:
   - permissions:
@@ -11,3 +11,6 @@ targetKind: secret
 targetLinks:
   - //secret/{{ include "redpanda.name" . }}-init
   - //secret/{{ include "redpanda.name" . }}-secrets
+  {{- if .Values.redpanda_console.enabled }}
+  - //secret/{{ include "redpanda.name" . }}-console-config
+  {{- end }}

redpanda/versions/1.0.0/templates/secret-console-config.yaml

@@ -2,7 +2,7 @@
 {{- $adminUser := index .Values.redpanda.auth.users 0 }}
 kind: secret
 name: {{ include "redpanda.name" . }}-console-config
-description: {{ include "redpanda.name" . }}-console-config
+description: Redpanda console configuration
 type: opaque
 data:
   encoding: plain
@@ -14,7 +14,7 @@ data:
         enabled: true
         mechanism: {{ .Values.redpanda.auth.saslMechanism }}
         username: {{ $adminUser.username }}
-        password: $(REDPANDA_CONSOLE_PASSWORD)
+        password: {{ $adminUser.password }}
     redpanda:
       adminApi:
         enabled: true
@@ -25,7 +25,7 @@ data:
       urls:
         - http://{{ include "redpanda.clusterName" . }}:{{ .Values.redpanda.listeners.schemaRegistry.port }}
       authentication:
-        method: http_basic
-        username: {{ $adminUser.username }}
-        password: $(REDPANDA_CONSOLE_PASSWORD)
+        basic:
+          username: {{ $adminUser.username }}
+          password: {{ $adminUser.password }}
 {{- end }}

redpanda/versions/1.0.0/templates/secret-init.yaml

@@ -1,6 +1,6 @@
 kind: secret
 name: {{ include "redpanda.name" . }}-init
-description: {{ include "redpanda.name" . }}-init
+description: Redpanda broker startup script
 type: opaque
 data:
   encoding: plain
@@ -34,7 +34,7 @@ data:
     {{- end }}
       seed_servers:
     ${SEED_SERVERS}
-      rpc_api:
+      rpc_server:
         address: 0.0.0.0
         port: 33145
       advertised_rpc_api:
@@ -60,7 +60,7 @@ data:
           port: {{ .Values.redpanda.listeners.kafka.external.directReplicaRouting.containerPort }}
           name: external
     {{- end }}
-      admin_api:
+      admin:
         - address: 0.0.0.0
           port: {{ .Values.redpanda.listeners.adminApi.port }}
       default_topic_replications: {{ include "redpanda.defaultReplicationFactor" . }}
@@ -79,14 +79,30 @@ data:
         - address: 0.0.0.0
           port: {{ .Values.redpanda.listeners.schemaRegistry.port }}
           authentication_method: http_basic
+
+    # Redpanda v25.2+ removed ephemeral credentials for internal clients.
+    # The schema registry client needs explicit SASL credentials to reach the Kafka API.
+    schema_registry_client:
+      scram_username: {{ (index .Values.redpanda.auth.users 0).username }}
+      scram_password: ${REDPANDA_{{ (index .Values.redpanda.auth.users 0).username | upper | replace "-" "_" }}_PASSWORD}
+      sasl_mechanism: {{ .Values.redpanda.auth.saslMechanism }}
     {{- if .Values.redpanda.listeners.pandaproxy.enabled }}
 
     pandaproxy:
       pandaproxy_api:
         - address: 0.0.0.0
           port: {{ .Values.redpanda.listeners.pandaproxy.port }}
           authentication_method: http_basic
+
+    pandaproxy_client:
+      scram_username: {{ (index .Values.redpanda.auth.users 0).username }}
+      scram_password: ${REDPANDA_{{ (index .Values.redpanda.auth.users 0).username | upper | replace "-" "_" }}_PASSWORD}
+      sasl_mechanism: {{ .Values.redpanda.auth.saslMechanism }}
     {{- end }}
     REDPANDA_CFG
 
-    exec redpanda start --config /etc/redpanda/redpanda.yaml
+    # Remove stale pid lock from previous container; safe because our new container process
+    # tree is separate — once the old container exits, the kernel releases the flock.
+    rm -f /var/lib/redpanda/data/pid.lock
+
+    exec redpanda --redpanda-cfg /etc/redpanda/redpanda.yaml --smp {{ .Values.redpanda.smp }} --reserve-memory {{ .Values.redpanda.reserveMemory }}

redpanda/versions/1.0.0/templates/secret-secrets.yaml

@@ -1,6 +1,6 @@
 kind: secret
 name: {{ include "redpanda.name" . }}-secrets
-description: {{ include "redpanda.name" . }}-secrets
+description: Redpanda user credentials
 type: dictionary
 data:
 {{- range .Values.redpanda.auth.users }}

redpanda/versions/1.0.0/templates/volumesets.yaml

@@ -1,6 +1,6 @@
 kind: volumeset
 name: {{ include "redpanda.name" . }}-data
-description: {{ include "redpanda.clusterName" . }} data
+description: Redpanda volume set
 gvc: {{ .Values.global.cpln.gvc }}
 spec:
   initialCapacity: {{ .Values.redpanda.volume.initialCapacity }}

redpanda/versions/1.0.0/templates/workload-redpanda-cluster.yaml

@@ -1,7 +1,7 @@
 {{- include "redpanda.validateReplicas" . }}
 kind: workload
 name: {{ include "redpanda.clusterName" . }}
-description: {{ include "redpanda.clusterName" . }}
+description: Redpanda broker cluster
 gvc: {{ .Values.global.cpln.gvc }}
 tags:
   # Brokers must resolve peer FQDNs for Raft consensus before they are Ready.
@@ -25,11 +25,16 @@ spec:
               - '-c'
               - |
                 ORDINAL=$(echo "$HOSTNAME" | awk -F'-' '{print $NF}')
+                CLUSTER_NAME=$(echo "$HOSTNAME" | sed 's/-[0-9]*$//')
                 ADMIN="localhost:{{ .Values.redpanda.listeners.adminApi.port }}"
-                until curl -sf "http://${ADMIN}/v1/health" | grep -q '"is_healthy":true'; do sleep 2; done
+                ADMIN_HOSTS=""
+                for i in $(seq 0 $(( {{ .Values.redpanda.replicas }} - 1 ))); do
+                  ADMIN_HOSTS="${ADMIN_HOSTS:+${ADMIN_HOSTS},}${CLUSTER_NAME}-${i}.${CLUSTER_NAME}:{{ .Values.redpanda.listeners.adminApi.port }}"
+                done
+                until curl -sf "http://${ADMIN}/v1/cluster/health_overview" 2>/dev/null | grep -qE '"is_healthy"\s*:\s*true'; do sleep 2; done
                 [ "$ORDINAL" != "0" ] && exit 0
                 {{- range .Values.redpanda.auth.users }}
-                rpk security user create {{ .username }} --password "$REDPANDA_{{ .username | upper | replace "-" "_" }}_PASSWORD" --mechanism {{ $.Values.redpanda.auth.saslMechanism }} --api-addr "$ADMIN" || true
+                rpk security user create {{ .username }} --password "$REDPANDA_{{ .username | upper | replace "-" "_" }}_PASSWORD" --mechanism {{ $.Values.redpanda.auth.saslMechanism }} -X admin.hosts="${ADMIN_HOSTS}" || true
                 {{- end }}
         # Transfer all partition leadership off this broker before Kubernetes sends
         # SIGTERM. By the time SIGTERM arrives the broker holds no leadership, so
@@ -39,7 +44,7 @@ spec:
             command:
               - /bin/bash
               - '-c'
-              - rpk cluster maintenance enable --wait --api-addr localhost:{{ .Values.redpanda.listeners.adminApi.port }} || true
+              - rpk cluster maintenance enable --wait -X admin.hosts=localhost:{{ .Values.redpanda.listeners.adminApi.port }} || true
       cpu: '{{ .Values.redpanda.cpu }}'
       {{- if .Values.redpanda.minCpu }}
       minCpu: '{{ .Values.redpanda.minCpu }}'
@@ -91,9 +96,11 @@ spec:
         initialDelaySeconds: 20
         periodSeconds: 10
         successThreshold: 1
-        httpGet:
-          path: /v1/health
-          port: {{ .Values.redpanda.listeners.adminApi.port }}
+        exec:
+          command:
+            - /bin/bash
+            - '-c'
+            - curl -sf http://localhost:{{ .Values.redpanda.listeners.adminApi.port }}/v1/cluster/health_overview | grep -qE '"is_healthy"\s*:\s*true'
         timeoutSeconds: 5
       volumes:
         - path: /var/lib/redpanda/data

redpanda/versions/1.0.0/templates/workload-redpanda-console.yaml

@@ -1,53 +1,8 @@
 {{- if .Values.redpanda_console.enabled }}
 {{- $adminUser := index .Values.redpanda.auth.users 0 }}
-{{- if .Values.redpanda_console.domain }}
-kind: domain
-name: {{ .Values.redpanda_console.domain }}
-description: {{ .Values.redpanda_console.domain }}
-spec:
-  acceptAllHosts: false
-  dnsMode: cname
-  ports:
-    - number: 443
-      protocol: http2
-      routes:
-        - port: 8080
-          prefix: /
-          workloadLink: //gvc/{{ .Values.global.cpln.gvc }}/workload/{{ include "redpanda.consoleName" . }}
-      tls:
-        cipherSuites:
-          - ECDHE-ECDSA-AES256-GCM-SHA384
-          - ECDHE-ECDSA-CHACHA20-POLY1305
-          - ECDHE-ECDSA-AES128-GCM-SHA256
-          - ECDHE-RSA-AES256-GCM-SHA384
-          - ECDHE-RSA-CHACHA20-POLY1305
-          - ECDHE-RSA-AES128-GCM-SHA256
-          - AES256-GCM-SHA384
-          - AES128-GCM-SHA256
-        minProtocolVersion: TLSV1_2
----
-{{- end }}
-kind: policy
-name: {{ include "redpanda.consoleName" . }}
-origin: default
-bindings:
-  - permissions:
-      - reveal
-    principalLinks:
-      - //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "redpanda.consoleName" . }}
-targetKind: secret
-targetLinks:
-  - //secret/{{ include "redpanda.name" . }}-secrets
-  - //secret/{{ include "redpanda.name" . }}-console-config
----
-kind: identity
-name: {{ include "redpanda.consoleName" . }}
-description: {{ include "redpanda.consoleName" . }} identity
-gvc: {{ .Values.global.cpln.gvc }}
----
 kind: workload
 name: {{ include "redpanda.consoleName" . }}
-description: {{ include "redpanda.consoleName" . }}
+description: Redpanda Console
 gvc: {{ .Values.global.cpln.gvc }}
 tags:
   {{- include "redpanda.tags" . | nindent 2 }}
@@ -105,7 +60,7 @@ spec:
       inboundAllowType: {{ default "[]" .Values.redpanda_console.firewall.internal_inboundAllowType }}
     {{- end }}
   {{- end }}
-  identityLink: //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "redpanda.consoleName" . }}
+  identityLink: //gvc/{{ .Values.global.cpln.gvc }}/identity/{{ include "redpanda.name" . }}
   loadBalancer:
     direct:
       enabled: false

redpanda/versions/1.0.0/values.yaml

@@ -9,6 +9,11 @@ redpanda:
   memory: 4Gi
   minCpu: 500m
   minMemory: 2Gi
+  # smp: number of Seastar reactor threads — must match the container's vCPU count (floor of cpu limit).
+  # Without this, Seastar uses all node CPUs and divides memory across them, starving each shard.
+  smp: 1
+  # reserveMemory: memory set aside for the OS; Redpanda uses (memory - reserveMemory).
+  reserveMemory: 1G
 
   volume:
     initialCapacity: 10 # In GB