operator: add PodDisruptionBudget support to Pipeline CRD

Add spec.budget field to Pipeline with maxUnavailable/minAvailable
options, following the convention used by Strimzi and Prometheus
Operator. The PDB is rendered by the Syncer alongside the Deployment
and ConfigMap, so it is automatically garbage-collected on CR deletion.

CRD validation enforces exactly one of maxUnavailable or minAvailable
via CEL rule. RBAC updated for policy/poddisruptionbudgets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: david-yu

operator/api/redpanda/v1alpha2/pipeline_types.go

@@ -12,6 +12,7 @@ package v1alpha2
 import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/utils/ptr"
 
 	"github.com/redpanda-data/redpanda-operator/operator/pkg/functional"
@@ -178,11 +179,33 @@ type PipelineSpec struct {
 	// +optional
 	Zones []string `json:"zones,omitempty"`
 
+	// Budget configures a PodDisruptionBudget for the pipeline Deployment,
+	// protecting pipeline pods from voluntary disruptions such as node drains
+	// and cluster autoscaler evictions. When not set, no PDB is created.
+	// +optional
+	Budget *PipelineBudget `json:"budget,omitempty"`
+
 	// ClusterSource is a reference to the Redpanda cluster this pipeline connects to.
 	// +optional
 	ClusterSource *ClusterSource `json:"cluster,omitempty"`
 }
 
+// PipelineBudget configures a PodDisruptionBudget for the pipeline.
+// Exactly one of MaxUnavailable or MinAvailable must be specified.
+// +kubebuilder:validation:XValidation:message="exactly one of maxUnavailable or minAvailable must be set",rule="has(self.maxUnavailable) != has(self.minAvailable)"
+type PipelineBudget struct {
+	// MaxUnavailable is the maximum number of pipeline pods that can be
+	// unavailable during a voluntary disruption. Can be an absolute number
+	// (e.g. 1) or a percentage (e.g. "25%").
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
+	// MinAvailable is the minimum number of pipeline pods that must remain
+	// available during a voluntary disruption. Can be an absolute number
+	// (e.g. 2) or a percentage (e.g. "75%").
+	// +optional
+	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty"`
+}
+
 // PipelineStatus defines the observed state of a Connect resource.
 type PipelineStatus struct {
 	// ObservedGeneration is the last observed generation of the Connect resource.

operator/api/redpanda/v1alpha2/testdata/crd-docs.adoc

@@ -2325,6 +2325,35 @@ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-
 |===
 
 
+[id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-pipelinebudget"]
+==== PipelineBudget
+
+
+
+PipelineBudget configures a PodDisruptionBudget for the pipeline.
+Exactly one of MaxUnavailable or MinAvailable must be specified.
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-pipelinespec[$$PipelineSpec$$]
+****
+
+[cols="20a,50a,15a,15a", options="header"]
+|===
+| Field | Description | Default | Validation
+| *`maxUnavailable`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#intorstring-intstr-util[$$IntOrString$$]__ | MaxUnavailable is the maximum number of pipeline pods that can be +
+unavailable during a voluntary disruption. Can be an absolute number +
+(e.g. 1) or a percentage (e.g. "25%"). + |  | Optional: \{} +
+
+| *`minAvailable`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#intorstring-intstr-util[$$IntOrString$$]__ | MinAvailable is the minimum number of pipeline pods that must remain +
+available during a voluntary disruption. Can be an absolute number +
+(e.g. 2) or a percentage (e.g. "75%"). + |  | Optional: \{} +
+
+|===
+
+
 [id="{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-pipelinephase"]
 ==== PipelinePhase
 
@@ -2422,6 +2451,10 @@ be spread. When set, the controller configures: +
 - A topology spread constraint to distribute pods evenly across zones +
 The zone label used is "topology.kubernetes.io/zone". + |  | Optional: \{} +
 
+| *`budget`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-pipelinebudget[$$PipelineBudget$$]__ | Budget configures a PodDisruptionBudget for the pipeline Deployment, +
+protecting pipeline pods from voluntary disruptions such as node drains +
+and cluster autoscaler evictions. When not set, no PDB is created. + |  | Optional: \{} +
+
 | *`cluster`* __xref:{anchor_prefix}-github-com-redpanda-data-redpanda-operator-operator-api-redpanda-v1alpha2-clustersource[$$ClusterSource$$]__ | ClusterSource is a reference to the Redpanda cluster this pipeline connects to. + |  | Optional: \{} +
 
 |===

operator/api/redpanda/v1alpha2/zz_generated.deepcopy.go

@@ -30,11 +30,12 @@ package v1alpha2
 import (
 	"testing"
 
-	"github.com/redpanda-data/common-go/rp-controller-utils/deprecations"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/redpanda-data/common-go/rp-controller-utils/deprecations"
 )
 
 func TestDeprecatedFieldWarnings(t *testing.T) {

operator/api/redpanda/v1alpha2/zz_generated.deprecations_test.go

@@ -5,33 +5,22 @@ metadata:
   name: pipeline
 rules:
   - apiGroups:
-      - cluster.redpanda.com
+      - ""
     resources:
-      - pipelines
+      - configmaps
     verbs:
+      - create
+      - delete
       - get
       - list
-      - watch
-      - update
       - patch
-  - apiGroups:
-      - cluster.redpanda.com
-    resources:
-      - pipelines/status
-    verbs:
-      - get
-      - update
-      - patch
-  - apiGroups:
-      - cluster.redpanda.com
-    resources:
-      - pipelines/finalizers
-    verbs:
       - update
+      - watch
   - apiGroups:
-      - cluster.redpanda.com
+      - ""
     resources:
-      - redpandas
+      - pods
+      - secrets
     verbs:
       - get
       - list
@@ -41,37 +30,41 @@ rules:
     resources:
       - deployments
     verbs:
+      - create
+      - delete
       - get
       - list
-      - watch
-      - create
-      - update
       - patch
-      - delete
+      - update
+      - watch
   - apiGroups:
-      - ""
+      - cluster.redpanda.com
     resources:
-      - pods
+      - pipelines
     verbs:
       - get
       - list
+      - patch
+      - update
       - watch
   - apiGroups:
-      - ""
+      - cluster.redpanda.com
     resources:
-      - configmaps
+      - pipelines/finalizers
     verbs:
-      - get
-      - list
-      - watch
-      - create
       - update
+  - apiGroups:
+      - cluster.redpanda.com
+    resources:
+      - pipelines/status
+    verbs:
+      - get
       - patch
-      - delete
+      - update
   - apiGroups:
-      - ""
+      - cluster.redpanda.com
     resources:
-      - secrets
+      - redpandas
     verbs:
       - get
       - list
@@ -81,10 +74,22 @@ rules:
     resources:
       - podmonitors
     verbs:
+      - create
+      - delete
       - get
       - list
+      - patch
+      - update
       - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
       - create
-      - update
-      - patch
       - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch