From 951450e765f0489a38475e4a4518c7866611517a Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Sun, 14 Jan 2024 20:37:53 -0500
Subject: [PATCH 01/12] Update community files (#3601)
Signed-off-by: Knative Automation
---
OWNERS_ALIASES | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 52d3e60588..745269ebe3 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -74,12 +74,8 @@ aliases:
 - lberk
 - matzew
 eventing-rabbitmq-approvers:
- - andrew-su
- - chunyilyu
 - gabo1208
- - joeeltgroth
- - salaboy
- - xtreme-sameer-vohra
+ - tcnghia
 eventing-redis-approvers:
 - aavarghese
 - lionelvillard
From e256d3af8ea0638e83be408a2f879b3196b53a25 Mon Sep 17 00:00:00 2001
From: Matthias Wessendorf
Date: Mon, 15 Jan 2024 13:34:26 +0100
Subject: [PATCH 02/12] Bump strimzi 0.39.0 kafka 3.6.1 (#3565)
* :dizzy: Bump Apache Kafka version
Signed-off-by: Matthias Wessendorf
* :dizzy: Bump Strimzi operator
Signed-off-by: Matthias Wessendorf
---------
Signed-off-by: Matthias Wessendorf
---
test/kafka/kafka-ephemeral.yaml | 2 +-
test/kafka/strimzi-cluster-operator.yaml | 15094 +++++++++++----------
2 files changed, 7576 insertions(+), 7520 deletions(-)
diff --git a/test/kafka/kafka-ephemeral.yaml b/test/kafka/kafka-ephemeral.yaml
index 00523f2fe7..9d6f5c330a 100644
--- a/test/kafka/kafka-ephemeral.yaml
+++ b/test/kafka/kafka-ephemeral.yaml
@@ -18,7 +18,7 @@ metadata:
 name: my-cluster
 spec:
 kafka:
- version: 3.6.0
+ version: 3.6.1
 replicas: 3
 listeners:
 # PLAINTEXT
diff --git a/test/kafka/strimzi-cluster-operator.yaml b/test/kafka/strimzi-cluster-operator.yaml
index 5f5ac99e39..cb5398e141 100644
--- a/test/kafka/strimzi-cluster-operator.yaml
+++ b/test/kafka/strimzi-cluster-operator.yaml
@@ -1,69 +1,3 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: strimzi-cluster-operator - labels: - app: strimzi -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-cluster-operator-namespaced - apiGroup: rbac.authorization.k8s.io - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: strimzi-cluster-operator - labels: - app: strimzi -data: - log4j2.properties: | - name = COConfig - monitorInterval = 30 - - appender.console.type = Console - appender.console.name = STDOUT - appender.console.layout.type = PatternLayout - appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n - - rootLogger.level = ${env:STRIMZI_LOG_LEVEL:-INFO} - rootLogger.appenderRefs = stdout - rootLogger.appenderRef.console.ref = STDOUT - - # Kafka AdminClient logging is a bit noisy at INFO level - logger.kafka.name = org.apache.kafka - logger.kafka.level = WARN - - # Zookeeper is very verbose even on INFO level -> We set it to WARN by default - logger.zookeepertrustmanager.name = org.apache.zookeeper - logger.zookeepertrustmanager.level = WARN - - # Keeps separate level for Netty logging -> to not be changed by the root logger - logger.netty.name = io.netty - logger.netty.level = INFO - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-kafka-broker - labels: - app: strimzi -rules: - - apiGroups: - - "" - resources: - # The Kafka Brokers require "get" permissions to view the node they are on - # This information is used to generate a Rack ID that is used for High Availability configurations - - nodes - verbs: - - get - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -113,13 +47,13 @@ spec: properties: version: type: string - description: "The Kafka Connect version. Defaults to {DefaultKafkaVersion}. Consult the user documentation to understand the process required to upgrade or downgrade the version." + description: The Kafka Connect version. Defaults to the latest version. Consult the user documentation to understand the process required to upgrade or downgrade the version. replicas: type: integer description: The number of pods in the Kafka Connect group. Defaults to `3`. image: type: string - description: The docker image for the pods. + description: "The container image used for Kafka Connect pods. If no image name is explicitly specified, it is determined based on the `spec.version` configuration. The image names are specifically mapped to corresponding versions in the Cluster Operator configuration." bootstrapServers: type: string description: Bootstrap servers to connect to. This should be given as a comma separated list of __:__ pairs. @@ -884,7 +818,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." @@ -1601,7 +1535,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." 
@@ -1791,7 +1725,7 @@ spec: description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. description: Template for Secret of the Kafka Connect Cluster JMX authentication. - description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Deployment`, `Pods` and `Service` are generated." + description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated." externalConfiguration: type: object properties: @@ -2009,7 +1943,7 @@ spec: optional: type: boolean description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' required: - type - valueFrom 
@@ -2074,65 +2008,36 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: strimzi-entity-operator + name: strimzi-kafka-broker labels: app: strimzi rules: - - apiGroups: - - "kafka.strimzi.io" - resources: - # The entity operator runs the KafkaTopic assembly operator, which needs to access and manage KafkaTopic resources - - kafkatopics - - kafkatopics/status - # The entity operator runs the KafkaUser assembly operator, which needs to access and manage KafkaUser resources - - kafkausers - - kafkausers/status - verbs: - - get - - list - - watch - - create - - patch - - update - - delete - - apiGroups: - - "" - resources: - - events - verbs: - # The entity operator needs to be able to create events - - create - apiGroups: - "" resources: - # The entity operator user-operator needs to access and manage secrets to store generated credentials - - secrets + # The Kafka Brokers require "get" permissions to view the node they are on + # This information is used to generate a Rack ID that is used for High Availability configurations + - nodes verbs: - get - - list - - watch - - create - - delete - - patch - - update --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: kafkatopics.kafka.strimzi.io + name: kafkausers.kafka.strimzi.io labels: app: strimzi strimzi.io/crd-install: "true" spec: group: kafka.strimzi.io names: - kind: KafkaTopic - listKind: KafkaTopicList - singular: kafkatopic - plural: kafkatopics + kind: KafkaUser + listKind: KafkaUserList + singular: kafkauser + plural: kafkausers shortNames: - - kt + - ku categories: - strimzi scope: Namespaced 
@@ -2146,94 +2051,17 @@ spec: status: {} additionalPrinterColumns: - name: Cluster - description: The name of the Kafka cluster this topic belongs to + description: The name of the Kafka cluster this user belongs to jsonPath: .metadata.labels.strimzi\.io/cluster type: string - - name: Partitions - description: The desired number of partitions in the topic - jsonPath: .spec.partitions - type: integer - - name: Replication factor - description: The desired number of replicas of each partition - jsonPath: .spec.replicas - type: integer - - name: Ready - description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + - name: Authentication + description: How the user is authenticated + jsonPath: .spec.authentication.type type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - partitions: - type: integer - minimum: 1 - description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." - replicas: - type: integer - minimum: 1 - maximum: 32767 - description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: The topic configuration. - topicName: - type: string - description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. - description: The specification of the topic. 
- status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - topicName: - type: string - description: Topic name. - description: The status of the topic. - - name: v1beta1 - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this topic belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster + - name: Authorization + description: How the user is authorised + jsonPath: .spec.authorization.type type: string - - name: Partitions - description: The desired number of partitions in the topic - jsonPath: .spec.partitions - type: integer - - name: Replication factor - description: The desired number of replicas of each partition - jsonPath: .spec.replicas - type: integer - name: Ready description: The state of the custom resource jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" 
@@ -2245,100 +2073,164 @@ spec: spec: type: object properties: - partitions: - type: integer - minimum: 1 - description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." - replicas: - type: integer - minimum: 1 - maximum: 32767 - description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. - config: - x-kubernetes-preserve-unknown-fields: true + authentication: type: object - description: The topic configuration. - topicName: - type: string - description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. - description: The specification of the topic. - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. 
- observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - topicName: - type: string - description: Topic name. - description: The status of the topic. - - name: v1alpha1 - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this topic belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: Partitions - description: The desired number of partitions in the topic - jsonPath: .spec.partitions - type: integer - - name: Replication factor - description: The desired number of replicas of each partition - jsonPath: .spec.replicas - type: integer - - name: Ready - description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - partitions: - type: integer - minimum: 1 - description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." - replicas: - type: integer - minimum: 1 - maximum: 32767 - description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. - config: - x-kubernetes-preserve-unknown-fields: true + properties: + password: + type: object + properties: + valueFrom: + type: object + properties: + secretKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Selects a key of a Secret in the resource's namespace. + description: Secret from which the password should be read. 
+ required: + - valueFrom + description: "Specify the password for the user. If not set, a new password is generated by the User Operator." + type: + type: string + enum: + - tls + - tls-external + - scram-sha-512 + description: Authentication type. + required: + - type + description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." + authorization: type: object - description: The topic configuration. - topicName: - type: string - description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. - description: The specification of the topic. + properties: + acls: + type: array + items: + type: object + properties: + host: + type: string + description: The host from which the action described in the ACL rule is allowed or denied. + operation: + type: string + enum: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." 
+ operations: + type: array + items: + type: string + enum: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." + resource: + type: object + properties: + name: + type: string + description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. + patternType: + type: string + enum: + - literal + - prefix + description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." + type: + type: string + enum: + - topic + - group + - cluster + - transactionalId + description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." + required: + - type + description: Indicates the resource for which given ACL rule applies. + type: + type: string + enum: + - allow + - deny + description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. + required: + - resource + description: List of ACL rules which should be applied to this user. + type: + type: string + enum: + - simple + description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. + required: + - acls + - type + description: Authorization rules for this Kafka user. 
+ quotas: + type: object + properties: + consumerByteRate: + type: integer + minimum: 0 + description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. + controllerMutationRate: + type: number + minimum: 0 + description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." + producerByteRate: + type: integer + minimum: 0 + description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. + requestPercentage: + type: integer + minimum: 0 + description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. + description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. + template: + type: object + properties: + secret: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated. + description: Template to specify how Kafka User `Secrets` are generated. + description: The specification of the user. status: type: object properties: 
@@ -2366,81 +2258,31 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. - topicName: + username: type: string - description: Topic name. - description: The status of the topic. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-cluster-operator-leader-election - labels: - app: strimzi -rules: - - apiGroups: - - coordination.k8s.io - resources: - # The cluster operator needs to access and manage leases for leader election - # The "create" verb cannot be used with "resourceNames" - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - # The cluster operator needs to access and manage leases for leader election - - leases - resourceNames: - # The default RBAC files give the operator only access to the Lease resource names strimzi-cluster-operator - # If you want to use another resource name or resource namespace, you have to configure the RBAC resources accordingly - - strimzi-cluster-operator - verbs: - - get - - list - - watch - - delete - - patch - - update - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: kafkamirrormaker2s.kafka.strimzi.io - labels: - app: strimzi - strimzi.io/crd-install: "true" -spec: - group: kafka.strimzi.io - names: - kind: KafkaMirrorMaker2 - listKind: KafkaMirrorMaker2List - singular: kafkamirrormaker2 - plural: kafkamirrormaker2s - shortNames: - - kmm2 - categories: - - strimzi - scope: Namespaced - conversion: - strategy: None - versions: - - name: v1beta2 + description: Username. + secret: + type: string + description: The name of `Secret` where the credentials are stored. + description: The status of the Kafka User. 
+ - name: v1beta1 served: true - storage: true + storage: false subresources: status: {} - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - labelSelectorPath: .status.labelSelector additionalPrinterColumns: - - name: Desired replicas - description: The desired number of Kafka MirrorMaker 2 replicas - jsonPath: .spec.replicas - type: integer + - name: Cluster + description: The name of the Kafka cluster this user belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Authentication + description: How the user is authenticated + jsonPath: .spec.authentication.type + type: string + - name: Authorization + description: How the user is authorised + jsonPath: .spec.authorization.type + type: string - name: Ready description: The state of the custom resource jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" 
@@ -2452,538 +2294,371 @@ spec: spec: type: object properties: - version: - type: string - description: "The Kafka Connect version. Defaults to {DefaultKafkaVersion}. Consult the user documentation to understand the process required to upgrade or downgrade the version." - replicas: - type: integer - description: The number of pods in the Kafka Connect group. Defaults to `3`. - image: - type: string - description: The docker image for the pods. - connectCluster: - type: string - description: The cluster alias used for Kafka Connect. The value must match the alias of the *target* Kafka cluster as specified in the `spec.clusters` configuration. The target Kafka cluster is used by the underlying Kafka Connect framework for its internal topics. - clusters: - type: array - items: - type: object - properties: - alias: - type: string - pattern: "^[a-zA-Z0-9\\._\\-]{1,100}$" - description: Alias used to reference the Kafka cluster. - bootstrapServers: - type: string - description: A comma-separated list of `host:port` pairs for establishing the connection to the Kafka cluster. - tls: - type: object - properties: - trustedCertificates: - type: array - items: + authentication: + type: object + properties: + password: + type: object + properties: + valueFrom: + type: object + properties: + secretKeyRef: type: object properties: - certificate: + key: type: string - description: The name of the file certificate in the Secret. - secretName: + name: type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection. - description: TLS configuration for connecting MirrorMaker 2 connectors to a cluster. - authentication: + optional: + type: boolean + description: Selects a key of a Secret in the resource's namespace. + description: Secret from which the password should be read. + required: + - valueFrom + description: "Specify the password for the user. 
If not set, a new password is generated by the User Operator." + type: + type: string + enum: + - tls + - tls-external + - scram-sha-512 + description: Authentication type. + required: + - type + description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." + authorization: + type: object + properties: + acls: + type: array + items: type: object properties: - accessToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. - accessTokenIsJwt: - type: boolean - description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. - audience: + host: type: string - description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. 
By default, `audience` is not specified when performing the token endpoint request." - certificateAndKey: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - key: - type: string - description: The name of the private key in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - key - - secretName - description: Reference to the `Secret` which holds the certificate and private key pair. - clientId: + description: The host from which the action described in the ACL rule is allowed or denied. + operation: type: string - description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - clientSecret: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - connectTimeoutSeconds: - type: integer - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. Default value is `false`. - httpRetries: - type: integer - description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." 
- httpRetryPauseMs: - type: integer - description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." - includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - maxTokenExpirySeconds: - type: integer - description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. - passwordSecret: + enum: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." + operations: + type: array + items: + type: string + enum: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." + resource: type: object properties: - password: - type: string - description: The name of the key in the Secret under which the password is stored. - secretName: + name: type: string - description: The name of the Secret containing the password. - required: - - password - - secretName - description: Reference to the `Secret` which holds the password. - readTimeoutSeconds: - type: integer - description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." 
- refreshToken: - type: object - properties: - key: + description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. + patternType: type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: + enum: + - literal + - prefix + description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." + type: type: string - description: The name of the Kubernetes Secret containing the secret value. + enum: + - topic + - group + - cluster + - transactionalId + description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." required: - - key - - secretName - description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. - scope: - type: string - description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. - tlsTrustedCertificates: - type: array - items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: - type: string - description: Authorization server token endpoint URI. - type: + - type + description: Indicates the resource for which given ACL rule applies. 
+ type: type: string enum: - - tls - - scram-sha-256 - - scram-sha-512 - - plain - - oauth - description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." - username: - type: string - description: Username used for the authentication. + - allow + - deny + description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. required: - - type - description: Authentication configuration for connecting to the cluster. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The MirrorMaker 2 cluster config. Properties with the following prefixes cannot be set: ssl., sasl., security., listeners, plugin.path, rest., bootstrap.servers, consumer.interceptor.classes, producer.interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." - required: - - alias - - bootstrapServers - description: Kafka clusters for mirroring. - mirrors: + - resource + description: List of ACL rules which should be applied to this user. + type: + type: string + enum: + - simple + description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. + required: + - acls + - type + description: Authorization rules for this Kafka user. 
+ quotas: + type: object + properties: + consumerByteRate: + type: integer + minimum: 0 + description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. + controllerMutationRate: + type: number + minimum: 0 + description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." + producerByteRate: + type: integer + minimum: 0 + description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. + requestPercentage: + type: integer + minimum: 0 + description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. + description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. + template: + type: object + properties: + secret: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated. + description: Template to specify how Kafka User `Secrets` are generated. + description: The specification of the user. 
+ status: + type: object + properties: + conditions: type: array items: type: object properties: - sourceCluster: + type: type: string - description: The alias of the source cluster used by the Kafka MirrorMaker 2 connectors. The alias must match a cluster in the list at `spec.clusters`. - targetCluster: + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: type: string - description: The alias of the target cluster used by the Kafka MirrorMaker 2 connectors. The alias must match a cluster in the list at `spec.clusters`. - sourceConnector: + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + username: + type: string + description: Username. + secret: + type: string + description: The name of `Secret` where the credentials are stored. + description: The status of the Kafka User. 
+ - name: v1alpha1 + served: true + storage: false + subresources: + status: {} + additionalPrinterColumns: + - name: Cluster + description: The name of the Kafka cluster this user belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Authentication + description: How the user is authenticated + jsonPath: .spec.authentication.type + type: string + - name: Authorization + description: How the user is authorised + jsonPath: .spec.authorization.type + type: string + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + authentication: + type: object + properties: + password: + type: object + properties: + valueFrom: + type: object + properties: + secretKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Selects a key of a Secret in the resource's namespace. + description: Secret from which the password should be read. + required: + - valueFrom + description: "Specify the password for the user. If not set, a new password is generated by the User Operator." + type: + type: string + enum: + - tls + - tls-external + - scram-sha-512 + description: Authentication type. + required: + - type + description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. 
If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." + authorization: + type: object + properties: + acls: + type: array + items: type: object properties: - tasksMax: - type: integer - minimum: 1 - description: The maximum number of tasks for the Kafka Connector. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." - autoRestart: - type: object - properties: - enabled: - type: boolean - description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. - maxRestarts: - type: integer - description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." - description: Automatic restart of connector and tasks configuration. - pause: - type: boolean - description: Whether the connector should be paused. Defaults to false. - state: + host: type: string - enum: - - paused - - stopped - - running - description: The state the connector should be in. Defaults to running. - description: The specification of the Kafka MirrorMaker 2 source connector. - heartbeatConnector: - type: object - properties: - tasksMax: - type: integer - minimum: 1 - description: The maximum number of tasks for the Kafka Connector. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." - autoRestart: - type: object - properties: - enabled: - type: boolean - description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. 
- maxRestarts: - type: integer - description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." - description: Automatic restart of connector and tasks configuration. - pause: - type: boolean - description: Whether the connector should be paused. Defaults to false. - state: + description: The host from which the action described in the ACL rule is allowed or denied. + operation: type: string enum: - - paused - - stopped - - running - description: The state the connector should be in. Defaults to running. - description: The specification of the Kafka MirrorMaker 2 heartbeat connector. - checkpointConnector: - type: object - properties: - tasksMax: - type: integer - minimum: 1 - description: The maximum number of tasks for the Kafka Connector. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." - autoRestart: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." + operations: + type: array + items: + type: string + enum: + - Read + - Write + - Create + - Delete + - Alter + - Describe + - ClusterAction + - AlterConfigs + - DescribeConfigs + - IdempotentWrite + - All + description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." 
+ resource: type: object properties: - enabled: - type: boolean - description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. - maxRestarts: - type: integer - description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." - description: Automatic restart of connector and tasks configuration. - pause: - type: boolean - description: Whether the connector should be paused. Defaults to false. - state: + name: + type: string + description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. + patternType: + type: string + enum: + - literal + - prefix + description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." + type: + type: string + enum: + - topic + - group + - cluster + - transactionalId + description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." + required: + - type + description: Indicates the resource for which given ACL rule applies. + type: type: string enum: - - paused - - stopped - - running - description: The state the connector should be in. Defaults to running. - description: The specification of the Kafka MirrorMaker 2 checkpoint connector. - topicsPattern: - type: string - description: "A regular expression matching the topics to be mirrored, for example, \"topic1\\|topic2\\|topic3\". Comma-separated lists are also supported." - topicsBlacklistPattern: - type: string - description: A regular expression matching the topics to exclude from mirroring. 
Comma-separated lists are also supported. - topicsExcludePattern: - type: string - description: A regular expression matching the topics to exclude from mirroring. Comma-separated lists are also supported. - groupsPattern: - type: string - description: A regular expression matching the consumer groups to be mirrored. Comma-separated lists are also supported. - groupsBlacklistPattern: - type: string - description: A regular expression matching the consumer groups to exclude from mirroring. Comma-separated lists are also supported. - groupsExcludePattern: - type: string - description: A regular expression matching the consumer groups to exclude from mirroring. Comma-separated lists are also supported. - required: - - sourceCluster - - targetCluster - description: Configuration of the MirrorMaker 2 connectors. - resources: - type: object - properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: The maximum limits for CPU and memory resources and the requested initial resources. - livenessProbe: + - allow + - deny + description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. + required: + - resource + description: List of ACL rules which should be applied to this user. + type: + type: string + enum: + - simple + description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. + required: + - acls + - type + description: Authorization rules for this Kafka user. + quotas: type: object properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. 
Defaults to 3. Minimum value is 1. - initialDelaySeconds: + consumerByteRate: type: integer minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer + description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. + controllerMutationRate: + type: number minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: + description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." + producerByteRate: type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. 
Minimum value is 1. - timeoutSeconds: + minimum: 0 + description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. + requestPercentage: type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. - jvmOptions: - type: object - properties: - "-XX": - x-kubernetes-preserve-unknown-fields: true - type: object - description: A map of -XX options to the JVM. - "-Xms": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xms option to to the JVM. - "-Xmx": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xmx option to to the JVM. - gcLoggingEnabled: - type: boolean - description: Specifies whether the Garbage Collection logging is enabled. The default is false. - javaSystemProperties: - type: array - items: - type: object - properties: - name: - type: string - description: The system property name. - value: - type: string - description: The system property value. - description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for pods. - jmxOptions: - type: object - properties: - authentication: - type: object - properties: - type: - type: string - enum: - - password - description: Authentication type. Currently the only supported types are `password`.`password` type creates a username and protected port with no TLS. - required: - - type - description: Authentication configuration for connecting to the JMX port. - description: JMX Options. - logging: + minimum: 0 + description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. + description: Quotas on requests to control the broker resources used by clients. 
Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. + template: type: object properties: - loggers: - x-kubernetes-preserve-unknown-fields: true - type: object - description: A Map from logger name to logger level. - type: - type: string - enum: - - inline - - external - description: "Logging type, must be either 'inline' or 'external'." - valueFrom: + secret: type: object properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: '`ConfigMap` entry where the logging configuration is stored. ' - required: - - type - description: Logging configuration for Kafka Connect. - clientRackInitImage: - type: string - description: The image of the init container used for initializing the `client.rack`. - rack: - type: object - properties: - topologyKey: - type: string - example: topology.kubernetes.io/zone - description: "A key that matches labels assigned to the Kubernetes cluster nodes. The value of the label is used to set a broker's `broker.rack` config, and the `client.rack` config for Kafka Connect or MirrorMaker 2." - required: - - topologyKey - description: Configuration of the node label which will be used as the `client.rack` consumer configuration. - tracing: - type: object - properties: - type: - type: string - enum: - - jaeger - - opentelemetry - description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." - required: - - type - description: The configuration of tracing in Kafka Connect. 
- template: - type: object - properties: - deployment: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - deploymentStrategy: - type: string - enum: - - RollingUpdate - - Recreate - description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Kafka Connect `Deployment`. - podSet: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka Connect `StrimziPodSet` resource. - pod: - type: object - properties: - metadata: + metadata: type: object properties: labels: 
@@ -2995,1411 +2670,769 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - imagePullSecrets: - type: array - items: - type: object - properties: - name: - type: string - description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." - securityContext: - type: object - properties: - fsGroup: - type: integer - fsGroupChangePolicy: - type: string - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - supplementalGroups: - type: array - items: - type: integer - sysctls: - type: array - items: - type: object - properties: - name: - type: string - value: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Configures pod-level security attributes and common container settings. - terminationGracePeriodSeconds: - type: integer - minimum: 0 - description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. 
You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." - affinity: - type: object - properties: - nodeAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - preference: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: object - properties: - nodeSelectorTerms: - type: array - items: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - podAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - podAffinityTerm: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - 
matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - podAntiAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - podAffinityTerm: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - 
matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - description: The pod's affinity rules. - tolerations: - type: array - items: - type: object - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - type: integer - value: - type: string - description: The pod's tolerations. - priorityClassName: - type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." - schedulerName: - type: string - description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." - hostAliases: - type: array - items: - type: object - properties: - hostnames: - type: array - items: - type: string - ip: - type: string - description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. - tmpDirSizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. - enableServiceLinks: - type: boolean - description: Indicates whether information about services should be injected into Pod's environment variables. 
- topologySpreadConstraints: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - matchLabelKeys: - type: array - items: - type: string - maxSkew: - type: integer - minDomains: - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - description: The pod's topology spread constraints. - description: Template for Kafka Connect `Pods`. - apiService: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: - type: array - items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." 
- description: Template for Kafka Connect API `Service`. - headlessService: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: - type: array - items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for Kafka Connect headless `Service`. - connectContainer: - type: object - properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. 
- securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Kafka Connect container. - initContainer: - type: object - properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. 
- securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Kafka init container. - podDisruptionBudget: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - maxUnavailable: - type: integer - minimum: 0 - description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for Kafka Connect `PodDisruptionBudget`. 
- serviceAccount: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Connect service account. - clusterRoleBinding: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Connect ClusterRoleBinding. - buildPod: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - imagePullSecrets: - type: array - items: - type: object - properties: - name: - type: string - description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." 
- securityContext: - type: object - properties: - fsGroup: - type: integer - fsGroupChangePolicy: - type: string - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - supplementalGroups: - type: array - items: - type: integer - sysctls: - type: array - items: - type: object - properties: - name: - type: string - value: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Configures pod-level security attributes and common container settings. - terminationGracePeriodSeconds: - type: integer - minimum: 0 - description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." 
- affinity: - type: object - properties: - nodeAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - preference: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: object - properties: - nodeSelectorTerms: - type: array - items: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - podAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - podAffinityTerm: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - weight: - type: integer - 
requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - podAntiAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - podAffinityTerm: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - 
x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: - type: string - topologyKey: - type: string - description: The pod's affinity rules. - tolerations: - type: array - items: - type: object - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - type: integer - value: - type: string - description: The pod's tolerations. - priorityClassName: - type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." - schedulerName: - type: string - description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." - hostAliases: - type: array - items: - type: object - properties: - hostnames: - type: array - items: - type: string - ip: - type: string - description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. - tmpDirSizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. - enableServiceLinks: - type: boolean - description: Indicates whether information about services should be injected into Pod's environment variables. 
- topologySpreadConstraints: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - matchLabelKeys: - type: array - items: - type: string - maxSkew: - type: integer - minDomains: - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - description: The pod's topology spread constraints. - description: Template for Kafka Connect Build `Pods`. The build pod is used only on Kubernetes. - buildContainer: - type: object - properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. 
- securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Kafka Connect Build container. The build container is used only on Kubernetes. - buildConfig: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - pullSecret: - type: string - description: Container Registry Secret with the credentials for pulling the base image. - description: Template for the Kafka Connect BuildConfig used to build new container images. The BuildConfig is used only on OpenShift. - buildServiceAccount: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. 
- annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Connect Build service account. - jmxSecret: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Secret of the Kafka Connect Cluster JMX authentication. - description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Deployment`, `Pods` and `Service` are generated." - externalConfiguration: + description: Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated. + description: Template to specify how Kafka User `Secrets` are generated. + description: The specification of the user. + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: + type: string + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. 
+ description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + username: + type: string + description: Username. + secret: + type: string + description: The name of `Secret` where the credentials are stored. + description: The status of the Kafka User. + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-cluster-operator-namespaced + labels: + app: strimzi +rules: + # Resources in this role are used by the operator based on an operand being deployed in some namespace. When needed, you + # can deploy the operator as a cluster-wide operator. But grant the rights listed in this role only on the namespaces + # where the operands will be deployed. That way, you can limit the access the operator has to other namespaces where it + # does not manage any clusters. + - apiGroups: + - "rbac.authorization.k8s.io" + resources: + # The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions + - rolebindings + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - "rbac.authorization.k8s.io" + resources: + # The cluster operator needs to access and manage roles to grant the entity operator permissions + - roles + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - "" + resources: + # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates + - pods + # The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions + - serviceaccounts + # The cluster operator needs to access and manage config maps for Strimzi components configuration + - configmaps + # The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic + - services + - 
endpoints + # The cluster operator needs to access and manage secrets to handle credentials + - secrets + # The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data + - persistentvolumeclaims + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - "apps" + resources: + # The cluster operator needs to access and manage deployments to run deployment based Strimzi components + - deployments + # The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components + - statefulsets + # The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states + - replicasets + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - "apps" + resources: + # The Cluster Operator needs to scale Deployments while migrating Connect and Mirror Maker 2 clusters from Deployments to StrimziPodSets + - deployments/scale + verbs: + - get + - patch + - update + - apiGroups: + - "" # legacy core events api, used by topic operator + - "events.k8s.io" # new events api, used by cluster operator + resources: + # The cluster operator needs to be able to create events and delegate permissions to do so + - events + verbs: + - create + - apiGroups: + # Kafka Connect Build on OpenShift requirement + - build.openshift.io + resources: + - buildconfigs + - buildconfigs/instantiate + - builds + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components + - networkpolicies + # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster + - ingresses + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - 
apiGroups: + - route.openshift.io + resources: + # The cluster operator needs to access and manage routes to expose Strimzi components for external access + - routes + - routes/custom-host + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - image.openshift.io + resources: + # The cluster operator needs to verify the image stream when used for Kafka Connect image build + - imagestreams + verbs: + - get + - apiGroups: + - policy + resources: + # The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions + # that a Strimzi component experiences, allowing for higher availability + - poddisruptionbudgets + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: strimzi-cluster-operator-watched + labels: + app: strimzi +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-cluster-operator-watched + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kafkaconnectors.kafka.strimzi.io + labels: + app: strimzi + strimzi.io/crd-install: "true" +spec: + group: kafka.strimzi.io + names: + kind: KafkaConnector + listKind: KafkaConnectorList + singular: kafkaconnector + plural: kafkaconnectors + shortNames: + - kctr + categories: + - strimzi + scope: Namespaced + conversion: + strategy: None + versions: + - name: v1beta2 + served: true + storage: true + subresources: + status: {} + scale: + specReplicasPath: .spec.tasksMax + statusReplicasPath: .status.tasksMax + additionalPrinterColumns: + - name: Cluster + description: The name of the Kafka Connect cluster this connector belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Connector class + description: The class used by this 
connector + jsonPath: .spec.class + type: string + - name: Max Tasks + description: Maximum number of tasks + jsonPath: .spec.tasksMax + type: integer + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + class: + type: string + description: The Class for the Kafka Connector. + tasksMax: + type: integer + minimum: 1 + description: The maximum number of tasks for the Kafka Connector. + autoRestart: + type: object + properties: + enabled: + type: boolean + description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. + maxRestarts: + type: integer + description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." + description: Automatic restart of connector and tasks configuration. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." + pause: + type: boolean + description: Whether the connector should be paused. Defaults to false. + state: + type: string + enum: + - paused + - stopped + - running + description: The state the connector should be in. Defaults to running. + description: The specification of the Kafka Connector. + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: + type: string + description: "The status of the condition, either True, False or Unknown." 
+ lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + autoRestart: + type: object + properties: + count: + type: integer + description: The number of times the connector or task is restarted. + connectorName: + type: string + description: The name of the connector being restarted. + lastRestartTimestamp: + type: string + description: The last time the automatic restart was attempted. The required format is 'yyyy-MM-ddTHH:mm:ssZ' in the UTC time zone. + description: The auto restart status. + connectorStatus: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The connector status, as reported by the Kafka Connect REST API." + tasksMax: + type: integer + description: The maximum number of tasks for the Kafka Connector. + topics: + type: array + items: + type: string + description: The list of topics used by the Kafka Connector. + description: The status of the Kafka Connector. 
+ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: strimzi-cluster-operator + labels: + app: strimzi +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-cluster-operator-namespaced + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kafkatopics.kafka.strimzi.io + labels: + app: strimzi + strimzi.io/crd-install: "true" +spec: + group: kafka.strimzi.io + names: + kind: KafkaTopic + listKind: KafkaTopicList + singular: kafkatopic + plural: kafkatopics + shortNames: + - kt + categories: + - strimzi + scope: Namespaced + conversion: + strategy: None + versions: + - name: v1beta2 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Cluster + description: The name of the Kafka cluster this topic belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Partitions + description: The desired number of partitions in the topic + jsonPath: .spec.partitions + type: integer + - name: Replication factor + description: The desired number of replicas of each partition + jsonPath: .spec.replicas + type: integer + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partitions: + type: integer + minimum: 1 + description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." 
+ replicas: + type: integer + minimum: 1 + maximum: 32767 + description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: The topic configuration. + topicName: + type: string + description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. + description: The specification of the topic. + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: + type: string + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + topicName: + type: string + description: Topic name. + description: The status of the topic. 
+ - name: v1beta1 + served: true + storage: false + subresources: + status: {} + additionalPrinterColumns: + - name: Cluster + description: The name of the Kafka cluster this topic belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Partitions + description: The desired number of partitions in the topic + jsonPath: .spec.partitions + type: integer + - name: Replication factor + description: The desired number of replicas of each partition + jsonPath: .spec.replicas + type: integer + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partitions: + type: integer + minimum: 1 + description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." + replicas: + type: integer + minimum: 1 + maximum: 32767 + description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: The topic configuration. + topicName: + type: string + description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. + description: The specification of the topic. + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." 
+ status: + type: string + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + topicName: + type: string + description: Topic name. + description: The status of the topic. + - name: v1alpha1 + served: true + storage: false + subresources: + status: {} + additionalPrinterColumns: + - name: Cluster + description: The name of the Kafka cluster this topic belongs to + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: Partitions + description: The desired number of partitions in the topic + jsonPath: .spec.partitions + type: integer + - name: Replication factor + description: The desired number of replicas of each partition + jsonPath: .spec.replicas + type: integer + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partitions: + type: integer + minimum: 1 + description: "The number of partitions the topic should have. This cannot be decreased after topic creation. It can be increased after topic creation, but it is important to understand the consequences that has, especially for topics with semantic partitioning. When absent this will default to the broker configuration for `num.partitions`." 
+ replicas: + type: integer + minimum: 1 + maximum: 32767 + description: The number of replicas the topic should have. When absent this will default to the broker configuration for `default.replication.factor`. + config: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: Name of the environment variable which will be passed to the Kafka Connect pods. The name of the environment variable cannot start with `KAFKA_` or `STRIMZI_`. - valueFrom: - type: object - properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to a key in a ConfigMap. - secretKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to a key in a Secret. - description: Value of the environment variable which will be passed to the Kafka Connect pods. It can be passed either as a reference to Secret or ConfigMap field. The field has to specify exactly one Secret or ConfigMap. - required: - - name - - valueFrom - description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as environment variables. - volumes: - type: array - items: - type: object - properties: - configMap: - type: object - properties: - defaultMode: - type: integer - items: - type: array - items: - type: object - properties: - key: - type: string - mode: - type: integer - path: - type: string - name: - type: string - optional: - type: boolean - description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified. - name: - type: string - description: Name of the volume which will be added to the Kafka Connect pods. 
- secret: - type: object - properties: - defaultMode: - type: integer - items: - type: array - items: - type: object - properties: - key: - type: string - mode: - type: integer - path: - type: string - optional: - type: boolean - secretName: - type: string - description: Reference to a key in a Secret. Exactly one Secret or ConfigMap has to be specified. - required: - - name - description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as volumes. - description: Pass data from Secrets or ConfigMaps to the Kafka Connect pods and use them to configure connectors. - metricsConfig: + description: The topic configuration. + topicName: + type: string + description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name. + description: The specification of the topic. + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: + type: string + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + topicName: + type: string + description: Topic name. + description: The status of the topic. 
+ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: strimzi-cluster-operator-kafka-client-delegation + labels: + app: strimzi +# The Kafka clients cluster role must be bound to the cluster operator service account so that it can delegate the +# cluster role to the Kafka clients using it for consuming from closest replica. +# This must be done to avoid escalating privileges which would be blocked by Kubernetes. +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-kafka-client + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: strimzi-cluster-operator-kafka-broker-delegation + labels: + app: strimzi +# The Kafka broker cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Kafka brokers. +# This must be done to avoid escalating privileges which would be blocked by Kubernetes. 
+subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-kafka-broker + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: strimzi-cluster-operator-leader-election + labels: + app: strimzi +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-cluster-operator-leader-election + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: strimzipodsets.core.strimzi.io + labels: + app: strimzi + strimzi.io/crd-install: "true" +spec: + group: core.strimzi.io + names: + kind: StrimziPodSet + listKind: StrimziPodSetList + singular: strimzipodset + plural: strimzipodsets + shortNames: + - sps + categories: + - strimzi + scope: Namespaced + conversion: + strategy: None + versions: + - name: v1beta2 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Pods + description: Number of pods managed by the StrimziPodSet + jsonPath: .status.pods + type: integer + - name: Ready Pods + description: Number of ready pods managed by the StrimziPodSet + jsonPath: .status.readyPods + type: integer + - name: Current Pods + description: Number of up-to-date pods managed by the StrimziPodSet + jsonPath: .status.currentPods + type: integer + - name: Age + description: Age of the StrimziPodSet + jsonPath: .metadata.creationTimestamp + type: date + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + selector: type: object properties: - type: - type: string - enum: - - jmxPrometheusExporter - description: Metrics type. Only 'jmxPrometheusExporter' supported currently. 
- valueFrom: - type: object - properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." - required: - - type - - valueFrom - description: Metrics configuration. + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Selector is a label query which matches all the pods managed by this `StrimziPodSet`. Only `matchLabels` is supported. If `matchExpressions` is set, it will be ignored." + pods: + type: array + items: + x-kubernetes-preserve-unknown-fields: true + type: object + description: The Pods managed by this StrimziPodSet. required: - - connectCluster - description: The specification of the Kafka MirrorMaker 2 cluster. + - selector + - pods + description: The specification of the StrimziPodSet. status: type: object properties: 
@@ -4427,128 +3460,34 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. - url: - type: string - description: The URL of the REST API endpoint for managing and monitoring Kafka Connect connectors. - autoRestartStatuses: - type: array - items: - type: object - properties: - count: - type: integer - description: The number of times the connector or task is restarted. - connectorName: - type: string - description: The name of the connector being restarted. - lastRestartTimestamp: - type: string - description: The last time the automatic restart was attempted. The required format is 'yyyy-MM-ddTHH:mm:ssZ' in the UTC time zone. - description: List of MirrorMaker 2 connector auto restart statuses. - connectorPlugins: - type: array - items: - type: object - properties: - type: - type: string - description: The type of the connector plugin. The available types are `sink` and `source`. - version: - type: string - description: The version of the connector plugin. - class: - type: string - description: The class of the connector plugin. - description: The list of connector plugins available in this Kafka Connect deployment. - connectors: - type: array - items: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "List of MirrorMaker 2 connector statuses, as reported by the Kafka Connect REST API." - labelSelector: - type: string - description: Label selector for pods providing this resource. - replicas: + pods: type: integer - description: The current number of pods being used to provide this resource. - description: The status of the Kafka MirrorMaker 2 cluster. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: strimzi-cluster-operator-entity-operator-delegation - labels: - app: strimzi -# The Entity Operator cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Entity Operator. 
-# This must be done to avoid escalating privileges which would be blocked by Kubernetes. -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-entity-operator - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-cluster-operator-global - labels: - app: strimzi -rules: - - apiGroups: - - "rbac.authorization.k8s.io" - resources: - # The cluster operator needs to create and manage cluster role bindings in the case of an install where a user - # has specified they want their cluster role bindings generated - - clusterrolebindings - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - storage.k8s.io - resources: - # The cluster operator requires "get" permissions to view storage class details - # This is because only a persistent volume of a supported storage class type can be resized - - storageclasses - verbs: - - get - - apiGroups: - - "" - resources: - # The cluster operator requires "list" permissions to view all nodes in a cluster - # The listing is used to determine the node addresses when NodePort access is configured - # These addresses are then exposed in the custom resource states - - nodes - verbs: - - list + description: Number of pods managed by this `StrimziPodSet` resource. + readyPods: + type: integer + description: Number of pods managed by this `StrimziPodSet` resource that are ready. + currentPods: + type: integer + description: Number of pods managed by this `StrimziPodSet` resource that have the current revision. + description: The status of the StrimziPodSet. 
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: kafkabridges.kafka.strimzi.io + name: kafkamirrormaker2s.kafka.strimzi.io labels: app: strimzi strimzi.io/crd-install: "true" spec: group: kafka.strimzi.io names: - kind: KafkaBridge - listKind: KafkaBridgeList - singular: kafkabridge - plural: kafkabridges + kind: KafkaMirrorMaker2 + listKind: KafkaMirrorMaker2List + singular: kafkamirrormaker2 + plural: kafkamirrormaker2s shortNames: - - kb + - kmm2 categories: - strimzi scope: Namespaced @@ -4566,14 +3505,9 @@ spec: labelSelectorPath: .status.labelSelector additionalPrinterColumns: - name: Desired replicas - description: The desired number of Kafka Bridge replicas + description: The desired number of Kafka MirrorMaker 2 replicas jsonPath: .spec.replicas type: integer - - name: Bootstrap Servers - description: The boostrap servers - jsonPath: .spec.bootstrapServers - type: string - priority: 1 - name: Ready description: The state of the custom resource jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" 
@@ -4585,225 +3519,327 @@ spec: spec: type: object properties: + version: + type: string + description: The Kafka Connect version. Defaults to the latest version. Consult the user documentation to understand the process required to upgrade or downgrade the version. replicas: type: integer - minimum: 0 - description: The number of pods in the `Deployment`. Defaults to `1`. + description: The number of pods in the Kafka Connect group. Defaults to `3`. image: type: string - description: The docker image for the pods. - bootstrapServers: + description: "The container image used for Kafka Connect pods. If no image name is explicitly specified, it is determined based on the `spec.version` configuration. The image names are specifically mapped to corresponding versions in the Cluster Operator configuration." + connectCluster: type: string - description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. - tls: - type: object - properties: - trustedCertificates: - type: array - items: + description: The cluster alias used for Kafka Connect. The value must match the alias of the *target* Kafka cluster as specified in the `spec.clusters` configuration. The target Kafka cluster is used by the underlying Kafka Connect framework for its internal topics. + clusters: + type: array + items: + type: object + properties: + alias: + type: string + pattern: "^[a-zA-Z0-9\\._\\-]{1,100}$" + description: Alias used to reference the Kafka cluster. + bootstrapServers: + type: string + description: A comma-separated list of `host:port` pairs for establishing the connection to the Kafka cluster. + tls: type: object properties: - certificate: + trustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. 
+ required: + - certificate + - secretName + description: Trusted certificates for TLS connection. + description: TLS configuration for connecting MirrorMaker 2 connectors to a cluster. + authentication: + type: object + properties: + accessToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. + accessTokenIsJwt: + type: boolean + description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. + audience: type: string - description: The name of the file certificate in the Secret. - secretName: + description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." + certificateAndKey: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + key: + type: string + description: The name of the private key in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - key + - secretName + description: Reference to the `Secret` which holds the certificate and private key pair. + clientId: type: string - description: The name of the Secret containing the certificate. + description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. 
+ clientSecret: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + connectTimeoutSeconds: + type: integer + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. Default value is `false`. + httpRetries: + type: integer + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + httpRetryPauseMs: + type: integer + description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + maxTokenExpirySeconds: + type: integer + description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. + passwordSecret: + type: object + properties: + password: + type: string + description: The name of the key in the Secret under which the password is stored. + secretName: + type: string + description: The name of the Secret containing the password. 
+ required: + - password + - secretName + description: Reference to the `Secret` which holds the password. + readTimeoutSeconds: + type: integer + description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." + refreshToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. + scope: + type: string + description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. + tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: Authorization server token endpoint URI. + type: + type: string + enum: + - tls + - scram-sha-256 + - scram-sha-512 + - plain + - oauth + description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. 
The `tls` type is supported only over TLS connections." + username: + type: string + description: Username used for the authentication. required: - - certificate - - secretName - description: Trusted certificates for TLS connection. - description: TLS configuration for connecting Kafka Bridge to the cluster. - authentication: - type: object - properties: - accessToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. - accessTokenIsJwt: - type: boolean - description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. - audience: - type: string - description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." - certificateAndKey: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - key: - type: string - description: The name of the private key in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - key - - secretName - description: Reference to the `Secret` which holds the certificate and private key pair. - clientId: - type: string - description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. 
- clientSecret: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - connectTimeoutSeconds: - type: integer - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. Default value is `false`. - httpRetries: - type: integer - description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." - httpRetryPauseMs: - type: integer - description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." - includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - maxTokenExpirySeconds: - type: integer - description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. - passwordSecret: - type: object - properties: - password: - type: string - description: The name of the key in the Secret under which the password is stored. - secretName: - type: string - description: The name of the Secret containing the password. 
- required: - - password - - secretName - description: Reference to the `Secret` which holds the password. - readTimeoutSeconds: - type: integer - description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." - refreshToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. - scope: - type: string - description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. - tlsTrustedCertificates: - type: array - items: + - type + description: Authentication configuration for connecting to the cluster. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The MirrorMaker 2 cluster config. Properties with the following prefixes cannot be set: ssl., sasl., security., listeners, plugin.path, rest., bootstrap.servers, consumer.interceptor.classes, producer.interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." + required: + - alias + - bootstrapServers + description: Kafka clusters for mirroring. + mirrors: + type: array + items: + type: object + properties: + sourceCluster: + type: string + description: The alias of the source cluster used by the Kafka MirrorMaker 2 connectors. The alias must match a cluster in the list at `spec.clusters`. 
+ targetCluster: + type: string + description: The alias of the target cluster used by the Kafka MirrorMaker 2 connectors. The alias must match a cluster in the list at `spec.clusters`. + sourceConnector: type: object properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: + tasksMax: + type: integer + minimum: 1 + description: The maximum number of tasks for the Kafka Connector. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." + autoRestart: + type: object + properties: + enabled: + type: boolean + description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. + maxRestarts: + type: integer + description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." + description: Automatic restart of connector and tasks configuration. + pause: + type: boolean + description: Whether the connector should be paused. Defaults to false. + state: type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: - type: string - description: Authorization server token endpoint URI. - type: - type: string - enum: - - tls - - scram-sha-256 - - scram-sha-512 - - plain - - oauth - description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. 
The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." - username: - type: string - description: Username used for the authentication. - required: - - type - description: Authentication configuration for connecting to the cluster. - http: - type: object - properties: - port: - type: integer - minimum: 1023 - description: The port which is the server listening on. - cors: - type: object - properties: - allowedOrigins: - type: array - items: + enum: + - paused + - stopped + - running + description: The state the connector should be in. Defaults to running. + description: The specification of the Kafka MirrorMaker 2 source connector. + heartbeatConnector: + type: object + properties: + tasksMax: + type: integer + minimum: 1 + description: The maximum number of tasks for the Kafka Connector. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." + autoRestart: + type: object + properties: + enabled: + type: boolean + description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. + maxRestarts: + type: integer + description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." + description: Automatic restart of connector and tasks configuration. + pause: + type: boolean + description: Whether the connector should be paused. Defaults to false. + state: type: string - description: List of allowed origins. Java regular expressions can be used. - allowedMethods: - type: array - items: + enum: + - paused + - stopped + - running + description: The state the connector should be in. Defaults to running. + description: The specification of the Kafka MirrorMaker 2 heartbeat connector. 
+ checkpointConnector: + type: object + properties: + tasksMax: + type: integer + minimum: 1 + description: The maximum number of tasks for the Kafka Connector. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." + autoRestart: + type: object + properties: + enabled: + type: boolean + description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. + maxRestarts: + type: integer + description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." + description: Automatic restart of connector and tasks configuration. + pause: + type: boolean + description: Whether the connector should be paused. Defaults to false. + state: type: string - description: List of allowed HTTP methods. - required: - - allowedOrigins - - allowedMethods - description: CORS configuration for the HTTP Bridge. - description: The HTTP related configuration. - adminClient: - type: object - properties: - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: The Kafka AdminClient configuration used for AdminClient instances created by the bridge. - description: Kafka AdminClient related configuration. - consumer: - type: object - properties: - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka consumer configuration used for consumer instances created by the bridge. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security. (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." - description: Kafka consumer related configuration. 
- producer: - type: object - properties: - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka producer configuration used for producer instances created by the bridge. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, sasl., security. (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." - description: Kafka producer related configuration. + enum: + - paused + - stopped + - running + description: The state the connector should be in. Defaults to running. + description: The specification of the Kafka MirrorMaker 2 checkpoint connector. + topicsPattern: + type: string + description: "A regular expression matching the topics to be mirrored, for example, \"topic1\\|topic2\\|topic3\". Comma-separated lists are also supported." + topicsBlacklistPattern: + type: string + description: A regular expression matching the topics to exclude from mirroring. Comma-separated lists are also supported. + topicsExcludePattern: + type: string + description: A regular expression matching the topics to exclude from mirroring. Comma-separated lists are also supported. + groupsPattern: + type: string + description: A regular expression matching the consumer groups to be mirrored. Comma-separated lists are also supported. + groupsBlacklistPattern: + type: string + description: A regular expression matching the consumer groups to exclude from mirroring. Comma-separated lists are also supported. + groupsExcludePattern: + type: string + description: A regular expression matching the consumer groups to exclude from mirroring. Comma-separated lists are also supported. + required: + - sourceCluster + - targetCluster + description: Configuration of the MirrorMaker 2 connectors. resources: type: object properties: 
@@ -4820,7 +3856,55 @@ spec: requests: x-kubernetes-preserve-unknown-fields: true type: object - description: CPU and memory resources to reserve. + description: The maximum limits for CPU and memory resources and the requested initial resources. + livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. 
+ timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. jvmOptions: type: object properties: @@ -4851,7 +3935,22 @@ spec: type: string description: The system property value. description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: '**Currently not supported** JVM Options for pods.' + description: JVM Options for pods. + jmxOptions: + type: object + properties: + authentication: + type: object + properties: + type: + type: string + enum: + - password + description: Authentication type. Currently the only supported types are `password`.`password` type creates a username and protected port with no TLS. + required: + - type + description: Authentication configuration for connecting to the JMX port. + description: JMX Options. logging: type: object properties: @@ -4881,7 +3980,7 @@ spec: description: '`ConfigMap` entry where the logging configuration is stored. ' required: - type - description: Logging configuration for Kafka Bridge. + description: Logging configuration for Kafka Connect. clientRackInitImage: type: string description: The image of the init container used for initializing the `client.rack`. 
@@ -4894,58 +3993,19 @@ spec: description: "A key that matches labels assigned to the Kubernetes cluster nodes. The value of the label is used to set a broker's `broker.rack` config, and the `client.rack` config for Kafka Connect or MirrorMaker 2." required: - topologyKey - description: Configuration of the node label which will be used as the client.rack consumer configuration. - enableMetrics: - type: boolean - description: Enable the metrics for the Kafka Bridge. Default is false. - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - readinessProbe: + description: Configuration of the node label which will be used as the `client.rack` consumer configuration. + tracing: type: object properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. 
- periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. + type: + type: string + enum: + - jaeger + - opentelemetry + description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." + required: + - type + description: The configuration of tracing in Kafka Connect. template: type: object properties: @@ -4970,7 +4030,23 @@ spec: - RollingUpdate - Recreate description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Kafka Bridge `Deployment`. + description: Template for Kafka Connect `Deployment`. + podSet: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka Connect `StrimziPodSet` resource. pod: type: object properties: 
@@ -5361,7 +4437,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." @@ -5425,7 +4501,7 @@ spec: whenUnsatisfiable: type: string description: The pod's topology spread constraints. - description: Template for Kafka Bridge `Pods`. + description: Template for Kafka Connect `Pods`. apiService: type: object properties: @@ -5456,8 +4532,8 @@ spec: - IPv4 - IPv6 description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for Kafka Bridge API `Service`. - podDisruptionBudget: + description: Template for Kafka Connect API `Service`. + headlessService: type: object properties: metadata: 
@@ -5471,13 +4547,24 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - maxUnavailable: - type: integer - minimum: 0 - description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for Kafka Bridge `PodDisruptionBudget`. - bridgeContainer: + description: Metadata applied to the resource. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: + type: string + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + description: Template for Kafka Connect headless `Service`. + connectContainer: type: object properties: env: 
@@ -5550,39 +4637,7 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for the Kafka Bridge container. - clusterRoleBinding: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Bridge ClusterRoleBinding. - serviceAccount: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Bridge service account. + description: Template for the Kafka Connect container. initContainer: type: object properties: 
@@ -5618,8 +4673,127 @@ spec: type: boolean procMount: type: string - readOnlyRootFilesystem: - type: boolean + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka init container. + podDisruptionBudget: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. + maxUnavailable: + type: integer + minimum: 0 + description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." + description: Template for Kafka Connect `PodDisruptionBudget`. + serviceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. 
+ description: Metadata applied to the resource. + description: Template for the Kafka Connect service account. + clusterRoleBinding: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka Connect ClusterRoleBinding. + buildPod: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + imagePullSecrets: + type: array + items: + type: object + properties: + name: + type: string + description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." + securityContext: + type: object + properties: + fsGroup: + type: integer + fsGroupChangePolicy: + type: string runAsGroup: type: integer runAsNonRoot: @@ -5644,6 +4818,19 @@ spec: type: string type: type: string + supplementalGroups: + type: array + items: + type: integer + sysctls: + type: array + items: + type: object + properties: + name: + type: string + value: + type: string windowsOptions: type: object properties: 
@@ -5655,756 +4842,631 @@ spec: type: boolean runAsUserName: type: string - description: Security context for the container. - description: Template for the Kafka Bridge init container. - description: Template for Kafka Bridge resources. The template allows users to specify how a `Deployment` and `Pod` is generated. - tracing: - type: object - properties: - type: - type: string - enum: - - jaeger - - opentelemetry - description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." - required: - - type - description: The configuration of tracing in Kafka Bridge. - required: - - bootstrapServers - description: The specification of the Kafka Bridge. - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - url: - type: string - description: The URL at which external client applications can access the Kafka Bridge. - labelSelector: - type: string - description: Label selector for pods providing this resource. 
- replicas: - type: integer - description: The current number of pods being used to provide this resource. - description: The status of the Kafka Bridge. - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: strimzi-cluster-operator - labels: - app: strimzi - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: strimzi-cluster-operator - labels: - app: strimzi -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-cluster-operator-global - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-kafka-client - labels: - app: strimzi -rules: - - apiGroups: - - "" - resources: - # The Kafka clients (Connect, Mirror Maker, etc.) require "get" permissions to view the node they are on - # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest - # replicas when enabled - - nodes - verbs: - - get - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: kafkausers.kafka.strimzi.io - labels: - app: strimzi - strimzi.io/crd-install: "true" -spec: - group: kafka.strimzi.io - names: - kind: KafkaUser - listKind: KafkaUserList - singular: kafkauser - plural: kafkausers - shortNames: - - ku - categories: - - strimzi - scope: Namespaced - conversion: - strategy: None - versions: - - name: v1beta2 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this user belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: Authentication - description: How the user is authenticated - jsonPath: .spec.authentication.type - type: string - - name: Authorization - description: How the user is authorised - jsonPath: .spec.authorization.type - type: string - - name: Ready - 
description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - authentication: - type: object - properties: - password: - type: object - properties: - valueFrom: + description: Configures pod-level security attributes and common container settings. + terminationGracePeriodSeconds: + type: integer + minimum: 0 + description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." 
+ affinity: type: object properties: - secretKeyRef: + nodeAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + preference: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: object + properties: + nodeSelectorTerms: + type: array + items: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + podAffinity: type: object properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Selects a key of a Secret in the resource's namespace. - description: Secret from which the password should be read. - required: - - valueFrom - description: "Specify the password for the user. If not set, a new password is generated by the User Operator." - type: - type: string - enum: - - tls - - tls-external - - scram-sha-512 - description: Authentication type. - required: - - type - description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. 
But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." - authorization: - type: object - properties: - acls: - type: array - items: - type: object - properties: - host: - type: string - description: The host from which the action described in the ACL rule is allowed or denied. - operation: - type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." - operations: - type: array - items: - type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." 
- resource: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + podAntiAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: 
+ type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + description: The pod's affinity rules. + tolerations: + type: array + items: type: object properties: - name: - type: string - description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. - patternType: - type: string - enum: - - literal - - prefix - description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." 
- type: + effect: type: string - enum: - - topic - - group - - cluster - - transactionalId - description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." - required: - - type - description: Indicates the resource for which given ACL rule applies. - type: - type: string - enum: - - allow - - deny - description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. - required: - - resource - description: List of ACL rules which should be applied to this user. - type: - type: string - enum: - - simple - description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. - required: - - acls - - type - description: Authorization rules for this Kafka user. - quotas: - type: object - properties: - consumerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. - controllerMutationRate: - type: number - minimum: 0 - description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." - producerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. - requestPercentage: - type: integer - minimum: 0 - description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. - description: Quotas on requests to control the broker resources used by clients. 
Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. - template: - type: object - properties: - secret: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated. - description: Template to specify how Kafka User `Secrets` are generated. - description: The specification of the user. - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - username: - type: string - description: Username. - secret: - type: string - description: The name of `Secret` where the credentials are stored. 
- description: The status of the Kafka User. - - name: v1beta1 - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this user belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: Authentication - description: How the user is authenticated - jsonPath: .spec.authentication.type - type: string - - name: Authorization - description: How the user is authorised - jsonPath: .spec.authorization.type - type: string - - name: Ready - description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - authentication: - type: object - properties: - password: - type: object - properties: - valueFrom: - type: object - properties: - secretKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Selects a key of a Secret in the resource's namespace. - description: Secret from which the password should be read. - required: - - valueFrom - description: "Specify the password for the user. If not set, a new password is generated by the User Operator." - type: - type: string - enum: - - tls - - tls-external - - scram-sha-512 - description: Authentication type. - required: - - type - description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. 
But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." - authorization: - type: object - properties: - acls: - type: array - items: - type: object - properties: - host: - type: string - description: The host from which the action described in the ACL rule is allowed or denied. - operation: - type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." - operations: - type: array - items: - type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." - resource: + key: + type: string + operator: + type: string + tolerationSeconds: + type: integer + value: + type: string + description: The pod's tolerations. + priorityClassName: + type: string + description: 'The name of the priority class used to assign priority to the pods. ' + schedulerName: + type: string + description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." 
+ hostAliases: + type: array + items: type: object properties: - name: + hostnames: + type: array + items: + type: string + ip: type: string - description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. - patternType: + description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. + tmpDirSizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. + enableServiceLinks: + type: boolean + description: Indicates whether information about services should be injected into Pod's environment variables. + topologySpreadConstraints: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + matchLabelKeys: + type: array + items: + type: string + maxSkew: + type: integer + minDomains: + type: integer + nodeAffinityPolicy: type: string - enum: - - literal - - prefix - description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." - type: + nodeTaintsPolicy: type: string - enum: - - topic - - group - - cluster - - transactionalId - description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." - required: - - type - description: Indicates the resource for which given ACL rule applies. 
- type: - type: string - enum: - - allow - - deny - description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. - required: - - resource - description: List of ACL rules which should be applied to this user. - type: - type: string - enum: - - simple - description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. - required: - - acls - - type - description: Authorization rules for this Kafka user. - quotas: - type: object - properties: - consumerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. - controllerMutationRate: - type: number - minimum: 0 - description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." - producerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. - requestPercentage: - type: integer - minimum: 0 - description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. - description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. 
- template: - type: object - properties: - secret: + topologyKey: + type: string + whenUnsatisfiable: + type: string + description: The pod's topology spread constraints. + description: Template for Kafka Connect Build `Pods`. The build pod is used only on Kubernetes. + buildContainer: type: object properties: - metadata: + env: + type: array + items: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. + securityContext: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true + allowPrivilegeEscalation: + type: boolean + capabilities: type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for KafkaUser resources. The template allows users to specify how the `Secret` with password or TLS certificates is generated. - description: Template to specify how Kafka User `Secrets` are generated. - description: The specification of the user. - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." 
- lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - username: - type: string - description: Username. - secret: - type: string - description: The name of `Secret` where the credentials are stored. - description: The status of the Kafka User. - - name: v1alpha1 - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this user belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: Authentication - description: How the user is authenticated - jsonPath: .spec.authentication.type - type: string - - name: Authorization - description: How the user is authorised - jsonPath: .spec.authorization.type - type: string - - name: Ready - description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - authentication: - type: object - properties: - password: - type: object - properties: - valueFrom: - type: object - properties: - secretKeyRef: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: type: object properties: - key: + localhostProfile: type: string - name: + type: type: string - optional: + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + 
gmsaCredentialSpecName: + type: string + hostProcess: type: boolean - description: Selects a key of a Secret in the resource's namespace. - description: Secret from which the password should be read. - required: - - valueFrom - description: "Specify the password for the user. If not set, a new password is generated by the User Operator." - type: - type: string - enum: - - tls - - tls-external - - scram-sha-512 - description: Authentication type. - required: - - type - description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate. But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n ACLs and quotas set for this user are configured in the `CN=` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `` format suitable for SASL authentication." - authorization: + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka Connect Build container. The build container is used only on Kubernetes. + buildConfig: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. + pullSecret: + type: string + description: Container Registry Secret with the credentials for pulling the base image. 
+ description: Template for the Kafka Connect BuildConfig used to build new container images. The BuildConfig is used only on OpenShift. + buildServiceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka Connect Build service account. + jmxSecret: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Secret of the Kafka Connect Cluster JMX authentication. + description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated." + externalConfiguration: type: object properties: - acls: + env: type: array items: type: object properties: - host: - type: string - description: The host from which the action described in the ACL rule is allowed or denied. - operation: + name: type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "Operation which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." 
- operations: - type: array - items: - type: string - enum: - - Read - - Write - - Create - - Delete - - Alter - - Describe - - ClusterAction - - AlterConfigs - - DescribeConfigs - - IdempotentWrite - - All - description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All." - resource: + description: Name of the environment variable which will be passed to the Kafka Connect pods. The name of the environment variable cannot start with `KAFKA_` or `STRIMZI_`. + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to a key in a ConfigMap. + secretKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to a key in a Secret. + description: Value of the environment variable which will be passed to the Kafka Connect pods. It can be passed either as a reference to Secret or ConfigMap field. The field has to specify exactly one Secret or ConfigMap. + required: + - name + - valueFrom + description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as environment variables. + volumes: + type: array + items: + type: object + properties: + configMap: type: object properties: + defaultMode: + type: integer + items: + type: array + items: + type: object + properties: + key: + type: string + mode: + type: integer + path: + type: string name: type: string - description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern. - patternType: - type: string - enum: - - literal - - prefix - description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. 
With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`." - type: - type: string - enum: - - topic - - group - - cluster - - transactionalId - description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`." - required: - - type - description: Indicates the resource for which given ACL rule applies. - type: + optional: + type: boolean + description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified. + name: type: string - enum: - - allow - - deny - description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`. - required: - - resource - description: List of ACL rules which should be applied to this user. - type: - type: string - enum: - - simple - description: Authorization type. Currently the only supported type is `simple`. `simple` authorization type uses the Kafka Admin API for managing the ACL rules. - required: - - acls - - type - description: Authorization rules for this Kafka user. - quotas: - type: object - properties: - consumerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis. - controllerMutationRate: - type: number - minimum: 0 - description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted." 
- producerByteRate: - type: integer - minimum: 0 - description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis. - requestPercentage: - type: integer - minimum: 0 - description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads. - description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas. - template: + description: Name of the volume which will be added to the Kafka Connect pods. + secret: + type: object + properties: + defaultMode: + type: integer + items: + type: array + items: + type: object + properties: + key: + type: string + mode: + type: integer + path: + type: string + optional: + type: boolean + secretName: + type: string + description: Reference to a key in a Secret. Exactly one Secret or ConfigMap has to be specified. + required: + - name + description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as volumes. + description: Pass data from Secrets or ConfigMaps to the Kafka Connect pods and use them to configure connectors. + metricsConfig: type: object properties: - secret: + type: + type: string + enum: + - jmxPrometheusExporter + description: Metrics type. Only 'jmxPrometheusExporter' supported currently. + valueFrom: type: object properties: - metadata: + configMapKeyRef: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for KafkaUser resources. 
The template allows users to specify how the `Secret` with password or TLS certificates is generated. - description: Template to specify how Kafka User `Secrets` are generated. - description: The specification of the user. + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' + required: + - type + - valueFrom + description: Metrics configuration. + required: + - connectCluster + description: The specification of the Kafka MirrorMaker 2 cluster. status: type: object properties: 
@@ -6432,49 +5494,70 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. - username: + url: type: string - description: Username. - secret: + description: The URL of the REST API endpoint for managing and monitoring Kafka Connect connectors. + autoRestartStatuses: + type: array + items: + type: object + properties: + count: + type: integer + description: The number of times the connector or task is restarted. + connectorName: + type: string + description: The name of the connector being restarted. + lastRestartTimestamp: + type: string + description: The last time the automatic restart was attempted. The required format is 'yyyy-MM-ddTHH:mm:ssZ' in the UTC time zone. + description: List of MirrorMaker 2 connector auto restart statuses. + connectorPlugins: + type: array + items: + type: object + properties: + type: + type: string + description: The type of the connector plugin. The available types are `sink` and `source`. + version: + type: string + description: The version of the connector plugin. + class: + type: string + description: The class of the connector plugin. + description: The list of connector plugins available in this Kafka Connect deployment. + connectors: + type: array + items: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "List of MirrorMaker 2 connector statuses, as reported by the Kafka Connect REST API." + labelSelector: type: string - description: The name of `Secret` where the credentials are stored. - description: The status of the Kafka User. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: strimzi-cluster-operator-kafka-broker-delegation - labels: - app: strimzi -# The Kafka broker cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Kafka brokers. -# This must be done to avoid escalating privileges which would be blocked by Kubernetes. 
-subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-kafka-broker - apiGroup: rbac.authorization.k8s.io + description: Label selector for pods providing this resource. + replicas: + type: integer + description: The current number of pods being used to provide this resource. + description: The status of the Kafka MirrorMaker 2 cluster. --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: kafkaconnectors.kafka.strimzi.io + name: kafkas.kafka.strimzi.io labels: app: strimzi strimzi.io/crd-install: "true" spec: group: kafka.strimzi.io names: - kind: KafkaConnector - listKind: KafkaConnectorList - singular: kafkaconnector - plural: kafkaconnectors + kind: Kafka + listKind: KafkaList + singular: kafka + plural: kafkas shortNames: - - kctr + - k categories: - strimzi scope: Namespaced 
@@ -6486,26 +5569,23 @@ spec: storage: true subresources: status: {} - scale: - specReplicasPath: .spec.tasksMax - statusReplicasPath: .status.tasksMax additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka Connect cluster this connector belongs to - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: Connector class - description: The class used by this connector - jsonPath: .spec.class - type: string - - name: Max Tasks - description: Maximum number of tasks - jsonPath: .spec.tasksMax + - name: Desired Kafka replicas + description: The desired number of Kafka replicas in the cluster + jsonPath: .spec.kafka.replicas + type: integer + - name: Desired ZK replicas + description: The desired number of ZooKeeper replicas in the cluster + jsonPath: .spec.zookeeper.replicas type: integer - name: Ready description: The state of the custom resource jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" type: string + - name: Warnings + description: Warnings related to the custom resource + jsonPath: ".status.conditions[?(@.type==\"Warning\")].status" + type: string schema: openAPIV3Schema: type: object 
@@ -6513,634 +5593,1725 @@ spec: spec: type: object properties: - class: - type: string - description: The Class for the Kafka Connector. - tasksMax: - type: integer - minimum: 1 - description: The maximum number of tasks for the Kafka Connector. - autoRestart: - type: object - properties: - enabled: - type: boolean - description: Whether automatic restart for failed connectors and tasks should be enabled or disabled. - maxRestarts: - type: integer - description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts." - description: Automatic restart of connector and tasks configuration. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max." - pause: - type: boolean - description: Whether the connector should be paused. Defaults to false. - state: - type: string - enum: - - paused - - stopped - - running - description: The state the connector should be in. Defaults to running. - description: The specification of the Kafka Connector. - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). 
- message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - autoRestart: + kafka: type: object properties: - count: - type: integer - description: The number of times the connector or task is restarted. - connectorName: + version: type: string - description: The name of the connector being restarted. - lastRestartTimestamp: + description: The Kafka broker version. Defaults to the latest version. Consult the user documentation to understand the process required to upgrade or downgrade the version. + metadataVersion: type: string - description: The last time the automatic restart was attempted. The required format is 'yyyy-MM-ddTHH:mm:ssZ' in the UTC time zone. - description: The auto restart status. - connectorStatus: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The connector status, as reported by the Kafka Connect REST API." - tasksMax: - type: integer - description: The maximum number of tasks for the Kafka Connector. - topics: - type: array - items: - type: string - description: The list of topics used by the Kafka Connector. - description: The status of the Kafka Connector. + description: "The KRaft metadata version used by the Kafka cluster. This property is ignored when running in ZooKeeper mode. If the property is not set, it defaults to the metadata version that corresponds to the `version` property." + replicas: + type: integer + minimum: 1 + description: The number of pods in the cluster. + image: + type: string + description: "The container image used for Kafka pods. If the property is not set, the default Kafka image version is determined based on the `version` configuration. The image names are specifically mapped to corresponding versions in the Cluster Operator configuration. 
Changing the Kafka image version does not automatically update the image versions for other components, such as Kafka Exporter. " + listeners: + type: array + minItems: 1 + items: + type: object + properties: + name: + type: string + pattern: "^[a-z0-9]{1,11}$" + description: Name of the listener. The name will be used to identify the listener and the related Kubernetes objects. The name has to be unique within given a Kafka cluster. The name can consist of lowercase characters and numbers and be up to 11 characters long. + port: + type: integer + minimum: 9092 + description: "Port number used by the listener inside Kafka. The port number has to be unique within a given Kafka cluster. Allowed port numbers are 9092 and higher with the exception of ports 9404 and 9999, which are already used for Prometheus and JMX. Depending on the listener type, the port number might not be the same as the port number that connects Kafka clients." + type: + type: string + enum: + - internal + - route + - loadbalancer + - nodeport + - ingress + - cluster-ip + description: "Type of the listener. Currently the supported types are `internal`, `route`, `loadbalancer`, `nodeport` and `ingress`. \n\n* `internal` type exposes Kafka internally only within the Kubernetes cluster.\n* `route` type uses OpenShift Routes to expose Kafka.\n* `loadbalancer` type uses LoadBalancer type services to expose Kafka.\n* `nodeport` type uses NodePort type services to expose Kafka.\n* `ingress` type uses Kubernetes Nginx Ingress to expose Kafka with TLS passthrough.\n* `cluster-ip` type uses a per-broker `ClusterIP` service.\n" + tls: + type: boolean + description: Enables TLS encryption on the listener. This is a required property. + authentication: + type: object + properties: + accessTokenIsJwt: + type: boolean + description: Configure whether the access token is treated as JWT. This must be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. 
+ checkAccessTokenType: + type: boolean + description: Configure whether the access token type check is performed or not. This should be set to `false` if the authorization server does not include 'typ' claim in JWT token. Defaults to `true`. + checkAudience: + type: boolean + description: "Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth Client ID also has to be configured using the `clientId` property. The Kafka broker will reject tokens that do not have its `clientId` in their `aud` (audience) claim.Default value is `false`." + checkIssuer: + type: boolean + description: Enable or disable issuer checking. By default issuer is checked using the value configured by `validIssuerUri`. Default value is `true`. + clientAudience: + type: string + description: The audience to use when making requests to the authorization server's token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the `clientId` and `secret` method. + clientId: + type: string + description: OAuth Client ID which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. + clientScope: + type: string + description: The scope to use when making requests to the authorization server's token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the `clientId` and `secret` method. + clientSecret: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. 
+ connectTimeoutSeconds: + type: integer + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + customClaimCheck: + type: string + description: JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default. + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableECDSA: + type: boolean + description: Enable or disable ECDSA support by installing BouncyCastle crypto provider. ECDSA support is always enabled. The BouncyCastle libraries are no longer packaged with Strimzi. Value is ignored. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. Default value is `false`. + enableOauthBearer: + type: boolean + description: Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is `true`. + enablePlain: + type: boolean + description: Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is `false`. + failFast: + type: boolean + description: Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is `true`. + fallbackUserNameClaim: + type: string + description: The fallback username claim to be used for the user id if the claim specified by `userNameClaim` is not present. This is useful when `client_credentials` authentication only results in the client id being provided in another claim. It only takes effect if `userNameClaim` is set. + fallbackUserNamePrefix: + type: string + description: "The prefix to use with the value of `fallbackUserNameClaim` to construct the user id. This only takes effect if `fallbackUserNameClaim` is true, and the value is present for the claim. 
Mapping usernames and client ids into the same user id space is useful in preventing name collisions." + groupsClaim: + type: string + description: JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted. + groupsClaimDelimiter: + type: string + description: "A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma)." + httpRetries: + type: integer + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + httpRetryPauseMs: + type: integer + description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + introspectionEndpointUri: + type: string + description: URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens. + jwksEndpointUri: + type: string + description: "URI of the JWKS certificate endpoint, which can be used for local JWT validation." + jwksExpirySeconds: + type: integer + minimum: 1 + description: Configures how often are the JWKS certificates considered valid. The expiry interval has to be at least 60 seconds longer then the refresh interval specified in `jwksRefreshSeconds`. Defaults to 360 seconds. + jwksIgnoreKeyUse: + type: boolean + description: Flag to ignore the 'use' attribute of `key` declarations in a JWKS endpoint response. Default value is `false`. + jwksMinRefreshPauseSeconds: + type: integer + minimum: 0 + description: "The minimum pause between two consecutive refreshes. 
When an unknown signing key is encountered the refresh is scheduled immediately, but will always wait for this minimum pause. Defaults to 1 second." + jwksRefreshSeconds: + type: integer + minimum: 1 + description: Configures how often are the JWKS certificates refreshed. The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in `jwksExpirySeconds`. Defaults to 300 seconds. + listenerConfig: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Configuration to be used for a specific listener. All values are prefixed with listener.name.__. + maxSecondsWithoutReauthentication: + type: integer + description: "Maximum number of seconds the authenticated session remains valid without re-authentication. This enables Apache Kafka re-authentication feature, and causes sessions to expire when the access token expires. If the access token expires before max time or if max time is reached, the client has to re-authenticate, otherwise the server will drop the connection. Not set by default - the authenticated session does not expire when the access token expires. This option only applies to SASL_OAUTHBEARER authentication mechanism (when `enableOauthBearer` is `true`)." + readTimeoutSeconds: + type: integer + description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." + sasl: + type: boolean + description: Enable or disable SASL on this listener. + secrets: + type: array + items: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Secrets to be mounted to /opt/kafka/custom-authn-secrets/custom-listener-_-_/__. 
+ tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: "URI of the Token Endpoint to use with SASL_PLAIN mechanism when the client authenticates with `clientId` and a `secret`. If set, the client can authenticate over SASL_PLAIN by either setting `username` to `clientId`, and setting `password` to client `secret`, or by setting `username` to account username, and `password` to access token prefixed with `$accessToken:`. If this option is not set, the `password` is always interpreted as an access token (without a prefix), and `username` as the account username (a so called 'no-client-credentials' mode)." + type: + type: string + enum: + - tls + - scram-sha-512 + - oauth + - custom + description: Authentication type. `oauth` type uses SASL OAUTHBEARER Authentication. `scram-sha-512` type uses SASL SCRAM-SHA-512 Authentication. `tls` type uses TLS Client Authentication. `tls` type is supported only on TLS listeners.`custom` type allows for any authentication type to be used. + userInfoEndpointUri: + type: string + description: 'URI of the User Info Endpoint to use as a fallback to obtaining the user id when the Introspection Endpoint does not return information that can be used for the user id. ' + userNameClaim: + type: string + description: "Name of the claim from the JWT authentication token, Introspection Endpoint response or User Info Endpoint response which will be used to extract the user id. Defaults to `sub`." + validIssuerUri: + type: string + description: URI of the token issuer used for authentication. 
+ validTokenType: + type: string + description: "Valid value for the `token_type` attribute returned by the Introspection Endpoint. No default value, and not checked by default." + required: + - type + description: Authentication configuration for this listener. + configuration: + type: object + properties: + brokerCertChainAndKey: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + key: + type: string + description: The name of the private key in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - key + - secretName + description: Reference to the `Secret` which holds the certificate and private key pair which will be used for this listener. The certificate can optionally contain the whole chain. This field can be used only with listeners with enabled TLS encryption. + externalTrafficPolicy: + type: string + enum: + - Local + - Cluster + description: "Specifies whether the service routes external traffic to node-local or cluster-wide endpoints. `Cluster` may cause a second hop to another node and obscures the client source IP. `Local` avoids a second hop for LoadBalancer and Nodeport type services and preserves the client source IP (when supported by the infrastructure). If unspecified, Kubernetes will use `Cluster` as the default.This field can be used only with `loadbalancer` or `nodeport` type listener." + loadBalancerSourceRanges: + type: array + items: + type: string + description: "A list of CIDR ranges (for example `10.0.0.0/8` or `130.211.204.1/32`) from which clients can connect to load balancer type listeners. If supported by the platform, traffic through the loadbalancer is restricted to the specified CIDR ranges. This field is applicable only for loadbalancer type services and is ignored if the cloud provider does not support the feature. 
This field can be used only with `loadbalancer` type listener." + bootstrap: + type: object + properties: + alternativeNames: + type: array + items: + type: string + description: Additional alternative names for the bootstrap service. The alternative names will be added to the list of subject alternative names of the TLS certificates. + host: + type: string + description: The bootstrap host. This field will be used in the Ingress resource or in the Route resource to specify the desired hostname. This field can be used only with `route` (optional) or `ingress` (required) type listeners. + nodePort: + type: integer + description: Node port for the bootstrap service. This field can be used only with `nodeport` type listener. + loadBalancerIP: + type: string + description: The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the `loadBalancerIP` when a load balancer is created. This field is ignored if the cloud provider does not support the feature.This field can be used only with `loadbalancer` type listener. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Annotations that will be added to the `Ingress`, `Route`, or `Service` resource. You can use this field to configure DNS providers such as External DNS. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Labels that will be added to the `Ingress`, `Route`, or `Service` resource. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." + description: Bootstrap configuration. + brokers: + type: array + items: + type: object + properties: + broker: + type: integer + description: ID of the kafka broker (broker identifier). Broker IDs start from 0 and correspond to the number of broker replicas. 
+ advertisedHost: + type: string + description: The host name used in the brokers' `advertised.listeners`. + advertisedPort: + type: integer + description: The port number used in the brokers' `advertised.listeners`. + host: + type: string + description: The broker host. This field will be used in the Ingress resource or in the Route resource to specify the desired hostname. This field can be used only with `route` (optional) or `ingress` (required) type listeners. + nodePort: + type: integer + description: Node port for the per-broker service. This field can be used only with `nodeport` type listener. + loadBalancerIP: + type: string + description: The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the `loadBalancerIP` when a load balancer is created. This field is ignored if the cloud provider does not support the feature.This field can be used only with `loadbalancer` type listener. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Annotations that will be added to the `Ingress` or `Service` resource. You can use this field to configure DNS providers such as External DNS. This field can be used only with `loadbalancer`, `nodeport`, or `ingress` type listeners." + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Labels that will be added to the `Ingress`, `Route`, or `Service` resource. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." + required: + - broker + description: Per-broker configurations. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. 
`PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: + type: string + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + createBootstrapService: + type: boolean + description: Whether to create the bootstrap service or not. The bootstrap service is created by default (if not specified differently). This field can be used with the `loadBalancer` type listener. + class: + type: string + description: "Configures a specific class for `Ingress` and `LoadBalancer` that defines which controller will be used. This field can only be used with `ingress` and `loadbalancer` type listeners. If not specified, the default controller is used. For an `ingress` listener, set the `ingressClassName` property in the `Ingress` resources. For a `loadbalancer` listener, set the `loadBalancerClass` property in the `Service` resources." + finalizers: + type: array + items: + type: string + description: "A list of finalizers which will be configured for the `LoadBalancer` type Services created for this listener. If supported by the platform, the finalizer `service.kubernetes.io/load-balancer-cleanup` to make sure that the external load balancer is deleted together with the service.For more information, see https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#garbage-collecting-load-balancers. This field can be used only with `loadbalancer` type listeners." + maxConnectionCreationRate: + type: integer + description: The maximum connection creation rate we allow in this listener at any time. 
New connections will be throttled if the limit is reached. + maxConnections: + type: integer + description: The maximum number of connections we allow for this listener in the broker at any time. New connections are blocked if the limit is reached. + preferredNodePortAddressType: + type: string + enum: + - ExternalIP + - ExternalDNS + - InternalIP + - InternalDNS + - Hostname + description: |- + Defines which address type should be used as the node address. Available types are: `ExternalDNS`, `ExternalIP`, `InternalDNS`, `InternalIP` and `Hostname`. By default, the addresses will be used in the following order (the first one found will be used): ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-cluster-operator-watched - labels: - app: strimzi -rules: - # Resources in this role are being watched by the operator. When operator is deployed as cluster-wide, these permissions - # need to be granted to the operator on a cluster wide level as well, even if the operands will be deployed only in - # few of the namespaces in given cluster. This is required to set up the Kubernetes watches and informers. 
- # Note: The rights included in this role might change in the future - - apiGroups: - - "" - resources: - # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates - - pods - verbs: - - watch - - list - - apiGroups: - - "kafka.strimzi.io" - resources: - # The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage Kafka resources - - kafkas - - kafkas/status - # The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage KafkaNodePool resources - - kafkanodepools - - kafkanodepools/status - # The cluster operator runs the KafkaConnectAssemblyOperator, which needs to access and manage KafkaConnect resources - - kafkaconnects - - kafkaconnects/status - # The cluster operator runs the KafkaConnectorAssemblyOperator, which needs to access and manage KafkaConnector resources - - kafkaconnectors - - kafkaconnectors/status - # The cluster operator runs the KafkaMirrorMakerAssemblyOperator, which needs to access and manage KafkaMirrorMaker resources - - kafkamirrormakers - - kafkamirrormakers/status - # The cluster operator runs the KafkaBridgeAssemblyOperator, which needs to access and manage BridgeMaker resources - - kafkabridges - - kafkabridges/status - # The cluster operator runs the KafkaMirrorMaker2AssemblyOperator, which needs to access and manage KafkaMirrorMaker2 resources - - kafkamirrormaker2s - - kafkamirrormaker2s/status - # The cluster operator runs the KafkaRebalanceAssemblyOperator, which needs to access and manage KafkaRebalance resources - - kafkarebalances - - kafkarebalances/status - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "core.strimzi.io" - resources: - # The cluster operator uses StrimziPodSets to manage the Kafka and ZooKeeper pods - - strimzipodsets - - strimzipodsets/status - verbs: - - get - - list - - watch - - create - - delete - - patch - - update + * `ExternalDNS` 
+ * `ExternalIP` + * `InternalDNS` + * `InternalIP` + * `Hostname` ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: kafkas.kafka.strimzi.io - labels: - app: strimzi - strimzi.io/crd-install: "true" -spec: - group: kafka.strimzi.io - names: - kind: Kafka - listKind: KafkaList - singular: kafka - plural: kafkas - shortNames: - - k - categories: - - strimzi - scope: Namespaced - conversion: - strategy: None - versions: - - name: v1beta2 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Desired Kafka replicas - description: The desired number of Kafka replicas in the cluster - jsonPath: .spec.kafka.replicas - type: integer - - name: Desired ZK replicas - description: The desired number of ZooKeeper replicas in the cluster - jsonPath: .spec.zookeeper.replicas - type: integer - - name: Ready - description: The state of the custom resource - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - - name: Warnings - description: Warnings related to the custom resource - jsonPath: ".status.conditions[?(@.type==\"Warning\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - kafka: - type: object - properties: - version: - type: string - description: "The kafka broker version. Defaults to {DefaultKafkaVersion}. Consult the user documentation to understand the process required to upgrade or downgrade the version." - replicas: - type: integer - minimum: 1 - description: The number of pods in the cluster. - image: - type: string - description: The docker image for the pods. The default value depends on the configured `Kafka.spec.kafka.version`. - listeners: - type: array - minItems: 1 - items: - type: object - properties: - name: - type: string - pattern: "^[a-z0-9]{1,11}$" - description: Name of the listener. The name will be used to identify the listener and the related Kubernetes objects. 
The name has to be unique within given a Kafka cluster. The name can consist of lowercase characters and numbers and be up to 11 characters long. - port: - type: integer - minimum: 9092 - description: "Port number used by the listener inside Kafka. The port number has to be unique within a given Kafka cluster. Allowed port numbers are 9092 and higher with the exception of ports 9404 and 9999, which are already used for Prometheus and JMX. Depending on the listener type, the port number might not be the same as the port number that connects Kafka clients." - type: + This field is used to select the preferred address type, which is checked first. If no address is found for this address type, the other types are checked in the default order. This field can only be used with `nodeport` type listener. + useServiceDnsDomain: + type: boolean + description: "Configures whether the Kubernetes service DNS domain should be used or not. If set to `true`, the generated addresses will contain the service DNS domain suffix (by default `.cluster.local`, can be configured using environment variable `KUBERNETES_SERVICE_DNS_DOMAIN`). Defaults to `false`.This field can be used only with `internal` and `cluster-ip` type listeners." + description: Additional listener configuration. 
+ networkPolicyPeers: + type: array + items: + type: object + properties: + ipBlock: + type: object + properties: + cidr: + type: string + except: + type: array + items: + type: string + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "List of peers which should be able to connect to this listener. Peers in this list are combined using a logical OR operation. If this field is empty or missing, all connections will be allowed for this listener. If this field is present and contains at least one item, the listener only allows the traffic which matches at least one item in this list." + required: + - name + - port + - type + - tls + description: Configures listeners of Kafka brokers. 
+ config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "Kafka broker config properties with the following prefixes cannot be set: listeners, advertised., broker., listener., host.name, port, inter.broker.listener.name, sasl., ssl., security., password., log.dir, zookeeper.connect, zookeeper.set.acl, zookeeper.ssl, zookeeper.clientCnxnSocket, authorizer., super.user, cruise.control.metrics.topic, cruise.control.metrics.reporter.bootstrap.servers,node.id, process.roles, controller., metadata.log.dir (with the exception of: zookeeper.connection.timeout.ms, sasl.server.max.receive.size,ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols, ssl.secure.random.implementation,cruise.control.metrics.topic.num.partitions, cruise.control.metrics.topic.replication.factor, cruise.control.metrics.topic.retention.ms,cruise.control.metrics.topic.auto.create.retries, cruise.control.metrics.topic.auto.create.timeout.ms,cruise.control.metrics.topic.min.insync.replicas,controller.quorum.election.backoff.max.ms, controller.quorum.election.timeout.ms, controller.quorum.fetch.timeout.ms)." + storage: + type: object + properties: + class: + type: string + description: The storage class to use for dynamic volume allocation. + deleteClaim: + type: boolean + description: Specifies if the persistent volume claim has to be deleted when the cluster is un-deployed. + id: + type: integer + minimum: 0 + description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'. + overrides: + type: array + items: + type: object + properties: + class: + type: string + description: The storage class to use for dynamic volume allocation for this broker. + broker: + type: integer + description: Id of the kafka broker (broker identifier). + description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers. 
+ selector: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Specifies a specific persistent volume to use. It contains key:value pairs representing labels for selecting such a volume. + size: + type: string + description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." + sizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." + type: + type: string + enum: + - ephemeral + - persistent-claim + - jbod + description: "Storage type, must be either 'ephemeral', 'persistent-claim', or 'jbod'." + volumes: + type: array + items: + type: object + properties: + class: + type: string + description: The storage class to use for dynamic volume allocation. + deleteClaim: + type: boolean + description: Specifies if the persistent volume claim has to be deleted when the cluster is un-deployed. + id: + type: integer + minimum: 0 + description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'. + overrides: + type: array + items: + type: object + properties: + class: + type: string + description: The storage class to use for dynamic volume allocation for this broker. + broker: + type: integer + description: Id of the kafka broker (broker identifier). + description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers. + selector: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Specifies a specific persistent volume to use. It contains key:value pairs representing labels for selecting such a volume. + size: + type: string + description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." 
+ sizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." + type: + type: string + enum: + - ephemeral + - persistent-claim + description: "Storage type, must be either 'ephemeral' or 'persistent-claim'." + required: + - type + description: List of volumes as Storage objects representing the JBOD disks array. + required: + - type + description: Storage configuration (disk). Cannot be updated. + authorization: + type: object + properties: + allowOnError: + type: boolean + description: "Defines whether a Kafka client should be allowed or denied by default when the authorizer fails to query the Open Policy Agent, for example, when it is temporarily unavailable). Defaults to `false` - all actions will be denied." + authorizerClass: + type: string + description: "Authorization implementation class, which must be available in classpath." + clientId: + type: string + description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + connectTimeoutSeconds: + type: integer + minimum: 1 + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + delegateToKafkaAcls: + type: boolean + description: Whether authorization decision should be delegated to the 'Simple' authorizer if DENIED by Keycloak Authorization Services policies. Default value is `false`. + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. The default value is `false`. + expireAfterMs: + type: integer + description: The expiration of the records kept in the local cache to avoid querying the Open Policy Agent for every request. 
Defines how often the cached authorization decisions are reloaded from the Open Policy Agent server. In milliseconds. Defaults to `3600000`. + grantsAlwaysLatest: + type: boolean + description: "Controls whether the latest grants are fetched for a new session. When enabled, grants are retrieved from Keycloak and cached for the user. The default value is `false`." + grantsGcPeriodSeconds: + type: integer + minimum: 1 + description: "The time, in seconds, between consecutive runs of a job that cleans stale grants from the cache. The default value is 300." + grantsMaxIdleTimeSeconds: + type: integer + minimum: 1 + description: "The time, in seconds, after which an idle grant can be evicted from the cache. The default value is 300." + grantsRefreshPeriodSeconds: + type: integer + minimum: 0 + description: The time between two consecutive grants refresh runs in seconds. The default value is 60. + grantsRefreshPoolSize: + type: integer + minimum: 1 + description: "The number of threads to use to refresh grants for active sessions. The more threads, the more parallelism, so the sooner the job completes. However, using more threads places a heavier load on the authorization server. The default value is 5." + httpRetries: + type: integer + minimum: 0 + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + initialCacheCapacity: + type: integer + description: Initial capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request Defaults to `5000`. + maximumCacheSize: + type: integer + description: Maximum capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to `50000`. 
+ readTimeoutSeconds: + type: integer + minimum: 1 + description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." + superUsers: + type: array + items: type: string - enum: - - internal - - route - - loadbalancer - - nodeport - - ingress - - cluster-ip - description: "Type of the listener. Currently the supported types are `internal`, `route`, `loadbalancer`, `nodeport` and `ingress`. \n\n* `internal` type exposes Kafka internally only within the Kubernetes cluster.\n* `route` type uses OpenShift Routes to expose Kafka.\n* `loadbalancer` type uses LoadBalancer type services to expose Kafka.\n* `nodeport` type uses NodePort type services to expose Kafka.\n* `ingress` type uses Kubernetes Nginx Ingress to expose Kafka with TLS passthrough.\n* `cluster-ip` type uses a per-broker `ClusterIP` service.\n" - tls: - type: boolean - description: Enables TLS encryption on the listener. This is a required property. - authentication: + description: "List of super users, which are user principals with unlimited access rights." + supportsAdminApi: + type: boolean + description: Indicates whether the custom authorizer supports the APIs for managing ACLs using the Kafka Admin API. Defaults to `false`. + tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: Authorization server token endpoint URI. + type: + type: string + enum: + - simple + - opa + - keycloak + - custom + description: "Authorization type. Currently, the supported types are `simple`, `keycloak`, `opa` and `custom`. 
`simple` authorization type uses Kafka's built-in authorizer for authorization. `keycloak` authorization type uses Keycloak Authorization Services for authorization. `opa` authorization type uses Open Policy Agent based authorization.`custom` authorization type uses user-provided implementation for authorization." + url: + type: string + example: http://opa:8181/v1/data/kafka/authz/allow + description: The URL used to connect to the Open Policy Agent server. The URL has to include the policy which will be queried by the authorizer. This option is required. + required: + - type + description: Authorization configuration for Kafka brokers. + rack: + type: object + properties: + topologyKey: + type: string + example: topology.kubernetes.io/zone + description: "A key that matches labels assigned to the Kubernetes cluster nodes. The value of the label is used to set a broker's `broker.rack` config, and the `client.rack` config for Kafka Connect or MirrorMaker 2." + required: + - topologyKey + description: Configuration of the `broker.rack` broker config. + brokerRackInitImage: + type: string + description: The image of the init container used for initializing the `broker.rack`. + livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. 
+ timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. + jvmOptions: + type: object + properties: + "-XX": + x-kubernetes-preserve-unknown-fields: true + type: object + description: A map of -XX options to the JVM. + "-Xms": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xms option to to the JVM. + "-Xmx": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xmx option to to the JVM. + gcLoggingEnabled: + type: boolean + description: Specifies whether the Garbage Collection logging is enabled. The default is false. + javaSystemProperties: + type: array + items: type: object properties: - accessTokenIsJwt: - type: boolean - description: Configure whether the access token is treated as JWT. This must be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. 
- checkAccessTokenType: - type: boolean - description: Configure whether the access token type check is performed or not. This should be set to `false` if the authorization server does not include 'typ' claim in JWT token. Defaults to `true`. - checkAudience: - type: boolean - description: "Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth Client ID also has to be configured using the `clientId` property. The Kafka broker will reject tokens that do not have its `clientId` in their `aud` (audience) claim.Default value is `false`." - checkIssuer: - type: boolean - description: Enable or disable issuer checking. By default issuer is checked using the value configured by `validIssuerUri`. Default value is `true`. - clientAudience: + name: type: string - description: The audience to use when making requests to the authorization server's token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the `clientId` and `secret` method. - clientId: + description: The system property name. + value: + type: string + description: The system property value. + description: A map of additional system properties which will be passed using the `-D` option to the JVM. + description: JVM Options for pods. + jmxOptions: + type: object + properties: + authentication: + type: object + properties: + type: + type: string + enum: + - password + description: Authentication type. Currently the only supported types are `password`.`password` type creates a username and protected port with no TLS. + required: + - type + description: Authentication configuration for connecting to the JMX port. + description: JMX Options for Kafka brokers. 
+ resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true + type: object + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. + metricsConfig: + type: object + properties: + type: + type: string + enum: + - jmxPrometheusExporter + description: Metrics type. Only 'jmxPrometheusExporter' supported currently. + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' + required: + - type + - valueFrom + description: Metrics configuration. + logging: + type: object + properties: + loggers: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A Map from logger name to logger level. + type: + type: string + enum: + - inline + - external + description: "Logging type, must be either 'inline' or 'external'." + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: '`ConfigMap` entry where the logging configuration is stored. ' + required: + - type + description: Logging configuration for Kafka. + template: + type: object + properties: + statefulset: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. 
+ description: Metadata applied to the resource. + podManagementPolicy: + type: string + enum: + - OrderedReady + - Parallel + description: PodManagementPolicy which will be used for this StatefulSet. Valid values are `Parallel` and `OrderedReady`. Defaults to `Parallel`. + description: Template for Kafka `StatefulSet`. + pod: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + imagePullSecrets: + type: array + items: + type: object + properties: + name: + type: string + description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." 
+ securityContext: + type: object + properties: + fsGroup: + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + supplementalGroups: + type: array + items: + type: integer + sysctls: + type: array + items: + type: object + properties: + name: + type: string + value: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Configures pod-level security attributes and common container settings. + terminationGracePeriodSeconds: + type: integer + minimum: 0 + description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." 
+ affinity: + type: object + properties: + nodeAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + preference: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: object + properties: + nodeSelectorTerms: + type: array + items: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + podAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + weight: + type: integer + 
requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + podAntiAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + description: The pod's affinity rules. + tolerations: + type: array + items: + type: object + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + type: integer + value: + type: string + description: The pod's tolerations. + priorityClassName: + type: string + description: 'The name of the priority class used to assign priority to the pods. ' + schedulerName: + type: string + description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." + hostAliases: + type: array + items: + type: object + properties: + hostnames: + type: array + items: + type: string + ip: + type: string + description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. + tmpDirSizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. + enableServiceLinks: + type: boolean + description: Indicates whether information about services should be injected into Pod's environment variables. 
+ topologySpreadConstraints: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + matchLabelKeys: + type: array + items: + type: string + maxSkew: + type: integer + minDomains: + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + description: The pod's topology spread constraints. + description: Template for Kafka `Pods`. + bootstrapService: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: type: string - description: OAuth Client ID which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. 
- clientScope: + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + description: Template for Kafka bootstrap `Service`. + brokersService: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: type: string - description: The scope to use when making requests to the authorization server's token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the `clientId` and `secret` method. - clientSecret: + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + description: Template for Kafka broker `Service`. 
+ externalBootstrapService: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka external bootstrap `Service`. + perPodService: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka per-pod `Services` used for access from outside of Kubernetes. + externalBootstrapRoute: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka external bootstrap `Route`. + perPodRoute: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka per-pod `Routes` used for access from outside of OpenShift. 
+ externalBootstrapIngress: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka external bootstrap `Ingress`. + perPodIngress: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka per-pod `Ingress` used for access from outside of Kubernetes. + persistentVolumeClaim: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for all Kafka `PersistentVolumeClaims`. + podDisruptionBudget: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. 
+ maxUnavailable: + type: integer + minimum: 0 + description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." + description: Template for Kafka `PodDisruptionBudget`. + kafkaContainer: + type: object + properties: + env: + type: array + items: type: object properties: - key: + name: type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: + description: The environment variable key. + value: type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. - connectTimeoutSeconds: - type: integer - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." - customClaimCheck: - type: string - description: JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default. - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableECDSA: - type: boolean - description: Enable or disable ECDSA support by installing BouncyCastle crypto provider. ECDSA support is always enabled. The BouncyCastle libraries are no longer packaged with Strimzi. Value is ignored. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. Default value is `false`. 
- enableOauthBearer: - type: boolean - description: Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is `true`. - enablePlain: - type: boolean - description: Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is `false`. - failFast: - type: boolean - description: Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is `true`. - fallbackUserNameClaim: - type: string - description: The fallback username claim to be used for the user id if the claim specified by `userNameClaim` is not present. This is useful when `client_credentials` authentication only results in the client id being provided in another claim. It only takes effect if `userNameClaim` is set. - fallbackUserNamePrefix: - type: string - description: "The prefix to use with the value of `fallbackUserNameClaim` to construct the user id. This only takes effect if `fallbackUserNameClaim` is true, and the value is present for the claim. Mapping usernames and client ids into the same user id space is useful in preventing name collisions." - groupsClaim: - type: string - description: JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted. - groupsClaimDelimiter: - type: string - description: "A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma)." - httpRetries: - type: integer - description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." - httpRetryPauseMs: - type: integer - description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." 
- includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - introspectionEndpointUri: - type: string - description: URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens. - jwksEndpointUri: - type: string - description: "URI of the JWKS certificate endpoint, which can be used for local JWT validation." - jwksExpirySeconds: - type: integer - minimum: 1 - description: Configures how often are the JWKS certificates considered valid. The expiry interval has to be at least 60 seconds longer then the refresh interval specified in `jwksRefreshSeconds`. Defaults to 360 seconds. - jwksIgnoreKeyUse: - type: boolean - description: Flag to ignore the 'use' attribute of `key` declarations in a JWKS endpoint response. Default value is `false`. - jwksMinRefreshPauseSeconds: - type: integer - minimum: 0 - description: "The minimum pause between two consecutive refreshes. When an unknown signing key is encountered the refresh is scheduled immediately, but will always wait for this minimum pause. Defaults to 1 second." - jwksRefreshSeconds: - type: integer - minimum: 1 - description: Configures how often are the JWKS certificates refreshed. The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in `jwksExpirySeconds`. Defaults to 300 seconds. - listenerConfig: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Configuration to be used for a specific listener. All values are prefixed with listener.name.__. - maxSecondsWithoutReauthentication: - type: integer - description: "Maximum number of seconds the authenticated session remains valid without re-authentication. This enables Apache Kafka re-authentication feature, and causes sessions to expire when the access token expires. 
If the access token expires before max time or if max time is reached, the client has to re-authenticate, otherwise the server will drop the connection. Not set by default - the authenticated session does not expire when the access token expires. This option only applies to SASL_OAUTHBEARER authentication mechanism (when `enableOauthBearer` is `true`)." - readTimeoutSeconds: - type: integer - description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." - sasl: - type: boolean - description: Enable or disable SASL on this listener. - secrets: - type: array - items: + description: The environment variable value. + description: Environment variables which should be applied to the container. + securityContext: + type: object + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: type: object properties: - key: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: + role: type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Secrets to be mounted to /opt/kafka/custom-authn-secrets/custom-listener-_-_/__. - tlsTrustedCertificates: - type: array - items: + type: + type: string + user: + type: string + seccompProfile: type: object properties: - certificate: + localhostProfile: type: string - description: The name of the file certificate in the Secret. - secretName: + type: type: string - description: The name of the Secret containing the certificate. 
- required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: - type: string - description: "URI of the Token Endpoint to use with SASL_PLAIN mechanism when the client authenticates with `clientId` and a `secret`. If set, the client can authenticate over SASL_PLAIN by either setting `username` to `clientId`, and setting `password` to client `secret`, or by setting `username` to account username, and `password` to access token prefixed with `$accessToken:`. If this option is not set, the `password` is always interpreted as an access token (without a prefix), and `username` as the account username (a so called 'no-client-credentials' mode)." - type: - type: string - enum: - - tls - - scram-sha-512 - - oauth - - custom - description: Authentication type. `oauth` type uses SASL OAUTHBEARER Authentication. `scram-sha-512` type uses SASL SCRAM-SHA-512 Authentication. `tls` type uses TLS Client Authentication. `tls` type is supported only on TLS listeners.`custom` type allows for any authentication type to be used. - userInfoEndpointUri: - type: string - description: 'URI of the User Info Endpoint to use as a fallback to obtaining the user id when the Introspection Endpoint does not return information that can be used for the user id. ' - userNameClaim: - type: string - description: "Name of the claim from the JWT authentication token, Introspection Endpoint response or User Info Endpoint response which will be used to extract the user id. Defaults to `sub`." - validIssuerUri: - type: string - description: URI of the token issuer used for authentication. - validTokenType: - type: string - description: "Valid value for the `token_type` attribute returned by the Introspection Endpoint. No default value, and not checked by default." - required: - - type - description: Authentication configuration for this listener. 
- configuration: - type: object - properties: - brokerCertChainAndKey: + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka broker container. + initContainer: + type: object + properties: + env: + type: array + items: type: object properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - key: + name: type: string - description: The name of the private key in the Secret. - secretName: + description: The environment variable key. + value: type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - key - - secretName - description: Reference to the `Secret` which holds the certificate and private key pair which will be used for this listener. The certificate can optionally contain the whole chain. This field can be used only with listeners with enabled TLS encryption. - externalTrafficPolicy: - type: string - enum: - - Local - - Cluster - description: "Specifies whether the service routes external traffic to node-local or cluster-wide endpoints. `Cluster` may cause a second hop to another node and obscures the client source IP. `Local` avoids a second hop for LoadBalancer and Nodeport type services and preserves the client source IP (when supported by the infrastructure). If unspecified, Kubernetes will use `Cluster` as the default.This field can be used only with `loadbalancer` or `nodeport` type listener." - loadBalancerSourceRanges: - type: array - items: + description: The environment variable value. + description: Environment variables which should be applied to the container. 
+ securityContext: + type: object + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + type: object + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: type: string - description: "A list of CIDR ranges (for example `10.0.0.0/8` or `130.211.204.1/32`) from which clients can connect to load balancer type listeners. If supported by the platform, traffic through the loadbalancer is restricted to the specified CIDR ranges. This field is applicable only for loadbalancer type services and is ignored if the cloud provider does not support the feature. This field can be used only with `loadbalancer` type listener." - bootstrap: - type: object - properties: - alternativeNames: - type: array - items: + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: type: string - description: Additional alternative names for the bootstrap service. The alternative names will be added to the list of subject alternative names of the TLS certificates. - host: - type: string - description: The bootstrap host. This field will be used in the Ingress resource or in the Route resource to specify the desired hostname. This field can be used only with `route` (optional) or `ingress` (required) type listeners. - nodePort: - type: integer - description: Node port for the bootstrap service. This field can be used only with `nodeport` type listener. - loadBalancerIP: - type: string - description: The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the `loadBalancerIP` when a load balancer is created. This field is ignored if the cloud provider does not support the feature.This field can be used only with `loadbalancer` type listener. 
- annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Annotations that will be added to the `Ingress`, `Route`, or `Service` resource. You can use this field to configure DNS providers such as External DNS. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Labels that will be added to the `Ingress`, `Route`, or `Service` resource. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." - description: Bootstrap configuration. - brokers: - type: array - items: + role: + type: string + type: + type: string + user: + type: string + seccompProfile: type: object properties: - broker: - type: integer - description: ID of the kafka broker (broker identifier). Broker IDs start from 0 and correspond to the number of broker replicas. - advertisedHost: + localhostProfile: type: string - description: The host name used in the brokers' `advertised.listeners`. - advertisedPort: - type: integer - description: The port number used in the brokers' `advertised.listeners`. - host: + type: type: string - description: The broker host. This field will be used in the Ingress resource or in the Route resource to specify the desired hostname. This field can be used only with `route` (optional) or `ingress` (required) type listeners. - nodePort: - type: integer - description: Node port for the per-broker service. This field can be used only with `nodeport` type listener. - loadBalancerIP: + windowsOptions: + type: object + properties: + gmsaCredentialSpec: type: string - description: The loadbalancer is requested with the IP address specified in this field. This feature depends on whether the underlying cloud provider supports specifying the `loadBalancerIP` when a load balancer is created. 
This field is ignored if the cloud provider does not support the feature.This field can be used only with `loadbalancer` type listener. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Annotations that will be added to the `Ingress` or `Service` resource. You can use this field to configure DNS providers such as External DNS. This field can be used only with `loadbalancer`, `nodeport`, or `ingress` type listeners." - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Labels that will be added to the `Ingress`, `Route`, or `Service` resource. This field can be used only with `loadbalancer`, `nodeport`, `route`, or `ingress` type listeners." - required: - - broker - description: Per-broker configurations. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: - type: array - items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - createBootstrapService: - type: boolean - description: Whether to create the bootstrap service or not. The bootstrap service is created by default (if not specified differently). This field can be used with the `loadBalancer` type listener. 
- class: - type: string - description: "Configures a specific class for `Ingress` and `LoadBalancer` that defines which controller will be used. This field can only be used with `ingress` and `loadbalancer` type listeners. If not specified, the default controller is used. For an `ingress` listener, set the `ingressClassName` property in the `Ingress` resources. For a `loadbalancer` listener, set the `loadBalancerClass` property in the `Service` resources." - finalizers: - type: array - items: - type: string - description: "A list of finalizers which will be configured for the `LoadBalancer` type Services created for this listener. If supported by the platform, the finalizer `service.kubernetes.io/load-balancer-cleanup` to make sure that the external load balancer is deleted together with the service.For more information, see https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#garbage-collecting-load-balancers. This field can be used only with `loadbalancer` type listeners." - maxConnectionCreationRate: - type: integer - description: The maximum connection creation rate we allow in this listener at any time. New connections will be throttled if the limit is reached. - maxConnections: - type: integer - description: The maximum number of connections we allow for this listener in the broker at any time. New connections are blocked if the limit is reached. - preferredNodePortAddressType: - type: string - enum: - - ExternalIP - - ExternalDNS - - InternalIP - - InternalDNS - - Hostname - description: |- - Defines which address type should be used as the node address. Available types are: `ExternalDNS`, `ExternalIP`, `InternalDNS`, `InternalIP` and `Hostname`. By default, the addresses will be used in the following order (the first one found will be used): - - * `ExternalDNS` - * `ExternalIP` - * `InternalDNS` - * `InternalIP` - * `Hostname` - - This field is used to select the preferred address type, which is checked first. 
If no address is found for this address type, the other types are checked in the default order. This field can only be used with `nodeport` type listener. - useServiceDnsDomain: - type: boolean - description: "Configures whether the Kubernetes service DNS domain should be used or not. If set to `true`, the generated addresses will contain the service DNS domain suffix (by default `.cluster.local`, can be configured using environment variable `KUBERNETES_SERVICE_DNS_DOMAIN`). Defaults to `false`.This field can be used only with `internal` and `cluster-ip` type listeners." - description: Additional listener configuration. - networkPolicyPeers: - type: array - items: + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka init container. + clusterCaCert: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Secret with Kafka Cluster certificate public key. + serviceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka service account. 
+ jmxSecret: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Secret of the Kafka Cluster JMX authentication. + clusterRoleBinding: + type: object + properties: + metadata: type: object properties: - ipBlock: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - cidr: - type: string - except: - type: array - items: - type: string - namespaceSelector: + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - podSelector: + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka ClusterRoleBinding. + podSet: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "List of peers which should be able to connect to this listener. Peers in this list are combined using a logical OR operation. If this field is empty or missing, all connections will be allowed for this listener. 
If this field is present and contains at least one item, the listener only allows the traffic which matches at least one item in this list." - required: - - name - - port - - type - - tls - description: Configures listeners of Kafka brokers. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Kafka broker config properties with the following prefixes cannot be set: listeners, advertised., broker., listener., host.name, port, inter.broker.listener.name, sasl., ssl., security., password., log.dir, zookeeper.connect, zookeeper.set.acl, zookeeper.ssl, zookeeper.clientCnxnSocket, authorizer., super.user, cruise.control.metrics.topic, cruise.control.metrics.reporter.bootstrap.servers,node.id, process.roles, controller., metadata.log.dir (with the exception of: zookeeper.connection.timeout.ms, sasl.server.max.receive.size,ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols, ssl.secure.random.implementation,cruise.control.metrics.topic.num.partitions, cruise.control.metrics.topic.replication.factor, cruise.control.metrics.topic.retention.ms,cruise.control.metrics.topic.auto.create.retries, cruise.control.metrics.topic.auto.create.timeout.ms,cruise.control.metrics.topic.min.insync.replicas,controller.quorum.election.backoff.max.ms, controller.quorum.election.timeout.ms, controller.quorum.fetch.timeout.ms)." + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka `StrimziPodSet` resource. + description: Template for Kafka cluster resources. The template allows users to specify how the Kubernetes resources are generated. + required: + - replicas + - listeners + - storage + description: Configuration of the Kafka cluster. 
+ zookeeper: + type: object + properties: + replicas: + type: integer + minimum: 1 + description: The number of pods in the cluster. + image: + type: string + description: "The container image used for ZooKeeper pods. If no image name is explicitly specified, it is determined based on the Kafka version set in `spec.kafka.version`. The image names are specifically mapped to corresponding versions in the Cluster Operator configuration." storage: type: object properties: 
@@ -7159,199 +7330,37 @@ spec: items: type: object properties: - class: - type: string - description: The storage class to use for dynamic volume allocation for this broker. - broker: - type: integer - description: Id of the kafka broker (broker identifier). - description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers. - selector: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Specifies a specific persistent volume to use. It contains key:value pairs representing labels for selecting such a volume. - size: - type: string - description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." - sizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." - type: - type: string - enum: - - ephemeral - - persistent-claim - - jbod - description: "Storage type, must be either 'ephemeral', 'persistent-claim', or 'jbod'." - volumes: - type: array - items: - type: object - properties: - class: - type: string - description: The storage class to use for dynamic volume allocation. - deleteClaim: - type: boolean - description: Specifies if the persistent volume claim has to be deleted when the cluster is un-deployed. - id: - type: integer - minimum: 0 - description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'. - overrides: - type: array - items: - type: object - properties: - class: - type: string - description: The storage class to use for dynamic volume allocation for this broker. - broker: - type: integer - description: Id of the kafka broker (broker identifier). - description: Overrides for individual brokers. 
The `overrides` field allows to specify a different configuration for different brokers. - selector: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Specifies a specific persistent volume to use. It contains key:value pairs representing labels for selecting such a volume. - size: - type: string - description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." - sizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." - type: - type: string - enum: - - ephemeral - - persistent-claim - description: "Storage type, must be either 'ephemeral' or 'persistent-claim'." - required: - - type - description: List of volumes as Storage objects representing the JBOD disks array. - required: - - type - description: Storage configuration (disk). Cannot be updated. - authorization: - type: object - properties: - allowOnError: - type: boolean - description: "Defines whether a Kafka client should be allowed or denied by default when the authorizer fails to query the Open Policy Agent, for example, when it is temporarily unavailable). Defaults to `false` - all actions will be denied." - authorizerClass: - type: string - description: "Authorization implementation class, which must be available in classpath." - clientId: - type: string - description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - connectTimeoutSeconds: - type: integer - minimum: 1 - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." 
- delegateToKafkaAcls: - type: boolean - description: Whether authorization decision should be delegated to the 'Simple' authorizer if DENIED by Keycloak Authorization Services policies. Default value is `false`. - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. The default value is `false`. - expireAfterMs: - type: integer - description: The expiration of the records kept in the local cache to avoid querying the Open Policy Agent for every request. Defines how often the cached authorization decisions are reloaded from the Open Policy Agent server. In milliseconds. Defaults to `3600000`. - grantsAlwaysLatest: - type: boolean - description: "Controls whether the latest grants are fetched for a new session. When enabled, grants are retrieved from Keycloak and cached for the user. The default value is `false`." - grantsGcPeriodSeconds: - type: integer - minimum: 1 - description: "The time, in seconds, between consecutive runs of a job that cleans stale grants from the cache. The default value is 300." - grantsMaxIdleTimeSeconds: - type: integer - minimum: 1 - description: "The time, in seconds, after which an idle grant can be evicted from the cache. The default value is 300." - grantsRefreshPeriodSeconds: - type: integer - minimum: 0 - description: The time between two consecutive grants refresh runs in seconds. The default value is 60. - grantsRefreshPoolSize: - type: integer - minimum: 1 - description: "The number of threads to use to refresh grants for active sessions. The more threads, the more parallelism, so the sooner the job completes. However, using more threads places a heavier load on the authorization server. The default value is 5." - httpRetries: - type: integer - minimum: 0 - description: "The maximum number of retries to attempt if an initial HTTP request fails. 
If not set, the default is to not attempt any retries." - includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - initialCacheCapacity: - type: integer - description: Initial capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request Defaults to `5000`. - maximumCacheSize: - type: integer - description: Maximum capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to `50000`. - readTimeoutSeconds: - type: integer - minimum: 1 - description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." - superUsers: - type: array - items: - type: string - description: "List of super users, which are user principals with unlimited access rights." - supportsAdminApi: - type: boolean - description: Indicates whether the custom authorizer supports the APIs for managing ACLs using the Kafka Admin API. Defaults to `false`. - tlsTrustedCertificates: - type: array - items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: + class: + type: string + description: The storage class to use for dynamic volume allocation for this broker. + broker: + type: integer + description: Id of the kafka broker (broker identifier). + description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers. + selector: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Specifies a specific persistent volume to use. 
It contains key:value pairs representing labels for selecting such a volume. + size: type: string - description: Authorization server token endpoint URI. + description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." + sizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." type: type: string enum: - - simple - - opa - - keycloak - - custom - description: "Authorization type. Currently, the supported types are `simple`, `keycloak`, `opa` and `custom`. `simple` authorization type uses Kafka's built-in authorizer for authorization. `keycloak` authorization type uses Keycloak Authorization Services for authorization. `opa` authorization type uses Open Policy Agent based authorization.`custom` authorization type uses user-provided implementation for authorization." - url: - type: string - example: http://opa:8181/v1/data/kafka/authz/allow - description: The URL used to connect to the Open Policy Agent server. The URL has to include the policy which will be queried by the authorizer. This option is required. + - ephemeral + - persistent-claim + description: "Storage type, must be either 'ephemeral' or 'persistent-claim'." required: - type - description: Authorization configuration for Kafka brokers. - rack: + description: Storage configuration (disk). Cannot be updated. + config: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - topologyKey: - type: string - example: topology.kubernetes.io/zone - description: "A key that matches labels assigned to the Kubernetes cluster nodes. The value of the label is used to set a broker's `broker.rack` config, and the `client.rack` config for Kafka Connect or MirrorMaker 2." - required: - - topologyKey - description: Configuration of the `broker.rack` broker config. 
- brokerRackInitImage: - type: string - description: The image of the init container used for initializing the `broker.rack`. + description: "The ZooKeeper broker config. Properties with the following prefixes cannot be set: server., dataDir, dataLogDir, clientPort, authProvider, quorum.auth, requireClientAuthScheme, snapshot.trust.empty, standaloneEnabled, reconfigEnabled, 4lw.commands.whitelist, secureClientPort, ssl., serverCnxnFactory, sslQuorum (with the exception of: ssl.protocol, ssl.quorum.protocol, ssl.enabledProtocols, ssl.quorum.enabledProtocols, ssl.ciphersuites, ssl.quorum.ciphersuites, ssl.hostnameVerification, ssl.quorum.hostnameVerification)." livenessProbe: type: object properties: @@ -7445,7 +7454,7 @@ spec: required: - type description: Authentication configuration for connecting to the JMX port. - description: JMX Options for Kafka brokers. + description: JMX Options for Zookeeper nodes. resources: type: object properties: @@ -7484,7 +7493,7 @@ spec: optional: type: boolean description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' required: - type - valueFrom @@ -7518,7 +7527,7 @@ spec: description: '`ConfigMap` entry where the logging configuration is stored. ' required: - type - description: Logging configuration for Kafka. + description: Logging configuration for ZooKeeper. template: type: object properties: @@ -7543,7 +7552,7 @@ spec: - OrderedReady - Parallel description: PodManagementPolicy which will be used for this StatefulSet. Valid values are `Parallel` and `OrderedReady`. Defaults to `Parallel`. - description: Template for Kafka `StatefulSet`. + description: Template for ZooKeeper `StatefulSet`. pod: type: object properties: 
@@ -7934,7 +7943,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." @@ -7998,8 +8007,8 @@ spec: whenUnsatisfiable: type: string description: The pod's topology spread constraints. - description: Template for Kafka `Pods`. - bootstrapService: + description: Template for ZooKeeper `Pods`. + clientService: type: object properties: metadata: @@ -8029,8 +8038,8 @@ spec: - IPv4 - IPv6 description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for Kafka bootstrap `Service`. - brokersService: + description: Template for ZooKeeper client `Service`. + nodesService: type: object properties: metadata: 
@@ -8060,103 +8069,7 @@ spec: - IPv4 - IPv6 description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for Kafka broker `Service`. - externalBootstrapService: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka external bootstrap `Service`. - perPodService: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka per-pod `Services` used for access from outside of Kubernetes. - externalBootstrapRoute: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka external bootstrap `Route`. - perPodRoute: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. 
- annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka per-pod `Routes` used for access from outside of OpenShift. - externalBootstrapIngress: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka external bootstrap `Ingress`. - perPodIngress: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka per-pod `Ingress` used for access from outside of Kubernetes. + description: Template for ZooKeeper nodes `Service`. persistentVolumeClaim: type: object properties: @@ -8172,7 +8085,7 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for all Kafka `PersistentVolumeClaims`. + description: Template for all ZooKeeper `PersistentVolumeClaims`. podDisruptionBudget: type: object properties: 
@@ -8192,82 +8105,8 @@ spec: type: integer minimum: 0 description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for Kafka `PodDisruptionBudget`. - kafkaContainer: - type: object - properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. - securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Kafka broker container. - initContainer: + description: Template for ZooKeeper `PodDisruptionBudget`. + zookeeperContainer: type: object properties: env: 
@@ -8340,23 +8179,7 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for the Kafka init container. - clusterCaCert: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Secret with Kafka Cluster certificate public key. + description: Template for the ZooKeeper container. serviceAccount: type: object properties: @@ -8372,7 +8195,7 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for the Kafka service account. + description: Template for the ZooKeeper service account. jmxSecret: type: object properties: @@ -8388,23 +8211,7 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for Secret of the Kafka Cluster JMX authentication. - clusterRoleBinding: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka ClusterRoleBinding. + description: Template for Secret of the Zookeeper Cluster JMX authentication. podSet: type: object properties: 
@@ -8420,243 +8227,422 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for Kafka `StrimziPodSet` resource. - description: Template for Kafka cluster resources. The template allows users to specify how the Kubernetes resources are generated. + description: Template for ZooKeeper `StrimziPodSet` resource. + description: Template for ZooKeeper cluster resources. The template allows users to specify how the Kubernetes resources are generated. required: - replicas - - listeners - storage - description: Configuration of the Kafka cluster. - zookeeper: + description: Configuration of the ZooKeeper cluster. + entityOperator: type: object properties: - replicas: - type: integer - minimum: 1 - description: The number of pods in the cluster. - image: - type: string - description: The docker image for the pods. - storage: + topicOperator: type: object properties: - class: - type: string - description: The storage class to use for dynamic volume allocation. - deleteClaim: - type: boolean - description: Specifies if the persistent volume claim has to be deleted when the cluster is un-deployed. - id: - type: integer - minimum: 0 - description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'. - overrides: - type: array - items: - type: object - properties: - class: - type: string - description: The storage class to use for dynamic volume allocation for this broker. - broker: - type: integer - description: Id of the kafka broker (broker identifier). - description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers. - selector: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Specifies a specific persistent volume to use. It contains key:value pairs representing labels for selecting such a volume. 
- size: - type: string - description: "When type=persistent-claim, defines the size of the persistent volume claim (i.e 1Gi). Mandatory when type=persistent-claim." - sizeLimit: + watchedNamespace: type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: "When type=ephemeral, defines the total amount of local storage required for this EmptyDir volume (for example 1Gi)." - type: + description: The namespace the Topic Operator should watch. + image: type: string - enum: - - ephemeral - - persistent-claim - description: "Storage type, must be either 'ephemeral' or 'persistent-claim'." - required: - - type - description: Storage configuration (disk). Cannot be updated. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The ZooKeeper broker config. Properties with the following prefixes cannot be set: server., dataDir, dataLogDir, clientPort, authProvider, quorum.auth, requireClientAuthScheme, snapshot.trust.empty, standaloneEnabled, reconfigEnabled, 4lw.commands.whitelist, secureClientPort, ssl., serverCnxnFactory, sslQuorum (with the exception of: ssl.protocol, ssl.quorum.protocol, ssl.enabledProtocols, ssl.quorum.enabledProtocols, ssl.ciphersuites, ssl.quorum.ciphersuites, ssl.hostnameVerification, ssl.quorum.hostnameVerification)." - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: + description: The image to use for the Topic Operator. + reconciliationIntervalSeconds: type: integer minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
- successThreshold: + description: Interval between periodic reconciliations. + zookeeperSessionTimeoutSeconds: type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: + minimum: 0 + description: Timeout for the ZooKeeper session. + startupProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod startup checking. + livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
+ successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. + resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true + type: object + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. + topicMetadataMaxAttempts: type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - readinessProbe: + minimum: 0 + description: The number of attempts at getting topic metadata. 
+ logging: + type: object + properties: + loggers: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A Map from logger name to logger level. + type: + type: string + enum: + - inline + - external + description: "Logging type, must be either 'inline' or 'external'." + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: '`ConfigMap` entry where the logging configuration is stored. ' + required: + - type + description: Logging configuration. + jvmOptions: + type: object + properties: + "-XX": + x-kubernetes-preserve-unknown-fields: true + type: object + description: A map of -XX options to the JVM. + "-Xms": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xms option to to the JVM. + "-Xmx": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xmx option to to the JVM. + gcLoggingEnabled: + type: boolean + description: Specifies whether the Garbage Collection logging is enabled. The default is false. + javaSystemProperties: + type: array + items: + type: object + properties: + name: + type: string + description: The system property name. + value: + type: string + description: The system property value. + description: A map of additional system properties which will be passed using the `-D` option to the JVM. + description: JVM Options for pods. + description: Configuration of the Topic Operator. + userOperator: type: object properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: + watchedNamespace: + type: string + description: The namespace the User Operator should watch. + image: + type: string + description: The image to use for the User Operator. 
+ reconciliationIntervalSeconds: type: integer minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: + description: Interval between periodic reconciliations. + zookeeperSessionTimeoutSeconds: type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. - jvmOptions: - type: object - properties: - "-XX": - x-kubernetes-preserve-unknown-fields: true - type: object - description: A map of -XX options to the JVM. - "-Xms": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xms option to to the JVM. - "-Xmx": + minimum: 0 + description: Timeout for the ZooKeeper session. + secretPrefix: type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xmx option to to the JVM. - gcLoggingEnabled: - type: boolean - description: Specifies whether the Garbage Collection logging is enabled. The default is false. - javaSystemProperties: - type: array - items: - type: object - properties: - name: - type: string - description: The system property name. - value: - type: string - description: The system property value. - description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for pods. - jmxOptions: - type: object - properties: - authentication: + description: The prefix that will be added to the KafkaUser name to be used as the Secret name. 
+ livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. 
+ resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true + type: object + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. + logging: type: object properties: + loggers: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A Map from logger name to logger level. type: type: string enum: - - password - description: Authentication type. Currently the only supported types are `password`.`password` type creates a username and protected port with no TLS. + - inline + - external + description: "Logging type, must be either 'inline' or 'external'." + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: '`ConfigMap` entry where the logging configuration is stored. ' required: - type - description: Authentication configuration for connecting to the JMX port. - description: JMX Options for Zookeeper nodes. - resources: - type: object - properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: CPU and memory resources to reserve. - metricsConfig: - type: object - properties: - type: - type: string - enum: - - jmxPrometheusExporter - description: Metrics type. Only 'jmxPrometheusExporter' supported currently. - valueFrom: + description: Logging configuration. 
+ jvmOptions: type: object properties: - configMapKeyRef: + "-XX": + x-kubernetes-preserve-unknown-fields: true type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." - required: - - type - - valueFrom - description: Metrics configuration. - logging: + description: A map of -XX options to the JVM. + "-Xms": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xms option to to the JVM. + "-Xmx": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xmx option to to the JVM. + gcLoggingEnabled: + type: boolean + description: Specifies whether the Garbage Collection logging is enabled. The default is false. + javaSystemProperties: + type: array + items: + type: object + properties: + name: + type: string + description: The system property name. + value: + type: string + description: The system property value. + description: A map of additional system properties which will be passed using the `-D` option to the JVM. + description: JVM Options for pods. + description: Configuration of the User Operator. + tlsSidecar: type: object properties: - loggers: - x-kubernetes-preserve-unknown-fields: true + image: + type: string + description: The docker image for the container. + livenessProbe: type: object - description: A Map from logger name to logger level. - type: + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. 
+ periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + logLevel: type: string enum: - - inline - - external - description: "Logging type, must be either 'inline' or 'external'." - valueFrom: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + description: The log level for the TLS sidecar. Default value is `notice`. + readinessProbe: type: object properties: - configMapKeyRef: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. 
+ resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: '`ConfigMap` entry where the logging configuration is stored. ' - required: - - type - description: Logging configuration for ZooKeeper. + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. + description: TLS sidecar configuration. template: type: object properties: - statefulset: + deployment: type: object properties: metadata: @@ -8671,13 +8657,13 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - podManagementPolicy: + deploymentStrategy: type: string enum: - - OrderedReady - - Parallel - description: PodManagementPolicy which will be used for this StatefulSet. Valid values are `Parallel` and `OrderedReady`. Defaults to `Parallel`. - description: Template for ZooKeeper `StatefulSet`. + - RollingUpdate + - Recreate + description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. + description: Template for Entity Operator `Deployment`. pod: type: object properties: @@ -9068,7 +9054,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." 
@@ -9132,106 +9118,156 @@ spec: whenUnsatisfiable: type: string description: The pod's topology spread constraints. - description: Template for ZooKeeper `Pods`. - clientService: + description: Template for Entity Operator `Pods`. + topicOperatorContainer: type: object properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: + env: type: array items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for ZooKeeper client `Service`. - nodesService: - type: object - properties: - metadata: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. 
+ securityContext: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true + allowPrivilegeEscalation: + type: boolean + capabilities: type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: - type: array - items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for ZooKeeper nodes `Service`. 
- persistentVolumeClaim: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Entity Topic Operator container. + userOperatorContainer: type: object properties: - metadata: + env: + type: array + items: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. + securityContext: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true + allowPrivilegeEscalation: + type: boolean + capabilities: type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for all ZooKeeper `PersistentVolumeClaims`. 
- podDisruptionBudget: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: type: object - description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - maxUnavailable: - type: integer - minimum: 0 - description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for ZooKeeper `PodDisruptionBudget`. - zookeeperContainer: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Entity User Operator container. + tlsSidecarContainer: type: object properties: env: @@ -9304,7 +9340,7 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for the ZooKeeper container. + description: Template for the Entity Operator TLS sidecar container. serviceAccount: type: object properties: 
@@ -9320,8 +9356,8 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for the ZooKeeper service account. - jmxSecret: + description: Template for the Entity Operator service account. + entityOperatorRole: type: object properties: metadata: @@ -9336,8 +9372,8 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for Secret of the Zookeeper Cluster JMX authentication. - podSet: + description: Template for the Entity Operator Role. + topicOperatorRoleBinding: type: object properties: metadata: 
@@ -9352,207 +9388,85 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for ZooKeeper `StrimziPodSet` resource. - description: Template for ZooKeeper cluster resources. The template allows users to specify how the Kubernetes resources are generated. - required: - - replicas - - storage - description: Configuration of the ZooKeeper cluster. - entityOperator: - type: object - properties: - topicOperator: - type: object - properties: - watchedNamespace: - type: string - description: The namespace the Topic Operator should watch. - image: - type: string - description: The image to use for the Topic Operator. - reconciliationIntervalSeconds: - type: integer - minimum: 0 - description: Interval between periodic reconciliations. - zookeeperSessionTimeoutSeconds: - type: integer - minimum: 0 - description: Timeout for the ZooKeeper session. - startupProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod startup checking. 
- livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. 
- resources: - type: object - properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: CPU and memory resources to reserve. - topicMetadataMaxAttempts: - type: integer - minimum: 0 - description: The number of attempts at getting topic metadata. - logging: + description: Template for the Entity Topic Operator RoleBinding. + userOperatorRoleBinding: type: object properties: - loggers: - x-kubernetes-preserve-unknown-fields: true - type: object - description: A Map from logger name to logger level. - type: - type: string - enum: - - inline - - external - description: "Logging type, must be either 'inline' or 'external'." - valueFrom: + metadata: type: object properties: - configMapKeyRef: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: '`ConfigMap` entry where the logging configuration is stored. ' - required: - - type - description: Logging configuration. - jvmOptions: - type: object - properties: - "-XX": - x-kubernetes-preserve-unknown-fields: true - type: object - description: A map of -XX options to the JVM. - "-Xms": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xms option to to the JVM. - "-Xmx": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xmx option to to the JVM. - gcLoggingEnabled: - type: boolean - description: Specifies whether the Garbage Collection logging is enabled. The default is false. - javaSystemProperties: - type: array - items: - type: object - properties: - name: - type: string - description: The system property name. - value: - type: string - description: The system property value. 
- description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for pods. - description: Configuration of the Topic Operator. - userOperator: + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Entity Topic Operator RoleBinding. + description: Template for Entity Operator resources. The template allows users to specify how a `Deployment` and `Pod` is generated. + description: Configuration of the Entity Operator. + clusterCa: + type: object + properties: + generateCertificateAuthority: + type: boolean + description: If true then Certificate Authority certificates will be generated automatically. Otherwise the user will need to provide a Secret with the CA certificate. Default is true. + generateSecretOwnerReference: + type: boolean + description: "If `true`, the Cluster and Client CA Secrets are configured with the `ownerReference` set to the `Kafka` resource. If the `Kafka` resource is deleted when `true`, the CA Secrets are also deleted. If `false`, the `ownerReference` is disabled. If the `Kafka` resource is deleted when `false`, the CA Secrets are retained and available for reuse. Default is `true`." + validityDays: + type: integer + minimum: 1 + description: The number of days generated certificates should be valid for. The default is 365. + renewalDays: + type: integer + minimum: 1 + description: "The number of days in the certificate renewal period. This is the number of days before the a certificate expires during which renewal actions may be performed. When `generateCertificateAuthority` is true, this will cause the generation of a new certificate. 
When `generateCertificateAuthority` is true, this will cause extra logging at WARN level about the pending certificate expiry. Default is 30." + certificateExpirationPolicy: + type: string + enum: + - renew-certificate + - replace-key + description: How should CA certificate expiration be handled when `generateCertificateAuthority=true`. The default is for a new CA certificate to be generated reusing the existing private key. + description: Configuration of the cluster certificate authority. + clientsCa: + type: object + properties: + generateCertificateAuthority: + type: boolean + description: If true then Certificate Authority certificates will be generated automatically. Otherwise the user will need to provide a Secret with the CA certificate. Default is true. + generateSecretOwnerReference: + type: boolean + description: "If `true`, the Cluster and Client CA Secrets are configured with the `ownerReference` set to the `Kafka` resource. If the `Kafka` resource is deleted when `true`, the CA Secrets are also deleted. If `false`, the `ownerReference` is disabled. If the `Kafka` resource is deleted when `false`, the CA Secrets are retained and available for reuse. Default is `true`." + validityDays: + type: integer + minimum: 1 + description: The number of days generated certificates should be valid for. The default is 365. + renewalDays: + type: integer + minimum: 1 + description: "The number of days in the certificate renewal period. This is the number of days before the a certificate expires during which renewal actions may be performed. When `generateCertificateAuthority` is true, this will cause the generation of a new certificate. When `generateCertificateAuthority` is true, this will cause extra logging at WARN level about the pending certificate expiry. Default is 30." 
+ certificateExpirationPolicy: + type: string + enum: + - renew-certificate + - replace-key + description: How should CA certificate expiration be handled when `generateCertificateAuthority=true`. The default is for a new CA certificate to be generated reusing the existing private key. + description: Configuration of the clients certificate authority. + cruiseControl: + type: object + properties: + image: + type: string + description: "The container image used for Cruise Control pods. If no image name is explicitly specified, the image name corresponds to the name specified in the Cluster Operator configuration. If an image name is not defined in the Cluster Operator configuration, a default value is used." + tlsSidecar: type: object properties: - watchedNamespace: - type: string - description: The namespace the User Operator should watch. image: type: string - description: The image to use for the User Operator. - reconciliationIntervalSeconds: - type: integer - minimum: 0 - description: Interval between periodic reconciliations. - zookeeperSessionTimeoutSeconds: - type: integer - minimum: 0 - description: Timeout for the ZooKeeper session. - secretPrefix: - type: string - description: The prefix that will be added to the KafkaUser name to be used as the Secret name. + description: The docker image for the container. livenessProbe: type: object properties: @@ -9577,6 +9491,18 @@ spec: minimum: 1 description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. description: Pod liveness checking. + logLevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + description: The log level for the TLS sidecar. Default value is `notice`. readinessProbe: type: object properties: 
@@ -9618,152 +9544,133 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object description: CPU and memory resources to reserve. - logging: + description: TLS sidecar configuration. + resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - loggers: - x-kubernetes-preserve-unknown-fields: true - type: object - description: A Map from logger name to logger level. - type: - type: string - enum: - - inline - - external - description: "Logging type, must be either 'inline' or 'external'." - valueFrom: - type: object - properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: '`ConfigMap` entry where the logging configuration is stored. ' - required: - - type - description: Logging configuration. - jvmOptions: + requests: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - "-XX": - x-kubernetes-preserve-unknown-fields: true - type: object - description: A map of -XX options to the JVM. - "-Xms": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xms option to to the JVM. - "-Xmx": - type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xmx option to to the JVM. - gcLoggingEnabled: - type: boolean - description: Specifies whether the Garbage Collection logging is enabled. The default is false. - javaSystemProperties: - type: array - items: - type: object - properties: - name: - type: string - description: The system property name. - value: - type: string - description: The system property value. - description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for pods. - description: Configuration of the User Operator. 
- tlsSidecar: + description: CPU and memory resources to reserve for the Cruise Control container. + livenessProbe: type: object properties: - image: - type: string - description: The docker image for the container. - livenessProbe: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking for the Cruise Control container. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. 
+ timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking for the Cruise Control container. + jvmOptions: + type: object + properties: + "-XX": + x-kubernetes-preserve-unknown-fields: true type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - logLevel: + description: A map of -XX options to the JVM. + "-Xms": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xms option to to the JVM. + "-Xmx": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xmx option to to the JVM. + gcLoggingEnabled: + type: boolean + description: Specifies whether the Garbage Collection logging is enabled. The default is false. + javaSystemProperties: + type: array + items: + type: object + properties: + name: + type: string + description: The system property name. + value: + type: string + description: The system property value. + description: A map of additional system properties which will be passed using the `-D` option to the JVM. 
+ description: JVM Options for the Cruise Control container. + logging: + type: object + properties: + loggers: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A Map from logger name to logger level. + type: type: string enum: - - emerg - - alert - - crit - - err - - warning - - notice - - info - - debug - description: The log level for the TLS sidecar. Default value is `notice`. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. - resources: + - inline + - external + description: "Logging type, must be either 'inline' or 'external'." + valueFrom: type: object properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true + configMapKeyRef: type: object - description: CPU and memory resources to reserve. - description: TLS sidecar configuration. 
+ properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: '`ConfigMap` entry where the logging configuration is stored. ' + required: + - type + description: Logging configuration (Log4j 2) for Cruise Control. template: type: object properties: @@ -9788,7 +9695,7 @@ spec: - RollingUpdate - Recreate description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Entity Operator `Deployment`. + description: Template for Cruise Control `Deployment`. pod: type: object properties: @@ -10179,7 +10086,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." 
@@ -10243,82 +10150,59 @@ spec: whenUnsatisfiable: type: string description: The pod's topology spread constraints. - description: Template for Entity Operator `Pods`. - topicOperatorContainer: + description: Template for Cruise Control `Pods`. + apiService: type: object properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. - securityContext: + metadata: type: object properties: - allowPrivilegeEscalation: - type: boolean - capabilities: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. 
If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: + type: string + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + description: Template for Cruise Control API `Service`. + podDisruptionBudget: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Entity Topic Operator container. - userOperatorContainer: + description: Annotations added to the Kubernetes resource. + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. + maxUnavailable: + type: integer + minimum: 0 + description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." + description: Template for Cruise Control `PodDisruptionBudget`. + cruiseControlContainer: type: object properties: env: @@ -10391,7 +10275,7 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for the Entity User Operator container. + description: Template for the Cruise Control container. tlsSidecarContainer: type: object properties: 
@@ -10443,78 +10327,30 @@ spec: role: type: string type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Entity Operator TLS sidecar container. - serviceAccount: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Entity Operator service account. - entityOperatorRole: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Entity Operator Role. - topicOperatorRoleBinding: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true + type: string + user: + type: string + seccompProfile: type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. 
- description: Template for the Entity Topic Operator RoleBinding. - userOperatorRoleBinding: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Cruise Control TLS sidecar container. + serviceAccount: type: object properties: metadata: 
@@ -10529,256 +10365,70 @@ spec: type: object description: Annotations added to the Kubernetes resource. description: Metadata applied to the resource. - description: Template for the Entity Topic Operator RoleBinding. - description: Template for Entity Operator resources. The template allows users to specify how a `Deployment` and `Pod` is generated. - description: Configuration of the Entity Operator. - clusterCa: - type: object - properties: - generateCertificateAuthority: - type: boolean - description: If true then Certificate Authority certificates will be generated automatically. Otherwise the user will need to provide a Secret with the CA certificate. Default is true. - generateSecretOwnerReference: - type: boolean - description: "If `true`, the Cluster and Client CA Secrets are configured with the `ownerReference` set to the `Kafka` resource. If the `Kafka` resource is deleted when `true`, the CA Secrets are also deleted. If `false`, the `ownerReference` is disabled. If the `Kafka` resource is deleted when `false`, the CA Secrets are retained and available for reuse. Default is `true`." - validityDays: - type: integer - minimum: 1 - description: The number of days generated certificates should be valid for. The default is 365. - renewalDays: - type: integer - minimum: 1 - description: "The number of days in the certificate renewal period. This is the number of days before the a certificate expires during which renewal actions may be performed. When `generateCertificateAuthority` is true, this will cause the generation of a new certificate. When `generateCertificateAuthority` is true, this will cause extra logging at WARN level about the pending certificate expiry. Default is 30." - certificateExpirationPolicy: - type: string - enum: - - renew-certificate - - replace-key - description: How should CA certificate expiration be handled when `generateCertificateAuthority=true`. 
The default is for a new CA certificate to be generated reusing the existing private key. - description: Configuration of the cluster certificate authority. - clientsCa: - type: object - properties: - generateCertificateAuthority: - type: boolean - description: If true then Certificate Authority certificates will be generated automatically. Otherwise the user will need to provide a Secret with the CA certificate. Default is true. - generateSecretOwnerReference: - type: boolean - description: "If `true`, the Cluster and Client CA Secrets are configured with the `ownerReference` set to the `Kafka` resource. If the `Kafka` resource is deleted when `true`, the CA Secrets are also deleted. If `false`, the `ownerReference` is disabled. If the `Kafka` resource is deleted when `false`, the CA Secrets are retained and available for reuse. Default is `true`." - validityDays: - type: integer - minimum: 1 - description: The number of days generated certificates should be valid for. The default is 365. - renewalDays: - type: integer - minimum: 1 - description: "The number of days in the certificate renewal period. This is the number of days before the a certificate expires during which renewal actions may be performed. When `generateCertificateAuthority` is true, this will cause the generation of a new certificate. When `generateCertificateAuthority` is true, this will cause extra logging at WARN level about the pending certificate expiry. Default is 30." - certificateExpirationPolicy: - type: string - enum: - - renew-certificate - - replace-key - description: How should CA certificate expiration be handled when `generateCertificateAuthority=true`. The default is for a new CA certificate to be generated reusing the existing private key. - description: Configuration of the clients certificate authority. - cruiseControl: - type: object - properties: - image: - type: string - description: The docker image for the pods. 
- tlsSidecar: + description: Template for the Cruise Control service account. + description: "Template to specify how Cruise Control resources, `Deployments` and `Pods`, are generated." + brokerCapacity: type: object properties: - image: - type: string - description: The docker image for the container. - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - logLevel: + disk: type: string - enum: - - emerg - - alert - - crit - - err - - warning - - notice - - info - - debug - description: The log level for the TLS sidecar. Default value is `notice`. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. 
Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. - resources: - type: object - properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: CPU and memory resources to reserve. - description: TLS sidecar configuration. - resources: - type: object - properties: - claims: - type: array - items: - type: object - properties: - name: - type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: CPU and memory resources to reserve for the Cruise Control container. - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. 
- timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking for the Cruise Control container. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: + pattern: "^[0-9]+([.][0-9]*)?([KMGTPE]i?|e[0-9]+)?$" + description: "Broker capacity for disk in bytes. Use a number value with either standard Kubernetes byte units (K, M, G, or T), their bibyte (power of two) equivalents (Ki, Mi, Gi, or Ti), or a byte value with or without E notation. For example, 100000M, 100000Mi, 104857600000, or 1e+11." + cpuUtilization: type: integer minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking for the Cruise Control container. - jvmOptions: - type: object - properties: - "-XX": - x-kubernetes-preserve-unknown-fields: true - type: object - description: A map of -XX options to the JVM. - "-Xms": + maximum: 100 + description: Broker capacity for CPU resource utilization as a percentage (0 - 100). + cpu: type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xms option to to the JVM. 
- "-Xmx": + pattern: "^[0-9]+([.][0-9]{0,3}|[m]?)$" + description: "Broker capacity for CPU resource in cores or millicores. For example, 1, 1.500, 1500m. For more information on valid CPU resource units see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu." + inboundNetwork: + type: string + pattern: "^[0-9]+([KMG]i?)?B/s$" + description: "Broker capacity for inbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." + outboundNetwork: type: string - pattern: "^[0-9]+[mMgG]?$" - description: -Xmx option to to the JVM. - gcLoggingEnabled: - type: boolean - description: Specifies whether the Garbage Collection logging is enabled. The default is false. - javaSystemProperties: + pattern: "^[0-9]+([KMG]i?)?B/s$" + description: "Broker capacity for outbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." + overrides: type: array items: type: object properties: - name: + brokers: + type: array + items: + type: integer + description: List of Kafka brokers (broker identifiers). + cpu: type: string - description: The system property name. - value: + pattern: "^[0-9]+([.][0-9]{0,3}|[m]?)$" + description: "Broker capacity for CPU resource in cores or millicores. For example, 1, 1.500, 1500m. For more information on valid CPU resource units see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu." + inboundNetwork: type: string - description: The system property value. - description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for the Cruise Control container. 
- logging: + pattern: "^[0-9]+([KMG]i?)?B/s$" + description: "Broker capacity for inbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." + outboundNetwork: + type: string + pattern: "^[0-9]+([KMG]i?)?B/s$" + description: "Broker capacity for outbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." + required: + - brokers + description: Overrides for individual brokers. The `overrides` property lets you specify a different capacity configuration for different brokers. + description: The Cruise Control `brokerCapacity` configuration. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Cruise Control configuration. For a full list of configuration options refer to https://github.com/linkedin/cruise-control/wiki/Configurations. Note that properties with the following prefixes cannot be set: bootstrap.servers, client.id, zookeeper., network., security., failed.brokers.zk.path,webserver.http., webserver.api.urlprefix, webserver.session.path, webserver.accesslog., two.step., request.reason.required,metric.reporter.sampler.bootstrap.servers, capacity.config.file, self.healing., ssl., kafka.broker.failure.detection.enable, topic.config.provider.class (with the exception of: ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols, webserver.http.cors.enabled, webserver.http.cors.origin, webserver.http.cors.exposeheaders, webserver.security.enable, webserver.ssl.enable)." + metricsConfig: type: object properties: - loggers: - x-kubernetes-preserve-unknown-fields: true - type: object - description: A Map from logger name to logger level. 
type: type: string enum: - - inline - - external - description: "Logging type, must be either 'inline' or 'external'." + - jmxPrometheusExporter + description: Metrics type. Only 'jmxPrometheusExporter' supported currently. valueFrom: type: object properties: 
@@ -10792,10 +10442,90 @@ spec: optional: type: boolean description: Reference to the key in the ConfigMap containing the configuration. - description: '`ConfigMap` entry where the logging configuration is stored. ' + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' required: - type - description: Logging configuration (Log4j 2) for Cruise Control. + - valueFrom + description: Metrics configuration. + description: Configuration for Cruise Control deployment. Deploys a Cruise Control instance when specified. + jmxTrans: + type: object + properties: + image: + type: string + description: The image to use for the JmxTrans. + outputDefinitions: + type: array + items: + type: object + properties: + outputType: + type: string + description: "Template for setting the format of the data that will be pushed.For more information see https://github.com/jmxtrans/jmxtrans/wiki/OutputWriters[JmxTrans OutputWriters]." + host: + type: string + description: The DNS/hostname of the remote host that the data is pushed to. + port: + type: integer + description: The port of the remote host that the data is pushed to. + flushDelayInSeconds: + type: integer + description: How many seconds the JmxTrans waits before pushing a new set of data out. + typeNames: + type: array + items: + type: string + description: "Template for filtering data to be included in response to a wildcard query. For more information see https://github.com/jmxtrans/jmxtrans/wiki/Queries[JmxTrans queries]." + name: + type: string + description: Template for setting the name of the output definition. This is used to identify where to send the results of queries should be sent. + required: + - outputType + - name + description: "Defines the output hosts that will be referenced later on. For more information on these properties see, xref:type-JmxTransOutputDefinitionTemplate-reference[`JmxTransOutputDefinitionTemplate` schema reference]." 
+ logLevel: + type: string + description: "Sets the logging level of the JmxTrans deployment.For more information see, https://github.com/jmxtrans/jmxtrans-agent/wiki/Troubleshooting[JmxTrans Logging Level]." + kafkaQueries: + type: array + items: + type: object + properties: + targetMBean: + type: string + description: If using wildcards instead of a specific MBean then the data is gathered from multiple MBeans. Otherwise if specifying an MBean then data is gathered from that specified MBean. + attributes: + type: array + items: + type: string + description: Determine which attributes of the targeted MBean should be included. + outputs: + type: array + items: + type: string + description: "List of the names of output definitions specified in the spec.kafka.jmxTrans.outputDefinitions that have defined where JMX metrics are pushed to, and in which data format." + required: + - targetMBean + - attributes + - outputs + description: "Queries to send to the Kafka brokers to define what data should be read from each broker. For more information on these properties see, xref:type-JmxTransQueryTemplate-reference[`JmxTransQueryTemplate` schema reference]." + resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true + type: object + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. template: type: object properties: @@ -10820,7 +10550,7 @@ spec: - RollingUpdate - Recreate description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Cruise Control `Deployment`. + description: Template for JmxTrans `Deployment`. pod: type: object properties: 
@@ -11209,199 +10939,74 @@ spec: value: type: string description: The pod's tolerations. - priorityClassName: - type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." - schedulerName: - type: string - description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." - hostAliases: - type: array - items: - type: object - properties: - hostnames: - type: array - items: - type: string - ip: - type: string - description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. - tmpDirSizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. - enableServiceLinks: - type: boolean - description: Indicates whether information about services should be injected into Pod's environment variables. - topologySpreadConstraints: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - matchLabelKeys: - type: array - items: - type: string - maxSkew: - type: integer - minDomains: - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - description: The pod's topology spread constraints. - description: Template for Cruise Control `Pods`. 
- apiService: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - ipFamilyPolicy: - type: string - enum: - - SingleStack - - PreferDualStack - - RequireDualStack - description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." - ipFamilies: - type: array - items: - type: string - enum: - - IPv4 - - IPv6 - description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." - description: Template for Cruise Control API `Service`. - podDisruptionBudget: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - maxUnavailable: - type: integer - minimum: 0 - description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. 
Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for Cruise Control `PodDisruptionBudget`. - cruiseControlContainer: - type: object - properties: - env: + priorityClassName: + type: string + description: 'The name of the priority class used to assign priority to the pods. ' + schedulerName: + type: string + description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." + hostAliases: type: array items: type: object properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. - securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: + hostnames: + type: array + items: type: string - hostProcess: - type: boolean - runAsUserName: + ip: + type: string + description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. 
+ tmpDirSizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. + enableServiceLinks: + type: boolean + description: Indicates whether information about services should be injected into Pod's environment variables. + topologySpreadConstraints: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + matchLabelKeys: + type: array + items: type: string - description: Security context for the container. - description: Template for the Cruise Control container. - tlsSidecarContainer: + maxSkew: + type: integer + minDomains: + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + description: The pod's topology spread constraints. + description: Template for JmxTrans `Pods`. + container: type: object properties: env: 
@@ -11474,166 +11079,46 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for the Cruise Control TLS sidecar container. + description: Template for JmxTrans container. serviceAccount: type: object properties: metadata: type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Cruise Control service account. - description: "Template to specify how Cruise Control resources, `Deployments` and `Pods`, are generated." - brokerCapacity: - type: object - properties: - disk: - type: string - pattern: "^[0-9]+([.][0-9]*)?([KMGTPE]i?|e[0-9]+)?$" - description: "Broker capacity for disk in bytes. Use a number value with either standard Kubernetes byte units (K, M, G, or T), their bibyte (power of two) equivalents (Ki, Mi, Gi, or Ti), or a byte value with or without E notation. For example, 100000M, 100000Mi, 104857600000, or 1e+11." - cpuUtilization: - type: integer - minimum: 0 - maximum: 100 - description: Broker capacity for CPU resource utilization as a percentage (0 - 100). - cpu: - type: string - pattern: "^[0-9]+([.][0-9]{0,3}|[m]?)$" - description: "Broker capacity for CPU resource in cores or millicores. For example, 1, 1.500, 1500m. For more information on valid CPU resource units see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu." - inboundNetwork: - type: string - pattern: "^[0-9]+([KMG]i?)?B/s$" - description: "Broker capacity for inbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." 
- outboundNetwork: - type: string - pattern: "^[0-9]+([KMG]i?)?B/s$" - description: "Broker capacity for outbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." - overrides: - type: array - items: - type: object - properties: - brokers: - type: array - items: - type: integer - description: List of Kafka brokers (broker identifiers). - cpu: - type: string - pattern: "^[0-9]+([.][0-9]{0,3}|[m]?)$" - description: "Broker capacity for CPU resource in cores or millicores. For example, 1, 1.500, 1500m. For more information on valid CPU resource units see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu." - inboundNetwork: - type: string - pattern: "^[0-9]+([KMG]i?)?B/s$" - description: "Broker capacity for inbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." - outboundNetwork: - type: string - pattern: "^[0-9]+([KMG]i?)?B/s$" - description: "Broker capacity for outbound network throughput in bytes per second. Use an integer value with standard Kubernetes byte units (K, M, G) or their bibyte (power of two) equivalents (Ki, Mi, Gi) per second. For example, 10000KiB/s." - required: - - brokers - description: Overrides for individual brokers. The `overrides` property lets you specify a different capacity configuration for different brokers. - description: The Cruise Control `brokerCapacity` configuration. - config: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "The Cruise Control configuration. For a full list of configuration options refer to https://github.com/linkedin/cruise-control/wiki/Configurations. 
Note that properties with the following prefixes cannot be set: bootstrap.servers, client.id, zookeeper., network., security., failed.brokers.zk.path,webserver.http., webserver.api.urlprefix, webserver.session.path, webserver.accesslog., two.step., request.reason.required,metric.reporter.sampler.bootstrap.servers, capacity.config.file, self.healing., ssl., kafka.broker.failure.detection.enable, topic.config.provider.class (with the exception of: ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols, webserver.http.cors.enabled, webserver.http.cors.origin, webserver.http.cors.exposeheaders, webserver.security.enable, webserver.ssl.enable)." - metricsConfig: - type: object - properties: - type: - type: string - enum: - - jmxPrometheusExporter - description: Metrics type. Only 'jmxPrometheusExporter' supported currently. - valueFrom: - type: object - properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." - required: - - type - - valueFrom - description: Metrics configuration. - description: Configuration for Cruise Control deployment. Deploys a Cruise Control instance when specified. - jmxTrans: - type: object - properties: - image: - type: string - description: The image to use for the JmxTrans. - outputDefinitions: - type: array - items: - type: object - properties: - outputType: - type: string - description: "Template for setting the format of the data that will be pushed.For more information see https://github.com/jmxtrans/jmxtrans/wiki/OutputWriters[JmxTrans OutputWriters]." - host: - type: string - description: The DNS/hostname of the remote host that the data is pushed to. 
- port: - type: integer - description: The port of the remote host that the data is pushed to. - flushDelayInSeconds: - type: integer - description: How many seconds the JmxTrans waits before pushing a new set of data out. - typeNames: - type: array - items: - type: string - description: "Template for filtering data to be included in response to a wildcard query. For more information see https://github.com/jmxtrans/jmxtrans/wiki/Queries[JmxTrans queries]." - name: - type: string - description: Template for setting the name of the output definition. This is used to identify where to send the results of queries should be sent. - required: - - outputType - - name - description: "Defines the output hosts that will be referenced later on. For more information on these properties see, xref:type-JmxTransOutputDefinitionTemplate-reference[`JmxTransOutputDefinitionTemplate` schema reference]." - logLevel: + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the JmxTrans service account. + description: Template for JmxTrans resources. + required: + - outputDefinitions + - kafkaQueries + description: "As of Strimzi 0.35.0, JMXTrans is not supported anymore and this option is ignored." + kafkaExporter: + type: object + properties: + image: type: string - description: "Sets the logging level of the JmxTrans deployment.For more information see, https://github.com/jmxtrans/jmxtrans-agent/wiki/Troubleshooting[JmxTrans Logging Level]." - kafkaQueries: - type: array - items: - type: object - properties: - targetMBean: - type: string - description: If using wildcards instead of a specific MBean then the data is gathered from multiple MBeans. 
Otherwise if specifying an MBean then data is gathered from that specified MBean. - attributes: - type: array - items: - type: string - description: Determine which attributes of the targeted MBean should be included. - outputs: - type: array - items: - type: string - description: "List of the names of output definitions specified in the spec.kafka.jmxTrans.outputDefinitions that have defined where JMX metrics are pushed to, and in which data format." - required: - - targetMBean - - attributes - - outputs - description: "Queries to send to the Kafka brokers to define what data should be read from each broker. For more information on these properties see, xref:type-JmxTransQueryTemplate-reference[`JmxTransQueryTemplate` schema reference]." + description: "The container image used for the Kafka Exporter pods. If no image name is explicitly specified, the image name corresponds to the version specified in the Cluster Operator configuration. If an image name is not defined in the Cluster Operator configuration, a default value is used." + groupRegex: + type: string + description: Regular expression to specify which consumer groups to collect. Default value is `.*`. + topicRegex: + type: string + description: Regular expression to specify which topics to collect. Default value is `.*`. + groupExcludeRegex: + type: string + description: Regular expression to specify which consumer groups to exclude. + topicExcludeRegex: + type: string + description: Regular expression to specify which topics to exclude. resources: type: object properties: 
@@ -11651,6 +11136,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object description: CPU and memory resources to reserve. + logging: + type: string + description: "Only log messages with the given severity or above. Valid levels: [`info`, `debug`, `trace`]. Default log level is `info`." + enableSaramaLogging: + type: boolean + description: "Enable Sarama logging, a Go client library used by the Kafka Exporter." template: type: object properties: @@ -11675,7 +11166,7 @@ spec: - RollingUpdate - Recreate description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for JmxTrans `Deployment`. + description: Template for Kafka Exporter `Deployment`. pod: type: object properties: 
@@ -12066,327 +11557,1097 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." - schedulerName: + description: 'The name of the priority class used to assign priority to the pods. ' + schedulerName: + type: string + description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." + hostAliases: + type: array + items: + type: object + properties: + hostnames: + type: array + items: + type: string + ip: + type: string + description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. + tmpDirSizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. + enableServiceLinks: + type: boolean + description: Indicates whether information about services should be injected into Pod's environment variables. + topologySpreadConstraints: + type: array + items: + type: object + properties: + labelSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + matchLabelKeys: + type: array + items: + type: string + maxSkew: + type: integer + minDomains: + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + description: The pod's topology spread constraints. + description: Template for Kafka Exporter `Pods`. 
+ service: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for Kafka Exporter `Service`. + container: + type: object + properties: + env: + type: array + items: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. + securityContext: + type: object + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + type: object + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka Exporter container. + serviceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. 
+ annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka Exporter service account. + description: Customization of deployment templates and pods. + livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness check. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. 
Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness check. + description: "Configuration of the Kafka Exporter. Kafka Exporter can provide additional metrics, for example lag of consumer group at topic/partition." + maintenanceTimeWindows: + type: array + items: + type: string + description: "A list of time windows for maintenance tasks (that is, certificates renewal). Each time window is defined by a cron expression." + required: + - kafka + - zookeeper + description: "The specification of the Kafka and ZooKeeper clusters, and Topic Operator." + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." + status: + type: string + description: "The status of the condition, either True, False or Unknown." + lastTransitionTime: + type: string + description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." + reason: + type: string + description: The reason for the condition's last transition (a single word in CamelCase). + message: + type: string + description: Human-readable message indicating details about the condition's last transition. + description: List of status conditions. + observedGeneration: + type: integer + description: The generation of the CRD that was last reconciled by the operator. + listeners: + type: array + items: + type: object + properties: + type: + type: string + description: The name of the listener. + name: + type: string + description: The name of the listener. 
+ addresses: + type: array + items: + type: object + properties: + host: + type: string + description: The DNS name or IP address of the Kafka bootstrap service. + port: + type: integer + description: The port of the Kafka bootstrap service. + description: A list of the addresses for this listener. + bootstrapServers: + type: string + description: A comma-separated list of `host:port` pairs for connecting to the Kafka cluster using this listener. + certificates: + type: array + items: + type: string + description: A list of TLS certificates which can be used to verify the identity of the server when connecting to the given listener. Set only for `tls` and `external` listeners. + description: Addresses of the internal and external listeners. + kafkaNodePools: + type: array + items: + type: object + properties: + name: + type: string + description: The name of the KafkaNodePool used by this Kafka resource. + description: List of the KafkaNodePools used by this Kafka cluster. + clusterId: + type: string + description: Kafka cluster Id. + operatorLastSuccessfulVersion: + type: string + description: The version of the Strimzi Cluster Operator which performed the last successful reconciliation. + kafkaVersion: + type: string + description: The version of Kafka currently deployed in the cluster. + kafkaMetadataVersion: + type: string + description: The KRaft metadata.version currently used by the Kafka cluster. + description: "The status of the Kafka and ZooKeeper clusters, and Topic Operator." 
+ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-cluster-operator-leader-election + labels: + app: strimzi +rules: + - apiGroups: + - coordination.k8s.io + resources: + # The cluster operator needs to access and manage leases for leader election + # The "create" verb cannot be used with "resourceNames" + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + # The cluster operator needs to access and manage leases for leader election + - leases + resourceNames: + # The default RBAC files give the operator only access to the Lease resource names strimzi-cluster-operator + # If you want to use another resource name or resource namespace, you have to configure the RBAC resources accordingly + - strimzi-cluster-operator + verbs: + - get + - list + - watch + - delete + - patch + - update + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kafkamirrormakers.kafka.strimzi.io + labels: + app: strimzi + strimzi.io/crd-install: "true" +spec: + group: kafka.strimzi.io + names: + kind: KafkaMirrorMaker + listKind: KafkaMirrorMakerList + singular: kafkamirrormaker + plural: kafkamirrormakers + shortNames: + - kmm + categories: + - strimzi + scope: Namespaced + conversion: + strategy: None + versions: + - name: v1beta2 + served: true + storage: true + subresources: + status: {} + scale: + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + labelSelectorPath: .status.labelSelector + additionalPrinterColumns: + - name: Desired replicas + description: The desired number of Kafka MirrorMaker replicas + jsonPath: .spec.replicas + type: integer + - name: Consumer Bootstrap Servers + description: The boostrap servers for the consumer + jsonPath: .spec.consumer.bootstrapServers + type: string + priority: 1 + - name: Producer Bootstrap Servers + description: The boostrap servers for the producer + jsonPath: .spec.producer.bootstrapServers + type: 
string + priority: 1 + - name: Ready + description: The state of the custom resource + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + version: + type: string + description: The Kafka MirrorMaker version. Defaults to the latest version. Consult the documentation to understand the process required to upgrade or downgrade the version. + replicas: + type: integer + minimum: 0 + description: The number of pods in the `Deployment`. + image: + type: string + description: "The container image used for Kafka MirrorMaker pods. If no image name is explicitly specified, it is determined based on the `spec.version` configuration. The image names are specifically mapped to corresponding versions in the Cluster Operator configuration." + consumer: + type: object + properties: + numStreams: + type: integer + minimum: 1 + description: Specifies the number of consumer stream threads to create. + offsetCommitInterval: + type: integer + description: Specifies the offset auto-commit interval in ms. Default value is 60000. + bootstrapServers: + type: string + description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. + groupId: + type: string + description: A unique string that identifies the consumer group this consumer belongs to. + authentication: + type: object + properties: + accessToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. + accessTokenIsJwt: + type: boolean + description: Configure whether access token should be treated as JWT. 
This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. + audience: + type: string + description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." + certificateAndKey: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + key: type: string - description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." - hostAliases: - type: array - items: - type: object - properties: - hostnames: - type: array - items: - type: string - ip: - type: string - description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. - tmpDirSizeLimit: + description: The name of the private key in the Secret. + secretName: type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. - enableServiceLinks: - type: boolean - description: Indicates whether information about services should be injected into Pod's environment variables. 
- topologySpreadConstraints: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - matchLabelKeys: - type: array - items: - type: string - maxSkew: - type: integer - minDomains: - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - description: The pod's topology spread constraints. - description: Template for JmxTrans `Pods`. - container: + description: The name of the Secret containing the certificate. + required: + - certificate + - key + - secretName + description: Reference to the `Secret` which holds the certificate and private key pair. + clientId: + type: string + description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + clientSecret: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + connectTimeoutSeconds: + type: integer + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. 
Default value is `false`. + httpRetries: + type: integer + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + httpRetryPauseMs: + type: integer + description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + maxTokenExpirySeconds: + type: integer + description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. + passwordSecret: + type: object + properties: + password: + type: string + description: The name of the key in the Secret under which the password is stored. + secretName: + type: string + description: The name of the Secret containing the password. + required: + - password + - secretName + description: Reference to the `Secret` which holds the password. + readTimeoutSeconds: + type: integer + description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." + refreshToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. + scope: + type: string + description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. 
By default `scope` is not specified when doing the token endpoint request. + tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: Authorization server token endpoint URI. + type: + type: string + enum: + - tls + - scram-sha-256 + - scram-sha-512 + - plain + - oauth + description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." + username: + type: string + description: Username used for the authentication. + required: + - type + description: Authentication configuration for connecting to the cluster. + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The MirrorMaker consumer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." + tls: + type: object + properties: + trustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. 
+ required: + - certificate + - secretName + description: Trusted certificates for TLS connection. + description: TLS configuration for connecting MirrorMaker to the cluster. + required: + - bootstrapServers + - groupId + description: Configuration of source cluster. + producer: + type: object + properties: + bootstrapServers: + type: string + description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. + abortOnSendFailure: + type: boolean + description: Flag to set the MirrorMaker to exit on a failed send. Default value is `true`. + authentication: + type: object + properties: + accessToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. + accessTokenIsJwt: + type: boolean + description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. + audience: + type: string + description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." + certificateAndKey: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + key: + type: string + description: The name of the private key in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. 
+ required: + - certificate + - key + - secretName + description: Reference to the `Secret` which holds the certificate and private key pair. + clientId: + type: string + description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + clientSecret: type: object properties: - env: - type: array - items: - type: object - properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. - securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for JmxTrans container. - serviceAccount: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. 
+ required: + - key + - secretName + description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + connectTimeoutSeconds: + type: integer + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. Default value is `false`. + httpRetries: + type: integer + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + httpRetryPauseMs: + type: integer + description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + maxTokenExpirySeconds: + type: integer + description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. + passwordSecret: + type: object + properties: + password: + type: string + description: The name of the key in the Secret under which the password is stored. + secretName: + type: string + description: The name of the Secret containing the password. + required: + - password + - secretName + description: Reference to the `Secret` which holds the password. + readTimeoutSeconds: + type: integer + description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." 
+ refreshToken: + type: object + properties: + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. + scope: + type: string + description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. + tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: Authorization server token endpoint URI. + type: + type: string + enum: + - tls + - scram-sha-256 + - scram-sha-512 + - plain + - oauth + description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." + username: + type: string + description: Username used for the authentication. + required: + - type + description: Authentication configuration for connecting to the cluster. 
+ config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The MirrorMaker producer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." + tls: + type: object + properties: + trustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection. + description: TLS configuration for connecting MirrorMaker to the cluster. + required: + - bootstrapServers + description: Configuration of target cluster. + resources: + type: object + properties: + claims: + type: array + items: + type: object + properties: + name: + type: string + limits: + x-kubernetes-preserve-unknown-fields: true + type: object + requests: + x-kubernetes-preserve-unknown-fields: true + type: object + description: CPU and memory resources to reserve. + whitelist: + type: string + description: "List of topics which are included for mirroring. This option allows any regular expression using Java-style regular expressions. Mirroring two topics named A and B is achieved by using the expression `A\\|B`. Or, as a special case, you can mirror all topics using the regular expression `*`. You can also specify multiple regular expressions separated by commas." + include: + type: string + description: "List of topics which are included for mirroring. This option allows any regular expression using Java-style regular expressions. Mirroring two topics named A and B is achieved by using the expression `A\\|B`. Or, as a special case, you can mirror all topics using the regular expression `*`. 
You can also specify multiple regular expressions separated by commas." + jvmOptions: + type: object + properties: + "-XX": + x-kubernetes-preserve-unknown-fields: true + type: object + description: A map of -XX options to the JVM. + "-Xms": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xms option to to the JVM. + "-Xmx": + type: string + pattern: "^[0-9]+[mMgG]?$" + description: -Xmx option to to the JVM. + gcLoggingEnabled: + type: boolean + description: Specifies whether the Garbage Collection logging is enabled. The default is false. + javaSystemProperties: + type: array + items: + type: object + properties: + name: + type: string + description: The system property name. + value: + type: string + description: The system property value. + description: A map of additional system properties which will be passed using the `-D` option to the JVM. + description: JVM Options for pods. + logging: + type: object + properties: + loggers: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A Map from logger name to logger level. + type: + type: string + enum: + - inline + - external + description: "Logging type, must be either 'inline' or 'external'." + valueFrom: + type: object + properties: + configMapKeyRef: type: object properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the JmxTrans service account. - description: Template for JmxTrans resources. + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: '`ConfigMap` entry where the logging configuration is stored. 
' required: - - outputDefinitions - - kafkaQueries - description: "As of Strimzi 0.35.0, JMXTrans is not supported anymore and this option is ignored." - kafkaExporter: + - type + description: Logging configuration for MirrorMaker. + metricsConfig: type: object properties: - image: - type: string - description: The docker image for the pods. - groupRegex: - type: string - description: Regular expression to specify which consumer groups to collect. Default value is `.*`. - topicRegex: - type: string - description: Regular expression to specify which topics to collect. Default value is `.*`. - groupExcludeRegex: + type: type: string - description: Regular expression to specify which consumer groups to exclude. - topicExcludeRegex: + enum: + - jmxPrometheusExporter + description: Metrics type. Only 'jmxPrometheusExporter' supported currently. + valueFrom: + type: object + properties: + configMapKeyRef: + type: object + properties: + key: + type: string + name: + type: string + optional: + type: boolean + description: Reference to the key in the ConfigMap containing the configuration. + description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. ' + required: + - type + - valueFrom + description: Metrics configuration. + tracing: + type: object + properties: + type: type: string - description: Regular expression to specify which topics to exclude. - resources: + enum: + - jaeger + - opentelemetry + description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." + required: + - type + description: The configuration of tracing in Kafka MirrorMaker. 
+ template: + type: object + properties: + deployment: type: object properties: - claims: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + deploymentStrategy: + type: string + enum: + - RollingUpdate + - Recreate + description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. + description: Template for Kafka MirrorMaker `Deployment`. + pod: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + imagePullSecrets: type: array items: type: object properties: name: type: string - limits: - x-kubernetes-preserve-unknown-fields: true - type: object - requests: - x-kubernetes-preserve-unknown-fields: true - type: object - description: CPU and memory resources to reserve. - logging: - type: string - description: "Only log messages with the given severity or above. Valid levels: [`info`, `debug`, `trace`]. Default log level is `info`." - enableSaramaLogging: - type: boolean - description: "Enable Sarama logging, a Go client library used by the Kafka Exporter." - template: - type: object - properties: - deployment: + description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. 
When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." + securityContext: type: object properties: - metadata: + fsGroup: + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - deploymentStrategy: - type: string - enum: - - RollingUpdate - - Recreate - description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Kafka Exporter `Deployment`. - pod: - type: object - properties: - metadata: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: type: object properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - imagePullSecrets: + localhostProfile: + type: string + type: + type: string + supplementalGroups: + type: array + items: + type: integer + sysctls: type: array items: type: object properties: name: type: string - description: "List of references to secrets in the same namespace to use for pulling any of the images used by this Pod. 
When the `STRIMZI_IMAGE_PULL_SECRETS` environment variable in Cluster Operator and the `imagePullSecrets` option are specified, only the `imagePullSecrets` variable is used and the `STRIMZI_IMAGE_PULL_SECRETS` variable is ignored." - securityContext: + value: + type: string + windowsOptions: type: object properties: - fsGroup: - type: integer - fsGroupChangePolicy: + gmsaCredentialSpec: type: string - runAsGroup: - type: integer - runAsNonRoot: + gmsaCredentialSpecName: + type: string + hostProcess: type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - supplementalGroups: - type: array - items: - type: integer - sysctls: + runAsUserName: + type: string + description: Configures pod-level security attributes and common container settings. + terminationGracePeriodSeconds: + type: integer + minimum: 0 + description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." 
+ affinity: + type: object + properties: + nodeAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: type: array items: type: object properties: - name: - type: string - value: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Configures pod-level security attributes and common container settings. - terminationGracePeriodSeconds: - type: integer - minimum: 0 - description: "The grace period is the duration in seconds after the processes running in the pod are sent a termination signal, and the time when the processes are forcibly halted with a kill signal. Set this value to longer than the expected cleanup time for your process. Value must be a non-negative integer. A zero value indicates delete immediately. You might need to increase the grace period for very large Kafka clusters, so that the Kafka brokers have enough time to transfer their work to another broker before they are terminated. Defaults to 30 seconds." 
- affinity: - type: object - properties: - nodeAffinity: + preference: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: type: object properties: - preferredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: type: array items: type: object properties: - preference: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + podAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: + type: object + properties: + labelSelector: type: object properties: matchExpressions: @@ -12402,27 +12663,10 @@ spec: type: array items: type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: object - properties: - nodeSelectorTerms: - type: array - items: + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: type: object properties: matchExpressions: 
@@ -12438,79 +12682,75 @@ spec: type: array items: type: string - matchFields: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - podAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: + type: array + items: + type: string + topologyKey: + type: string + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: type: object properties: - podAffinityTerm: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: type: string - topologyKey: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + 
namespaces: + type: array + items: + type: string + topologyKey: + type: string + podAntiAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + podAffinityTerm: type: object properties: labelSelector: 
@@ -12557,564 +12797,314 @@ spec: type: string topologyKey: type: string - podAntiAffinity: - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: + weight: + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + properties: + labelSelector: type: object properties: - podAffinityTerm: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: - type: array - items: + matchExpressions: + type: array + items: + type: object + properties: + key: type: string - topologyKey: - type: string - weight: - type: integer - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaceSelector: type: object properties: - labelSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - 
x-kubernetes-preserve-unknown-fields: true - type: object - namespaces: + matchExpressions: type: array items: - type: string - topologyKey: - type: string - description: The pod's affinity rules. - tolerations: - type: array - items: - type: object - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - type: integer - value: - type: string - description: The pod's tolerations. - priorityClassName: - type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." - schedulerName: - type: string - description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." - hostAliases: - type: array - items: - type: object - properties: - hostnames: - type: array - items: - type: string - ip: - type: string - description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. - tmpDirSizeLimit: - type: string - pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" - description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. - enableServiceLinks: - type: boolean - description: Indicates whether information about services should be injected into Pod's environment variables. 
- topologySpreadConstraints: - type: array - items: - type: object - properties: - labelSelector: - type: object - properties: - matchExpressions: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + namespaces: type: array items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - matchLabelKeys: - type: array - items: - type: string - maxSkew: - type: integer - minDomains: - type: integer - nodeAffinityPolicy: - type: string - nodeTaintsPolicy: - type: string - topologyKey: - type: string - whenUnsatisfiable: - type: string - description: The pod's topology spread constraints. - description: Template for Kafka Exporter `Pods`. - service: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for Kafka Exporter `Service`. - container: - type: object - properties: - env: - type: array - items: + type: string + topologyKey: + type: string + description: The pod's affinity rules. + tolerations: + type: array + items: + type: object + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + type: integer + value: + type: string + description: The pod's tolerations. + priorityClassName: + type: string + description: 'The name of the priority class used to assign priority to the pods. 
' + schedulerName: + type: string + description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." + hostAliases: + type: array + items: + type: object + properties: + hostnames: + type: array + items: + type: string + ip: + type: string + description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified. + tmpDirSizeLimit: + type: string + pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$" + description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`. + enableServiceLinks: + type: boolean + description: Indicates whether information about services should be injected into Pod's environment variables. + topologySpreadConstraints: + type: array + items: + type: object + properties: + labelSelector: type: object properties: - name: - type: string - description: The environment variable key. - value: - type: string - description: The environment variable value. - description: Environment variables which should be applied to the container. 
- securityContext: - type: object - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - type: object - properties: - add: - type: array - items: - type: string - drop: - type: array - items: - type: string - privileged: - type: boolean - procMount: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + type: object + matchLabelKeys: + type: array + items: type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - type: integer - runAsNonRoot: - type: boolean - runAsUser: - type: integer - seLinuxOptions: - type: object - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - seccompProfile: - type: object - properties: - localhostProfile: - type: string - type: - type: string - windowsOptions: - type: object - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - description: Security context for the container. - description: Template for the Kafka Exporter container. - serviceAccount: + maxSkew: + type: integer + minDomains: + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + description: The pod's topology spread constraints. + description: Template for Kafka MirrorMaker `Pods`. + podDisruptionBudget: + type: object + properties: + metadata: type: object properties: - metadata: + labels: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. 
- annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka Exporter service account. - description: Customization of deployment templates and pods. - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness check. - readinessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. 
Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness check. - description: "Configuration of the Kafka Exporter. Kafka Exporter can provide additional metrics, for example lag of consumer group at topic/partition." - maintenanceTimeWindows: - type: array - items: - type: string - description: "A list of time windows for maintenance tasks (that is, certificates renewal). Each time window is defined by a cron expression." - required: - - kafka - - zookeeper - description: "The specification of the Kafka and ZooKeeper clusters, and Topic Operator." - status: - type: object - properties: - conditions: - type: array - items: - type: object - properties: - type: - type: string - description: "The unique identifier of a condition, used to distinguish between other conditions in the resource." - status: - type: string - description: "The status of the condition, either True, False or Unknown." - lastTransitionTime: - type: string - description: "Last time the condition of a type changed from one status to another. The required format is 'yyyy-MM-ddTHH:mm:ssZ', in the UTC time zone." - reason: - type: string - description: The reason for the condition's last transition (a single word in CamelCase). - message: - type: string - description: Human-readable message indicating details about the condition's last transition. - description: List of status conditions. - observedGeneration: - type: integer - description: The generation of the CRD that was last reconciled by the operator. - listeners: - type: array - items: - type: object - properties: - type: - type: string - description: The name of the listener. - name: - type: string - description: The name of the listener. - addresses: - type: array - items: + description: Labels added to the Kubernetes resource. 
+ annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. + maxUnavailable: + type: integer + minimum: 0 + description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." + description: Template for Kafka MirrorMaker `PodDisruptionBudget`. + mirrorMakerContainer: + type: object + properties: + env: + type: array + items: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. + securityContext: type: object properties: - host: + allowPrivilegeEscalation: + type: boolean + capabilities: + type: object + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: type: string - description: The DNS name or IP address of the Kafka bootstrap service. - port: + readOnlyRootFilesystem: + type: boolean + runAsGroup: type: integer - description: The port of the Kafka bootstrap service. - description: A list of the addresses for this listener. - bootstrapServers: - type: string - description: A comma-separated list of `host:port` pairs for connecting to the Kafka cluster using this listener. - certificates: - type: array - items: - type: string - description: A list of TLS certificates which can be used to verify the identity of the server when connecting to the given listener. Set only for `tls` and `external` listeners. - description: Addresses of the internal and external listeners. 
- kafkaNodePools: - type: array - items: - type: object - properties: - name: - type: string - description: The name of the KafkaNodePool used by this Kafka resource. - description: List of the KafkaNodePools used by this Kafka cluster. - clusterId: - type: string - description: Kafka cluster Id. - operatorLastSuccessfulVersion: - type: string - description: The version of the Strimzi Cluster Operator which performed the last successful reconciliation. - kafkaVersion: - type: string - description: The version of Kafka currently deployed in the cluster. - description: "The status of the Kafka and ZooKeeper clusters, and Topic Operator." - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: strimzi-cluster-operator-watched - labels: - app: strimzi -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-cluster-operator-watched - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: kafkarebalances.kafka.strimzi.io - labels: - app: strimzi - strimzi.io/crd-install: "true" -spec: - group: kafka.strimzi.io - names: - kind: KafkaRebalance - listKind: KafkaRebalanceList - singular: kafkarebalance - plural: kafkarebalances - shortNames: - - kr - categories: - - strimzi - scope: Namespaced - conversion: - strategy: None - versions: - - name: v1beta2 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Cluster - description: The name of the Kafka cluster this resource rebalances - jsonPath: .metadata.labels.strimzi\.io/cluster - type: string - - name: PendingProposal - description: A proposal has been requested from Cruise Control - jsonPath: ".status.conditions[?(@.type==\"PendingProposal\")].status" - type: string - - name: ProposalReady - description: A proposal is ready and waiting for approval - jsonPath: 
".status.conditions[?(@.type==\"ProposalReady\")].status" - type: string - - name: Rebalancing - description: Cruise Control is doing the rebalance - jsonPath: ".status.conditions[?(@.type==\"Rebalancing\")].status" - type: string - - name: Ready - description: The rebalance is complete - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - type: string - - name: NotReady - description: There is an error on the custom resource - jsonPath: ".status.conditions[?(@.type==\"NotReady\")].status" - type: string - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - mode: - type: string - enum: - - full - - add-brokers - - remove-brokers - description: "Mode to run the rebalancing. The supported modes are `full`, `add-brokers`, `remove-brokers`.\nIf not specified, the `full` mode is used by default. \n\n* `full` mode runs the rebalancing across all the brokers in the cluster.\n* `add-brokers` mode can be used after scaling up the cluster to move some replicas to the newly added brokers.\n* `remove-brokers` mode can be used before scaling down the cluster to move replicas out of the brokers to be removed.\n" - brokers: - type: array - items: - type: integer - description: The list of newly added brokers in case of scaling up or the ones to be removed in case of scaling down to use for rebalancing. This list can be used only with rebalancing mode `add-brokers` and `removed-brokers`. It is ignored with `full` mode. - goals: - type: array - items: - type: string - description: "A list of goals, ordered by decreasing priority, to use for generating and executing the rebalance proposal. The supported goals are available at https://github.com/linkedin/cruise-control#goals. If an empty goals list is provided, the goals declared in the default.goals Cruise Control configuration parameter are used." 
- skipHardGoalCheck: - type: boolean - description: Whether to allow the hard goals specified in the Kafka CR to be skipped in optimization proposal generation. This can be useful when some of those hard goals are preventing a balance solution being found. Default is false. - rebalanceDisk: - type: boolean - description: "Enables intra-broker disk balancing, which balances disk space utilization between disks on the same broker. Only applies to Kafka deployments that use JBOD storage with multiple disks. When enabled, inter-broker balancing is disabled. Default is false." - excludedTopics: - type: string - description: A regular expression where any matching topics will be excluded from the calculation of optimization proposals. This expression will be parsed by the java.util.regex.Pattern class; for more information on the supported format consult the documentation for that class. - concurrentPartitionMovementsPerBroker: - type: integer - minimum: 0 - description: The upper bound of ongoing partition replica movements going into/out of each broker. Default is 5. - concurrentIntraBrokerPartitionMovements: - type: integer - minimum: 0 - description: The upper bound of ongoing partition replica movements between disks within each broker. Default is 2. - concurrentLeaderMovements: - type: integer - minimum: 0 - description: The upper bound of ongoing partition leadership movements. Default is 1000. - replicationThrottle: - type: integer - minimum: 0 - description: "The upper bound, in bytes per second, on the bandwidth used to move replicas. There is no limit by default." - replicaMovementStrategies: - type: array - items: - type: string - description: "A list of strategy class names used to determine the execution order for the replica movements in the generated optimization proposal. By default BaseReplicaMovementStrategy is used, which will execute the replica movements in the order that they were generated." - description: The specification of the Kafka rebalance. 
+ runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for Kafka MirrorMaker container. + serviceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka MirrorMaker service account. + description: "Template to specify how Kafka MirrorMaker resources, `Deployments` and `Pods`, are generated." + livenessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. 
+ timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. + oneOf: + - properties: + include: {} + required: + - include + - properties: + whitelist: {} + required: + - whitelist + required: + - replicas + - consumer + - producer + description: The specification of Kafka MirrorMaker. status: type: object properties: 
@@ -13142,203 +13132,31 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. - sessionId: + labelSelector: type: string - description: The session identifier for requests to Cruise Control pertaining to this KafkaRebalance resource. This is used by the Kafka Rebalance operator to track the status of ongoing rebalancing operations. - optimizationResult: - x-kubernetes-preserve-unknown-fields: true - type: object - description: A JSON object describing the optimization result. - description: The status of the Kafka rebalance. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: strimzi-cluster-operator-leader-election - labels: - app: strimzi -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-cluster-operator-leader-election - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: strimzi-cluster-operator-namespaced - labels: - app: strimzi -rules: - # Resources in this role are used by the operator based on an operand being deployed in some namespace. When needed, you - # can deploy the operator as a cluster-wide operator. But grant the rights listed in this role only on the namespaces - # where the operands will be deployed. That way, you can limit the access the operator has to other namespaces where it - # does not manage any clusters. 
- - apiGroups: - - "rbac.authorization.k8s.io" - resources: - # The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions - - rolebindings - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "rbac.authorization.k8s.io" - resources: - # The cluster operator needs to access and manage roles to grant the entity operator permissions - - roles - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "" - resources: - # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates - - pods - # The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions - - serviceaccounts - # The cluster operator needs to access and manage config maps for Strimzi components configuration - - configmaps - # The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic - - services - - endpoints - # The cluster operator needs to access and manage secrets to handle credentials - - secrets - # The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data - - persistentvolumeclaims - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "apps" - resources: - # The cluster operator needs to access and manage deployments to run deployment based Strimzi components - - deployments - - deployments/scale - - deployments/status - # The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components - - statefulsets - # The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states - - replicasets - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - "" # 
legacy core events api, used by topic operator - - "events.k8s.io" # new events api, used by cluster operator - resources: - # The cluster operator needs to be able to create events and delegate permissions to do so - - events - verbs: - - create - - apiGroups: - # Kafka Connect Build on OpenShift requirement - - build.openshift.io - resources: - - buildconfigs - - buildconfigs/instantiate - - builds - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - networking.k8s.io - resources: - # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components - - networkpolicies - # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster - - ingresses - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - route.openshift.io - resources: - # The cluster operator needs to access and manage routes to expose Strimzi components for external access - - routes - - routes/custom-host - verbs: - - get - - list - - watch - - create - - delete - - patch - - update - - apiGroups: - - image.openshift.io - resources: - # The cluster operator needs to verify the image stream when used for Kafka Connect image build - - imagestreams - verbs: - - get - - apiGroups: - - policy - resources: - # The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions - # that a Strimzi component experiences, allowing for higher availability - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - delete - - patch - - update + description: Label selector for pods providing this resource. + replicas: + type: integer + description: The current number of pods being used to provide this resource. + description: The status of Kafka MirrorMaker. 
--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: kafkamirrormakers.kafka.strimzi.io + name: kafkabridges.kafka.strimzi.io labels: app: strimzi strimzi.io/crd-install: "true" spec: group: kafka.strimzi.io names: - kind: KafkaMirrorMaker - listKind: KafkaMirrorMakerList - singular: kafkamirrormaker - plural: kafkamirrormakers + kind: KafkaBridge + listKind: KafkaBridgeList + singular: kafkabridge + plural: kafkabridges shortNames: - - kmm + - kb categories: - strimzi scope: Namespaced @@ -13356,17 +13174,12 @@ spec: labelSelectorPath: .status.labelSelector additionalPrinterColumns: - name: Desired replicas - description: The desired number of Kafka MirrorMaker replicas + description: The desired number of Kafka Bridge replicas jsonPath: .spec.replicas type: integer - - name: Consumer Bootstrap Servers - description: The boostrap servers for the consumer - jsonPath: .spec.consumer.bootstrapServers - type: string - priority: 1 - - name: Producer Bootstrap Servers - description: The boostrap servers for the producer - jsonPath: .spec.producer.bootstrapServers + - name: Bootstrap Servers + description: The boostrap servers + jsonPath: .spec.bootstrapServers type: string priority: 1 - name: Ready 
@@ -13380,376 +13193,225 @@ spec: spec: type: object properties: - version: - type: string - description: "The Kafka MirrorMaker version. Defaults to {DefaultKafkaVersion}. Consult the documentation to understand the process required to upgrade or downgrade the version." replicas: type: integer minimum: 0 - description: The number of pods in the `Deployment`. + description: The number of pods in the `Deployment`. Defaults to `1`. image: type: string - description: The docker image for the pods. - consumer: + description: "The container image used for Kafka Bridge pods. If no image name is explicitly specified, the image name corresponds to the image specified in the Cluster Operator configuration. If an image name is not defined in the Cluster Operator configuration, a default value is used." + bootstrapServers: + type: string + description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. + tls: type: object properties: - numStreams: - type: integer - minimum: 1 - description: Specifies the number of consumer stream threads to create. - offsetCommitInterval: - type: integer - description: Specifies the offset auto-commit interval in ms. Default value is 60000. - bootstrapServers: - type: string - description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. - groupId: - type: string - description: A unique string that identifies the consumer group this consumer belongs to. - authentication: + trustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection. + description: TLS configuration for connecting Kafka Bridge to the cluster. 
+ authentication: + type: object + properties: + accessToken: type: object properties: - accessToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. - accessTokenIsJwt: - type: boolean - description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. - audience: + key: type: string - description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." - certificateAndKey: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - key: - type: string - description: The name of the private key in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - key - - secretName - description: Reference to the `Secret` which holds the certificate and private key pair. - clientId: + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: type: string - description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - clientSecret: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. 
- secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - connectTimeoutSeconds: - type: integer - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. Default value is `false`. - httpRetries: - type: integer - description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." - httpRetryPauseMs: - type: integer - description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." - includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - maxTokenExpirySeconds: - type: integer - description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. - passwordSecret: - type: object - properties: - password: - type: string - description: The name of the key in the Secret under which the password is stored. - secretName: - type: string - description: The name of the Secret containing the password. - required: - - password - - secretName - description: Reference to the `Secret` which holds the password. - readTimeoutSeconds: - type: integer - description: "The read timeout in seconds when connecting to authorization server. 
If not set, the effective read timeout is 60 seconds." - refreshToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. - scope: + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. + accessTokenIsJwt: + type: boolean + description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. + audience: + type: string + description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request." + certificateAndKey: + type: object + properties: + certificate: type: string - description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. - tlsTrustedCertificates: - type: array - items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. 
- required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: + description: The name of the file certificate in the Secret. + key: type: string - description: Authorization server token endpoint URI. - type: + description: The name of the private key in the Secret. + secretName: type: string - enum: - - tls - - scram-sha-256 - - scram-sha-512 - - plain - - oauth - description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." - username: + description: The name of the Secret containing the certificate. + required: + - certificate + - key + - secretName + description: Reference to the `Secret` which holds the certificate and private key pair. + clientId: + type: string + description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. + clientSecret: + type: object + properties: + key: type: string - description: Username used for the authentication. + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. required: - - type - description: Authentication configuration for connecting to the cluster. - config: - x-kubernetes-preserve-unknown-fields: true + - key + - secretName + description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. 
+ connectTimeoutSeconds: + type: integer + description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." + disableTlsHostnameVerification: + type: boolean + description: Enable or disable TLS hostname verification. Default value is `false`. + enableMetrics: + type: boolean + description: Enable or disable OAuth metrics. Default value is `false`. + httpRetries: + type: integer + description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." + httpRetryPauseMs: + type: integer + description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." + includeAcceptHeader: + type: boolean + description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. + maxTokenExpirySeconds: + type: integer + description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. + passwordSecret: type: object - description: "The MirrorMaker consumer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." - tls: + properties: + password: + type: string + description: The name of the key in the Secret under which the password is stored. + secretName: + type: string + description: The name of the Secret containing the password. + required: + - password + - secretName + description: Reference to the `Secret` which holds the password. + readTimeoutSeconds: + type: integer + description: "The read timeout in seconds when connecting to authorization server. 
If not set, the effective read timeout is 60 seconds." + refreshToken: type: object properties: - trustedCertificates: - type: array - items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection. - description: TLS configuration for connecting MirrorMaker to the cluster. + key: + type: string + description: The key under which the secret value is stored in the Kubernetes Secret. + secretName: + type: string + description: The name of the Kubernetes Secret containing the secret value. + required: + - key + - secretName + description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. + scope: + type: string + description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. + tlsTrustedCertificates: + type: array + items: + type: object + properties: + certificate: + type: string + description: The name of the file certificate in the Secret. + secretName: + type: string + description: The name of the Secret containing the certificate. + required: + - certificate + - secretName + description: Trusted certificates for TLS connection to the OAuth server. + tokenEndpointUri: + type: string + description: Authorization server token endpoint URI. + type: + type: string + enum: + - tls + - scram-sha-256 + - scram-sha-512 + - plain + - oauth + description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. 
`scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." + username: + type: string + description: Username used for the authentication. required: - - bootstrapServers - - groupId - description: Configuration of source cluster. - producer: + - type + description: Authentication configuration for connecting to the cluster. + http: type: object properties: - bootstrapServers: - type: string - description: A list of host:port pairs for establishing the initial connection to the Kafka cluster. - abortOnSendFailure: - type: boolean - description: Flag to set the MirrorMaker to exit on a failed send. Default value is `true`. - authentication: + port: + type: integer + minimum: 1023 + description: The port which is the server listening on. + cors: type: object properties: - accessToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the access token which was obtained from the authorization server. - accessTokenIsJwt: - type: boolean - description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`. - audience: - type: string - description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. 
By default, `audience` is not specified when performing the token endpoint request." - certificateAndKey: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - key: - type: string - description: The name of the private key in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - key - - secretName - description: Reference to the `Secret` which holds the certificate and private key pair. - clientId: - type: string - description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - clientSecret: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. - connectTimeoutSeconds: - type: integer - description: "The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds." - disableTlsHostnameVerification: - type: boolean - description: Enable or disable TLS hostname verification. Default value is `false`. - enableMetrics: - type: boolean - description: Enable or disable OAuth metrics. Default value is `false`. - httpRetries: - type: integer - description: "The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries." - httpRetryPauseMs: - type: integer - description: "The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request." 
- includeAcceptHeader: - type: boolean - description: Whether the Accept header should be set in requests to the authorization servers. The default value is `true`. - maxTokenExpirySeconds: - type: integer - description: Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. - passwordSecret: - type: object - properties: - password: - type: string - description: The name of the key in the Secret under which the password is stored. - secretName: - type: string - description: The name of the Secret containing the password. - required: - - password - - secretName - description: Reference to the `Secret` which holds the password. - readTimeoutSeconds: - type: integer - description: "The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds." - refreshToken: - type: object - properties: - key: - type: string - description: The key under which the secret value is stored in the Kubernetes Secret. - secretName: - type: string - description: The name of the Kubernetes Secret containing the secret value. - required: - - key - - secretName - description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server. - scope: - type: string - description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request. - tlsTrustedCertificates: + allowedOrigins: type: array items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. 
- required: - - certificate - - secretName - description: Trusted certificates for TLS connection to the OAuth server. - tokenEndpointUri: - type: string - description: Authorization server token endpoint URI. - type: - type: string - enum: - - tls - - scram-sha-256 - - scram-sha-512 - - plain - - oauth - description: "Authentication type. Currently the supported types are `tls`, `scram-sha-256`, `scram-sha-512`, `plain`, and 'oauth'. `scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. `plain` type uses SASL PLAIN Authentication. `oauth` type uses SASL OAUTHBEARER Authentication. The `tls` type uses TLS Client Authentication. The `tls` type is supported only over TLS connections." - username: - type: string - description: Username used for the authentication. + type: string + description: List of allowed origins. Java regular expressions can be used. + allowedMethods: + type: array + items: + type: string + description: List of allowed HTTP methods. required: - - type - description: Authentication configuration for connecting to the cluster. + - allowedOrigins + - allowedMethods + description: CORS configuration for the HTTP Bridge. + description: The HTTP related configuration. + adminClient: + type: object + properties: config: x-kubernetes-preserve-unknown-fields: true type: object - description: "The MirrorMaker producer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." - tls: + description: The Kafka AdminClient configuration used for AdminClient instances created by the bridge. + description: Kafka AdminClient related configuration. 
+ consumer: + type: object + properties: + config: + x-kubernetes-preserve-unknown-fields: true + type: object + description: "The Kafka consumer configuration used for consumer instances created by the bridge. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security. (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." + description: Kafka consumer related configuration. + producer: + type: object + properties: + config: + x-kubernetes-preserve-unknown-fields: true type: object - properties: - trustedCertificates: - type: array - items: - type: object - properties: - certificate: - type: string - description: The name of the file certificate in the Secret. - secretName: - type: string - description: The name of the Secret containing the certificate. - required: - - certificate - - secretName - description: Trusted certificates for TLS connection. - description: TLS configuration for connecting MirrorMaker to the cluster. - required: - - bootstrapServers - description: Configuration of target cluster. + description: "The Kafka producer configuration used for producer instances created by the bridge. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, sasl., security. (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)." + description: Kafka producer related configuration. resources: type: object properties: 
@@ -13767,12 +13429,6 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object description: CPU and memory resources to reserve. - whitelist: - type: string - description: "List of topics which are included for mirroring. This option allows any regular expression using Java-style regular expressions. Mirroring two topics named A and B is achieved by using the expression `A\\|B`. Or, as a special case, you can mirror all topics using the regular expression `*`. You can also specify multiple regular expressions separated by commas." - include: - type: string - description: "List of topics which are included for mirroring. This option allows any regular expression using Java-style regular expressions. Mirroring two topics named A and B is achieved by using the expression `A\\|B`. Or, as a special case, you can mirror all topics using the regular expression `*`. You can also specify multiple regular expressions separated by commas." jvmOptions: type: object properties: @@ -13803,7 +13459,7 @@ spec: type: string description: The system property value. description: A map of additional system properties which will be passed using the `-D` option to the JVM. - description: JVM Options for pods. + description: '**Currently not supported** JVM Options for pods.' logging: type: object properties: 
@@ -13833,45 +13489,71 @@ spec: description: '`ConfigMap` entry where the logging configuration is stored. ' required: - type - description: Logging configuration for MirrorMaker. - metricsConfig: + description: Logging configuration for Kafka Bridge. + clientRackInitImage: + type: string + description: The image of the init container used for initializing the `client.rack`. + rack: type: object properties: - type: + topologyKey: type: string - enum: - - jmxPrometheusExporter - description: Metrics type. Only 'jmxPrometheusExporter' supported currently. - valueFrom: - type: object - properties: - configMapKeyRef: - type: object - properties: - key: - type: string - name: - type: string - optional: - type: boolean - description: Reference to the key in the ConfigMap containing the configuration. - description: "ConfigMap entry where the Prometheus JMX Exporter configuration is stored. For details of the structure of this configuration, see the {JMXExporter}." + example: topology.kubernetes.io/zone + description: "A key that matches labels assigned to the Kubernetes cluster nodes. The value of the label is used to set a broker's `broker.rack` config, and the `client.rack` config for Kafka Connect or MirrorMaker 2." required: - - type - - valueFrom - description: Metrics configuration. - tracing: + - topologyKey + description: Configuration of the node label which will be used as the client.rack consumer configuration. + enableMetrics: + type: boolean + description: Enable the metrics for the Kafka Bridge. Default is false. + livenessProbe: type: object properties: - type: - type: string - enum: - - jaeger - - opentelemetry - description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." - required: - - type - description: The configuration of tracing in Kafka MirrorMaker. 
+ failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod liveness checking. + readinessProbe: + type: object + properties: + failureThreshold: + type: integer + minimum: 1 + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + initialDelaySeconds: + type: integer + minimum: 0 + description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. + periodSeconds: + type: integer + minimum: 1 + description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + successThreshold: + type: integer + minimum: 1 + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. + timeoutSeconds: + type: integer + minimum: 1 + description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. + description: Pod readiness checking. template: type: object properties: 
@@ -13896,7 +13578,7 @@ spec: - RollingUpdate - Recreate description: Pod replacement strategy for deployment configuration changes. Valid values are `RollingUpdate` and `Recreate`. Defaults to `RollingUpdate`. - description: Template for Kafka MirrorMaker `Deployment`. + description: Template for Kafka Bridge `Deployment`. pod: type: object properties: @@ -14287,7 +13969,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." 
@@ -14351,7 +14033,38 @@ spec: whenUnsatisfiable: type: string description: The pod's topology spread constraints. - description: Template for Kafka MirrorMaker `Pods`. + description: Template for Kafka Bridge `Pods`. + apiService: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + ipFamilyPolicy: + type: string + enum: + - SingleStack + - PreferDualStack + - RequireDualStack + description: "Specifies the IP Family Policy used by the service. Available options are `SingleStack`, `PreferDualStack` and `RequireDualStack`. `SingleStack` is for a single IP family. `PreferDualStack` is for two IP families on dual-stack configured clusters or a single IP family on single-stack clusters. `RequireDualStack` fails unless there are two IP families on dual-stack configured clusters. If unspecified, Kubernetes will choose the default value based on the service type." + ipFamilies: + type: array + items: + type: string + enum: + - IPv4 + - IPv6 + description: "Specifies the IP Families used by the service. Available options are `IPv4` and `IPv6`. If unspecified, Kubernetes will choose the default value based on the `ipFamilyPolicy` setting." + description: Template for Kafka Bridge API `Service`. podDisruptionBudget: type: object properties: 
@@ -14366,13 +14079,119 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object description: Annotations added to the Kubernetes resource. - description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. - maxUnavailable: - type: integer - minimum: 0 - description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." - description: Template for Kafka MirrorMaker `PodDisruptionBudget`. - mirrorMakerContainer: + description: Metadata to apply to the `PodDisruptionBudgetTemplate` resource. + maxUnavailable: + type: integer + minimum: 0 + description: "Maximum number of unavailable pods to allow automatic Pod eviction. A Pod eviction is allowed when the `maxUnavailable` number of pods or fewer are unavailable after the eviction. Setting this value to 0 prevents all voluntary evictions, so the pods must be evicted manually. Defaults to 1." + description: Template for Kafka Bridge `PodDisruptionBudget`. + bridgeContainer: + type: object + properties: + env: + type: array + items: + type: object + properties: + name: + type: string + description: The environment variable key. + value: + type: string + description: The environment variable value. + description: Environment variables which should be applied to the container. 
+ securityContext: + type: object + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + type: object + properties: + add: + type: array + items: + type: string + drop: + type: array + items: + type: string + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + type: integer + runAsNonRoot: + type: boolean + runAsUser: + type: integer + seLinuxOptions: + type: object + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + seccompProfile: + type: object + properties: + localhostProfile: + type: string + type: + type: string + windowsOptions: + type: object + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + description: Security context for the container. + description: Template for the Kafka Bridge container. + clusterRoleBinding: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka Bridge ClusterRoleBinding. + serviceAccount: + type: object + properties: + metadata: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Labels added to the Kubernetes resource. + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + description: Annotations added to the Kubernetes resource. + description: Metadata applied to the resource. + description: Template for the Kafka Bridge service account. + initContainer: type: object properties: env: 
@@ -14445,86 +14264,23 @@ spec: runAsUserName: type: string description: Security context for the container. - description: Template for Kafka MirrorMaker container. - serviceAccount: - type: object - properties: - metadata: - type: object - properties: - labels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Labels added to the Kubernetes resource. - annotations: - x-kubernetes-preserve-unknown-fields: true - type: object - description: Annotations added to the Kubernetes resource. - description: Metadata applied to the resource. - description: Template for the Kafka MirrorMaker service account. - description: "Template to specify how Kafka MirrorMaker resources, `Deployments` and `Pods`, are generated." - livenessProbe: - type: object - properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod liveness checking. - readinessProbe: + description: Template for the Kafka Bridge init container. + description: Template for Kafka Bridge resources. The template allows users to specify how a `Deployment` and `Pod` is generated. 
+ tracing: type: object properties: - failureThreshold: - type: integer - minimum: 1 - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - initialDelaySeconds: - type: integer - minimum: 0 - description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0. - periodSeconds: - type: integer - minimum: 1 - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - successThreshold: - type: integer - minimum: 1 - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. - timeoutSeconds: - type: integer - minimum: 1 - description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1. - description: Pod readiness checking. - oneOf: - - properties: - include: {} - required: - - include - - properties: - whitelist: {} - required: - - whitelist + type: + type: string + enum: + - jaeger + - opentelemetry + description: "Type of the tracing used. Currently the only supported type is `opentelemetry` for OpenTelemetry tracing. As of Strimzi 0.37.0, `jaeger` type is not supported anymore and this option is ignored." + required: + - type + description: The configuration of tracing in Kafka Bridge. required: - - replicas - - consumer - - producer - description: The specification of Kafka MirrorMaker. + - bootstrapServers + description: The specification of the Kafka Bridge. status: type: object properties: 
@@ -14552,13 +14308,16 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. + url: + type: string + description: The URL at which external client applications can access the Kafka Bridge. labelSelector: type: string description: Label selector for pods providing this resource. replicas: type: integer description: The current number of pods being used to provide this resource. - description: The status of Kafka MirrorMaker. + description: The status of the Kafka Bridge. --- apiVersion: apiextensions.k8s.io/v1 @@ -15166,7 +14925,7 @@ spec: description: The pod's tolerations. priorityClassName: type: string - description: "The name of the priority class used to assign priority to the pods. For more information about priority classes, see {K8sPriorityClass}." + description: 'The name of the priority class used to assign priority to the pods. ' schedulerName: type: string description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used." @@ -15484,6 +15243,14 @@ spec: clusterId: type: string description: Kafka cluster ID. + roles: + type: array + items: + type: string + enum: + - controller + - broker + description: The roles currently assigned to this pool. replicas: type: integer description: The current number of pods being used to provide this resource. 
@@ -15492,23 +15259,433 @@ spec: description: Label selector for pods providing this resource. description: The status of the KafkaNodePool. +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: strimzi-cluster-operator + labels: + app: strimzi +data: + log4j2.properties: | + name = COConfig + monitorInterval = 30 + + appender.console.type = Console + appender.console.name = STDOUT + appender.console.layout.type = PatternLayout + appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n + + rootLogger.level = ${env:STRIMZI_LOG_LEVEL:-INFO} + rootLogger.appenderRefs = stdout + rootLogger.appenderRef.console.ref = STDOUT + + # Kafka AdminClient logging is a bit noisy at INFO level + logger.kafka.name = org.apache.kafka + logger.kafka.level = WARN + + # Zookeeper is very verbose even on INFO level -> We set it to WARN by default + logger.zookeepertrustmanager.name = org.apache.zookeeper + logger.zookeepertrustmanager.level = WARN + + # Keeps separate level for Netty logging -> to not be changed by the root logger + logger.netty.name = io.netty + logger.netty.level = INFO + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: strimzi-cluster-operator + labels: + app: strimzi +spec: + replicas: 1 + selector: + matchLabels: + name: strimzi-cluster-operator + strimzi.io/kind: cluster-operator + template: + metadata: + labels: + name: strimzi-cluster-operator + strimzi.io/kind: cluster-operator + spec: + serviceAccountName: strimzi-cluster-operator + volumes: + - name: strimzi-tmp + emptyDir: + medium: Memory + sizeLimit: 1Mi + - name: co-config-volume + configMap: + name: strimzi-cluster-operator + containers: + - name: strimzi-cluster-operator + image: quay.io/strimzi/operator:0.39.0 + ports: + - containerPort: 8080 + name: http + args: + - /opt/strimzi/bin/cluster_operator_run.sh + volumeMounts: + - name: strimzi-tmp + mountPath: /tmp + - name: co-config-volume + mountPath: /opt/strimzi/custom-config/ + env: + - name: STRIMZI_NAMESPACE 
+ valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: STRIMZI_FULL_RECONCILIATION_INTERVAL_MS + value: "120000" + - name: STRIMZI_OPERATION_TIMEOUT_MS + value: "300000" + - name: STRIMZI_DEFAULT_TLS_SIDECAR_ENTITY_OPERATOR_IMAGE + value: quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_DEFAULT_KAFKA_EXPORTER_IMAGE + value: quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_DEFAULT_CRUISE_CONTROL_IMAGE + value: quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_KAFKA_IMAGES + value: | + 3.5.0=quay.io/strimzi/kafka:0.39.0-kafka-3.5.0 + 3.5.1=quay.io/strimzi/kafka:0.39.0-kafka-3.5.1 + 3.5.2=quay.io/strimzi/kafka:0.39.0-kafka-3.5.2 + 3.6.0=quay.io/strimzi/kafka:0.39.0-kafka-3.6.0 + 3.6.1=quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_KAFKA_CONNECT_IMAGES + value: | + 3.5.0=quay.io/strimzi/kafka:0.39.0-kafka-3.5.0 + 3.5.1=quay.io/strimzi/kafka:0.39.0-kafka-3.5.1 + 3.5.2=quay.io/strimzi/kafka:0.39.0-kafka-3.5.2 + 3.6.0=quay.io/strimzi/kafka:0.39.0-kafka-3.6.0 + 3.6.1=quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_KAFKA_MIRROR_MAKER_IMAGES + value: | + 3.5.0=quay.io/strimzi/kafka:0.39.0-kafka-3.5.0 + 3.5.1=quay.io/strimzi/kafka:0.39.0-kafka-3.5.1 + 3.5.2=quay.io/strimzi/kafka:0.39.0-kafka-3.5.2 + 3.6.0=quay.io/strimzi/kafka:0.39.0-kafka-3.6.0 + 3.6.1=quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_KAFKA_MIRROR_MAKER_2_IMAGES + value: | + 3.5.0=quay.io/strimzi/kafka:0.39.0-kafka-3.5.0 + 3.5.1=quay.io/strimzi/kafka:0.39.0-kafka-3.5.1 + 3.5.2=quay.io/strimzi/kafka:0.39.0-kafka-3.5.2 + 3.6.0=quay.io/strimzi/kafka:0.39.0-kafka-3.6.0 + 3.6.1=quay.io/strimzi/kafka:0.39.0-kafka-3.6.1 + - name: STRIMZI_DEFAULT_TOPIC_OPERATOR_IMAGE + value: quay.io/strimzi/operator:0.39.0 + - name: STRIMZI_DEFAULT_USER_OPERATOR_IMAGE + value: quay.io/strimzi/operator:0.39.0 + - name: STRIMZI_DEFAULT_KAFKA_INIT_IMAGE + value: quay.io/strimzi/operator:0.39.0 + - name: STRIMZI_DEFAULT_KAFKA_BRIDGE_IMAGE + value: 
quay.io/strimzi/kafka-bridge:0.27.0 + - name: STRIMZI_DEFAULT_KANIKO_EXECUTOR_IMAGE + value: quay.io/strimzi/kaniko-executor:0.39.0 + - name: STRIMZI_DEFAULT_MAVEN_BUILDER + value: quay.io/strimzi/maven-builder:0.39.0 + - name: STRIMZI_OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: STRIMZI_FEATURE_GATES + value: "" + - name: STRIMZI_LEADER_ELECTION_ENABLED + value: "true" + - name: STRIMZI_LEADER_ELECTION_LEASE_NAME + value: "strimzi-cluster-operator" + - name: STRIMZI_LEADER_ELECTION_LEASE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: STRIMZI_LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + fieldPath: metadata.name + livenessProbe: + httpGet: + path: /healthy + port: http + initialDelaySeconds: 10 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /ready + port: http + initialDelaySeconds: 10 + periodSeconds: 30 + resources: + limits: + cpu: 1000m + memory: 384Mi + requests: + cpu: 200m + memory: 384Mi + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-entity-operator + labels: + app: strimzi +rules: + - apiGroups: + - "kafka.strimzi.io" + resources: + # The Entity Operator contains the Topic Operator which needs to access and manage KafkaTopic resources + - kafkatopics + verbs: + - get + - list + - watch + - create + - patch + - update + - delete + - apiGroups: + - "kafka.strimzi.io" + resources: + # The Entity Operator contains the User Operator which needs to access and manage KafkaUser resources + - kafkausers + verbs: + - get + - list + - watch + - create + - patch + - update + - apiGroups: + - "kafka.strimzi.io" + resources: + # The Entity Operator contains the Topic Operator which needs to access and manage KafkaTopic resources + - kafkatopics/status + # The Entity Operator contains the User Operator which needs to access and manage KafkaUser resources + - kafkausers/status + verbs: + - get + - patch + - update + - apiGroups: + - "" + 
resources: + - events + verbs: + # The entity operator needs to be able to create events + - create + - apiGroups: + - "" + resources: + # The entity operator user-operator needs to access and manage secrets to store generated credentials + - secrets + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: strimzi-cluster-operator-entity-operator-delegation + labels: + app: strimzi +# The Entity Operator cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Entity Operator. +# This must be done to avoid escalating privileges which would be blocked by Kubernetes. +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-entity-operator + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: strimzi-cluster-operator + labels: + app: strimzi + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-cluster-operator-watched + labels: + app: strimzi +rules: + # Resources in this role are being watched by the operator. When operator is deployed as cluster-wide, these permissions + # need to be granted to the operator on a cluster wide level as well, even if the operands will be deployed only in + # few of the namespaces in given cluster. This is required to set up the Kubernetes watches and informers. 
+ # Note: The rights included in this role might change in the future + - apiGroups: + - "" + resources: + # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates + - pods + verbs: + - watch + - list + - apiGroups: + - "kafka.strimzi.io" + resources: + # The Cluster Operator operates the Strimzi custom resources + - kafkas + - kafkanodepools + - kafkaconnects + - kafkaconnectors + - kafkamirrormakers + - kafkabridges + - kafkamirrormaker2s + - kafkarebalances + verbs: + - get + - list + - watch + - create + - patch + - update + - apiGroups: + - "kafka.strimzi.io" + resources: + # The Cluster Operator needs to manage the status of the Strimzi custom resources + - kafkas/status + - kafkanodepools/status + - kafkaconnects/status + - kafkaconnectors/status + - kafkamirrormakers/status + - kafkabridges/status + - kafkamirrormaker2s/status + - kafkarebalances/status + verbs: + - get + - patch + - update + - apiGroups: + - "core.strimzi.io" + resources: + # The cluster operator uses StrimziPodSets to manage the Kafka and ZooKeeper pods + - strimzipodsets + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - "core.strimzi.io" + resources: + # The Cluster Operator needs to manage the status of the StrimziPodSet custom resource + - strimzipodsets/status + verbs: + - get + - patch + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-kafka-client + labels: + app: strimzi +rules: + - apiGroups: + - "" + resources: + # The Kafka clients (Connect, Mirror Maker, etc.) 
require "get" permissions to view the node they are on + # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest + # replicas when enabled + - nodes + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: strimzi-cluster-operator-global + labels: + app: strimzi +rules: + - apiGroups: + - "rbac.authorization.k8s.io" + resources: + # The cluster operator needs to create and manage cluster role bindings in the case of an install where a user + # has specified they want their cluster role bindings generated + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - delete + - patch + - update + - apiGroups: + - storage.k8s.io + resources: + # The cluster operator requires "get" permissions to view storage class details + # This is because only a persistent volume of a supported storage class type can be resized + - storageclasses + verbs: + - get + - apiGroups: + - "" + resources: + # The cluster operator requires "list" permissions to view all nodes in a cluster + # The listing is used to determine the node addresses when NodePort access is configured + # These addresses are then exposed in the custom resource states + - nodes + verbs: + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: strimzi-cluster-operator + labels: + app: strimzi +subjects: + - kind: ServiceAccount + name: strimzi-cluster-operator + namespace: myproject +roleRef: + kind: ClusterRole + name: strimzi-cluster-operator-global + apiGroup: rbac.authorization.k8s.io + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: strimzipodsets.core.strimzi.io + name: kafkarebalances.kafka.strimzi.io labels: app: strimzi strimzi.io/crd-install: "true" spec: - group: core.strimzi.io + group: kafka.strimzi.io names: - kind: StrimziPodSet - listKind: StrimziPodSetList - singular: strimzipodset - plural: 
strimzipodsets + kind: KafkaRebalance + listKind: KafkaRebalanceList + singular: kafkarebalance + plural: kafkarebalances shortNames: - - sps + - kr categories: - strimzi scope: Namespaced @@ -15521,22 +15698,30 @@ spec: subresources: status: {} additionalPrinterColumns: - - name: Pods - description: Number of pods managed by the StrimziPodSet - jsonPath: .status.pods - type: integer - - name: Ready Pods - description: Number of ready pods managed by the StrimziPodSet - jsonPath: .status.readyPods - type: integer - - name: Current Pods - description: Number of up-to-date pods managed by the StrimziPodSet - jsonPath: .status.currentPods - type: integer - - name: Age - description: Age of the StrimziPodSet - jsonPath: .metadata.creationTimestamp - type: date + - name: Cluster + description: The name of the Kafka cluster this resource rebalances + jsonPath: .metadata.labels.strimzi\.io/cluster + type: string + - name: PendingProposal + description: A proposal has been requested from Cruise Control + jsonPath: ".status.conditions[?(@.type==\"PendingProposal\")].status" + type: string + - name: ProposalReady + description: A proposal is ready and waiting for approval + jsonPath: ".status.conditions[?(@.type==\"ProposalReady\")].status" + type: string + - name: Rebalancing + description: Cruise Control is doing the rebalance + jsonPath: ".status.conditions[?(@.type==\"Rebalancing\")].status" + type: string + - name: Ready + description: The rebalance is complete + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + type: string + - name: NotReady + description: There is an error on the custom resource + jsonPath: ".status.conditions[?(@.type==\"NotReady\")].status" + type: string schema: openAPIV3Schema: type: object 
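Review bot: The subjects of the `strimzi-cluster-operator-entity-operator-delegation` RoleBinding and the `strimzi-cluster-operator` ClusterRoleBinding added in this hunk are hardcoded to `namespace: myproject`, while the ServiceAccount and Deployment in the same hunk carry no namespace at all, so unless the test harness rewrites that value at apply time the operator will run without the `strimzi-cluster-operator-global` permissions it needs to manage ClusterRoleBindings and the entity-operator delegation will silently not take effect. Since this file is vendored from the upstream Strimzi release, the substitution belongs in the apply step rather than in the file itself; a comment above the RBAC objects such as `# NOTE: 'myproject' is a placeholder; the install step must replace it with the operator namespace` would make that dependency visible to whoever next bumps the file. Separately, the operator Deployment sets resources and probes but no pod- or container-level `securityContext` (no `runAsNonRoot`, `allowPrivilegeEscalation: false` or dropped capabilities), which is worth noting given this service account can create ClusterRoleBindings; whether the image already runs as non-root cannot be confirmed from this diff.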
@@ -15544,36 +15729,54 @@ spec: spec: type: object properties: - selector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - matchLabels: - x-kubernetes-preserve-unknown-fields: true - type: object - description: "Selector is a label query which matches all the pods managed by this `StrimziPodSet`. Only `matchLabels` is supported. If `matchExpressions` is set, it will be ignored." - pods: + mode: + type: string + enum: + - full + - add-brokers + - remove-brokers + description: "Mode to run the rebalancing. The supported modes are `full`, `add-brokers`, `remove-brokers`.\nIf not specified, the `full` mode is used by default. \n\n* `full` mode runs the rebalancing across all the brokers in the cluster.\n* `add-brokers` mode can be used after scaling up the cluster to move some replicas to the newly added brokers.\n* `remove-brokers` mode can be used before scaling down the cluster to move replicas out of the brokers to be removed.\n" + brokers: type: array items: - x-kubernetes-preserve-unknown-fields: true - type: object - description: The Pods managed by this StrimziPodSet. - required: - - selector - - pods - description: The specification of the StrimziPodSet. + type: integer + description: The list of newly added brokers in case of scaling up or the ones to be removed in case of scaling down to use for rebalancing. This list can be used only with rebalancing mode `add-brokers` and `removed-brokers`. It is ignored with `full` mode. + goals: + type: array + items: + type: string + description: "A list of goals, ordered by decreasing priority, to use for generating and executing the rebalance proposal. The supported goals are available at https://github.com/linkedin/cruise-control#goals. If an empty goals list is provided, the goals declared in the default.goals Cruise Control configuration parameter are used." 
+ skipHardGoalCheck: + type: boolean + description: Whether to allow the hard goals specified in the Kafka CR to be skipped in optimization proposal generation. This can be useful when some of those hard goals are preventing a balance solution being found. Default is false. + rebalanceDisk: + type: boolean + description: "Enables intra-broker disk balancing, which balances disk space utilization between disks on the same broker. Only applies to Kafka deployments that use JBOD storage with multiple disks. When enabled, inter-broker balancing is disabled. Default is false." + excludedTopics: + type: string + description: A regular expression where any matching topics will be excluded from the calculation of optimization proposals. This expression will be parsed by the java.util.regex.Pattern class; for more information on the supported format consult the documentation for that class. + concurrentPartitionMovementsPerBroker: + type: integer + minimum: 0 + description: The upper bound of ongoing partition replica movements going into/out of each broker. Default is 5. + concurrentIntraBrokerPartitionMovements: + type: integer + minimum: 0 + description: The upper bound of ongoing partition replica movements between disks within each broker. Default is 2. + concurrentLeaderMovements: + type: integer + minimum: 0 + description: The upper bound of ongoing partition leadership movements. Default is 1000. + replicationThrottle: + type: integer + minimum: 0 + description: "The upper bound, in bytes per second, on the bandwidth used to move replicas. There is no limit by default." + replicaMovementStrategies: + type: array + items: + type: string + description: "A list of strategy class names used to determine the execution order for the replica movements in the generated optimization proposal. By default BaseReplicaMovementStrategy is used, which will execute the replica movements in the order that they were generated." + description: The specification of the Kafka rebalance. 
status: type: object properties: 
@@ -15601,160 +15804,13 @@ spec: observedGeneration: type: integer description: The generation of the CRD that was last reconciled by the operator. - pods: - type: integer - description: Number of pods managed by this `StrimziPodSet` resource. - readyPods: - type: integer - description: Number of pods managed by this `StrimziPodSet` resource that are ready. - currentPods: - type: integer - description: Number of pods managed by this `StrimziPodSet` resource that have the current revision. - description: The status of the StrimziPodSet. - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: strimzi-cluster-operator-kafka-client-delegation - labels: - app: strimzi -# The Kafka clients cluster role must be bound to the cluster operator service account so that it can delegate the -# cluster role to the Kafka clients using it for consuming from closest replica. -# This must be done to avoid escalating privileges which would be blocked by Kubernetes. -subjects: - - kind: ServiceAccount - name: strimzi-cluster-operator - namespace: myproject -roleRef: - kind: ClusterRole - name: strimzi-kafka-client - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: strimzi-cluster-operator - labels: - app: strimzi -spec: - replicas: 1 - selector: - matchLabels: - name: strimzi-cluster-operator - strimzi.io/kind: cluster-operator - template: - metadata: - labels: - name: strimzi-cluster-operator - strimzi.io/kind: cluster-operator - spec: - serviceAccountName: strimzi-cluster-operator - volumes: - - name: strimzi-tmp - emptyDir: - medium: Memory - sizeLimit: 1Mi - - name: co-config-volume - configMap: - name: strimzi-cluster-operator - containers: - - name: strimzi-cluster-operator - image: quay.io/strimzi/operator:0.38.0 - ports: - - containerPort: 8080 - name: http - args: - - /opt/strimzi/bin/cluster_operator_run.sh - volumeMounts: - - name: strimzi-tmp - mountPath: /tmp - - name: 
co-config-volume - mountPath: /opt/strimzi/custom-config/ - env: - - name: STRIMZI_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: STRIMZI_FULL_RECONCILIATION_INTERVAL_MS - value: "120000" - - name: STRIMZI_OPERATION_TIMEOUT_MS - value: "300000" - - name: STRIMZI_DEFAULT_TLS_SIDECAR_ENTITY_OPERATOR_IMAGE - value: quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_DEFAULT_KAFKA_EXPORTER_IMAGE - value: quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_DEFAULT_CRUISE_CONTROL_IMAGE - value: quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_KAFKA_IMAGES - value: | - 3.5.0=quay.io/strimzi/kafka:0.38.0-kafka-3.5.0 - 3.5.1=quay.io/strimzi/kafka:0.38.0-kafka-3.5.1 - 3.6.0=quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_KAFKA_CONNECT_IMAGES - value: | - 3.5.0=quay.io/strimzi/kafka:0.38.0-kafka-3.5.0 - 3.5.1=quay.io/strimzi/kafka:0.38.0-kafka-3.5.1 - 3.6.0=quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_KAFKA_MIRROR_MAKER_IMAGES - value: | - 3.5.0=quay.io/strimzi/kafka:0.38.0-kafka-3.5.0 - 3.5.1=quay.io/strimzi/kafka:0.38.0-kafka-3.5.1 - 3.6.0=quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_KAFKA_MIRROR_MAKER_2_IMAGES - value: | - 3.5.0=quay.io/strimzi/kafka:0.38.0-kafka-3.5.0 - 3.5.1=quay.io/strimzi/kafka:0.38.0-kafka-3.5.1 - 3.6.0=quay.io/strimzi/kafka:0.38.0-kafka-3.6.0 - - name: STRIMZI_DEFAULT_TOPIC_OPERATOR_IMAGE - value: quay.io/strimzi/operator:0.38.0 - - name: STRIMZI_DEFAULT_USER_OPERATOR_IMAGE - value: quay.io/strimzi/operator:0.38.0 - - name: STRIMZI_DEFAULT_KAFKA_INIT_IMAGE - value: quay.io/strimzi/operator:0.38.0 - - name: STRIMZI_DEFAULT_KAFKA_BRIDGE_IMAGE - value: quay.io/strimzi/kafka-bridge:0.27.0 - - name: STRIMZI_DEFAULT_KANIKO_EXECUTOR_IMAGE - value: quay.io/strimzi/kaniko-executor:0.38.0 - - name: STRIMZI_DEFAULT_MAVEN_BUILDER - value: quay.io/strimzi/maven-builder:0.38.0 - - name: STRIMZI_OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - 
name: STRIMZI_FEATURE_GATES - value: "" - - name: STRIMZI_LEADER_ELECTION_ENABLED - value: "true" - - name: STRIMZI_LEADER_ELECTION_LEASE_NAME - value: "strimzi-cluster-operator" - - name: STRIMZI_LEADER_ELECTION_LEASE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: STRIMZI_LEADER_ELECTION_IDENTITY - valueFrom: - fieldRef: - fieldPath: metadata.name - livenessProbe: - httpGet: - path: /healthy - port: http - initialDelaySeconds: 10 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /ready - port: http - initialDelaySeconds: 10 - periodSeconds: 30 - resources: - limits: - cpu: 1000m - memory: 384Mi - requests: - cpu: 200m - memory: 384Mi + sessionId: + type: string + description: The session identifier for requests to Cruise Control pertaining to this KafkaRebalance resource. This is used by the Kafka Rebalance operator to track the status of ongoing rebalancing operations. + optimizationResult: + x-kubernetes-preserve-unknown-fields: true + type: object + description: A JSON object describing the optimization result. + description: The status of the Kafka rebalance. --- From 9541bb6f66b643c470291ca2753fee7c1fb6ad5e Mon Sep 17 00:00:00 2001 
From: Knative Automation Date: Mon, 15 Jan 2024 11:45:37 -0500 Subject: [PATCH 03/12] upgrade to latest dependencies (#3602) bumping golang.org/x/sys 13b15b7...0829ab1: > 0829ab1 windows: add SetFileValidData > 32cdffc unix: don't redefine constants already defined in glibc headers > f0c7190 unix: remove extra trailing newlines in zsyscall_openbsd_*.go > 5ff87d7 unix: add Netfilter and NFTables constants bumping golang.org/x/term ee66497...ae94145: > ae94145 go.mod: update golang.org/x dependencies bumping golang.org/x/oauth2 6e9ec93...39adbb7: > 39adbb7 go.mod: update golang.org/x dependencies > 4ce7bbb google: add Credentials.GetUniverseDomain with GCE MDS support > 1e6999b google: add UniverseDomain to CredentialsParams bumping golang.org/x/net a8e0109...cb5b10f: > cb5b10f go.mod: update golang.org/x dependencies > 689bbc7 quic: deflake TestStreamsCreateConcurrency > f12db26 internal/quic/cmd/interop: use wget --no-verbose in Dockerfile > c136d0c quic: avoid panic when PTO expires and implicitly-created streams exist > f9726a9 quic: fix packet size logging > c337daf quic: enable qlog output in tests > 2b416c3 quic/qlog: create log files with O_EXCL > 1e59a7e quic/qlog: correctly write negative durations > b0eb4d6 quic: compute pnum len from max ack received, not sent > b952594 quic: fix data race in connection close > 577e44a quic: skip leaked goroutine check on GOOS=js > 65efbad quic: avoid leaking tls goroutines in tests > 08a78b1 quic: unblock operations when closing conns > c1b6eee quic: send occasional ack-eliciting packets > 491f354 quic: log packets and frames > f812076 http2: explicitly set minimum TLS version in tests bumping knative.dev/pkg bc230ae...f95090a: > f95090a Bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.0 (# 2935) > 347a4b5 Bump github.com/prometheus/common from 0.45.0 to 0.46.0 (# 2937) > e8c79d4 Bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (# 2934) > ff26179 Bump golang.org/x/tools from 0.16.1 to 0.17.0 (# 2936) > e0d5064 Bump 
golang.org/x/net from 0.19.0 to 0.20.0 (# 2933) 
Signed-off-by: Knative Automation --- go.mod | 23 +- go.sum | 46 +- .../v2/pbutil/LICENSE | 201 --- .../v2/pbutil/NOTICE | 1 - .../json-patch/v5/internal/json/decode.go | 1385 ++++++++++++++++ .../json-patch/v5/internal/json/encode.go | 1473 +++++++++++++++++ .../json-patch/v5/internal/json/fold.go | 141 ++ .../json-patch/v5/internal/json/fuzz.go | 42 + .../json-patch/v5/internal/json/indent.go | 143 ++ .../json-patch/v5/internal/json/scanner.go | 610 +++++++ .../json-patch/v5/internal/json/stream.go | 515 ++++++ .../json-patch/v5/internal/json/tables.go | 218 +++ .../json-patch/v5/internal/json/tags.go | 38 + .../github.com/evanphx/json-patch/v5/merge.go | 58 +- .../github.com/evanphx/json-patch/v5/patch.go | 325 ++-- .../golang_protobuf_extensions/v2/LICENSE | 201 --- .../golang_protobuf_extensions/v2/NOTICE | 1 - .../v2/pbutil/.gitignore | 1 - .../v2/pbutil/Makefile | 7 - .../v2/pbutil/decode.go | 81 - .../v2/pbutil/doc.go | 16 - .../v2/pbutil/encode.go | 49 - .../prometheus/common/expfmt/decode.go | 9 +- .../prometheus/common/expfmt/encode.go | 7 +- .../prometheus/common/expfmt/text_parse.go | 8 +- .../prometheus/common/model/alert.go | 4 +- .../prometheus/common/model/metadata.go | 28 + .../prometheus/common/model/metric.go | 10 +- .../prometheus/common/model/signature.go | 6 +- .../prometheus/common/model/silence.go | 2 +- .../prometheus/common/model/value.go | 16 +- .../prometheus/common/model/value_float.go | 14 +- .../x/crypto/internal/poly1305/bits_compat.go | 39 - .../x/crypto/internal/poly1305/bits_go1.13.go | 21 - .../x/crypto/internal/poly1305/sum_generic.go | 43 +- vendor/golang.org/x/oauth2/google/default.go | 72 +- vendor/golang.org/x/sys/unix/mkerrors.sh | 37 +- vendor/golang.org/x/sys/unix/zerrors_linux.go | 54 + .../x/sys/unix/zsyscall_openbsd_386.go | 2 - .../x/sys/unix/zsyscall_openbsd_amd64.go | 2 - .../x/sys/unix/zsyscall_openbsd_arm.go | 2 - .../x/sys/unix/zsyscall_openbsd_arm64.go | 2 - .../x/sys/unix/zsyscall_openbsd_mips64.go | 2 - 
.../x/sys/unix/zsyscall_openbsd_ppc64.go | 2 - .../x/sys/unix/zsyscall_openbsd_riscv64.go | 2 - .../x/sys/windows/syscall_windows.go | 1 + .../x/sys/windows/zsyscall_windows.go | 9 + .../encoding/protodelim/protodelim.go | 160 ++ .../features/new_trigger_filters/feature.go | 86 +- .../features/new_trigger_filters/filters.go | 3 +- vendor/modules.txt | 27 +- 51 files changed, 5342 insertions(+), 903 deletions(-) delete mode 100644 third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/LICENSE delete mode 100644 third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/NOTICE create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/fold.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/fuzz.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/indent.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/scanner.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/stream.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/tables.go create mode 100644 vendor/github.com/evanphx/json-patch/v5/internal/json/tags.go delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go delete mode 100644 vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go delete mode 100644 
vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go create mode 100644 vendor/github.com/prometheus/common/model/metadata.go delete mode 100644 vendor/golang.org/x/crypto/internal/poly1305/bits_compat.go delete mode 100644 vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go create mode 100644 vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go
diff --git a/go.mod b/go.mod
index 7f47cd3441..5a101ea2f4 100644
--- a/go.mod
+++ b/go.mod
@@ -35,10 +35,10 @@ require (
 k8s.io/apiserver v0.28.5
 k8s.io/client-go v0.28.5
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
-knative.dev/eventing v0.39.1-0.20240111175334-3cbddd640f53
+knative.dev/eventing v0.39.1-0.20240115085419-42af160c3cfc
 knative.dev/hack v0.0.0-20240111013919-e89096d74d85
-knative.dev/pkg v0.0.0-20240111013350-bc230ae58d14
-knative.dev/reconciler-test v0.0.0-20240111144344-71a6b2b04861
+knative.dev/pkg v0.0.0-20240115132401-f95090a164db
+knative.dev/reconciler-test v0.0.0-20240115013758-eaf0b825b575
 sigs.k8s.io/controller-runtime v0.12.3
 sigs.k8s.io/yaml v1.4.0
 )
@@ -69,7 +69,7 @@ require (
 github.com/eapache/queue v1.1.0 // indirect
 github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-github.com/evanphx/json-patch/v5 v5.7.0 // indirect
+github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 github.com/go-kit/log v0.2.1 // indirect
@@ -107,7 +107,6 @@ require (
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/klauspost/compress v1.16.7 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -118,7 +117,7 @@ require (
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/prometheus/client_golang v1.18.0 // indirect
 github.com/prometheus/client_model v0.5.0 // indirect
-github.com/prometheus/common v0.45.0 // indirect
+github.com/prometheus/common v0.46.0 // indirect
 github.com/prometheus/procfs v0.12.0 // indirect
 github.com/prometheus/statsd_exporter v0.22.7 // indirect
 github.com/rickb777/plural v1.2.2 // indirect
@@ -135,16 +134,16 @@ require (
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
 go.opentelemetry.io/otel/metric v1.21.0 // indirect
 go.uber.org/automaxprocs v1.5.3 // indirect
-golang.org/x/crypto v0.17.0 // indirect
+golang.org/x/crypto v0.18.0 // indirect
 golang.org/x/mod v0.14.0 // indirect
-golang.org/x/net v0.19.0 // indirect
-golang.org/x/oauth2 v0.15.0 // indirect
+golang.org/x/net v0.20.0 // indirect
+golang.org/x/oauth2 v0.16.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
-golang.org/x/sys v0.15.0 // indirect
-golang.org/x/term v0.15.0 // indirect
+golang.org/x/sys v0.16.0 // indirect
+golang.org/x/term v0.16.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.5.0 // indirect
-golang.org/x/tools v0.16.1 // indirect
+golang.org/x/tools v0.17.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/api v0.155.0 // indirect
diff --git a/go.sum b/go.sum
index c0b65c0898..ff5507ff6f 100644
--- a/go.sum
+++ b/go.sum
@@ -190,8 +190,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/evanphx/json-patch/v5 v5.2.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
-github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=
-github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
+github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -522,8 +522,6 @@ github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHX
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -609,8 +607,8 @@ github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/common v0.35.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
 github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
+github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -770,8 +768,8 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -858,8 +856,8 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -868,8 +866,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
-golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
+golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -943,15 +941,15 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1030,8 +1028,8 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1242,14 +1240,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.39.1-0.20240111175334-3cbddd640f53 h1:/bNPG11sPU1gLTAA9Dl5ZFvVLicYOzVFQ4gG2SBaBWI=
-knative.dev/eventing v0.39.1-0.20240111175334-3cbddd640f53/go.mod h1:D9CdRKD3XPEN0bgBNA+NIb1J2HUPPhimIEnsenxfr88=
+knative.dev/eventing v0.39.1-0.20240115085419-42af160c3cfc h1:XUStgo3Ufw/OLPsk0G9AdUVya8Txzhz1ViHH3hLvM5Q=
+knative.dev/eventing v0.39.1-0.20240115085419-42af160c3cfc/go.mod h1:D9CdRKD3XPEN0bgBNA+NIb1J2HUPPhimIEnsenxfr88=
 knative.dev/hack v0.0.0-20240111013919-e89096d74d85 h1:ERgPObDcW9LfaEPAeFvbW3UJcF3C3ul6B2ErNMv13OE=
 knative.dev/hack v0.0.0-20240111013919-e89096d74d85/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20240111013350-bc230ae58d14 h1:F3+36IHb7qFLg0r43QBfF+PRcMXHnHOpS0gIERZGpXA=
-knative.dev/pkg v0.0.0-20240111013350-bc230ae58d14/go.mod h1:8/u65OwQ+l56FFE1j8BB/rMiy6B9dom4fTrvLFZ/Vqg=
-knative.dev/reconciler-test v0.0.0-20240111144344-71a6b2b04861 h1:R5gZHRV303ntominOoccjHow5zBA/WpA97Cg5aF56Bw=
-knative.dev/reconciler-test v0.0.0-20240111144344-71a6b2b04861/go.mod h1:XyEKX1l6HKLKgifABg1A+u/IZteyVivjfYM32ZtfxP0=
+knative.dev/pkg v0.0.0-20240115132401-f95090a164db h1:R63oGanRi+VR0t0PO0Sir4XUYSxxlkzqAO/ULOXboNs=
+knative.dev/pkg v0.0.0-20240115132401-f95090a164db/go.mod h1:cointeW7atmC6znxBSHmJtKIaQSf5EdLnDUYvUxIktk=
+knative.dev/reconciler-test v0.0.0-20240115013758-eaf0b825b575 h1:XsIThpt7pT8X5Dgu0hJcU1OezBXOFsj/WGnhwkn+amc=
+knative.dev/reconciler-test v0.0.0-20240115013758-eaf0b825b575/go.mod h1:XyEKX1l6HKLKgifABg1A+u/IZteyVivjfYM32ZtfxP0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
diff --git a/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/LICENSE b/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/LICENSE
deleted file mode 100644
index 8dada3edaf..0000000000
--- a/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "{}"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright {yyyy} {name of copyright owner}
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/NOTICE b/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/NOTICE
deleted file mode 100644
index 5d8cb5b72e..0000000000
--- a/third_party/VENDOR-LICENSE/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/NOTICE
+++ /dev/null
@@ -1 +0,0 @@
-Copyright 2012 Matt T. Proud (matt.proud@gmail.com)
diff --git a/vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go b/vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go
new file mode 100644
index 0000000000..e9bb0efe77
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go
@@ -0,0 +1,1385 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Represents JSON data structure using native Go types: booleans, floats, +// strings, arrays, and maps. + +package json + +import ( + "encoding" + "encoding/base64" + "fmt" + "reflect" + "strconv" + "strings" + "sync" + "unicode" + "unicode/utf16" + "unicode/utf8" +) + +// Unmarshal parses the JSON-encoded data and stores the result +// in the value pointed to by v. If v is nil or not a pointer, +// Unmarshal returns an InvalidUnmarshalError. +// +// Unmarshal uses the inverse of the encodings that +// Marshal uses, allocating maps, slices, and pointers as necessary, +// with the following additional rules: +// +// To unmarshal JSON into a pointer, Unmarshal first handles the case of +// the JSON being the JSON literal null. In that case, Unmarshal sets +// the pointer to nil. Otherwise, Unmarshal unmarshals the JSON into +// the value pointed at by the pointer. If the pointer is nil, Unmarshal +// allocates a new value for it to point to. +// +// To unmarshal JSON into a value implementing the Unmarshaler interface, +// Unmarshal calls that value's UnmarshalJSON method, including +// when the input is a JSON null. +// Otherwise, if the value implements encoding.TextUnmarshaler +// and the input is a JSON quoted string, Unmarshal calls that value's +// UnmarshalText method with the unquoted form of the string. +// +// To unmarshal JSON into a struct, Unmarshal matches incoming object +// keys to the keys used by Marshal (either the struct field name or its tag), +// preferring an exact match but also accepting a case-insensitive match. By +// default, object keys which don't have a corresponding struct field are +// ignored (see Decoder.DisallowUnknownFields for an alternative). 
+// +// To unmarshal JSON into an interface value, +// Unmarshal stores one of these in the interface value: +// +// bool, for JSON booleans +// float64, for JSON numbers +// string, for JSON strings +// []interface{}, for JSON arrays +// map[string]interface{}, for JSON objects +// nil for JSON null +// +// To unmarshal a JSON array into a slice, Unmarshal resets the slice length +// to zero and then appends each element to the slice. +// As a special case, to unmarshal an empty JSON array into a slice, +// Unmarshal replaces the slice with a new empty slice. +// +// To unmarshal a JSON array into a Go array, Unmarshal decodes +// JSON array elements into corresponding Go array elements. +// If the Go array is smaller than the JSON array, +// the additional JSON array elements are discarded. +// If the JSON array is smaller than the Go array, +// the additional Go array elements are set to zero values. +// +// To unmarshal a JSON object into a map, Unmarshal first establishes a map to +// use. If the map is nil, Unmarshal allocates a new map. Otherwise Unmarshal +// reuses the existing map, keeping existing entries. Unmarshal then stores +// key-value pairs from the JSON object into the map. The map's key type must +// either be any string type, an integer, implement json.Unmarshaler, or +// implement encoding.TextUnmarshaler. +// +// If the JSON-encoded data contain a syntax error, Unmarshal returns a SyntaxError. +// +// If a JSON value is not appropriate for a given target type, +// or if a JSON number overflows the target type, Unmarshal +// skips that field and completes the unmarshaling as best it can. +// If no more serious errors are encountered, Unmarshal returns +// an UnmarshalTypeError describing the earliest such error. In any +// case, it's not guaranteed that all the remaining fields following +// the problematic one will be unmarshaled into the target object. 
+// +// The JSON null value unmarshals into an interface, map, pointer, or slice +// by setting that Go value to nil. Because null is often used in JSON to mean +// “not present,” unmarshaling a JSON null into any other Go type has no effect +// on the value and produces no error. +// +// When unmarshaling quoted strings, invalid UTF-8 or +// invalid UTF-16 surrogate pairs are not treated as an error. +// Instead, they are replaced by the Unicode replacement +// character U+FFFD. +func Unmarshal(data []byte, v any) error { + // Check for well-formedness. + // Avoids filling out half a data structure + // before discovering a JSON syntax error. + d := ds.Get().(*decodeState) + defer ds.Put(d) + //var d decodeState + d.useNumber = true + err := checkValid(data, &d.scan) + if err != nil { + return err + } + + d.init(data) + return d.unmarshal(v) +} + +var ds = sync.Pool{ + New: func() any { + return new(decodeState) + }, +} + +func UnmarshalWithKeys(data []byte, v any) ([]string, error) { + // Check for well-formedness. + // Avoids filling out half a data structure + // before discovering a JSON syntax error. + + d := ds.Get().(*decodeState) + defer ds.Put(d) + //var d decodeState + d.useNumber = true + err := checkValid(data, &d.scan) + if err != nil { + return nil, err + } + + d.init(data) + err = d.unmarshal(v) + if err != nil { + return nil, err + } + + return d.lastKeys, nil +} + +func UnmarshalValid(data []byte, v any) error { + // Check for well-formedness. + // Avoids filling out half a data structure + // before discovering a JSON syntax error. + d := ds.Get().(*decodeState) + defer ds.Put(d) + //var d decodeState + d.useNumber = true + + d.init(data) + return d.unmarshal(v) +} + +func UnmarshalValidWithKeys(data []byte, v any) ([]string, error) { + // Check for well-formedness. + // Avoids filling out half a data structure + // before discovering a JSON syntax error. 
+ + d := ds.Get().(*decodeState) + defer ds.Put(d) + //var d decodeState + d.useNumber = true + + d.init(data) + err := d.unmarshal(v) + if err != nil { + return nil, err + } + + return d.lastKeys, nil +} + +// Unmarshaler is the interface implemented by types +// that can unmarshal a JSON description of themselves. +// The input can be assumed to be a valid encoding of +// a JSON value. UnmarshalJSON must copy the JSON data +// if it wishes to retain the data after returning. +// +// By convention, to approximate the behavior of Unmarshal itself, +// Unmarshalers implement UnmarshalJSON([]byte("null")) as a no-op. +type Unmarshaler interface { + UnmarshalJSON([]byte) error +} + +// An UnmarshalTypeError describes a JSON value that was +// not appropriate for a value of a specific Go type. +type UnmarshalTypeError struct { + Value string // description of JSON value - "bool", "array", "number -5" + Type reflect.Type // type of Go value it could not be assigned to + Offset int64 // error occurred after reading Offset bytes + Struct string // name of the struct type containing the field + Field string // the full path from root node to the field +} + +func (e *UnmarshalTypeError) Error() string { + if e.Struct != "" || e.Field != "" { + return "json: cannot unmarshal " + e.Value + " into Go struct field " + e.Struct + "." + e.Field + " of type " + e.Type.String() + } + return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String() +} + +// An UnmarshalFieldError describes a JSON object key that +// led to an unexported (and therefore unwritable) struct field. +// +// Deprecated: No longer used; kept for compatibility. 
+type UnmarshalFieldError struct { + Key string + Type reflect.Type + Field reflect.StructField +} + +func (e *UnmarshalFieldError) Error() string { + return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String() +} + +// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal. +// (The argument to Unmarshal must be a non-nil pointer.) +type InvalidUnmarshalError struct { + Type reflect.Type +} + +func (e *InvalidUnmarshalError) Error() string { + if e.Type == nil { + return "json: Unmarshal(nil)" + } + + if e.Type.Kind() != reflect.Pointer { + return "json: Unmarshal(non-pointer " + e.Type.String() + ")" + } + return "json: Unmarshal(nil " + e.Type.String() + ")" +} + +func (d *decodeState) unmarshal(v any) error { + rv := reflect.ValueOf(v) + if rv.Kind() != reflect.Pointer || rv.IsNil() { + return &InvalidUnmarshalError{reflect.TypeOf(v)} + } + + d.scan.reset() + d.scanWhile(scanSkipSpace) + // We decode rv not rv.Elem because the Unmarshaler interface + // test must be applied at the top level of the value. + err := d.value(rv) + if err != nil { + return d.addErrorContext(err) + } + return d.savedError +} + +// A Number represents a JSON number literal. +type Number string + +// String returns the literal text of the number. +func (n Number) String() string { return string(n) } + +// Float64 returns the number as a float64. +func (n Number) Float64() (float64, error) { + return strconv.ParseFloat(string(n), 64) +} + +// Int64 returns the number as an int64. +func (n Number) Int64() (int64, error) { + return strconv.ParseInt(string(n), 10, 64) +} + +// An errorContext provides context for type errors during decoding. +type errorContext struct { + Struct reflect.Type + FieldStack []string +} + +// decodeState represents the state while decoding a JSON value. 
+type decodeState struct { + data []byte + off int // next read offset in data + opcode int // last read result + scan scanner + errorContext *errorContext + savedError error + useNumber bool + disallowUnknownFields bool + lastKeys []string +} + +// readIndex returns the position of the last byte read. +func (d *decodeState) readIndex() int { + return d.off - 1 +} + +// phasePanicMsg is used as a panic message when we end up with something that +// shouldn't happen. It can indicate a bug in the JSON decoder, or that +// something is editing the data slice while the decoder executes. +const phasePanicMsg = "JSON decoder out of sync - data changing underfoot?" + +func (d *decodeState) init(data []byte) *decodeState { + d.data = data + d.off = 0 + d.savedError = nil + if d.errorContext != nil { + d.errorContext.Struct = nil + // Reuse the allocated space for the FieldStack slice. + d.errorContext.FieldStack = d.errorContext.FieldStack[:0] + } + return d +} + +// saveError saves the first err it is called with, +// for reporting at the end of the unmarshal. +func (d *decodeState) saveError(err error) { + if d.savedError == nil { + d.savedError = d.addErrorContext(err) + } +} + +// addErrorContext returns a new error enhanced with information from d.errorContext +func (d *decodeState) addErrorContext(err error) error { + if d.errorContext != nil && (d.errorContext.Struct != nil || len(d.errorContext.FieldStack) > 0) { + switch err := err.(type) { + case *UnmarshalTypeError: + err.Struct = d.errorContext.Struct.Name() + err.Field = strings.Join(d.errorContext.FieldStack, ".") + } + } + return err +} + +// skip scans to the end of what was started. +func (d *decodeState) skip() { + s, data, i := &d.scan, d.data, d.off + depth := len(s.parseState) + for { + op := s.step(s, data[i]) + i++ + if len(s.parseState) < depth { + d.off = i + d.opcode = op + return + } + } +} + +// scanNext processes the byte at d.data[d.off]. 
+func (d *decodeState) scanNext() { + if d.off < len(d.data) { + d.opcode = d.scan.step(&d.scan, d.data[d.off]) + d.off++ + } else { + d.opcode = d.scan.eof() + d.off = len(d.data) + 1 // mark processed EOF with len+1 + } +} + +// scanWhile processes bytes in d.data[d.off:] until it +// receives a scan code not equal to op. +func (d *decodeState) scanWhile(op int) { + s, data, i := &d.scan, d.data, d.off + for i < len(data) { + newOp := s.step(s, data[i]) + i++ + if newOp != op { + d.opcode = newOp + d.off = i + return + } + } + + d.off = len(data) + 1 // mark processed EOF with len+1 + d.opcode = d.scan.eof() +} + +// rescanLiteral is similar to scanWhile(scanContinue), but it specialises the +// common case where we're decoding a literal. The decoder scans the input +// twice, once for syntax errors and to check the length of the value, and the +// second to perform the decoding. +// +// Only in the second step do we use decodeState to tokenize literals, so we +// know there aren't any syntax errors. We can take advantage of that knowledge, +// and scan a literal's bytes much more quickly. +func (d *decodeState) rescanLiteral() { + data, i := d.data, d.off +Switch: + switch data[i-1] { + case '"': // string + for ; i < len(data); i++ { + switch data[i] { + case '\\': + i++ // escaped char + case '"': + i++ // tokenize the closing quote too + break Switch + } + } + case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-': // number + for ; i < len(data); i++ { + switch data[i] { + case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', + '.', 'e', 'E', '+', '-': + default: + break Switch + } + } + case 't': // true + i += len("rue") + case 'f': // false + i += len("alse") + case 'n': // null + i += len("ull") + } + if i < len(data) { + d.opcode = stateEndValue(&d.scan, data[i]) + } else { + d.opcode = scanEnd + } + d.off = i + 1 +} + +// value consumes a JSON value from d.data[d.off-1:], decoding into v, and +// reads the following byte ahead. 
If v is invalid, the value is discarded. +// The first byte of the value has been read already. +func (d *decodeState) value(v reflect.Value) error { + switch d.opcode { + default: + panic(phasePanicMsg) + + case scanBeginArray: + if v.IsValid() { + if err := d.array(v); err != nil { + return err + } + } else { + d.skip() + } + d.scanNext() + + case scanBeginObject: + if v.IsValid() { + if err := d.object(v); err != nil { + return err + } + } else { + d.skip() + } + d.scanNext() + + case scanBeginLiteral: + // All bytes inside literal return scanContinue op code. + start := d.readIndex() + d.rescanLiteral() + + if v.IsValid() { + if err := d.literalStore(d.data[start:d.readIndex()], v, false); err != nil { + return err + } + } + } + return nil +} + +type unquotedValue struct{} + +// valueQuoted is like value but decodes a +// quoted string literal or literal null into an interface value. +// If it finds anything other than a quoted string literal or null, +// valueQuoted returns unquotedValue{}. +func (d *decodeState) valueQuoted() any { + switch d.opcode { + default: + panic(phasePanicMsg) + + case scanBeginArray, scanBeginObject: + d.skip() + d.scanNext() + + case scanBeginLiteral: + v := d.literalInterface() + switch v.(type) { + case nil, string: + return v + } + } + return unquotedValue{} +} + +// indirect walks down v allocating pointers as needed, +// until it gets to a non-pointer. +// If it encounters an Unmarshaler, indirect stops and returns that. +// If decodingNull is true, indirect stops at the first settable pointer so it +// can be set to nil. +func indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) { + // Issue #24153 indicates that it is generally not a guaranteed property + // that you may round-trip a reflect.Value by calling Value.Addr().Elem() + // and expect the value to still be settable for values derived from + // unexported embedded struct fields. 
+ // + // The logic below effectively does this when it first addresses the value + // (to satisfy possible pointer methods) and continues to dereference + // subsequent pointers as necessary. + // + // After the first round-trip, we set v back to the original value to + // preserve the original RW flags contained in reflect.Value. + v0 := v + haveAddr := false + + // If v is a named type and is addressable, + // start with its address, so that if the type has pointer methods, + // we find them. + if v.Kind() != reflect.Pointer && v.Type().Name() != "" && v.CanAddr() { + haveAddr = true + v = v.Addr() + } + for { + // Load value from interface, but only if the result will be + // usefully addressable. + if v.Kind() == reflect.Interface && !v.IsNil() { + e := v.Elem() + if e.Kind() == reflect.Pointer && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Pointer) { + haveAddr = false + v = e + continue + } + } + + if v.Kind() != reflect.Pointer { + break + } + + if decodingNull && v.CanSet() { + break + } + + // Prevent infinite loop if v is an interface pointing to its own address: + // var v interface{} + // v = &v + if v.Elem().Kind() == reflect.Interface && v.Elem().Elem() == v { + v = v.Elem() + break + } + if v.IsNil() { + v.Set(reflect.New(v.Type().Elem())) + } + if v.Type().NumMethod() > 0 && v.CanInterface() { + if u, ok := v.Interface().(Unmarshaler); ok { + return u, nil, reflect.Value{} + } + if !decodingNull { + if u, ok := v.Interface().(encoding.TextUnmarshaler); ok { + return nil, u, reflect.Value{} + } + } + } + + if haveAddr { + v = v0 // restore original value after round-trip Value.Addr().Elem() + haveAddr = false + } else { + v = v.Elem() + } + } + return nil, nil, v +} + +// array consumes an array from d.data[d.off-1:], decoding into v. +// The first byte of the array ('[') has been read already. +func (d *decodeState) array(v reflect.Value) error { + // Check for unmarshaler. 
+ u, ut, pv := indirect(v, false) + if u != nil { + start := d.readIndex() + d.skip() + return u.UnmarshalJSON(d.data[start:d.off]) + } + if ut != nil { + d.saveError(&UnmarshalTypeError{Value: "array", Type: v.Type(), Offset: int64(d.off)}) + d.skip() + return nil + } + v = pv + + // Check type of target. + switch v.Kind() { + case reflect.Interface: + if v.NumMethod() == 0 { + // Decoding into nil interface? Switch to non-reflect code. + ai := d.arrayInterface() + v.Set(reflect.ValueOf(ai)) + return nil + } + // Otherwise it's invalid. + fallthrough + default: + d.saveError(&UnmarshalTypeError{Value: "array", Type: v.Type(), Offset: int64(d.off)}) + d.skip() + return nil + case reflect.Array, reflect.Slice: + break + } + + i := 0 + for { + // Look ahead for ] - can only happen on first iteration. + d.scanWhile(scanSkipSpace) + if d.opcode == scanEndArray { + break + } + + // Get element of array, growing if necessary. + if v.Kind() == reflect.Slice { + // Grow slice if necessary + if i >= v.Cap() { + newcap := v.Cap() + v.Cap()/2 + if newcap < 4 { + newcap = 4 + } + newv := reflect.MakeSlice(v.Type(), v.Len(), newcap) + reflect.Copy(newv, v) + v.Set(newv) + } + if i >= v.Len() { + v.SetLen(i + 1) + } + } + + if i < v.Len() { + // Decode into element. + if err := d.value(v.Index(i)); err != nil { + return err + } + } else { + // Ran out of fixed array: skip. + if err := d.value(reflect.Value{}); err != nil { + return err + } + } + i++ + + // Next token must be , or ]. + if d.opcode == scanSkipSpace { + d.scanWhile(scanSkipSpace) + } + if d.opcode == scanEndArray { + break + } + if d.opcode != scanArrayValue { + panic(phasePanicMsg) + } + } + + if i < v.Len() { + if v.Kind() == reflect.Array { + // Array. Zero the rest. 
+ z := reflect.Zero(v.Type().Elem())
+ for ; i < v.Len(); i++ {
+ v.Index(i).Set(z)
+ }
+ } else {
+ v.SetLen(i)
+ }
+ }
+ if i == 0 && v.Kind() == reflect.Slice {
+ v.Set(reflect.MakeSlice(v.Type(), 0, 0))
+ }
+ return nil
+}
+
+var nullLiteral = []byte("null")
+var textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+
+// object consumes an object from d.data[d.off-1:], decoding into v.
+// The first byte ('{') of the object has been read already.
+func (d *decodeState) object(v reflect.Value) error {
+ // Check for unmarshaler.
+ u, ut, pv := indirect(v, false)
+ if u != nil {
+ start := d.readIndex()
+ d.skip()
+ return u.UnmarshalJSON(d.data[start:d.off])
+ }
+ if ut != nil {
+ d.saveError(&UnmarshalTypeError{Value: "object", Type: v.Type(), Offset: int64(d.off)})
+ d.skip()
+ return nil
+ }
+ v = pv
+ t := v.Type()
+
+ // Decoding into nil interface? Switch to non-reflect code.
+ if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
+ oi := d.objectInterface()
+ v.Set(reflect.ValueOf(oi))
+ return nil
+ }
+
+ var fields structFields
+
+ // Check type of target:
+ // struct or
+ // map[T1]T2 where T1 is string, an integer type,
+ // or an encoding.TextUnmarshaler
+ switch v.Kind() {
+ case reflect.Map:
+ // Map key must either have string kind, have an integer kind,
+ // or be an encoding.TextUnmarshaler.
+ switch t.Key().Kind() {
+ case reflect.String,
+ reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+ reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+ default:
+ if !reflect.PointerTo(t.Key()).Implements(textUnmarshalerType) {
+ d.saveError(&UnmarshalTypeError{Value: "object", Type: t, Offset: int64(d.off)})
+ d.skip()
+ return nil
+ }
+ }
+ if v.IsNil() {
+ v.Set(reflect.MakeMap(t))
+ }
+ case reflect.Struct:
+ fields = cachedTypeFields(t)
+ // ok
+ default:
+ d.saveError(&UnmarshalTypeError{Value: "object", Type: t, Offset: int64(d.off)})
+ d.skip()
+ return nil
+ }
+
+ var mapElem reflect.Value
+ var origErrorContext errorContext
+ if d.errorContext != nil {
+ origErrorContext = *d.errorContext
+ }
+
+ var keys []string
+
+ for {
+ // Read opening " of string key or closing }.
+ d.scanWhile(scanSkipSpace)
+ if d.opcode == scanEndObject {
+ // closing } - can only happen on first iteration.
+ break
+ }
+ if d.opcode != scanBeginLiteral {
+ panic(phasePanicMsg)
+ }
+
+ // Read key.
+ start := d.readIndex()
+ d.rescanLiteral()
+ item := d.data[start:d.readIndex()]
+ key, ok := unquoteBytes(item)
+ if !ok {
+ panic(phasePanicMsg)
+ }
+
+ keys = append(keys, string(key))
+
+ // Figure out field corresponding to key.
+ var subv reflect.Value
+ destring := false // whether the value is wrapped in a string to be decoded first
+
+ if v.Kind() == reflect.Map {
+ elemType := t.Elem()
+ if !mapElem.IsValid() {
+ mapElem = reflect.New(elemType).Elem()
+ } else {
+ mapElem.Set(reflect.Zero(elemType))
+ }
+ subv = mapElem
+ } else {
+ var f *field
+ if i, ok := fields.nameIndex[string(key)]; ok {
+ // Found an exact name match.
+ f = &fields.list[i]
+ } else {
+ // Fall back to the expensive case-insensitive
+ // linear search.
+ for i := range fields.list {
+ ff := &fields.list[i]
+ if ff.equalFold(ff.nameBytes, key) {
+ f = ff
+ break
+ }
+ }
+ }
+ if f != nil {
+ subv = v
+ destring = f.quoted
+ for _, i := range f.index {
+ if subv.Kind() == reflect.Pointer {
+ if subv.IsNil() {
+ // If a struct embeds a pointer to an unexported type,
+ // it is not possible to set a newly allocated value
+ // since the field is unexported.
+ //
+ // See https://golang.org/issue/21357
+ if !subv.CanSet() {
+ d.saveError(fmt.Errorf("json: cannot set embedded pointer to unexported struct: %v", subv.Type().Elem()))
+ // Invalidate subv to ensure d.value(subv) skips over
+ // the JSON value without assigning it to subv.
+ subv = reflect.Value{}
+ destring = false
+ break
+ }
+ subv.Set(reflect.New(subv.Type().Elem()))
+ }
+ subv = subv.Elem()
+ }
+ subv = subv.Field(i)
+ }
+ if d.errorContext == nil {
+ d.errorContext = new(errorContext)
+ }
+ d.errorContext.FieldStack = append(d.errorContext.FieldStack, f.name)
+ d.errorContext.Struct = t
+ } else if d.disallowUnknownFields {
+ d.saveError(fmt.Errorf("json: unknown field %q", key))
+ }
+ }
+
+ // Read : before value.
+ if d.opcode == scanSkipSpace {
+ d.scanWhile(scanSkipSpace)
+ }
+ if d.opcode != scanObjectKey {
+ panic(phasePanicMsg)
+ }
+ d.scanWhile(scanSkipSpace)
+
+ if destring {
+ switch qv := d.valueQuoted().(type) {
+ case nil:
+ if err := d.literalStore(nullLiteral, subv, false); err != nil {
+ return err
+ }
+ case string:
+ if err := d.literalStore([]byte(qv), subv, true); err != nil {
+ return err
+ }
+ default:
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
+ }
+ } else {
+ if err := d.value(subv); err != nil {
+ return err
+ }
+ }
+
+ // Write value back to map;
+ // if using struct, subv points into struct already.
+ if v.Kind() == reflect.Map {
+ kt := t.Key()
+ var kv reflect.Value
+ switch {
+ case reflect.PointerTo(kt).Implements(textUnmarshalerType):
+ kv = reflect.New(kt)
+ if err := d.literalStore(item, kv, true); err != nil {
+ return err
+ }
+ kv = kv.Elem()
+ case kt.Kind() == reflect.String:
+ kv = reflect.ValueOf(key).Convert(kt)
+ default:
+ switch kt.Kind() {
+ case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+ s := string(key)
+ n, err := strconv.ParseInt(s, 10, 64)
+ if err != nil || reflect.Zero(kt).OverflowInt(n) {
+ d.saveError(&UnmarshalTypeError{Value: "number " + s, Type: kt, Offset: int64(start + 1)})
+ break
+ }
+ kv = reflect.ValueOf(n).Convert(kt)
+ case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+ s := string(key)
+ n, err := strconv.ParseUint(s, 10, 64)
+ if err != nil || reflect.Zero(kt).OverflowUint(n) {
+ d.saveError(&UnmarshalTypeError{Value: "number " + s, Type: kt, Offset: int64(start + 1)})
+ break
+ }
+ kv = reflect.ValueOf(n).Convert(kt)
+ default:
+ panic("json: Unexpected key type") // should never occur
+ }
+ }
+ if kv.IsValid() {
+ v.SetMapIndex(kv, subv)
+ }
+ }
+
+ // Next token must be , or }.
+ if d.opcode == scanSkipSpace {
+ d.scanWhile(scanSkipSpace)
+ }
+ if d.errorContext != nil {
+ // Reset errorContext to its original state.
+ // Keep the same underlying array for FieldStack, to reuse the
+ // space and avoid unnecessary allocs.
+ d.errorContext.FieldStack = d.errorContext.FieldStack[:len(origErrorContext.FieldStack)]
+ d.errorContext.Struct = origErrorContext.Struct
+ }
+ if d.opcode == scanEndObject {
+ break
+ }
+ if d.opcode != scanObjectValue {
+ panic(phasePanicMsg)
+ }
+ }
+
+ if v.Kind() == reflect.Map {
+ d.lastKeys = keys
+ }
+ return nil
+}
+
+// convertNumber converts the number literal s to a float64 or a Number
+// depending on the setting of d.useNumber.
+func (d *decodeState) convertNumber(s string) (any, error) {
+ if d.useNumber {
+ return Number(s), nil
+ }
+ f, err := strconv.ParseFloat(s, 64)
+ if err != nil {
+ return nil, &UnmarshalTypeError{Value: "number " + s, Type: reflect.TypeOf(0.0), Offset: int64(d.off)}
+ }
+ return f, nil
+}
+
+var numberType = reflect.TypeOf(Number(""))
+
+// literalStore decodes a literal stored in item into v.
+//
+// fromQuoted indicates whether this literal came from unwrapping a
+// string from the ",string" struct tag option. this is used only to
+// produce more helpful error messages.
+func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) error {
+ // Check for unmarshaler.
+ if len(item) == 0 {
+ //Empty string given
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+ return nil
+ }
+ isNull := item[0] == 'n' // null
+ u, ut, pv := indirect(v, isNull)
+ if u != nil {
+ return u.UnmarshalJSON(item)
+ }
+ if ut != nil {
+ if item[0] != '"' {
+ if fromQuoted {
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+ return nil
+ }
+ val := "number"
+ switch item[0] {
+ case 'n':
+ val = "null"
+ case 't', 'f':
+ val = "bool"
+ }
+ d.saveError(&UnmarshalTypeError{Value: val, Type: v.Type(), Offset: int64(d.readIndex())})
+ return nil
+ }
+ s, ok := unquoteBytes(item)
+ if !ok {
+ if fromQuoted {
+ return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
+ }
+ panic(phasePanicMsg)
+ }
+ return ut.UnmarshalText(s)
+ }
+
+ v = pv
+
+ switch c := item[0]; c {
+ case 'n': // null
+ // The main parser checks that only true and false can reach here,
+ // but if this was a quoted string input, it could be anything.
+ if fromQuoted && string(item) != "null" {
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+ break
+ }
+ switch v.Kind() {
+ case reflect.Interface, reflect.Pointer, reflect.Map, reflect.Slice:
+ v.Set(reflect.Zero(v.Type()))
+ // otherwise, ignore null for primitives/string
+ }
+ case 't', 'f': // true, false
+ value := item[0] == 't'
+ // The main parser checks that only true and false can reach here,
+ // but if this was a quoted string input, it could be anything.
+ if fromQuoted && string(item) != "true" && string(item) != "false" {
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+ break
+ }
+ switch v.Kind() {
+ default:
+ if fromQuoted {
+ d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+ } else {
+ d.saveError(&UnmarshalTypeError{Value: "bool", Type: v.Type(), Offset: int64(d.readIndex())})
+ }
+ case reflect.Bool:
+ v.SetBool(value)
+ case reflect.Interface:
+ if v.NumMethod() == 0 {
+ v.Set(reflect.ValueOf(value))
+ } else {
+ d.saveError(&UnmarshalTypeError{Value: "bool", Type: v.Type(), Offset: int64(d.readIndex())})
+ }
+ }
+
+ case '"': // string
+ s, ok := unquoteBytes(item)
+ if !ok {
+ if fromQuoted {
+ return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
+ }
+ panic(phasePanicMsg)
+ }
+ switch v.Kind() {
+ default:
+ d.saveError(&UnmarshalTypeError{Value: "string", Type: v.Type(), Offset: int64(d.readIndex())})
+ case reflect.Slice:
+ if v.Type().Elem().Kind() != reflect.Uint8 {
+ d.saveError(&UnmarshalTypeError{Value: "string", Type: v.Type(), Offset: int64(d.readIndex())})
+ break
+ }
+ b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
+ n, err := base64.StdEncoding.Decode(b, s)
+ if err != nil {
+ d.saveError(err)
+ break
+ }
+ v.SetBytes(b[:n])
+ case reflect.String:
+ if v.Type() == numberType && !isValidNumber(string(s)) {
+ return fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item)
+ }
+ v.SetString(string(s))
+ case reflect.Interface:
+ if v.NumMethod() == 0 {
+ v.Set(reflect.ValueOf(string(s)))
+ } else {
+ d.saveError(&UnmarshalTypeError{Value: "string", Type: v.Type(), Offset: int64(d.readIndex())})
+ }
+ }
+
+ default: // number
+ if c != '-' && (c < '0' || c > '9') {
+ if fromQuoted {
+ return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
+ }
+ panic(phasePanicMsg)
+ }
+ s := string(item)
+ switch v.Kind() {
+ default:
+ if v.Kind() == reflect.String && v.Type() == numberType {
+ // s must be a valid number, because it's
+ // already been tokenized.
+ v.SetString(s)
+ break
+ }
+ if fromQuoted {
+ return fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type())
+ }
+ d.saveError(&UnmarshalTypeError{Value: "number", Type: v.Type(), Offset: int64(d.readIndex())})
+ case reflect.Interface:
+ n, err := d.convertNumber(s)
+ if err != nil {
+ d.saveError(err)
+ break
+ }
+ if v.NumMethod() != 0 {
+ d.saveError(&UnmarshalTypeError{Value: "number", Type: v.Type(), Offset: int64(d.readIndex())})
+ break
+ }
+ v.Set(reflect.ValueOf(n))
+
+ case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+ n, err := strconv.ParseInt(s, 10, 64)
+ if err != nil || v.OverflowInt(n) {
+ d.saveError(&UnmarshalTypeError{Value: "number " + s, Type: v.Type(), Offset: int64(d.readIndex())})
+ break
+ }
+ v.SetInt(n)
+
+ case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+ n, err := strconv.ParseUint(s, 10, 64)
+ if err != nil || v.OverflowUint(n) {
+ d.saveError(&UnmarshalTypeError{Value: "number " + s, Type: v.Type(), Offset: int64(d.readIndex())})
+ break
+ }
+ v.SetUint(n)
+
+ case reflect.Float32, reflect.Float64:
+ n, err := strconv.ParseFloat(s, v.Type().Bits())
+ if err != nil || v.OverflowFloat(n) {
+ d.saveError(&UnmarshalTypeError{Value: "number " + s, Type: v.Type(), Offset: int64(d.readIndex())})
+ break
+ }
+ v.SetFloat(n)
+ }
+ }
+ return nil
+}
+
+// The xxxInterface routines build up a value to be stored
+// in an empty interface. They are not strictly necessary,
+// but they avoid the weight of reflection in this common case.
+
+// valueInterface is like value but returns interface{}
+func (d *decodeState) valueInterface() (val any) {
+ switch d.opcode {
+ default:
+ panic(phasePanicMsg)
+ case scanBeginArray:
+ val = d.arrayInterface()
+ d.scanNext()
+ case scanBeginObject:
+ val = d.objectInterface()
+ d.scanNext()
+ case scanBeginLiteral:
+ val = d.literalInterface()
+ }
+ return
+}
+
+// arrayInterface is like array but returns []interface{}.
+func (d *decodeState) arrayInterface() []any {
+ var v = make([]any, 0)
+ for {
+ // Look ahead for ] - can only happen on first iteration.
+ d.scanWhile(scanSkipSpace)
+ if d.opcode == scanEndArray {
+ break
+ }
+
+ v = append(v, d.valueInterface())
+
+ // Next token must be , or ].
+ if d.opcode == scanSkipSpace {
+ d.scanWhile(scanSkipSpace)
+ }
+ if d.opcode == scanEndArray {
+ break
+ }
+ if d.opcode != scanArrayValue {
+ panic(phasePanicMsg)
+ }
+ }
+ return v
+}
+
+// objectInterface is like object but returns map[string]interface{}.
+func (d *decodeState) objectInterface() map[string]any {
+ m := make(map[string]any)
+ for {
+ // Read opening " of string key or closing }.
+ d.scanWhile(scanSkipSpace)
+ if d.opcode == scanEndObject {
+ // closing } - can only happen on first iteration.
+ break
+ }
+ if d.opcode != scanBeginLiteral {
+ panic(phasePanicMsg)
+ }
+
+ // Read string key.
+ start := d.readIndex()
+ d.rescanLiteral()
+ item := d.data[start:d.readIndex()]
+ key, ok := unquote(item)
+ if !ok {
+ panic(phasePanicMsg)
+ }
+
+ // Read : before value.
+ if d.opcode == scanSkipSpace {
+ d.scanWhile(scanSkipSpace)
+ }
+ if d.opcode != scanObjectKey {
+ panic(phasePanicMsg)
+ }
+ d.scanWhile(scanSkipSpace)
+
+ // Read value.
+ m[key] = d.valueInterface()
+
+ // Next token must be , or }.
+ if d.opcode == scanSkipSpace {
+ d.scanWhile(scanSkipSpace)
+ }
+ if d.opcode == scanEndObject {
+ break
+ }
+ if d.opcode != scanObjectValue {
+ panic(phasePanicMsg)
+ }
+ }
+ return m
+}
+
+// literalInterface consumes and returns a literal from d.data[d.off-1:] and
+// it reads the following byte ahead. The first byte of the literal has been
+// read already (that's how the caller knows it's a literal).
+func (d *decodeState) literalInterface() any {
+ // All bytes inside literal return scanContinue op code.
+ start := d.readIndex()
+ d.rescanLiteral()
+
+ item := d.data[start:d.readIndex()]
+
+ switch c := item[0]; c {
+ case 'n': // null
+ return nil
+
+ case 't', 'f': // true, false
+ return c == 't'
+
+ case '"': // string
+ s, ok := unquote(item)
+ if !ok {
+ panic(phasePanicMsg)
+ }
+ return s
+
+ default: // number
+ if c != '-' && (c < '0' || c > '9') {
+ panic(phasePanicMsg)
+ }
+ n, err := d.convertNumber(string(item))
+ if err != nil {
+ d.saveError(err)
+ }
+ return n
+ }
+}
+
+// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
+// or it returns -1.
+func getu4(s []byte) rune {
+ if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
+ return -1
+ }
+ var r rune
+ for _, c := range s[2:6] {
+ switch {
+ case '0' <= c && c <= '9':
+ c = c - '0'
+ case 'a' <= c && c <= 'f':
+ c = c - 'a' + 10
+ case 'A' <= c && c <= 'F':
+ c = c - 'A' + 10
+ default:
+ return -1
+ }
+ r = r*16 + rune(c)
+ }
+ return r
+}
+
+// unquote converts a quoted JSON string literal s into an actual string t.
+// The rules are different than for Go, so cannot use strconv.Unquote.
+func unquote(s []byte) (t string, ok bool) {
+ s, ok = unquoteBytes(s)
+ t = string(s)
+ return
+}
+
+func unquoteBytes(s []byte) (t []byte, ok bool) {
+ if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
+ return
+ }
+ s = s[1 : len(s)-1]
+
+ // Check for unusual characters. If there are none,
+ // then no unquoting is needed, so return a slice of the
+ // original bytes.
+ r := 0
+ for r < len(s) {
+ c := s[r]
+ if c == '\\' || c == '"' || c < ' ' {
+ break
+ }
+ if c < utf8.RuneSelf {
+ r++
+ continue
+ }
+ rr, size := utf8.DecodeRune(s[r:])
+ if rr == utf8.RuneError && size == 1 {
+ break
+ }
+ r += size
+ }
+ if r == len(s) {
+ return s, true
+ }
+
+ b := make([]byte, len(s)+2*utf8.UTFMax)
+ w := copy(b, s[0:r])
+ for r < len(s) {
+ // Out of room? Can only happen if s is full of
+ // malformed UTF-8 and we're replacing each
+ // byte with RuneError.
+ if w >= len(b)-2*utf8.UTFMax {
+ nb := make([]byte, (len(b)+utf8.UTFMax)*2)
+ copy(nb, b[0:w])
+ b = nb
+ }
+ switch c := s[r]; {
+ case c == '\\':
+ r++
+ if r >= len(s) {
+ return
+ }
+ switch s[r] {
+ default:
+ return
+ case '"', '\\', '/', '\'':
+ b[w] = s[r]
+ r++
+ w++
+ case 'b':
+ b[w] = '\b'
+ r++
+ w++
+ case 'f':
+ b[w] = '\f'
+ r++
+ w++
+ case 'n':
+ b[w] = '\n'
+ r++
+ w++
+ case 'r':
+ b[w] = '\r'
+ r++
+ w++
+ case 't':
+ b[w] = '\t'
+ r++
+ w++
+ case 'u':
+ r--
+ rr := getu4(s[r:])
+ if rr < 0 {
+ return
+ }
+ r += 6
+ if utf16.IsSurrogate(rr) {
+ rr1 := getu4(s[r:])
+ if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
+ // A valid pair; consume.
+ r += 6
+ w += utf8.EncodeRune(b[w:], dec)
+ break
+ }
+ // Invalid surrogate; fall back to replacement rune.
+ rr = unicode.ReplacementChar
+ }
+ w += utf8.EncodeRune(b[w:], rr)
+ }
+
+ // Quote, control characters are invalid.
+ case c == '"', c < ' ':
+ return
+
+ // ASCII
+ case c < utf8.RuneSelf:
+ b[w] = c
+ r++
+ w++
+
+ // Coerce to well-formed UTF-8.
+ default:
+ rr, size := utf8.DecodeRune(s[r:])
+ r += size
+ w += utf8.EncodeRune(b[w:], rr)
+ }
+ }
+ return b[0:w], true
+}
diff --git a/vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go b/vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go
new file mode 100644
index 0000000000..a1819b16ac
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go
@@ -0,0 +1,1473 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package json implements encoding and decoding of JSON as defined in
+// RFC 7159. The mapping between JSON and Go values is described
+// in the documentation for the Marshal and Unmarshal functions.
+//
+// See "JSON and Go" for an introduction to this package:
+// https://golang.org/doc/articles/json_and_go.html
+package json
+
+import (
+ "bytes"
+ "encoding"
+ "encoding/base64"
+ "fmt"
+ "math"
+ "reflect"
+ "sort"
+ "strconv"
+ "strings"
+ "sync"
+ "unicode"
+ "unicode/utf8"
+)
+
+// Marshal returns the JSON encoding of v.
+//
+// Marshal traverses the value v recursively.
+// If an encountered value implements the Marshaler interface
+// and is not a nil pointer, Marshal calls its MarshalJSON method
+// to produce JSON. If no MarshalJSON method is present but the
+// value implements encoding.TextMarshaler instead, Marshal calls
+// its MarshalText method and encodes the result as a JSON string.
+// The nil pointer exception is not strictly necessary
+// but mimics a similar, necessary exception in the behavior of
+// UnmarshalJSON.
+//
+// Otherwise, Marshal uses the following type-dependent default encodings:
+//
+// Boolean values encode as JSON booleans.
+//
+// Floating point, integer, and Number values encode as JSON numbers.
+//
+// String values encode as JSON strings coerced to valid UTF-8,
+// replacing invalid bytes with the Unicode replacement rune.
+// So that the JSON will be safe to embed inside HTML