
charts/redpanda: support schema_registry_client SASL credentials via secretRef #1503

Closed
AldoFusterTurpin wants to merge 5 commits into redpanda-data:main from AldoFusterTurpin:feat/schema-registry-sasl-secret-ref

Conversation

AldoFusterTurpin commented May 8, 2026

Summary

The V2 Helm chart had no way to configure SASL credentials for the schema registry's internal Kafka client (schema_registry_client) without storing plaintext passwords in the ConfigMap. This is a regression compared to the V1 operator, which already supports this via operator/pkg/resources/configuration.go.

This PR adds a saslSecretRef field to config.schema_registry_client that references a Kubernetes Secret containing the SASL username and password. Credentials are injected at pod start using the existing redpanda.yaml.fixups mechanism (the same approach already used for tiered storage credentials) so they never appear in plaintext in the ConfigMap or Helm release history.

How it works

  1. User sets config.schema_registry_client.saslSecretRef.name=<secret-name> where the Secret has keys username and password
  2. Helm writes a redpanda.yaml.fixups entry into the ConfigMap instructing the configurator init container to patch schema_registry_client.scram_username, schema_registry_client.scram_password, and schema_registry_client.sasl_mechanism
  3. The init container sources the values from env vars backed by secretKeyRef, applies them to redpanda.yaml, and Redpanda starts with credentials in place

The field names written to redpanda.yaml (scram_username, scram_password, sasl_mechanism) are documented Redpanda broker properties:
https://docs.redpanda.com/current/reference/properties/broker-properties/#schema-registry-client

Test plan

  • TestSASLClientFixups: unit test verifying fixup fields and env var names/keys
  • TestTemplate/sasl-schema-registry-client-secret-ref: integration test verifying env vars appear in the StatefulSet configurator init container when the feature is used
  • TestTemplate/sasl-disabled-secret-ref-ignored: verifies nothing is injected when auth.sasl.enabled is false
  • TestTemplate/11-update-sasl-users-values.yaml: existing test, confirmed still passing

Files auto-generated

For reference (even for myself), this is what I did to autogenerate files:

  1. Create the build output directory (not created automatically)
    mkdir -p .build

  2. Build the gen and gotohelm tools
    PATH="$(pwd)/.build:$PATH" task charts:generate:redpanda

That command does, in order:

  1. go:build:gen: builds the gen binary into .build/
  2. genpartial:redpanda: generates values_partial.gen.go (partial structs for optional overrides)
  3. genschema:redpanda: generates chart/values.schema.json from Go struct tags
  4. go:build:gotohelm: builds the gotohelm transpiler binary into .build/
  5. gotohelm:redpanda: transpiles the Go source files into chart/templates/*.go.tpl

The PATH prefix is needed because the task builds its own tools into .build/ and they need to be on the path to run.
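The property the PR description claims (credentials reach the configurator init container only through secretKeyRef and never sit in plaintext in a ConfigMap) is something a reviewer would want to check on rendered output. The following is an added example, not code from the PR or the chart: it runs over constructed manifests, and the init container name "configurator" and the env var names are assumptions.

```python
# Added example (not chart or PR code): check that a rendered release wires the
# schema_registry_client SASL credentials via secretKeyRef and leaks nothing into ConfigMaps.
import json

# Constructed sample manifests; the init container name "configurator" and the
# env var names are assumptions, not necessarily what the chart emits.
SECRET_NAME = "sr-sasl"
RENDERED = [
    {"kind": "ConfigMap", "metadata": {"name": "redpanda"},
     "data": {"redpanda.yaml": "schema_registry_client:\n  brokers: [redpanda-0:9093]\n"}},
    {"kind": "StatefulSet", "metadata": {"name": "redpanda"},
     "spec": {"template": {"spec": {"initContainers": [
         {"name": "configurator", "env": [
             {"name": "SCHEMA_REGISTRY_CLIENT_SASL_USERNAME",
              "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": "username"}}},
             {"name": "SCHEMA_REGISTRY_CLIENT_SASL_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": "password"}}},
         ]}]}}}},
]

def secret_key_refs(manifests, container="configurator"):
    """Env var name -> (secret, key) for secretKeyRef-backed env vars of the init container."""
    refs = {}
    for m in manifests:
        if m.get("kind") != "StatefulSet":
            continue
        for c in m["spec"]["template"]["spec"].get("initContainers", []):
            if c.get("name") != container:
                continue
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    refs[env["name"]] = (ref["name"], ref["key"])
    return refs

def sasl_keys_referenced(manifests, secret_name):
    """True when both the username and password keys of secret_name reach the container."""
    wired = set(secret_key_refs(manifests).values())
    return {(secret_name, "username"), (secret_name, "password")} <= wired

def configmap_leaks(manifests, plaintext_values):
    """Names of ConfigMaps whose data contains a plaintext credential value (expect none)."""
    leaking = []
    for m in manifests:
        if m.get("kind") == "ConfigMap":
            data = json.dumps(m.get("data", {}))
            if any(v in data for v in plaintext_values):
                leaking.append(m["metadata"]["name"])
    return leaking
```

On a real release, feed it the output of `helm template` converted to JSON and the actual secret values from the cluster.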

CLAassistant commented May 8, 2026

CLA assistant check
All committers have signed the CLA.

AldoFusterTurpin commented May 8, 2026

@RafalKorepta Could you please take a look when you have some time? 🙏 I created the PR because I need it for our cluster, but I believe this could be useful for other people as well.

Thank you a lot.

AldoFusterTurpin force-pushed the feat/schema-registry-sasl-secret-ref branch 2 times, most recently from e0246ca to 6810791 on May 11, 2026 18:33
david-yu commented

Hi @AldoFusterTurpin I can take a look, would it be ok if I re-open the PR but preserve the commits so our CI can run? I can see if i get it working end to end via test.

AldoFusterTurpin commented May 11, 2026

Hi @AldoFusterTurpin I can take a look, would it be ok if I re-open the PR but preserve the commits so our CI can run? I can see if i get it working end to end via test.

Sure! Thanks! (I just rebased main and force pushed now)

…secretRef

The V2 Helm chart had no way to configure SASL credentials for the schema registry's internal Kafka client without storing plaintext in the ConfigMap. This adds
config.schema_registry_client.saslSecretRef  (a reference to a Kubernetes Secret) which injects credentials at pod start via the existing redpanda.yaml.fixups
mechanism.
Split into two functions instead of returning both values
as both fields are never used from the same caller
AldoFusterTurpin force-pushed the feat/schema-registry-sasl-secret-ref branch from 6810791 to cb711b7 on May 11, 2026 22:26
david-yu commented

Closing as it is re-created here with more tests passing and other enhancements: #1520

david-yu closed this May 12, 2026