docs (k8s): Add Operator Console CRD deployment docs

[david-yu]

Summary

• Add Operator/Helm tabbed instructions for deploying Redpanda Console on Kubernetes using the Console custom resource (CRD)
• The Operator tab documents the Console CR with clusterRef for operator-managed Redpanda clusters and staticConfiguration for external clusters
• Tabs added to: Install Redpanda Console, Connect with TLS, Authentication and Security, and Verify Deployment sections

Context

The Redpanda Operator now supports a standalone Console CRD (see redpanda-data/redpanda-operator#1177) that manages Console deployments declaratively. The existing docs only covered the Helm chart approach. This PR adds the Operator path alongside Helm using the same tab pattern used elsewhere in the Kubernetes docs.

Test plan

• Verify Operator tab YAML examples match the Console CRD spec (cluster.redpanda.com/v1alpha2)
• Verify Helm tab content is unchanged from the original
• Preview the rendered page to confirm tabs display correctly
• Check all xrefs resolve

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	eee8a76
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/69be2b0e5af77e0008ef9949
😎 Deploy Preview	https://deploy-preview-1629--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ebe59bf7-0009-4d26-8300-b7d5088a90a2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The documentation for Kubernetes Console deployment was updated to provide parallel guidance for both Redpanda Operator and Helm-based deployments. The changes include restructuring the Install and Connect with TLS sections into tabbed interfaces covering both approaches, adding operator-specific instructions for creating and applying Console Custom Resources, and explaining configuration inheritance via clusterRef versus explicit staticConfiguration. The Verify deployment section was expanded with operator-specific verification commands, while Configuration examples were broadened to include Console CR patterns alongside Helm value configurations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~25 minutes

Possibly related PRs

• auto-docs: Update CRD reference doc for release #1501: Updates Console CRD reference and related value/secret fields in documentation, directly complementing the Operator deployment instructions added in this PR.

Suggested reviewers

• JakeSCahill
• paulohtb6
• chrisseto

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description includes a clear summary of changes, helpful context about the Redpanda Operator support, and a test plan. However, it is missing the required JIRA ticket reference, review deadline, page preview links, and checkbox selections from the template.	Add the JIRA ticket link (Resolves https://...), review deadline, Netlify preview link for the deployment page, and mark appropriate checkboxes (e.g., New feature, Content gap, Support Follow-up, or Small fix).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding Operator Console CRD deployment documentation to Kubernetes docs, which aligns with the changeset focused on expanding k8s deployment instructions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/deploy/pages/console/kubernetes/deploy.adoc`:
- Around line 544-545: Replace the shorthand kubectl command "kubectl get
console -n redpanda" with the fully qualified CRD resource name "kubectl get
consoles.cluster.redpanda.com -n redpanda" so the example does not rely on CRD
shortname registration; update the line containing "kubectl get console -n
redpanda" to use "kubectl get consoles.cluster.redpanda.com -n redpanda".
- Around line 482-505: The example Console YAML mounts a secret but omits how
Console reads the password; update the Console spec so
spec.cluster.staticConfiguration.kafka.sasl includes a passwordFilepath pointing
to the mounted secret file (matching secretMounts.path), e.g. add
passwordFilepath: /etc/console/secrets/password under kafka.sasl in the Console
resource (refer to Console, spec.cluster.staticConfiguration.kafka.sasl and
secretMounts) so Console can read the password from the mounted file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6a8ba598-1bcb-4c45-a9c1-3b170d08f39c

📥 Commits

Reviewing files that changed from the base of the PR and between 4230c3f and 552dd09.

📒 Files selected for processing (1)

• modules/deploy/pages/console/kubernetes/deploy.adoc

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For Redpanda Operator Console CRD (apiVersion: cluster.redpanda.com/v1alpha2, kind: Console), what is the exact schema for providing SASL passwords from Kubernetes Secrets when using cluster.staticConfiguration.kafka.sasl? Please include the canonical field names and a minimal valid YAML example.

💡 Result:

The Redpanda Operator Console CRD (apiVersion: cluster.redpanda.com/v1alpha2, kind: Console) configures Redpanda Console instances, including staticConfiguration for manual cluster connections when not using clusterRef. For cluster.staticConfiguration.kafka.sasl to provide SASL passwords from Kubernetes Secrets, use inline strings for username and password fields. Secrets are mounted as files or env vars by the operator/Helm based on config, but docs show direct string values (use env vars for security in YAML). Schema under staticConfiguration.kafka.sasl (for SCRAM/PLAIN): - enabled: boolean - mechanism: string (e.g., SCRAM-SHA-256, PLAIN, OAUTHBEARER, GSSAPI) - impersonateUser: boolean (default false for static) - username: string (from Secret) - password: string (from Secret) For OAUTHBEARER: - oauth: - token: string - clientId: string - clientSecret: string Minimal valid YAML example for Console CRD with SASL/SCRAM (passwords as inline strings; replace with Secret refs via env in practice): apiVersion: cluster.redpanda.com/v1alpha2 kind: Console metadata: name: example-console spec: staticConfiguration: kafka: brokers: - redpanda.example:9092 sasl: enabled: true mechanism: SCRAM-SHA-256 username: console-user password: supersecretpass image: redpandadata/console:2.4.0

Citations:

• 1: https://docs.redpanda.com/current/reference/k-crd/
• 2: https://docs.redpanda.com/current/console/config/security/authentication
• 3: https://docs.redpanda.com/current/console/config/connect-to-redpanda
• 4: https://docs.redpanda.com/current/console/config/configure-console
• 5: https://docs.redpanda.com/23.3/reference/console/config
• 6: https://docs.vectorized.io/current/console/config/configure-console/

---

🏁 Script executed:

# Search for Console CRD examples showing complete SASL+secretMounts configuration
git ls-files | grep -E "(console|crd)" | head -20

Repository: redpanda-data/docs

Length of output: 969

---

🌐 Web query:

Redpanda Operator Console CRD secretMounts with SASL password reference - complete working example with staticConfiguration

💡 Result:

Here is a complete working example for deploying Redpanda Console using the Redpanda Operator with staticConfiguration for SASL authentication using secretMounts to reference a Kubernetes Secret containing the SASL password. ## Prerequisites 1. Redpanda cluster deployed with SASL enabled (e.g., SCRAM-SHA-256) and a superuser created. 2. Kubernetes Secret containing the SASL credentials. Create the Secret: kubectl create secret generic console-sasl-secret \ --from-literal=username=admin \ --from-literal=password=your-superuser-password \ -n redpanda ## Console CRD Example yaml apiVersion: cluster.redpanda.com/v1alpha2 kind: Console metadata: name: redpanda-console namespace: redpanda spec: clusterRef: name: redpanda # Name of your Redpanda cluster staticConfiguration: # Use staticConfiguration instead of auto-discovery via clusterRef for custom SASL kafka: brokers: - redpanda-0.redpanda.redpanda.svc.cluster.local:9092 - redpanda-1.redpanda.redpanda.svc.cluster.local:9092 - redpanda-2.redpanda.redpanda.svc.cluster.local:9092 sasl: enabled: true mechanism: SCRAM-SHA-256 # Match your Redpanda SASL mechanism username: admin # Or reference via envFrom if needed passwordFilepath: /etc/console-secrets/password # Path where secret is mounted clientId: console redpanda: adminApi: enabled: true urls: - redpanda-0.redpanda.redpanda.svc.cluster.local:9644 - redpanda-1.redpanda.redpanda.svc.cluster.local:9644 - redpanda-2.redpanda.redpanda.svc.cluster.local:9644 authentication: impersonateUser: true # Uses Console login credentials server: listenPort: 8080 secretMounts: # Mount the SASL password as a file - name: console-secrets secret: secretName: console-sasl-secret path: /etc/console-secrets items: - key: password path: password - key: username # Optional, if not hardcoded path: username Apply the CRD: kubectl apply -f console-crd.yaml ## Explanation - staticConfiguration: Manually configures Kafka connection details with SASL, overriding clusterRef auto-discovery when custom auth is needed (sources 12,16,4). - secretMounts: Mounts the Secret as files in /etc/console-secrets/ inside the Console Pod. Console reads passwordFilepath for the SASL password (source 58). - SASL Configuration: Matches Redpanda's SASL setup. Use SCRAM-SHA-256 or SCRAM-SHA-512 as configured in your RedpandaCluster CR (sources 1,3). - Admin API: Configured for Redpanda-specific features like user management. ## Verification kubectl port-forward svc/redpanda-console 8080:8080 -n redpanda Access http://localhost:8080. Console connects using mounted SASL credentials. This synthesizes official docs: Console CRD uses secretMounts for files like passwords (58), staticConfiguration for SASL (12,16), matching Helm spec patterns (58) and standalone YAML (2,4,22).

Citations:

• 1: https://docs.redpanda.com/current/manage/kubernetes/security/authentication/k-authentication/
• 2: https://docs.redpanda.com/24.2/console/config/configure-console
• 3: https://docs.redpanda.com/current/manage/kubernetes/security/authentication/k-user-controller/
• 4: https://docs.redpanda.com/current/console/config/connect-to-redpanda
• 5: https://docs.redpanda.com/current/console/config/configure-console
• 6: https://docs.redpanda.com/docs/console/config/connect-to-redpanda/
• 7: https://docs.redpanda.com/23.3/reference/k-crd
• 8: https://docs.redpanda.com/24.2/console/config/connect-to-redpanda/
• 9: https://www.tattravels.net
• 10: https://docs.redpanda.com/24.3/reference/k-console-helm-spec

---

🌐 Web query:

Redpanda console operator how to reference kubernetes secret in sasl password field from secretMounts

💡 Result:

To reference a Kubernetes secret in the SASL password field for Redpanda Console deployed via the Redpanda Operator, use the secretMounts configuration in the Console custom resource (CR). This mounts the secret as a file in the Console pod, which can then be referenced in the Console configuration under kafka.sasl.passwordFilepath. ## Steps: 1. Create a Kubernetes Secret containing the password: kubectl create secret generic console-sasl-secret \ --from-literal=password.txt='your-sasl-password' \ -n 2. Configure the Console CR with secretMounts and reference the file in the Kafka SASL config: apiVersion: console.redpanda.com/v1alpha1 kind: Console metadata: name: redpanda-console namespace: spec: clusterRef: name: redpanda secretMounts: - secretName: console-sasl-secret path: /etc/console/secrets config: kafka: sasl: enabled: true mechanism: SCRAM-SHA-256 # or PLAIN, etc. username: "console-user" passwordFilepath: /etc/console/secrets/password.txt 3. Apply the CR: kubectl apply -f console.yaml -n The Redpanda Operator mounts the secret at the specified path, making the password available as a file. Console reads it via passwordFilepath for secure SASL authentication to the Kafka/Redpanda brokers without hardcoding or using env vars directly in the config. This approach avoids embedding secrets in the YAML and leverages Kubernetes secret mounting, as supported in the Console Helm chart spec (which the operator uses) with secretMounts for files like certificates and passwords.

Citations:

• 1: https://docs.redpanda.com/24.3/reference/k-console-helm-spec
• 2: https://docs.redpanda.com/current/console/config/configure-console
• 3: https://docs.redpanda.com/current/deploy/console/kubernetes/deploy
• 4: https://docs.redpanda.com/docs/console/config/connect-to-redpanda/
• 5: https://docs.redpanda.com/current/console/config/connect-to-redpanda

---

Add passwordFilepath to SASL configuration to reference the mounted secret.

The example mounts a secret but doesn't show how Console consumes the password, which causes authentication to fail when copied as-is. Add the passwordFilepath field under kafka.sasl to reference the mounted secret file:

spec:
  cluster:
    staticConfiguration:
      kafka:
        brokers:
          - redpanda-0.redpanda.redpanda.svc.cluster.local:9092
        sasl:
          enabled: true
          mechanism: SCRAM-SHA-256
          username: console-user
          passwordFilepath: /etc/console/secrets/password
  secretMounts:
    - name: kafka-credentials
      secretName: console-kafka-credentials
      path: /etc/console/secrets

The passwordFilepath must point to the file path where the secret is mounted, matching the path in secretMounts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/deploy/pages/console/kubernetes/deploy.adoc` around lines 482 - 505,
The example Console YAML mounts a secret but omits how Console reads the
password; update the Console spec so spec.cluster.staticConfiguration.kafka.sasl
includes a passwordFilepath pointing to the mounted secret file (matching
secretMounts.path), e.g. add passwordFilepath: /etc/console/secrets/password
under kafka.sasl in the Console resource (refer to Console,
spec.cluster.staticConfiguration.kafka.sasl and secretMounts) so Console can
read the password from the mounted file.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Does kubectl always support kubectl get consolefor Redpanda Operator Console CRDs, or iskubectl get consoles.cluster.redpanda.com the more reliable form across clusters?

💡 Result:

kubectl get consoles.cluster.redpanda.com is the more reliable form for listing Redpanda Operator Console CRDs across clusters. kubectl get console works only if 'console' is registered as the short name in the CRD spec, which is not confirmed in current documentation. Official Redpanda Operator docs and migration guides use kubectl get console -A for the deprecated Console CR (likely with shortName 'console'), but current CRDs are under cluster.redpanda.com group (e.g., Redpanda at cluster.redpanda.com/v1alpha2). A 2022 PR shows historical Console CR as redpanda.vectorized.io/v1alpha1 kind: Console, suggesting short name support then, but deprecated now. The fully qualified form ensures compatibility regardless of short name configuration or discovery issues across clusters/contexts.

Citations:

• 1: https://docs.redpanda.com/current/reference/k-crd/
• 2: https://docs.redpanda.com/current/reference/k-crd-index/
• 3: https://docs.redpanda.com/23.3/upgrade/migrate/kubernetes/operator
• 4: https://docs.redpanda.com/current/deploy/redpanda/kubernetes/k-production-deployment/
• 5: Install redpanda console through operator redpanda#5758
• 6: https://docs.redpanda.com/current/console/config/configure-console

---

🏁 Script executed:

# Verify the exact file and line content
cat -n modules/deploy/pages/console/kubernetes/deploy.adoc | sed -n '540,550p'

Repository: redpanda-data/docs

Length of output: 317

---

Use fully qualified CRD resource name for portability.

Replace kubectl get console -n redpanda with kubectl get consoles.cluster.redpanda.com -n redpanda. The shorthand form depends on CRD shortname registration, which may not be configured consistently across clusters. Using the fully qualified resource name ensures the documentation example works reliably regardless of cluster configuration.

Suggested change

-kubectl get console -n redpanda
+kubectl get consoles.cluster.redpanda.com -n redpanda

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	kubectl get console -n redpanda
	----
	kubectl get consoles.cluster.redpanda.com -n redpanda
	----

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/deploy/pages/console/kubernetes/deploy.adoc` around lines 544 - 545,
Replace the shorthand kubectl command "kubectl get console -n redpanda" with the
fully qualified CRD resource name "kubectl get consoles.cluster.redpanda.com -n
redpanda" so the example does not rely on CRD shortname registration; update the
line containing "kubectl get console -n redpanda" to use "kubectl get
consoles.cluster.redpanda.com -n redpanda".