CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and is generated by Changie.

v26.2.1-beta.1 - 2026-04-24

Added

• Beta support for StretchCluster that allows deploying operator across multiple kubernetes clusters and creating Redpanda clusters out of Nodepools from different clusters. Requires a valid Redpanda enterprise license.
• rpk k8s multicluster plugin for bootstrapping, and interacting with StretchClusters.
• Multicluster-aware leader election so multiple operator replicas in the same Kubernetes cluster can take part in the global raft quorum while only the local lease holder votes.
• Multicluster PVC unbinder controller that extends stuck-Pod / volume-affinity remediation across all provider clusters.
• Kubeconfig cache on every raft member so a newly elected leader can engage peer clusters without needing live gRPC round-trips to every other operator at promotion time.
• NodePool CRD is installed automatically when the operator is deployed in multicluster mode.
• Per-peer operator Services to support Kubernetes cluster mesh (MCS / Cilium global service) setups for the multicluster raft transport.
• Opt-in pandaproxy_client.use_localhost / schema_registry_client.use_localhost settings on v1 Cluster CRs to use localhost for internal Schema Registry and Pandaproxy clients.
• rpk k8s multicluster bootstrap --loadbalancer flag that provisions a dedicated per-cluster peer LoadBalancer Service, waits for the provider to publish an address, and bakes that address into each peer's cert SANs — removing the previous redeploy cycle needed to bootstrap operators over public load balancers. On completion prints a ready-to-paste multicluster.peers helm-values block.

Changed

• Attempts to unset redpanda.storage.mode on a Topic are now a no-op to avoid warn-level log spam in the broker.
• Bumped Go to 1.26.1, controller-runtime to the matching release, and updated a range of dependencies (OpenTelemetry v1.43.0, grpc, containerd, golang.org/x/net, go-chi, buger/jsonparser) to address Snyk and govulncheck findings.

Fixed

• Ensure that the field manager "helm" gets removed in migration job to clear out field managers that might be set when migrating from helm to the operator.
• Fixed an issue with post-upgrade processing of cluster configuration that resulted in configuration errors due to removed properties across Redpanda versions.
• Fixed issue with ballast file tuning where the tuning container didn't mount the proper directory needed for propagating the ballast file to the main container.
• Removed more historic field managers that have caused problems with changes to StatefulSets.
• Fixed hot reconcile loops on healthy Redpanda clusters driven by two independent root causes: the setStatusCondition helper treated a zero rate limit as "force an update" (because time.Since(anything) > 0 is always true), and non-deterministic map iteration over features.Features flipped the stored InUseFeatures value on every reconcile. InUseFeatures is now sorted before comparison, the zero-rate-limit case is handled correctly, and the condition heartbeat rate limit was stretched from 1 minute to 5 minutes. Rate-limited heartbeats for License and Configuration conditions are preserved.
• Fixed an issue where the operator failed to authenticate to the Redpanda cluster with SCRAM when bootstrapUser.secretKeyRef pointed at an externally-managed secret.
• Fixed Schema Registry ACL sync failures on v1alpha1 Cluster resources that configured SR via the legacy single schemaRegistry field instead of the schemaRegistryApi slice — SchemaRegistryInternalListener now checks both fields and the factory routes the no-SR case to the graceful skip path.
• Fixed namespace-scoped operator deployments logging reconcile errors for resources in other namespaces; non-matching namespaces are now filtered before the initial fetch instead of entering exponential backoff.

v26.1.1 - 2026-03-31

Added

• Added Internal boolean field to RedpandaRole spec to enable managing Redpanda internal roles (prefixed with "__") using standard Kubernetes resource names.
• Adds group-based access control (GBAC) support to the Kubernetes operator both as a standalone Group CRD and allowing for Role-based principal binding.
• Added Schema Registry ACL awareness to all CRDs which support setting ACLs.
• Support for Kubernetes versions 1.32.x through 1.35.x. Per-PR tests validate against the minimum supported version (1.32.x) and nightly tests validate against the maximum supported version (1.35.x).
• Added allowPrivilegeEscalation: false and runAsNonRoot: true to redpanda, redpanda-configurator, and sidecar container security contexts to address GKE security findings.
• Namespace-scoped filtering — Controllers can now run in namespace-scoped mode with noise filtering.

Changed

• Add two +kubebuilder:printcolumn annotations to the Topic struct, matching the same pattern used by the Redpanda CRD.

Fixed

• Schema Registry ACL sync failures on v1alpha1 clusters
• Fixed issue with elevated reconciliation rates for ShadowLinks in large cluster deployments.
• Remove helm-controller field ownership to ensure old clusters deployed pre-Flux removal don't run into errors with accidentally merging fields that should otherwise be removed/overwritten.

v25.3.1 - 2025-12-10

Added

• ShadowLink CRD for controlling 25.3 shadow link settings. See documentation for details.

Changed

• Use the kube-system namespace by default for leader election when the operator is running in cluster-scoped mode.

v25.2.1 - 2025-12-02

Added

• Roles can be declaratively managed using RedpandaRole CRD
• Add experimental support for node pools. To enable node pool support you must install the experimental NodePool CRDs and run the controller with the --enable-v2-nodepools flag.
• Added a new Console CRD for managing a Redpanda Console deployments. For examples, see acceptance/features/console.feature.
• Added status.managedPrincipals field to RedpandaRole CRD to track whether the operator is managing role membership. The operator now properly reconciles membership changes when spec.principals is updated, including adding, removing, or clearing all principals.

Changed

• By default, the operator now reconciles resources (Redpanda, Topic, etc) across all namespaces.

  The --namespace flag may be used to scope the operator's watches to a single namespace.

• Client certificates are now named $FULLNAME-$CERT-client-cert.

Deprecated

• The Redpanda console stanza (.spec.clusterSpec.console) is now deprecated in favor of the stand-alone Console CRD.
• Deprecated various fields in multiple CRDs for kafka, adminAPI, and schemaRegistry under the static configuration of clusterSource so that various fields that were only specifiable via an in-cluster secret can now be pulled via either external secret provider, in-cluster secret, config map, or inlined value.
• The entirety of the spec.clusterSpec.console block in the Redpanda CR is now deprecated and will be removed in the future. Any Redpanda CR that contains one will automatically be migrated to a standalone Console CR with a back reference to the parent Redpanda CR. Note that these will not be automatically deleted when the console stanza is removed or when the parent Redpanda CR is deleted.

Fixed

• Fix a bug with the way the config-watcher sidecar syncs users. The Kubernetes mechanism for writing out a changed secret is involves re-creating a symlink in the secrets directory that points to the mounted secret. Previously the config-watcher only detected changes to the entire directory and could potentially miss syncs, this resyncs everything anytime the symlink is recreated.
• mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.

v25.2.1-beta1 - 2025-08-18

Changed

• By default, the operator now reconciles resources (Redpanda, Topic, etc) across all namespaces.

  The --namespace flag may be used to scope the operator's watches to a single namespace.

v25.1.1-beta3 - 2025-05-07

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.
• v1 operator: ExternalSecretRefSelector is now provided for referring to external secrets in clusterConfiguration. This has an optional flag which is honoured if present - it turns errors into warnings if the secret can't be looked up.

Changed

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would have been ignored.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

• rbac.createRPKBundleCRs now defaults to true.

• The operator will now populate .Statefulset.SideCars.Image, if unspecified, with it's own image.

  The image and tag may be controlled with pre-existing --configurator-base-image and --configurator-tag flags, respectively.

  The previous behavior was to defer to the default of the redpanda chart which could result in out of sync RBAC requirements or regressions of sidecar/initcontainer behavior, if using an older redpanda chart.

Deprecated

• v1 operator: the clusterConfiguration field ExternalSecretRef is deprecated in favour of ExternalSecretRefSelector. Since this field was extremely new, it will be removed in the very near future.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease) will NOT be garbage collected upon upgrading. If the operator is coexisting with a FluxCD installation, please take care to manually remove the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer supported. The controller will log errors and abort reconcilation until the fields are unset. Ensure that both have been removed from all Redpanda resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady, and upgradeFailures are no longer set on RedpandaStatus, similar to their behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

  Any existing prometheus rules don't need to be adjusted.

  For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

• The kube-prometheus-stack subchart has been removed.

  This integration was not being up kept and most use cases will be better served by deploying this chart themselves.

Fixed

• Certificate reloading for webhook and metrics endpoints should now behave correctly.
• The operator will restart the redpanda cluster on any change to the cluster configuration
• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.
• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only if correct FullNameOverride is not provided and handled the same way for both client creation and render function.
• The Redpanda license was not set by operator. Now it will be set in the first reconciliation. After initial setup the consequent license re-set will be reconciled after client-go cache resync timeout (default 10h).
• The operator now unconditionally produces statefulsets that have environment variables available to the initContainer that are used for CEL-based config patching.

Previously it attempted to leave existing sts resources unpatched if it seemed like they had already been bootstrapped. With the adoption of CEL patching for node configuration, that left sts pods unable to restart.

• The operator now unconditionally produces an environment for the initContainer that supports CEL-based patching.

This is required to ensure that a pre-existing sts can roll over to new configuration correctly.

v25.1.1-beta2 - 2025-04-24

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.

Changed

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• values.schema.json is now "closed" (additionalProperties: false)

  Any unexpected values will result in a validation error,previously they would have been ignored.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

• rbac.createRPKBundleCRs now defaults to true.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease) will NOT be garbage collected upon upgrading. If the operator is coexisting with a FluxCD installation, please take care to manually remove the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer supported. The controller will log errors and abort reconcilation until the fields are unset. Ensure that both have been removed from all Redpanda resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady, and upgradeFailures are no longer set on RedpandaStatus, similar to their behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

  Any existing prometheus rules don't need to be adjusted.

  For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

• The kube-prometheus-stack subchart has been removed.

  This integration was not being up kept and most use cases will be better served by deploying this chart themselves.

Fixed

• Certificate reloading for webhook and metrics endpoints should now behave correctly.
• The operator will restart the redpanda cluster on any change to the cluster configuration
• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.
• DeprecatedFullNameOverride was interpreted differently between rendering resources and creating kafka, admin and schema registry client. Now deprecated fullNameOverride will be used only if correct FullNameOverride is not provided and handled the same way for both client creation and render function.

v25.1.1-beta1 - 2025-04-10

Added

• Added scheduled sync of ghost broker decommissioner to ensure it's running, even if no watches trigger the reconciler.

Changed

• Bumped internal redpanda chart to v5.9.19. chartRef now defaults to v5.9.19. When useFlux is false, the equivalent of chart v5.9.19 will be deployed.

• Bumped the internal chart version to v5.9.20.

• [Chart] Moved all template rendering into entry-point.yaml to match the redpanda and console charts.

• The redpanda operator's helm chart has been merged into the operator itself.

  Going forward the chart's version and appVersion will always be equal.

Removed

• Removed bundled FluxCD controllers, bundled FluxCD CRDs, and support for delegating control to FluxCD.

  Previously reconciled FluxCD resources (HelmRepository, HelmRelease) will NOT be garbage collected upon upgrading. If the operator is coexisting with a FluxCD installation, please take care to manually remove the left over resources.

  chartRef.useFlux: true and chartRef.chartVersion are no longer supported. The controller will log errors and abort reconcilation until the fields are unset. Ensure that both have been removed from all Redpanda resources before upgrading.

  All other chartRef fields are deprecated and are no longer referenced.

  helmRelease, helmReleaseReady, helmRepository, helmRepositoryReady, and upgradeFailures are no longer set on RedpandaStatus, similar to their behavior when useFlux: false was set.

• gcr.io/kubebuilder/kube-rbac-proxy container is deprecated and has been removed from the Redpanda operator helm chart. The same ports will continue to serve metrics using kubebuilder's built in RBAC.

Any existing prometheus rules don't need to be adjusted.

For more details see: kubernetes-sigs/kubebuilder#3907

• The V1 operator now requires a minimum Redpanda version of 23.2; all feature-gated behaviour that supported older versions is now enabled unconditionally.

Fixed

• Usage of tpl and include now function as expected when useFlux: false is set.

  {{ (get (fromJson (include "redpanda.Fullname" (dict "a" (list .)))) "r") }} would previously failure with fairly arcane errors.

  Now, the above example will correctly render to a string value. However, syntax errors and the like are still reported in an arcane fashion.

• Toggling useFlux, in either direction, no longer causes the bootstrap user's password to be regenerated.

  Manual mitigation steps are available here.

• Certificate reloading for webhook and metrics endpoints should now behave correctly.

• Expanded the set of rules in both Roles and ClusterRoles to be appropriately in sync with the redpanda helm chart.

v2.3.8-24.3.6 - 2025-03-05

Fixed

• Fixed the way that paths are handled for the config watcher routine in the sidecar process.

v2.3.6-24.3.3 - 2025-01-17

Added

• Users in air-gapped environments that cannot access the official Redpanda Helm Chart repository (https://charts.redpanda.com/) can now specify an alternative Helm chart repository using the helm-repository-url flag. In the Redpanda Operator Helm chart, this flag is not exposed as an option in the Helm values. Instead, it must be set as an input in the additionalCmdFlags array.

  The given repository must include the following charts:

  • Redpanda
  • Console
  • Connectors

• Added resources.limits and resources.requests as an alternative method of managing the redpanda container's resources.

  When both resources.limits and resources.requests are specified, the redpanda container's resources will be set to the provided values and all other keys of resources will be ignored. Instead, all other values will be inferred from the limits and requests.

  This allows fine grain control of resources. i.e. It is now possible to set CPU requests without setting limits:

  resources:
    limits: {} # Specified but no cpu or memory values provided
    requests:
      cpu: 5 # Only CPU requests

Changed

• For any user that is mirroring configurator image (air-gapped environment) and changes entrypoint or wraps configurator with additional script the following constraint need to be meet:
  • set the following flags
    • to change the container repository set --configurator-base-image=my.repo.com/configurator flag
    • to change the container tag set --configurator-tag=XYZ flag
  • image needs to supports the entrypoint redpanda-operator configure as it is the default one

Fixed

• Value's merging no longer writes files to disk which prevents the operator from eating disk space when the reconciliation loop is run in rapid succession
• Fixed slice out of bounds panics when using the fs-validator and useFlux: false