auto-docs: Update K8s acceptance tests

vbotbuildovich · github-actions[bot] · commit 76d2d70fd29a · 2025-12-02T12:18:18.000Z
diff --git a/modules/manage/examples/kubernetes/console-upgrades.feature b/modules/manage/examples/kubernetes/console-upgrades.feature
@@ -0,0 +1,90 @@
+@operator:none
+Feature: Upgrading the operator with Console installed
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Console v2 to v3 no warnings
+    Given I helm install "redpanda-operator" "redpanda/operator" --version v25.1.3 with values:
+    """
+    """
+    And I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: operator-console-upgrade
+    spec:
+      clusterSpec:
+        console:
+          # Old versions have broken chart rendering for the console stanza
+          # unless nameOverride is set due to mapping configmap values for
+          # both the console deployment and redpanda statefulset to the same
+          # name. Setting nameOverride to "broken" works around this.
+          nameOverride: broken
+        tls:
+          enabled: false
+        external:
+          enabled: false
+        statefulset:
+          replicas: 1
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "operator-console-upgrade" is available
+    Then I can helm upgrade "redpanda-operator" "../operator/chart" with values:
+    """
+    image:
+      tag: dev
+      repository: localhost/redpanda-operator
+    crds:
+      experimental: true
+    """
+    And cluster "operator-console-upgrade" should be stable with 1 nodes
+    And the migrated console cluster "operator-console-upgrade" should have 0 warnings
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Console v2 to v3 with warnings
+    Given I helm install "redpanda-operator" "redpanda/operator" --version v25.1.3 with values:
+    """
+    """
+    And I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: operator-console-upgrade-warnings
+    spec:
+      clusterSpec:
+        console:
+          nameOverride: broken
+          console:
+            roleBindings:
+            - roleName: admin
+              subjects:
+              - kind: group
+                provider: OIDC
+                name: devs
+        tls:
+          enabled: false
+        external:
+          enabled: false
+        statefulset:
+          replicas: 1
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "operator-console-upgrade-warnings" is available
+    Then I can helm upgrade "redpanda-operator" "../operator/chart" with values:
+    """
+    image:
+      tag: dev
+      repository: localhost/redpanda-operator
+    crds:
+      experimental: true
+    """
+    And cluster "operator-console-upgrade-warnings" should be stable with 1 nodes
+    And the migrated console cluster "operator-console-upgrade-warnings" should have 1 warning
diff --git a/modules/manage/examples/kubernetes/role-crds.feature b/modules/manage/examples/kubernetes/role-crds.feature
@@ -83,6 +83,7 @@ Feature: Role CRDs
     # In this example manifest, a role CRD called "travis-role" manages ACLs for an existing role.
     # The role includes authorization rules that allow reading from topics with names starting with "some-topic".
     # This example assumes that you already have a role called "travis-role" in your cluster.
+    # Note: When the CRD is deleted, the operator will remove both the role and ACLs since it takes full ownership.
     ---
     apiVersion: cluster.redpanda.com/v1alpha2
     kind: RedpandaRole
@@ -106,5 +107,180 @@ Feature: Role CRDs
     """
     And role "travis-role" is successfully synced
     And I delete the CRD role "travis-role"
-    Then there should still be role "travis-role" in cluster "sasl"
-    And there should be no ACLs for role "travis-role" in cluster "sasl"
+    Then there should be no role "travis-role" in cluster "sasl"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Add managed principals to the role
+    Given there is no role "team-role" in cluster "sasl"
+    And there are the following pre-existing users in cluster "sasl"
+      | name    | password | mechanism     |
+      | user1   | password | SCRAM-SHA-256 |
+      | user2   | password | SCRAM-SHA-256 |
+      | user3   | password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: team-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:user1
+        - User:user2
+    """
+    And role "team-role" is successfully synced
+    Then role "team-role" should exist in cluster "sasl"
+    And role "team-role" should have members "user1 and user2" in cluster "sasl"
+    And RedpandaRole "team-role" should have status field "managedPrincipals" set to "true"
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: team-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:user1
+        - User:user2
+        - User:user3
+    """
+    And role "team-role" is successfully synced
+    Then role "team-role" should have members "user1 and user2 and user3" in cluster "sasl"
+    And RedpandaRole "team-role" should have status field "managedPrincipals" set to "true"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Remove managed principals from the role
+    Given there is no role "shrinking-role" in cluster "sasl"
+    And there are the following pre-existing users in cluster "sasl"
+      | name    | password | mechanism     |
+      | dev1    | password | SCRAM-SHA-256 |
+      | dev2    | password | SCRAM-SHA-256 |
+      | dev3    | password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: shrinking-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:dev1
+        - User:dev2
+        - User:dev3
+    """
+    And role "shrinking-role" is successfully synced
+    Then role "shrinking-role" should have members "dev1 and dev2 and dev3" in cluster "sasl"
+    And RedpandaRole "shrinking-role" should have status field "managedPrincipals" set to "true"
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: shrinking-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:dev1
+    """
+    And role "shrinking-role" is successfully synced
+    Then role "shrinking-role" should have members "dev1" in cluster "sasl"
+    And role "shrinking-role" should not have member "dev2" in cluster "sasl"
+    And role "shrinking-role" should not have member "dev3" in cluster "sasl"
+    And RedpandaRole "shrinking-role" should have status field "managedPrincipals" set to "true"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Stop managing principals
+    Given there is no role "clearing-role" in cluster "sasl"
+    And there are the following pre-existing users in cluster "sasl"
+      | name    | password | mechanism     |
+      | temp1   | password | SCRAM-SHA-256 |
+      | temp2   | password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: clearing-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:temp1
+        - User:temp2
+    """
+    And role "clearing-role" is successfully synced
+    Then role "clearing-role" should have members "temp1 and temp2" in cluster "sasl"
+    And RedpandaRole "clearing-role" should have status field "managedPrincipals" set to "true"
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: clearing-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals: []
+    """
+    And role "clearing-role" is successfully synced
+    Then RedpandaRole "clearing-role" should have no members in cluster "sasl"
+    And RedpandaRole "clearing-role" should have status field "managedPrincipals" set to "false"
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Replace all managed principals
+    Given there is no role "swap-role" in cluster "sasl"
+    And there are the following pre-existing users in cluster "sasl"
+      | name    | password | mechanism     |
+      | olduser1| password | SCRAM-SHA-256 |
+      | olduser2| password | SCRAM-SHA-256 |
+      | newuser1| password | SCRAM-SHA-256 |
+      | newuser2| password | SCRAM-SHA-256 |
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: swap-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:olduser1
+        - User:olduser2
+    """
+    And role "swap-role" is successfully synced
+    Then role "swap-role" should have members "olduser1 and olduser2" in cluster "sasl"
+    And RedpandaRole "swap-role" should have status field "managedPrincipals" set to "true"
+    When I apply Kubernetes manifest:
+    """
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: RedpandaRole
+    metadata:
+      name: swap-role
+    spec:
+      cluster:
+        clusterRef:
+          name: sasl
+      principals:
+        - User:newuser1
+        - User:newuser2
+    """
+    And role "swap-role" is successfully synced
+    Then role "swap-role" should have members "newuser1 and newuser2" in cluster "sasl"
+    And role "swap-role" should not have member "olduser1" in cluster "sasl"
+    And role "swap-role" should not have member "olduser2" in cluster "sasl"
+    And RedpandaRole "swap-role" should have status field "managedPrincipals" set to "true"
diff --git a/modules/manage/examples/kubernetes/upgrade.feature b/modules/manage/examples/kubernetes/upgrade.feature
@@ -0,0 +1,47 @@
+Feature: Upgrading redpanda
+  @skip:gke @skip:aks @skip:eks @skip:k3d
+  Scenario: Redpanda upgrade from 25.2.11
+    Given I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: cluster-upgrade
+    spec:
+      clusterSpec:
+        image:
+          repository: redpandadata/redpanda
+          tag: v25.2.11
+        console:
+          enabled: false
+        statefulset:
+          replicas: 3
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "cluster-upgrade" should be stable with 3 nodes
+    Then I apply Kubernetes manifest:
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: cluster-upgrade
+    spec:
+      clusterSpec:
+        image:
+          repository: redpandadata/redpanda-unstable
+          tag: v25.3.1-rc4
+        console:
+          enabled: false
+        statefulset:
+          replicas: 3
+          sideCars:
+            image:
+              tag: dev
+              repository: localhost/redpanda-operator
+    """
+    And cluster "cluster-upgrade" should be stable with 3 nodes
