fix watching stoageclasses by etcd-operator

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.gitignore

@@ -1,3 +1,78 @@
 _out
 .git
-.idea
+.idea
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+.DS_Store
+**/.DS_Store

Makefile

@@ -2,6 +2,9 @@
 
 build:
 	make -C packages/apps/http-cache image
+	make -C packages/apps/postgres image
+	make -C packages/apps/mysql image
+	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image

hack/gen_versions_map.sh

@@ -24,24 +24,36 @@ resolved_miss_map=$(
       change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
        
       if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
+        # Not committed yet, use previous commit
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $commit | cut -c2-)
         fi
       else
-        # Commited, but version_map wasn't updated
+        # Committed, but version_map wasn't updated
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $change_commit | cut -c2-)
         else
           commit=$(git describe --always "$change_commit~1")
         fi
       fi
+
+      # Check if the commit belongs to the main branch
+      if ! git merge-base --is-ancestor "$commit" main; then
+        # Find the closest parent commit that belongs to main
+        commit_in_main=$(git log --pretty=format:"%h" main -- "$chart" | head -n 1)
+        if [ -n "$commit_in_main" ]; then
+          commit="$commit_in_main"
+        else
+          # No valid commit found in main branch for $chart, skipping..."
+          continue
+        fi
+      fi
     fi
     echo "$chart $version $commit"
   done

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.13.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.13.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -1,4 +1,20 @@
+CLICKHOUSE_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/clickhouse-backup \
+		--provenance false \
+		--tag $(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/clickhouse-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/clickhouse-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/clickhouse-backup.json -o json -r)" \
+		> images/clickhouse-backup.tag
+	rm -f images/clickhouse-backup.json

packages/apps/clickhouse/README.md

@@ -1,5 +1,20 @@
 # Managed Clickhouse Service
 
+### How to restore backup:
+
+find snapshot:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
+```
+
+restore:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
+```
+
+more details:
+- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+
 ## Parameters
 
 ### Common parameters
@@ -16,3 +31,16 @@
 | Name    | Description         | Value |
 | ------- | ------------------- | ----- |
 | `users` | Users configuration | `{}`  |
+
+### Backup parameters
+
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable pereiodic backups                       | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.5.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/images/clickhouse-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM clickhouse/clickhouse-server:24.8.4-alpine
+RUN apk add --no-cache restic uuidgen

packages/apps/clickhouse/templates/backup-cronjob.yaml

@@ -0,0 +1,95 @@
+{{- if .Values.backup.enabled }}
+{{ $image := .Files.Get "images/backup.json" | fromJson }}
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-backup
+spec:
+  schedule: "{{ .Values.backup.schedule }}"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        spec:
+          restartPolicy: OnFailure
+      template:
+        metadata:
+          annotations:
+            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
+            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
+        spec:
+          imagePullSecrets:
+          - name: {{ .Release.Name }}-regsecret
+          restartPolicy: Never
+          containers:
+          - name: clickhouse-backup
+            image: "{{ $.Files.Get "images/clickhouse-backup.tag" | trim }}"
+            command:
+            - /bin/sh
+            - -x
+            - /scripts/backup.sh
+            env:
+            - name: REPO_PREFIX
+              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
+            - name: CLEANUP_STRATEGY
+              value: {{ required "cleanupPolicy is not specified!" .Values.backup.cleanupStrategy | quote }}
+            - name: CLICKHOUSE_USER
+              value: backup
+            - name: CLICKHOUSE_HOST
+              value: chi-{{ .Release.Name }}-clickhouse-0-0
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-credentials
+                  key: backup
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3AccessKey
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3SecretKey
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.backup.s3Region }}
+            - name: RESTIC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: resticPassword
+            volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /.cache
+              name: cache
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+          volumes:
+          - name: scripts
+            secret:
+              secretName: {{ .Release.Name }}-backup-script
+          - name: tmp
+            emptyDir: {}
+          - name: cache
+            emptyDir: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 9000
+            runAsGroup: 9000
+            seccompProfile:
+              type: RuntimeDefault
+{{- end }}

packages/apps/clickhouse/templates/backup-script.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup-script
+stringData:
+  backup.sh: |
+    #!/bin/sh
+    set -e
+    set -o pipefail
+    
+    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
+    TABLE_LIST=$(clickhouse-client --host "$CLICKHOUSE_HOST" -q 'SHOW TABLES;' | grep -v '^.inner.' || true)
+    echo DB_LIST=$(echo "$TABLE_LIST" | shuf) # shuffle list
+    echo "Job ID: $JOB_ID"
+    echo "Target repo: $REPO_PREFIX"
+    echo "Cleanup strategy: $CLEANUP_STRATEGY"
+    echo "Start backup for:"
+    echo "$TABLE_LIST"
+    echo
+    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for table in $TABLE_LIST; do
+      (
+        set -x
+        restic -r "s3:${REPO_PREFIX}/$table" cat config >/dev/null 2>&1 || \
+          restic -r "s3:${REPO_PREFIX}/$table" init --repository-version 2
+        restic -r "s3:${REPO_PREFIX}/$table" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
+        clickhouse-client --host "$CLICKHOUSE_HOST" -q "SHOW CREATE TABLE ${table}" | awk '{gsub(/\\n/, "\n")} {gsub(/\\'\''/, "'\''")} 1' | \
+          restic -r "s3:${REPO_PREFIX}/$table" backup --tag "$JOB_ID" --tag index --stdin --stdin-filename index.sql
+        clickhouse-client --host "$CLICKHOUSE_HOST" -q "SELECT * FROM ${table} FORMAT TabSeparated" | \
+          restic -r "s3:${REPO_PREFIX}/$table" backup --tag "$JOB_ID" --tag data --stdin --stdin-filename data.tsv
+        restic -r "s3:${REPO_PREFIX}/$table" tag --tag "$JOB_ID" --set "completed"
+      )
+    done
+    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+    
+    echo
+    echo "Run cleanup:"
+    echo
+    
+    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        # keep completed snapshots only
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" --tag index
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" --tag data
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY --tag index
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY --tag data
+        restic prune -r "s3:${REPO_PREFIX}/$db"
+      )
+    done
+    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+{{- end }}

packages/apps/clickhouse/templates/backup-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup
+stringData:
+  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
+  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
+  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+{{- end }}

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,3 +1,32 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+{{- $users := .Values.users }}
+{{- $_ := set $users "backup" dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := $users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+
+---
 apiVersion: "clickhouse.altinity.com/v1"
 kind: "ClickHouseInstallation"
 metadata:
@@ -9,10 +38,10 @@ spec:
       dataVolumeClaimTemplate: data-volume-template
   {{- end }}
   configuration:
-    {{- with .Values.users }}
+    {{- with $users }}
     users:
       {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
+      {{ $name }}/password_sha256_hex: {{ sha256sum (index $passwords $name) }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
       {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
@@ -31,7 +60,7 @@ spec:
         spec:
           accessModes:
             - ReadWriteOnce
-          {{- with .Values.storageClass }}
+          {{- with $.Values.storageClass }}
           storageClassName: {{ . }}
           {{- end }}
           resources:

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - chi-clickhouse-test-clickhouse-0-0
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/clickhouse/values.schema.json

@@ -21,6 +21,51 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "backup": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable pereiodic backups",
+                    "default": false
+                },
+                "s3Region": {
+                    "type": "string",
+                    "description": "The AWS S3 region where backups are stored",
+                    "default": "us-east-1"
+                },
+                "s3Bucket": {
+                    "type": "string",
+                    "description": "The S3 bucket used for storing backups",
+                    "default": "s3.example.org/clickhouse-backups"
+                },
+                "schedule": {
+                    "type": "string",
+                    "description": "Cron schedule for automated backups",
+                    "default": "0 2 * * *"
+                },
+                "cleanupStrategy": {
+                    "type": "string",
+                    "description": "The strategy for cleaning up old backups",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                },
+                "s3AccessKey": {
+                    "type": "string",
+                    "description": "The access key for S3, used for authentication",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                },
+                "s3SecretKey": {
+                    "type": "string",
+                    "description": "The secret key for S3, used for authentication",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                },
+                "resticPassword": {
+                    "type": "string",
+                    "description": "The password for Restic backup encryption",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                }
+            }
         }
     }
 }

packages/apps/clickhouse/values.yaml

@@ -22,3 +22,23 @@ storageClass: ""
 ##     password: hackme
 ##
 users: {}
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/clickhouse-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/images/postgres-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/ferretdb/templates/backup-cronjob.yaml

@@ -24,8 +24,8 @@ spec:
         spec:
           restartPolicy: Never
           containers:
-          - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+          - name: pgdump
+            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/ferretdb/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/ferretdb/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/http-cache/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: http-cache
-description: Layer7 load balacner and caching service
+description: Layer7 load balancer and caching service
 icon: /logos/nginx.svg
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/Makefile

@@ -1,4 +1,4 @@
-NGINX_CACHE_TAG = v0.1.0
+NGINX_CACHE_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
@@ -9,7 +9,6 @@ image-nginx:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
 		--provenance false \
 		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
 		--cache-to type=inline \
 		--metadata-file images/nginx-cache.json \

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/Makefile

@@ -1,4 +1,20 @@
+MARIADB_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/mariadb-backup \
+		--provenance false \
+		--tag $(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/mariadb-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/mariadb-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/mariadb-backup.json -o json -r)" \
+		> images/mariadb-backup.tag
+	rm -f images/mariadb-backup.json

packages/apps/mysql/README.md

@@ -79,7 +79,7 @@ more details:
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `[]`  |
+| `databases` | Databases configuration | `{}`  |
 
 ### Backup parameters
 

packages/apps/mysql/images/mariadb-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:fa2b3195521cffa55eb6d71a50b875d3c234a45e5dff71b2b9002674175bea93

packages/apps/mysql/images/mariadb-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine:3.20
+RUN apk add --no-cache mariadb-client uuidgen restic

packages/apps/mysql/templates/backup-cronjob.yaml

@@ -27,7 +27,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+            image: "{{ $.Files.Get "images/mariadb-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/mysql/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-primary
+  - {{ .Release.Name }}-secondary
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/mysql/templates/db.yaml

@@ -1,14 +1,47 @@
-{{- range $name := .Values.databases }}
-{{ $dnsName := replace "_" "-" $name }}
+{{- range $name, $db := .Values.databases }}
+{{ $dbDNSName := replace "_" "-" $name }}
 ---
 apiVersion: k8s.mariadb.com/v1alpha1
 kind: Database
 metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}
 spec:
   name: {{ $name }}
   mariaDbRef:
     name: {{ $.Release.Name }}
   characterSet: utf8
   collate: utf8_general_ci
+{{- range $user := $db.roles.admin }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['ALL']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+{{- range $user := $db.roles.readonly }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['SELECT']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+
 {{- end }}

packages/apps/mysql/templates/mariadb.yaml

@@ -4,11 +4,9 @@ kind: MariaDB
 metadata:
   name: {{ .Release.Name }}
 spec:
-  {{- if (and .Values.users.root .Values.users.root.password) }}
   rootPasswordSecretKeyRef:
-    name: {{ .Release.Name }}
-    key: root-password
-  {{- end }}
+    name: {{ .Release.Name }}-credentials
+    key: root
 
   image: "mariadb:11.0.2"
 

packages/apps/mysql/templates/secret.yaml

@@ -1,9 +1,31 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- $usersWithRoot := .Values.users }}
+{{- if (and .Values.users.root .Values.users.root.password) }}
+  {{- $_ := set $usersWithRoot "root" dict }}
+{{- end }}
+
+{{- range $user, $u := $usersWithRoot }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ .Release.Name }}-credentials
 stringData:
-  {{- range $name, $u := .Values.users }}
-  {{ $name }}-password: {{ $u.password }}
+  {{- range $name, $u := $usersWithRoot }}
+  {{ $name }}: {{ index $passwords $name }}
   {{- end }}

packages/apps/mysql/templates/user.yaml

@@ -11,21 +11,8 @@ spec:
   mariaDbRef:
     name: {{ $.Release.Name }}
   passwordSecretKeyRef:
-    name: {{ $.Release.Name }}
-    key: {{ $name }}-password
+    name: {{ $.Release.Name }}-credentials
+    key: {{ $name }}
   maxUserConnections: {{ $u.maxUserConnections }}
----
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
-spec:
-  mariaDbRef:
-    name: {{ $.Release.Name }}
-  privileges: {{ $u.privileges | toJson }}
-  database: "*"
-  table: "*"
-  username: {{ $name }}
-  grantOption: true
 {{- end }}
 {{- end }}

packages/apps/mysql/values.schema.json

@@ -22,12 +22,6 @@
             "description": "StorageClass used to store the data",
             "default": ""
         },
-        "databases": {
-            "type": "array",
-            "description": "Databases configuration",
-            "default": [],
-            "items": {}
-        },
         "backup": {
             "type": "object",
             "properties": {

packages/apps/mysql/values.yaml

@@ -15,27 +15,25 @@ storageClass: ""
 ## @param users [object] Users configuration
 ## Example:
 ## users:
-##   root:
-##     password: strongpassword
 ##   user1:
-##     privileges: ['ALL']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##   user2:
-##     privileges: ['SELECT']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##
 users: {}
 
-## @param databases Databases configuration
+## @param databases [object] Databases configuration
 ## Example:
 ## databases:
-## - wordpress1
-## - wordpress2
-## - wordpress3
-## - wordpress4
-databases: []
+##   myapp1:
+##     roles:
+##       admin:
+##       - user1
+##       readonly:
+##       - user2
+databases: {}
 
 ## @section Backup parameters
 

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/Makefile

@@ -1,4 +1,21 @@
+POSTGRES_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/postgres-backup \
+		--provenance false \
+		--tag $(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/postgres-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/postgres-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/postgres-backup.json -o json -r)" \
+		> images/postgres-backup.tag
+	cp images/postgres-backup.tag ../ferretdb/images/
+	rm -f images/postgres-backup.json

packages/apps/postgres/images/postgres-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/postgres/images/postgres-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine:3.20
+RUN apk add --no-cache postgresql16-client uuidgen restic

packages/apps/postgres/templates/backup-cronjob.yaml

@@ -26,8 +26,8 @@ spec:
           - name: {{ .Release.Name }}-regsecret
           restartPolicy: Never
           containers:
-          - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+          - name: pgdump
+            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -8,7 +8,14 @@ rules:
   resources:
   - services
   resourceNames:
-  - postgres-service-r
-  - postgres-service-ro
-  - postgres-service-rw
+  - {{ .Release.Name }}-r
+  - {{ .Release.Name }}-ro
+  - {{ .Release.Name }}-rw
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/rabbitmq/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "3.13.2"

packages/apps/rabbitmq/README.md

@@ -19,3 +19,10 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`         | Persistent Volume size                          | `10Gi`  |
 | `replicas`     | Number of RabbitMQ replicas                     | `3`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
+
+### Configuration parameters
+
+| Name     | Description                 | Value |
+| -------- | --------------------------- | ----- |
+| `users`  | Users configuration         | `{}`  |
+| `vhosts` | Virtual Hosts configuration | `{}`  |

packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-default-user
+  {{- range $name, $u := .Values.users }}
+  - {{ $.Release.Name }}-{{ kebabcase $name }}-credentials
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -12,8 +12,94 @@ spec:
     type: LoadBalancer
   {{- end }}
 
+  override:
+    statefulSet:
+      spec:
+        template:
+          metadata:
+            labels:
+              policy.cozystack.io/allow-to-apiserver: "true"
+
   persistence:
     {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
     storage: {{ .Values.size }}
+
+{{- range $user, $u := .Values.users }}
+
+{{- $password := $u.password }}
+{{- if not $password }}
+{{- with (dig "data" "password" "" (lookup "v1" "Secret" $.Release.Namespace (printf "%s-%s-credentials" $.Release.Name (kebabcase $user)))) }}
+{{- $password = b64dec . }}
+{{- end }}
+{{- end }}
+{{- if not $password }}
+{{- $password = (randAlphaNum 16) }}
+{{- end }}
+
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}
+  annotations:
+    config: '{{ printf "%s %s" $user $password | sha256sum }}'
+spec:
+  importCredentialsSecret:
+    name: {{ $.Release.Name }}-{{ $user }}-credentials
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
+type: Opaque
+stringData:
+  username: {{ $user }}
+  password: {{ $password }}
+{{- end }}
+
+{{- range $host, $h := .Values.vhosts }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}
+spec:
+  name: {{ $host }}
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- range $user := $h.roles.admin }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+{{- range $user := $h.roles.readonly }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+
+{{- end }}

packages/apps/rabbitmq/values.schema.json

@@ -21,6 +21,11 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "vhosts": {
+            "type": "object",
+            "description": "Virtual Hosts configuration",
+            "default": {}
         }
     }
 }

packages/apps/rabbitmq/values.yaml

@@ -9,3 +9,33 @@ external: false
 size: 10Gi
 replicas: 3
 storageClass: ""
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##   user3:
+##     password: testtest
+##
+users: {}
+
+## @param vhosts Virtual Hosts configuration
+## Example:
+## vhosts:
+##   myapp:
+##     roles:
+##       admin:
+##       - user1
+##       - user2
+##       readonly:
+##       - user3
+##   test:
+##     roles:
+##       admin:
+##       - user3
+vhosts: {}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -83,6 +83,21 @@ spec:
     {{- end }}
   {{- end }}
 ---
+{{- if .Values.ingress }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-ingress-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      cozystack.io/service: ingress
+  ingress:
+  - fromEndpoints:
+    - {}
+{{- end }}
+---
 {{- if .Values.etcd }}
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy

packages/apps/versions_map

@@ -2,14 +2,18 @@ bucket 0.1.0 HEAD
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 5ca8823
-clickhouse 0.3.0 HEAD
+clickhouse 0.3.0 b00621e
+clickhouse 0.4.0 320fc32
+clickhouse 0.5.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
 ferretdb 0.2.0 adaf603
-ferretdb 0.3.0 HEAD
+ferretdb 0.3.0 aa2f553
+ferretdb 0.4.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
-http-cache 0.3.0 HEAD
+http-cache 0.3.0 fab5940
+http-cache 0.3.1 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
@@ -31,7 +35,9 @@ kubernetes 0.10.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
-mysql 0.4.0 HEAD
+mysql 0.4.0 93018c4
+mysql 0.5.0 4b84798
+mysql 0.5.1 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 HEAD
 postgres 0.1.0 f642698
@@ -40,10 +46,14 @@ postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
 postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
-postgres 0.5.0 HEAD
+postgres 0.5.0 c07c4bbd
+postgres 0.6.0 2a4768a
+postgres 0.6.2 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
-rabbitmq 0.3.0 HEAD
+rabbitmq 0.3.0 9e33dc0
+rabbitmq 0.4.0 36d8855
+rabbitmq 0.4.1 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD

packages/core/installer/Makefile

@@ -54,9 +54,9 @@ image-matchbox:
 		--load=$(LOAD)
 	rm -f images/matchbox.json
 
-assets: talos-iso talos-nocloud
+assets: talos-iso talos-nocloud talos-metal
 
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud:
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
 		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \

packages/core/installer/hack/gen-profiles.sh

@@ -2,7 +2,7 @@
 set -e
 set -u
 
-PROFILES="initramfs kernel iso installer nocloud"
+PROFILES="initramfs kernel iso installer nocloud metal"
 FIRMWARES="amd-ucode amdgpu-firmware bnx2-bnx2x i915-ucode intel-ice-firmware intel-ucode qlogic-firmware"
 EXTENSIONS="drbd zfs"
 
@@ -32,10 +32,10 @@ done
 
 for profile in $PROFILES; do
   echo "writing profile images/talos/profiles/$profile.yaml"
-  if [ "$profile" = "nocloud" ]; then
+  if [ "$profile" = "nocloud" ] || [ "$profile" = "metal" ]; then
     image_options="{ diskSize: 1306525696, diskFormat: raw }"
     out_format=".xz"
-    platform="nocloud"
+    platform="$profile"
     kind="image"
   else
     image_options="{}"

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/installer.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/iso.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/metal.yaml

@@ -0,0 +1,27 @@
+# this file generated by hack/gen-profiles.sh
+# do not edit it
+arch: amd64
+platform: metal
+secureboot: false
+version: v1.7.6
+input:
+  kernel:
+    path: /usr/install/amd64/vmlinuz
+  initramfs:
+    path: /usr/install/amd64/initramfs.xz
+  baseInstaller:
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+  systemExtensions:
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+output:
+  kind: image
+  imageOptions: { diskSize: 1306525696, diskFormat: raw }
+  outFormat: .xz

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.13.0@sha256:0943f277c63f20cea19bef0207dc47f47157b58309c09af18830aac7906d1416
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.15.0@sha256:aeff26a80f84b4323578e613b3bf03caa842d617ec8d9ca98706867c1e70609f

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.13.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.15.0@sha256:20cc84e4a11db31434881355c070113a7823501a28a6114ca02830b18607ad21

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -50,7 +50,7 @@ spec:
             cert-manager.io/cluster-issuer: letsencrypt-prod
           tls:
             - hosts:
-              - {{ .Values.host | default (printf "seaweedfs.%s" $host) }}
+              - {{ .Values.host | default (printf "s3.%s" $host) }}
               secretName: {{ .Release.Name }}-s3-ingress-tls
 
       cosi:

packages/system/cilium/values-kubeovn.yaml

@@ -2,7 +2,6 @@ cilium:
   sctp:
     enabled: true
   autoDirectNodeRoutes: false
-  kubeProxyReplacement: true
   bpf:
     masquerade: false
   cni:

packages/system/cilium/values.yaml

@@ -1,4 +1,5 @@
 cilium:
+  kubeProxyReplacement: true
   hubble:
     enabled: false
   externalIPs:

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.13.0
+      tag: v0.15.0
       digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.13.0
-      digest: "sha256:a8cf2b536573f4bc29d4dce323ef3007a65567d6f1fe7803490bd71f422aca88"
+      tag: v0.15.0
+      digest: "sha256:70c095c8f7e3ecfa11433a3a2c8f57f6ff5a0053f006939a2c171c180cc50baf"

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml

@@ -73,6 +73,7 @@ rules:
     verbs:
     - get
     - list
+    - watch
   - apiGroups:
       - etcd.aenix.io
     resources:

packages/system/kafka-operator/charts/strimzi-kafka-operator/.helmignore

@@ -19,3 +19,5 @@
 .project
 .idea/
 *.tmproj
+# Unit Tests
+tests/

packages/system/kafka-operator/charts/strimzi-kafka-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.40.0
+appVersion: 0.43.0
 description: 'Strimzi: Apache Kafka running on Kubernetes'
 home: https://strimzi.io/
 icon: https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/documentation/logo/strimzi_logo.png
@@ -24,4 +24,4 @@ maintainers:
 name: strimzi-kafka-operator
 sources:
 - https://github.com/strimzi/strimzi-kafka-operator
-version: 0.40.0
+version: 0.43.0

packages/system/kafka-operator/charts/strimzi-kafka-operator/README.md

@@ -9,8 +9,8 @@ Upgrading to Strimzi 0.32 and newer directly from Strimzi 0.22 and earlier is no
 Please follow the [documentation](https://strimzi.io/docs/operators/latest/full/deploying.html#assembly-upgrade-str) for more details.
 
 **!!! IMPORTANT !!!**
-From Strimzi 0.40 on, we support only Kubernetes 1.23 and newer.
-Kubernetes versions 1.21 and 1.22 are no longer supported.
+Strimzi 0.43.0 (and any of its patch releases) is the last Strimzi version with support for Kubernetes 1.23 and 1.24.
+From Strimzi 0.44.0 on, Strimzi will support only Kubernetes 1.25 and newer.
 
 ## Introduction
 
@@ -21,6 +21,7 @@ cluster using the [Helm](https://helm.sh) package manager.
 ### Supported Features
 
 * **Manages the Kafka Cluster** - Deploys and manages all of the components of this complex application, including dependencies like Apache ZooKeeper® that are traditionally hard to administer.
+* **KRaft support** - Allows running Apache Kafka clusters in the KRaft mode (without ZooKeeper). 
 * **Includes Kafka Connect** - Allows for configuration of common data sources and sinks to move data into and out of the Kafka cluster.
 * **Topic Management** - Creates and manages Kafka Topics within the cluster.
 * **User Management** - Creates and manages Kafka Users within the cluster.
@@ -91,11 +92,12 @@ the documentation for more details.
 | Parameter                                   | Description                                                                     | Default                      |
 |---------------------------------------------|---------------------------------------------------------------------------------|------------------------------|
 | `replicas`                                  | Number of replicas of the cluster operator                                      | 1                            |
+| `revisionHistoryLimit`                      | Number of replicaSet to keep of the operator deployment                         | 10                           |
 | `watchNamespaces`                           | Comma separated list of additional namespaces for the strimzi-operator to watch | []                           |
 | `watchAnyNamespace`                         | Watch the whole Kubernetes cluster (all namespaces)                             | `false`                      |
 | `defaultImageRegistry`                      | Default image registry for all the images                                       | `quay.io`                    |
 | `defaultImageRepository`                    | Default image registry for all the images                                       | `strimzi`                    |
-| `defaultImageTag`                           | Default image tag for all the images except Kafka Bridge                        | `0.40.0`                     |
+| `defaultImageTag`                           | Default image tag for all the images except Kafka Bridge                        | `0.43.0`                     |
 | `image.registry`                            | Override default Cluster Operator image registry                                | `nil`                        |
 | `image.repository`                          | Override default Cluster Operator image repository                              | `nil`                        |
 | `image.name`                                | Cluster Operator image name                                                     | `cluster-operator`           |
@@ -156,16 +158,10 @@ the documentation for more details.
 | `kafkaInit.image.name`                      | Init Kafka image name                                                           | `operator`                   |
 | `kafkaInit.image.tag`                       | Override default Init Kafka image tag                                           | `nil`                        |
 | `kafkaInit.image.digest`                    | Override Init Kafka image tag with digest                                       | `nil`                        |
-| `tlsSidecarEntityOperator.image.registry`   | Override default TLS Sidecar Entity Operator image registry                     | `nil`                        |
-| `tlsSidecarEntityOperator.image.repository` | Override default TLS Sidecar Entity Operator image repository                   | `nil`                        |
-| `tlsSidecarEntityOperator.image.name`       | TLS Sidecar Entity Operator image name                                          | `kafka`                      |
-| `tlsSidecarEntityOperator.image.tagPrefix`  | Override default TLS Sidecar Entity Operator image tag prefix                   | `nil`                        |
-| `tlsSidecarEntityOperator.image.tag`        | Override default TLS Sidecar Entity Operator image tag and ignore suffix        | `nil`                        |
-| `tlsSidecarEntityOperator.image.digest`     | Override TLS Sidecar Entity Operator image tag with digest                      | `nil`                        |
 | `kafkaBridge.image.registry`                | Override default Kafka Bridge image registry                                    | `quay.io`                    |
 | `kafkaBridge.image.repository`              | Override default Kafka Bridge image repository                                  | `strimzi`                    |
 | `kafkaBridge.image.name`                    | Kafka Bridge image name                                                         | `kafka-bridge`               |
-| `kafkaBridge.image.tag`                     | Override default Kafka Bridge image tag                                         | `0.28.0`                     |
+| `kafkaBridge.image.tag`                     | Override default Kafka Bridge image tag                                         | `0.30.0`                     |
 | `kafkaBridge.image.digest`                  | Override Kafka Bridge image tag with digest                                     | `nil`                        |
 | `kafkaExporter.image.registry`              | Override default Kafka Exporter image registry                                  | `nil`                        |
 | `kafkaExporter.image.repository`            | Override default Kafka Exporter image repository                                | `nil`                        |
@@ -184,9 +180,9 @@ the documentation for more details.
 | `kanikoExecutor.image.name`                 | Kaniko Executor image name                                                      | `kaniko-executor`            |
 | `kanikoExecutor.image.tag`                  | Override default Kaniko Executor image tag                                      | `nil`                        |
 | `kanikoExecutor.image.digest`               | Override Kaniko Executor image tag with digest                                  | `nil`                        |
-| `resources.limits.memory`                   | Memory constraint for limits                                                    | `256Mi`                      |
+| `resources.limits.memory`                   | Memory constraint for limits                                                    | `384Mi`                      |
 | `resources.limits.cpu`                      | CPU constraint for limits                                                       | `1000m`                      |
-| `resources.requests.memory`                 | Memory constraint for requests                                                  | `256Mi`                      |
+| `resources.requests.memory`                 | Memory constraint for requests                                                  | `384Mi`                      |
 | `livenessProbe.initialDelaySeconds`         | Liveness probe initial delay in seconds                                         | 10                           |
 | `livenessProbe.periodSeconds`               | Liveness probe period in seconds                                                | 30                           |
 | `readinessProbe.initialDelaySeconds`        | Readiness probe initial delay in seconds                                        | 10                           |
@@ -210,6 +206,7 @@ the documentation for more details.
 | `mavenBuilder.image.tag`                    | Override default Maven Builder image tag                                        | `nil`                        |
 | `mavenBuilder.image.digest`                 | Override Maven Builder image tag with digest                                    | `nil`                        |
 | `logConfiguration`                          | Override default `log4j.properties` content                                     | `nil`                        |
+| `logLevel`                                  | Override default logging level                                                  | `INFO`                       |
 | `dashboards.enable`                         | Generate configmaps containing the dashboards                                   | `false`                      |
 | `dashboards.label`                          | How should the dashboards be labeled for the sidecar                            | `grafana_dashboard`          |
 | `dashboards.labelValue`                     | What should the dashboards label value be for the sidecar                       | `"1"`                        |

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/041-Crd-kafkaconnect.yaml

@@ -74,14 +74,25 @@ spec:
                       items:
                         type: object
                         properties:
-                          certificate:
-                            type: string
-                            description: The name of the file certificate in the Secret.
                           secretName:
                             type: string
                             description: The name of the Secret containing the certificate.
+                          certificate:
+                            type: string
+                            description: The name of the file certificate in the secret.
+                          pattern:
+                            type: string
+                            description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                        oneOf:
+                          - properties:
+                              certificate: {}
+                            required:
+                              - certificate
+                          - properties:
+                              pattern: {}
+                            required:
+                              - pattern
                         required:
-                          - certificate
                           - secretName
                       description: Trusted certificates for TLS connection.
                   description: TLS configuration.
@@ -104,26 +115,48 @@ spec:
                     accessTokenIsJwt:
                       type: boolean
                       description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`.
+                    accessTokenLocation:
+                      type: string
+                      description: Path to the token file containing an access token to be used for authentication.
                     audience:
                       type: string
                       description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request."
                     certificateAndKey:
                       type: object
                       properties:
+                        secretName:
+                          type: string
+                          description: The name of the Secret containing the certificate.
                         certificate:
                           type: string
                           description: The name of the file certificate in the Secret.
                         key:
                           type: string
                           description: The name of the private key in the Secret.
-                        secretName:
-                          type: string
-                          description: The name of the Secret containing the certificate.
                       required:
+                        - secretName
                         - certificate
                         - key
-                        - secretName
                       description: Reference to the `Secret` which holds the certificate and private key pair.
+                    clientAssertion:
+                      type: object
+                      properties:
+                        key:
+                          type: string
+                          description: The key under which the secret value is stored in the Kubernetes Secret.
+                        secretName:
+                          type: string
+                          description: The name of the Kubernetes Secret containing the secret value.
+                      required:
+                        - key
+                        - secretName
+                      description: Link to Kubernetes secret containing the client assertion which was manually configured for the client.
+                    clientAssertionLocation:
+                      type: string
+                      description: Path to the file containing the client assertion to be used for authentication.
+                    clientAssertionType:
+                      type: string
+                      description: "The client assertion type. If not set, and either `clientAssertion` or `clientAssertionLocation` is configured, this value defaults to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`."
                     clientId:
                       type: string
                       description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI.
@@ -164,15 +197,15 @@ spec:
                     passwordSecret:
                       type: object
                       properties:
-                        password:
-                          type: string
-                          description: The name of the key in the Secret under which the password is stored.
                         secretName:
                           type: string
                           description: The name of the Secret containing the password.
+                        password:
+                          type: string
+                          description: The name of the key in the Secret under which the password is stored.
                       required:
-                        - password
                         - secretName
+                        - password
                       description: Reference to the `Secret` which holds the password.
                     readTimeoutSeconds:
                       type: integer
@@ -190,6 +223,11 @@ spec:
                         - key
                         - secretName
                       description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server.
+                    saslExtensions:
+                      additionalProperties:
+                        type: string
+                      type: object
+                      description: SASL extensions parameters.
                     scope:
                       type: string
                       description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request.
@@ -198,14 +236,25 @@ spec:
                       items:
                         type: object
                         properties:
-                          certificate:
-                            type: string
-                            description: The name of the file certificate in the Secret.
                           secretName:
                             type: string
                             description: The name of the Secret containing the certificate.
+                          certificate:
+                            type: string
+                            description: The name of the file certificate in the secret.
+                          pattern:
+                            type: string
+                            description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                        oneOf:
+                          - properties:
+                              certificate: {}
+                            required:
+                              - certificate
+                          - properties:
+                              pattern: {}
+                            required:
+                              - pattern
                         required:
-                          - certificate
                           - secretName
                       description: Trusted certificates for TLS connection to the OAuth server.
                     tokenEndpointUri:
@@ -241,23 +290,33 @@ spec:
                           name:
                             type: string
                     limits:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                     requests:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                   description: The maximum limits for CPU and memory resources and the requested initial resources.
                 livenessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -266,22 +325,22 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod liveness checking.
                 readinessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -290,10 +349,10 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod readiness checking.
                 jvmOptions:
                   type: object
@@ -303,14 +362,14 @@ spec:
                         type: string
                       type: object
                       description: A map of -XX options to the JVM.
-                    "-Xms":
-                      type: string
-                      pattern: "^[0-9]+[mMgG]?$"
-                      description: -Xms option to to the JVM.
                     "-Xmx":
                       type: string
                       pattern: "^[0-9]+[mMgG]?$"
                       description: -Xmx option to to the JVM.
+                    "-Xms":
+                      type: string
+                      pattern: "^[0-9]+[mMgG]?$"
+                      description: -Xms option to to the JVM.
                     gcLoggingEnabled:
                       type: boolean
                       description: Specifies whether the Garbage Collection logging is enabled. The default is false.
@@ -386,6 +445,32 @@ spec:
                   required:
                     - topologyKey
                   description: Configuration of the node label which will be used as the `client.rack` consumer configuration.
+                metricsConfig:
+                  type: object
+                  properties:
+                    type:
+                      type: string
+                      enum:
+                        - jmxPrometheusExporter
+                      description: Metrics type. Only 'jmxPrometheusExporter' supported currently.
+                    valueFrom:
+                      type: object
+                      properties:
+                        configMapKeyRef:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                            name:
+                              type: string
+                            optional:
+                              type: boolean
+                          description: Reference to the key in the ConfigMap containing the configuration.
+                      description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. '
+                  required:
+                    - type
+                    - valueFrom
+                  description: Metrics configuration.
                 tracing:
                   type: object
                   properties:
@@ -471,6 +556,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -873,31 +965,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -940,6 +1007,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka Connect `Pods`.
                     apiService:
                       type: object
@@ -1027,6 +1198,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1080,6 +1258,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Connect container.
                     initContainer:
                       type: object
@@ -1101,6 +1299,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1154,6 +1359,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka init container.
                     podDisruptionBudget:
                       type: object
@@ -1241,6 +1466,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -1643,31 +1875,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -1710,6 +1917,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka Connect Build `Pods`. The build pod is used only on Kubernetes.
                     buildContainer:
                       type: object
@@ -1731,6 +2042,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1784,6 +2102,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Connect Build container. The build container is used only on Kubernetes.
                     buildConfig:
                       type: object
@@ -1842,7 +2180,7 @@ spec:
                               description: Annotations added to the Kubernetes resource.
                           description: Metadata applied to the resource.
                       description: Template for Secret of the Kafka Connect Cluster JMX authentication.
-                  description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated."
+                  description: "Template for Kafka Connect and Kafka MirrorMaker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated."
                 externalConfiguration:
                   type: object
                   properties:
@@ -1857,16 +2195,6 @@ spec:
                           valueFrom:
                             type: object
                             properties:
-                              configMapKeyRef:
-                                type: object
-                                properties:
-                                  key:
-                                    type: string
-                                  name:
-                                    type: string
-                                  optional:
-                                    type: boolean
-                                description: Reference to a key in a ConfigMap.
                               secretKeyRef:
                                 type: object
                                 properties:
@@ -1877,6 +2205,16 @@ spec:
                                   optional:
                                     type: boolean
                                 description: Reference to a key in a Secret.
+                              configMapKeyRef:
+                                type: object
+                                properties:
+                                  key:
+                                    type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: Reference to a key in a ConfigMap.
                             description: Value of the environment variable which will be passed to the Kafka Connect pods. It can be passed either as a reference to Secret or ConfigMap field. The field has to specify exactly one Secret or ConfigMap.
                         required:
                           - name
@@ -1887,27 +2225,6 @@ spec:
                       items:
                         type: object
                         properties:
-                          configMap:
-                            type: object
-                            properties:
-                              defaultMode:
-                                type: integer
-                              items:
-                                type: array
-                                items:
-                                  type: object
-                                  properties:
-                                    key:
-                                      type: string
-                                    mode:
-                                      type: integer
-                                    path:
-                                      type: string
-                              name:
-                                type: string
-                              optional:
-                                type: boolean
-                            description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified.
                           name:
                             type: string
                             description: Name of the volume which will be added to the Kafka Connect pods.
@@ -1932,6 +2249,27 @@ spec:
                               secretName:
                                 type: string
                             description: Reference to a key in a Secret. Exactly one Secret or ConfigMap has to be specified.
+                          configMap:
+                            type: object
+                            properties:
+                              defaultMode:
+                                type: integer
+                              items:
+                                type: array
+                                items:
+                                  type: object
+                                  properties:
+                                    key:
+                                      type: string
+                                    mode:
+                                      type: integer
+                                    path:
+                                      type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified.
                         required:
                           - name
                       description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as volumes.
@@ -1963,23 +2301,6 @@ spec:
                         - image
                         - type
                       description: Configures where should the newly built image be stored. Required.
-                    resources:
-                      type: object
-                      properties:
-                        claims:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              name:
-                                type: string
-                        limits:
-                          x-kubernetes-preserve-unknown-fields: true
-                          type: object
-                        requests:
-                          x-kubernetes-preserve-unknown-fields: true
-                          type: object
-                      description: CPU and memory resources to reserve for the build.
                     plugins:
                       type: array
                       items:
@@ -2035,36 +2356,37 @@ spec:
                           - name
                           - artifacts
                       description: List of connector plugins which should be added to the Kafka Connect. Required.
+                    resources:
+                      type: object
+                      properties:
+                        claims:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                        limits:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                            x-kubernetes-int-or-string: true
+                          type: object
+                        requests:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                            x-kubernetes-int-or-string: true
+                          type: object
+                      description: CPU and memory resources to reserve for the build.
                   required:
                     - output
                     - plugins
                   description: Configures how the Connect container image should be built. Optional.
-                metricsConfig:
-                  type: object
-                  properties:
-                    type:
-                      type: string
-                      enum:
-                        - jmxPrometheusExporter
-                      description: Metrics type. Only 'jmxPrometheusExporter' supported currently.
-                    valueFrom:
-                      type: object
-                      properties:
-                        configMapKeyRef:
-                          type: object
-                          properties:
-                            key:
-                              type: string
-                            name:
-                              type: string
-                            optional:
-                              type: boolean
-                          description: Reference to the key in the ConfigMap containing the configuration.
-                      description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. '
-                  required:
-                    - type
-                    - valueFrom
-                  description: Metrics configuration.
               required:
                 - bootstrapServers
               description: The specification of the Kafka Connect cluster.
@@ -2103,20 +2425,20 @@ spec:
                   items:
                     type: object
                     properties:
+                      class:
+                        type: string
+                        description: The class of the connector plugin.
                       type:
                         type: string
                         description: The type of the connector plugin. The available types are `sink` and `source`.
                       version:
                         type: string
                         description: The version of the connector plugin.
-                      class:
-                        type: string
-                        description: The class of the connector plugin.
                   description: The list of connector plugins available in this Kafka Connect deployment.
-                labelSelector:
-                  type: string
-                  description: Label selector for pods providing this resource.
                 replicas:
                   type: integer
                   description: The current number of pods being used to provide this resource.
+                labelSelector:
+                  type: string
+                  description: Label selector for pods providing this resource.
               description: The status of the Kafka Connect cluster.

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/043-Crd-kafkatopic.yaml

@@ -58,6 +58,9 @@ spec:
             spec:
               type: object
               properties:
+                topicName:
+                  type: string
+                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
                 partitions:
                   type: integer
                   minimum: 1
@@ -71,9 +74,6 @@ spec:
                   x-kubernetes-preserve-unknown-fields: true
                   type: object
                   description: The topic configuration.
-                topicName:
-                  type: string
-                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
               description: The specification of the topic.
             status:
               type: object
@@ -108,6 +108,25 @@ spec:
                 topicId:
                   type: string
                   description: "The topic's id. For a KafkaTopic with the ready condition, this will change only if the topic gets deleted and recreated with the same name."
+                replicasChange:
+                  type: object
+                  properties:
+                    targetReplicas:
+                      type: integer
+                      description: The target replicas value requested by the user. This may be different from .spec.replicas when a change is ongoing.
+                    state:
+                      type: string
+                      enum:
+                        - pending
+                        - ongoing
+                      description: "Current state of the replicas change operation. This can be `pending`, when the change has been requested, or `ongoing`, when the change has been successfully submitted to Cruise Control."
+                    message:
+                      type: string
+                      description: Message for the user related to the replicas change request. This may contain transient error messages that would disappear on periodic reconciliations.
+                    sessionId:
+                      type: string
+                      description: The session identifier for replicas change requests pertaining to this KafkaTopic resource. This is used by the Topic Operator to track the status of `ongoing` replicas change operations.
+                  description: Replication factor change status.
               description: The status of the topic.
     - name: v1beta1
       served: true
@@ -146,6 +165,9 @@ spec:
             spec:
               type: object
               properties:
+                topicName:
+                  type: string
+                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
                 partitions:
                   type: integer
                   minimum: 1
@@ -159,9 +181,6 @@ spec:
                   x-kubernetes-preserve-unknown-fields: true
                   type: object
                   description: The topic configuration.
-                topicName:
-                  type: string
-                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
               description: The specification of the topic.
             status:
               type: object
@@ -196,6 +215,25 @@ spec:
                 topicId:
                   type: string
                   description: "The topic's id. For a KafkaTopic with the ready condition, this will change only if the topic gets deleted and recreated with the same name."
+                replicasChange:
+                  type: object
+                  properties:
+                    targetReplicas:
+                      type: integer
+                      description: The target replicas value requested by the user. This may be different from .spec.replicas when a change is ongoing.
+                    state:
+                      type: string
+                      enum:
+                        - pending
+                        - ongoing
+                      description: "Current state of the replicas change operation. This can be `pending`, when the change has been requested, or `ongoing`, when the change has been successfully submitted to Cruise Control."
+                    message:
+                      type: string
+                      description: Message for the user related to the replicas change request. This may contain transient error messages that would disappear on periodic reconciliations.
+                    sessionId:
+                      type: string
+                      description: The session identifier for replicas change requests pertaining to this KafkaTopic resource. This is used by the Topic Operator to track the status of `ongoing` replicas change operations.
+                  description: Replication factor change status.
               description: The status of the topic.
     - name: v1alpha1
       served: true
@@ -234,6 +272,9 @@ spec:
             spec:
               type: object
               properties:
+                topicName:
+                  type: string
+                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
                 partitions:
                   type: integer
                   minimum: 1
@@ -247,9 +288,6 @@ spec:
                   x-kubernetes-preserve-unknown-fields: true
                   type: object
                   description: The topic configuration.
-                topicName:
-                  type: string
-                  description: The name of the topic. When absent this will default to the metadata.name of the topic. It is recommended to not set this unless the topic name is not a valid Kubernetes resource name.
               description: The specification of the topic.
             status:
               type: object
@@ -284,4 +322,23 @@ spec:
                 topicId:
                   type: string
                   description: "The topic's id. For a KafkaTopic with the ready condition, this will change only if the topic gets deleted and recreated with the same name."
+                replicasChange:
+                  type: object
+                  properties:
+                    targetReplicas:
+                      type: integer
+                      description: The target replicas value requested by the user. This may be different from .spec.replicas when a change is ongoing.
+                    state:
+                      type: string
+                      enum:
+                        - pending
+                        - ongoing
+                      description: "Current state of the replicas change operation. This can be `pending`, when the change has been requested, or `ongoing`, when the change has been successfully submitted to Cruise Control."
+                    message:
+                      type: string
+                      description: Message for the user related to the replicas change request. This may contain transient error messages that would disappear on periodic reconciliations.
+                    sessionId:
+                      type: string
+                      description: The session identifier for replicas change requests pertaining to this KafkaTopic resource. This is used by the Topic Operator to track the status of `ongoing` replicas change operations.
+                  description: Replication factor change status.
               description: The status of the topic.

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml

@@ -99,9 +99,38 @@ spec:
                       items:
                         type: object
                         properties:
+                          type:
+                            type: string
+                            enum:
+                              - allow
+                              - deny
+                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                          resource:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
+                              patternType:
+                                type: string
+                                enum:
+                                  - literal
+                                  - prefix
+                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
+                              type:
+                                type: string
+                                enum:
+                                  - topic
+                                  - group
+                                  - cluster
+                                  - transactionalId
+                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
+                            required:
+                              - type
+                            description: Indicates the resource for which given ACL rule applies.
                           host:
                             type: string
-                            description: The host from which the action described in the ACL rule is allowed or denied.
+                            description: "The host from which the action described in the ACL rule is allowed or denied. If not set, it defaults to `*`, allowing or denying the action from any host."
                           operation:
                             type: string
                             enum:
@@ -133,36 +162,7 @@ spec:
                                 - DescribeConfigs
                                 - IdempotentWrite
                                 - All
-                            description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All."
-                          resource:
-                            type: object
-                            properties:
-                              name:
-                                type: string
-                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
-                              patternType:
-                                type: string
-                                enum:
-                                  - literal
-                                  - prefix
-                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
-                              type:
-                                type: string
-                                enum:
-                                  - topic
-                                  - group
-                                  - cluster
-                                  - transactionalId
-                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
-                            required:
-                              - type
-                            description: Indicates the resource for which given ACL rule applies.
-                          type:
-                            type: string
-                            enum:
-                              - allow
-                              - deny
-                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                            description: "List of operations to allow or deny. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All. Only certain operations work with the specified resource."
                         required:
                           - resource
                       description: List of ACL rules which should be applied to this user.
@@ -178,22 +178,22 @@ spec:
                 quotas:
                   type: object
                   properties:
-                    consumerByteRate:
-                      type: integer
-                      minimum: 0
-                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
-                    controllerMutationRate:
-                      type: number
-                      minimum: 0
-                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                     producerByteRate:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis.
+                    consumerByteRate:
+                      type: integer
+                      minimum: 0
+                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
                     requestPercentage:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads.
+                    controllerMutationRate:
+                      type: number
+                      minimum: 0
+                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                   description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas.
                 template:
                   type: object
@@ -330,9 +330,38 @@ spec:
                       items:
                         type: object
                         properties:
+                          type:
+                            type: string
+                            enum:
+                              - allow
+                              - deny
+                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                          resource:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
+                              patternType:
+                                type: string
+                                enum:
+                                  - literal
+                                  - prefix
+                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
+                              type:
+                                type: string
+                                enum:
+                                  - topic
+                                  - group
+                                  - cluster
+                                  - transactionalId
+                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
+                            required:
+                              - type
+                            description: Indicates the resource for which given ACL rule applies.
                           host:
                             type: string
-                            description: The host from which the action described in the ACL rule is allowed or denied.
+                            description: "The host from which the action described in the ACL rule is allowed or denied. If not set, it defaults to `*`, allowing or denying the action from any host."
                           operation:
                             type: string
                             enum:
@@ -364,36 +393,7 @@ spec:
                                 - DescribeConfigs
                                 - IdempotentWrite
                                 - All
-                            description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All."
-                          resource:
-                            type: object
-                            properties:
-                              name:
-                                type: string
-                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
-                              patternType:
-                                type: string
-                                enum:
-                                  - literal
-                                  - prefix
-                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
-                              type:
-                                type: string
-                                enum:
-                                  - topic
-                                  - group
-                                  - cluster
-                                  - transactionalId
-                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
-                            required:
-                              - type
-                            description: Indicates the resource for which given ACL rule applies.
-                          type:
-                            type: string
-                            enum:
-                              - allow
-                              - deny
-                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                            description: "List of operations to allow or deny. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All. Only certain operations work with the specified resource."
                         required:
                           - resource
                       description: List of ACL rules which should be applied to this user.
@@ -409,22 +409,22 @@ spec:
                 quotas:
                   type: object
                   properties:
-                    consumerByteRate:
-                      type: integer
-                      minimum: 0
-                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
-                    controllerMutationRate:
-                      type: number
-                      minimum: 0
-                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                     producerByteRate:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis.
+                    consumerByteRate:
+                      type: integer
+                      minimum: 0
+                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
                     requestPercentage:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads.
+                    controllerMutationRate:
+                      type: number
+                      minimum: 0
+                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                   description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas.
                 template:
                   type: object
@@ -561,9 +561,38 @@ spec:
                       items:
                         type: object
                         properties:
+                          type:
+                            type: string
+                            enum:
+                              - allow
+                              - deny
+                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                          resource:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
+                              patternType:
+                                type: string
+                                enum:
+                                  - literal
+                                  - prefix
+                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
+                              type:
+                                type: string
+                                enum:
+                                  - topic
+                                  - group
+                                  - cluster
+                                  - transactionalId
+                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
+                            required:
+                              - type
+                            description: Indicates the resource for which given ACL rule applies.
                           host:
                             type: string
-                            description: The host from which the action described in the ACL rule is allowed or denied.
+                            description: "The host from which the action described in the ACL rule is allowed or denied. If not set, it defaults to `*`, allowing or denying the action from any host."
                           operation:
                             type: string
                             enum:
@@ -595,36 +624,7 @@ spec:
                                 - DescribeConfigs
                                 - IdempotentWrite
                                 - All
-                            description: "List of operations which will be allowed or denied. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All."
-                          resource:
-                            type: object
-                            properties:
-                              name:
-                                type: string
-                                description: Name of resource for which given ACL rule applies. Can be combined with `patternType` field to use prefix pattern.
-                              patternType:
-                                type: string
-                                enum:
-                                  - literal
-                                  - prefix
-                                description: "Describes the pattern used in the resource field. The supported types are `literal` and `prefix`. With `literal` pattern type, the resource field will be used as a definition of a full name. With `prefix` pattern type, the resource name will be used only as a prefix. Default value is `literal`."
-                              type:
-                                type: string
-                                enum:
-                                  - topic
-                                  - group
-                                  - cluster
-                                  - transactionalId
-                                description: "Resource type. The available resource types are `topic`, `group`, `cluster`, and `transactionalId`."
-                            required:
-                              - type
-                            description: Indicates the resource for which given ACL rule applies.
-                          type:
-                            type: string
-                            enum:
-                              - allow
-                              - deny
-                            description: The type of the rule. Currently the only supported type is `allow`. ACL rules with type `allow` are used to allow user to execute the specified operations. Default value is `allow`.
+                            description: "List of operations to allow or deny. Supported operations are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, AlterConfigs, DescribeConfigs, IdempotentWrite and All. Only certain operations work with the specified resource."
                         required:
                           - resource
                       description: List of ACL rules which should be applied to this user.
@@ -640,22 +640,22 @@ spec:
                 quotas:
                   type: object
                   properties:
-                    consumerByteRate:
-                      type: integer
-                      minimum: 0
-                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
-                    controllerMutationRate:
-                      type: number
-                      minimum: 0
-                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                     producerByteRate:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum bytes per-second that each client group can publish to a broker before the clients in the group are throttled. Defined on a per-broker basis.
+                    consumerByteRate:
+                      type: integer
+                      minimum: 0
+                      description: A quota on the maximum bytes per-second that each client group can fetch from a broker before the clients in the group are throttled. Defined on a per-broker basis.
                     requestPercentage:
                       type: integer
                       minimum: 0
                       description: A quota on the maximum CPU utilization of each client group as a percentage of network and I/O threads.
+                    controllerMutationRate:
+                      type: number
+                      minimum: 0
+                      description: "A quota on the rate at which mutations are accepted for the create topics request, the create partitions request and the delete topics request. The rate is accumulated by the number of partitions created or deleted."
                   description: Quotas on requests to control the broker resources used by clients. Network bandwidth and request rate quotas can be enforced.Kafka documentation for Kafka User quotas can be found at http://kafka.apache.org/documentation/#design_quotas.
                 template:
                   type: object

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/045-Crd-kafkamirrormaker.yaml

@@ -109,26 +109,48 @@ spec:
                         accessTokenIsJwt:
                           type: boolean
                           description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`.
+                        accessTokenLocation:
+                          type: string
+                          description: Path to the token file containing an access token to be used for authentication.
                         audience:
                           type: string
                           description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request."
                         certificateAndKey:
                           type: object
                           properties:
+                            secretName:
+                              type: string
+                              description: The name of the Secret containing the certificate.
                             certificate:
                               type: string
                               description: The name of the file certificate in the Secret.
                             key:
                               type: string
                               description: The name of the private key in the Secret.
-                            secretName:
-                              type: string
-                              description: The name of the Secret containing the certificate.
                           required:
+                            - secretName
                             - certificate
                             - key
-                            - secretName
                           description: Reference to the `Secret` which holds the certificate and private key pair.
+                        clientAssertion:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                              description: The key under which the secret value is stored in the Kubernetes Secret.
+                            secretName:
+                              type: string
+                              description: The name of the Kubernetes Secret containing the secret value.
+                          required:
+                            - key
+                            - secretName
+                          description: Link to Kubernetes secret containing the client assertion which was manually configured for the client.
+                        clientAssertionLocation:
+                          type: string
+                          description: Path to the file containing the client assertion to be used for authentication.
+                        clientAssertionType:
+                          type: string
+                          description: "The client assertion type. If not set, and either `clientAssertion` or `clientAssertionLocation` is configured, this value defaults to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`."
                         clientId:
                           type: string
                           description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI.
@@ -169,15 +191,15 @@ spec:
                         passwordSecret:
                           type: object
                           properties:
-                            password:
-                              type: string
-                              description: The name of the key in the Secret under which the password is stored.
                             secretName:
                               type: string
                               description: The name of the Secret containing the password.
+                            password:
+                              type: string
+                              description: The name of the key in the Secret under which the password is stored.
                           required:
-                            - password
                             - secretName
+                            - password
                           description: Reference to the `Secret` which holds the password.
                         readTimeoutSeconds:
                           type: integer
@@ -195,6 +217,11 @@ spec:
                             - key
                             - secretName
                           description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server.
+                        saslExtensions:
+                          additionalProperties:
+                            type: string
+                          type: object
+                          description: SASL extensions parameters.
                         scope:
                           type: string
                           description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request.
@@ -203,14 +230,25 @@ spec:
                           items:
                             type: object
                             properties:
-                              certificate:
-                                type: string
-                                description: The name of the file certificate in the Secret.
                               secretName:
                                 type: string
                                 description: The name of the Secret containing the certificate.
+                              certificate:
+                                type: string
+                                description: The name of the file certificate in the secret.
+                              pattern:
+                                type: string
+                                description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                            oneOf:
+                              - properties:
+                                  certificate: {}
+                                required:
+                                  - certificate
+                              - properties:
+                                  pattern: {}
+                                required:
+                                  - pattern
                             required:
-                              - certificate
                               - secretName
                           description: Trusted certificates for TLS connection to the OAuth server.
                         tokenEndpointUri:
@@ -231,10 +269,6 @@ spec:
                       required:
                         - type
                       description: Authentication configuration for connecting to the cluster.
-                    config:
-                      x-kubernetes-preserve-unknown-fields: true
-                      type: object
-                      description: "The MirrorMaker consumer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)."
                     tls:
                       type: object
                       properties:
@@ -243,17 +277,32 @@ spec:
                           items:
                             type: object
                             properties:
-                              certificate:
-                                type: string
-                                description: The name of the file certificate in the Secret.
                               secretName:
                                 type: string
                                 description: The name of the Secret containing the certificate.
+                              certificate:
+                                type: string
+                                description: The name of the file certificate in the secret.
+                              pattern:
+                                type: string
+                                description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                            oneOf:
+                              - properties:
+                                  certificate: {}
+                                required:
+                                  - certificate
+                              - properties:
+                                  pattern: {}
+                                required:
+                                  - pattern
                             required:
-                              - certificate
                               - secretName
                           description: Trusted certificates for TLS connection.
                       description: TLS configuration for connecting MirrorMaker to the cluster.
+                    config:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                      description: "The MirrorMaker consumer config. Properties with the following prefixes cannot be set: ssl., bootstrap.servers, group.id, sasl., security., interceptor.classes (with the exception of: ssl.endpoint.identification.algorithm, ssl.cipher.suites, ssl.protocol, ssl.enabled.protocols)."
                   required:
                     - bootstrapServers
                     - groupId
@@ -286,26 +335,48 @@ spec:
                         accessTokenIsJwt:
                           type: boolean
                           description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`.
+                        accessTokenLocation:
+                          type: string
+                          description: Path to the token file containing an access token to be used for authentication.
                         audience:
                           type: string
                           description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request."
                         certificateAndKey:
                           type: object
                           properties:
+                            secretName:
+                              type: string
+                              description: The name of the Secret containing the certificate.
                             certificate:
                               type: string
                               description: The name of the file certificate in the Secret.
                             key:
                               type: string
                               description: The name of the private key in the Secret.
-                            secretName:
-                              type: string
-                              description: The name of the Secret containing the certificate.
                           required:
+                            - secretName
                             - certificate
                             - key
-                            - secretName
                           description: Reference to the `Secret` which holds the certificate and private key pair.
+                        clientAssertion:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                              description: The key under which the secret value is stored in the Kubernetes Secret.
+                            secretName:
+                              type: string
+                              description: The name of the Kubernetes Secret containing the secret value.
+                          required:
+                            - key
+                            - secretName
+                          description: Link to Kubernetes secret containing the client assertion which was manually configured for the client.
+                        clientAssertionLocation:
+                          type: string
+                          description: Path to the file containing the client assertion to be used for authentication.
+                        clientAssertionType:
+                          type: string
+                          description: "The client assertion type. If not set, and either `clientAssertion` or `clientAssertionLocation` is configured, this value defaults to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`."
                         clientId:
                           type: string
                           description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI.
@@ -346,15 +417,15 @@ spec:
                         passwordSecret:
                           type: object
                           properties:
-                            password:
-                              type: string
-                              description: The name of the key in the Secret under which the password is stored.
                             secretName:
                               type: string
                               description: The name of the Secret containing the password.
+                            password:
+                              type: string
+                              description: The name of the key in the Secret under which the password is stored.
                           required:
-                            - password
                             - secretName
+                            - password
                           description: Reference to the `Secret` which holds the password.
                         readTimeoutSeconds:
                           type: integer
@@ -372,6 +443,11 @@ spec:
                             - key
                             - secretName
                           description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server.
+                        saslExtensions:
+                          additionalProperties:
+                            type: string
+                          type: object
+                          description: SASL extensions parameters.
                         scope:
                           type: string
                           description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request.
@@ -380,14 +456,25 @@ spec:
                           items:
                             type: object
                             properties:
-                              certificate:
-                                type: string
-                                description: The name of the file certificate in the Secret.
                               secretName:
                                 type: string
                                 description: The name of the Secret containing the certificate.
+                              certificate:
+                                type: string
+                                description: The name of the file certificate in the secret.
+                              pattern:
+                                type: string
+                                description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                            oneOf:
+                              - properties:
+                                  certificate: {}
+                                required:
+                                  - certificate
+                              - properties:
+                                  pattern: {}
+                                required:
+                                  - pattern
                             required:
-                              - certificate
                               - secretName
                           description: Trusted certificates for TLS connection to the OAuth server.
                         tokenEndpointUri:
@@ -420,14 +507,25 @@ spec:
                           items:
                             type: object
                             properties:
-                              certificate:
-                                type: string
-                                description: The name of the file certificate in the Secret.
                               secretName:
                                 type: string
                                 description: The name of the Secret containing the certificate.
+                              certificate:
+                                type: string
+                                description: The name of the file certificate in the secret.
+                              pattern:
+                                type: string
+                                description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                            oneOf:
+                              - properties:
+                                  certificate: {}
+                                required:
+                                  - certificate
+                              - properties:
+                                  pattern: {}
+                                required:
+                                  - pattern
                             required:
-                              - certificate
                               - secretName
                           description: Trusted certificates for TLS connection.
                       description: TLS configuration for connecting MirrorMaker to the cluster.
@@ -445,10 +543,20 @@ spec:
                           name:
                             type: string
                     limits:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                     requests:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                   description: CPU and memory resources to reserve.
                 whitelist:
@@ -465,14 +573,14 @@ spec:
                         type: string
                       type: object
                       description: A map of -XX options to the JVM.
-                    "-Xms":
-                      type: string
-                      pattern: "^[0-9]+[mMgG]?$"
-                      description: -Xms option to to the JVM.
                     "-Xmx":
                       type: string
                       pattern: "^[0-9]+[mMgG]?$"
                       description: -Xmx option to to the JVM.
+                    "-Xms":
+                      type: string
+                      pattern: "^[0-9]+[mMgG]?$"
+                      description: -Xms option to to the JVM.
                     gcLoggingEnabled:
                       type: boolean
                       description: Specifies whether the Garbage Collection logging is enabled. The default is false.
@@ -613,6 +721,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -1015,31 +1130,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -1082,6 +1172,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka MirrorMaker `Pods`.
                     podDisruptionBudget:
                       type: object
@@ -1125,6 +1319,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1178,6 +1379,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for Kafka MirrorMaker container.
                     serviceAccount:
                       type: object
@@ -1201,14 +1422,14 @@ spec:
                 livenessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -1217,22 +1438,22 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod liveness checking.
                 readinessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -1241,10 +1462,10 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod readiness checking.
               oneOf:
                 - properties:

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/046-Crd-kafkabridge.yaml

@@ -77,14 +77,25 @@ spec:
                       items:
                         type: object
                         properties:
-                          certificate:
-                            type: string
-                            description: The name of the file certificate in the Secret.
                           secretName:
                             type: string
                             description: The name of the Secret containing the certificate.
+                          certificate:
+                            type: string
+                            description: The name of the file certificate in the secret.
+                          pattern:
+                            type: string
+                            description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                        oneOf:
+                          - properties:
+                              certificate: {}
+                            required:
+                              - certificate
+                          - properties:
+                              pattern: {}
+                            required:
+                              - pattern
                         required:
-                          - certificate
                           - secretName
                       description: Trusted certificates for TLS connection.
                   description: TLS configuration for connecting Kafka Bridge to the cluster.
@@ -107,26 +118,48 @@ spec:
                     accessTokenIsJwt:
                       type: boolean
                       description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`.
+                    accessTokenLocation:
+                      type: string
+                      description: Path to the token file containing an access token to be used for authentication.
                     audience:
                       type: string
                       description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request."
                     certificateAndKey:
                       type: object
                       properties:
+                        secretName:
+                          type: string
+                          description: The name of the Secret containing the certificate.
                         certificate:
                           type: string
                           description: The name of the file certificate in the Secret.
                         key:
                           type: string
                           description: The name of the private key in the Secret.
-                        secretName:
-                          type: string
-                          description: The name of the Secret containing the certificate.
                       required:
+                        - secretName
                         - certificate
                         - key
-                        - secretName
                       description: Reference to the `Secret` which holds the certificate and private key pair.
+                    clientAssertion:
+                      type: object
+                      properties:
+                        key:
+                          type: string
+                          description: The key under which the secret value is stored in the Kubernetes Secret.
+                        secretName:
+                          type: string
+                          description: The name of the Kubernetes Secret containing the secret value.
+                      required:
+                        - key
+                        - secretName
+                      description: Link to Kubernetes secret containing the client assertion which was manually configured for the client.
+                    clientAssertionLocation:
+                      type: string
+                      description: Path to the file containing the client assertion to be used for authentication.
+                    clientAssertionType:
+                      type: string
+                      description: "The client assertion type. If not set, and either `clientAssertion` or `clientAssertionLocation` is configured, this value defaults to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`."
                     clientId:
                       type: string
                       description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI.
@@ -167,15 +200,15 @@ spec:
                     passwordSecret:
                       type: object
                       properties:
-                        password:
-                          type: string
-                          description: The name of the key in the Secret under which the password is stored.
                         secretName:
                           type: string
                           description: The name of the Secret containing the password.
+                        password:
+                          type: string
+                          description: The name of the key in the Secret under which the password is stored.
                       required:
-                        - password
                         - secretName
+                        - password
                       description: Reference to the `Secret` which holds the password.
                     readTimeoutSeconds:
                       type: integer
@@ -193,6 +226,11 @@ spec:
                         - key
                         - secretName
                       description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server.
+                    saslExtensions:
+                      additionalProperties:
+                        type: string
+                      type: object
+                      description: SASL extensions parameters.
                     scope:
                       type: string
                       description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request.
@@ -201,14 +239,25 @@ spec:
                       items:
                         type: object
                         properties:
-                          certificate:
-                            type: string
-                            description: The name of the file certificate in the Secret.
                           secretName:
                             type: string
                             description: The name of the Secret containing the certificate.
+                          certificate:
+                            type: string
+                            description: The name of the file certificate in the secret.
+                          pattern:
+                            type: string
+                            description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                        oneOf:
+                          - properties:
+                              certificate: {}
+                            required:
+                              - certificate
+                          - properties:
+                              pattern: {}
+                            required:
+                              - pattern
                         required:
-                          - certificate
                           - secretName
                       description: Trusted certificates for TLS connection to the OAuth server.
                     tokenEndpointUri:
@@ -265,6 +314,12 @@ spec:
                 consumer:
                   type: object
                   properties:
+                    enabled:
+                      type: boolean
+                      description: Whether the HTTP consumer should be enabled or disabled. The default is enabled (`true`).
+                    timeoutSeconds:
+                      type: integer
+                      description: "The timeout in seconds for deleting inactive consumers, default is -1 (disabled)."
                     config:
                       x-kubernetes-preserve-unknown-fields: true
                       type: object
@@ -273,6 +328,9 @@ spec:
                 producer:
                   type: object
                   properties:
+                    enabled:
+                      type: boolean
+                      description: Whether the HTTP producer should be enabled or disabled. The default is enabled (`true`).
                     config:
                       x-kubernetes-preserve-unknown-fields: true
                       type: object
@@ -289,10 +347,20 @@ spec:
                           name:
                             type: string
                     limits:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                     requests:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                   description: CPU and memory resources to reserve.
                 jvmOptions:
@@ -303,14 +371,14 @@ spec:
                         type: string
                       type: object
                       description: A map of -XX options to the JVM.
-                    "-Xms":
-                      type: string
-                      pattern: "^[0-9]+[mMgG]?$"
-                      description: -Xms option to to the JVM.
                     "-Xmx":
                       type: string
                       pattern: "^[0-9]+[mMgG]?$"
                       description: -Xmx option to to the JVM.
+                    "-Xms":
+                      type: string
+                      pattern: "^[0-9]+[mMgG]?$"
+                      description: -Xms option to to the JVM.
                     gcLoggingEnabled:
                       type: boolean
                       description: Specifies whether the Garbage Collection logging is enabled. The default is false.
@@ -377,14 +445,14 @@ spec:
                 livenessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -393,22 +461,22 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod liveness checking.
                 readinessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -417,10 +485,10 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod readiness checking.
                 template:
                   type: object
@@ -477,6 +545,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -879,31 +954,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -946,6 +996,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka Bridge `Pods`.
                     apiService:
                       type: object
@@ -1022,6 +1176,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1075,6 +1236,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Bridge container.
                     clusterRoleBinding:
                       type: object
@@ -1132,6 +1313,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1185,6 +1373,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Bridge init container.
                   description: Template for Kafka Bridge resources. The template allows users to specify how a `Deployment` and `Pod` is generated.
                 tracing:
@@ -1232,10 +1440,10 @@ spec:
                 url:
                   type: string
                   description: The URL at which external client applications can access the Kafka Bridge.
-                labelSelector:
-                  type: string
-                  description: Label selector for pods providing this resource.
                 replicas:
                   type: integer
                   description: The current number of pods being used to provide this resource.
+                labelSelector:
+                  type: string
+                  description: Label selector for pods providing this resource.
               description: The status of the Kafka Bridge.

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/047-Crd-kafkaconnector.yaml

@@ -81,7 +81,7 @@ spec:
                 config:
                   x-kubernetes-preserve-unknown-fields: true
                   type: object
-                  description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max."
+                  description: "The Kafka Connector configuration. The following properties cannot be set: name, connector.class, tasks.max."
                 pause:
                   type: boolean
                   description: Whether the connector should be paused. Defaults to false.

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/048-Crd-kafkamirrormaker2.yaml

@@ -86,14 +86,25 @@ spec:
                             items:
                               type: object
                               properties:
-                                certificate:
-                                  type: string
-                                  description: The name of the file certificate in the Secret.
                                 secretName:
                                   type: string
                                   description: The name of the Secret containing the certificate.
+                                certificate:
+                                  type: string
+                                  description: The name of the file certificate in the secret.
+                                pattern:
+                                  type: string
+                                  description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                              oneOf:
+                                - properties:
+                                    certificate: {}
+                                  required:
+                                    - certificate
+                                - properties:
+                                    pattern: {}
+                                  required:
+                                    - pattern
                               required:
-                                - certificate
                                 - secretName
                             description: Trusted certificates for TLS connection.
                         description: TLS configuration for connecting MirrorMaker 2 connectors to a cluster.
@@ -116,26 +127,48 @@ spec:
                           accessTokenIsJwt:
                             type: boolean
                             description: Configure whether access token should be treated as JWT. This should be set to `false` if the authorization server returns opaque tokens. Defaults to `true`.
+                          accessTokenLocation:
+                            type: string
+                            description: Path to the token file containing an access token to be used for authentication.
                           audience:
                             type: string
                             description: "OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, `audience` is not specified when performing the token endpoint request."
                           certificateAndKey:
                             type: object
                             properties:
+                              secretName:
+                                type: string
+                                description: The name of the Secret containing the certificate.
                               certificate:
                                 type: string
                                 description: The name of the file certificate in the Secret.
                               key:
                                 type: string
                                 description: The name of the private key in the Secret.
-                              secretName:
-                                type: string
-                                description: The name of the Secret containing the certificate.
                             required:
+                              - secretName
                               - certificate
                               - key
-                              - secretName
                             description: Reference to the `Secret` which holds the certificate and private key pair.
+                          clientAssertion:
+                            type: object
+                            properties:
+                              key:
+                                type: string
+                                description: The key under which the secret value is stored in the Kubernetes Secret.
+                              secretName:
+                                type: string
+                                description: The name of the Kubernetes Secret containing the secret value.
+                            required:
+                              - key
+                              - secretName
+                            description: Link to Kubernetes secret containing the client assertion which was manually configured for the client.
+                          clientAssertionLocation:
+                            type: string
+                            description: Path to the file containing the client assertion to be used for authentication.
+                          clientAssertionType:
+                            type: string
+                            description: "The client assertion type. If not set, and either `clientAssertion` or `clientAssertionLocation` is configured, this value defaults to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`."
                           clientId:
                             type: string
                             description: OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI.
@@ -176,15 +209,15 @@ spec:
                           passwordSecret:
                             type: object
                             properties:
-                              password:
-                                type: string
-                                description: The name of the key in the Secret under which the password is stored.
                               secretName:
                                 type: string
                                 description: The name of the Secret containing the password.
+                              password:
+                                type: string
+                                description: The name of the key in the Secret under which the password is stored.
                             required:
-                              - password
                               - secretName
+                              - password
                             description: Reference to the `Secret` which holds the password.
                           readTimeoutSeconds:
                             type: integer
@@ -202,6 +235,11 @@ spec:
                               - key
                               - secretName
                             description: Link to Kubernetes Secret containing the refresh token which can be used to obtain access token from the authorization server.
+                          saslExtensions:
+                            additionalProperties:
+                              type: string
+                            type: object
+                            description: SASL extensions parameters.
                           scope:
                             type: string
                             description: OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default `scope` is not specified when doing the token endpoint request.
@@ -210,14 +248,25 @@ spec:
                             items:
                               type: object
                               properties:
-                                certificate:
-                                  type: string
-                                  description: The name of the file certificate in the Secret.
                                 secretName:
                                   type: string
                                   description: The name of the Secret containing the certificate.
+                                certificate:
+                                  type: string
+                                  description: The name of the file certificate in the secret.
+                                pattern:
+                                  type: string
+                                  description: "Pattern for the certificate files in the secret. Use the link:https://en.wikipedia.org/wiki/Glob_(programming)[_glob syntax_] for the pattern. All files in the secret that match the pattern are used."
+                              oneOf:
+                                - properties:
+                                    certificate: {}
+                                  required:
+                                    - certificate
+                                - properties:
+                                    pattern: {}
+                                  required:
+                                    - pattern
                               required:
-                                - certificate
                                 - secretName
                             description: Trusted certificates for TLS connection to the OAuth server.
                           tokenEndpointUri:
@@ -264,10 +313,20 @@ spec:
                             type: integer
                             minimum: 1
                             description: The maximum number of tasks for the Kafka Connector.
+                          pause:
+                            type: boolean
+                            description: Whether the connector should be paused. Defaults to false.
                           config:
                             x-kubernetes-preserve-unknown-fields: true
                             type: object
-                            description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max."
+                            description: "The Kafka Connector configuration. The following properties cannot be set: name, connector.class, tasks.max."
+                          state:
+                            type: string
+                            enum:
+                              - paused
+                              - stopped
+                              - running
+                            description: The state the connector should be in. Defaults to running.
                           autoRestart:
                             type: object
                             properties:
@@ -278,16 +337,6 @@ spec:
                                 type: integer
                                 description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts."
                             description: Automatic restart of connector and tasks configuration.
-                          pause:
-                            type: boolean
-                            description: Whether the connector should be paused. Defaults to false.
-                          state:
-                            type: string
-                            enum:
-                              - paused
-                              - stopped
-                              - running
-                            description: The state the connector should be in. Defaults to running.
                         description: The specification of the Kafka MirrorMaker 2 source connector.
                       heartbeatConnector:
                         type: object
@@ -296,10 +345,20 @@ spec:
                             type: integer
                             minimum: 1
                             description: The maximum number of tasks for the Kafka Connector.
+                          pause:
+                            type: boolean
+                            description: Whether the connector should be paused. Defaults to false.
                           config:
                             x-kubernetes-preserve-unknown-fields: true
                             type: object
-                            description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max."
+                            description: "The Kafka Connector configuration. The following properties cannot be set: name, connector.class, tasks.max."
+                          state:
+                            type: string
+                            enum:
+                              - paused
+                              - stopped
+                              - running
+                            description: The state the connector should be in. Defaults to running.
                           autoRestart:
                             type: object
                             properties:
@@ -310,16 +369,6 @@ spec:
                                 type: integer
                                 description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts."
                             description: Automatic restart of connector and tasks configuration.
-                          pause:
-                            type: boolean
-                            description: Whether the connector should be paused. Defaults to false.
-                          state:
-                            type: string
-                            enum:
-                              - paused
-                              - stopped
-                              - running
-                            description: The state the connector should be in. Defaults to running.
                         description: The specification of the Kafka MirrorMaker 2 heartbeat connector.
                       checkpointConnector:
                         type: object
@@ -328,10 +377,20 @@ spec:
                             type: integer
                             minimum: 1
                             description: The maximum number of tasks for the Kafka Connector.
+                          pause:
+                            type: boolean
+                            description: Whether the connector should be paused. Defaults to false.
                           config:
                             x-kubernetes-preserve-unknown-fields: true
                             type: object
-                            description: "The Kafka Connector configuration. The following properties cannot be set: connector.class, tasks.max."
+                            description: "The Kafka Connector configuration. The following properties cannot be set: name, connector.class, tasks.max."
+                          state:
+                            type: string
+                            enum:
+                              - paused
+                              - stopped
+                              - running
+                            description: The state the connector should be in. Defaults to running.
                           autoRestart:
                             type: object
                             properties:
@@ -342,16 +401,6 @@ spec:
                                 type: integer
                                 description: "The maximum number of connector restarts that the operator will try. If the connector remains in a failed state after reaching this limit, it must be restarted manually by the user. Defaults to an unlimited number of restarts."
                             description: Automatic restart of connector and tasks configuration.
-                          pause:
-                            type: boolean
-                            description: Whether the connector should be paused. Defaults to false.
-                          state:
-                            type: string
-                            enum:
-                              - paused
-                              - stopped
-                              - running
-                            description: The state the connector should be in. Defaults to running.
                         description: The specification of the Kafka MirrorMaker 2 checkpoint connector.
                       topicsPattern:
                         type: string
@@ -386,23 +435,33 @@ spec:
                           name:
                             type: string
                     limits:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                     requests:
-                      x-kubernetes-preserve-unknown-fields: true
+                      additionalProperties:
+                        anyOf:
+                          - type: integer
+                          - type: string
+                        pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                        x-kubernetes-int-or-string: true
                       type: object
                   description: The maximum limits for CPU and memory resources and the requested initial resources.
                 livenessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -411,22 +470,22 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod liveness checking.
                 readinessProbe:
                   type: object
                   properties:
-                    failureThreshold:
-                      type: integer
-                      minimum: 1
-                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                     initialDelaySeconds:
                       type: integer
                       minimum: 0
                       description: The initial delay before first the health is first checked. Default to 15 seconds. Minimum value is 0.
+                    timeoutSeconds:
+                      type: integer
+                      minimum: 1
+                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
                     periodSeconds:
                       type: integer
                       minimum: 1
@@ -435,10 +494,10 @@ spec:
                       type: integer
                       minimum: 1
                       description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.
-                    timeoutSeconds:
+                    failureThreshold:
                       type: integer
                       minimum: 1
-                      description: The timeout for each attempted health check. Default to 5 seconds. Minimum value is 1.
+                      description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.
                   description: Pod readiness checking.
                 jvmOptions:
                   type: object
@@ -448,14 +507,14 @@ spec:
                         type: string
                       type: object
                       description: A map of -XX options to the JVM.
-                    "-Xms":
-                      type: string
-                      pattern: "^[0-9]+[mMgG]?$"
-                      description: -Xms option to to the JVM.
                     "-Xmx":
                       type: string
                       pattern: "^[0-9]+[mMgG]?$"
                       description: -Xmx option to to the JVM.
+                    "-Xms":
+                      type: string
+                      pattern: "^[0-9]+[mMgG]?$"
+                      description: -Xms option to to the JVM.
                     gcLoggingEnabled:
                       type: boolean
                       description: Specifies whether the Garbage Collection logging is enabled. The default is false.
@@ -531,6 +590,32 @@ spec:
                   required:
                     - topologyKey
                   description: Configuration of the node label which will be used as the `client.rack` consumer configuration.
+                metricsConfig:
+                  type: object
+                  properties:
+                    type:
+                      type: string
+                      enum:
+                        - jmxPrometheusExporter
+                      description: Metrics type. Only 'jmxPrometheusExporter' supported currently.
+                    valueFrom:
+                      type: object
+                      properties:
+                        configMapKeyRef:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                            name:
+                              type: string
+                            optional:
+                              type: boolean
+                          description: Reference to the key in the ConfigMap containing the configuration.
+                      description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. '
+                  required:
+                    - type
+                    - valueFrom
+                  description: Metrics configuration.
                 tracing:
                   type: object
                   properties:
@@ -616,6 +701,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -1018,31 +1110,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -1085,6 +1152,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka Connect `Pods`.
                     apiService:
                       type: object
@@ -1172,6 +1343,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1225,6 +1403,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Connect container.
                     initContainer:
                       type: object
@@ -1246,6 +1444,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1299,6 +1504,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka init container.
                     podDisruptionBudget:
                       type: object
@@ -1386,6 +1611,13 @@ spec:
                         securityContext:
                           type: object
                           properties:
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             fsGroup:
                               type: integer
                             fsGroupChangePolicy:
@@ -1788,31 +2020,6 @@ spec:
                               value:
                                 type: string
                           description: The pod's tolerations.
-                        priorityClassName:
-                          type: string
-                          description: 'The name of the priority class used to assign priority to the pods. '
-                        schedulerName:
-                          type: string
-                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                        hostAliases:
-                          type: array
-                          items:
-                            type: object
-                            properties:
-                              hostnames:
-                                type: array
-                                items:
-                                  type: string
-                              ip:
-                                type: string
-                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                        tmpDirSizeLimit:
-                          type: string
-                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                          description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                        enableServiceLinks:
-                          type: boolean
-                          description: Indicates whether information about services should be injected into Pod's environment variables.
                         topologySpreadConstraints:
                           type: array
                           items:
@@ -1855,6 +2062,110 @@ spec:
                               whenUnsatisfiable:
                                 type: string
                           description: The pod's topology spread constraints.
+                        priorityClassName:
+                          type: string
+                          description: 'The name of the priority class used to assign priority to the pods. '
+                        schedulerName:
+                          type: string
+                          description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                        hostAliases:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              hostnames:
+                                type: array
+                                items:
+                                  type: string
+                              ip:
+                                type: string
+                          description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                        enableServiceLinks:
+                          type: boolean
+                          description: Indicates whether information about services should be injected into Pod's environment variables.
+                        tmpDirSizeLimit:
+                          type: string
+                          pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                          description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                        volumes:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                                description: Name to use for the volume. Required.
+                              secret:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  optional:
+                                    type: boolean
+                                  secretName:
+                                    type: string
+                                description: Secret to use populate the volume.
+                              configMap:
+                                type: object
+                                properties:
+                                  defaultMode:
+                                    type: integer
+                                  items:
+                                    type: array
+                                    items:
+                                      type: object
+                                      properties:
+                                        key:
+                                          type: string
+                                        mode:
+                                          type: integer
+                                        path:
+                                          type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: ConfigMap to use to populate the volume.
+                              emptyDir:
+                                type: object
+                                properties:
+                                  medium:
+                                    type: string
+                                  sizeLimit:
+                                    type: object
+                                    properties:
+                                      amount:
+                                        type: string
+                                      format:
+                                        type: string
+                                description: EmptyDir to use to populate the volume.
+                              persistentVolumeClaim:
+                                type: object
+                                properties:
+                                  claimName:
+                                    type: string
+                                  readOnly:
+                                    type: boolean
+                                description: PersistentVolumeClaim object to use to populate the volume.
+                            oneOf:
+                              - properties:
+                                  secret: {}
+                                  configMap: {}
+                                  emptyDir: {}
+                                  persistentVolumeClaim: {}
+                                required: []
+                          description: Additional volumes that can be mounted to the pod.
                       description: Template for Kafka Connect Build `Pods`. The build pod is used only on Kubernetes.
                     buildContainer:
                       type: object
@@ -1876,6 +2187,13 @@ spec:
                           properties:
                             allowPrivilegeEscalation:
                               type: boolean
+                            appArmorProfile:
+                              type: object
+                              properties:
+                                localhostProfile:
+                                  type: string
+                                type:
+                                  type: string
                             capabilities:
                               type: object
                               properties:
@@ -1929,6 +2247,26 @@ spec:
                                 runAsUserName:
                                   type: string
                           description: Security context for the container.
+                        volumeMounts:
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              mountPath:
+                                type: string
+                              mountPropagation:
+                                type: string
+                              name:
+                                type: string
+                              readOnly:
+                                type: boolean
+                              recursiveReadOnly:
+                                type: string
+                              subPath:
+                                type: string
+                              subPathExpr:
+                                type: string
+                          description: Additional volume mounts which should be applied to the container.
                       description: Template for the Kafka Connect Build container. The build container is used only on Kubernetes.
                     buildConfig:
                       type: object
@@ -1987,7 +2325,7 @@ spec:
                               description: Annotations added to the Kubernetes resource.
                           description: Metadata applied to the resource.
                       description: Template for Secret of the Kafka Connect Cluster JMX authentication.
-                  description: "Template for Kafka Connect and Kafka Mirror Maker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated."
+                  description: "Template for Kafka Connect and Kafka MirrorMaker 2 resources. The template allows users to specify how the `Pods`, `Service`, and other services are generated."
                 externalConfiguration:
                   type: object
                   properties:
@@ -2002,16 +2340,6 @@ spec:
                           valueFrom:
                             type: object
                             properties:
-                              configMapKeyRef:
-                                type: object
-                                properties:
-                                  key:
-                                    type: string
-                                  name:
-                                    type: string
-                                  optional:
-                                    type: boolean
-                                description: Reference to a key in a ConfigMap.
                               secretKeyRef:
                                 type: object
                                 properties:
@@ -2022,6 +2350,16 @@ spec:
                                   optional:
                                     type: boolean
                                 description: Reference to a key in a Secret.
+                              configMapKeyRef:
+                                type: object
+                                properties:
+                                  key:
+                                    type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                description: Reference to a key in a ConfigMap.
                             description: Value of the environment variable which will be passed to the Kafka Connect pods. It can be passed either as a reference to Secret or ConfigMap field. The field has to specify exactly one Secret or ConfigMap.
                         required:
                           - name
@@ -2032,27 +2370,6 @@ spec:
                       items:
                         type: object
                         properties:
-                          configMap:
-                            type: object
-                            properties:
-                              defaultMode:
-                                type: integer
-                              items:
-                                type: array
-                                items:
-                                  type: object
-                                  properties:
-                                    key:
-                                      type: string
-                                    mode:
-                                      type: integer
-                                    path:
-                                      type: string
-                              name:
-                                type: string
-                              optional:
-                                type: boolean
-                            description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified.
                           name:
                             type: string
                             description: Name of the volume which will be added to the Kafka Connect pods.
@@ -2077,36 +2394,31 @@ spec:
                               secretName:
                                 type: string
                             description: Reference to a key in a Secret. Exactly one Secret or ConfigMap has to be specified.
+                          configMap:
+                            type: object
+                            properties:
+                              defaultMode:
+                                type: integer
+                              items:
+                                type: array
+                                items:
+                                  type: object
+                                  properties:
+                                    key:
+                                      type: string
+                                    mode:
+                                      type: integer
+                                    path:
+                                      type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            description: Reference to a key in a ConfigMap. Exactly one Secret or ConfigMap has to be specified.
                         required:
                           - name
                       description: Makes data from a Secret or ConfigMap available in the Kafka Connect pods as volumes.
                   description: Pass data from Secrets or ConfigMaps to the Kafka Connect pods and use them to configure connectors.
-                metricsConfig:
-                  type: object
-                  properties:
-                    type:
-                      type: string
-                      enum:
-                        - jmxPrometheusExporter
-                      description: Metrics type. Only 'jmxPrometheusExporter' supported currently.
-                    valueFrom:
-                      type: object
-                      properties:
-                        configMapKeyRef:
-                          type: object
-                          properties:
-                            key:
-                              type: string
-                            name:
-                              type: string
-                            optional:
-                              type: boolean
-                          description: Reference to the key in the ConfigMap containing the configuration.
-                      description: 'ConfigMap entry where the Prometheus JMX Exporter configuration is stored. '
-                  required:
-                    - type
-                    - valueFrom
-                  description: Metrics configuration.
               required:
                 - connectCluster
               description: The specification of the Kafka MirrorMaker 2 cluster.
@@ -2140,6 +2452,12 @@ spec:
                 url:
                   type: string
                   description: The URL of the REST API endpoint for managing and monitoring Kafka Connect connectors.
+                connectors:
+                  type: array
+                  items:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  description: "List of MirrorMaker 2 connector statuses, as reported by the Kafka Connect REST API."
                 autoRestartStatuses:
                   type: array
                   items:
@@ -2160,22 +2478,16 @@ spec:
                   items:
                     type: object
                     properties:
+                      class:
+                        type: string
+                        description: The class of the connector plugin.
                       type:
                         type: string
                         description: The type of the connector plugin. The available types are `sink` and `source`.
                       version:
                         type: string
                         description: The version of the connector plugin.
-                      class:
-                        type: string
-                        description: The class of the connector plugin.
                   description: The list of connector plugins available in this Kafka Connect deployment.
-                connectors:
-                  type: array
-                  items:
-                    x-kubernetes-preserve-unknown-fields: true
-                    type: object
-                  description: "List of MirrorMaker 2 connector statuses, as reported by the Kafka Connect REST API."
                 labelSelector:
                   type: string
                   description: Label selector for pods providing this resource.

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/049-Crd-kafkarebalance.yaml

@@ -51,6 +51,10 @@ spec:
           description: There is an error on the custom resource
           jsonPath: ".status.conditions[?(@.type==\"NotReady\")].status"
           type: string
+        - name: Stopped
+          description: Processing the proposal or running rebalancing was stopped
+          jsonPath: ".status.conditions[?(@.type==\"Stopped\")].status"
+          type: string
       schema:
         openAPIV3Schema:
           type: object

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/04A-Crd-kafkanodepool.yaml

@@ -34,6 +34,14 @@ spec:
       description: The desired number of replicas
       jsonPath: .spec.replicas
       type: integer
+    - name: Roles
+      description: Roles of the nodes in the pool
+      jsonPath: .status.roles
+      type: string
+    - name: NodeIds
+      description: Node IDs used by Kafka nodes in this pool
+      jsonPath: .status.nodeIds
+      type: string
     schema:
       openAPIV3Schema:
         type: object
@@ -66,6 +74,11 @@ spec:
                     type: integer
                     minimum: 0
                     description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'.
+                  kraftMetadata:
+                    type: string
+                    enum:
+                    - shared
+                    description: "Specifies whether this volume should be used for storing KRaft metadata. This property is optional. When set, the only currently supported value is `shared`. At most one volume can have this property set."
                   overrides:
                     type: array
                     items:
@@ -77,7 +90,7 @@ spec:
                         broker:
                           type: integer
                           description: Id of the kafka broker (broker identifier).
-                    description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers.
+                    description: Overrides for individual brokers. The `overrides` field allows you to specify a different configuration for different brokers.
                   selector:
                     additionalProperties:
                       type: string
@@ -111,7 +124,12 @@ spec:
                         id:
                           type: integer
                           minimum: 0
-                          description: Storage identification number. It is mandatory only for storage volumes defined in a storage of type 'jbod'.
+                          description: Storage identification number. Mandatory for storage volumes defined with a `jbod` storage type configuration.
+                        kraftMetadata:
+                          type: string
+                          enum:
+                          - shared
+                          description: "Specifies whether this volume should be used for storing KRaft metadata. This property is optional. When set, the only currently supported value is `shared`. At most one volume can have this property set."
                         overrides:
                           type: array
                           items:
@@ -123,7 +141,7 @@ spec:
                               broker:
                                 type: integer
                                 description: Id of the kafka broker (broker identifier).
-                          description: Overrides for individual brokers. The `overrides` field allows to specify a different configuration for different brokers.
+                          description: Overrides for individual brokers. The `overrides` field allows you to specify a different configuration for different brokers.
                         selector:
                           additionalProperties:
                             type: string
@@ -167,10 +185,20 @@ spec:
                         name:
                           type: string
                   limits:
-                    x-kubernetes-preserve-unknown-fields: true
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                      x-kubernetes-int-or-string: true
                     type: object
                   requests:
-                    x-kubernetes-preserve-unknown-fields: true
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                      x-kubernetes-int-or-string: true
                     type: object
                 description: CPU and memory resources to reserve.
               jvmOptions:
@@ -181,14 +209,14 @@ spec:
                       type: string
                     type: object
                     description: A map of -XX options to the JVM.
-                  "-Xms":
-                    type: string
-                    pattern: "^[0-9]+[mMgG]?$"
-                    description: -Xms option to to the JVM.
                   "-Xmx":
                     type: string
                     pattern: "^[0-9]+[mMgG]?$"
                     description: -Xmx option to to the JVM.
+                  "-Xms":
+                    type: string
+                    pattern: "^[0-9]+[mMgG]?$"
+                    description: -Xms option to to the JVM.
                   gcLoggingEnabled:
                     type: boolean
                     description: Specifies whether the Garbage Collection logging is enabled. The default is false.
@@ -254,6 +282,13 @@ spec:
                       securityContext:
                         type: object
                         properties:
+                          appArmorProfile:
+                            type: object
+                            properties:
+                              localhostProfile:
+                                type: string
+                              type:
+                                type: string
                           fsGroup:
                             type: integer
                           fsGroupChangePolicy:
@@ -656,31 +691,6 @@ spec:
                             value:
                               type: string
                         description: The pod's tolerations.
-                      priorityClassName:
-                        type: string
-                        description: 'The name of the priority class used to assign priority to the pods. '
-                      schedulerName:
-                        type: string
-                        description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
-                      hostAliases:
-                        type: array
-                        items:
-                          type: object
-                          properties:
-                            hostnames:
-                              type: array
-                              items:
-                                type: string
-                            ip:
-                              type: string
-                        description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
-                      tmpDirSizeLimit:
-                        type: string
-                        pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-                        description: Defines the total amount (for example `1Gi`) of local storage required for temporary EmptyDir volume (`/tmp`). Default value is `5Mi`.
-                      enableServiceLinks:
-                        type: boolean
-                        description: Indicates whether information about services should be injected into Pod's environment variables.
                       topologySpreadConstraints:
                         type: array
                         items:
@@ -723,6 +733,110 @@ spec:
                             whenUnsatisfiable:
                               type: string
                         description: The pod's topology spread constraints.
+                      priorityClassName:
+                        type: string
+                        description: 'The name of the priority class used to assign priority to the pods. '
+                      schedulerName:
+                        type: string
+                        description: "The name of the scheduler used to dispatch this `Pod`. If not specified, the default scheduler will be used."
+                      hostAliases:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            hostnames:
+                              type: array
+                              items:
+                                type: string
+                            ip:
+                              type: string
+                        description: The pod's HostAliases. HostAliases is an optional list of hosts and IPs that will be injected into the Pod's hosts file if specified.
+                      enableServiceLinks:
+                        type: boolean
+                        description: Indicates whether information about services should be injected into Pod's environment variables.
+                      tmpDirSizeLimit:
+                        type: string
+                        pattern: "^([0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+                        description: "Defines the total amount of pod memory allocated for the temporary `EmptyDir` volume `/tmp`. Specify the allocation in memory units, for example, `100Mi` for 100 mebibytes. Default value is `5Mi`. The `/tmp` volume is backed by pod memory, not disk storage, so avoid setting a high value as it consumes pod memory resources."
+                      volumes:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            name:
+                              type: string
+                              description: Name to use for the volume. Required.
+                            secret:
+                              type: object
+                              properties:
+                                defaultMode:
+                                  type: integer
+                                items:
+                                  type: array
+                                  items:
+                                    type: object
+                                    properties:
+                                      key:
+                                        type: string
+                                      mode:
+                                        type: integer
+                                      path:
+                                        type: string
+                                optional:
+                                  type: boolean
+                                secretName:
+                                  type: string
+                              description: Secret to use populate the volume.
+                            configMap:
+                              type: object
+                              properties:
+                                defaultMode:
+                                  type: integer
+                                items:
+                                  type: array
+                                  items:
+                                    type: object
+                                    properties:
+                                      key:
+                                        type: string
+                                      mode:
+                                        type: integer
+                                      path:
+                                        type: string
+                                name:
+                                  type: string
+                                optional:
+                                  type: boolean
+                              description: ConfigMap to use to populate the volume.
+                            emptyDir:
+                              type: object
+                              properties:
+                                medium:
+                                  type: string
+                                sizeLimit:
+                                  type: object
+                                  properties:
+                                    amount:
+                                      type: string
+                                    format:
+                                      type: string
+                              description: EmptyDir to use to populate the volume.
+                            persistentVolumeClaim:
+                              type: object
+                              properties:
+                                claimName:
+                                  type: string
+                                readOnly:
+                                  type: boolean
+                              description: PersistentVolumeClaim object to use to populate the volume.
+                          oneOf:
+                          - properties:
+                              secret: {}
+                              configMap: {}
+                              emptyDir: {}
+                              persistentVolumeClaim: {}
+                            required: []
+                        description: Additional volumes that can be mounted to the pod.
                     description: Template for Kafka `Pods`.
                   perPodService:
                     type: object
@@ -816,6 +930,13 @@ spec:
                         properties:
                           allowPrivilegeEscalation:
                             type: boolean
+                          appArmorProfile:
+                            type: object
+                            properties:
+                              localhostProfile:
+                                type: string
+                              type:
+                                type: string
                           capabilities:
                             type: object
                             properties:
@@ -869,6 +990,26 @@ spec:
                               runAsUserName:
                                 type: string
                         description: Security context for the container.
+                      volumeMounts:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            mountPath:
+                              type: string
+                            mountPropagation:
+                              type: string
+                            name:
+                              type: string
+                            readOnly:
+                              type: boolean
+                            recursiveReadOnly:
+                              type: string
+                            subPath:
+                              type: string
+                            subPathExpr:
+                              type: string
+                        description: Additional volume mounts which should be applied to the container.
                     description: Template for the Kafka broker container.
                   initContainer:
                     type: object
@@ -890,6 +1031,13 @@ spec:
                         properties:
                           allowPrivilegeEscalation:
                             type: boolean
+                          appArmorProfile:
+                            type: object
+                            properties:
+                              localhostProfile:
+                                type: string
+                              type:
+                                type: string
                           capabilities:
                             type: object
                             properties:
@@ -943,6 +1091,26 @@ spec:
                               runAsUserName:
                                 type: string
                         description: Security context for the container.
+                      volumeMounts:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            mountPath:
+                              type: string
+                            mountPropagation:
+                              type: string
+                            name:
+                              type: string
+                            readOnly:
+                              type: boolean
+                            recursiveReadOnly:
+                              type: string
+                            subPath:
+                              type: string
+                            subPathExpr:
+                              type: string
+                        description: Additional volume mounts which should be applied to the container.
                     description: Template for the Kafka init container.
                 description: Template for pool resources. The template allows users to specify how the resources belonging to this pool are generated.
             required:

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/020-ClusterRole-strimzi-cluster-operator-role.yaml

@@ -91,10 +91,9 @@ rules:
   - patch
   - update
 - apiGroups:
-  - ""   # legacy core events api, used by topic operator
   - "events.k8s.io" # new events api, used by cluster operator
   resources:
-    # The cluster operator needs to be able to create events and delegate permissions to do so
+    # The cluster operator needs to be able to create events
   - events
   verbs:
   - create

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/020-RoleBinding-strimzi-cluster-operator.yaml

@@ -13,8 +13,10 @@ metadata:
   name: strimzi-cluster-operator-namespaced
   {{- else }}
   name: strimzi-cluster-operator
-  {{- end }}
+  {{- end }}  
+  {{- if not $root.Values.watchAnyNamespace }}
   namespace: {{ . }}
+  {{- end }}
   labels:
     app: {{ template "strimzi.name" $root }}
     chart: {{ template "strimzi.chart" $root }}

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/023-RoleBinding-strimzi-cluster-operator.yaml

@@ -14,7 +14,9 @@ metadata:
   {{- else }}
   name: strimzi-cluster-operator-watched
   {{- end }}
+  {{- if not $root.Values.watchAnyNamespace }}
   namespace: {{ . }}
+  {{- end }}
   labels:
     app: {{ template "strimzi.name" $root }}
     chart: {{ template "strimzi.chart" $root }}

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/031-ClusterRole-strimzi-entity-operator.yaml

@@ -46,13 +46,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-    # The entity operator needs to be able to create events
-  - create
 - apiGroups:
   - ""
   resources:

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/031-RoleBinding-strimzi-cluster-operator-entity-operator-delegation.yaml

@@ -10,7 +10,9 @@ kind: RoleBinding
 {{- end }}
 metadata:
   name: strimzi-cluster-operator-entity-operator-delegation
+  {{- if not $root.Values.watchAnyNamespace }}
   namespace: {{ . }}
+  {{- end }}
   labels:
     app: {{ template "strimzi.name" $root }}
     chart: {{ template "strimzi.chart" $root }}

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/060-Deployment-strimzi-cluster-operator.yaml

@@ -11,6 +11,9 @@ metadata:
     heritage: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicas }}
+  {{- if .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       name: strimzi-cluster-operator

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/070-ClusterRole-strimzi-admin.yaml

@@ -17,6 +17,8 @@ rules:
       - "kafka.strimzi.io"
     resources:
       - kafkas
+      - kafkanodepools
+      - kafkanodepools/scale
       - kafkaconnects
       - kafkaconnects/scale
       - kafkamirrormakers

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/080-ClusterRole-strimzi-view.yaml

@@ -16,6 +16,7 @@ rules:
       - "kafka.strimzi.io"
     resources:
       - kafkas
+      - kafkanodepools
       - kafkaconnects
       - kafkamirrormakers
       - kafkausers

packages/system/kafka-operator/charts/strimzi-kafka-operator/templates/_helpers.tpl

@@ -40,7 +40,7 @@ Creates the image name from the registry, repository, image, tag, and digest
 To use, add the following key/value pairs to the scope:
 - "key" [optional]: the key to lookup under .Values for the image map
 - "tagSuffix" [optional]: the suffix to add to tagPrefix or the default tag
-- Example: `template "strimzi.image" (merge . (dict "key" "tlsSidecarEntityOperator" "tagSuffix" "-kafka-3.1.0"))`
+- Example: `template "strimzi.image" (merge . (dict "key" "cruiseControl" "tagSuffix" "-kafka-3.1.0"))`
 */}}
 {{- define "strimzi.image" -}}
 {{- $vals := ternary .Values.image (index .Values .key).image (empty .key) -}}