Secret key holding the htpasswd-style file. Default users.

| Field | Type | Required | Description |
|---|---|---|---|
| authentication.basic.usersSecretName | string | yes | Secret with a single key holding newline-separated `user:cred` entries (cred = plaintext or `$2…` bcrypt). The key is mounted as a file and passed via `--basic-auth-file`. |
| authentication.bearer | object | no | |
| authentication.bearer.jwksEndpointUri | string | no | JWKS endpoint URI (required when `mode = Jwks`). |
| authentication.bearer.jwksExpectedAudience | string | no | Expected `aud` claim value. |
| authentication.bearer.jwksPrincipalClaim | string | no | JWT claim to use as the principal when `mode` is `Jwks`. Overrides `principalClaim` for JWKS paths. |
| authentication.bearer.jwksRefreshMs | integer | no | JWKS key-set refresh interval in milliseconds. Default 60 000. |
| authentication.bearer.jwksTlsSecretName | string | no | Secret whose `ca.crt` key is mounted and passed as `--bearer-jwks-ca`. |
| authentication.bearer.jwksValidIssuer | string | no | Expected `iss` claim value. |
| authentication.bearer.mode | string | yes | |
| authentication.bearer.principalClaim | string | no | JWT claim used as the principal name. Default `sub`. |
| authentication.realm | string | no | Realm sent in `WWW-Authenticate: basic realm="<realm>"`. |
| authentication.requireAuth | boolean | no | Reject anonymous requests with 401. Default `false`. |
| authorization | object | no | REST authorization (Kafka-ACL based). |
| authorization.aclRefreshSeconds | integer | no | ACL-cache refresh interval (seconds). Default 30. |
| authorization.enabled | boolean | no | Default `false`. |
| authorization.superUsers | array | no | |
| bootstrapServers | string | no | Override bootstrap for an external/unmanaged Kafka. When unset, bootstrap is derived from the internal listener of the Kafka labelled `crabka.io/cluster`. (Secured external brokers are a future enhancement; the managed/label path is the secured one.) |
| groupId | string | no | Election group id. Default `schema-registry`. |
| image | string | no | Container image. Defaults to the operator's `--default-schema-registry-image`. |
| kafkaClient | object | no | SR → broker client security (SASL / TLS). Maps to `--kafka-*` flags. |
| kafkaClient.sasl | object | no | SASL credentials for the SR → broker connection. |
| kafkaClient.sasl.mechanism | string | yes | e.g. `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`. |
| kafkaClient.sasl.secretRef | string | yes | Name of the Secret holding `username` and `password` keys. |
| kafkaClient.securityProtocol | string | no | e.g. `PLAINTEXT`, `SASL_PLAINTEXT`, `SSL`, `SASL_SSL`. |
| kafkaClient.tls | object | no | TLS settings for the SR → broker connection. |
| kafkaClient.tls.caSecretName | string | no | Secret with a `ca.crt` key used as the broker CA. |
| kafkaClient.tls.serverNameOverride | string | no | Override the server name used for TLS SNI / hostname verification. |
| replicas | integer | yes | Stateless replicas; all join the election group. Default 1. |
| resources | object | no | Pod resource requirements. |
| resources.claims | array | no | Claims lists the names of resources, defined in `spec.resourceClaims`, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. |
| resources.limits | object | no | Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| resources.requests | object | no | Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| schemasTopic | string | no | Backing compacted topic. Default `_schemas`. |
| schemasTopicReplicationFactor | integer | no | Replication factor for `_schemas` when auto-created. Default 3. |
| tls | object | no | Server TLS (HTTPS REST). None = plain HTTP. |
| tls.clientAuth | string | no | Client-cert mode. Default `Disabled`. |
| tls.clientCaSecretName | string | no | Secret with `ca.crt` to verify client certs (required when `clientAuth != Disabled`). |
| tls.issuerRef | object | no | cert-manager issuer reference. Mutually exclusive with `secretName`. |
| tls.issuerRef.group | string | no | API group. Default `cert-manager.io`. |
| tls.issuerRef.kind | string | no | Defaults to `Issuer`; set `ClusterIssuer` for cluster-scoped issuers. |
| tls.issuerRef.name | string | yes | |
| tls.secretName | string | no | Secret (type `kubernetes.io/tls`) with `tls.crt` + `tls.key`. Mutually exclusive with `issuerRef`. |
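As an added example (not the operator's own code), a small Python checker for the cross-field rules the table states: required fields, `Jwks` mode needing `jwksEndpointUri`, `issuerRef`/`secretName` exclusivity, and any `clientAuth` other than `Disabled` needing `clientCaSecretName`. It takes the CR's `.spec` as a plain dict; the sample values (`sr-issuer`, `sr-tls`, `clientAuth: Required`) are constructed placeholders, not values from the page.

```python
from typing import Any

def _get(spec: dict, path: str) -> Any:
    """Walk a dotted path such as 'tls.issuerRef.name'; return None if absent."""
    cur: Any = spec
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def validate_spec(spec: dict) -> list[str]:
    """Return the list of violated rules (empty when the spec passes these checks)."""
    errs: list[str] = []
    if _get(spec, "replicas") is None:
        errs.append("replicas is required")
    # authentication.basic: usersSecretName is required once basic is set
    basic = _get(spec, "authentication.basic")
    if basic is not None and not basic.get("usersSecretName"):
        errs.append("authentication.basic.usersSecretName is required")
    # authentication.bearer: mode is required; Jwks mode needs an endpoint URI
    bearer = _get(spec, "authentication.bearer")
    if bearer is not None:
        if not bearer.get("mode"):
            errs.append("authentication.bearer.mode is required")
        elif bearer["mode"] == "Jwks" and not bearer.get("jwksEndpointUri"):
            errs.append("authentication.bearer.jwksEndpointUri is required when mode = Jwks")
    # kafkaClient.sasl: mechanism and secretRef are both required
    sasl = _get(spec, "kafkaClient.sasl")
    if sasl is not None:
        for key in ("mechanism", "secretRef"):
            if not sasl.get(key):
                errs.append(f"kafkaClient.sasl.{key} is required")
    # tls: issuerRef/secretName are mutually exclusive; client-cert mode needs a CA
    tls = _get(spec, "tls")
    if tls is not None:
        if "issuerRef" in tls and "secretName" in tls:
            errs.append("tls.issuerRef and tls.secretName are mutually exclusive")
        if "issuerRef" in tls and not _get(tls, "issuerRef.name"):
            errs.append("tls.issuerRef.name is required")
        if tls.get("clientAuth", "Disabled") != "Disabled" and not tls.get("clientCaSecretName"):
            errs.append("tls.clientCaSecretName is required when clientAuth != Disabled")
    return errs

# Constructed sample spec that breaks several of the rules at once (placeholder values).
BAD_SPEC = {
    "authentication": {"bearer": {"mode": "Jwks"}},
    "kafkaClient": {"securityProtocol": "SASL_SSL", "sasl": {"mechanism": "SCRAM-SHA-512"}},
    "tls": {"clientAuth": "Required", "issuerRef": {"name": "sr-issuer"}, "secretName": "sr-tls"},
}
```

Running `validate_spec(BAD_SPEC)` reports five violations; a spec that sets `replicas` and keeps `tls` to a single source returns an empty list.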