Add Kubernetes secure bootstrap documentation

[JakeSCahill]

Summary

Adds documentation for the auth.sasl.bootstrapUser configuration that enables "secure by default" Kubernetes cluster deployments with authentication enforced from the first startup.

Changes

• k-production-deployment.adoc: Added "Secure bootstrap" section with quick example configuration
• authentication.adoc partial: Added comprehensive "Bootstrap superuser at cluster formation" section including:
  • When to use bootstrap user
  • Step-by-step configuration instructions for both Operator and Helm
  • Verification steps
  • Usage examples for creating users and ACLs
  • Security best practices
  • Note about secretRef requirement when using empty users list

Testing

Tested on kind clusters with:

• ✅ Default bootstrap user (kubernetes-controller) with SCRAM-SHA-256
• ✅ Custom bootstrap user (admin-bootstrap) with SCRAM-SHA-512
• ✅ Bootstrap user creation and authentication
• ✅ Creating additional users and ACLs with bootstrap credentials
• ✅ New users able to access cluster resources

Related

Closes: https://redpandadata.atlassian.net/browse/DOC-242

This addresses the content gap where bare metal docs covered bootstrap configuration but Kubernetes docs did not, despite the operator/Helm charts supporting the feature.

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	6b7c0a5
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6a2063bf1030850008fab88e
😎 Deploy Preview	https://deploy-preview-1668--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b01a3071-ca46-4b20-85e4-75839eb2e0ce

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request adds documentation for the bootstrap superuser feature in Redpanda's Kubernetes deployments with authentication enabled. Two documentation files are updated: one adds a "Secure bootstrap" subsection with a YAML configuration example showing the auth.sasl.bootstrapUser structure under Kubernetes production deployment settings, and another provides a comprehensive guide documenting bootstrap superuser cluster formation, including Kubernetes Secret creation procedures, Helm configuration steps, user verification, and guidance for post-deployment user and ACL management. The documentation explains that the bootstrap user is created only on first cluster startup and is automatically added to the superusers list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• redpanda-data/docs#1319 — Documents SASL mechanism support for bootstrap users, complementing the Kubernetes/Helm configuration documentation in this PR.

Suggested reviewers

• chrisseto
• sago2k8
• andrewstucki

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description covers the main objectives, files changed, and testing performed, but lacks the required template sections (JIRA ticket, page previews, and checkbox items).	Add the JIRA ticket link, page preview links for modified files, and check the appropriate checkboxes (Content gap) to match the repository template.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title accurately summarizes the main change—adding Kubernetes secure bootstrap documentation—and is clear, specific, and concise.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch doc-242-k8s-secure-bootstrap

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Feediver1]

@david-yu @andrewstucki This PR cannot be merged without an SME approval.

[Feediver1]

Docs standards review

Files reviewed: 2 .adoc files (1 page + 1 partial)
Net diff: 217+/0- across 2 files.

What this PR does

Adds Kubernetes documentation for the auth.sasl.bootstrapUser configuration that creates a superuser at cluster formation. Closes DOC-242 — the content gap where bare-metal docs covered bootstrap config but Kubernetes docs didn't. Touches:

• modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc (26+/0-): adds a short "Bootstrap user with custom credentials" section under the existing SASL configuration with a quick-example YAML and a link to the deeper partial section.
• modules/manage/partials/authentication.adoc (191+/0-): adds a comprehensive [[bootstrap]] === Bootstrap superuser at cluster formation section inside the existing ifdef::env-kubernetes[] block, covering when-to-use, configure-via-Operator-or-Helm, verify, use, and security best practices.

The partial is single-sourced from modules/manage/pages/security/authentication.adoc (bare metal) and modules/manage/pages/kubernetes/security/authentication/k-authentication.adoc (Kubernetes). The new section is properly gated to env-kubernetes only, so the bare-metal rendering won't see it.

Jira ticket alignment

Ticket: DOC-242 — content gap on Kubernetes bootstrap user docs.
Status: Addressed. Covers Operator AND Helm chart paths, includes the secretRef / users: [] gotcha discovered during testing, and tests claimed against kind clusters with both SCRAM-SHA-256 and SCRAM-SHA-512.

Critical issues

None.

Suggestions

1. name: "kubernetes-controller" # Optional, defaults to "kubernetes-controller" is potentially confusing. Showing the example value equal to the default value doesn't illustrate the customization path. Either:

   • (a) Show a real custom name (e.g., name: "admin-bootstrap") so readers see what customization looks like, or
   • (b) Omit the name: field in the example and note "When omitted, defaults to kubernetes-controller."

   The current example reads like "set this field to its default value" which most readers will translate to "this field is required and has no useful customization." That undersells the feature.

2. Inconsistent code-block syntax between the two changed files:

   • k-production-deployment.adoc uses [source,yaml]
   • The partial uses [,yaml,lines=10-16] (shorthand + line-highlighting)

   Pick one style for the PR's new content.

3. secretRef vs secretKeyRef distinction. Both appear in the same YAML block:

   secretRef: redpanda-superusers
   ...
   bootstrapUser:
     secretKeyRef:
       name: "bootstrap-user-secret"

   These are different mechanisms but visually similar names. A one-line note inline (or in a NOTE block) clarifying that secretRef is the SASL-users secret while secretKeyRef is the bootstrap user's password reference would save readers from confusion.

4. redpanda-superusers secret name — is this a Helm-chart convention (the chart looks for a secret by that specific name) or just a placeholder? If conventional, worth saying "The secret name redpanda-superusers is the default name expected by the Helm chart"; if arbitrary, worth using a placeholder like <superusers-secret-name> to avoid implying it's required.

5. Security best practices NOTE block uses bullets with hyphens (- Use strong...). That's valid AsciiDoc but uncommon in this repo's NOTE blocks — most use * for unordered lists. Cosmetic; one-character change for consistency.

6. The "Combine with bootstrap configuration" section cross-links to xref:deploy:redpanda/manual/production/production-deployment.adoc#configure-a-bootstrap-file. Verified the target heading exists on the bare-metal page. The xref will work — but the linked content is bare-metal-specific (.bootstrap.yaml file approach), so readers click expecting K8s guidance and land on a manual page. Either:

   • (a) Add a note in the K8s section about how the .bootstrap.yaml concept maps to K8s (Operator config? ConfigMap?), or
   • (b) Reframe the link as "For the bare-metal equivalent of this configuration, see…" so readers know what they're clicking into.

Impact on other files

• Partial is consumed by two pages: bare-metal authentication.adoc and K8s k-authentication.adoc. The env-gating ensures the new section only shows in K8s rendering. ✓ Verified.
• k-production-deployment.adoc consumers: referenced from k-production-workflow.adoc, k-production-readiness.adoc, k-tune-workers.adoc, etc. No cross-references TO the new section need updating.
• Bare-metal production-deployment.adoc has the related Configure a bootstrap file and Bootstrap a user account sections that this PR's K8s equivalent parallels. Worth confirming with @david-yu / @andrewstucki that the K8s flow matches the bare-metal flow semantically.
• No What's New entry — this is filling a content gap, not announcing a new feature. Probably fine.

CodeRabbit findings

None — CodeRabbit didn't post on this PR.

What works well

• Pothole coverage: the NOTE about secretRef requirement when using empty users: [] is exactly the kind of testing-discovered gotcha that saves customers from a confusing failure mode. Including it inline rather than as a separate "Troubleshooting" page is the right structural choice.
• Operator AND Helm coverage via the nested tabs structure — neither audience is treated as second-class.
• --values and --set Helm variants both shown — readers can copy/paste from the form they prefer.
• Verification step is concrete (rpk security user list with the bootstrap creds, expected output shown). Lets readers confirm success.
• Security best practices NOTE at the end caps the section with sensible guardrails.
• Cross-link from k-production-deployment.adoc to the deeper partial section is well-placed, so the production-deployment page stays scannable while the depth lives in the auth partial.
• [[bootstrap]] anchor is correctly placed inside the env-kubernetes block, so the bare-metal rendering of the same partial won't expose a confusing K8s-only anchor.

Process note

This PR has been sitting for ~7 weeks without SME review. The technical content here is meaningful (it documents a "secure by default" capability relevant to every K8s production deployment) — letting it languish has a real customer cost.