From dd09a76c31f1d9bb7430a2a8c05878344ab5c7f1 Mon Sep 17 00:00:00 2001 From: Jakub Scholz Date: Tue, 25 Nov 2025 21:16:50 +0100 Subject: [PATCH 1/2] [DOC] Update the lists of resources belonging to different operands Signed-off-by: Jakub Scholz --- ...onfig-list-of-kafka-connect-resources.adoc | 17 ++++++---- .../ref-list-of-http-bridge-resources.adoc | 8 ++--- .../ref-list-of-kafka-cluster-resources.adoc | 32 +++++++++---------- .../ref-list-of-mirrormaker2-resources.adoc | 13 +++++--- 4 files changed, 37 insertions(+), 33 deletions(-) diff --git a/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc b/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc index c8c6feab125..771981bee7d 100644 --- a/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc +++ b/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc 
@@ -10,16 +10,19 @@ [role="_abstract"] The following resources are created by the Cluster Operator in the Kubernetes cluster: --connect:: Name given to the following Kafka Connect resources: +`-connect`:: Name given to the following Kafka Connect resources: + - StrimziPodSet that creates the Kafka Connect worker node pods. - Headless service that provides stable DNS names to the Kafka Connect pods. - Service account used by the Kafka Connect pods. - Pod disruption budget configured for the Kafka Connect worker nodes. - Network policy managing access to the Kafka Connect REST API. --connect-:: Pods created by the Kafka Connect StrimziPodSet. --connect-api:: Service which exposes the REST interface for managing the Kafka Connect cluster. --connect-config:: ConfigMap which contains the Kafka Connect ancillary configuration and is mounted as a volume by the Kafka Connect pods. -strimzi---connect-init:: Cluster role binding used by the Kafka Connect cluster. --connect-build:: Pod used to build a new container image with additional connector plugins (only when Kafka Connect Build feature is used). --connect-dockerfile:: ConfigMap with the Dockerfile generated to build the new container image with additional connector plugins (only when the Kafka Connect build feature is used). +- Role granting the Kafka Connect worker nodes access to read their certificates and credentials. + +`-connect-`:: Pods created by the Kafka Connect StrimziPodSet. +`-connect-api`:: Service which exposes the REST interface for managing the Kafka Connect cluster. +`-connect-config`:: ConfigMap which contains the Kafka Connect ancillary configuration and is mounted as a volume by the Kafka Connect pods. +`-connect-role`:: Role binding granting the Kafka Connect worker nodes access to read their certificates and credentials. +`strimzi---connect-init`:: Cluster role binding used by the Kafka Connect cluster. 
+`-connect-build`:: Pod used to build a new container image with additional connector plugins (only when Kafka Connect Build feature is used). +`-connect-dockerfile`:: ConfigMap with the Dockerfile generated to build the new container image with additional connector plugins (only when the Kafka Connect build feature is used). diff --git a/documentation/modules/configuring/ref-list-of-http-bridge-resources.adoc b/documentation/modules/configuring/ref-list-of-http-bridge-resources.adoc index e433bf4014a..1730f5fe153 100644 --- a/documentation/modules/configuring/ref-list-of-http-bridge-resources.adoc +++ b/documentation/modules/configuring/ref-list-of-http-bridge-resources.adoc @@ -10,7 +10,7 @@ [role="_abstract"] The following resources are created by the Cluster Operator in the Kubernetes cluster: --bridge:: Deployment which is in charge to create the HTTP Bridge worker node pods. --bridge-service:: Service which exposes the HTTP Bridge REST interface. --bridge-config:: ConfigMap which contains the HTTP Bridge ancillary configuration and is mounted as a volume by the Kafka broker pods. --bridge:: Pod Disruption Budget configured for the HTTP Bridge worker nodes. +`-bridge`:: Deployment which is in charge to create the HTTP Bridge worker node pods. +`-bridge-service`:: Service which exposes the HTTP Bridge REST interface. +`-bridge-config`:: ConfigMap which contains the HTTP Bridge ancillary configuration and is mounted as a volume by the Kafka broker pods. +`-bridge`:: Pod Disruption Budget configured for the HTTP Bridge worker nodes. diff --git a/documentation/modules/configuring/ref-list-of-kafka-cluster-resources.adoc b/documentation/modules/configuring/ref-list-of-kafka-cluster-resources.adoc index c86922be472..8b2fa98e111 100644 --- a/documentation/modules/configuring/ref-list-of-kafka-cluster-resources.adoc +++ b/documentation/modules/configuring/ref-list-of-kafka-cluster-resources.adoc 
@@ -18,39 +18,29 @@ The following resources are created by the Cluster Operator in the Kubernetes cl `-clients-ca-cert`:: Secret with the Clients CA public key. This key can be used to verify the identity of the Kafka users. `-cluster-operator-certs`:: Secret with Cluster operators keys for communication with Kafka. -.Kafka brokers +.Kafka brokers and controllers `-kafka`:: Name given to the following Kafka resources: + -- StrimziPodSet for managing the Kafka pods. - Service account used by the Kafka pods. - PodDisruptionBudget that applies to all Kafka cluster node pool pods. - -`-kafka-`:: Name given to the following Kafka resources: -+ -- Pods created by the StrimziPodSet. -- ConfigMaps with Kafka broker configuration. +- Role granting the Kafka brokers and controllers access to read their certificates and credentials. `-kafka-brokers`:: Service needed to have DNS resolve the Kafka broker pods IP addresses directly. `-kafka-bootstrap`:: Service can be used as bootstrap servers for Kafka clients connecting from within the Kubernetes cluster. `-kafka-external-bootstrap`:: Bootstrap service for clients connecting from outside the Kubernetes cluster. This resource is created only when an external listener is enabled. The old service name will be used for backwards compatibility when the listener name is `external` and port is `9094`. -`-kafka-`:: Service used to route traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled. The old service name will be used for backwards compatibility when the listener name is `external` and port is `9094`. `-kafka-external-bootstrap`:: Bootstrap route for clients connecting from outside the Kubernetes cluster. This resource is created only when an external listener is enabled and set to type `route`. The old route name will be used for backwards compatibility when the listener name is `external` and port is `9094`. 
-`-kafka-`:: Route for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `route`. The old route name will be used for backwards compatibility when the listener name is `external` and port is `9094`. `-kafka--bootstrap`:: Bootstrap service for clients connecting from outside the Kubernetes cluster. This resource is created only when an external listener is enabled. The new service name will be used for all other external listeners. -`-kafka--`:: Service used to route traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled. The new service name will be used for all other external listeners. `-kafka--bootstrap`:: Bootstrap route for clients connecting from outside the Kubernetes cluster. This resource is created only when an external listener is enabled and set to type `route`. The new route name will be used for all other external listeners. -`-kafka--`:: Route for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `route`. The new route name will be used for all other external listeners. -`--_`:: Secret with Kafka node public and private keys. +`-kafka--bootstrap`:: Bootstrap ingress for clients connecting from outside the Kubernetes cluster. This resource is created only when an external listener is enabled and set to type `ingress`. The new route name will be used for all other external listeners. `-network-policy-kafka`:: Network policy managing access to the Kafka services. +`-kafka-role`:: Role binding granting the Kafka brokers and controllers access to read their certificates and credentials. `strimzi-_namespace-name_--kafka-init`:: Cluster role binding used by the Kafka brokers. `-jmx`:: Secret with JMX username and password used to secure the Kafka broker port. 
This resource is created only when JMX is enabled in Kafka. -`data--kafka-`:: Persistent Volume Claim for the volume used for storing data for a specific Kafka broker. This resource is created only if persistent storage is selected for provisioning persistent volumes to store data. -`data---kafka-`:: Persistent Volume Claim for the volume `id` used for storing data for a specific Kafka broker. This resource is created only if persistent storage is selected for JBOD volumes when provisioning persistent volumes to store data. .Kafka node pools -If you are using Kafka node pools, the resources created apply to the nodes managed in the node pools whether they are operating as brokers, controllers, or both. +The resources that are created per node pool. The naming convention includes the name of the Kafka cluster and the node pool: `-`. `-`:: Name given to the StrimziPodSet for managing the Kafka node pool. 
@@ -58,8 +48,15 @@ The naming convention includes the name of the Kafka cluster and the node pool: `--`:: Name given to the following Kafka node pool resources: + - Pods created by the StrimziPodSet. +- Secret with Kafka node public and private keys. - ConfigMaps with Kafka node configuration. +- Service used to route traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled. The old service name will be used for backwards compatibility when the listener name is `external` and port is `9094`. +- Route for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `route`. The old route name will be used for backwards compatibility when the listener name is `external` and port is `9094`. +- Ingress for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `ingress`. The old ingress name will be used for backwards compatibility when the listener name is `external` and port is `9094`. +`---`:: Service used to route traffic from outside the Kubernetes cluster to individual pods, or when using the type `cluster-ip` listener. This resource is created only when an external listener is enabled. The new service name will be used for all other external listeners. +`---`:: Route for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `route`. The new route name will be used for all other external listeners. +`---`:: Ingress for traffic from outside the Kubernetes cluster to individual pods. This resource is created only when an external listener is enabled and set to type `ingress`. The new ingress name will be used for all other external listeners. 
`data---`:: Persistent Volume Claim for the volume used for storing data for a specific node. This resource is created only if persistent storage is selected for provisioning persistent volumes to store data. `data----`:: Persistent Volume Claim for the volume `id` used for storing data for a specific node. This resource is created only if persistent storage is selected for JBOD volumes when provisioning persistent volumes to store data. @@ -72,14 +69,15 @@ These resources are only created if the Entity Operator is deployed using the Cl - Deployment with Topic and User Operators. - Service account used by the Entity Operator. - Network policy managing access to the Entity Operator metrics. +- Role granting the Entity Operator the rights to manage topics and users. `-entity-operator-`:: Pod created by the Entity Operator deployment. `-entity-topic-operator-config`:: ConfigMap with ancillary configuration for Topic Operators. `-entity-user-operator-config`:: ConfigMap with ancillary configuration for User Operators. `-entity-topic-operator-certs`:: Secret with Topic Operator keys for communication with Kafka. `-entity-user-operator-certs`:: Secret with User Operator keys for communication with Kafka. -`strimzi--entity-topic-operator`:: Role binding used by the Entity Topic Operator. -`strimzi--entity-user-operator`:: Role binding used by the Entity User Operator. +`-entity-topic-operator`:: Role binding used by the Entity Topic Operator. +`-entity-user-operator`:: Role binding used by the Entity User Operator. .Kafka Exporter diff --git a/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc b/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc index d9bd07ea251..785139f9d0c 100644 --- a/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc +++ b/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc 
@@ -10,14 +10,17 @@ [role="_abstract"] The following resources are created by the Cluster Operator in the Kubernetes cluster: --mirrormaker2:: Name given to the following MirrorMaker 2 resources: +`-mirrormaker2`:: Name given to the following MirrorMaker 2 resources: + - StrimziPodSet that creates the MirrorMaker 2 worker node pods. - Headless service that provides stable DNS names to the MirrorMaker 2 pods. - Service account used by the MirrorMaker 2 pods. - Pod disruption budget configured for the MirrorMaker 2 worker nodes. - Network Policy managing access to the MirrorMaker 2 REST API. --mirrormaker2-:: Pods created by the MirrorMaker 2 StrimziPodSet. --mirrormaker2-api:: Service which exposes the REST interface for managing the MirrorMaker 2 cluster. --mirrormaker2-config:: ConfigMap which contains the MirrorMaker 2 ancillary configuration and is mounted as a volume by the MirrorMaker 2 pods. -strimzi---mirrormaker2-init:: Cluster role binding used by the MirrorMaker 2 cluster. +- Role granting the MirrorMaker 2 worker nodes access to read their certificates and credentials. + +`-mirrormaker2-`:: Pods created by the MirrorMaker 2 StrimziPodSet. +`-mirrormaker2-api`:: Service which exposes the REST interface for managing the MirrorMaker 2 cluster. +`-mirrormaker2-config`:: ConfigMap which contains the MirrorMaker 2 ancillary configuration and is mounted as a volume by the MirrorMaker 2 pods. +`-mirrormaker2-role`:: Role binding granting the MirrorMaker 2 worker nodes access to read their certificates and credentials. +`strimzi---mirrormaker2-init`:: Cluster role binding used by the MirrorMaker 2 cluster. From a86fd3a1c758499221d877e74d9eac0e67714ed1 Mon Sep 17 00:00:00 2001 From: Jakub Scholz Date: Wed, 26 Nov 2025 14:49:24 +0100 Subject: [PATCH 2/2] Add certificate secret 
Signed-off-by: Jakub Scholz --- .../configuring/ref-config-list-of-kafka-connect-resources.adoc | 1 + .../modules/configuring/ref-list-of-mirrormaker2-resources.adoc | 1 + 2 files changed, 2 insertions(+) diff --git a/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc b/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc index 771981bee7d..3e78addec7f 100644 --- a/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc +++ b/documentation/modules/configuring/ref-config-list-of-kafka-connect-resources.adoc @@ -20,6 +20,7 @@ The following resources are created by the Cluster Operator in the Kubernetes cl - Role granting the Kafka Connect worker nodes access to read their certificates and credentials. `-connect-`:: Pods created by the Kafka Connect StrimziPodSet. +`-connect-tls-trusted-certs`:: Secret with TLS certificates. `-connect-api`:: Service which exposes the REST interface for managing the Kafka Connect cluster. `-connect-config`:: ConfigMap which contains the Kafka Connect ancillary configuration and is mounted as a volume by the Kafka Connect pods. `-connect-role`:: Role binding granting the Kafka Connect worker nodes access to read their certificates and credentials. diff --git a/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc b/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc index 785139f9d0c..cf9bc987107 100644 --- a/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc +++ b/documentation/modules/configuring/ref-list-of-mirrormaker2-resources.adoc 
@@ -20,6 +20,7 @@ The following resources are created by the Cluster Operator in the Kubernetes cl - Role granting the MirrorMaker 2 worker nodes access to read their certificates and credentials. `-mirrormaker2-`:: Pods created by the MirrorMaker 2 StrimziPodSet. +`-mirrormaker2-tls-trusted-certs`:: Secret with TLS certificates. `-mirrormaker2-api`:: Service which exposes the REST interface for managing the MirrorMaker 2 cluster. `-mirrormaker2-config`:: ConfigMap which contains the MirrorMaker 2 ancillary configuration and is mounted as a volume by the MirrorMaker 2 pods. `-mirrormaker2-role`:: Role binding granting the MirrorMaker 2 worker nodes access to read their certificates and credentials.
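Review bot: In PATCH 1/2, ref-config-list-of-kafka-connect-resources.adoc, the new `-connect-role` entry is described as a role binding, but it does not say that it binds the Role added to the `-connect` bullet list, and neither entry says which Secrets "their certificates and credentials" covers. This pair defines what the Connect worker pods are allowed to read, so name the bound Role in the role binding entry and name the Secrets the Role is scoped to. Minor: the two build entries differ in wording ("Kafka Connect Build feature" and "the Kafka Connect build feature"); both lines are being rewritten, so align them.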
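Review bot: In PATCH 1/2, ref-list-of-http-bridge-resources.adoc, the rewritten `-bridge-config` line still says the ConfigMap is mounted "by the Kafka broker pods", which reads like a copy-paste leftover in a file about the HTTP Bridge; please confirm and change it to the HTTP Bridge pods while the line is being touched. The term `-bridge` is also defined twice (Deployment and Pod Disruption Budget). The Connect and MirrorMaker 2 files group same-named resources under one term with a bullet list, and doing the same here avoids a duplicate definition-list term. "which is in charge to create" could simply be "that creates".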
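Review bot: In PATCH 1/2, first hunk of ref-list-of-kafka-cluster-resources.adoc, the added bootstrap ingress entry ends with "The new route name will be used for all other external listeners"; that should say "ingress name". There is also no ingress counterpart next to the old-name `-kafka-external-bootstrap` service and route entries, although the node pool hunk does add an old-name Ingress bullet; add it or note why it does not apply. The heading now reads "Kafka brokers and controllers", but the `-kafka-init` cluster role binding is still "used by the Kafka brokers", and "The resources that are created per node pool." is a sentence fragment.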
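Review bot: In PATCH 1/2, the node pool hunk of ref-list-of-kafka-cluster-resources.adoc, the new per-node Service entry adds "or when using the type `cluster-ip` listener", but the next sentence still says the resource is created only when an external listener is enabled, and the old-name Service bullet above does not mention `cluster-ip` at all. State the creation condition once so the two sentences agree, and say whether the `cluster-ip` case can apply to the old name. The old-name Service, Route and Ingress bullets now sit in the same list as Pods, Secret and ConfigMaps, which are unconditional; leading those three bullets with the condition would make that distinction visible.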
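Review bot: In PATCH 1/2, the Entity Operator hunk, the two role binding terms lose their `strimzi-` prefix, but neither the hunk nor the commit message says whether this corrects the documentation or follows a rename of the objects; anyone auditing RBAC in a namespace against this list needs to know which. The new Role bullet is listed under `-entity-operator`, while the role bindings are still described only as "used by" each operator. Say which Role they bind, in the style of the Connect and MirrorMaker 2 entries ("Role binding granting ...").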
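Review bot: In PATCH 1/2, ref-list-of-mirrormaker2-resources.adoc, "Network Policy managing access" is capitalised differently from "Network policy managing access" in the Connect file, and across the four files the same kind appears as "Pod disruption budget", "Pod Disruption Budget" and "PodDisruptionBudget". Since the patch already normalises the term formatting with backticks, pick one spelling per resource kind and apply it in all four files.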
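Review bot: In PATCH 2/2, "Secret with TLS certificates." on the new `-connect-tls-trusted-certs` line (and the same wording on `-mirrormaker2-tls-trusted-certs`) does not say whose certificates these are, whether private keys are stored alongside them, or when the Secret is created. The name suggests trusted certificates only; state that explicitly, and if this is the Secret that the Role from PATCH 1/2 lets the worker pods read, say so in both entries. The Kafka cluster file shows the level of detail to aim for: "Secret with the Clients CA public key. This key can be used to verify the identity of the Kafka users."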