KafkaBackupValidation CRD
The KafkaBackupValidation custom resource validates backups and can produce evidence reports for compliance workflows.
Example
```yaml
apiVersion: kafka.oso.sh/v1alpha1
kind: KafkaBackupValidation
metadata:
  name: daily-backup-validation
  namespace: kafka-backup
spec:
  backupRef:
    name: production-backup
    backupId: "production-backup-20260413-120000"
  kafkaCluster:
    bootstrapServers:
      - kafka:9092
    connection:
      connectionsPerBroker: 4
  checks:
    messageCount:
      enabled: true
      failThreshold: 0
      topics:
        - orders
    offsetRange:
      enabled: true
    consumerGroupOffsets:
      enabled: true
      consumerGroups:
        - order-processor
  evidence:
    formats:
      - json
      - pdf
    retentionDays: 90
    signing:
      enabled: true
      keySecret:
        name: evidence-signing-key
        privateKeyKey: signing-key.pem
        publicKeyKey: signing-key-pub.pem
  schedule: "0 0 2 * * * *"
  suspend: false
```
Spec Fields
backupRef
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | KafkaBackup resource to validate; use "" when using direct storage |
| namespace | string | No | Backup namespace; defaults to the validation namespace |
| backupId | string | No | Specific backup ID to validate |
| storage | object | No | Direct storage reference for external backups |
checks
| Field | Type | Description |
|---|---|---|
| messageCount | object | Compare record counts against the backup manifest |
| offsetRange | object | Verify backup offset ranges |
| consumerGroupOffsets | object | Verify consumer group positions are backed up |
| customWebhooks | array | POST validation payloads to external endpoints |
kafkaCluster is required when consumerGroupOffsets is enabled. The shared kafkaCluster.connection tuning fields are supported here, along with tlsSecret, caSecret, and saslSecret for secure clusters.
evidence
| Field | Type | Default | Description |
|---|---|---|---|
| formats | []string | ["json"] | Evidence output formats |
| signing | object | unset | ECDSA-P256-SHA256 signing configuration |
| storage | object | unset | Evidence storage location |
| retentionDays | int | 90 | Evidence retention period |
schedule
schedule uses the same cron parser as KafkaBackup and includes seconds. For example, 0 0 2 * * * * runs daily at 02:00 UTC.
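A pre-apply check for the rules stated in the field reference above (`backupRef.name` with direct storage, `kafkaCluster` with `consumerGroupOffsets`, the seconds field in `schedule`), written as an added example that is not part of the operator or its documentation. The function name `lint_validation` and the finding texts are hypothetical, and the manifest is assumed to be already parsed into a dict.

```python
# Added example (not operator code): lint a KafkaBackupValidation manifest
# against the rules stated in this reference before applying it.

def lint_validation(manifest: dict) -> list:
    """Return a list of findings for a parsed KafkaBackupValidation manifest."""
    spec = manifest.get("spec", {})
    findings = []

    # backupRef.name is required; "" is only meaningful with direct storage.
    ref = spec.get("backupRef", {})
    if "name" not in ref:
        findings.append("backupRef.name is required")
    elif ref["name"] == "" and not ref.get("storage"):
        findings.append('backupRef.name is "" but backupRef.storage is not set')

    # kafkaCluster is required when consumerGroupOffsets is enabled.
    checks = spec.get("checks", {})
    cluster = spec.get("kafkaCluster")
    if checks.get("consumerGroupOffsets", {}).get("enabled") and not cluster:
        findings.append("consumerGroupOffsets is enabled but kafkaCluster is missing")
    # Surface clusters configured without any of the secure-cluster secrets.
    if cluster and not (cluster.get("tlsSecret") or cluster.get("saslSecret")):
        findings.append("kafkaCluster sets neither tlsSecret nor saslSecret")

    # Compliance workflows usually expect signed evidence; flag when it is off.
    if not spec.get("evidence", {}).get("signing", {}).get("enabled"):
        findings.append("evidence.signing is not enabled")

    # The schedule includes seconds, so a classic 5-field crontab is a mistake.
    sched = spec.get("schedule")
    if sched is not None and len(sched.split()) < 6:
        findings.append(f"schedule {sched!r} has no seconds field")
    return findings


# Constructed sample: the example above with three mistakes introduced.
SAMPLE = {
    "apiVersion": "kafka.oso.sh/v1alpha1",
    "kind": "KafkaBackupValidation",
    "metadata": {"name": "daily-backup-validation", "namespace": "kafka-backup"},
    "spec": {
        "backupRef": {"name": ""},                      # no storage block
        "checks": {"consumerGroupOffsets": {"enabled": True}},  # no kafkaCluster
        "evidence": {"formats": ["json"], "signing": {"enabled": True}},
        "schedule": "0 2 * * *",                        # 5 fields, no seconds
    },
}

if __name__ == "__main__":
    for finding in lint_validation(SAMPLE):
        print("FAIL:", finding)
```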
Status
```yaml
status:
  phase: Completed
  validationResult: Pass
  checksTotal: 3
  checksCompleted: 3
  checksPassed: 3
  evidenceReportPath: "evidence/daily-backup-validation.json"
  evidenceReportSigned: true
  lastValidationTime: "2026-04-13T02:00:00Z"
  nextScheduledValidation: "2026-04-14T02:00:00Z"
```