Add Kubernetes secure bootstrap documentation #1668

Open

JakeSCahill wants to merge 1 commit into main from doc-242-k8s-secure-bootstrap

@JakeSCahill
Contributor

Summary

Adds documentation for the auth.sasl.bootstrapUser configuration that enables "secure by default" Kubernetes cluster deployments with authentication enforced from the first startup.

Changes

  • k-production-deployment.adoc: Added "Secure bootstrap" section with quick example configuration
  • authentication.adoc partial: Added comprehensive "Bootstrap superuser at cluster formation" section including:
    • When to use bootstrap user
    • Step-by-step configuration instructions for both Operator and Helm
    • Verification steps
    • Usage examples for creating users and ACLs
    • Security best practices
    • Note about secretRef requirement when using empty users list

Testing

Tested on kind clusters with:

  • ✅ Default bootstrap user (kubernetes-controller) with SCRAM-SHA-256
  • ✅ Custom bootstrap user (admin-bootstrap) with SCRAM-SHA-512
  • ✅ Bootstrap user creation and authentication
  • ✅ Creating additional users and ACLs with bootstrap credentials
  • ✅ New users able to access cluster resources

Related

Closes: https://redpandadata.atlassian.net/browse/DOC-242

This addresses the content gap where bare metal docs covered bootstrap configuration but Kubernetes docs did not, despite the operator/Helm charts supporting the feature.

@JakeSCahill JakeSCahill requested a review from a team as a code owner April 14, 2026 15:56
@netlify

netlify bot commented Apr 14, 2026

Deploy Preview for redpanda-docs-preview ready!

Name Link
🔨 Latest commit e8d3d9f
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-docs-preview/deploys/69de64576b684c00076d94b0
😎 Deploy Preview https://deploy-preview-1668--redpanda-docs-preview.netlify.app

@coderabbitai
Contributor

coderabbitai bot commented Apr 14, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 05544f0e-68c3-4a0f-85cb-39134b048855

Walkthrough

This pull request adds documentation for the bootstrap superuser feature in Redpanda's Kubernetes deployments with authentication enabled. Two documentation files are updated: one adds a "Secure bootstrap" subsection with a YAML configuration example showing the auth.sasl.bootstrapUser structure under Kubernetes production deployment settings, and another provides a comprehensive guide documenting bootstrap superuser cluster formation, including Kubernetes Secret creation procedures, Helm configuration steps, user verification, and guidance for post-deployment user and ACL management. The documentation explains that the bootstrap user is created only on first cluster startup and is automatically added to the superusers list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • redpanda-data/docs#1319 — Documents SASL mechanism support for bootstrap users, complementing the Kubernetes/Helm configuration documentation in this PR.

Suggested reviewers

  • chrisseto
  • sago2k8
  • andrewstucki
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The pull request description covers the main objectives, files changed, and testing performed, but lacks the required template sections (JIRA ticket, page previews, and checkbox items).
Resolution: Add the JIRA ticket link, page preview links for modified files, and check the appropriate checkboxes (Content gap) to match the repository template.

✅ Passed checks (2 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The pull request title accurately summarizes the main change—adding Kubernetes secure bootstrap documentation—and is clear, specific, and concise.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Add documentation for auth.sasl.bootstrapUser configuration to enable
secure by default cluster deployments with authentication enforced
from the first startup.

Changes:
- Add secure bootstrap section to k-production-deployment.adoc
  showing quick example configuration
- Add comprehensive bootstrap superuser section to authentication.adoc
  partial with when to use, configuration steps, verification, usage
  examples, and security best practices
- Include note about secretRef requirement discovered during testing

Tested on kind cluster with both default and custom bootstrap user
configurations. Verified bootstrap user creation, ACL management, and
new user functionality.

Closes: DOC-242
@JakeSCahill JakeSCahill force-pushed the doc-242-k8s-secure-bootstrap branch from a370b00 to e8d3d9f Compare April 14, 2026 15:59