[Doc][Enhancement]kerberos config on kubernetes

docs/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md

@@ -751,3 +751,27 @@ Support configmap monitoring and restart for FE and BE, Use FE usage as example.
     ```
 2. Update FE service configurations.  
    When modifying values under the `fe.conf` key in the fe-configmap ConfigMap (containing FE service configurations), Doris Operator will automatically perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions 2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos authentication in Doris, both the [krb5.conf file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) and [keytab files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and mounts the keytab files using a Secret resource. The workflow for enabling Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+    ```shell
+    kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+    ```
+   Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file=${xxx.keytab}
+    ```
+   Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the Secret. If multiple keytab files need to be mounted, refer to the [kubectl create Secret documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/) to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing krb5.conf and the Secret containing keytab files:
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+   ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file. ${keytabSecretName}: Name of the Secret containing the keytab files. ${keytabPath}: The directory path in the container where the Secret mounts the keytab files. This path should match the directory specified by hadoop.kerberos.keytab when creating a catalog. For catalog configuration details, refer to the [Hive Catalog configuration](../../../lakehouse/catalogs/hive-catalog.md#configuring-catalog) documentation.

i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md

@@ -902,3 +902,27 @@ spec:
     ```
 2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。  
 当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值( FE 服务的启动配置)后，Doris Operator 自动滚动重启 FE 服务使配置生效。
+
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用 Kerberos 认证。 Doris 使用 Kerberos 认证需要使用 [krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) 和 [keytab 文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件，使用 `Secret` 资源挂载 keytab 文件。使用 Kerberos 认证流程如下：
+1. 构建包含 krb5.conf 文件的 ConfigMap：
+    ```shell
+    kubectl create -n ${namespace} create configmap ${name} --from-file=krb5.conf
+    ```
+   ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file= ${xxx.keytab}
+    ```
+   ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 Secret 想要指定的名字，如果需要挂载多个 `keytab` 文件，请参考 [kubectl 创建 Secret 文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个 `keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源，指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+   ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap 名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret 希望挂载到容器中的路径，这个路径是创建 catalog 时，通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+   catalog 请参考配置 [Hive Catalog](../../../lakehouse/catalogs/hive-catalog.md#配置-catalog) 文档。

i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md

@@ -903,3 +903,26 @@ spec:
 2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。  
   当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值( FE 服务的启动配置)后，Doris Operator 自动滚动重启 FE 服务使配置生效。
 
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用 Kerberos 认证。 Doris 使用 Kerberos 认证需要使用 [krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) 和 [keytab 文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件，使用 `Secret` 资源挂载 keytab 文件。使用 Kerberos 认证流程如下：
+1. 构建包含 krb5.conf 文件的 ConfigMap：
+    ```shell
+    kubectl create -n ${namespace} create configmap ${name} --from-file=krb5.conf
+    ```
+    ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file= ${xxx.keytab}
+    ```
+    ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 Secret 想要指定的名字，如果需要挂载多个 `keytab` 文件，请参考 [kubectl 创建 Secret 文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个 `keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源，指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+    ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap 名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret 希望挂载到容器中的路径，这个路径是创建 catalog 时，通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+      atalog 请参考配置 [Hive Catalog](../../lakehouse/datalake-analytics/hive.md#catalog-配置) 文档。

i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md

@@ -924,4 +924,28 @@ spec:
 ```
 2. 更新 `fe-configmap` 里面指定的 FE 服务启动配置。
 
-当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值 (为 FE 服务的启动配置) 后，Doris Operator 自动滚动重启 FE 服务使配置生效。
+当更新 `fe-configmap` 中 key 为 `fe.conf` 对应的值 (为 FE 服务的启动配置) 后，Doris Operator 自动滚动重启 FE 服务使配置生效。
+
+## 使用 Kerberos 认证
+Doris Operator 从 25.2.0 版本开始支持 Doris (2.1.9 和 3.0.4 及以后版本) 在 Kubernetes 使用 Kerberos 认证。 Doris 使用 Kerberos 认证需要使用 [krb5.conf](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) 和 [keytab 文件](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) 。
+Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件，使用 `Secret` 资源挂载 keytab 文件。使用 Kerberos 认证流程如下：
+1. 构建包含 krb5.conf 文件的 ConfigMap：
+    ```shell
+    kubectl create -n ${namespace} create configmap ${name} --from-file=krb5.conf
+    ```
+   ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 ConfigMap 想要指定的名字。
+2. 构建包含 keytab 的 Secret:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file= ${xxx.keytab}
+    ```
+   ${namespace} 为 `DorisCluster` 部署的命名空间，${name} 为 Secret 想要指定的名字，如果需要挂载多个 `keytab` 文件，请参考 [kubectl 创建 Secret 文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个 `keytab` 文件放到一个 Secret 中。
+3. 配置 DorisCluster 资源，指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab` 文件的 Secret。
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+   ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap 名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret 希望挂载到容器中的路径，这个路径是创建 catalog 时，通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+   catalog 请参考配置 [Hive Catalog](../../../lakehouse/datalake-analytics/hive.md#catalog-配置) 文档。

versioned_docs/version-2.1/install/deploy-on-kubernetes/install-config-cluster.md

@@ -517,7 +517,7 @@ mysql -h ac4828493dgrftb884g67wg4tb68gyut-1137856348.us-east-1.elb.amazonaws.com
 ```
 
 ## Configuring the username and password for the management cluster
-Managing Doris nodes requires connecting to the live FE nodes via the MySQL protocol using a username and password for administrative operations. Doris implements [a permission management mechanism similar to RBAC]( ../../admin-manual/auth/authentication-and-authorization), where the user must have the [Node_priv](../../admin-manual/auth/authentication-and-authorization#Types of Permissions) permission to perform node management. By default, the Doris Operator deploys the cluster with the root user in passwordless mode.
+Managing Doris nodes requires connecting to the live FE nodes via the MySQL protocol using a username and password for administrative operations. Doris implements [a permission management mechanism similar to RBAC]( ../../admin-manual/auth/authentication-and-authorization), where the user must have the [Node_priv](../../admin-manual/auth/authentication-and-authorization.md#types-of-permissions) permission to perform node management. By default, the Doris Operator deploys the cluster with the root user in passwordless mode.
 
 The process of configuring the username and password can be divided into three scenarios:  
 - initializing the root user password during cluster deployment;
@@ -664,7 +664,7 @@ After deployment, please set the root password. Doris Operator will switch to us
 :::
 
 ### Setting the root user password after cluster deployment
-After deploying the Doris cluster and setting the root user's password, it's essential to create a management user with the necessary [Node_priv](../../admin-manual/auth/authentication-and-authorization#Types of Permissions) permission to allow Doris Operator to automatically manage the cluster nodes. Using the root user for this purpose is not recommended. Instead, please refer to [the User Creation and Permission Assignment Section](../../sql-manual/sql-statements/account-management/CREATE-USER) to create a new user and grant Node_priv permission.
+After deploying the Doris cluster and setting the root user's password, it's essential to create a management user with the necessary [Node_priv](../../admin-manual/auth/authentication-and-authorization.md#types-of-permissions) permission to allow Doris Operator to automatically manage the cluster nodes. Using the root user for this purpose is not recommended. Instead, please refer to [the User Creation and Permission Assignment Section](../../sql-manual/sql-statements/account-management/CREATE-USER) to create a new user and grant Node_priv permission.
 
 #### Step 1: Create a user with Node_priv permission
 First, connect to the Doris database using the MySQL protocol, then create a new user with the required permissions:
@@ -749,3 +749,27 @@ Support configmap monitoring and restart for FE and BE, Use FE usage as example.
     ```
 2. Update FE service configurations.  
    When modifying values under the `fe.conf` key in the fe-configmap ConfigMap (containing FE service configurations), Doris Operator will automatically perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions 2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos authentication in Doris, both the [krb5.conf file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) and [keytab files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and mounts the keytab files using a Secret resource. The workflow for enabling Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+    ```shell
+    kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+    ```
+    Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file=${xxx.keytab}
+    ```
+    Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the Secret. If multiple keytab files need to be mounted, refer to the [kubectl create Secret documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/) to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing krb5.conf and the Secret containing keytab files:
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+    ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file. ${keytabSecretName}: Name of the Secret containing the keytab files. ${keytabPath}: The directory path in the container where the Secret mounts the keytab files. This path should match the directory specified by hadoop.kerberos.keytab when creating a catalog. For catalog configuration details, refer to the [Hive Catalog configuration](../../lakehouse/datalake-analytics/hive.md#catalog-configuration) documentation.

versioned_docs/version-3.0/install/deploy-on-kubernetes/integrated-storage-compute/install-config-cluster.md

@@ -751,3 +751,27 @@ Support configmap monitoring and restart for FE and BE, Use FE usage as example.
     ```
 2. Update FE service configurations.  
    When modifying values under the `fe.conf` key in the fe-configmap ConfigMap (containing FE service configurations), Doris Operator will automatically perform a rolling restart of FE services to apply changes.
+
+## Using Kerberos Authentication
+The Doris Operator has supported Kerberos authentication for Doris (versions 2.1.9, 3.0.4, and later) in Kubernetes since version 25.2.0. To enable Kerberos authentication in Doris, both the [krb5.conf file](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html) and [keytab files](https://web.mit.edu/Kerberos/krb5-1.16/doc/basic/keytab_def.html) are required.
+The Doris Operator mounts the krb5.conf file using a ConfigMap resource and mounts the keytab files using a Secret resource. The workflow for enabling Kerberos authentication is as follows:
+
+1. Create a ConfigMap containing the krb5.conf file:
+    ```shell
+    kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
+    ```
+   Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the ConfigMap.
+2. Create a Secret containing the keytab files:
+    ```shell
+    kubectl create -n ${namespace} secret generic ${name} --from-file=${xxx.keytab}
+    ```
+   Replace ${namespace} with the namespace where the DorisCluster is deployed, and ${name} with the desired name for the Secret. If multiple keytab files need to be mounted, refer to the [kubectl create Secret documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/) to include them in a single Secret.
+3. Configure the DorisCluster resource to specify the ConfigMap containing krb5.conf and the Secret containing keytab files:
+    ```yaml
+    spec:
+      kerberosInfo:
+        krb5ConfigMap: ${krb5ConfigMapName}
+        keytabSecretName: ${keytabSecretName}
+        keytabPath: ${keytabPath}
+    ```
+   ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file. ${keytabSecretName}: Name of the Secret containing the keytab files. ${keytabPath}: The directory path in the container where the Secret mounts the keytab files. This path should match the directory specified by hadoop.kerberos.keytab when creating a catalog. For catalog configuration details, refer to the [Hive Catalog configuration](../../../lakehouse/datalake-analytics/hive.md#catalog-configuration) documentation.