This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new b5ff00b feat(tls): support ca type issuer and v1alpha* version
cert-manager api (#561)
b5ff00b is described below
commit b5ff00b16be2d027b3fc9849adc4972400da0860
Author: Eric Shen <[email protected]>
AuthorDate: Wed Dec 18 23:11:54 2024 +0800
feat(tls): support ca type issuer and v1alpha* version cert-manager api
(#561)
---
charts/pulsar/templates/_autorecovery.tpl | 5 ++
charts/pulsar/templates/_bookkeeper.tpl | 5 ++
charts/pulsar/templates/_broker.tpl | 5 ++
charts/pulsar/templates/_toolset.tpl | 5 ++
charts/pulsar/templates/proxy-statefulset.yaml | 5 ++
.../pulsar/templates/tls-cert-internal-issuer.yaml | 12 +++-
charts/pulsar/templates/tls-certs-internal.yaml | 70 +++++++++++++++++++++-
charts/pulsar/templates/toolset-statefulset.yaml | 5 ++
charts/pulsar/templates/zookeeper-statefulset.yaml | 5 ++
charts/pulsar/values.yaml | 14 ++++-
examples/{values-tls.yaml => values-tls-ca.yaml} | 11 +++-
...{values-tls.yaml => values-tls-selfsigned.yaml} | 0
12 files changed, 136 insertions(+), 6 deletions(-)
diff --git a/charts/pulsar/templates/_autorecovery.tpl
b/charts/pulsar/templates/_autorecovery.tpl
index 8ba78c8..ff12360 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -74,7 +74,12 @@ Define autorecovery tls certs volumes
path: tls.key
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
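Review bot: When `.Values.certs.internal_issuer.type` is neither `selfsigning` nor `ca`, both added guards are skipped and the `secret:` volume renders with no `secretName`, so a typo in `type` surfaces as a pod that cannot mount its CA bundle instead of a `helm template` error; turning the second guard into `{{- else }}{{ fail "unsupported certs.internal_issuer.type" }}{{- end }}` and wrapping the lookup as `{{ required "certs.issuers.ca.secretName is required when type is ca" .Values.certs.issuers.ca.secretName }}` (the default in values.yaml is null) would fail at render time. The same pattern is added in `_bookkeeper.tpl`, `_broker.tpl`, `_toolset.tpl`, `proxy-statefulset.yaml`, `toolset-statefulset.yaml` and `zookeeper-statefulset.yaml`. If `certs.issuers.ca.secretName` names the same Secret the new CA Issuer signs with, that Secret also holds the CA signing key, and referencing it from every workload pod spec means each node hosting these pods fetches the whole Secret even though only the `ca.crt` item is projected here; pointing the workloads at a Secret or ConfigMap that carries only `ca.crt` (the issued certificate Secrets presumably already contain a `ca.crt` key) would keep the signing key confined to cert-manager. The enclosing `define` for this volume list starts outside the hunk.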
diff --git a/charts/pulsar/templates/_bookkeeper.tpl
b/charts/pulsar/templates/_bookkeeper.tpl
index d7a5702..f0d0b9e 100644
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@@ -75,7 +75,12 @@ Define bookie tls certs volumes
path: tls.key
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_broker.tpl
b/charts/pulsar/templates/_broker.tpl
index 42f5b85..cdd7f01 100644
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@@ -81,7 +81,12 @@ Define broker tls certs volumes
path: tls.key
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_toolset.tpl
b/charts/pulsar/templates/_toolset.tpl
index 30547ad..ec665e8 100644
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@@ -74,7 +74,12 @@ Define toolset tls certs volumes
path: tls.key
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml
b/charts/pulsar/templates/proxy-statefulset.yaml
index d2728d8..73c5bae 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -296,7 +296,12 @@ spec:
{{- if .Values.tls.proxy.enabled }}
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index e9c3a2f..faf1dff 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -27,7 +27,6 @@ metadata:
spec:
selfSigned: {}
---
-
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Certificate
metadata:
@@ -51,7 +50,6 @@ spec:
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
---
-
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer
metadata:
@@ -61,4 +59,14 @@ spec:
ca:
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
+{{- if eq .Values.certs.internal_issuer.type "ca" }}
+apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+kind: Issuer
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ ca:
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+{{- end }}
{{- end }}
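Review bot: `secretName: "{{ .Values.certs.issuers.ca.secretName }}"` on the new Issuer renders as `secretName: ""` when the value is left at its values.yaml default, producing an Issuer that only fails once cert-manager reconciles it; `secretName: {{ required "certs.issuers.ca.secretName must be set when certs.internal_issuer.type is ca" .Values.certs.issuers.ca.secretName | quote }}` reports the omission at render time. The new Issuer reuses the `-ca-issuer` name of the selfsigning-branch Issuer above, which is only safe because the two `type` branches are mutually exclusive; a comment such as `# same name as the selfsigning Issuer: exactly one of the two type branches renders` records that dependency. Since `Issuer` is namespaced, it would also help to note that the referenced Secret must live in the release namespace and carry the CA certificate and key under the names cert-manager's CA issuer expects.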
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml
b/charts/pulsar/templates/tls-certs-internal.yaml
index b14ce15..53afd60 100644
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -32,27 +32,38 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component
}}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
# At least one of a DNS Name, USI SAN, or IP address is required.
dnsNames:
- - "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{
template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
{{- if .Values.tls.proxy.dnsNames }}
{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
{{- end }}
+ - "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{
template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
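Review bot: The `{{- else }}` branches emitting the legacy `organization` and `keySize`/`keyAlgorithm`/`keyEncoding` fields are taken for every `apiVersion` that is not exactly `cert-manager.io/v1`, so a mistyped value or any future API version silently renders the pre-v1 schema rather than failing; matching the legacy versions explicitly (or adding an `{{- else }}{{ fail "unsupported certs.internal_issuer.apiVersion" }}{{- end }}` arm) would make the fallback deliberate. The same two conditionals are repeated in the broker, bookie, autorecovery, toolset and zookeeper hunks of this file, so one shared named template for the subject and key blocks would avoid six copies of the version switch. To my knowledge the `v1alpha*`/`v1beta1` cert-manager APIs were removed in cert-manager 1.6, so a comment in values.yaml stating which cert-manager releases the non-v1 branch targets would help operators. The Certificate `spec` this hunk edits begins outside the hunk.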
@@ -77,17 +88,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component
}}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
@@ -121,17 +143,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{
.Values.bookkeeper.component }}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
@@ -164,17 +197,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{
.Values.autorecovery.component }}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
@@ -204,17 +248,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component
}}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
@@ -244,17 +299,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
+ {{- else }}
+ organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+ {{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{
.Values.zookeeper.component }}"
isCA: false
+ {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
+ {{- else }}
+ keySize: {{ .Values.tls.common.keySize }}
+ keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+ keyEncoding: {{ .Values.tls.common.keyEncoding }}
+ {{- end }}
usages:
- server auth
- client auth
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml
b/charts/pulsar/templates/toolset-statefulset.yaml
index 6f5ea82..c037d66 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -128,7 +128,12 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled
.Values.tls.proxy.enabled) }}
- name: proxy-ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml
b/charts/pulsar/templates/zookeeper-statefulset.yaml
index cd84405..972c154 100755
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -252,7 +252,12 @@ spec:
path: tls.key
- name: ca
secret:
+ {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ {{- end }}
+ {{- if eq .Values.certs.internal_issuer.type "ca" }}
+ secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+ {{- end }}
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 9236c34..27df41c 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -232,11 +232,18 @@ tls:
proxy:
enabled: false
cert_name: tls-proxy
- createCert: true # set to false if you want to use an existing certificate
+ # set to false if you want to use an existing certificate
+ createCert: true
+ # The dnsNames field specifies a list of Subject Alternative Names to be
associated with the certificate.
+ dnsNames:
+ # - example.com
# settings for generating certs for broker
broker:
enabled: false
cert_name: tls-broker
+ # The dnsNames field specifies a list of Subject Alternative Names to be
associated with the certificate.
+ dnsNames:
+ # - example.com
# settings for generating certs for bookies
bookie:
enabled: false
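Review bot: The new `dnsNames:` keys for `tls.proxy` and `tls.broker` are left bare, which parses as `null`; `dnsNames: []` states the intended type explicitly and behaves the same under the templates' `{{- if .Values.tls.proxy.dnsNames }}` guards. It would also be worth a comment that every entry becomes a SAN the component's certificate asserts, so the list should contain only hostnames that actually resolve to this deployment, for example `# Only list hostnames that route to this proxy; each becomes a SAN of its certificate.`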
@@ -297,13 +304,18 @@ certs:
apiVersion: cert-manager.io/v1
enabled: false
component: internal-cert-issuer
+ # The type of issuer, supports selfsigning and ca
type: selfsigning
# 90d
duration: 2160h
# 15d
renewBefore: 360h
issuers:
+ # Used for certs.type as selfsigning, the selfsigned issuer has no
dependency on any other resource.
selfsigning:
+ # used for certs.type as ca, the CA issuer needs to reference a Secret
which contains your CA certificate and signing private key.
+ ca:
+ secretName:
######################################################################
# Below are settings for each component
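Review bot: The two new comments refer to `certs.type`, but the key that selects the issuer is `certs.internal_issuer.type` (added as `type: selfsigning` in this same hunk); the comments should read `# Used when certs.internal_issuer.type is selfsigning ...` and `# Used when certs.internal_issuer.type is ca ...`. The bare `secretName:` parses as `null`; `secretName: ""` is clearer and is treated the same way by Helm's `required`. A note that the Secret must exist in the release namespace before install, and that it should hold only the CA material cert-manager's CA issuer needs, would save operators a failed first reconcile.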
diff --git a/examples/values-tls.yaml b/examples/values-tls-ca.yaml
similarity index 72%
copy from examples/values-tls.yaml
copy to examples/values-tls-ca.yaml
index fadab07..8692dc9 100644
--- a/examples/values-tls.yaml
+++ b/examples/values-tls-ca.yaml
@@ -22,8 +22,13 @@ tls:
enabled: true
proxy:
enabled: true
+ dnsNames:
+ # The dnsNames field specifies a list of Subject Alternative Names to be
associated with the certificate.
+ - example.com
broker:
enabled: true
+ bookie:
+ enabled: true
zookeeper:
enabled: true
@@ -31,4 +36,8 @@ tls:
certs:
internal_issuer:
enabled: true
- type: selfsigning
\ No newline at end of file
+ type: ca
+ issuers:
+ # used for certs.type as ca, the CA issuer needs to reference a Secret
which contains your CA certificate and signing private key.
+ ca:
+ secretName: ca-key-pair
\ No newline at end of file
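Review bot: The copied example still ends without a trailing newline (the `\ No newline at end of file` marker is on the new side too), so the file should gain a final newline. The comment above `ca:` repeats the `certs.type` wording from values.yaml although the key set two lines earlier is `certs.internal_issuer.type`; `# Used when certs.internal_issuer.type is ca ...` would match the example's own structure.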
diff --git a/examples/values-tls.yaml b/examples/values-tls-selfsigned.yaml
similarity index 100%
rename from examples/values-tls.yaml
rename to examples/values-tls-selfsigned.yaml