This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new 1180db4 add template for ca issuer name and secret name (#565)
1180db4 is described below
commit 1180db46cd07174ef9af539cf648db3dd596f965
Author: gulecroc <[email protected]>
AuthorDate: Fri May 23 15:22:17 2025 +0200
add template for ca issuer name and secret name (#565)
* set template for ca issuer name and secret name + geo-replication
installation example
* remove geo-replication from this PR
* use certs template to define ca name and secret name
* Handle proxy, toolset and zookeeper in the same way as others
* Make the logic more consistent by separating the selfsigning issuer
configuration
---------
Co-authored-by: GLECROC <[email protected]>
Co-authored-by: Lari Hotari <[email protected]>
Co-authored-by: Lari Hotari <[email protected]>
---
charts/pulsar/templates/_autorecovery.tpl | 7 +--
charts/pulsar/templates/_bookkeeper.tpl | 7 +--
charts/pulsar/templates/_broker.tpl | 7 +--
charts/pulsar/templates/_certs.tpl | 60 ++++++++++++++++++++++
charts/pulsar/templates/_toolset.tpl | 7 +--
charts/pulsar/templates/proxy-statefulset.yaml | 7 +--
.../pulsar/templates/tls-cert-internal-issuer.yaml | 16 ++----
charts/pulsar/templates/tls-certs-internal.yaml | 14 +++--
charts/pulsar/templates/toolset-statefulset.yaml | 7 +--
charts/pulsar/templates/zookeeper-statefulset.yaml | 7 +--
charts/pulsar/values.yaml | 17 ++++--
11 files changed, 90 insertions(+), 66 deletions(-)
diff --git a/charts/pulsar/templates/_autorecovery.tpl
b/charts/pulsar/templates/_autorecovery.tpl
index ff12360..60ea55d 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
path: tls.key
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
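Review bot: This substitution changes what the `ca` volume resolves to when `certs.internal_issuer.enabled` is false: the removed lines picked `<release>-<tls.ca_suffix>` from `type` alone, while `pulsar.certs.issuers.ca.secretName` now calls `fail` unless `certs.issuers.ca.secretName` is set, so an existing release running TLS with the internal issuer disabled and its CA secret under the old default name stops rendering on upgrade. Failing loudly is arguably better than mounting a guessed secret, but it should be recorded as a breaking change in the chart's upgrade notes and in the values comment, e.g. `# Previously defaulted to <release>-<tls.ca_suffix>; must now be set explicitly when the internal issuer is disabled`. The same one-line replacement is repeated in the bookkeeper, broker, toolset, proxy and zookeeper hunks, so one note covers all of them. The volume definition begins before this hunk.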
diff --git a/charts/pulsar/templates/_bookkeeper.tpl
b/charts/pulsar/templates/_bookkeeper.tpl
index e7ab4ce..b8b367a 100644
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@@ -75,12 +75,7 @@ Define bookie tls certs volumes
path: tls.key
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_broker.tpl
b/charts/pulsar/templates/_broker.tpl
index cdd7f01..b5b86f2 100644
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@@ -81,12 +81,7 @@ Define broker tls certs volumes
path: tls.key
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_certs.tpl
b/charts/pulsar/templates/_certs.tpl
new file mode 100644
index 0000000..739fbf0
--- /dev/null
+++ b/charts/pulsar/templates/_certs.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning")
.Values.certs.issuers.selfsigning.name -}}
+{{- .Values.certs.issuers.selfsigning.name -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca")
.Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component
}}-ca-issuer
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.name is required when TLS is enabled and
certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning")
.Values.certs.issuers.selfsigning.secretName -}}
+{{- .Values.certs.issuers.selfsigning.secretName -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca")
.Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and
certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
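Review bot: For `certs.internal_issuer.type: ca` with `certs.issuers.ca.secretName` unset, `pulsar.certs.issuers.ca.secretName` silently falls through to `<release>-<tls.ca_suffix>`, which from the issuer hunk appears to be the selfsigned CA secret that the chart only creates for the selfsigning type, so the Issuer and every `ca` volume would point at a secret nothing provisions, and the values.yaml promise that this value is mandatory is not enforced. Add an explicit guard before the default branch: `{{- else if eq .Values.certs.internal_issuer.type "ca" -}}` / `{{- fail "certs.issuers.ca.secretName is required when certs.internal_issuer.type is ca" -}}`; the `.name` helper needs no such check because the chart creates that Issuer itself. An unrecognised `type` (a typo) also lands in the same default branches of both helpers, so a trailing `fail` on unknown types would surface it instead of quietly rendering a selfsigned issuer name. The file also lacks a trailing newline.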
diff --git a/charts/pulsar/templates/_toolset.tpl
b/charts/pulsar/templates/_toolset.tpl
index ec665e8..fe3295b 100644
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@@ -74,12 +74,7 @@ Define toolset tls certs volumes
path: tls.key
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml
b/charts/pulsar/templates/proxy-statefulset.yaml
index 7ec56d4..f7235ba 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -299,12 +299,7 @@ spec:
{{- if .Values.tls.proxy.enabled }}
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index faf1dff..b67a480 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -33,7 +33,7 @@ metadata:
name: "{{ template "pulsar.fullname" . }}-ca"
namespace: {{ template "pulsar.namespace" . }}
spec:
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
commonName: "{{ template "pulsar.namespace" . }}.svc.{{
.Values.clusterDomain }}"
duration: "{{ .Values.certs.internal_issuer.duration }}"
renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@@ -50,23 +50,13 @@ spec:
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Issuer
-metadata:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
- namespace: {{ template "pulsar.namespace" . }}
-spec:
- ca:
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
-{{- if eq .Values.certs.internal_issuer.type "ca" }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer
metadata:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
ca:
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-{{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
{{- end }}
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml
b/charts/pulsar/templates/tls-certs-internal.yaml
index 53afd60..ffe616a 100644
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -18,7 +18,6 @@
#
{{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}
{{- if .Values.tls.proxy.enabled }}
{{- if .Values.tls.proxy.createCert }}
@@ -66,7 +65,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
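Review bot: With the `certs.internal_issuer.enabled` guard dropped in this file's first hunk, these Certificates are now rendered against a user-supplied issuer whenever `tls.enabled` and the component's `createCert` are set, yet `issuerRef.kind` two lines below the changed `name` stays hard-coded to `Issuer`, so the external issuer must be a namespaced Issuer in the release namespace and a ClusterIssuer, the usual shape for an organisation-wide CA, cannot be referenced. Consider making it a value, e.g. `kind: "{{ .Values.certs.issuers.ca.kind | default "Issuer" }}"`, applied to all six issuerRef blocks in this file. It is also worth stating in the values comments that cert-manager CRDs are now required for any `tls.enabled` release unless every `tls.<component>.createCert` is false, since previously disabling the internal issuer skipped this file entirely. The Certificate spec begins before this hunk.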
@@ -122,7 +121,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
@@ -176,7 +175,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
@@ -230,7 +229,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component
}}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
@@ -281,7 +280,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
@@ -332,7 +331,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
# Issuer references are always required.
issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{
.Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
@@ -342,4 +341,3 @@ spec:
{{- end }}
{{- end }}
-{{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml
b/charts/pulsar/templates/toolset-statefulset.yaml
index ac386db..922f8ac 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -125,12 +125,7 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled
.Values.tls.proxy.enabled) }}
- name: proxy-ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml
b/charts/pulsar/templates/zookeeper-statefulset.yaml
index b92fde6..fc7554f 100755
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -253,12 +253,7 @@ spec:
path: tls.key
- name: ca
secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 1e18d96..0a4f775 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -315,13 +315,15 @@ auth:
######################################################################
## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
##
## Cert manager is used for automatically provisioning TLS certificates
## for components within a Pulsar cluster
certs:
internal_issuer:
apiVersion: cert-manager.io/v1
+ # To enable internal issuer for TLS certificates, set this to true
+ # It is necessary to have cert-manager installed in the cluster
enabled: false
component: internal-cert-issuer
# The type of issuer, supports selfsigning and ca
@@ -331,10 +333,19 @@ certs:
# 15d
renewBefore: 360h
issuers:
- # Used for certs.type as selfsigning, the selfsigned issuer has no
dependency on any other resource.
+ # Used for certs.internal_issuer.type as selfsigning
selfsigning:
- # used for certs.type as ca, the CA issuer needs to reference a Secret
which contains your CA certificate and signing private key.
+ # The name of the issuer, if not specified, the default value is used
+ name:
+ # The secret name of the selfsigned CA certificate, if not specified,
the default value is used
+ secretName:
+ # used for certs.internal_issuer.type as ca or when internal_issuer is
disabled
ca:
+ # The name of the issuer, it is mandatory to specify this value if TLS
is enabled
+ # and selfsigning is not used
+ name:
+ # The secret name of the CA certificate, it is mandatory to specify this
value if TLS is enabled
+ # and selfsigning is not used
secretName:
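Review bot: The rewritten `ca:` comments drop the one detail the removed line carried, what the secret must contain, and overstate when `name`/`secretName` are mandatory: the helper in `_certs.tpl` only fails when `certs.internal_issuer.enabled` is false and fills in defaults for `type: ca` with the internal issuer enabled. The statefulset hunks project only the `ca.crt` key out of this secret, and cert-manager's CA issuer additionally reads `tls.crt`/`tls.key` from it for `type: ca`, so suggest `# Secret holding the CA: must contain ca.crt (the only key mounted into components) and, for type ca, tls.crt/tls.key for cert-manager to sign with` and `# Required when certs.internal_issuer.enabled is false; with the internal issuer enabled the chart derives a default name`. Because releases with `internal_issuer.enabled: false` previously fell back to `<release>-<tls.ca_suffix>` and now fail to render without this value, the comment or the upgrade notes should say so. Bare `name:` / `secretName:` render as null, which the helper's `and` tolerates, but `""` would make the "unset" intent explicit.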
######################################################################