Re: [I] Allow use of ClusterIssuer for all component certs [pulsar-helm-chart]

Mon, 15 Sep 2025 00:38:51 -0700 


lhotari commented on issue #629:
URL: 
https://github.com/apache/pulsar-helm-chart/issues/629#issuecomment-3290856966

   including pulsar-diff.txt here as comment so that it's easier to comment on 
it. 
   ```patch
   diff --git a/charts/pulsar/templates/_certs.tpl 
b/charts/pulsar/templates/_certs.tpl
   index 5aad491..2c683cb 100644
   --- a/charts/pulsar/templates/_certs.tpl
   +++ b/charts/pulsar/templates/_certs.tpl
   @@ -67,6 +67,9 @@ Usage: {{- include "pulsar.cert.template" (dict "root" . 
"componentConfig" .Valu
    {{- if eq .root.Values.certs.internal_issuer.apiVersion 
"cert-manager.io/v1beta1" -}}
    {{- fail "cert-manager.io/v1beta1 is no longer supported. Please set 
certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
    {{- end -}}
   +{{- if and .root.Values.certs.internal_issuer.enabled 
.root.Values.certs.cluster_issuer.enabled -}}
   +{{- fail "Please only enable one of internal_issuer or cluster_issuer" -}}
   +{{- end -}}
    apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
    kind: Certificate
    metadata:
   @@ -106,10 +109,18 @@ spec:
        - {{ printf "%s-%s" (include "pulsar.fullname" .root) 
.componentConfig.component | quote }}
      # Issuer references are always required.
      issuerRef:
   +{{- if .root.Values.certs.cluster_issuer.enabled }}
   +    name: {{ .root.Values.certs.cluster_issuer.name | quote }}
   +{{- else }}
        name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
   +{{- end }}
        # We can reference ClusterIssuers by changing the kind here.
        # The default value is Issuer (i.e. a locally namespaced Issuer)
   +{{- if .root.Values.certs.cluster_issuer.enabled }}
   +    kind: ClusterIssuer
   +{{- else }}
        kind: Issuer
   +{{- end }}
        # This is optional since cert-manager will default to this value however
        # if you are using an external issuer, change this to that issuer group.
        group: cert-manager.io
   diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
   index 0c65860..c5be28a 100755
   --- a/charts/pulsar/values.yaml
   +++ b/charts/pulsar/values.yaml
   @@ -397,6 +397,11 @@ certs:
          # The secret name of the CA certificate, it is mandatory to specify 
this value if TLS is enabled
          # and selfsigning is not used
          secretName:
   +  cluster_issuer:
   +    # set this to true if you want to use a ClusterIssuer and not create 
the Issuer
   +    # ensure you dont set both to enabled (cluster_issuer and 
internal_issuer)
   +    enabled: false
   :...skipping...
   diff --git a/charts/pulsar/templates/_certs.tpl 
b/charts/pulsar/templates/_certs.tpl
   index 5aad491..2c683cb 100644
   --- a/charts/pulsar/templates/_certs.tpl
   +++ b/charts/pulsar/templates/_certs.tpl
   @@ -67,6 +67,9 @@ Usage: {{- include "pulsar.cert.template" (dict "root" . 
"componentConfig" .Valu
    {{- if eq .root.Values.certs.internal_issuer.apiVersion 
"cert-manager.io/v1beta1" -}}
    {{- fail "cert-manager.io/v1beta1 is no longer supported. Please set 
certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
    {{- end -}}
   +{{- if and .root.Values.certs.internal_issuer.enabled 
.root.Values.certs.cluster_issuer.enabled -}}
   +{{- fail "Please only enable one of internal_issuer or cluster_issuer" -}}
   +{{- end -}}
    apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
    kind: Certificate
    metadata:
   @@ -106,10 +109,18 @@ spec:
        - {{ printf "%s-%s" (include "pulsar.fullname" .root) 
.componentConfig.component | quote }}
      # Issuer references are always required.
      issuerRef:
   +{{- if .root.Values.certs.cluster_issuer.enabled }}
   +    name: {{ .root.Values.certs.cluster_issuer.name | quote }}
   +{{- else }}
        name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
   +{{- end }}
        # We can reference ClusterIssuers by changing the kind here.
        # The default value is Issuer (i.e. a locally namespaced Issuer)
   +{{- if .root.Values.certs.cluster_issuer.enabled }}
   +    kind: ClusterIssuer
   +{{- else }}
        kind: Issuer
   +{{- end }}
        # This is optional since cert-manager will default to this value however
        # if you are using an external issuer, change this to that issuer group.
        group: cert-manager.io
   diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
   index 0c65860..c5be28a 100755
   --- a/charts/pulsar/values.yaml
   +++ b/charts/pulsar/values.yaml
   @@ -397,6 +397,11 @@ certs:
          # The secret name of the CA certificate, it is mandatory to specify 
this value if TLS is enabled
          # and selfsigning is not used
          secretName:
   +  cluster_issuer:
   +    # set this to true if you want to use a ClusterIssuer and not create 
the Issuer
   +    # ensure you dont set both to enabled (cluster_issuer and 
internal_issuer)
   +    enabled: false
   +    name: cluster-issuer-name
   
    ######################################################################
    # Below are settings for each component
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to