This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 5aad65c  Add support for ClusterIssuer for certificates (#630)
5aad65c is described below

commit 5aad65c28761c02842108fe2eadf701e59ab930d
Author: Lari Hotari <lhot...@users.noreply.github.com>
AuthorDate: Tue Sep 16 15:11:33 2025 +0300

    Add support for ClusterIssuer for certificates (#630)
    
    * Add support for ClusterIssuer
    
    * Add validation that kind must be Issuer when issuer is created as part of 
the deployment
---
 charts/pulsar/templates/_certs.tpl                    | 8 ++------
 charts/pulsar/templates/tls-cert-internal-issuer.yaml | 3 +++
 charts/pulsar/values.yaml                             | 4 ++++
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/charts/pulsar/templates/_certs.tpl 
b/charts/pulsar/templates/_certs.tpl
index 5aad491..4240b60 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -107,12 +107,8 @@ spec:
   # Issuer references are always required.
   issuerRef:
     name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+    kind: "{{ default "Issuer" .root.Values.certs.issuers.ca.kind }}"
+    group: "{{ default "cert-manager.io" .root.Values.certs.issuers.ca.group 
}}"
 {{- end -}}
 
 {{/*
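Review bot: The new `kind` and `group` lines interpolate user values into `issuerRef` with no render-time check, so a misspelling such as `clusterissuer` still renders cleanly. It would probably only surface later, as certificates that are never issued. Because `issuerRef` selects the CA that signs every certificate produced by this helper, consider rejecting unknown kinds when the group is the cert-manager default, for example `{{- if and (eq $group "cert-manager.io") (not (has $kind (list "Issuer" "ClusterIssuer"))) }}{{ fail "certs.issuers.ca.kind must be Issuer or ClusterIssuer" }}{{ end }}`, with `$kind` and `$group` holding the defaulted values. Piping through `quote` (`kind: {{ default "Issuer" .root.Values.certs.issuers.ca.kind | quote }}`) would also escape the value instead of relying on hand-written quotes. The enclosing `define` starts outside this hunk.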
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml 
b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index f2ede04..cecc665 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -55,6 +55,9 @@ spec:
     group: cert-manager.io
 ---
 {{- end }}
+{{- if and (eq .Values.certs.internal_issuer.type "ca") (not (eq 
.Values.certs.issuers.ca.kind "Issuer")) -}}
+{{- fail "Set certs.internal_issuer.enabled to false when using 
certs.issuers.ca.kind other than Issuer." -}}
+{{- end }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
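Review bot: The added guard compares `.Values.certs.issuers.ca.kind` directly, whereas `_certs.tpl` applies `default "Issuer"` to the same value, so the two templates disagree when an override nulls or omits the key. The Certificate would then render with `kind: Issuer`, but this check would not treat the missing value as `Issuer`. Apply the same default here: `(ne (default "Issuer" .Values.certs.issuers.ca.kind) "Issuer")`. The guard also only fires for `type "ca"`. Whether the other issuer type needs the same protection against a `ClusterIssuer` reference cannot be judged from this hunk, because the enclosing `if` blocks start outside it.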
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 0c65860..3e90311 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -397,6 +397,10 @@ certs:
       # The secret name of the CA certificate, it is mandatory to specify this 
value if TLS is enabled
       # and selfsigning is not used
       secretName:
+      # The k8s kind of the ca issuer: Issuer or ClusterIssuer
+      kind: Issuer
+      # Issuer group
+      group: cert-manager.io
 
 ######################################################################
 # Below are settings for each component
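Review bot: The comment on the new `kind` value omits two things an operator needs to know: a ClusterIssuer is cluster-scoped and must already exist, and `certs.internal_issuer.enabled` has to be false when it is used, which the template now enforces with a `fail`. A ClusterIssuer can be referenced from any namespace, so the CA behind it may also sign certificates for workloads outside this release. That matters if the CA is the trust anchor for Pulsar's internal TLS. Suggested wording: `# Issuer (namespaced, default) or ClusterIssuer (cluster-scoped, must already exist; set certs.internal_issuer.enabled to false)`. For `group`, the hint from the comment removed in `_certs.tpl` is worth keeping: `# API group of the issuer; change only when using an external issuer`.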
