From 1180db46cd07174ef9af539cf648db3dd596f965 Mon Sep 17 00:00:00 2001 From: gulecroc Date: Fri, 23 May 2025 15:22:17 +0200 Subject: [PATCH] add template for ca issuer name and secret name (#565) * set template for ca issuer name and secret name + geo-replication installation example * remove geo-replication from this PR * use certs template to define ca name and secret name * Handle proxy, toolset and zookeeper in the same way as others * Make the logic more consistent by separating the selfsigning issuer configuration --------- Co-authored-by: GLECROC Co-authored-by: Lari Hotari Co-authored-by: Lari Hotari --- charts/pulsar/templates/_autorecovery.tpl | 7 +-- charts/pulsar/templates/_bookkeeper.tpl | 7 +-- charts/pulsar/templates/_broker.tpl | 7 +-- charts/pulsar/templates/_certs.tpl | 60 +++++++++++++++++++ charts/pulsar/templates/_toolset.tpl | 7 +-- .../pulsar/templates/proxy-statefulset.yaml | 7 +-- .../templates/tls-cert-internal-issuer.yaml | 18 ++---- .../pulsar/templates/tls-certs-internal.yaml | 14 ++--- .../pulsar/templates/toolset-statefulset.yaml | 7 +-- .../templates/zookeeper-statefulset.yaml | 7 +-- charts/pulsar/values.yaml | 17 +++++- 11 files changed, 91 insertions(+), 67 deletions(-) create mode 100644 charts/pulsar/templates/_certs.tpl
diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl
index ff12360..60ea55d 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
 path: tls.key
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
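Review bot: The `ca` volume's `secretName` now comes from the shared `pulsar.certs.issuers.ca.secretName` helper, which is the same secret the CA `Issuer` in tls-cert-internal-issuer.yaml signs with, so that secret holds the CA's signing key next to `ca.crt` (the old values.yaml comment on `issuers.ca.secretName` says as much), and nothing in the hunk says why the `items:` projection below matters. I would add a comment above `items:` such as `# Project only ca.crt: this secret also holds the CA signing key, which must never reach a component pod.` The same applies to the identical hunks in _bookkeeper.tpl, _broker.tpl, _toolset.tpl, proxy-statefulset.yaml, toolset-statefulset.yaml and zookeeper-statefulset.yaml. The enclosing volume definition starts before this hunk.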
diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl
index e7ab4ce..b8b367a 100644
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@@ -75,12 +75,7 @@ Define bookie tls certs volumes
 path: tls.key
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl
index cdd7f01..b5b86f2 100644
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@@ -81,12 +81,7 @@ Define broker tls certs volumes
 path: tls.key
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
new file mode 100644
index 0000000..739fbf0
--- /dev/null
+++ b/charts/pulsar/templates/_certs.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
+{{- .Values.certs.issuers.selfsigning.name -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- template "pulsar.fullname" .
}}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
+{{- .Values.certs.issuers.selfsigning.secretName -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl
index ec665e8..fe3295b 100644
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@@ -74,12 +74,7 @@ Define toolset tls certs volumes
 path: tls.key
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
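Review bot: In `pulsar.certs.issuers.ca.secretName`, the final `else` makes `type: ca` with an empty `certs.issuers.ca.secretName` fall back to `<release>-<tls.ca_suffix>`, a secret that only the selfsigning branch of tls-cert-internal-issuer.yaml creates, so the CA `Issuer` is rendered against a secret that never exists and the mistake only shows up later as a never-Ready Issuer; the same `else` also accepts an unrecognised `type` silently, where the old per-component code emitted no `secretName` at all and failed at apply time. I would reserve the computed default for `type: selfsigning` and `fail` otherwise, as below; `pulsar.certs.issuers.ca.name` has the same shape, but its fallback is harmless because tls-cert-internal-issuer.yaml now creates an Issuer under exactly that name. Separately, anyone who previously ran with `certs.internal_issuer.enabled: false` and supplied their own CA secret under the old default name will now hit the new `fail` on upgrade until they set `certs.issuers.ca.secretName`, which deserves a sentence in the values comments (the previous default for `type` is not visible from here). The file also ends without a trailing newline.
```gotmpl
{{- define "pulsar.certs.issuers.ca.secretName" -}}
{{- if .Values.certs.internal_issuer.enabled -}}
{{/* … unchanged: explicit selfsigning.secretName / ca.secretName branches … */}}
{{- else if eq .Values.certs.internal_issuer.type "selfsigning" -}}
{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
{{- else -}}
{{- fail "certs.issuers.ca.secretName is required when certs.internal_issuer.type is not selfsigning" -}}
{{- end -}}
{{/* … unchanged: branch for certs.internal_issuer.enabled false … */}}
```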
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
index 7ec56d4..f7235ba 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -299,12 +299,7 @@ spec:
 {{- if .Values.tls.proxy.enabled }}
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index faf1dff..b67a480 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -33,7 +33,7 @@ metadata:
 name: "{{ template "pulsar.fullname" . }}-ca"
 namespace: {{ template "pulsar.namespace" . }}
 spec:
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
 duration: "{{ .Values.certs.internal_issuer.duration }}"
 renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@@ -50,23 +50,13 @@ spec:
 # if you are using an external issuer, change this to that issuer group.
 group: cert-manager.io
 ---
+{{- end }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 ca:
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-{{- end }}
-{{- if eq .Values.certs.internal_issuer.type "ca" }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Issuer
-metadata:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
- namespace: {{ template "pulsar.namespace" . }}
-spec:
- ca:
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-{{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 {{- end }}
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml b/charts/pulsar/templates/tls-certs-internal.yaml
index 53afd60..ffe616a 100644
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -18,7 +18,6 @@
 #
 {{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
@@ -66,7 +65,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
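Review bot: Removing the `{{- if .Values.certs.internal_issuer.enabled }}` guard means the component `Certificate` resources are rendered whenever `tls.enabled` and the per-component `createCert` flags are set, whether or not cert-manager is installed, while the values.yaml hunk still presents cert-manager as a requirement of the internal issuer only; the `createCert` defaults are outside this diff, so I cannot tell how many existing installs are affected, but the values comments should state that `createCert` now needs cert-manager and `certs.issuers.ca.name` even with the internal issuer disabled. With an external issuer now a supported configuration, every `issuerRef` in this file's later hunks still hard-codes `kind: Issuer`, and the adjacent comment only says ClusterIssuers work by editing the template, so an external `ClusterIssuer` cannot be referenced through values; one line per `issuerRef` such as `kind: "{{ .Values.certs.issuers.ca.kind | default "Issuer" }}"` with a matching documented value would close that gap. The enclosing `{{- if .Values.tls.enabled }}` block continues past this hunk.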
@@ -122,7 +121,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
@@ -176,7 +175,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
@@ -230,7 +229,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
@@ -281,7 +280,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
@@ -332,7 +331,7 @@ spec:
 - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
 # Issuer references are always required.
 issuerRef:
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+ name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
 # We can reference ClusterIssuers by changing the kind here.
 # The default value is Issuer (i.e. a locally namespaced Issuer)
 kind: Issuer
@@ -342,4 +341,3 @@ spec:
 {{- end }}
 {{- end }}
-{{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
index ac386db..922f8ac 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -125,12 +125,7 @@ spec:
 {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
 - name: proxy-ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml
index b92fde6..fc7554f 100755
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -253,12 +253,7 @@ spec:
 path: tls.key
 - name: ca
 secret:
- {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
- secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
- {{- end }}
- {{- if eq .Values.certs.internal_issuer.type "ca" }}
- secretName: "{{ .Values.certs.issuers.ca.secretName }}"
- {{- end }}
+ secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 items:
 - key: ca.crt
 path: ca.crt
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 1e18d96..0a4f775 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -315,13 +315,15 @@ auth:
 ######################################################################
 ## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
 ##
 ## Cert manager is used for automatically provisioning TLS certificates
 ## for components within a Pulsar cluster
 certs:
 internal_issuer:
 apiVersion: cert-manager.io/v1
+ # To enable internal issuer for TLS certificates, set this to true
+ # It is necessary to have cert-manager installed in the cluster
 enabled: false
 component: internal-cert-issuer
 # The type of issuer, supports selfsigning and ca
@@ -331,10 +333,19 @@ certs:
 # 15d
 renewBefore: 360h
 issuers:
- # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
+ # Used for certs.internal_issuer.type as selfsigning
 selfsigning:
- # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+ # The name of the issuer, if not specified, the default value is used
 name:
+ # The secret name of the selfsigned CA certificate, if not specified, the default value is used
+ secretName:
+ # used for certs.internal_issuer.type as ca or when internal_issuer is disabled
 ca:
+ # The name of the issuer, it is mandatory to specify this value if TLS is enabled
+ # and selfsigning is not used
+ name:
+ # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
+ # and selfsigning is not used
 secretName:
 ######################################################################
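Review bot: The new comment on `selfsigning.name` says "The name of the issuer" without saying which one: _certs.tpl uses it as the name of the CA-backed `Issuer` that signs the component certificates, not of the bootstrap selfSigned issuer, and "the default value" is never spelled out. I would replace the two selfsigning comments with `# Name of the CA Issuer that signs component certs (not the bootstrap selfSigned issuer); default: <fullname>-<internal_issuer.component>-ca-issuer` and `# Secret holding the selfsigned CA certificate and key; default: <release>-<tls.ca_suffix>`. The `ca.name` comment says the value is mandatory whenever selfsigning is not used, but _certs.tpl only `fail`s when `certs.internal_issuer.enabled` is false and otherwise falls back to the same default, so "mandatory when certs.internal_issuer.enabled is false" is what the code enforces. The bare `name:` and `secretName:` entries render as null, which the templates treat as unset; `""` would make that intent explicit to readers and to schema tooling.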