add template for ca issuer name and secret name (#565)

* set template for ca issuer name and secret name + geo-replication installation example

* remove geo-replication from this PR

* use certs template to define ca name and secret name

* Handle proxy, toolset and zookeeper in the same way as others

* Make the logic more consistent by separating the selfsigning issuer configuration

---------

Co-authored-by: GLECROC <guillaume.lecroc@cnp.fr>
Co-authored-by: Lari Hotari <lhotari@users.noreply.github.com>
Co-authored-by: Lari Hotari <lhotari@apache.org>
gulecroc 2025-05-23 15:22:17 +02:00 committed by GitHub
parent 51a535d83d
commit 1180db46cd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 91 additions and 67 deletions


@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
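Review bot: The single `secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"` line replaces a branch that never consulted `certs.internal_issuer.enabled`, so a release that ran with the internal issuer disabled and a pre-created `<release>-<tls.ca_suffix>` Secret now aborts at template time with the helper's `fail` message unless `certs.issuers.ca.secretName` is set (whether `type` defaults to selfsigning is not visible here, but the old branch mounted the default name whenever it did). That is probably the intended tightening, yet it is an upgrade-breaking change the commit message does not call out. The same replacement is made in the bookie, broker, toolset and proxy volume hunks and in the two component hunks near the end of this page. I would add an upgrade note to the chart docs and a comment above the line such as `# CA bundle Secret; name resolved by pulsar.certs.issuers.ca.secretName, which fails when certs.issuers.ca.secretName is unset and the internal issuer is disabled`. The volume list and its enclosing define start and end outside this hunk.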


@ -75,12 +75,7 @@ Define bookie tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -81,12 +81,7 @@ Define broker tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -0,0 +1,60 @@
{{/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
*/}}
{{/*
Define the pulsar certs ca issuer name
*/}}
{{- define "pulsar.certs.issuers.ca.name" -}}
{{- if .Values.certs.internal_issuer.enabled -}}
{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
{{- .Values.certs.issuers.selfsigning.name -}}
{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
{{- .Values.certs.issuers.ca.name -}}
{{- else -}}
{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
{{- end -}}
{{- else -}}
{{- if .Values.certs.issuers.ca.name -}}
{{- .Values.certs.issuers.ca.name -}}
{{- else -}}
{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Define the pulsar certs ca issuer secret name
*/}}
{{- define "pulsar.certs.issuers.ca.secretName" -}}
{{- if .Values.certs.internal_issuer.enabled -}}
{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
{{- .Values.certs.issuers.selfsigning.secretName -}}
{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
{{- .Values.certs.issuers.ca.secretName -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
{{- end -}}
{{- else -}}
{{- if .Values.certs.issuers.ca.secretName -}}
{{- .Values.certs.issuers.ca.secretName -}}
{{- else -}}
{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
{{- end -}}
{{- end -}}
{{- end -}}
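Review bot: In `pulsar.certs.issuers.ca.secretName`, when the internal issuer is enabled with `type: "ca"` but `certs.issuers.ca.secretName` is empty, the `else if` on the ca line is false and the final `else` returns the selfsigned default `<release>-<tls.ca_suffix>`; after this commit that Secret appears to be produced only by the selfsigned Certificate in selfsigning mode, so the CA Issuer would reference a Secret nothing creates (unless an operator pre-creates it) and cert-manager would leave the issuer not ready instead of the chart failing early. The values.yaml comments at the bottom of this page already describe `ca.secretName` as mandatory when selfsigning is not used, so the helper should enforce it: insert `{{- else if eq .Values.certs.internal_issuer.type "ca" -}}` / `{{- fail "certs.issuers.ca.secretName is required when certs.internal_issuer.type is ca" -}}` before the existing `else`. The same shape exists in `pulsar.certs.issuers.ca.name`, though its fallback to the generated issuer name is harmless because the Issuer resource is rendered with the same helper. The two header comments could also spell out the resolution order (explicit value, then generated default, then `fail`) so readers do not have to trace the nested conditions.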


@ -74,12 +74,7 @@ Define toolset tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -299,12 +299,7 @@ spec:
{{- if .Values.tls.proxy.enabled }} {{- if .Values.tls.proxy.enabled }}
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -33,7 +33,7 @@ metadata:
name: "{{ template "pulsar.fullname" . }}-ca" name: "{{ template "pulsar.fullname" . }}-ca"
namespace: {{ template "pulsar.namespace" . }} namespace: {{ template "pulsar.namespace" . }}
spec: spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
duration: "{{ .Values.certs.internal_issuer.duration }}" duration: "{{ .Values.certs.internal_issuer.duration }}"
renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}" renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@ -50,23 +50,13 @@ spec:
# if you are using an external issuer, change this to that issuer group. # if you are using an external issuer, change this to that issuer group.
group: cert-manager.io group: cert-manager.io
--- ---
{{- end }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer kind: Issuer
metadata: metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
namespace: {{ template "pulsar.namespace" . }} namespace: {{ template "pulsar.namespace" . }}
spec: spec:
ca: ca:
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
namespace: {{ template "pulsar.namespace" . }}
spec:
ca:
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
{{- end }} {{- end }}


@ -18,7 +18,6 @@
# #
{{- if .Values.tls.enabled }} {{- if .Values.tls.enabled }}
{{- if .Values.certs.internal_issuer.enabled }}
{{- if .Values.tls.proxy.enabled }} {{- if .Values.tls.proxy.enabled }}
{{- if .Values.tls.proxy.createCert }} {{- if .Values.tls.proxy.createCert }}
@ -66,7 +65,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -122,7 +121,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -176,7 +175,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -230,7 +229,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -281,7 +280,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -332,7 +331,7 @@ spec:
- "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here. # We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer) # The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer kind: Issuer
@ -342,4 +341,3 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
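Review bot: Dropping the `certs.internal_issuer.enabled` guard makes each component Certificate render whenever `tls.enabled` and that component's `createCert` hold, yet `kind: Issuer` on every `issuerRef` stays hardcoded (proxy, broker, bookkeeper, autorecovery, toolset and zookeeper hunks alike), so the externally managed issuer named by `certs.issuers.ca.name` must be a namespaced Issuer in the release namespace and the comment "We can reference ClusterIssuers by changing the kind here" cannot be acted on through values. If external issuers are now a supported path, the kind (and probably the group) should come from values, e.g. `kind: "{{ .Values.certs.issuers.ca.kind | default "Issuer" }}"` with a matching values entry (that key name is a suggestion, not something the chart defines today). Users who previously ran with the internal issuer disabled and supplied their own per-component TLS Secrets may now get Certificates rendered for them unless `createCert` is false, which deserves a line in the upgrade notes. The per-component blocks and the outer `tls.enabled` condition start and end outside these hunks.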


@ -125,12 +125,7 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
- name: proxy-ca - name: proxy-ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -253,12 +253,7 @@ spec:
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -315,13 +315,15 @@ auth:
###################################################################### ######################################################################
## cert-manager ## cert-manager
## templates/tls-cert-issuer.yaml ## templates/tls-cert-internal-issuer.yaml
## ##
## Cert manager is used for automatically provisioning TLS certificates ## Cert manager is used for automatically provisioning TLS certificates
## for components within a Pulsar cluster ## for components within a Pulsar cluster
certs: certs:
internal_issuer: internal_issuer:
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
# To enable internal issuer for TLS certificates, set this to true
# It is necessary to have cert-manager installed in the cluster
enabled: false enabled: false
component: internal-cert-issuer component: internal-cert-issuer
# The type of issuer, supports selfsigning and ca # The type of issuer, supports selfsigning and ca
@ -331,10 +333,19 @@ certs:
# 15d # 15d
renewBefore: 360h renewBefore: 360h
issuers: issuers:
# Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource. # Used for certs.internal_issuer.type as selfsigning
selfsigning: selfsigning:
# used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key. # The name of the issuer, if not specified, the default value is used
name:
# The secret name of the selfsigned CA certificate, if not specified, the default value is used
secretName:
# used for certs.internal_issuer.type as ca or when internal_issuer is disabled
ca: ca:
# The name of the issuer, it is mandatory to specify this value if TLS is enabled
# and selfsigning is not used
name:
# The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
# and selfsigning is not used
secretName: secretName:
###################################################################### ######################################################################
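Review bot: The new comment on `selfsigning.secretName` describes it as "the secret name of the selfsigned CA certificate", but that Secret is also what the chart's CA Issuer reads through `spec.ca.secretName`, so it holds the CA's signing key as well as the certificate, while the component volumes on this page project only `ca.crt` out of it. I would make that explicit so operators know which Secret to restrict: `# Secret holding the selfsigned CA certificate and its signing key (read by the CA Issuer; workloads mount only ca.crt). Defaults to <release>-<tls.ca_suffix>.` The bare `name:` / `secretName:` entries parse as null, which is exactly what the helper's truthiness checks rely on, so they are fine as written but a trailing `# null = use the default` would stop a future edit from "fixing" them to `""`.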