add template for ca issuer name and secret name (#565)

* set template for ca issuer name and secret name + geo-replication installation example * remove geo-replication from this PR * use certs template to define ca name and secret name * Handle proxy, toolset and zookeeper in the same way as others * Make the logic more consistent by separating the selfsigning issuer configuration --------- Co-authored-by: GLECROC <guillaume.lecroc@cnp.fr> Co-authored-by: Lari Hotari <lhotari@users.noreply.github.com> Co-authored-by: Lari Hotari <lhotari@apache.org>
2025-05-23 15:22:17 +02:00 · 2025-05-23 15:22:17 +02:00 · 1180db46cd
commit 1180db46cd
parent 51a535d83d
11 changed files with 91 additions and 67 deletions
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
      path: tls.key
 - name: ca
  secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@ -75,12 +75,7 @@ Define bookie tls certs volumes
      path: tls.key
 - name: ca
  secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@ -81,12 +81,7 @@ Define broker tls certs volumes
      path: tls.key
 - name: ca
  secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@ -0,0 +1,60 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
+{{- .Values.certs.issuers.selfsigning.name -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
+{{- .Values.certs.issuers.selfsigning.secretName -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@ -74,12 +74,7 @@ Define toolset tls certs volumes
      path: tls.key
 - name: ca
  secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@ -299,12 +299,7 @@ spec:
        {{- if .Values.tls.proxy.enabled }}
        - name: ca
          secret:
-            {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-            secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-            {{- end }}
-            {{- if eq .Values.certs.internal_issuer.type "ca" }}
-            secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-            {{- end }}
+            secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
            items:
              - key: ca.crt
                path: ca.crt
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@ -33,7 +33,7 @@ metadata:
  name: "{{ template "pulsar.fullname" . }}-ca"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+  secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
  commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
  duration: "{{ .Values.certs.internal_issuer.duration }}"
  renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@ -50,23 +50,13 @@ spec:
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
+{{- end }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  ca:
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-{{- end }}
-{{- if eq .Values.certs.internal_issuer.type "ca" }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Issuer
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  ca:
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-{{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 {{- end }}
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@ -18,7 +18,6 @@
 #

 {{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}

 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
@ -66,7 +65,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -122,7 +121,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -176,7 +175,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -230,7 +229,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -281,7 +280,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -332,7 +331,7 @@ spec:
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
  # Issuer references are always required.
  issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
@ -342,4 +341,3 @@ spec:
 {{- end }}

 {{- end }}
-{{- end }}
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@ -125,12 +125,7 @@ spec:
      {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
      - name: proxy-ca
        secret:
-          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-          {{- end }}
-          {{- if eq .Values.certs.internal_issuer.type "ca" }}
-          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-          {{- end }}
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
          items:
            - key: ca.crt
              path: ca.crt
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@ -253,12 +253,7 @@ spec:
              path: tls.key
      - name: ca
        secret:
-          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-          {{- end }}
-          {{- if eq .Values.certs.internal_issuer.type "ca" }}
-          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-          {{- end }}
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
          items:
            - key: ca.crt
              path: ca.crt
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@ -315,13 +315,15 @@ auth:
 ######################################################################

 ## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
 ##
 ## Cert manager is used for automatically provisioning TLS certificates
 ## for components within a Pulsar cluster
 certs:
  internal_issuer:
    apiVersion: cert-manager.io/v1
+    # To enable internal issuer for TLS certificates, set this to true
+    # It is necessary to have cert-manager installed in the cluster
    enabled: false
    component: internal-cert-issuer
    # The type of issuer, supports selfsigning and ca
@ -331,10 +333,19 @@ certs:
    # 15d
    renewBefore: 360h
  issuers:
-    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
+    # Used for certs.internal_issuer.type as selfsigning
    selfsigning:
-    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+      # The name of the issuer, if not specified, the default value is used
+      name:
+      # The secret name of the selfsigned CA certificate, if not specified, the default value is used
+      secretName:
+    # used for certs.internal_issuer.type as ca or when internal_issuer is disabled
    ca:
+      # The name of the issuer, it is mandatory to specify this value if TLS is enabled
+      # and selfsigning is not used
+      name:
+      # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
+      # and selfsigning is not used
      secretName:

 ######################################################################