diff --git a/README.md b/README.md
index 8303964..099f7e1 100644
--- a/README.md
+++ b/README.md
@@ -160,7 +160,7 @@ It includes support for:
  - [x] Broker
  - [x] Toolset
  - [x] Bookie
- - [x] ZooKeeper
+ - [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)
  - [x] Authentication
    - [x] JWT
    - [x] OpenID
@@ -402,6 +402,15 @@ helm upgrade -n -f values.yaml apachepulsar/pu
 
 For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
 
+## Upgrading to Helm chart version 4.2.0 (not released yet)
+
+### TLS configuration for ZooKeeper has changed
+
+The TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.
+This change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.
+The revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.
+If you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.
+
 ## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
 
 ### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`
diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl
index 60ea55d..f5b4185 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -36,7 +36,7 @@ Define autorecovery zookeeper client tls settings */}} {{- define "pulsar.autorecovery.zookeeper.tls.settings" -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} -/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true; +{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "autorecovery" "isClient" true) -}} {{- end }} {{- end }} @@ -51,11 +51,6 @@ Define autorecovery tls certs mounts - name: ca mountPath: "/pulsar/certs/ca" readOnly: true -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - mountPath: "/pulsar/keytool/keytool.sh" - subPath: keytool.sh -{{- end }} {{- end }} {{- end }} @@ -72,18 +67,14 @@ Define autorecovery tls certs volumes path: tls.crt - key: tls.key path: tls.key + - key: tls-combined.pem + path: tls-combined.pem - name: ca secret: secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" items: - key: ca.crt path: ca.crt -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - configMap: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - defaultMode: 0755 -{{- end }} {{- end }} {{- end }} @@ -93,7 +84,7 @@ Define autorecovery init container : verify cluster id {{- define "pulsar.autorecovery.init.verify_cluster_id" -}} bin/apply-config-from-env.py conf/bookkeeper.conf; export BOOKIE_MEM="-Xmx128M"; -{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}} +{{- include "pulsar.autorecovery.zookeeper.tls.settings" . }} until timeout 15 bin/bookkeeper shell whatisinstanceid; do sleep 3; done; diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl index b8b367a..a279737 100644 --- a/charts/pulsar/templates/_bookkeeper.tpl +++ b/charts/pulsar/templates/_bookkeeper.tpl 
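Review bot: The `tls-combined.pem` projection added in the autorecovery volumes hunk (`@@ -72,18 +67,14 @@`) is unconditional, while the equivalent additions in `_bookkeeper.tpl` and `_broker.tpl` are wrapped in `{{- if .Values.tls.zookeeper.enabled }}`; the same unconditional form appears in the `_toolset.tpl` volumes hunk and in `zookeeper-statefulset.yaml`. A secret volume whose `items` list names a key the Secret does not contain does not mount, so a release whose autorecovery cert Secret was issued without `additionalOutputFormats` (cert-manager below 1.15.0 without the feature gate, or an operator-supplied Secret) leaves the pod stuck in ContainerCreating with no pointer to the feature gate. If the autorecovery certificate is only ever issued with ZooKeeper TLS enabled, a comment on the new item saying so, e.g. `{{/* autorecovery certs are only issued when tls.zookeeper.enabled, so tls-combined.pem always exists */}}`, makes the asymmetry intentional; otherwise wrap it in the same guard as the bookie and broker volumes. The enclosing `define` starts before the hunk.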
@@ -37,7 +37,7 @@ Define bookie zookeeper client tls settings */}} {{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} -/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true; +{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "bookie" "isClient" true) -}} {{- end }} {{- end }} @@ -52,11 +52,6 @@ Define bookie tls certs mounts - name: ca mountPath: "/pulsar/certs/ca" readOnly: true -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - mountPath: "/pulsar/keytool/keytool.sh" - subPath: keytool.sh -{{- end }} {{- end }} {{- end }} @@ -73,18 +68,16 @@ Define bookie tls certs volumes path: tls.crt - key: tls.key path: tls.key +{{- if .Values.tls.zookeeper.enabled }} + - key: tls-combined.pem + path: tls-combined.pem +{{- end }} - name: ca secret: secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" items: - key: ca.crt path: ca.crt -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - configMap: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - defaultMode: 0755 -{{- end }} {{- end }} {{- end }} @@ -147,7 +140,7 @@ Define bookie init container : verify cluster id {{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }} bin/apply-config-from-env.py conf/bookkeeper.conf; export BOOKIE_MEM="-Xmx128M"; -{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} +{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }} until timeout 15 bin/bookkeeper shell whatisinstanceid; do sleep 3; done; @@ -157,7 +150,7 @@ bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true set -e; bin/apply-config-from-env.py conf/bookkeeper.conf; export BOOKIE_MEM="-Xmx128M"; -{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} +{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }} until timeout 15 bin/bookkeeper shell whatisinstanceid; do sleep 3; done; 
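Review bot: The change from `-}}` to `}}` on the `include "pulsar.bookkeeper.zookeeper.tls.settings"` line in both init-container hunks is load-bearing but invisible to a later whitespace cleanup: the included template ends on the last `echo ... >> conf/bkenv.sh` without a trailing newline, so right-trimming would glue that redirect onto the following `until timeout 15 bin/bookkeeper shell whatisinstanceid` command and the whole init script would change meaning. A template comment next to each include, e.g. `{{- /* no right-trim here: the included script must be followed by a newline before the until loop */}}`, would protect it. The same applies to the autorecovery init hunk in `_autorecovery.tpl`. Both enclosing defines start before their hunks.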
diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl index b5b86f2..773ae15 100644 --- a/charts/pulsar/templates/_broker.tpl +++ b/charts/pulsar/templates/_broker.tpl @@ -43,7 +43,7 @@ Define broker zookeeper client tls settings */}} {{- define "pulsar.broker.zookeeper.tls.settings" -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} -/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true; +{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "broker" "isClient" true) -}} {{- end }} {{- end }} @@ -58,11 +58,6 @@ Define broker tls certs mounts - name: ca mountPath: "/pulsar/certs/ca" readOnly: true -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - mountPath: "/pulsar/keytool/keytool.sh" - subPath: keytool.sh -{{- end }} {{- end }} {{- end }} @@ -79,17 +74,15 @@ Define broker tls certs volumes path: tls.crt - key: tls.key path: tls.key +{{- if .Values.tls.zookeeper.enabled }} + - key: tls-combined.pem + path: tls-combined.pem +{{- end }} - name: ca secret: secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" items: - key: ca.crt path: ca.crt -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - configMap: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - defaultMode: 0755 -{{- end }} {{- end }} {{- end }} diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl index 739fbf0..8c5d93a 100644 --- a/charts/pulsar/templates/_certs.tpl +++ b/charts/pulsar/templates/_certs.tpl 
@@ -57,4 +57,58 @@ Define the pulsar certs ca issuer secret name {{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}} {{- end -}} {{- end -}} +{{- end -}} + +{{/* +Common certificate template +Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}} +*/}} +{{- define "pulsar.cert.template" -}} +{{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}} +{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}} +{{- end -}} +apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}" +kind: Certificate +metadata: + name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}" + namespace: {{ template "pulsar.namespace" .root }} +spec: + # Secret names are always required. + secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}" +{{- if .root.Values.tls.zookeeper.enabled }} + additionalOutputFormats: + - type: CombinedPEM +{{- end }} + duration: "{{ .root.Values.tls.common.duration }}" + renewBefore: "{{ .root.Values.tls.common.renewBefore }}" + subject: + organizations: +{{ toYaml .root.Values.tls.common.organization | indent 4 }} + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}" + isCA: false + privateKey: + size: {{ .root.Values.tls.common.keySize }} + algorithm: {{ .root.Values.tls.common.keyAlgorithm }} + encoding: {{ .root.Values.tls.common.keyEncoding }} + usages: + - server auth + - client auth + # At least one of a DNS Name, USI SAN, or IP address is required. 
+ dnsNames: +{{- if .tlsConfig.dnsNames }} +{{ toYaml .tlsConfig.dnsNames | indent 4 }} +{{- end }} + - {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }} + - {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }} + # Issuer references are always required. + issuerRef: + name: "{{ template "pulsar.certs.issuers.ca.name" .root }}" + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io {{- end -}} \ No newline at end of file diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl index fe3295b..0865c67 100644 --- a/charts/pulsar/templates/_toolset.tpl +++ b/charts/pulsar/templates/_toolset.tpl @@ -36,7 +36,7 @@ Define toolset zookeeper client tls settings */}} {{- define "pulsar.toolset.zookeeper.tls.settings" -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}} -/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true; +{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "toolset" "isClient" true) -}} {{- end -}} {{- end }} @@ -51,11 +51,6 @@ Define toolset tls certs mounts - name: ca mountPath: "/pulsar/certs/ca" readOnly: true -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - mountPath: "/pulsar/keytool/keytool.sh" - subPath: keytool.sh -{{- end }} {{- end }} {{- end }} 
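Review bot: The comment `# At least one of a DNS Name, USI SAN, or IP address is required.` in the new `pulsar.cert.template` carries over a typo and should read `URI SAN`. Separately, `additionalOutputFormats: - type: CombinedPEM` is emitted for every Certificate rendered through this template (proxy, broker, bookie, autorecovery, toolset and zookeeper) whenever `tls.zookeeper.enabled` is set, so the feature-gate requirement stated in the README applies to all certificates in the release rather than only the ZooKeeper one; a comment beside that `if`, such as `# CombinedPEM output needs the AdditionalCertificateOutputFormats gate on cert-manager < 1.15.0`, would make that visible in the rendered manifests. The usage example in the header shows `{{- include "pulsar.cert.template" ... -}}` while every caller in `tls-certs-internal.yaml` uses the untrimmed `{{ include ... }}`; aligning the example with the callers avoids a whitespace-trim surprise for the next component that copies it.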
@@ -72,17 +67,13 @@ Define toolset tls certs volumes path: tls.crt - key: tls.key path: tls.key + - key: tls-combined.pem + path: tls-combined.pem - name: ca secret: secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" items: - key: ca.crt path: ca.crt -{{- if .Values.tls.zookeeper.enabled }} -- name: keytool - configMap: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - defaultMode: 0755 -{{- end }} {{- end }} {{- end }} diff --git a/charts/pulsar/templates/_zookeeper.tpl b/charts/pulsar/templates/_zookeeper.tpl index 215b455..e546cde 100644 --- a/charts/pulsar/templates/_zookeeper.tpl +++ b/charts/pulsar/templates/_zookeeper.tpl 
@@ -53,7 +53,23 @@ Define zookeeper tls settings */}} {{- define "pulsar.zookeeper.tls.settings" -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} -/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false; +{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "zookeeper" "isClient" false) -}} +{{- end }} +{{- end }} + +{{- define "pulsar.component.zookeeper.tls.settings" }} +{{- $component := .component -}} +{{- $isClient := .isClient -}} +{{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}} +{{- $caFile := "/pulsar/certs/ca/ca.crt" -}} +{{- if $isClient }} +echo $'\n' >> conf/pulsar_env.sh +echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh +echo $'\n' >> conf/bkenv.sh +echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh +{{- else }} +echo $'\n' >> conf/pulsar_env.sh +echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh {{- end }} {{- end }} diff --git a/charts/pulsar/templates/keytool.yaml b/charts/pulsar/templates/keytool.yaml deleted file mode 100644 index 43cec2d..0000000 --- a/charts/pulsar/templates/keytool.yaml +++ /dev/null 
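Review bot: The new `pulsar.component.zookeeper.tls.settings` define has no `{{/* ... */}}` header, unlike the surrounding defines, so its dict contract is only discoverable from the body: `component` selects `/pulsar/certs/<component>/tls-combined.pem` as the PEM keystore, and `isClient` chooses between the client flags appended to both `conf/pulsar_env.sh` and `conf/bkenv.sh` and the server flags appended to `conf/pulsar_env.sh` only; a short header describing both keys and the files touched is worth adding. The client branch sets `-Dzookeeper.client.certReload=true`, but the server branch sets no reload-related property, so as far as this hunk shows a renewed `tls-combined.pem` is picked up by clients while the ZooKeeper server keeps presenting the previous certificate until its pod restarts; if ZooKeeper offers an equivalent server-side option it belongs here, otherwise the 4.2.0 upgrade note should state that ZooKeeper pods must be restarted after renewal. `{{- if $isClient }}` is correct for the boolean the callers pass, but a caller passing the string `"false"` would take the client branch, which is worth one line in the header.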
@@ -1,110 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# script to process key/cert to keystore and truststore -{{- if .Values.tls.zookeeper.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - namespace: {{ template "pulsar.namespace" . }} - labels: - {{- include "pulsar.standardLabels" . | nindent 4 }} - component: keytool -data: - keytool.sh: | - #!/bin/bash - component=$1 - name=$2 - isClient=$3 - crtFile=/pulsar/certs/${component}/tls.crt - keyFile=/pulsar/certs/${component}/tls.key - caFile=/pulsar/certs/ca/ca.crt - tlsDir=/tmp/pulsar-tls$$ - p12File=${tlsDir}/${component}.p12 - keyStoreFile=${tlsDir}/${component}.keystore.jks - trustStoreFile=${tlsDir}/${component}.truststore.jks - - # create tmp dir for keystore and truststore files - mkdir ${tlsDir} - chmod 0700 ${tlsDir} - - function checkFile() { - local file=$1 - local len=$(wc -c ${file} | awk '{print $1}') - echo "processing ${file} : len = ${len}" - if [ ! 
-f ${file} ]; then - echo "${file} is not found" - return -1 - fi - if [ $len -le 0 ]; then - echo "${file} is empty" - return -1 - fi - } - - function ensureFileNotEmpty() { - local file=$1 - until checkFile ${file}; do - echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3; - done; - } - - ensureFileNotEmpty ${crtFile} - ensureFileNotEmpty ${keyFile} - ensureFileNotEmpty ${caFile} - - PASSWORD=$(head /dev/urandom | base64 | head -c 24) - - openssl pkcs12 \ - -export \ - -in ${crtFile} \ - -inkey ${keyFile} \ - -out ${p12File} \ - -name ${name} \ - -passout "pass:${PASSWORD}" - - keytool -importkeystore \ - -srckeystore ${p12File} \ - -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \ - -alias ${name} \ - -destkeystore ${keyStoreFile} \ - -deststorepass "${PASSWORD}" - - keytool -import \ - -file ${caFile} \ - -storetype JKS \ - -alias ${name} \ - -keystore ${trustStoreFile} \ - -storepass "${PASSWORD}" \ - -trustcacerts -noprompt - - ensureFileNotEmpty ${keyStoreFile} - ensureFileNotEmpty ${trustStoreFile} - - if [[ "x${isClient}" == "xtrue" ]]; then - echo $'\n' >> conf/pulsar_env.sh - echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh - echo $'\n' >> conf/bkenv.sh - echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh - else - echo $'\n' >> conf/pulsar_env.sh - echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} 
-Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh - fi -{{- end }} diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml index f7235ba..9324a69 100644 --- a/charts/pulsar/templates/proxy-statefulset.yaml +++ b/charts/pulsar/templates/proxy-statefulset.yaml @@ -311,6 +311,10 @@ spec: path: tls.crt - key: tls.key path: tls.key +{{- if .Values.tls.zookeeper.enabled }} + - key: tls-combined.pem + path: tls-combined.pem +{{- end }} {{- end}} {{- end}} {{- end }} diff --git a/charts/pulsar/templates/tls-certs-internal.yaml b/charts/pulsar/templates/tls-certs-internal.yaml index ffe616a..08fd2b3 100644 --- a/charts/pulsar/templates/tls-certs-internal.yaml +++ b/charts/pulsar/templates/tls-certs-internal.yaml 
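Review bot: The `tls-combined.pem` item added to the proxy's certificate volume has no consumer visible in this diff: no proxy counterpart of `pulsar.component.zookeeper.tls.settings` is introduced and the proxy is not among the ZooKeeper clients reconfigured here. If the proxy does not read the combined PEM, dropping the item keeps the projection to what the container uses (the key material is already present as `tls.key`); if something outside this diff consumes it, a comment naming that consumer, e.g. `# consumed by PROXY_ZK_TLS_SETTINGS_TEMPLATE (placeholder) — keep in sync`, would stop a later cleanup from removing it. The enclosing volume definition starts before the hunk.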
@@ -21,323 +21,27 @@ {{- if .Values.tls.proxy.enabled }} {{- if .Values.tls.proxy.createCert }} -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. - secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - # At least one of a DNS Name, USI SAN, or IP address is required. - dnsNames: -{{- if .Values.tls.proxy.dnsNames }} -{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }} -{{- end }} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . 
}}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) }} --- {{- end }} {{- end }} {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }} -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. - secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - # At least one of a DNS Name, USI SAN, or IP address is required. 
- dnsNames: -{{- if .Values.tls.broker.dnsNames }} -{{ toYaml .Values.tls.broker.dnsNames | indent 4 }} -{{- end}} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . }}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.broker "tlsConfig" .Values.tls.broker) }} --- {{- end }} {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }} -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. - secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . 
}}-{{ .Values.bookkeeper.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - dnsNames: -{{- if .Values.tls.bookie.dnsNames }} -{{ toYaml .Values.tls.bookie.dnsNames | indent 4 }} -{{- end }} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . }}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.bookkeeper "tlsConfig" .Values.tls.bookie) }} --- {{- end }} {{- if .Values.tls.zookeeper.enabled }} -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.autorecovery.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. 
- secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - dnsNames: -{{- if .Values.tls.autorecovery.dnsNames }} -{{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }} -{{- end }} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . }}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . 
"componentConfig" .Values.autorecovery "tlsConfig" .Values.tls.autorecovery) }} --- -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. - secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - dnsNames: -{{- if .Values.tls.toolset.dnsNames }} -{{ toYaml .Values.tls.toolset.dnsNames | indent 4 }} -{{- end }} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . }}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. 
a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.toolset "tlsConfig" .Values.tls.toolset) }} --- -apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" -kind: Certificate -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name }}" - namespace: {{ template "pulsar.namespace" . }} -spec: - # Secret names are always required. - secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}" - duration: "{{ .Values.tls.common.duration }}" - renewBefore: "{{ .Values.tls.common.renewBefore }}" - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - subject: - organizations: -{{ toYaml .Values.tls.common.organization | indent 4 }} - {{- else }} - organization: -{{ toYaml .Values.tls.common.organization | indent 2 }} - {{- end }} - # The use of the common name field has been deprecated since 2000 and is - # discouraged from being used. - commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - isCA: false - {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} - privateKey: - size: {{ .Values.tls.common.keySize }} - algorithm: {{ .Values.tls.common.keyAlgorithm }} - encoding: {{ .Values.tls.common.keyEncoding }} - {{- else }} - keySize: {{ .Values.tls.common.keySize }} - keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} - keyEncoding: {{ .Values.tls.common.keyEncoding }} - {{- end }} - usages: - - server auth - - client auth - dnsNames: -{{- if .Values.tls.zookeeper.dnsNames }} -{{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }} -{{- end }} - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . 
}}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - # Issuer references are always required. - issuerRef: - name: "{{ template "pulsar.certs.issuers.ca.name" . }}" - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io +{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.zookeeper "tlsConfig" .Values.tls.zookeeper) }} {{- end }} {{- end }} diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml index fc7554f..292642a 100755 --- a/charts/pulsar/templates/zookeeper-statefulset.yaml +++ b/charts/pulsar/templates/zookeeper-statefulset.yaml @@ -227,9 +227,6 @@ spec: - mountPath: "/pulsar/certs/ca" name: ca readOnly: true - - name: keytool - mountPath: "/pulsar/keytool/keytool.sh" - subPath: keytool.sh {{- end }} {{- if .Values.zookeeper.extraVolumeMounts }} {{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }} @@ -251,16 +248,14 @@ spec: path: tls.crt - key: tls.key path: tls.key + - key: tls-combined.pem + path: tls-combined.pem - name: ca secret: secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" items: - key: ca.crt path: ca.crt - - name: keytool - configMap: - name: "{{ template "pulsar.fullname" . }}-keytool-configmap" - defaultMode: 0755 {{- end}} {{- include "pulsar.imagePullSecrets" . | nindent 6}} {{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }} diff --git a/scripts/cert-manager/install-cert-manager.sh b/scripts/cert-manager/install-cert-manager.sh index 8e63066..b35a334 100755 --- a/scripts/cert-manager/install-cert-manager.sh +++ b/scripts/cert-manager/install-cert-manager.sh 
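Review bot: Replacing the six inline Certificate manifests with `pulsar.cert.template` also removes the `cert-manager.io/v1beta1` branches (`organization`, `keySize`, `keyAlgorithm`, `keyEncoding`) and turns that apiVersion into a hard `fail` in the shared template, yet the README upgrade section added in this commit only mentions the feature gate. A line in the 4.2.0 notes such as `certs.internal_issuer.apiVersion must be cert-manager.io/v1; cert-manager.io/v1beta1 is no longer supported and rendering fails with an explicit message` would save operators a failed upgrade. The `---` separators and the `if` guards around each include are kept, so the set and order of rendered Certificates is unchanged, which is worth stating in the commit description for reviewers of the rendered output.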
@@ -25,7 +25,7 @@ set -e
 NAMESPACE=cert-manager
 NAME=cert-manager
 # check compatibility with k8s versions from https://cert-manager.io/docs/installation/supported-releases/
-VERSION=v1.12.16
+VERSION=v1.12.17
 
 # Install cert-manager CustomResourceDefinition resources
 echo "Installing cert-manager CRD resources ..."
@@ -41,10 +41,12 @@ echo "Updating local helm chart repository cache ..."
 helm repo update
 
 echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as '${NAME}' ..."
-helm install \
+helm upgrade \
+  --install \
   --namespace ${NAMESPACE} \
   --create-namespace \
   --version ${VERSION} \
+  --set featureGates=AdditionalCertificateOutputFormats=true \
   ${NAME} \
   jetstack/cert-manager
 echo "Successfully installed cert-manager ${VERSION}."
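Review bot: `--set featureGates=AdditionalCertificateOutputFormats=true` enables the gate on the cert-manager controller only; cert-manager's documentation for this alpha gate, for releases where it is not on by default (which per the README includes 1.12.17), also describes enabling it on the webhook through the chart's `webhook.featureGates` value, so confirm against the 1.12 docs whether `additionalOutputFormats` is accepted with the controller-only setting before relying on this script. Since the command is now `helm upgrade --install`, the closing `echo "Successfully installed cert-manager ${VERSION}."` is misleading on the upgrade path the README directs users to; `echo "Successfully installed or upgraded cert-manager ${VERSION}."` matches the new behaviour. A comment above the `--set` line, e.g. `# required for additionalOutputFormats on cert-manager < 1.15.0; a no-op on newer releases`, ties the script to the README statement.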