Use PEM files directly as ZooKeeper keystore and truststore (#613)

This commit is contained in:
Lari Hotari 2025-05-30 18:16:04 +03:00 committed by GitHub
parent fdcfe60fe9
commit 2d16ffefd4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 116 additions and 474 deletions


@ -160,7 +160,7 @@ It includes support for:
- [x] Broker - [x] Broker
- [x] Toolset - [x] Toolset
- [x] Bookie - [x] Bookie
- [x] ZooKeeper - [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)
- [x] Authentication - [x] Authentication
- [x] JWT - [x] JWT
- [x] OpenID - [x] OpenID
@ -402,6 +402,15 @@ helm upgrade -n <namespace> -f values.yaml <pulsar-release-name> apachepulsar/pu
For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide. For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
## Upgrading to Helm chart version 4.2.0 (not released yet)
### TLS configuration for ZooKeeper has changed
The TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.
This change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.
The revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.
If you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.
## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above ## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP` ### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`


@ -36,7 +36,7 @@ Define autorecovery zookeeper client tls settings
*/}} */}}
{{- define "pulsar.autorecovery.zookeeper.tls.settings" -}} {{- define "pulsar.autorecovery.zookeeper.tls.settings" -}}
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true; {{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "autorecovery" "isClient" true) -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -51,11 +51,6 @@ Define autorecovery tls certs mounts
- name: ca - name: ca
mountPath: "/pulsar/certs/ca" mountPath: "/pulsar/certs/ca"
readOnly: true readOnly: true
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
mountPath: "/pulsar/keytool/keytool.sh"
subPath: keytool.sh
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -72,18 +67,14 @@ Define autorecovery tls certs volumes
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
- key: tls-combined.pem
path: tls-combined.pem
- name: ca - name: ca
secret: secret:
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
configMap:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
defaultMode: 0755
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -93,7 +84,7 @@ Define autorecovery init container : verify cluster id
{{- define "pulsar.autorecovery.init.verify_cluster_id" -}} {{- define "pulsar.autorecovery.init.verify_cluster_id" -}}
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
export BOOKIE_MEM="-Xmx128M"; export BOOKIE_MEM="-Xmx128M";
{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}} {{- include "pulsar.autorecovery.zookeeper.tls.settings" . }}
until timeout 15 bin/bookkeeper shell whatisinstanceid; do until timeout 15 bin/bookkeeper shell whatisinstanceid; do
sleep 3; sleep 3;
done; done;
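Review bot: The `tls-combined.pem` item added to the autorecovery certs volume (the `- key: tls-combined.pem` / `path: tls-combined.pem` pair in the third hunk) is unconditional, whereas the same item in the bookie and broker templates of this commit is wrapped in `{{- if .Values.tls.zookeeper.enabled }}`. If this volume definition can be rendered while `tls.zookeeper.enabled` is false, the Secret will not contain that key (cert-manager only emits it when `additionalOutputFormats` is set) and the kubelet will refuse to mount the volume, so the pod never starts; the enclosing `define` begins before this hunk, so whether an outer guard already covers it is not visible here. Either wrap the two lines in the same `{{- if .Values.tls.zookeeper.enabled }}` … `{{- end }}` guard used for bookie and broker, or add a template comment stating that this define is only reached when ZooKeeper TLS is enabled.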


@ -37,7 +37,7 @@ Define bookie zookeeper client tls settings
*/}} */}}
{{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}} {{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}}
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true; {{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "bookie" "isClient" true) -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -52,11 +52,6 @@ Define bookie tls certs mounts
- name: ca - name: ca
mountPath: "/pulsar/certs/ca" mountPath: "/pulsar/certs/ca"
readOnly: true readOnly: true
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
mountPath: "/pulsar/keytool/keytool.sh"
subPath: keytool.sh
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -73,18 +68,16 @@ Define bookie tls certs volumes
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
{{- if .Values.tls.zookeeper.enabled }}
- key: tls-combined.pem
path: tls-combined.pem
{{- end }}
- name: ca - name: ca
secret: secret:
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
configMap:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
defaultMode: 0755
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -147,7 +140,7 @@ Define bookie init container : verify cluster id
{{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }} {{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }}
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
export BOOKIE_MEM="-Xmx128M"; export BOOKIE_MEM="-Xmx128M";
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
until timeout 15 bin/bookkeeper shell whatisinstanceid; do until timeout 15 bin/bookkeeper shell whatisinstanceid; do
sleep 3; sleep 3;
done; done;
@ -157,7 +150,7 @@ bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true
set -e; set -e;
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
export BOOKIE_MEM="-Xmx128M"; export BOOKIE_MEM="-Xmx128M";
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}} {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
until timeout 15 bin/bookkeeper shell whatisinstanceid; do until timeout 15 bin/bookkeeper shell whatisinstanceid; do
sleep 3; sleep 3;
done; done;


@ -43,7 +43,7 @@ Define broker zookeeper client tls settings
*/}} */}}
{{- define "pulsar.broker.zookeeper.tls.settings" -}} {{- define "pulsar.broker.zookeeper.tls.settings" -}}
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true; {{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "broker" "isClient" true) -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -58,11 +58,6 @@ Define broker tls certs mounts
- name: ca - name: ca
mountPath: "/pulsar/certs/ca" mountPath: "/pulsar/certs/ca"
readOnly: true readOnly: true
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
mountPath: "/pulsar/keytool/keytool.sh"
subPath: keytool.sh
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -79,17 +74,15 @@ Define broker tls certs volumes
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
{{- if .Values.tls.zookeeper.enabled }}
- key: tls-combined.pem
path: tls-combined.pem
{{- end }}
- name: ca - name: ca
secret: secret:
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
configMap:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
defaultMode: 0755
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -57,4 +57,58 @@ Define the pulsar certs ca issuer secret name
{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}} {{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}}
{{/*
Common certificate template
Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}}
*/}}
{{- define "pulsar.cert.template" -}}
{{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
{{- end -}}
apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
namespace: {{ template "pulsar.namespace" .root }}
spec:
# Secret names are always required.
secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
{{- if .root.Values.tls.zookeeper.enabled }}
additionalOutputFormats:
- type: CombinedPEM
{{- end }}
duration: "{{ .root.Values.tls.common.duration }}"
renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
subject:
organizations:
{{ toYaml .root.Values.tls.common.organization | indent 4 }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}"
isCA: false
privateKey:
size: {{ .root.Values.tls.common.keySize }}
algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
encoding: {{ .root.Values.tls.common.keyEncoding }}
usages:
- server auth
- client auth
# At least one of a DNS Name, USI SAN, or IP address is required.
dnsNames:
{{- if .tlsConfig.dnsNames }}
{{ toYaml .tlsConfig.dnsNames | indent 4 }}
{{- end }}
- {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }}
- {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
{{- end -}} {{- end -}}
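Review bot: `additionalOutputFormats: CombinedPEM` in `pulsar.cert.template` is keyed only on `.root.Values.tls.zookeeper.enabled`, so every Certificate rendered through the template — the proxy certificate included — gets a `tls-combined.pem` key holding a second copy of its private key, although no hunk in this commit mounts that key for the proxy. A per-call flag keeps the extra key to the Secrets that are actually consumed: pass `"combinedPem" .Values.tls.zookeeper.enabled` in the dict at the call sites whose pods mount the file and test `{{- if .combinedPem }}` here instead. Note also that the combined file is now parsed directly by ZooKeeper's PEM loader rather than converted through `openssl pkcs12`, so the set of `tls.common.keyEncoding` values that work may be narrower than before; if only one encoding is known to work, a `fail` guard on the value, or a comment next to `encoding:`, would spare users a confusing TLS handshake failure.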


@ -36,7 +36,7 @@ Define toolset zookeeper client tls settings
*/}} */}}
{{- define "pulsar.toolset.zookeeper.tls.settings" -}} {{- define "pulsar.toolset.zookeeper.tls.settings" -}}
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}}
/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true; {{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "toolset" "isClient" true) -}}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
@ -51,11 +51,6 @@ Define toolset tls certs mounts
- name: ca - name: ca
mountPath: "/pulsar/certs/ca" mountPath: "/pulsar/certs/ca"
readOnly: true readOnly: true
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
mountPath: "/pulsar/keytool/keytool.sh"
subPath: keytool.sh
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -72,17 +67,13 @@ Define toolset tls certs volumes
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
- key: tls-combined.pem
path: tls-combined.pem
- name: ca - name: ca
secret: secret:
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
configMap:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
defaultMode: 0755
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -53,7 +53,23 @@ Define zookeeper tls settings
*/}} */}}
{{- define "pulsar.zookeeper.tls.settings" -}} {{- define "pulsar.zookeeper.tls.settings" -}}
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }} {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false; {{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "zookeeper" "isClient" false) -}}
{{- end }}
{{- end }}
{{- define "pulsar.component.zookeeper.tls.settings" }}
{{- $component := .component -}}
{{- $isClient := .isClient -}}
{{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}}
{{- $caFile := "/pulsar/certs/ca/ca.crt" -}}
{{- if $isClient }}
echo $'\n' >> conf/pulsar_env.sh
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
echo $'\n' >> conf/bkenv.sh
echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh
{{- else }}
echo $'\n' >> conf/pulsar_env.sh
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
{{- end }} {{- end }}
{{- end }} {{- end }}
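Review bot: The client branch of `pulsar.component.zookeeper.tls.settings` enables `-Dzookeeper.client.certReload=true`, but the server branch (`isClient` false) sets only the store locations, so whether the ZooKeeper server itself picks up a renewed `tls-combined.pem` depends on the server-side reloading built into the ZooKeeper version shipped in the image; since the commit's stated purpose is fixing expiry, that dependency deserves a comment. Also, both paths point into a Kubernetes Secret volume, which is updated by swapping the `..data` symlink rather than rewriting `tls-combined.pem`; if ZooKeeper's file watcher only reacts to events on the watched file name, the reload may never fire on rotation, so this should be confirmed with a forced renewal rather than assumed. A template comment above the define such as `{{/* Key and trust material are read as PEM straight from the Secret mount; client reload relies on zookeeper.client.certReload, server reload on ZooKeeper's own file watcher — verify both against a real rotation */}}` would capture the assumption for the next maintainer.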


@ -1,110 +0,0 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# script to process key/cert to keystore and truststore
{{- if .Values.tls.zookeeper.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
namespace: {{ template "pulsar.namespace" . }}
labels:
{{- include "pulsar.standardLabels" . | nindent 4 }}
component: keytool
data:
keytool.sh: |
#!/bin/bash
component=$1
name=$2
isClient=$3
crtFile=/pulsar/certs/${component}/tls.crt
keyFile=/pulsar/certs/${component}/tls.key
caFile=/pulsar/certs/ca/ca.crt
tlsDir=/tmp/pulsar-tls$$
p12File=${tlsDir}/${component}.p12
keyStoreFile=${tlsDir}/${component}.keystore.jks
trustStoreFile=${tlsDir}/${component}.truststore.jks
# create tmp dir for keystore and truststore files
mkdir ${tlsDir}
chmod 0700 ${tlsDir}
function checkFile() {
local file=$1
local len=$(wc -c ${file} | awk '{print $1}')
echo "processing ${file} : len = ${len}"
if [ ! -f ${file} ]; then
echo "${file} is not found"
return -1
fi
if [ $len -le 0 ]; then
echo "${file} is empty"
return -1
fi
}
function ensureFileNotEmpty() {
local file=$1
until checkFile ${file}; do
echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3;
done;
}
ensureFileNotEmpty ${crtFile}
ensureFileNotEmpty ${keyFile}
ensureFileNotEmpty ${caFile}
PASSWORD=$(head /dev/urandom | base64 | head -c 24)
openssl pkcs12 \
-export \
-in ${crtFile} \
-inkey ${keyFile} \
-out ${p12File} \
-name ${name} \
-passout "pass:${PASSWORD}"
keytool -importkeystore \
-srckeystore ${p12File} \
-srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
-alias ${name} \
-destkeystore ${keyStoreFile} \
-deststorepass "${PASSWORD}"
keytool -import \
-file ${caFile} \
-storetype JKS \
-alias ${name} \
-keystore ${trustStoreFile} \
-storepass "${PASSWORD}" \
-trustcacerts -noprompt
ensureFileNotEmpty ${keyStoreFile}
ensureFileNotEmpty ${trustStoreFile}
if [[ "x${isClient}" == "xtrue" ]]; then
echo $'\n' >> conf/pulsar_env.sh
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
echo $'\n' >> conf/bkenv.sh
echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
else
echo $'\n' >> conf/pulsar_env.sh
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
fi
{{- end }}


@ -311,6 +311,10 @@ spec:
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
{{- if .Values.tls.zookeeper.enabled }}
- key: tls-combined.pem
path: tls-combined.pem
{{- end }}
{{- end}} {{- end}}
{{- end}} {{- end}}
{{- end }} {{- end }}


@ -21,323 +21,27 @@
{{- if .Values.tls.proxy.enabled }} {{- if .Values.tls.proxy.enabled }}
{{- if .Values.tls.proxy.createCert }} {{- if .Values.tls.proxy.createCert }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
# At least one of a DNS Name, USI SAN, or IP address is required.
dnsNames:
{{- if .Values.tls.proxy.dnsNames }}
{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
--- ---
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }} {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.broker "tlsConfig" .Values.tls.broker) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
# At least one of a DNS Name, USI SAN, or IP address is required.
dnsNames:
{{- if .Values.tls.broker.dnsNames }}
{{ toYaml .Values.tls.broker.dnsNames | indent 4 }}
{{- end}}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
--- ---
{{- end }} {{- end }}
{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }} {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.bookkeeper "tlsConfig" .Values.tls.bookie) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
dnsNames:
{{- if .Values.tls.bookie.dnsNames }}
{{ toYaml .Values.tls.bookie.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
--- ---
{{- end }} {{- end }}
{{- if .Values.tls.zookeeper.enabled }} {{- if .Values.tls.zookeeper.enabled }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.autorecovery "tlsConfig" .Values.tls.autorecovery) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.autorecovery.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
dnsNames:
{{- if .Values.tls.autorecovery.dnsNames }}
{{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
--- ---
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.toolset "tlsConfig" .Values.tls.toolset) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
dnsNames:
{{- if .Values.tls.toolset.dnsNames }}
{{ toYaml .Values.tls.toolset.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
--- ---
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" {{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.zookeeper "tlsConfig" .Values.tls.zookeeper) }}
kind: Certificate
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name }}"
namespace: {{ template "pulsar.namespace" . }}
spec:
# Secret names are always required.
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
dnsNames:
{{- if .Values.tls.zookeeper.dnsNames }}
{{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: Issuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -227,9 +227,6 @@ spec:
- mountPath: "/pulsar/certs/ca" - mountPath: "/pulsar/certs/ca"
name: ca name: ca
readOnly: true readOnly: true
- name: keytool
mountPath: "/pulsar/keytool/keytool.sh"
subPath: keytool.sh
{{- end }} {{- end }}
{{- if .Values.zookeeper.extraVolumeMounts }} {{- if .Values.zookeeper.extraVolumeMounts }}
{{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }} {{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }}
@ -251,16 +248,14 @@ spec:
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
- key: tls-combined.pem
path: tls-combined.pem
- name: ca - name: ca
secret: secret:
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}" secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
- name: keytool
configMap:
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
defaultMode: 0755
{{- end}} {{- end}}
{{- include "pulsar.imagePullSecrets" . | nindent 6}} {{- include "pulsar.imagePullSecrets" . | nindent 6}}
{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }} {{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }}
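Review bot: The ZooKeeper StatefulSet now projects the private key twice, as `tls.key` and as the new `tls-combined.pem`, while the server-side settings added in this commit read only the combined file. If nothing else in the pod consumes `tls.crt`/`tls.key` once the keytool script is gone, dropping those two items keeps a single copy of the key on the container filesystem; the container command is outside this hunk, so this needs a check against the rest of the StatefulSet before removing them. The enclosing volumes list starts before the hunk.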


@ -25,7 +25,7 @@ set -e
NAMESPACE=cert-manager NAMESPACE=cert-manager
NAME=cert-manager NAME=cert-manager
# check compatibility with k8s versions from https://cert-manager.io/docs/installation/supported-releases/ # check compatibility with k8s versions from https://cert-manager.io/docs/installation/supported-releases/
VERSION=v1.12.16 VERSION=v1.12.17
# Install cert-manager CustomResourceDefinition resources # Install cert-manager CustomResourceDefinition resources
echo "Installing cert-manager CRD resources ..." echo "Installing cert-manager CRD resources ..."
@ -41,10 +41,12 @@ echo "Updating local helm chart repository cache ..."
helm repo update helm repo update
echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as '${NAME}' ..." echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as '${NAME}' ..."
helm install \ helm upgrade \
--install \
--namespace ${NAMESPACE} \ --namespace ${NAMESPACE} \
--create-namespace \ --create-namespace \
--version ${VERSION} \ --version ${VERSION} \
--set featureGates=AdditionalCertificateOutputFormats=true \
${NAME} \ ${NAME} \
jetstack/cert-manager jetstack/cert-manager
echo "Successfully installed cert-manager ${VERSION}." echo "Successfully installed cert-manager ${VERSION}."
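Review bot: Switching to `helm upgrade --install` with a bare `--set featureGates=AdditionalCertificateOutputFormats=true` means that a re-run against an existing cert-manager release — which is exactly what the README hunk tells users to do — replaces all previously supplied values with this one, so anyone who installed cert-manager with extra values loses them silently. Either pass `--reuse-values` so the new `--set` is merged into the existing values, or add a comment above the `helm upgrade` line such as `# Re-running replaces any previously supplied cert-manager values; pass your own values file if you customised the install.` The gate is only needed below 1.15.0 according to the README hunk, so a comment next to `VERSION=` noting that the `--set` should be dropped when the pinned version passes 1.15.0 would stop it being carried forward by habit.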