From b5ff00b16be2d027b3fc9849adc4972400da0860 Mon Sep 17 00:00:00 2001 From: Eric Shen Date: Wed, 18 Dec 2024 23:11:54 +0800 Subject: [PATCH] feat(tls): support ca type issuer and v1alpha* version cert-manager api (#561) --- charts/pulsar/templates/_autorecovery.tpl | 5 ++ charts/pulsar/templates/_bookkeeper.tpl | 5 ++ charts/pulsar/templates/_broker.tpl | 5 ++ charts/pulsar/templates/_toolset.tpl | 5 ++ .../pulsar/templates/proxy-statefulset.yaml | 5 ++ .../templates/tls-cert-internal-issuer.yaml | 12 +++- .../pulsar/templates/tls-certs-internal.yaml | 70 ++++++++++++++++++- .../pulsar/templates/toolset-statefulset.yaml | 5 ++ .../templates/zookeeper-statefulset.yaml | 5 ++ charts/pulsar/values.yaml | 14 +++- examples/values-tls-ca.yaml | 43 ++++++++++++ ...es-tls.yaml => values-tls-selfsigned.yaml} | 0 12 files changed, 169 insertions(+), 5 deletions(-) create mode 100644 examples/values-tls-ca.yaml rename examples/{values-tls.yaml => values-tls-selfsigned.yaml} (100%) diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl index 8ba78c8..ff12360 100644 --- a/charts/pulsar/templates/_autorecovery.tpl +++ b/charts/pulsar/templates/_autorecovery.tpl @@ -74,7 +74,12 @@ Define autorecovery tls certs volumes path: tls.key - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl index d7a5702..f0d0b9e 100644 --- a/charts/pulsar/templates/_bookkeeper.tpl +++ b/charts/pulsar/templates/_bookkeeper.tpl 
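Review bot: In the new `ca` branch of the autorecovery `ca` volume the secret reference renders as `secretName: ""` when `certs.issuers.ca.secretName` is left at the chart default, and with no `secretName` at all when `certs.internal_issuer.type` is anything other than the two strings compared here, so a misconfiguration only shows up later as a pod stuck in ContainerCreating rather than as a render-time error. Make the lookup fail fast, `secretName: {{ required "certs.issuers.ca.secretName must be set when certs.internal_issuer.type is ca" .Values.certs.issuers.ca.secretName | quote }}`, and turn the two independent `if`s into an `if`/`else if`/`fail` chain so a typo in `type` cannot silently drop the trust-anchor mount. The same six lines are repeated in the other volume hunks of this patch and need the same treatment.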
@@ -75,7 +75,12 @@ Define bookie tls certs volumes path: tls.key - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl index 42f5b85..cdd7f01 100644 --- a/charts/pulsar/templates/_broker.tpl +++ b/charts/pulsar/templates/_broker.tpl @@ -81,7 +81,12 @@ Define broker tls certs volumes path: tls.key - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl index 30547ad..ec665e8 100644 --- a/charts/pulsar/templates/_toolset.tpl +++ b/charts/pulsar/templates/_toolset.tpl @@ -74,7 +74,12 @@ Define toolset tls certs volumes path: tls.key - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml index d2728d8..73c5bae 100644 --- a/charts/pulsar/templates/proxy-statefulset.yaml +++ b/charts/pulsar/templates/proxy-statefulset.yaml 
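Review bot: The `selfsigning`/`ca` switch on the CA `secretName` is pasted verbatim into the bookkeeper, broker and toolset hunks on this line and into four more files in the patch, so any later correction (a third issuer type, a `required` guard) has to be replayed in seven places and will drift. Resolving the name once in a named template and reducing each volume to `secretName: {{ include "pulsar.tls.ca_secret_name" . | quote }}` keeps the components in lockstep. The helper below shows the shape; `_helpers.tpl` is not part of this patch, so where to host it is inferred.
```yaml
{{- /* Name of the Secret whose ca.crt every component mounts as its trust anchor. */ -}}
{{- define "pulsar.tls.ca_secret_name" -}}
{{- if eq .Values.certs.internal_issuer.type "selfsigning" -}}
{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}
{{- else if eq .Values.certs.internal_issuer.type "ca" -}}
{{ required "certs.issuers.ca.secretName must be set when certs.internal_issuer.type is ca" .Values.certs.issuers.ca.secretName }}
{{- else -}}
{{ fail (printf "unsupported certs.internal_issuer.type %q" .Values.certs.internal_issuer.type) }}
{{- end -}}
{{- end -}}
```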
@@ -296,7 +296,12 @@ spec: {{- if .Values.tls.proxy.enabled }} - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml index e9c3a2f..faf1dff 100644 --- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml +++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml @@ -27,7 +27,6 @@ metadata: spec: selfSigned: {} --- - apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" kind: Certificate metadata: @@ -51,7 +50,6 @@ spec: # if you are using an external issuer, change this to that issuer group. group: cert-manager.io --- - apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" kind: Issuer metadata: @@ -61,4 +59,14 @@ spec: ca: secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" {{- end }} +{{- if eq .Values.certs.internal_issuer.type "ca" }} +apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}" +kind: Issuer +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" + namespace: {{ template "pulsar.namespace" . }} +spec: + ca: + secretName: "{{ .Values.certs.issuers.ca.secretName }}" +{{- end }} {{- end }} diff --git a/charts/pulsar/templates/tls-certs-internal.yaml b/charts/pulsar/templates/tls-certs-internal.yaml index b14ce15..53afd60 100644 --- a/charts/pulsar/templates/tls-certs-internal.yaml +++ b/charts/pulsar/templates/tls-certs-internal.yaml 
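Review bot: With `type: ca`, the Issuer added at the end of the tls-cert-internal-issuer.yaml hunk and every component's `ca` volume (proxy here, and the other statefulsets in this patch) now reference the same Secret, `certs.issuers.ca.secretName`, which is the Secret holding the CA's signing key in `tls.key`. The `items: - key: ca.crt` filter only limits what is projected into the container; as far as I know the kubelet still fetches the whole Secret object onto every node that schedules a Pulsar pod, so the signing key's exposure grows from the cert-manager controller to the entire data plane. Consider distributing only the public certificate, for example a separate `ca.crt`-only Secret or ConfigMap (trust-manager can keep one in sync), and leaving the key-pair Secret referenced solely by the Issuer; at minimum a comment on `certs.issuers.ca.secretName` should warn that the Secret is mounted by every component. Note also that a Secret made with `kubectl create secret tls` carries only `tls.crt`/`tls.key`, so the `ca.crt` item these volumes project must be added explicitly or the mount fails.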
@@ -32,27 +32,38 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth # At least one of a DNS Name, USI SAN, or IP address is required. dnsNames: - - "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" - - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" {{- if .Values.tls.proxy.dnsNames }} {{ toYaml .Values.tls.proxy.dnsNames | indent 4 }} {{- end }} + - "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" + - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" # Issuer references are always required. issuerRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer" 
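Review bot: The new `{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}` switches in the proxy Certificate select the legacy flat `organization`/`keySize`/`keyAlgorithm` fields for every apiVersion that is not exactly `v1`, which — if I remember the cert-manager API history right — mis-renders `cert-manager.io/v1beta1`, the version that already used `subject.organizations` and `privateKey`. Keying the legacy branch on the alpha versions the commit title actually targets, `{{- if hasPrefix "cert-manager.io/v1alpha" .Values.certs.internal_issuer.apiVersion }}`, keeps `v1` as the default path and leaves v1beta1 correct. It is also worth a comment next to the values default that the `v1alpha*` API versions were removed from cert-manager (around 1.6, as I recall), so selecting them pins the cluster to a cert-manager release that no longer receives security fixes. The same switch is copied into the five certificate hunks that follow.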
@@ -77,17 +88,28 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth 
@@ -121,17 +143,28 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth 
@@ -164,17 +197,28 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth 
@@ -204,17 +248,28 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth 
@@ -244,17 +299,28 @@ spec: secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}" duration: "{{ .Values.tls.common.duration }}" renewBefore: "{{ .Values.tls.common.renewBefore }}" + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} subject: organizations: {{ toYaml .Values.tls.common.organization | indent 4 }} + {{- else }} + organization: +{{ toYaml .Values.tls.common.organization | indent 2 }} + {{- end }} # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" isCA: false + {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }} privateKey: size: {{ .Values.tls.common.keySize }} algorithm: {{ .Values.tls.common.keyAlgorithm }} encoding: {{ .Values.tls.common.keyEncoding }} + {{- else }} + keySize: {{ .Values.tls.common.keySize }} + keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }} + keyEncoding: {{ .Values.tls.common.keyEncoding }} + {{- end }} usages: - server auth - client auth diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml index 6f5ea82..c037d66 100644 --- a/charts/pulsar/templates/toolset-statefulset.yaml +++ b/charts/pulsar/templates/toolset-statefulset.yaml @@ -128,7 +128,12 @@ spec: {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} - name: proxy-ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml index cd84405..972c154 100755 --- a/charts/pulsar/templates/zookeeper-statefulset.yaml 
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml @@ -252,7 +252,12 @@ spec: path: tls.key - name: ca secret: + {{- if eq .Values.certs.internal_issuer.type "selfsigning" }} secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" + {{- end }} + {{- if eq .Values.certs.internal_issuer.type "ca" }} + secretName: "{{ .Values.certs.issuers.ca.secretName }}" + {{- end }} items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml index 9236c34..27df41c 100755 --- a/charts/pulsar/values.yaml +++ b/charts/pulsar/values.yaml @@ -232,11 +232,18 @@ tls: proxy: enabled: false cert_name: tls-proxy - createCert: true # set to false if you want to use an existing certificate + # set to false if you want to use an existing certificate + createCert: true + # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate. + dnsNames: + # - example.com # settings for generating certs for broker broker: enabled: false cert_name: tls-broker + # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate. + dnsNames: + # - example.com # settings for generating certs for bookies bookie: enabled: false @@ -297,13 +304,18 @@ certs: apiVersion: cert-manager.io/v1 enabled: false component: internal-cert-issuer + # The type of issuer, supports selfsigning and ca type: selfsigning # 90d duration: 2160h # 15d renewBefore: 360h issuers: + # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource. selfsigning: + # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key. + ca: + secretName: ###################################################################### # Below are settings for each component diff --git a/examples/values-tls-ca.yaml b/examples/values-tls-ca.yaml new file mode 100644 index 0000000..8692dc9 --- /dev/null 
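Review bot: The comments on the new `issuers` entries in values.yaml name a key that does not exist, `certs.type`, where the templates in this patch actually read `certs.internal_issuer.type`, and the `ca.secretName` comment does not say which keys the Secret must contain or which namespace it must live in. Suggest `# Used when certs.internal_issuer.type is "ca": name of a Secret in the release namespace holding the CA certificate and signing key as tls.crt/tls.key, plus a ca.crt entry, because the component pods mount ca.crt from this same Secret.` and the parallel wording `# Used when certs.internal_issuer.type is "selfsigning": ...` on the line above it. Since the empty default renders as `secretName: ""` rather than failing, the comment should also state that the value is mandatory for the `ca` type unless the template is changed to use `required`.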
+++ b/examples/values-tls-ca.yaml @@ -0,0 +1,43 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# enable TLS +tls: + enabled: true + proxy: + enabled: true + dnsNames: + # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate. + - example.com + broker: + enabled: true + bookie: + enabled: true + zookeeper: + enabled: true + +# issue selfsigning certs +certs: + internal_issuer: + enabled: true + type: ca + issuers: + # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key. + ca: + secretName: ca-key-pair \ No newline at end of file diff --git a/examples/values-tls.yaml b/examples/values-tls-selfsigned.yaml similarity index 100% rename from examples/values-tls.yaml rename to examples/values-tls-selfsigned.yaml
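Review bot: The header comment `# issue selfsigning certs` in the new values-tls-ca.yaml states the opposite of what the example configures (`type: ca`), and `dnsNames: - example.com` is issued as a real SAN on the proxy certificate rather than acting as a placeholder. Change the comment to `# issue certs from an existing CA key pair (Secret "ca-key-pair" in the release namespace)` and either drop the `dnsNames` entry or use an obviously reserved name such as `pulsar-proxy.example.invalid`. A short comment on how `ca-key-pair` must be created (it needs `tls.crt`, `tls.key` and a `ca.crt` entry, since the pod volumes project `ca.crt` from it) would make the example runnable as written, and the file is missing its trailing newline.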