feat(tls): support ca type issuer and v1alpha* version cert-manager api (#561)

charts/pulsar/templates/_autorecovery.tpl

@@ -74,7 +74,12 @@ Define autorecovery tls certs volumes
       path: tls.key
 - name: ca
   secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
     secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
     items:
     - key: ca.crt
       path: ca.crt

charts/pulsar/templates/_bookkeeper.tpl

@@ -75,7 +75,12 @@ Define bookie tls certs volumes
       path: tls.key
 - name: ca
   secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
     secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
     items:
     - key: ca.crt
       path: ca.crt

charts/pulsar/templates/_broker.tpl

@@ -81,7 +81,12 @@ Define broker tls certs volumes
       path: tls.key
 - name: ca
   secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
     secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
     items:
     - key: ca.crt
       path: ca.crt

charts/pulsar/templates/_toolset.tpl

@@ -74,7 +74,12 @@ Define toolset tls certs volumes
       path: tls.key
 - name: ca
   secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
     secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
     items:
     - key: ca.crt
       path: ca.crt

charts/pulsar/templates/proxy-statefulset.yaml

@@ -296,7 +296,12 @@ spec:
         {{- if .Values.tls.proxy.enabled }}
         - name: ca
           secret:
+            {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
             secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+            {{- end }}
+            {{- if eq .Values.certs.internal_issuer.type "ca" }}
+            secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+            {{- end }}
             items:
               - key: ca.crt
                 path: ca.crt

charts/pulsar/templates/tls-cert-internal-issuer.yaml

@@ -27,7 +27,6 @@ metadata:
 spec:
   selfSigned: {}
 ---
-
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Certificate
 metadata:
@@ -51,7 +50,6 @@ spec:
     # if you are using an external issuer, change this to that issuer group.
     group: cert-manager.io
 ---
-
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
@@ -61,4 +59,14 @@ spec:
   ca:
     secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
 {{- end }}
+{{- if eq .Values.certs.internal_issuer.type "ca" }}
+apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+kind: Issuer
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  namespace: {{ template "pulsar.namespace" . }}
+spec:
+  ca:
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+{{- end }}
 {{- end }}

charts/pulsar/templates/tls-certs-internal.yaml

@@ -32,27 +32,38 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth
   # At least one of a DNS Name, USI SAN, or IP address is required.
   dnsNames:
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
 {{- if .Values.tls.proxy.dnsNames }}
 {{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
 {{- end }}
+    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
+    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   # Issuer references are always required.
   issuerRef:
     name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
@@ -77,17 +88,28 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth
@@ -121,17 +143,28 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth
@@ -164,17 +197,28 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth
@@ -204,17 +248,28 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth
@@ -244,17 +299,28 @@ spec:
   secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
   duration: "{{ .Values.tls.common.duration }}"
   renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   subject:
     organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
   isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
   privateKey:
     size: {{ .Values.tls.common.keySize }}
     algorithm: {{ .Values.tls.common.keyAlgorithm }}
     encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
   usages:
     - server auth
     - client auth

charts/pulsar/templates/toolset-statefulset.yaml

@@ -128,7 +128,12 @@ spec:
       {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
       - name: proxy-ca
         secret:
+          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
           secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          {{- end }}
+          {{- if eq .Values.certs.internal_issuer.type "ca" }}
+          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+          {{- end }}
           items:
             - key: ca.crt
               path: ca.crt

charts/pulsar/templates/zookeeper-statefulset.yaml

@@ -252,7 +252,12 @@ spec:
               path: tls.key
       - name: ca
         secret:
+          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
           secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          {{- end }}
+          {{- if eq .Values.certs.internal_issuer.type "ca" }}
+          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+          {{- end }}
           items:
             - key: ca.crt
               path: ca.crt

charts/pulsar/values.yaml

@@ -232,11 +232,18 @@ tls:
   proxy:
     enabled: false
     cert_name: tls-proxy
-    createCert: true  # set to false if you want to use an existing certificate
+    # set to false if you want to use an existing certificate
+    createCert: true
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    dnsNames:
+    # - example.com
   # settings for generating certs for broker
   broker:
     enabled: false
     cert_name: tls-broker
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    dnsNames:
+    # - example.com
   # settings for generating certs for bookies
   bookie:
     enabled: false
@@ -297,13 +304,18 @@ certs:
     apiVersion: cert-manager.io/v1
     enabled: false
     component: internal-cert-issuer
+    # The type of issuer, supports selfsigning and ca
     type: selfsigning
     # 90d
     duration: 2160h
     # 15d
     renewBefore: 360h
   issuers:
+    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
     selfsigning:
+    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    ca:
+      secretName:
 
 ######################################################################
 # Below are settings for each component

examples/values-tls-ca.yaml

@@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# enable TLS
+tls:
+  enabled: true
+  proxy:
+    enabled: true
+    dnsNames:
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    - example.com
+  broker:
+    enabled: true
+  bookie:
+    enabled: true
+  zookeeper:
+    enabled: true
+
+# issue selfsigning certs
+certs:
+  internal_issuer:
+    enabled: true
+    type: ca
+  issuers:
+    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    ca:
+      secretName: ca-key-pair