feat(tls): support ca type issuer and v1alpha* version cert-manager api (#561)

2024-12-18 23:11:54 +08:00 · 2024-12-18 23:11:54 +08:00 · b5ff00b16b
commit b5ff00b16b
parent df9284dc97
12 changed files with 169 additions and 5 deletions
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@ -74,7 +74,12 @@ Define autorecovery tls certs volumes
      path: tls.key
 - name: ca
  secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@ -75,7 +75,12 @@ Define bookie tls certs volumes
      path: tls.key
 - name: ca
  secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@ -81,7 +81,12 @@ Define broker tls certs volumes
      path: tls.key
 - name: ca
  secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@ -74,7 +74,12 @@ Define toolset tls certs volumes
      path: tls.key
 - name: ca
  secret:
+    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    {{- end }}
+    {{- if eq .Values.certs.internal_issuer.type "ca" }}
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+    {{- end }}
    items:
    - key: ca.crt
      path: ca.crt
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@ -296,7 +296,12 @@ spec:
        {{- if .Values.tls.proxy.enabled }}
        - name: ca
          secret:
+            {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
            secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+            {{- end }}
+            {{- if eq .Values.certs.internal_issuer.type "ca" }}
+            secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+            {{- end }}
            items:
              - key: ca.crt
                path: ca.crt
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@ -27,7 +27,6 @@ metadata:
 spec:
  selfSigned: {}
 ---
-
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Certificate
 metadata:
@ -51,7 +50,6 @@ spec:
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
-
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
@ -61,4 +59,14 @@ spec:
  ca:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
 {{- end }}
+{{- if eq .Values.certs.internal_issuer.type "ca" }}
+apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+kind: Issuer
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  namespace: {{ template "pulsar.namespace" . }}
+spec:
+  ca:
+    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+{{- end }}
 {{- end }}
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@ -32,27 +32,38 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, USI SAN, or IP address is required.
  dnsNames:
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
 {{- if .Values.tls.proxy.dnsNames }}
 {{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
 {{- end }}
+    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
+    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
@ -77,17 +88,28 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
@ -121,17 +143,28 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
@ -164,17 +197,28 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
@ -204,17 +248,28 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
@ -244,17 +299,28 @@ spec:
  secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
+  {{- else }}
+  organization:
+{{ toYaml .Values.tls.common.organization | indent 2 }}
+  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
  isCA: false
+  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
+  {{- else }}
+  keySize: {{ .Values.tls.common.keySize }}
+  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
+  keyEncoding: {{ .Values.tls.common.keyEncoding }}
+  {{- end }}
  usages:
    - server auth
    - client auth
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@ -128,7 +128,12 @@ spec:
      {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
      - name: proxy-ca
        secret:
+          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          {{- end }}
+          {{- if eq .Values.certs.internal_issuer.type "ca" }}
+          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+          {{- end }}
          items:
            - key: ca.crt
              path: ca.crt
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@ -252,7 +252,12 @@ spec:
              path: tls.key
      - name: ca
        secret:
+          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          {{- end }}
+          {{- if eq .Values.certs.internal_issuer.type "ca" }}
+          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
+          {{- end }}
          items:
            - key: ca.crt
              path: ca.crt
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@ -232,11 +232,18 @@ tls:
  proxy:
    enabled: false
    cert_name: tls-proxy
-    createCert: true  # set to false if you want to use an existing certificate
+    # set to false if you want to use an existing certificate
+    createCert: true
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    dnsNames:
+    # - example.com
  # settings for generating certs for broker
  broker:
    enabled: false
    cert_name: tls-broker
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    dnsNames:
+    # - example.com
  # settings for generating certs for bookies
  bookie:
    enabled: false
@ -297,13 +304,18 @@ certs:
    apiVersion: cert-manager.io/v1
    enabled: false
    component: internal-cert-issuer
+    # The type of issuer, supports selfsigning and ca
    type: selfsigning
    # 90d
    duration: 2160h
    # 15d
    renewBefore: 360h
  issuers:
+    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
    selfsigning:
+    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    ca:
+      secretName:

 ######################################################################
 # Below are settings for each component
--- a/examples/values-tls-ca.yaml
+++ b/examples/values-tls-ca.yaml
@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# enable TLS
+tls:
+  enabled: true
+  proxy:
+    enabled: true
+    dnsNames:
+    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
+    - example.com
+  broker:
+    enabled: true
+  bookie:
+    enabled: true
+  zookeeper:
+    enabled: true
+
+# issue selfsigning certs
+certs:
+  internal_issuer:
+    enabled: true
+    type: ca
+  issuers:
+    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    ca:
+      secretName: ca-key-pair
--- a/examples/values-tls-selfsigned.yaml
+++ b/examples/values-tls-selfsigned.yaml