updates pulsar ca name generation to use suffix making cert swappable (#141)

Updates CA name generation to be configurable allowing the swapping in of a CA.

### Motivation

We recently swapped out cert issuers and found that with the current helm chart we were unable to do a hot swap without downtime (via helm) because the CA cert name is not configurable. Being able to change the name of the CA allows us to create a new CA first -> Validate -> then swap over in follow up apply/release.

### Modifications

Adds the ability to specify the suffix used to generate the CA name (only the suffix, not the whole name, so the release-name prefix is kept and existing deployments remain backward compatible).
This commit is contained in:
Peter Tinti 2021-08-25 23:14:03 -07:00 committed by GitHub
parent 65dc68654b
commit f307cc32af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 26 additions and 11 deletions


@ -55,7 +55,7 @@ Define autorecovery tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
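Review bot: The new secret name expression `{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}` is written out verbatim here and in eight more places in this commit (the bookie, broker, toolset, proxy, cert-manager, and remaining template sections below), so a future rename or an empty `tls.ca_suffix` has to be caught nine times. A named template next to the existing `pulsar.fullname` / `pulsar.namespace` helpers would keep every consumer on one definition and give one place to reject an empty value, e.g. `{{- define "pulsar.ca_secret_name" -}}{{ .Release.Name }}-{{ required "tls.ca_suffix must be set" .Values.tls.ca_suffix }}{{- end }}` and then `secretName: "{{ template "pulsar.ca_secret_name" . }}"` at each site. Without such a guard an empty suffix silently yields a secret named `<release>-`, and the volume mount fails only at pod start. The enclosing volumes block starts and ends outside this hunk.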


@ -56,7 +56,7 @@ Define bookie tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -62,7 +62,7 @@ Define broker tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -55,7 +55,7 @@ Define toolset tls certs volumes
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -260,7 +260,7 @@ spec:
{{- if .Values.tls.proxy.enabled }} {{- if .Values.tls.proxy.enabled }}
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -34,7 +34,7 @@ metadata:
name: "{{ template "pulsar.fullname" . }}-ca" name: "{{ template "pulsar.fullname" . }}-ca"
namespace: {{ template "pulsar.namespace" . }} namespace: {{ template "pulsar.namespace" . }}
spec: spec:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
duration: "{{ .Values.certs.internal_issuer.duration }}" duration: "{{ .Values.certs.internal_issuer.duration }}"
renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}" renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@ -59,6 +59,6 @@ metadata:
namespace: {{ template "pulsar.namespace" . }} namespace: {{ template "pulsar.namespace" . }}
spec: spec:
ca: ca:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }} {{- end }}
{{- end }} {{- end }}
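Review bot: Only `spec.secretName` becomes configurable here; the Certificate's `metadata.name` on the line above stays `{{ template "pulsar.fullname" . }}-ca`, and the Issuer's `ca.secretName` in the second hunk follows the same suffix. Changing `tls.ca_suffix` on an upgrade therefore rewrites the one existing Certificate and Issuer in place to point at a new secret rather than creating a second CA alongside the old one, so the "create new CA first, validate, then swap" flow from the description appears to work only when the new CA secret is created outside the chart before the suffix is flipped. Whether cert-manager keeps or removes the previous secret when `secretName` changes depends on the cert-manager version in use and is worth confirming. Consider either suffixing the Certificate and Issuer names as well, or documenting the expected swap procedure next to `tls.ca_suffix` in values.yaml.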


@ -112,7 +112,7 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
- name: proxy-ca - name: proxy-ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -205,7 +205,7 @@ spec:
path: tls.key path: tls.key
- name: ca - name: ca
secret: secret:
secretName: "{{ .Release.Name }}-ca-tls" secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items: items:
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt


@ -191,6 +191,7 @@ images:
## brokers and proxies. ## brokers and proxies.
tls: tls:
enabled: false enabled: false
ca_suffix: ca-tls
# common settings for generating certs # common settings for generating certs
common: common:
# 90d # 90d
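Review bot: The new `ca_suffix` key is the only setting in this `tls` block without an explanatory comment, while the neighbouring keys are documented in the chart's `#` style. A comment above it would tell operators what the value is combined with and what must stay in sync, e.g. `# Suffix appended to the release name to form the CA secret name ("<release>-<ca_suffix>").` followed by `# Must match the --ca-suffix passed to the TLS upload/cleanup scripts; change it to stage a new CA before switching.` The value should also be constrained to characters valid in a Kubernetes Secret name (lowercase alphanumerics, "-" and "."), which is worth stating in the comment since nothing in the templates validates it.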


@ -25,6 +25,7 @@ cd ${CHART_HOME}
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
caSuffix=${caSuffix:-ca-tls}
clientComponents=${clientComponents:-"toolset"} clientComponents=${clientComponents:-"toolset"}
serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"} serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"}
@ -35,6 +36,7 @@ Options:
-h,--help prints the usage message -h,--help prints the usage message
-n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}. -n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}.
-k,--release the pulsar helm release name. Default to ${release}. -k,--release the pulsar helm release name. Default to ${release}.
-ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}. -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}. -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
Usage: Usage:
@ -57,6 +59,11 @@ case $key in
shift shift
shift shift
;; ;;
-ca|--ca-suffix)
caSuffix="$2"
shift
shift
;;
-c|--client-components) -c|--client-components)
clientComponents="$2" clientComponents="$2"
shift shift
@ -80,7 +87,7 @@ esac
done done
function delete_ca() { function delete_ca() {
local tls_ca_secret="${release}-ca-tls" local tls_ca_secret="${release}-${caSuffix}"
kubectl delete secret ${tls_ca_secret} -n ${namespace} kubectl delete secret ${tls_ca_secret} -n ${namespace}
} }
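Review bot: The new `-ca|--ca-suffix` case stores `$2` into `caSuffix` with no check that it is non-empty or a valid Secret-name fragment, and the same pattern is added to the upload script in the next file section. An empty or mistyped suffix makes `delete_ca` target `${release}-` (or a non-existent secret) and `upload_ca` create a secret the chart never mounts, because the suffix is only meaningful when it matches `tls.ca_suffix` in values.yaml; a one-line guard after option parsing such as `[[ "${caSuffix}" =~ ^[a-z0-9.-]+$ ]] || { echo "invalid --ca-suffix: ${caSuffix}" >&2; exit 1; }` would fail fast, and the usage line could add `Must match tls.ca_suffix in values.yaml.` The two-character short flag `-ca` also departs from the single-letter short options used by every other case in this `case` block (`-n`, `-k`, `-c`, `-s`). The `case` statement starts outside this hunk.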


@ -25,6 +25,7 @@ cd ${CHART_HOME}
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
caSuffix=${caSuffix:-ca-tls}
tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"} tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"}
clientComponents=${clientComponents:-""} clientComponents=${clientComponents:-""}
serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"} serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"}
@ -37,6 +38,7 @@ Options:
-h,--help prints the usage message -h,--help prints the usage message
-n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}. -n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}.
-k,--release the pulsar helm release name. Default to ${release}. -k,--release the pulsar helm release name. Default to ${release}.
-ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}.
-d,--dir the dir for storing tls certs. Default to ${tlsdir}. -d,--dir the dir for storing tls certs. Default to ${tlsdir}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}. -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}. -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
@ -61,6 +63,11 @@ case $key in
shift shift
shift shift
;; ;;
-ca|--ca-suffix)
caSuffix="$2"
shift
shift
;;
-d|--dir) -d|--dir)
tlsdir="$2" tlsdir="$2"
shift shift
@ -95,7 +102,7 @@ done
ca_cert_file=${tlsdir}/certs/ca.cert.pem ca_cert_file=${tlsdir}/certs/ca.cert.pem
function upload_ca() { function upload_ca() {
local tls_ca_secret="${release}-ca-tls" local tls_ca_secret="${release}-${caSuffix}"
kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client} kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
} }