Feat/cacerts (#619 )

extra volume mounts for oxia coordinator (#618 )
* extra volume mounts for oxia coordinator * . * .
2025-06-21 23:13:35 +03:00 · 2025-06-13 10:55:02 -07:00 · 2025-06-09 21:27:23 +03:00 · 2025-05-30 18:16:04 +03:00 · 2025-05-23 16:52:39 +03:00 · 2025-05-23 16:22:17 +03:00
202 changed files with 10869 additions and 5178 deletions
--- a/.asf.yaml
+++ b/.asf.yaml
@ -31,16 +31,17 @@ github:
    - helm
    - helm-chart
  features:
-    # Enable wiki for documentation
    wiki: true
-    # Enable issues management
    issues: true
-    # Enable projects for project management boards
    projects: true
  enabled_merge_buttons:
-    # enable squash button:
    squash:  true
-    # disable merge button:
    merge:   false
-    # disable rebase button:
    rebase:  false
+
+notifications:
+  commits:      commits@pulsar.apache.org
+  issues:       commits@pulsar.apache.org
+  pullrequests: commits@pulsar.apache.org
+  discussions:  dev@pulsar.apache.org
+  jira_options: link label
--- a/.ci/auth/keycloak/0-realm-pulsar-partial-export.json
+++ b/.ci/auth/keycloak/0-realm-pulsar-partial-export.json
--- a/.ci/auth/keycloak/1-client-template.json
+++ b/.ci/auth/keycloak/1-client-template.json
@ -0,0 +1,73 @@
+{
+  "clientId": $ARGS.named.CLIENT_ID,
+  "enabled": true,
+  "clientAuthenticatorType": "client-secret",
+  "secret": $ARGS.named.CLIENT_SECRET,
+  "standardFlowEnabled" : false,
+  "implicitFlowEnabled" : false,
+  "serviceAccountsEnabled": true,
+  "protocol": "openid-connect",
+  "attributes": {
+    "realm_client": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "client.secret.creation.time": "1735689600",
+    "backchannel.logout.session.required": "true",
+    "standard.token.exchange.enabled": "false",
+    "frontchannel.logout.session.required": "true",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "display.on.consent.screen": "false",
+    "backchannel.logout.revoke.offline.tokens": "false"
+  },
+  "protocolMappers": [
+    {
+      "name": "sub",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-hardcoded-claim-mapper",
+      "consentRequired": false,
+      "config": {
+        "introspection.token.claim": "true",
+        "claim.value": $ARGS.named.SUB_CLAIM_VALUE,
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "lightweight.claim": "false",
+        "access.token.claim": "true",
+        "claim.name": "sub",
+        "jsonType.label": "String",
+        "access.tokenResponse.claim": "false"
+      }
+    },
+    {
+      "name": "nbf",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-hardcoded-claim-mapper",
+      "consentRequired": false,
+      "config": {
+        "introspection.token.claim": "true",
+        "claim.value": "1735689600",
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "lightweight.claim": "false",
+        "access.token.claim": "true",
+        "claim.name": "nbf",
+        "jsonType.label": "long",
+        "access.tokenResponse.claim": "false"
+      }
+    }
+  ],
+  "defaultClientScopes": [
+    "web-origins",
+    "service_account",
+    "acr",
+    "profile",
+    "roles",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "organization",
+    "offline_access",
+    "microprofile-jwt"
+  ]
+}
--- a/.ci/auth/keycloak/README.md
+++ b/.ci/auth/keycloak/README.md
@ -0,0 +1,26 @@
+# Keycloak
+
+Keycloak is used to validate OIDC configuration.
+
+To create the pulsar realm configuration, we use :
+
+* `0-realm-pulsar-partial-export.json` : after creating pulsar realm in Keycloack UI, this file is the result of the partial export in Keycloak UI without options.
+* `1-client-template.json` : this is the template to create pulsar clients.
+
+To create the final `realm-pulsar.json`, merge files with `jq` command :
+
+* create a client with `CLIENT_ID`, `CLIENT_SECRET` and `SUB_CLAIM_VALUE` :
+
+```
+CLIENT_ID=xx
+CLIENT_SECRET=yy
+SUB_CLAIM_VALUE=zz
+
+jq -n --arg CLIENT_ID "$CLIENT_ID" --arg CLIENT_SECRET "$CLIENT_SECRET" --arg SUB_CLAIM_VALUE "$SUB_CLAIM_VALUE" 1-client-template.json > client.json
+```
+
+* then merge the realm and the client :
+
+```
+jq '.clients += [input]' 0-realm-pulsar-partial-export.json client.json > realm-pulsar.json
+```
--- a/.github/workflows/verify_release.yml
+++ b/.github/workflows/verify_release.yml
@ -17,23 +17,18 @@
 # under the License.
 #

-name: Precommit - Verify releasing Pulsar Helm Chart 
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Install chart
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PUBLISH_CHARTS: false
-        run: |
-          .ci/release.sh
+tls:
+  enabled: false
+# This block sets up an example Pulsar Realm
+# https://www.keycloak.org/server/importExport#_importing_a_realm_from_a_directory
+extraEnvVars:
+  - name: KEYCLOAK_EXTRA_ARGS
+    value: "--import-realm"
+extraVolumes:
+  - name: realm-config
+    secret:
+      secretName: keycloak-ci-realm-config
+extraVolumeMounts:
+  - name: realm-config
+    mountPath: "/opt/bitnami/keycloak/data/import"
+    readOnly: true
--- a/.ci/auth/oauth2/credentials_file.json
+++ b/.ci/auth/oauth2/credentials_file.json
@ -0,0 +1,5 @@
+{
+    "type": "client_credentials",
+    "client_id": $ARGS.named.CLIENT_ID,
+    "client_secret": $ARGS.named.CLIENT_SECRET
+}
--- a/.ci/chart_test.sh
+++ b/.ci/chart_test.sh
@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
@ -20,36 +21,96 @@
 set -e


-BINDIR=`dirname "$0"`
-PULSAR_HOME=`cd ${BINDIR}/..;pwd`
+BINDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+PULSAR_HOME="$(cd "${BINDIR}/.." && pwd)"
 VALUES_FILE=$1
 TLS=${TLS:-"false"}
 SYMMETRIC=${SYMMETRIC:-"false"}
 FUNCTION=${FUNCTION:-"false"}
+MANAGER=${MANAGER:-"false"}
+ALLOW_LOADBALANCERS=${ALLOW_LOADBALANCERS:-"false"}

 source ${PULSAR_HOME}/.ci/helm.sh

 # create cluster
 ci::create_cluster

-# install storage provisioner
-ci::install_storage_provisioner
+ci::helm_repo_add
+
+extra_opts=()
+
+# Add any arguments after $1 to extra_opts
+shift # Remove $1 from the argument list
+while [[ $# -gt 0 ]]; do
+    extra_opts+=("$1")
+    shift
+done

-extra_opts=""
 if [[ "x${SYMMETRIC}" == "xtrue" ]]; then
-    extra_opts="-s"
+    extra_opts+=("-s")
 fi

-# install pulsar chart
-ci::install_pulsar_chart ${PULSAR_HOME}/${VALUES_FILE} ${extra_opts}
+if [[ "x${EXTRA_SUPERUSERS}" != "x" ]]; then
+    extra_opts+=("--pulsar-superusers" "proxy-admin,broker-admin,admin,${EXTRA_SUPERUSERS}")
+fi

-# test producer
-ci::test_pulsar_producer
+install_type="install"
+test_action="produce-consume"
+if [[ "$UPGRADE_FROM_VERSION" != "" ]]; then
+    ALLOW_LOADBALANCERS="true"
+    # install older version of pulsar chart
+    PULSAR_CHART_VERSION="$UPGRADE_FROM_VERSION"

-if [[ "x${FUNCTION}" == "xtrue" ]]; then
-    # install cert manager
+    # Install Prometheus Operator CRDs using the upgrade script since kube-prometheus-stack is now disabled before the upgrade
+    ${PULSAR_HOME}/scripts/kube-prometheus-stack/upgrade_prometheus_operator_crds.sh
+
+    ci::install_pulsar_chart install ${PULSAR_HOME}/.ci/values-common.yaml ${PULSAR_HOME}/${VALUES_FILE} --set kube-prometheus-stack.enabled=false "${extra_opts[@]}"
+    install_type="upgrade"
+    echo "Wait 10 seconds"
+    sleep 10
+    # check pulsar environment
+    ci::check_pulsar_environment
+    # test that we can access the admin api
+    ci::test_pulsar_admin_api_access
+    # produce messages with old version of pulsar and consume with new version
+    ci::test_pulsar_producer_consumer "produce"
+    test_action="consume"
+
+    if [[ "$(ci::helm_values_for_deployment | yq .victoria-metrics-k8s-stack.enabled)" == "true" ]]; then
+        echo "Upgrade Victoria Metrics Operator CRDs before upgrading the deployment"
+        ${PULSAR_HOME}/scripts/victoria-metrics-k8s-stack/upgrade_vm_operator_crds.sh
+    fi
+fi
+
+PULSAR_CHART_VERSION="local"
+# install (or upgrade) pulsar chart
+ci::install_pulsar_chart ${install_type} ${PULSAR_HOME}/.ci/values-common.yaml ${PULSAR_HOME}/${VALUES_FILE} "${extra_opts[@]}"
+
+echo "Wait 10 seconds"
+sleep 10
+
+# check that there aren't any loadbalancers if ALLOW_LOADBALANCERS is false
+if [[ "${ALLOW_LOADBALANCERS}" == "false" ]]; then
+    ci::check_loadbalancers
+fi
+
+# check pulsar environment
+ci::check_pulsar_environment
+
+# test that we can access the admin api
+ci::test_pulsar_admin_api_access
+# test producer/consumer
+ci::test_pulsar_producer_consumer "${test_action}"
+
+if [[ "$(ci::helm_values_for_deployment | yq .components.functions)" == "true" ]]; then
+    # test functions
    ci::test_pulsar_function
 fi

+if [[ "$(ci::helm_values_for_deployment | yq .components.pulsar_manager)" == "true" ]]; then
+    # test manager
+    ci::test_pulsar_manager
+fi
+
 # delete the cluster
 ci::delete_cluster
--- a/.ci/clusters/values-bk-tls.yaml
+++ b/.ci/clusters/values-bk-tls.yaml
@ -17,59 +17,14 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
-
 # enable TLS
 tls:
  enabled: true
  bookie:
    enabled: true

-# disable cert manager
+# enable cert-manager
 certs:
  internal_issuer:
-    enabled: false
+    enabled: true
+    type: selfsigning
--- a/.ci/clusters/values-broker-tls.yaml
+++ b/.ci/clusters/values-broker-tls.yaml
@ -17,52 +17,6 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
-
 # enable TLS
 tls:
  enabled: true
@ -71,7 +25,8 @@ tls:
  broker:
    enabled: true

-# disable cert-manager
+# enable cert-manager
 certs:
  internal_issuer:
-    enabled: false
+    enabled: true
+    type: selfsigning
--- a/.ci/clusters/values-cacerts.yaml
+++ b/.ci/clusters/values-cacerts.yaml
@ -0,0 +1,105 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+
+# enable TLS with cacerts
+tls:
+  enabled: true
+  proxy:
+    enabled: true
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+  broker:
+    enabled: true
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+  bookie:
+    enabled: true
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+  zookeeper:
+    enabled: true
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+  toolset:
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+  autorecovery:
+    cacerts:
+      enabled: true
+      certs:
+        - name: common-cacert
+          existingSecret: "pulsar-ci-common-cacert"
+          secretKeys:
+            - ca.crt
+
+# enable cert-manager
+certs:
+  internal_issuer:
+    enabled: true
+    type: selfsigning
+
+# deploy cacerts
+extraDeploy:
+  - |
+    apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+    kind: Certificate
+    metadata:
+      name: "{{ template "pulsar.fullname" . }}-common-cacert"
+      namespace: {{ template "pulsar.namespace" . }}
+      labels:
+        {{- include "pulsar.standardLabels" . | nindent 4 }}
+    spec:
+      secretName: "{{ template "pulsar.fullname" . }}-common-cacert"
+      commonName: "common-cacert"
+      duration: "{{ .Values.certs.internal_issuer.duration }}"
+      renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
+      usages:
+        - server auth
+        - client auth
+      isCA: true
+      issuerRef:
+        name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}"
+        kind: Issuer
+        group: cert-manager.io
--- a/.ci/clusters/values-jwt-asymmetric.yaml
+++ b/.ci/clusters/values-jwt-asymmetric.yaml
@ -17,58 +17,13 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 2
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false

 auth:
  authentication:
    enabled: true
-    provider: "jwt"
    jwt:
      # Enable JWT authentication
+      enabled: true
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: false
@ -81,3 +36,9 @@ auth:
    proxy: "proxy-admin"
    # pulsar-admin client to broker/proxy communication
    client: "admin"
+    # pulsar-manager to broker communication
+    manager: "manager-admin"
+
+components:
+  pulsar_manager: true
+
--- a/.ci/clusters/values-jwt-symmetric.yaml
+++ b/.ci/clusters/values-jwt-symmetric.yaml
@ -17,58 +17,13 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false

 auth:
  authentication:
    enabled: true
-    provider: "jwt"
    jwt:
      # Enable JWT authentication
+      enabled: true
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: true
@ -81,3 +36,8 @@ auth:
    proxy: "proxy-admin"
    # pulsar-admin client to broker/proxy communication
    client: "admin"
+    # pulsar manager to broker
+    manager: "manager-admin"
+
+components:
+  pulsar_manager: true
--- a/.ci/clusters/values-local-pv.yaml
+++ b/.ci/clusters/values-local-pv.yaml
@ -1,64 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
--- a/.ci/clusters/values-openid.yaml
+++ b/.ci/clusters/values-openid.yaml
@ -0,0 +1,94 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Mount crendentials to each component
+proxy:
+  configData:
+    # Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
+    brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
+    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+  extraVolumes:
+    - name: pulsar-proxy-credentials
+      secret:
+        secretName: pulsar-proxy-credentials
+  extraVolumeMounts:
+    - name: pulsar-proxy-credentials
+      mountPath: "/pulsar/auth/proxy"
+      readOnly: true
+
+broker:
+  configData:
+    # Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
+    brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
+    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+  extraVolumes:
+    - name: pulsar-broker-credentials
+      secret:
+        secretName: pulsar-broker-credentials
+  extraVolumeMounts:
+    - name: pulsar-broker-credentials
+      mountPath: "/pulsar/auth/broker"
+      readOnly: true
+
+toolset:
+  configData:
+    authPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
+    authParams: '{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+  extraVolumes:
+    - name: pulsar-admin-credentials
+      secret:
+        secretName: pulsar-admin-credentials
+  extraVolumeMounts:
+    - name: pulsar-admin-credentials
+      mountPath: "/pulsar/auth/admin"
+      readOnly: true
+
+auth:
+  authentication:
+    enabled: true
+    openid:
+      # Enable openid authentication
+      enabled: true
+      # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
+      openIDAllowedTokenIssuers:
+        - http://keycloak-ci-headless:8080/realms/pulsar
+      openIDAllowedAudiences:
+        - account
+      #openIDTokenIssuerTrustCertsFilePath:
+      openIDRoleClaim: "sub"
+      openIDAcceptedTimeLeewaySeconds: "0"
+      openIDCacheSize: "5"
+      openIDCacheRefreshAfterWriteSeconds: "64800"
+      openIDCacheExpirationSeconds: "86400"
+      openIDHttpConnectionTimeoutMillis: "10000"
+      openIDHttpReadTimeoutMillis: "10000"
+      openIDKeyIdCacheMissRefreshSeconds: "300"
+      openIDRequireIssuersUseHttps: "false"
+      openIDFallbackDiscoveryMode: "DISABLED"
+  authorization:
+    enabled: true
+  superUsers:
+    # broker to broker communication
+    broker: "broker-admin"
+    # proxy to broker communication
+    proxy: "proxy-admin"
+    # pulsar-admin client to broker/proxy communication
+    client: "admin"
+    # pulsar manager to broker
+    manager: "manager-admin"
--- a/.ci/clusters/values-oxia.yaml
+++ b/.ci/clusters/values-oxia.yaml
@ -17,27 +17,19 @@
 # under the License.
 #

-name: Precommit Style Check
-on:
-  pull_request:
-    branches:
-      - '*'
-jobs:
+components:
+  zookeeper: false
+  oxia: true
+  # disable functions for oxia tests since there's no support for Oxia in 
+  # BookKeeperPackagesStorage which requires Zookeeper
+  functions: false

-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Set up Go 1.12
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.12
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
-
-    - name: Check license
-      run: |
-        go test license_test.go
+oxia:
+  initialShardCount: 3
+  replicationFactor: 3
+  server:
+    replicas: 3
+    cpuLimit: 333m
+    memoryLimit: 200Mi
+    dbCacheSizeMb: 100
+    storageSize: 1Gi
--- a/.ci/clusters/values-pulsar-image.yaml
+++ b/.ci/clusters/values-pulsar-image.yaml
@ -1,95 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  persistence: false
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-  metadata:
-    image:
-      repository: apachepulsar/pulsar-all
-      tag: 2.6.0
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
-
-# use pulsar image
-
-images:
-  zookeeper:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-  bookie:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-  autorecovery:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-  broker:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-  functions:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-  proxy:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
-
-pulsar_metadata:
-  image:
-    repository: apachepulsar/pulsar-all
-    tag: 2.6.0
--- a/.ci/clusters/values-pulsar-manager.yaml
+++ b/.ci/clusters/values-pulsar-manager.yaml
@ -17,9 +17,5 @@
 # under the License.
 #

-set -e
-
-BINDIR=`dirname "$0"`
-CI_HOME=`cd ${BINDIR};pwd`
-
-${CI_HOME}/ct.sh -c lint
+components:
+  pulsar_manager: true
--- a/.ci/clusters/values-pulsar-previous-lts.yaml
+++ b/.ci/clusters/values-pulsar-previous-lts.yaml
@ -0,0 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+defaultPulsarImageTag: 3.0.12
--- a/.ci/clusters/values-tls.yaml
+++ b/.ci/clusters/values-tls.yaml
@ -17,51 +17,6 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false

 # enable TLS
 tls:
@ -75,7 +30,8 @@ tls:
  zookeeper:
    enabled: true

-# disable cert-manager
+# enable cert-manager
 certs:
  internal_issuer:
-    enabled: false
+    enabled: true
+    type: selfsigning
--- a/.ci/clusters/values-upgrade.yaml
+++ b/.ci/clusters/values-upgrade.yaml
@ -0,0 +1,19 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
--- a/.ci/clusters/values-victoria-metrics-grafana.yaml
+++ b/.ci/clusters/values-victoria-metrics-grafana.yaml
@ -0,0 +1,60 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+victoria-metrics-k8s-stack:
+  enabled: true
+  victoria-metrics-operator:
+    enabled: true
+  vmsingle:
+    enabled: true
+  vmagent:
+    enabled: true
+  grafana:
+    enabled: true
+    adminPassword: pulsar-ci-admin
+  prometheus-node-exporter:
+    enabled: true
+
+zookeeper:
+  podMonitor:
+    enabled: true
+
+bookkeeper:
+  podMonitor:
+    enabled: true
+
+broker:
+  podMonitor:
+    enabled: true
+    
+autorecovery:
+  podMonitor:
+    enabled: true
+
+proxy:
+  podMonitor:
+    enabled: true
+
+oxia:
+  coordinator:
+    podMonitor:
+      enabled: true
+  server:
+    podMonitor:
+      enabled: true
--- a/.ci/clusters/values-zk-tls.yaml
+++ b/.ci/clusters/values-zk-tls.yaml
@ -17,59 +17,14 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
-
 # enable TLS
 tls:
  enabled: true
  zookeeper:
    enabled: true

-# disable cert manager
+# enable cert-manager
 certs:
  internal_issuer:
-    enabled: false
+    enabled: true
+    type: selfsigning
--- a/.ci/clusters/values-zkbk-tls.yaml
+++ b/.ci/clusters/values-zkbk-tls.yaml
@ -17,52 +17,6 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
-
-# disabled AntiAffinity
-affinity:
-  anti_affinity: false
-
-# disable auto recovery and pulsar manager
-components:
-  autorecovery: false
-  pulsar_manager: false
-
-zookeeper:
-  replicaCount: 1
-
-bookkeeper:
-  replicaCount: 3
-  configData:
-    diskUsageThreshold: "0.999"
-    diskUsageWarnThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageThreshold: "0.999"
-    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
-
-broker:
-  replicaCount: 1
-  configData:
-    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
-    ## without persistence
-    autoSkipNonRecoverableData: "true"
-    # storage settings
-    managedLedgerDefaultEnsembleSize: "1"
-    managedLedgerDefaultWriteQuorum: "1"
-    managedLedgerDefaultAckQuorum: "1"
-
-proxy:
-  replicaCount: 1
-
-toolset:
-  useProxy: false
-
 # enable TLS
 tls:
  enabled: true
@ -71,7 +25,8 @@ tls:
  bookie:
    enabled: true

-# disable cert manager
+# enable cert-manager
 certs:
  internal_issuer:
-    enabled: false
+    enabled: true
+    type: selfsigning
--- a/.ci/configure_ci_runner_for_debugging.sh
+++ b/.ci/configure_ci_runner_for_debugging.sh
@ -0,0 +1,41 @@
+#!/bin/bash
+# this script is used to install tools for the GitHub Actions CI runner while debugging with ssh
+
+if [[ -z "${GITHUB_ACTIONS}" ]]; then
+    echo "Error: This script is intended to run only in GitHub Actions environment"
+    exit 1
+fi
+
+cat >> $HOME/.bashrc <<'EOF'
+function use_kind_kubeconfig() {
+    export KUBECONFIG=$(ls $HOME/kind/pulsar-ci-*/kubeconfig.yaml)
+}
+
+function kubectl() {
+    # use kind environment's kubeconfig
+    if [ -z "$KUBECONFIG" ]; then
+        use_kind_kubeconfig
+    fi
+    command kubectl "$@"
+}
+
+function k9s() {
+    # use kind environment's kubeconfig
+    if [ -z "$KUBECONFIG" ]; then
+        use_kind_kubeconfig
+    fi
+    # install k9s on the fly
+    if [ ! -x /usr/local/bin/k9s ]; then
+        echo "Installing k9s..."
+        curl -L -s https://github.com/derailed/k9s/releases/download/v0.40.5/k9s_Linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin k9s
+    fi
+    command k9s "$@"
+}
+
+alias k=kubectl
+EOF
+cat >> $HOME/.bash_profile <<'EOF'
+if [ -f ~/.bashrc ]; then
+    source ~/.bashrc
+fi
+EOF
--- a/.ci/ct.sh
+++ b/.ci/ct.sh
@ -1,167 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-#!/usr/bin/env bash
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-DEFAULT_IMAGE=quay.io/helmpack/chart-testing:v3.0.0
-
-show_help() {
-cat << EOF
-Usage: $(basename "$0") <options>
-    -h, --help          Display help
-    -i, --image         The chart-testing Docker image to use (default: quay.io/helmpack/chart-testing:v2.4.0)
-    -c, --command       The chart-testing command to run
-        --config        The path to the chart-testing config file
-        --kubeconfig    The path to the kube config file
-EOF
-}
-
-main() {
-    local image="$DEFAULT_IMAGE"
-    local config=
-    local command=
-    local kubeconfig="$HOME/.kube/config"
-
-    parse_command_line "$@"
-
-    if [[ -z "$command" ]]; then
-        echo "ERROR: '-c|--command' is required." >&2
-        show_help
-        exit 1
-    fi
-
-    run_ct_container
-    trap cleanup EXIT
-
-    local changed
-    changed=$(docker_exec ct list-changed)
-    if [[ -z "$changed" ]]; then
-        echo 'No chart changes detected.'
-        echo "::set-output name=changed::false"
-        return
-    fi
-
-    # Convenience output for other actions to make use of ct config to check if
-    # charts changed.
-    echo "::set-output name=changed::true"
-
-    # All other ct commands require a cluster to be created in a previous step.
-    if [[ "$command" != "lint" ]] && [[ "$command" != "list-changed" ]]; then
-        configure_kube
-    fi
-
-    run_ct
-}
-
-parse_command_line() {
-    while :; do
-        case "${1:-}" in
-            -h|--help)
-                show_help
-                exit
-                ;;
-            -i|--image)
-                if [[ -n "${2:-}" ]]; then
-                    image="$2"
-                    shift
-                else
-                    echo "ERROR: '-i|--image' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            -c|--command)
-                if [[ -n "${2:-}" ]]; then
-                    command="$2"
-                    shift
-                else
-                    echo "ERROR: '-c|--command' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            --config)
-                if [[ -n "${2:-}" ]]; then
-                    config="$2"
-                    shift
-                else
-                    echo "ERROR: '--config' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            --kubeconfig)
-                if [[ -n "${2:-}" ]]; then
-                    kubeconfig="$2"
-                    shift
-                else
-                    echo "ERROR: '--kubeconfig' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            *)
-                break
-                ;;
-        esac
-
-        shift
-    done
-}
-
-run_ct_container() {
-    echo 'Running ct container...'
-    local args=(run --rm --interactive --detach --network host --name ct "--volume=$(pwd):/workdir" "--workdir=/workdir")
-
-    if [[ -n "$config" ]]; then
-        args+=("--volume=$(pwd)/$config:/etc/ct/ct.yaml" )
-    fi
-
-    args+=("$image" cat)
-
-    docker "${args[@]}"
-    echo
-}
-
-configure_kube() {
-    docker_exec sh -c 'mkdir -p /root/.kube'
-    docker cp "$kubeconfig" ct:/root/.kube/config
-}
-
-run_ct() {
-    echo "Running 'ct $command'..."
-    docker_exec ct "$command"
-    echo
-}
-
-cleanup() {
-    echo 'Removing ct container...'
-    docker kill ct > /dev/null 2>&1
-    echo 'Done!'
-}
-
-docker_exec() {
-    docker exec --interactive ct "$@"
-}
-
-main "$@"
--- a/.ci/helm.sh
+++ b/.ci/helm.sh
@ -17,17 +17,42 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-
-BINDIR=`dirname "$0"`
-PULSAR_HOME=`cd ${BINDIR}/..;pwd`
+BINDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+PULSAR_HOME="$(cd "${BINDIR}/.." && pwd)"
 CHARTS_HOME=${PULSAR_HOME}
+PULSAR_CHART_LOCAL=${CHARTS_HOME}/charts/pulsar
+PULSAR_CHART_VERSION=${PULSAR_CHART_VERSION:-"local"}
 OUTPUT_BIN=${CHARTS_HOME}/output/bin
 KIND_BIN=$OUTPUT_BIN/kind
 HELM=${OUTPUT_BIN}/helm
 KUBECTL=${OUTPUT_BIN}/kubectl
 NAMESPACE=pulsar
 CLUSTER=pulsar-ci
-CLUSTER_ID=$(uuidgen)
+: ${CLUSTER_ID:=$(uuidgen)}
+K8S_LOGS_DIR="${K8S_LOGS_DIR:-/tmp/k8s-logs}"
+export PATH="$OUTPUT_BIN:$PATH"
+
+# brew package 'coreutils' is required on MacOSX
+# coreutils includes the 'timeout' command
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    brew_gnubin_packages=(coreutils)
+    if ! type -P brew &>/dev/null; then
+        echo "On MacOSX, you must install required binaries with the following command:"
+        echo "brew install" "${brew_gnubin_packages[@]}"
+        exit 1
+    fi
+    for dep in "${brew_gnubin_packages[@]}"; do
+        path_element="$(brew --prefix)/opt/${dep}/libexec/gnubin"
+        if [ ! -d "${path_element}" ]; then
+            echo "'${path_element}' is missing. Quick fix: 'brew install ${dep}'."
+            echo "On MacOSX, you must install required binaries with the following command:"
+            echo "brew install" "${brew_gnubin_packages[@]}"
+            exit 1
+        fi
+        PATH="${path_element}:$PATH"
+    done
+    export PATH
+fi

 function ci::create_cluster() {
    echo "Creating a kind cluster ..."
@ -41,21 +66,6 @@ function ci::delete_cluster() {
    echo "Successfully delete a kind cluster."
 }

-function ci::install_storage_provisioner() {
-    echo "Installing the local storage provisioner ..."
-    ${HELM} repo add streamnative https://charts.streamnative.io
-    ${HELM} repo update
-    ${HELM} install local-storage-provisioner streamnative/local-storage-provisioner
-    WC=$(${KUBECTL} get pods --field-selector=status.phase=Running | grep local-storage-provisioner | wc -l)
-    while [[ ${WC} -lt 1 ]]; do
-      echo ${WC};
-      sleep 15
-      ${KUBECTL} get pods --field-selector=status.phase=Running
-      WC=$(${KUBECTL} get pods --field-selector=status.phase=Running | grep local-storage-provisioner | wc -l)
-    done
-    echo "Successfully installed the local storage provisioner."
-}
-
 function ci::install_cert_manager() {
    echo "Installing the cert-manager ..."
    ${KUBECTL} create namespace cert-manager
@ -65,32 +75,126 @@ function ci::install_cert_manager() {
      echo ${WC};
      sleep 15
      ${KUBECTL} get pods -n cert-manager
+      ${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
      WC=$(${KUBECTL} get pods -n cert-manager --field-selector=status.phase=Running | wc -l)
    done
    echo "Successfully installed the cert manager."
 }

-function ci::install_pulsar_chart() {
-    local value_file=$1
-    local extra_opts=$2
+function ci::helm_repo_add() {
+    echo "Adding the helm repo ..."
+    ${HELM} repo add prometheus-community https://prometheus-community.github.io/helm-charts
+    ${HELM} repo add vm https://victoriametrics.github.io/helm-charts/
+    ${HELM} repo update
+    echo "Successfully added the helm repo."
+}

+function ci::print_pod_logs() {
+    echo "Logs for all containers:"
+    for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -o=name); do
+      ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --tail=100 || true
+    done;
+}
+
+function ci::collect_k8s_logs() {
+    mkdir -p "${K8S_LOGS_DIR}" && cd "${K8S_LOGS_DIR}"
+    echo "Collecting k8s logs to ${K8S_LOGS_DIR}"
+    for k8sobject in $(${KUBECTL} get pods,jobs -n ${NAMESPACE} -o=name); do
+      filebase="${k8sobject//\//_}"
+      ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true > "${filebase}.$$.log.txt" || true
+      ${KUBECTL} logs -n ${NAMESPACE} "$k8sobject" --all-containers=true --ignore-errors=true --prefix=true --previous=true > "${filebase}.previous.$$.log.txt" || true
+    done;
+    ${KUBECTL} get events --sort-by=.lastTimestamp -A > events.$$.log.txt || true
+    ${KUBECTL} get events --sort-by=.lastTimestamp -A -o yaml > events.$$.log.yaml || true
+    ${KUBECTL} get -n ${NAMESPACE} all -o yaml > k8s_resources.$$.yaml || true
+}
+
+function ci::install_pulsar_chart() {
+    local install_type=$1
+    local common_value_file=$2
+    local value_file=$3
+    shift 3
+    local extra_values=()
+    local extra_opts=()
+    local values_next=false
+    for arg in "$@"; do
+        if [[ "$arg" == "--values" || "$arg" == "--set" ]]; then
+            extra_values+=("$arg")
+            values_next=true
+        elif [[ "$values_next" == true ]]; then
+            extra_values+=("$arg")
+            values_next=false
+        else
+            extra_opts+=("$arg")
+        fi
+    done
+    local install_args
+
+    if [[ "${install_type}" == "install" ]]; then
      echo "Installing the pulsar chart"
      ${KUBECTL} create namespace ${NAMESPACE}
-    echo ${CHARTS_HOME}/scripts/pulsar/prepare_helm_release.sh -k ${CLUSTER} -n ${NAMESPACE} ${extra_opts}
-    ${CHARTS_HOME}/scripts/pulsar/prepare_helm_release.sh -k ${CLUSTER} -n ${NAMESPACE} ${extra_opts}
-    ${CHARTS_HOME}/scripts/pulsar/upload_tls.sh -k ${CLUSTER} -n ${NAMESPACE} -d ${PULSAR_HOME}/.ci/tls
+      ci::install_cert_manager
+      echo ${CHARTS_HOME}/scripts/pulsar/prepare_helm_release.sh -k ${CLUSTER} -n ${NAMESPACE} "${extra_opts[@]}"
+      ${CHARTS_HOME}/scripts/pulsar/prepare_helm_release.sh -k ${CLUSTER} -n ${NAMESPACE} "${extra_opts[@]}"
      sleep 10

-    echo ${HELM} install --set initialize=true --values ${value_file} ${CLUSTER} ${CHARTS_HOME}/charts/pulsar
-    ${HELM} template --values ${value_file} ${CLUSTER} ${CHARTS_HOME}/charts/pulsar
-    ${HELM} install --set initialize=true --values ${value_file} --namespace=${NAMESPACE} ${CLUSTER} ${CHARTS_HOME}/charts/pulsar
+      # install metallb for loadbalancer support
+      # following instructions from https://kind.sigs.k8s.io/docs/user/loadbalancer/
+      ${KUBECTL} apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.12/config/manifests/metallb-native.yaml
+      # wait until metallb is ready
+      ${KUBECTL} wait --namespace metallb-system \
+                --for=condition=ready pod \
+                --selector=app=metallb \
+                --timeout=120s
+      # configure metallb
+      ${KUBECTL} apply -f ${BINDIR}/metallb/metallb-config.yaml
+      install_args=""

+      # create auth resources
+      if [[ "x${AUTHENTICATION_PROVIDER}" == "xopenid" ]]; then
+          ci::create_openid_resources
+      fi
+    else
+      install_args="--wait --wait-for-jobs --timeout 360s --debug"
+    fi
+
+    CHART_ARGS=""
+    if [[ "${PULSAR_CHART_VERSION}" == "local" ]]; then
+      set -x
+      ${HELM} dependency update ${PULSAR_CHART_LOCAL}
+      set +x
+      CHART_ARGS="${PULSAR_CHART_LOCAL}"
+    else
+      set -x
+      ${HELM} repo add apache https://pulsar.apache.org/charts
+      set +x
+      CHART_ARGS="apache/pulsar --dependency-update"
+      if [[ "${PULSAR_CHART_VERSION}" != "latest" ]]; then
+        CHART_ARGS="${CHART_ARGS} --version ${PULSAR_CHART_VERSION}"
+      fi
+    fi
+    set -x
+    ${HELM} template --values ${common_value_file} --values ${value_file} "${extra_values[@]}" ${CLUSTER} ${CHART_ARGS}
+    ${HELM} ${install_type} --values ${common_value_file} --values ${value_file} "${extra_values[@]}" --namespace=${NAMESPACE} ${CLUSTER} ${CHART_ARGS} ${install_args}
+    set +x
+
+    if [[ "${install_type}" == "install" ]]; then
      echo "wait until broker is alive"
      WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep ${CLUSTER}-broker | wc -l)
+      counter=1
      while [[ ${WC} -lt 1 ]]; do
+        ((counter++))
        echo ${WC};
        sleep 15
-      ${KUBECTL} get pods -n ${NAMESPACE}
+        ${KUBECTL} get pods,jobs -n ${NAMESPACE}
+        ${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
+        if [[ $((counter % 20)) -eq 0 ]]; then
+          ci::print_pod_logs
+          if [[ $counter -gt 100 ]]; then
+            echo >&2 "Timeout waiting..."
+            exit 1
+          fi
+        fi
        WC=$(${KUBECTL} get pods -n ${NAMESPACE} | grep ${CLUSTER}-broker | wc -l)
        if [[ ${WC} -gt 1 ]]; then
          ${KUBECTL} describe pod -n ${NAMESPACE} pulsar-ci-broker-0
@ -98,67 +202,386 @@ function ci::install_pulsar_chart() {
        fi
        WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep ${CLUSTER}-broker | wc -l)
      done
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done'
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -L http://pulsar-ci-broker:8080/status.html)" == "OK" ]; do sleep 3; done'
+      timeout 300s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }
+      timeout 120s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -s -L http://pulsar-ci-broker:8080/status.html)" == "OK" ]; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }

      WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep ${CLUSTER}-proxy | wc -l)
+      counter=1
      while [[ ${WC} -lt 1 ]]; do
+        ((counter++))
        echo ${WC};
        sleep 15
-      ${KUBECTL} get pods -n ${NAMESPACE}
+        ${KUBECTL} get pods,jobs -n ${NAMESPACE}
+        ${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
+        if [[ $((counter % 8)) -eq 0 ]]; then
+          ci::print_pod_logs
+          if [[ $counter -gt 16 ]]; then
+            echo >&2 "Timeout waiting..."
+            exit 1
+          fi
+        fi
        WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep ${CLUSTER}-proxy | wc -l)
      done
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-proxy; do sleep 3; done'
-    # ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -L http://pulsar-ci-proxy:8080/status.html)" == "OK" ]; do sleep 3; done'
+      timeout 300s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-proxy; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }
+      echo "Install complete"
+    else
+      echo "wait until broker is alive"
+      timeout 300s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }
+      timeout 120s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until [ "$(curl -s -L http://pulsar-ci-broker:8080/status.html)" == "OK" ]; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }
+      echo "wait until proxy is alive"
+      timeout 300s ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-proxy; do sleep 3; done' || { echo >&2 "Timeout waiting..."; ci::print_pod_logs; exit 1; }
+      echo "Upgrade complete"
+    fi
 }

-function ci::test_pulsar_producer() {
-    sleep 120
+helm_values_cached=""
+
+function ci::helm_values_for_deployment() {
+    if [[ -z "${helm_values_cached}" ]]; then
+        helm_values_cached=$(helm get values -n ${NAMESPACE} ${CLUSTER} -a -o yaml)
+    fi
+    printf "%s" "${helm_values_cached}"
+}
+
+function ci::check_pulsar_environment() {
+    echo "Wait until pulsar-ci-broker is ready"
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done'
+    echo "Wait until pulsar-ci-proxy is ready"
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-proxy; do sleep 3; done'
+    echo "bookie-0 disk usage"
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-bookie-0 -- df -h
+    echo "bookie-0 bookkeeper.conf"
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-bookie-0 -- cat conf/bookkeeper.conf
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -rw
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -ro
+    echo "bookie-0 bookies list (rw)"
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -rw | grep ListBookiesCommand
+    echo "bookie-0 bookies list (ro)"
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -ro | grep ListBookiesCommand
+}
+
+# function to retry a given commend 3 times with a backoff of 10 seconds in between
+function ci::retry() {
+  local n=1
+  local max=3
+  local delay=10
+  while true; do
+    "$@" && break || {
+      if [[ $n -lt $max ]]; then
+        ((n++))
+        echo "::warning::Command failed. Attempt $n/$max:"
+        sleep $delay
+      else
+        fail "::error::The command has failed after $n attempts."
+      fi
+    }
+  done
+}
+
+function ci::test_pulsar_admin_api_access() {
+  echo "Test pulsar admin api access"
+  ci::retry ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin tenants list
+}
+
+function ci::test_create_test_namespace() {
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin tenants create pulsar-ci
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin namespaces create pulsar-ci/test
+}
+
+function ci::test_pulsar_producer_consumer() {
+    action="${1:-"produce-consume"}"
+    echo "Testing with ${action}"
+    if [[ "$(ci::helm_values_for_deployment | yq .tls.proxy.enabled)" == "true" ]]; then
+      PROXY_URL="pulsar+ssl://pulsar-ci-proxy:6651"
+    else
+      PROXY_URL="pulsar://pulsar-ci-proxy:6650"
+    fi
+    set -x
+    if [[ "${action}" == "produce" || "${action}" == "produce-consume" ]]; then
+      ci::test_create_test_namespace
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create pulsar-ci/test/test-topic
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test pulsar-ci/test/test-topic
      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m "test-message" pulsar-ci/test/test-topic
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test2 pulsar-ci/test/test-topic
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" produce -m "test-message2" pulsar-ci/test/test-topic
+    fi
+    if [[ "${action}" == "consume" || "${action}" == "produce-consume" ]]; then
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client consume -s test pulsar-ci/test/test-topic
+      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client --url "${PROXY_URL}" consume -s test2 pulsar-ci/test/test-topic
+    fi
+    set +x
 }

 function ci::wait_function_running() {
-    num_running=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions status --tenant pulsar-ci --namespace test --name test-function | bin/jq .numRunning') 
+    num_running=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions status --tenant pulsar-ci --namespace test --name test-function' | jq .numRunning)
+    counter=1
    while [[ ${num_running} -lt 1 ]]; do
-      echo ${num_running}
+      ((counter++))
+      if [[ $counter -gt 6 ]]; then
+        echo >&2 "Timeout waiting..."
+        return 1
+      fi
+      echo "Waiting 15 seconds for function to be running"
      sleep 15
-      ${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running
-      num_running=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions status --tenant pulsar-ci --namespace test --name test-function | bin/jq .numRunning') 
+      ${KUBECTL} get pods -n ${NAMESPACE} -l component=function || true
+      ${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
+      podname=$(${KUBECTL} get pods -l component=function -n ${NAMESPACE} --no-headers -o custom-columns=":metadata.name") || true
+      if [[ -n "$podname" ]]; then
+        echo "Function pod is $podname"
+        ${KUBECTL} describe pod -n ${NAMESPACE} $podname
+        echo "Function pod logs"
+        ${KUBECTL} logs -n ${NAMESPACE} $podname
+      fi
+      num_running=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions status --tenant pulsar-ci --namespace test --name test-function' | jq .numRunning)
    done
 }

 function ci::wait_message_processed() {
-    num_processed=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions stats --tenant pulsar-ci --namespace test --name test-function | bin/jq .processedSuccessfullyTotal') 
+    num_processed=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions stats --tenant pulsar-ci --namespace test --name test-function' | jq .processedSuccessfullyTotal)
+    podname=$(${KUBECTL} get pods -l component=function -n ${NAMESPACE} --no-headers -o custom-columns=":metadata.name")
+    counter=1
    while [[ ${num_processed} -lt 1 ]]; do
-      echo ${num_processed}
+      ((counter++))
+      if [[ $counter -gt 6 ]]; then
+        echo >&2 "Timeout waiting..."
+        return 1
+      fi
+      echo "Waiting 15 seconds for message to be processed"
      sleep 15
+      echo "Function pod is $podname"
+      ${KUBECTL} describe pod -n ${NAMESPACE} $podname
+      echo "Function pod logs"
+      ${KUBECTL} logs -n ${NAMESPACE} $podname
      ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin functions stats --tenant pulsar-ci --namespace test --name test-function
-      num_processed=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions stats --tenant pulsar-ci --namespace test --name test-function | bin/jq .processedSuccessfullyTotal') 
+      num_processed=$(${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'bin/pulsar-admin functions stats --tenant pulsar-ci --namespace test --name test-function' | jq .processedSuccessfullyTotal)
    done
 }

 function ci::test_pulsar_function() {
-    sleep 120
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-broker; do sleep 3; done'
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bash -c 'until nslookup pulsar-ci-proxy; do sleep 3; done'
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-bookie-0 -- df -h
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -rw
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/bookkeeper shell listbookies -ro
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- curl --retry 10 -L -o bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
-    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- chmod +x bin/jq
+    echo "Testing functions"
+    echo "Creating function"
    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin functions create --tenant pulsar-ci --namespace test --name test-function --inputs "pulsar-ci/test/test_input" --output "pulsar-ci/test/test_output" --parallelism 1 --classname org.apache.pulsar.functions.api.examples.ExclamationFunction --jar /pulsar/examples/api-examples.jar
-
+    echo "Creating subscription for output topic"
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-admin topics create-subscription -s test pulsar-ci/test/test_output
+    echo "Waiting for function to be ready"
    # wait until the function is running
-    # TODO: re-enable function test
-    # ci::wait_function_running
-    # ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m "hello pulsar function!" pulsar-ci/test/test_input
-    # ci::wait_message_processed
+    ci::wait_function_running
+    echo "Sending input message"
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client produce -m 'hello pulsar function!' pulsar-ci/test/test_input
+    echo "Waiting for message to be processed"
+    ci::wait_message_processed
+    echo "Consuming output message"
+    ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-toolset-0 -- bin/pulsar-client consume -s test pulsar-ci/test/test_output
 }
+
+function ci::test_pulsar_manager() {
+  echo "Testing pulsar manager"
+
+  until ${KUBECTL} get jobs -n ${NAMESPACE} ${CLUSTER}-pulsar-manager-init -o json | jq -r '.status.conditions[] | select (.type | test("Complete")).status' | grep True; do sleep 3; done
+  ${KUBECTL} describe job -n ${NAMESPACE} ${CLUSTER}-pulsar-manager-init
+  ${KUBECTL} logs -n ${NAMESPACE} job.batch/${CLUSTER}-pulsar-manager-init
+  ${KUBECTL} exec -n ${NAMESPACE} ${CLUSTER}-pulsar-manager-0 -- cat /pulsar-manager/pulsar-manager.log
+  echo "Checking Podname"
+  podname=$(${KUBECTL} get pods -n ${NAMESPACE} -l component=pulsar-manager --no-headers -o custom-columns=":metadata.name")
+  echo "Getting pulsar manager UI password"
+  PASSWORD=$(${KUBECTL} get secret -n ${NAMESPACE} -l component=pulsar-manager -o=jsonpath="{.items[0].data.UI_PASSWORD}" | base64 --decode)
+
+  echo "Getting CSRF_TOKEN"
+  CSRF_TOKEN=$(${KUBECTL} exec -n ${NAMESPACE} ${podname} -- curl http://127.0.0.1:7750/pulsar-manager/csrf-token)
+
+  echo "Performing login"
+  ${KUBECTL} exec -n ${NAMESPACE} ${podname} -- curl -X POST http://127.0.0.1:9527/pulsar-manager/login \
+                                                 -H 'Accept: application/json, text/plain, */*' \
+                                                 -H 'Content-Type: application/json' \
+                                                 -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
+                                                 -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN" \
+                                                 -sS -D headers.txt \
+                                                 -d '{"username": "pulsar", "password": "'${PASSWORD}'"}'
+  LOGIN_TOKEN=$(${KUBECTL} exec -n ${NAMESPACE} ${podname} -- grep "token:" headers.txt | sed 's/^.*: //')
+  LOGIN_JSESSIONID=$(${KUBECTL} exec -n ${NAMESPACE} ${podname} -- grep -o "JSESSIONID=[a-zA-Z0-9_]*" headers.txt | sed 's/^.*=//')
+
+  echo "Checking environment"
+  envs=$(${KUBECTL} exec -n ${NAMESPACE} ${podname} -- curl -X GET http://127.0.0.1:9527/pulsar-manager/environments \
+                  -H 'Content-Type: application/json' \
+                  -H "token: $LOGIN_TOKEN" \
+                  -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
+                  -H "username: pulsar" \
+                  -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN; JSESSIONID=$LOGIN_JSESSIONID;")
+  echo "$envs"
+  number_of_envs=$(echo $envs | jq '.total')
+  if [ "$number_of_envs" -ne 1 ]; then
+    echo "Error: Did not find expected environment"
+    exit 1
+  fi
+
+  # Force manager to query broker for tenant info. This will require use of the manager's JWT, if JWT authentication is enabled.
+  echo "Checking tenants"
+  pulsar_env=$(echo $envs | jq -r '.data[0].name')
+  tenants=$(${KUBECTL} exec -n ${NAMESPACE} ${podname} -- curl -X GET http://127.0.0.1:9527/pulsar-manager/admin/v2/tenants \
+                  -H 'Content-Type: application/json' \
+                  -H "token: $LOGIN_TOKEN" \
+                  -H "X-XSRF-TOKEN: $CSRF_TOKEN" \
+                  -H "username: pulsar" \
+                  -H "tenant: pulsar" \
+                  -H "environment: ${pulsar_env}" \
+                  -H "Cookie: XSRF-TOKEN=$CSRF_TOKEN; JSESSIONID=$LOGIN_JSESSIONID;")
+  echo "$tenants"
+  number_of_tenants=$(echo $tenants | jq '.total')
+  if [ "$number_of_tenants" -lt 1 ]; then
+    echo "Error: Found no tenants!"
+    exit 1
+  fi
+}
+
+function ci::check_loadbalancers() {
+  (
+  set +e
+  ${KUBECTL} get services -n ${NAMESPACE} | grep LoadBalancer
+  if [ $? -eq 0 ]; then
+    echo "Error: Found service with type LoadBalancer. This is not allowed because of security reasons."
+    exit 1
+  fi
+  exit 0
+  )
+}
+
+function ci::validate_kustomize_yaml() {
+  # if kustomize is not installed, install kustomize to a temp directory
+  if ! command -v kustomize &> /dev/null; then
+    KUSTOMIZE_VERSION=5.6.0
+    KUSTOMIZE_DIR=$(mktemp -d)
+    echo "Installing kustomize ${KUSTOMIZE_VERSION} to ${KUSTOMIZE_DIR}"
+    curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s ${KUSTOMIZE_VERSION} ${KUSTOMIZE_DIR}
+    export PATH=${KUSTOMIZE_DIR}:$PATH
+  fi
+  # prevent regression of https://github.com/apache/pulsar-helm-chart/issues/569
+  local kustomize_yaml_dir=$(mktemp -d)
+  cp ${PULSAR_HOME}/.ci/kustomization.yaml ${kustomize_yaml_dir}
+  PULSAR_HOME=${PULSAR_HOME} yq -i '.helmGlobals.chartHome = env(PULSAR_HOME) + "/charts"' ${kustomize_yaml_dir}/kustomization.yaml
+  failures=0
+  # validate zookeeper init
+  echo "Validating kustomize yaml output with zookeeper init"
+  _ci::validate_kustomize_yaml ${kustomize_yaml_dir} || ((failures++))
+  # validate oxia init
+  yq -i '.helmCharts[0].valuesInline.components += {"zookeeper": false, "oxia": true}' ${kustomize_yaml_dir}/kustomization.yaml
+  echo "Validating kustomize yaml output with oxia init"
+  _ci::validate_kustomize_yaml ${kustomize_yaml_dir} || ((failures++)) 
+  if [ $failures -gt 0 ]; then
+    exit 1
+  fi
+}
+
+function _ci::validate_kustomize_yaml() {
+  local kustomize_yaml_dir=$1
+  kustomize build --enable-helm --helm-kube-version 1.23.0 --load-restrictor=LoadRestrictionsNone ${kustomize_yaml_dir} | yq 'select(.spec.template.spec.containers[0].args != null) | .spec.template.spec.containers[0].args' | \
+  awk '{
+    if (prev_line ~ /\\$/ && $0 ~ /^$/) {
+      print "Found issue: backslash at end of line followed by empty line. Must use pipe character for multiline strings to support kustomize due to kubernetes-sigs/kustomize#4201.";
+      print "Line: " prev_line;
+      has_issue = 1;
+    }
+    prev_line = $0;
+  }
+  END {
+    if (!has_issue) {
+      print "No issues found: no backslash followed by empty line";
+      exit 0;
+    }
+    exit 1;
+  }'
+}
+
+# Create all resources needed for openid authentication
+function ci::create_openid_resources() {
+
+  echo "Creating openid resources"
+
+  cp ${PULSAR_HOME}/.ci/auth/keycloak/0-realm-pulsar-partial-export.json /tmp/realm-pulsar.json
+
+  for component in broker proxy admin manager; do
+
+    echo "Creating openid resources for ${component}"
+
+    local client_id=pulsar-${component}
+
+    # Github action hang up when read string from /dev/urandom, so use python to generate a random string
+    local client_secret=$(python -c "import secrets; import string; length = 32; random_string = ''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length)); print(random_string);")
+
+    if [[ "${component}" == "admin" ]]; then
+      local sub_claim_value="admin"
+    else
+      local sub_claim_value="${component}-admin"
+    fi
+
+    # Create the client credentials file
+    jq -n --arg CLIENT_ID $client_id --arg CLIENT_SECRET "$client_secret" -f ${PULSAR_HOME}/.ci/auth/oauth2/credentials_file.json > /tmp/${component}-credentials_file.json
+
+    # Create the secret for the client credentials
+    local secret_name="pulsar-${component}-credentials"
+    ${KUBECTL} create secret generic ${secret_name} --from-file=credentials_file.json=/tmp/${component}-credentials_file.json -n ${NAMESPACE}
+
+    # Create the keycloak client file
+    jq -n --arg CLIENT_ID $client_id --arg CLIENT_SECRET "$client_secret" --arg SUB_CLAIM_VALUE "$sub_claim_value" -f ${PULSAR_HOME}/.ci/auth/keycloak/1-client-template.json > /tmp/${component}-keycloak-client.json
+
+    # Merge the keycloak client file with the realm
+    jq '.clients += [input]' /tmp/realm-pulsar.json /tmp/${component}-keycloak-client.json > /tmp/realm-pulsar.json.tmp
+    mv /tmp/realm-pulsar.json.tmp /tmp/realm-pulsar.json
+
+  done
+
+  echo "Create keycloak realm configuration"
+  ${KUBECTL} create secret generic keycloak-ci-realm-config --from-file=realm-pulsar.json=/tmp/realm-pulsar.json -n ${NAMESPACE}
+
+  echo "Installing keycloak helm chart"
+  ${HELM} install keycloak-ci oci://registry-1.docker.io/bitnamicharts/keycloak --version 24.6.4 --values ${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
+
+  echo "Wait until keycloak is running"
+  WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+  counter=1
+  while [[ ${WC} -lt 1 ]]; do
+    ((counter++))
+    echo ${WC};
+    sleep 15
+    ${KUBECTL} get pods,jobs -n ${NAMESPACE}
+    ${KUBECTL} get events --sort-by=.lastTimestamp -A | tail -n 30 || true
+    if [[ $((counter % 20)) -eq 0 ]]; then
+      ci::print_pod_logs
+      if [[ $counter -gt 100 ]]; then
+        echo >&2 "Timeout waiting..."
+        exit 1
+      fi
+    fi
+    WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+  done
+
+  echo "Wait until keycloak is ready"
+  ${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-0 -n ${NAMESPACE} --timeout 180s
+
+  echo "Check keycloack realm pulsar issuer url"
+  ${KUBECTL} exec -n ${NAMESPACE} keycloak-ci-0 -c keycloak -- bash -c 'curl -sSL http://keycloak-ci-headless:8080/realms/pulsar'
+
+}
+
+# lists all available functions in this tool
+function ci::list_functions() {
+  declare -F | awk '{print $NF}' | sort | grep -E '^ci::' | sed 's/^ci:://'
+}
+
+# Only run this section if the script is being executed directly (not sourced)
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  if [ -z "$1" ]; then
+    echo "usage: $0 [function_name]"
+    echo "Available functions:"
+    ci::list_functions
+    exit 1
+  fi
+  ci_function_name="ci::$1"
+  shift
+  if [[ "$(LC_ALL=C type -t "${ci_function_name}")" == "function" ]]; then
+    eval "$ci_function_name" "$@"
+    exit $?
+  else
+    echo "Invalid ci function"
+    echo "Available functions:"
+    ci::list_functions
+    exit 1
+  fi
+fi
--- a/.ci/kustomization.yaml
+++ b/.ci/kustomization.yaml
@ -0,0 +1,32 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmGlobals:
+  chartHome: ../charts
+helmCharts:
+  - name: pulsar
+    releaseName: pulsar
+    valuesInline:
+      victoria-metrics-k8s-stack:
+        enabled: false
+      components:
+        pulsar_manager: true
+        zookeeper: true
--- a/.ci/metallb/metallb-config.yaml
+++ b/.ci/metallb/metallb-config.yaml
@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: example
+  namespace: metallb-system
+spec:
+  addresses:
+  - 172.19.255.200-172.19.255.250
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: empty
+  namespace: metallb-system
--- a/.ci/release.sh
+++ b/.ci/release.sh
@ -1,115 +0,0 @@
-#!/usr/bin/env bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-BINDIR=`dirname "$0"`
-CHARTS_HOME=`cd ${BINDIR}/..;pwd`
-CHARTS_PKGS=${CHARTS_HOME}/.chart-packages
-CHARTS_INDEX=${CHARTS_HOME}/.chart-index
-CHARTS_REPO=${CHARTS_REPO:-"https://pulsar.apache.org/charts/"}
-OWNER=${OWNER:-apache}
-REPO=${REPO:-pulsar-helm-chart}
-PUBLISH_CHARTS=${PUBLISH_CHARTS:-"false"}
-
-# hack/common.sh need this variable to be set
-PULSAR_CHART_HOME=${CHARTS_HOME}
-
-source ${CHARTS_HOME}/hack/common.sh
-source ${CHARTS_HOME}/.ci/git.sh
-
-# allow overwriting cr binary
-CR="docker run -v ${CHARTS_HOME}:/cr quay.io/helmpack/chart-releaser:v${CR_VERSION} cr"
-
-function release::ensure_dir() {
-    local dir=$1
-    if [[ -d ${dir} ]]; then
-        rm -rf ${dir}
-    fi
-    mkdir -p ${dir}
-}
-
-function release::find_changed_charts() {
-    local charts_dir=$1
-    echo $(git diff --find-renames --name-only "$latest_tag_rev" -- ${charts_dir} | cut -d '/' -f 2 | uniq)
-}
-
-function release::package_chart() {
-    local chart=$1
-    echo "Packaging chart '$chart'..."
-    helm package ${CHARTS_HOME}/charts/$chart --destination ${CHARTS_PKGS}
-}
-
-function release::upload_packages() {
-    ${CR} upload --owner ${OWNER} --git-repo ${REPO} -t ${GITHUB_TOKEN} --package-path /cr/.chart-packages
-}
-
-function release::update_chart_index() {
-    ${CR} index -o ${OWNER} -r ${REPO} -t "${GITHUB_TOKEN}" -c ${CHARTS_REPO} --index-path /cr/.chart-index --package-path /cr/.chart-packages
-}
-
-function release::git_setup() {
-  git config --global user.email "dev@pulsar.apache.org"
-  git config --global user.name "Apache Pulsar Team"
-}
-
-function release::publish_charts() {
-    release::git_setup
-    git clone https://${GITHUB_TOKEN}@github.com/apache/pulsar
-    cd pulsar
-    git checkout asf-site
-    mkdir -p content/charts
-    cp --force ${CHARTS_INDEX}/index.yaml content/charts/index.yaml
-    git add content/charts/index.yaml
-    ls content/charts
-    git commit --message="Publish new charts to ${CHARTS_REPO}" --signoff
-    if [[ "x${PUBLISH_CHARTS}" == "xtrue" ]]; then
-      git push --set-upstream origin asf-site
-    else
-      git push --dry-run --set-upstream origin asf-site
-    fi
-}
-
-# install cr
-# hack::ensure_cr
-docker pull quay.io/helmpack/chart-releaser:v${CR_VERSION}
-
-latest_tag=$(git::find_latest_tag)
-echo "Latest tag: $latest_tag"
-
-latest_tag_rev=$(git::get_revision "$latest_tag")
-echo "$latest_tag_rev $latest_tag (latest tag)"
-
-head_rev=$(git::get_revision HEAD)
-echo "$head_rev HEAD"
-
-if [[ "$latest_tag_rev" == "$head_rev" ]]; then
-    echo "Do nothing. Exiting ..."
-    exit
-fi
-
-release::ensure_dir ${CHARTS_PKGS}
-release::ensure_dir ${CHARTS_INDEX}
-
-for chart in $(release::find_changed_charts charts); do
-    release::package_chart ${chart}
-done
-
-release::upload_packages
-release::update_chart_index
-release::publish_charts
--- a/.ci/tls/certs/ca.cert.pem
+++ b/.ci/tls/certs/ca.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF6DCCA9CgAwIBAgIJALU82Re66PvtMA0GCSqGSIb3DQEBCwUAMIGAMQswCQYD
-VQQGEwJVUzEWMBQGA1UECAwNU2FuIEZyYW5jaXNjbzEWMBQGA1UEBwwNU2FuIEZy
-YW5jaXNjbzEVMBMGA1UECgwMU3RyZWFtTmF0aXZlMRYwFAYDVQQLDA1JVCBEZXBh
-cnRtZW50MRIwEAYDVQQDDAlwdWxzYXItY2kwHhcNMjAwMzI5MjEwMzA5WhcNNDAw
-MzI0MjEwMzA5WjCBgDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lz
-Y28xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDFN0cmVhbU5hdGl2
-ZTEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDESMBAGA1UEAwwJcHVsc2FyLWNpMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApndiefjivlz7+UNm/245iZ+o
-muNufYw5KTm3mVwg87IJ9897h04j/M0ZRQq6BYnSMMhRBJO+jFjmDPWT51qApfTR
-M7+3sNdrVpXeTS21UI4Z4Mfp7pNNWWXd1mrtfqQ+qKZrAzK8i2ce+31uOfv/hZ9t
-hT6A16lC+xiM0QFgmOMZ5rfIhnz900wHaDli/4+PmydbYRHBbmG5R+LfzSgYJfly
-PcKbZn4TeJgvEQWR/BTugSjuah0yEzqIfrC5OuBypOInnH+08slcj9JU1zoA2Idy
-rt14GwLdJjoyT5YfvhWir3fRJh7PKZHjIC4W/SLqLWxwLEUzUzjFu8Vlv63rLvbQ
-WM5OdiHlO0vDU30FltNubDrg0Xf4W4WnKkJ/j/vb5r/Gwe4iqoMbdH6SfK270HCk
-P8S90Mgwfvm89KS5qJQNGizuCnAFNK4kTLlPMosQVkol4C7rH0svZLBcVgwZmtq5
-O1+zznEe9Sxy0ne1SXRcCfP8+lOis/LDRqtTO+rzHdfH7+kyiQvn3Wq69AMbyEmz
-ltTOzv8VAEUGvSq4MaLPT+SnqODk9/ZAAEoyjnRqTxDd7dONqj7xc2T7Qa1iqYw1
-fm9LG3AKUnJ91Wk/vZ9TlfJ6Heb/NkgZfvByf1NvKDL4oergQXtMn9ZbSFAy87ge
-OnsqotIv9K+CMJYQaPcCAwEAAaNjMGEwHQYDVR0OBBYEFAXVbjo175vQXn9g0za3
-eFVTNKi1MB8GA1UdIwQYMBaAFAXVbjo175vQXn9g0za3eFVTNKi1MA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQB+wBxJ
-u7fpSCoEy6WITUS6D++3ZjpbqrkcJZfKE4bFcEuzKRhsJqLJPBHrvjRBnHoJ37Zx
-5v641IKOkAxOqmIYwDSD6xEZde4wjZX25cDb+34vj7KwM5V9rs+8bdXZwhU4l5sX
-P2wudfortX/L+oBczEOaS9qF7ZdAx20v0PL4X0ExiKFLmlTJdqCMWYwGFoDExWmP
-lySfQYo8y/0uxfn5fxqYQB2aG2uMPgZlrL4IdM9YvvJJ3tSTcs7se1/BdhjA1rso
-j8oZXi1xGhB565iFMHaHIDzfnG8tsrkdVknWtLJZjmZPFYYFxyqaSFQ+529CTEOY
-DNrdR7VECO3uDdgF5yGX08txoHXHCAUpZFKy6kE2F66bASLzkk4/trAbHuENcKAO
-FJ0+QP+DFGqpDkJvbEwn3OsDosNW7LSEJkTmEH/qT5ayN6RLXyhMAle8uXo868t7
-572vn6aOC1TkQTqtmytZe6DFs+xKnabwLvV91ZWL0LzR2VHBdWglhrrf7m39aKoI
-vsm8GgbG3uBA+E71p0TryEhiAZ1ypvbppWbXpuqCqhfCmfkp8U+2O1vdGN6189Nz
-pmA78rTNiyUfMpsrgiDovK2v0yDLr7ggMQdA1/JTINBf4sFxx9/auirOZizGSQyF
-FFb5n0Nhu7AJwT42rN6wPquzFEXqwkCjWbXMew==
-----END CERTIFICATE-----
--- a/.ci/tls/private/ca.key.pem
+++ b/.ci/tls/private/ca.key.pem
@ -1,54 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,85FB9A73260E703BFA595C60A73CC7F8
-
-eurjR7bYyu7RcI5TCnaPW9c7CH4CDOr0FFWzQMkzFrA+RnzRIGRK48GPUDVxrjFR
-MVzLQ+k8c7uCXbPLhPlhLsUi/eIDKOAGHQZ2yNJ7P009L34R4mvPoIbuAigvhUdh
-lZQ4dSU92JnpY/wlJc3ICZDC1d7tgD206tqfTOGD9csyGEHwtunjvIscFfRNndse
-HLjH8YWZnhbN8L6qItZQT88gCQWTE/LfAExV2PCUjMy5enFw49+IrxSEM4UHjuXh
-W6FwjGHR5U9rLAn/y0C6r8VgDrW3S3rG/3NeXR5v6k51Ju2ngdb+5rs7FW5PIf2O
-lxIvLnQ3p31rOArmL307H52/WWLUKu2vMBJOFtVBNVlcdFBdqUMpo4tpd4jsbbLG
-2/hpe5Ym/u132E+y8LJWpREjmzK5j0lYzR9awQPavc3oZ3I4oSCL4xwZvHfmwjL0
-LmNYBuL/nfrPZwDzPTFDzsrNCnUiJvxjzVEWOl/dWrUbD7tGFCihr17TajnF2lQZ
-stFdcmg7JoAcujkb5KnhPeDDBCfS4wNW2YQwBdDEblJBxzwEThwRjfgMACs9cZ/I
-2iNOII5gCsmUWQFTb45kI1OQz+LO7y+6J8rV1h+PjjSzlFZpjc/Sv1LnS9LzaF7a
-i/wubGg2ENCBZ3g4rwHK07RVGes5nuM2e0JY7IaxddDDLFpVZosGh8MlBsqGnAc6
-nw9h/cftvqmn7aKljS7f0PCCfeKp5q9xIxwE1auaq1WGZTIx9ToKpY677VmoOCuj
-sHVUusCTqUQrvTsfHdPF0Wjay+/fYVtCl/WKNrl0ZSq+7Sijh/VSofxSDmVWWvd5
-Z/lH9t1CJhnbXVB4eYfmzAdvRRxqlwQI8RADh0w4TvXVnkvjasc8GTkyOcAkQtjo
-hoZV82DkrsVZyYUOkk6kxSds1YNTGHpofNLu85d1LbE0hzCbSVDm5YNl6TcIVt/j
-rexiCyUdt7OCO99cIinYFFdj2Rdraqqwz8JNxf0MSnHBLxvqbAhsQtsm78UXM6PW
-Cs+n8zKdLRELuzTVFu78G0d+XLGVO3LMjEgzbpx8KNJixubUDc4E05sG2wwh6/lU
-mM2CRwOdz0EeUceoA6bhHHZm56C18Hw3ZTFwsPO/kQ83RGHRFWeThHNyfyGjF8mA
-cuEccnOPI50FmnvBi0n104KdYHAKU+lpBaX331w9xEZT02+Sdy6vlPi+ZPppiFgM
-JlfqCi9zoOCwnBKLOspyvzReNQdrSyE6BAJ6pH2qVVVHgxVF7N7aCFArwMqlrULL
-HcXWl9DKHrV2irAc/wm0GpdQWdXhDHk/sDmGOwIboi5Dv1zVIW3qnVJjP1eYGuzY
-mGb+gSforKFQ/78DErnqTllEcIDw7iFENkX8KJZsPsB9RKaFXgTcr0z+loN+Bwhn
-JYj1XW9IgicGAm2hoNNlif2Ntej+5A8XpZL/kidB4x2i/tMAtjpgJtADhaGChgDM
-sE3LSnsr6JwuDGpfdzpMgrKnHpjk3fIGfxMN76CW+MnJtgBWgWt0QQUB/MOD34AE
-mloev2ddGJwTQCE1T/CIEVxX6/3Sw0sg0xWdYhCY1kGOr9zkkjHa80b1i0e1uT05
-1hsIhGKL7KExd11PrLUPM3I6i2GFByTdRrQbPoL3BtiaK9hiUdZZCzeGbOBaWUrn
-Jkd24l3+kxg//BpmVniJ7tmAzo8gmSbAe5Pej0cCtZmPzLtUpjoTAyvgu4lw5Xyz
-27vIDIsf9sMy3Qyw+OT4ko0EMjbSDlRjnsJ081mOj3HtidjRWL2c+CxKcBn43i6b
-kTDrlqmaHpJ1GP8dvBAYG+BUwW5lS3Y7JCze9otoXxGrkS7a4Cr1gN/mN+HBEQJ8
-69ZYzELlI8fs2eNH7q8/ZvZ6MJAv25XF9hUIJ7i9ayWsCog0m2DWmEhf42C7SGmf
-GD7rOcGapbdqz6AQRqkaY/KDfeQS9oAgdRdjy4xHMKs/2E/oBWEz7KlVoXb7bpVd
-K1/DsETTadO46S2tGp4dIj2GHpowztzTDVeHAy2fd0mNoW+GdNinbZdQ+8sgIsH6
-6lv/P0PxPFrdKlFUNwAGenaUI21hv33Ety8sBydg5cVkOMFJawR5uwYsGi64wsAm
-7bJZSfVspuZxum/68inopZw0Y91/MPbPu6RC1W0sM/EmRNkP07GTUnAxHWhGM1oa
-Y8K/NM18Eep7SLORYJIpHHdKD//9NP/r8JYuY91WEVfchIU7/gNvPvLZGrRHI2zB
-asjUe5mfBZsvbYt3Trrz9sPHfp9GsvRB5GhasWHjzzs//+hDB0H4MCUoYmk1utTc
-6JhdUb3zAySHRFBIy7DLmE/Gg8nS/cn1Rm286dTwNyfoYEjmbj230JjivtTDxJFX
-573PA1FfP7t6c6aECERG33Mp0DkglvR5YtC0Fazeefj7s3571EKkaVVfanWV6B8M
-wOedZlrNfyKse+fporuxa/IMWJfopywN8zM9LHvV8B1ftZ4JGQgkxRZ9fip5/tWZ
-HRNAWaE67VPMAPpR0aE5MC8JRlteSTjM2TFB/qWjko5s1NZsjq7vlQo5whthkAJr
-pjT1+FrKSz1uj+lp/82PXwl+6Cs05ki3PdjiQqBaqEY/OByGqLlFn2ZmSPa9OiW+
-Nbx2HJauyyC6LqzsqYLs2lwoLpvqU7+yrs3y8q4kcEVoqNngnH9CJoASS1d4zO2n
-TIvVuHBYV88JN1rIY++9u68oude3OZDrdCZpuvbsGOm0unG14Zh7BK756bg7LbTO
-KehPJ4citigxNdczV9eeSBFSryGefdUT9OXS5SQeza1YE+yOR62Qc4pP7of0g88X
-ioIKBoz1fof6etp2X9JX4S9p8li1ZVcdfygGGuwxE5DR2dUlF/AeNmA06bTjZz08
-t6UmgivRwFSj8mTLfArrezPnIH3Fa8g77puxBam9TcPIHFSFi8SC3cyaMi/HNbIW
-nPSW6w+cU0RFwrMvsOQ4zjIlKNFJFcVUKoZXmKR6v843rg9vrUdJXSiq+gEGSvtA
-e/2Jom4HECyXpfVp9ybk7WntjesqUvaWBCHiS8f4G30rHIEHyU1cM68ow5jfxVFc
-yLTfrsdximbPcoHisl24H2hy4WNQrCLDNb4we1MZa9mqby8BsSwh9li3axB6Y0e5
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/bookie/bookie.cert.pem
+++ b/.ci/tls/servers/bookie/bookie.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1TCCA72gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMTBaFw0yMjEyMjQyMTAz
-MTBaMG8xCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGTAXBgNV
-BAMMEHB1bHNhci1jaS1ib29raWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC2YDyQkP85nwfS2yrqEkpPkPaTuIn7YsHRUsfveEgdva87qDvl2lwaLft5
-150Ehvf6uRgi3+xlEynAj2ZOtF/GXH0ipv5kOKL5HDvvFRmp7FwR2i2SLPM1rasw
-JYpmTc+aUBV4qvXUWzLPcTAY1UdPCIEyH2Mc35un1N8Zx7USASkKHrObzE5F/tiD
-2rDdJ3UXtovS5MuJtx5VqMjc2zmqqCgC5h38E812Jn1zbXSFvpL6obwaL0rq4h8T
-SCgVzz3ovbISgqF6h6HRB8kb8VZ7mR6SUfM87Lbs/05zUBE5bk9O9j7Mf51j1nnj
-iD1P7qoqmjufvmnFIg1iSayINw+FAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAAMBEG
-CWCGSAGG+EIBAQQEAwIF4DAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0
-ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBQ3ETJxE56xvo9gQ129aLcD
-tEiIJTCBtQYDVR0jBIGtMIGqgBQF1W46Ne+b0F5/YNM2t3hVUzSotaGBhqSBgzCB
-gDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDFN0cmVhbU5hdGl2ZTEWMBQGA1UECwwN
-SVQgRGVwYXJ0bWVudDESMBAGA1UEAwwJcHVsc2FyLWNpggkAtTzZF7ro++0wDgYD
-VR0PAQH/BAQDAgXgMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
-BQUHAwQwDQYJKoZIhvcNAQELBQADggIBABJSPJJRDj1bB8d8Z1ZCSqeJsLeA8Hi6
-Vdoe4lrHYUXIyleI05e6Ya21r638PUhJo9HWNiUFYkRmqrCTZyuk1UIVc+6Mx5LP
-WeNrkEIwLwSZlde0OgdEyKTJXKZhMDMUkGaoscl+JHbCDhkkPV3M01KxAFq2zZ9e
-zwVZTnRh1x/engidcR1uxS055UqkOtyqp19KPfaXOuIl2R/JVEyHq7yNHUGLu9wM
-0LGh17yBxyJcahLqGK2IWty+V8Snwfy6CQLoLUv9CNdVbWWd7/cGQUm2OvzIQEmb
-rw96pD7lM182cjbt616/hrES9lBcsaCMN97QG0ZPT2QQL1y3ci/Din7vzbjN2UNL
-7W3zUa1niFZDz6DpfP7gdsKkc4/weBRHglghfHhUJk15IBn+vCG2wiDXpWgm4AjJ
-UNBB7Yco8wBApt7+xZd2QLtKlGGxV+FR6GeuiiOeA9r/XC2p1b7zj3e5x9F4Zo5a
-80An42PyNZCTnGQzWUTfo2aRhLiUwNYXg+PFbA2j6EDgR7G38Vr/z7omdUjqYE+s
-4qVPU5kkz3H6lkfGfRiTooQk5zD9fSIgJc0oculARKgitpHaMdn2MKC4+1om3YKc
-WiOHdVpZzNkjjq6JbuY24EGEBACllehnqmJh2ku6eMIydSPUh2KgHPWUgdMfyzR/
-AzoXnRPk7pjh
-----END CERTIFICATE-----
--- a/.ci/tls/servers/bookie/bookie.csr.pem
+++ b/.ci/tls/servers/bookie/bookie.csr.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICzTCCAbUCAQAwgYcxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGTAXBgNVBAMMEHB1bHNhci1jaS1i
-b29raWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2YDyQkP85nwfS
-2yrqEkpPkPaTuIn7YsHRUsfveEgdva87qDvl2lwaLft5150Ehvf6uRgi3+xlEynA
-j2ZOtF/GXH0ipv5kOKL5HDvvFRmp7FwR2i2SLPM1raswJYpmTc+aUBV4qvXUWzLP
-cTAY1UdPCIEyH2Mc35un1N8Zx7USASkKHrObzE5F/tiD2rDdJ3UXtovS5MuJtx5V
-qMjc2zmqqCgC5h38E812Jn1zbXSFvpL6obwaL0rq4h8TSCgVzz3ovbISgqF6h6HR
-B8kb8VZ7mR6SUfM87Lbs/05zUBE5bk9O9j7Mf51j1nnjiD1P7qoqmjufvmnFIg1i
-SayINw+FAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAfqkDkMzdfp43gZeqX5WH
-yTO3K0eBJAsCNSP9RvjrYjZdMja34mXac5JkMa1j1cs19IthLCPZ2T4SBJpd5SQX
-vkXhCkHkS5WR0Nrvb3cpsjUEKbp6yIBE8bLCal6eUkZOyYM6w+gr4fN4WEt+c0fC
-n5n8Ox4lK3yFmRlgQFYkGWBaZVIEUYJVUFIT8M7AHkKf5TqC5RVGMgLiP0+CYM9R
-xe1hIIjiifgtKx2w3VJJ8Jmmkw8Fax1ynu7+sGaAswZp0lJsMSQUCLjDvaRNhfRL
-+qZ4p+C5x9s20XTD8FmzEzwTcqhVQU2jjFq8zVlea3PVHr39+AbLez4jq7uLCeWQ
-5Q==
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/bookie/bookie.key-pk8.pem
+++ b/.ci/tls/servers/bookie/bookie.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2YDyQkP85nwfS
-2yrqEkpPkPaTuIn7YsHRUsfveEgdva87qDvl2lwaLft5150Ehvf6uRgi3+xlEynA
-j2ZOtF/GXH0ipv5kOKL5HDvvFRmp7FwR2i2SLPM1raswJYpmTc+aUBV4qvXUWzLP
-cTAY1UdPCIEyH2Mc35un1N8Zx7USASkKHrObzE5F/tiD2rDdJ3UXtovS5MuJtx5V
-qMjc2zmqqCgC5h38E812Jn1zbXSFvpL6obwaL0rq4h8TSCgVzz3ovbISgqF6h6HR
-B8kb8VZ7mR6SUfM87Lbs/05zUBE5bk9O9j7Mf51j1nnjiD1P7qoqmjufvmnFIg1i
-SayINw+FAgMBAAECggEBAKl2AtDR6lXAT6S9wcJ9/E6yhGv+rTfJLA80vFLnkRsR
-hiII0J9jpvEsiN9OWbg7MXDnTGYba6z/gWxL0uSO9e97QUtRoE+/0K9obMha8t3R
-ojt0X6PT4KmgFdFHELK+2oiooUrekE4h77SRl/97Lidh36qTP6U0oY3xXty1lKqE
-lrgqWntmwJnRl9H/kykrnfVVd/BiWkJ2kDktTwwAM2MPrUpENk7B0Q4ToCwTMI2I
-QHz5/khBGX6OCjFXAOCLRH3xcR0GH+vAhRt9PUERMlAiQJv5YJz6v31iU5djCznN
-xug0NFysIvzg6+kqP027GIaXc1BieerXrVDahd1UhAECgYEA6ZQmNbOD30Y5Lhrj
-QN0t6ZRaI8LrugKx9d8mb7SqIsAVroCGHJAwp4NQCMaYwsnrL6QIIb8bnX58fydR
-TK43sT6NDeShhCiNQyPgDn6xzFr5//FIyfIVHDfnIeCKdlWQKwZZSIWgmg72Xm7+
-YrYj9899DS6MO7LBngPK9h+QhUkCgYEAx+Ha0Ww/CJ+lK860BOG2QLaq6bgnB/S4
-q2xuIpF11YYRzPCcigS9e3B2v72zE8yJeaW5PHLBecR6kuAfANaGCkWbqNOmeYdh
-4f0v9yhJJNMu/YsiMnsFffPGckiNxDPN/u2PhiWkOi37PoYRaz+Mp5Y80f2utM8s
-z4SqvbUVhF0CgYABCJjKsAqrWEI0hAXxaYkkeXWUpu4oGo7zCZO/9sqx8Kun5AWz
-5qdwdlJKV6ahZgdWZKFslM3oeoDOhzwC3Np+PEqffx1/2jYVz/jT15et0dE9YrHx
-wtJ5F348ViQGtgY3SoXmnkDBrcNFU7Rod2ndVNu2zTfto7LboiSpxiX7kQKBgELn
-7efl1N+dGJumUAnGR8w3mNQs6Ru3pczzuZXmnMvBWdoAvFVSqt5T0dvysquw7l+C
-wpNiUjLhOqpJTPdp12o+zJDhb7sEPxZ3OoP/vyQNcJA771F4bmkvnUCJ2rJPKOfp
-Ov6LQQKce5n9JH2CwyEhn/Ame0FYi8ZWwRRJNg+dAoGBAM7sk+DWoHPeYunjbEVT
-/Uehevoc417YIzlIN0XB2QGyNAVgidOUO+vrpCYfQlnQqUTXXfzF3WhdAcEqCiqt
-nsteKiG/i7v+lULxGepxvj6hUW616LowqqXCmFqfEc8J/QrnKhO1j7IWUn8qytRh
-FPEJD9tESETYG6+CiiMndZG4
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/bookie/bookie.key.pem
+++ b/.ci/tls/servers/bookie/bookie.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAtmA8kJD/OZ8H0tsq6hJKT5D2k7iJ+2LB0VLH73hIHb2vO6g7
-5dpcGi37ededBIb3+rkYIt/sZRMpwI9mTrRfxlx9Iqb+ZDii+Rw77xUZqexcEdot
-kizzNa2rMCWKZk3PmlAVeKr11Fsyz3EwGNVHTwiBMh9jHN+bp9TfGce1EgEpCh6z
-m8xORf7Yg9qw3Sd1F7aL0uTLibceVajI3Ns5qqgoAuYd/BPNdiZ9c210hb6S+qG8
-Gi9K6uIfE0goFc896L2yEoKheoeh0QfJG/FWe5keklHzPOy27P9Oc1AROW5PTvY+
-zH+dY9Z544g9T+6qKpo7n75pxSINYkmsiDcPhQIDAQABAoIBAQCpdgLQ0epVwE+k
-vcHCffxOsoRr/q03ySwPNLxS55EbEYYiCNCfY6bxLIjfTlm4OzFw50xmG2us/4Fs
-S9LkjvXve0FLUaBPv9CvaGzIWvLd0aI7dF+j0+CpoBXRRxCyvtqIqKFK3pBOIe+0
-kZf/ey4nYd+qkz+lNKGN8V7ctZSqhJa4Klp7ZsCZ0ZfR/5MpK531VXfwYlpCdpA5
-LU8MADNjD61KRDZOwdEOE6AsEzCNiEB8+f5IQRl+jgoxVwDgi0R98XEdBh/rwIUb
-fT1BETJQIkCb+WCc+r99YlOXYws5zcboNDRcrCL84OvpKj9NuxiGl3NQYnnq161Q
-2oXdVIQBAoGBAOmUJjWzg99GOS4a40DdLemUWiPC67oCsfXfJm+0qiLAFa6AhhyQ
-MKeDUAjGmMLJ6y+kCCG/G51+fH8nUUyuN7E+jQ3koYQojUMj4A5+scxa+f/xSMny
-FRw35yHginZVkCsGWUiFoJoO9l5u/mK2I/fPfQ0ujDuywZ4DyvYfkIVJAoGBAMfh
-2tFsPwifpSvOtAThtkC2qum4Jwf0uKtsbiKRddWGEczwnIoEvXtwdr+9sxPMiXml
-uTxywXnEepLgHwDWhgpFm6jTpnmHYeH9L/coSSTTLv2LIjJ7BX3zxnJIjcQzzf7t
-j4YlpDot+z6GEWs/jKeWPNH9rrTPLM+Eqr21FYRdAoGAAQiYyrAKq1hCNIQF8WmJ
-JHl1lKbuKBqO8wmTv/bKsfCrp+QFs+ancHZSSlemoWYHVmShbJTN6HqAzoc8Atza
-fjxKn38df9o2Fc/409eXrdHRPWKx8cLSeRd+PFYkBrYGN0qF5p5Awa3DRVO0aHdp
-3VTbts037aOy26IkqcYl+5ECgYBC5+3n5dTfnRibplAJxkfMN5jULOkbt6XM87mV
-5pzLwVnaALxVUqreU9Hb8rKrsO5fgsKTYlIy4TqqSUz3addqPsyQ4W+7BD8WdzqD
-/78kDXCQO+9ReG5pL51AidqyTyjn6Tr+i0ECnHuZ/SR9gsMhIZ/wJntBWIvGVsEU
-STYPnQKBgQDO7JPg1qBz3mLp42xFU/1HoXr6HONe2CM5SDdFwdkBsjQFYInTlDvr
-66QmH0JZ0KlE1138xd1oXQHBKgoqrZ7LXiohv4u7/pVC8Rnqcb4+oVFutei6MKql
-wphanxHPCf0K5yoTtY+yFlJ/KsrUYRTxCQ/bREhE2BuvgoojJ3WRuA==
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/broker/broker.cert.pem
+++ b/.ci/tls/servers/broker/broker.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1TCCA72gAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMTBaFw0yMjEyMjQyMTAz
-MTBaMG8xCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGTAXBgNV
-BAMMEHB1bHNhci1jaS1icm9rZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDTlckitxCrXIgI0ti5QNL/HHXGuWtIPUGufU+oSqaqsl7y2EGe0he2TuBP
-bQleWdHYatw7ICftlp9kDIOt4T2jOMXxA4j/l5Ve5eeG+tLigOpTRP+F/A/2dEl+
-LgjocfWeec2ES6gvMeC0G79P/nstes8+0ezgo70SG/sAMFb1ni2cs/kwVtio9lhR
-FdYTJQ88u7Qenw4E0CEa+uoDGlz+tm8BJjPMV9RWBkOSHK1IU6JfKTlAR56VQ9yR
-x1Z9UABsbRRu3oZQLSWjANpWPsPIR0zecd7QujzW0E3kWTA4Y9Mb7hX03AFOoiBC
-nSSh3gw5JBcTlwC448Kqp08ungSBAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAAMBEG
-CWCGSAGG+EIBAQQEAwIF4DAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0
-ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBRYpYCpJRoyONrzTNTRzAiS
-Jd1u+jCBtQYDVR0jBIGtMIGqgBQF1W46Ne+b0F5/YNM2t3hVUzSotaGBhqSBgzCB
-gDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xFjAUBgNVBAcM
-DVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDFN0cmVhbU5hdGl2ZTEWMBQGA1UECwwN
-SVQgRGVwYXJ0bWVudDESMBAGA1UEAwwJcHVsc2FyLWNpggkAtTzZF7ro++0wDgYD
-VR0PAQH/BAQDAgXgMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
-BQUHAwQwDQYJKoZIhvcNAQELBQADggIBAJxMGV3o9ukexBNCJBcR1pn9GRh+ti8j
-BxtDpPEnkwh0y6g/nAKR3HC2KHc05BpdeZ1TOqmLMaIbuVd9/xNpk6HQ1p3vJfw7
-x21r7MVsc2XZo1/FiHH8BeIY+46rJlfBNuARIvaEsxT32aeBGcSZ7wFmWuY3pRIc
-rUkUxlNb28JhKLiYXt1P6Irno9HFPH2w8meYRdG3gbsGul8OutAsoZpI5Ab+qWP0
-kO+BwVmf+YQ1BrlEm+rEyhmk5ewWGPSZ5Cp8ZtQZNsRai1FkyjTtqOy1U+kJad6c
-Dy1rBnVumDy2hcWmaPgCuGR8qulXt+yTas7vtwiWzKibT752XJcZHOJcIoB25ens
-XkDbF43YSqa7ZIXJITaSeZDLu2A8e5Gvuzmlv00YTPQFhnLUOFSYZ5swOQ0v4L+J
-B78gvkuHhLxOVwh61AAKrBTBu6GTf5ajrgZDnnrXx1oB2OxMD2uCzepOf/OROXdf
-+o2i1mjO9V7bF1pnXWlfRyGmFZEe3OoxvWqqP1KOHdGrFOkSVVFIKG4yTyV7BFR2
-uX9pyBYL7SPNUizJbSK7mxBPuQNNtE2cwNfCqB4kt11Q6yCvqPkbT2b/DmbMY60p
-kHsqxsMnaFjvZAlb7P+732qTXaVJTWEX/ksVFzGJwuxN24NqxJlf3wUSgzDhCj1K
-p4Bqaa6+GG6P
-----END CERTIFICATE-----
--- a/.ci/tls/servers/broker/broker.csr.pem
+++ b/.ci/tls/servers/broker/broker.csr.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICzTCCAbUCAQAwgYcxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGTAXBgNVBAMMEHB1bHNhci1jaS1i
-cm9rZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTlckitxCrXIgI
-0ti5QNL/HHXGuWtIPUGufU+oSqaqsl7y2EGe0he2TuBPbQleWdHYatw7ICftlp9k
-DIOt4T2jOMXxA4j/l5Ve5eeG+tLigOpTRP+F/A/2dEl+LgjocfWeec2ES6gvMeC0
-G79P/nstes8+0ezgo70SG/sAMFb1ni2cs/kwVtio9lhRFdYTJQ88u7Qenw4E0CEa
-+uoDGlz+tm8BJjPMV9RWBkOSHK1IU6JfKTlAR56VQ9yRx1Z9UABsbRRu3oZQLSWj
-ANpWPsPIR0zecd7QujzW0E3kWTA4Y9Mb7hX03AFOoiBCnSSh3gw5JBcTlwC448Kq
-p08ungSBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAX1WCH+wJ4znyeDPGwJe/
-jVTxHnZu4IY12rspo5zlK+qto33M9hD12ZwQJ8sg/zpXUsCwM4gA6HhOeiQPz69g
-vz0UJyv6YsfeVjPF9d/0TywMx0idxb04bQe0W2pLBRrtTvvm22uEbpKrj9QICnmS
-nwRjcciD8LBuLfUrR9kPkZnD51PCPGvQpx7mDWt3tAwdfR1sf0w6bwlPx0eqRpyl
-Fz+Kz7bWTCLBTZ6nsFyDdVNVLCPk6fPoPdSefWS+1za8I9/C28oIfYuqPkc9ULx7
-LZbuGyJU4rC4HxKSPcqmDy12TCSBvDcUMBfQ8d4LkbOIYnaW7aE3JBShTvgMzMOR
-TQ==
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/broker/broker.key-pk8.pem
+++ b/.ci/tls/servers/broker/broker.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDTlckitxCrXIgI
-0ti5QNL/HHXGuWtIPUGufU+oSqaqsl7y2EGe0he2TuBPbQleWdHYatw7ICftlp9k
-DIOt4T2jOMXxA4j/l5Ve5eeG+tLigOpTRP+F/A/2dEl+LgjocfWeec2ES6gvMeC0
-G79P/nstes8+0ezgo70SG/sAMFb1ni2cs/kwVtio9lhRFdYTJQ88u7Qenw4E0CEa
-+uoDGlz+tm8BJjPMV9RWBkOSHK1IU6JfKTlAR56VQ9yRx1Z9UABsbRRu3oZQLSWj
-ANpWPsPIR0zecd7QujzW0E3kWTA4Y9Mb7hX03AFOoiBCnSSh3gw5JBcTlwC448Kq
-p08ungSBAgMBAAECggEBAJXSLFhelHkizlihJEEZO87VEjijNuoyJf4uUWdzZMzd
-/QmsQ9r4HT5EX+Ud6lJa+5JpKITdYiiETV0E14EaSxD2tILS5AFIDsbhuK4Fkao9
-aq+H3f+72nnDIf8tDbW6bBfJW9Nf1zmD8f7W3wL/ya0Mlw9+imMOzmSyV2tsz0af
-btAHOxY92veHL1bi44MNf0s90AicpT3xmFFUYB0KyS7DfxXhFjTRo5zTDVISDGev
-mpzkbebOTox4y4eGjzydPmiIyTsEKu6aCdSn5zcQT7ooK4We0E24/U10HYQcbE5B
-dzw7VEcyuBLsY+bgie2rDstc1xGPqFng+gJ6m9rnAAECgYEA9XHjjdheuyHAgx+6
-nW8xJvQ9AL3ZxTP+3pMhPFUMHDWtNT1p1LvhUHHDC8na/CMzzGp9YJvZEZFNyWB5
-f54K0UzkKY24E3WxiVCv9L2XUX01pPsiZPJg9truW0APfguxIkikURuYggnQ8ix+
-jlmalvGVe5iIX7my0AhrVTViuAECgYEA3K8iIo+8cSEIRcM+w8onmGZYIhTTjQ1I
-9MDo0aD5/sFD2FidbFOZlj+DaEyoIZs+hF0SQwFUOsJ+pGLGmlxC1uSfbR1iCdj8
-8A8BOlX745x13BvJbMIhTAnjAz7IunIWDqbxdSHHR6zbNFty4tyQfQW8YZDjNtyE
-nLBxArE/TIECgYAdoao/LagCH4kGS4ZUC2B7u3DB7imkTSqv5ENW7U2Q+kn263sj
-W6tP8uwBOFVfq0BNpW2NhEMog8pITYVdis7zhbzl514Zu1O7qCoV+e2SwPMA//Cf
-D0P1iWjNS2aTaQXxhaOQxywaRuUa15RPyzGGl5PcYAXWyKx1wQ50MwXAAQKBgB5+
-lNjxw7heOCZrtGCZrp8AhW0wM4tqKoqnnYRaGjF5w0ZB+H7fjnmUjTP8Y79BFIJ1
-2fAoXts/xQAyJf9ugE3xiZYqWUHDGjCR4jmNaCErnZ2suUiuCqvXMedg5Zvd5+5e
-Yz8sS707xY6WlGmE0PJ1uHJC8yLBlhGQ0AzvMTABAoGAHpGyIWAemC6XFpjS0YDa
-TgdJjue47kSeLlwAfuYAI/DWMfQr+nYomxLipvOy7PwxmbAWVeJB8t+XthW1oR7q
-gb22NpD1d/ZmJLDqP8c0RaIiJvH4n0OeMSdTyQKHbLyZAPttZCNlaVoLNwyVhSdT
-/d7lZb8YU2u/PpNSKbxt65M=
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/broker/broker.key.pem
+++ b/.ci/tls/servers/broker/broker.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA05XJIrcQq1yICNLYuUDS/xx1xrlrSD1Brn1PqEqmqrJe8thB
-ntIXtk7gT20JXlnR2GrcOyAn7ZafZAyDreE9ozjF8QOI/5eVXuXnhvrS4oDqU0T/
-hfwP9nRJfi4I6HH1nnnNhEuoLzHgtBu/T/57LXrPPtHs4KO9Ehv7ADBW9Z4tnLP5
-MFbYqPZYURXWEyUPPLu0Hp8OBNAhGvrqAxpc/rZvASYzzFfUVgZDkhytSFOiXyk5
-QEeelUPckcdWfVAAbG0Ubt6GUC0lowDaVj7DyEdM3nHe0Lo81tBN5FkwOGPTG+4V
-9NwBTqIgQp0kod4MOSQXE5cAuOPCqqdPLp4EgQIDAQABAoIBAQCV0ixYXpR5Is5Y
-oSRBGTvO1RI4ozbqMiX+LlFnc2TM3f0JrEPa+B0+RF/lHepSWvuSaSiE3WIohE1d
-BNeBGksQ9rSC0uQBSA7G4biuBZGqPWqvh93/u9p5wyH/LQ21umwXyVvTX9c5g/H+
-1t8C/8mtDJcPfopjDs5ksldrbM9Gn27QBzsWPdr3hy9W4uODDX9LPdAInKU98ZhR
-VGAdCskuw38V4RY00aOc0w1SEgxnr5qc5G3mzk6MeMuHho88nT5oiMk7BCrumgnU
-p+c3EE+6KCuFntBNuP1NdB2EHGxOQXc8O1RHMrgS7GPm4Intqw7LXNcRj6hZ4PoC
-epva5wABAoGBAPVx443YXrshwIMfup1vMSb0PQC92cUz/t6TITxVDBw1rTU9adS7
-4VBxwwvJ2vwjM8xqfWCb2RGRTclgeX+eCtFM5CmNuBN1sYlQr/S9l1F9NaT7ImTy
-YPba7ltAD34LsSJIpFEbmIIJ0PIsfo5ZmpbxlXuYiF+5stAIa1U1YrgBAoGBANyv
-IiKPvHEhCEXDPsPKJ5hmWCIU040NSPTA6NGg+f7BQ9hYnWxTmZY/g2hMqCGbPoRd
-EkMBVDrCfqRixppcQtbkn20dYgnY/PAPATpV++OcddwbyWzCIUwJ4wM+yLpyFg6m
-8XUhx0es2zRbcuLckH0FvGGQ4zbchJywcQKxP0yBAoGAHaGqPy2oAh+JBkuGVAtg
-e7twwe4ppE0qr+RDVu1NkPpJ9ut7I1urT/LsAThVX6tATaVtjYRDKIPKSE2FXYrO
-84W85edeGbtTu6gqFfntksDzAP/wnw9D9YlozUtmk2kF8YWjkMcsGkblGteUT8sx
-hpeT3GAF1sisdcEOdDMFwAECgYAefpTY8cO4Xjgma7Rgma6fAIVtMDOLaiqKp52E
-WhoxecNGQfh+3455lI0z/GO/QRSCddnwKF7bP8UAMiX/boBN8YmWKllBwxowkeI5
-jWghK52drLlIrgqr1zHnYOWb3efuXmM/LEu9O8WOlpRphNDydbhyQvMiwZYRkNAM
-7zEwAQKBgB6RsiFgHpgulxaY0tGA2k4HSY7nuO5Eni5cAH7mACPw1jH0K/p2KJsS
-4qbzsuz8MZmwFlXiQfLfl7YVtaEe6oG9tjaQ9Xf2ZiSw6j/HNEWiIibx+J9DnjEn
-U8kCh2y8mQD7bWQjZWlaCzcMlYUnU/3e5WW/GFNrvz6TUim8beuT
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/proxy/proxy.cert.pem
+++ b/.ci/tls/servers/proxy/proxy.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1DCCA7ygAwIBAgICEAQwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMTBaFw0yMjEyMjQyMTAz
-MTBaMG4xCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGDAWBgNV
-BAMMD3B1bHNhci1jaS1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAO/KwkV8NT96A0pn/Y5DlUffefTLHkVgTYocj4s8CeDS67XsZ4he/+ekn3uR
-y4ze6kwA+qI8jxE7zycnBA3Dq01pG//com9nilcm1coDJrzIZSTnz1kQKOZwBoFM
-1kknpDNHGBvwSwCAFbhCtQtScnsa2InN0F2lgzEJmaS/HE0OTKGOrTlC+9qbKpA5
-kQtmdhs7p3IoYRbiNZMO7ZPxXZpxEy0EaAbTeCYpmkaBUKsW3tuwdLztmyHgT3iw
-y3YQcZV2tCyNyBp6bHsXp9BfhAzwehl0vSfL/3GmMLcpTH2rIhLrNL+jFpfUWOxP
-qHXvhAl5VNOkw182lYvlABb3I0ECAwEAAaOCAWcwggFjMAkGA1UdEwQCMAAwEQYJ
-YIZIAYb4QgEBBAQDAgXgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRl
-ZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAgm3jyic7NMgR4LrVWbE3pG
-qcbKMIG1BgNVHSMEga0wgaqAFAXVbjo175vQXn9g0za3eFVTNKi1oYGGpIGDMIGA
-MQswCQYDVQQGEwJVUzEWMBQGA1UECAwNU2FuIEZyYW5jaXNjbzEWMBQGA1UEBwwN
-U2FuIEZyYW5jaXNjbzEVMBMGA1UECgwMU3RyZWFtTmF0aXZlMRYwFAYDVQQLDA1J
-VCBEZXBhcnRtZW50MRIwEAYDVQQDDAlwdWxzYXItY2mCCQC1PNkXuuj77TAOBgNV
-HQ8BAf8EBAMCBeAwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEF
-BQcDBDANBgkqhkiG9w0BAQsFAAOCAgEApIwUVqrr3yWLhRitLvuJcwWz6fQ6WL3c
-RgYBw/Q9wXCq77mAxUCEVz6zF0FklNE9N3I0mQZC01Wp7JqvNFv4/9H5V02gzmFz
-m2gHIRs6hPz3gTkZNzP7vLBHe560pE0jkFD5b73esdYhr4F1U4829jV9D5IawoMa
-k/Yx5HxQX9ESRiPsw1SaMVR33k7GKYieg6Effj1d3N0Y4/+yVOZuWOVAv0GgVTIx
-271TDc1MrKYbYW+9qzkL5w8zOP3BbXwDxtQFAhiD82NjQU0/88WMC3I3f2oZ6jkh
-ZG3vF0ssM2LnnuoMCTynNvP4VJRXY721EOmw6ev/vapPmEIMSJaSDD6h4SiuQxKM
-OPHGk3ETTciYVDefCQca7UFMP+DlyJRRV2JmDdW2JvrfSVLxbhtEArgyeZnuDIGR
-fyeB6lO2mP/Pe2sUsd0FJpz2uB/JaNalTiCS0RpXvIIQUIiOpLeWa6N1NUtVtLow
-8mqmipieMdjjGEDHGZ8j2PXIIox5mWbcWAIvxJOZhJ8jZdBDbJB4fHw5lpTrcrxx
-NgnLFVlGyjGGDtZZig0fMN2QMt8SX9W8i3beqAK3Vsb8myxGJSH6/zulg4mt8hH1
-Rwis+P4vSkcPC8hcJoacVXEj4gMCxp2jDzslVE4jQwug+2b0qhW1500/JsKj5E7+
-ylzn5KM9OFE=
-----END CERTIFICATE-----
--- a/.ci/tls/servers/proxy/proxy.csr.pem
+++ b/.ci/tls/servers/proxy/proxy.csr.pem
@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGDAWBgNVBAMMD3B1bHNhci1jaS1w
-cm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/KwkV8NT96A0pn
-/Y5DlUffefTLHkVgTYocj4s8CeDS67XsZ4he/+ekn3uRy4ze6kwA+qI8jxE7zycn
-BA3Dq01pG//com9nilcm1coDJrzIZSTnz1kQKOZwBoFM1kknpDNHGBvwSwCAFbhC
-tQtScnsa2InN0F2lgzEJmaS/HE0OTKGOrTlC+9qbKpA5kQtmdhs7p3IoYRbiNZMO
-7ZPxXZpxEy0EaAbTeCYpmkaBUKsW3tuwdLztmyHgT3iwy3YQcZV2tCyNyBp6bHsX
-p9BfhAzwehl0vSfL/3GmMLcpTH2rIhLrNL+jFpfUWOxPqHXvhAl5VNOkw182lYvl
-ABb3I0ECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQDZkKjsOTvDQPoXfOldcZ9J
-DipCf83JI+J5tEmQvYW8FJlBfmEZUiewQmDuoy5RMpIejic4wjthU4xK+siSFzkf
-PUWAXzbx0oD8Y9vazFqQTmEIEbHWnWW84t5ocn9o0ZKLXSukzz/QVF1XXtquzo+n
-KRWiaMFVR+1Jw1KWPDcHK1uTvo8IsqKWin5JSkewbYJB1/HKt4OlJB6KxfI61X5L
-Kklx21SIPwCCQa+8l9sA3ONtmtEYSSsRxX6gbnwMpc8zZioaY5PO54wVgifjyNR/
-myjWjWi5jJE2AN4VMFmt/mvvcNz6x1RjzC5sQ6HsB7wyRZU1ybyb/oQzAi879v2n
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/proxy/proxy.key-pk8.pem
+++ b/.ci/tls/servers/proxy/proxy.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDvysJFfDU/egNK
-Z/2OQ5VH33n0yx5FYE2KHI+LPAng0uu17GeIXv/npJ97kcuM3upMAPqiPI8RO88n
-JwQNw6tNaRv/3KJvZ4pXJtXKAya8yGUk589ZECjmcAaBTNZJJ6QzRxgb8EsAgBW4
-QrULUnJ7GtiJzdBdpYMxCZmkvxxNDkyhjq05QvvamyqQOZELZnYbO6dyKGEW4jWT
-Du2T8V2acRMtBGgG03gmKZpGgVCrFt7bsHS87Zsh4E94sMt2EHGVdrQsjcgaemx7
-F6fQX4QM8HoZdL0ny/9xpjC3KUx9qyIS6zS/oxaX1FjsT6h174QJeVTTpMNfNpWL
-5QAW9yNBAgMBAAECggEACCm32VO0IFgP+p11pT0pvMufxDSR8DyqBxSX0l6V24By
-o7vLfnn1bjZNc5BwBHimMzYpUhKLsEN/9s4+NhW+JCF64YfqQ66bqAHbb0gSLoUH
-5Gy7w0VojwerQQWTmePulAxMhs70Tq0NkDs9HIiO+x/b1T0bZcS3pZi1EUWsOfc8
-xjCbEvbdvRK1R3tjZExxdRx5FR7sMuZ0Q2PhWbRymSRlNW7mX+aaCUqWQLOgqWkL
-UZVl3ekljXTc+da3PxqDciHyPdYbXgVgBwKJoE8FXq1Sj7usjbrX/k+xigtA2MMW
-lxA4y9CU6Bd5yTx2FySgYvGbyTt+5g6nm8rQJamgAQKBgQD/V3ZBT55oqS9Y6SpA
-Rr2W89Yt66hkcJGjfHkc/onR1uyuYncNHXC3WQi8xeezzsgX4quhLSr5501iedJY
-faV+s0YBDJ5kYsRxzU8iUK8CBCYfwV6EXnKvR8LmqPot7ZcONaQVngAcmkEN+9pl
-FbWZeJuSaBPzjgQNBwgypA/EgQKBgQDwaQiOYtKB/O4+3qKqMR1AvWDc0/QS7kz+
-qBFP4qb3VBlLc60peosJVWBB/MUPX5ybTANl1Ah1GMpp387VcZ4tcexEiKiuofBD
-19SclJ0nEycn2WEeWTIZ/EErVVnRViOHKt5CWry2NnIlGx2PJ3WGGNd6uMIF6giw
-ZkqfRBz+wQKBgQCfYizCn7w1gEW5rfFdpcp6C0JJ76tw5oNCFVRUMN4+SXX7dCLz
-4MiW6dB2ZOI4bn6fyjFvrg4BZ8v6CCiwa919tNGhngrQhoYwswMOXGahT42sjLs+
-zOWxW43hBOEFAiUkDX+arsFLGU46OFceeeqdHZeeT7EEekU1DIqlcZsWAQKBgDFD
-9OLo0Wad5Fyx1ve1dN8tb8oRDTVL7C9LVbDfK4QHkd9qZxPW7uMMwdsD54YM+9S/
-MPsPBmSoneIwYPxQei+p5tbsglS3Drt4YTNtKP8255E89K/5a1Dz5o7wwKUrV8B9
-QmqqmX1ljuKXuej6FxVRxeZ6MhhwKzOq4qPcm2yBAoGBAMYUTcqxH5/Dqwx781/Z
-W753xja6LN1gRSKOHaoUiQo/2FKSXj7fT/ZAWJwiivndoVreiz5lK9FPnPJj67HA
-J+x2z2oiNbVyv7F2RnEuFxw4yeWO4wfNdEZ15DGHbIdD2nM9SvhwlMJ2rRD+O0Qa
-nlve8+9e/rf+fM1ml2dYFqwZ
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/proxy/proxy.key.pem
+++ b/.ci/tls/servers/proxy/proxy.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA78rCRXw1P3oDSmf9jkOVR9959MseRWBNihyPizwJ4NLrtexn
-iF7/56Sfe5HLjN7qTAD6ojyPETvPJycEDcOrTWkb/9yib2eKVybVygMmvMhlJOfP
-WRAo5nAGgUzWSSekM0cYG/BLAIAVuEK1C1JyexrYic3QXaWDMQmZpL8cTQ5MoY6t
-OUL72psqkDmRC2Z2GzuncihhFuI1kw7tk/FdmnETLQRoBtN4JimaRoFQqxbe27B0
-vO2bIeBPeLDLdhBxlXa0LI3IGnpsexen0F+EDPB6GXS9J8v/caYwtylMfasiEus0
-v6MWl9RY7E+ode+ECXlU06TDXzaVi+UAFvcjQQIDAQABAoIBAAgpt9lTtCBYD/qd
-daU9KbzLn8Q0kfA8qgcUl9JelduAcqO7y3559W42TXOQcAR4pjM2KVISi7BDf/bO
-PjYVviQheuGH6kOum6gB229IEi6FB+Rsu8NFaI8Hq0EFk5nj7pQMTIbO9E6tDZA7
-PRyIjvsf29U9G2XEt6WYtRFFrDn3PMYwmxL23b0StUd7Y2RMcXUceRUe7DLmdENj
-4Vm0cpkkZTVu5l/mmglKlkCzoKlpC1GVZd3pJY103PnWtz8ag3Ih8j3WG14FYAcC
-iaBPBV6tUo+7rI261/5PsYoLQNjDFpcQOMvQlOgXeck8dhckoGLxm8k7fuYOp5vK
-0CWpoAECgYEA/1d2QU+eaKkvWOkqQEa9lvPWLeuoZHCRo3x5HP6J0dbsrmJ3DR1w
-t1kIvMXns87IF+KroS0q+edNYnnSWH2lfrNGAQyeZGLEcc1PIlCvAgQmH8FehF5y
-r0fC5qj6Le2XDjWkFZ4AHJpBDfvaZRW1mXibkmgT844EDQcIMqQPxIECgYEA8GkI
-jmLSgfzuPt6iqjEdQL1g3NP0Eu5M/qgRT+Km91QZS3OtKXqLCVVgQfzFD1+cm0wD
-ZdQIdRjKad/O1XGeLXHsRIiorqHwQ9fUnJSdJxMnJ9lhHlkyGfxBK1VZ0VYjhyre
-Qlq8tjZyJRsdjyd1hhjXerjCBeoIsGZKn0Qc/sECgYEAn2Iswp+8NYBFua3xXaXK
-egtCSe+rcOaDQhVUVDDePkl1+3Qi8+DIlunQdmTiOG5+n8oxb64OAWfL+ggosGvd
-fbTRoZ4K0IaGMLMDDlxmoU+NrIy7PszlsVuN4QThBQIlJA1/mq7BSxlOOjhXHnnq
-nR2Xnk+xBHpFNQyKpXGbFgECgYAxQ/Ti6NFmneRcsdb3tXTfLW/KEQ01S+wvS1Ww
-3yuEB5HfamcT1u7jDMHbA+eGDPvUvzD7DwZkqJ3iMGD8UHovqebW7IJUtw67eGEz
-bSj/NueRPPSv+WtQ8+aO8MClK1fAfUJqqpl9ZY7il7no+hcVUcXmejIYcCszquKj
-3JtsgQKBgQDGFE3KsR+fw6sMe/Nf2Vu+d8Y2uizdYEUijh2qFIkKP9hSkl4+30/2
-QFicIor53aFa3os+ZSvRT5zyY+uxwCfsds9qIjW1cr+xdkZxLhccOMnljuMHzXRG
-deQxh2yHQ9pzPUr4cJTCdq0Q/jtEGp5b3vPvXv63/nzNZpdnWBasGQ==
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/recovery/recovery.cert.pem
+++ b/.ci/tls/servers/recovery/recovery.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1zCCA7+gAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMTBaFw0yMjEyMjQyMTAz
-MTBaMHExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGzAZBgNV
-BAMMEnB1bHNhci1jaS1yZWNvdmVyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAK41jOTmc/XtTjIQmEvE/sHYfuUN/nbUNYerun3CpMOlUsenkMn8k1ms
-NCydtqvOLCK4OMjyIg/zany/1w1L2WwV4/Rg3cqCx+0n/WjfwaiP5oJ55d2G9tgN
-jrAy1ir8AaWgTJhGs8ktTtsPSIGZjbR0pMavXoWCdqbRba6Nt04/5Q+CyUo1gXu5
-c0oImC4DcJFkWW26iGF35BuVUGPmYtLOW2Zr6Wg2lcL4nZ8C2FpBGLYMtXvPVY5S
-dJlaA7MVjCrVaxCB+LdS+1HLywvhY8Zuodm5Q1QOhnmFti8BHBkwAOynjd5DqP8q
-qmjNZ3yC80bSlGeJ6GV1i5Cxkeyw1HMCAwEAAaOCAWcwggFjMAkGA1UdEwQCMAAw
-EQYJYIZIAYb4QgEBBAQDAgXgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVy
-YXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPZsppie+Vgxp01iUTRt
-Ik2DPw74MIG1BgNVHSMEga0wgaqAFAXVbjo175vQXn9g0za3eFVTNKi1oYGGpIGD
-MIGAMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNU2FuIEZyYW5jaXNjbzEWMBQGA1UE
-BwwNU2FuIEZyYW5jaXNjbzEVMBMGA1UECgwMU3RyZWFtTmF0aXZlMRYwFAYDVQQL
-DA1JVCBEZXBhcnRtZW50MRIwEAYDVQQDDAlwdWxzYXItY2mCCQC1PNkXuuj77TAO
-BgNVHQ8BAf8EBAMCBeAwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggr
-BgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEASqs3WwDz3eSsu3kywp/WI+UHjVLv
-8EmMgnzgMqHmbizQyqRAO5T0X/p8CaKDFr26au+mVylmQs/wtgzMdiDouBDMsF7O
-rSSZ/p/Gbd+aPPi92rxglG8eJXtMtMJQU07+7AX+Xb7e22/z//AN0ovT6lw+yelY
-n/4FR8AKuqhQRT6/+etq6Mex5MsalMXvT9qrL9oL8mGpz3LKdreGBbg40YhFgMRF
-edi6OBWF328MHEp1NaDJDKWXdIunWtt0t2Fa4EGZEdA3N11DljuRzq9iYLYO8cJl
-rYbo6afL+Yqh/GWTgdlCreEzaClv6lVP5jAduWpSPICTpY0UmS4JHHV2yY9qieCo
-+dEWHv9yyHHOqLIu8/q7NPljz+1NzRg7y4KUCQ5BZix0WKa0R98hAyY+LeCkFNgQ
-elPQDvhvyzVMpGUITSoN5/CQNx8Ei3r2Jfv7S5Q7k5oBudYQwKTHnCtmAM2kAo5Y
-Lr21dRXAS2DJ6sAzovhaJA5GB1ukO7jVLQiFxG6vNj4gC25XuT1+vTZh7buz1VYj
-cIaIrP1xKCklKVQTWtoH1ZA4X2UMw6L5JpLKIdtxgWU4/bg7ql6NcWHAwvf0T/xv
-TFYsccuxha3X/boFWSTdnGoX3dg7YKwrwRS9tUFGLlvTK0bwhTRdpe5A77XlBjwO
-PwECqK8ty7Ut+vU=
-----END CERTIFICATE-----
--- a/.ci/tls/servers/recovery/recovery.csr.pem
+++ b/.ci/tls/servers/recovery/recovery.csr.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICzzCCAbcCAQAwgYkxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGzAZBgNVBAMMEnB1bHNhci1jaS1y
-ZWNvdmVyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK41jOTmc/Xt
-TjIQmEvE/sHYfuUN/nbUNYerun3CpMOlUsenkMn8k1msNCydtqvOLCK4OMjyIg/z
-any/1w1L2WwV4/Rg3cqCx+0n/WjfwaiP5oJ55d2G9tgNjrAy1ir8AaWgTJhGs8kt
-TtsPSIGZjbR0pMavXoWCdqbRba6Nt04/5Q+CyUo1gXu5c0oImC4DcJFkWW26iGF3
-5BuVUGPmYtLOW2Zr6Wg2lcL4nZ8C2FpBGLYMtXvPVY5SdJlaA7MVjCrVaxCB+LdS
-+1HLywvhY8Zuodm5Q1QOhnmFti8BHBkwAOynjd5DqP8qqmjNZ3yC80bSlGeJ6GV1
-i5Cxkeyw1HMCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBVYfA4nqzuKnGppwmG
-NTgAeVGJTD+i/eVHi4Vn8gAKNmYrnZzD9H0JUDlqhFcPShneT65AFhkd2lm2Sdg6
-IqNDnnMcATU9MkMkj9fO+a5IBwvRgbvq0KZOaPUQDIB4g31vy0ldqS8HwU80Q5bz
-pVSFeLoWzSJ1aNEQ2L7yz/tICFQ16Jpy8mzcYk3IXWdlcu3cqY5XqFazhLeacgVp
-x9W1frO3odqP174qo/XbvClSShjWQthDNUE1uh3J/RfoDFLzNpBXRYR8QPVImp3b
-gdzOccNuFGJm5a9PoX/6lD7pNQxEUAWaLkXZ5n6MybiANhRks71E8pNfXmORDekb
-t5a9
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/recovery/recovery.key-pk8.pem
+++ b/.ci/tls/servers/recovery/recovery.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCuNYzk5nP17U4y
-EJhLxP7B2H7lDf521DWHq7p9wqTDpVLHp5DJ/JNZrDQsnbarziwiuDjI8iIP82p8
-v9cNS9lsFeP0YN3KgsftJ/1o38Goj+aCeeXdhvbYDY6wMtYq/AGloEyYRrPJLU7b
-D0iBmY20dKTGr16Fgnam0W2ujbdOP+UPgslKNYF7uXNKCJguA3CRZFltuohhd+Qb
-lVBj5mLSzltma+loNpXC+J2fAthaQRi2DLV7z1WOUnSZWgOzFYwq1WsQgfi3UvtR
-y8sL4WPGbqHZuUNUDoZ5hbYvARwZMADsp43eQ6j/KqpozWd8gvNG0pRniehldYuQ
-sZHssNRzAgMBAAECggEAPfkK4DsjMW90C9dfdkTkI+1yZuWtinQ/fr4Wn7pohrj/
-U8tGdLSHbrUV8nFAlKnJhahnewS4HViIn0xXooFDHXJEH6F+BRa1LKa3PWGsMNzQ
-McZPgZkLoxxfkErlaXEw3MzDssAkIQMfNEqhjokjofiEzbGBPJmGwB1smVYMyabX
-AwA8PrtH0c5Wk3DiZcJrQY5C1jVpfh0HA8jXdzoleYbWpjGz8zfZYHhV9Enufw4W
-2Uun4+LUxBvOAtrEvjcsHUF0C9tfUk97CT/KlqvndLjsJI1D2iRRZYqZBp1Cj8Ud
-EirSj8zx5eR56uluZV5QmXQbJsbO7dMXQknfiwCRQQKBgQDTnV8W1JHssmgCqJUc
-1W/OQJMk8Ty1If5WwIbqx2D56fcTcat48O4AIZB1H/Jc58GEgTTqsTYR6VVn1IOw
-soQHnzfKZpUYU6HOiLdsdVM8y9g+k6nHFbEfvXvOyyHVOv1mGVjTQevwQrj/oA1D
-EivycmyHxes03NdzhbNm35zF0QKBgQDSv7EzUP2/SoNlrK3bJ66zbHMTXSZ9RpAB
-hU+V5yvHbvnCDFWCZeSAXmKIEGHF/oP+gTIru4aGOFdDuuyY3xnIT/8IU9gngLc+
-TWhk7gVPwO9/CcitrziIpNkOZs/TRo9nKLF61DeNT1ZfIpQS8pQTyNyAKKMNheqH
-SFFQh2wTAwKBgQCs/lHmEBDbN13gDoEX+URVkGS6JpxCV2/c67df525X3/SkaKCN
-Vii64rV9iohPewawlA/2bLiPG/k90HV31fgpYvfw9rucD4KPnSSV/bP2V46IWZ7J
-qeoK0JSOEXGvJ3JQLRh4W8PNvj4Oe4Fb+1cB9JjUxe/qXz+iqQJobxVygQKBgQCI
-7b2fXu8PW8WVySVIsDbFIyB9o1c/rBoistAr0IBUWtlx5/ui9rsJYMnaJ/Ku5xgx
-wxWq7nOQP4kLW6cgCEzDJp7IdVmLCQmGNFswwKm40N2LB/tYRfGQbrMMtWYwmrbP
-ytPNv5a8fKDcvSXCTdRCKo6BwmV2gt0HusgCb4qbqwKBgQCCclGA+tGomV1AqOI5
-wU3LAvWXIt7wbi3pOOhKEQYNM09+0nFXJc+13DY0g/luM2VkOBpac5T5F6F7ZDiP
-vMBraJBKG1VqaGI/7Jpn8cSgTCHExJwk5rdmxJkWSmJCXVaW1oVT3PiSvEj9t/Ko
-rgeGK5Elmg225nH43gJ0vk1I+w==
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/recovery/recovery.key.pem
+++ b/.ci/tls/servers/recovery/recovery.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEArjWM5OZz9e1OMhCYS8T+wdh+5Q3+dtQ1h6u6fcKkw6VSx6eQ
-yfyTWaw0LJ22q84sIrg4yPIiD/NqfL/XDUvZbBXj9GDdyoLH7Sf9aN/BqI/mgnnl
-3Yb22A2OsDLWKvwBpaBMmEazyS1O2w9IgZmNtHSkxq9ehYJ2ptFtro23Tj/lD4LJ
-SjWBe7lzSgiYLgNwkWRZbbqIYXfkG5VQY+Zi0s5bZmvpaDaVwvidnwLYWkEYtgy1
-e89VjlJ0mVoDsxWMKtVrEIH4t1L7UcvLC+Fjxm6h2blDVA6GeYW2LwEcGTAA7KeN
-3kOo/yqqaM1nfILzRtKUZ4noZXWLkLGR7LDUcwIDAQABAoIBAD35CuA7IzFvdAvX
-X3ZE5CPtcmblrYp0P36+Fp+6aIa4/1PLRnS0h261FfJxQJSpyYWoZ3sEuB1YiJ9M
-V6KBQx1yRB+hfgUWtSymtz1hrDDc0DHGT4GZC6McX5BK5WlxMNzMw7LAJCEDHzRK
-oY6JI6H4hM2xgTyZhsAdbJlWDMmm1wMAPD67R9HOVpNw4mXCa0GOQtY1aX4dBwPI
-13c6JXmG1qYxs/M32WB4VfRJ7n8OFtlLp+Pi1MQbzgLaxL43LB1BdAvbX1JPewk/
-ypar53S47CSNQ9okUWWKmQadQo/FHRIq0o/M8eXkeerpbmVeUJl0GybGzu3TF0JJ
-34sAkUECgYEA051fFtSR7LJoAqiVHNVvzkCTJPE8tSH+VsCG6sdg+en3E3GrePDu
-ACGQdR/yXOfBhIE06rE2EelVZ9SDsLKEB583ymaVGFOhzoi3bHVTPMvYPpOpxxWx
-H717zssh1Tr9ZhlY00Hr8EK4/6ANQxIr8nJsh8XrNNzXc4WzZt+cxdECgYEA0r+x
-M1D9v0qDZayt2yeus2xzE10mfUaQAYVPlecrx275wgxVgmXkgF5iiBBhxf6D/oEy
-K7uGhjhXQ7rsmN8ZyE//CFPYJ4C3Pk1oZO4FT8DvfwnIra84iKTZDmbP00aPZyix
-etQ3jU9WXyKUEvKUE8jcgCijDYXqh0hRUIdsEwMCgYEArP5R5hAQ2zdd4A6BF/lE
-VZBkuiacQldv3Ou3X+duV9/0pGigjVYouuK1fYqIT3sGsJQP9my4jxv5PdB1d9X4
-KWL38Pa7nA+Cj50klf2z9leOiFmeyanqCtCUjhFxrydyUC0YeFvDzb4+DnuBW/tX
-AfSY1MXv6l8/oqkCaG8VcoECgYEAiO29n17vD1vFlcklSLA2xSMgfaNXP6waIrLQ
-K9CAVFrZcef7ova7CWDJ2ifyrucYMcMVqu5zkD+JC1unIAhMwyaeyHVZiwkJhjRb
-MMCpuNDdiwf7WEXxkG6zDLVmMJq2z8rTzb+WvHyg3L0lwk3UQiqOgcJldoLdB7rI
-Am+Km6sCgYEAgnJRgPrRqJldQKjiOcFNywL1lyLe8G4t6TjoShEGDTNPftJxVyXP
-tdw2NIP5bjNlZDgaWnOU+Rehe2Q4j7zAa2iQShtVamhiP+yaZ/HEoEwhxMScJOa3
-ZsSZFkpiQl1WltaFU9z4krxI/bfyqK4HhiuRJZoNtuZx+N4CdL5NSPs=
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/toolset/toolset.cert.pem
+++ b/.ci/tls/servers/toolset/toolset.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF1jCCA76gAwIBAgICEAUwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMTBaFw0yMjEyMjQyMTAz
-MTBaMHAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGjAYBgNV
-BAMMEXB1bHNhci1jaS10b29sc2V0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA1Oy51AEmFFblTOIzl+IWZftQ9+Htg66v/8kUNR7h+AYRor9Vyf3AuBMV
-ZuwHjl0xz0Mk3wir2RIhbcuXdiagcgdsijOWrSJK3uGgkKO0LWZMkMWcMNTgxm3S
-+2NhHxdZWqNsX0Fgfju5F5IA7yOoBsTcqTt/xKyBocFshd8D0VvwrPkdoqVWoBKf
-mIkJg+qp77DQ0rzvpkqGVjjIaUmFPyQL9Rv/escxZHwj7Q3JoGzY7KwgPGAwwwip
-CuhCi9+yyjhGCP0j0amLuEJAsTwYp7fguuZnyQFsJQ29MbesWtxoyt68wk7QPLCg
-/ZBLljdJSA7hNwjO8IZ97DzwmFfn0QIDAQABo4IBZzCCAWMwCQYDVR0TBAIwADAR
-BglghkgBhvhCAQEEBAMCBeAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJh
-dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUsgXRoPfGg+Upnv87zdHm
-3L8RWBMwgbUGA1UdIwSBrTCBqoAUBdVuOjXvm9Bef2DTNrd4VVM0qLWhgYakgYMw
-gYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQH
-DA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsM
-DUlUIERlcGFydG1lbnQxEjAQBgNVBAMMCXB1bHNhci1jaYIJALU82Re66PvtMA4G
-A1UdDwEB/wQEAwIF4DAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsG
-AQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQBCSA8FMpjtni9++dsKS4g6/iA+6tIP
-ptKZa5Cvo3UYImSBPwaySozN0/yDfHCuftieWWdWLUjXnu6ms1DQI5hLCqKEt2AE
-F5XCj8WVpkTaGtdBgyz2ftQDdJEbP/g8orANq6ET3BHAKkmok4v9xDol0KUejR4b
-QwUoHKPIg6NbR8VH6JDxX3VINTWnyRKKSDsT11ZrjlZQeVv0T/vt+CGy7u0VXP/V
-UzzuL5mZaKcBAq7JmuZY6xH2Q4dlrORt3KZM21T25laNOKfTE/vZfaO76S9WYlKZ
-bJLWEPEUhhM+vofwPw/nOOJmp0iu+bKt5VLrNcAZ0fCnJld4sBHcPOZQ7B7wScf4
-pWcKEzTzScn4MfEj9FZCJSV4ph8QWA3n8Ue9EVXkIWCevNjtnoPTzp7Qx8H+kr0j
-53JqPbjoENfqaDxKVEqPCEBPljgYAQ/uocuoMOKCSLlD27bGFnwwg+nyoA9j6fXS
-TXLZ4tYlA2qiGyDMJPc47ovEugXWUfDabu/ScuUItdnhZajdw9zRjD44+oSb5UfC
-Yb84WFtDswjO/qayfI/nt72tYymtQjOl3W9RtNMJNZf6c1LeumHaB56lpCnoLKYh
-Ap6rtWTCup/GtCXynXje76rMwsv1OLuo/1tm3wUAlYIoQPuoVjtlXG6P1XtZRErd
-OfCFrGQHLuH9Vg==
-----END CERTIFICATE-----
--- a/.ci/tls/servers/toolset/toolset.csr.pem
+++ b/.ci/tls/servers/toolset/toolset.csr.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxGjAYBgNVBAMMEXB1bHNhci1jaS10
-b29sc2V0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Oy51AEmFFbl
-TOIzl+IWZftQ9+Htg66v/8kUNR7h+AYRor9Vyf3AuBMVZuwHjl0xz0Mk3wir2RIh
-bcuXdiagcgdsijOWrSJK3uGgkKO0LWZMkMWcMNTgxm3S+2NhHxdZWqNsX0Fgfju5
-F5IA7yOoBsTcqTt/xKyBocFshd8D0VvwrPkdoqVWoBKfmIkJg+qp77DQ0rzvpkqG
-VjjIaUmFPyQL9Rv/escxZHwj7Q3JoGzY7KwgPGAwwwipCuhCi9+yyjhGCP0j0amL
-uEJAsTwYp7fguuZnyQFsJQ29MbesWtxoyt68wk7QPLCg/ZBLljdJSA7hNwjO8IZ9
-7DzwmFfn0QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAF1xlJi80nwY6WduRUVA
-fo6EbDdoh+O124f81I+4yg1zrf623+qVlIJyDO+phhxwf1XxioQkTiimryRbvDPf
-y2ST1zF1bFrFqFgvUMggGgeUG2cwSF98egaUOHlhWjXPTiBs20gf2W9aueIsn/TK
-uiEdONzbprBtXRX76/0e0jP3YXc48YjTYlgcAgJI4JRR3qccDt/mapSuPBSvkq6C
-5FKN5ou6TuDW08N3wFv40D+YGwvwSBWgnr5NlQFVsrr53ijwJ7mRfg8kBK3SdlG5
-uu/03JjML7eNdphH1DNeljV7ZZXEnAyNcq4La5NM0Tndi9wgrQNOMKEpV1fzTZWV
-kec=
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/toolset/toolset.key-pk8.pem
+++ b/.ci/tls/servers/toolset/toolset.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDU7LnUASYUVuVM
-4jOX4hZl+1D34e2Drq//yRQ1HuH4BhGiv1XJ/cC4ExVm7AeOXTHPQyTfCKvZEiFt
-y5d2JqByB2yKM5atIkre4aCQo7QtZkyQxZww1ODGbdL7Y2EfF1lao2xfQWB+O7kX
-kgDvI6gGxNypO3/ErIGhwWyF3wPRW/Cs+R2ipVagEp+YiQmD6qnvsNDSvO+mSoZW
-OMhpSYU/JAv1G/96xzFkfCPtDcmgbNjsrCA8YDDDCKkK6EKL37LKOEYI/SPRqYu4
-QkCxPBint+C65mfJAWwlDb0xt6xa3GjK3rzCTtA8sKD9kEuWN0lIDuE3CM7whn3s
-PPCYV+fRAgMBAAECggEBAMefpV1JMm1RRqt9S4ezNPKp2zB7hdW2elViLOrcqFiD
-QBeIMSMuH3e0lJUo5rCnWSKLPc9I7uyVnfe1L6xa7IPbx/wN/88UXoN1n7bbc/o4
-dcIpMpVpj88ZefusIYsnteNPYjQwNApFbfPWM8AAevDVsleLa+91GBgSIu+jtY2a
-YlPazfRil2pgzNNit5LLHZtSdHB8aznSsNm1B55uOXlHW8U3zUT8rU0/SVVBbL9u
-JPrrnc/95qZ/f/6PMVgWA2SHa7mS8qbpFGWl5pc7B3pF0AgTYA1Su885oZ+v3+8U
-vbWMbI87Ruseu/NHQ4LiSMdQN242wQIfob0eCSdaicECgYEA6eHPlQbAbYEsNZp/
-+qcSE7LZV1FIW6eqIe/eUlBbMRZ7wSXXFutlh3Kbn+XxwpIV3bDhjxYuNKS0LudA
-/aB+pfMmZ48k6CN/krbsvVtqJ3FMmiI/RGo0yt7F8Lp6ghVaw4yIKB2bcM68MpVe
-xG4HKrDbs5ojyZI2mMqNh8lB/dkCgYEA6Q+LvOsJvSO/uTEdLIWH4Gtyj0nHjv9/
-Z0s53I6gOYD8s01ZH0EObvGg9UUdpOYfENP8S3qvGd6ZYUk77uXBzlHwiDjLh1TW
-CssAiorsWbofuEhq6EDtO2Rl4qafPbdxonep/RXlVQuHGUxxpYNiZcnwanQ1VTG2
-K3d5Poe7ZrkCgYEA6M7SJvH1kgtGyoTkZ8jugZVCK1zJvhKDlAyFLUK3w4Ex5u2X
-0US4Z795kgz+PkPUaDyuChR2IgjhIt8nHlAoQWBsFiGzBzBuyMg1l7frTx/EtJjq
-iVt++YIPXrUBRYOkOYsl7WirVfsz8tYk4zry/1fVGk6Q2REmL6lQgJ2hhuECgYEA
-k9c1uHiMa/vScgKy0/w8rmLagAS4X4C56+dvY/bhsridFIybXVUid8Q1a4EVhfYo
-fL9MiwDfNJTdTTZsm2YJ4/xcjb0hds6dHKmbxUbNGToVRwxBLOWK16MfcoBqAXdt
-0TcBkTcjjChM4gJ5ERpf/9vy80SWVF29hqM6OS1W9pkCgYEArRK6fyeQBX2UtW39
-6OKH5Er1esLQ8tk7BH+t74OH2nrqKC5wu+oBG35rCDhq1ocP7QH+bnnpKZs0Xeoo
-im1zPzD0v8/BeGz7Uiv7ZyzNBki1YFEW5yagnYc+rjGRfEAbsARpDHtxniU4PjBu
-WXwvaO7oaX+DB8M4pZn4zyPmdGI=
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/toolset/toolset.key.pem
+++ b/.ci/tls/servers/toolset/toolset.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEA1Oy51AEmFFblTOIzl+IWZftQ9+Htg66v/8kUNR7h+AYRor9V
-yf3AuBMVZuwHjl0xz0Mk3wir2RIhbcuXdiagcgdsijOWrSJK3uGgkKO0LWZMkMWc
-MNTgxm3S+2NhHxdZWqNsX0Fgfju5F5IA7yOoBsTcqTt/xKyBocFshd8D0VvwrPkd
-oqVWoBKfmIkJg+qp77DQ0rzvpkqGVjjIaUmFPyQL9Rv/escxZHwj7Q3JoGzY7Kwg
-PGAwwwipCuhCi9+yyjhGCP0j0amLuEJAsTwYp7fguuZnyQFsJQ29MbesWtxoyt68
-wk7QPLCg/ZBLljdJSA7hNwjO8IZ97DzwmFfn0QIDAQABAoIBAQDHn6VdSTJtUUar
-fUuHszTyqdswe4XVtnpVYizq3KhYg0AXiDEjLh93tJSVKOawp1kiiz3PSO7slZ33
-tS+sWuyD28f8Df/PFF6DdZ+223P6OHXCKTKVaY/PGXn7rCGLJ7XjT2I0MDQKRW3z
-1jPAAHrw1bJXi2vvdRgYEiLvo7WNmmJT2s30YpdqYMzTYreSyx2bUnRwfGs50rDZ
-tQeebjl5R1vFN81E/K1NP0lVQWy/biT6653P/eamf3/+jzFYFgNkh2u5kvKm6RRl
-peaXOwd6RdAIE2ANUrvPOaGfr9/vFL21jGyPO0brHrvzR0OC4kjHUDduNsECH6G9
-HgknWonBAoGBAOnhz5UGwG2BLDWaf/qnEhOy2VdRSFunqiHv3lJQWzEWe8El1xbr
-ZYdym5/l8cKSFd2w4Y8WLjSktC7nQP2gfqXzJmePJOgjf5K27L1baidxTJoiP0Rq
-NMrexfC6eoIVWsOMiCgdm3DOvDKVXsRuByqw27OaI8mSNpjKjYfJQf3ZAoGBAOkP
-i7zrCb0jv7kxHSyFh+Brco9Jx47/f2dLOdyOoDmA/LNNWR9BDm7xoPVFHaTmHxDT
-/Et6rxnemWFJO+7lwc5R8Ig4y4dU1grLAIqK7Fm6H7hIauhA7TtkZeKmnz23caJ3
-qf0V5VULhxlMcaWDYmXJ8Gp0NVUxtit3eT6Hu2a5AoGBAOjO0ibx9ZILRsqE5GfI
-7oGVQitcyb4Sg5QMhS1Ct8OBMebtl9FEuGe/eZIM/j5D1Gg8rgoUdiII4SLfJx5Q
-KEFgbBYhswcwbsjINZe3608fxLSY6olbfvmCD161AUWDpDmLJe1oq1X7M/LWJOM6
-8v9X1RpOkNkRJi+pUICdoYbhAoGBAJPXNbh4jGv70nICstP8PK5i2oAEuF+Auevn
-b2P24bK4nRSMm11VInfENWuBFYX2KHy/TIsA3zSU3U02bJtmCeP8XI29IXbOnRyp
-m8VGzRk6FUcMQSzlitejH3KAagF3bdE3AZE3I4woTOICeREaX//b8vNEllRdvYaj
-OjktVvaZAoGBAK0Sun8nkAV9lLVt/ejih+RK9XrC0PLZOwR/re+Dh9p66igucLvq
-ARt+awg4ataHD+0B/m556SmbNF3qKIptcz8w9L/PwXhs+1Ir+2cszQZItWBRFucm
-oJ2HPq4xkXxAG7AEaQx7cZ4lOD4wbll8L2ju6Gl/gwfDOKWZ+M8j5nRi
-----END RSA PRIVATE KEY-----
--- a/.ci/tls/servers/zookeeper/zookeeper.cert.pem
+++ b/.ci/tls/servers/zookeeper/zookeeper.cert.pem
@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIF2DCCA8CgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
-MRUwEwYDVQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQx
-EjAQBgNVBAMMCXB1bHNhci1jaTAeFw0yMDAzMjkyMTAzMDlaFw0yMjEyMjQyMTAz
-MDlaMHIxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNpc2NvMRUwEwYD
-VQQKDAxTdHJlYW1OYXRpdmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxHDAaBgNV
-BAMME3B1bHNhci1jaS16b29rZWVwZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCqITWDFOGDR8zuiPrlu5+LsX0ToYfwAJFl10rW3G1vEsDoIc6ckNZ3
-EMXQlIcG4qKv46aBDz7j+fYLFxe2nB4O5K3vNnAwJKlpbsj/T4EKyPMavzo6YtrZ
-jtPH0a7NxfSXtoTl6HoxPL0xzE9GdaD8/zloEDmcakfQdMHT2RI/7ZCC23QiNdtJ
-4qZFjf7mTjoe/qaG3zdYsI180nR+uH6h8P5mzIQML0ME7lM0MzoyoAsOeykS40dB
-yFDcbOp/Z878Zx++2Cb39KibQ4BGbicXJUjWaJ6l9EFp5RektjluyOioJyRH/u2w
-VfKWJODvug/sZsgobCNv64N0rJOvZESzAgMBAAGjggFnMIIBYzAJBgNVHRMEAjAA
-MBEGCWCGSAGG+EIBAQQEAwIF4DAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5l
-cmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBQVX4oxgqLxXeerh43g
-+IuOyenZcTCBtQYDVR0jBIGtMIGqgBQF1W46Ne+b0F5/YNM2t3hVUzSotaGBhqSB
-gzCBgDELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xFjAUBgNV
-BAcMDVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDFN0cmVhbU5hdGl2ZTEWMBQGA1UE
-CwwNSVQgRGVwYXJ0bWVudDESMBAGA1UEAwwJcHVsc2FyLWNpggkAtTzZF7ro++0w
-DgYDVR0PAQH/BAQDAgXgMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYI
-KwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggIBAIVogKtIA2arT/sMmm57i04CdrO9
-ttv2mgRb47lwshtfbHFv+oCJuXSubFTxMUPpEeecrxfiBt30xbLEx9CwBOZpewDl
-btERhG6B8WCVvYRIUb9uQdfgqAY6kD1ThapDWuDQRMw7h1Bc0c3PBiMrjCCFPsO+
-Vp4kv1BvzatWGkKOgMmUjRbIjHGta7qN4jqlOyzyMlbLbGCXutTOdpc+hjYUtYZg
-zAGZmkPFFYyDG2cPGLXI+io7Q6ZWAZD3AYhgYJTrMOvKs2+iUSZ5kRyPKyUd4tsJ
-Pl07Zz5yY78psWYV+by1b09Ehv0IoTYC5kEwnSjYB/lYhPm7E2E1XDaYHzIPXiQ5
-2kyH20zI9n55cEYWfo96h0dU/Uk5StbGxC8AZQQ64mmd0afqejTqQ5fOGI+04aoo
-X9mjQB5G5OTSHNdxm2t1HOaJYMTkdMmmjeCW0Dy1jtERe7+KsBclXRChwmXs48Kd
-Y/DyxAx2ssLtYrKF4vqY3uuPcGmEePgRUAZ5HY+PqrP/lxjhibzTlbaVDMG1/1jG
-yUjPoFa95ZqcIP9F1QLRCjNXUmHzFTOh4YoI9AFO9WdcexeOgFiBINptNyShNCJt
-NGDsMjdeevRCSjEClrClYG6ZVzp0NXDt3Yk8XcTqwmxz/n7kOAGoThWiwzisOV+L
-wcJC6h29x0XWiTfE
-----END CERTIFICATE-----
--- a/.ci/tls/servers/zookeeper/zookeeper.csr.pem
+++ b/.ci/tls/servers/zookeeper/zookeeper.csr.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIC0DCCAbgCAQAwgYoxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1TYW4gRnJhbmNp
-c2NvMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKDAxTdHJlYW1OYXRp
-dmUxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxHDAaBgNVBAMME3B1bHNhci1jaS16
-b29rZWVwZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqITWDFOGD
-R8zuiPrlu5+LsX0ToYfwAJFl10rW3G1vEsDoIc6ckNZ3EMXQlIcG4qKv46aBDz7j
-+fYLFxe2nB4O5K3vNnAwJKlpbsj/T4EKyPMavzo6YtrZjtPH0a7NxfSXtoTl6Hox
-PL0xzE9GdaD8/zloEDmcakfQdMHT2RI/7ZCC23QiNdtJ4qZFjf7mTjoe/qaG3zdY
-sI180nR+uH6h8P5mzIQML0ME7lM0MzoyoAsOeykS40dByFDcbOp/Z878Zx++2Cb3
-9KibQ4BGbicXJUjWaJ6l9EFp5RektjluyOioJyRH/u2wVfKWJODvug/sZsgobCNv
-64N0rJOvZESzAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEARBLSgRuoJniQqmqi
-cCLEab3HjNB0guiL6MmdmGv6D5BwH0MnEyE8RvdRiA+lcQGXC3ySpnmVc5nz99m3
-H8dQGC+6QjiRFWzsZ4nsvDG4gubASfSG8ruewNnafLyWCwnHS1M7KHoj9QjhgOIv
-qf4Ud2px0RNZY5LSl0e9rYp+LehokD6oZJCoU4uiEjli9vPR61oa3+/oFlzfDsN/
-O4ojDkNFpL/zpbpOYTrGcgtMghGrDjzG7jZ5LEzAFmcjmCaDNK16b5Y2Zat+IiaA
-cH3KdED8SohBEXRzbhBnEle5YwdS3bDYzyDnXYlvCEI9AWxolmKzQvrAWkah1X2t
-6rz3xg==
-----END CERTIFICATE REQUEST-----
--- a/.ci/tls/servers/zookeeper/zookeeper.key-pk8.pem
+++ b/.ci/tls/servers/zookeeper/zookeeper.key-pk8.pem
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqITWDFOGDR8zu
-iPrlu5+LsX0ToYfwAJFl10rW3G1vEsDoIc6ckNZ3EMXQlIcG4qKv46aBDz7j+fYL
-Fxe2nB4O5K3vNnAwJKlpbsj/T4EKyPMavzo6YtrZjtPH0a7NxfSXtoTl6HoxPL0x
-zE9GdaD8/zloEDmcakfQdMHT2RI/7ZCC23QiNdtJ4qZFjf7mTjoe/qaG3zdYsI18
-0nR+uH6h8P5mzIQML0ME7lM0MzoyoAsOeykS40dByFDcbOp/Z878Zx++2Cb39Kib
-Q4BGbicXJUjWaJ6l9EFp5RektjluyOioJyRH/u2wVfKWJODvug/sZsgobCNv64N0
-rJOvZESzAgMBAAECggEAKPa+D8XjVtze90B8SPyYOeaOmz91n9BDMiZYmsuQfgIh
-+MLLIN+vBBRBzSs2J+5CBd/mo4SsO/Bf0ePJjeqhQizFxKdy8+Sf9gb61p6qD5K7
-FmGc/5n14BSH4cEXOezELBOChGkpotlhJLBxFiIUlVZO2EOv232rtQGn+f52anXA
-jVa8JlcWjusb4D6586hV6zhyhk5qgHB3YxhA4461P/zpUqn6dWNrYV4m60vYWm4L
-mwnTldn6bTfZxsdrZrgPOR9mCB/O02daLkDF2gJMNWtPFt3irR5nx/HxWls22LB5
-rMD/LiLunELtAF6mXGYAeE57otK+XmdfqeKFv2M/YQKBgQDaxQLr/aUEmwxmyU3k
-Ny+Z/1jDzjxfoNsbvU+2HxsEh0ahT5B3pQQNOjST21yzxYIrZ3P1AwTiuzuQffZk
-PckFDTrCWQm6Fit+7Ku5aXqtJ4VhF6+QKTXJuFvQ3O3wsrJ7VZaMYZLcA0kzIIyw
-NK7/7EaQO9HgMEyyQXJCBa5s5QKBgQDHFSMy22Exb0fDndKHy0+HV4v3HhzDGdZ8
-RIuy9J1E6eV1j+FwzTa/nDzj252vZrflFfh+who4BcRAKgK4pJb4YMHTUI6GAhEa
-Rsg/6CzOGxw7CAkLMaVnj+TiIKzx6RGmzBCP3hToF9ZpnkmgXFwIsfKZoXvPEp8s
-Sdb5krjptwKBgQDJeY8LT3leGHz/XH1DpB9Or/9LtO+dEkM39M0oaNU1AnBltyTR
-S0PD+srZMLjbRxZuasQ77R/ev5hHpfn4r34mDN0Eh4ORwUElj0lHZID6Xt9TX8Dr
-/0fuEr9cR1tKxQfi1hvkBSh/Pvd3Ao8O6DYSs8L4ql7LHTBFKkjTzO+qkQKBgDgI
-nQWddbfCSIKoky8hbFr9qyl80j+fsBz99gwCiZlx8+GpA50KRZSc1w6TK8jIso3K
-J00WOOb3yIr+yBFMUinKogNmMxdI0aOBtK84HBRO0R1UX6dE6/dAKv3ykHruTMeT
-vD2iFmRVAUZtBPAbztOrskrHht97sE144wcP4vf1AoGAEx6O56DDjIxd/b5rC4mK
-n6AKzg/cJJLgN67ZUIZ87RQkuoRzvA8wiheUTbD/H75KfPmIPt085oDmjvKYLEZC
-l5R8ceLAxlQnhOYPVp1NjMP8YCcukWLdN1ltjVl1Fs/aUC9AzpyzzpU2auMuPk8q
-KCJQmTbCbDIGHfW39T6kNvE=
-----END PRIVATE KEY-----
--- a/.ci/tls/servers/zookeeper/zookeeper.key.pem
+++ b/.ci/tls/servers/zookeeper/zookeeper.key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqiE1gxThg0fM7oj65bufi7F9E6GH8ACRZddK1txtbxLA6CHO
-nJDWdxDF0JSHBuKir+OmgQ8+4/n2CxcXtpweDuSt7zZwMCSpaW7I/0+BCsjzGr86
-OmLa2Y7Tx9GuzcX0l7aE5eh6MTy9McxPRnWg/P85aBA5nGpH0HTB09kSP+2Qgtt0
-IjXbSeKmRY3+5k46Hv6mht83WLCNfNJ0frh+ofD+ZsyEDC9DBO5TNDM6MqALDnsp
-EuNHQchQ3Gzqf2fO/Gcfvtgm9/Som0OARm4nFyVI1miepfRBaeUXpLY5bsjoqCck
-R/7tsFXyliTg77oP7GbIKGwjb+uDdKyTr2REswIDAQABAoIBACj2vg/F41bc3vdA
-fEj8mDnmjps/dZ/QQzImWJrLkH4CIfjCyyDfrwQUQc0rNifuQgXf5qOErDvwX9Hj
-yY3qoUIsxcSncvPkn/YG+taeqg+SuxZhnP+Z9eAUh+HBFznsxCwTgoRpKaLZYSSw
-cRYiFJVWTthDr9t9q7UBp/n+dmp1wI1WvCZXFo7rG+A+ufOoVes4coZOaoBwd2MY
-QOOOtT/86VKp+nVja2FeJutL2FpuC5sJ05XZ+m032cbHa2a4DzkfZggfztNnWi5A
-xdoCTDVrTxbd4q0eZ8fx8VpbNtiweazA/y4i7pxC7QBeplxmAHhOe6LSvl5nX6ni
-hb9jP2ECgYEA2sUC6/2lBJsMZslN5Dcvmf9Yw848X6DbG71Pth8bBIdGoU+Qd6UE
-DTo0k9tcs8WCK2dz9QME4rs7kH32ZD3JBQ06wlkJuhYrfuyruWl6rSeFYRevkCk1
-ybhb0Nzt8LKye1WWjGGS3ANJMyCMsDSu/+xGkDvR4DBMskFyQgWubOUCgYEAxxUj
-MtthMW9Hw53Sh8tPh1eL9x4cwxnWfESLsvSdROnldY/hcM02v5w849udr2a35RX4
-fsIaOAXEQCoCuKSW+GDB01COhgIRGkbIP+gszhscOwgJCzGlZ4/k4iCs8ekRpswQ
-j94U6BfWaZ5JoFxcCLHymaF7zxKfLEnW+ZK46bcCgYEAyXmPC095Xhh8/1x9Q6Qf
-Tq//S7TvnRJDN/TNKGjVNQJwZbck0UtDw/rK2TC420cWbmrEO+0f3r+YR6X5+K9+
-JgzdBIeDkcFBJY9JR2SA+l7fU1/A6/9H7hK/XEdbSsUH4tYb5AUofz73dwKPDug2
-ErPC+Kpeyx0wRSpI08zvqpECgYA4CJ0FnXW3wkiCqJMvIWxa/aspfNI/n7Ac/fYM
-AomZcfPhqQOdCkWUnNcOkyvIyLKNyidNFjjm98iK/sgRTFIpyqIDZjMXSNGjgbSv
-OBwUTtEdVF+nROv3QCr98pB67kzHk7w9ohZkVQFGbQTwG87Tq7JKx4bfe7BNeOMH
-D+L39QKBgBMejuegw4yMXf2+awuJip+gCs4P3CSS4Deu2VCGfO0UJLqEc7wPMIoX
-lE2w/x++Snz5iD7dPOaA5o7ymCxGQpeUfHHiwMZUJ4TmD1adTYzD/GAnLpFi3TdZ
-bY1ZdRbP2lAvQM6cs86VNmrjLj5PKigiUJk2wmwyBh31t/U+pDbx
-----END RSA PRIVATE KEY-----
--- a/.ci/clusters/values-function.yaml
+++ b/.ci/clusters/values-function.yaml
@ -17,14 +17,36 @@
 # under the License.
 #

-monitoring:
-  prometheus: false
-  grafana: false
-  node_exporter: false
-  alert_manager: false
-
-volumes:
-  local_storage: true
+victoria-metrics-k8s-stack:
+  enabled: false
+  victoria-metrics-operator:
+    enabled: false
+  vmsingle:
+    enabled: false
+  vmagent:
+    enabled: false
+  vmalert:
+    enabled: false
+  alertmanager:
+    enabled: false
+  grafana:
+    enabled: false
+  prometheus-node-exporter:
+    enabled: false
+  kube-state-metrics:
+    enabled: false
+  kubelet:
+    enabled: false
+  kubeApiServer:
+    enabled: false
+  kubeControllerManager:
+    enabled: false
+  coreDns:
+    enabled: false
+  kubeEtcd:
+    enabled: false
+  kubeScheduler:
+    enabled: false

 # disabled AntiAffinity
 affinity:
@ -34,20 +56,37 @@ affinity:
 components:
  autorecovery: false
  pulsar_manager: false
+  # enable functions by default in CI
+  functions: true

 zookeeper:
  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false

 bookkeeper:
  replicaCount: 3
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
  configData:
    diskUsageThreshold: "0.999"
    diskUsageWarnThreshold: "0.999"
    PULSAR_PREFIX_diskUsageThreshold: "0.999"
    PULSAR_PREFIX_diskUsageWarnThreshold: "0.999"
+    # minimal memory use for bookkeeper
+    # https://bookkeeper.apache.org/docs/reference/config#db-ledger-storage-settings
+    dbStorage_writeCacheMaxSizeMb: "32"
+    dbStorage_readAheadCacheMaxSizeMb: "32"
+    dbStorage_rocksDB_writeBufferSizeMB: "8"
+    dbStorage_rocksDB_blockCacheSize: "8388608"    

 broker:
  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
  configData:
    ## Enable `autoSkipNonRecoverableData` since bookkeeper is running
    ## without persistence
@ -60,8 +99,24 @@ broker:
    PF_functionInstanceMinResources_ram: "268435456"
    PF_functionInstanceMinResources_disk: "268435456"
    
+autorecovery:
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false
+
 proxy:
  replicaCount: 1
+  # Disable pod monitor since we're disabling CRD installation
+  podMonitor:
+    enabled: false

 toolset:
  useProxy: false
+
+oxia:
+  coordinator:
+    podMonitor:
+      enabled: false
+  server:
+    podMonitor:
+      enabled: false
--- a/.github/actions/chart-testing-action/README.md
+++ b/.github/actions/chart-testing-action/README.md
@ -0,0 +1,3 @@
+# chart-testing Action
+
+This action is an identical fork of [helm/chart-testing-action@v3.7.1](https://github.com/helm/chart-testing-action).
--- a/.github/actions/chart-testing-action/action.yml
+++ b/.github/actions/chart-testing-action/action.yml
@ -0,0 +1,60 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Copyright The Helm Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Helm Chart Testing"
+description: "Install the Helm chart-testing tool"
+author: "The Helm authors"
+branding:
+  color: blue
+  icon: anchor
+inputs:
+  version:
+    description: "The chart-testing version to install"
+    required: false
+    default: v3.12.0
+  yamllint_version:
+    description: "The yamllint version to install"
+    required: false
+    default: '1.35.1'
+  yamale_version:
+    description:  "The yamale version to install"
+    required: false
+    default: '6.0.0'
+runs:
+  using: composite
+  steps:
+    - run: |
+        cd $GITHUB_ACTION_PATH \
+        && ./ct.sh \
+            --version ${{ inputs.version }} \
+            --yamllint-version ${{ inputs.yamllint_version }} \
+            --yamale-version ${{ inputs.yamale_version }}
+      shell: bash
--- a/.github/actions/chart-testing-action/ct.sh
+++ b/.github/actions/chart-testing-action/ct.sh
@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Copyright The Helm Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+DEFAULT_CHART_TESTING_VERSION=v3.12.0
+DEFAULT_YAMLLINT_VERSION=1.35.1
+DEFAULT_YAMALE_VERSION=6.0.0
+
+ARCH=$(uname -m)
+case $ARCH in
+    x86) ARCH="386";;
+    x86_64) ARCH="amd64";;
+    i686) ARCH="386";;
+    i386) ARCH="386";;
+    arm64) ARCH="arm64";;
+    aarch64) ARCH="arm64";;
+esac
+OS=$(uname|tr '[:upper:]' '[:lower:]')
+
+show_help() {
+cat << EOF
+Usage: $(basename "$0") <options>
+    -h, --help          Display help
+    -v, --version       The chart-testing version to use (default: $DEFAULT_CHART_TESTING_VERSION)"
+EOF
+}
+
+main() {
+    local version="$DEFAULT_CHART_TESTING_VERSION"
+    local yamllint_version="$DEFAULT_YAMLLINT_VERSION"
+    local yamale_version="$DEFAULT_YAMALE_VERSION"
+
+    parse_command_line "$@"
+
+    install_chart_testing
+}
+
+parse_command_line() {
+    while :; do
+        case "${1:-}" in
+            -h|--help)
+                show_help
+                exit
+                ;;
+            -v|--version)
+                if [[ -n "${2:-}" ]]; then
+                    version="$2"
+                    shift
+                else
+                    echo "ERROR: '-v|--version' cannot be empty." >&2
+                    show_help
+                    exit 1
+                fi
+                ;;
+            --yamllint-version)
+                if [[ -n "${2:-}" ]]; then
+                    yamllint_version="$2"
+                    shift
+                else
+                    echo "ERROR: '--yamllint-version' cannot be empty." >&2
+                    show_help
+                    exit 1
+                fi
+                ;;
+            --yamale-version)
+                if [[ -n "${2:-}" ]]; then
+                    yamale_version="$2"
+                    shift
+                else
+                    echo "ERROR: '--yamale-version' cannot be empty." >&2
+                    show_help
+                    exit 1
+                fi
+                ;;
+            *)
+                break
+                ;;
+        esac
+
+        shift
+    done
+}
+
+install_chart_testing() {
+    if [[ ! -d "$RUNNER_TOOL_CACHE" ]]; then
+        echo "Cache directory '$RUNNER_TOOL_CACHE' does not exist" >&2
+        exit 1
+    fi
+
+    local cache_dir="$RUNNER_TOOL_CACHE/ct/$version/${ARCH}"
+    local venv_dir="$cache_dir/venv"
+
+    if [[ ! -d "$cache_dir" ]]; then
+        mkdir -p "$cache_dir"
+
+        echo "Installing chart-testing..."
+        curl -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_${OS}_${ARCH}.tar.gz"
+        tar -xzf ct.tar.gz -C "$cache_dir"
+        rm -f ct.tar.gz
+
+        # if uv (https://docs.astral.sh/uv/) is not installed, install it
+        if ! command -v uv &> /dev/null; then
+            echo 'Installing uv...'
+            curl -LsSf https://astral.sh/uv/install.sh | sh
+        fi
+
+        echo 'Creating virtual Python environment...'
+        uv venv "$venv_dir"
+
+        echo 'Activating virtual environment...'
+        # shellcheck disable=SC1090
+        source "$venv_dir/bin/activate"
+
+        echo 'Installing yamllint...'
+        uv pip install "yamllint==${yamllint_version}"
+
+        echo 'Installing Yamale...'
+        uv pip install "yamale==${yamale_version}"
+    fi
+
+    # https://github.com/helm/chart-testing-action/issues/62
+    echo 'Adding ct directory to PATH...'
+    echo "$cache_dir" >> "$GITHUB_PATH"
+
+    echo 'Setting CT_CONFIG_DIR...'
+    echo "CT_CONFIG_DIR=$cache_dir/etc" >> "$GITHUB_ENV"
+
+    echo 'Configuring environment variables for virtual environment for subsequent workflow steps...'
+    echo "VIRTUAL_ENV=$venv_dir" >> "$GITHUB_ENV"
+    echo "$venv_dir/bin" >> "$GITHUB_PATH"
+
+    "$cache_dir/ct" version
+}
+
+main "$@"
--- a/.github/actions/ssh-access/action.yml
+++ b/.github/actions/ssh-access/action.yml
@ -0,0 +1,161 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: ssh access
+description: Sets up SSH access to build VM with upterm
+inputs:
+  action:
+    description: |
+      Action to perform: options are "start" and "wait"
+      "start" will install, configure and start upterm.
+      "wait" will wait until a connection is established to upterm and will continue to wait until the session is closed.
+    required: false
+    default: 'start'
+  limit-access-to-actor:
+    description: 'If only the public SSH keys of the user triggering the workflow should be authorized'
+    required: false
+    default: 'false'
+  limit-access-to-users:
+    description: 'If only the public SSH keys of the listed GitHub users should be authorized. Comma separate list of GitHub user names.'
+    required: false
+    default: ''
+  secure-access:
+    description: |
+      Set to false for allowing public access when limit-access-to-actor and limit-access-to-users are unset.
+    required: false
+    default: 'true'
+  timeout:
+    description: 'When action=wait, the timeout in seconds to wait for the user to connect'
+    required: false
+    default: '300'
+runs:
+  using: composite
+  steps:
+    - run: |
+        if [[ "${{ inputs.action }}" == "start" ]]; then
+            echo "::group::Installing upterm & tmux"
+            if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+                # install upterm
+                curl -sL https://github.com/owenthereal/upterm/releases/download/v0.7.6/upterm_linux_amd64.tar.gz | tar zxvf - -C /tmp upterm && sudo install /tmp/upterm /usr/local/bin/ && rm -rf /tmp/upterm
+            
+                # install tmux if it's not present
+                if ! command -v tmux &>/dev/null; then
+                    sudo apt-get -y install tmux
+                fi
+            elif [[ "$OSTYPE" == "darwin"* ]]; then
+                brew install owenthereal/upterm/upterm
+                # install tmux if it's not present
+                if ! command -v tmux &>/dev/null; then
+                    brew install tmux
+                fi
+            else
+                echo "Unsupported $OSTYPE"
+                exit 0
+            fi
+            echo '::endgroup::'  
+            echo "::group::Configuring ssh and ssh keys"
+            # generate ssh key
+            mkdir -p ~/.ssh
+            chmod 0700 ~/.ssh
+            if [ ! -f ~/.ssh/id_rsa ]; then
+                ssh-keygen -q -t rsa -N "" -f ~/.ssh/id_rsa
+            fi
+            if [ ! -f ~/.ssh/id_ed25519 ]; then
+                ssh-keygen -q -t ed25519 -N "" -f ~/.ssh/id_ed25519
+            fi
+            # configure ssh
+            echo -e "Host *\nStrictHostKeyChecking no\nCheckHostIP no\nTCPKeepAlive yes\nServerAliveInterval 30\nServerAliveCountMax 180\nVerifyHostKeyDNS yes\nUpdateHostKeys yes\n" > ~/.ssh/config
+            # Auto-generate ~/.ssh/known_hosts by attempting connection to uptermd.upterm.dev  
+            ssh -i ~/.ssh/id_ed25519 uptermd.upterm.dev || true
+            # @cert-authority entry is a mandatory entry when connecting to upterm. generate the entry based on the known_hosts entry key
+            cat <(cat ~/.ssh/known_hosts | awk '{ print "@cert-authority * " $2 " " $3 }') >> ~/.ssh/known_hosts
+            authorizedKeysParameter=""
+            authorizedKeysFile=${HOME}/.ssh/authorized_keys
+            if [[ "${{ inputs.secure-access }}" != "false" ]]; then
+                ssh-keygen -q -t ed25519 -N "$(echo $RANDOM | md5sum | awk '{ print $1 }')" -C "Prevent public access" -f /tmp/dummykey$$
+                cat /tmp/dummykey$$.pub >> $authorizedKeysFile
+                rm /tmp/dummykey$$ /tmp/dummykey$$.pub
+            fi
+            limit_access_to_actor="${{ inputs.limit-access-to-actor }}"
+            if [[ "${limit_access_to_actor}" == "true" ]]; then
+                echo "Adding ${GITHUB_ACTOR} to allowed users (identified by ssh key registered in GitHub)"
+                curl -s https://github.com/${GITHUB_ACTOR}.keys >> $authorizedKeysFile
+            fi
+            limit_access_to_users="${{ inputs.limit-access-to-users }}"
+            for github_user in ${limit_access_to_users//,/ }; do
+                if [[ -n "${github_user}" ]]; then
+                    echo "Adding ${github_user} to allowed users (identified by ssh key registered in GitHub)"
+                    curl -s https://github.com/${github_user}.keys >> $authorizedKeysFile
+                fi
+            done
+            if [ -f $authorizedKeysFile ]; then
+                chmod 0600 $authorizedKeysFile
+                authorizedKeysParameter="-a $authorizedKeysFile"
+                echo -e "Using $authorizedKeysFile\nContent:\n---------------------------"
+                cat $authorizedKeysFile
+                echo "---------------------------"
+            fi
+            echo '::endgroup::'  
+            echo "::group::Starting terminal session and connecting to server"
+            tmux new -d -s upterm-wrapper -x 132 -y 43 "upterm host ${authorizedKeysParameter} --force-command 'tmux attach -t upterm' -- tmux new -s upterm -x 132 -y 43"
+            sleep 2
+            tmux send-keys -t upterm-wrapper q C-m
+            sleep 1
+            tmux set -t upterm-wrapper window-size largest
+            tmux set -t upterm window-size largest
+            echo '::endgroup::'  
+            echo -e "\nSSH connection information"
+            # wait up to 10 seconds for upterm admin socket to appear
+            for i in {1..10}; do
+              ADMIN_SOCKET=$(find $HOME/.upterm -name "*.sock")
+              if [ ! -S "$ADMIN_SOCKET" ]; then
+                echo "Waiting for upterm admin socket to appear in ~/.upterm/*.sock ..."
+                sleep 1
+              else
+                echo "upterm admin socket available in $ADMIN_SOCKET"
+                break
+              fi
+            done
+            shopt -s nullglob
+            upterm session current --admin-socket ~/.upterm/*.sock || {
+              echo "Starting upterm failed."
+              exit 0
+            }
+        elif [[ "${{ inputs.action }}" == "wait" ]]; then
+            # only wait if upterm was installed
+            if command -v upterm &>/dev/null; then
+                shopt -s nullglob
+                echo "SSH connection information"
+                upterm session current --admin-socket ~/.upterm/*.sock || {
+                    echo "upterm isn't running. Not waiting any longer."
+                    exit 0
+                }
+                timeout=${{ inputs.timeout }}
+                echo "Waiting $timeout seconds..."
+                sleep $timeout
+                echo "Keep waiting as long as there's a connected session"
+                while upterm session current --admin-socket ~/.upterm/*.sock|grep Connected &>/dev/null; do
+                    sleep 30
+                done
+                echo "No session is connected. Not waiting any longer."
+            else
+                echo "upterm isn't installed"
+            fi
+        fi
+      shell: bash
--- a/.github/actions/tune-runner-vm/action.yml
+++ b/.github/actions/tune-runner-vm/action.yml
@ -0,0 +1,96 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Tune Runner VM performance
+description: tunes the GitHub Runner VM operation system
+runs:
+  using: composite
+  steps:
+    - run: |
+        if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+            echo "::group::Configure and tune OS"
+            # Ensure that reverse lookups for current hostname are handled properly
+            # Add the current IP address, long hostname and short hostname record to /etc/hosts file
+            echo -e "$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)\t$(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
+
+            # The default vm.swappiness setting is 60 which has a tendency to start swapping when memory
+            # consumption is high.
+            # Set vm.swappiness=1 to avoid swapping and allow high RAM usage
+            echo 1 | sudo tee /proc/sys/vm/swappiness
+            (
+              shopt -s nullglob
+              # Set swappiness to 1 for all cgroups and sub-groups
+              for swappiness_file in /sys/fs/cgroup/memory/*/memory.swappiness /sys/fs/cgroup/memory/*/*/memory.swappiness; do
+                echo 1 | sudo tee $swappiness_file > /dev/null
+              done
+            ) || true
+
+            # use "madvise" Linux Transparent HugePages (THP) setting
+            # https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html
+            # "madvise" is generally a better option than the default "always" setting
+            # Based on Azul instructions from https://docs.azul.com/prime/Enable-Huge-Pages#transparent-huge-pages-thp
+            echo madvise | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
+            echo advise | sudo tee /sys/kernel/mm/transparent_hugepage/shmem_enabled
+            echo defer+madvise | sudo tee /sys/kernel/mm/transparent_hugepage/defrag
+            echo 1 | sudo tee /sys/kernel/mm/transparent_hugepage/khugepaged/defrag
+    
+            # tune filesystem mount options, https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
+            # commit=999999, effectively disables automatic syncing to disk (default is every 5 seconds)
+            # nobarrier/barrier=0, loosen data consistency on system crash (no negative impact to empheral CI nodes)
+            sudo mount -o remount,nodiscard,commit=999999,barrier=0 / || true
+            sudo mount -o remount,nodiscard,commit=999999,barrier=0 /mnt || true
+            # disable discard/trim at device level since remount with nodiscard doesn't seem to be effective
+            # https://www.spinics.net/lists/linux-ide/msg52562.html
+            for i in /sys/block/sd*/queue/discard_max_bytes; do
+              echo 0 | sudo tee $i
+            done
+            # disable any background jobs that run SSD discard/trim
+            sudo systemctl disable fstrim.timer || true
+            sudo systemctl stop fstrim.timer || true
+            sudo systemctl disable fstrim.service || true
+            sudo systemctl stop fstrim.service || true
+
+            # stop php-fpm
+            sudo systemctl stop php8.0-fpm.service || true
+            sudo systemctl stop php7.4-fpm.service || true
+            # stop mono-xsp4
+            sudo systemctl disable mono-xsp4.service || true
+            sudo systemctl stop mono-xsp4.service || true
+            sudo killall mono || true
+
+            # stop Azure Linux agent to save RAM
+            sudo systemctl stop walinuxagent.service || true
+          
+            echo '::endgroup::'
+
+            # show memory
+            echo "::group::Available Memory"
+            free -m
+            echo '::endgroup::'
+            # show disk
+            echo "::group::Available diskspace"
+            df -BM
+            echo "::endgroup::"
+            # show cggroup
+            echo "::group::Cgroup settings for current cgroup $CURRENT_CGGROUP"
+            CURRENT_CGGROUP=$(cat /proc/self/cgroup | grep '0::' | awk -F: '{ print $3 }')
+            sudo cgget -a $CURRENT_CGGROUP || true
+            echo '::endgroup::'
+        fi
+      shell: bash
--- a/.github/changes-filter.yaml
+++ b/.github/changes-filter.yaml
@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# contains pattern definitions used in workflows "changes" step
+# pattern syntax: https://github.com/micromatch/picomatch
+all:
+  - '**'
+docs:
+  - 'examples/**'
+  - '.asf.yaml'
+  - '*.md'
+  - '**/*.md'
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Helm Chart Lint
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - '.ci/ct.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Lint chart
-        id: lint
-        uses: helm/chart-testing-action@v2.0.0
-        with:
-          command: lint
--- a/.github/workflows/pulsar-helm-chart-ci.yaml
+++ b/.github/workflows/pulsar-helm-chart-ci.yaml
@ -0,0 +1,357 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Pulsar Helm Chart CI
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+ 
+  preconditions:
+    name: Preconditions
+    runs-on: ubuntu-24.04
+    if: (github.event_name != 'schedule') || (github.repository == 'apache/pulsar-helm-chart')
+    outputs:
+      docs_only: ${{ steps.check_changes.outputs.docs_only }}
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Detect changed files
+        id:   changes
+        uses: apache/pulsar-test-infra/paths-filter@master
+        with:
+          filters: .github/changes-filter.yaml
+          list-files: csv
+
+      - name: Check changed files
+        id: check_changes
+        run: |
+          if [[ "${GITHUB_EVENT_NAME}" != "schedule" && "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
+            echo "docs_only=${{ fromJSON(steps.changes.outputs.all_count) == fromJSON(steps.changes.outputs.docs_count) && fromJSON(steps.changes.outputs.docs_count) > 0 }}" >> $GITHUB_OUTPUT
+          else
+            echo docs_only=false >> $GITHUB_OUTPUT
+          fi
+
+  license-check:
+    needs: preconditions
+    name: License Check
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    if: ${{ needs.preconditions.outputs.docs_only != 'true' }}
+    steps:
+      - name: Set up Go 1.12
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.12
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+
+      - name: Check license
+        run: |
+          go test license_test.go
+
+  # run "ct lint" https://github.com/helm/chart-testing/blob/main/doc/ct_lint.md
+  ct-lint:
+    needs: ['preconditions', 'license-check']
+    name: chart-testing lint
+    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    if: ${{ needs.preconditions.outputs.docs_only != 'true' }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Tune Runner VM
+        uses: ./.github/actions/tune-runner-vm
+
+      - name: Setup ssh access to build runner VM
+        # ssh access is enabled for builds in own forks
+        if: ${{ github.repository != 'apache/pulsar-helm-chart' && github.event_name == 'pull_request' }}
+        uses: ./.github/actions/ssh-access
+        continue-on-error: true
+        with:
+          limit-access-to-actor: true
+
+      - name: Set up Helm
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.4
+
+      - name: Set up Python
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install uv, a fast modern package manager for Python
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        run: curl -LsSf https://astral.sh/uv/install.sh | sh
+
+      - name: Set up chart-testing
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        uses: ./.github/actions/chart-testing-action
+
+      - name: Run chart-testing (lint)
+        id: ct-lint
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        run: |
+          ct lint --check-version-increment=false \
+            --validate-maintainers=false \
+            --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Run kubeconform check for helm template with every major k8s version 1.25.0-1.32.0
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        run: |
+          PULSAR_CHART_HOME=$(pwd)
+          source ${PULSAR_CHART_HOME}/hack/common.sh
+          source ${PULSAR_CHART_HOME}/.ci/helm.sh
+          hack::ensure_kubectl
+          hack::ensure_helm
+          hack::ensure_kubeconform
+          ci::helm_repo_add
+          helm dependency build charts/pulsar
+          validate_helm_template_with_k8s_version() {
+            local kube_version=$1
+            shift
+            echo -n "Validating helm template with kubeconform for k8s version $kube_version"
+            if [ $# -gt 0 ]; then
+              echo " Extra args: $*"
+            else
+              echo ""
+            fi
+            helm template charts/pulsar --set victoria-metrics-k8s-stack.enabled=false --set components.pulsar_manager=true --kube-version $kube_version "$@" | \
+              kubeconform -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' -strict -kubernetes-version $kube_version -summary
+          }
+          set -o pipefail
+          for k8s_version_part in {25..32}; do
+            k8s_version="1.${k8s_version_part}.0"
+            echo "Validating default values with k8s version $k8s_version"
+            validate_helm_template_with_k8s_version $k8s_version
+            for config in .ci/clusters/*.yaml; do
+              echo "Validating $config with k8s version $k8s_version"
+              validate_helm_template_with_k8s_version $k8s_version --values .ci/values-common.yaml --values $config
+            done
+          done
+
+      - name: Validate kustomize yaml for extra new lines in pulsar-init commands
+        if: ${{ steps.check_changes.outputs.docs_only != 'true' }}
+        run: |
+          ./.ci/helm.sh validate_kustomize_yaml
+
+      - name: Wait for ssh connection when build fails
+        # ssh access is enabled for builds in own forks
+        uses: ./.github/actions/ssh-access
+        if: ${{ failure() && github.repository != 'apache/pulsar-helm-chart' && github.event_name == 'pull_request' }}
+        continue-on-error: true
+        with:
+          action: wait
+
+  install-chart-tests:
+    name: ${{ matrix.testScenario.name }} - k8s ${{ matrix.k8sVersion.version }} - ${{ matrix.testScenario.type || 'install' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: ${{ matrix.testScenario.timeout || 45 }}
+    needs: ['preconditions', 'ct-lint']
+    if: ${{ needs.preconditions.outputs.docs_only != 'true' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        # see https://github.com/kubernetes-sigs/kind/releases/tag/v0.27.0 for the list of supported k8s versions for kind 0.27.0
+        # docker images are available at https://hub.docker.com/r/kindest/node/tags
+        k8sVersion:
+          - version: "1.25.16"
+            kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025
+          - version: "1.32.2"
+            kind_image_tag: v1.32.2@sha256:f226345927d7e348497136874b6d207e0b32cc52154ad8323129352923a3142f
+        testScenario:
+          - name: Upgrade latest released version
+            values_file: .ci/clusters/values-upgrade.yaml
+            shortname: upgrade
+            type: upgrade
+          - name: Use previous LTS Pulsar Image
+            values_file: .ci/clusters/values-pulsar-previous-lts.yaml
+            shortname: pulsar-previous-lts
+          - name: JWT Asymmetric Keys
+            values_file: .ci/clusters/values-jwt-asymmetric.yaml
+            shortname: jwt-asymmetric
+          - name: JWT Symmetric Key
+            values_file: .ci/clusters/values-jwt-symmetric.yaml
+            shortname: jwt-symmetric
+          - name: TLS
+            values_file: .ci/clusters/values-tls.yaml
+            shortname: tls
+          - name: Broker & Proxy TLS
+            values_file: .ci/clusters/values-broker-tls.yaml
+            shortname: broker-tls
+          - name: BK TLS Only
+            values_file: .ci/clusters/values-bk-tls.yaml
+            shortname: bk-tls
+          - name: ZK TLS Only
+            values_file: .ci/clusters/values-zk-tls.yaml
+            shortname: zk-tls
+          - name: ZK & BK TLS Only
+            values_file: .ci/clusters/values-zkbk-tls.yaml
+            shortname: zkbk-tls
+          - name: Pulsar Manager
+            values_file: .ci/clusters/values-pulsar-manager.yaml
+            shortname: pulsar-manager
+          - name: Oxia
+            values_file: .ci/clusters/values-oxia.yaml
+            shortname: oxia
+          - name: OpenID
+            values_file: .ci/clusters/values-openid.yaml
+            shortname: openid
+          - name: CA certificates
+            values_file: .ci/clusters/values-cacerts.yaml
+            shortname: cacerts
+        include:
+          - k8sVersion:
+              version: "1.25.16"
+              kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025
+            testScenario:
+              name: "Upgrade TLS"
+              values_file: .ci/clusters/values-tls.yaml
+              shortname: tls
+              type: upgrade
+          - k8sVersion:
+              version: "1.25.16"
+              kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025
+            testScenario:
+              name: "Upgrade victoria-metrics-k8s-stack for previous LTS"
+              values_file: .ci/clusters/values-victoria-metrics-grafana.yaml --values .ci/clusters/values-pulsar-previous-lts.yaml
+              shortname: victoria-metrics-grafana
+              type: upgrade
+              upgradeFromVersion: 3.2.0
+          - k8sVersion:
+              version: "1.25.16"
+              kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025
+            testScenario:
+              name: "TLS with helm 3.12.0"
+              values_file: .ci/clusters/values-tls.yaml
+              shortname: tls
+              type: install
+            helmVersion: 3.12.0
+    env:
+      k8sVersion: ${{ matrix.k8sVersion.kind_image_tag }}
+      KUBECTL_VERSION: ${{ matrix.k8sVersion.version }}
+      HELM_VERSION: ${{ matrix.helmVersion || '3.14.4' }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: Tune Runner VM
+        uses: ./.github/actions/tune-runner-vm
+
+      - name: Setup debugging tools for ssh access
+        if: ${{ github.repository != 'apache/pulsar-helm-chart' && github.event_name == 'pull_request' }}
+        run: .ci/configure_ci_runner_for_debugging.sh
+
+      - name: Setup ssh access to build runner VM
+        # ssh access is enabled for builds in own forks
+        if: ${{ github.repository != 'apache/pulsar-helm-chart' && github.event_name == 'pull_request' }}
+        uses: ./.github/actions/ssh-access
+        continue-on-error: true
+        with:
+          limit-access-to-actor: true
+
+      - name: Run chart-testing (${{ matrix.testScenario.type || 'install' }}) with helm ${{ env.HELM_VERSION }}
+        run: |
+          case "${{ matrix.testScenario.shortname }}" in
+            "jwt-symmetric")
+              export SYMMETRIC=true
+              export EXTRA_SUPERUSERS=manager-admin
+              ;;
+            "jwt-asymmetric")
+              export EXTRA_SUPERUSERS=manager-admin
+              ;;
+            "openid")
+              export AUTHENTICATION_PROVIDER=openid
+              ;;
+          esac
+          if [[ "${{ matrix.testScenario.type || 'install' }}" == "upgrade" ]]; then
+            export UPGRADE_FROM_VERSION="${{ matrix.testScenario.upgradeFromVersion || 'latest' }}"
+          fi
+          .ci/chart_test.sh ${{ matrix.testScenario.values_file }}
+
+      - name: Collect k8s logs on failure
+        if: ${{ cancelled() || failure() }}
+        continue-on-error: true
+        shell: bash
+        run: |
+          source .ci/helm.sh
+          set +e
+          ci::collect_k8s_logs
+
+      - name: Upload k8s logs on failure
+        uses: actions/upload-artifact@v4
+        if: ${{ cancelled() || failure() }}
+        continue-on-error: true
+        with:
+          name: k8s-logs-${{ matrix.testScenario.shortname }}
+          path: /tmp/k8s-logs
+          retention-days: 7
+          if-no-files-found: ignore          
+
+      - name: Wait for ssh connection when build fails
+        # ssh access is enabled for builds in own forks
+        uses: ./.github/actions/ssh-access
+        if: ${{ failure() && github.repository != 'apache/pulsar-helm-chart' && github.event_name == 'pull_request' }}
+        continue-on-error: true
+        with:
+          action: wait
+
+  # This job is required for pulls to be merged.
+  # It depends on all other jobs in this workflow.
+  pulsar-helm-chart-ci-checks-completed:
+    name: "CI checks completed"
+    if: ${{ always() && ((github.event_name != 'schedule') || (github.repository == 'apache/pulsar-helm-chart')) }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    needs: [
+      'preconditions',
+      'license-check',
+      'install-chart-tests'
+    ]
+    steps:
+      - name: Check that all required jobs were completed successfully
+        if: ${{ needs.preconditions.outputs.docs_only != 'true' }}
+        run: |
+          if [[ ! ( \
+                   "${{ needs.license-check.result }}" == "success" \
+                && "${{ needs.install-chart-tests.result }}" == "success" \
+               ) ]]; then
+            echo "Required jobs haven't been completed successfully."
+            exit 1
+          fi
--- a/.github/workflows/pulsar.yml
+++ b/.github/workflows/pulsar.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (Basic Installation)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-local-pv.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_bk_tls.yml
+++ b/.github/workflows/pulsar_bk_tls.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (BK TLS Only)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Run chart-testing (install)
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-bk-tls.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_broker_tls.yml
+++ b/.github/workflows/pulsar_broker_tls.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (Broker & Proxy TLS Installation)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Run chart-testing (install)
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-broker-tls.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_function.yml
+++ b/.github/workflows/pulsar_function.yml
@ -1,50 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (Pulsar Function)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-function.yaml
-        env:
-          FUNCTION: "true"
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_image.yml
+++ b/.github/workflows/pulsar_image.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (Use Pulsar Image)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-pulsar-image.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_jwt_asymmetric.yml
+++ b/.github/workflows/pulsar_jwt_asymmetric.yml
@ -1,50 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (JWT Secret Key Installation)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Run chart-testing (install)
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-jwt-asymmetric.yaml
-        env:
-          SYMMETRIC: "false"
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_jwt_symmetric.yml
+++ b/.github/workflows/pulsar_jwt_symmetric.yml
@ -1,50 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (JWT Public/Private Key Installation)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Run chart-testing (install)
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-jwt-symmetric.yaml
-        env:
-          SYMMETRIC: "true"
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_tls.yml
+++ b/.github/workflows/pulsar_tls.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (TLS Installation)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-tls.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_zk_tls.yml
+++ b/.github/workflows/pulsar_zk_tls.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (ZK TLS Only)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-zk-tls.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.github/workflows/pulsar_zkbk_tls.yml
+++ b/.github/workflows/pulsar_zkbk_tls.yml
@ -1,48 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: Precommit - Pulsar Helm Chart (ZK & BK TLS Only)
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - 'charts/pulsar/**'
-      - 'hack/kind-cluster-build.sh'
-jobs:
-  lint-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check if this pull request only changes documentation
-        id:   docs
-        uses: apache/pulsar-test-infra/diff-only@master
-        with:
-          args: site2 .asf.yaml ct.yaml
-
-      - name: Install chart
-        run: |
-          .ci/chart_test.sh .ci/clusters/values-zkbk-tls.yaml
-        # Only build a kind cluster if there are chart changes to test.
-        if: steps.docs.outputs.changed_only == 'no'
--- a/.gitignore
+++ b/.gitignore
@ -16,3 +16,4 @@ charts/**/*.lock

 PRIVATEKEY
 PUBLICKEY
+.vagrant/
--- a/.rat-excludes
+++ b/.rat-excludes
@ -0,0 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+
+#   http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+.gitignore
+# Generated Helm file
+Chart.lock
--- a/239
+++ b/239
@ -0,0 +1,239 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+----------------------------------------------------------------------------------------------------
+
+pulsar-common/src/main/java/org/apache/pulsar/common/util/protobuf/ByteBufCoded{Input,Output}Stream.java
+
+Copyright 2014, Google Inc.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+    * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Code generated by the Protocol Buffer compiler is owned by the owner
+of the input file used when generating it.  This code is not
+standalone and requires a support library to be linked with it.  This
+support library is itself covered by the above license.
--- a/5
+++ b/5
@ -0,0 +1,5 @@
+Apache Pulsar
+Copyright 2017-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
--- a/README.md
+++ b/README.md
@ -18,11 +18,121 @@
    under the License.

 -->
-# Official Apache Pulsar Helm Chart

-This is the officially supported Helm Chart for installing Apache Pulsar on Kubernetes.
+# Apache Pulsar Helm Chart

-Read [Deploying Pulsar on Kubernetes](http://pulsar.apache.org/docs/en/deploy-kubernetes/) for more details.
+This project provides Helm Charts for installing Apache Pulsar on Kubernetes.
+
+Read [Deploying Pulsar on Kubernetes](http://pulsar.apache.org/docs/deploy-kubernetes/) for more details.
+
+> :warning: This helm chart is updated outside of the regular Pulsar release cycle and might lag behind a bit. It only supports basic Kubernetes features now. Currently, it can be used as no more than a template and starting point for a Kubernetes deployment. In many cases, it would require some customizations.
+
+## Important Security Advisory for Helm Chart Usage
+
+### Notice of Default Configuration
+
+This Helm chart's default configuration DOES NOT meet production security requirements.
+Users MUST review and customize security settings for their specific environment.
+
+IMPORTANT: This Helm chart provides a starting point for Pulsar deployments but requires
+significant security customization before use in production environments. We strongly
+recommend implementing:
+
+1. Authentication and authorization for all components
+2. TLS encryption for all communication channels
+3. Proper network isolation and access controls
+4. Regular security updates and vulnerability assessments
+
+As an open source project, we welcome contributions to improve security features.
+Please consider submitting pull requests to address security gaps or enhance
+existing security implementations.
+
+### Pulsar Proxy Security Considerations
+
+As per the [Pulsar Proxy documentation](https://pulsar.apache.org/docs/3.1.x/administration-proxy/), it is explicitly stated that the Pulsar proxy is not designed for exposure to the public internet. The design assumes that deployments will be protected by network perimeter security measures. It is crucial to understand that relying solely on the default configuration can expose your deployment to significant security vulnerabilities.
+
+### Upgrading
+
+#### To 4.1.0
+
+This version introduces `OpenID` authentication. Setting `auth.authentication.provider` is no longer supported, you need to enable the provider with `auth.authentication.<provider>.enabled`.
+
+#### To 4.0.0
+
+The default service type for the Pulsar proxy has changed from `LoadBalancer` to `ClusterIP` for security reasons. This limits access to within the Kubernetes environment by default.
+
+### External Access Recommendations
+
+If you need to expose the Pulsar Proxy outside the cluster:
+
+1. **USE INTERNAL LOAD BALANCERS ONLY**
+   - Set type to LoadBalancer only in secured environments with proper network controls
+   - Add cloud provider-specific annotations for internal load balancers:
+     - Kubernetes documentation about internal load balancers:
+        - [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer)
+     - See cloud provider documentation:
+       - AWS / EKS: [AWS Load Balancer Controller / Service Annotations](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/)
+       - Azure / AKS: [Use an internal load balancer with Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/internal-lb)
+       - GCP / GKE: [LoadBalancer service parameters](https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer-parameters)
+     - Examples (verify correctness for your environment):
+       - AWS / EKS:  `service.beta.kubernetes.io/aws-load-balancer-internal: "true"`
+       - Azure / AKS: `service.beta.kubernetes.io/azure-load-balancer-internal: "true"`
+       - GCP / GKE:   `networking.gke.io/load-balancer-type: "Internal"`
+
+2. **IMPLEMENT AUTHENTICATION AND AUTHORIZATION**
+   - Configure all clients to authenticate properly
+   - Set up appropriate authorization policies
+
+3. **USE TLS FOR ALL CONNECTIONS**
+   - Enable TLS for client-to-proxy connections
+   - Enable TLS for proxy-to-broker connections
+   - Enable TLS for all internal cluster communications
+   - Note: TLS alone is NOT sufficient as a security solution. Even with TLS enabled, clusters exposed to untrusted networks remain vulnerable to denial-of-service attacks, authentication bypass attempts, and protocol-level exploits.
+
+4. **NETWORK SECURITY**
+   - Use private networks (VPCs)
+   - Configure firewalls, security groups, and IP restrictions
+
+5. **CLIENT IP ADDRESS BASED ACCESS RESTRICTIONS**
+
+   - When using a LoadBalancer service type, restrict access to specific IP ranges by configuring `proxy.service.loadBalancerSourceRanges` in your values.yaml:
+     ```yaml
+     proxy:
+       service:
+         loadBalancerSourceRanges:
+           - 10.0.0.0/8     # Private network range
+           - 172.16.0.0/12  # Private network range
+           - 192.168.0.0/16 # Private network range
+     ```
+   - This feature:
+     - Provides an additional defense layer by filtering traffic at the load balancer level
+     - Only allows connections from specified CIDR blocks
+     - Works only with LoadBalancer service type and when your cloud provider supports the `loadBalancerSourceRanges` parameter
+   - Important: This should be implemented alongside other security measures (internal load balancer, authentication, TLS, network policies) as part of a defense-in-depth strategy,
+     not as a standalone security solution
+
+### Alternative for External Access
+
+As an alternative method for external access, Pulsar has support for [SNI proxy routing](https://pulsar.apache.org/docs/next/concepts-proxy-sni-routing/). SNI Proxy routing is supported with proxy servers such as Apache Traffic Server, HAProxy and Nginx.
+
+Note: This option isn't currently implemented in the Apache Pulsar Helm chart.
+
+**IMPORTANT**: Pulsar binary protocol cannot be exposed outside of the Kubernetes cluster using Kubernetes Ingress. Kubernetes Ingress works for the Admin REST API and topic lookups, but clients would be connecting to the advertised listener addresses returned by the brokers and it would only work when clients can connect directly to brokers. This is not a supported secure option for exposing Pulsar to untrusted networks.
+
+### General Recommendations
+
+- **Network Perimeter Security:** It is imperative to implement robust network perimeter security to safeguard your deployment. The absence of such security measures can lead to unauthorized access and potential data breaches.
+- **Restricted Access:** For environments where security is less critical, such as certain development or testing scenarios, the use of `loadBalancerSourceRanges` may be employed to restrict access to specified IP addresses or ranges. This, however, should not be considered a substitute for comprehensive security measures in production environments.
+
+### User Responsibility
+
+The user assumes full responsibility for the security and integrity of their deployment. This includes, but is not limited to, the proper configuration of security features and adherence to best practices for securing network access. The providers of this Helm chart disclaim all warranties, whether express or implied, including any warranties of merchantability, fitness for a particular purpose, and non-infringement of third-party rights.
+
+### No Security Guarantees
+
+The providers of this Helm chart make no guarantees regarding the security of the chart under any circumstances. It is the user's responsibility to ensure that their deployment is secure and complies with all relevant security standards and regulations.
+
+By using this Helm chart, the user acknowledges the risks associated with its default configuration and the necessity for proper security customization. The user further agrees that the providers of the Helm chart shall not be liable for any security breaches or incidents resulting from the use of the chart.

 ## Features

@ -36,8 +146,8 @@ This Helm Chart includes all the components of Apache Pulsar for a complete expe
    - [x] Proxies
 - [x] Management & monitoring components:
    - [x] Pulsar Manager
-    - [x] Prometheus
-    - [x] Grafana
+    - [x] Optional PodMonitors for each component (enabled by default)
+    - [x] [victoria-metrics-k8s-stack](hhttps://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack) (as of 4.0.0)

 It includes support for:

@ -50,17 +160,19 @@ It includes support for:
        - [x] Broker
        - [x] Toolset
        - [x] Bookie
-        - [x] ZooKeeper
+        - [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)
    - [x] Authentication
        - [x] JWT
+        - [x] OpenID
        - [ ] Mutal TLS
        - [ ] Kerberos
    - [x] Authorization
+    - [x] Non-root broker, bookkeeper, proxy, and zookeeper containers (version 2.10.0 and above)
 - [x] Storage
    - [x] Non-persistence storage
    - [x] Persistence Volume
    - [x] Local Persistent Volumes
-    - [ ] Tiered Storage
+    - [x] Tiered Storage
 - [x] Functions
    - [x] Kubernetes Runtime
    - [x] Process Runtime
@ -72,9 +184,9 @@ It includes support for:

 In order to use this chart to deploy Apache Pulsar on Kubernetes, the followings are required.

-1. kubectl 1.14 or higher, compatible with your cluster ([+/- 1 minor release from your cluster](https://kubernetes.io/docs/tasks/tools/install-kubectl/#before-you-begin))
-2. Helm v3 (3.0.2 or higher)
-3. A Kubernetes cluster, version 1.14 or higher.
+1. kubectl 1.25 or higher, compatible with your cluster ([+/- 1 minor release from your cluster](https://kubernetes.io/docs/tasks/tools/install-kubectl/#before-you-begin))
+2. Helm v3 (3.12.0 or higher)
+3. A Kubernetes cluster, version 1.25 or higher.

 ## Environment setup

@ -82,67 +194,69 @@ Before proceeding to deploying Pulsar, you need to prepare your environment.

 ### Tools

-`helm` and `kubectl` need to be [installed on your computer](http://pulsar.apache.org/docs/en/helm-tools/).
+`helm` and `kubectl` need to be [installed on your computer](https://pulsar.apache.org/docs/helm-tools/).

 ## Add to local Helm repository

 To add this chart to your local Helm repository:

 ```bash
-helm repo add apache https://pulsar.apache.org/charts
-```
-
-To use the helm chart:
-
-> NOTE: Please specify `--set initialize=true` when installing a release at the first time. `initialize=true` will start initialize jobs
->       to initialize the cluster metadata for both bookkeeper and pulsar clusters.
-
-```bash
-helm install --set initialize=true <release-name> apache/pulsar
+helm repo add apachepulsar https://pulsar.apache.org/charts
+helm repo update
 ```

 ## Kubernetes cluster preparation

-You need a Kubernetes cluster whose version is 1.14 or higher in order to use this chart, due to the usage of certain Kubernetes features.
+You need a Kubernetes cluster whose version is 1.25 or higher in order to use this chart, due to the usage of certain Kubernetes features.

-We provide some instructions to guide you through the preparation: http://pulsar.apache.org/docs/en/helm-prepare/
+We provide some instructions to guide you through the preparation: http://pulsar.apache.org/docs/helm-prepare/

 ## Deploy Pulsar to Kubernetes

-1. Clone the Pulsar Helm charts repository.
+1. Configure your values file. The best way to know which values are available is to read the [values.yaml](./charts/pulsar/values.yaml).
+   A best practice is to start with an empty values file and only set the keys that differ from the default configuration.

-    ```bash
-    git clone https://github.com/apache/pulsar-helm-chart
-    ```
-    ```bash
-    cd pulsar-helm-chart
+   Anti-affinity rules for Zookeeper and Bookie components require at least one node per replica. For Kubernetes clusters with less than 3 nodes,
+   you must disable this feature by adding this to your initial values.yaml file:
+
+    ```yaml
+    affinity:
+      anti_affinity: false
    ```

-2. Run `prepare_helm_release.sh` to create required kubernetes resources for installing this Helm chart.
-    - A k8s namespace for installing the Pulsar release (if `-c` is specified)
-    - Create the JWT secret keys and tokens for three superusers: `broker-admin`, `proxy-admin`, and `admin`.
-      By default, it generates asymmeric pubic/private key pair. You can choose to generate symmeric secret key
-      by specifying `--symmetric` in the following command.
-        - `proxy-admin` role is used for proxies to communicate to brokers.
-        - `broker-admin` role is used for inter-broker communications.
-        - `admin` role is used by the admin tools.
+2. Install the chart:

    ```bash
-    ./scripts/pulsar/prepare_helm_release.sh -n <k8s-namespace> -k <pulsar-release-name> -c
+    helm install -n <namespace> --create-namespace <release-name> -f your-values.yaml apachepulsar/pulsar
    ```

-3. Use the Pulsar Helm charts to install Apache Pulsar. 
+3. Observe the deployment progress

-> NOTE: Please specify `--set initialize=true` when installing a release at the first time. `initialize=true` will start initialize jobs
->       to initialize the cluster metadata for both bookkeeper and pulsar clusters.
+    Watching events to view progress of deployment:

-    This command installs and starts Apache Pulsar.
-
-    ```bash 
-    $ helm install --set initialize=true <pulsar-release-name> apache/pulsar
+    ```shell
+    kubectl get -n <namespace> events -o wide --watch
    ```

-5. Access the Pulsar cluster
+    Watching state of deployed Kubernetes objects, updated every 2 seconds:
+
+    ```shell
+    watch kubectl get -n <namespace> all
+    ```
+
+    Waiting until Pulsar Proxy is available:
+
+    ```shell
+    kubectl wait --timeout=600s --for=condition=ready pod -n <namespace> -l component=proxy
+    ```
+
+    Watching state with k9s (https://k9scli.io/topics/install/):
+
+    ```shell
+    k9s -n <namespace>
+    ```
+
+4. Access the Pulsar cluster

    The default values will create a `ClusterIP` for the proxy you can use to interact with the cluster. To find the IP address of proxy use:

@ -151,11 +265,11 @@ We provide some instructions to guide you through the preparation: http://pulsar
    ```

 For more information, please follow our detailed
-[quick start guide](http://pulsar.apache.org/docs/en/kubernetes-helm/).
+[quick start guide](https://pulsar.apache.org/docs/getting-started-helm/).

 ## Customize the deployment

-We provide a [detailed guideline](http://pulsar.apache.org/docs/en/helm-deploy/) for you to customize
+We provide a [detailed guideline](https://pulsar.apache.org/docs/helm-deploy/) for you to customize
 the Helm Chart for a production-ready deployment.

 You can also checkout out the example values file for different deployments.
@ -169,30 +283,250 @@ You can also checkout out the example values file for different deployments.
 - [Deploy a Pulsar cluster with JWT authentication using symmetric key](examples/values-jwt-symmetric.yaml)
 - [Deploy a Pulsar cluster with JWT authentication using asymmetric key](examples/values-jwt-asymmetric.yaml)

+## Disabling victoria-metrics-k8s-stack components
+
+In order to disable the victoria-metrics-k8s-stack, you can add the following to your `values.yaml`.
+Victoria Metrics components can also be disabled and enabled individually if you only need specific monitoring features.
+
+```yaml
+# disable VictoriaMetrics and related components
+victoria-metrics-k8s-stack:
+  enabled: false
+  victoria-metrics-operator:
+    enabled: false
+  vmsingle:
+    enabled: false
+  vmagent:
+    enabled: false
+  kube-state-metrics:
+    enabled: false
+  prometheus-node-exporter:
+    enabled: false
+  grafana:
+    enabled: false
+
+Additionally, you'll need to set each component's `podMonitor` property to `false`. 
+
+```yaml
+# disable pod monitors
+autorecovery:
+  podMonitor:
+    enabled: false
+bookkeeper:
+  podMonitor:
+    enabled: false
+oxia:
+  server:
+    podMonitor:
+      enabled: false
+  coordinator:
+    podMonitor:
+      enabled: false
+broker:
+  podMonitor:
+    enabled: false
+proxy:
+  podMonitor:
+    enabled: false
+zookeeper:
+  podMonitor:
+    enabled: false
+```
+
+This is shown in some [examples/values-disable-monitoring.yaml](examples/values-disable-monitoring.yaml).
+
+## Pulsar Manager
+
+The Pulsar Manager can be deployed alongside the pulsar cluster instance.
+Depending on the given settings it uses an existing Secret within the given namespace or creates a new one, with random
+passwords for both, the UI and the internal database.
+
+To forward the UI use (assumes you did not change the namespace):
+
+```
+kubectl port-forward $(kubectl get pods -l component=pulsar-manager -o jsonpath='{.items[0].metadata.name}') 9527:9527
+```
+
+And then opening the browser to http://localhost:9527
+
+The default user is `pulsar` and you can find out the password with this command
+
+```
+kubectl get secret -l component=pulsar-manager -o=jsonpath="{.items[0].data.UI_PASSWORD}" | base64 --decode
+```
+
+## Grafana Dashboards
+
+The Apache Pulsar Helm Chart uses the `victoria-metrics-k8s-stack` Helm Chart to deploy Grafana.
+
+There are several ways to configure Grafana dashboards. The default [`values.yaml`](charts/pulsar/values.yaml) comes with examples of Pulsar dashboards which get downloaded from the Apache-2.0 licensed [lhotari/pulsar-grafana-dashboards OSS project](https://github.com/lhotari/pulsar-grafana-dashboards) by URL.
+
+Dashboards can be configured in [`values.yaml`](charts/pulsar/values.yaml) or by adding `ConfigMap` items with the label `grafana_dashboard: "1"`.
+In [`values.yaml`](charts/pulsar/values.yaml), it's possible to include dashboards by URL or by grafana.com dashboard id (`gnetId` and `revision`).
+Please see the [Grafana Helm chart documentation for importing dashboards](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#import-dashboards).
+
+You can connect to Grafana by forwarding port 3000
+```
+kubectl port-forward $(kubectl get pods -l app.kubernetes.io/name=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000
+```
+And then opening the browser to http://localhost:3000 . The default user is `admin`.
+
+You can find out the password with this command
+```
+kubectl get secret -l app.kubernetes.io/name=grafana -o=jsonpath="{.items[0].data.admin-password}" | base64 --decode
+```
+
+### Pulsar Grafana Dashboards
+
+* The `apache/pulsar` GitHub repo contains some Grafana dashboards [here](https://github.com/apache/pulsar/tree/master/grafana).
+* StreamNative provides Grafana Dashboards for Apache Pulsar in this [GitHub repository](https://github.com/streamnative/apache-pulsar-grafana-dashboard).
+* DataStax provides Grafana Dashboards for Apache Pulsar in this [GitHub repository](https://github.com/datastax/pulsar-helm-chart/tree/master/helm-chart-sources/pulsar/grafana-dashboards).
+
+Note: if you have third party dashboards that you would like included in this list, please open a pull request.
+
 ## Upgrading

 Once your Pulsar Chart is installed, configuration changes and chart
 updates should be done using `helm upgrade`.

 ```bash
-helm repo add apache https://pulsar.apache.org/charts
+helm repo add apachepulsar https://pulsar.apache.org/charts
 helm repo update
-helm get values <pulsar-release-name> > pulsar.yaml
-helm upgrade -f pulsar.yaml \
-    <pulsar-release-name> apache/pulsar
+# If you are using the provided victoria-metrics-k8s-stack for monitoring, this installs or upgrades the required CRDs
+./scripts/victoria-metrics-k8s-stack/upgrade_vm_operator_crds.sh
+# get the existing values.yaml used for the most recent deployment
+helm get values -n <namespace> <pulsar-release-name> > values.yaml
+# upgrade the deployment
+helm upgrade -n <namespace> -f values.yaml <pulsar-release-name> apachepulsar/pulsar
 ```

-For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/en/helm-upgrade/) guide.
+For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
+
+## Upgrading to Helm chart version 4.2.0 (not released yet)
+
+### TLS configuration for ZooKeeper has changed
+
+The TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.
+This change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.
+The revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.
+If you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.
+
+## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
+
+### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`
+
+Please check the section "External Access Recommendations" for guidance and also check the security advisory section.
+You will need to configure keys under `proxy.service` in your `values.yaml` to preserve existing functionality since the default has been changed.
+
+### kube-prometheus-stack replaced with victoria-metrics-k8s-stack
+
+The `kube-prometheus-stack` was replaced with `victoria-metrics-k8s-stack` in Pulsar Helm chart version 4.0.0. The trigger for the change was incompatibilities discovered in testing with most recent `kube-prometheus-stack` and Prometheus 3.2.1 which failed to scrape Pulsar metrics in certain cases without providing proper error messages or debug information at debug level logging.
+
+[Victoria Metrics](https://docs.victoriametrics.com/) is Apache 2.0 Licensed OSS and it's a fully compatible drop-in replacement for Prometheus which is fast and efficient.
+
+Before upgrading to Pulsar Helm Chart version 4.0.0, it is recommended to disable kube-prometheus-stack in the original Helm chart version that
+is used:
+
+```shell
+# get the existing values.yaml used for the most recent deployment
+helm get values -n <namespace> <pulsar-release-name> > values.yaml
+# disable kube-prometheus-stack in the currently used version before upgrading to Pulsar Helm chart 4.0.0
+helm upgrade -n <namespace> -f values.yaml --version <your-current-chart-version> --set kube-prometheus-stack.enabled=false  <pulsar-release-name> apachepulsar/pulsar
+```
+
+After, this you can proceed with `helm upgrade`.
+
+## Upgrading to Apache Pulsar 2.10.0 and above (or Helm Chart version 3.0.0 and above)
+
+The 2.10.0+ Apache Pulsar docker image is a non-root container, by default. That complicates an upgrade to 2.10.0
+because the existing files are owned by the root user but are not writable by the root group. In order to leverage this
+new security feature, the Bookkeeper and Zookeeper StatefulSet [securityContexts](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)
+are configurable in the [`values.yaml`](charts/pulsar/values.yaml). They default to:
+
+```yaml
+  securityContext:
+    fsGroup: 0
+    fsGroupChangePolicy: "OnRootMismatch"
+```
+
+This configuration is ideal for regular Kubernetes clusters where the UID is stable across restarts. If the process
+UID is subject to change (like it is in OpenShift), you'll need to set `fsGroupChangePolicy: "Always"`.
+
+The official docker image assumes that it is run as a member of the root group.
+
+If you upgrade to the latest version of the helm chart before upgrading to Pulsar 2.10.0, then when you perform your
+first upgrade to version >= 2.10.0, you will need to set `fsGroupChangePolicy: "Always"` on the first upgrade and then
+set it back to `fsGroupChangePolicy: "OnRootMismatch"` on subsequent upgrades. This is because the root file won't
+mismatch permissions, but the RocksDB lock file will. If you have direct access to the persistent volumes, you can
+alternatively run `chgrp -R g+w /pulsar/data` before upgrading.
+
+Here is a sample error you can expect if the RocksDB lock file is not correctly owned by the root group:
+
+```text
+2022-05-14T03:45:06,903+0000  ERROR org.apache.bookkeeper.server.Main - Failed to build bookie server
+java.io.IOException: Error open RocksDB database
+    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.<init>(KeyValueStorageRocksDB.java:199) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.<init>(KeyValueStorageRocksDB.java:88) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.lambda$static$0(KeyValueStorageRocksDB.java:62) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.LedgerMetadataIndex.<init>(LedgerMetadataIndex.java:68) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.SingleDirectoryDbLedgerStorage.<init>(SingleDirectoryDbLedgerStorage.java:169) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.DbLedgerStorage.newSingleDirectoryDbLedgerStorage(DbLedgerStorage.java:150) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.storage.ldb.DbLedgerStorage.initialize(DbLedgerStorage.java:129) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.bookie.Bookie.<init>(Bookie.java:818) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.proto.BookieServer.newBookie(BookieServer.java:152) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.proto.BookieServer.<init>(BookieServer.java:120) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.server.service.BookieService.<init>(BookieService.java:52) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.server.Main.buildBookieServer(Main.java:304) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.server.Main.doMain(Main.java:226) [org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    at org.apache.bookkeeper.server.Main.main(Main.java:208) [org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+Caused by: org.rocksdb.RocksDBException: while open a file for lock: /pulsar/data/bookkeeper/ledgers/current/ledgers/LOCK: Permission denied
+    at org.rocksdb.RocksDB.open(Native Method) ~[org.rocksdb-rocksdbjni-6.10.2.jar:?]
+    at org.rocksdb.RocksDB.open(RocksDB.java:239) ~[org.rocksdb-rocksdbjni-6.10.2.jar:?]
+    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.<init>(KeyValueStorageRocksDB.java:196) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]
+    ... 13 more
+```
+
+### Recovering from `helm upgrade` error "unable to build kubernetes objects from current release manifest"
+
+Example of the error message:
+
+```bash
+Error: UPGRADE FAILED: unable to build kubernetes objects from current release manifest:
+[resource mapping not found for name: "pulsar-bookie" namespace: "pulsar" from "":
+no matches for kind "PodDisruptionBudget" in version "policy/v1beta1" ensure CRDs are installed first,
+resource mapping not found for name: "pulsar-broker" namespace: "pulsar" from "":
+no matches for kind "PodDisruptionBudget" in version "policy/v1beta1" ensure CRDs are installed first,
+resource mapping not found for name: "pulsar-zookeeper" namespace: "pulsar" from "":
+no matches for kind "PodDisruptionBudget" in version "policy/v1beta1" ensure CRDs are installed first]
+```
+
+Helm documentation [explains issues with managing releases deployed using outdated APIs](https://helm.sh/docs/topics/kubernetes_apis/#helm-users) when the Kubernetes cluster has been upgraded
+to a version where these APIs are removed. This happens regardless of whether the chart in the upgrade includes supported API versions.
+In this case, you can use the following workaround:
+
+1. Install the [Helm mapkubeapis plugin](https://github.com/helm/helm-mapkubeapis):
+
+    ```bash
+    helm plugin install https://github.com/helm/helm-mapkubeapis
+    ```
+
+2. Run the `helm mapkubeapis` command with the appropriate namespace and release name. In this example, we use the namespace "pulsar" and release name "pulsar":
+
+    ```bash
+    helm mapkubeapis --namespace pulsar pulsar
+    ```
+
+This workaround addresses the issue by updating in-place Helm release metadata that contains deprecated or removed Kubernetes APIs to a new instance with supported Kubernetes APIs and should allow for a successful Helm upgrade.

 ## Uninstall

 To uninstall the Pulsar Chart, run the following command:

 ```bash
-helm delete <pulsar-release-name>
+helm uninstall <pulsar-release-name>
 ```

-For the purposes of continuity, these charts have some Kubernetes objects that are not removed when performing `helm delete`.
+For the purposes of continuity, these charts have some Kubernetes objects that are not removed when performing `helm uninstall`.
 These items we require you to *conciously* remove them, as they affect re-deployment should you choose to.

 * PVCs for stateful data, which you must *consciously* remove
@ -207,15 +541,36 @@ We've done our best to make these charts as seamless as possible,
 occasionally troubles do surface outside of our control. We've collected
 tips and tricks for troubleshooting common issues. Please examine these first before raising an [issue](https://github.com/apache/pulsar-helm-chart/issues/new/choose), and feel free to add to them by raising a [Pull Request](https://github.com/apache/pulsar-helm-chart/compare)!

+### VictoriaMetrics Troubleshooting
+
+In example commands, k8s is namespace `pulsar` replace with your deployment namespace.
+
+#### VictoriaMetrics Web UI
+
+Connecting to `vmsingle` pod for web UI.
+
+```shell
+kubectl port-forward -n pulsar $(kubectl get pods -n pulsar -l app.kubernetes.io/name=vmsingle -o jsonpath='{.items[0].metadata.name}') 8429:8429
+```
+
+Now you can access the UI at http://localhost:8429 and http://localhost:8429/vmui (for similar UI as in Prometheus)
+
+#### VictoriaMetrics Scraping debugging UI - Active Targets
+
+Connection to `vmagent` pod for debugging targets.
+
+```shell
+kubectl port-forward -n pulsar $(kubectl get pods -n pulsar -l app.kubernetes.io/name=vmagent -o jsonpath='{.items[0].metadata.name}') 8429:8429
+```
+
+Now you can access the UI at http://localhost:8429
+
+Active Targets UI
+- http://localhost:8429/targets
+
+Scraping Configuration
+- http://localhost:8429/config
+
 ## Release Process

-1. Bump the version in [charts/pulsar/Chart.yaml](https://github.com/apache/pulsar-helm-chart/blob/master/charts/pulsar/Chart.yaml#L24).
-
-2. Send a pull request for reviews.
-
-3. After the pull request is approved, merge it. The release workflow will be triggered automatically.
-   - It creates a tag named `pulsar-<version>`.
-   - Published the packaged helm chart to Github releases.
-   - Update the `charts/index.yaml` in Pulsar website.
-
-4. Trigger the Pulsar website build to make the release available under https://pulsar.apache.org/charts.
+See [RELEASE.md](RELEASE.md)
--- a/RELEASE.md
+++ b/RELEASE.md
@ -0,0 +1,652 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+This document details the steps for releasing the Apache Pulsar Helm Chart.
+
+# Prepare the Apache Pulsar Helm Chart Release Candidate
+
+## Prerequisites
+
+- Helm version >= 3.12.0
+- Helm gpg plugin (one option: https://github.com/technosophos/helm-gpg)
+
+## Build Release Notes
+
+Before creating the RC, you need to build and commit the release notes for the release.
+
+## Build RC artifacts
+
+The Release Candidate artifacts we vote upon should be the exact ones we vote against,
+without any modification than renaming – i.e. the contents of the files must be
+the same between voted release candidate and final release.
+Because of this the version in the built artifacts that will become the
+official Apache releases must not include the rcN suffix.
+
+- Set environment variables
+
+    ```shell
+    # Set Version
+    export VERSION_RC=3.0.0-candidate-1
+    export VERSION_WITHOUT_RC=${VERSION_RC%-candidate-*}
+    # set your ASF user id
+    export APACHE_USER=<your ASF userid>
+    ```
+
+- Clone clean repository and set PULSAR_REPO_ROOT
+
+    ```shell
+    git clone https://github.com/apache/pulsar-helm-chart.git
+    cd pulsar-helm-chart
+    export PULSAR_REPO_ROOT=$(pwd)
+    ```
+
+- Alternatively (not recommended), go to your already checked out pulsar-helm-chart directory and ensure that it's clean
+
+    ```shell
+    git checkout master
+    git fetch origin
+    git reset --hard origin/master
+    # clean the checkout
+    git clean -fdX .
+    export PULSAR_REPO_ROOT=$(pwd)
+    ```
+
+- Update Helm Chart version in `Chart.yaml`, example: `version: 1.0.0` (without
+  the RC tag). Verify that the `appVersion` matches the `values.yaml` versions for Pulsar components.
+
+    ```shell
+    yq -i '.version=strenv(VERSION_WITHOUT_RC)' charts/pulsar/Chart.yaml
+    ```
+
+- Add and commit the version change.
+
+    ```shell
+    git add charts/pulsar/Chart.yaml
+    git commit -m "Chart: Bump version to $VERSION_WITHOUT_RC"
+    git push origin master
+    ```
+
+  Note: You will tag this commit, you do not need to open a PR for it.
+
+- Tag your release
+
+    ```shell
+    git tag -u $APACHE_USER@apache.org -s pulsar-${VERSION_RC} -m "Apache Pulsar Helm Chart $VERSION_RC"
+    ```
+
+- Tarball the repo
+
+    NOTE: Make sure your checkout is clean at this stage - any untracked or changed files will otherwise be included
+     in the file produced.
+
+    ```shell
+    git archive --format=tar.gz pulsar-${VERSION_RC} --prefix=pulsar-chart-${VERSION_WITHOUT_RC}/ \
+        -o pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz .
+    ```
+
+- Generate chart binary
+
+
+    ```shell
+    helm package charts/pulsar --dependency-update
+    ```
+
+- Sign the chart binary
+
+    In the following command, replace the email address with your email address or your KEY ID
+    so GPG uses the right key to sign the chart.
+    (If you have not generated a key yet, generate it by following instructions on
+    http://www.apache.org/dev/openpgp.html#key-gen-generate-key)
+
+    ```shell
+    helm gpg sign -u $APACHE_USER@apache.org pulsar-${VERSION_WITHOUT_RC}.tgz
+    ```
+
+    Warning: you need the `helm gpg` plugin to sign the chart. It can be found at: https://github.com/technosophos/helm-gpg
+
+    This should also generate a provenance file (Example: `pulsar-1.0.0.tgz.prov`) as described in
+    https://helm.sh/docs/topics/provenance/, which can be used to verify integrity of the Helm chart.
+
+    Verify the signed chart:
+
+    ```shell
+    helm gpg verify pulsar-${VERSION_WITHOUT_RC}.tgz
+    ```
+
+    Example output:
+    ```
+    gpg: Signature made Thu Oct 20 16:36:24 2022 CDT
+    gpg:                using RSA key BD4291E509D771B79E7BD1F5C5724B3F5588C4EB
+    gpg:                issuer "mmarshall@apache.org"
+    gpg: Good signature from "Michael Marshall <mmarshall@apache.org>" [ultimate]
+    plugin: Chart SHA verified. sha256:deb035dcb765b1989ed726eabe3d7d89529df05658c8eec6cdd4dc213fa0513e
+    ```
+
+- Generate SHA512/ASC
+
+    ```shell
+    ${PULSAR_REPO_ROOT}/scripts/sign.sh pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz
+    ${PULSAR_REPO_ROOT}/scripts/sign.sh pulsar-${VERSION_WITHOUT_RC}.tgz
+    ```
+
+- Move the artifacts to ASF dev dist repo, generate convenience `index.yaml` & publish them
+
+  ```shell
+  # Create new folder for the release
+  svn mkdir --username $APACHE_USER -m "Add directory for pulsar-helm-chart $VERSION_RC release" https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/$VERSION_RC
+  # checkout the directory
+  svn co --username $APACHE_USER https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/$VERSION_RC helm-chart-$VERSION_RC
+
+  # Move the artifacts to svn folder
+  mv ${PULSAR_REPO_ROOT}/pulsar-${VERSION_WITHOUT_RC}.tgz* helm-chart-${VERSION_RC}/
+  mv ${PULSAR_REPO_ROOT}/pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz* helm-chart-${VERSION_RC}/
+  cd helm-chart-${VERSION_RC}/
+
+  ###### Generate index.yaml file - Start
+  # Download the latest index.yaml on Pulsar Website
+  curl https://pulsar.apache.org/charts/index.yaml --output index.yaml
+
+  # Replace the URLs from "https://downloads.apache.org" to "https://archive.apache.org"
+  # as the downloads.apache.org only contains latest releases.
+  sed -i 's|https://downloads.apache.org/pulsar/helm-chart/|https://archive.apache.org/dist/pulsar/helm-chart/|' index.yaml
+
+  # Generate / Merge the new version with existing index.yaml
+  helm repo index --merge ./index.yaml . --url "https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/${VERSION_RC}"
+
+  ###### Generate index.yaml file - End
+
+  # Commit the artifacts
+  svn add *
+  svn commit -m "Add artifacts for Helm Chart ${VERSION_RC}"
+  ```
+
+- Remove old Helm Chart versions from the dev repo 
+
+  First check if this is required by viewing the versions available at https://dist.apache.org/repos/dist/dev/pulsar/helm-chart
+
+  ```shell
+  export PREVIOUS_VERSION_RC=3.0.0-candidate-1
+  svn rm --username $APACHE_USER -m "Remove old Helm Chart release: ${PREVIOUS_VERSION_RC}" https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/${PREVIOUS_VERSION_RC}
+  ```
+
+- Push Tag for the release candidate
+
+  ```shell
+  cd ${PULSAR_REPO_ROOT}
+  git push origin tag pulsar-${VERSION_RC}
+  ```
+
+## Create release notes for the release candidate in GitHub UI
+
+```shell 
+# open this URL and create release notes by clicking "Create release from tag"
+echo https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-${VERSION_RC}
+```
+
+1. Open the above URL in a browser and create release notes by clicking "Create release from tag".
+2. Find "Previous tag: auto" in the UI above the text box and choose the previous release there.
+3. Click "Generate release notes".
+4. Review the generated release notes.
+5. Select "Set as a pre-release"
+6. Click "Publish release".  
+
+## Prepare Vote email on the Apache Pulsar release candidate
+
+
+- Send out a vote to the dev@pulsar.apache.org mailing list:
+
+> [!TIP]
+> The template output will get copied to the clipboard using pbpaste. On Linux, you can install xsel and add `alias pbcopy='xsel --clipboard --input'` to the shell. 
+
+Subject:
+
+```shell
+tee >(pbcopy) <<EOF
+[VOTE] Release Apache Pulsar Helm Chart ${VERSION_WITHOUT_RC} based on ${VERSION_RC}
+EOF
+```
+
+Body:
+
+```shell
+tee >(pbcopy) <<EOF
+Hello Apache Pulsar Community,
+
+This is a call for the vote to release the Apache Pulsar Helm Chart version ${VERSION_WITHOUT_RC}.
+
+Release notes for $VERSION_RC:
+https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-$VERSION_RC
+
+The release candidate is available at:
+https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/$VERSION_RC/
+
+pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz - is the "main source release".
+pulsar-${VERSION_WITHOUT_RC}.tgz - is the binary Helm Chart release.
+
+Public keys are available at: https://www.apache.org/dist/pulsar/KEYS
+
+For convenience "index.yaml" has been uploaded (though excluded from voting), so you can also run the below commands.
+
+helm repo add --force-update apache-pulsar-dist-dev \\
+  https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/$VERSION_RC/
+helm repo update
+helm install pulsar apache-pulsar-dist-dev/pulsar \\
+ --version ${VERSION_WITHOUT_RC} --set affinity.anti_affinity=false \\
+ --wait --timeout 10m --debug
+
+ For observing the deployment progress, you can use the k9s tool to view the cluster state changes in a different terminal window.
+ The k9s tool is available at https://k9scli.io/topics/install/.
+ 
+pulsar-${VERSION_WITHOUT_RC}.tgz.prov - is also uploaded for verifying Chart Integrity, though it is not strictly required for releasing the artifact based on ASF Guidelines. 
+
+You can optionally verify this file using this helm plugin https://github.com/technosophos/helm-gpg, or by using helm --verify (https://helm.sh/docs/helm/helm_verify/).
+
+helm fetch --prov apache-pulsar-dist-dev/pulsar
+helm plugin install https://github.com/technosophos/helm-gpg
+helm gpg verify pulsar-${VERSION_WITHOUT_RC}.tgz
+
+The vote will be open for at least 72 hours.
+
+Only votes from PMC members are binding, but members of the community are
+encouraged to test the release and vote with "(non-binding)".
+
+For license checks, the .rat-excludes files is included, so you can run the following to verify licenses (just update $PATH_TO_RAT):
+
+tar -xvf pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz
+cd pulsar-chart-${VERSION_WITHOUT_RC}
+java -jar $PATH_TO_RAT/apache-rat-0.15/apache-rat-0.15.jar . -E .rat-excludes
+
+Please note that the version number excludes the \`-candidate-X\` string, so it's now
+simply ${VERSION_WITHOUT_RC}. This will allow us to rename the artifact without modifying
+the artifact checksums when we actually release it.
+
+Thanks,
+<your name>
+EOF
+```
+
+Note, you need to update the `helm gpg verify` output and verify the end of the voting period in the body.
+
+## Note about `helm gpg` vs `helm --verify`
+
+Helm ships with a gpg verification tool, but it appears not to work with the currently used format for our KEYS file.
+
+# Verify the release candidate by the PMC
+
+The PMC should verify the releases in order to make sure the release is following the
+[Apache Legal Release Policy](http://www.apache.org/legal/release-policy.html).
+
+At least 3 (+1) votes from PMC members should be recorded in accordance to
+[Votes on Package Releases](https://www.apache.org/foundation/voting.html#ReleaseVotes)
+
+The legal checks include:
+
+* checking if the packages are present in the right dist folder on svn
+* verifying if all the sources have correct licences
+* verifying if release manager signed the releases with the right key
+* verifying if all the checksums are valid for the release
+
+## SVN check
+
+The files should be present in the sub-folder of
+[Pulsar dist](https://dist.apache.org/repos/dist/dev/pulsar/helm-chart)
+
+The following files should be present (7 files):
+
+* `pulsar-chart-${VERSION_WITHOUT_RC}-source.tar.gz` + .asc + .sha512
+* `pulsar-${VERSION_WITHOUT_RC}.tgz` + .asc + .sha512
+* `pulsar-${VERSION_WITHOUT_RC}.tgz.prov`
+
+As a PMC member you should be able to clone the SVN repository:
+
+```shell
+svn co https://dist.apache.org/repos/dist/dev/pulsar/helm-chart
+```
+
+Or update it if you already checked it out:
+
+```shell
+svn update .
+```
+
+## Licence check
+
+This can be done with the Apache RAT tool.
+
+* Download the latest jar from https://creadur.apache.org/rat/download_rat.cgi (unpack the binary,
+  the jar is inside)
+* Unpack the release source archive (the `<package + version>-source.tar.gz` file) to a folder
+* Enter the sources folder run the check
+
+```shell
+java -jar $PATH_TO_RAT/apache-rat-0.15/apache-rat-0.15.jar pulsar-chart-${VERSION_WITHOUT_RC} -E .rat-excludes
+```
+
+where `.rat-excludes` is the file in the root of git repo.
+
+## Signature check
+
+Make sure you have imported into your GPG the PGP key of the person signing the release. You can find the valid keys in
+[KEYS](https://dist.apache.org/repos/dist/release/pulsar/KEYS).
+
+You can import the whole KEYS file:
+
+```shell script
+gpg --import KEYS
+```
+
+You can also import the keys individually from a keyserver. The below one uses a key and
+retrieves it from the default GPG keyserver
+[OpenPGP.org](https://keys.openpgp.org):
+
+```shell script
+gpg --keyserver keys.openpgp.org --receive-keys <some_key>
+```
+
+You should choose to import the key when asked.
+
+Note that by being default, the OpenPGP server tends to be overloaded often and might respond with
+errors or timeouts. Many of the release managers also uploaded their keys to the
+[GNUPG.net](https://keys.gnupg.net) keyserver, and you can retrieve it from there.
+
+```shell script
+gpg --keyserver keys.gnupg.net --receive-keys <some_key>
+```
+
+Once you have the keys, the signatures can be verified by running this:
+
+```shell script
+for i in *.asc
+do
+   echo -e "Checking $i\n"; gpg --verify $i
+done
+```
+
+This should produce results similar to the below. The "Good signature from ..." is indication
+that the signatures are correct. Do not worry about the "not certified with a trusted signature"
+warning. Most of the certificates used by release managers are self-signed, and that's why you get this
+warning. By importing the key either from the server in the previous step or from the
+[KEYS](https://dist.apache.org/repos/dist/release/pulsar/KEYS) page, you know that
+this is a valid key already.
+
+## SHA512 sum check
+
+Run this:
+
+```shell
+for i in *.sha512
+do
+    echo "Checking $i"; shasum -a 512 `basename $i .sha512 ` | diff - $i
+done
+```
+
+You should get output similar to:
+
+```
+Checking pulsar-1.0.0.tgz.sha512
+Checking pulsar-chart-1.0.0-source.tar.gz.sha512
+```
+
+# Verify release candidates by Contributors
+
+Contributors can run below commands to test the Helm Chart
+
+```shell
+export VERSION_RC=3.0.0-candidate-1
+export VERSION_WITHOUT_RC=${VERSION_RC%-candidate-*}
+```
+
+```shell
+helm repo add --force-update \
+ apache-pulsar-dist-dev https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/$VERSION_RC/
+helm repo update
+helm install pulsar apache-pulsar-dist-dev/pulsar \
+ --version ${VERSION_WITHOUT_RC} --set affinity.anti_affinity=false
+```
+
+You can then perform any other verifications to check that it works as you expected by
+upgrading the Chart or installing by overriding default of `values.yaml`.
+
+# Publish the final release
+
+## Summarize the voting for the release
+
+Once the vote has been passed, you will need to send a result vote to [dev@pulsar.apache.org](mailto:dev@pulsar.apache.org):
+
+Subject:
+
+```shell
+tee >(pbcopy) <<EOF
+[RESULT][VOTE] Release Apache Pulsar Helm Chart ${VERSION_WITHOUT_RC} based on ${VERSION_RC}
+EOF
+```
+
+Message:
+
+```shell
+tee >(pbcopy) <<EOF
+Hello all,
+
+The vote to release Apache Pulsar Helm Chart version ${VERSION_WITHOUT_RC} based on ${VERSION_RC} is now closed.
+
+The vote PASSED with X binding "+1", Y non-binding "+1" and 0 "-1" votes:
+
+"+1" Binding votes:
+
+  - <name>
+
+"+1" Non-Binding votes:
+
+  - <name>
+
+I'll continue with the release process and the release announcement will follow shortly.
+
+Thanks,
+<your name>
+EOF
+```
+
+## Publish release to SVN
+
+Set environment variables
+```shell
+export VERSION_RC=3.0.0-candidate-1
+export VERSION_WITHOUT_RC=${VERSION_RC%-candidate-*}
+export APACHE_USER=<your ASF userid>
+```
+
+Migrating the approved RC artifacts to the release directory:
+https://dist.apache.org/repos/dist/release/pulsar/helm-chart/
+
+svn commands for handling this:
+
+```shell
+svn rm --username $APACHE_USER -m "Remove temporary index.yaml file" https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/${VERSION_RC}/index.yaml
+svn move --username $APACHE_USER -m "Release Pulsar Helm Chart ${VERSION_WITHOUT_RC} from ${VERSION_RC}" \
+  https://dist.apache.org/repos/dist/dev/pulsar/helm-chart/${VERSION_RC} \
+  https://dist.apache.org/repos/dist/release/pulsar/helm-chart/${VERSION_WITHOUT_RC}
+```
+
+Verify that the packages appear in [Pulsar Helm Chart](https://dist.apache.org/repos/dist/release/pulsar/helm-chart/).
+
+## Publish release tag
+
+Create and push the release tag:
+
+```shell
+git tag -u $APACHE_USER@apache.org pulsar-$VERSION_WITHOUT_RC $(git rev-parse pulsar-$VERSION_RC^{}) -m "Apache Pulsar Helm Chart ${VERSION_WITHOUT_RC}"
+git push origin pulsar-${VERSION_WITHOUT_RC}
+```
+
+## Update index.yaml
+
+The `index.yaml` file is the way helm users discover the binaries for the helm distribution. We currently host the
+file at `pulsar.apache.org/charts/index.yaml`.
+
+Then, run the following command from within `github.com/apache/pulsar-site` in the git repo.
+
+```shell
+# checkout pulsar-site
+git clone https://github.com/apache/pulsar-site
+cd pulsar-site
+```
+
+```shell
+# Run on a branch based on main branch
+cd static/charts
+# need the chart file temporarily to update the index
+wget https://dist.apache.org/repos/dist/release/pulsar/helm-chart/${VERSION_WITHOUT_RC}/pulsar-${VERSION_WITHOUT_RC}.tgz
+# store the license header temporarily
+head -n 17 index.yaml > license_header.txt
+# update the index
+helm repo index --merge ./index.yaml . --url "https://downloads.apache.org/pulsar/helm-chart/${VERSION_WITHOUT_RC}"
+# restore the license header
+mv index.yaml index.yaml.new
+cat license_header.txt index.yaml.new > index.yaml
+rm license_header.txt index.yaml.new
+# remove the temp file
+rm pulsar-${VERSION_WITHOUT_RC}.tgz
+```
+
+Verify that the updated `index.yaml` file has the most recent version. 
+
+Wait until the file is available:
+
+```shell
+while ! curl -fIL https://downloads.apache.org/pulsar/helm-chart/${VERSION_WITHOUT_RC}/pulsar-${VERSION_WITHOUT_RC}.tgz; do
+  echo "Waiting for pulsar-${VERSION_WITHOUT_RC}.tgz to become available..."
+  sleep 10
+done
+```
+
+Then run:
+
+```shell
+git add index.yaml
+git commit -m "Adding Pulsar Helm Chart ${VERSION_WITHOUT_RC} to index.yaml"
+```
+
+Then commit the change.
+```
+git push origin main
+```
+
+
+## Create release notes for the tag in GitHub UI
+
+```shell 
+# open this URL and create release notes by clicking "Create release from tag"
+echo https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-${VERSION_WITHOUT_RC}
+```
+
+1. Open the above URL in a browser and create release notes by clicking "Create release from tag".
+2. Find "Previous tag: auto" in the UI above the text box and choose the previous release there.
+3. Click "Generate release notes".
+4. Review the generated release notes.
+5. Click "Publish release".
+
+
+## Notify developers of release
+
+Once the `index.yaml` is live on the website, it is time to announce the release.
+
+- Notify users@pulsar.apache.org (cc'ing dev@pulsar.apache.org) that
+the artifacts have been published:
+
+Subject:
+
+```shell
+tee >(pbcopy) <<EOF
+[ANNOUNCE] Apache Pulsar Helm Chart version ${VERSION_WITHOUT_RC} Released
+EOF
+```
+
+Body:
+
+```shell
+tee >(pbcopy) <<EOF
+Dear community,
+
+The Apache Pulsar team is pleased to announce the release of the Apache
+Pulsar Helm Chart $VERSION_WITHOUT_RC.
+
+The official source release, as well as the binary Helm Chart release,
+are available at
+https://downloads.apache.org/pulsar/helm-chart/$VERSION_WITHOUT_RC/.
+
+The helm chart index at https://pulsar.apache.org/charts/ has been
+updated and the release is also available directly via helm.
+
+Release Notes:
+https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-$VERSION_WITHOUT_RC
+Docs: https://github.com/apache/pulsar-helm-chart#readme and https://pulsar.apache.org/docs/helm-overview
+ArtifactHub: https://artifacthub.io/packages/helm/apache/pulsar/$VERSION_WITHOUT_RC
+
+Thanks to all the contributors who made this possible.
+
+Regards,
+
+The Apache Pulsar Team
+EOF
+```
+
+
+Send the same email to announce@apache.org.
+It is more reliable to send it via the web ui at https://lists.apache.org/list.html?announce@apache.org
+(press "c" to compose a new thread).
+
+## Create release on GitHub
+
+Create a new release on GitHub with the release notes and assets from the release svn.
+
+## Close the milestone
+
+Close the milestone on GitHub. Create the next one if it hasn't been already.
+
+## Announce the release on the community slack
+
+Post this in the #announce channel:
+
+```shell
+tee >(pbcopy) <<EOF
+We've just released Apache Pulsar Helm Chart ${VERSION_WITHOUT_RC} 🎉
+
+The official source release, as well as the binary Helm Chart release,
+are available at
+https://downloads.apache.org/pulsar/helm-chart/$VERSION_WITHOUT_RC/.
+
+The helm chart index at https://pulsar.apache.org/charts/ has been
+updated and the release is also available directly via helm.
+
+Release Notes:
+https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-$VERSION_WITHOUT_RC
+Docs: https://github.com/apache/pulsar-helm-chart#readme and https://pulsar.apache.org/docs/helm-overview
+ArtifactHub: https://artifacthub.io/packages/helm/apache/pulsar/$VERSION_WITHOUT_RC
+
+Thanks to all the contributors who made this possible.
+EOF
+```
+
+## Maintaining svn https://dist.apache.org/repos/dist/release/pulsar/helm-chart/ content
+
+The chart references the files in https://downloads.apache.org/pulsar/helm-chart/ which are maintained
+by SVN directory https://dist.apache.org/repos/dist/release/pulsar/helm-chart/.
+
+If you remove releases from this directory, the URLs in index.yaml should be updated point to the 
+https://archive.apache.org/dist/pulsar/helm-chart/ URL base instead of https://downloads.apache.org/pulsar/helm-chart/.
--- a/53
+++ b/53
@ -0,0 +1,53 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# vagrant configuration file for setting up local environment for Pulsar Helm Chart 
+# CI script development.
+#
+# usage: 
+# Starting vagrant box:
+#   vagrant up
+# Connecting to vagrant box and running a ci script:
+#   vagrant ssh
+#   byobu
+#   cd /vagrant
+#   .ci/chart_test.sh .ci/clusters/values-local-pv.yaml
+# Shutting down vagrant box:
+#   vagrant halt
+# Destroying vagrant box:
+#   vagrant destroy
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/focal64"
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "7168"
+    vb.cpus = 2
+  end
+
+  config.vm.provision "shell", inline: <<-SHELL
+    export DEBIAN_FRONTEND=noninteractive
+    sudo apt-get update
+    sudo apt-get -y install docker.io
+    sudo adduser vagrant docker
+    echo 'PATH="/vagrant/output/bin:$PATH"' >> /home/vagrant/.profile
+  SHELL
+end
--- a/charts/pulsar/.helmignore
+++ b/charts/pulsar/.helmignore
@ -1,3 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
--- a/charts/pulsar/Chart.yaml
+++ b/charts/pulsar/Chart.yaml
@ -17,15 +17,22 @@
 # under the License.
 #

-apiVersion: v1
-appVersion: "2.7.1"
+apiVersion: v2
+appVersion: "4.0.5"
 description: Apache Pulsar Helm chart for Kubernetes
 name: pulsar
-version: 2.7.1
+version: 4.1.0
+kubeVersion: ">=1.25.0-0"
 home: https://pulsar.apache.org
 sources:
  - https://github.com/apache/pulsar
-icon: http://pulsar.apache.org/img/pulsar.svg
+  - https://github.com/apache/pulsar-helm-chart
+icon: https://pulsar.apache.org/img/pulsar.svg
 maintainers:
  - name: The Apache Pulsar Team
    email: dev@pulsar.apache.org
+dependencies:
+  - name: victoria-metrics-k8s-stack
+    version: 0.38.x
+    repository: https://victoriametrics.github.io/helm-charts/
+    condition: victoria-metrics-k8s-stack.enabled
--- a/charts/pulsar/LICENSE
+++ b/charts/pulsar/LICENSE
@ -0,0 +1,239 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+----------------------------------------------------------------------------------------------------
+
+pulsar-common/src/main/java/org/apache/pulsar/common/util/protobuf/ByteBufCoded{Input,Output}Stream.java
+
+Copyright 2014, Google Inc.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+    * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Code generated by the Protocol Buffer compiler is owned by the owner
+of the input file used when generating it.  This code is not
+standalone and requires a support library to be linked with it.  This
+support library is itself covered by the above license.
--- a/charts/pulsar/NOTICE
+++ b/charts/pulsar/NOTICE
@ -0,0 +1,5 @@
+Apache Pulsar
+Copyright 2017-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
--- a/charts/pulsar/templates/NOTES.txt
+++ b/charts/pulsar/templates/NOTES.txt
@ -0,0 +1,185 @@
+======================================================================================
+                           APACHE PULSAR HELM CHART
+======================================================================================
+
+======================================================================================
+                           SECURITY ADVISORY
+======================================================================================
+
+This Helm chart's default configuration DOES NOT meet production security requirements.
+Users MUST review and customize security settings for their specific environment.
+
+IMPORTANT: This Helm chart provides a starting point for Pulsar deployments but requires
+significant security customization before use in production environments. We strongly
+recommend implementing:
+
+1. Proper network isolation and access controls
+2. Authentication and authorization for all components
+3. TLS encryption for all communication channels
+4. Regular security updates and vulnerability assessments
+
+As an open source project, we welcome contributions to improve security features.
+Please consider submitting pull requests to address security gaps or enhance
+existing security implementations.
+
+---------------------------------------------------------------------------------------
+
+SECURITY NOTICE: The Pulsar proxy is not designed for direct public internet exposure.
+It lacks security features required for untrusted networks and should only be deployed
+within secured environments with proper network controls.
+
+IMPORTANT CHANGE IN v4.0.0: Default service type changed from LoadBalancer to ClusterIP
+for security reasons. This limits access to within the Kubernetes environment by default.
+
+---------------------------------------------------------------------------------------
+IF YOU NEED EXTERNAL ACCESS FOR YOUR PULSAR CLUSTER:
+---------------------------------------------------------------------------------------
+
+Note: This information might be outdated. Please go to https://github.com/apache/pulsar-helm-chart for updated information.
+
+If you need to expose the Pulsar Proxy outside the cluster using a LoadBalancer service type:
+
+1. USE INTERNAL LOAD BALANCERS ONLY
+   - Set type to LoadBalancer only in secured environments with proper network controls
+   - Add cloud provider-specific annotations for internal load balancers
+   - See cloud provider documentation:
+     * AWS / EKS: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/
+     * Azure / AKS: https://learn.microsoft.com/en-us/azure/aks/internal-lb
+     * GCP / GKE: https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer-parameters
+   - Examples (verify correctness for your environment):
+     * AWS / EKS:  service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+     * Azure / AKS: service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+     * GCP / GKE:   networking.gke.io/load-balancer-type: "Internal"
+
+2. IMPLEMENT AUTHENTICATION AND AUTHORIZATION
+   - Configure all clients to authenticate properly
+   - Set up appropriate authorization policies
+
+3. USE TLS FOR ALL CONNECTIONS
+   - Enable TLS for client-to-proxy connections
+   - Enable TLS for proxy-to-broker connections
+   - Enable TLS for all internal cluster communications (brokers, zookeepers, bookies)
+   - Note: TLS alone is NOT sufficient as a security solution in Pulsar. Even with TLS enabled,
+     clusters exposed to untrusted networks remain vulnerable to denial-of-service attacks, 
+     authentication bypass attempts, and protocol-level exploits. Always implement defense-in-depth
+     security measures and limit exposure to trusted networks only.
+
+4. NETWORK SECURITY
+   - Use private networks (VPCs)
+   - Configure firewalls, security groups, and IP restrictions appropriately
+   - In addition, consider using loadBalancerSourceRanges to limit access to specific IP ranges
+
+5. CLIENT IP ADDRESS BASED ACCESS RESTRICTIONS
+   - When using a LoadBalancer service type, restrict access to specific IP ranges by configuring 
+     `proxy.service.loadBalancerSourceRanges` in your values.yaml
+   - Important: This should be implemented alongside other security measures (internal load balancer,
+     authentication, TLS, network policies) as part of a defense-in-depth strategy,
+     not as a standalone security solution
+
+---------------------------------------------------------------------------------------
+ALTERNATIVE FOR EXTERNAL ACCESS
+---------------------------------------------------------------------------------------
+
+As an alternative method for external access, Pulsar has support for SNI proxy routing:
+https://pulsar.apache.org/docs/next/concepts-proxy-sni-routing/
+SNI Proxy routing is supported with proxy servers such as Apache Traffic Server, HAProxy and Nginx.
+
+Note: This option isn't currently implemented in the Apache Pulsar Helm chart.
+
+IMPORTANT: Pulsar binary protocol cannot be exposed outside of the Kubernetes cluster
+using Kubernetes Ingress. Kubernetes Ingress works for the Admin REST API and topic lookups,
+but clients would be connecting to the advertised listener addresses returned by the brokers and it 
+would only work when clients can connect directly to brokers. This is not a supported secure option 
+for exposing Pulsar to untrusted networks.
+
+{{- if .Values.useReleaseStatus }}
+
+======================================================================================
+                           🚀 QUICK START 🚀
+======================================================================================
+
+Watching events to view progress of deployment:
+kubectl get -n {{ .Values.namespace | default .Release.Namespace }} events -o wide --watch
+
+Watching state of deployed Kubernetes objects, updated every 2 seconds:
+watch kubectl get -n {{ .Values.namespace | default .Release.Namespace }} all
+
+{{- if .Values.components.proxy }}
+
+Waiting until Pulsar Proxy is available:
+kubectl wait --timeout=600s --for=condition=ready pod -n {{ .Values.namespace | default .Release.Namespace }} -l component=proxy
+{{- end }}
+
+Watching state with k9s (https://k9scli.io/topics/install/):
+k9s -n {{ .Values.namespace | default .Release.Namespace }}
+
+{{- if and .Values.affinity.anti_affinity (or (gt (int .Values.bookkeeper.replicaCount) 1) (gt (int .Values.zookeeper.replicaCount) 1)) }}
+
+======================================================================================
+                      ⚠️  NOTICE FOR DEV K8S CLUSTER USERS  ⚠️
+======================================================================================
+
+Please note that anti-affinity rules for Zookeeper and Bookie components require at least 
+one node per replica. There are currently {{ .Values.bookkeeper.replicaCount }} bookies and {{ .Values.zookeeper.replicaCount }} zookeepers configured.
+
+For Kubernetes clusters with fewer than 3 nodes, such as single-node Kubernetes clusters in 
+development environments like minikube, Docker Desktop, Rancher Desktop (k3s), or Podman 
+Desktop, you must disable the anti-affinity feature by either:
+
+Adding to your values.yaml:
+affinity:
+  anti_affinity: false
+
+Or adding "--set affinity.anti_affinity=false" to the helm command line.
+
+After making the changes to your values yaml file, redeploy with "helm upgrade":
+helm upgrade -n {{ .Release.Namespace }} -f your_values_file.yaml {{ .Release.Name }} apachepulsar/pulsar
+
+These configuration instructions can be omitted for Kubernetes clusters with 3 or more nodes.
+{{- end }}
+{{- end }}
+{{- if and (eq .Values.proxy.service.type "LoadBalancer") (not .Values.proxy.service.annotations) }}
+
+======================================================================================
+                      ⚠️ 🚨 INSECURE CONFIGURATION DETECTED 🚨 ⚠️
+======================================================================================
+WARNING: You are using a LoadBalancer service type without internal load balancer
+annotations. This is potentially an insecure configuration. Please carefully review
+the security recommendations above and visit https://github.com/apache/pulsar-helm-chart
+for more information.
+======================================================================================
+{{- end }}
+
+======================================================================================
+                           DISCLAIMER
+======================================================================================
+
+The providers of this Helm chart make no guarantees regarding the security of the chart under
+any circumstances. It is the user's responsibility to ensure that their deployment is secure
+and complies with all relevant security standards and regulations.
+
+By using this Helm chart, the user acknowledges the risks associated with its default
+configuration and the necessity for proper security customization. The user further 
+agrees that the providers of the Helm chart shall not be liable for any security breaches
+or incidents resulting from the use of the chart.
+
+The user assumes full responsibility for the security and integrity of their deployment.
+This includes, but is not limited to, the proper configuration of security features and 
+adherence to best practices for securing network access. The providers of this Helm chart
+disclaim all warranties, whether express or implied, including any warranties of
+merchantability, fitness for a particular purpose, and non-infringement of third-party rights.
+
+======================================================================================
+                           RESOURCES
+======================================================================================
+
+- 🖥️ Install k9s terminal interface for viewing and managing k8s clusters: https://k9scli.io/topics/install/
+- ❓ Usage Questions: https://github.com/apache/pulsar/discussions/categories/q-a
+- 🐛 Report Issues: https://github.com/apache/pulsar-helm-chart/issues
+- 🔒 Security Issues: https://pulsar.apache.org/security/
+- 📚 Documentation: https://github.com/apache/pulsar-helm-chart
+
+🌟 Please contribute to improve the Apache Pulsar Helm chart and its documentation:
+- 🤝 Contribute: https://github.com/apache/pulsar-helm-chart
+
+Thank you for installing Apache Pulsar Helm chart version {{ .Chart.Version }}.
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define the pulsar autorecovery service
 */}}
@ -17,7 +36,7 @@ Define autorecovery zookeeper client tls settings
 */}}
 {{- define "pulsar.autorecovery.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "autorecovery" "isClient" true "isCacerts" .Values.tls.autorecovery.cacerts.enabled) -}}
 {{- end }}
 {{- end }}

@ -32,11 +51,21 @@ Define autorecovery tls certs mounts
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
 {{- end }}
+{{- if .Values.tls.autorecovery.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: autorecovery-cacerts
+{{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}

@ -53,18 +82,32 @@ Define autorecovery tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
+    - key: tls-combined.pem
+      path: tls-combined.pem
 - name: ca
  secret:
-    secretName: "{{ .Release.Name }}-ca-tls"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
 {{- end }}
+{{- if .Values.tls.autorecovery.cacerts.enabled }}
+- name: autorecovery-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
+  configMap:
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
+    defaultMode: 0755
 {{- end }}
 {{- end }}

@ -73,8 +116,9 @@ Define autorecovery init container : verify cluster id
 */}}
 {{- define "pulsar.autorecovery.init.verify_cluster_id" -}}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
-{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}}
-until bin/bookkeeper shell whatisinstanceid; do
+export BOOKIE_MEM="-Xmx128M";
+{{- include "pulsar.autorecovery.zookeeper.tls.settings" . }}
+until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
 {{- end }}
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define the pulsar bookkeeper service
 */}}
@ -18,7 +37,7 @@ Define bookie zookeeper client tls settings
 */}}
 {{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "bookie" "isClient" true "isCacerts" .Values.tls.bookie.cacerts.enabled) -}}
 {{- end }}
 {{- end }}

@ -26,18 +45,30 @@ Define bookie zookeeper client tls settings
 Define bookie tls certs mounts
 */}}
 {{- define "pulsar.bookkeeper.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
+{{- if .Values.tls.enabled }}
+{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
 - name: bookie-certs
  mountPath: "/pulsar/certs/bookie"
  readOnly: true
+{{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
 {{- end }}
+{{- if .Values.tls.bookie.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: bookie-cacerts
+{{- range $cert := .Values.tls.bookie.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}

@ -45,7 +76,8 @@ Define bookie tls certs mounts
 Define bookie tls certs volumes
 */}}
 {{- define "pulsar.bookkeeper.certs.volumes" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
+{{- if .Values.tls.enabled }}
+{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
 - name: bookie-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
@ -54,18 +86,35 @@ Define bookie tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
+{{- if .Values.tls.zookeeper.enabled }}
+    - key: tls-combined.pem
+      path: tls-combined.pem
+{{- end }}
+{{- end }}
 - name: ca
  secret:
-    secretName: "{{ .Release.Name }}-ca-tls"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
 {{- end }}
+{{- if .Values.tls.bookie.cacerts.enabled }}
+- name: bookie-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.bookie.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
+  configMap:
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
+    defaultMode: 0755
 {{- end }}
 {{- end }}

@ -73,8 +122,31 @@ Define bookie tls certs volumes
 Define bookie common config
 */}}
 {{- define "pulsar.bookkeeper.config.common" -}}
-zkServers: "{{ template "pulsar.zookeeper.connect" . }}"
-zkLedgersRootPath: "{{ .Values.metadataPrefix }}/ledgers"
+{{/*
+Configure BookKeeper's metadata store (available since BookKeeper 4.7.0 / BP-29)
+https://bookkeeper.apache.org/bps/BP-29-metadata-store-api-module/
+https://bookkeeper.apache.org/docs/deployment/manual#cluster-metadata-setup
+*/}}
+# Set empty values for zkServers and zkLedgersRootPath since we're using the metadataServiceUri to configure BookKeeper's metadata store
+zkServers: ""
+zkLedgersRootPath: ""
+{{- if .Values.components.zookeeper }}
+{{- if (and (hasKey .Values.pulsar_metadata "bookkeeper") .Values.pulsar_metadata.bookkeeper.usePulsarMetadataBookieDriver) }}
+# there's a bug when using PulsarMetadataBookieDriver since it always appends /ledgers to the metadataServiceUri
+# Possibly a bug in org.apache.pulsar.metadata.bookkeeper.AbstractMetadataDriver#resolveLedgersRootPath in Pulsar code base
+metadataServiceUri: "metadata-store:zk:{{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }}"
+{{- else }}
+# use zk+hierarchical:// when using BookKeeper's built-in metadata driver
+metadataServiceUri: "zk+hierarchical://{{ template "pulsar.zookeeper.connect" . }}{{ .Values.metadataPrefix }}/ledgers"
+{{- end }}
+{{- else if .Values.components.oxia }}
+metadataServiceUri: "{{ template "pulsar.oxia.metadata.url.bookkeeper" . }}"
+{{- end }}
+{{- /* metadataStoreSessionTimeoutMillis maps to zkTimeout in bookkeeper.conf for both zookeeper and oxia metadata stores */}}
+{{- if (and (hasKey .Values.pulsar_metadata "bookkeeper") (hasKey .Values.pulsar_metadata.bookkeeper "metadataStoreSessionTimeoutMillis")) }}
+zkTimeout: "{{ .Values.pulsar_metadata.bookkeeper.metadataStoreSessionTimeoutMillis }}"
+{{- end }}
+
 # enable bookkeeper http server
 httpServerEnabled: "true"
 httpServerPort: "{{ .Values.bookkeeper.ports.http }}"
@ -94,7 +166,7 @@ PULSAR_PREFIX_tlsCertificatePath: /pulsar/certs/bookie/tls.crt
 PULSAR_PREFIX_tlsKeyStoreType: PEM
 PULSAR_PREFIX_tlsKeyStore: /pulsar/certs/bookie/tls.key
 PULSAR_PREFIX_tlsTrustStoreType: PEM
-PULSAR_PREFIX_tlsTrustStore: /pulsar/certs/ca/ca.crt 
+PULSAR_PREFIX_tlsTrustStore: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.bookie.cacerts.enabled | quote }}
 {{- end }}
 {{- end }}

@ -104,8 +176,9 @@ Define bookie init container : verify cluster id
 {{- define "pulsar.bookkeeper.init.verify_cluster_id" -}}
 {{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
-until bin/bookkeeper shell whatisinstanceid; do
+export BOOKIE_MEM="-Xmx128M";
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
+until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
 bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true
@ -113,8 +186,9 @@ bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true
 {{- if and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence }}
 set -e;
 bin/apply-config-from-env.py conf/bookkeeper.conf;
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
-until bin/bookkeeper shell whatisinstanceid; do
+export BOOKIE_MEM="-Xmx128M";
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
+until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
 {{- end }}
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define the pulsar brroker service
 */}}
@ -24,7 +43,7 @@ Define broker zookeeper client tls settings
 */}}
 {{- define "pulsar.broker.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "broker" "isClient" true "isCacerts" .Values.tls.broker.cacerts.enabled) -}}
 {{- end }}
 {{- end }}

@ -32,18 +51,30 @@ Define broker zookeeper client tls settings
 Define broker tls certs mounts
 */}}
 {{- define "pulsar.broker.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
+{{- if .Values.tls.enabled }}
+{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
 - name: broker-certs
  mountPath: "/pulsar/certs/broker"
  readOnly: true
+{{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
 {{- end }}
+{{- if .Values.tls.broker.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: broker-cacerts
+{{- range $cert := .Values.tls.broker.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}

@ -51,7 +82,8 @@ Define broker tls certs mounts
 Define broker tls certs volumes
 */}}
 {{- define "pulsar.broker.certs.volumes" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
+{{- if .Values.tls.enabled }}
+{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
 - name: broker-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
@ -60,17 +92,34 @@ Define broker tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
+{{- if .Values.tls.zookeeper.enabled }}
+    - key: tls-combined.pem
+      path: tls-combined.pem
+{{- end }}
+{{- end }}
 - name: ca
  secret:
-    secretName: "{{ .Release.Name }}-ca-tls"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
+{{- end }}
+{{- if .Values.tls.broker.cacerts.enabled }}
+- name: broker-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.broker.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
-{{- end }}
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@ -0,0 +1,132 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
+{{- .Values.certs.issuers.selfsigning.name -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
+{{- .Values.certs.issuers.selfsigning.secretName -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common certificate template
+Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}}
+*/}}
+{{- define "pulsar.cert.template" -}}
+{{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
+{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
+{{- end -}}
+apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
+kind: Certificate
+metadata:
+  name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
+  namespace: {{ template "pulsar.namespace" .root }}
+  labels:
+    {{- include "pulsar.standardLabels" .root | nindent 4 }}
+spec:
+  # Secret names are always required.
+  secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
+{{- if .root.Values.tls.zookeeper.enabled }}
+  additionalOutputFormats:
+    - type: CombinedPEM
+{{- end }}
+  duration: "{{ .root.Values.tls.common.duration }}"
+  renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
+  subject:
+    organizations:
+{{ toYaml .root.Values.tls.common.organization | indent 4 }}
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}"
+  isCA: false
+  privateKey:
+    size: {{ .root.Values.tls.common.keySize }}
+    algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
+    encoding: {{ .root.Values.tls.common.keyEncoding }}
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, USI SAN, or IP address is required.
+  dnsNames:
+{{- if .tlsConfig.dnsNames }}
+{{ toYaml .tlsConfig.dnsNames | indent 4 }}
+{{- end }}
+    - {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }}
+    - {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
+  # Issuer references are always required.
+  issuerRef:
+    name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: Issuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io
+{{- end -}}
+
+{{/*
+CA certificates template
+Usage: {{ include "pulsar.certs.cacerts" (dict "certs" .Values.tls.<component>.cacerts.certs) }}
+*/}}
+{{- define "pulsar.certs.cacerts" -}}
+{{- $certs := .certs -}}
+{{- $cacerts := list -}}
+{{- $cacerts = print "/pulsar/certs/ca/ca.crt" | append $cacerts -}}
+{{- range $cert := $certs -}}
+{{- range $key := $cert.secretKeys -}}
+{{- $cacerts = print "/pulsar/certs/" $cert.name "/" $key | append $cacerts -}}
+{{- end -}}
+{{- end -}}
+{{ join " " $cacerts }}
+{{- end -}}
--- a/charts/pulsar/templates/_configurationstore.tpl
+++ b/charts/pulsar/templates/_configurationstore.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define configuration store endpoint
 */}}
--- a/charts/pulsar/templates/_helpers.tpl
+++ b/charts/pulsar/templates/_helpers.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/* vim: set filetype=mustache: */}}

 {{/*
@ -66,6 +85,9 @@ chart: {{ template "pulsar.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 cluster: {{ template "pulsar.cluster.name" . }}
+{{- if .Values.labels }}
+{{ .Values.labels | toYaml | trim }}
+{{- end }}
 {{- end }}

 {{/*
@ -75,6 +97,9 @@ Create the template labels.
 app: {{ template "pulsar.name" . }}
 release: {{ .Release.Name }}
 cluster: {{ template "pulsar.cluster.name" . }}
+{{- if .Values.labels }}
+{{ .Values.labels | toYaml | trim }}
+{{- end }}
 {{- end }}

 {{/*
@ -84,3 +109,30 @@ Create the match labels.
 app: {{ template "pulsar.name" . }}
 release: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create ImagePullSecrets
+*/}}
+{{- define "pulsar.imagePullSecrets" -}}
+{{- if .Values.images.imagePullSecrets -}}
+imagePullSecrets:
+{{- range .Values.images.imagePullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create full image name
+*/}}
+{{- define "pulsar.imageFullName" -}}
+{{- printf "%s:%s" (.image.repository | default .root.Values.defaultPulsarImageRepository) (.image.tag | default .root.Values.defaultPulsarImageTag | default .root.Chart.AppVersion) -}}
+{{- end -}}
+
+{{/*
+Lookup pull policy, default to defaultPullPolicy
+*/}}
+{{- define "pulsar.imagePullPolicy" -}}
+{{- printf "%s" (.image.pullPolicy | default .root.Values.defaultPullPolicy) -}}
+{{- end -}}
+
--- a/charts/pulsar/templates/_monitor.tpl
+++ b/charts/pulsar/templates/_monitor.tpl
@ -0,0 +1,97 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{- define "pulsar.podMonitor" -}}
+{{- $root := index . 0 }}
+{{- $component := index . 1 }}
+{{- $matchLabel := index . 2 }}
+{{- $portName := "http" }}
+{{- if gt (len .) 3 }}
+{{- $portName = index . 3 }}
+{{- end }}
+
+{{/* Extract component parts for nested values */}}
+{{- $componentParts := splitList "." $component }}
+{{- $valuesPath := $root.Values }}
+{{- range $componentParts }}
+  {{- $valuesPath = index $valuesPath . }}
+{{- end }}
+
+{{- if index $root.Values "victoria-metrics-k8s-stack" "enabled" }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+{{- else }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+{{- end }}
+metadata:
+  name: {{ template "pulsar.fullname" $root }}-{{ replace "." "-" $component }}
+  labels:
+    {{- include "pulsar.standardLabels" $root | nindent 4 }}
+spec:
+  jobLabel: {{ replace "." "-" $component }}
+  podMetricsEndpoints:
+    - port: {{ $portName }}
+      path: /metrics
+      scheme: http
+      interval: {{ $valuesPath.podMonitor.interval }}
+      scrapeTimeout: {{ $valuesPath.podMonitor.scrapeTimeout }}
+      # Set honor labels to true to allow overriding namespace label with Pulsar's namespace label
+      honorLabels: true
+      {{- if index $root.Values "victoria-metrics-k8s-stack" "enabled" }}
+      relabelConfigs:
+      {{- else }}
+      relabelings:
+      {{- end }}
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+        - sourceLabels: [__meta_kubernetes_namespace]
+          action: replace
+          targetLabel: kubernetes_namespace
+        - sourceLabels: [__meta_kubernetes_pod_label_component]
+          action: replace
+          targetLabel: job
+        - sourceLabels: [__meta_kubernetes_pod_name]
+          action: replace
+          targetLabel: kubernetes_pod_name
+      {{- if or $valuesPath.podMonitor.metricRelabelings (and $valuesPath.podMonitor.dropUnderscoreCreatedMetrics (index $valuesPath.podMonitor.dropUnderscoreCreatedMetrics "enabled")) }}
+      {{- if index $root.Values "victoria-metrics-k8s-stack" "enabled" }}
+      metricRelabelConfigs:
+      {{- else }}
+      metricRelabelings:
+      {{- end }}
+      {{- if and $valuesPath.podMonitor.dropUnderscoreCreatedMetrics (index $valuesPath.podMonitor.dropUnderscoreCreatedMetrics "enabled") }}
+        # Drop metrics that end with _created, auto-created by metrics library to match OpenMetrics format
+        - sourceLabels: [__name__]
+          {{- if and (hasKey $valuesPath.podMonitor.dropUnderscoreCreatedMetrics "excludePatterns") $valuesPath.podMonitor.dropUnderscoreCreatedMetrics.excludePatterns }}
+          regex: "(?!{{ $valuesPath.podMonitor.dropUnderscoreCreatedMetrics.excludePatterns | join "|" }}).*_created$"
+          {{- else }}
+          regex: ".*_created$"
+          {{- end }}
+          action: drop
+      {{- end }}
+      {{- with $valuesPath.podMonitor.metricRelabelings }}
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- end }}
+  selector:
+    matchLabels:
+      {{- include "pulsar.matchLabels" $root | nindent 6 }}
+      {{ $matchLabel }}
+{{- end -}}
--- a/charts/pulsar/templates/_oxia.tpl
+++ b/charts/pulsar/templates/_oxia.tpl
@ -0,0 +1,122 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Probe
+*/}}
+{{- define "oxia-cluster.probe" -}}
+exec:
+  command: ["oxia", "health", "--port={{ . }}"]
+initialDelaySeconds: 10
+timeoutSeconds: 10
+{{- end }}
+
+
+{{/*
+Probe
+*/}}
+{{- define "oxia-cluster.readiness-probe" -}}
+exec:
+  command: ["oxia", "health", "--port={{ . }}", "--service=oxia-readiness"]
+initialDelaySeconds: 10
+timeoutSeconds: 10
+{{- end }}
+
+{{/*
+Probe
+*/}}
+{{- define "oxia-cluster.startup-probe" -}}
+exec:
+  command: ["oxia", "health", "--port={{ . }}"]
+initialDelaySeconds: 60
+timeoutSeconds: 10
+{{- end }}
+
+{{/*
+Define the pulsar oxia
+*/}}
+{{- define "pulsar.oxia.server.service" -}}
+{{ template "pulsar.fullname" . }}-{{ .Values.oxia.component }}-svc
+{{- end }}
+
+{{/*
+oxia url for broker metadata
+*/}}
+{{- define "pulsar.oxia.metadata.url.broker" -}}
+{{- if .Values.components.oxia -}}
+oxia://{{ template "pulsar.oxia.server.service" . }}:{{ .Values.oxia.server.ports.public }}/broker
+{{- end -}}
+{{- end -}}
+
+{{/*
+oxia url for bookkeeper metadata
+*/}}
+{{- define "pulsar.oxia.metadata.url.bookkeeper" -}}
+{{- if .Values.components.oxia -}}
+metadata-store:oxia://{{ template "pulsar.oxia.server.service" . }}:{{ .Values.oxia.server.ports.public }}/bookkeeper
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define coordinator configmap
+*/}}
+{{- define "oxia.coordinator.config.yaml" -}}
+namespaces:
+  - name: default
+    initialShardCount: {{ .Values.oxia.initialShardCount }}
+    replicationFactor: {{ .Values.oxia.replicationFactor }}
+  - name: broker
+    initialShardCount: {{ .Values.oxia.initialShardCount }}
+    replicationFactor: {{ .Values.oxia.replicationFactor }}
+  - name: bookkeeper
+    initialShardCount: {{ .Values.oxia.initialShardCount }}
+    replicationFactor: {{ .Values.oxia.replicationFactor }}
+servers:
+  {{- $servicename := printf "%s-%s-svc" (include "pulsar.fullname" .) .Values.oxia.component }}
+  {{- $fqdnSuffix := printf "%s.svc.cluster.local" (include "pulsar.namespace" .) }}
+  {{- $podnamePrefix := printf "%s-%s-server-" (include "pulsar.fullname" .) .Values.oxia.component }}
+  {{- range until (int .Values.oxia.server.replicas) }}
+  {{- $podnameIndex := . }}
+  {{- $podname := printf "%s%d.%s" $podnamePrefix $podnameIndex $servicename }}
+  {{- $podnameFQDN := printf "%s.%s" $podname $fqdnSuffix }}
+  - public: {{ $podnameFQDN }}:{{ $.Values.oxia.server.ports.public }}
+    internal: {{ $podname }}:{{ $.Values.oxia.server.ports.internal }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Define coordinator entrypoint
+*/}}
+{{- define "oxia.coordinator.entrypoint" -}}
+- "oxia"
+- "coordinator"
+{{- if .Values.oxia.coordinator.customConfigMapName }}
+- "--conf=configmap:{{ template "pulsar.namespace" . }}/{{ .Values.oxia.coordinator.customConfigMapName }}"
+{{- else }}
+- "--conf=configmap:{{ template "pulsar.namespace" . }}/{{ template "pulsar.fullname" . }}-{{ .Values.oxia.component }}-coordinator"
+{{- end }}
+- "--log-json"
+- "--metadata=configmap"
+- "--k8s-namespace={{ template "pulsar.namespace" . }}"
+- "--k8s-configmap-name={{ template "pulsar.fullname" . }}-{{ .Values.oxia.component }}-coordinator-status"
+{{- if .Values.oxia.pprofEnabled }}
+- "--profile"
+{{- end}}
+{{- end}}
+
--- a/charts/pulsar/templates/_proxy.tpl
+++ b/charts/pulsar/templates/_proxy.tpl
@ -0,0 +1,95 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define proxy tls certs mounts
+*/}}
+{{- define "pulsar.proxy.certs.volumeMounts" -}}
+{{- if .Values.tls.enabled }}
+{{- if .Values.tls.proxy.enabled }}
+- mountPath: "/pulsar/certs/proxy"
+  name: proxy-certs
+  readOnly: true
+{{- end }}
+- mountPath: "/pulsar/certs/ca"
+  name: ca
+  readOnly: true
+{{- end }}
+{{- if .Values.tls.proxy.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: proxy-cacerts
+{{- range $cert := .Values.tls.proxy.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
+{{- end }}
+{{- end }}
+
+{{/*
+Define proxy tls certs volumes
+*/}}
+{{- define "pulsar.proxy.certs.volumes" -}}
+{{- if .Values.tls.enabled }}
+{{- if .Values.tls.proxy.enabled }}
+- name: proxy-certs
+  secret:
+    secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
+    items:
+      - key: tls.crt
+        path: tls.crt
+      - key: tls.key
+        path: tls.key
+      {{- if .Values.tls.zookeeper.enabled }}
+      - key: tls-combined.pem
+        path: tls-combined.pem
+      {{- end }}
+{{- end }}
+- name: ca
+  secret:
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
+    items:
+      - key: ca.crt
+        path: ca.crt
+{{- end }}
+{{- if .Values.tls.proxy.cacerts.enabled }}
+- name: proxy-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.proxy.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
+  configMap:
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
+    defaultMode: 0755
+{{- end }}
+{{- end }}
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define the pulsar toolset service
 */}}
@ -17,7 +36,7 @@ Define toolset zookeeper client tls settings
 */}}
 {{- define "pulsar.toolset.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}}
-/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "toolset" "isClient" true "isCacerts" .Values.tls.toolset.cacerts.enabled) -}}
 {{- end -}}
 {{- end }}

@ -25,18 +44,30 @@ Define toolset zookeeper client tls settings
 Define toolset tls certs mounts
 */}}
 {{- define "pulsar.toolset.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+{{- if .Values.tls.enabled }}
+{{- if .Values.tls.zookeeper.enabled }}
 - name: toolset-certs
  mountPath: "/pulsar/certs/toolset"
  readOnly: true
+{{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
 {{- end }}
+{{- if .Values.tls.toolset.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: toolset-cacerts
+{{- range $cert := .Values.tls.toolset.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}

@ -44,7 +75,8 @@ Define toolset tls certs mounts
 Define toolset tls certs volumes
 */}}
 {{- define "pulsar.toolset.certs.volumes" -}}
-{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+{{- if .Values.tls.enabled  }}
+{{- if .Values.tls.zookeeper.enabled }}
 - name: toolset-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
@ -53,17 +85,32 @@ Define toolset tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
+    - key: tls-combined.pem
+      path: tls-combined.pem
+{{- end }}
 - name: ca
  secret:
-    secretName: "{{ .Release.Name }}-ca-tls"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
- name: keytool
+{{- end }}
+{{- if .Values.tls.toolset.cacerts.enabled }}
+- name: toolset-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.toolset.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
-{{- end }}
--- a/charts/pulsar/templates/_tplvalues.tpl
+++ b/charts/pulsar/templates/_tplvalues.tpl
@ -0,0 +1,37 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+  {{- if .scope }}
+      {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+  {{- else }}
+    {{- tpl $value .context }}
+  {{- end }}
+{{- else }}
+    {{- $value }}
+{{- end }}
+{{- end -}}
--- a/charts/pulsar/templates/_values_validation.tpl
+++ b/charts/pulsar/templates/_values_validation.tpl
@ -0,0 +1,25 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Check deprecated setting auth.authentication.provider since 4.1.0
+*/}}
+{{- if (and .Values.auth.authentication.enabled (not (empty .Values.auth.authentication.provider))) }}
+  {{- fail "ERROR: Setting auth.authentication.provider is no longer supported. For details, see the migration guide in README.md." }}
+{{- end }}
--- a/charts/pulsar/templates/_zookeeper.tpl
+++ b/charts/pulsar/templates/_zookeeper.tpl
@ -1,3 +1,22 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
 {{/*
 Define the pulsar zookeeper
 */}}
@ -34,6 +53,93 @@ Define zookeeper tls settings
 */}}
 {{- define "pulsar.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "zookeeper" "isClient" false "isCacerts" .Values.tls.zookeeper.cacerts.enabled) -}}
+{{- end }}
+{{- end }}
+
+{{- define "pulsar.component.zookeeper.tls.settings" }}
+{{- $component := .component -}}
+{{- $isClient := .isClient -}}
+{{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}}
+{{- $caFile := ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .isCacerts -}}
+{{- if $isClient }}
+echo $'\n' >> conf/pulsar_env.sh
+echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
+echo $'\n' >> conf/bkenv.sh
+echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh
+{{- else }}
+echo $'\n' >> conf/pulsar_env.sh
+echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
+{{- end }}
+{{- end }}
+
+{{/*
+Define zookeeper tls certs mounts
+*/}}
+{{- define "pulsar.zookeeper.certs.volumeMounts" -}}
+{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+- mountPath: "/pulsar/certs/zookeeper"
+  name: zookeeper-certs
+  readOnly: true
+- mountPath: "/pulsar/certs/ca"
+  name: ca
+  readOnly: true
+{{- end }}
+{{- if .Values.tls.zookeeper.cacerts.enabled }}
+- mountPath: "/pulsar/certs/cacerts"
+  name: zookeeper-cacerts
+{{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
+- name: {{ $cert.name }}
+  mountPath: "/pulsar/certs/{{ $cert.name }}"
+  readOnly: true
+{{- end }}
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem.sh"
+  subPath: certs-combine-pem.sh
+- name: certs-scripts
+  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
+  subPath: certs-combine-pem-infinity.sh
+{{- end }}
+{{- end }}
+
+{{/*
+Define zookeeper tls certs volumes
+*/}}
+{{- define "pulsar.zookeeper.certs.volumes" -}}
+{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+- name: zookeeper-certs
+  secret:
+    secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
+    items:
+      - key: tls.crt
+        path: tls.crt
+      - key: tls.key
+        path: tls.key
+      - key: tls-combined.pem
+        path: tls-combined.pem
+- name: ca
+  secret:
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
+    items:
+      - key: ca.crt
+        path: ca.crt
+{{- end }}
+{{- if .Values.tls.zookeeper.cacerts.enabled }}
+- name: zookeeper-cacerts
+  emptyDir: {}
+{{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
+- name: {{ $cert.name }}
+  secret:
+    secretName: "{{ $cert.existingSecret }}"
+    items:
+    {{- range $key := $cert.secretKeys }}
+      - key: {{ $key }}
+        path: {{ $key }}
+    {{- end }}
+{{- end }}
+- name: certs-scripts
+  configMap:
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
+    defaultMode: 0755
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/autorecovery-configmap.yaml
+++ b/charts/pulsar/templates/autorecovery-configmap.yaml
@ -17,7 +17,7 @@
 # under the License.
 #

-{{- if or .Values.components.autorecovery .Values.extra.autoRecovery  }}
+{{- if .Values.components.autorecovery }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/Show More
+++ b/Show More