Feat/cacerts (#619 )

extra volume mounts for oxia coordinator (#618 )
* extra volume mounts for oxia coordinator * . * .
2025-06-21 23:13:35 +03:00 · 2025-06-13 10:55:02 -07:00 · 2025-06-09 21:27:23 +03:00 · 2025-05-30 18:16:04 +03:00
35 changed files with 930 additions and 578 deletions
--- a/.ci/clusters/values-cacerts.yaml
+++ b/.ci/clusters/values-cacerts.yaml
@ -0,0 +1,105 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 # enable TLS with cacerts
 tls:
  enabled: true
  proxy:
    enabled: true
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
  broker:
    enabled: true
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
  bookie:
    enabled: true
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
  zookeeper:
    enabled: true
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
  toolset:
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
  autorecovery:
    cacerts:
      enabled: true
      certs:
        - name: common-cacert
          existingSecret: "pulsar-ci-common-cacert"
          secretKeys:
            - ca.crt
 # enable cert-manager
 certs:
  internal_issuer:
    enabled: true
    type: selfsigning
 # deploy cacerts
 extraDeploy:
  - |
    apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
    kind: Certificate
    metadata:
      name: "{{ template "pulsar.fullname" . }}-common-cacert"
      namespace: {{ template "pulsar.namespace" . }}
      labels:
        {{- include "pulsar.standardLabels" . | nindent 4 }}
    spec:
      secretName: "{{ template "pulsar.fullname" . }}-common-cacert"
      commonName: "common-cacert"
      duration: "{{ .Values.certs.internal_issuer.duration }}"
      renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
      usages:
        - server auth
        - client auth
      isCA: true
      issuerRef:
        name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}"
        kind: Issuer
        group: cert-manager.io
--- a/.github/workflows/pulsar-helm-chart-ci.yaml
+++ b/.github/workflows/pulsar-helm-chart-ci.yaml
@ -233,6 +233,9 @@ jobs:
          - name: OpenID
            values_file: .ci/clusters/values-openid.yaml
            shortname: openid
          - name: CA certificates
            values_file: .ci/clusters/values-cacerts.yaml
            shortname: cacerts
        include:
          - k8sVersion:
              version: "1.25.16"
--- a/README.md
+++ b/README.md
@ -160,7 +160,7 @@ It includes support for:
        - [x] Broker
        - [x] Toolset
        - [x] Bookie
-        - [x] ZooKeeper
+        - [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)
    - [x] Authentication
        - [x] JWT
        - [x] OpenID
@ -402,6 +402,15 @@ helm upgrade -n <namespace> -f values.yaml <pulsar-release-name> apachepulsar/pu
 For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
 ## Upgrading to Helm chart version 4.2.0 (not released yet)
 ### TLS configuration for ZooKeeper has changed
 The TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.
 This change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.
 The revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.
 If you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.
 ## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
 ### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@ -36,7 +36,7 @@ Define autorecovery zookeeper client tls settings
 */}}
 {{- define "pulsar.autorecovery.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "autorecovery" "isClient" true "isCacerts" .Values.tls.autorecovery.cacerts.enabled) -}}
 {{- end }}
 {{- end }}
@ -51,11 +51,21 @@ Define autorecovery tls certs mounts
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  mountPath: "/pulsar/keytool/keytool.sh"
  subPath: keytool.sh
 {{- end }}
 {{- if .Values.tls.autorecovery.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: autorecovery-cacerts
 {{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
@ -72,18 +82,32 @@ Define autorecovery tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
    - key: tls-combined.pem
      path: tls-combined.pem
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  configMap:
    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
    defaultMode: 0755
 {{- end }}
 {{- if .Values.tls.autorecovery.cacerts.enabled }}
 - name: autorecovery-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
@ -93,7 +117,7 @@ Define autorecovery init container : verify cluster id
 {{- define "pulsar.autorecovery.init.verify_cluster_id" -}}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}}
+{{- include "pulsar.autorecovery.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@ -37,7 +37,7 @@ Define bookie zookeeper client tls settings
 */}}
 {{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "bookie" "isClient" true "isCacerts" .Values.tls.bookie.cacerts.enabled) -}}
 {{- end }}
 {{- end }}
@ -45,18 +45,30 @@ Define bookie zookeeper client tls settings
 Define bookie tls certs mounts
 */}}
 {{- define "pulsar.bookkeeper.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
+{{- if .Values.tls.enabled }}
 {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
 - name: bookie-certs
  mountPath: "/pulsar/certs/bookie"
  readOnly: true
 {{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  mountPath: "/pulsar/keytool/keytool.sh"
  subPath: keytool.sh
 {{- end }}
 {{- if .Values.tls.bookie.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: bookie-cacerts
 {{- range $cert := .Values.tls.bookie.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
@ -64,7 +76,8 @@ Define bookie tls certs mounts
 Define bookie tls certs volumes
 */}}
 {{- define "pulsar.bookkeeper.certs.volumes" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
+{{- if .Values.tls.enabled }}
 {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
 - name: bookie-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
@ -73,18 +86,35 @@ Define bookie tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
 {{- if .Values.tls.zookeeper.enabled }}
    - key: tls-combined.pem
      path: tls-combined.pem
 {{- end }}
 {{- end }}
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  configMap:
    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
    defaultMode: 0755
 {{- end }}
 {{- if .Values.tls.bookie.cacerts.enabled }}
 - name: bookie-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.bookie.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
@ -136,7 +166,7 @@ PULSAR_PREFIX_tlsCertificatePath: /pulsar/certs/bookie/tls.crt
 PULSAR_PREFIX_tlsKeyStoreType: PEM
 PULSAR_PREFIX_tlsKeyStore: /pulsar/certs/bookie/tls.key
 PULSAR_PREFIX_tlsTrustStoreType: PEM
-PULSAR_PREFIX_tlsTrustStore: /pulsar/certs/ca/ca.crt 
+PULSAR_PREFIX_tlsTrustStore: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.bookie.cacerts.enabled | quote }}
 {{- end }}
 {{- end }}
@ -147,7 +177,7 @@ Define bookie init container : verify cluster id
 {{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
@ -157,7 +187,7 @@ bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true
 set -e;
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
  sleep 3;
 done;
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@ -43,7 +43,7 @@ Define broker zookeeper client tls settings
 */}}
 {{- define "pulsar.broker.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "broker" "isClient" true "isCacerts" .Values.tls.broker.cacerts.enabled) -}}
 {{- end }}
 {{- end }}
@ -51,18 +51,30 @@ Define broker zookeeper client tls settings
 Define broker tls certs mounts
 */}}
 {{- define "pulsar.broker.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
+{{- if .Values.tls.enabled }}
 {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
 - name: broker-certs
  mountPath: "/pulsar/certs/broker"
  readOnly: true
 {{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  mountPath: "/pulsar/keytool/keytool.sh"
  subPath: keytool.sh
 {{- end }}
 {{- if .Values.tls.broker.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: broker-cacerts
 {{- range $cert := .Values.tls.broker.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
@ -70,7 +82,8 @@ Define broker tls certs mounts
 Define broker tls certs volumes
 */}}
 {{- define "pulsar.broker.certs.volumes" -}}
-{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
+{{- if .Values.tls.enabled }}
 {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
 - name: broker-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
@ -79,17 +92,34 @@ Define broker tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
 {{- if .Values.tls.zookeeper.enabled }}
    - key: tls-combined.pem
      path: tls-combined.pem
 {{- end }}
 {{- end }}
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
+{{- end }}
- name: keytool
+{{- if .Values.tls.broker.cacerts.enabled }}
 - name: broker-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.broker.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@ -58,3 +58,75 @@ Define the pulsar certs ca issuer secret name
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Common certificate template
 Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}}
 */}}
 {{- define "pulsar.cert.template" -}}
 {{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
 {{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
 {{- end -}}
 apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
  namespace: {{ template "pulsar.namespace" .root }}
  labels:
    {{- include "pulsar.standardLabels" .root | nindent 4 }}
 spec:
  # Secret names are always required.
  secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
 {{- if .root.Values.tls.zookeeper.enabled }}
  additionalOutputFormats:
    - type: CombinedPEM
 {{- end }}
  duration: "{{ .root.Values.tls.common.duration }}"
  renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
  subject:
    organizations:
 {{ toYaml .root.Values.tls.common.organization | indent 4 }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}"
  isCA: false
  privateKey:
    size: {{ .root.Values.tls.common.keySize }}
    algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
    encoding: {{ .root.Values.tls.common.keyEncoding }}
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, USI SAN, or IP address is required.
  dnsNames:
 {{- if .tlsConfig.dnsNames }}
 {{ toYaml .tlsConfig.dnsNames | indent 4 }}
 {{- end }}
    - {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }}
    - {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 {{- end -}}
 {{/*
 CA certificates template
 Usage: {{ include "pulsar.certs.cacerts" (dict "certs" .Values.tls.<component>.cacerts.certs) }}
 */}}
 {{- define "pulsar.certs.cacerts" -}}
 {{- $certs := .certs -}}
 {{- $cacerts := list -}}
 {{- $cacerts = print "/pulsar/certs/ca/ca.crt" | append $cacerts -}}
 {{- range $cert := $certs -}}
 {{- range $key := $cert.secretKeys -}}
 {{- $cacerts = print "/pulsar/certs/" $cert.name "/" $key | append $cacerts -}}
 {{- end -}}
 {{- end -}}
 {{ join " " $cacerts }}
 {{- end -}}
--- a/charts/pulsar/templates/_monitor.tpl
+++ b/charts/pulsar/templates/_monitor.tpl
@ -43,10 +43,7 @@ kind: PodMonitor
 metadata:
  name: {{ template "pulsar.fullname" $root }}-{{ replace "." "-" $component }}
  labels:
-    app: {{ template "pulsar.name" $root }}
+    {{- include "pulsar.standardLabels" $root | nindent 4 }}
    chart: {{ template "pulsar.chart" $root }}
    release: {{ $root.Release.Name }}
    heritage: {{ $root.Release.Service }}
 spec:
  jobLabel: {{ replace "." "-" $component }}
  podMetricsEndpoints:
--- a/charts/pulsar/templates/_proxy.tpl
+++ b/charts/pulsar/templates/_proxy.tpl
@ -0,0 +1,95 @@
 {{/*
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 */}}
 {{/*
 Define proxy tls certs mounts
 */}}
 {{- define "pulsar.proxy.certs.volumeMounts" -}}
 {{- if .Values.tls.enabled }}
 {{- if .Values.tls.proxy.enabled }}
 - mountPath: "/pulsar/certs/proxy"
  name: proxy-certs
  readOnly: true
 {{- end }}
 - mountPath: "/pulsar/certs/ca"
  name: ca
  readOnly: true
 {{- end }}
 {{- if .Values.tls.proxy.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: proxy-cacerts
 {{- range $cert := .Values.tls.proxy.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
 {{/*
 Define proxy tls certs volumes
 */}}
 {{- define "pulsar.proxy.certs.volumes" -}}
 {{- if .Values.tls.enabled }}
 {{- if .Values.tls.proxy.enabled }}
 - name: proxy-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
    items:
      - key: tls.crt
        path: tls.crt
      - key: tls.key
        path: tls.key
      {{- if .Values.tls.zookeeper.enabled }}
      - key: tls-combined.pem
        path: tls-combined.pem
      {{- end }}
 {{- end }}
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
      - key: ca.crt
        path: ca.crt
 {{- end }}
 {{- if .Values.tls.proxy.cacerts.enabled }}
 - name: proxy-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.proxy.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@ -36,7 +36,7 @@ Define toolset zookeeper client tls settings
 */}}
 {{- define "pulsar.toolset.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}}
-/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "toolset" "isClient" true "isCacerts" .Values.tls.toolset.cacerts.enabled) -}}
 {{- end -}}
 {{- end }}
@ -44,18 +44,30 @@ Define toolset zookeeper client tls settings
 Define toolset tls certs mounts
 */}}
 {{- define "pulsar.toolset.certs.volumeMounts" -}}
-{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+{{- if .Values.tls.enabled }}
 {{- if .Values.tls.zookeeper.enabled }}
 - name: toolset-certs
  mountPath: "/pulsar/certs/toolset"
  readOnly: true
 {{- end }}
 - name: ca
  mountPath: "/pulsar/certs/ca"
  readOnly: true
 {{- if .Values.tls.zookeeper.enabled }}
 - name: keytool
  mountPath: "/pulsar/keytool/keytool.sh"
  subPath: keytool.sh
 {{- end }}
 {{- if .Values.tls.toolset.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: toolset-cacerts
 {{- range $cert := .Values.tls.toolset.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
@ -63,7 +75,8 @@ Define toolset tls certs mounts
 Define toolset tls certs volumes
 */}}
 {{- define "pulsar.toolset.certs.volumes" -}}
-{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+{{- if .Values.tls.enabled  }}
 {{- if .Values.tls.zookeeper.enabled }}
 - name: toolset-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
@ -72,17 +85,32 @@ Define toolset tls certs volumes
      path: tls.crt
    - key: tls.key
      path: tls.key
    - key: tls-combined.pem
      path: tls-combined.pem
 {{- end }}
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
    - key: ca.crt
      path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
+{{- end }}
- name: keytool
+{{- if .Values.tls.toolset.cacerts.enabled }}
 - name: toolset-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.toolset.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
+    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/_tplvalues.tpl
+++ b/charts/pulsar/templates/_tplvalues.tpl
@ -0,0 +1,37 @@
 {{/*
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 */}}
 {{/*
 Renders a value that contains template perhaps with scope if the scope is present.
 Usage:
 {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
 {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
 */}}
 {{- define "common.tplvalues.render" -}}
 {{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
 {{- if contains "{{" (toJson .value) }}
  {{- if .scope }}
      {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
  {{- else }}
    {{- tpl $value .context }}
  {{- end }}
 {{- else }}
    {{- $value }}
 {{- end }}
 {{- end -}}
--- a/charts/pulsar/templates/_zookeeper.tpl
+++ b/charts/pulsar/templates/_zookeeper.tpl
@ -53,7 +53,93 @@ Define zookeeper tls settings
 */}}
 {{- define "pulsar.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "zookeeper" "isClient" false "isCacerts" .Values.tls.zookeeper.cacerts.enabled) -}}
 {{- end }}
 {{- end }}
 {{- define "pulsar.component.zookeeper.tls.settings" }}
 {{- $component := .component -}}
 {{- $isClient := .isClient -}}
 {{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}}
 {{- $caFile := ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .isCacerts -}}
 {{- if $isClient }}
 echo $'\n' >> conf/pulsar_env.sh
 echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
 echo $'\n' >> conf/bkenv.sh
 echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh
 {{- else }}
 echo $'\n' >> conf/pulsar_env.sh
 echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
 {{- end }}
 {{- end }}
 {{/*
 Define zookeeper tls certs mounts
 */}}
 {{- define "pulsar.zookeeper.certs.volumeMounts" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
 - mountPath: "/pulsar/certs/zookeeper"
  name: zookeeper-certs
  readOnly: true
 - mountPath: "/pulsar/certs/ca"
  name: ca
  readOnly: true
 {{- end }}
 {{- if .Values.tls.zookeeper.cacerts.enabled }}
 - mountPath: "/pulsar/certs/cacerts"
  name: zookeeper-cacerts
 {{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
 - name: {{ $cert.name }}
  mountPath: "/pulsar/certs/{{ $cert.name }}"
  readOnly: true
 {{- end }}
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem.sh"
  subPath: certs-combine-pem.sh
 - name: certs-scripts
  mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
  subPath: certs-combine-pem-infinity.sh
 {{- end }}
 {{- end }}
 {{/*
 Define zookeeper tls certs volumes
 */}}
 {{- define "pulsar.zookeeper.certs.volumes" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
 - name: zookeeper-certs
  secret:
    secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
    items:
      - key: tls.crt
        path: tls.crt
      - key: tls.key
        path: tls.key
      - key: tls-combined.pem
        path: tls-combined.pem
 - name: ca
  secret:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
    items:
      - key: ca.crt
        path: ca.crt
 {{- end }}
 {{- if .Values.tls.zookeeper.cacerts.enabled }}
 - name: zookeeper-cacerts
  emptyDir: {}
 {{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
 - name: {{ $cert.name }}
  secret:
    secretName: "{{ $cert.existingSecret }}"
    items:
    {{- range $key := $cert.secretKeys }}
      - key: {{ $key }}
        path: {{ $key }}
    {{- end }}
 {{- end }}
 - name: certs-scripts
  configMap:
    name: "{{ template "pulsar.fullname" . }}-certs-scripts"
    defaultMode: 0755
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/autorecovery-statefulset.yaml
+++ b/charts/pulsar/templates/autorecovery-statefulset.yaml
@ -113,6 +113,18 @@ spec:
      terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }}
      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
      initContainers:
      {{- if .Values.tls.autorecovery.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.autorecovery "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.autorecovery "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
        - |
          bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.autorecovery.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.autorecovery.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if and .Values.autorecovery.waitBookkeeperTimeout (gt (.Values.autorecovery.waitBookkeeperTimeout | int) 0) }}
      # This initContainer will wait for bookkeeper initnewcluster to complete
      # before deploying the bookies
@ -147,6 +159,11 @@ spec:
        command: ["sh", "-c"]
        args:
        - |
          {{- if .Values.tls.autorecovery.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.autorecovery.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/bookkeeper.conf;
          {{- include "pulsar.autorecovery.zookeeper.tls.settings" . | nindent 10 }}
          OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/bookkeeper autorecovery
--- a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
+++ b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml
@ -33,6 +33,10 @@ spec:
  ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
 {{- end }}
  template:
    metadata:
      labels:
        {{- include "pulsar.template.labels" . | nindent 8 }}
        component: {{ .Values.bookkeeper.component }}-init
    spec:
    {{- include "pulsar.imagePullSecrets" . | nindent 6 }}
      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
@ -45,6 +49,18 @@ spec:
 {{ toYaml .Values.pulsar_metadata.tolerations | indent 8 }}
      {{- end }}
      initContainers:
      {{- if .Values.tls.bookie.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.bookie "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
          - |
            bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if and .Values.components.zookeeper .Values.bookkeeper.metadata.waitZookeeperTimeout (gt (.Values.bookkeeper.metadata.waitZookeeperTimeout | int) 0) }}
      - name: wait-zookeeper-ready
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
--- a/charts/pulsar/templates/bookkeeper-statefulset.yaml
+++ b/charts/pulsar/templates/bookkeeper-statefulset.yaml
@ -115,6 +115,18 @@ spec:
      {{- end }}
      {{- if and .Values.bookkeeper.waitMetadataTimeout (gt (.Values.bookkeeper.waitMetadataTimeout | int) 0) }}
      initContainers:
      {{- if .Values.tls.bookie.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.bookie "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
        - |
          bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.bookkeeper.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      # This initContainer will wait for bookkeeper initnewcluster to complete
      # before deploying the bookies
      - name: pulsar-bookkeeper-verify-clusterid
@ -195,6 +207,11 @@ spec:
          {{- if .Values.bookkeeper.additionalCommand }}
          {{ .Values.bookkeeper.additionalCommand }}
          {{- end }}
          {{- if .Values.tls.bookie.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/bookkeeper.conf;
          {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }}
          OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie;
--- a/charts/pulsar/templates/broker-configmap.yaml
+++ b/charts/pulsar/templates/broker-configmap.yaml
@ -204,7 +204,7 @@ data:
  # TLS Settings
  tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
  tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
-  tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
+  tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
  {{- end }}
  # Authentication Settings
@ -260,13 +260,13 @@ data:
  bookkeeperTLSKeyFileType: "PEM"
  bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key"
  bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt"
-  bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
+  bookkeeperTLSTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
  bookkeeperTLSTrustCertTypes: "PEM"
  PULSAR_PREFIX_bookkeeperTLSClientAuthentication: "true"
  PULSAR_PREFIX_bookkeeperTLSKeyFileType: "PEM"
  PULSAR_PREFIX_bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key"
  PULSAR_PREFIX_bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt"
-  PULSAR_PREFIX_bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
+  PULSAR_PREFIX_bookkeeperTLSTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
  PULSAR_PREFIX_bookkeeperTLSTrustCertTypes: "PEM"
  # https://github.com/apache/bookkeeper/pull/2300
  bookkeeperUseV2WireProtocol: "false"
--- a/charts/pulsar/templates/broker-statefulset.yaml
+++ b/charts/pulsar/templates/broker-statefulset.yaml
@ -130,6 +130,18 @@ spec:
        {{- end }}
      terminationGracePeriodSeconds: {{ .Values.broker.gracePeriod }}
      initContainers:
      {{- if .Values.tls.broker.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.broker "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.broker "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
          - |
            bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.broker.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.broker.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if and .Values.components.zookeeper .Values.broker.waitZookeeperTimeout (gt (.Values.broker.waitZookeeperTimeout | int) 0) }}
      # This init container will wait for zookeeper to be ready before
      # deploying the bookies
@ -243,6 +255,11 @@ spec:
        {{- if .Values.broker.additionalCommand }}
          {{ .Values.broker.additionalCommand }}
        {{- end }}
          {{- if .Values.tls.broker.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.broker.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/broker.conf;
          bin/gen-yml-from-env.py conf/functions_worker.yml;
          echo "OK" > "${statusFilePath:-status}";
--- a/charts/pulsar/templates/certs-scripts-configmap.yaml
+++ b/charts/pulsar/templates/certs-scripts-configmap.yaml
@ -0,0 +1,82 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "pulsar.fullname" . }}-certs-scripts"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
    component: certs-scripts 
 data:
    certs-combine-pem.sh: |
      #!/bin/bash
      # This script combines all certificates into a single file.
      # Usage: certs-combine-pem.sh <output_file> <cert1> <cert2> ...
      set -eu -o pipefail
      if [ "$#" -lt 2 ]; then
        echo "Usage: $0 <output_file> <cert1> <cert2> ..."
        exit 1
      fi
      OUTPUT_FILE="$1"
      shift
      OUTPUT_FILE_TMP="${OUTPUT_FILE}.tmp"
      rm -f "$OUTPUT_FILE_TMP"
      for CERT in "$@"; do
        if [ -f "$CERT" ]; then
          echo "# $CERT" >> "$OUTPUT_FILE_TMP"
          cat "$CERT" >> "$OUTPUT_FILE_TMP"
        else
          echo "Certificate file '$CERT' does not exist, skipping"
        fi
      done
      if [ ! -f "$OUTPUT_FILE" ]; then
        touch "$OUTPUT_FILE"
      fi
      if diff -q "$OUTPUT_FILE" "$OUTPUT_FILE_TMP" > /dev/null; then
        # No changes detected, skipping update
        rm -f "$OUTPUT_FILE_TMP"
      else
        # Update $OUTPUT_FILE with new certificates
        mv "$OUTPUT_FILE_TMP" "$OUTPUT_FILE"
      fi
    certs-combine-pem-infinity.sh: |
      #!/bin/bash
      # This script combines all certificates into a single file, every minutes.
      # Usage: certs-combine-pem-infinity.sh <output_file> <cert1> <cert2> ...
      set -eu -o pipefail
      if [ "$#" -lt 2 ]; then
        echo "Usage: $0 <output_file> <cert1> <cert2> ..."
        exit 1
      fi
      while true; do
        /pulsar/bin/certs-combine-pem.sh "$@"
        sleep 60
      done
--- a/charts/pulsar/templates/extra-list.yaml
+++ b/charts/pulsar/templates/extra-list.yaml
@ -0,0 +1,23 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 {{- range .Values.extraDeploy }}
 ---
 {{ include "common.tplvalues.render" (dict "value" . "context" $) }}
 {{- end }}
--- a/charts/pulsar/templates/keytool.yaml
+++ b/charts/pulsar/templates/keytool.yaml
@ -1,110 +0,0 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 # script to process key/cert to keystore and truststore
 {{- if .Values.tls.zookeeper.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
    component: keytool 
 data:
  keytool.sh: |
    #!/bin/bash
    component=$1
    name=$2
    isClient=$3
    crtFile=/pulsar/certs/${component}/tls.crt
    keyFile=/pulsar/certs/${component}/tls.key
    caFile=/pulsar/certs/ca/ca.crt
    tlsDir=/tmp/pulsar-tls$$
    p12File=${tlsDir}/${component}.p12
    keyStoreFile=${tlsDir}/${component}.keystore.jks
    trustStoreFile=${tlsDir}/${component}.truststore.jks
    # create tmp dir for keystore and truststore files
    mkdir ${tlsDir}
    chmod 0700 ${tlsDir}
    function checkFile() {
        local file=$1
        local len=$(wc -c ${file} | awk '{print $1}')
        echo "processing ${file} : len = ${len}"
        if [ ! -f ${file} ]; then
            echo "${file} is not found"
            return -1
        fi
        if [ $len -le 0 ]; then
            echo "${file} is empty"
            return -1
        fi
    }
    function ensureFileNotEmpty() {
        local file=$1
        until checkFile ${file}; do
            echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3;
        done;
    }
    ensureFileNotEmpty ${crtFile}
    ensureFileNotEmpty ${keyFile}
    ensureFileNotEmpty ${caFile}
    PASSWORD=$(head /dev/urandom | base64 | head -c 24)
    openssl pkcs12 \
        -export \
        -in ${crtFile} \
        -inkey ${keyFile} \
        -out ${p12File} \
        -name ${name} \
        -passout "pass:${PASSWORD}"
    keytool -importkeystore \
        -srckeystore ${p12File} \
        -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
        -alias ${name} \
        -destkeystore ${keyStoreFile} \
        -deststorepass "${PASSWORD}"
    keytool -import \
        -file ${caFile} \
        -storetype JKS \
        -alias ${name} \
        -keystore ${trustStoreFile} \
        -storepass "${PASSWORD}" \
        -trustcacerts -noprompt
    ensureFileNotEmpty ${keyStoreFile}
    ensureFileNotEmpty ${trustStoreFile}
    if [[ "x${isClient}" == "xtrue" ]]; then
        echo $'\n' >> conf/pulsar_env.sh
        echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
        echo $'\n' >> conf/bkenv.sh
        echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
    else
        echo $'\n' >> conf/pulsar_env.sh
        echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
    fi
 {{- end }}
--- a/charts/pulsar/templates/oxia-coordinator-deployment.yaml
+++ b/charts/pulsar/templates/oxia-coordinator-deployment.yaml
@ -77,6 +77,10 @@ spec:
            limits:
              cpu: {{ .Values.oxia.coordinator.cpuLimit }}
              memory: {{ .Values.oxia.coordinator.memoryLimit }}
      {{- if .Values.oxia.coordinator.extraVolumeMounts }}
          volumeMounts:
        {{- toYaml .Values.oxia.coordinator.extraVolumeMounts | nindent 12 }}
      {{- end }}
          livenessProbe:
            {{- include "oxia-cluster.probe" .Values.oxia.coordinator.ports.internal | nindent 12 }}
          readinessProbe:
--- a/charts/pulsar/templates/proxy-configmap.yaml
+++ b/charts/pulsar/templates/proxy-configmap.yaml
@ -42,14 +42,14 @@ data:
  webServicePortTls: "{{ .Values.proxy.ports.containerPorts.https }}"
  tlsCertificateFilePath: "/pulsar/certs/proxy/tls.crt"
  tlsKeyFilePath: "/pulsar/certs/proxy/tls.key"
-  tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
+  tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.proxy.cacerts.enabled | quote }}
  {{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
  # if broker enables TLS, configure proxy to talk to broker using TLS
  brokerServiceURLTLS: pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}
  brokerWebServiceURLTLS: https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }}
  tlsEnabledWithBroker: "true"
  tlsCertRefreshCheckDurationSec: "300"
-  brokerClientTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
+  brokerClientTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.proxy.cacerts.enabled | quote }}
  {{- end }}
  {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }}
  brokerServiceURL: pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }}
--- a/charts/pulsar/templates/proxy-hpa.yaml
+++ b/charts/pulsar/templates/proxy-hpa.yaml
@ -27,6 +27,8 @@ kind: HorizontalPodAutoscaler
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
 spec:
  maxReplicas: {{ .Values.proxy.autoscaling.maxReplicas }}
  {{- with .Values.proxy.autoscaling.metrics }}
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@ -112,6 +112,18 @@ spec:
      terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
      initContainers:
      {{- if .Values.tls.proxy.cacerts.enabled }}
      - name: combine-certs
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.proxy "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.proxy "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
          - |
            bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.proxy.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.proxy.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if and .Values.components.zookeeper .Values.proxy.waitZookeeperTimeout (gt (.Values.proxy.waitZookeeperTimeout | int) 0) }}
      # This init container will wait for zookeeper to be ready before
      # deploying the bookies
@ -214,6 +226,11 @@ spec:
        {{- if .Values.proxy.additionalCommand }}
          {{ .Values.proxy.additionalCommand }}
        {{- end }}
          {{- if .Values.tls.proxy.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.proxy.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/proxy.conf &&
          echo "OK" > "${statusFilePath:-status}" &&
          OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar proxy
@ -250,16 +267,7 @@ spec:
            readOnly: true
          {{- end }}
          {{- end }}
-          {{- if .Values.tls.proxy.enabled }}
+          {{- include "pulsar.proxy.certs.volumeMounts" . | nindent 10 }}
          - mountPath: "/pulsar/certs/proxy"
            name: proxy-certs
            readOnly: true
          {{- end}}
          {{- if .Values.tls.enabled }}
          - mountPath: "/pulsar/certs/ca"
            name: ca
            readOnly: true
          {{- end}}
          {{- if .Values.proxy.extraVolumeMounts }}
 {{ toYaml .Values.proxy.extraVolumeMounts | indent 10 }}
          {{- end }}
@ -296,21 +304,6 @@ spec:
                path: proxy/token
        {{- end}}
        {{- end}}
-        {{- if .Values.tls.proxy.enabled }}
+        {{- include "pulsar.proxy.certs.volumes" . | nindent 8 }}
        - name: ca
          secret:
            secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
            items:
              - key: ca.crt
                path: ca.crt
        - name: proxy-certs
          secret:
            secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
        {{- end}}
      {{- end}}
 {{- end }}
--- a/charts/pulsar/templates/pulsar-cluster-initialize.yaml
+++ b/charts/pulsar/templates/pulsar-cluster-initialize.yaml
@ -34,6 +34,10 @@ spec:
  ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
 {{- end }}
  template:
    metadata:
      labels:
        {{- include "pulsar.template.labels" . | nindent 8 }}
        component: {{ .Values.pulsar_metadata.component }}
    spec:
    {{- include "pulsar.imagePullSecrets" . | nindent 6 }}
    {{- if .Values.pulsar_metadata.nodeSelector }}
@ -41,6 +45,18 @@ spec:
 {{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }}
    {{- end }}
      initContainers:
      {{- if .Values.tls.toolset.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.pulsar_metadata.image "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.pulsar_metadata.image "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
          - |
            bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if and .Values.components.zookeeper .Values.pulsar_metadata.waitZookeeperTimeout (gt (.Values.pulsar_metadata.waitZookeeperTimeout | int) 0) }}
      {{- if .Values.pulsar_metadata.configurationStore }}
      - name: wait-zk-cs-ready
--- a/charts/pulsar/templates/pulsar-manager-admin-secret.yaml
+++ b/charts/pulsar/templates/pulsar-manager-admin-secret.yaml
@ -24,12 +24,8 @@ metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
-    app: {{ template "pulsar.name" . }}
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
    chart: {{ template "pulsar.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.pulsar_manager.component }}
    cluster: {{ template "pulsar.fullname" . }}
    "helm.sh/resource-policy": "keep"  # do not remove when uninstalling to keep it for next install
 type: Opaque
 data:
--- a/charts/pulsar/templates/pulsar-manager-cluster-initialize.yaml
+++ b/charts/pulsar/templates/pulsar-manager-cluster-initialize.yaml
@ -32,6 +32,10 @@ spec:
  ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
  {{- end }}
  template:
    metadata:
      labels:
        {{- include "pulsar.template.labels" . | nindent 8 }}
        component: {{ .Values.pulsar_manager.component }}-init
    spec:
    {{- include "pulsar.imagePullSecrets" . | nindent 6 }}
      nodeSelector:
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@ -24,6 +24,8 @@ kind: Issuer
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
 spec:
  selfSigned: {}
 ---
@ -32,6 +34,8 @@ kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-ca"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
 spec:
  secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
  commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
@ -56,6 +60,8 @@ kind: Issuer
 metadata:
  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
  namespace: {{ template "pulsar.namespace" . }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
 spec:
  ca:
    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@ -21,323 +21,27 @@
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, USI SAN, or IP address is required.
  dnsNames:
 {{- if .Values.tls.proxy.dnsNames }}
 {{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
 {{- end }}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
 {{- end }}
 {{- end }}
 {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.broker "tlsConfig" .Values.tls.broker) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, USI SAN, or IP address is required.
  dnsNames:
 {{- if .Values.tls.broker.dnsNames }}
 {{ toYaml .Values.tls.broker.dnsNames | indent 4 }}
 {{- end}}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
 {{- end }}
 {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.bookkeeper "tlsConfig" .Values.tls.bookie) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  dnsNames:
 {{- if .Values.tls.bookie.dnsNames }}
 {{ toYaml .Values.tls.bookie.dnsNames | indent 4 }}
 {{- end }}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
 {{- end }}
 {{- if .Values.tls.zookeeper.enabled }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.autorecovery "tlsConfig" .Values.tls.autorecovery) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.autorecovery.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  dnsNames:
 {{- if .Values.tls.autorecovery.dnsNames }}
 {{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }}
 {{- end }}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.toolset "tlsConfig" .Values.tls.toolset) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  dnsNames:
 {{- if .Values.tls.toolset.dnsNames }}
 {{ toYaml .Values.tls.toolset.dnsNames | indent 4 }}
 {{- end }}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.zookeeper "tlsConfig" .Values.tls.zookeeper) }}
 kind: Certificate
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name }}"
  namespace: {{ template "pulsar.namespace" . }}
 spec:
  # Secret names are always required.
  secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
  duration: "{{ .Values.tls.common.duration }}"
  renewBefore: "{{ .Values.tls.common.renewBefore }}"
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  subject:
    organizations:
 {{ toYaml .Values.tls.common.organization | indent 4 }}
  {{- else }}
  organization:
 {{ toYaml .Values.tls.common.organization | indent 2 }}
  {{- end }}
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
  isCA: false
  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
  privateKey:
    size: {{ .Values.tls.common.keySize }}
    algorithm: {{ .Values.tls.common.keyAlgorithm }}
    encoding: {{ .Values.tls.common.keyEncoding }}
  {{- else }}
  keySize: {{ .Values.tls.common.keySize }}
  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
  keyEncoding: {{ .Values.tls.common.keyEncoding }}
  {{- end }}
  usages:
    - server auth
    - client auth
  dnsNames:
 {{- if .Values.tls.zookeeper.dnsNames }}
 {{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }}
 {{- end }}
    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
  # Issuer references are always required.
  issuerRef:
    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
 {{- end }}
 {{- end }}
--- a/charts/pulsar/templates/toolset-configmap.yaml
+++ b/charts/pulsar/templates/toolset-configmap.yaml
@ -36,7 +36,7 @@ data:
  brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}/"
  useTls: "true"
  tlsAllowInsecureConnection: "false"
-  tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt"
+  tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.toolset.cacerts.enabled | quote }}
  tlsEnableHostnameVerification: "false"
  {{- end }}
  {{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }}
@ -51,7 +51,7 @@ data:
  brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.pulsarssl }}/"
  useTls: "true"
  tlsAllowInsecureConnection: "false"
-  tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt"
+  tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.toolset.cacerts.enabled | quote }}
  tlsEnableHostnameVerification: "false"
  {{- end }}
  {{- if not (and .Values.tls.enabled .Values.tls.proxy.enabled) }}
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@ -64,8 +64,20 @@ spec:
    {{- end }}
      terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
      serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
      {{- if .Values.toolset.initContainers }}
      initContainers:
      {{- if .Values.tls.toolset.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.toolset "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.toolset "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
          - |
            bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if .Values.toolset.initContainers }}
        {{- toYaml .Values.toolset.initContainers | nindent 6 }}
      {{- end }}
      containers:
@ -87,6 +99,11 @@ spec:
        {{- if .Values.toolset.additionalCommand }}
          {{ .Values.toolset.additionalCommand }}
        {{- end }}
          {{- if .Values.tls.toolset.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/client.conf;
          bin/apply-config-from-env.py conf/bookkeeper.conf;
          {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
@ -102,11 +119,6 @@ spec:
          readOnly: true
        {{- end }}
        {{- end }}
        {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
        - mountPath: "/pulsar/certs/proxy-ca"
          name: proxy-ca
          readOnly: true
        {{- end}}
        {{- if .Values.toolset.extraVolumeMounts }}
 {{ toYaml .Values.toolset.extraVolumeMounts | indent 8 }}
        {{- end }}
@ -122,14 +134,6 @@ spec:
              path: client/token
      {{- end}}
      {{- end}}
      {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
      - name: proxy-ca
        secret:
          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
          items:
            - key: ca.crt
              path: ca.crt
      {{- end}}
      {{- if .Values.toolset.extraVolumes }}
 {{ toYaml .Values.toolset.extraVolumes | indent 6 }}
      {{- end }}
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@ -114,8 +114,20 @@ spec:
      securityContext:
 {{ toYaml .Values.zookeeper.securityContext | indent 8 }}
      {{- end }}
      {{- if .Values.zookeeper.initContainers }}
      initContainers:
      {{- if .Values.tls.zookeeper.cacerts.enabled }}
      - name: cacerts
        image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.zookeeper "root" .) }}"
        imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.zookeeper "root" .) }}"
        resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
        command: ["sh", "-c"]
        args:
        - |
          bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.zookeeper.cacerts.certs) }}
        volumeMounts:
        {{- include "pulsar.zookeeper.certs.volumeMounts" . | nindent 8 }}
      {{- end }}
      {{- if .Values.zookeeper.initContainers }}
        {{- toYaml .Values.zookeeper.initContainers | nindent 6 }}
      {{- end }}
      containers:
@ -132,6 +144,11 @@ spec:
        {{- if .Values.zookeeper.additionalCommand }}
          {{ .Values.zookeeper.additionalCommand }}
        {{- end }}
          {{- if .Values.tls.zookeeper.cacerts.enabled }}
          cd /pulsar/certs/cacerts;
          nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.zookeeper.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
          cd /pulsar;
          {{- end }}
          bin/apply-config-from-env.py conf/zookeeper.conf;
          {{- include "pulsar.zookeeper.tls.settings" . | nindent 10 }}
          bin/generate-zookeeper-config.sh conf/zookeeper.conf;
@ -220,17 +237,7 @@ spec:
        - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.datalog.name }}"
          mountPath: /pulsar/data-log
        {{- end }}
-        {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
+        {{- include "pulsar.zookeeper.certs.volumeMounts" . | nindent 8 }}
        - mountPath: "/pulsar/certs/zookeeper"
          name: zookeeper-certs
          readOnly: true
        - mountPath: "/pulsar/certs/ca"
          name: ca
          readOnly: true
        - name: keytool
          mountPath: "/pulsar/keytool/keytool.sh"
          subPath: keytool.sh
        {{- end }}
        {{- if .Values.zookeeper.extraVolumeMounts }}
 {{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }}
        {{- end }}
@ -239,29 +246,10 @@ spec:
      - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}"
        emptyDir: {}
      {{- end }}
      {{- include "pulsar.zookeeper.certs.volumes" . | nindent 6 }}
      {{- if .Values.zookeeper.extraVolumes }}
 {{ toYaml .Values.zookeeper.extraVolumes | indent 6 }}
      {{- end }}
      {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
      - name: zookeeper-certs
        secret:
          secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
          items:
            - key: tls.crt
              path: tls.crt
            - key: tls.key
              path: tls.key
      - name: ca
        secret:
          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
          items:
            - key: ca.crt
              path: ca.crt
      - name: keytool
        configMap:
          name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
          defaultMode: 0755
      {{- end}}
      {{- include "pulsar.imagePullSecrets" . | nindent 6}}
 {{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }}
  volumeClaimTemplates:
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@ -241,6 +241,13 @@ tls:
    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
    dnsNames:
    # - example.com
    cacerts:
      enabled: false
      certs:
        # - name: proxy-cacert
        #   existingSecret: proxy-cacert
        #   secretKeys:
        #     - ca.crt
  # settings for generating certs for broker
  broker:
    enabled: false
@ -248,26 +255,69 @@ tls:
    # The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
    dnsNames:
    # - example.com
    cacerts:
      enabled: false
      certs:
        # - name: broker-cacert
        #   existingSecret: broker-cacert
        #   secretKeys:
        #     - ca.crt
  # settings for generating certs for bookies
  bookie:
    enabled: false
    cert_name: tls-bookie
    cacerts:
      enabled: false
      certs:
        # - name: bookie-cacert
        #   existingSecret: bookie-cacert
        #   secretKeys:
        #     - ca.crt
  # settings for generating certs for zookeeper
  zookeeper:
    enabled: false
    cert_name: tls-zookeeper
    cacerts:
      enabled: false
      certs:
        # - name: zookeeper-cacert
        #   existingSecret: zookeeper-cacert
        #   secretKeys:
        #     - ca.crt
  # settings for generating certs for recovery
  autorecovery:
    cert_name: tls-recovery
    cacerts:
      enabled: false
      certs:
        # - name: autorecovery-cacert
        #   existingSecret: autorecovery-cacert
        #   secretKeys:
        #     - ca.crt
  # settings for generating certs for toolset
  toolset:
    cert_name: tls-toolset
    cacerts:
      enabled: false
      certs:
        # - name: toolset-cacert
        #   existingSecret: toolset-cacert
        #   secretKeys:
        #     - ca.crt
  # TLS setting for function runtime instance
  function_instance:
    # controls the use of TLS for function runtime connections towards brokers
    enabled: false
  oxia:
    enabled: false
  pulsar_metadata:
    cacerts:
      enabled: false
      certs:
        # - name: pulsar-metadata-cacert
        #   existingSecret: pulsar-metadata-cacert
        #   secretKeys:
        #     - ca.crt
 # Enable or disable broker authentication and authorization.
 auth:
@ -554,6 +604,7 @@ oxia:
      # cloud.google.com/gke-nodepool: default-pool
    extraContainers: []
    extraVolumes: []
    extraVolumeMounts: []
    # customConfigMapName: ""
    # entrypoint: []
 ## templates/server-statefulset.yaml
@ -1888,3 +1939,7 @@ initContainer:
    requests:
      memory: 256Mi
      cpu: 0.1
 ## Array of extra objects to deploy with the release (evaluated as a template)
 ##
 extraDeploy: []
--- a/scripts/cert-manager/install-cert-manager.sh
+++ b/scripts/cert-manager/install-cert-manager.sh
@ -25,7 +25,7 @@ set -e
 NAMESPACE=cert-manager
 NAME=cert-manager
 # check compatibility with k8s versions from https://cert-manager.io/docs/installation/supported-releases/
-VERSION=v1.12.16
+VERSION=v1.12.17
 # Install cert-manager CustomResourceDefinition resources
 echo "Installing cert-manager CRD resources ..."
@ -41,10 +41,12 @@ echo "Updating local helm chart repository cache ..."
 helm repo update
 echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as '${NAME}' ..."
-helm install \
+helm upgrade \
  --install \
  --namespace ${NAMESPACE} \
  --create-namespace \
  --version ${VERSION} \
  --set featureGates=AdditionalCertificateOutputFormats=true \
  ${NAME} \
  jetstack/cert-manager
 echo "Successfully installed cert-manager ${VERSION}."
Author	SHA1	Message	Date
gulecroc	e8ab0c6ded	Feat/cacerts (#619 )	2025-06-21 23:13:35 +03:00
Artem Nosulchyk	3e5c82c229	extra volume mounts for oxia coordinator (#618 ) * extra volume mounts for oxia coordinator * . * .	2025-06-13 10:55:02 -07:00
Lari Hotari	7cd7078695	Add labels to all k8s objects (#617 ) * Add labels to all k8s objects * Add labels to initialization job pods	2025-06-09 21:27:23 +03:00
Lari Hotari	2d16ffefd4	Use PEM files directly as ZooKeeper keystore and truststore (#613 )	2025-05-30 18:16:04 +03:00