Compare commits
4 Commits
pulsar-4.1
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
e8ab0c6ded | ||
|
|
3e5c82c229 | ||
|
|
7cd7078695 | ||
|
|
2d16ffefd4 |
105
.ci/clusters/values-cacerts.yaml
Normal file
105
.ci/clusters/values-cacerts.yaml
Normal file
@ -0,0 +1,105 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
|
||||
# enable TLS with cacerts
|
||||
tls:
|
||||
enabled: true
|
||||
proxy:
|
||||
enabled: true
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
broker:
|
||||
enabled: true
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
bookie:
|
||||
enabled: true
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
zookeeper:
|
||||
enabled: true
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
toolset:
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
autorecovery:
|
||||
cacerts:
|
||||
enabled: true
|
||||
certs:
|
||||
- name: common-cacert
|
||||
existingSecret: "pulsar-ci-common-cacert"
|
||||
secretKeys:
|
||||
- ca.crt
|
||||
|
||||
# enable cert-manager
|
||||
certs:
|
||||
internal_issuer:
|
||||
enabled: true
|
||||
type: selfsigning
|
||||
|
||||
# deploy cacerts
|
||||
extraDeploy:
|
||||
- |
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-common-cacert"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
spec:
|
||||
secretName: "{{ template "pulsar.fullname" . }}-common-cacert"
|
||||
commonName: "common-cacert"
|
||||
duration: "{{ .Values.certs.internal_issuer.duration }}"
|
||||
renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
isCA: true
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}"
|
||||
kind: Issuer
|
||||
group: cert-manager.io
|
||||
3
.github/workflows/pulsar-helm-chart-ci.yaml
vendored
3
.github/workflows/pulsar-helm-chart-ci.yaml
vendored
@ -233,6 +233,9 @@ jobs:
|
||||
- name: OpenID
|
||||
values_file: .ci/clusters/values-openid.yaml
|
||||
shortname: openid
|
||||
- name: CA certificates
|
||||
values_file: .ci/clusters/values-cacerts.yaml
|
||||
shortname: cacerts
|
||||
include:
|
||||
- k8sVersion:
|
||||
version: "1.25.16"
|
||||
|
||||
11
README.md
11
README.md
@ -160,7 +160,7 @@ It includes support for:
|
||||
- [x] Broker
|
||||
- [x] Toolset
|
||||
- [x] Bookie
|
||||
- [x] ZooKeeper
|
||||
- [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)
|
||||
- [x] Authentication
|
||||
- [x] JWT
|
||||
- [x] OpenID
|
||||
@ -402,6 +402,15 @@ helm upgrade -n <namespace> -f values.yaml <pulsar-release-name> apachepulsar/pu
|
||||
|
||||
For more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
|
||||
|
||||
## Upgrading to Helm chart version 4.2.0 (not released yet)
|
||||
|
||||
### TLS configuration for ZooKeeper has changed
|
||||
|
||||
The TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.
|
||||
This change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.
|
||||
The revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.
|
||||
If you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.
|
||||
|
||||
## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
|
||||
|
||||
### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`
|
||||
|
||||
@ -36,7 +36,7 @@ Define autorecovery zookeeper client tls settings
|
||||
*/}}
|
||||
{{- define "pulsar.autorecovery.zookeeper.tls.settings" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
/pulsar/keytool/keytool.sh autorecovery {{ template "pulsar.autorecovery.hostname" . }} true;
|
||||
{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "autorecovery" "isClient" true "isCacerts" .Values.tls.autorecovery.cacerts.enabled) -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -51,11 +51,21 @@ Define autorecovery tls certs mounts
|
||||
- name: ca
|
||||
mountPath: "/pulsar/certs/ca"
|
||||
readOnly: true
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
mountPath: "/pulsar/keytool/keytool.sh"
|
||||
subPath: keytool.sh
|
||||
{{- end }}
|
||||
{{- if .Values.tls.autorecovery.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: autorecovery-cacerts
|
||||
{{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -72,18 +82,32 @@ Define autorecovery tls certs volumes
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- if .Values.tls.autorecovery.cacerts.enabled }}
|
||||
- name: autorecovery-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.autorecovery.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -93,7 +117,7 @@ Define autorecovery init container : verify cluster id
|
||||
{{- define "pulsar.autorecovery.init.verify_cluster_id" -}}
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
export BOOKIE_MEM="-Xmx128M";
|
||||
{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}}
|
||||
{{- include "pulsar.autorecovery.zookeeper.tls.settings" . }}
|
||||
until timeout 15 bin/bookkeeper shell whatisinstanceid; do
|
||||
sleep 3;
|
||||
done;
|
||||
|
||||
@ -37,7 +37,7 @@ Define bookie zookeeper client tls settings
|
||||
*/}}
|
||||
{{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . }} true;
|
||||
{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "bookie" "isClient" true "isCacerts" .Values.tls.bookie.cacerts.enabled) -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -45,18 +45,30 @@ Define bookie zookeeper client tls settings
|
||||
Define bookie tls certs mounts
|
||||
*/}}
|
||||
{{- define "pulsar.bookkeeper.certs.volumeMounts" -}}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
|
||||
- name: bookie-certs
|
||||
mountPath: "/pulsar/certs/bookie"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: ca
|
||||
mountPath: "/pulsar/certs/ca"
|
||||
readOnly: true
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
mountPath: "/pulsar/keytool/keytool.sh"
|
||||
subPath: keytool.sh
|
||||
{{- end }}
|
||||
{{- if .Values.tls.bookie.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: bookie-cacerts
|
||||
{{- range $cert := .Values.tls.bookie.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -64,7 +76,8 @@ Define bookie tls certs mounts
|
||||
Define bookie tls certs volumes
|
||||
*/}}
|
||||
{{- define "pulsar.bookkeeper.certs.volumes" -}}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
|
||||
- name: bookie-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
|
||||
@ -73,18 +86,35 @@ Define bookie tls certs volumes
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- if .Values.tls.bookie.cacerts.enabled }}
|
||||
- name: bookie-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.bookie.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -136,7 +166,7 @@ PULSAR_PREFIX_tlsCertificatePath: /pulsar/certs/bookie/tls.crt
|
||||
PULSAR_PREFIX_tlsKeyStoreType: PEM
|
||||
PULSAR_PREFIX_tlsKeyStore: /pulsar/certs/bookie/tls.key
|
||||
PULSAR_PREFIX_tlsTrustStoreType: PEM
|
||||
PULSAR_PREFIX_tlsTrustStore: /pulsar/certs/ca/ca.crt
|
||||
PULSAR_PREFIX_tlsTrustStore: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.bookie.cacerts.enabled | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -147,7 +177,7 @@ Define bookie init container : verify cluster id
|
||||
{{- if not (and .Values.volumes.persistence .Values.bookkeeper.volumes.persistence) }}
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
export BOOKIE_MEM="-Xmx128M";
|
||||
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
|
||||
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
|
||||
until timeout 15 bin/bookkeeper shell whatisinstanceid; do
|
||||
sleep 3;
|
||||
done;
|
||||
@ -157,7 +187,7 @@ bin/bookkeeper shell bookieformat -nonInteractive -force -deleteCookie || true
|
||||
set -e;
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
export BOOKIE_MEM="-Xmx128M";
|
||||
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
|
||||
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
|
||||
until timeout 15 bin/bookkeeper shell whatisinstanceid; do
|
||||
sleep 3;
|
||||
done;
|
||||
|
||||
@ -43,7 +43,7 @@ Define broker zookeeper client tls settings
|
||||
*/}}
|
||||
{{- define "pulsar.broker.zookeeper.tls.settings" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} true;
|
||||
{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "broker" "isClient" true "isCacerts" .Values.tls.broker.cacerts.enabled) -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -51,18 +51,30 @@ Define broker zookeeper client tls settings
|
||||
Define broker tls certs mounts
|
||||
*/}}
|
||||
{{- define "pulsar.broker.certs.volumeMounts" -}}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
|
||||
- name: broker-certs
|
||||
mountPath: "/pulsar/certs/broker"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: ca
|
||||
mountPath: "/pulsar/certs/ca"
|
||||
readOnly: true
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
mountPath: "/pulsar/keytool/keytool.sh"
|
||||
subPath: keytool.sh
|
||||
{{- end }}
|
||||
{{- if .Values.tls.broker.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: broker-cacerts
|
||||
{{- range $cert := .Values.tls.broker.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -70,7 +82,8 @@ Define broker tls certs mounts
|
||||
Define broker tls certs volumes
|
||||
*/}}
|
||||
{{- define "pulsar.broker.certs.volumes" -}}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled)) }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
|
||||
- name: broker-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
|
||||
@ -79,17 +92,34 @@ Define broker tls certs volumes
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
{{- end }}
|
||||
{{- if .Values.tls.broker.cacerts.enabled }}
|
||||
- name: broker-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.broker.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -58,3 +58,75 @@ Define the pulsar certs ca issuer secret name
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Common certificate template
|
||||
Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}}
|
||||
*/}}
|
||||
{{- define "pulsar.cert.template" -}}
|
||||
{{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
|
||||
{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
|
||||
{{- end -}}
|
||||
apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" .root }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" .root | nindent 4 }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
|
||||
{{- if .root.Values.tls.zookeeper.enabled }}
|
||||
additionalOutputFormats:
|
||||
- type: CombinedPEM
|
||||
{{- end }}
|
||||
duration: "{{ .root.Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .root.Values.tls.common.organization | indent 4 }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}"
|
||||
isCA: false
|
||||
privateKey:
|
||||
size: {{ .root.Values.tls.common.keySize }}
|
||||
algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .root.Values.tls.common.keyEncoding }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
# At least one of a DNS Name, USI SAN, or IP address is required.
|
||||
dnsNames:
|
||||
{{- if .tlsConfig.dnsNames }}
|
||||
{{ toYaml .tlsConfig.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }}
|
||||
- {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
CA certificates template
|
||||
Usage: {{ include "pulsar.certs.cacerts" (dict "certs" .Values.tls.<component>.cacerts.certs) }}
|
||||
*/}}
|
||||
{{- define "pulsar.certs.cacerts" -}}
|
||||
{{- $certs := .certs -}}
|
||||
{{- $cacerts := list -}}
|
||||
{{- $cacerts = print "/pulsar/certs/ca/ca.crt" | append $cacerts -}}
|
||||
{{- range $cert := $certs -}}
|
||||
{{- range $key := $cert.secretKeys -}}
|
||||
{{- $cacerts = print "/pulsar/certs/" $cert.name "/" $key | append $cacerts -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{ join " " $cacerts }}
|
||||
{{- end -}}
|
||||
|
||||
@ -43,10 +43,7 @@ kind: PodMonitor
|
||||
metadata:
|
||||
name: {{ template "pulsar.fullname" $root }}-{{ replace "." "-" $component }}
|
||||
labels:
|
||||
app: {{ template "pulsar.name" $root }}
|
||||
chart: {{ template "pulsar.chart" $root }}
|
||||
release: {{ $root.Release.Name }}
|
||||
heritage: {{ $root.Release.Service }}
|
||||
{{- include "pulsar.standardLabels" $root | nindent 4 }}
|
||||
spec:
|
||||
jobLabel: {{ replace "." "-" $component }}
|
||||
podMetricsEndpoints:
|
||||
|
||||
95
charts/pulsar/templates/_proxy.tpl
Normal file
95
charts/pulsar/templates/_proxy.tpl
Normal file
@ -0,0 +1,95 @@
|
||||
{{/*
|
||||
Licensed to the Apache Software Foundation (ASF) under one
|
||||
or more contributor license agreements. See the NOTICE file
|
||||
distributed with this work for additional information
|
||||
regarding copyright ownership. The ASF licenses this file
|
||||
to you under the Apache License, Version 2.0 (the
|
||||
"License"); you may not use this file except in compliance
|
||||
with the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing,
|
||||
software distributed under the License is distributed on an
|
||||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
KIND, either express or implied. See the License for the
|
||||
specific language governing permissions and limitations
|
||||
under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Define proxy tls certs mounts
|
||||
*/}}
|
||||
{{- define "pulsar.proxy.certs.volumeMounts" -}}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if .Values.tls.proxy.enabled }}
|
||||
- mountPath: "/pulsar/certs/proxy"
|
||||
name: proxy-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: "/pulsar/certs/ca"
|
||||
name: ca
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.tls.proxy.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: proxy-cacerts
|
||||
{{- range $cert := .Values.tls.proxy.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Define proxy tls certs volumes
|
||||
*/}}
|
||||
{{- define "pulsar.proxy.certs.volumes" -}}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if .Values.tls.proxy.enabled }}
|
||||
- name: proxy-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.tls.proxy.cacerts.enabled }}
|
||||
- name: proxy-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.proxy.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@ -36,7 +36,7 @@ Define toolset zookeeper client tls settings
|
||||
*/}}
|
||||
{{- define "pulsar.toolset.zookeeper.tls.settings" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}}
|
||||
/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} true;
|
||||
{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "toolset" "isClient" true "isCacerts" .Values.tls.toolset.cacerts.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
||||
@ -44,18 +44,30 @@ Define toolset zookeeper client tls settings
|
||||
Define toolset tls certs mounts
|
||||
*/}}
|
||||
{{- define "pulsar.toolset.certs.volumeMounts" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: toolset-certs
|
||||
mountPath: "/pulsar/certs/toolset"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: ca
|
||||
mountPath: "/pulsar/certs/ca"
|
||||
readOnly: true
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
mountPath: "/pulsar/keytool/keytool.sh"
|
||||
subPath: keytool.sh
|
||||
{{- end }}
|
||||
{{- if .Values.tls.toolset.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: toolset-cacerts
|
||||
{{- range $cert := .Values.tls.toolset.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -63,7 +75,8 @@ Define toolset tls certs mounts
|
||||
Define toolset tls certs volumes
|
||||
*/}}
|
||||
{{- define "pulsar.toolset.certs.volumes" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: toolset-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
|
||||
@ -72,17 +85,32 @@ Define toolset tls certs volumes
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
{{- end }}
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
- name: keytool
|
||||
{{- end }}
|
||||
{{- if .Values.tls.toolset.cacerts.enabled }}
|
||||
- name: toolset-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.toolset.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
37
charts/pulsar/templates/_tplvalues.tpl
Normal file
37
charts/pulsar/templates/_tplvalues.tpl
Normal file
@ -0,0 +1,37 @@
|
||||
{{/*
|
||||
Licensed to the Apache Software Foundation (ASF) under one
|
||||
or more contributor license agreements. See the NOTICE file
|
||||
distributed with this work for additional information
|
||||
regarding copyright ownership. The ASF licenses this file
|
||||
to you under the Apache License, Version 2.0 (the
|
||||
"License"); you may not use this file except in compliance
|
||||
with the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing,
|
||||
software distributed under the License is distributed on an
|
||||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
KIND, either express or implied. See the License for the
|
||||
specific language governing permissions and limitations
|
||||
under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Renders a value that contains template perhaps with scope if the scope is present.
|
||||
Usage:
|
||||
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
|
||||
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
|
||||
*/}}
|
||||
{{- define "common.tplvalues.render" -}}
|
||||
{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
|
||||
{{- if contains "{{" (toJson .value) }}
|
||||
{{- if .scope }}
|
||||
{{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
|
||||
{{- else }}
|
||||
{{- tpl $value .context }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- $value }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
@ -53,7 +53,93 @@ Define zookeeper tls settings
|
||||
*/}}
|
||||
{{- define "pulsar.zookeeper.tls.settings" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . }} false;
|
||||
{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" "zookeeper" "isClient" false "isCacerts" .Values.tls.zookeeper.cacerts.enabled) -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "pulsar.component.zookeeper.tls.settings" }}
|
||||
{{- $component := .component -}}
|
||||
{{- $isClient := .isClient -}}
|
||||
{{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}}
|
||||
{{- $caFile := ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .isCacerts -}}
|
||||
{{- if $isClient }}
|
||||
echo $'\n' >> conf/pulsar_env.sh
|
||||
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
|
||||
echo $'\n' >> conf/bkenv.sh
|
||||
echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh
|
||||
{{- else }}
|
||||
echo $'\n' >> conf/pulsar_env.sh
|
||||
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location={{- $keyFile }} -Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- $caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Define zookeeper tls certs mounts
|
||||
*/}}
|
||||
{{- define "pulsar.zookeeper.certs.volumeMounts" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
- mountPath: "/pulsar/certs/zookeeper"
|
||||
name: zookeeper-certs
|
||||
readOnly: true
|
||||
- mountPath: "/pulsar/certs/ca"
|
||||
name: ca
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.tls.zookeeper.cacerts.enabled }}
|
||||
- mountPath: "/pulsar/certs/cacerts"
|
||||
name: zookeeper-cacerts
|
||||
{{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
mountPath: "/pulsar/certs/{{ $cert.name }}"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem.sh"
|
||||
subPath: certs-combine-pem.sh
|
||||
- name: certs-scripts
|
||||
mountPath: "/pulsar/bin/certs-combine-pem-infinity.sh"
|
||||
subPath: certs-combine-pem-infinity.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Define zookeeper tls certs volumes
|
||||
*/}}
|
||||
{{- define "pulsar.zookeeper.certs.volumes" -}}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
- name: zookeeper-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: tls-combined.pem
|
||||
path: tls-combined.pem
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- end }}
|
||||
{{- if .Values.tls.zookeeper.cacerts.enabled }}
|
||||
- name: zookeeper-cacerts
|
||||
emptyDir: {}
|
||||
{{- range $cert := .Values.tls.zookeeper.cacerts.certs }}
|
||||
- name: {{ $cert.name }}
|
||||
secret:
|
||||
secretName: "{{ $cert.existingSecret }}"
|
||||
items:
|
||||
{{- range $key := $cert.secretKeys }}
|
||||
- key: {{ $key }}
|
||||
path: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: certs-scripts
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
defaultMode: 0755
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -113,6 +113,18 @@ spec:
|
||||
terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }}
|
||||
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
|
||||
initContainers:
|
||||
{{- if .Values.tls.autorecovery.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.autorecovery "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.autorecovery "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.autorecovery.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.autorecovery.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.autorecovery.waitBookkeeperTimeout (gt (.Values.autorecovery.waitBookkeeperTimeout | int) 0) }}
|
||||
# This initContainer will wait for bookkeeper initnewcluster to complete
|
||||
# before deploying the bookies
|
||||
@ -147,6 +159,11 @@ spec:
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
{{- if .Values.tls.autorecovery.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.autorecovery.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
{{- include "pulsar.autorecovery.zookeeper.tls.settings" . | nindent 10 }}
|
||||
OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/bookkeeper autorecovery
|
||||
|
||||
@ -33,6 +33,10 @@ spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "pulsar.template.labels" . | nindent 8 }}
|
||||
component: {{ .Values.bookkeeper.component }}-init
|
||||
spec:
|
||||
{{- include "pulsar.imagePullSecrets" . | nindent 6 }}
|
||||
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
|
||||
@ -45,6 +49,18 @@ spec:
|
||||
{{ toYaml .Values.pulsar_metadata.tolerations | indent 8 }}
|
||||
{{- end }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.bookie.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.bookie "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.components.zookeeper .Values.bookkeeper.metadata.waitZookeeperTimeout (gt (.Values.bookkeeper.metadata.waitZookeeperTimeout | int) 0) }}
|
||||
- name: wait-zookeeper-ready
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
|
||||
|
||||
@ -115,6 +115,18 @@ spec:
|
||||
{{- end }}
|
||||
{{- if and .Values.bookkeeper.waitMetadataTimeout (gt (.Values.bookkeeper.waitMetadataTimeout | int) 0) }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.bookie.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.bookie "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.bookie "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.bookkeeper.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
# This initContainer will wait for bookkeeper initnewcluster to complete
|
||||
# before deploying the bookies
|
||||
- name: pulsar-bookkeeper-verify-clusterid
|
||||
@ -195,6 +207,11 @@ spec:
|
||||
{{- if .Values.bookkeeper.additionalCommand }}
|
||||
{{ .Values.bookkeeper.additionalCommand }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.bookie.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.bookie.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }}
|
||||
OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie;
|
||||
|
||||
@ -204,7 +204,7 @@ data:
|
||||
# TLS Settings
|
||||
tlsCertificateFilePath: "/pulsar/certs/broker/tls.crt"
|
||||
tlsKeyFilePath: "/pulsar/certs/broker/tls.key"
|
||||
tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
|
||||
tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
|
||||
{{- end }}
|
||||
|
||||
# Authentication Settings
|
||||
@ -260,13 +260,13 @@ data:
|
||||
bookkeeperTLSKeyFileType: "PEM"
|
||||
bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key"
|
||||
bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt"
|
||||
bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
|
||||
bookkeeperTLSTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
|
||||
bookkeeperTLSTrustCertTypes: "PEM"
|
||||
PULSAR_PREFIX_bookkeeperTLSClientAuthentication: "true"
|
||||
PULSAR_PREFIX_bookkeeperTLSKeyFileType: "PEM"
|
||||
PULSAR_PREFIX_bookkeeperTLSKeyFilePath: "/pulsar/certs/broker/tls.key"
|
||||
PULSAR_PREFIX_bookkeeperTLSCertificateFilePath: "/pulsar/certs/broker/tls.crt"
|
||||
PULSAR_PREFIX_bookkeeperTLSTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
|
||||
PULSAR_PREFIX_bookkeeperTLSTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.broker.cacerts.enabled | quote }}
|
||||
PULSAR_PREFIX_bookkeeperTLSTrustCertTypes: "PEM"
|
||||
# https://github.com/apache/bookkeeper/pull/2300
|
||||
bookkeeperUseV2WireProtocol: "false"
|
||||
|
||||
@ -130,6 +130,18 @@ spec:
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: {{ .Values.broker.gracePeriod }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.broker.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.broker "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.broker "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.broker.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.broker.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.components.zookeeper .Values.broker.waitZookeeperTimeout (gt (.Values.broker.waitZookeeperTimeout | int) 0) }}
|
||||
# This init container will wait for zookeeper to be ready before
|
||||
# deploying the bookies
|
||||
@ -242,6 +254,11 @@ spec:
|
||||
- |
|
||||
{{- if .Values.broker.additionalCommand }}
|
||||
{{ .Values.broker.additionalCommand }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.broker.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.broker.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/broker.conf;
|
||||
bin/gen-yml-from-env.py conf/functions_worker.yml;
|
||||
|
||||
82
charts/pulsar/templates/certs-scripts-configmap.yaml
Normal file
82
charts/pulsar/templates/certs-scripts-configmap.yaml
Normal file
@ -0,0 +1,82 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-certs-scripts"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
component: certs-scripts
|
||||
data:
|
||||
certs-combine-pem.sh: |
|
||||
#!/bin/bash
|
||||
# This script combines all certificates into a single file.
|
||||
# Usage: certs-combine-pem.sh <output_file> <cert1> <cert2> ...
|
||||
set -eu -o pipefail
|
||||
|
||||
if [ "$#" -lt 2 ]; then
|
||||
echo "Usage: $0 <output_file> <cert1> <cert2> ..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
OUTPUT_FILE="$1"
|
||||
shift
|
||||
|
||||
OUTPUT_FILE_TMP="${OUTPUT_FILE}.tmp"
|
||||
rm -f "$OUTPUT_FILE_TMP"
|
||||
|
||||
for CERT in "$@"; do
|
||||
if [ -f "$CERT" ]; then
|
||||
echo "# $CERT" >> "$OUTPUT_FILE_TMP"
|
||||
cat "$CERT" >> "$OUTPUT_FILE_TMP"
|
||||
else
|
||||
echo "Certificate file '$CERT' does not exist, skipping"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ ! -f "$OUTPUT_FILE" ]; then
|
||||
touch "$OUTPUT_FILE"
|
||||
fi
|
||||
|
||||
if diff -q "$OUTPUT_FILE" "$OUTPUT_FILE_TMP" > /dev/null; then
|
||||
# No changes detected, skipping update
|
||||
rm -f "$OUTPUT_FILE_TMP"
|
||||
else
|
||||
# Update $OUTPUT_FILE with new certificates
|
||||
mv "$OUTPUT_FILE_TMP" "$OUTPUT_FILE"
|
||||
fi
|
||||
|
||||
certs-combine-pem-infinity.sh: |
|
||||
#!/bin/bash
|
||||
# This script combines all certificates into a single file, every minutes.
|
||||
# Usage: certs-combine-pem-infinity.sh <output_file> <cert1> <cert2> ...
|
||||
set -eu -o pipefail
|
||||
|
||||
if [ "$#" -lt 2 ]; then
|
||||
echo "Usage: $0 <output_file> <cert1> <cert2> ..."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while true; do
|
||||
/pulsar/bin/certs-combine-pem.sh "$@"
|
||||
sleep 60
|
||||
done
|
||||
|
||||
23
charts/pulsar/templates/extra-list.yaml
Normal file
23
charts/pulsar/templates/extra-list.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
{{- range .Values.extraDeploy }}
|
||||
---
|
||||
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
|
||||
{{- end }}
|
||||
@ -1,110 +0,0 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
# script to process key/cert to keystore and truststore
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
component: keytool
|
||||
data:
|
||||
keytool.sh: |
|
||||
#!/bin/bash
|
||||
component=$1
|
||||
name=$2
|
||||
isClient=$3
|
||||
crtFile=/pulsar/certs/${component}/tls.crt
|
||||
keyFile=/pulsar/certs/${component}/tls.key
|
||||
caFile=/pulsar/certs/ca/ca.crt
|
||||
tlsDir=/tmp/pulsar-tls$$
|
||||
p12File=${tlsDir}/${component}.p12
|
||||
keyStoreFile=${tlsDir}/${component}.keystore.jks
|
||||
trustStoreFile=${tlsDir}/${component}.truststore.jks
|
||||
|
||||
# create tmp dir for keystore and truststore files
|
||||
mkdir ${tlsDir}
|
||||
chmod 0700 ${tlsDir}
|
||||
|
||||
function checkFile() {
|
||||
local file=$1
|
||||
local len=$(wc -c ${file} | awk '{print $1}')
|
||||
echo "processing ${file} : len = ${len}"
|
||||
if [ ! -f ${file} ]; then
|
||||
echo "${file} is not found"
|
||||
return -1
|
||||
fi
|
||||
if [ $len -le 0 ]; then
|
||||
echo "${file} is empty"
|
||||
return -1
|
||||
fi
|
||||
}
|
||||
|
||||
function ensureFileNotEmpty() {
|
||||
local file=$1
|
||||
until checkFile ${file}; do
|
||||
echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3;
|
||||
done;
|
||||
}
|
||||
|
||||
ensureFileNotEmpty ${crtFile}
|
||||
ensureFileNotEmpty ${keyFile}
|
||||
ensureFileNotEmpty ${caFile}
|
||||
|
||||
PASSWORD=$(head /dev/urandom | base64 | head -c 24)
|
||||
|
||||
openssl pkcs12 \
|
||||
-export \
|
||||
-in ${crtFile} \
|
||||
-inkey ${keyFile} \
|
||||
-out ${p12File} \
|
||||
-name ${name} \
|
||||
-passout "pass:${PASSWORD}"
|
||||
|
||||
keytool -importkeystore \
|
||||
-srckeystore ${p12File} \
|
||||
-srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
|
||||
-alias ${name} \
|
||||
-destkeystore ${keyStoreFile} \
|
||||
-deststorepass "${PASSWORD}"
|
||||
|
||||
keytool -import \
|
||||
-file ${caFile} \
|
||||
-storetype JKS \
|
||||
-alias ${name} \
|
||||
-keystore ${trustStoreFile} \
|
||||
-storepass "${PASSWORD}" \
|
||||
-trustcacerts -noprompt
|
||||
|
||||
ensureFileNotEmpty ${keyStoreFile}
|
||||
ensureFileNotEmpty ${trustStoreFile}
|
||||
|
||||
if [[ "x${isClient}" == "xtrue" ]]; then
|
||||
echo $'\n' >> conf/pulsar_env.sh
|
||||
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
|
||||
echo $'\n' >> conf/bkenv.sh
|
||||
echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
|
||||
else
|
||||
echo $'\n' >> conf/pulsar_env.sh
|
||||
echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
|
||||
fi
|
||||
{{- end }}
|
||||
@ -77,6 +77,10 @@ spec:
|
||||
limits:
|
||||
cpu: {{ .Values.oxia.coordinator.cpuLimit }}
|
||||
memory: {{ .Values.oxia.coordinator.memoryLimit }}
|
||||
{{- if .Values.oxia.coordinator.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml .Values.oxia.coordinator.extraVolumeMounts | nindent 12 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
{{- include "oxia-cluster.probe" .Values.oxia.coordinator.ports.internal | nindent 12 }}
|
||||
readinessProbe:
|
||||
|
||||
@ -42,14 +42,14 @@ data:
|
||||
webServicePortTls: "{{ .Values.proxy.ports.containerPorts.https }}"
|
||||
tlsCertificateFilePath: "/pulsar/certs/proxy/tls.crt"
|
||||
tlsKeyFilePath: "/pulsar/certs/proxy/tls.key"
|
||||
tlsTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
|
||||
tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.proxy.cacerts.enabled | quote }}
|
||||
{{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
|
||||
# if broker enables TLS, configure proxy to talk to broker using TLS
|
||||
brokerServiceURLTLS: pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}
|
||||
brokerWebServiceURLTLS: https://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.https }}
|
||||
tlsEnabledWithBroker: "true"
|
||||
tlsCertRefreshCheckDurationSec: "300"
|
||||
brokerClientTrustCertsFilePath: "/pulsar/certs/ca/ca.crt"
|
||||
brokerClientTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.proxy.cacerts.enabled | quote }}
|
||||
{{- end }}
|
||||
{{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }}
|
||||
brokerServiceURL: pulsar://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsar }}
|
||||
|
||||
@ -27,6 +27,8 @@ kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
spec:
|
||||
maxReplicas: {{ .Values.proxy.autoscaling.maxReplicas }}
|
||||
{{- with .Values.proxy.autoscaling.metrics }}
|
||||
|
||||
@ -112,6 +112,18 @@ spec:
|
||||
terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
|
||||
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
|
||||
initContainers:
|
||||
{{- if .Values.tls.proxy.cacerts.enabled }}
|
||||
- name: combine-certs
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.proxy "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.proxy "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.proxy.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.proxy.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.components.zookeeper .Values.proxy.waitZookeeperTimeout (gt (.Values.proxy.waitZookeeperTimeout | int) 0) }}
|
||||
# This init container will wait for zookeeper to be ready before
|
||||
# deploying the bookies
|
||||
@ -213,6 +225,11 @@ spec:
|
||||
- |
|
||||
{{- if .Values.proxy.additionalCommand }}
|
||||
{{ .Values.proxy.additionalCommand }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.proxy.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.proxy.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/proxy.conf &&
|
||||
echo "OK" > "${statusFilePath:-status}" &&
|
||||
@ -250,16 +267,7 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.proxy.enabled }}
|
||||
- mountPath: "/pulsar/certs/proxy"
|
||||
name: proxy-certs
|
||||
readOnly: true
|
||||
{{- end}}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- mountPath: "/pulsar/certs/ca"
|
||||
name: ca
|
||||
readOnly: true
|
||||
{{- end}}
|
||||
{{- include "pulsar.proxy.certs.volumeMounts" . | nindent 10 }}
|
||||
{{- if .Values.proxy.extraVolumeMounts }}
|
||||
{{ toYaml .Values.proxy.extraVolumeMounts | indent 10 }}
|
||||
{{- end }}
|
||||
@ -296,21 +304,6 @@ spec:
|
||||
path: proxy/token
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
{{- if .Values.tls.proxy.enabled }}
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
- name: proxy-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
{{- end}}
|
||||
{{- include "pulsar.proxy.certs.volumes" . | nindent 8 }}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
|
||||
@ -34,6 +34,10 @@ spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "pulsar.template.labels" . | nindent 8 }}
|
||||
component: {{ .Values.pulsar_metadata.component }}
|
||||
spec:
|
||||
{{- include "pulsar.imagePullSecrets" . | nindent 6 }}
|
||||
{{- if .Values.pulsar_metadata.nodeSelector }}
|
||||
@ -41,6 +45,18 @@ spec:
|
||||
{{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.toolset.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.pulsar_metadata.image "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.pulsar_metadata.image "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.components.zookeeper .Values.pulsar_metadata.waitZookeeperTimeout (gt (.Values.pulsar_metadata.waitZookeeperTimeout | int) 0) }}
|
||||
{{- if .Values.pulsar_metadata.configurationStore }}
|
||||
- name: wait-zk-cs-ready
|
||||
|
||||
@ -24,12 +24,8 @@ metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-secret"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
app: {{ template "pulsar.name" . }}
|
||||
chart: {{ template "pulsar.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
component: {{ .Values.pulsar_manager.component }}
|
||||
cluster: {{ template "pulsar.fullname" . }}
|
||||
"helm.sh/resource-policy": "keep" # do not remove when uninstalling to keep it for next install
|
||||
type: Opaque
|
||||
data:
|
||||
|
||||
@ -32,6 +32,10 @@ spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.job.ttl.secondsAfterFinished | default 600 }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "pulsar.template.labels" . | nindent 8 }}
|
||||
component: {{ .Values.pulsar_manager.component }}-init
|
||||
spec:
|
||||
{{- include "pulsar.imagePullSecrets" . | nindent 6 }}
|
||||
nodeSelector:
|
||||
|
||||
@ -24,6 +24,8 @@ kind: Issuer
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
@ -32,6 +34,8 @@ kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-ca"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
spec:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
@ -56,6 +60,8 @@ kind: Issuer
|
||||
metadata:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
labels:
|
||||
{{- include "pulsar.standardLabels" . | nindent 4 }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
|
||||
@ -21,323 +21,27 @@
|
||||
|
||||
{{- if .Values.tls.proxy.enabled }}
|
||||
{{- if .Values.tls.proxy.createCert }}
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
# At least one of a DNS Name, USI SAN, or IP address is required.
|
||||
dnsNames:
|
||||
{{- if .Values.tls.proxy.dnsNames }}
|
||||
{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled) }}
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
# At least one of a DNS Name, USI SAN, or IP address is required.
|
||||
dnsNames:
|
||||
{{- if .Values.tls.broker.dnsNames }}
|
||||
{{ toYaml .Values.tls.broker.dnsNames | indent 4 }}
|
||||
{{- end}}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.broker "tlsConfig" .Values.tls.broker) }}
|
||||
---
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
{{- if .Values.tls.bookie.dnsNames }}
|
||||
{{ toYaml .Values.tls.bookie.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.bookkeeper "tlsConfig" .Values.tls.bookie) }}
|
||||
---
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.tls.zookeeper.enabled }}
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.autorecovery.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
{{- if .Values.tls.autorecovery.dnsNames }}
|
||||
{{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.autorecovery "tlsConfig" .Values.tls.autorecovery) }}
|
||||
---
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
{{- if .Values.tls.toolset.dnsNames }}
|
||||
{{ toYaml .Values.tls.toolset.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.toolset "tlsConfig" .Values.tls.toolset) }}
|
||||
---
|
||||
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name }}"
|
||||
namespace: {{ template "pulsar.namespace" . }}
|
||||
spec:
|
||||
# Secret names are always required.
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
|
||||
duration: "{{ .Values.tls.common.duration }}"
|
||||
renewBefore: "{{ .Values.tls.common.renewBefore }}"
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
subject:
|
||||
organizations:
|
||||
{{ toYaml .Values.tls.common.organization | indent 4 }}
|
||||
{{- else }}
|
||||
organization:
|
||||
{{ toYaml .Values.tls.common.organization | indent 2 }}
|
||||
{{- end }}
|
||||
# The use of the common name field has been deprecated since 2000 and is
|
||||
# discouraged from being used.
|
||||
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
|
||||
isCA: false
|
||||
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
|
||||
privateKey:
|
||||
size: {{ .Values.tls.common.keySize }}
|
||||
algorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
encoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- else }}
|
||||
keySize: {{ .Values.tls.common.keySize }}
|
||||
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
|
||||
keyEncoding: {{ .Values.tls.common.keyEncoding }}
|
||||
{{- end }}
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
{{- if .Values.tls.zookeeper.dnsNames }}
|
||||
{{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }}
|
||||
{{- end }}
|
||||
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
|
||||
- "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
|
||||
# Issuer references are always required.
|
||||
issuerRef:
|
||||
name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
|
||||
# We can reference ClusterIssuers by changing the kind here.
|
||||
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
||||
kind: Issuer
|
||||
# This is optional since cert-manager will default to this value however
|
||||
# if you are using an external issuer, change this to that issuer group.
|
||||
group: cert-manager.io
|
||||
{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.zookeeper "tlsConfig" .Values.tls.zookeeper) }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
@ -36,7 +36,7 @@ data:
|
||||
brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}:{{ .Values.broker.ports.pulsarssl }}/"
|
||||
useTls: "true"
|
||||
tlsAllowInsecureConnection: "false"
|
||||
tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt"
|
||||
tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.toolset.cacerts.enabled | quote }}
|
||||
tlsEnableHostnameVerification: "false"
|
||||
{{- end }}
|
||||
{{- if not (and .Values.tls.enabled .Values.tls.broker.enabled) }}
|
||||
@ -51,7 +51,7 @@ data:
|
||||
brokerServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}:{{ .Values.proxy.ports.pulsarssl }}/"
|
||||
useTls: "true"
|
||||
tlsAllowInsecureConnection: "false"
|
||||
tlsTrustCertsFilePath: "/pulsar/certs/proxy-ca/ca.crt"
|
||||
tlsTrustCertsFilePath: {{ ternary "/pulsar/certs/cacerts/ca-combined.pem" "/pulsar/certs/ca/ca.crt" .Values.tls.toolset.cacerts.enabled | quote }}
|
||||
tlsEnableHostnameVerification: "false"
|
||||
{{- end }}
|
||||
{{- if not (and .Values.tls.enabled .Values.tls.proxy.enabled) }}
|
||||
|
||||
@ -64,8 +64,20 @@ spec:
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
|
||||
serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
|
||||
{{- if .Values.toolset.initContainers }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.toolset.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.toolset "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.toolset "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.toolset.initContainers }}
|
||||
{{- toYaml .Values.toolset.initContainers | nindent 6 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
@ -86,6 +98,11 @@ spec:
|
||||
- |
|
||||
{{- if .Values.toolset.additionalCommand }}
|
||||
{{ .Values.toolset.additionalCommand }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.toolset.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.toolset.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/client.conf;
|
||||
bin/apply-config-from-env.py conf/bookkeeper.conf;
|
||||
@ -102,11 +119,6 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
|
||||
- mountPath: "/pulsar/certs/proxy-ca"
|
||||
name: proxy-ca
|
||||
readOnly: true
|
||||
{{- end}}
|
||||
{{- if .Values.toolset.extraVolumeMounts }}
|
||||
{{ toYaml .Values.toolset.extraVolumeMounts | indent 8 }}
|
||||
{{- end }}
|
||||
@ -122,14 +134,6 @@ spec:
|
||||
path: client/token
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
|
||||
- name: proxy-ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
{{- end}}
|
||||
{{- if .Values.toolset.extraVolumes }}
|
||||
{{ toYaml .Values.toolset.extraVolumes | indent 6 }}
|
||||
{{- end }}
|
||||
|
||||
@ -114,8 +114,20 @@ spec:
|
||||
securityContext:
|
||||
{{ toYaml .Values.zookeeper.securityContext | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.zookeeper.initContainers }}
|
||||
initContainers:
|
||||
{{- if .Values.tls.zookeeper.cacerts.enabled }}
|
||||
- name: cacerts
|
||||
image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.zookeeper "root" .) }}"
|
||||
imagePullPolicy: "{{ template "pulsar.imagePullPolicy" (dict "image" .Values.images.zookeeper "root" .) }}"
|
||||
resources: {{ toYaml .Values.initContainer.resources | nindent 10 }}
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
bin/certs-combine-pem.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.zookeeper.cacerts.certs) }}
|
||||
volumeMounts:
|
||||
{{- include "pulsar.zookeeper.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.zookeeper.initContainers }}
|
||||
{{- toYaml .Values.zookeeper.initContainers | nindent 6 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
@ -131,6 +143,11 @@ spec:
|
||||
- |
|
||||
{{- if .Values.zookeeper.additionalCommand }}
|
||||
{{ .Values.zookeeper.additionalCommand }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.zookeeper.cacerts.enabled }}
|
||||
cd /pulsar/certs/cacerts;
|
||||
nohup /pulsar/bin/certs-combine-pem-infinity.sh /pulsar/certs/cacerts/ca-combined.pem {{ template "pulsar.certs.cacerts" (dict "certs" .Values.tls.zookeeper.cacerts.certs) }} > /pulsar/certs/cacerts/certs-combine-pem-infinity.log 2>&1 &
|
||||
cd /pulsar;
|
||||
{{- end }}
|
||||
bin/apply-config-from-env.py conf/zookeeper.conf;
|
||||
{{- include "pulsar.zookeeper.tls.settings" . | nindent 10 }}
|
||||
@ -220,17 +237,7 @@ spec:
|
||||
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.datalog.name }}"
|
||||
mountPath: /pulsar/data-log
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
- mountPath: "/pulsar/certs/zookeeper"
|
||||
name: zookeeper-certs
|
||||
readOnly: true
|
||||
- mountPath: "/pulsar/certs/ca"
|
||||
name: ca
|
||||
readOnly: true
|
||||
- name: keytool
|
||||
mountPath: "/pulsar/keytool/keytool.sh"
|
||||
subPath: keytool.sh
|
||||
{{- end }}
|
||||
{{- include "pulsar.zookeeper.certs.volumeMounts" . | nindent 8 }}
|
||||
{{- if .Values.zookeeper.extraVolumeMounts }}
|
||||
{{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }}
|
||||
{{- end }}
|
||||
@ -239,29 +246,10 @@ spec:
|
||||
- name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ .Values.zookeeper.volumes.data.name }}"
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- include "pulsar.zookeeper.certs.volumes" . | nindent 6 }}
|
||||
{{- if .Values.zookeeper.extraVolumes }}
|
||||
{{ toYaml .Values.zookeeper.extraVolumes | indent 6 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
|
||||
- name: zookeeper-certs
|
||||
secret:
|
||||
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- name: ca
|
||||
secret:
|
||||
secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
|
||||
items:
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
- name: keytool
|
||||
configMap:
|
||||
name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
|
||||
defaultMode: 0755
|
||||
{{- end}}
|
||||
{{- include "pulsar.imagePullSecrets" . | nindent 6}}
|
||||
{{- if and (and .Values.persistence .Values.volumes.persistence) .Values.zookeeper.volumes.persistence }}
|
||||
volumeClaimTemplates:
|
||||
|
||||
@ -241,6 +241,13 @@ tls:
|
||||
# The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
|
||||
dnsNames:
|
||||
# - example.com
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: proxy-cacert
|
||||
# existingSecret: proxy-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# settings for generating certs for broker
|
||||
broker:
|
||||
enabled: false
|
||||
@ -248,26 +255,69 @@ tls:
|
||||
# The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
|
||||
dnsNames:
|
||||
# - example.com
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: broker-cacert
|
||||
# existingSecret: broker-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# settings for generating certs for bookies
|
||||
bookie:
|
||||
enabled: false
|
||||
cert_name: tls-bookie
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: bookie-cacert
|
||||
# existingSecret: bookie-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# settings for generating certs for zookeeper
|
||||
zookeeper:
|
||||
enabled: false
|
||||
cert_name: tls-zookeeper
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: zookeeper-cacert
|
||||
# existingSecret: zookeeper-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# settings for generating certs for recovery
|
||||
autorecovery:
|
||||
cert_name: tls-recovery
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: autorecovery-cacert
|
||||
# existingSecret: autorecovery-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# settings for generating certs for toolset
|
||||
toolset:
|
||||
cert_name: tls-toolset
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: toolset-cacert
|
||||
# existingSecret: toolset-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
# TLS setting for function runtime instance
|
||||
function_instance:
|
||||
# controls the use of TLS for function runtime connections towards brokers
|
||||
enabled: false
|
||||
oxia:
|
||||
enabled: false
|
||||
pulsar_metadata:
|
||||
cacerts:
|
||||
enabled: false
|
||||
certs:
|
||||
# - name: pulsar-metadata-cacert
|
||||
# existingSecret: pulsar-metadata-cacert
|
||||
# secretKeys:
|
||||
# - ca.crt
|
||||
|
||||
# Enable or disable broker authentication and authorization.
|
||||
auth:
|
||||
@ -554,6 +604,7 @@ oxia:
|
||||
# cloud.google.com/gke-nodepool: default-pool
|
||||
extraContainers: []
|
||||
extraVolumes: []
|
||||
extraVolumeMounts: []
|
||||
# customConfigMapName: ""
|
||||
# entrypoint: []
|
||||
## templates/server-statefulset.yaml
|
||||
@ -1888,3 +1939,7 @@ initContainer:
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: 0.1
|
||||
|
||||
## Array of extra objects to deploy with the release (evaluated as a template)
|
||||
##
|
||||
extraDeploy: []
|
||||
|
||||
@ -25,7 +25,7 @@ set -e
|
||||
NAMESPACE=cert-manager
|
||||
NAME=cert-manager
|
||||
# check compatibility with k8s versions from https://cert-manager.io/docs/installation/supported-releases/
|
||||
VERSION=v1.12.16
|
||||
VERSION=v1.12.17
|
||||
|
||||
# Install cert-manager CustomResourceDefinition resources
|
||||
echo "Installing cert-manager CRD resources ..."
|
||||
@ -41,10 +41,12 @@ echo "Updating local helm chart repository cache ..."
|
||||
helm repo update
|
||||
|
||||
echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as '${NAME}' ..."
|
||||
helm install \
|
||||
helm upgrade \
|
||||
--install \
|
||||
--namespace ${NAMESPACE} \
|
||||
--create-namespace \
|
||||
--version ${VERSION} \
|
||||
--set featureGates=AdditionalCertificateOutputFormats=true \
|
||||
${NAME} \
|
||||
jetstack/cert-manager
|
||||
echo "Successfully installed cert-manager ${VERSION}."
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user