114 lines
4.7 KiB
Smarty
114 lines
4.7 KiB
Smarty
{{/*
|
|
Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
*/}}
|
|
|
|
{{/*
|
|
Define the pulsar certs ca issuer name
|
|
*/}}
|
|
{{- define "pulsar.certs.issuers.ca.name" -}}
|
|
{{- if .Values.certs.internal_issuer.enabled -}}
|
|
{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
|
|
{{- .Values.certs.issuers.selfsigning.name -}}
|
|
{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
|
|
{{- .Values.certs.issuers.ca.name -}}
|
|
{{- else -}}
|
|
{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
|
|
{{- end -}}
|
|
{{- else -}}
|
|
{{- if .Values.certs.issuers.ca.name -}}
|
|
{{- .Values.certs.issuers.ca.name -}}
|
|
{{- else -}}
|
|
{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Define the pulsar certs ca issuer secret name
|
|
*/}}
|
|
{{- define "pulsar.certs.issuers.ca.secretName" -}}
|
|
{{- if .Values.certs.internal_issuer.enabled -}}
|
|
{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
|
|
{{- .Values.certs.issuers.selfsigning.secretName -}}
|
|
{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
|
|
{{- .Values.certs.issuers.ca.secretName -}}
|
|
{{- else -}}
|
|
{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
|
|
{{- end -}}
|
|
{{- else -}}
|
|
{{- if .Values.certs.issuers.ca.secretName -}}
|
|
{{- .Values.certs.issuers.ca.secretName -}}
|
|
{{- else -}}
|
|
{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
|
|
{{/*
|
|
Common certificate template
|
|
Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) -}}
|
|
*/}}
|
|
{{- define "pulsar.cert.template" -}}
|
|
{{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
|
|
{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
|
|
{{- end -}}
|
|
apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
|
|
kind: Certificate
|
|
metadata:
|
|
name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
|
|
namespace: {{ template "pulsar.namespace" .root }}
|
|
spec:
|
|
# Secret names are always required.
|
|
secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
|
|
{{- if .root.Values.tls.zookeeper.enabled }}
|
|
additionalOutputFormats:
|
|
- type: CombinedPEM
|
|
{{- end }}
|
|
duration: "{{ .root.Values.tls.common.duration }}"
|
|
renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
|
|
subject:
|
|
organizations:
|
|
{{ toYaml .root.Values.tls.common.organization | indent 4 }}
|
|
# The use of the common name field has been deprecated since 2000 and is
|
|
# discouraged from being used.
|
|
commonName: "{{ template "pulsar.fullname" .root }}-{{ .componentConfig.component }}"
|
|
isCA: false
|
|
privateKey:
|
|
size: {{ .root.Values.tls.common.keySize }}
|
|
algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
|
|
encoding: {{ .root.Values.tls.common.keyEncoding }}
|
|
usages:
|
|
- server auth
|
|
- client auth
|
|
# At least one of a DNS Name, USI SAN, or IP address is required.
|
|
dnsNames:
|
|
{{- if .tlsConfig.dnsNames }}
|
|
{{ toYaml .tlsConfig.dnsNames | indent 4 }}
|
|
{{- end }}
|
|
- {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) .componentConfig.component (include "pulsar.namespace" .root) .root.Values.clusterDomain | quote }}
|
|
- {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
|
|
# Issuer references are always required.
|
|
issuerRef:
|
|
name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
|
|
# We can reference ClusterIssuers by changing the kind here.
|
|
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
|
kind: Issuer
|
|
# This is optional since cert-manager will default to this value however
|
|
# if you are using an external issuer, change this to that issuer group.
|
|
group: cert-manager.io
|
|
{{- end -}} |