feat(tls): support ca type issuer and v1alpha* version cert-manager a…
…pi (#561)
ericsyh authored Dec 18, 2024
1 parent df9284d commit b5ff00b
Showing 12 changed files with 169 additions and 5 deletions.
5 changes: 5 additions & 0 deletions charts/pulsar/templates/_autorecovery.tpl
Expand Up @@ -74,7 +74,12 @@ Define autorecovery tls certs volumes
path: tls.key
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
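Review bot: The two independent `if` blocks around the new `secretName` lines leave the `secret:` volume with no `secretName` at all when `certs.internal_issuer.type` is neither `selfsigning` nor `ca`, so a typo in values renders a volume carrying only `items:` and the problem surfaces when the pod is scheduled rather than at template time. Make the second branch exclusive and reject anything else: `{{- else if eq .Values.certs.internal_issuer.type "ca" }}` in place of the second `if`, and `{{- else }}{{ fail (printf "unsupported certs.internal_issuer.type %q" .Values.certs.internal_issuer.type) }}` before the closing `{{- end }}`. The `ca` branch also interpolates `.Values.certs.issuers.ca.secretName` unchecked, and values.yaml ships it empty, so that combination renders `secretName: ""`; wrapping the value in `required` turns it into a template-time error. The same pattern is repeated in `_bookkeeper.tpl`, `_broker.tpl`, `_toolset.tpl`, `proxy-statefulset.yaml`, `toolset-statefulset.yaml` and `zookeeper-statefulset.yaml`. The `define` enclosing this volume list starts and ends outside the hunk.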
5 changes: 5 additions & 0 deletions charts/pulsar/templates/_bookkeeper.tpl
Expand Up @@ -75,7 +75,12 @@ Define bookie tls certs volumes
path: tls.key
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
5 changes: 5 additions & 0 deletions charts/pulsar/templates/_broker.tpl
Expand Up @@ -81,7 +81,12 @@ Define broker tls certs volumes
path: tls.key
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
5 changes: 5 additions & 0 deletions charts/pulsar/templates/_toolset.tpl
Expand Up @@ -74,7 +74,12 @@ Define toolset tls certs volumes
path: tls.key
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
5 changes: 5 additions & 0 deletions charts/pulsar/templates/proxy-statefulset.yaml
Expand Up @@ -296,7 +296,12 @@ spec:
{{- if .Values.tls.proxy.enabled }}
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
12 changes: 10 additions & 2 deletions charts/pulsar/templates/tls-cert-internal-issuer.yaml
Expand Up @@ -27,7 +27,6 @@ metadata:
spec:
selfSigned: {}
---

apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Certificate
metadata:
Expand All @@ -51,7 +50,6 @@ spec:
# if you are using an external issuer, change this to that issuer group.
group: cert-manager.io
---

apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer
metadata:
Expand All @@ -61,4 +59,14 @@ spec:
ca:
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
kind: Issuer
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
namespace: {{ template "pulsar.namespace" . }}
spec:
ca:
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
{{- end }}
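Review bot: The new `ca` Issuer inside `{{- if eq .Values.certs.internal_issuer.type "ca" }}` is rendered into the release namespace (`namespace: {{ template "pulsar.namespace" . }}`), so the Secret named by `certs.issuers.ca.secretName` must already exist in that namespace when the release is installed, and nothing in the template says so. I would add a comment above the block: `# type "ca": references a pre-existing Secret in the release namespace holding the CA certificate and signing key; the same Secret's ca.crt key is mounted by the components`. As far as I recall, cert-manager's CA issuer looks for the signing key pair under `tls.crt`/`tls.key`, so a Secret created with only a `ca.crt` key for the mounts would render fine but never issue — worth stating in that comment. The outer conditional closed by the final `{{- end }}` starts outside this hunk.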
70 changes: 68 additions & 2 deletions charts/pulsar/templates/tls-certs-internal.yaml
Expand Up @@ -32,27 +32,38 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
# At least one of a DNS Name, USI SAN, or IP address is required.
dnsNames:
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
{{- if .Values.tls.proxy.dnsNames }}
{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
{{- end }}
- "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
- "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
# Issuer references are always required.
issuerRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
Expand All @@ -77,17 +88,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
Expand Down Expand Up @@ -121,17 +143,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
Expand Down Expand Up @@ -164,17 +197,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
Expand Down Expand Up @@ -204,17 +248,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
Expand Down Expand Up @@ -244,17 +299,28 @@ spec:
secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
duration: "{{ .Values.tls.common.duration }}"
renewBefore: "{{ .Values.tls.common.renewBefore }}"
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
subject:
organizations:
{{ toYaml .Values.tls.common.organization | indent 4 }}
{{- else }}
organization:
{{ toYaml .Values.tls.common.organization | indent 2 }}
{{- end }}
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
isCA: false
{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
privateKey:
size: {{ .Values.tls.common.keySize }}
algorithm: {{ .Values.tls.common.keyAlgorithm }}
encoding: {{ .Values.tls.common.keyEncoding }}
{{- else }}
keySize: {{ .Values.tls.common.keySize }}
keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
keyEncoding: {{ .Values.tls.common.keyEncoding }}
{{- end }}
usages:
- server auth
- client auth
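Review bot: The switch at `{{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}` treats every value other than that exact string as a pre-v1 API, so a typo in `certs.internal_issuer.apiVersion` silently renders the legacy `organization`/`keySize` fields and the mistake is only reported by the API server at apply time. Either branch on the legacy versions explicitly (for example `hasPrefix "cert-manager.io/v1alpha" .Values.certs.internal_issuer.apiVersion`) and `fail` on anything unrecognised, or at minimum list the accepted values in a comment next to `apiVersion` in values.yaml. The same pair of conditionals is copy-pasted into all six Certificate resources in this file (the hunks at 32, 77, 121, 164, 204 and 244); a named template taking the component name would keep the six copies from drifting the next time the schema changes.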
5 changes: 5 additions & 0 deletions charts/pulsar/templates/toolset-statefulset.yaml
Expand Up @@ -128,7 +128,12 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
- name: proxy-ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
5 changes: 5 additions & 0 deletions charts/pulsar/templates/zookeeper-statefulset.yaml
Expand Up @@ -252,7 +252,12 @@ spec:
path: tls.key
- name: ca
secret:
{{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- if eq .Values.certs.internal_issuer.type "ca" }}
secretName: "{{ .Values.certs.issuers.ca.secretName }}"
{{- end }}
items:
- key: ca.crt
path: ca.crt
14 changes: 13 additions & 1 deletion charts/pulsar/values.yaml
Expand Up @@ -232,11 +232,18 @@ tls:
proxy:
enabled: false
cert_name: tls-proxy
createCert: true # set to false if you want to use an existing certificate
# set to false if you want to use an existing certificate
createCert: true
# The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
dnsNames:
# - example.com
# settings for generating certs for broker
broker:
enabled: false
cert_name: tls-broker
# The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
dnsNames:
# - example.com
# settings for generating certs for bookies
bookie:
enabled: false
Expand Down Expand Up @@ -297,13 +304,18 @@ certs:
apiVersion: cert-manager.io/v1
enabled: false
component: internal-cert-issuer
# The type of issuer, supports selfsigning and ca
type: selfsigning
# 90d
duration: 2160h
# 15d
renewBefore: 360h
issuers:
# Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
selfsigning:
# used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
ca:
secretName:

######################################################################
# Below are settings for each component
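Review bot: The comment above the new `ca:` stanza describes the Secret only as holding "your CA certificate and signing private key", but the component templates in this commit mount the `ca.crt` key from that same Secret into every pod, so the Secret also needs a `ca.crt` entry or the volume mount fails. Suggest extending the comment to `# Secret must contain tls.crt and tls.key (used by cert-manager to sign) and ca.crt (mounted by the components as the trust anchor), and must exist in the release namespace before install`. `secretName:` is left as a bare empty value, which parses as null; write `secretName: ""` so the "unset, must be provided" intent is explicit and the templates can test it.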
43 changes: 43 additions & 0 deletions examples/values-tls-ca.yaml
@@ -0,0 +1,43 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

# enable TLS
tls:
enabled: true
proxy:
enabled: true
dnsNames:
# The dnsNames field specifies a list of Subject Alternative Names to be associated with the certificate.
- example.com
broker:
enabled: true
bookie:
enabled: true
zookeeper:
enabled: true

# issue selfsigning certs
certs:
internal_issuer:
enabled: true
type: ca
issuers:
# used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
ca:
secretName: ca-key-pair
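Review bot: The stanza comment `# issue selfsigning certs` contradicts the `type: ca` below it; since this example exists to exercise the CA issuer, change it to `# issue certs signed by a user-provided CA`. The example also gives no hint that `ca-key-pair` has to be created beforehand in the release namespace or which keys it needs, so a comment above `secretName:` such as `# pre-existing Secret in the release namespace with tls.crt, tls.key and ca.crt` would save the first failed install. It may also be worth noting in the example that only `ca.crt` is projected into the pods (the volumes select it via `items`), while the signing key stays in the Secret referenced by the Issuer.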
File renamed without changes.
