This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 2d16ffe  Use PEM files directly as ZooKeeper keystore and truststore 
(#613)
2d16ffe is described below

commit 2d16ffefd48a01b3eb15cf004cd7e1a4ed3a230d
Author: Lari Hotari <[email protected]>
AuthorDate: Fri May 30 18:16:04 2025 +0300

    Use PEM files directly as ZooKeeper keystore and truststore (#613)
---
 README.md                                          |  11 +-
 charts/pulsar/templates/_autorecovery.tpl          |  17 +-
 charts/pulsar/templates/_bookkeeper.tpl            |  21 +-
 charts/pulsar/templates/_broker.tpl                |  17 +-
 charts/pulsar/templates/_certs.tpl                 |  54 ++++
 charts/pulsar/templates/_toolset.tpl               |  15 +-
 charts/pulsar/templates/_zookeeper.tpl             |  18 +-
 charts/pulsar/templates/keytool.yaml               | 110 --------
 charts/pulsar/templates/proxy-statefulset.yaml     |   4 +
 charts/pulsar/templates/tls-certs-internal.yaml    | 308 +--------------------
 charts/pulsar/templates/zookeeper-statefulset.yaml |   9 +-
 scripts/cert-manager/install-cert-manager.sh       |   6 +-
 12 files changed, 116 insertions(+), 474 deletions(-)

diff --git a/README.md b/README.md
index 8303964..099f7e1 100644
--- a/README.md
+++ b/README.md
@@ -160,7 +160,7 @@ It includes support for:
         - [x] Broker
         - [x] Toolset
         - [x] Bookie
-        - [x] ZooKeeper
+        - [x] ZooKeeper (requires the 
`AdditionalCertificateOutputFormats=true` feature gate to be enabled in the 
cert-manager deployment when using cert-manager versions below 1.15.0)
     - [x] Authentication
         - [x] JWT
         - [x] OpenID
@@ -402,6 +402,15 @@ helm upgrade -n <namespace> -f values.yaml 
<pulsar-release-name> apachepulsar/pu
 
 For more detailed information, see our 
[Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.
 
+## Upgrading to Helm chart version 4.2.0 (not released yet)
+
+### TLS configuration for ZooKeeper has changed
+
+The TLS configuration for ZooKeeper has been changed to fix certificate and 
private key expiration issues.
+This change impacts configurations that have `tls.enabled` and 
`tls.zookeeper.enabled` set in `values.yaml`.
+The revised solution requires the `AdditionalCertificateOutputFormats=true` 
feature gate to be enabled in the `cert-manager` deployment when using 
cert-manager versions below 1.15.0.
+If you installed `cert-manager` using 
`./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated 
script to set the feature gate. The script currently installs or upgrades 
cert-manager LTS version 1.12.17, where the feature gate must be explicitly 
enabled.
+
 ## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above
 
 ### Pulsar Proxy service's default type has been changed from `LoadBalancer` 
to `ClusterIP`
diff --git a/charts/pulsar/templates/_autorecovery.tpl 
b/charts/pulsar/templates/_autorecovery.tpl
index 60ea55d..f5b4185 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -36,7 +36,7 @@ Define autorecovery zookeeper client tls settings
 */}}
 {{- define "pulsar.autorecovery.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh autorecovery {{ template 
"pulsar.autorecovery.hostname" . }} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" 
"autorecovery" "isClient" true) -}}
 {{- end }}
 {{- end }}
 
@@ -51,11 +51,6 @@ Define autorecovery tls certs mounts
 - name: ca
   mountPath: "/pulsar/certs/ca"
   readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
-{{- end }}
 {{- end }}
 {{- end }}
 
@@ -72,18 +67,14 @@ Define autorecovery tls certs volumes
       path: tls.crt
     - key: tls.key
       path: tls.key
+    - key: tls-combined.pem
+      path: tls-combined.pem
 - name: ca
   secret:
     secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
-{{- end }}
 {{- end }}
 {{- end }}
 
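Review bot: The `tls-combined.pem` projection added at `- key: tls-combined.pem` is unconditional here, whereas the same addition in `_bookkeeper.tpl`, `_broker.tpl` and `proxy-statefulset.yaml` is wrapped in `{{- if .Values.tls.zookeeper.enabled }}`; the `_toolset.tpl` volumes hunk has the same unconditional shape. The Secret only carries that key when `pulsar.cert.template` emits `additionalOutputFormats`, which is itself gated on `tls.zookeeper.enabled`, so if this volumes define can be rendered with `tls.zookeeper` disabled (its opening `if` lies outside the hunk) the pod would reference a non-existent Secret key and fail to mount. Wrapping the two lines in the same `{{- if .Values.tls.zookeeper.enabled }}` / `{{- end }}` guard as the bookie template makes the templates consistent and is harmless if the guard turns out to be redundant.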
@@ -93,7 +84,7 @@ Define autorecovery init container : verify cluster id
 {{- define "pulsar.autorecovery.init.verify_cluster_id" -}}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.autorecovery.zookeeper.tls.settings" . -}}
+{{- include "pulsar.autorecovery.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
   sleep 3;
 done;
diff --git a/charts/pulsar/templates/_bookkeeper.tpl 
b/charts/pulsar/templates/_bookkeeper.tpl
index b8b367a..a279737 100644
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@@ -37,7 +37,7 @@ Define bookie zookeeper client tls settings
 */}}
 {{- define "pulsar.bookkeeper.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh bookie {{ template "pulsar.bookkeeper.hostname" . 
}} true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" 
"bookie" "isClient" true) -}}
 {{- end }}
 {{- end }}
 
@@ -52,11 +52,6 @@ Define bookie tls certs mounts
 - name: ca
   mountPath: "/pulsar/certs/ca"
   readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
-{{- end }}
 {{- end }}
 {{- end }}
 
@@ -73,18 +68,16 @@ Define bookie tls certs volumes
       path: tls.crt
     - key: tls.key
       path: tls.key
+{{- if .Values.tls.zookeeper.enabled }}
+    - key: tls-combined.pem
+      path: tls-combined.pem
+{{- end }}
 - name: ca
   secret:
     secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
-{{- end }}
 {{- end }}
 {{- end }}
 
@@ -147,7 +140,7 @@ Define bookie init container : verify cluster id
 {{- if not (and .Values.volumes.persistence 
.Values.bookkeeper.volumes.persistence) }}
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
   sleep 3;
 done;
@@ -157,7 +150,7 @@ bin/bookkeeper shell bookieformat -nonInteractive -force 
-deleteCookie || true
 set -e;
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 export BOOKIE_MEM="-Xmx128M";
-{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . -}}
+{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . }}
 until timeout 15 bin/bookkeeper shell whatisinstanceid; do
   sleep 3;
 done;
diff --git a/charts/pulsar/templates/_broker.tpl 
b/charts/pulsar/templates/_broker.tpl
index b5b86f2..773ae15 100644
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@@ -43,7 +43,7 @@ Define broker zookeeper client tls settings
 */}}
 {{- define "pulsar.broker.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh broker {{ template "pulsar.broker.hostname" . }} 
true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" 
"broker" "isClient" true) -}}
 {{- end }}
 {{- end }}
 
@@ -58,11 +58,6 @@ Define broker tls certs mounts
 - name: ca
   mountPath: "/pulsar/certs/ca"
   readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
-{{- end }}
 {{- end }}
 {{- end }}
 
@@ -79,17 +74,15 @@ Define broker tls certs volumes
       path: tls.crt
     - key: tls.key
       path: tls.key
+{{- if .Values.tls.zookeeper.enabled }}
+    - key: tls-combined.pem
+      path: tls-combined.pem
+{{- end }}
 - name: ca
   secret:
     secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
-{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/_certs.tpl 
b/charts/pulsar/templates/_certs.tpl
index 739fbf0..8c5d93a 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -57,4 +57,58 @@ Define the pulsar certs ca issuer secret name
 {{- fail "certs.issuers.ca.secretName is required when TLS is enabled and 
certs.internal_issuer.enabled is false" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Common certificate template
+Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.proxy "tlsConfig" .Values.tls.proxy) -}}
+*/}}
+{{- define "pulsar.cert.template" -}}
+{{- if eq .root.Values.certs.internal_issuer.apiVersion 
"cert-manager.io/v1beta1" -}}
+{{- fail "cert-manager.io/v1beta1 is no longer supported. Please set 
certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
+{{- end -}}
+apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
+kind: Certificate
+metadata:
+  name: "{{ template "pulsar.fullname" .root }}-{{ .tlsConfig.cert_name }}"
+  namespace: {{ template "pulsar.namespace" .root }}
+spec:
+  # Secret names are always required.
+  secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
+{{- if .root.Values.tls.zookeeper.enabled }}
+  additionalOutputFormats:
+    - type: CombinedPEM
+{{- end }}
+  duration: "{{ .root.Values.tls.common.duration }}"
+  renewBefore: "{{ .root.Values.tls.common.renewBefore }}"
+  subject:
+    organizations:
+{{ toYaml .root.Values.tls.common.organization | indent 4 }}
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: "{{ template "pulsar.fullname" .root }}-{{ 
.componentConfig.component }}"
+  isCA: false
+  privateKey:
+    size: {{ .root.Values.tls.common.keySize }}
+    algorithm: {{ .root.Values.tls.common.keyAlgorithm }}
+    encoding: {{ .root.Values.tls.common.keyEncoding }}
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, USI SAN, or IP address is required.
+  dnsNames:
+{{- if .tlsConfig.dnsNames }}
+{{ toYaml .tlsConfig.dnsNames | indent 4 }}
+{{- end }}
+    - {{ printf "*.%s-%s.%s.svc.%s" (include "pulsar.fullname" .root) 
.componentConfig.component (include "pulsar.namespace" .root) 
.root.Values.clusterDomain | quote }}
+    - {{ printf "%s-%s" (include "pulsar.fullname" .root) 
.componentConfig.component | quote }}
+  # Issuer references are always required.
+  issuerRef:
+    name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: Issuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io
 {{- end -}}
\ No newline at end of file
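Review bot: The `additionalOutputFormats` block under `{{- if .root.Values.tls.zookeeper.enabled }}` has no comment, yet it is the one part of this template that depends on cert-manager configuration (the README change in this commit says the `AdditionalCertificateOutputFormats=true` feature gate is required below cert-manager 1.15.0), and a missing gate does not fail here but surfaces later as pods unable to mount `tls-combined.pem`. I'd add above it: `# CombinedPEM adds a tls-combined.pem key (private key + certificate in one PEM) to the Secret; ZooKeeper's PEM keystore reads it directly. On cert-manager < 1.15 the key is only produced when the AdditionalCertificateOutputFormats feature gate is on; without it the volumes that project tls-combined.pem cannot be mounted.` The new `fail` on `cert-manager.io/v1beta1` is also a behaviour change: the per-component Certificates removed from `tls-certs-internal.yaml` in this commit still rendered a v1beta1 fallback (`organization:` / `keySize:`), so the README upgrade note should state that `certs.internal_issuer.apiVersion` must now be `cert-manager.io/v1`. The `Usage:` line in the header shows `{{- include ... -}}` while the actual callers use `{{ include ... }}` without trimming, which matters for the `---` separators that follow; the header should show the form that is actually used.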
diff --git a/charts/pulsar/templates/_toolset.tpl 
b/charts/pulsar/templates/_toolset.tpl
index fe3295b..0865c67 100644
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@@ -36,7 +36,7 @@ Define toolset zookeeper client tls settings
 */}}
 {{- define "pulsar.toolset.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled -}}
-/pulsar/keytool/keytool.sh toolset {{ template "pulsar.toolset.hostname" . }} 
true;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" 
"toolset" "isClient" true) -}}
 {{- end -}}
 {{- end }}
 
@@ -51,11 +51,6 @@ Define toolset tls certs mounts
 - name: ca
   mountPath: "/pulsar/certs/ca"
   readOnly: true
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  mountPath: "/pulsar/keytool/keytool.sh"
-  subPath: keytool.sh
-{{- end }}
 {{- end }}
 {{- end }}
 
@@ -72,17 +67,13 @@ Define toolset tls certs volumes
       path: tls.crt
     - key: tls.key
       path: tls.key
+    - key: tls-combined.pem
+      path: tls-combined.pem
 - name: ca
   secret:
     secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
-{{- if .Values.tls.zookeeper.enabled }}
-- name: keytool
-  configMap:
-    name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-    defaultMode: 0755
-{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/pulsar/templates/_zookeeper.tpl 
b/charts/pulsar/templates/_zookeeper.tpl
index 215b455..e546cde 100644
--- a/charts/pulsar/templates/_zookeeper.tpl
+++ b/charts/pulsar/templates/_zookeeper.tpl
@@ -53,7 +53,23 @@ Define zookeeper tls settings
 */}}
 {{- define "pulsar.zookeeper.tls.settings" -}}
 {{- if and .Values.tls.enabled .Values.tls.zookeeper.enabled }}
-/pulsar/keytool/keytool.sh zookeeper {{ template "pulsar.zookeeper.hostname" . 
}} false;
+{{- include "pulsar.component.zookeeper.tls.settings" (dict "component" 
"zookeeper" "isClient" false) -}}
+{{- end }}
+{{- end }}
+
+{{- define "pulsar.component.zookeeper.tls.settings" }}
+{{- $component := .component -}}
+{{- $isClient := .isClient -}}
+{{- $keyFile := printf "/pulsar/certs/%s/tls-combined.pem" $component -}}
+{{- $caFile := "/pulsar/certs/ca/ca.crt" -}}
+{{- if $isClient }}
+echo $'\n' >> conf/pulsar_env.sh
+echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} 
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty 
-Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true 
-Dzookeeper.ssl.keyStore.location={{- $keyFile }} 
-Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- 
$caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
+echo $'\n' >> conf/bkenv.sh
+echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} 
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty 
-Dzookeeper.client.secure=true -Dzookeeper.client.certReload=true 
-Dzookeeper.ssl.keyStore.location={{- $keyFile }} 
-Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- 
$caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/bkenv.sh
+{{- else }}
+echo $'\n' >> conf/pulsar_env.sh
+echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} 
-Dzookeeper.ssl.keyStore.location={{- $keyFile }} 
-Dzookeeper.ssl.keyStore.type=PEM -Dzookeeper.ssl.trustStore.location={{- 
$caFile }} -Dzookeeper.ssl.trustStore.type=PEM\"" >> conf/pulsar_env.sh
 {{- end }}
 {{- end }}
 
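Review bot: The new `pulsar.component.zookeeper.tls.settings` define has no `{{/* ... */}}` header, while the neighbouring defines (e.g. `pulsar.zookeeper.tls.settings` directly above it) document themselves that way, and neither its two dict keys nor its whitespace contract are obvious from the body. I'd add above the define a comment along the lines of: `Define ZooKeeper TLS JVM options for a component. Params: component (directory name under /pulsar/certs), isClient (true for ZooKeeper clients, false for the ZooKeeper server). Points the PEM keystore at tls-combined.pem (private key + certificate, produced by cert-manager's CombinedPEM output) and the truststore at ca.crt. Output does not end in a newline, so callers must include it with a trailing }} rather than -}}.` The last part is what the `-}}` → `}}` changes in `_autorecovery.tpl` and `_bookkeeper.tpl` in this commit appear to rely on. Separately, only the client branch sets `-Dzookeeper.client.certReload=true`; if the ZooKeeper server does not reload a renewed `tls-combined.pem` on its own, the server branch would keep serving the old certificate until restart, which is worth confirming against the ZooKeeper version in use and recording in the comment either way.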
diff --git a/charts/pulsar/templates/keytool.yaml 
b/charts/pulsar/templates/keytool.yaml
deleted file mode 100644
index 43cec2d..0000000
--- a/charts/pulsar/templates/keytool.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# script to process key/cert to keystore and truststore
-{{- if .Values.tls.zookeeper.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-  namespace: {{ template "pulsar.namespace" . }}
-  labels:
-    {{- include "pulsar.standardLabels" . | nindent 4 }}
-    component: keytool 
-data:
-  keytool.sh: |
-    #!/bin/bash
-    component=$1
-    name=$2
-    isClient=$3
-    crtFile=/pulsar/certs/${component}/tls.crt
-    keyFile=/pulsar/certs/${component}/tls.key
-    caFile=/pulsar/certs/ca/ca.crt
-    tlsDir=/tmp/pulsar-tls$$
-    p12File=${tlsDir}/${component}.p12
-    keyStoreFile=${tlsDir}/${component}.keystore.jks
-    trustStoreFile=${tlsDir}/${component}.truststore.jks
-
-    # create tmp dir for keystore and truststore files
-    mkdir ${tlsDir}
-    chmod 0700 ${tlsDir}
-    
-    function checkFile() {
-        local file=$1
-        local len=$(wc -c ${file} | awk '{print $1}')
-        echo "processing ${file} : len = ${len}"
-        if [ ! -f ${file} ]; then
-            echo "${file} is not found"
-            return -1
-        fi
-        if [ $len -le 0 ]; then
-            echo "${file} is empty"
-            return -1
-        fi
-    }
-
-    function ensureFileNotEmpty() {
-        local file=$1
-        until checkFile ${file}; do
-            echo "file isn't initialized yet ... check in 3 seconds ..." && 
sleep 3;
-        done;
-    }
-    
-    ensureFileNotEmpty ${crtFile}
-    ensureFileNotEmpty ${keyFile}
-    ensureFileNotEmpty ${caFile}
-    
-    PASSWORD=$(head /dev/urandom | base64 | head -c 24)
-    
-    openssl pkcs12 \
-        -export \
-        -in ${crtFile} \
-        -inkey ${keyFile} \
-        -out ${p12File} \
-        -name ${name} \
-        -passout "pass:${PASSWORD}"
-    
-    keytool -importkeystore \
-        -srckeystore ${p12File} \
-        -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
-        -alias ${name} \
-        -destkeystore ${keyStoreFile} \
-        -deststorepass "${PASSWORD}"
-    
-    keytool -import \
-        -file ${caFile} \
-        -storetype JKS \
-        -alias ${name} \
-        -keystore ${trustStoreFile} \
-        -storepass "${PASSWORD}" \
-        -trustcacerts -noprompt
-    
-    ensureFileNotEmpty ${keyStoreFile}
-    ensureFileNotEmpty ${trustStoreFile}
-    
-    if [[ "x${isClient}" == "xtrue" ]]; then
-        echo $'\n' >> conf/pulsar_env.sh
-        echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} 
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty 
-Dzookeeper.client.secure=true 
-Dzookeeper.ssl.keyStore.location=${keyStoreFile} 
-Dzookeeper.ssl.keyStore.password=${PASSWORD} 
-Dzookeeper.ssl.trustStore.location=${trustStoreFile} 
-Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
-        echo $'\n' >> conf/bkenv.sh
-        echo "BOOKIE_EXTRA_OPTS=\"\${BOOKIE_EXTRA_OPTS} 
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty 
-Dzookeeper.client.secure=true 
-Dzookeeper.ssl.keyStore.location=${keyStoreFile} 
-Dzookeeper.ssl.keyStore.password=${PASSWORD} 
-Dzookeeper.ssl.trustStore.location=${trustStoreFile} 
-Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
-    else
-        echo $'\n' >> conf/pulsar_env.sh
-        echo "PULSAR_EXTRA_OPTS=\"\${PULSAR_EXTRA_OPTS} 
-Dzookeeper.ssl.keyStore.location=${keyStoreFile} 
-Dzookeeper.ssl.keyStore.password=${PASSWORD} 
-Dzookeeper.ssl.trustStore.location=${trustStoreFile} 
-Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
-    fi
-{{- end }}
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml 
b/charts/pulsar/templates/proxy-statefulset.yaml
index f7235ba..9324a69 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -311,6 +311,10 @@ spec:
                 path: tls.crt
               - key: tls.key
                 path: tls.key
+{{- if .Values.tls.zookeeper.enabled }}
+              - key: tls-combined.pem
+                path: tls-combined.pem
+{{- end }}
         {{- end}}
       {{- end}}
 {{- end }}
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml 
b/charts/pulsar/templates/tls-certs-internal.yaml
index ffe616a..08fd2b3 100644
--- a/charts/pulsar/templates/tls-certs-internal.yaml
+++ b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -21,323 +21,27 @@
 
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.proxy.cert_name }}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.proxy.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component 
}}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  # At least one of a DNS Name, USI SAN, or IP address is required.
-  dnsNames:
-{{- if .Values.tls.proxy.dnsNames }}
-{{ toYaml .Values.tls.proxy.dnsNames | indent 4 }}
-{{- end }}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}.{{ 
template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.proxy "tlsConfig" .Values.tls.proxy) }}
 ---
 {{- end }}
 {{- end }}
 
 {{- if or .Values.tls.broker.enabled (or .Values.tls.bookie.enabled 
.Values.tls.zookeeper.enabled) }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.broker.cert_name }}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.broker.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component 
}}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  # At least one of a DNS Name, USI SAN, or IP address is required.
-  dnsNames:
-{{- if .Values.tls.broker.dnsNames }}
-{{ toYaml .Values.tls.broker.dnsNames | indent 4 }}
-{{- end}}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}.{{ 
template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.broker "tlsConfig" .Values.tls.broker) }}
 ---
 {{- end }}
 
 {{- if or .Values.tls.bookie.enabled .Values.tls.zookeeper.enabled }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.bookie.cert_name }}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.bookie.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.bookkeeper.component }}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  dnsNames:
-{{- if .Values.tls.bookie.dnsNames }}
-{{ toYaml .Values.tls.bookie.dnsNames | indent 4 }}
-{{- end }}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component 
}}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.bookkeeper "tlsConfig" .Values.tls.bookie) }}
 ---
 {{- end }}
 
 {{- if .Values.tls.zookeeper.enabled }}
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ 
.Values.tls.autorecovery.cert_name }}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.autorecovery.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.autorecovery.component }}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  dnsNames:
-{{- if .Values.tls.autorecovery.dnsNames }}
-{{ toYaml .Values.tls.autorecovery.dnsNames | indent 4 }}
-{{- end }}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component 
}}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component 
}}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.autorecovery "tlsConfig" .Values.tls.autorecovery) }}
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.toolset.cert_name 
}}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.toolset.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component 
}}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  dnsNames:
-{{- if .Values.tls.toolset.dnsNames }}
-{{ toYaml .Values.tls.toolset.dnsNames | indent 4 }}
-{{- end }}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component 
}}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.toolset "tlsConfig" .Values.tls.toolset) }}
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Certificate
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.tls.zookeeper.cert_name 
}}"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  # Secret names are always required.
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.zookeeper.cert_name }}"
-  duration: "{{ .Values.tls.common.duration }}"
-  renewBefore: "{{ .Values.tls.common.renewBefore }}"
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  subject:
-    organizations:
-{{ toYaml .Values.tls.common.organization | indent 4 }}
-  {{- else }}
-  organization:
-{{ toYaml .Values.tls.common.organization | indent 2 }}
-  {{- end }}
-  # The use of the common name field has been deprecated since 2000 and is
-  # discouraged from being used.
-  commonName: "{{ template "pulsar.fullname" . }}-{{ 
.Values.zookeeper.component }}"
-  isCA: false
-  {{- if eq .Values.certs.internal_issuer.apiVersion "cert-manager.io/v1" }}
-  privateKey:
-    size: {{ .Values.tls.common.keySize }}
-    algorithm: {{ .Values.tls.common.keyAlgorithm }}
-    encoding: {{ .Values.tls.common.keyEncoding }}
-  {{- else }}
-  keySize: {{ .Values.tls.common.keySize }}
-  keyAlgorithm: {{ .Values.tls.common.keyAlgorithm }}
-  keyEncoding: {{ .Values.tls.common.keyEncoding }}
-  {{- end }}
-  usages:
-    - server auth
-    - client auth
-  dnsNames:
-{{- if .Values.tls.zookeeper.dnsNames }}
-{{ toYaml .Values.tls.zookeeper.dnsNames | indent 4 }}
-{{- end }}
-    -  "*.{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component 
}}.{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
-  # Issuer references are always required.
-  issuerRef:
-    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+{{ include "pulsar.cert.template" (dict "root" . "componentConfig" 
.Values.zookeeper "tlsConfig" .Values.tls.zookeeper) }}
 {{- end }}
 
 {{- end }}
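Review bot: With the shared template, the proxy Certificate at `{{ include "pulsar.cert.template" (dict "root" . "componentConfig" .Values.proxy "tlsConfig" .Values.tls.proxy) }}` also receives `additionalOutputFormats: CombinedPEM` whenever `tls.zookeeper.enabled` is set, because `pulsar.cert.template` decides on that flag alone rather than on whether the component talks to ZooKeeper. Nothing in this commit runs `pulsar.component.zookeeper.tls.settings` for the proxy, so the extra `tls-combined.pem` key (and the matching projection added in `proxy-statefulset.yaml`) looks like an unneeded second copy of the proxy's private key that additionally ties the proxy's volume mount to the cert-manager feature gate. If that reading is right, an explicit dict flag, e.g. `"combinedPem" true` passed only from the ZooKeeper-facing includes and `{{- if .combinedPem }}` in the template, keeps the proxy unaffected.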
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml 
b/charts/pulsar/templates/zookeeper-statefulset.yaml
index fc7554f..292642a 100755
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -227,9 +227,6 @@ spec:
         - mountPath: "/pulsar/certs/ca"
           name: ca
           readOnly: true
-        - name: keytool
-          mountPath: "/pulsar/keytool/keytool.sh"
-          subPath: keytool.sh
         {{- end }}
         {{- if .Values.zookeeper.extraVolumeMounts }}
 {{ toYaml .Values.zookeeper.extraVolumeMounts | indent 8 }}
@@ -251,16 +248,14 @@ spec:
               path: tls.crt
             - key: tls.key
               path: tls.key
+            - key: tls-combined.pem
+              path: tls-combined.pem
       - name: ca
         secret:
           secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           items:
             - key: ca.crt
               path: ca.crt
-      - name: keytool
-        configMap:
-          name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
-          defaultMode: 0755
       {{- end}}
       {{- include "pulsar.imagePullSecrets" . | nindent 6}}
 {{- if and (and .Values.persistence .Values.volumes.persistence) 
.Values.zookeeper.volumes.persistence }}
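Review bot: The new `tls-combined.pem` item in the zookeeper TLS secret volume is only present when the issuing cert-manager emits that additional output format (the feature gate the README calls out); against an older cert-manager without the gate, a secret volume whose `items` names an absent key fails to mount and the pod sits in ContainerCreating with nothing pointing at the gate as the cause. A comment above the item would spare an operator that diagnosis, e.g. `# emitted by cert-manager only with the AdditionalCertificateOutputFormats feature gate (default from 1.15); the mount fails if the key is absent`. The enclosing volumes list and this secret's `secretName` line begin above the hunk, so whether the volume carries a restrictive `defaultMode` for the key-bearing PEM is not visible here.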
diff --git a/scripts/cert-manager/install-cert-manager.sh 
b/scripts/cert-manager/install-cert-manager.sh
index 8e63066..b35a334 100755
--- a/scripts/cert-manager/install-cert-manager.sh
+++ b/scripts/cert-manager/install-cert-manager.sh
@@ -25,7 +25,7 @@ set -e
 NAMESPACE=cert-manager
 NAME=cert-manager
 # check compatibility with k8s versions from 
https://cert-manager.io/docs/installation/supported-releases/
-VERSION=v1.12.16
+VERSION=v1.12.17
 
 # Install cert-manager CustomResourceDefinition resources
 echo "Installing cert-manager CRD resources ..."
@@ -41,10 +41,12 @@ echo "Updating local helm chart repository cache ..."
 helm repo update
 
 echo "Installing cert-manager ${VERSION} to namespace ${NAMESPACE} as 
'${NAME}' ..."
-helm install \
+helm upgrade \
+  --install \
   --namespace ${NAMESPACE} \
   --create-namespace \
   --version ${VERSION} \
+  --set featureGates=AdditionalCertificateOutputFormats=true \
   ${NAME} \
   jetstack/cert-manager
 echo "Successfully installed cert-manager ${VERSION}."
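Review bot: `--set featureGates=AdditionalCertificateOutputFormats=true` enables the gate on the cert-manager controller only; cert-manager's documentation for additional output formats describes enabling the same gate on the webhook component, which validates the `additionalOutputFormats` field on Certificate resources, so with this script alone the chart's Certificates may still be rejected at admission — worth verifying against the pinned 1.12.17 chart, where the corresponding value is, as far as I recall, `webhook.featureGates`. Separately, `${NAMESPACE}`, `${NAME}` and `${VERSION}` are expanded unquoted on the `helm upgrade` line; `"${NAMESPACE}"`, `"${NAME}"` and `"${VERSION}"` is the conventional form in a `set -e` script even though these values are fixed above.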

