This is an automated email from the ASF dual-hosted git repository. sijie pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push: new f307cc3 updates pulsar ca name generation to use suffix making cert swappable (#141) f307cc3 is described below commit f307cc32af530c369c34a021bb6c96f2d4907fcd Author: Peter Tinti <volgor...@gmail.com> AuthorDate: Wed Aug 25 23:14:03 2021 -0700 updates pulsar ca name generation to use suffix making cert swappable (#141) Updates CA name generation to be configurable allowing the swapping in of a CA. ### Motivation We recently swapped out cert issuers and found that with the current helm chart we were unable to do a hot swap without downtime (via helm) because the CA cert name is not configurable. Being able to change the name of the CA allows us to create a new CA first -> Validate -> then swap over in follow up apply/release. ### Modifications Adds the ability to specify the suffix used to generate the CA name (not the whole name in order to preserve back compatibility regardless of the release name.) --- charts/pulsar/templates/_autorecovery.tpl | 2 +- charts/pulsar/templates/_bookkeeper.tpl | 2 +- charts/pulsar/templates/_broker.tpl | 2 +- charts/pulsar/templates/_toolset.tpl | 2 +- charts/pulsar/templates/proxy-statefulset.yaml | 2 +- charts/pulsar/templates/tls-cert-internal-issuer.yaml | 4 ++-- charts/pulsar/templates/toolset-statefulset.yaml | 2 +- charts/pulsar/templates/zookeeper-statefulset.yaml | 2 +- charts/pulsar/values.yaml | 1 + scripts/pulsar/clean_tls.sh | 9 ++++++++- scripts/pulsar/upload_tls.sh | 9 ++++++++- 11 files changed, 26 insertions(+), 11 deletions(-) diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl index e1e74d5..8343589 100644 --- a/charts/pulsar/templates/_autorecovery.tpl +++ b/charts/pulsar/templates/_autorecovery.tpl 
@@ -55,7 +55,7 @@ Define autorecovery tls certs volumes path: tls.key - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl index bd319ff..5b96953 100644 --- a/charts/pulsar/templates/_bookkeeper.tpl +++ b/charts/pulsar/templates/_bookkeeper.tpl @@ -56,7 +56,7 @@ Define bookie tls certs volumes path: tls.key - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl index 758a0b6..5614e8e 100644 --- a/charts/pulsar/templates/_broker.tpl +++ b/charts/pulsar/templates/_broker.tpl @@ -62,7 +62,7 @@ Define broker tls certs volumes path: tls.key - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl index 5b149b5..c6bf857 100644 --- a/charts/pulsar/templates/_toolset.tpl +++ b/charts/pulsar/templates/_toolset.tpl @@ -55,7 +55,7 @@ Define toolset tls certs volumes path: tls.key - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml index 96c24bf..0433d1b 100644 --- a/charts/pulsar/templates/proxy-statefulset.yaml +++ b/charts/pulsar/templates/proxy-statefulset.yaml @@ -260,7 +260,7 @@ spec: {{- if .Values.tls.proxy.enabled }} - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt 
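Review bot: The new `secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"` interpolates `tls.ca_suffix` with no fallback, so a values override that leaves it empty renders `secretName: "<release>-"` and the pod sits in ContainerCreating waiting for a Secret that cannot exist, instead of failing at render time. Guarding the expression, e.g. `secretName: "{{ .Release.Name }}-{{ required "tls.ca_suffix must be set" .Values.tls.ca_suffix }}"`, makes `helm install`/`upgrade` reject the misconfiguration up front (`default "ca-tls"` would be the lenient alternative). The same unguarded expression is introduced in _bookkeeper.tpl, _broker.tpl, _toolset.tpl, proxy-statefulset.yaml, both hunks of tls-cert-internal-issuer.yaml, toolset-statefulset.yaml and zookeeper-statefulset.yaml; whichever form is chosen should be applied to all of them. The `define` block this hunk sits in starts outside the hunk.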
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml index 60ac91a..e9c3a2f 100644 --- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml +++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml @@ -34,7 +34,7 @@ metadata: name: "{{ template "pulsar.fullname" . }}-ca" namespace: {{ template "pulsar.namespace" . }} spec: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}" duration: "{{ .Values.certs.internal_issuer.duration }}" renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}" @@ -59,6 +59,6 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: ca: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" {{- end }} {{- end }} diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml index 1f50c7d..8e3b8d5 100644 --- a/charts/pulsar/templates/toolset-statefulset.yaml +++ b/charts/pulsar/templates/toolset-statefulset.yaml @@ -112,7 +112,7 @@ spec: {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }} - name: proxy-ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml index 9b36634..f1ffb88 100644 --- a/charts/pulsar/templates/zookeeper-statefulset.yaml +++ b/charts/pulsar/templates/zookeeper-statefulset.yaml @@ -205,7 +205,7 @@ spec: path: tls.key - name: ca secret: - secretName: "{{ .Release.Name }}-ca-tls" + secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}" items: - key: ca.crt path: ca.crt 
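Review bot: In tls-cert-internal-issuer.yaml both the Certificate's `secretName` and the Issuer's `ca.secretName` now follow `tls.ca_suffix`, so changing the suffix on an existing release that uses the internal issuer renames both in the same upgrade; as far as cert-manager's behaviour can be read from here, that presumably issues a fresh CA key pair into the new Secret and, together with the volume hunks, switches every component's trust anchor at once, which is a one-step cutover rather than the staged create → validate → swap the commit description aims for. The previous `<release>-ca-tls` Secret, holding the old CA private key, is presumably not removed by Helm since it was created by cert-manager. Suggest documenting this next to the new key in values.yaml, along the lines of `## With certs.internal_issuer, changing ca_suffix reissues the CA into the new Secret and switches all components in one upgrade; delete the old <release>-<previous suffix> Secret afterwards.`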
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml index 88e8942..8a218a8 100644 --- a/charts/pulsar/values.yaml +++ b/charts/pulsar/values.yaml @@ -191,6 +191,7 @@ images: ## brokers and proxies. tls: enabled: false + ca_suffix: ca-tls # common settings for generating certs common: # 90d diff --git a/scripts/pulsar/clean_tls.sh b/scripts/pulsar/clean_tls.sh index 8dba53d..092e7d4 100755 --- a/scripts/pulsar/clean_tls.sh +++ b/scripts/pulsar/clean_tls.sh @@ -25,6 +25,7 @@ cd ${CHART_HOME} namespace=${namespace:-pulsar} release=${release:-pulsar-dev} +caSuffix=${caSuffix:-ca-tls} clientComponents=${clientComponents:-"toolset"} serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"} @@ -35,6 +36,7 @@ Options: -h,--help prints the usage message -n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}. -k,--release the pulsar helm release name. Default to ${release}. + -ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}. -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}. -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}. Usage: @@ -57,6 +59,11 @@ case $key in shift shift ;; + -ca|--ca-suffix) + caSuffix="$2" + shift + shift + ;; -c|--client-components) clientComponents="$2" shift @@ -80,7 +87,7 @@ esac done function delete_ca() { - local tls_ca_secret="${release}-ca-tls" + local tls_ca_secret="${release}-${caSuffix}" kubectl delete secret ${tls_ca_secret} -n ${namespace} } diff --git a/scripts/pulsar/upload_tls.sh b/scripts/pulsar/upload_tls.sh index 3485089..7a993fe 100755 --- a/scripts/pulsar/upload_tls.sh +++ b/scripts/pulsar/upload_tls.sh 
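Review bot: `ca_suffix: ca-tls` is added to values.yaml without a comment, and the same default is repeated as `caSuffix=${caSuffix:-ca-tls}` in clean_tls.sh and upload_tls.sh, so a reader has no way to tell that the three must agree or that the Secret name is `<release>-<ca_suffix>`. Suggest a comment above the key: `## Suffix appended to the release name to form the CA Secret name (<release>-<ca_suffix>). Must match the --ca-suffix given to scripts/pulsar/upload_tls.sh and clean_tls.sh, which carry their own copy of this default.`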
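Review bot: `caSuffix` taken from `-ca|--ca-suffix` flows unvalidated into `local tls_ca_secret="${release}-${caSuffix}"` and from there into the unquoted `kubectl delete secret ${tls_ca_secret}`, so a value containing whitespace or glob characters is word-split into extra arguments and the delete can address a Secret other than the intended one; the same path exists in upload_tls.sh, where the unquoted name reaches `kubectl create secret generic`. A conservative allowlist after the option loop, e.g. `[[ "${caSuffix}" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]] || { echo "invalid --ca-suffix: ${caSuffix}" >&2; exit 1; }`, rejects anything that is not a plain DNS-1123 label (stricter than Kubernetes requires, but enough for a suffix), and the two `${tls_ca_secret}` uses should be quoted. As a point of style, `-ca` is a two-character short option among otherwise single-letter ones (`-n`, `-k`, `-c`, `-s`); it works because `case` matches whole strings, but it breaks the pattern and reads as `-c` plus `a` at a glance, so keeping only `--ca-suffix` would be clearer. The delete_ca function's body and the surrounding option loop continue outside the hunks shown.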
@@ -25,6 +25,7 @@ cd ${CHART_HOME} namespace=${namespace:-pulsar} release=${release:-pulsar-dev} +caSuffix=${caSuffix:-ca-tls} tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"} clientComponents=${clientComponents:-""} serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"} @@ -37,6 +38,7 @@ Options: -h,--help prints the usage message -n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}. -k,--release the pulsar helm release name. Default to ${release}. + -ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}. -d,--dir the dir for storing tls certs. Default to ${tlsdir}. -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}. -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}. @@ -61,6 +63,11 @@ case $key in shift shift ;; + -ca|--ca-suffix) + caSuffix="$2" + shift + shift + ;; -d|--dir) tlsdir="$2" shift @@ -95,7 +102,7 @@ done ca_cert_file=${tlsdir}/certs/ca.cert.pem function upload_ca() { - local tls_ca_secret="${release}-ca-tls" + local tls_ca_secret="${release}-${caSuffix}" kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client} }