add template for ca issuer name and secret name (#565)

gulecroc · GLECROC · lhotari · web-flow · commit 1180db46cd07 · 2025-05-23T16:22:17.000+03:00
* set template for ca issuer name and secret name + geo-replication installation example

* remove geo-replication from this PR

* use certs template to define ca name and secret name

* Handle proxy, toolset and zookeeper in the same way as others

* Make the logic more consistent by separating the selfsigning issuer configuration

---------

Co-authored-by: GLECROC &lt;guillaume.lecroc@cnp.fr&gt;
Co-authored-by: Lari Hotari &lt;lhotari@users.noreply.github.com&gt;
Co-authored-by: Lari Hotari &lt;lhotari@apache.org&gt;
diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl
@@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl
@@ -75,12 +75,7 @@ Define bookie tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl
@@ -81,12 +81,7 @@ Define broker tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.name -}}
+{{- .Values.certs.issuers.selfsigning.name -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.name is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.internal_issuer.enabled -}}
+{{- if and (eq .Values.certs.internal_issuer.type "selfsigning") .Values.certs.issuers.selfsigning.secretName -}}
+{{- .Values.certs.issuers.selfsigning.secretName -}}
+{{- else if and (eq .Values.certs.internal_issuer.type "ca") .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Values.tls.ca_suffix -}}
+{{- end -}}
+{{- else -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{- fail "certs.issuers.ca.secretName is required when TLS is enabled and certs.internal_issuer.enabled is false" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl
@@ -74,12 +74,7 @@ Define toolset tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -299,12 +299,7 @@ spec:
         {{- if .Values.tls.proxy.enabled }}
         - name: ca
           secret:
-            {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-            secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-            {{- end }}
-            {{- if eq .Values.certs.internal_issuer.type "ca" }}
-            secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-            {{- end }}
+            secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
             items:
               - key: ca.crt
                 path: ca.crt
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -33,7 +33,7 @@ metadata:
   name: "{{ template "pulsar.fullname" . }}-ca"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+  secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
   commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
   duration: "{{ .Values.certs.internal_issuer.duration }}"
   renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@@ -50,23 +50,13 @@ spec:
     # if you are using an external issuer, change this to that issuer group.
     group: cert-manager.io
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Issuer
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  ca:
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
 {{- end }}
-{{- if eq .Values.certs.internal_issuer.type "ca" }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   ca:
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-{{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 {{- end }}
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -18,7 +18,6 @@
 #
 
 {{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}
 
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
@@ -66,7 +65,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -122,7 +121,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -176,7 +175,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -230,7 +229,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -281,7 +280,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -332,7 +331,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -342,4 +341,3 @@ spec:
 {{- end }}
 
 {{- end }}
-{{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -125,12 +125,7 @@ spec:
       {{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
       - name: proxy-ca
         secret:
-          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-          {{- end }}
-          {{- if eq .Values.certs.internal_issuer.type "ca" }}
-          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-          {{- end }}
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           items:
             - key: ca.crt
               path: ca.crt
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -253,12 +253,7 @@ spec:
               path: tls.key
       - name: ca
         secret:
-          {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-          {{- end }}
-          {{- if eq .Values.certs.internal_issuer.type "ca" }}
-          secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-          {{- end }}
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           items:
             - key: ca.crt
               path: ca.crt
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
@@ -315,13 +315,15 @@ auth:
 ######################################################################
 
 ## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
 ##
 ## Cert manager is used for automatically provisioning TLS certificates
 ## for components within a Pulsar cluster
 certs:
   internal_issuer:
     apiVersion: cert-manager.io/v1
+    # To enable internal issuer for TLS certificates, set this to true
+    # It is necessary to have cert-manager installed in the cluster
     enabled: false
     component: internal-cert-issuer
     # The type of issuer, supports selfsigning and ca
@@ -331,10 +333,19 @@ certs:
     # 15d
     renewBefore: 360h
   issuers:
-    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
+    # Used for certs.internal_issuer.type as selfsigning
     selfsigning:
-    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+      # The name of the issuer, if not specified, the default value is used
+      name:
+      # The secret name of the selfsigned CA certificate, if not specified, the default value is used
+      secretName:
+    # used for certs.internal_issuer.type as ca or when internal_issuer is disabled
     ca:
+      # The name of the issuer, it is mandatory to specify this value if TLS is enabled
+      # and selfsigning is not used
+      name:
+      # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
+      # and selfsigning is not used
       secretName:
 
 ######################################################################
