diff --git a/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml b/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml
new file mode 100644
index 000000000..668894675
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml
@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00
diff --git a/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml b/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml
new file mode 100644
index 000000000..f015e276f
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml
@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00
diff --git a/.changes/unreleased/operator-Changed-20250918-152741.yaml b/.changes/unreleased/operator-Changed-20250918-152741.yaml
new file mode 100644
index 000000000..8cb3cc43a
--- /dev/null
+++ b/.changes/unreleased/operator-Changed-20250918-152741.yaml
@@ -0,0 +1,4 @@
+project: operator
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00
diff --git a/.changes/unreleased/operator-Fixed-20250918-152623.yaml b/.changes/unreleased/operator-Fixed-20250918-152623.yaml
new file mode 100644
index 000000000..b8c3b2d41
--- /dev/null
+++ b/.changes/unreleased/operator-Fixed-20250918-152623.yaml
@@ -0,0 +1,4 @@
+project: operator
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00
diff --git a/charts/redpanda/cert_issuers.go b/charts/redpanda/cert_issuers.go
index 328d4fdb7..10e1ceb32 100644
--- a/charts/redpanda/cert_issuers.go
+++ b/charts/redpanda/cert_issuers.go
@@ -35,11 +35,17 @@ func certIssuersAndCAs(state *RenderState) ([]*certmanagerv1.Issuer, []*certmana
 var issuers []*certmanagerv1.Issuer
 var certs []*certmanagerv1.Certificate
- if !TLSEnabled(state) {
- return issuers, certs
+ inUseCerts := map[string]bool{}
+ for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) {
+ inUseCerts[name] = true
 }
+ for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) {
+ inUseCerts[name] = true
+ }
+
+ for name := range helmette.SortedMap(inUseCerts) {
+ data := state.Values.TLS.Certs.MustGet(name)
- for name, data := range helmette.SortedMap(state.Values.TLS.Certs) {
 // If this certificate is disabled (.Enabled), provided directly by the
 // end user (.SecretRef), or has an issuer provided (.IssuerRef), we
 // don't need to bootstrap an issuer.
@@ -128,7 +134,7 @@ func certIssuersAndCAs(state *RenderState) ([]*certmanagerv1.Issuer, []*certmana
 Spec: certmanagerv1.IssuerSpec{
 IssuerConfig: certmanagerv1.IssuerConfig{
 CA: &certmanagerv1.CAIssuer{
- SecretName: fmt.Sprintf(`%s-%s-root-certificate`, Fullname(state), name),
+ SecretName: data.RootSecretName(state, name),
 },
 },
 },
diff --git a/charts/redpanda/certs.go b/charts/redpanda/certs.go
index 03ed1ae2d..c6789738f 100644
--- a/charts/redpanda/certs.go
+++ b/charts/redpanda/certs.go
@@ -23,10 +23,6 @@ import (
 )
 func ClientCerts(state *RenderState) []*certmanagerv1.Certificate {
- if !TLSEnabled(state) {
- return []*certmanagerv1.Certificate{}
- }
-
 fullname := Fullname(state)
 service := ServiceName(state)
 ns := state.Release.Namespace
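Review bot: The two loops that fold `InUseServerCerts` and `InUseClientCerts` into `inUseCerts` rebuild a set that `ClientCerts` in certs.go walks again, and nothing on the new side says what happens when a listener names a cert that `tls.certs` does not define; before this change the loop only visited defined certs, whereas `MustGet` presumably now fails the render. A comment above the first loop would make both the scope and the failure mode explicit: `// Only certs referenced by a listener get an issuer; MustGet fails the render if a listener names a cert missing from tls.certs.` If a `Listeners.InUseCerts(&state.Values.TLS)` helper returning the sorted union is cheap to add, it would remove the duplicated set-building here and in ClientCerts. With the `TLSEnabled` guard gone, whether a globally disabled `tls.enabled` still yields no issuers now rests entirely on the InUse* helpers, which are outside this diff. certIssuersAndCAs continues past the hunk.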
@@ -35,8 +31,11 @@ func ClientCerts(state *RenderState) []*certmanagerv1.Certificate {
 domain := strings.TrimSuffix(state.Values.ClusterDomain, ".")
 var certs []*certmanagerv1.Certificate
- for name, data := range helmette.SortedMap(state.Values.TLS.Certs) {
- if !helmette.Empty(data.SecretRef) || !ptr.Deref(data.Enabled, true) {
+ for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) {
+ data := state.Values.TLS.Certs.MustGet(name)
+
+ // Don't generate server Certificates if a secret is provided.
+ if !helmette.Empty(data.SecretRef) {
 continue
 }
@@ -83,7 +82,7 @@ func ClientCerts(state *RenderState) []*certmanagerv1.Certificate {
 Duration: helmette.MustDuration(duration),
 IsCA: false,
 IssuerRef: issuerRef,
- SecretName: fmt.Sprintf("%s-%s-cert", fullname, name),
+ SecretName: data.ServerSecretName(state, name),
 PrivateKey: &certmanagerv1.CertificatePrivateKey{
 Algorithm: "ECDSA",
 Size: 256,
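Review bot: The server-cert skip on the new side checks only `data.SecretRef`; the removed condition also skipped certs with `enabled: false` via `!ptr.Deref(data.Enabled, true)`, and the issuer loop in cert_issuers.go still skips disabled certs. Unless `InUseServerCerts` already filters disabled certs out (it is outside this diff), an in-use cert with `enabled: false` now gets a Certificate whose default issuerRef points at `$fullname-$name-root-issuer`, which is never created, so it can never become Ready. Either restore the check, `if !helmette.Empty(data.SecretRef) || !ptr.Deref(data.Enabled, true) {`, or document the guarantee the helper provides, `// InUseServerCerts never returns disabled certs.` The same question applies to the client-cert loop in the @@ -92 hunk below, which has no enabled check either. ClientCerts starts and ends outside this hunk.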
@@ -92,49 +91,54 @@ func ClientCerts(state *RenderState) []*certmanagerv1.Certificate {
 })
 }
- name := state.Values.Listeners.Kafka.TLS.Cert
+ for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) {
+ data := state.Values.TLS.Certs.MustGet(name)
- data, ok := state.Values.TLS.Certs[name]
- if !ok {
- panic(fmt.Sprintf("Certificate %q referenced but not defined", name))
- }
+ if data.SecretRef != nil && data.ClientSecretRef == nil {
+ panic(fmt.Sprintf(".clientSecretRef MUST be set if .secretRef is set and require_client_auth is true: Cert %q", name))
+ }
- if !helmette.Empty(data.SecretRef) || !ClientAuthRequired(state) {
- return certs
- }
+ // Don't generate a client Certificate if a client secret is provided.
+ if data.ClientSecretRef != nil {
+ continue
+ }
- issuerRef := cmmetav1.ObjectReference{
- Group: "cert-manager.io",
- Kind: "Issuer",
- Name: fmt.Sprintf("%s-%s-root-issuer", fullname, name),
- }
+ issuerRef := cmmetav1.ObjectReference{
+ Group: "cert-manager.io",
+ Kind: "Issuer",
+ Name: fmt.Sprintf("%s-%s-root-issuer", fullname, name),
+ }
- if data.IssuerRef != nil {
- issuerRef = *data.IssuerRef
- issuerRef.Group = "cert-manager.io"
- }
+ if data.IssuerRef != nil {
+ issuerRef = *data.IssuerRef
+ issuerRef.Group = "cert-manager.io"
+ }
+
+ duration := helmette.Default("43800h", data.Duration)
- duration := helmette.Default("43800h", data.Duration)
-
- return append(certs, &certmanagerv1.Certificate{
- TypeMeta: metav1.TypeMeta{
- APIVersion: "cert-manager.io/v1",
- Kind: "Certificate",
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: fmt.Sprintf("%s-client", fullname),
- Labels: FullLabels(state),
- },
- Spec: certmanagerv1.CertificateSpec{
- CommonName: fmt.Sprintf("%s-client", fullname),
- Duration: helmette.MustDuration(duration),
- IsCA: false,
- SecretName: fmt.Sprintf("%s-client", fullname),
- PrivateKey: &certmanagerv1.CertificatePrivateKey{
- Algorithm: "ECDSA",
- Size: 256,
+ certs = append(certs, &certmanagerv1.Certificate{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "cert-manager.io/v1",
+ Kind: "Certificate",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%s-%s-client", fullname, name),
+ Namespace: state.Release.Namespace,
+ Labels: FullLabels(state),
+ },
+ Spec: certmanagerv1.CertificateSpec{
+ CommonName: fmt.Sprintf("%s--%s-client", fullname, name),
+ Duration: helmette.MustDuration(duration),
+ IsCA: false,
+ SecretName: data.ClientSecretName(state, name),
+ PrivateKey: &certmanagerv1.CertificatePrivateKey{
+ Algorithm: "ECDSA",
+ Size: 256,
+ },
+ IssuerRef: issuerRef,
 },
- IssuerRef: issuerRef,
- },
- })
+ })
+ }
+
+ return certs
 }
diff --git a/charts/redpanda/chart/templates/_cert-issuers.go.tpl b/charts/redpanda/chart/templates/_cert-issuers.go.tpl
index 12cd98736..3213061e3 100644
--- a/charts/redpanda/chart/templates/_cert-issuers.go.tpl
+++ b/charts/redpanda/chart/templates/_cert-issuers.go.tpl
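Review bot: `CommonName: fmt.Sprintf("%s--%s-client", fullname, name)` uses a double dash while the object `Name` a few lines above and the changelog's `$FULLNAME-$CERT-client-cert` use a single one; this reads like a typo, and the CN is the identity the broker sees on mTLS connections, so anything keyed on it (principal-mapping rules, ACLs, superuser lists) would have to match the doubled dash. If it is deliberate, for instance to keep the client CN from colliding with a server certificate's names, say so: `// Double dash keeps the client CN distinct from the server certificate's names.`; otherwise use `CommonName: fmt.Sprintf("%s-%s-client", fullname, name),`. Independently of the dash, every generated client cert's CN changes from the old `$fullname-client` to a per-cert value, which is a rotation event for operators who pinned the old CN in ACLs, and the Changed entry only mentions the secret rename; the changelog should call out the CN change as well. ClientCerts starts outside the hunk.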
@@ -33,18 +33,27 @@ {{- $_is_returning := false -}} {{- $issuers := (coalesce nil) -}} {{- $certs := (coalesce nil) -}} -{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $state)))) "r")) -}} -{{- $_is_returning = true -}} -{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- $inUseCerts := (dict) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $_ := (set $inUseCerts $name true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $_ := (set $inUseCerts $name true) -}} +{{- end -}} +{{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- range $name, $data := $state.Values.tls.certs -}} +{{- range $name, $_ := $inUseCerts -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} {{- if (or (or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true)))) "r")) (ne (toJson $data.secretRef) "null")) (ne (toJson $data.issuerRef) "null")) -}} {{- continue -}} {{- end -}} {{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "namespace" $state.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "selfSigned" 
(mustMergeOverwrite (dict) (dict)))) (dict)))))) -}} {{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "namespace" $state.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list (default "43800h" $data.duration))))) "r"))))) "r") "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" (mustMergeOverwrite (dict "name" "") (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "kind" "Issuer" "group" "cert-manager.io")))))))) -}} -{{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list 
$state)))) "r") $name) "namespace" $state.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "ca" (mustMergeOverwrite (dict "secretName" "") (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name))))) (dict)))))) -}} +{{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name) "namespace" $state.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "ca" (mustMergeOverwrite (dict "secretName" "") (dict "secretName" (get (fromJson (include "redpanda.TLSCert.RootSecretName" (dict "a" (list $data $state $name)))) "r"))))) (dict)))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} diff --git a/charts/redpanda/chart/templates/_certs.go.tpl b/charts/redpanda/chart/templates/_certs.go.tpl index 7e2ff06ca..3045a9afe 100644 --- a/charts/redpanda/chart/templates/_certs.go.tpl +++ b/charts/redpanda/chart/templates/_certs.go.tpl 
@@ -5,18 +5,14 @@ {{- $state := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $state)))) "r")) -}} -{{- $_is_returning = true -}} -{{- (dict "r" (list)) | toJson -}} -{{- break -}} -{{- end -}} {{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") -}} {{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $state)))) "r") -}} {{- $ns := $state.Release.Namespace -}} {{- $domain := (trimSuffix "." $state.Values.clusterDomain) -}} {{- $certs := (coalesce nil) -}} -{{- range $name, $data := $state.Values.tls.certs -}} -{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true)))) "r"))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- if (not (empty $data.secretRef)) -}} {{- continue -}} {{- end -}} {{- $names := (coalesce nil) -}} 
@@ -40,22 +36,18 @@ {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} {{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "") (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name))))))) "r") -}} -{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r") "namespace" $state.Release.Namespace)) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "dnsNames" $names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))))))))) -}} +{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r") "namespace" $state.Release.Namespace)) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "dnsNames" 
$names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $data $state $name)))) "r") "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))))))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $name := $state.Values.listeners.kafka.tls.cert -}} -{{- $_97_data_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $state.Values.tls.certs $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} -{{- $data := (index $_97_data_ok 0) -}} -{{- $ok := (index $_97_data_ok 1) -}} -{{- if (not $ok) -}} -{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- if (and (ne (toJson $data.secretRef) "null") (eq (toJson $data.clientSecretRef) "null")) -}} +{{- $_ := (fail (printf ".clientSecretRef MUST be set if .secretRef is set and require_client_auth is true: Cert %q" $name)) -}} {{- end -}} -{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $state)))) "r"))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $certs) | toJson -}} -{{- break -}} +{{- if (ne (toJson $data.clientSecretRef) "null") -}} +{{- continue -}} {{- end -}} {{- $issuerRef := (mustMergeOverwrite (dict "name" "") (dict "group" "cert-manager.io" "kind" "Issuer" 
"name" (printf "%s-%s-root-issuer" $fullname $name))) -}} {{- if (ne (toJson $data.issuerRef) "null") -}} 
@@ -63,8 +55,13 @@ {{- $_ := (set $issuerRef "group" "cert-manager.io") -}} {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} +{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-client" $fullname $name) "namespace" $state.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "commonName" (printf "%s--%s-client" $fullname $name) "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "secretName" (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $data $state $name)))) "r") "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" $issuerRef)))))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $state)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "commonName" (printf "%s-client" 
$fullname) "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" $issuerRef))))))) | toJson -}} +{{- (dict "r" $certs) | toJson -}} {{- break -}} {{- end -}} {{- end -}} diff --git a/charts/redpanda/chart/templates/_configmap.go.tpl b/charts/redpanda/chart/templates/_configmap.go.tpl index fdb18dc1d..42134a94a 100644 --- a/charts/redpanda/chart/templates/_configmap.go.tpl +++ b/charts/redpanda/chart/templates/_configmap.go.tpl @@ -412,8 +412,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $state.Values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} 
@@ -433,8 +433,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $state.Values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} @@ -454,8 +454,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $state.Values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $state.Values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} 
@@ -479,8 +479,8 @@ {{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $state.Values.listeners.kafka.tls $state.Values.tls)))) "r") -}} {{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $state.Values.tls)))) "r")) -}} {{- if $kafkaTLS.requireClientAuth -}} -{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} -{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $kafkaTLS $state.Values.tls)))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $kafkaTLS $state.Values.tls)))) "r"))) -}} {{- end -}} {{- end -}} {{- $cfg := (dict "brokers" $brokerList) -}} 
@@ -573,9 +573,8 @@ {{- (dict "r" (dict)) | toJson -}} {{- break -}} {{- end -}} -{{- $certName := $r.tls.cert -}} {{- $_is_returning = true -}} -{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $state.Values.tls)))) "r"))) | toJson -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $r.tls $state.Values.tls)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $r.tls $state.Values.tls)))) "r")) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $state.Values.tls)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -601,7 +600,7 @@ {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls)))) "r"))) | toJson -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $internal $tls)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $internal $tls)))) "r")) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -624,17 +623,17 @@ {{- end -}} {{- $enabledOptions := (dict "true" true "1" true "" true) -}} {{- $lockMemory := false -}} -{{- $_672_value_14_ok_15 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--lock-memory" "")))) "r") -}} -{{- $value_14 := (index $_672_value_14_ok_15 0) -}} -{{- $ok_15 := (index $_672_value_14_ok_15 1) -}} +{{- $_670_value_14_ok_15 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--lock-memory" "")))) "r") -}} +{{- $value_14 := (index $_670_value_14_ok_15 0) -}} +{{- $ok_15 := (index $_670_value_14_ok_15 1) -}} {{- if $ok_15 -}} {{- $lockMemory = (ternary (index $enabledOptions $value_14) false (hasKey $enabledOptions $value_14)) -}} {{- $_ := (unset $flags "--lock-memory") -}} {{- end -}} {{- $overprovisioned := false -}} -{{- $_679_value_16_ok_17 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--overprovisioned" "")))) "r") -}} -{{- $value_16 := (index $_679_value_16_ok_17 0) -}} -{{- $ok_17 := (index $_679_value_16_ok_17 1) -}} +{{- $_677_value_16_ok_17 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--overprovisioned" "")))) "r") -}} +{{- $value_16 := (index $_677_value_16_ok_17 0) -}} +{{- $ok_17 := (index $_677_value_16_ok_17 1) -}} {{- if $ok_17 -}} {{- $overprovisioned = (ternary (index $enabledOptions $value_16) false (hasKey $enabledOptions $value_16)) -}} {{- $_ := (unset $flags "--overprovisioned") -}} diff --git a/charts/redpanda/chart/templates/_helpers.go.tpl b/charts/redpanda/chart/templates/_helpers.go.tpl index 7fd3a55e2..16f9820f8 100644 --- a/charts/redpanda/chart/templates/_helpers.go.tpl +++ b/charts/redpanda/chart/templates/_helpers.go.tpl 
@@ -103,74 +103,6 @@ {{- end -}} {{- end -}} -{{- define "redpanda.TLSEnabled" -}} -{{- $state := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := false -}} -{{- if $state.Values.tls.enabled -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} -{{- range $_, $listener := $listeners -}} -{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $state.Dot.Values.AsMap) -}} -{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $state.Dot.Values.AsMap) -}} -{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- $external := (dig "listeners" $listener "external" false $state.Dot.Values.AsMap) -}} -{{- if (empty $external) -}} -{{- continue -}} -{{- end -}} -{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external)))) "r")) -}} -{{- range $_, $key := $keys -}} -{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $state.Dot.Values.AsMap) -}} -{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $state.Dot.Values.AsMap) -}} -{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $state.Dot.Values.AsMap) -}} -{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" false) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - -{{- define "redpanda.ClientAuthRequired" -}} -{{- $state := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- 
$_is_returning := false -}} -{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} -{{- range $_, $listener := $listeners -}} -{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $state.Dot.Values.AsMap) -}} -{{- if (not (empty $required)) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" false) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - {{- define "redpanda.DefaultMounts" -}} {{- $state := (index .a 0) -}} {{- range $_ := (list 1) -}} 
@@ -190,23 +122,19 @@ {{- if (and $sasl_3.enabled (ne $sasl_3.secretRef "")) -}} {{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true)))) -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $state)))) "r") -}} -{{- $certNames := (keys $state.Values.tls.certs) -}} -{{- $_ := (sortAlpha $certNames) -}} -{{- range $_, $name := $certNames -}} -{{- $cert := (ternary (index $state.Values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $state.Values.tls.certs $name)) -}} -{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true)))) "r")) -}} -{{- continue -}} -{{- end -}} -{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name))))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $name)))) "r") "mountPath" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $adminTLS := $state.Values.listeners.admin.tls -}} -{{- if $adminTLS.requireClientAuth -}} -{{- $mounts = (concat (default (list) $mounts) (list 
(mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r")))))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (get (fromJson (include "redpanda.TLSCert.ClientVolumeName" (dict "a" (list $cert $name)))) "r") "mountPath" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} +{{- if $_is_returning -}} +{{- break -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $mounts) | toJson -}} 
@@ -229,28 +157,19 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $volumes := (list) -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $state)))) "r") -}} -{{- $certNames := (keys $state.Values.tls.certs) -}} -{{- $_ := (sortAlpha $certNames) -}} -{{- range $_, $name := $certNames -}} -{{- $cert := (ternary (index $state.Values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $state.Values.tls.certs $name)) -}} -{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true)))) "r")) -}} -{{- continue -}} -{{- end -}} -{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $state $name $cert)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (printf "redpanda-%s-cert" $name))))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $cert $state $name)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $adminTLS := $state.Values.listeners.admin.tls -}} -{{- $cert := (ternary 
(index $state.Values.tls.certs $adminTLS.cert) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $state.Values.tls.certs $adminTLS.cert)) -}} -{{- if $adminTLS.requireClientAuth -}} -{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r")) -}} -{{- if (ne (toJson $cert.clientSecretRef) "null") -}} -{{- $secretName = $cert.clientSecretRef.name -}} -{{- end -}} -{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" $secretName "defaultMode" (0o440 | int))))) (dict "name" "mtls-client")))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $state.Values.listeners $state.Values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $state.Values.tls.certs) $name)))) "r") -}} +{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $cert $state $name)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (get (fromJson (include "redpanda.TLSCert.ClientVolumeName" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} +{{- if $_is_returning -}} +{{- break -}} {{- end -}} {{- $sasl_4 := $state.Values.auth.sasl -}} {{- if (and $sasl_4.enabled (ne $sasl_4.secretRef "")) -}} 
@@ -262,40 +181,6 @@ {{- end -}} {{- end -}} -{{- define "redpanda.CertSecretName" -}} -{{- $state := (index .a 0) -}} -{{- $certName := (index .a 1) -}} -{{- $cert := (index .a 2) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := false -}} -{{- if (ne (toJson $cert.secretRef) "null") -}} -{{- $_is_returning = true -}} -{{- (dict "r" $cert.secretRef.name) | toJson -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $certName)) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - -{{- define "redpanda.ClientCertSecretName" -}} -{{- $state := (index .a 0) -}} -{{- $certName := (index .a 1) -}} -{{- $cert := (index .a 2) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := false -}} -{{- if (ne (toJson $cert.clientSecretRef) "null") -}} -{{- $_is_returning = true -}} -{{- (dict "r" $cert.secretRef.name) | toJson -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r"))) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - {{- define "redpanda.RedpandaAtLeast_22_2_0" -}} {{- $state := (index .a 0) -}} {{- range $_ := (list 1) -}} @@ -382,9 +267,9 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $state)))) "r")) -}} -{{- $_358_result_err := (list (semverCompare $constraint $version) nil) -}} -{{- $result := (index $_358_result_err 0) -}} -{{- $err := (index $_358_result_err 1) -}} +{{- $_277_result_err := (list (semverCompare $constraint $version) nil) -}} +{{- $result := (index $_277_result_err 0) -}} +{{- $err := (index $_277_result_err 1) -}} {{- if (ne (toJson $err) "null") -}} {{- $_ := (fail $err) -}} {{- end -}} 
@@ -505,9 +390,9 @@ {{- $originalKeys := (dict) -}} {{- $overrideByKey := (dict) -}} {{- range $_, $el := $override -}} -{{- $_495_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_495_key_ok 0) -}} -{{- $ok := (index $_495_key_ok 1) -}} +{{- $_414_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_414_key_ok 0) -}} +{{- $ok := (index $_414_key_ok 1) -}} {{- if (not $ok) -}} {{- continue -}} {{- end -}} @@ -518,13 +403,13 @@ {{- end -}} {{- $merged := (coalesce nil) -}} {{- range $_, $el := $original -}} -{{- $_507_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_507_key__ 0) -}} -{{- $_ := (index $_507_key__ 1) -}} +{{- $_426_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_426_key__ 0) -}} +{{- $_ := (index $_426_key__ 1) -}} {{- $_ := (set $originalKeys $key true) -}} -{{- $_509_elOverride_5_ok_6 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}} -{{- $elOverride_5 := (index $_509_elOverride_5_ok_6 0) -}} -{{- $ok_6 := (index $_509_elOverride_5_ok_6 1) -}} +{{- $_428_elOverride_5_ok_6 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}} +{{- $elOverride_5 := (index $_428_elOverride_5_ok_6 0) -}} +{{- $ok_6 := (index $_428_elOverride_5_ok_6 1) -}} {{- if $ok_6 -}} {{- $merged = (concat (default (list) $merged) (list (get (fromJson (include (first $mergeFunc) (dict "a" (concat (rest $mergeFunc) (list $el $elOverride_5))))) "r"))) -}} {{- else -}} 
@@ -535,15 +420,15 @@ {{- break -}} {{- end -}} {{- range $_, $el := $override -}} -{{- $_519_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_519_key_ok 0) -}} -{{- $ok := (index $_519_key_ok 1) -}} +{{- $_438_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_438_key_ok 0) -}} +{{- $ok := (index $_438_key_ok 1) -}} {{- if (not $ok) -}} {{- continue -}} {{- end -}} -{{- $_524___ok_7 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}} -{{- $_ := (index $_524___ok_7 0) -}} -{{- $ok_7 := (index $_524___ok_7 1) -}} +{{- $_443___ok_7 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}} +{{- $_ := (index $_443___ok_7 0) -}} +{{- $ok_7 := (index $_443___ok_7 1) -}} {{- if $ok_7 -}} {{- continue -}} {{- end -}} diff --git a/charts/redpanda/chart/templates/_notes.go.tpl b/charts/redpanda/chart/templates/_notes.go.tpl index 91d170108..aa2913161 100644 --- a/charts/redpanda/chart/templates/_notes.go.tpl +++ b/charts/redpanda/chart/templates/_notes.go.tpl 
@@ -47,7 +47,7 @@ {{- $profileName := (index $profiles (0 | int)) -}} {{- $notes = (concat (default (list) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} {{- $profile := (ternary (index $state.Values.listeners.kafka.external $profileName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil)) (hasKey $state.Values.listeners.kafka.external $profileName)) -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $state)))) "r") -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $profile.tls $state.Values.listeners.kafka.tls $state.Values.tls)))) "r") -}} {{- $external := "" -}} {{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}} {{- $external = $profile.tls.cert -}} diff --git a/charts/redpanda/chart/templates/_secrets.go.tpl b/charts/redpanda/chart/templates/_secrets.go.tpl index 2baab0e31..da0d5656c 100644 --- a/charts/redpanda/chart/templates/_secrets.go.tpl +++ b/charts/redpanda/chart/templates/_secrets.go.tpl @@ -311,7 +311,7 @@ echo "passed"`) -}} {{- break -}} {{- end -}} {{- if $state.Values.listeners.admin.tls.requireClientAuth -}} -{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r")) -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $state.Values.listeners.admin.tls $state.Values.tls)))) "r") -}} {{- $_is_returning = true -}} {{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} {{- break -}} diff --git a/charts/redpanda/chart/templates/_values.go.tpl b/charts/redpanda/chart/templates/_values.go.tpl index 18be0af92..2ab3028fd 100644 --- a/charts/redpanda/chart/templates/_values.go.tpl +++ b/charts/redpanda/chart/templates/_values.go.tpl 
@@ -152,13 +152,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_441_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} -{{- $cpuReq := (index $_441_cpuReq_ok 0) -}} -{{- $ok := (index $_441_cpuReq_ok 1) -}} +{{- $_436_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} +{{- $cpuReq := (index $_436_cpuReq_ok 0) -}} +{{- $ok := (index $_436_cpuReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_443_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} -{{- $cpuReq = (index $_443_cpuReq_ok 0) -}} -{{- $ok = (index $_443_cpuReq_ok 1) -}} +{{- $_438_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} +{{- $cpuReq = (index $_438_cpuReq_ok 0) -}} +{{- $ok = (index $_438_cpuReq_ok 1) -}} {{- end -}} {{- if (and $ok (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $cpuReq)))) "r") | int64) (1000 | int64))) -}} {{- $_is_returning = true -}} 
@@ -185,13 +185,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_467_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} -{{- $cpuReq := (index $_467_cpuReq_ok 0) -}} -{{- $ok := (index $_467_cpuReq_ok 1) -}} +{{- $_462_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} +{{- $cpuReq := (index $_462_cpuReq_ok 0) -}} +{{- $ok := (index $_462_cpuReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_469_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} -{{- $cpuReq = (index $_469_cpuReq_ok 0) -}} -{{- $ok = (index $_469_cpuReq_ok 1) -}} +{{- $_464_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} +{{- $cpuReq = (index $_464_cpuReq_ok 0) -}} +{{- $ok = (index $_464_cpuReq_ok 1) -}} {{- end -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} 
@@ -223,13 +223,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_526_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "memory" "0")))) "r") -}} -{{- $memReq := (index $_526_memReq_ok 0) -}} -{{- $ok := (index $_526_memReq_ok 1) -}} +{{- $_521_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "memory" "0")))) "r") -}} +{{- $memReq := (index $_521_memReq_ok 0) -}} +{{- $ok := (index $_521_memReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_528_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "memory" "0")))) "r") -}} -{{- $memReq = (index $_528_memReq_ok 0) -}} -{{- $ok = (index $_528_memReq_ok 1) -}} +{{- $_523_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "memory" "0")))) "r") -}} +{{- $memReq = (index $_523_memReq_ok 0) -}} +{{- $ok = (index $_523_memReq_ok 1) -}} {{- end -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} @@ -305,9 +305,9 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s)))) "r") -}} -{{- $_646_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil))))) "r") -}} -{{- $b := (index $_646_b_ok 0) -}} -{{- $ok := (index $_646_b_ok 1) -}} +{{- $_641_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil))))) "r") -}} +{{- $b := (index $_641_b_ok 0) -}} +{{- $ok := (index $_641_b_ok 1) -}} {{- $_is_returning = true -}} {{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b)))) "r"))) | toJson -}} {{- break -}} 
@@ -351,18 +351,18 @@ {{- $state := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_674_dir_7_ok_8 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $state.Values.config.node "cloud_storage_cache_directory") "")))) "r") -}} -{{- $dir_7 := (index $_674_dir_7_ok_8 0) -}} -{{- $ok_8 := (index $_674_dir_7_ok_8 1) -}} +{{- $_669_dir_7_ok_8 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $state.Values.config.node "cloud_storage_cache_directory") "")))) "r") -}} +{{- $dir_7 := (index $_669_dir_7_ok_8 0) -}} +{{- $ok_8 := (index $_669_dir_7_ok_8 1) -}} {{- if $ok_8 -}} {{- $_is_returning = true -}} {{- (dict "r" $dir_7) | toJson -}} {{- break -}} {{- end -}} {{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $state.Values.storage)))) "r") -}} -{{- $_683_dir_9_ok_10 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "")))) "r") -}} -{{- $dir_9 := (index $_683_dir_9_ok_10 0) -}} -{{- $ok_10 := (index $_683_dir_9_ok_10 1) -}} +{{- $_678_dir_9_ok_10 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "")))) "r") -}} +{{- $dir_9 := (index $_678_dir_9_ok_10 0) -}} +{{- $ok_10 := (index $_678_dir_9_ok_10 1) -}} {{- if $ok_10 -}} {{- $_is_returning = true -}} {{- (dict "r" $dir_9) | toJson -}} 
@@ -477,9 +477,9 @@ {{- $result := (dict) -}} {{- $s := (toJson $t) -}} {{- $tune := (fromJson $s) -}} -{{- $_842_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil))))) "r") -}} -{{- $m := (index $_842_m_ok 0) -}} -{{- $ok := (index $_842_m_ok 1) -}} +{{- $_837_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil))))) "r") -}} +{{- $m := (index $_837_m_ok 0) -}} +{{- $ok := (index $_837_m_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" (dict)) | toJson -}} 
@@ -537,6 +537,65 @@ {{- end -}} {{- end -}} +{{- define "redpanda.Listeners.InUseServerCerts" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.admin)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.kafka)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.http)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.schemaRegistry)))) "r")) -}} +{{- $certs := (dict) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.rpc.tls $tls)))) "r") -}} +{{- $_ := (set $certs $l.rpc.tls.cert true) -}} +{{- end -}} +{{- range $_, $listener := $listeners -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $listener.tls $tls)))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs $listener.tls.cert true) -}} +{{- range $_, $external := $listener.external -}} +{{- if (or (not (get (fromJson (include "redpanda.ExternalListener.IsEnabled" (dict "a" (list $external)))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $external.tls $listener.tls $tls)))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $external.tls $listener.tls)))) "r") true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sortAlpha (keys $certs))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.InUseClientCerts" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := 
(list (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.admin)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.kafka)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.http)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.schemaRegistry)))) "r")) -}} +{{- $certs := (dict) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.rpc.tls $tls)))) "r") $l.rpc.tls.requireClientAuth) -}} +{{- $_ := (set $certs $l.rpc.tls.cert true) -}} +{{- end -}} +{{- range $_, $listener := $listeners -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $listener.tls $tls)))) "r")) (not $listener.tls.requireClientAuth)) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs $listener.tls.cert true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sortAlpha (keys $certs))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.Listeners.CreateSeedServers" -}} {{- $l := (index .a 0) -}} {{- $replicas := (index .a 1) -}} @@ -608,9 +667,9 @@ {{- $seen := (dict) -}} {{- $deduped := (coalesce nil) -}} {{- range $_, $item := $items -}} -{{- $_985___ok_11 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false)))) "r") -}} -{{- $_ := (index $_985___ok_11 0) -}} -{{- $ok_11 := (index $_985___ok_11 1) -}} +{{- $_1039___ok_11 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false)))) "r") -}} +{{- $_ := (index $_1039___ok_11 0) -}} +{{- $ok_11 := (index $_1039___ok_11 1) -}} {{- if $ok_11 -}} {{- continue -}} {{- end -}} 
@@ -717,14 +776,125 @@ {{- end -}} {{- end -}} +{{- define "redpanda.TLSCert.ServerVolumeName" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "redpanda-%s-cert" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientVolumeName" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "redpanda-%s-client-cert" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ServerMountPoint" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientMountPoint" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s-client" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ServerSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $state := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $c.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $state := (index .a 1) -}} +{{- $name := 
(index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $c.clientSecretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c.clientSecretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-client-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.RootSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $state := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.CASecretRef" -}} +{{- $c := (index .a 0) -}} +{{- $state := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $c.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" (get (fromJson (include "redpanda.TLSCert.RootSecretName" (dict "a" (list $c $state $name)))) "r"))) (dict "key" "tls.crt"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $key := "tls.crt" -}} +{{- if $c.caEnabled -}} +{{- $key = "ca.crt" -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $c $state $name)))) "r"))) (dict "key" $key))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.TLSCertMap.MustGet" -}} {{- $m := (index .a 0) -}} {{- $name := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1206_cert_ok := (get 
(fromJson (include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} -{{- $cert := (index $_1206_cert_ok 0) -}} -{{- $ok := (index $_1206_cert_ok 1) -}} +{{- $_1327_cert_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} +{{- $cert := (index $_1327_cert_ok 0) -}} +{{- $ok := (index $_1327_cert_ok 1) -}} {{- if (not $ok) -}} {{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} {{- end -}} @@ -863,9 +1033,10 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r").caEnabled -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- if $cert.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} 
@@ -884,13 +1055,38 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r").caEnabled -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- if $cert.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerMountPoint" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ClientMountPoint" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert 
$t.cert)))) "r")) | toJson -}} {{- break -}} {{- end -}} {{- end -}} @@ -908,7 +1104,7 @@ {{- end -}} {{- $spec := (mustMergeOverwrite (dict "insecureSkipTlsVerify" false) (dict)) -}} {{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} -{{- $secretName := (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $state $t.cert $cert)))) "r") -}} +{{- $secretName := (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $cert $state $t.cert)))) "r") -}} {{- if (ne (toJson $t.trustStore) "null") -}} {{- $_ := (set $spec "caCertSecretRef" (mustMergeOverwrite (dict) (dict "configMapKeyRef" $t.trustStore.configMapKeyRef "secretKeyRef" $t.trustStore.secretKeyRef))) -}} {{- else -}}{{- if $cert.caEnabled -}} @@ -918,7 +1114,7 @@ {{- end -}} {{- end -}} {{- if $t.requireClientAuth -}} -{{- $clientSecretName := (get (fromJson (include "redpanda.ClientCertSecretName" (dict "a" (list $state $t.cert $cert)))) "r") -}} +{{- $clientSecretName := (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $cert $state $t.cert)))) "r") -}} {{- $_ := (set $spec "certSecretRef" (mustMergeOverwrite (dict "name" "") (dict "name" $clientSecretName "key" "tls.crt"))) -}} {{- $_ := (set $spec "keySecretRef" (mustMergeOverwrite (dict "name" "") (dict "name" $clientSecretName "key" "tls.key"))) -}} {{- end -}} 
@@ -962,9 +1158,11 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls)))) "r").caEnabled -}} +{{- $name := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i)))) "r") -}} +{{- $cert_12 := (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls)))) "r") -}} +{{- if $cert_12.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i)))) "r"))) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert_12 $name)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} 
@@ -990,6 +1188,28 @@ {{- end -}} {{- end -}} +{{- define "redpanda.ListenerConfig.AsString" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $ext := (dict) -}} +{{- range $name, $l := $l.external -}} +{{- $_ := (set $ext $name (get (fromJson (include "redpanda.ExternalListener.AsString" (dict "a" (list $l)))) "r")) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $auth := (coalesce nil) -}} +{{- if (ne (toJson $l.authenticationMethod) "null") -}} +{{- $authAStr := (toString $l.authenticationMethod) -}} +{{- $auth = $authAStr -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "enabled" false "external" (coalesce nil) "port" 0 "tls" (dict "enabled" (coalesce nil) "cert" "" "requireClientAuth" false "trustStore" (coalesce nil))) (dict "enabled" $l.enabled "external" $ext "port" ($l.port | int) "tls" $l.tls "appProtocol" $l.appProtocol "authenticationMethod" $auth))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.ListenerConfig.ServicePorts" -}} {{- $l := (index .a 0) -}} {{- $namePrefix := (index .a 1) -}} @@ -1045,9 +1265,9 @@ {{- $_is_returning := false -}} {{- $internal := (dict "name" "internal" "address" "0.0.0.0" "port" ($l.port | int)) -}} {{- $defaultAuth := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $auth "")))) "r") -}} -{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} -{{- if (ne $am_12 "") -}} -{{- $_ := (set $internal "authentication_method" $am_12) -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $internal "authentication_method" $am_13) -}} {{- end -}} {{- $listeners := (list $internal) -}} {{- range $k, $l := $l.external -}} 
@@ -1055,9 +1275,9 @@ {{- continue -}} {{- end -}} {{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0") -}} -{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} -{{- if (ne $am_13 "") -}} -{{- $_ := (set $listener "authentication_method" $am_13) -}} +{{- $am_14 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} +{{- if (ne $am_14 "") -}} +{{- $_ := (set $listener "authentication_method" $am_14) -}} {{- end -}} {{- $listeners = (concat (default (list) $listeners) (list $listener)) -}} {{- end -}} 
@@ -1085,7 +1305,8 @@ {{- continue -}} {{- end -}} {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls)))) "r") -}} -{{- $pp = (concat (default (list) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false)))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls)))) "r")))) -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $certName)))) "r") -}} +{{- $pp = (concat (default (list) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $certName)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $certName)))) "r")) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false)))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls)))) "r")))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} 
@@ -1096,32 +1317,17 @@ {{- end -}} {{- end -}} -{{- define "redpanda.ListenerConfig.ConsoleTLS" -}} +{{- define "redpanda.ExternalListener.AsString" -}} {{- $l := (index .a 0) -}} -{{- $tls := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls)))) "r"))) -}} -{{- if (not $t.enabled) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} -{{- break -}} -{{- end -}} -{{- $adminAPIPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert)))) "r").caEnabled -}} -{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $adminAPIPrefix)) -}} -{{- else -}} -{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} -{{- end -}} -{{- if (not $l.tls.requireClientAuth) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} -{{- break -}} +{{- $auth := (coalesce nil) -}} +{{- if (ne (toJson $l.authenticationMethod) "null") -}} +{{- $authAStr := (toString $l.authenticationMethod) -}} +{{- $auth = $authAStr -}} {{- end -}} -{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} -{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $adminAPIPrefix)) -}} {{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} +{{- (dict "r" (mustMergeOverwrite (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil)) (dict "enabled" $l.enabled "advertisedPorts" $l.advertisedPorts "port" ($l.port | int) "nodePort" $l.nodePort "tls" $l.tls "authenticationMethod" $auth "prefixTemplate" $l.prefixTemplate))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -1167,10 +1373,10 @@ {{- $result := (dict) -}} {{- range $k, $v := $c -}} {{- if (not (empty $v)) -}} -{{- $_1710___ok_14 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} -{{- $_ := ((index $_1710___ok_14 0) | float64) -}} -{{- $ok_14 := (index $_1710___ok_14 1) -}} -{{- if $ok_14 -}} +{{- $_1848___ok_15 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} +{{- $_ := ((index $_1848___ok_15 0) | float64) -}} +{{- $ok_15 := (index $_1848___ok_15 1) -}} +{{- if $ok_15 -}} {{- $_ := (set $result $k $v) -}} {{- else -}}{{- if (kindIs "bool" $v) -}} {{- $_ := (set $result $k $v) -}} @@ -1195,11 +1401,11 @@ {{- $_is_returning := false -}} {{- $result := (dict) -}} {{- range $k, $v := $c -}} -{{- $_1730_b_15_ok_16 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} -{{- $b_15 := (index $_1730_b_15_ok_16 0) -}} -{{- $ok_16 := (index $_1730_b_15_ok_16 1) -}} -{{- if $ok_16 -}} -{{- $_ := (set $result $k $b_15) -}} +{{- $_1868_b_16_ok_17 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} +{{- $b_16 := (index $_1868_b_16_ok_17 0) -}} +{{- $ok_17 := (index $_1868_b_16_ok_17 1) -}} +{{- if $ok_17 -}} +{{- $_ := (set $result $k $b_16) -}} {{- continue -}} {{- end -}} {{- if (not (empty $v)) -}} 
@@ -1240,15 +1446,15 @@ {{- $config := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1775___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1775___hasAccessKey 0) -}} -{{- $hasAccessKey := (index $_1775___hasAccessKey 1) -}} -{{- $_1776___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1776___hasSecretKey 0) -}} -{{- $hasSecretKey := (index $_1776___hasSecretKey 1) -}} -{{- $_1777___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1777___hasSharedKey 0) -}} -{{- $hasSharedKey := (index $_1777___hasSharedKey 1) -}} +{{- $_1913___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1913___hasAccessKey 0) -}} +{{- $hasAccessKey := (index $_1913___hasAccessKey 1) -}} +{{- $_1914___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1914___hasSecretKey 0) -}} +{{- $hasSecretKey := (index $_1914___hasSecretKey 1) -}} +{{- $_1915___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1915___hasSharedKey 0) -}} +{{- $hasSharedKey := (index $_1915___hasSharedKey 1) -}} {{- $envvars := (coalesce nil) -}} {{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey)))) "r")) -}} {{- $envvars = (concat (default (list) $envvars) (list (mustMergeOverwrite (dict "name" "") (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson 
(include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey)))) "r"))))) -}} @@ -1271,12 +1477,12 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1813___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1813___containerExists 0) -}} -{{- $containerExists := (index $_1813___containerExists 1) -}} -{{- $_1814___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1814___accountExists 0) -}} -{{- $accountExists := (index $_1814___accountExists 1) -}} +{{- $_1951___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1951___containerExists 0) -}} +{{- $containerExists := (index $_1951___containerExists 1) -}} +{{- $_1952___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} +{{- $_ := (index $_1952___accountExists 0) -}} +{{- $accountExists := (index $_1952___accountExists 1) -}} {{- $_is_returning = true -}} {{- (dict "r" (and $containerExists $accountExists)) | toJson -}} {{- break -}} 
@@ -1287,9 +1493,9 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1819_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} -{{- $value := (index $_1819_value_ok 0) -}} -{{- $ok := (index $_1819_value_ok 1) -}} +{{- $_1957_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} +{{- $value := (index $_1957_value_ok 0) -}} +{{- $ok := (index $_1957_value_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" (coalesce nil)) | toJson -}} @@ -1315,9 +1521,9 @@ {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $size_17 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c))))) "r") -}} -{{- if (ne (toJson $size_17) "null") -}} -{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_17)))) "r") | int64)) -}} +{{- $size_18 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c))))) "r") -}} +{{- if (ne (toJson $size_18) "null") -}} +{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_18)))) "r") | int64)) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" (list $config $fixups)) | toJson -}} diff --git a/charts/redpanda/chart_test.go b/charts/redpanda/chart_test.go index 1866fb9e3..da7c4b9df 100644 --- a/charts/redpanda/chart_test.go +++ b/charts/redpanda/chart_test.go 
@@ -870,26 +870,50 @@ func httpProxyListenerTest(ctx context.Context, rpk *Client) error { func mTLSValuesUsingCertManager() *redpanda.PartialValues { return minimalValues(&redpanda.PartialValues{ + TLS: &redpanda.PartialTLS{ + Certs: redpanda.PartialTLSCertMap{ + "kafka": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "http": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "rpc": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "schema": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + }, + }, External: &redpanda.PartialExternalConfig{Enabled: ptr.To(false)}, ClusterDomain: ptr.To("cluster.local"), Listeners: &redpanda.PartialListeners{ Admin: &redpanda.PartialListenerConfig[redpanda.NoAuth]{ TLS: &redpanda.PartialInternalTLS{ + // Uses default by default. RequireClientAuth: ptr.To(true), }, }, HTTP: &redpanda.PartialListenerConfig[redpanda.HTTPAuthenticationMethod]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("http"), RequireClientAuth: ptr.To(true), }, }, Kafka: &redpanda.PartialListenerConfig[redpanda.KafkaAuthenticationMethod]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("kafka"), RequireClientAuth: ptr.To(true), }, }, SchemaRegistry: &redpanda.PartialListenerConfig[redpanda.NoAuth]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("schema"), RequireClientAuth: ptr.To(true), }, }, @@ -898,6 +922,7 @@ func mTLSValuesUsingCertManager() *redpanda.PartialValues { TLS *redpanda.PartialInternalTLS `json:"tls,omitempty" jsonschema:"required"` }{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("rpc"), RequireClientAuth: ptr.To(true), }, }, diff --git a/charts/redpanda/client_test.go b/charts/redpanda/client_test.go index b8679da97..057f684da 100644 --- a/charts/redpanda/client_test.go +++ b/charts/redpanda/client_test.go 
@@ -23,7 +23,6 @@ import ( "github.com/cockroachdb/errors" "github.com/redpanda-data/common-go/rpadmin" - "github.com/redpanda-data/redpanda/src/go/rpk/pkg/config" "github.com/stretchr/testify/require" "github.com/twmb/franz-go/pkg/sr" corev1 "k8s.io/api/core/v1" @@ -384,7 +383,7 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write return nil, errors.WithStack(err) } - availablePorts, cleanup, err := c.Ctl.PortForward(ctx, pod, out, errOut) + ports, cleanup, err := c.Ctl.PortForward(ctx, pod, out, errOut) if err != nil { return cleanup, errors.WithStack(err) } @@ -393,24 +392,7 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write c.proxyClients = make(map[string]*portForwardClient) } - rpYaml, err := c.getRedpandaConfig(ctx) - if err != nil { - return cleanup, errors.WithStack(err) - } - - defaultSecretName := fmt.Sprintf("%s-%s-%s", c.state.Release.Name, "default", "cert") - - secretName := defaultSecretName - cert := c.state.Values.TLS.Certs[c.state.Values.Listeners.HTTP.TLS.Cert] - if ref := cert.ClientSecretRef; ref != nil { - secretName = ref.Name - } - - proxyClient, err := c.createClient(ctx, - getInternalPort(rpYaml.Pandaproxy.PandaproxyAPI, availablePorts), - isTLSEnabled(rpYaml.Pandaproxy.PandaproxyAPITLS), - isMutualTLSEnabled(rpYaml.Pandaproxy.PandaproxyAPITLS), - secretName) + proxyClient, err := c.createClient(ctx, ports, c.state.Values.Listeners.HTTP.AsString()) if err != nil { return cleanup, errors.WithStack(err) } 
@@ -420,89 +402,16 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write return cleanup, err } -func isMutualTLSEnabled(tlsCfg []config.ServerTLS) bool { - for _, t := range tlsCfg { - if t.Name != "internal" || !t.Enabled { - continue - } - return t.RequireClientAuth - } - return false -} - -func isTLSEnabled(tlsCfg []config.ServerTLS) bool { - for _, t := range tlsCfg { - if t.Name != "internal" { - continue - } - return t.Enabled - } - return false -} - -func getInternalPort(addresses any, availablePorts []portforward.ForwardedPort) int { - var adminListenerPort int - switch v := addresses.(type) { - case []config.NamedSocketAddress: - for _, a := range v { - if a.Name != "internal" { - continue - } - adminListenerPort = a.Port - } - case []config.NamedAuthNSocketAddress: - for _, a := range v { - if a.Name != "internal" { - continue - } - adminListenerPort = a.Port - } - } - - for _, p := range availablePorts { - if int(p.Remote) == adminListenerPort { - return int(p.Local) - } - } - - return 0 -} - -func (c *Client) getRedpandaConfig(ctx context.Context) (*config.RedpandaYaml, error) { - cm, err := kube.Get[corev1.ConfigMap](ctx, c.Ctl, kube.ObjectKey{ - Name: c.state.Release.Name, - Namespace: c.state.Release.Namespace, - }) - if err != nil { - return nil, errors.WithStack(err) - } - - rpCfg, exist := cm.Data["redpanda.yaml"] - if !exist { - return nil, errors.WithStack(fmt.Errorf("redpanda.yaml not found")) - } - - var cfg config.RedpandaYaml - err = yaml.Unmarshal([]byte(rpCfg), &cfg) - if err != nil { - return nil, errors.WithStack(err) - } - - return &cfg, nil -} - -func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEnabled bool, tlsK8SSecretName string) (*portForwardClient, error) { - if port == 0 { - return nil, errors.New("admin internal listener port not found") - } - +func (c *Client) createClient(ctx context.Context, ports []portforward.ForwardedPort, cfg redpanda.ListenerConfig[string]) 
(*portForwardClient, error) { schema := "http" var rootCAs *x509.CertPool var certs []tls.Certificate - if tlsEnabled { + if cfg.TLS.IsEnabled(&c.state.Values.TLS) { + cert := c.state.Values.TLS.Certs.MustGet(cfg.TLS.Cert) + schema = "https" s, err := kube.Get[corev1.Secret](ctx, c.Ctl, kube.ObjectKey{ - Name: tlsK8SSecretName, + Name: cert.ServerSecretName(c.state, cfg.TLS.Cert), Namespace: c.state.Release.Namespace, }) if err != nil { @@ -515,7 +424,7 @@ func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEna return nil, errors.WithStack(errors.New("failed to parse CA certificate")) } - if mTLSEnabled { + if cfg.TLS.RequireClientAuth { cert, err := tls.X509KeyPair(s.Data["tls.crt"], s.Data["tls.key"]) if err != nil { return nil, errors.WithStack(err) @@ -542,11 +451,15 @@ func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEna Transport: transport, } - pfc := &portForwardClient{ - httpClient, - port, - schema, + for _, port := range ports { + if port.Remote == uint16(cfg.Port) { + return &portForwardClient{ + httpClient, + int(port.Local), + schema, + }, nil + } } - return pfc, nil + return nil, errors.Newf("remote port not forwarded: %d", cfg.Port) } diff --git a/charts/redpanda/configmap.tpl.go b/charts/redpanda/configmap.tpl.go index a67b9c377..b49060e91 100644 --- a/charts/redpanda/configmap.tpl.go +++ b/charts/redpanda/configmap.tpl.go @@ -434,8 +434,8 @@ func rpkKafkaClientTLSConfiguration(state *RenderState) map[string]any { } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(state)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(state)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&state.Values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&state.Values.TLS)) } return result 
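Review bot: The mTLS client identity in the `if cfg.TLS.RequireClientAuth` branch is still taken from the server secret: `s` is fetched with `cert.ServerSecretName(c.state, cfg.TLS.Cert)` in the preceding hunk, and its `tls.crt`/`tls.key` are what `tls.X509KeyPair` receives. This commit introduces per-certificate client secrets (`ClientSecretName`, named `$FULLNAME-$CERT-client-cert`), so the test client never exercises them and only authenticates if the server leaf happens to be accepted as a client certificate, which the generated material is not guaranteed to be. Load the client pair from `cert.ClientSecretName(c.state, cfg.TLS.Cert)` and keep `s` for the CA pool only; the inner `cert, err := tls.X509KeyPair(...)` also shadows the outer `cert` returned by `MustGet`, so give it its own name. `createClient` starts in the previous hunk and continues past this one.
```go
	if cfg.TLS.RequireClientAuth {
		// Present the per-certificate client identity, not the server leaf.
		cs, err := kube.Get[corev1.Secret](ctx, c.Ctl, kube.ObjectKey{
			Name:      cert.ClientSecretName(c.state, cfg.TLS.Cert),
			Namespace: c.state.Release.Namespace,
		})
		if err != nil {
			return nil, errors.WithStack(err)
		}
		clientPair, err := tls.X509KeyPair(cs.Data["tls.crt"], cs.Data["tls.key"])
		if err != nil {
			return nil, errors.WithStack(err)
		}
		// … unchanged: add clientPair to certs …
	}
```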
@@ -456,8 +456,8 @@ func rpkAdminAPIClientTLSConfiguration(state *RenderState) map[string]any { } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(state)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(state)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&state.Values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&state.Values.TLS)) } return result @@ -478,8 +478,8 @@ func rpkSchemaRegistryClientTLSConfiguration(state *RenderState) map[string]any } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(state)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(state)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&state.Values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&state.Values.TLS)) } return result @@ -511,8 +511,8 @@ func kafkaClient(state *RenderState) map[string]any { } if kafkaTLS.RequireClientAuth { - brokerTLS["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(state)) - brokerTLS["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(state)) + brokerTLS["cert_file"] = fmt.Sprintf("%s/tls.crt", kafkaTLS.ClientMountPoint(&state.Values.TLS)) + brokerTLS["key_file"] = fmt.Sprintf("%s/tls.key", kafkaTLS.ClientMountPoint(&state.Values.TLS)) } } 
@@ -595,12 +595,10 @@ func rpcListenersTLS(state *RenderState) map[string]any { return map[string]any{} } - certName := r.TLS.Cert - return map[string]any{ "enabled": true, - "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName), - "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName), + "cert_file": fmt.Sprintf("%s/tls.crt", r.TLS.ServerMountPoint(&state.Values.TLS)), + "key_file": fmt.Sprintf("%s/tls.key", r.TLS.ServerMountPoint(&state.Values.TLS)), "require_client_auth": r.TLS.RequireClientAuth, "truststore_file": r.TLS.TrustStoreFilePath(&state.Values.TLS), } @@ -622,8 +620,8 @@ func createInternalListenerTLSCfg(tls *TLS, internal InternalTLS) map[string]any return map[string]any{ "name": "internal", "enabled": true, - "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, internal.Cert), - "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, internal.Cert), + "cert_file": fmt.Sprintf("%s/tls.crt", internal.ServerMountPoint(tls)), + "key_file": fmt.Sprintf("%s/tls.key", internal.ServerMountPoint(tls)), "require_client_auth": internal.RequireClientAuth, "truststore_file": internal.TrustStoreFilePath(tls), } diff --git a/charts/redpanda/helpers.go b/charts/redpanda/helpers.go index 611bd5ea6..dddafc318 100644 --- a/charts/redpanda/helpers.go +++ b/charts/redpanda/helpers.go 
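Review bot: `r.TLS.ServerMountPoint(&state.Values.TLS)` is evaluated twice inside the returned map literal in `rpcListenersTLS`, once for `cert_file` and once for `key_file`, where the removed `certName` local used to pin both to the same value. Hoisting it, `mount := r.TLS.ServerMountPoint(&state.Values.TLS)`, keeps the certificate and key provably from one directory and reads more like the old code; the same double call appears in `createInternalListenerTLSCfg` in the next hunk. Both functions start outside their hunks.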
@@ -122,52 +122,6 @@ func InternalDomain(state *RenderState) string { return fmt.Sprintf("%s.%s.svc.%s", service, ns, state.Values.ClusterDomain) } -// check if client auth is enabled for any of the listeners -func TLSEnabled(state *RenderState) bool { - if state.Values.TLS.Enabled { - return true - } - - listeners := []string{"kafka", "admin", "schemaRegistry", "rpc", "http"} - for _, listener := range listeners { - // TODO: replace the use of general map stuff to actually leverage the structured values - tlsCert := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "tls", "cert") - tlsEnabled := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "tls", "enabled") - if !helmette.Empty(tlsEnabled) && !helmette.Empty(tlsCert) { - return true - } - - external := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "external") - if helmette.Empty(external) { - continue - } - - keys := helmette.Keys(external.(map[string]any)) - for _, key := range keys { - enabled := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "external", key, "enabled") - tlsCert := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "external", key, "tls", "cert") - tlsEnabled := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "external", key, "tls", "enabled") - - if !helmette.Empty(enabled) && !helmette.Empty(tlsCert) && !helmette.Empty(tlsEnabled) { - return true - } - } - } - - return false -} - -func ClientAuthRequired(state *RenderState) bool { - listeners := []string{"kafka", "admin", "schemaRegistry", "rpc", "http"} - for _, listener := range listeners { - required := helmette.Dig(state.Dot.Values.AsMap(), false, "listeners", listener, "tls", "requireClientAuth") - if !helmette.Empty(required) { - return true - } - } - return false -} - // mounts that are common to most containers func DefaultMounts(state *RenderState) []corev1.VolumeMount { return append([]corev1.VolumeMount{ 
@@ -190,30 +144,24 @@ func CommonMounts(state *RenderState) []corev1.VolumeMount { }) } - if TLSEnabled(state) { - certNames := helmette.Keys(state.Values.TLS.Certs) - helmette.SortAlpha(certNames) + for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) { + cert := state.Values.TLS.Certs.MustGet(name) - for _, name := range certNames { - cert := state.Values.TLS.Certs[name] + mounts = append(mounts, corev1.VolumeMount{ + Name: cert.ServerVolumeName(name), + MountPath: cert.ServerMountPoint(name), + }) + } - if !ptr.Deref(cert.Enabled, true) { - continue - } + // mTLS for any potentially in use listeners (kafka, admin, schema?) + for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) { + cert := state.Values.TLS.Certs.MustGet(name) - mounts = append(mounts, corev1.VolumeMount{ - Name: fmt.Sprintf("redpanda-%s-cert", name), - MountPath: fmt.Sprintf("%s/%s", certificateMountPoint, name), - }) - } + mounts = append(mounts, corev1.VolumeMount{ + Name: cert.ClientVolumeName(name), + MountPath: cert.ClientMountPoint(name), + }) - adminTLS := state.Values.Listeners.Admin.TLS - if adminTLS.RequireClientAuth { - mounts = append(mounts, corev1.VolumeMount{ - Name: "mtls-client", - MountPath: fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(state)), - }) - } } return mounts 
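Review bot: The comment `// mTLS for any potentially in use listeners (kafka, admin, schema?)` on the client-certificate loop in `CommonMounts` leaves the reader guessing which listeners are covered, and that matters because every name returned here mounts a private key into every container that uses these mounts. State the rule rather than a question, e.g. `// Client certificates for every listener that requires client auth; the set is decided by Listeners.InUseClientCerts, one volume per certificate name.` It is also worth one sentence saying that server and client material for the same certificate name land on distinct paths (`ServerMountPoint` vs `ClientMountPoint`), if that is what those helpers guarantee; their bodies are not in this diff, so confirm before writing it. `CommonMounts` starts outside the hunk.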
@@ -237,46 +185,34 @@ func DefaultVolumes(state *RenderState) []corev1.Volume { // volumes that are common to all pods func CommonVolumes(state *RenderState) []corev1.Volume { volumes := []corev1.Volume{} - if TLSEnabled(state) { - certNames := helmette.Keys(state.Values.TLS.Certs) - helmette.SortAlpha(certNames) - - for _, name := range certNames { - cert := state.Values.TLS.Certs[name] - - if !ptr.Deref(cert.Enabled, true) { - continue - } - - volumes = append(volumes, corev1.Volume{ - Name: fmt.Sprintf("redpanda-%s-cert", name), - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: CertSecretName(state, name, &cert), - DefaultMode: ptr.To[int32](0o440), - }, + + for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) { + cert := state.Values.TLS.Certs.MustGet(name) + + volumes = append(volumes, corev1.Volume{ + // Intentionally use static names for VolumeNames to make overrides easier. + Name: cert.ServerVolumeName(name), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cert.ServerSecretName(state, name), + DefaultMode: ptr.To[int32](0o440), }, - }) - } + }, + }) + } - adminTLS := state.Values.Listeners.Admin.TLS - cert := state.Values.TLS.Certs[adminTLS.Cert] - if adminTLS.RequireClientAuth { - secretName := fmt.Sprintf("%s-client", Fullname(state)) - if cert.ClientSecretRef != nil { - secretName = cert.ClientSecretRef.Name - } - - volumes = append(volumes, corev1.Volume{ - Name: "mtls-client", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: secretName, - DefaultMode: ptr.To[int32](0o440), - }, + for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) { + cert := state.Values.TLS.Certs.MustGet(name) + + volumes = append(volumes, corev1.Volume{ + Name: cert.ClientVolumeName(name), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cert.ClientSecretName(state, 
name), + DefaultMode: ptr.To[int32](0o440), }, - }) - } + }, + }) } if sasl := state.Values.Auth.SASL; sasl.Enabled && sasl.SecretRef != "" { @@ -293,23 +229,6 @@ func CommonVolumes(state *RenderState) []corev1.Volume { return volumes } -// return correct secretName to use based if secretRef exists -func CertSecretName(state *RenderState, certName string, cert *TLSCert) string { - if cert.SecretRef != nil { - return cert.SecretRef.Name - } - return fmt.Sprintf("%s-%s-cert", Fullname(state), certName) -} - -func ClientCertSecretName(state *RenderState, certName string, cert *TLSCert) string { - if cert.ClientSecretRef != nil { - return cert.SecretRef.Name - } - // TODO this case is incorrect because we only generate a single client - // cert. It should be 1 per Certificate that requires client auth. - return fmt.Sprintf("%s-client", Fullname(state)) -} - //nolint:stylecheck func RedpandaAtLeast_22_2_0(state *RenderState) bool { return redpandaAtLeast(state, redpanda_22_2_0) diff --git a/charts/redpanda/notes.go b/charts/redpanda/notes.go index 4685f22d5..f983c8b9b 100644 --- a/charts/redpanda/notes.go +++ b/charts/redpanda/notes.go @@ -70,7 +70,7 @@ func Notes(state *RenderState) []string { `Set up rpk for access to your external listeners:`, ) profile := state.Values.Listeners.Kafka.External[profileName] - if TLSEnabled(state) { + if profile.TLS.IsEnabled(&state.Values.Listeners.Kafka.TLS, &state.Values.TLS) { var external string if profile.TLS != nil && profile.TLS.Cert != nil { external = *profile.TLS.Cert diff --git a/charts/redpanda/render_state_nogotohelm.go b/charts/redpanda/render_state_nogotohelm.go index cd81047d8..46c0a9d43 100644 --- a/charts/redpanda/render_state_nogotohelm.go +++ b/charts/redpanda/render_state_nogotohelm.go 
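Review bot: The new condition in `Notes` calls `profile.TLS.IsEnabled(...)` one line before the existing code checks `profile.TLS != nil`, so the method is invoked on a nil `*ExternalTLS` whenever an external Kafka profile has no `tls` stanza. That is only safe if `IsEnabled` tolerates a nil receiver, which this diff does not show; if it does, say so where the call is made, `// IsEnabled is nil-receiver safe and falls back to the listener-level TLS setting`, and if it does not, guard first: `if profile.TLS != nil && profile.TLS.IsEnabled(&state.Values.Listeners.Kafka.TLS, &state.Values.TLS) {`. Note that the guarded form changes which profiles get the TLS notes when inheritance from the internal listener is intended, so the nil-safety of `IsEnabled` should be checked rather than assumed. `Notes` starts and ends outside the hunk.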
@@ -26,6 +26,7 @@ import ( corev1 "k8s.io/api/core/v1" k8sapierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/ptr" "github.com/redpanda-data/redpanda-operator/gotohelm/helmette" "github.com/redpanda-data/redpanda-operator/pkg/kube" @@ -235,33 +236,19 @@ func (r *RenderState) TLSConfig(listener InternalTLS) (*tls.Config, error) { return tlsConfig, nil } -func certificatesFor(state *RenderState, cert string) (certSecret, certKey, clientSecret string) { - name := Fullname(state) +func certificatesFor(state *RenderState, name string) (certSecret, certKey, clientSecret string) { + cert, ok := state.Values.TLS.Certs[name] + if !ok || !ptr.Deref(cert.Enabled, true) { + // TODO this isn't correct but it matches historical behavior. + fullname := Fullname(state) + certSecret = fmt.Sprintf("%s-%s-root-certificate", fullname, name) + clientSecret = fmt.Sprintf("%s-default-client-cert", fullname) - // default to cert manager issued names and tls.crt which is - // where cert-manager outputs the root CA - certKey = corev1.TLSCertKey - certSecret = fmt.Sprintf("%s-%s-root-certificate", name, cert) - clientSecret = fmt.Sprintf("%s-client", name) - - if certificate, ok := state.Values.TLS.Certs[cert]; ok { - // if this references a non-enabled certificate, just return - // the default cert-manager issued names - if certificate.Enabled != nil && !*certificate.Enabled { - return certSecret, certKey, clientSecret - } - - if certificate.ClientSecretRef != nil { - clientSecret = certificate.ClientSecretRef.Name - } - if certificate.SecretRef != nil { - certSecret = certificate.SecretRef.Name - if certificate.CAEnabled { - certKey = "ca.crt" - } - } + return certSecret, corev1.TLSCertKey, clientSecret } - return certSecret, certKey, clientSecret + + ref := cert.CASecretRef(state, name) + return ref.LocalObjectReference.Name, ref.Key, cert.ClientSecretName(state, name) } // KubeCTL constructs a kube.Ctl from the RenderState's kubeconfig. 
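Review bot: In the `!ok || !Enabled` fallback the client secret is hard-coded as `%s-default-client-cert`, while the rest of this change names client secrets per certificate (`$FULLNAME-$CERT-client-cert`); for a disabled or unknown certificate named anything other than `default` this hands the caller the default certificate's client identity, which will presumably either fail mTLS or authenticate as the wrong client instead of failing clearly. Unless that fallback is deliberate, use `clientSecret = fmt.Sprintf("%s-%s-client-cert", fullname, name)`; if it is deliberate, extend the TODO to say so, because the existing tests all use the name `default` and cannot tell the two apart. The function also has no doc comment; suggest one stating that it returns the secret name and key holding the CA for `name` plus the secret holding the mTLS client certificate, and that unknown or disabled certificates fall back to the cert-manager naming scheme and may reference secrets that do not exist.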
diff --git a/charts/redpanda/render_state_test.go b/charts/redpanda/render_state_test.go index bac0869da..06f9c1580 100644 --- a/charts/redpanda/render_state_test.go +++ b/charts/redpanda/render_state_test.go @@ -32,7 +32,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "redpanda-default-root-certificate", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "default with non-enabled global cert": { Cert: &TLSCert{ @@ -44,7 +44,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "redpanda-default-root-certificate", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with secret ref": { Cert: &TLSCert{ @@ -55,7 +55,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "some-cert", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with CA": { Cert: &TLSCert{ @@ -67,7 +67,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "some-cert", ExpectedRootCertKey: "ca.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with client certificate": { Cert: &TLSCert{ diff --git a/charts/redpanda/secrets.go b/charts/redpanda/secrets.go index 7c81e86d9..0e169753d 100644 --- a/charts/redpanda/secrets.go +++ b/charts/redpanda/secrets.go 
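Review bot: Every updated case in TestCertificates uses `CertificateName: "default"`, so the new expectation `redpanda-default-client-cert` cannot distinguish a name interpolated into the secret from a literal `default` in the fallback branch of certificatesFor. Add one case with a different name and `Enabled` set to false, e.g. `"disabled non-default cert": { ..., CertificateName: "external", ExpectedClientCertName: "redpanda-external-client-cert" }`, pinning whichever fallback is actually intended. The case table starts before these hunks and continues after them.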
@@ -518,7 +518,7 @@ func adminTLSCurlFlags(state *RenderState) string { } if state.Values.Listeners.Admin.TLS.RequireClientAuth { - path := fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(state)) + path := state.Values.Listeners.Admin.TLS.ClientMountPoint(&state.Values.TLS) return fmt.Sprintf("--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key", path, path, path) } diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar index 70705ede0..8321240ba 100644 --- a/charts/redpanda/testdata/template-cases.golden.txtar +++ b/charts/redpanda/testdata/template-cases.golden.txtar @@ -9140,8 +9140,6 @@ spec: initialDelaySeconds: 1 periodSeconds: 10 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9199,8 +9197,6 @@ spec: timeoutSeconds: 0 resources: {} volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9228,8 +9224,6 @@ spec: runAsGroup: 0 runAsUser: 0 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9264,8 +9258,6 @@ spec: name: redpanda-configurator resources: {} volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9321,10 +9313,6 @@ spec: topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - - name: redpanda-cert2-cert - secret: - defaultMode: 288 - secretName: redpanda-cert2-cert - name: redpanda-default-cert secret: defaultMode: 288 
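Review bot: All three of `--cacert`, `--cert` and `--key` are now read from the client-certificate mount, so the CA used to verify the admin listener is whatever `ca.crt` the client secret happens to carry; that only matches the server's issuer when both certificates come from the same cert-manager CA, and a user-supplied client secret may not contain `ca.crt` at all, in which case curl fails before the request is sent. The rendered broker client config in this same change takes `truststore_file` from the server-certificate mount and only `cert_file`/`key_file` from the client mount, and the curl flags should follow that split: keep `path` for `--cert`/`--key` and point `--cacert` at the admin listener's server CA path. adminTLSCurlFlags begins before this hunk, so the non-mTLS branch that presumably already computes that CA path is not visible here.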
@@ -9389,32 +9377,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-cert2-root-certificate - namespace: default -spec: - commonName: redpanda-cert2-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-cert2-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-cert2-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -9467,44 +9429,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-cert2-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-cert2-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-cert2-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -9581,39 +9505,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-cert2-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-cert2-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-cert2-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer metadata: creationTimestamp: null labels: @@ -9722,8 +9613,6 @@ spec: resources: {} securityContext: {} volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9769,10 +9658,6 @@ spec: serviceAccountName: redpanda tolerations: [] volumes: - - name: redpanda-cert2-cert - secret: - defaultMode: 288 - secretName: redpanda-cert2-cert - name: redpanda-default-cert secret: defaultMode: 288 @@ -63144,9 +63029,9 @@ data: pandaproxy_api_tls: null pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: 
@@ -63227,8 +63112,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9092 tls: ca_file: /etc/tls/certs/kafka-internal-0/ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key overprovisioned: false schema_registry: addresses: @@ -63261,9 +63146,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -63302,8 +63187,8 @@ data: - redpanda-2:31092 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key name: default schema_registry: addresses: @@ -63655,6 +63540,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -63714,6 +63601,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount 
@@ -63743,6 +63632,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: base-config - command: @@ -63779,6 +63670,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -63842,6 +63735,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - name: lifecycle-scripts secret: defaultMode: 509 @@ -64098,9 +63995,10 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: redpanda helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-client + name: redpanda-kafka-internal-0-client + namespace: default spec: - commonName: redpanda-client + commonName: redpanda--kafka-internal-0-client duration: 43800h0m0s isCA: false issuerRef: @@ -64110,7 +64008,7 @@ spec: privateKey: algorithm: ECDSA size: 256 - secretName: redpanda-client + secretName: redpanda-kafka-internal-0-client-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 @@ -64262,6 +64160,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config 
@@ -64315,6 +64215,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - configMap: name: redpanda name: base-config @@ -78546,8 +78450,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -78625,8 +78527,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -78660,8 +78560,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -78718,8 +78616,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -78782,10 +78678,6 @@ spec: topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 
@@ -78870,32 +78762,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-default-root-certificate - namespace: default -spec: - commonName: redpanda-default-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -78922,46 +78788,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-default-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - - some.local.dev.domain - - '*.some.local.dev.domain' - duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -79002,39 +78828,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-default-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-default-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer metadata: creationTimestamp: null labels: @@ -79161,8 +78954,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79210,10 +79001,6 @@ spec: serviceAccountName: someaccountname tolerations: [] volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 
@@ -110118,11 +109905,11 @@ stringData: CURL_URL="https://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9644" # commands used throughout - CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/node_config" + CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/node_config" CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/maintenance" + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/maintenance" postStart.sh: |- #!/usr/bin/env bash # This code should be similar if not exactly the same as that found in the panda-operator, see @@ -110141,7 +109928,7 @@ stringData: done echo "Clearing maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" # a 400 here would mean not in maintenance mode until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do status=$(${CURL_MAINTENANCE_DELETE_CMD}) @@ -110171,7 +109958,7 @@ stringData: done echo "Setting maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" until [ "${status:-}" = '"200"' ]; do status=$(${CURL_MAINTENANCE_PUT_CMD}) sleep 0.5 
@@ -110298,18 +110085,18 @@ data: name: default port: 9645 admin_api_tls: - - cert_file: /etc/tls/certs/default/tls.crt + - cert_file: /etc/tls/certs/for-internal/tls.crt enabled: true - key_file: /etc/tls/certs/default/tls.key + key_file: /etc/tls/certs/for-internal/tls.key name: internal require_client_auth: false - truststore_file: /etc/tls/certs/default/ca.crt - - cert_file: /etc/tls/certs/external/tls.crt + truststore_file: /etc/ssl/certs/ca-certificates.crt + - cert_file: /etc/tls/certs/for-external/tls.crt enabled: true - key_file: /etc/tls/certs/external/tls.key + key_file: /etc/tls/certs/for-external/tls.key name: default require_client_auth: false - truststore_file: /etc/tls/certs/external/ca.crt + truststore_file: /etc/ssl/certs/ca-certificates.crt crash_loop_limit: 5 empty_seed_starts_cluster: false kafka_api: @@ -110363,7 +110150,7 @@ data: - redpanda-1.redpanda.default.svc.cluster.local.:9644 - redpanda-2.redpanda.default.svc.cluster.local.:9644 tls: - ca_file: /etc/tls/certs/default/ca.crt + ca_file: /etc/tls/certs/for-internal/tls.crt enable_memory_locking: false kafka_api: brokers: @@ -110481,7 +110268,7 @@ data: adminApi: enabled: true tls: - caFilepath: /etc/tls/certs/secrets/redpanda-default-cert/ca.crt + caFilepath: /etc/tls/certs/secrets/some-secret/cert.crt enabled: true urls: - https://redpanda.default.svc.cluster.local.:9644 @@ -110749,7 +110536,7 @@ spec: template: metadata: annotations: - checksum/config: afc24f133c4e2e03ba05dc092d61d707c80024ce3cd90e848bbdaf20a5a33a9c + checksum/config: eeb876b9766e69a0717c8a9df517ace34a4ad116fa9643f49afa19d35b8ca3d5 creationTimestamp: null labels: app.kubernetes.io/instance: redpanda @@ -110815,11 +110602,6 @@ spec: - name: redpanda-certificates projected: sources: - - secret: - items: - - key: ca.crt - path: secrets/redpanda-default-cert/ca.crt - name: redpanda-default-cert - secret: items: - key: cert.crt 
@@ -110851,7 +110633,7 @@ spec: template: metadata: annotations: - config.redpanda.com/checksum: 9a27a058371023eacfdf490e992b689b7ffa8dfc1569887cd1e5a13f95b2e173 + config.redpanda.com/checksum: 8eb9a418d8217f65cc9c6d4d6be3d9c40bd88a4d20055fe146ae310754043966 creationTimestamp: null labels: app.kubernetes.io/component: redpanda-statefulset @@ -110912,7 +110694,7 @@ spec: command: - /bin/sh - -c - - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt + - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/for-internal/tls.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready" failureThreshold: 3 initialDelaySeconds: 10 @@ -110948,7 +110730,7 @@ spec: - -c - | set -e - RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") + RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/for-internal/tls.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") echo $RESULT echo $RESULT | grep ready failureThreshold: 120 @@ -127685,9 +127467,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -127781,8 +127563,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: ca_file: /etc/tls/certs/kafka-internal-0/ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key overprovisioned: false schema_registry: addresses: 
@@ -127815,9 +127597,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -127857,8 +127639,8 @@ data: - redpanda-2:31092 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key name: default schema_registry: addresses: @@ -127891,9 +127673,9 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: caFilepath: /etc/tls/certs/secrets/redpanda-kafka-internal-0-cert/ca.crt - certFilepath: /etc/tls/certs/secrets/redpanda-client/tls.crt + certFilepath: /etc/tls/certs/secrets/redpanda-kafka-internal-0-client-cert/tls.crt enabled: true - keyFilepath: /etc/tls/certs/secrets/redpanda-client/tls.key + keyFilepath: /etc/tls/certs/secrets/redpanda-kafka-internal-0-client-cert/tls.key redpanda: adminApi: enabled: true @@ -128166,7 +127948,7 @@ spec: template: metadata: annotations: - checksum/config: e1d1a2c725732276a9b94a28959e3c722a7dfeee699f9ddb48938abd8b4794e3 + checksum/config: eb6566cc00e3bd984531f7c18c74fb6edf4871ddb56be9e4eac6ea89d56353aa creationTimestamp: null labels: app.kubernetes.io/instance: redpanda @@ -128232,13 +128014,6 @@ spec: - name: redpanda-certificates projected: sources: - - secret: - items: - - key: tls.crt - path: secrets/redpanda-client/tls.crt - - key: tls.key - path: secrets/redpanda-client/tls.key - name: redpanda-client - secret: items: - key: ca.crt 
@@ -128249,6 +128024,13 @@ spec: - key: ca.crt path: secrets/redpanda-kafka-internal-0-cert/ca.crt name: redpanda-kafka-internal-0-cert + - secret: + items: + - key: tls.crt + path: secrets/redpanda-kafka-internal-0-client-cert/tls.crt + - key: tls.key + path: secrets/redpanda-kafka-internal-0-client-cert/tls.key + name: redpanda-kafka-internal-0-client-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: apps/v1 @@ -128385,6 +128167,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -128444,6 +128228,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount @@ -128473,6 +128259,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: base-config - command: @@ -128509,6 +128297,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -128572,6 +128362,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - name: lifecycle-scripts secret: defaultMode: 509 
@@ -128828,9 +128622,10 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: redpanda helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-client + name: redpanda-kafka-internal-0-client + namespace: default spec: - commonName: redpanda-client + commonName: redpanda--kafka-internal-0-client duration: 43800h0m0s isCA: false issuerRef: @@ -128840,7 +128635,7 @@ spec: privateKey: algorithm: ECDSA size: 256 - secretName: redpanda-client + secretName: redpanda-kafka-internal-0-client-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 @@ -128992,6 +128787,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config @@ -129045,6 +128842,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - configMap: name: redpanda name: base-config 
@@ -146838,11 +146639,11 @@ stringData: CURL_URL="https://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9643" # commands used throughout - CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/node_config" + CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/node_config" CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/maintenance" + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/maintenance" postStart.sh: |- #!/usr/bin/env bash # This code should be similar if not exactly the same as that found in the panda-operator, see 
@@ -146861,7 +146662,7 @@ stringData: done echo "Clearing maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" # a 400 here would mean not in maintenance mode until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do status=$(${CURL_MAINTENANCE_DELETE_CMD}) @@ -146891,7 +146692,7 @@ stringData: done echo "Setting maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" until [ "${status:-}" = '"200"' ]; do status=$(${CURL_MAINTENANCE_PUT_CMD}) sleep 0.5 @@ -146999,9 +146800,9 @@ data: truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/default-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/default-client/tls.key require_client_auth: true truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt brokers: 
@@ -147086,8 +146887,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9643 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key enable_memory_locking: false kafka_api: brokers: @@ -147096,8 +146897,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key overprovisioned: false schema_registry: addresses: @@ -147106,8 +146907,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:8081 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key tune_aio_events: true schema_registry: schema_registry_api: @@ -147132,9 +146933,9 @@ data: truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/default-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/default-client/tls.key require_client_auth: true truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt brokers: 
@@ -147167,8 +146968,8 @@ data: - redpanda-2.:9644 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key kafka_api: brokers: - redpanda-0.:9094 @@ -147176,8 +146977,8 @@ data: - redpanda-2.:9094 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key name: default schema_registry: addresses: @@ -147186,8 +146987,8 @@ data: - redpanda-2.:8084 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key kind: ConfigMap metadata: creationTimestamp: null 
@@ -147212,26 +147013,26 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: caFilepath: /etc/tls/certs/configmaps/redpanda-company-cacrt/ca.crt - certFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.crt + certFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.crt enabled: true - keyFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.key + keyFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.key redpanda: adminApi: enabled: true tls: caFilepath: /etc/tls/certs/configmaps/redpanda-company-cacrt/ca.crt - certFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.crt + certFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.crt enabled: true - keyFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.key + keyFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.key urls: - https://redpanda.default.svc.cluster.local.:9643 schemaRegistry: enabled: true tls: caFilepath: /etc/tls/certs/configmaps/redpanda-company-cacrt/ca.crt - certFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.crt + certFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.crt enabled: true - keyFilepath: /etc/tls/certs/secrets/redpanda-tls-cert/tls.key + keyFilepath: /etc/tls/certs/secrets/redpanda-admin-cert/tls.key urls: - https://redpanda-0.redpanda.default.svc.cluster.local.:8081 - https://redpanda-1.redpanda.default.svc.cluster.local.:8081 @@ -147591,7 +147392,7 @@ spec: template: metadata: annotations: - checksum/config: 2e6222bc6bf7a1238a68a878796070c06e0838c798d13f733603cf0e8ae1d965 + checksum/config: 6ca5d29cdbad9c70206c333f995591800e65c8f5b488f120e7f0f53b07ef07a2 creationTimestamp: null labels: app.kubernetes.io/instance: redpanda 
@@ -147660,10 +147461,10 @@ spec: - secret: items: - key: tls.crt - path: secrets/redpanda-tls-cert/tls.crt + path: secrets/redpanda-admin-cert/tls.crt - key: tls.key - path: secrets/redpanda-tls-cert/tls.key - name: redpanda-tls-cert + path: secrets/redpanda-admin-cert/tls.key + name: redpanda-admin-cert - configMap: items: - key: ca.crt @@ -147756,8 +147557,8 @@ spec: command: - /bin/sh - -c - - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/redpanda-client/ca.crt - --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key + - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default-client/ca.crt + --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready" failureThreshold: 3 initialDelaySeconds: 10 @@ -147793,7 +147594,7 @@ spec: - -c - | set -e - RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready") + RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready") echo $RESULT echo $RESULT | grep ready failureThreshold: 120 @@ -147802,10 +147603,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config 
@@ -147864,10 +147663,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount @@ -147893,10 +147690,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: base-config - command: @@ -147929,10 +147724,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -147988,11 +147781,7 @@ spec: secret: defaultMode: 288 secretName: redpanda-tls-cert - - name: redpanda-external-cert - secret: - defaultMode: 288 - secretName: redpanda-external-cert - - name: mtls-client + - name: redpanda-default-client-cert secret: defaultMode: 288 secretName: redpanda-admin-cert 
@@ -148058,105 +147847,6 @@ spec: status: {} --- # Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-external-root-certificate - namespace: default -spec: - commonName: redpanda-external-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-external-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-external-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-external-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - - - - '*.' 
- duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-external-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-external-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-external-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-25.1.1-beta3 - name: redpanda-external-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-external-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml apiVersion: batch/v1 kind: Job metadata: @@ -148203,10 +147893,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config @@ -148252,11 +147940,7 @@ spec: secret: defaultMode: 288 secretName: redpanda-tls-cert - - name: redpanda-external-cert - secret: - defaultMode: 288 - secretName: redpanda-external-cert - - name: mtls-client + - name: redpanda-default-client-cert secret: defaultMode: 288 secretName: redpanda-admin-cert 
diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar index 11327b418..b04983c70 100644 --- a/charts/redpanda/testdata/template-cases.txtar +++ b/charts/redpanda/testdata/template-cases.txtar @@ -111,6 +111,14 @@ tls: # ASSERT-NO-GVK ["cert-manager.io/v1", "Certificate"] # ASSERT-STATEFULSET-ALL-VOLUMES-ARE-USED listeners: + admin: + external: + default: + tls: + cert: for-external + requireClientAuth: false + tls: + cert: for-internal http: external: default: diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go index 19a1f99f5..fced8f388 100644 --- a/charts/redpanda/values.go +++ b/charts/redpanda/values.go @@ -65,11 +65,6 @@ const ( // FSValidatorContainerName is the user facing name of the // fs-validator init container in the redpanda StatefulSet. FSValidatorContainerName = "fs-validator" - - // certificateMountPoint is a common mount point for any TLS certificate - // defined as external truststore or as certificate that would be - // created by cert-manager. - certificateMountPoint = "/etc/tls/certs" ) type MebiBytes = int64 
@@ -902,6 +897,65 @@ type Listeners struct { } `json:"rpc" jsonschema:"required"` } +// InUseServerCerts returns a set of names (As a sorted slice) of all TLS +// certificates that are referenced via listeners and enabled. +func (l *Listeners) InUseServerCerts(tls *TLS) []string { + listeners := []ListenerConfig[string]{ + l.Admin.AsString(), + l.Kafka.AsString(), + l.HTTP.AsString(), + l.SchemaRegistry.AsString(), + } + + certs := map[string]bool{} + + if l.RPC.TLS.IsEnabled(tls) { + certs[l.RPC.TLS.Cert] = true + } + + for _, listener := range listeners { + if !listener.TLS.IsEnabled(tls) { + continue + } + + certs[listener.TLS.Cert] = true + + for _, external := range helmette.SortedMap(listener.External) { + if !external.IsEnabled() || !external.TLS.IsEnabled(&listener.TLS, tls) { + continue + } + + certs[external.TLS.GetCertName(&listener.TLS)] = true + } + } + + return helmette.SortedKeys(certs) +} + +func (l *Listeners) InUseClientCerts(tls *TLS) []string { + listeners := []ListenerConfig[string]{ + l.Admin.AsString(), + l.Kafka.AsString(), + l.HTTP.AsString(), + l.SchemaRegistry.AsString(), + } + + certs := map[string]bool{} + + if l.RPC.TLS.IsEnabled(tls) && l.RPC.TLS.RequireClientAuth { + certs[l.RPC.TLS.Cert] = true + } + + for _, listener := range listeners { + if !listener.TLS.IsEnabled(tls) || !listener.TLS.RequireClientAuth { + continue + } + certs[listener.TLS.Cert] = true + } + + return helmette.SortedKeys(certs) +} + func (l *Listeners) CreateSeedServers(replicas int32, fullname, internalDomain string) []map[string]any { var result []map[string]any for i := int32(0); i < replicas; i++ { 
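Review bot: `InUseClientCerts` is exported but carries no doc comment, unlike `InUseServerCerts` directly above it; add `// InUseClientCerts returns a set of names (as a sorted slice) of all TLS certificates whose listener is enabled and requires client authentication. Only the internal listener TLS settings are consulted; external listeners are not walked.` That last sentence records a real asymmetry: `InUseServerCerts` iterates `listener.External`, while `InUseClientCerts` reads only `listener.TLS.RequireClientAuth`, even though `ListenersTLS` later renders `require_client_auth` for external listeners from `lis.TLS.RequireClientAuth` — if external mTLS clients are expected to bring their own certificates, saying so here pre-empts the question. The four-element `listeners := []ListenerConfig[string]{...}` literal is built identically in both methods; a small unexported helper on `*Listeners` returning that slice would keep the two from drifting, if the transpiler allows it.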
@@ -1187,6 +1241,73 @@ type TLSCert struct { ClientSecretRef *corev1.LocalObjectReference `json:"clientSecretRef"` } +func (c *TLSCert) ServerVolumeName(name string) string { + // NB: Volume names are intentionally hardcoded to redpanda to make + // overrides easier. + return fmt.Sprintf("redpanda-%s-cert", name) +} + +func (c *TLSCert) ClientVolumeName(name string) string { + // NB: Volume names are intentionally hardcoded to redpanda to make + // overrides easier. + return fmt.Sprintf("redpanda-%s-client-cert", name) +} + +func (c *TLSCert) ServerMountPoint(name string) string { + // NB: The path here is intentionally hardcoded to discourage manual + // construct of this mount point. + return fmt.Sprintf("/etc/tls/certs/%s", name) +} + +func (c *TLSCert) ClientMountPoint(name string) string { + // NB: The path here is intentionally hardcoded to discourage manual + // construct of this mount point. + return fmt.Sprintf("/etc/tls/certs/%s-client", name) +} + +func (c *TLSCert) ServerSecretName(state *RenderState, name string) string { + if c.SecretRef != nil { + return c.SecretRef.Name + } + return fmt.Sprintf("%s-%s-cert", Fullname(state), name) +} + +func (c *TLSCert) ClientSecretName(state *RenderState, name string) string { + if c.ClientSecretRef != nil { + return c.ClientSecretRef.Name + } + return fmt.Sprintf("%s-%s-client-cert", Fullname(state), name) +} + +func (c *TLSCert) RootSecretName(state *RenderState, name string) string { + return fmt.Sprintf(`%s-%s-root-certificate`, Fullname(state), name) +} + +func (c *TLSCert) CASecretRef(state *RenderState, name string) corev1.SecretKeySelector { + // If no SecretRef is specified, we know that the CA was generated by cert-manager. + if c.SecretRef == nil { + return corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: c.RootSecretName(state, name), + }, + Key: corev1.TLSCertKey, + } + } + + // Otherwise we have to use the provided SecretRef. 
+ key := corev1.TLSCertKey + if c.CAEnabled { + key = "ca.crt" + } + + return corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: c.ServerSecretName(state, name), + }, + Key: key, + } +} + type TLSCertMap map[string]TLSCert // +gotohelm:ignore=true @@ -1350,8 +1471,9 @@ func (t *InternalTLS) TrustStoreFilePath(tls *TLS) string { return t.TrustStore.TrustStoreFilePath() } - if tls.Certs.MustGet(t.Cert).CAEnabled { - return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert) + cert := tls.Certs.MustGet(t.Cert) + if cert.CAEnabled { + return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(t.Cert)) } return defaultTruststorePath 
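Review bot: None of the new exported `TLSCert` methods (`ServerVolumeName` through `CASecretRef`) has a doc comment, and the two `// NB:` comments read `manual construct of this mount point` where `manual construction of this mount point` is meant. The case most worth documenting is `CASecretRef`: when a `SecretRef` is provided and `CAEnabled` is false it selects `corev1.TLSCertKey` from the server Secret, so consumers are pointed at the server's own leaf certificate rather than a CA — the same fallback `ServerCAPath` explains with its `Strange but technically correct` comment, but here it is silent. Suggest `// CASecretRef returns the Secret key holding the CA for this certificate: the cert-manager root secret when no SecretRef is set, otherwise ca.crt from the user-provided Secret when CAEnabled is true, falling back to the server's tls.crt when it is not.` A one-line `// X returns ...` comment on each of the remaining methods would complete the set.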
@@ -1364,15 +1486,31 @@ func (t *InternalTLS) ServerCAPath(tls *TLS) string { return t.TrustStore.TrustStoreFilePath() } - if tls.Certs.MustGet(t.Cert).CAEnabled { - return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert) + cert := tls.Certs.MustGet(t.Cert) + if cert.CAEnabled { + return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(t.Cert)) } + // Strange but technically correct, if CAEnabled is false, we can't safely // assume that a ca.crt file will exist. So we fallback to using the // server's certificate itself. // Other options would be: failing or falling back to the container's // default truststore. - return fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, t.Cert) + return fmt.Sprintf("%s/tls.crt", cert.ServerMountPoint(t.Cert)) +} + +// ServerMountPoint is a helper to call [TLSCert.ServerMountPoint] on the +// configure certificate. +func (t *InternalTLS) ServerMountPoint(tls *TLS) string { + cert := tls.Certs.MustGet(t.Cert) + return cert.ServerMountPoint(t.Cert) +} + +// ClientMountPoint is a helper to call [TLSCert.ClientMountPoint] on the +// configure certificate. +func (t *InternalTLS) ClientMountPoint(tls *TLS) string { + cert := tls.Certs.MustGet(t.Cert) + return cert.ClientMountPoint(t.Cert) } // ToCommonTLS converts InternalTLS configuration to ir.CommonTLS format with proper secret references. @@ -1383,7 +1521,7 @@ func (t *InternalTLS) ToCommonTLS(state *RenderState, tls *TLS) *ir.CommonTLS { spec := &ir.CommonTLS{} cert := tls.Certs.MustGet(t.Cert) - secretName := CertSecretName(state, t.Cert, cert) + secretName := cert.ServerSecretName(state, t.Cert) if t.TrustStore != nil { // Only one of ConfigMapKeyRef or SecretKeyRef should actually be set. 
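Review bot: Both new doc comments, on `InternalTLS.ServerMountPoint` and `InternalTLS.ClientMountPoint`, say `on the configure certificate`; it should read `on the configured certificate`. Both helpers go through `tls.Certs.MustGet(t.Cert)`, so a listener referencing a certificate name absent from `tls.certs` presumably fails at render time rather than yielding an empty mount path — worth a word in the comment, e.g. `// It fails (via MustGet) if t.Cert is not present in tls.Certs.`, if that is indeed MustGet's contract.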
@@ -1414,7 +1552,7 @@ func (t *InternalTLS) ToCommonTLS(state *RenderState, tls *TLS) *ir.CommonTLS { // Add client certificate and key if client auth is required if t.RequireClientAuth { - clientSecretName := ClientCertSecretName(state, t.Cert, cert) + clientSecretName := cert.ClientSecretName(state, t.Cert) spec.Cert = &ir.SecretKeyRef{ Name: clientSecretName, @@ -1457,8 +1595,9 @@ func (t *ExternalTLS) TrustStoreFilePath(i *InternalTLS, tls *TLS) string { return t.TrustStore.TrustStoreFilePath() } - if t.GetCert(i, tls).CAEnabled { - return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.GetCertName(i)) + name := t.GetCertName(i) + if cert := t.GetCert(i, tls); cert.CAEnabled { + return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(name)) } return defaultTruststorePath @@ -1484,6 +1623,28 @@ type ListenerConfig[T ~string] struct { AuthenticationMethod *T `json:"authenticationMethod,omitempty"` } +func (l *ListenerConfig[T]) AsString() ListenerConfig[string] { + ext := map[string]ExternalListener[string]{} + for name, l := range l.External { + ext[name] = l.AsString() + } + + var auth *string + if l.AuthenticationMethod != nil { + authAStr := string(*l.AuthenticationMethod) + auth = &authAStr + } + + return ListenerConfig[string]{ + Enabled: l.Enabled, + External: ext, + Port: l.Port, + TLS: l.TLS, + AppProtocol: l.AppProtocol, + AuthenticationMethod: auth, + } +} + // +gotohelm:ignore=true func (ListenerConfig[T]) JSONSchemaExtend(schema *jsonschema.Schema) { makeNullable(schema, "authenticationMethod") 
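Review bot: In `ListenerConfig[T].AsString` the loop `for name, l := range l.External` shadows the receiver `l` with the element, so `l.AsString()` in the body is the element's method while `l.External` in the range clause is the receiver's field — correct today, but easy to misread on a later edit. Rename the map and element, e.g. `external := map[string]ExternalListener[string]{}` / `for name, e := range l.External {` / `external[name] = e.AsString()`. The `AuthenticationMethod` pointer-to-string conversion is duplicated verbatim in `ExternalListener[T].AsString` further down in this file; a small helper `func derefString[T ~string](p *T) *string` would remove the copy, if gotohelm can transpile it. Neither `AsString` method has a doc comment; `// AsString returns a copy of the listener with its type parameter erased to string so listeners of different types can be handled uniformly.` covers both.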
@@ -1591,12 +1752,13 @@ func (l *ListenerConfig[T]) ListenersTLS(tls *TLS) []map[string]any { } certName := lis.TLS.GetCertName(&l.TLS) + cert := tls.Certs.MustGet(certName) pp = append(pp, map[string]any{ "name": k, "enabled": true, - "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName), - "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName), + "cert_file": fmt.Sprintf("%s/tls.crt", cert.ServerMountPoint(certName)), + "key_file": fmt.Sprintf("%s/tls.key", cert.ServerMountPoint(certName)), "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false), "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls), }) 
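Review bot: `cert.ServerMountPoint(certName)` is evaluated twice in the appended map literal, once for `cert_file` and once for `key_file`; compute it once, `mount := cert.ServerMountPoint(certName)`, and use `fmt.Sprintf("%s/tls.crt", mount)` / `fmt.Sprintf("%s/tls.key", mount)`. Purely a readability point — the method only formats its argument, so the output is unchanged. `ListenersTLS` begins and ends outside this hunk.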
@@ -1604,49 +1766,6 @@ func (l *ListenerConfig[T]) ListenersTLS(tls *TLS) []map[string]any { return pp } -// ConsoleTLS is a struct that represents TLS configuration used -// in console configuration in Kafka, Schema Registry and -// Redpanda Admin API. -// For the above configuration helm chart could import struct, but -// as of the writing the struct fields tag have only `yaml` annotation. -// `sigs.k8s.io/yaml` requires `json` tags. -type ConsoleTLS struct { - Enabled bool `json:"enabled"` - CaFilepath string `json:"caFilepath"` - CertFilepath string `json:"certFilepath"` - KeyFilepath string `json:"keyFilepath"` - InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"` -} - -func (l *ListenerConfig[T]) ConsoleTLS(tls *TLS) ConsoleTLS { - t := ConsoleTLS{Enabled: l.TLS.IsEnabled(tls)} - if !t.Enabled { - return t - } - - adminAPIPrefix := fmt.Sprintf("%s/%s", certificateMountPoint, l.TLS.Cert) - - // Strange but technically correct, if CAEnabled is false, we can't safely - // assume that a ca.crt file will exist. So we fallback to using the - // server's certificate itself. - // Other options would be: failing or falling back to the container's - // default truststore. - if tls.Certs.MustGet(l.TLS.Cert).CAEnabled { - t.CaFilepath = fmt.Sprintf("%s/ca.crt", adminAPIPrefix) - } else { - t.CaFilepath = fmt.Sprintf("%s/tls.crt", adminAPIPrefix) - } - - if !l.TLS.RequireClientAuth { - return t - } - - t.CertFilepath = fmt.Sprintf("%s/tls.crt", adminAPIPrefix) - t.KeyFilepath = fmt.Sprintf("%s/tls.key", adminAPIPrefix) - - return t -} - type ExternalListener[T ~string] struct { Enabled *bool `json:"enabled"` AdvertisedPorts []int32 `json:"advertisedPorts" jsonschema:"minItems=1"` 
@@ -1659,6 +1778,24 @@ type ExternalListener[T ~string] struct { PrefixTemplate *string `json:"prefixTemplate,omitempty"` } +func (l *ExternalListener[T]) AsString() ExternalListener[string] { + var auth *string + if l.AuthenticationMethod != nil { + authAStr := string(*l.AuthenticationMethod) + auth = &authAStr + } + + return ExternalListener[string]{ + Enabled: l.Enabled, + AdvertisedPorts: l.AdvertisedPorts, + Port: l.Port, + NodePort: l.NodePort, + TLS: l.TLS, + AuthenticationMethod: auth, + PrefixTemplate: l.PrefixTemplate, + } +} + // +gotohelm:ignore=true func (ExternalListener[T]) JSONSchemaExtend(schema *jsonschema.Schema) { makeNullable(schema, "authenticationMethod") diff --git a/gotohelm/transpiler.go b/gotohelm/transpiler.go index 6c5466dc3..3abc3cb1f 100644 --- a/gotohelm/transpiler.go +++ b/gotohelm/transpiler.go @@ -1639,7 +1639,7 @@ func (t *Transpiler) zeroOf(typ types.Type) Node { switch underlying := typ.Underlying().(type) { case *types.Basic: switch underlying.Info() { - case types.IsString: + case types.IsString, types.IsUntyped | types.IsString: return Literal(`""`) case types.IsInteger, types.IsUnsigned | types.IsInteger: return Literal("0") diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go index 33162a21b..b40677733 100644 --- a/pkg/helm/helm.go +++ b/pkg/helm/helm.go 
@@ -557,14 +557,21 @@ func (c *Client) runHelmInDir(ctx context.Context, dir string, args ...string) ( var stderr bytes.Buffer log.Printf("Executing: %#v", strings.Join(append([]string{"helm"}, args...), " ")) - cmd := exec.Command("helm", args...) + cmd := exec.CommandContext(ctx, "helm", args...) cmd.Dir = dir cmd.Env = c.env cmd.Stderr = &stderr cmd.Stdout = &stdout + // Setting Cancel and WaitDelay will cause SIGINT to be sent upon context + // cancellation and send SIGKILL after 5s. (i.e. a graceful shutdown with a + // 5s grace period). + cmd.WaitDelay = 5 * time.Second + cmd.Cancel = func() error { + return cmd.Process.Signal(os.Interrupt) + } - err := runWithGracePeriod(ctx, cmd, 5*time.Second) + err := cmd.Run() return stdout.Bytes(), stderr.Bytes(), errors.Join( ctx.Err(), @@ -622,31 +629,3 @@ func UpdateChartLock(chartLock ChartLock, filepath string) error { return os.WriteFile(filepath, b, 0o644) } - -// runWithGracePeriod is similar to [exec.CommandContext] except that it first -// SIGINT's the child process and allows it exit within [gracePeriod] before -// killing the process. -func runWithGracePeriod(ctx context.Context, cmd *exec.Cmd, gracePeriod time.Duration) error { - errCh := make(chan error, 1) - go func() { - errCh <- cmd.Run() - }() - - // Attempt to do a graceful shutdown of the - select { - case err := <-errCh: - return err - - case <-ctx.Done(): - _ = cmd.Process.Signal(os.Interrupt) - - select { - case err := <-errCh: - return errors.Join(err, ctx.Err()) - - case <-time.After(gracePeriod): - _ = cmd.Process.Kill() - return errors.Join(<-errCh, ctx.Err()) - } - } -}
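Review bot: The new `cmd.Cancel` returns whatever `cmd.Process.Signal(os.Interrupt)` returns, whereas the removed `runWithGracePeriod` discarded that error; with `exec.Cmd`, a non-nil `Cancel` error can be folded into the error `Wait` reports, so on a platform where `os.Interrupt` cannot be delivered via `Process.Signal` (Windows does not implement it) cancellation would degrade to the `WaitDelay` kill with a signal error attached rather than the interrupt-then-kill the comment describes. If that matters here, fall back explicitly: `if err := cmd.Process.Signal(os.Interrupt); err != nil { return cmd.Process.Kill() }` followed by `return nil`. The comment above `cmd.WaitDelay` could also note that `WaitDelay` additionally bounds how long `Wait` blocks on the stdout/stderr copying after the process exits, so it is not purely a grace period. `runHelmInDir` begins outside the hunk.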