diff --git a/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml b/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml
new file mode 100644
index 000000000..668894675
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml
@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00
diff --git a/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml b/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml
new file mode 100644
index 000000000..f015e276f
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml
@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00
diff --git a/.changes/unreleased/operator-Changed-20250918-152741.yaml b/.changes/unreleased/operator-Changed-20250918-152741.yaml
new file mode 100644
index 000000000..8cb3cc43a
--- /dev/null
+++ b/.changes/unreleased/operator-Changed-20250918-152741.yaml
@@ -0,0 +1,4 @@
+project: operator
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00
diff --git a/.changes/unreleased/operator-Fixed-20250918-152623.yaml b/.changes/unreleased/operator-Fixed-20250918-152623.yaml
new file mode 100644
index 000000000..b8c3b2d41
--- /dev/null
+++ b/.changes/unreleased/operator-Fixed-20250918-152623.yaml
@@ -0,0 +1,4 @@
+project: operator
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00
diff --git a/charts/redpanda/cert_issuers.go b/charts/redpanda/cert_issuers.go
index 76578eef2..9bf71fab2 100644
--- a/charts/redpanda/cert_issuers.go +++ b/charts/redpanda/cert_issuers.go @@ -37,11 +37,17 @@ func certIssuersAndCAs(dot *helmette.Dot) ([]*certmanagerv1.Issuer, []*certmanag var issuers []*certmanagerv1.Issuer var certs []*certmanagerv1.Certificate - if !TLSEnabled(dot) { - return issuers, certs + inUseCerts := map[string]bool{} + for _, name := range values.Listeners.InUseServerCerts(&values.TLS) { + inUseCerts[name] = true } + for _, name := range values.Listeners.InUseClientCerts(&values.TLS) { + inUseCerts[name] = true + } + + for name := range helmette.SortedMap(inUseCerts) { + data := values.TLS.Certs.MustGet(name) - for name, data := range helmette.SortedMap(values.TLS.Certs) { // If this certificate is disabled (.Enabled), provided directly by the // end user (.SecretRef), or has an issuer provided (.IssuerRef), we // don't need to bootstrap an issuer. @@ -130,7 +136,7 @@ func certIssuersAndCAs(dot *helmette.Dot) ([]*certmanagerv1.Issuer, []*certmanag Spec: certmanagerv1.IssuerSpec{ IssuerConfig: certmanagerv1.IssuerConfig{ CA: &certmanagerv1.CAIssuer{ - SecretName: fmt.Sprintf(`%s-%s-root-certificate`, Fullname(dot), name), + SecretName: data.RootSecretName(dot, name), }, }, }, diff --git a/charts/redpanda/certs.go b/charts/redpanda/certs.go index 9d5157723..c2db0e3d6 100644 --- a/charts/redpanda/certs.go +++ b/charts/redpanda/certs.go @@ -23,10 +23,6 @@ import ( ) func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate { - if !TLSEnabled(dot) { - return []*certmanagerv1.Certificate{} - } - values := helmette.Unwrap[Values](dot.Values) fullname := Fullname(dot) 
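Review bot: With the `if !TLSEnabled(dot)` early return gone, the only thing keeping issuers and root CAs from being rendered for a cluster with TLS switched off is that `InUseServerCerts`/`InUseClientCerts` return nothing in that case, and that invariant is not stated where the `inUseCerts` map is built. Suggest a comment above it: `// Issuers/CAs are bootstrapped only for certificates referenced by a listener with TLS enabled; the InUse*Certs helpers are the single source of truth for that set.` It is also worth confirming that `MustGet` names the listener as well as the certificate when a listener references a key missing from `tls.certs`, since this loop is now the first place a typo in `listeners.*.tls.cert` surfaces. The body of certIssuersAndCAs continues outside the hunk.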
@@ -37,8 +33,11 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate { domain := strings.TrimSuffix(values.ClusterDomain, ".") var certs []*certmanagerv1.Certificate - for name, data := range helmette.SortedMap(values.TLS.Certs) { - if !helmette.Empty(data.SecretRef) || !ptr.Deref(data.Enabled, true) { + for _, name := range values.Listeners.InUseServerCerts(&values.TLS) { + data := values.TLS.Certs.MustGet(name) + + // Don't generate server Certificates if a secret is provided. + if !helmette.Empty(data.SecretRef) { continue } @@ -85,7 +84,7 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate { Duration: helmette.MustDuration(duration), IsCA: false, IssuerRef: issuerRef, - SecretName: fmt.Sprintf("%s-%s-cert", fullname, name), + SecretName: data.ServerSecretName(dot, name), PrivateKey: &certmanagerv1.CertificatePrivateKey{ Algorithm: "ECDSA", Size: 256, 
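Review bot: The server-certificate loop drops the previous `!ptr.Deref(data.Enabled, true)` skip and keeps only the `SecretRef` check, while the certIssuersAndCAs hunk on this page still treats `.Enabled` as a reason to skip the same certificate; unless `InUseServerCerts` is known to exclude `enabled: false` entries, a cert-manager Certificate is now rendered for a disabled cert. Either restore the guard, `if !helmette.Empty(data.SecretRef) || !ptr.Deref(data.Enabled, true) { continue }`, or state the filtering in the comment: `// InUseServerCerts only yields enabled certificates, so only a user-supplied secret needs to be skipped here.` The function is also now misnamed — `ClientCerts` renders both server and client Certificates — so a doc comment saying so would help the next reader. ClientCerts continues outside the hunk.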
@@ -94,49 +93,54 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate { }) } - name := values.Listeners.Kafka.TLS.Cert + for _, name := range values.Listeners.InUseClientCerts(&values.TLS) { + data := values.TLS.Certs.MustGet(name) - data, ok := values.TLS.Certs[name] - if !ok { - panic(fmt.Sprintf("Certificate %q referenced but not defined", name)) - } + if data.SecretRef != nil && data.ClientSecretRef == nil { + panic(fmt.Sprintf(".clientSecretRef MUST be set if .secretRef is set and require_client_auth is true: Cert %q", name)) + } - if !helmette.Empty(data.SecretRef) || !ClientAuthRequired(dot) { - return certs - } + // Don't generate a client Certificate if a client secret is provided. + if data.ClientSecretRef != nil { + continue + } - issuerRef := cmmetav1.ObjectReference{ - Group: "cert-manager.io", - Kind: "Issuer", - Name: fmt.Sprintf("%s-%s-root-issuer", fullname, name), - } + issuerRef := cmmetav1.ObjectReference{ + Group: "cert-manager.io", + Kind: "Issuer", + Name: fmt.Sprintf("%s-%s-root-issuer", fullname, name), + } - if data.IssuerRef != nil { - issuerRef = *data.IssuerRef - issuerRef.Group = "cert-manager.io" - } + if data.IssuerRef != nil { + issuerRef = *data.IssuerRef + issuerRef.Group = "cert-manager.io" + } + + duration := helmette.Default("43800h", data.Duration) - duration := helmette.Default("43800h", data.Duration) - - return append(certs, &certmanagerv1.Certificate{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "cert-manager.io/v1", - Kind: "Certificate", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("%s-client", fullname), - Labels: FullLabels(dot), - }, - Spec: certmanagerv1.CertificateSpec{ - CommonName: fmt.Sprintf("%s-client", fullname), - Duration: helmette.MustDuration(duration), - IsCA: false, - SecretName: fmt.Sprintf("%s-client", fullname), - PrivateKey: &certmanagerv1.CertificatePrivateKey{ - Algorithm: "ECDSA", - Size: 256, + certs = append(certs, &certmanagerv1.Certificate{ + TypeMeta: 
metav1.TypeMeta{ + APIVersion: "cert-manager.io/v1", + Kind: "Certificate", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-%s-client", fullname, name), + Namespace: dot.Release.Namespace, + Labels: FullLabels(dot), + }, + Spec: certmanagerv1.CertificateSpec{ + CommonName: fmt.Sprintf("%s--%s-client", fullname, name), + Duration: helmette.MustDuration(duration), + IsCA: false, + SecretName: data.ClientSecretName(dot, name), + PrivateKey: &certmanagerv1.CertificatePrivateKey{ + Algorithm: "ECDSA", + Size: 256, + }, + IssuerRef: issuerRef, }, - IssuerRef: issuerRef, - }, - }) + }) + } + + return certs } diff --git a/charts/redpanda/chart_test.go b/charts/redpanda/chart_test.go index 34391247d..7a8666bbf 100644 --- a/charts/redpanda/chart_test.go +++ b/charts/redpanda/chart_test.go 
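Review bot: `CommonName: fmt.Sprintf("%s--%s-client", fullname, name)` carries a doubled hyphen that the resource `Name` a few lines above does not, and for an mTLS client certificate the CN is typically what Redpanda's principal mapping and ACLs key on, so this typo becomes the identity every downstream rule has to match. Unless the double hyphen is deliberate, it should be `CommonName: fmt.Sprintf("%s-%s-client", fullname, name)`. The client Certificate also sets no `Usages`; if the issuing CA or a strict verifier checks extended key usage, presumably `Usages: []certmanagerv1.KeyUsage{certmanagerv1.UsageDigitalSignature, certmanagerv1.UsageClientAuth}` is wanted — worth confirming against cert-manager's default set. The `.clientSecretRef MUST be set` panic is the right call: a chart-issued client cert would never be trusted by a user-supplied server CA, so failing at render time beats a silent handshake failure.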
@@ -749,26 +749,50 @@ func httpProxyListenerTest(ctx context.Context, rpk *Client) error { func mTLSValuesUsingCertManager() *redpanda.PartialValues { return minimalValues(&redpanda.PartialValues{ + TLS: &redpanda.PartialTLS{ + Certs: redpanda.PartialTLSCertMap{ + "kafka": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "http": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "rpc": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + "schema": redpanda.PartialTLSCert{ + Enabled: ptr.To(true), + CAEnabled: ptr.To(true), + }, + }, + }, External: &redpanda.PartialExternalConfig{Enabled: ptr.To(false)}, ClusterDomain: ptr.To("cluster.local"), Listeners: &redpanda.PartialListeners{ Admin: &redpanda.PartialListenerConfig[redpanda.NoAuth]{ TLS: &redpanda.PartialInternalTLS{ + // Uses default by default. RequireClientAuth: ptr.To(true), }, }, HTTP: &redpanda.PartialListenerConfig[redpanda.HTTPAuthenticationMethod]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("http"), RequireClientAuth: ptr.To(true), }, }, Kafka: &redpanda.PartialListenerConfig[redpanda.KafkaAuthenticationMethod]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("kafka"), RequireClientAuth: ptr.To(true), }, }, SchemaRegistry: &redpanda.PartialListenerConfig[redpanda.NoAuth]{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("schema"), RequireClientAuth: ptr.To(true), }, }, @@ -777,6 +801,7 @@ func mTLSValuesUsingCertManager() *redpanda.PartialValues { TLS *redpanda.PartialInternalTLS `json:"tls,omitempty" jsonschema:"required"` }{ TLS: &redpanda.PartialInternalTLS{ + Cert: ptr.To("rpc"), RequireClientAuth: ptr.To(true), }, }, diff --git a/charts/redpanda/client/client.go b/charts/redpanda/client/client.go index 977be8791..c320f1082 100644 --- a/charts/redpanda/client/client.go +++ b/charts/redpanda/client/client.go 
@@ -28,6 +28,7 @@ import ( "github.com/twmb/franz-go/pkg/sasl/scram" "github.com/twmb/franz-go/pkg/sr" corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/redpanda-data/redpanda-operator/charts/redpanda/v5" 
@@ -286,35 +287,21 @@ func authFromDot(dot *helmette.Dot) (username string, password string, mechanism return } -func certificatesFor(dot *helmette.Dot, cert string) (certSecret, certKey, clientSecret string) { +func certificatesFor(dot *helmette.Dot, name string) (certSecret, certKey, clientSecret string) { values := helmette.Unwrap[redpanda.Values](dot.Values) - name := redpanda.Fullname(dot) + cert, ok := values.TLS.Certs[name] + if !ok || !ptr.Deref(cert.Enabled, true) { + // TODO this isn't correct but it matches historical behavior. + fullname := redpanda.Fullname(dot) + certSecret = fmt.Sprintf("%s-%s-root-certificate", fullname, name) + clientSecret = fmt.Sprintf("%s-default-client-cert", fullname) - // default to cert manager issued names and tls.crt which is - // where cert-manager outputs the root CA - certKey = corev1.TLSCertKey - certSecret = fmt.Sprintf("%s-%s-root-certificate", name, cert) - clientSecret = fmt.Sprintf("%s-client", name) - - if certificate, ok := values.TLS.Certs[cert]; ok { - // if this references a non-enabled certificate, just return - // the default cert-manager issued names - if certificate.Enabled != nil && !*certificate.Enabled { - return certSecret, certKey, clientSecret - } - - if certificate.ClientSecretRef != nil { - clientSecret = certificate.ClientSecretRef.Name - } - if certificate.SecretRef != nil { - certSecret = certificate.SecretRef.Name - if certificate.CAEnabled { - certKey = "ca.crt" - } - } + return certSecret, corev1.TLSCertKey, clientSecret } - return certSecret, certKey, clientSecret + + ref := cert.CASecretRef(dot, name) + return ref.LocalObjectReference.Name, ref.Key, cert.ClientSecretName(dot, name) } func tlsConfigFromDot(dot *helmette.Dot, listener redpanda.InternalTLS) (*tls.Config, error) { diff --git a/charts/redpanda/client/client_test.go b/charts/redpanda/client/client_test.go index c82c12b59..80dd8086f 100644 --- a/charts/redpanda/client/client_test.go +++ b/charts/redpanda/client/client_test.go 
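Review bot: The `!ok || !ptr.Deref(cert.Enabled, true)` branch hands back names of Secrets that cannot exist for an undefined or disabled certificate, and `// TODO this isn't correct but it matches historical behavior.` does not say what is wrong or what correct would look like. Suggest making it actionable: `// TODO: an undefined or disabled cert has no CA or client secret; this should be an error rather than a guessed name. Kept only to preserve historical behaviour.` The first result is now the CA secret from `CASecretRef` rather than a server certificate, so the named result `certSecret` no longer describes what it holds; renaming it `caSecret` is safe since callers consume the results positionally. certificatesFor is complete within the hunk; tlsConfigFromDot below it is cut off.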
@@ -58,7 +58,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "redpanda-default-root-certificate", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "default with non-enabled global cert": { Cert: &redpanda.TLSCert{ @@ -70,7 +70,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "redpanda-default-root-certificate", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with secret ref": { Cert: &redpanda.TLSCert{ @@ -81,7 +81,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "some-cert", ExpectedRootCertKey: "tls.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with CA": { Cert: &redpanda.TLSCert{ @@ -93,7 +93,7 @@ func TestCertificates(t *testing.T) { CertificateName: "default", ExpectedRootCertName: "some-cert", ExpectedRootCertKey: "ca.crt", - ExpectedClientCertName: "redpanda-client", + ExpectedClientCertName: "redpanda-default-client-cert", }, "certificate with client certificate": { Cert: &redpanda.TLSCert{ diff --git a/charts/redpanda/client_test.go b/charts/redpanda/client_test.go index 146214f98..f7ea07aaf 100644 --- a/charts/redpanda/client_test.go +++ b/charts/redpanda/client_test.go @@ -23,7 +23,6 @@ import ( "github.com/cockroachdb/errors" "github.com/redpanda-data/common-go/rpadmin" - "github.com/redpanda-data/redpanda/src/go/rpk/pkg/config" "github.com/stretchr/testify/require" "github.com/twmb/franz-go/pkg/sr" corev1 "k8s.io/api/core/v1" 
@@ -381,7 +380,7 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write return nil, errors.WithStack(err) } - availablePorts, cleanup, err := c.Ctl.PortForward(ctx, pod, out, errOut) + ports, cleanup, err := c.Ctl.PortForward(ctx, pod, out, errOut) if err != nil { return cleanup, errors.WithStack(err) } @@ -390,26 +389,9 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write c.proxyClients = make(map[string]*portForwardClient) } - rpYaml, err := c.getRedpandaConfig(ctx) - if err != nil { - return cleanup, errors.WithStack(err) - } - values := helmette.Unwrap[redpanda.Values](c.dot.Values) - defaultSecretName := fmt.Sprintf("%s-%s-%s", c.dot.Release.Name, "default", "cert") - - secretName := defaultSecretName - cert := values.TLS.Certs[values.Listeners.HTTP.TLS.Cert] - if ref := cert.ClientSecretRef; ref != nil { - secretName = ref.Name - } - - proxyClient, err := c.createClient(ctx, - getInternalPort(rpYaml.Pandaproxy.PandaproxyAPI, availablePorts), - isTLSEnabled(rpYaml.Pandaproxy.PandaproxyAPITLS), - isMutualTLSEnabled(rpYaml.Pandaproxy.PandaproxyAPITLS), - secretName) + proxyClient, err := c.createClient(ctx, ports, values.Listeners.HTTP.AsString()) if err != nil { return cleanup, errors.WithStack(err) } 
@@ -419,89 +401,18 @@ func (c *Client) ExposeRedpandaCluster(ctx context.Context, out, errOut io.Write return cleanup, err } -func isMutualTLSEnabled(tlsCfg []config.ServerTLS) bool { - for _, t := range tlsCfg { - if t.Name != "internal" || !t.Enabled { - continue - } - return t.RequireClientAuth - } - return false -} - -func isTLSEnabled(tlsCfg []config.ServerTLS) bool { - for _, t := range tlsCfg { - if t.Name != "internal" { - continue - } - return t.Enabled - } - return false -} - -func getInternalPort(addresses any, availablePorts []portforward.ForwardedPort) int { - var adminListenerPort int - switch v := addresses.(type) { - case []config.NamedSocketAddress: - for _, a := range v { - if a.Name != "internal" { - continue - } - adminListenerPort = a.Port - } - case []config.NamedAuthNSocketAddress: - for _, a := range v { - if a.Name != "internal" { - continue - } - adminListenerPort = a.Port - } - } - - for _, p := range availablePorts { - if int(p.Remote) == adminListenerPort { - return int(p.Local) - } - } - - return 0 -} - -func (c *Client) getRedpandaConfig(ctx context.Context) (*config.RedpandaYaml, error) { - cm, err := kube.Get[corev1.ConfigMap](ctx, c.Ctl, kube.ObjectKey{ - Name: c.dot.Release.Name, - Namespace: c.dot.Release.Namespace, - }) - if err != nil { - return nil, errors.WithStack(err) - } - - rpCfg, exist := cm.Data["redpanda.yaml"] - if !exist { - return nil, errors.WithStack(fmt.Errorf("redpanda.yaml not found")) - } - - var cfg config.RedpandaYaml - err = yaml.Unmarshal([]byte(rpCfg), &cfg) - if err != nil { - return nil, errors.WithStack(err) - } - - return &cfg, nil -} - -func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEnabled bool, tlsK8SSecretName string) (*portForwardClient, error) { - if port == 0 { - return nil, errors.New("admin internal listener port not found") - } +func (c *Client) createClient(ctx context.Context, ports []portforward.ForwardedPort, cfg redpanda.ListenerConfig[string]) 
(*portForwardClient, error) { + values := helmette.Unwrap[redpanda.Values](c.dot.Values) schema := "http" var rootCAs *x509.CertPool var certs []tls.Certificate - if tlsEnabled { + if cfg.TLS.IsEnabled(&values.TLS) { + cert := values.TLS.Certs.MustGet(cfg.TLS.Cert) + schema = "https" s, err := kube.Get[corev1.Secret](ctx, c.Ctl, kube.ObjectKey{ - Name: tlsK8SSecretName, + Name: cert.ServerSecretName(c.dot, cfg.TLS.Cert), Namespace: c.dot.Release.Namespace, }) if err != nil { @@ -514,7 +425,7 @@ func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEna return nil, errors.WithStack(errors.New("failed to parse CA certificate")) } - if mTLSEnabled { + if cfg.TLS.RequireClientAuth { cert, err := tls.X509KeyPair(s.Data["tls.crt"], s.Data["tls.key"]) if err != nil { return nil, errors.WithStack(err) @@ -541,11 +452,15 @@ func (c *Client) createClient(ctx context.Context, port int, tlsEnabled, mTLSEna Transport: transport, } - pfc := &portForwardClient{ - httpClient, - port, - schema, + for _, port := range ports { + if port.Remote == uint16(cfg.Port) { + return &portForwardClient{ + httpClient, + int(port.Local), + schema, + }, nil + } } - return pfc, nil + return nil, errors.Newf("remote port not forwarded: %d", cfg.Port) } diff --git a/charts/redpanda/configmap.tpl.go b/charts/redpanda/configmap.tpl.go index fd3a7ce37..941485c1b 100644 --- a/charts/redpanda/configmap.tpl.go +++ b/charts/redpanda/configmap.tpl.go @@ -430,8 +430,8 @@ func rpkKafkaClientTLSConfiguration(dot *helmette.Dot) map[string]any { } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&values.TLS)) } return result 
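Review bot: When `cfg.TLS.RequireClientAuth` is set, the key pair presented to the broker is read from the server secret `s` (`cert.ServerSecretName`), so the test client authenticates with the listener's own server leaf rather than the per-certificate client secret this change introduces; unless the server leaf is meant to double as a client identity, the mTLS pair should come from `cert.ClientSecretName(c.dot, cfg.TLS.Cert)` while the CA is still taken from `s`. The inner `cert, err := tls.X509KeyPair(...)` also shadows the outer `cert` (the `TLSCert` from `MustGet`), which is easy to misread; a different name such as `pair` avoids it. createClient continues past the hunk.

```go
	if cfg.TLS.RequireClientAuth {
		cs, err := kube.Get[corev1.Secret](ctx, c.Ctl, kube.ObjectKey{
			Name:      cert.ClientSecretName(c.dot, cfg.TLS.Cert),
			Namespace: c.dot.Release.Namespace,
		})
		if err != nil {
			return nil, errors.WithStack(err)
		}
		pair, err := tls.X509KeyPair(cs.Data["tls.crt"], cs.Data["tls.key"])
		if err != nil {
			return nil, errors.WithStack(err)
		}
		// … unchanged: append pair to certs …
	}
```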
@@ -454,8 +454,8 @@ func rpkAdminAPIClientTLSConfiguration(dot *helmette.Dot) map[string]any { } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&values.TLS)) } return result @@ -478,8 +478,8 @@ func rpkSchemaRegistryClientTLSConfiguration(dot *helmette.Dot) map[string]any { } if tls.RequireClientAuth { - result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot)) - result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot)) + result["cert_file"] = fmt.Sprintf("%s/tls.crt", tls.ClientMountPoint(&values.TLS)) + result["key_file"] = fmt.Sprintf("%s/tls.key", tls.ClientMountPoint(&values.TLS)) } return result @@ -513,8 +513,8 @@ func kafkaClient(dot *helmette.Dot) map[string]any { } if kafkaTLS.RequireClientAuth { - brokerTLS["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot)) - brokerTLS["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot)) + brokerTLS["cert_file"] = fmt.Sprintf("%s/tls.crt", kafkaTLS.ClientMountPoint(&values.TLS)) + brokerTLS["key_file"] = fmt.Sprintf("%s/tls.key", kafkaTLS.ClientMountPoint(&values.TLS)) } } 
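Review bot: Each of the rpk client TLS blocks calls `tls.ClientMountPoint(&values.TLS)` twice to build `cert_file` and `key_file`; a local `dir := tls.ClientMountPoint(&values.TLS)` followed by `result["cert_file"] = fmt.Sprintf("%s/tls.crt", dir)` and `result["key_file"] = fmt.Sprintf("%s/tls.key", dir)` reads more clearly and keeps the two paths visibly rooted in the same directory. The same applies to the `brokerTLS` block in kafkaClient. The enclosing functions start outside these hunks.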
@@ -605,12 +605,10 @@ func rpcListenersTLS(dot *helmette.Dot) map[string]any { return map[string]any{} } - certName := r.TLS.Cert - return map[string]any{ "enabled": true, - "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName), - "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName), + "cert_file": fmt.Sprintf("%s/tls.crt", r.TLS.ServerMountPoint(&values.TLS)), + "key_file": fmt.Sprintf("%s/tls.key", r.TLS.ServerMountPoint(&values.TLS)), "require_client_auth": r.TLS.RequireClientAuth, "truststore_file": r.TLS.TrustStoreFilePath(&values.TLS), } @@ -634,8 +632,8 @@ func createInternalListenerTLSCfg(tls *TLS, internal InternalTLS) map[string]any return map[string]any{ "name": "internal", "enabled": true, - "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, internal.Cert), - "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, internal.Cert), + "cert_file": fmt.Sprintf("%s/tls.crt", internal.ServerMountPoint(tls)), + "key_file": fmt.Sprintf("%s/tls.key", internal.ServerMountPoint(tls)), "require_client_auth": internal.RequireClientAuth, "truststore_file": internal.TrustStoreFilePath(tls), } diff --git a/charts/redpanda/console.tpl.go b/charts/redpanda/console.tpl.go index a678644e0..c463b30b4 100644 --- a/charts/redpanda/console.tpl.go +++ b/charts/redpanda/console.tpl.go @@ -139,9 +139,11 @@ func consoleTLSVolumesMounts(dot *helmette.Dot) []corev1.VolumeMount { } visitedCert[tlsCfg.Cert] = true + cert := values.TLS.Certs.MustGet(tlsCfg.Cert) + mounts = append(mounts, corev1.VolumeMount{ - Name: fmt.Sprintf("redpanda-%s-cert", tlsCfg.Cert), - MountPath: fmt.Sprintf("%s/%s", certificateMountPoint, tlsCfg.Cert), + Name: cert.ServerVolumeName(tlsCfg.Cert), + MountPath: cert.ServerMountPoint(tlsCfg.Cert), }) } 
@@ -180,12 +182,14 @@ func consoleTLSVolumes(dot *helmette.Dot) []corev1.Volume { } visitedCert[tlsCfg.Cert] = true + cert := values.TLS.Certs.MustGet(tlsCfg.Cert) + volumes = append(volumes, corev1.Volume{ - Name: fmt.Sprintf("redpanda-%s-cert", tlsCfg.Cert), + Name: cert.ServerVolumeName(tlsCfg.Cert), VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ DefaultMode: ptr.To[int32](0o420), - SecretName: CertSecretName(dot, tlsCfg.Cert, values.TLS.Certs.MustGet(tlsCfg.Cert)), + SecretName: cert.ServerSecretName(dot, tlsCfg.Cert), }, }, }) diff --git a/charts/redpanda/helpers.go b/charts/redpanda/helpers.go index 2875f1e06..95509fd83 100644 --- a/charts/redpanda/helpers.go +++ b/charts/redpanda/helpers.go 
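Review bot: `DefaultMode: ptr.To[int32](0o420)` on the console secret volume is octal 0420 (owner read, group write only); it reads like the common decimal `420` (= 0644) written with an octal prefix by mistake, and it differs from the `0o440` used for the same secrets in helpers.go on this page. The line is unchanged context rather than part of this change, but since the secret name is being reworked here it is a good moment to align it: `DefaultMode: ptr.To[int32](0o440),`. Presumably kubelet's fsGroup handling, which typically ORs group read onto read-only volume files, is why this has not surfaced, but the literal should not rely on that. consoleTLSVolumes continues outside the hunk.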
@@ -130,53 +130,6 @@ func InternalDomain(dot *helmette.Dot) string { return fmt.Sprintf("%s.%s.svc.%s", service, ns, values.ClusterDomain) } -// check if client auth is enabled for any of the listeners -func TLSEnabled(dot *helmette.Dot) bool { - values := helmette.Unwrap[Values](dot.Values) - - if values.TLS.Enabled { - return true - } - - listeners := []string{"kafka", "admin", "schemaRegistry", "rpc", "http"} - for _, listener := range listeners { - tlsCert := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "tls", "cert") - tlsEnabled := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "tls", "enabled") - if !helmette.Empty(tlsEnabled) && !helmette.Empty(tlsCert) { - return true - } - - external := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "external") - if helmette.Empty(external) { - continue - } - - keys := helmette.Keys(external.(map[string]any)) - for _, key := range keys { - enabled := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "external", key, "enabled") - tlsCert := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "external", key, "tls", "cert") - tlsEnabled := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "external", key, "tls", "enabled") - - if !helmette.Empty(enabled) && !helmette.Empty(tlsCert) && !helmette.Empty(tlsEnabled) { - return true - } - } - } - - return false -} - -func ClientAuthRequired(dot *helmette.Dot) bool { - listeners := []string{"kafka", "admin", "schemaRegistry", "rpc", "http"} - for _, listener := range listeners { - required := helmette.Dig(dot.Values.AsMap(), false, "listeners", listener, "tls", "requireClientAuth") - if !helmette.Empty(required) { - return true - } - } - return false -} - // mounts that are common to most containers func DefaultMounts(dot *helmette.Dot) []corev1.VolumeMount { return append([]corev1.VolumeMount{ 
@@ -201,30 +154,23 @@ func CommonMounts(dot *helmette.Dot) []corev1.VolumeMount { }) } - if TLSEnabled(dot) { - certNames := helmette.Keys(values.TLS.Certs) - helmette.SortAlpha(certNames) + for _, name := range values.Listeners.InUseServerCerts(&values.TLS) { + cert := values.TLS.Certs.MustGet(name) - for _, name := range certNames { - cert := values.TLS.Certs[name] - - if !ptr.Deref(cert.Enabled, true) { - continue - } + mounts = append(mounts, corev1.VolumeMount{ + Name: cert.ServerVolumeName(name), + MountPath: cert.ServerMountPoint(name), + }) + } - mounts = append(mounts, corev1.VolumeMount{ - Name: fmt.Sprintf("redpanda-%s-cert", name), - MountPath: fmt.Sprintf("%s/%s", certificateMountPoint, name), - }) - } + // mTLS for any potentially in use listeners (kafka, admin, schema?) + for _, name := range values.Listeners.InUseClientCerts(&values.TLS) { + cert := values.TLS.Certs.MustGet(name) - adminTLS := values.Listeners.Admin.TLS - if adminTLS.RequireClientAuth { - mounts = append(mounts, corev1.VolumeMount{ - Name: "mtls-client", - MountPath: fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(dot)), - }) - } + mounts = append(mounts, corev1.VolumeMount{ + Name: cert.ClientVolumeName(name), + MountPath: cert.ClientMountPoint(name), + }) } return mounts 
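Review bot: The comment `// mTLS for any potentially in use listeners (kafka, admin, schema?)` leaves an open question in the code; the loop below mounts a client certificate for every name `InUseClientCerts` returns, so the comment should state that contract rather than guess at a listener list, e.g. `// Client (mTLS) certificates for every listener that requires client auth; InUseClientCerts decides the set.` Before this change only the admin listener's client cert was mounted (the removed `mtls-client` block), so this is a behaviour change worth a sentence in the changelog entry beyond the rename. CommonMounts starts outside the hunk.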
@@ -247,49 +193,36 @@ func DefaultVolumes(dot *helmette.Dot) []corev1.Volume { // volumes that are common to all pods func CommonVolumes(dot *helmette.Dot) []corev1.Volume { - volumes := []corev1.Volume{} values := helmette.Unwrap[Values](dot.Values) + volumes := []corev1.Volume{} - if TLSEnabled(dot) { - certNames := helmette.Keys(values.TLS.Certs) - helmette.SortAlpha(certNames) - - for _, name := range certNames { - cert := values.TLS.Certs[name] - - if !ptr.Deref(cert.Enabled, true) { - continue - } + for _, name := range values.Listeners.InUseServerCerts(&values.TLS) { + cert := values.TLS.Certs.MustGet(name) - volumes = append(volumes, corev1.Volume{ - Name: fmt.Sprintf("redpanda-%s-cert", name), - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: CertSecretName(dot, name, &cert), - DefaultMode: ptr.To[int32](0o440), - }, + volumes = append(volumes, corev1.Volume{ + // Intentionally use static names for VolumeNames to make overrides easier. + Name: cert.ServerVolumeName(name), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cert.ServerSecretName(dot, name), + DefaultMode: ptr.To[int32](0o440), }, - }) - } + }, + }) + } - adminTLS := values.Listeners.Admin.TLS - cert := values.TLS.Certs[adminTLS.Cert] - if adminTLS.RequireClientAuth { - secretName := fmt.Sprintf("%s-client", Fullname(dot)) - if cert.ClientSecretRef != nil { - secretName = cert.ClientSecretRef.Name - } - - volumes = append(volumes, corev1.Volume{ - Name: "mtls-client", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: secretName, - DefaultMode: ptr.To[int32](0o440), - }, + for _, name := range values.Listeners.InUseClientCerts(&values.TLS) { + cert := values.TLS.Certs.MustGet(name) + + volumes = append(volumes, corev1.Volume{ + Name: cert.ClientVolumeName(name), + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: cert.ClientSecretName(dot, 
name), + DefaultMode: ptr.To[int32](0o440), }, - }) - } + }, + }) } if sasl := values.Auth.SASL; sasl.Enabled && sasl.SecretRef != "" { @@ -306,14 +239,6 @@ func CommonVolumes(dot *helmette.Dot) []corev1.Volume { return volumes } -// return correct secretName to use based if secretRef exists -func CertSecretName(dot *helmette.Dot, certName string, cert *TLSCert) string { - if cert.SecretRef != nil { - return cert.SecretRef.Name - } - return fmt.Sprintf("%s-%s-cert", Fullname(dot), certName) -} - // PodSecurityContext returns a subset of [corev1.PodSecurityContext] for the // redpanda Statefulset. It is also used as the default PodSecurityContext. func PodSecurityContext(dot *helmette.Dot) *corev1.PodSecurityContext { diff --git a/charts/redpanda/notes.go b/charts/redpanda/notes.go index 62a2c835c..210cf9f95 100644 --- a/charts/redpanda/notes.go +++ b/charts/redpanda/notes.go @@ -74,7 +74,7 @@ func Notes(dot *helmette.Dot) []string { `Set up rpk for access to your external listeners:`, ) profile := values.Listeners.Kafka.External[profileName] - if TLSEnabled(dot) { + if profile.TLS.IsEnabled(&values.Listeners.Kafka.TLS, &values.TLS) { var external string if profile.TLS != nil && profile.TLS.Cert != nil { external = *profile.TLS.Cert diff --git a/charts/redpanda/secrets.go b/charts/redpanda/secrets.go index 586e97e87..38a6bae31 100644 --- a/charts/redpanda/secrets.go +++ b/charts/redpanda/secrets.go @@ -533,7 +533,7 @@ func adminTLSCurlFlags(dot *helmette.Dot) string { } if values.Listeners.Admin.TLS.RequireClientAuth { - path := fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(dot)) + path := values.Listeners.Admin.TLS.ClientMountPoint(&values.TLS) return fmt.Sprintf("--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key", path, path, path) } diff --git a/charts/redpanda/templates/_cert-issuers.go.tpl b/charts/redpanda/templates/_cert-issuers.go.tpl index 15ea88ee4..c1a26001f 100644 --- a/charts/redpanda/templates/_cert-issuers.go.tpl 
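Review bot: In notes.go, `profile.TLS.IsEnabled(&values.Listeners.Kafka.TLS, &values.TLS)` is called on `profile.TLS` and the very next line guards `profile.TLS != nil`, so either `IsEnabled` must tolerate a nil receiver or an external Kafka listener without a `tls` block will panic at render time where the old `TLSEnabled(dot)` did not. If the method is nil-safe, a short comment such as `// IsEnabled tolerates a nil receiver (presumably falling back to the internal listener's TLS) — confirm` makes the following nil check read as intentional; if it is not, the call needs the same guard. The Notes function starts and ends outside the hunk.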
+++ b/charts/redpanda/templates/_cert-issuers.go.tpl 
@@ -33,18 +33,27 @@ {{- $values := $dot.Values.AsMap -}} {{- $issuers := (coalesce nil) -}} {{- $certs := (coalesce nil) -}} -{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot)))) "r")) -}} -{{- $_is_returning = true -}} -{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- $inUseCerts := (dict) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $_ := (set $inUseCerts $name true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $_ := (set $inUseCerts $name true) -}} +{{- end -}} +{{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- range $name, $data := $values.tls.certs -}} +{{- range $name, $_ := $inUseCerts -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} {{- if (or (or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true)))) "r")) (ne (toJson $data.secretRef) "null")) (ne (toJson $data.issuerRef) "null")) -}} {{- continue -}} {{- end -}} {{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "selfSigned" (mustMergeOverwrite (dict) (dict)))) (dict)))))) -}} {{- 
$certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list (default "43800h" $data.duration))))) "r"))))) "r") "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" (mustMergeOverwrite (dict "name" "") (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "kind" "Issuer" "group" "cert-manager.io")))))))) -}} -{{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get 
(fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "ca" (mustMergeOverwrite (dict "secretName" "") (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name))))) (dict)))))) -}} +{{- $issuers = (concat (default (list) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict) (mustMergeOverwrite (dict) (dict "ca" (mustMergeOverwrite (dict "secretName" "") (dict "secretName" (get (fromJson (include "redpanda.TLSCert.RootSecretName" (dict "a" (list $data $dot $name)))) "r"))))) (dict)))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} diff --git a/charts/redpanda/templates/_certs.go.tpl b/charts/redpanda/templates/_certs.go.tpl index f436f80b2..58dadeafa 100644 --- a/charts/redpanda/templates/_certs.go.tpl +++ b/charts/redpanda/templates/_certs.go.tpl 
@@ -4,19 +4,15 @@ {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot)))) "r")) -}} -{{- $_is_returning = true -}} -{{- (dict "r" (list)) | toJson -}} -{{- break -}} -{{- end -}} {{- $values := $dot.Values.AsMap -}} {{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") -}} {{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot)))) "r") -}} {{- $ns := $dot.Release.Namespace -}} {{- $domain := (trimSuffix "." $values.clusterDomain) -}} {{- $certs := (coalesce nil) -}} -{{- range $name, $data := $values.tls.certs -}} -{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true)))) "r"))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- if (not (empty $data.secretRef)) -}} {{- continue -}} {{- end -}} {{- $names := (coalesce nil) -}} 
@@ -40,22 +36,18 @@ {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} {{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "") (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name))))))) "r") -}} -{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r") "namespace" $dot.Release.Namespace)) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "dnsNames" $names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))))))))) -}} +{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r") "namespace" $dot.Release.Namespace)) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "dnsNames" $names 
"duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $data $dot $name)))) "r") "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))))))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $name := $values.listeners.kafka.tls.cert -}} -{{- $_99_data_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} -{{- $data := (index $_99_data_ok 0) -}} -{{- $ok := (index $_99_data_ok 1) -}} -{{- if (not $ok) -}} -{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $data := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- if (and (ne (toJson $data.secretRef) "null") (eq (toJson $data.clientSecretRef) "null")) -}} +{{- $_ := (fail (printf ".clientSecretRef MUST be set if .secretRef is set and require_client_auth is true: Cert %q" $name)) -}} {{- end -}} -{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot)))) "r"))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $certs) | toJson -}} -{{- break -}} +{{- if (ne (toJson $data.clientSecretRef) "null") -}} +{{- continue -}} {{- end -}} {{- $issuerRef := (mustMergeOverwrite (dict "name" "") (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname 
$name))) -}} {{- if (ne (toJson $data.issuerRef) "null") -}} 
@@ -63,8 +55,13 @@ {{- $_ := (set $issuerRef "group" "cert-manager.io") -}} {{- end -}} {{- $duration := (default "43800h" $data.duration) -}} +{{- $certs = (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-%s-client" $fullname $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "commonName" (printf "%s--%s-client" $fullname $name) "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "secretName" (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $data $dot $name)))) "r") "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" $issuerRef)))))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (concat (default (list) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "spec" (dict "secretName" "" "issuerRef" (dict "name" "")) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r"))) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "")) (dict "commonName" (printf "%s-client" $fullname) 
"duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration)))) "r"))))) "r") "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict) (dict "algorithm" "ECDSA" "size" (256 | int))) "issuerRef" $issuerRef))))))) | toJson -}} +{{- (dict "r" $certs) | toJson -}} {{- break -}} {{- end -}} {{- end -}} diff --git a/charts/redpanda/templates/_configmap.go.tpl b/charts/redpanda/templates/_configmap.go.tpl index 9f58d9c8d..a025e2ba7 100644 --- a/charts/redpanda/templates/_configmap.go.tpl +++ b/charts/redpanda/templates/_configmap.go.tpl @@ -382,8 +382,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} 
@@ -404,8 +404,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} @@ -426,8 +426,8 @@ {{- end -}} {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls)))) "r")) -}} {{- if $tls.requireClientAuth -}} -{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} -{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} +{{- $_ := (set $result "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $tls $values.tls)))) "r"))) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $result) | toJson -}} 
@@ -452,8 +452,8 @@ {{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls)))) "r") -}} {{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls)))) "r")) -}} {{- if $kafkaTLS.requireClientAuth -}} -{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} -{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r"))) -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $kafkaTLS $values.tls)))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $kafkaTLS $values.tls)))) "r"))) -}} {{- end -}} {{- end -}} {{- $cfg := (dict "brokers" $brokerList) -}} 
@@ -550,9 +550,8 @@ {{- (dict "r" (dict)) | toJson -}} {{- break -}} {{- end -}} -{{- $certName := $r.tls.cert -}} {{- $_is_returning = true -}} -{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls)))) "r"))) | toJson -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $r.tls $values.tls)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $r.tls $values.tls)))) "r")) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -579,7 +578,7 @@ {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls)))) "r"))) | toJson -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $internal $tls)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.InternalTLS.ServerMountPoint" (dict "a" (list $internal $tls)))) "r")) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -601,17 +600,17 @@ {{- end -}} {{- $enabledOptions := (dict "true" true "1" true "" true) -}} {{- $lockMemory := false -}} -{{- $_684_value_14_ok_15 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--lock-memory" "")))) "r") -}} -{{- $value_14 := (index $_684_value_14_ok_15 0) -}} -{{- $ok_15 := (index $_684_value_14_ok_15 1) -}} +{{- $_682_value_14_ok_15 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--lock-memory" "")))) "r") -}} +{{- $value_14 := (index $_682_value_14_ok_15 0) -}} +{{- $ok_15 := (index $_682_value_14_ok_15 1) -}} {{- if $ok_15 -}} {{- $lockMemory = (ternary (index $enabledOptions $value_14) false (hasKey $enabledOptions $value_14)) -}} {{- $_ := (unset $flags "--lock-memory") -}} {{- end -}} {{- $overprovisioned := false -}} -{{- $_691_value_16_ok_17 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--overprovisioned" "")))) "r") -}} -{{- $value_16 := (index $_691_value_16_ok_17 0) -}} -{{- $ok_17 := (index $_691_value_16_ok_17 1) -}} +{{- $_689_value_16_ok_17 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--overprovisioned" "")))) "r") -}} +{{- $value_16 := (index $_689_value_16_ok_17 0) -}} +{{- $ok_17 := (index $_689_value_16_ok_17 1) -}} {{- if $ok_17 -}} {{- $overprovisioned = (ternary (index $enabledOptions $value_16) false (hasKey $enabledOptions $value_16)) -}} {{- $_ := (unset $flags "--overprovisioned") -}} diff --git a/charts/redpanda/templates/_console.go.tpl b/charts/redpanda/templates/_console.go.tpl index dc8f8b6b4..dfe957596 100644 --- a/charts/redpanda/templates/_console.go.tpl +++ b/charts/redpanda/templates/_console.go.tpl 
@@ -72,7 +72,8 @@ {{- continue -}} {{- end -}} {{- $_ := (set $visitedCert $tlsCfg.cert true) -}} -{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "%s/%s" "/etc/tls/certs" $tlsCfg.cert))))) -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert)))) "r") -}} +{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $tlsCfg.cert)))) "r") "mountPath" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $tlsCfg.cert)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} 
@@ -99,14 +100,15 @@ {{- end -}} {{- $visitedCert := (dict) -}} {{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}} -{{- $_178___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false)))) "r") -}} -{{- $_ := (index $_178___visited 0) -}} -{{- $visited := (index $_178___visited 1) -}} +{{- $_180___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false)))) "r") -}} +{{- $_ := (index $_180___visited 0) -}} +{{- $visited := (index $_180___visited 1) -}} {{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls)))) "r")) $visited) -}} {{- continue -}} {{- end -}} {{- $_ := (set $visitedCert $tlsCfg.cert true) -}} -{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "defaultMode" (0o420 | int) "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $tlsCfg.cert (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert)))) "r"))))) "r"))))) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert))))) -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert)))) "r") -}} +{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "defaultMode" (0o420 | int) "secretName" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $cert $dot $tlsCfg.cert)))) "r"))))) (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $tlsCfg.cert)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} 
@@ -142,9 +144,9 @@ {{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int))))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth)))) "r")) "tls" (get (fromJson (include "redpanda.ListenerConfig.ConsoleTLS" (dict "a" (list $values.listeners.kafka $values.tls)))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.ListenerConfig.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls)))) "r"))) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot)))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.ListenerConfig.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls)))) "r")))) -}} {{- if (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false)))) "r") -}} {{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} -{{- $_249_p_ok := (get (fromJson (include "_shims.asintegral" (dict "a" (list $port)))) "r") -}} -{{- $p := ((index $_249_p_ok 0) | int) -}} -{{- $ok := (index $_249_p_ok 1) -}} +{{- $_253_p_ok := (get (fromJson (include "_shims.asintegral" (dict "a" (list $port)))) "r") -}} +{{- $p := ((index $_253_p_ok 0) | int) -}} +{{- $ok := (index $_253_p_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" $c) | toJson -}} diff --git a/charts/redpanda/templates/_helpers.go.tpl b/charts/redpanda/templates/_helpers.go.tpl index f194b6881..7598dac3d 100644 --- a/charts/redpanda/templates/_helpers.go.tpl +++ b/charts/redpanda/templates/_helpers.go.tpl 
@@ -110,75 +110,6 @@ {{- end -}} {{- end -}} -{{- define "redpanda.TLSEnabled" -}} -{{- $dot := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := false -}} -{{- $values := $dot.Values.AsMap -}} -{{- if $values.tls.enabled -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} -{{- range $_, $listener := $listeners -}} -{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} -{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} -{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} -{{- if (empty $external) -}} -{{- continue -}} -{{- end -}} -{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external)))) "r")) -}} -{{- range $_, $key := $keys -}} -{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} -{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} -{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} -{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" false) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - -{{- define "redpanda.ClientAuthRequired" -}} -{{- $dot := (index .a 0) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := 
false -}} -{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} -{{- range $_, $listener := $listeners -}} -{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} -{{- if (not (empty $required)) -}} -{{- $_is_returning = true -}} -{{- (dict "r" true) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} -{{- if $_is_returning -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" false) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - {{- define "redpanda.DefaultMounts" -}} {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} 
@@ -199,23 +130,19 @@ {{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} {{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true)))) -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot)))) "r") -}} -{{- $certNames := (keys $values.tls.certs) -}} -{{- $_ := (sortAlpha $certNames) -}} -{{- range $_, $name := $certNames -}} -{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $values.tls.certs $name)) -}} -{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true)))) "r")) -}} -{{- continue -}} -{{- end -}} -{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name))))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $name)))) "r") "mountPath" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $adminTLS := $values.listeners.admin.tls -}} -{{- if $adminTLS.requireClientAuth -}} -{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict 
"name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r")))))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" (get (fromJson (include "redpanda.TLSCert.ClientVolumeName" (dict "a" (list $cert $name)))) "r") "mountPath" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} +{{- if $_is_returning -}} +{{- break -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" $mounts) | toJson -}} 
@@ -237,30 +164,21 @@ {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $volumes := (list) -}} {{- $values := $dot.Values.AsMap -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot)))) "r") -}} -{{- $certNames := (keys $values.tls.certs) -}} -{{- $_ := (sortAlpha $certNames) -}} -{{- range $_, $name := $certNames -}} -{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $values.tls.certs $name)) -}} -{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true)))) "r")) -}} -{{- continue -}} -{{- end -}} -{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (printf "redpanda-%s-cert" $name))))) -}} +{{- $volumes := (list) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseServerCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $cert $dot $name)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerVolumeName" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $adminTLS := 
$values.listeners.admin.tls -}} -{{- $cert := (ternary (index $values.tls.certs $adminTLS.cert) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)) (hasKey $values.tls.certs $adminTLS.cert)) -}} -{{- if $adminTLS.requireClientAuth -}} -{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r")) -}} -{{- if (ne (toJson $cert.clientSecretRef) "null") -}} -{{- $secretName = $cert.clientSecretRef.name -}} -{{- end -}} -{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" $secretName "defaultMode" (0o440 | int))))) (dict "name" "mtls-client")))) -}} +{{- range $_, $name := (get (fromJson (include "redpanda.Listeners.InUseClientCerts" (dict "a" (list $values.listeners $values.tls)))) "r") -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $name)))) "r") -}} +{{- $volumes = (concat (default (list) $volumes) (list (mustMergeOverwrite (dict "name" "") (mustMergeOverwrite (dict) (dict "secret" (mustMergeOverwrite (dict) (dict "secretName" (get (fromJson (include "redpanda.TLSCert.ClientSecretName" (dict "a" (list $cert $dot $name)))) "r") "defaultMode" (0o440 | int))))) (dict "name" (get (fromJson (include "redpanda.TLSCert.ClientVolumeName" (dict "a" (list $cert $name)))) "r"))))) -}} {{- end -}} +{{- if $_is_returning -}} +{{- break -}} {{- end -}} {{- $sasl_6 := $values.auth.sasl -}} {{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} 
@@ -272,23 +190,6 @@ {{- end -}} {{- end -}} -{{- define "redpanda.CertSecretName" -}} -{{- $dot := (index .a 0) -}} -{{- $certName := (index .a 1) -}} -{{- $cert := (index .a 2) -}} -{{- range $_ := (list 1) -}} -{{- $_is_returning := false -}} -{{- if (ne (toJson $cert.secretRef) "null") -}} -{{- $_is_returning = true -}} -{{- (dict "r" $cert.secretRef.name) | toJson -}} -{{- break -}} -{{- end -}} -{{- $_is_returning = true -}} -{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $certName)) | toJson -}} -{{- break -}} -{{- end -}} -{{- end -}} - {{- define "redpanda.PodSecurityContext" -}} {{- $dot := (index .a 0) -}} {{- range $_ := (list 1) -}} @@ -399,9 +300,9 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) -}} -{{- $_391_result_err := (list (semverCompare $constraint $version) nil) -}} -{{- $result := (index $_391_result_err 0) -}} -{{- $err := (index $_391_result_err 1) -}} +{{- $_316_result_err := (list (semverCompare $constraint $version) nil) -}} +{{- $result := (index $_316_result_err 0) -}} +{{- $err := (index $_316_result_err 1) -}} {{- if (ne (toJson $err) "null") -}} {{- $_ := (fail $err) -}} {{- end -}} @@ -497,9 +398,9 @@ {{- $originalKeys := (dict) -}} {{- $overrideByKey := (dict) -}} {{- range $_, $el := $override -}} -{{- $_503_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_503_key_ok 0) -}} -{{- $ok := (index $_503_key_ok 1) -}} +{{- $_428_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_428_key_ok 0) -}} +{{- $ok := (index $_428_key_ok 1) -}} {{- if (not $ok) -}} {{- continue -}} {{- end -}} 
@@ -510,13 +411,13 @@ {{- end -}} {{- $merged := (coalesce nil) -}} {{- range $_, $el := $original -}} -{{- $_515_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_515_key__ 0) -}} -{{- $_ := (index $_515_key__ 1) -}} +{{- $_440_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_440_key__ 0) -}} +{{- $_ := (index $_440_key__ 1) -}} {{- $_ := (set $originalKeys $key true) -}} -{{- $_517_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}} -{{- $elOverride_7 := (index $_517_elOverride_7_ok_8 0) -}} -{{- $ok_8 := (index $_517_elOverride_7_ok_8 1) -}} +{{- $_442_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}} +{{- $elOverride_7 := (index $_442_elOverride_7_ok_8 0) -}} +{{- $ok_8 := (index $_442_elOverride_7_ok_8 1) -}} {{- if $ok_8 -}} {{- $merged = (concat (default (list) $merged) (list (get (fromJson (include $mergeFunc (dict "a" (list $el $elOverride_7)))) "r"))) -}} {{- else -}} 
@@ -527,15 +428,15 @@ {{- break -}} {{- end -}} {{- range $_, $el := $override -}} -{{- $_527_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} -{{- $key := (index $_527_key_ok 0) -}} -{{- $ok := (index $_527_key_ok 1) -}} +{{- $_452_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}} +{{- $key := (index $_452_key_ok 0) -}} +{{- $ok := (index $_452_key_ok 1) -}} {{- if (not $ok) -}} {{- continue -}} {{- end -}} -{{- $_532___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}} -{{- $_ := (index $_532___ok_9 0) -}} -{{- $ok_9 := (index $_532___ok_9 1) -}} +{{- $_457___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}} +{{- $_ := (index $_457___ok_9 0) -}} +{{- $ok_9 := (index $_457___ok_9 1) -}} {{- if $ok_9 -}} {{- continue -}} {{- end -}} diff --git a/charts/redpanda/templates/_notes.go.tpl b/charts/redpanda/templates/_notes.go.tpl index feedd9101..dde989bdb 100644 --- a/charts/redpanda/templates/_notes.go.tpl +++ b/charts/redpanda/templates/_notes.go.tpl @@ -48,7 +48,7 @@ {{- $profileName := (index $profiles (0 | int)) -}} {{- $notes = (concat (default (list) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} {{- $profile := (ternary (index $values.listeners.kafka.external $profileName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil)) (hasKey $values.listeners.kafka.external $profileName)) -}} -{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot)))) "r") -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $profile.tls $values.listeners.kafka.tls $values.tls)))) "r") -}} {{- $external := "" -}} {{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}} {{- $external = $profile.tls.cert -}} 
diff --git a/charts/redpanda/templates/_secrets.go.tpl b/charts/redpanda/templates/_secrets.go.tpl index 719591dc7..bb4ef09f7 100644 --- a/charts/redpanda/templates/_secrets.go.tpl +++ b/charts/redpanda/templates/_secrets.go.tpl @@ -304,7 +304,7 @@ echo "passed"`) -}} {{- break -}} {{- end -}} {{- if $values.listeners.admin.tls.requireClientAuth -}} -{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r")) -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ClientMountPoint" (dict "a" (list $values.listeners.admin.tls $values.tls)))) "r") -}} {{- $_is_returning = true -}} {{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} {{- break -}} diff --git a/charts/redpanda/templates/_values.go.tpl b/charts/redpanda/templates/_values.go.tpl index cff39bbed..be73bc241 100644 --- a/charts/redpanda/templates/_values.go.tpl +++ b/charts/redpanda/templates/_values.go.tpl 
@@ -151,13 +151,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_451_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} -{{- $cpuReq := (index $_451_cpuReq_ok 0) -}} -{{- $ok := (index $_451_cpuReq_ok 1) -}} +{{- $_446_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} +{{- $cpuReq := (index $_446_cpuReq_ok 0) -}} +{{- $ok := (index $_446_cpuReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_453_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} -{{- $cpuReq = (index $_453_cpuReq_ok 0) -}} -{{- $ok = (index $_453_cpuReq_ok 1) -}} +{{- $_448_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} +{{- $cpuReq = (index $_448_cpuReq_ok 0) -}} +{{- $ok = (index $_448_cpuReq_ok 1) -}} {{- end -}} {{- if (and $ok (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $cpuReq)))) "r") | int64) (1000 | int64))) -}} {{- $_is_returning = true -}} 
@@ -184,13 +184,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_477_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} -{{- $cpuReq := (index $_477_cpuReq_ok 0) -}} -{{- $ok := (index $_477_cpuReq_ok 1) -}} +{{- $_472_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0")))) "r") -}} +{{- $cpuReq := (index $_472_cpuReq_ok 0) -}} +{{- $ok := (index $_472_cpuReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_479_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} -{{- $cpuReq = (index $_479_cpuReq_ok 0) -}} -{{- $ok = (index $_479_cpuReq_ok 1) -}} +{{- $_474_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0")))) "r") -}} +{{- $cpuReq = (index $_474_cpuReq_ok 0) -}} +{{- $ok = (index $_474_cpuReq_ok 1) -}} {{- end -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} 
@@ -222,13 +222,13 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} -{{- $_536_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "memory" "0")))) "r") -}} -{{- $memReq := (index $_536_memReq_ok 0) -}} -{{- $ok := (index $_536_memReq_ok 1) -}} +{{- $_531_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "memory" "0")))) "r") -}} +{{- $memReq := (index $_531_memReq_ok 0) -}} +{{- $ok := (index $_531_memReq_ok 1) -}} {{- if (not $ok) -}} -{{- $_538_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "memory" "0")))) "r") -}} -{{- $memReq = (index $_538_memReq_ok 0) -}} -{{- $ok = (index $_538_memReq_ok 1) -}} +{{- $_533_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "memory" "0")))) "r") -}} +{{- $memReq = (index $_533_memReq_ok 0) -}} +{{- $ok = (index $_533_memReq_ok 1) -}} {{- end -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} @@ -304,9 +304,9 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s)))) "r") -}} -{{- $_656_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil))))) "r") -}} -{{- $b := (index $_656_b_ok 0) -}} -{{- $ok := (index $_656_b_ok 1) -}} +{{- $_651_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil))))) "r") -}} +{{- $b := (index $_651_b_ok 0) -}} +{{- $ok := (index $_651_b_ok 1) -}} {{- $_is_returning = true -}} {{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b)))) "r"))) | toJson -}} {{- break -}} 
@@ -351,18 +351,18 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} -{{- $_685_dir_7_ok_8 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "")))) "r") -}} -{{- $dir_7 := (index $_685_dir_7_ok_8 0) -}} -{{- $ok_8 := (index $_685_dir_7_ok_8 1) -}} +{{- $_680_dir_7_ok_8 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "")))) "r") -}} +{{- $dir_7 := (index $_680_dir_7_ok_8 0) -}} +{{- $ok_8 := (index $_680_dir_7_ok_8 1) -}} {{- if $ok_8 -}} {{- $_is_returning = true -}} {{- (dict "r" $dir_7) | toJson -}} {{- break -}} {{- end -}} {{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage)))) "r") -}} -{{- $_694_dir_9_ok_10 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "")))) "r") -}} -{{- $dir_9 := (index $_694_dir_9_ok_10 0) -}} -{{- $ok_10 := (index $_694_dir_9_ok_10 1) -}} +{{- $_689_dir_9_ok_10 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "")))) "r") -}} +{{- $dir_9 := (index $_689_dir_9_ok_10 0) -}} +{{- $ok_10 := (index $_689_dir_9_ok_10 1) -}} {{- if $ok_10 -}} {{- $_is_returning = true -}} {{- (dict "r" $dir_9) | toJson -}} 
@@ -462,9 +462,9 @@ {{- $result := (dict) -}} {{- $s := (toJson $t) -}} {{- $tune := (fromJson $s) -}} -{{- $_905_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil))))) "r") -}} -{{- $m := (index $_905_m_ok 0) -}} -{{- $ok := (index $_905_m_ok 1) -}} +{{- $_900_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil))))) "r") -}} +{{- $m := (index $_900_m_ok 0) -}} +{{- $ok := (index $_900_m_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" (dict)) | toJson -}} 
@@ -522,6 +522,65 @@ {{- end -}} {{- end -}} +{{- define "redpanda.Listeners.InUseServerCerts" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.admin)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.kafka)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.http)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.schemaRegistry)))) "r")) -}} +{{- $certs := (dict) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.rpc.tls $tls)))) "r") -}} +{{- $_ := (set $certs $l.rpc.tls.cert true) -}} +{{- end -}} +{{- range $_, $listener := $listeners -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $listener.tls $tls)))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs $listener.tls.cert true) -}} +{{- range $_, $external := $listener.external -}} +{{- if (or (not (get (fromJson (include "redpanda.ExternalListener.IsEnabled" (dict "a" (list $external)))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $external.tls $listener.tls $tls)))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $external.tls $listener.tls)))) "r") true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sortAlpha (keys $certs))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.InUseClientCerts" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := 
(list (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.admin)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.kafka)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.http)))) "r") (get (fromJson (include "redpanda.ListenerConfig.AsString" (dict "a" (list $l.schemaRegistry)))) "r")) -}} +{{- $certs := (dict) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.rpc.tls $tls)))) "r") $l.rpc.tls.requireClientAuth) -}} +{{- $_ := (set $certs $l.rpc.tls.cert true) -}} +{{- end -}} +{{- range $_, $listener := $listeners -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $listener.tls $tls)))) "r")) (not $listener.tls.requireClientAuth)) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $certs $listener.tls.cert true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sortAlpha (keys $certs))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.Listeners.CreateSeedServers" -}} {{- $l := (index .a 0) -}} {{- $replicas := (index .a 1) -}} @@ -640,9 +699,9 @@ {{- $seen := (dict) -}} {{- $deduped := (coalesce nil) -}} {{- range $_, $item := $items -}} -{{- $_1072___ok_11 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false)))) "r") -}} -{{- $_ := (index $_1072___ok_11 0) -}} -{{- $ok_11 := (index $_1072___ok_11 1) -}} +{{- $_1126___ok_11 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false)))) "r") -}} +{{- $_ := (index $_1126___ok_11 0) -}} +{{- $ok_11 := (index $_1126___ok_11 1) -}} {{- if $ok_11 -}} {{- continue -}} {{- end -}} 
@@ -749,14 +808,125 @@ {{- end -}} {{- end -}} +{{- define "redpanda.TLSCert.ServerVolumeName" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "redpanda-%s-cert" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientVolumeName" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "redpanda-%s-client-cert" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ServerMountPoint" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientMountPoint" -}} +{{- $c := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s-client" $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ServerSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $state := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $c.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $state)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.ClientSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $name := 
(index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $c.clientSecretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c.clientSecretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-client-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.RootSecretName" -}} +{{- $c := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCert.CASecretRef" -}} +{{- $c := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $name := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $c.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" (get (fromJson (include "redpanda.TLSCert.RootSecretName" (dict "a" (list $c $dot $name)))) "r"))) (dict "key" "tls.crt"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $key := "tls.crt" -}} +{{- if $c.caEnabled -}} +{{- $key = "ca.crt" -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "") (mustMergeOverwrite (dict) (dict "name" (get (fromJson (include "redpanda.TLSCert.ServerSecretName" (dict "a" (list $c $dot $name)))) "r"))) (dict "key" $key))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.TLSCertMap.MustGet" -}} {{- $m := (index .a 0) -}} {{- $name := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1293_cert_ok := (get (fromJson 
(include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} -{{- $cert := (index $_1293_cert_ok 0) -}} -{{- $ok := (index $_1293_cert_ok 1) -}} +{{- $_1414_cert_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil)))))) "r") -}} +{{- $cert := (index $_1414_cert_ok 0) -}} +{{- $ok := (index $_1414_cert_ok 1) -}} {{- if (not $ok) -}} {{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} {{- end -}} @@ -895,9 +1065,10 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r").caEnabled -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- if $cert.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} 
@@ -916,13 +1087,68 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r").caEnabled -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- if $cert.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- (dict "r" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerMountPoint" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $t.cert)))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ClientMountPoint" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert)))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert 
$t.cert)))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ListenerConfig.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls)))) "r"))) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert)))) "r") -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert)))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $l.tls.cert)))) "r"))) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $l.tls.cert)))) "r"))) -}} +{{- end -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert $l.tls.cert)))) "r"))) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" (get (fromJson (include "redpanda.TLSCert.ClientMountPoint" (dict "a" (list $cert $l.tls.cert)))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
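Review bot: In `redpanda.ListenerConfig.ConsoleTLS` the `caEnabled` test calls `redpanda.TLSCertMap.MustGet` a second time even though the identical lookup was stored in `$cert` on the line just above; `{{- if $cert.caEnabled -}}` would match the two other call sites rewritten the same way earlier in this hunk. This file looks like gotohelm output (the `$_1414_cert_ok`-style temporaries and the `$_is_returning` single-iteration loops), so the change presumably belongs in the Go `ConsoleTLS` method that generates it, with the template regenerated afterwards. The duplicate call is only redundant work, not a functional difference, since both lookups use the same `$l.tls.cert` key.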
@@ -961,9 +1187,11 @@ {{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore)))) "r")) | toJson -}} {{- break -}} {{- end -}} -{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls)))) "r").caEnabled -}} +{{- $name := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i)))) "r") -}} +{{- $cert_12 := (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls)))) "r") -}} +{{- if $cert_12.caEnabled -}} {{- $_is_returning = true -}} -{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i)))) "r"))) | toJson -}} +{{- (dict "r" (printf "%s/ca.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert_12 $name)))) "r"))) | toJson -}} {{- break -}} {{- end -}} {{- $_is_returning = true -}} 
@@ -989,6 +1217,28 @@ {{- end -}} {{- end -}} +{{- define "redpanda.ListenerConfig.AsString" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $ext := (dict) -}} +{{- range $name, $l := $l.external -}} +{{- $_ := (set $ext $name (get (fromJson (include "redpanda.ExternalListener.AsString" (dict "a" (list $l)))) "r")) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $auth := (coalesce nil) -}} +{{- if (ne (toJson $l.authenticationMethod) "null") -}} +{{- $authAStr := (toString $l.authenticationMethod) -}} +{{- $auth = $authAStr -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "enabled" false "external" (coalesce nil) "port" 0 "tls" (dict "enabled" (coalesce nil) "cert" "" "requireClientAuth" false "trustStore" (coalesce nil))) (dict "enabled" $l.enabled "external" $ext "port" ($l.port | int) "tls" $l.tls "appProtocol" $l.appProtocol "authenticationMethod" $auth))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + {{- define "redpanda.ListenerConfig.ServicePorts" -}} {{- $l := (index .a 0) -}} {{- $namePrefix := (index .a 1) -}} @@ -1063,9 +1313,9 @@ {{- $_is_returning := false -}} {{- $internal := (dict "name" "internal" "address" "0.0.0.0" "port" ($l.port | int)) -}} {{- $defaultAuth := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $auth "")))) "r") -}} -{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} -{{- if (ne $am_12 "") -}} -{{- $_ := (set $internal "authentication_method" $am_12) -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $internal "authentication_method" $am_13) -}} {{- end -}} {{- $listeners := (list $internal) -}} {{- range $k, $l := $l.external -}} 
@@ -1073,9 +1323,9 @@ {{- continue -}} {{- end -}} {{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0") -}} -{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} -{{- if (ne $am_13 "") -}} -{{- $_ := (set $listener "authentication_method" $am_13) -}} +{{- $am_14 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod $defaultAuth)))) "r") -}} +{{- if (ne $am_14 "") -}} +{{- $_ := (set $listener "authentication_method" $am_14) -}} {{- end -}} {{- $listeners = (concat (default (list) $listeners) (list $listener)) -}} {{- end -}} 
@@ -1103,7 +1353,8 @@ {{- continue -}} {{- end -}} {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls)))) "r") -}} -{{- $pp = (concat (default (list) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false)))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls)))) "r")))) -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $certName)))) "r") -}} +{{- $pp = (concat (default (list) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/tls.crt" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $certName)))) "r")) "key_file" (printf "%s/tls.key" (get (fromJson (include "redpanda.TLSCert.ServerMountPoint" (dict "a" (list $cert $certName)))) "r")) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false)))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls)))) "r")))) -}} {{- end -}} {{- if $_is_returning -}} {{- break -}} 
@@ -1114,32 +1365,17 @@ {{- end -}} {{- end -}} -{{- define "redpanda.ListenerConfig.ConsoleTLS" -}} +{{- define "redpanda.ExternalListener.AsString" -}} {{- $l := (index .a 0) -}} -{{- $tls := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls)))) "r"))) -}} -{{- if (not $t.enabled) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} -{{- break -}} -{{- end -}} -{{- $adminAPIPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} -{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert)))) "r").caEnabled -}} -{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $adminAPIPrefix)) -}} -{{- else -}} -{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} +{{- $auth := (coalesce nil) -}} +{{- if (ne (toJson $l.authenticationMethod) "null") -}} +{{- $authAStr := (toString $l.authenticationMethod) -}} +{{- $auth = $authAStr -}} {{- end -}} -{{- if (not $l.tls.requireClientAuth) -}} -{{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} -{{- break -}} -{{- end -}} -{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} -{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $adminAPIPrefix)) -}} {{- $_is_returning = true -}} -{{- (dict "r" $t) | toJson -}} +{{- (dict "r" (mustMergeOverwrite (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil)) (dict "enabled" $l.enabled "advertisedPorts" $l.advertisedPorts "port" ($l.port | int) "nodePort" $l.nodePort "tls" $l.tls "authenticationMethod" $auth "prefixTemplate" $l.prefixTemplate))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -1185,10 +1421,10 @@ {{- $result := (dict) -}} {{- range $k, $v := $c -}} {{- if (not (empty $v)) -}} -{{- $_1756___ok_14 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} -{{- $_ := ((index $_1756___ok_14 0) | float64) -}} -{{- $ok_14 := (index $_1756___ok_14 1) -}} -{{- if $ok_14 -}} +{{- $_1937___ok_15 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v)))) "r") -}} +{{- $_ := ((index $_1937___ok_15 0) | float64) -}} +{{- $ok_15 := (index $_1937___ok_15 1) -}} +{{- if $ok_15 -}} {{- $_ := (set $result $k $v) -}} {{- else -}}{{- if (kindIs "bool" $v) -}} {{- $_ := (set $result $k $v) -}} @@ -1213,11 +1449,11 @@ {{- $_is_returning := false -}} {{- $result := (dict) -}} {{- range $k, $v := $c -}} -{{- $_1776_b_15_ok_16 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} -{{- $b_15 := (index $_1776_b_15_ok_16 0) -}} -{{- $ok_16 := (index $_1776_b_15_ok_16 1) -}} -{{- if $ok_16 -}} -{{- $_ := (set $result $k $b_15) -}} +{{- $_1957_b_16_ok_17 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false)))) "r") -}} +{{- $b_16 := (index $_1957_b_16_ok_17 0) -}} +{{- $ok_17 := (index $_1957_b_16_ok_17 1) -}} +{{- if $ok_17 -}} +{{- $_ := (set $result $k $b_16) -}} {{- continue -}} {{- end -}} {{- if (not (empty $v)) -}} 
@@ -1258,15 +1494,15 @@ {{- $config := (index .a 1) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1821___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1821___hasAccessKey 0) -}} -{{- $hasAccessKey := (index $_1821___hasAccessKey 1) -}} -{{- $_1822___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1822___hasSecretKey 0) -}} -{{- $hasSecretKey := (index $_1822___hasSecretKey 1) -}} -{{- $_1823___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1823___hasSharedKey 0) -}} -{{- $hasSharedKey := (index $_1823___hasSharedKey 1) -}} +{{- $_2002___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_2002___hasAccessKey 0) -}} +{{- $hasAccessKey := (index $_2002___hasAccessKey 1) -}} +{{- $_2003___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_2003___hasSecretKey 0) -}} +{{- $hasSecretKey := (index $_2003___hasSecretKey 1) -}} +{{- $_2004___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil))))) "r") -}} +{{- $_ := (index $_2004___hasSharedKey 0) -}} +{{- $hasSharedKey := (index $_2004___hasSharedKey 1) -}} {{- $envvars := (coalesce nil) -}} {{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey)))) "r")) -}} {{- $envvars = (concat (default (list) $envvars) (list (mustMergeOverwrite (dict "name" "") (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson 
(include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey)))) "r"))))) -}} @@ -1289,12 +1525,12 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1859___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1859___containerExists 0) -}} -{{- $containerExists := (index $_1859___containerExists 1) -}} -{{- $_1860___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} -{{- $_ := (index $_1860___accountExists 0) -}} -{{- $accountExists := (index $_1860___accountExists 1) -}} +{{- $_2040___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil))))) "r") -}} +{{- $_ := (index $_2040___containerExists 0) -}} +{{- $containerExists := (index $_2040___containerExists 1) -}} +{{- $_2041___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil))))) "r") -}} +{{- $_ := (index $_2041___accountExists 0) -}} +{{- $accountExists := (index $_2041___accountExists 1) -}} {{- $_is_returning = true -}} {{- (dict "r" (and $containerExists $accountExists)) | toJson -}} {{- break -}} 
@@ -1305,9 +1541,9 @@ {{- $c := (index .a 0) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_1865_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} -{{- $value := (index $_1865_value_ok 0) -}} -{{- $ok := (index $_1865_value_ok 1) -}} +{{- $_2046_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil))))) "r") -}} +{{- $value := (index $_2046_value_ok 0) -}} +{{- $ok := (index $_2046_value_ok 1) -}} {{- if (not $ok) -}} {{- $_is_returning = true -}} {{- (dict "r" (coalesce nil)) | toJson -}} @@ -1333,9 +1569,9 @@ {{- if $_is_returning -}} {{- break -}} {{- end -}} -{{- $size_17 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c))))) "r") -}} -{{- if (ne (toJson $size_17) "null") -}} -{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_17)))) "r") | int64)) -}} +{{- $size_18 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c))))) "r") -}} +{{- if (ne (toJson $size_18) "null") -}} +{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_18)))) "r") | int64)) -}} {{- end -}} {{- $_is_returning = true -}} {{- (dict "r" (list $config $fixups)) | toJson -}} diff --git a/charts/redpanda/templates/tests/test-api-status.yaml b/charts/redpanda/templates/tests/test-api-status.yaml deleted file mode 100644 index 330a2c4a4..000000000 --- a/charts/redpanda/templates/tests/test-api-status.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-api-status" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - until rpk cluster info \ - --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} - do sleep 2 - done - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . 
| nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-auditLogging.yaml b/charts/redpanda/templates/tests/test-auditLogging.yaml deleted file mode 100644 index fea34776f..000000000 --- a/charts/redpanda/templates/tests/test-auditLogging.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -{{/* - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/}} -{{/* - This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met - as part of setting auditLogging being enabled. -*/}} -{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} -{{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-audit-logging" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: { { - toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . 
}} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - set -xe - old_setting=${-//[^x]/} - audit_topic_name="_redpanda.audit_log" - expected_partitions={{ .Values.auditLogging.partitions }} - - # sasl configurations - set +x - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - if [[ -n "$old_setting" ]]; then set -x; fi - - # now run the to determine if we have the right results - # should describe topic without error - rpk topic describe ${audit_topic_name} - # should get the expected values - result=$(rpk topic list | grep ${audit_topic_name}) - name=$(echo $result | awk '{print $1}') - partitions=$(echo $result | awk '{print $2}') - if [ "${name}" != "${audit_topic_name}" ]; then - echo "expected topic name does not match" - exit 1 - fi - if [ ${partitions} != ${expected_partitions} ]; then - echo "expected partition size did not match" - exit 1 - fi - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: -{{- toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-connector-via-console.yaml b/charts/redpanda/templates/tests/test-connector-via-console.yaml deleted file mode 100644 index 67619a829..000000000 --- a/charts/redpanda/templates/tests/test-connector-via-console.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} -{{- $sasl := .Values.auth.sasl }} -{{- $values := .Values }} -{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}} -{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}} -{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}} -{{/* brokers */}} -{{- $kafkaBrokers := list }} -{{- range (include "seed-server-list" . | mustFromJson) }} - {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} -{{- end }} -{{- $brokersString := join "," $kafkaBrokers}} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . 
| nindent 4 }} - {{- end }} - test-name: test-connectors-via-console - annotations: - test-name: test-connectors-via-console - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - env: - - name: TLS_ENABLED - value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} - command: - - /bin/bash - - -c - - | - set -xe - - trap connectorsState ERR - - connectorsState () { - echo check connectors expand status - curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status - echo check connectors expand info - curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info - echo check connector configuration - curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME - echo check connector topics - curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics - } - - {{- if .Values.auth.sasl.enabled }} - set -e - set +x - - echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - RPK_USER="${REDPANDA_SASL_USERNAME}" - RPK_PASS="${REDPANDA_SASL_PASSWORD}" - RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - - JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," - JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," - set -x - set +e - {{- end }} - - {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} - rpk topic create {{ $testTopic }} - rpk topic list - echo "Test message!" | rpk topic produce {{ $testTopic }} - - SECURITY_PROTOCOL=PLAINTEXT - if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then - SECURITY_PROTOCOL="SASL_SSL" - elif [[ -n "$RPK_SASL_MECHANISM" ]]; then - SECURITY_PROTOCOL="SASL_PLAINTEXT" - elif [[ $TLS_ENABLED == "true" ]]; then - SECURITY_PROTOCOL="SSL" - fi - - CONNECTOR_NAME=mm2-$RANDOM - cat << 'EOF' > /tmp/mm2-conf.json - { - "connectorName": "CONNECTOR_NAME", - "config": { - "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", - "topics": "{{ $testTopic }}", - "replication.factor": "1", - "tasks.max": "1", - "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, - "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, - "target.cluster.alias": "test-only-redpanda", - "source.cluster.alias": "source", - "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", - "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", - "source->target.enabled": 
"true", - "target->source.enabled": "false", - "sync.topic.configs.interval.seconds": "5", - "sync.topics.configs.enabled": "true", - "source.cluster.ssl.truststore.type": "PEM", - "target.cluster.ssl.truststore.type": "PEM", - "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", - "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", - JAAS_CONFIG_SOURCE - JAAS_CONFIG_TARGET - "source.cluster.security.protocol": "SECURITY_PROTOCOL", - "target.cluster.security.protocol": "SECURITY_PROTOCOL", - "source.cluster.sasl.mechanism": "SASL_MECHANISM", - "target.cluster.sasl.mechanism": "SASL_MECHANISM" - } - } - EOF - - sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json - sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json - sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json - set +x - sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json - sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json - set -x - - URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors - {{/* outputting to /dev/null because the output contains the user password */}} - echo "Creating mm2 connector" - curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json - - rpk topic consume source.{{ $testTopic }} -n 1 - - echo "Destroying mm2 connector" - curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" - - rpk topic list - rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} 
diff --git a/charts/redpanda/templates/tests/test-console.yaml b/charts/redpanda/templates/tests/test-console.yaml deleted file mode 100644 index aeef1117a..000000000 --- a/charts/redpanda/templates/tests/test-console.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled .Values.console.enabled -}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-console" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . 
| nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/templates/tests/test-internal-external-tls-secrets.yaml deleted file mode 100644 index 53d75bb1b..000000000 --- a/charts/redpanda/templates/tests/test-internal-external-tls-secrets.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} - {{- $values := .Values }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - bash - - -c - - | - set -x - - retry() { - local retries="$1" - local command="$2" - - # Run the command, and save the exit code - bash -c $command - local exit_code=$? - - # If the exit code is non-zero (i.e. 
command failed), and we have not - # reached the maximum number of retries, run the command again - if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then - retry $(($retries - 1)) "$command" - else - # Return the exit code from the command - return $exit_code - fi - } - - {{- range $name, $cert := $values.tls.certs }} - {{- if $cert.secretRef }} - echo testing cert: {{ $name | quote }} - - {{- if eq $cert.secretRef.name "internal-tls-secret" }} - echo "---> testing internal tls" - retry 5 'openssl s_client -verify_return_error -prexit - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key - -connect {{ include "admin-api-urls" $ }}' - {{- end }} - - {{- if eq $cert.secretRef.name "external-tls-secret" }} - echo "---> testing external tls" - - {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} - echo "-----> testing external tls: kafka api" - {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} - retry 5 'openssl s_client -verify_return_error -prexit - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key - -connect {{ $values.external.domain }}:{{ $port }}' - {{- end }} - - {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} - echo "-----> testing external tls: schema registry" - {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} - retry 5 'openssl s_client -verify_return_error -prexit - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key - -connect {{ $values.external.domain }}:{{ $port }}' - {{- end }} - - {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include 
"redpanda-22-2-x-without-sasl" $ | fromJson).bool }} - echo "-----> testing external tls: http api" - {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} - retry 5 'openssl s_client -verify_return_error -prexit - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key - -connect {{ $values.external.domain }}:{{ $port }}' - {{- end }} - - {{- end }} - echo "----" - - {{- end }} - {{- end }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml deleted file mode 100644 index dcfc02cbd..000000000 --- a/charts/redpanda/templates/tests/test-kafka-internal-tls-status.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} - {{- $service := .Values.listeners.kafka -}} - {{- $cert := get .Values.tls.certs $service.tls.cert -}} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - until rpk cluster info \ - --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . 
}}:{{ $service.port }} \ - --tls-enabled \ - {{- if $cert.caEnabled }} - --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - --tls-truststore /etc/ssl/certs/ca-certificates.crt - {{- end }} - do sleep 2 - done - resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/templates/tests/test-kafka-nodelete.yaml deleted file mode 100644 index 9b5fe4237..000000000 --- a/charts/redpanda/templates/tests/test-kafka-nodelete.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} -{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} -{{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} -{{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - env: - - name: REDPANDA_BROKERS - value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - set -e -{{- $cloudStorageFlags := "" }} -{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} - {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} -{{- end }} -{{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - if [[ -n "$old_setting" ]]; then set -x; fi -{{- end }} - - exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') - if [[ "$exists" != "my_sample_topic" ]]; then - until rpk topic create my_sample_topic {{ $cloudStorageFlags }} - do sleep 2 - done - fi - - {{- range $i := until 100 }} - echo "Pandas are awesome!" | rpk topic produce my_sample_topic - {{- end }} - sleep 2 - rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" - - # now check if we can delete the topic (we should not) - rpk topic delete my_sample_topic - - {{- if has "my_sample_topic" $noDeleteTopics }} - result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') - if [[ "$result" != "my_sample_topic" ]]; then - echo "topic should not have been deleted" - exit 1 - fi - {{- end }} - - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . 
| nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml deleted file mode 100644 index d8f0ee751..000000000 --- a/charts/redpanda/templates/tests/test-kafka-produce-consume.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if .Values.tests.enabled }} -{{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} -{{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - env: - - name: REDPANDA_BROKERS - value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - set -e -{{- $cloudStorageFlags := "" }} -{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} - {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} -{{- end }} -{{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - if [[ -n "$old_setting" ]]; then set -x; fi -{{- end }} - until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} - do sleep 2 - done - {{- range $i := until 100 }} - echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME - {{- end }} - sleep 2 - rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" - rpk topic delete produce.consume.test.$POD_NAME - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml deleted file mode 100644 index 0519c44bb..000000000 --- a/charts/redpanda/templates/tests/test-kafka-sasl-status.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} -{{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - set -xe - -{{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - if [[ -n "$old_setting" ]]; then set -x; fi -{{- end }} - - until rpk acl user delete myuser - do sleep 2 - done - sleep 3 - - {{ include "rpk-cluster-info" $ }} - {{ include "rpk-acl-user-create" $ }} - {{ include "rpk-acl-create" $ }} - sleep 3 - {{ include "rpk-topic-create" $ }} - {{ include "rpk-topic-describe" $ }} - {{ include "rpk-topic-delete" $ }} - rpk acl user delete myuser - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: -{{- toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-license-with-console.yaml b/charts/redpanda/templates/tests/test-license-with-console.yaml deleted file mode 100644 index 1edf7a350..000000000 --- a/charts/redpanda/templates/tests/test-license-with-console.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} -{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-license-with-console" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: - runAsUser: 65535 - runAsGroup: 65535 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: mintel/docker-alpine-bash-curl-jq:latest - command: [ "/bin/bash", "-c" ] - args: - - | - echo "testing that we do NOT have an open source license" - set -xe - - max_iteration=10 - curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . 
- type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) - while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do - max_iteration=$(( max_iteration - 1 )) - type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) - done - if [[ "$type" == "open_source" || "$type" == "" ]]; then - curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . - exit 1 - fi - set +x - echo "license test passed." -{{- end }} diff --git a/charts/redpanda/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/templates/tests/test-lifecycle-scripts.yaml deleted file mode 100644 index 5c72e1d9f..000000000 --- a/charts/redpanda/templates/tests/test-lifecycle-scripts.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if .Values.tests.enabled }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-lifecycle" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - env: - - name: SERVICE_NAME - value: {{ include "redpanda.fullname" . 
}}-0 - command: - - /bin/timeout - - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" - - bash - - -xec - - | - /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh - ls -l /tmp/preStop* - test -f /tmp/preStopHookStarted - test -f /tmp/preStopHookFinished - - /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh - ls -l /tmp/postStart* - test -f /tmp/postStartHookStarted - test -f /tmp/postStartHookFinished - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - - name: lifecycle-scripts - mountPath: /var/lifecycle - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} - - name: lifecycle-scripts - secret: - secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle - defaultMode: 0o775 - {{- end }} \ No newline at end of file diff --git a/charts/redpanda/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/templates/tests/test-loadbalancer-tls.yaml deleted file mode 100644 index 4db3523d2..000000000 --- a/charts/redpanda/templates/tests/test-loadbalancer-tls.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -{{/* - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */}} -{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} - {{- $values := .Values }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - serviceAccountName: test-loadbalancer-tls-redpanda - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . 
}} - image: mintel/docker-alpine-bash-curl-jq:latest - command: - - bash - - -c - - | - set -x - export APISERVER=https://kubernetes.default.svc - export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount - export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) - export TOKEN=$(cat ${SERVICEACCOUNT}/token) - export CACERT=${SERVICEACCOUNT}/ca.crt - - ip_list="" - - replicas={{ .Values.statefulset.replicas }} - if [ "${replicas}" -lt "1" ]; then - echo "replicas cannot be less than 1" - exit 1 - fi - - range=$(expr $replicas - 1) - ordinal_list=$(seq 0 $range) - - set -e - - for i in $ordinal_list - do - POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ - -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) - ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) - ip_list="$ip $ip_list" - done - - echo test will be run against $ip_list - echo testing LoadBalancer connectivity - - {{- range $name, $cert := $values.tls.certs }} - {{- if $cert.secretRef }} - {{- if eq $cert.secretRef.name "external-tls-secret" }} - echo "---> testing external tls" - - {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} - echo "-----> testing external tls: kafka api" - {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} - - for ip in $ip_list - do - openssl s_client -verify_return_error -prexit \ - {{- if $cert.caEnabled -}} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end -}} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} - done - {{- end }} - - {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} - {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} - echo "-----> testing external tls: schema registry" - {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} - for ip in $ip_list - do - openssl s_client 
-verify_return_error -prexit \ - {{- if $cert.caEnabled -}} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end -}} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} - done - {{- end }} - - {{- if eq $values.listeners.http.external.default.tls.cert $name }} - echo "-----> testing external tls: http api" - {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} - for ip in $ip_list - do - openssl s_client -verify_return_error -prexit \ - {{- if $cert.caEnabled -}} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end -}} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} - done - {{- end }} - {{- end }} - - {{- end }} - {{- end }} - {{- end }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-loadbalancer-tls-redpanda - annotations: - helm.sh/hook-weight: "-100" - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: test-loadbalancer-tls-redpanda - annotations: - helm.sh/hook-weight: "-100" - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: test-loadbalancer-tls-redpanda -subjects: - - kind: ServiceAccount - name: test-loadbalancer-tls-redpanda - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: test-loadbalancer-tls-redpanda - annotations: - helm.sh/hook-weight: "-100" - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation -rules: - - apiGroups: - - "" - resources: - - pods - - services - verbs: - - get - -{{- end -}} 
diff --git a/charts/redpanda/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/templates/tests/test-nodeport-tls.yaml
deleted file mode 100644
index 4310eaf3a..000000000
--- a/charts/redpanda/templates/tests/test-nodeport-tls.yaml
+++ /dev/null
@@ -1,173 +0,0 @@ -{{/* - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */}} -{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} - {{- $values := .Values }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-nodeport-tls - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation -spec: - serviceAccountName: test-nodeport-tls-redpanda-no-a-test - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . 
}} - image: mintel/docker-alpine-bash-curl-jq:latest - command: - - bash - - -c - - | - set -x - export APISERVER=https://kubernetes.default.svc - export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount - export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) - export TOKEN=$(cat ${SERVICEACCOUNT}/token) - export CACERT=${SERVICEACCOUNT}/ca.crt - - ip_list="" - - replicas={{ .Values.statefulset.replicas }} - if [ "${replicas}" -lt "1" ]; then - echo "replicas cannot be less than 1" - exit 1 - fi - - range=$(expr $replicas - 1) - ordinal_list=$(seq 0 $range) - - set -e - - for i in $ordinal_list - do - POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ - -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) - ip=$(echo $POD_DESC | jq -r .status.hostIP ) - ip_list="$ip $ip_list" - done - - echo test will be run against $ip_list - echo testing NodePort connectivity - {{- range $name, $cert := $values.tls.certs }} - {{- if $cert.secretRef }} - {{- if eq $cert.secretRef.name "external-tls-secret" }} - echo "---> testing external tls" - - {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} - echo "-----> testing external tls: kafka api" - {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} - for ip in $ip_list - do - openssl s_client -verify_return_error -prexit \ - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ - -connect ${ip}:{{ $port }} - done - {{- end }} - - {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} - {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} - echo "-----> testing external tls: schema registry" - {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} - for ip in $ip_list - do - openssl s_client -verify_return_error -prexit \ 
- {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ - -connect ${ip}:{{ $port }} - done - {{- end }} - - {{- if eq $values.listeners.http.external.default.tls.cert $name }} - echo "-----> testing external tls: http api" - {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} - for ip in $ip_list - do - openssl s_client -verify_return_error -prexit \ - {{- if $cert.caEnabled }} - -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ - {{- end }} - -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ - -connect ${ip}:{{ $port }} - done - {{- end }} - {{- end }} - - {{- end }} - {{- end }} - {{- end }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: test-nodeport-tls-redpanda-no-a-test - annotations: - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation - helm.sh/hook-weight: "-100" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: test-nodeport-tls-redpanda-no-a-test - annotations: - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation - helm.sh/hook-weight: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: test-nodeport-tls-redpanda-no-a-test -subjects: - - kind: ServiceAccount - name: test-nodeport-tls-redpanda-no-a-test - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: test-nodeport-tls-redpanda-no-a-test - annotations: - helm.sh/hook: test - helm.sh/hook-delete-policy: before-hook-creation - helm.sh/hook-weight: "-100" -rules: - - apiGroups: - - "" - resources: - - pods - - services - verbs: - - get -{{- end -}} 
diff --git a/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml
deleted file mode 100644
index 4cb6aaa0f..000000000
--- a/charts/redpanda/templates/tests/test-pandaproxy-internal-tls-status.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} - {{- $service := .Values.listeners.http -}} - {{- $cert := get .Values.tls.certs $service.tls.cert -}} - {{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: [ "/bin/bash", "-c" ] - args: - - | - {{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=":" read -r {{ include "rpk-sasl-environment-variables" . 
}} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" - RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" - if [[ -n "$old_setting" ]]; then set -x; fi - {{- end }} - - curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ - {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} - -u ${RPK_USER}:${RPK_PASS} \ - {{- end }} - {{- if $cert.caEnabled }} - --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ - {{- end }} - https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers - - curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ - {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} - -u ${RPK_USER}:${RPK_PASS} \ - {{- end }} - {{- if $cert.caEnabled }} - --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ - {{- end }} - https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end -}} diff --git a/charts/redpanda/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/templates/tests/test-pandaproxy-status.yaml deleted file mode 100644 index 4f5ee6bb7..000000000 --- a/charts/redpanda/templates/tests/test-pandaproxy-status.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} - {{- $sasl := .Values.auth.sasl }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: [ "/bin/bash", "-c" ] - args: - - | - {{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" - RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" - if [[ -n "$old_setting" ]]; then set -x; fi - {{- end }} - - curl {{ template "curl-options" . }} \ - {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} - -u ${RPK_USER}:${RPK_PASS} \ - {{- end }} - http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers - - curl {{ template "curl-options" . }} \ - {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} - -u ${RPK_USER}:${RPK_PASS} \ - {{- end }} - http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/templates/tests/test-prometheus-targets.yaml deleted file mode 100644 index 81f83a34e..000000000 --- a/charts/redpanda/templates/tests/test-prometheus-targets.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{/* - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */}} - -{{- if and .Values.tests.enabled .Values.monitoring.enabled }} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest - command: [ "/bin/bash", "-c" ] - args: - - | - set -xe - - HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) - if [ $HEALTHY != 200 ]; then - echo "prometheus is not healthy, exiting" - exit 1 - fi - - echo "prometheus is healthy, checking if ready..." - - READY=$( curl {{ template "curl-options" . 
}} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) - if [ $READY != 200 ]; then - echo "prometheus is not ready, exiting" - exit 1 - fi - - echo "prometheus is ready, requesting target information..." - - - curl_prometheus() { - - # Run the command, and save the exit code - # from: https://prometheus.io/docs/prometheus/latest/querying/api/ - local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) - - echo $RESULT - } - for d in $(seq 1 30); do - RESULT=$(curl_prometheus) - if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then - break - fi - sleep 15 - done - - set +x - if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then - curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . - echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" - exit 1 - fi -{{- end }} diff --git a/charts/redpanda/templates/tests/test-rack-awareness.yaml b/charts/redpanda/templates/tests/test-rack-awareness.yaml deleted file mode 100644 index 82a31937f..000000000 --- a/charts/redpanda/templates/tests/test-rack-awareness.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{- if .Values.tests.enabled }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-rack-awareness - namespace: {{ .Release.Namespace | quote }} -{{- with include "full.labels" . }} - labels: {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} -{{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} -{{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /bin/bash - - -c - - | - set -e -{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - curl {{ template "curl-options" . }} \ - {{- if (include "tls-enabled" . | fromJson).bool }} - {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} - --cacert "/etc/tls/certs/default/ca.crt" \ - {{- end }} - https://{{ include "redpanda.internal.domain" . 
}}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' - {{- else }} - http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' - {{- end }} -{{- end }} - - rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' - - rpk cluster config get enable_rack_awareness - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/redpanda/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/templates/tests/test-rpk-debug-bundle.yaml deleted file mode 100644 index 3230f0881..000000000 --- a/charts/redpanda/templates/tests/test-rpk-debug-bundle.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{/* - -This test currently fails because of a bug where when multiple containers exist -The api returns an error. We should be requesting logs from each container. - - -{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} - {{- $sasl := .Values.auth.sasl }} - {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} - - -apiVersion: v1 -kind: Pod -metadata: - name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 - topologyKey: kubernetes.io/hostname - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . 
| nindent 4 }} - {{- end }} - initContainers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - - name: shared-data - mountPath: /usr/share/redpanda/test - - name: datadir - mountPath: /var/lib/redpanda/data - command: - - /bin/bash - - -c - - | - set -e - {{- if .Values.auth.sasl.enabled }} - old_setting=${-//[^x]/} - set +x - IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - if [[ -n "$old_setting" ]]; then set -x; fi - {{- end }} - rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} - containers: - - name: {{ template "redpanda.name" . }}-tester - image: busybox:latest - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - - name: shared-data - mountPath: /test - command: - - /bin/ash - - -c - - | - set -e - unzip /test/debug-test.zip -d /tmp/bundle - - test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt - test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt - test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt - - test -d /tmp/bundle/controller - - test -f /tmp/bundle/k8s/pods.json - test -f /tmp/bundle/k8s/configmaps.json - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end -}} -*/}} \ No newline at end of file diff --git a/charts/redpanda/templates/tests/test-sasl-updated.yaml b/charts/redpanda/templates/tests/test-sasl-updated.yaml deleted file mode 100644 index 5f61be552..000000000 
--- a/charts/redpanda/templates/tests/test-sasl-updated.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" - namespace: {{ .Release.Namespace | quote }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - annotations: - "helm.sh/hook": test - "helm.sh/hook-delete-policy": before-hook-creation -spec: - restartPolicy: Never - securityContext: {{ include "pod-security-context" . | nindent 4 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: {{- toYaml . | nindent 4 }} - {{- end }} - containers: - - name: {{ template "redpanda.name" . }} - image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} - command: - - /usr/bin/timeout - - "120" - - bash - - -c - - | - set -e - IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) - {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} - RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- else }} - REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} - {{- end }} - export {{ include "rpk-sasl-environment-variables" . }} - - set -x - - # check that the users list did update - ready_result_exit_code=1 - while [[ ${ready_result_exit_code} -ne 0 ]]; do - ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? - sleep 2 - done - - # check that sasl is not broken - {{ include "rpk-cluster-info" $ }} - volumeMounts: {{ include "default-mounts" . | nindent 8 }} - resources: -{{- toYaml .Values.statefulset.resources | nindent 12 }} - securityContext: {{ include "container-security-context" . | nindent 8 }} - volumes: {{ include "default-volumes" . | nindent 4 }} -{{- end }} diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar index 89dddaa5e..4650327fb 100644 --- a/charts/redpanda/testdata/template-cases.golden.txtar +++ b/charts/redpanda/testdata/template-cases.golden.txtar @@ -9435,8 +9435,6 @@ spec: initialDelaySeconds: 1 periodSeconds: 10 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9495,8 +9493,6 @@ spec: resources: {} securityContext: {} volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9523,8 +9519,6 @@ spec: runAsGroup: 0 runAsUser: 0 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external 
@@ -9564,8 +9558,6 @@ spec: runAsNonRoot: null runAsUser: 101 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -9620,10 +9612,6 @@ spec: topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - - name: redpanda-cert2-cert - secret: - defaultMode: 288 - secretName: redpanda-cert2-cert - name: redpanda-default-cert secret: defaultMode: 288 @@ -9688,32 +9676,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-cert2-root-certificate - namespace: default -spec: - commonName: redpanda-cert2-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-cert2-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-cert2-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -9766,44 +9728,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-cert2-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-cert2-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-cert2-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -9880,39 +9804,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-cert2-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-cert2-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-cert2-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer metadata: creationTimestamp: null labels: @@ -10047,8 +9938,6 @@ spec: runAsGroup: 101 runAsUser: 101 volumeMounts: - - mountPath: /etc/tls/certs/cert2 - name: redpanda-cert2-cert - mountPath: /etc/tls/certs/default name: redpanda-default-cert - mountPath: /etc/tls/certs/external @@ -10092,10 +9981,6 @@ spec: serviceAccountName: redpanda tolerations: [] volumes: - - name: redpanda-cert2-cert - secret: - defaultMode: 288 - secretName: redpanda-cert2-cert - name: redpanda-default-cert secret: defaultMode: 288 @@ -64973,9 +64858,9 @@ data: pandaproxy_api_tls: null pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: 
@@ -65056,8 +64941,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9092 tls: ca_file: /etc/tls/certs/kafka-internal-0/ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key overprovisioned: false schema_registry: addresses: @@ -65090,9 +64975,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -65131,8 +65016,8 @@ data: - redpanda-2:31092 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key name: default schema_registry: addresses: @@ -65490,6 +65375,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -65550,6 +65437,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount 
@@ -65578,6 +65467,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: base-config - command: @@ -65619,6 +65510,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -65681,6 +65574,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - name: lifecycle-scripts secret: defaultMode: 509 @@ -65937,9 +65834,10 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: redpanda helm.sh/chart: redpanda-5.10.4 - name: redpanda-client + name: redpanda-kafka-internal-0-client + namespace: default spec: - commonName: redpanda-client + commonName: redpanda--kafka-internal-0-client duration: 43800h0m0s isCA: false issuerRef: @@ -65949,7 +65847,7 @@ spec: privateKey: algorithm: ECDSA size: 256 - secretName: redpanda-client + secretName: redpanda-kafka-internal-0-client-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 @@ -66104,6 +66002,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config 
@@ -66155,6 +66055,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - configMap: name: redpanda name: base-config @@ -79245,8 +79149,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79325,8 +79227,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79364,8 +79264,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79427,8 +79325,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79490,10 +79386,6 @@ spec: topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 
@@ -79578,32 +79470,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-root-certificate - namespace: default -spec: - commonName: redpanda-default-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -79630,46 +79496,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - - some.local.dev.domain - - '*.some.local.dev.domain' - duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -79710,39 +79536,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer metadata: creationTimestamp: null labels: @@ -79875,8 +79668,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -79927,10 +79718,6 @@ spec: operator: Equal value: redpanda volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 @@ -80782,8 +80569,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt 
@@ -80862,8 +80647,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -80901,8 +80684,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -80964,8 +80745,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -81027,10 +80806,6 @@ spec: topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 @@ -81115,32 +80890,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-root-certificate - namespace: default -spec: - commonName: redpanda-default-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -81167,46 +80916,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - - some.local.dev.domain - - '*.some.local.dev.domain' - duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-default-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-default-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate metadata: creationTimestamp: null labels: 
@@ -81247,39 +80956,6 @@ spec: # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-default-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-default-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer metadata: creationTimestamp: null labels: @@ -81412,8 +81088,6 @@ spec: - mountPath: /etc/secrets/users name: users readOnly: true - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert - mountPath: /etc/tls/certs/external name: redpanda-external-cert - mountPath: /etc/tls/certs/letsencrypt @@ -81464,10 +81138,6 @@ spec: operator: Equal value: redpanda volumes: - - name: redpanda-default-cert - secret: - defaultMode: 288 - secretName: redpanda-default-cert - name: redpanda-external-cert secret: defaultMode: 288 
@@ -113289,11 +112959,11 @@ stringData: CURL_URL="https://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9644" # commands used throughout - CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/node_config" + CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/node_config" CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/maintenance" + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/maintenance" postStart.sh: |- #!/usr/bin/env bash # This code should be similar if not exactly the same as that found in the panda-operator, see @@ -113312,7 +112982,7 @@ stringData: done echo "Clearing maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" # a 400 here would mean not in maintenance mode until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do status=$(${CURL_MAINTENANCE_DELETE_CMD}) @@ -113342,7 +113012,7 @@ stringData: done echo "Setting maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/default/ca.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/for-internal/tls.crt ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" until [ "${status:-}" = '"200"' ]; do status=$(${CURL_MAINTENANCE_PUT_CMD}) sleep 0.5 
@@ -113469,18 +113139,18 @@ data: name: default port: 9645 admin_api_tls: - - cert_file: /etc/tls/certs/default/tls.crt + - cert_file: /etc/tls/certs/for-internal/tls.crt enabled: true - key_file: /etc/tls/certs/default/tls.key + key_file: /etc/tls/certs/for-internal/tls.key name: internal require_client_auth: false - truststore_file: /etc/tls/certs/default/ca.crt - - cert_file: /etc/tls/certs/external/tls.crt + truststore_file: /etc/ssl/certs/ca-certificates.crt + - cert_file: /etc/tls/certs/for-external/tls.crt enabled: true - key_file: /etc/tls/certs/external/tls.key + key_file: /etc/tls/certs/for-external/tls.key name: default require_client_auth: false - truststore_file: /etc/tls/certs/external/ca.crt + truststore_file: /etc/ssl/certs/ca-certificates.crt crash_loop_limit: 5 empty_seed_starts_cluster: false kafka_api: @@ -113534,7 +113204,7 @@ data: - redpanda-1.redpanda.default.svc.cluster.local.:9644 - redpanda-2.redpanda.default.svc.cluster.local.:9644 tls: - ca_file: /etc/tls/certs/default/ca.crt + ca_file: /etc/tls/certs/for-internal/tls.crt enable_memory_locking: false kafka_api: brokers: @@ -113669,7 +113339,7 @@ data: adminApi: enabled: true tls: - caFilepath: /etc/tls/certs/default/ca.crt + caFilepath: /etc/tls/certs/for-internal/tls.crt certFilepath: "" enabled: true insecureSkipTlsVerify: false @@ -113933,8 +113603,8 @@ spec: template: metadata: annotations: - checksum-redpanda-chart/config: 38d4b884564b205ee525c0da5ebdf2aa101b671080f21e0a0b37e733a8b565b9 - checksum/config: bd4c7e4795a5f9bfddf73642e7c62cc83001fa849818cd04a3dfc0751bf59274 + checksum-redpanda-chart/config: 53f91bad55df093662f4cc63a5114ab675f073ba42960e7293d248856d31915f + checksum/config: 2c4a5a958faec4cf01ec3698a9b3dc84e3869bbbe3c41ba69a923cf56e01deaa creationTimestamp: null labels: app.kubernetes.io/instance: redpanda 
@@ -113982,8 +113652,6 @@ spec: readOnly: true - mountPath: /etc/tls/certs/for-internal name: redpanda-for-internal-cert - - mountPath: /etc/tls/certs/default - name: redpanda-default-cert imagePullSecrets: [] initContainers: null nodeSelector: {} @@ -114002,10 +113670,6 @@ spec: secret: defaultMode: 272 secretName: some-secret - - name: redpanda-default-cert - secret: - defaultMode: 272 - secretName: redpanda-default-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: apps/v1 @@ -114032,7 +113696,7 @@ spec: template: metadata: annotations: - config.redpanda.com/checksum: 9a27a058371023eacfdf490e992b689b7ffa8dfc1569887cd1e5a13f95b2e173 + config.redpanda.com/checksum: 8eb9a418d8217f65cc9c6d4d6be3d9c40bd88a4d20055fe146ae310754043966 creationTimestamp: null labels: app.kubernetes.io/component: redpanda-statefulset @@ -114092,7 +113756,7 @@ spec: command: - /bin/sh - -c - - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt + - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/for-internal/tls.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready" failureThreshold: 3 initialDelaySeconds: 10 @@ -114133,7 +113797,7 @@ spec: - -c - | set -e - RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") + RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/for-internal/tls.crt "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9644/v1/status/ready") echo $RESULT echo $RESULT | grep ready failureThreshold: 120 
@@ -131950,9 +131614,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -132046,8 +131710,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: ca_file: /etc/tls/certs/kafka-internal-0/ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key overprovisioned: false schema_registry: addresses: @@ -132080,9 +131744,9 @@ data: truststore_file: /etc/tls/certs/external/ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key require_client_auth: true truststore_file: /etc/tls/certs/kafka-internal-0/ca.crt brokers: @@ -132122,8 +131786,8 @@ data: - redpanda-2:31092 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/kafka-internal-0-client/tls.crt + key_file: /etc/tls/certs/kafka-internal-0-client/tls.key name: default schema_registry: addresses: 
@@ -132170,10 +131834,10 @@ data: - https://redpanda-2.redpanda.default.svc.cluster.local.:8081 tls: caFilepath: /etc/tls/certs/kafka-internal-0/ca.crt - certFilepath: /etc/tls/certs/kafka-internal-0/tls.crt + certFilepath: /etc/tls/certs/kafka-internal-0-client/tls.crt enabled: true insecureSkipTlsVerify: false - keyFilepath: /etc/tls/certs/kafka-internal-0/tls.key + keyFilepath: /etc/tls/certs/kafka-internal-0-client/tls.key redpanda: adminApi: enabled: true @@ -132442,8 +132106,8 @@ spec: template: metadata: annotations: - checksum-redpanda-chart/config: a907d902cf1dd1037ff542934e2e7456064eafd161fc194bb9a5ff488b8e8d2d - checksum/config: e90cdb08cc28471e349293969d71eb681ac9d0c91f565d15663b8ef8da0b5794 + checksum-redpanda-chart/config: b86c8d2d277816c62b79054c162a11ad74c81f236ae28113455187a9eea651ae + checksum/config: d2f52f74ab663148fc7b1cdb724f635684655fc479609bba9b996bd776674c34 creationTimestamp: null labels: app.kubernetes.io/instance: redpanda @@ -132655,6 +132319,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -132715,6 +132381,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount @@ -132743,6 +132411,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: base-config - command: 
@@ -132784,6 +132454,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -132846,6 +132518,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - name: lifecycle-scripts secret: defaultMode: 509 @@ -133102,9 +132778,10 @@ metadata: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: redpanda helm.sh/chart: redpanda-5.10.4 - name: redpanda-client + name: redpanda-kafka-internal-0-client + namespace: default spec: - commonName: redpanda-client + commonName: redpanda--kafka-internal-0-client duration: 43800h0m0s isCA: false issuerRef: @@ -133114,7 +132791,7 @@ spec: privateKey: algorithm: ECDSA size: 256 - secretName: redpanda-client + secretName: redpanda-kafka-internal-0-client-cert --- # Source: redpanda/templates/entry-point.yaml apiVersion: cert-manager.io/v1 @@ -133292,6 +132969,8 @@ spec: name: redpanda-external-cert - mountPath: /etc/tls/certs/kafka-internal-0 name: redpanda-kafka-internal-0-cert + - mountPath: /etc/tls/certs/kafka-internal-0-client + name: redpanda-kafka-internal-0-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config @@ -133343,6 +133022,10 @@ spec: secret: defaultMode: 288 secretName: redpanda-kafka-internal-0-cert + - name: redpanda-kafka-internal-0-client-cert + secret: + defaultMode: 288 + secretName: redpanda-kafka-internal-0-client-cert - configMap: name: redpanda name: base-config 
@@ -152050,11 +151733,11 @@ stringData: CURL_URL="https://${SERVICE_NAME}.redpanda.default.svc.cluster.local:9643" # commands used throughout - CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/node_config" + CURL_NODE_ID_CMD="curl --silent --fail --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/node_config" CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"' CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"' - CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/maintenance" + CURL_MAINTENANCE_GET_CMD="curl -X GET --silent --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/maintenance" postStart.sh: |- #!/usr/bin/env bash # This code should be similar if not exactly the same as that found in the panda-operator, see 
@@ -152073,7 +151756,7 @@ stringData: done echo "Clearing maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" # a 400 here would mean not in maintenance mode until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do status=$(${CURL_MAINTENANCE_DELETE_CMD}) @@ -152103,7 +151786,7 @@ stringData: done echo "Setting maintenance mode on node ${NODE_ID}" - CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" + CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance" until [ "${status:-}" = '"200"' ]; do status=$(${CURL_MAINTENANCE_PUT_CMD}) sleep 0.5 @@ -152211,9 +151894,9 @@ data: truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt pandaproxy_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/default-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/default-client/tls.key require_client_auth: true truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt brokers: 
@@ -152298,8 +151981,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9643 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key enable_memory_locking: false kafka_api: brokers: @@ -152308,8 +151991,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:9093 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key overprovisioned: false schema_registry: addresses: @@ -152318,8 +152001,8 @@ data: - redpanda-2.redpanda.default.svc.cluster.local.:8081 tls: ca_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key tune_aio_events: true schema_registry: schema_registry_api: @@ -152344,9 +152027,9 @@ data: truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt schema_registry_client: broker_tls: - cert_file: /etc/tls/certs/redpanda-client/tls.crt + cert_file: /etc/tls/certs/default-client/tls.crt enabled: true - key_file: /etc/tls/certs/redpanda-client/tls.key + key_file: /etc/tls/certs/default-client/tls.key require_client_auth: true truststore_file: /etc/truststores/configmaps/redpanda-company-cacrt-ca.crt brokers: 
@@ -152379,8 +152062,8 @@ data: - redpanda-2.:9644 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key kafka_api: brokers: - redpanda-0.:9094 @@ -152388,8 +152071,8 @@ data: - redpanda-2.:9094 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key name: default schema_registry: addresses: @@ -152398,8 +152081,8 @@ data: - redpanda-2.:8084 tls: ca_file: ca.crt - cert_file: /etc/tls/certs/redpanda-client/tls.crt - key_file: /etc/tls/certs/redpanda-client/tls.key + cert_file: /etc/tls/certs/default-client/tls.crt + key_file: /etc/tls/certs/default-client/tls.key kind: ConfigMap metadata: creationTimestamp: null 
@@ -152428,29 +152111,29 @@ data: enabled: true tls: caFilepath: /etc/tls/certs/default/ca.crt - certFilepath: /etc/tls/certs/default/tls.crt + certFilepath: /etc/tls/certs/default-client/tls.crt enabled: true insecureSkipTlsVerify: false - keyFilepath: /etc/tls/certs/default/tls.key + keyFilepath: /etc/tls/certs/default-client/tls.key urls: - https://redpanda-0.redpanda.default.svc.cluster.local.:8081 - https://redpanda-1.redpanda.default.svc.cluster.local.:8081 - https://redpanda-2.redpanda.default.svc.cluster.local.:8081 tls: caFilepath: /etc/tls/certs/default/ca.crt - certFilepath: /etc/tls/certs/default/tls.crt + certFilepath: /etc/tls/certs/default-client/tls.crt enabled: true insecureSkipTlsVerify: false - keyFilepath: /etc/tls/certs/default/tls.key + keyFilepath: /etc/tls/certs/default-client/tls.key redpanda: adminApi: enabled: true tls: caFilepath: /etc/tls/certs/default/ca.crt - certFilepath: /etc/tls/certs/default/tls.crt + certFilepath: /etc/tls/certs/default-client/tls.crt enabled: true insecureSkipTlsVerify: false - keyFilepath: /etc/tls/certs/default/tls.key + keyFilepath: /etc/tls/certs/default-client/tls.key urls: - https://redpanda.default.svc.cluster.local.:9643 kind: ConfigMap @@ -152812,8 +152495,8 @@ spec: template: metadata: annotations: - checksum-redpanda-chart/config: 64f636eba32661bf937727194d717a465e0f149bc006ac2ac16c7013655f1395 - checksum/config: 6576f7a7fcee32308b828d12cafb10178b433523816bf2c78920b6d680780963 + checksum-redpanda-chart/config: 6c07ba9c6aca5968dc5cb9b2294af1c981c9b429c39630533e1215e0ab5634d3 + checksum/config: 8c17be4634a3cbadca3b550872bd856756734459438b38a65070076f14f19b5a creationTimestamp: null labels: app.kubernetes.io/instance: redpanda 
@@ -152976,8 +152659,8 @@ spec: command: - /bin/sh - -c - - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/redpanda-client/ca.crt - --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key + - curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default-client/ca.crt + --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready" failureThreshold: 3 initialDelaySeconds: 10 @@ -153018,7 +152701,7 @@ spec: - -c - | set -e - RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/redpanda-client/ca.crt --cert /etc/tls/certs/redpanda-client/tls.crt --key /etc/tls/certs/redpanda-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready") + RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default-client/ca.crt --cert /etc/tls/certs/default-client/tls.crt --key /etc/tls/certs/default-client/tls.key "https://${SERVICE_NAME}.redpanda.default.svc.cluster.local.:9643/v1/status/ready") echo $RESULT echo $RESULT | grep ready failureThreshold: 120 @@ -153027,10 +152710,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -153090,10 +152771,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /var/run/secrets/kubernetes.io/serviceaccount 
@@ -153118,10 +152797,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: base-config - command: @@ -153159,10 +152836,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /etc/redpanda name: config - mountPath: /tmp/base-config @@ -153217,11 +152892,7 @@ spec: secret: defaultMode: 288 secretName: redpanda-tls-cert - - name: redpanda-external-cert - secret: - defaultMode: 288 - secretName: redpanda-external-cert - - name: mtls-client + - name: redpanda-default-client-cert secret: defaultMode: 288 secretName: redpanda-admin-cert 
@@ -153286,105 +152957,6 @@ spec: storage: 20Gi status: {} --- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-external-root-certificate - namespace: default -spec: - commonName: redpanda-external-root-certificate - duration: 43800h0m0s - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-external-selfsigned-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-external-root-certificate ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-external-cert - namespace: default -spec: - dnsNames: - - redpanda-cluster.redpanda.default.svc.cluster.local - - redpanda-cluster.redpanda.default.svc - - redpanda-cluster.redpanda.default - - '*.redpanda-cluster.redpanda.default.svc.cluster.local' - - '*.redpanda-cluster.redpanda.default.svc' - - '*.redpanda-cluster.redpanda.default' - - redpanda.default.svc.cluster.local - - redpanda.default.svc - - redpanda.default - - '*.redpanda.default.svc.cluster.local' - - '*.redpanda.default.svc' - - '*.redpanda.default' - - - - '*.' 
- duration: 43800h0m0s - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: redpanda-external-root-issuer - privateKey: - algorithm: ECDSA - size: 256 - secretName: redpanda-external-cert ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-external-selfsigned-issuer - namespace: default -spec: - selfSigned: {} ---- -# Source: redpanda/templates/entry-point.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: redpanda - app.kubernetes.io/instance: redpanda - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redpanda - helm.sh/chart: redpanda-5.10.4 - name: redpanda-external-root-issuer - namespace: default -spec: - ca: - secretName: redpanda-external-root-certificate ---- # Source: redpanda/charts/console/templates/tests/test-connection.yaml apiVersion: v1 kind: Pod @@ -153458,10 +153030,8 @@ spec: volumeMounts: - mountPath: /etc/tls/certs/default name: redpanda-default-cert - - mountPath: /etc/tls/certs/external - name: redpanda-external-cert - - mountPath: /etc/tls/certs/redpanda-client - name: mtls-client + - mountPath: /etc/tls/certs/default-client + name: redpanda-default-client-cert - mountPath: /tmp/config name: config - mountPath: /tmp/base-config @@ -153505,11 +153075,7 @@ spec: secret: defaultMode: 288 secretName: redpanda-tls-cert - - name: redpanda-external-cert - secret: - defaultMode: 288 - secretName: redpanda-external-cert - - name: mtls-client + - name: redpanda-default-client-cert secret: defaultMode: 288 secretName: redpanda-admin-cert 
diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar index bd7a2f9da..2335aa613 100644 --- a/charts/redpanda/testdata/template-cases.txtar +++ b/charts/redpanda/testdata/template-cases.txtar @@ -111,6 +111,14 @@ tls: # ASSERT-NO-GVK ["cert-manager.io/v1", "Certificate"] # ASSERT-STATEFULSET-ALL-VOLUMES-ARE-USED listeners: + admin: + external: + default: + tls: + cert: for-external + requireClientAuth: false + tls: + cert: for-internal http: external: default: diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go index 33aa53695..d3f218c9c 100644 --- a/charts/redpanda/values.go +++ b/charts/redpanda/values.go @@ -49,11 +49,6 @@ const ( // RedpandaControllersContainerName is the container that can perform day // 2 operation similarly to Redpanda operator. RedpandaControllersContainerName = "redpanda-controllers" - - // certificateMountPoint is a common mount point for any TLS certificate - // defined as external truststore or as certificate that would be - // created by cert-manager. - certificateMountPoint = "/etc/tls/certs" ) type MebiBytes = int64 
@@ -974,6 +969,65 @@ type Listeners struct {
 } `json:"rpc" jsonschema:"required"`
 }
 
+// InUseServerCerts returns a set of names (As a sorted slice) of all TLS
+// certificates that are referenced via listeners and enabled.
+func (l *Listeners) InUseServerCerts(tls *TLS) []string {
+ listeners := []ListenerConfig[string]{
+ l.Admin.AsString(),
+ l.Kafka.AsString(),
+ l.HTTP.AsString(),
+ l.SchemaRegistry.AsString(),
+ }
+
+ certs := map[string]bool{}
+
+ if l.RPC.TLS.IsEnabled(tls) {
+ certs[l.RPC.TLS.Cert] = true
+ }
+
+ for _, listener := range listeners {
+ if !listener.TLS.IsEnabled(tls) {
+ continue
+ }
+
+ certs[listener.TLS.Cert] = true
+
+ for _, external := range helmette.SortedMap(listener.External) {
+ if !external.IsEnabled() || !external.TLS.IsEnabled(&listener.TLS, tls) {
+ continue
+ }
+
+ certs[external.TLS.GetCertName(&listener.TLS)] = true
+ }
+ }
+
+ return helmette.SortedKeys(certs)
+}
+
+func (l *Listeners) InUseClientCerts(tls *TLS) []string {
+ listeners := []ListenerConfig[string]{
+ l.Admin.AsString(),
+ l.Kafka.AsString(),
+ l.HTTP.AsString(),
+ l.SchemaRegistry.AsString(),
+ }
+
+ certs := map[string]bool{}
+
+ if l.RPC.TLS.IsEnabled(tls) && l.RPC.TLS.RequireClientAuth {
+ certs[l.RPC.TLS.Cert] = true
+ }
+
+ for _, listener := range listeners {
+ if !listener.TLS.IsEnabled(tls) || !listener.TLS.RequireClientAuth {
+ continue
+ }
+ certs[listener.TLS.Cert] = true
+ }
+
+ return helmette.SortedKeys(certs)
+}
+
 func (l *Listeners) CreateSeedServers(replicas int32, fullname, internalDomain string) []map[string]any {
 var result []map[string]any
 for i := int32(0); i < replicas; i++ {
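Review bot: `InUseClientCerts` is exported but has no doc comment, and unlike `InUseServerCerts` it never walks `listener.External`, which a reader cannot tell is deliberate. Suggest `// InUseClientCerts returns the names (as a sorted slice) of all TLS certificates for which a client certificate is needed: the RPC listener and each internal listener that is enabled and requires client auth.`, plus a sentence saying external listeners are intentionally excluded if that is the intent. Both methods also insert `listener.TLS.Cert` unguarded, so an enabled listener with an empty `Cert` would add `""` to the set and presumably trip the later `MustGet`; if values validation already rejects that, a one-line comment saying so would help. Minor: "(As a sorted slice)" in the `InUseServerCerts` comment should be lowercase.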
@@ -1275,6 +1329,73 @@ type TLSCert struct {
 ClientSecretRef *corev1.LocalObjectReference `json:"clientSecretRef"`
 }
 
+func (c *TLSCert) ServerVolumeName(name string) string {
+ // NB: Volume names are intentionally hardcoded to redpanda to make
+ // overrides easier.
+ return fmt.Sprintf("redpanda-%s-cert", name)
+}
+
+func (c *TLSCert) ClientVolumeName(name string) string {
+ // NB: Volume names are intentionally hardcoded to redpanda to make
+ // overrides easier.
+ return fmt.Sprintf("redpanda-%s-client-cert", name)
+}
+
+func (c *TLSCert) ServerMountPoint(name string) string {
+ // NB: The path here is intentionally hardcoded to discourage manual
+ // construct of this mount point.
+ return fmt.Sprintf("/etc/tls/certs/%s", name)
+}
+
+func (c *TLSCert) ClientMountPoint(name string) string {
+ // NB: The path here is intentionally hardcoded to discourage manual
+ // construct of this mount point.
+ return fmt.Sprintf("/etc/tls/certs/%s-client", name)
+}
+
+func (c *TLSCert) ServerSecretName(state *helmette.Dot, name string) string {
+ if c.SecretRef != nil {
+ return c.SecretRef.Name
+ }
+ return fmt.Sprintf("%s-%s-cert", Fullname(state), name)
+}
+
+func (c *TLSCert) ClientSecretName(dot *helmette.Dot, name string) string {
+ if c.ClientSecretRef != nil {
+ return c.ClientSecretRef.Name
+ }
+ return fmt.Sprintf("%s-%s-client-cert", Fullname(dot), name)
+}
+
+func (c *TLSCert) RootSecretName(dot *helmette.Dot, name string) string {
+ return fmt.Sprintf(`%s-%s-root-certificate`, Fullname(dot), name)
+}
+
+func (c *TLSCert) CASecretRef(dot *helmette.Dot, name string) corev1.SecretKeySelector {
+ // If no SecretRef is specified, we know that the CA was generated by cert-manager.
+ if c.SecretRef == nil {
+ return corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: c.RootSecretName(dot, name),
+ },
+ Key: corev1.TLSCertKey,
+ }
+ }
+
+ // Otherwise we have to use the provided SecretRef.
+ key := corev1.TLSCertKey
+ if c.CAEnabled {
+ key = "ca.crt"
+ }
+
+ return corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: c.ServerSecretName(dot, name),
+ },
+ Key: key,
+ }
+}
+
 type TLSCertMap map[string]TLSCert
 
 // +gotohelm:ignore=true
@@ -1438,8 +1559,9 @@ func (t *InternalTLS) TrustStoreFilePath(tls *TLS) string {
 return t.TrustStore.TrustStoreFilePath()
 }
 
- if tls.Certs.MustGet(t.Cert).CAEnabled {
- return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert)
+ cert := tls.Certs.MustGet(t.Cert)
+ if cert.CAEnabled {
+ return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(t.Cert))
 }
 
 return defaultTruststorePath
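Review bot: The client-side naming helpers collide with the server-side ones for certificate names ending in `-client`: `ClientVolumeName("x")`, `ClientMountPoint("x")` and `ClientSecretName(dot, "x")` yield `redpanda-x-client-cert`, `/etc/tls/certs/x-client` and `<fullname>-x-client-cert`, which are exactly what `ServerVolumeName`, `ServerMountPoint` and `ServerSecretName` yield for a certificate named `x-client`. Since `tls.certs` keys come from user values, a release defining both `x` and `x-client` would end up with duplicate volume names or two Certificates writing the same Secret; rejecting such names in values validation, or using a suffix that cannot appear in a key, would close that, and the constraint belongs in a doc comment on these helpers either way. `CASecretRef` also treats `SecretRef == nil` as proof that the chart bootstrapped the CA; if a certificate can instead reference a user-supplied issuer without a SecretRef (the `TLSCert` fields are outside this hunk), the returned `RootSecretName` would name a Secret the chart never creates, which is worth handling or at least stating in the comment. Style: `ServerSecretName` names its `*helmette.Dot` parameter `state` while every sibling uses `dot`, and "manual construct of this mount point" in the two mount-point comments should read "manual construction of this mount point".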
@@ -1452,15 +1574,74 @@ func (t *InternalTLS) ServerCAPath(tls *TLS) string {
 return t.TrustStore.TrustStoreFilePath()
 }
 
- if tls.Certs.MustGet(t.Cert).CAEnabled {
- return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert)
+ cert := tls.Certs.MustGet(t.Cert)
+ if cert.CAEnabled {
+ return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(t.Cert))
 }
+
 // Strange but technically correct, if CAEnabled is false, we can't safely
 // assume that a ca.crt file will exist. So we fallback to using the
 // server's certificate itself.
 // Other options would be: failing or falling back to the container's
 // default truststore.
- return fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, t.Cert)
+ return fmt.Sprintf("%s/tls.crt", cert.ServerMountPoint(t.Cert))
+}
+
+// ServerMountPoint is a helper to call [TLSCert.ServerMountPoint] on the
+// configure certificate.
+func (t *InternalTLS) ServerMountPoint(tls *TLS) string {
+ cert := tls.Certs.MustGet(t.Cert)
+ return cert.ServerMountPoint(t.Cert)
+}
+
+// ClientMountPoint is a helper to call [TLSCert.ClientMountPoint] on the
+// configure certificate.
+func (t *InternalTLS) ClientMountPoint(tls *TLS) string {
+ cert := tls.Certs.MustGet(t.Cert)
+ return cert.ClientMountPoint(t.Cert)
+}
+
+// ConsoleTLS is a struct that represents TLS configuration used
+// in console configuration in Kafka, Schema Registry and
+// Redpanda Admin API.
+// For the above configuration helm chart could import struct, but
+// as of the writing the struct fields tag have only `yaml` annotation.
+// `sigs.k8s.io/yaml` requires `json` tags.
+type ConsoleTLS struct {
+ Enabled bool `json:"enabled"`
+ CaFilepath string `json:"caFilepath"`
+ CertFilepath string `json:"certFilepath"`
+ KeyFilepath string `json:"keyFilepath"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"`
+}
+
+func (l *ListenerConfig[T]) ConsoleTLS(tls *TLS) ConsoleTLS {
+ t := ConsoleTLS{Enabled: l.TLS.IsEnabled(tls)}
+ if !t.Enabled {
+ return t
+ }
+
+ cert := tls.Certs.MustGet(l.TLS.Cert)
+
+ // Strange but technically correct, if CAEnabled is false, we can't safely
+ // assume that a ca.crt file will exist. So we fallback to using the
+ // server's certificate itself.
+ // Other options would be: failing or falling back to the container's
+ // default truststore.
+ if tls.Certs.MustGet(l.TLS.Cert).CAEnabled {
+ t.CaFilepath = fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(l.TLS.Cert))
+ } else {
+ t.CaFilepath = fmt.Sprintf("%s/tls.crt", cert.ServerMountPoint(l.TLS.Cert))
+ }
+
+ if !l.TLS.RequireClientAuth {
+ return t
+ }
+
+ t.CertFilepath = fmt.Sprintf("%s/tls.crt", cert.ClientMountPoint(l.TLS.Cert))
+ t.KeyFilepath = fmt.Sprintf("%s/tls.key", cert.ClientMountPoint(l.TLS.Cert))
+
+ return t
 }
 
 // ExternalTLS is the TLS configuration associated with a given "external"
@@ -1490,8 +1671,9 @@ func (t *ExternalTLS) TrustStoreFilePath(i *InternalTLS, tls *TLS) string {
 return t.TrustStore.TrustStoreFilePath()
 }
 
- if t.GetCert(i, tls).CAEnabled {
- return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.GetCertName(i))
+ name := t.GetCertName(i)
+ if cert := t.GetCert(i, tls); cert.CAEnabled {
+ return fmt.Sprintf("%s/ca.crt", cert.ServerMountPoint(name))
 }
 
 return defaultTruststorePath
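Review bot: In `ListenerConfig.ConsoleTLS` the certificate is already bound to `cert := tls.Certs.MustGet(l.TLS.Cert)`, yet the branch a few lines down repeats the lookup as `if tls.Certs.MustGet(l.TLS.Cert).CAEnabled {`; it should read `if cert.CAEnabled {`. The new `InternalTLS.ServerMountPoint` and `ClientMountPoint` doc comments say "on the configure certificate", which should be "on the configured certificate". One consequence of the retained fallback is worth spelling out in the moved comment: when `CAEnabled` is false the console's `caFilepath` is the server's own leaf `tls.crt`, so trust is pinned to that exact leaf rather than to an issuer and presumably stops validating once that leaf is rotated.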
@@ -1517,6 +1699,28 @@ type ListenerConfig[T ~string] struct {
 AuthenticationMethod *T `json:"authenticationMethod,omitempty"`
 }
 
+func (l *ListenerConfig[T]) AsString() ListenerConfig[string] {
+ ext := map[string]ExternalListener[string]{}
+ for name, l := range l.External {
+ ext[name] = l.AsString()
+ }
+
+ var auth *string
+ if l.AuthenticationMethod != nil {
+ authAStr := string(*l.AuthenticationMethod)
+ auth = &authAStr
+ }
+
+ return ListenerConfig[string]{
+ Enabled: l.Enabled,
+ External: ext,
+ Port: l.Port,
+ TLS: l.TLS,
+ AppProtocol: l.AppProtocol,
+ AuthenticationMethod: auth,
+ }
+}
+
 // +gotohelm:ignore=true
 func (ListenerConfig[T]) JSONSchemaExtend(schema *jsonschema.Schema) {
 makeNullable(schema, "authenticationMethod")
@@ -1638,12 +1842,13 @@ func (l *ListenerConfig[T]) ListenersTLS(tls *TLS) []map[string]any {
 }
 
 certName := lis.TLS.GetCertName(&l.TLS)
+ cert := tls.Certs.MustGet(certName)
 pp = append(pp, map[string]any{
 "name": k,
 "enabled": true,
- "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
- "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
+ "cert_file": fmt.Sprintf("%s/tls.crt", cert.ServerMountPoint(certName)),
+ "key_file": fmt.Sprintf("%s/tls.key", cert.ServerMountPoint(certName)),
 "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false),
 "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls),
 })
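Review bot: In `ListenerConfig.AsString`, the loop `for name, l := range l.External` shadows the receiver `l` for the loop body, so `l.AsString()` on the next line resolves to the `ExternalListener` only through that shadowing; it compiles and behaves, but it reads as a receiver call and shadow-checking linters will flag it. Rename the loop variable: `for name, el := range l.External {` and `ext[name] = el.AsString()`. The exported method has no doc comment; suggest `// AsString re-types the listener with a plain string AuthenticationMethod, converting each External listener and sharing every other field with the receiver.` Note also that `ext` is always a non-nil map even when `l.External` is nil, which changes rendered output (`{}` versus `null`) if the `External` field's tag carries no `omitempty`; that tag is outside this hunk, so verify it.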
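Review bot: `ListenersTLS` now calls `tls.Certs.MustGet(certName)` for every enabled external listener; if the `Must` prefix follows its usual convention this panics on a cert name missing from `tls.certs`, where the old code silently emitted a path under a directory that was never mounted. Failing fast is the right outcome for a TLS setting, but it is a behaviour change the changelog entries do not mention, so it deserves either a sentence there or a comment at the call site: `// MustGet: an external listener naming a cert absent from tls.certs is a values error and must fail rendering rather than point at an unmounted path.` Minor: `cert.ServerMountPoint(certName)` is evaluated twice for the two file paths; bind it once, `mount := cert.ServerMountPoint(certName)`. `ListenersTLS` starts before this hunk.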
@@ -1651,49 +1856,6 @@ func (l *ListenerConfig[T]) ListenersTLS(tls *TLS) []map[string]any {
 return pp
 }
 
-// ConsoleTLS is a struct that represents TLS configuration used
-// in console configuration in Kafka, Schema Registry and
-// Redpanda Admin API.
-// For the above configuration helm chart could import struct, but
-// as of the writing the struct fields tag have only `yaml` annotation.
-// `sigs.k8s.io/yaml` requires `json` tags.
-type ConsoleTLS struct {
- Enabled bool `json:"enabled"`
- CaFilepath string `json:"caFilepath"`
- CertFilepath string `json:"certFilepath"`
- KeyFilepath string `json:"keyFilepath"`
- InsecureSkipTLSVerify bool `json:"insecureSkipTlsVerify"`
-}
-
-func (l *ListenerConfig[T]) ConsoleTLS(tls *TLS) ConsoleTLS {
- t := ConsoleTLS{Enabled: l.TLS.IsEnabled(tls)}
- if !t.Enabled {
- return t
- }
-
- adminAPIPrefix := fmt.Sprintf("%s/%s", certificateMountPoint, l.TLS.Cert)
-
- // Strange but technically correct, if CAEnabled is false, we can't safely
- // assume that a ca.crt file will exist. So we fallback to using the
- // server's certificate itself.
- // Other options would be: failing or falling back to the container's
- // default truststore.
- if tls.Certs.MustGet(l.TLS.Cert).CAEnabled {
- t.CaFilepath = fmt.Sprintf("%s/ca.crt", adminAPIPrefix)
- } else {
- t.CaFilepath = fmt.Sprintf("%s/tls.crt", adminAPIPrefix)
- }
-
- if !l.TLS.RequireClientAuth {
- return t
- }
-
- t.CertFilepath = fmt.Sprintf("%s/tls.crt", adminAPIPrefix)
- t.KeyFilepath = fmt.Sprintf("%s/tls.key", adminAPIPrefix)
-
- return t
-}
-
 type ExternalListener[T ~string] struct {
 Enabled *bool `json:"enabled"`
 AdvertisedPorts []int32 `json:"advertisedPorts" jsonschema:"minItems=1"`
@@ -1706,6 +1868,24 @@ type ExternalListener[T ~string] struct {
 PrefixTemplate *string `json:"prefixTemplate,omitempty"`
 }
 
+func (l *ExternalListener[T]) AsString() ExternalListener[string] {
+ var auth *string
+ if l.AuthenticationMethod != nil {
+ authAStr := string(*l.AuthenticationMethod)
+ auth = &authAStr
+ }
+
+ return ExternalListener[string]{
+ Enabled: l.Enabled,
+ AdvertisedPorts: l.AdvertisedPorts,
+ Port: l.Port,
+ NodePort: l.NodePort,
+ TLS: l.TLS,
+ AuthenticationMethod: auth,
+ PrefixTemplate: l.PrefixTemplate,
+ }
+}
+
 // +gotohelm:ignore=true
 func (ExternalListener[T]) JSONSchemaExtend(schema *jsonschema.Schema) {
 makeNullable(schema, "authenticationMethod")
diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go
index b40d8f451..b40677733 100644
--- a/pkg/helm/helm.go
+++ b/pkg/helm/helm.go
@@ -563,9 +563,20 @@ func (c *Client) runHelmInDir(ctx context.Context, dir string, args ...string) (
 cmd.Env = c.env
 cmd.Stderr = &stderr
 cmd.Stdout = &stdout
 
+ // Setting Cancel and WaitDelay will cause SIGINT to be sent upon context
+ // cancellation and send SIGKILL after 5s. (i.e. a graceful shutdown with a
+ // 5s grace period).
+ cmd.WaitDelay = 5 * time.Second
+ cmd.Cancel = func() error {
+ return cmd.Process.Signal(os.Interrupt)
+ }
 err := cmd.Run()
- return stdout.Bytes(), stderr.Bytes(), errors.Wrapf(err, "stderr: %s", stderr.String())
+
+ return stdout.Bytes(), stderr.Bytes(), errors.Join(
+ ctx.Err(),
+ errors.Wrapf(err, "stderr: %s", stderr.String()),
+ )
 }
 
 // writeValues writes a helm values file to a unique file in HELM_CONFIG_HOME
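Review bot: `ExternalListener.AsString` returns a shallow copy: `AdvertisedPorts` keeps the receiver's backing array, and `Enabled`, `NodePort`, `PrefixTemplate` (plus any pointer fields inside `TLS`, which this hunk does not show) are shared, so mutating the result can change the source listener while `AuthenticationMethod` alone is a fresh pointer. That is fine for a read-only re-typing but needs saying; proposed doc comment: `// AsString re-types the listener with a plain string AuthenticationMethod. The result is a shallow copy: slice and pointer fields alias the receiver.` The `AuthenticationMethod` conversion is duplicated verbatim in `ListenerConfig.AsString` in the hunk above; a small generic helper such as `func authMethodString[T ~string](p *T) *string` would keep the two from drifting apart.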
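Review bot: The new comment above `cmd.WaitDelay` attributes the SIGKILL to "Setting Cancel and WaitDelay", but `Cancel` only sends the interrupt; it is `WaitDelay` that kills the child if it is still running 5s after `Cancel` was invoked, and per the `os/exec` contract it does so even when `Process.Signal(os.Interrupt)` itself fails (as it does on Windows, where `os.Interrupt` is unsupported). Stating that makes the fallback explicit: `// Cancel sends SIGINT on context cancellation; WaitDelay then SIGKILLs the child if it is still running 5s later, even if the SIGINT could not be delivered.` The `5 * time.Second` literal would read better as a named constant such as `helmShutdownGrace`. `errors.Join` here must come from the same non-stdlib `errors` package that supplies `Wrapf`; assuming its Join unwraps like the standard one, listing `ctx.Err()` first keeps `errors.Is(err, context.Canceled)` working despite the stderr wrapper, which is worth a one-line comment since the wrapper otherwise hides it.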