apache · gulecroc · Jan 22, 2025 · Feb 24, 2025 · Feb 24, 2025 · lhotari
diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl
@@ -74,12 +74,7 @@ Define autorecovery tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt

diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl
@@ -75,12 +75,7 @@ Define bookie tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt

diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl
@@ -81,12 +81,7 @@ Define broker tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt

diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{ printf "%s-%s" .Release.Name .Values.tls.ca_suffix }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl
@@ -74,12 +74,7 @@ Define toolset tls certs volumes
       path: tls.key
 - name: ca
   secret:
-    {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
-    {{- end }}
-    {{- if eq .Values.certs.internal_issuer.type "ca" }}
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-    {{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     items:
     - key: ca.crt
       path: ca.crt

diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -297,7 +297,7 @@ spec:
         - name: ca
           secret:
             {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-            secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+            secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
             {{- end }}
             {{- if eq .Values.certs.internal_issuer.type "ca" }}
             secretName: "{{ .Values.certs.issuers.ca.secretName }}"

diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -33,7 +33,7 @@ metadata:
   name: "{{ template "pulsar.fullname" . }}-ca"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+  secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
   commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
   duration: "{{ .Values.certs.internal_issuer.duration }}"
   renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@@ -50,23 +50,13 @@ spec:
     # if you are using an external issuer, change this to that issuer group.
     group: cert-manager.io
 ---
-apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
-kind: Issuer
-metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
-  namespace: {{ template "pulsar.namespace" . }}
-spec:
-  ca:
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
 {{- end }}
-{{- if eq .Values.certs.internal_issuer.type "ca" }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   ca:
-    secretName: "{{ .Values.certs.issuers.ca.secretName }}"
-{{- end }}
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 {{- end }}
diff --git a/charts/pulsar/templates/tls-certs-internal.yaml b/charts/pulsar/templates/tls-certs-internal.yaml
@@ -18,7 +18,6 @@
 #
 
 {{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}
 
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
@@ -66,7 +65,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -122,7 +121,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -176,7 +175,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -230,7 +229,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -281,7 +280,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -332,7 +331,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -342,4 +341,3 @@ spec:
 {{- end }}
 
 {{- end }}
-{{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -129,7 +129,7 @@ spec:
       - name: proxy-ca
         secret:
           {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           {{- end }}
           {{- if eq .Values.certs.internal_issuer.type "ca" }}
           secretName: "{{ .Values.certs.issuers.ca.secretName }}"

diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -253,7 +253,7 @@ spec:
       - name: ca
         secret:
           {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           {{- end }}
           {{- if eq .Values.certs.internal_issuer.type "ca" }}
           secretName: "{{ .Values.certs.issuers.ca.secretName }}"

diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
@@ -295,7 +295,7 @@ auth:
 ######################################################################
 
 ## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
 ##
 ## Cert manager is used for automatically provisioning TLS certificates
 ## for components within a Pulsar cluster
@@ -311,10 +311,11 @@ certs:
     # 15d
     renewBefore: 360h
   issuers:
-    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
+    # Used for certs.internal_issuer.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
     selfsigning:
-    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    # used for certs.internal_issuer.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
     ca:
+      name:
       secretName:
 
 ######################################################################