Posted to commits@pulsar.apache.org by si...@apache.org on 2021/08/26 06:14:12 UTC
[pulsar-helm-chart] branch master updated: updates pulsar ca name
generation to use suffix making cert swappable (#141)
This is an automated email from the ASF dual-hosted git repository.
sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new f307cc3 updates pulsar ca name generation to use suffix making cert swappable (#141)
f307cc3 is described below
commit f307cc32af530c369c34a021bb6c96f2d4907fcd
Author: Peter Tinti <vo...@gmail.com>
AuthorDate: Wed Aug 25 23:14:03 2021 -0700
updates pulsar ca name generation to use suffix making cert swappable (#141)
Updates CA name generation to be configurable allowing the swapping in of a CA.
### Motivation
We recently swapped out cert issuers and found that with the current helm chart we were unable to do a hot swap without downtime (via helm) because the CA cert name is not configurable. Being able to change the name of the CA allows us to create a new CA first -> Validate -> then swap over in follow up apply/release.
### Modifications
Adds the ability to specify the suffix used to generate the CA secret name (only the suffix, not the whole name, so that existing releases keep their current `<release>-ca-tls` name and stay backward compatible regardless of the release name).
---
charts/pulsar/templates/_autorecovery.tpl | 2 +-
charts/pulsar/templates/_bookkeeper.tpl | 2 +-
charts/pulsar/templates/_broker.tpl | 2 +-
charts/pulsar/templates/_toolset.tpl | 2 +-
charts/pulsar/templates/proxy-statefulset.yaml | 2 +-
charts/pulsar/templates/tls-cert-internal-issuer.yaml | 4 ++--
charts/pulsar/templates/toolset-statefulset.yaml | 2 +-
charts/pulsar/templates/zookeeper-statefulset.yaml | 2 +-
charts/pulsar/values.yaml | 1 +
scripts/pulsar/clean_tls.sh | 9 ++++++++-
scripts/pulsar/upload_tls.sh | 9 ++++++++-
11 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/charts/pulsar/templates/_autorecovery.tpl b/charts/pulsar/templates/_autorecovery.tpl
index e1e74d5..8343589 100644
--- a/charts/pulsar/templates/_autorecovery.tpl
+++ b/charts/pulsar/templates/_autorecovery.tpl
@@ -55,7 +55,7 @@ Define autorecovery tls certs volumes
path: tls.key
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
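Review bot: The new `secretName` expression is rendered with no guard, so a values overlay that sets `tls.ca_suffix: ""` (or drops the key) produces `"<release>-"`, which is not a valid Secret name and only surfaces when the API server rejects the pod or the pod waits on a Secret that never exists. Wrapping the value in `required` turns that into a render-time error: `secretName: "{{ .Release.Name }}-{{ required "tls.ca_suffix must be set" .Values.tls.ca_suffix }}"`. The same literal expression is now hand-copied into eight templates in this commit; a named template (a `pulsar.ca_secret_name` helper or similar) would keep them from drifting the next time the naming changes. The enclosing `define` block starts outside the hunk.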
diff --git a/charts/pulsar/templates/_bookkeeper.tpl b/charts/pulsar/templates/_bookkeeper.tpl
index bd319ff..5b96953 100644
--- a/charts/pulsar/templates/_bookkeeper.tpl
+++ b/charts/pulsar/templates/_bookkeeper.tpl
@@ -56,7 +56,7 @@ Define bookie tls certs volumes
path: tls.key
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_broker.tpl b/charts/pulsar/templates/_broker.tpl
index 758a0b6..5614e8e 100644
--- a/charts/pulsar/templates/_broker.tpl
+++ b/charts/pulsar/templates/_broker.tpl
@@ -62,7 +62,7 @@ Define broker tls certs volumes
path: tls.key
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/_toolset.tpl b/charts/pulsar/templates/_toolset.tpl
index 5b149b5..c6bf857 100644
--- a/charts/pulsar/templates/_toolset.tpl
+++ b/charts/pulsar/templates/_toolset.tpl
@@ -55,7 +55,7 @@ Define toolset tls certs volumes
path: tls.key
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
index 96c24bf..0433d1b 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -260,7 +260,7 @@ spec:
{{- if .Values.tls.proxy.enabled }}
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index 60ac91a..e9c3a2f 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -34,7 +34,7 @@ metadata:
name: "{{ template "pulsar.fullname" . }}-ca"
namespace: {{ template "pulsar.namespace" . }}
spec:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
duration: "{{ .Values.certs.internal_issuer.duration }}"
renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
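Review bot: Changing `tls.ca_suffix` on an existing release keeps the Certificate's `name` (the line just above the hunk) fixed while moving its `secretName`, so the previous CA Secret — which holds the CA private key when cert-manager issued it — is presumably left in the namespace rather than deleted, and the commit does not say who cleans it up. The Issuer in the second hunk reads the same Secret, so a swap that only changes the suffix may leave components that restart onto the new `ca.crt` unable to trust peers still presenting leaves signed by the previous CA unless those leaves are re-issued first; worth confirming against cert-manager's re-issuance behaviour and writing down in the chart docs. A comment on the Certificate, e.g. `# secretName follows tls.ca_suffix so a replacement CA can be issued beside the current one; the previous Secret is not removed automatically`, would make the rotation procedure explicit.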
@@ -59,6 +59,6 @@ metadata:
namespace: {{ template "pulsar.namespace" . }}
spec:
ca:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
{{- end }}
{{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
index 1f50c7d..8e3b8d5 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -112,7 +112,7 @@ spec:
{{- if and .Values.tls.enabled (or .Values.tls.broker.enabled .Values.tls.proxy.enabled) }}
- name: proxy-ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml
index 9b36634..f1ffb88 100644
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -205,7 +205,7 @@ spec:
path: tls.key
- name: ca
secret:
- secretName: "{{ .Release.Name }}-ca-tls"
+ secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
items:
- key: ca.crt
path: ca.crt
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 88e8942..8a218a8 100644
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -191,6 +191,7 @@ images:
## brokers and proxies.
tls:
enabled: false
+ ca_suffix: ca-tls
# common settings for generating certs
common:
# 90d
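Review bot: `ca_suffix` is added without a comment although the neighbouring `tls` keys are annotated and this is the value an operator edits during a CA swap, so its contract (suffix only, joined to the release name, and the old Secret's fate) is invisible from values.yaml. Suggest `# Suffix appended to the release name to form the CA Secret name (<release>-<ca_suffix>).` followed by `# Change it to issue or upload a replacement CA beside the current one; the previous Secret is not removed automatically.` The `tls` mapping starts before the hunk.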
diff --git a/scripts/pulsar/clean_tls.sh b/scripts/pulsar/clean_tls.sh
index 8dba53d..092e7d4 100755
--- a/scripts/pulsar/clean_tls.sh
+++ b/scripts/pulsar/clean_tls.sh
@@ -25,6 +25,7 @@ cd ${CHART_HOME}
namespace=${namespace:-pulsar}
release=${release:-pulsar-dev}
+caSuffix=${caSuffix:-ca-tls}
clientComponents=${clientComponents:-"toolset"}
serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper"}
@@ -35,6 +36,7 @@ Options:
-h,--help prints the usage message
-n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}.
-k,--release the pulsar helm release name. Default to ${release}.
+ -ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
Usage:
@@ -57,6 +59,11 @@ case $key in
shift
shift
;;
+ -ca|--ca-suffix)
+ caSuffix="$2"
+ shift
+ shift
+ ;;
-c|--client-components)
clientComponents="$2"
shift
@@ -80,7 +87,7 @@ esac
done
function delete_ca() {
- local tls_ca_secret="${release}-ca-tls"
+ local tls_ca_secret="${release}-${caSuffix}"
kubectl delete secret ${tls_ca_secret} -n ${namespace}
}
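Review bot: `caSuffix` now flows straight from the `--ca-suffix` argument into the Secret name with no validation, so `--ca-suffix ""` asks kubectl to delete `${release}-` and a value containing whitespace splits into extra arguments because `${tls_ca_secret}` is expanded unquoted. A guard after option parsing, `[[ -n "${caSuffix}" ]] || { echo "--ca-suffix must not be empty" >&2; exit 1; }`, together with `kubectl delete secret "${tls_ca_secret}" -n "${namespace}"`, covers both; `upload_ca` in upload_tls.sh has the same shape. Note that this still deletes only the Secret for the current suffix, so after a swap the previous CA's Secret remains until the script is re-run with the old suffix.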
diff --git a/scripts/pulsar/upload_tls.sh b/scripts/pulsar/upload_tls.sh
index 3485089..7a993fe 100755
--- a/scripts/pulsar/upload_tls.sh
+++ b/scripts/pulsar/upload_tls.sh
@@ -25,6 +25,7 @@ cd ${CHART_HOME}
namespace=${namespace:-pulsar}
release=${release:-pulsar-dev}
+caSuffix=${caSuffix:-ca-tls}
tlsdir=${tlsdir:-"${HOME}/.config/pulsar/security_tool/gen/ca"}
clientComponents=${clientComponents:-""}
serverComponents=${serverComponents:-"bookie,broker,proxy,recovery,zookeeper,toolset"}
@@ -37,6 +38,7 @@ Options:
-h,--help prints the usage message
-n,--namespace the k8s namespace to install the pulsar helm chart. Defaut to ${namespace}.
-k,--release the pulsar helm release name. Default to ${release}.
+ -ca,--ca-suffix the suffix used to name the CA certificate. Default to ${caSuffix}.
-d,--dir the dir for storing tls certs. Default to ${tlsdir}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
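Review bot: The new help line describes `--ca-suffix` as "the suffix used to name the CA certificate", but the value names the Kubernetes Secret that `upload_ca` creates from `ca.crt` (`${release}-${caSuffix}`), not the certificate, and the operator has to know it must match `tls.ca_suffix` in the chart values for the pods to mount it. Suggest `-ca,--ca-suffix the suffix appended to the release name to form the CA secret name (<release>-<suffix>); must match tls.ca_suffix in values.yaml. Default to ${caSuffix}.` The same wording appears in clean_tls.sh.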
@@ -61,6 +63,11 @@ case $key in
shift
shift
;;
+ -ca|--ca-suffix)
+ caSuffix="$2"
+ shift
+ shift
+ ;;
-d|--dir)
tlsdir="$2"
shift
@@ -95,7 +102,7 @@ done
ca_cert_file=${tlsdir}/certs/ca.cert.pem
function upload_ca() {
- local tls_ca_secret="${release}-ca-tls"
+ local tls_ca_secret="${release}-${caSuffix}"
kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
}