New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support external cert secret #559

Open

ericsyh wants to merge 7 commits into apache:master from ericsyh:support-external-certSecret

ericsyh commented Dec 11, 2024

Fixes #

Motivation

To support the scenario that users have pre-generated tls certificates. Case like users have existing certificate secrets created by cert-manager or by manual, with this PR we can allow the zk, bk, broker, proxy and toolset to use the pre-generated secrets.

Modifications

In the values, we add several new fields:

tls.common.caSecretName: the pre-generated ca certificate, only used when the untrustedCa equals true
tls.component.certSecretName: the pre-generated tls certificate for each component.
tls.component.untrustedCa: untrustedCa means the selfsigned, and will require the caSecret.

Verifying this change

Make sure that the change passes the CI checks.

ericsyh added 3 commits

December 11, 2024 21:22


          feat: support external certSecrets

e7dceef

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>


          update ca template

790a71c

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>


          fix issues

bf6cb77

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>

lhotari reviewed

View reviewed changes

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for proxy
                 proxy:
                   enabled: false
                   cert_name: tls-proxy
                   createCert: true  # set to false if you want to use an existing certificate
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

Please add documentation comments for the added untrustedCa configuration keys. I wonder if this is the best possible name for the configuration key. Please consider a better name, for example mountKeyAndCertificate etc. if that's what this is about.

Author

ericsyh Dec 13, 2024

updated the description in 20ed697

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for broker
                 broker:
                   enabled: false
                   cert_name: tls-broker
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

I don't see this key Values.broker.untrustedCa being referenced in the templates.

Author

ericsyh Dec 13, 2024

this comment is fixed by 736dbf8 commit

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for bookies
                 bookie:
                   enabled: false
                   cert_name: tls-bookie
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

I don't see this key Values.bookie.untrustedCa being referenced in the templates.

Author

ericsyh Dec 13, 2024

this comment is fixed by 736dbf8 commit

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for zookeeper
                 zookeeper:
                   enabled: false
                   cert_name: tls-zookeeper
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

I don't see this key Values.zookeeper.untrustedCa being referenced in the templates.

Author

ericsyh Dec 13, 2024

this comment is fixed by 736dbf8 commit

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for recovery
                 autorecovery:
                   cert_name: tls-recovery
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

I don't see this key Values.autorecovery.untrustedCa being referenced in the templates.

Author

ericsyh Dec 13, 2024

this comment is fixed by 736dbf8 commit

charts/pulsar/values.yaml Outdated

                 # settings for generating certs for toolset
                 toolset:
                   cert_name: tls-toolset
+                  # specify name of secret contain certificate if using pre-generated certificate
+                  certSecretName:
+                  untrustedCa: true

Member

lhotari Dec 11, 2024

I don't see this key Values.toolset.untrustedCa being referenced in the templates.

Author

ericsyh Dec 13, 2024

this comment is fixed by 736dbf8 commit

ericsyh added 4 commits

December 12, 2024 10:00


          fix review comments

736dbf8

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>


          update the configuration names

8392e2b

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>


          update description

20ed697

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>


          add example

2db632c

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet