Add support for ClusterIssuer for certificates (#630)

lhotari · web-flow · commit 5aad65c28761 · 2025-09-16T15:11:33.000+03:00
* Add support for ClusterIssuer

* Add validation that kind must be Issuer when issuer is created as part of the deployment
diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
@@ -107,12 +107,8 @@ spec:
   # Issuer references are always required.
   issuerRef:
     name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+    kind: "{{ default "Issuer" .root.Values.certs.issuers.ca.kind }}"
+    group: "{{ default "cert-manager.io" .root.Values.certs.issuers.ca.group }}"
 {{- end -}}
 
 {{/*
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -55,6 +55,9 @@ spec:
     group: cert-manager.io
 ---
 {{- end }}
+{{- if and (eq .Values.certs.internal_issuer.type "ca") (not (eq .Values.certs.issuers.ca.kind "Issuer")) -}}
+{{- fail "Set certs.internal_issuer.enabled to false when using certs.issuers.ca.kind other than Issuer." -}}
+{{- end }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
@@ -397,6 +397,10 @@ certs:
       # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
       # and selfsigning is not used
       secretName:
+      # The k8s kind of the ca issuer: Issuer or ClusterIssuer
+      kind: Issuer
+      # Issuer group
+      group: cert-manager.io
 
 ######################################################################
 # Below are settings for each component
