Allow use of ClusterIssuer for all component certs

[jonathanhartley]

In our environments we use a ClusterIssuer for all "in cluster" generated certs
This allows clients to verify those certs as we supply a configMap of the CA cert (not key) in all namespaces

The issue with this helm chart is that it generates its own "CA" by requesting a cert/key from our ClusterIssuer and then uses that to generate an "Issuer" (namespace scoped) to then generate all component certs from.

So unless clients have access to the "CA" to insert into their chain they cannot verify the certs.

The fix would be to allow ALL component certs to use the configured ClusterIssuer

This would mean it does not have to rotate its CA every 90 days and it cuts out extra components (the Issuer)

[jonrhartley]

pulsar-diff.txt

Here is a quick example of how I would accomplish this

[lhotari]

including pulsar-diff.txt here as comment so that it's easier to comment on it.

diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
index 5aad491..2c683cb 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -67,6 +67,9 @@ Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Valu
 {{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
 {{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
 {{- end -}}
+{{- if and .root.Values.certs.internal_issuer.enabled .root.Values.certs.cluster_issuer.enabled -}}
+{{- fail "Please only enable one of internal_issuer or cluster_issuer" -}}
+{{- end -}}
 apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
 kind: Certificate
 metadata:
@@ -106,10 +109,18 @@ spec:
     - {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
   # Issuer references are always required.
   issuerRef:
+{{- if .root.Values.certs.cluster_issuer.enabled }}
+    name: {{ .root.Values.certs.cluster_issuer.name | quote }}
+{{- else }}
     name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
+{{- end }}
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
+{{- if .root.Values.certs.cluster_issuer.enabled }}
+    kind: ClusterIssuer
+{{- else }}
     kind: Issuer
+{{- end }}
     # This is optional since cert-manager will default to this value however
     # if you are using an external issuer, change this to that issuer group.
     group: cert-manager.io
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 0c65860..c5be28a 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -397,6 +397,11 @@ certs:
       # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
       # and selfsigning is not used
       secretName:
+  cluster_issuer:
+    # set this to true if you want to use a ClusterIssuer and not create the Issuer
+    # ensure you dont set both to enabled (cluster_issuer and internal_issuer)
+    enabled: false
:...skipping...
diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
index 5aad491..2c683cb 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -67,6 +67,9 @@ Usage: {{- include "pulsar.cert.template" (dict "root" . "componentConfig" .Valu
 {{- if eq .root.Values.certs.internal_issuer.apiVersion "cert-manager.io/v1beta1" -}}
 {{- fail "cert-manager.io/v1beta1 is no longer supported. Please set certs.internal_issuer.apiVersion to cert-manager.io/v1" -}}
 {{- end -}}
+{{- if and .root.Values.certs.internal_issuer.enabled .root.Values.certs.cluster_issuer.enabled -}}
+{{- fail "Please only enable one of internal_issuer or cluster_issuer" -}}
+{{- end -}}
 apiVersion: "{{ .root.Values.certs.internal_issuer.apiVersion }}"
 kind: Certificate
 metadata:
@@ -106,10 +109,18 @@ spec:
     - {{ printf "%s-%s" (include "pulsar.fullname" .root) .componentConfig.component | quote }}
   # Issuer references are always required.
   issuerRef:
+{{- if .root.Values.certs.cluster_issuer.enabled }}
+    name: {{ .root.Values.certs.cluster_issuer.name | quote }}
+{{- else }}
     name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
+{{- end }}
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
+{{- if .root.Values.certs.cluster_issuer.enabled }}
+    kind: ClusterIssuer
+{{- else }}
     kind: Issuer
+{{- end }}
     # This is optional since cert-manager will default to this value however
     # if you are using an external issuer, change this to that issuer group.
     group: cert-manager.io
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 0c65860..c5be28a 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -397,6 +397,11 @@ certs:
       # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
       # and selfsigning is not used
       secretName:
+  cluster_issuer:
+    # set this to true if you want to use a ClusterIssuer and not create the Issuer
+    # ensure you dont set both to enabled (cluster_issuer and internal_issuer)
+    enabled: false
+    name: cluster-issuer-name

 ######################################################################
 # Below are settings for each component

[lhotari]

I guess the starting point would be to make it clear and consistent from the configuration in values.yaml how to use a ClusterIssuer while keeping backwards compatibility. This is the current certs key in values.yaml:

pulsar-helm-chart/charts/pulsar/values.yaml

Lines 367 to 399 in ab99e91

	## cert-manager
	## templates/tls-cert-internal-issuer.yaml
	##
	## Cert manager is used for automatically provisioning TLS certificates
	## for components within a Pulsar cluster
	certs:
	internal_issuer:
	apiVersion: cert-manager.io/v1
	# To enable internal issuer for TLS certificates, set this to true
	# It is necessary to have cert-manager installed in the cluster
	enabled: false
	component: internal-cert-issuer
	# The type of issuer, supports selfsigning and ca
	type: selfsigning
	# 90d
	duration: 2160h
	# 15d
	renewBefore: 360h
	issuers:
	# Used for certs.internal_issuer.type as selfsigning
	selfsigning:
	# The name of the issuer, if not specified, the default value is used
	name:
	# The secret name of the selfsigned CA certificate, if not specified, the default value is used
	secretName:
	# used for certs.internal_issuer.type as ca or when internal_issuer is disabled
	ca:
	# The name of the issuer, it is mandatory to specify this value if TLS is enabled
	# and selfsigning is not used
	name:
	# The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
	# and selfsigning is not used
	secretName:

I think that instead of adding certs.cluster_issuer key, that the correct solution would be to add a type under certs.issuers.ca key instead:

certs:
# ...
    # used for certs.internal_issuer.type as ca or when internal_issuer is disabled
    ca:
      # The name of the issuer, it is mandatory to specify this value if TLS is enabled
      # and selfsigning is not used
      name:
      # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
      # and selfsigning is not used
      secretName:
      # The k8s kind of the issuer: Issuer or ClusterIssuer
      kind: Issuer

[lhotari]

@jonrhartley Please check if #630 would cover your needs