set template for ca issuer name and secret name + geo-replication installation example

charts/pulsar/templates/_autorecovery.tpl

@@ -75,7 +75,7 @@ Define autorecovery tls certs volumes
 - name: ca
   secret:
     {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     {{- end }}
     {{- if eq .Values.certs.internal_issuer.type "ca" }}
     secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/_bookkeeper.tpl

@@ -76,7 +76,7 @@ Define bookie tls certs volumes
 - name: ca
   secret:
     {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     {{- end }}
     {{- if eq .Values.certs.internal_issuer.type "ca" }}
     secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/_broker.tpl

@@ -82,7 +82,7 @@ Define broker tls certs volumes
 - name: ca
   secret:
     {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     {{- end }}
     {{- if eq .Values.certs.internal_issuer.type "ca" }}
     secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/_certs.tpl

@@ -0,0 +1,40 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Define the pulsar certs ca issuer name
+*/}}
+{{- define "pulsar.certs.issuers.ca.name" -}}
+{{- if .Values.certs.issuers.ca.name -}}
+{{- .Values.certs.issuers.ca.name -}}
+{{- else -}}
+{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer
+{{- end -}}
+{{- end -}}
+
+{{/*
+Define the pulsar certs ca issuer secret name
+*/}}
+{{- define "pulsar.certs.issuers.ca.secretName" -}}
+{{- if .Values.certs.issuers.ca.secretName -}}
+{{- .Values.certs.issuers.ca.secretName -}}
+{{- else -}}
+{{ printf "%s-%s" .Release.Name .Values.tls.ca_suffix }}
+{{- end -}}
+{{- end -}}

charts/pulsar/templates/_toolset.tpl

@@ -75,7 +75,7 @@ Define toolset tls certs volumes
 - name: ca
   secret:
     {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
     {{- end }}
     {{- if eq .Values.certs.internal_issuer.type "ca" }}
     secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/proxy-statefulset.yaml

@@ -297,7 +297,7 @@ spec:
         - name: ca
           secret:
             {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-            secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+            secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
             {{- end }}
             {{- if eq .Values.certs.internal_issuer.type "ca" }}
             secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/tls-cert-internal-issuer.yaml

@@ -33,7 +33,7 @@ metadata:
   name: "{{ template "pulsar.fullname" . }}-ca"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
-  secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+  secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
   commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
   duration: "{{ .Values.certs.internal_issuer.duration }}"
   renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
@@ -53,17 +53,17 @@ spec:
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   ca:
-    secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+    secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
 {{- end }}
 {{- if eq .Values.certs.internal_issuer.type "ca" }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
-  name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+  name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   ca:

charts/pulsar/templates/tls-certs-internal.yaml

@@ -18,7 +18,6 @@
 #
 
 {{- if .Values.tls.enabled }}
-{{- if .Values.certs.internal_issuer.enabled }}
 
 {{- if .Values.tls.proxy.enabled }}
 {{- if .Values.tls.proxy.createCert }}
@@ -66,7 +65,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -122,7 +121,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -176,7 +175,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -230,7 +229,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -281,7 +280,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -332,7 +331,7 @@ spec:
     -  "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
   # Issuer references are always required.
   issuerRef:
-    name: "{{ template "pulsar.fullname" . }}-{{ .Values.certs.internal_issuer.component }}-ca-issuer"
+    name: "{{ template "pulsar.certs.issuers.ca.name" . }}"
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
@@ -342,4 +341,3 @@ spec:
 {{- end }}
 
 {{- end }}
-{{- end }}

charts/pulsar/templates/toolset-statefulset.yaml

@@ -129,7 +129,7 @@ spec:
       - name: proxy-ca
         secret:
           {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           {{- end }}
           {{- if eq .Values.certs.internal_issuer.type "ca" }}
           secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/templates/zookeeper-statefulset.yaml

@@ -253,7 +253,7 @@ spec:
       - name: ca
         secret:
           {{- if eq .Values.certs.internal_issuer.type "selfsigning" }}
-          secretName: "{{ .Release.Name }}-{{ .Values.tls.ca_suffix }}"
+          secretName: "{{ template "pulsar.certs.issuers.ca.secretName" . }}"
           {{- end }}
           {{- if eq .Values.certs.internal_issuer.type "ca" }}
           secretName: "{{ .Values.certs.issuers.ca.secretName }}"

charts/pulsar/values.yaml

@@ -295,7 +295,7 @@ auth:
 ######################################################################
 
 ## cert-manager
-## templates/tls-cert-issuer.yaml
+## templates/tls-cert-internal-issuer.yaml
 ##
 ## Cert manager is used for automatically provisioning TLS certificates
 ## for components within a Pulsar cluster
@@ -311,10 +311,11 @@ certs:
     # 15d
     renewBefore: 360h
   issuers:
-    # Used for certs.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
+    # Used for certs.internal_issuer.type as selfsigning, the selfsigned issuer has no dependency on any other resource.
     selfsigning:
-    # used for certs.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
+    # used for certs.internal_issuer.type as ca, the CA issuer needs to reference a Secret which contains your CA certificate and signing private key.
     ca:
+      name:
       secretName:
 
 ######################################################################

examples/geo-replication/README.md

@@ -0,0 +1,26 @@
+# Apache Pulsar geo-replication
+
+This example is used to test apache pulsar geo-replication in the same namespace with self signed certificates :
+
+1. Install the global zookeeper cluster with `values-global-zookeeper.yaml` values. 
+
+   It will also create the CA issuer used to create certificates for all components.
+
+   The helm release name is supposed to be `global-zookeeper`, otherwise you nedd to change `broker.configData.configurationStoreServers` in ths following pulsar clusters values.
+
+2. Install the first pulsar cluster with `values-pulsar-cluster-1.yaml` values.
+
+3. Install the second pulsar cluster with `values-pulsar-cluster-2.yaml` values.
+
+When connecting to the global zookeeper, you can see the 2 pulsar clusters :
+
+```
+$ kubectl exec global-zookeeper-zookeeper-0 -i -t -- /pulsar/bin/pulsar zookeeper-shell
+...
+[zk: localhost:2181(CONNECTED) 0] ls /
+[admin, zookeeper]
+[zk: localhost:2181(CONNECTED) 1] ls /admin
+[clusters, policies]
+[zk: localhost:2181(CONNECTED) 2] ls /admin/clusters
+[cluster-1, cluster-2]
+```

examples/geo-replication/values-global-zookeeper.yaml

@@ -0,0 +1,26 @@
+components:
+  zookeeper: true
+  oxia: false
+  bookkeeper: false
+  autorecovery: false
+  broker: false
+  functions: false
+  proxy: false
+  toolset: false
+  pulsar_manager: false
+
+tls:
+  enabled: true
+  zookeeper:
+    enabled: true
+
+certs:
+  internal_issuer:
+    # Create a self-signed issuer
+    enabled: true
+    type: selfsigning
+  issuers:
+    # Set CA issuer name and secret name so we can reuse them for the other pulsar clusters
+    ca:
+      name: pulsar-ca-issuer
+      secretName: pulsar-ca-issuer-tls

examples/geo-replication/values-pulsar-cluster-1.yaml

@@ -0,0 +1,31 @@
+clusterName: cluster-1
+
+components:
+  zookeeper: true
+  oxia: false
+  bookkeeper: true
+  autorecovery: false
+  broker: true
+  functions: false
+  proxy: false
+  toolset: false
+  pulsar_manager: false
+
+tls:
+  enabled: true
+  zookeeper:
+    enabled: true
+
+certs:
+  internal_issuer:
+    enabled: false
+  issuers:
+    # Use global zookeeper issuer name and secret
+    ca:
+      name: pulsar-ca-issuer
+      secretName: pulsar-ca-issuer-tls
+
+broker:
+  configData:
+    # global zookeeper svc name and TLS port
+    configurationStoreServers: "global-zookeeper:2281"

examples/geo-replication/values-pulsar-cluster-2.yaml

@@ -0,0 +1,31 @@
+clusterName: cluster-2
+
+components:
+  zookeeper: true
+  oxia: false
+  bookkeeper: true
+  autorecovery: false
+  broker: true
+  functions: false
+  proxy: false
+  toolset: false
+  pulsar_manager: false
+
+tls:
+  enabled: true
+  zookeeper:
+    enabled: true
+
+certs:
+  internal_issuer:
+    enabled: false
+  issuers:
+    # Use global zookeeper issuer name and secret
+    ca:
+      name: pulsar-ca-issuer
+      secretName: pulsar-ca-issuer-tls
+
+broker:
+  configData:
+    # global zookeeper svc name and TLS port
+    configurationStoreServers: "global-zookeeper:2281"