separate name for client and node certmanagerissuer
yecs1999 committed Nov 2, 2022
1 parent 5c3a510 commit 5ebba26
Showing 6 changed files with 52 additions and 38 deletions.
19 changes: 11 additions & 8 deletions build/templates/README.md
Expand Up @@ -147,7 +147,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
If you wish to supply certificates with [cert-manager][3], set

* `tls.certs.certManager` to `yes`/`true`
* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster

Example issuer:

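Review bot: the new bullet says `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer`, but after this change each Certificate template reads its own block, so a user who sets only one of them leaves the other Certificate on the chart default; "and" is the accurate word. Suggest: "`tls.certs.nodeCertManagerIssuer` and `tls.certs.clientCertManagerIssuer` to IssuerRefs (as they appear in certificate resources) pointing to a ClusterIssuer or Issuer you have set up in the cluster" (this also drops the stray comma before "you have set up"). A sentence on whether the two issuers may be backed by different CAs would help, since nodes must trust whatever CA signs the client certificates.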
Expand Down Expand Up @@ -403,13 +403,16 @@ For details see the [`values.yaml`](values.yaml) file.
| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
| `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
| `tls.certs.clientCertManagerIssuer.certDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.clientCertManagerIssuer.certExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.nodeCertManagerIssuer.certDuration` | Duration of node cert in hours | `8760h` |
| `tls.certs.nodeCertManagerIssuer.certExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
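Review bot: the defaults column still shows `cockroachdb` as the `name` for both `clientCertManagerIssuer` and `nodeCertManagerIssuer`, while the values.yaml hunk in this same commit changes them to `cockroachdb-client` and `cockroachdb-node`; update the two `name` rows to match. The duration rows also keep "in hours" from the old wording, but the values are Go duration strings as cert-manager expects them; "Duration of client cert (Go duration, e.g. `672h`)" would be clearer than "in hours".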
16 changes: 10 additions & 6 deletions build/templates/values.yaml
Expand Up @@ -481,18 +481,22 @@ tls:
# Specify an Issuer or a ClusterIssuer to use, when issuing
# node and client certificates. The values correspond to the
# issuerRef specified in the certificate.
certManagerIssuer:
clientCertManagerIssuer:
group: cert-manager.io
kind: Issuer
name: cockroachdb
name: cockroachdb-client
# Duration of Client certificates in hours
clientCertDuration: 672h
certDuration: 672h
# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: 48h
certExpiryWindow: 48h
nodeCertManagerIssuer:
group: cert-manager.io
kind: Issuer
name: cockroachdb-node
# Duration of node certificates in hours
nodeCertDuration: 8760h
certDuration: 8760h
# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: 168h
certExpiryWindow: 168h
# Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
# Legacy CRDs only support cert-manager.io/v1 API Versions
useCertManagerV1CRDs: false
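Review bot: renaming `certManagerIssuer` to `clientCertManagerIssuer`/`nodeCertManagerIssuer` and at the same time changing the default issuer name from `cockroachdb` to `cockroachdb-client`/`cockroachdb-node` is a breaking values change that nothing in the hunk flags. An existing install that upgrades with its old `tls.certs.certManagerIssuer` overrides silently gets these new defaults, its Certificates are rewritten to point at Issuers that do not exist in a cluster set up per the previous README, and cert-manager's re-issuance against the new issuerRef fails. Suggest keeping `certManagerIssuer` as a deprecated fallback for one release, or at minimum a comment here such as `# Replaces the former tls.certs.certManagerIssuer block` plus an entry in the chart changelog, so operators create the two Issuers before upgrading.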
19 changes: 11 additions & 8 deletions cockroachdb/README.md
Expand Up @@ -148,7 +148,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
If you wish to supply certificates with [cert-manager][3], set

* `tls.certs.certManager` to `yes`/`true`
* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster

Example issuer:

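Review bot: same wording issue as in build/templates/README.md: with separate blocks per Certificate, "or" should be "and", and the comma before "you have set up in the cluster" should go. Keeping the two README copies word-for-word identical matters here because the tables further down in this commit already diverge between them.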
Expand Down Expand Up @@ -404,13 +404,16 @@ For details see the [`values.yaml`](values.yaml) file.
| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
| `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
| `tls.certs.clientCertManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.clientCertManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.nodeCertManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
| `tls.certs.nodeCertManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
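Review bot: the four duration rows document keys that do not exist. This file lists `tls.certs.clientCertManagerIssuer.clientCertDuration`, `clientCertExpiryWindow`, `nodeCertManagerIssuer.nodeCertDuration` and `nodeCertExpiryWindow`, whereas values.yaml and both Certificate templates in this commit use `certDuration` and `certExpiryWindow` under each block, and build/templates/README.md in the same commit already uses the correct names. A user copying these keys from the README gets a values file the templates ignore. Replace the four rows with the `certDuration`/`certExpiryWindow` variants, and fix the two `name` defaults (`cockroachdb-client`, `cockroachdb-node`) while here.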
10 changes: 5 additions & 5 deletions cockroachdb/templates/certificate.client.yaml
Expand Up @@ -17,8 +17,8 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }}
duration: {{ .Values.tls.certs.clientCertManagerIssuer.certDuration }}
renewBefore: {{ .Values.tls.certs.clientCertManagerIssuer.certExpiryWindow }}
usages:
- digital signature
- key encipherment
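Review bot: `duration` and `renewBefore` are read without a guard, so a values file that still carries the old `certManagerIssuer.clientCertDuration` renders `duration:` with no value; Helm emits a YAML null, cert-manager applies its own default lifetime (90 days) and renewal window, and the chart's `672h`/`48h` rotation policy is silently replaced. Wrap the lookups so a stale values file fails at render time instead, e.g. `duration: {{ required "tls.certs.clientCertManagerIssuer.certDuration is required" .Values.tls.certs.clientCertManagerIssuer.certDuration }}`, and likewise for `renewBefore`.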
Expand All @@ -42,7 +42,7 @@ spec:
{{- end }}
secretName: {{ .Values.tls.certs.clientRootSecret }}
issuerRef:
name: {{ .Values.tls.certs.certManagerIssuer.name }}
kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
group: {{ .Values.tls.certs.certManagerIssuer.group }}
name: {{ .Values.tls.certs.clientCertManagerIssuer.name }}
kind: {{ .Values.tls.certs.clientCertManagerIssuer.kind }}
group: {{ .Values.tls.certs.clientCertManagerIssuer.group }}
{{- end }}
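Review bot: with `issuerRef` now taken from `clientCertManagerIssuer`, the client and node certificates may be signed by different Issuers and therefore by different CAs, and nothing in this change makes the node pods trust the client CA. CockroachDB can use a separate client CA, but only if that CA certificate is mounted into the node's certs directory as `ca-client.crt`; otherwise both Issuers must share the same CA or client authentication to the nodes fails. Either state in the README that the two Issuers must be backed by the same CA, or wire the client CA into the node secret as part of this change.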
10 changes: 5 additions & 5 deletions cockroachdb/templates/certificate.node.yaml
Expand Up @@ -17,8 +17,8 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }}
duration: {{ .Values.tls.certs.nodeCertManagerIssuer.certDuration }}
renewBefore: {{ .Values.tls.certs.nodeCertManagerIssuer.certExpiryWindow }}
usages:
- digital signature
- key encipherment
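Review bot: the same unguarded lookup as in the client template, with a larger effect: an unset `nodeCertManagerIssuer.certDuration` renders `duration:` as null, so cert-manager falls back to its 90-day default and node certificates drop from the chart's `8760h` to 90 days with no error at `helm upgrade`. Use `{{ required "..." .Values.tls.certs.nodeCertManagerIssuer.certDuration }}` (or `{{ default "8760h" ... }}` if a silent default is acceptable) so the rendered Certificate is always explicit about its lifetime.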
Expand Down Expand Up @@ -52,7 +52,7 @@ spec:
- {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
secretName: {{ .Values.tls.certs.nodeSecret }}
issuerRef:
name: {{ .Values.tls.certs.certManagerIssuer.name }}
kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
group: {{ .Values.tls.certs.certManagerIssuer.group }}
name: {{ .Values.tls.certs.nodeCertManagerIssuer.name }}
kind: {{ .Values.tls.certs.nodeCertManagerIssuer.kind }}
group: {{ .Values.tls.certs.nodeCertManagerIssuer.group }}
{{- end }}
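Review bot: the default `kind` for `nodeCertManagerIssuer` is `Issuer`, which is namespaced, so the Issuer named `cockroachdb-node` must exist in the release namespace; the README rows in this commit neither say that nor show the new name. Also note that an operator who replaces the whole `nodeCertManagerIssuer` block with `null` to fall back to the old key gets a nil-pointer render error on `.name` rather than a useful message; if the old `certManagerIssuer` key is kept as a fallback, resolve it once in a helper (e.g. `{{- define "cockroachdb.nodeIssuer" -}}`) and reference that here instead of the raw values path.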
16 changes: 10 additions & 6 deletions cockroachdb/values.yaml
Expand Up @@ -482,18 +482,22 @@ tls:
# Specify an Issuer or a ClusterIssuer to use, when issuing
# node and client certificates. The values correspond to the
# issuerRef specified in the certificate.
certManagerIssuer:
clientCertManagerIssuer:
group: cert-manager.io
kind: Issuer
name: cockroachdb
name: cockroachdb-client
# Duration of Client certificates in hours
clientCertDuration: 672h
certDuration: 672h
# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: 48h
certExpiryWindow: 48h
nodeCertManagerIssuer:
group: cert-manager.io
kind: Issuer
name: cockroachdb-node
# Duration of node certificates in hours
nodeCertDuration: 8760h
certDuration: 8760h
# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: 168h
certExpiryWindow: 168h
# Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
# Legacy CRDs only support cert-manager.io/v1 API Versions
useCertManagerV1CRDs: false
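Review bot: the header comment "Specify an Issuer or a ClusterIssuer to use, when issuing node and client certificates" now sits only above `clientCertManagerIssuer`, so the `nodeCertManagerIssuer` block below it is undocumented; repeat the comment (or a one-liner such as `# Issuer for node certificates; must be trusted by clients`) above the node block, and mention that `kind` may be `ClusterIssuer` for both. The defaults here (`cockroachdb-client`, `cockroachdb-node`) are consistent with build/templates/values.yaml, which is good, but they are what the README tables in this commit still need to pick up.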

0 comments on commit 5ebba26