From b996a17be60c8adb3a46df8ac874b9a05eb9e694 Mon Sep 17 00:00:00 2001 From: yecs1999 Date: Tue, 1 Nov 2022 17:31:03 -0700 Subject: [PATCH] separate name for client and node certmanagerissuer --- build/templates/README.md | 19 +++++++++++-------- build/templates/values.yaml | 16 ++++++++++------ cockroachdb/README.md | 19 +++++++++++-------- cockroachdb/templates/certificate.client.yaml | 10 +++++----- cockroachdb/templates/certificate.node.yaml | 10 +++++----- cockroachdb/values.yaml | 16 ++++++++++------ 6 files changed, 52 insertions(+), 38 deletions(-) diff --git a/build/templates/README.md b/build/templates/README.md index ddcc3693..073bbbe1 100644 --- a/build/templates/README.md +++ b/build/templates/README.md @@ -147,7 +147,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc If you wish to supply certificates with [cert-manager][3], set * `tls.certs.certManager` to `yes`/`true` -* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster +* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster Example issuer: 
@@ -403,13 +403,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
 | `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
 | `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
-| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
-| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
-| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
-| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
-| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
+| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
+| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
+| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
+| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
+| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
+| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
+| `tls.certs.clientCertManagerIssuer.certDuration` | Duration of client cert in hours | `672h` |
+| `tls.certs.clientCertManagerIssuer.certExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.nodeCertManagerIssuer.certDuration` | Duration of node cert in hours | `8760h` |
+| `tls.certs.nodeCertManagerIssuer.certExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
 | `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
 | `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
diff --git a/build/templates/values.yaml b/build/templates/values.yaml
index f4f89d79..700e09ba 100644
--- a/build/templates/values.yaml
+++ b/build/templates/values.yaml
@@ -481,18 +481,22 @@ tls: # Specify an Issuer or a ClusterIssuer to use, when issuing # node and client certificates. The values correspond to the # issuerRef specified in the certificate. - certManagerIssuer: + clientCertManagerIssuer: group: cert-manager.io kind: Issuer - name: cockroachdb + name: cockroachdb-client # Duration of Client certificates in hours - clientCertDuration: 672h + certDuration: 672h # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated. - clientCertExpiryWindow: 48h + certExpiryWindow: 48h + nodeCertManagerIssuer: + group: cert-manager.io + kind: Issuer + name: cockroachdb-node # Duration of node certificates in hours - nodeCertDuration: 8760h + certDuration: 8760h # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. - nodeCertExpiryWindow: 168h + certExpiryWindow: 168h # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs # Legacy CRDs only support cert-manager.io/v1 API Versions useCertManagerV1CRDs: false diff --git a/cockroachdb/README.md b/cockroachdb/README.md index 15db8e06..f4533464 100644 --- a/cockroachdb/README.md +++ b/cockroachdb/README.md @@ -148,7 +148,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc If you wish to supply certificates with [cert-manager][3], set * `tls.certs.certManager` to `yes`/`true` -* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster +* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster Example issuer: 
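Review bot: The new defaults `name: cockroachdb-client` and `name: cockroachdb-node` replace the single default `cockroachdb`, so after an upgrade an existing install whose Issuer is named `cockroachdb`, or whose values file still sets the removed `tls.certs.certManagerIssuer.name`, gets Certificate resources whose `issuerRef` points at Issuers that do not exist, and cert-manager cannot issue or renew the node and client certificates. Keeping `cockroachdb` as the default `name` in both maps, or failing the render when the old key is present, would make the upgrade safe; as written the README tables in this same commit still document `cockroachdb` as the default name for both issuers, so they disagree with this hunk. The comment above `clientCertManagerIssuer` still reads `# node and client certificates.` although it now describes only the client issuer, and `nodeCertManagerIssuer` has no comment at all; I would narrow the first to client certificates and add `# Issuer or ClusterIssuer used for the node certificates; same keys as clientCertManagerIssuer.` above `nodeCertManagerIssuer:`. The cockroachdb/values.yaml hunk further down has identical content and the same points apply there.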
@@ -404,13 +404,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
 | `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
 | `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
-| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
-| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
-| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
-| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
-| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
+| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
+| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
+| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
+| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
+| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
+| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
+| `tls.certs.clientCertManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
+| `tls.certs.clientCertManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.nodeCertManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
+| `tls.certs.nodeCertManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
 | `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
 | `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
diff --git a/cockroachdb/templates/certificate.client.yaml b/cockroachdb/templates/certificate.client.yaml
index b32d0c76..19414565 100644
--- a/cockroachdb/templates/certificate.client.yaml
+++ b/cockroachdb/templates/certificate.client.yaml
@@ -17,8 +17,8 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }} - renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }} + duration: {{ .Values.tls.certs.clientCertManagerIssuer.certDuration }} + renewBefore: {{ .Values.tls.certs.clientCertManagerIssuer.certExpiryWindow }} usages: - digital signature - key encipherment @@ -42,7 +42,7 @@ spec: {{- end }} secretName: {{ .Values.tls.certs.clientRootSecret }} issuerRef: - name: {{ .Values.tls.certs.certManagerIssuer.name }} - kind: {{ .Values.tls.certs.certManagerIssuer.kind }} - group: {{ .Values.tls.certs.certManagerIssuer.group }} + name: {{ .Values.tls.certs.clientCertManagerIssuer.name }} + kind: {{ .Values.tls.certs.clientCertManagerIssuer.kind }} + group: {{ .Values.tls.certs.clientCertManagerIssuer.group }} {{- end }} diff --git a/cockroachdb/templates/certificate.node.yaml b/cockroachdb/templates/certificate.node.yaml index 38ff1bff..8dadd036 100644 --- a/cockroachdb/templates/certificate.node.yaml +++ b/cockroachdb/templates/certificate.node.yaml @@ -17,8 +17,8 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }} - renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }} + duration: {{ .Values.tls.certs.nodeCertManagerIssuer.certDuration }} + renewBefore: {{ .Values.tls.certs.nodeCertManagerIssuer.certExpiryWindow }} usages: - digital signature - key encipherment 
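Review bot: Nothing in the template notices a values file that still sets the old `tls.certs.certManagerIssuer` map, which the chart stops reading with this change; such an upgrade renders `duration`, `renewBefore` and `issuerRef` from the new chart defaults instead of the operator's settings, and if the default issuer names do not exist in the cluster, cert-manager cannot issue the client certificate into `secretName: {{ .Values.tls.certs.clientRootSecret }}` while `helm upgrade` reports success. A guard at the top of the template would turn that silent misconfiguration into a render-time error: `{{- if .Values.tls.certs.certManagerIssuer }}{{ fail "tls.certs.certManagerIssuer was replaced by tls.certs.clientCertManagerIssuer and tls.certs.nodeCertManagerIssuer" }}{{- end }}`. The `issuerRef` hunk of this file and both hunks of certificate.node.yaml read the new keys the same way, so one guard in either template covers all of them. The conditional that presumably wraps the whole Certificate resource (its `{{- end }}` closes the second hunk) starts above this hunk.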
@@ -52,7 +52,7 @@ spec: - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }} secretName: {{ .Values.tls.certs.nodeSecret }} issuerRef: - name: {{ .Values.tls.certs.certManagerIssuer.name }} - kind: {{ .Values.tls.certs.certManagerIssuer.kind }} - group: {{ .Values.tls.certs.certManagerIssuer.group }} + name: {{ .Values.tls.certs.nodeCertManagerIssuer.name }} + kind: {{ .Values.tls.certs.nodeCertManagerIssuer.kind }} + group: {{ .Values.tls.certs.nodeCertManagerIssuer.group }} {{- end }} diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml index 52e4c4be..cf20b008 100644 --- a/cockroachdb/values.yaml +++ b/cockroachdb/values.yaml @@ -482,18 +482,22 @@ tls: # Specify an Issuer or a ClusterIssuer to use, when issuing # node and client certificates. The values correspond to the # issuerRef specified in the certificate. - certManagerIssuer: + clientCertManagerIssuer: group: cert-manager.io kind: Issuer - name: cockroachdb + name: cockroachdb-client # Duration of Client certificates in hours - clientCertDuration: 672h + certDuration: 672h # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated. - clientCertExpiryWindow: 48h + certExpiryWindow: 48h + nodeCertManagerIssuer: + group: cert-manager.io + kind: Issuer + name: cockroachdb-node # Duration of node certificates in hours - nodeCertDuration: 8760h + certDuration: 8760h # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. - nodeCertExpiryWindow: 168h + certExpiryWindow: 168h # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs # Legacy CRDs only support cert-manager.io/v1 API Versions useCertManagerV1CRDs: false
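Review bot: The keys defined here, `certDuration` and `certExpiryWindow` under both `clientCertManagerIssuer` and `nodeCertManagerIssuer`, are not the keys that cockroachdb/README.md documents in this same commit, which lists `tls.certs.clientCertManagerIssuer.clientCertDuration`, `clientCertExpiryWindow`, `tls.certs.nodeCertManagerIssuer.nodeCertDuration` and `nodeCertExpiryWindow`; a user who follows that table sets values the templates never read and silently keeps the chart's default durations and renewal windows. build/templates/README.md in the same commit has the correct names, so if cockroachdb/README.md is generated from it, regenerating rather than hand-editing would fix the table. The default-name and comment points raised on the build/templates/values.yaml hunk apply to this hunk unchanged.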