Add support for ClusterIssuer for certificates (#630)

* Add support for ClusterIssuer

* Add validation that kind must be Issuer when issuer is created as part of the deployment
diff --git a/charts/pulsar/templates/_certs.tpl b/charts/pulsar/templates/_certs.tpl
index 5aad491..4240b60 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -107,12 +107,8 @@
   # Issuer references are always required.
   issuerRef:
     name: "{{ template "pulsar.certs.issuers.ca.name" .root }}"
-    # We can reference ClusterIssuers by changing the kind here.
-    # The default value is Issuer (i.e. a locally namespaced Issuer)
-    kind: Issuer
-    # This is optional since cert-manager will default to this value however
-    # if you are using an external issuer, change this to that issuer group.
-    group: cert-manager.io
+    kind: "{{ default "Issuer" .root.Values.certs.issuers.ca.kind }}"
+    group: "{{ default "cert-manager.io" .root.Values.certs.issuers.ca.group }}"
 {{- end -}}
 
 {{/*
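Review bot: Switching `kind` to `ClusterIssuer` widens who shares the signing CA, and the new `kind:`/`group:` lines replace the only comments that explained these fields without saying so. A ClusterIssuer is cluster-scoped, so Certificates in any namespace can reference it. If the Pulsar components treat a certificate chaining to this CA as sufficient for peer trust (not visible in this hunk), workloads outside the release could obtain a trusted certificate. I would keep a short comment above the line, such as `# kind/group are taken from certs.issuers.ca; a ClusterIssuer is cluster-scoped, so its CA may also sign certificates for other namespaces`. The enclosing define starts before the hunk.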
diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index f2ede04..cecc665 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -55,6 +55,9 @@
     group: cert-manager.io
 ---
 {{- end }}
+{{- if and (eq .Values.certs.internal_issuer.type "ca") (not (eq .Values.certs.issuers.ca.kind "Issuer")) -}}
+{{- fail "Set certs.internal_issuer.enabled to false when using certs.issuers.ca.kind other than Issuer." -}}
+{{- end }}
 apiVersion: "{{ .Values.certs.internal_issuer.apiVersion }}"
 kind: Issuer
 metadata:
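Review bot: The new guard compares the raw `.Values.certs.issuers.ca.kind` with `"Issuer"`, while `_certs.tpl` renders `default "Issuer"` for the same value. A values file that leaves `kind` empty or null therefore renders an `Issuer` reference there but is rejected here, or may error on the comparison depending on the template engine version. The guard also ignores `certs.issuers.ca.group`: with `kind: Issuer` and a non-default group, the chart would still create the Issuer rendered below, which the certificates would not reference. Apply the same defaults and check both by using `(or (ne (default "Issuer" .Values.certs.issuers.ca.kind) "Issuer") (ne (default "cert-manager.io" .Values.certs.issuers.ca.group) "cert-manager.io"))` as the second operand of `and`. The enclosing `if` that decides whether this Issuer is rendered starts outside the hunk, so it cannot be confirmed from here that the message's reference to `certs.internal_issuer.enabled` matches the actual condition.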
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 0c65860..3e90311 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -397,6 +397,10 @@
       # The secret name of the CA certificate, it is mandatory to specify this value if TLS is enabled
       # and selfsigning is not used
       secretName:
+      # The k8s kind of the ca issuer: Issuer or ClusterIssuer
+      kind: Issuer
+      # Issuer group
+      group: cert-manager.io
 
 ######################################################################
 # Below are settings for each component
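Review bot: The comment on `kind` lists `ClusterIssuer` as a valid value without the constraint that tls-cert-internal-issuer.yaml now enforces, so a user learns about it only from a failed render. I would write `# The k8s kind of the ca issuer: Issuer or ClusterIssuer. Must be Issuer when the chart creates the issuer itself (certs.internal_issuer)`. For `group`, I would write `# API group of the issuer; change only when referencing an external (non cert-manager) issuer`. `kind` and `group` sit under the same key as `secretName`; the rest of that mapping is outside the hunk.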