separate name for client and node certmanagerissuer

Author: yecs1999

build/templates/README.md

@@ -147,7 +147,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
 If you wish to supply certificates with [cert-manager][3], set
 
 * `tls.certs.certManager` to `yes`/`true`
-* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
+* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
 
 Example issuer:
 
@@ -403,13 +403,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait`                      | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true                                    | `30s`                                             |
 | `tls.certs.selfSigner.podUpdateTimeout`                   | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true                                    | `2m`                                             |
 | `tls.certs.certManager`                                   | Provision certificates with cert-manager                        | `false`                                               |
-| `tls.certs.certManagerIssuer.group`                       | IssuerRef group to use when generating certificates             | `cert-manager.io`                                     |
-| `tls.certs.certManagerIssuer.kind`                        | IssuerRef kind to use when generating certificates              | `Issuer`                                              |
-| `tls.certs.certManagerIssuer.name`                        | IssuerRef name to use when generating certificates              | `cockroachdb`                                         |
-| `tls.certs.certManagerIssuer.clientCertDuration`          | Duration of client cert in hours                                | `672h`                                                |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow`      | Expiry window of client cert means a window before actual expiry in which client cert should be rotated                   | `48h`                                       |
-| `tls.certs.certManagerIssuer.nodeCertDuration`            | Duration of node cert in hours                                  | `8760h`                                               |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow`        | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.             | `168h`                                      |
+| `tls.certs.clientCertManagerIssuer.group`                       | IssuerRef group to use when generating client certificates             | `cert-manager.io`                                     |
+| `tls.certs.clientCertManagerIssuer.kind`                        | IssuerRef kind to use when generating client certificates              | `Issuer`                                              |
+| `tls.certs.clientCertManagerIssuer.name`                        | IssuerRef name to use when generating client certificates              | `cockroachdb`                                         |
+| `tls.certs.nodeCertManagerIssuer.group`                         | IssuerRef group to use when generating node certificates              | `cert-manager.io`                                     |
+| `tls.certs.nodeCertManagerIssuer.kind`                        | IssuerRef kind to use when generating node certificates                  | `Issuer`                                              |
+| `tls.certs.nodeCertManagerIssuer.name`                        | IssuerRef name to use when generating node certificates                 | `cockroachdb`                                         |
+| `tls.certs.clientCertManagerIssuer.certDuration`          | Duration of client cert in hours                                | `672h`                                                |
+| `tls.certs.clientCertManagerIssuer.certExpiryWindow`      | Expiry window of client cert means a window before actual expiry in which client cert should be rotated                   | `48h`                                       |
+| `tls.certs.nodeCertManagerIssuer.certDuration`            | Duration of node cert in hours                                  | `8760h`                                               |
+| `tls.certs.nodeCertManagerIssuer.certExpiryWindow`        | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.             | `168h`                                      |
 | `tls.selfSigner.image.repository`                         | Image to use for self signing TLS certificates                  | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag`                                | Image tag to use for self signing TLS certificates              | `0.1`                                                 |
 | `tls.selfSigner.image.pullPolicy`                         | Self signing TLS certificates container pull policy             | `IfNotPresent`                                        |

build/templates/values.yaml

@@ -481,18 +481,22 @@ tls:
     # Specify an Issuer or a ClusterIssuer to use, when issuing
     # node and client certificates. The values correspond to the
     # issuerRef specified in the certificate.
-    certManagerIssuer:
+    clientCertManagerIssuer:
       group: cert-manager.io
       kind: Issuer
-      name: cockroachdb
+      name: cockroachdb-client
       # Duration of Client certificates in hours
-      clientCertDuration: 672h
+      certDuration: 672h
       # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
-      clientCertExpiryWindow: 48h
+      certExpiryWindow: 48h
+    nodeCertManagerIssuer:
+      group: cert-manager.io
+      kind: Issuer
+      name: cockroachdb-node
       # Duration of node certificates in hours
-      nodeCertDuration: 8760h
+      certDuration: 8760h
       # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
-      nodeCertExpiryWindow: 168h
+      certExpiryWindow: 168h
     # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
     # Legacy CRDs only support cert-manager.io/v1 API Versions
     useCertManagerV1CRDs: false

cockroachdb/README.md

@@ -148,7 +148,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
 If you wish to supply certificates with [cert-manager][3], set
 
 * `tls.certs.certManager` to `yes`/`true`
-* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
+* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
 
 Example issuer:
 
@@ -404,13 +404,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait`                      | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true                                    | `30s`                                             |
 | `tls.certs.selfSigner.podUpdateTimeout`                   | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true                                    | `2m`                                             |
 | `tls.certs.certManager`                                   | Provision certificates with cert-manager                        | `false`                                               |
-| `tls.certs.certManagerIssuer.group`                       | IssuerRef group to use when generating certificates             | `cert-manager.io`                                     |
-| `tls.certs.certManagerIssuer.kind`                        | IssuerRef kind to use when generating certificates              | `Issuer`                                              |
-| `tls.certs.certManagerIssuer.name`                        | IssuerRef name to use when generating certificates              | `cockroachdb`                                         |
-| `tls.certs.certManagerIssuer.clientCertDuration`          | Duration of client cert in hours                                | `672h`                                                |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow`      | Expiry window of client cert means a window before actual expiry in which client cert should be rotated                   | `48h`                                       |
-| `tls.certs.certManagerIssuer.nodeCertDuration`            | Duration of node cert in hours                                  | `8760h`                                               |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow`        | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.             | `168h`                                      |
+| `tls.certs.clientCertManagerIssuer.group`                       | IssuerRef group to use when generating client certificates             | `cert-manager.io`                                     |
+| `tls.certs.clientCertManagerIssuer.kind`                        | IssuerRef kind to use when generating client certificates              | `Issuer`                                              |
+| `tls.certs.clientCertManagerIssuer.name`                        | IssuerRef name to use when generating client certificates              | `cockroachdb`                                         |
+| `tls.certs.nodeCertManagerIssuer.group`                         | IssuerRef group to use when generating node certificates              | `cert-manager.io`                                     |
+| `tls.certs.nodeCertManagerIssuer.kind`                          | IssuerRef kind to use when generating node certificates               | `Issuer`                                              |
+| `tls.certs.nodeCertManagerIssuer.name`                          | IssuerRef name to use when generating node certificates               | `cockroachdb`                                         |
+| `tls.certs.clientCertManagerIssuer.clientCertDuration`          | Duration of client cert in hours                                | `672h`                                                |
+| `tls.certs.clientCertManagerIssuer.clientCertExpiryWindow`      | Expiry window of client cert means a window before actual expiry in which client cert should be rotated                   | `48h`                                       |
+| `tls.certs.nodeCertManagerIssuer.nodeCertDuration`            | Duration of node cert in hours                                  | `8760h`                                               |
+| `tls.certs.nodeCertManagerIssuer.nodeCertExpiryWindow`        | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.             | `168h`                                      |
 | `tls.selfSigner.image.repository`                         | Image to use for self signing TLS certificates                  | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag`                                | Image tag to use for self signing TLS certificates              | `0.1`                                                 |
 | `tls.selfSigner.image.pullPolicy`                         | Self signing TLS certificates container pull policy             | `IfNotPresent`                                        |

cockroachdb/templates/certificate.client.yaml

@@ -17,8 +17,8 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }}
-  renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }}
+  duration: {{ .Values.tls.certs.clientCertManagerIssuer.certDuration }}
+  renewBefore: {{ .Values.tls.certs.clientCertManagerIssuer.certExpiryWindow }}
   usages:
     - digital signature
     - key encipherment
@@ -42,7 +42,7 @@ spec:
 {{- end }}
   secretName: {{ .Values.tls.certs.clientRootSecret }}
   issuerRef:
-    name: {{ .Values.tls.certs.certManagerIssuer.name }}
-    kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
-    group: {{ .Values.tls.certs.certManagerIssuer.group }}
+    name: {{ .Values.tls.certs.clientCertManagerIssuer.name }}
+    kind: {{ .Values.tls.certs.clientCertManagerIssuer.kind }}
+    group: {{ .Values.tls.certs.clientCertManagerIssuer.group }}
 {{- end }}

cockroachdb/templates/certificate.node.yaml

@@ -17,8 +17,8 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }}
-  renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }}
+  duration: {{ .Values.tls.certs.nodeCertManagerIssuer.certDuration }}
+  renewBefore: {{ .Values.tls.certs.nodeCertManagerIssuer.certExpiryWindow }}
   usages:
     - digital signature
     - key encipherment
@@ -52,7 +52,7 @@ spec:
     - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
   secretName: {{ .Values.tls.certs.nodeSecret }}
   issuerRef:
-    name: {{ .Values.tls.certs.certManagerIssuer.name }}
-    kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
-    group: {{ .Values.tls.certs.certManagerIssuer.group }}
+    name: {{ .Values.tls.certs.nodeCertManagerIssuer.name }}
+    kind: {{ .Values.tls.certs.nodeCertManagerIssuer.kind }}
+    group: {{ .Values.tls.certs.nodeCertManagerIssuer.group }}
 {{- end }}

cockroachdb/values.yaml

@@ -482,18 +482,22 @@ tls:
     # Specify an Issuer or a ClusterIssuer to use, when issuing
     # node and client certificates. The values correspond to the
     # issuerRef specified in the certificate.
-    certManagerIssuer:
+    clientCertManagerIssuer:
       group: cert-manager.io
       kind: Issuer
-      name: cockroachdb
+      name: cockroachdb-client
       # Duration of Client certificates in hours
-      clientCertDuration: 672h
+      certDuration: 672h
       # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
-      clientCertExpiryWindow: 48h
+      certExpiryWindow: 48h
+    nodeCertManagerIssuer:
+      group: cert-manager.io
+      kind: Issuer
+      name: cockroachdb-node
       # Duration of node certificates in hours
-      nodeCertDuration: 8760h
+      certDuration: 8760h
       # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
-      nodeCertExpiryWindow: 168h
+      certExpiryWindow: 168h
     # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
     # Legacy CRDs only support cert-manager.io/v1 API Versions
     useCertManagerV1CRDs: false