lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new 20febea Add cert annotation configuration (#673)
20febea is described below
commit 20febea0aed531f3c7d090ee9b70f5d7b0294ad4
Author: Shaun Becker <[email protected]>
AuthorDate: Wed Apr 22 05:52:53 2026 -0400
Add cert annotation configuration (#673)
---
.ci/clusters/values-tls.yaml | 2 ++
charts/pulsar/templates/_certs.tpl | 4 ++++
charts/pulsar/values.yaml | 12 ++++++++++++
3 files changed, 18 insertions(+)
diff --git a/.ci/clusters/values-tls.yaml b/.ci/clusters/values-tls.yaml
index cbd09cc..9f3d70f 100644
--- a/.ci/clusters/values-tls.yaml
+++ b/.ci/clusters/values-tls.yaml
@@ -23,6 +23,8 @@ tls:
enabled: true
proxy:
enabled: true
+ secretAnnotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
broker:
enabled: true
bookie:
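Review bot: The new `secretAnnotations` entry under `proxy:` marks the proxy TLS secret as reflectable with no namespace scoping, and nothing in the hunk says it is only a test fixture. These annotations are applied to the Secret that cert-manager generates, which holds the private key, so a reader copying this file into a real deployment would allow that key to be mirrored wherever the reflector permits. I would add a comment above the key such as `# CI only: exercises secretTemplate.annotations rendering; in real clusters also set reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces`. The `tls:` mapping begins before the hunk and continues after it.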
diff --git a/charts/pulsar/templates/_certs.tpl
b/charts/pulsar/templates/_certs.tpl
index 80efaf7..ab79ea1 100644
--- a/charts/pulsar/templates/_certs.tpl
+++ b/charts/pulsar/templates/_certs.tpl
@@ -75,6 +75,10 @@ metadata:
labels:
{{- include "pulsar.standardLabels" .root | nindent 4 }}
spec:
+{{- if .tlsConfig.secretAnnotations }}
+ secretTemplate:
+ annotations: {{ toYaml .tlsConfig.secretAnnotations | nindent 6 }}
+{{- end }}
# Secret names are always required.
secretName: "{{ .root.Release.Name }}-{{ .tlsConfig.cert_name }}"
{{- if .root.Values.tls.zookeeper.enabled }}
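Review bot: `toYaml .tlsConfig.secretAnnotations` on the `annotations:` line emits each value with whatever type the user supplied, so an unquoted `true` or a number in values renders a non-string annotation. Annotations are a string-to-string map, so such a Certificate would most likely be rejected at apply time. The CI fixture avoids this only because its value is quoted. Rendering each pair explicitly keeps the output valid for any input: `{{- range $k, $v := .tlsConfig.secretAnnotations }}`, then `{{ $k | quote }}: {{ $v | toString | quote }}` indented under `annotations:`, then `{{- end }}`. The enclosing template definition starts and ends outside this hunk, so the indentation is assumed from the `nindent 6` already used.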
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index b99be66..11494fe 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -264,6 +264,8 @@ tls:
# existingSecret: proxy-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# settings for generating certs for broker
broker:
enabled: false
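Review bot: The comment added above `# secretAnnotations: {}` does not say that these annotations end up on the Secret holding the component's TLS private key, nor that the values must be strings. That matters because annotations read by secret-replication controllers change where the key material is copied, which is easy to miss from the current wording. I would extend it to something like `# Annotations for the Secret generated by cert-manager (holds the TLS private key); values must be quoted strings.` followed by `# Review any annotation that lets a controller copy this Secret to other namespaces.` The same two added lines recur in the broker, bookie, zookeeper, autorecovery and toolset hunks below, so the wording should change in all six places.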
@@ -282,6 +284,8 @@ tls:
# existingSecret: broker-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# settings for generating certs for bookies
bookie:
enabled: false
@@ -293,6 +297,8 @@ tls:
# existingSecret: bookie-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# settings for generating certs for zookeeper
zookeeper:
enabled: false
@@ -304,6 +310,8 @@ tls:
# existingSecret: zookeeper-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# settings for generating certs for recovery
autorecovery:
cert_name: tls-recovery
@@ -314,6 +322,8 @@ tls:
# existingSecret: autorecovery-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# settings for generating certs for toolset
toolset:
cert_name: tls-toolset
@@ -324,6 +334,8 @@ tls:
# existingSecret: toolset-cacert
# secretKeys:
# - ca.crt
+ # Annotations to apply to the secrets generated by the cert-manager
certificate
+ # secretAnnotations: {}
# TLS setting for function runtime instance
function_instance:
# controls the use of TLS for function runtime connections towards brokers