Have separate Issuers for Client and Node Certs

build/templates/README.md

@@ -147,7 +147,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
 If you wish to supply certificates with [cert-manager][3], set
 
 * `tls.certs.certManager` to `yes`/`true`
-* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
+* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
 
 Example issuer:
 
@@ -403,13 +403,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
 | `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
 | `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
-| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
-| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
-| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
-| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
-| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
+| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
+| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
+| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
+| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
+| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
+| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
+| `tls.certs.clientCertManagerIssuer.certDuration` | Duration of client cert in hours | `672h` |
+| `tls.certs.clientCertManagerIssuer.certExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.nodeCertManagerIssuer.certDuration` | Duration of node cert in hours | `8760h` |
+| `tls.certs.nodeCertManagerIssuer.certExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
 | `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
 | `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |

build/templates/values.yaml

@@ -481,18 +481,22 @@ tls:
  # Specify an Issuer or a ClusterIssuer to use, when issuing
  # node and client certificates. The values correspond to the
  # issuerRef specified in the certificate.
- certManagerIssuer:
+ clientCertManagerIssuer:
  group: cert-manager.io
  kind: Issuer
- name: cockroachdb
+ name: cockroachdb-client
  # Duration of Client certificates in hours
- clientCertDuration: 672h
+ certDuration: 672h
  # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
- clientCertExpiryWindow: 48h
+ certExpiryWindow: 48h
+ nodeCertManagerIssuer:
+ group: cert-manager.io
+ kind: Issuer
+ name: cockroachdb-node
  # Duration of node certificates in hours
- nodeCertDuration: 8760h
+ certDuration: 8760h
  # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
- nodeCertExpiryWindow: 168h
+ certExpiryWindow: 168h
  # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
  # Legacy CRDs only support cert-manager.io/v1 API Versions
  useCertManagerV1CRDs: false

cockroachdb/README.md

@@ -148,7 +148,7 @@ By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correc
 If you wish to supply certificates with [cert-manager][3], set
 
 * `tls.certs.certManager` to `yes`/`true`
-* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
+* `tls.certs.nodeCertManagerIssuer` or `tls.certs.clientCertManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
 
 Example issuer:
 
@@ -404,13 +404,16 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
 | `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
 | `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
-| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
-| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
-| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
-| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
-| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
-| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
-| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
+| `tls.certs.clientCertManagerIssuer.group` | IssuerRef group to use when generating client certificates | `cert-manager.io` |
+| `tls.certs.clientCertManagerIssuer.kind` | IssuerRef kind to use when generating client certificates | `Issuer` |
+| `tls.certs.clientCertManagerIssuer.name` | IssuerRef name to use when generating client certificates | `cockroachdb` |
+| `tls.certs.nodeCertManagerIssuer.group` | IssuerRef group to use when generating node certificates | `cert-manager.io` |
+| `tls.certs.nodeCertManagerIssuer.kind` | IssuerRef kind to use when generating node certificates | `Issuer` |
+| `tls.certs.nodeCertManagerIssuer.name` | IssuerRef name to use when generating node certificates | `cockroachdb` |
+| `tls.certs.clientCertManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
+| `tls.certs.clientCertManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.nodeCertManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
+| `tls.certs.nodeCertManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
 | `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
 | `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
 | `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |

cockroachdb/templates/certificate.client.yaml

@@ -17,8 +17,8 @@ metadata:
  {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
- duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }}
- renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }}
+ duration: {{ .Values.tls.certs.clientCertManagerIssuer.certDuration }}
+ renewBefore: {{ .Values.tls.certs.clientCertManagerIssuer.certExpiryWindow }}
  usages:
  - digital signature
  - key encipherment
@@ -42,7 +42,7 @@ spec:
 {{- end }}
  secretName: {{ .Values.tls.certs.clientRootSecret }}
  issuerRef:
- name: {{ .Values.tls.certs.certManagerIssuer.name }}
- kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
- group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ name: {{ .Values.tls.certs.clientCertManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.clientCertManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.clientCertManagerIssuer.group }}
 {{- end }}

cockroachdb/templates/certificate.node.yaml

@@ -17,8 +17,8 @@ metadata:
  {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
- duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }}
- renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }}
+ duration: {{ .Values.tls.certs.nodeCertManagerIssuer.certDuration }}
+ renewBefore: {{ .Values.tls.certs.nodeCertManagerIssuer.certExpiryWindow }}
  usages:
  - digital signature
  - key encipherment
@@ -52,7 +52,7 @@ spec:
  - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
  secretName: {{ .Values.tls.certs.nodeSecret }}
  issuerRef:
- name: {{ .Values.tls.certs.certManagerIssuer.name }}
- kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
- group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ name: {{ .Values.tls.certs.nodeCertManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.nodeCertManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.nodeCertManagerIssuer.group }}
 {{- end }}

cockroachdb/values.yaml

@@ -482,18 +482,22 @@ tls:
  # Specify an Issuer or a ClusterIssuer to use, when issuing
  # node and client certificates. The values correspond to the
  # issuerRef specified in the certificate.
- certManagerIssuer:
+ clientCertManagerIssuer:
  group: cert-manager.io
  kind: Issuer
- name: cockroachdb
+ name: cockroachdb-client
  # Duration of Client certificates in hours
- clientCertDuration: 672h
+ certDuration: 672h
  # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
- clientCertExpiryWindow: 48h
+ certExpiryWindow: 48h
+ nodeCertManagerIssuer:
+ group: cert-manager.io
+ kind: Issuer
+ name: cockroachdb-node
  # Duration of node certificates in hours
- nodeCertDuration: 8760h
+ certDuration: 8760h
  # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
- nodeCertExpiryWindow: 168h
+ certExpiryWindow: 168h
  # Enable if you run cert-manager >=1.0 on K8s <=1.15 with legacy CRDs
  # Legacy CRDs only support cert-manager.io/v1 API Versions
  useCertManagerV1CRDs: false