chore: do not check for cacert if it does not exist

charts/redpanda/templates/_helpers.tpl

@@ -492,10 +492,15 @@ runAsGroup: {{ dig "podSecurityContext" "fsGroup" .Values.statefulset.securityCo
 {{- define "admin-tls-curl-flags" -}}
   {{- $result := "" -}}
   {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}}
+    {{- $certificate :=  get .Values.tls.certs .Values.listeners.admin.tls.cert -}}
     {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}}
     {{- $result = (printf "--cacert %s/tls.crt" $path) -}}
     {{- if .Values.listeners.admin.tls.requireClientAuth -}}
-      {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}}
+      {{- if $certificate.caEnabled -}}
+        {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}}
+      {{- else -}}
+        {{- $result = (printf "--cert %s/tls.crt --key %s/tls.key" $path $path $path) -}}
+      {{- end -}}
     {{- end -}}
   {{- end -}}
   {{- $result -}}

charts/redpanda/templates/configmap.yaml

@@ -323,7 +323,6 @@ data:
   {{- end }}
 {{- end }}
 {{- /* END LISTENERS */}}
-
     rpk:
       enable_usage_stats: {{ .Values.logging.usageStats.enabled }}
       overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }}

charts/redpanda/templates/secrets.yaml

@@ -28,16 +28,15 @@ type: Opaque
 stringData:
   common.sh: |-
     #!/usr/bin/env bash
+    
+    CURL_URL="{{ (include "admin-http-protocol" . ) }}://localhost:{{ .Values.listeners.admin.port }}"
 
-    # the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME
-    CURL_URL="{{ include "admin-http-protocol" . }}://${SERVICE_NAME}.{{ template "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.admin.port }}"
-
-    # commands used throughout
-    CURL_NODE_ID_CMD="curl --silent --fail {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/node_config"
+    # commands used throughout    
+    CURL_NODE_ID_CMD="curl -sk --fail {{ (include "admin-tls-curl-flags" . ) }} ${CURL_URL}/v1/node_config"
 
-    CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'
-    CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'
-    CURL_MAINTENANCE_GET_CMD="curl -X GET --silent {{ include "admin-tls-curl-flags" . }} ${CURL_URL}/v1/maintenance"
+    CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE -sk -w "%{http_code}"'  
+    CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT -sk  -w "%{http_code}"'
+    CURL_MAINTENANCE_GET_CMD="curl -X GET -sk {{ (include "admin-tls-curl-flags" . ) }} ${CURL_URL}/v1/maintenance"    
 
   postStart.sh: |-
     #!/usr/bin/env bash
@@ -50,6 +49,7 @@ stringData:
 {{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
     set -ex
 
+
     until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do
         sleep 0.5
     done
@@ -59,6 +59,7 @@ stringData:
     # a 400 here would mean not in maintenance mode
     until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do
         status=$(${CURL_MAINTENANCE_DELETE_CMD})
+        echo $status
         sleep 0.5
     done
 {{- end }}
@@ -80,7 +81,8 @@ stringData:
     # path below should match the path defined on the statefulset
     source /var/lifecycle/common.sh
 
-    set -ex
+    set -xe
+
 
 {{- if gt ( .Values.statefulset.replicas | int64 ) 2 }}
     until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do
@@ -96,6 +98,7 @@ stringData:
 
     until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do
         res=$(${CURL_MAINTENANCE_GET_CMD})
+        echo $res
         finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')
         draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')
         sleep 0.5

charts/redpanda/templates/statefulset.yaml

@@ -209,19 +209,21 @@ spec:
                 - -c
                 {{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
                 - >
-                  curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-                  -svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt |
-                  awk '{
-                    id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
-                    nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
-                    FS=","
-                    split(nd_str, nd_list)
-                    for (i in nd_list) nodes_down[nd_list[i]]=""
-                    exit (id in nodes_down)
-                  }'
+                  PROTO="https";
+                  CURL_FLAGS="-svk";
+                  {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }}
+                  {{- if $cert.caEnabled }}
+                  CA_CERT_FLAG={{ printf "--cacert /etc/tls/certs/%s/ca.crt" .Values.listeners.admin.tls.cert | quote }};
+                  {{- else }}
+                  CA_CERT_FLAG="";
+                  {{- end }}
                 {{- else }}
                 - >
-                  curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview |
+                  PROTO="http";
+                  CURL_FLAGS="-sv";
+                  CA_CERT_FLAG="";
+                {{- end }}
+                  curl ${CURL_FLAGS} ${PROTO}://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview ${CA_CERT_FLAG} |
                   awk '{
                     id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
                     nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
@@ -230,7 +232,6 @@ spec:
                     for (i in nd_list) nodes_down[nd_list[i]]=""
                     exit (id in nodes_down)
                   }'
-                {{- end }}
             initialDelaySeconds: {{ .Values.statefulset.startupProbe.initialDelaySeconds }}
             failureThreshold: {{ .Values.statefulset.startupProbe.failureThreshold }}
             periodSeconds: {{ .Values.statefulset.startupProbe.periodSeconds }}
@@ -241,12 +242,21 @@ spec:
                 - -c
                 {{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
                 - >
-                  curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-                  -svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt
+                  PROTO="https";
+                  CURL_FLAGS="-svk";
+                  {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }}
+                  {{- if $cert.caEnabled }}
+                  CA_CERT_FLAG={{ printf "--cacert /etc/tls/certs/%s/ca.crt" .Values.listeners.admin.tls.cert | quote }};
+                  {{- else }}
+                  CA_CERT_FLAG="";
+                  {{- end }}
                 {{- else }}
                 - >
-                  curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
+                  PROTO="http";
+                  CURL_FLAGS="-sv";
+                  CA_CERT_FLAG="";
                 {{- end }}
+                  curl ${CURL_FLAGS} ${PROTO}://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview ${CA_CERT_FLAG}
             initialDelaySeconds: {{ .Values.statefulset.livenessProbe.initialDelaySeconds }}
             failureThreshold: {{ .Values.statefulset.livenessProbe.failureThreshold }}
             periodSeconds: {{ .Values.statefulset.livenessProbe.periodSeconds }}
@@ -257,19 +267,21 @@ spec:
                 - -c
                 {{- if (include "admin-internal-tls-enabled" . |fromJson).bool }}
                 - >
-                  curl https://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview
-                  -svk --cacert /etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt |
-                  awk '{
-                    id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
-                    nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
-                    FS=","
-                    split(nd_str, nd_list)
-                    for (i in nd_list) nodes_down[nd_list[i]]=""
-                    exit (id in nodes_down)
-                  }'
+                  PROTO="https";
+                  CURL_FLAGS="-svk";
+                  {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }}
+                  {{- if $cert.caEnabled }}
+                  CA_CERT_FLAG={{ printf "--cacert /etc/tls/certs/%s/ca.crt" .Values.listeners.admin.tls.cert | quote }};
+                  {{- else }}
+                  CA_CERT_FLAG="";
+                  {{- end }}
                 {{- else }}
                 - >
-                  curl -sv http://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview |
+                  PROTO="http";
+                  CURL_FLAGS="-sv";
+                  CA_CERT_FLAG="";
+                {{- end }}
+                  curl ${CURL_FLAGS} ${PROTO}://localhost:{{ .Values.listeners.admin.port }}/v1/cluster/health_overview ${CA_CERT_FLAG} | 
                   awk '{
                     id = $0; gsub(/.*"controller_id": /, "", id); gsub(/,.*/, "", id)
                     nd_str = $0; gsub(/.*"nodes_down": \[/, "", nd_str); gsub(/\].*/, "", nd_str)
@@ -278,7 +290,6 @@ spec:
                     for (i in nd_list) nodes_down[nd_list[i]]=""
                     exit (id in nodes_down)
                   }'
-                {{- end }}
             initialDelaySeconds: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }}
             failureThreshold: {{ .Values.statefulset.readinessProbe.failureThreshold }}
             periodSeconds: {{ .Values.statefulset.readinessProbe.periodSeconds }}