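local kube = import "../../../kube/kube.libsonnet";

{
    // Environment builds the cert-manager PKI bootstrap for one cluster:
    // a self-signed Issuer, a CA Certificate signed by it, and a
    // ClusterIssuer that signs leaf certificates with that CA.
    //
    // clusterShort: short cluster name, combined with realm into clusterFQDN.
    // realm:        DNS realm the cluster belongs to.
    //
    // Only the three Kubernetes objects are visible fields; realm,
    // clusterShort, clusterFQDN and namespace are hidden (::) so they are
    // available to mixins but never emitted as manifests.
    Environment(clusterShort, realm): {
        local env = self,

        realm:: realm,
        clusterShort:: clusterShort,
        clusterFQDN:: "%s.%s" % [clusterShort, realm],

        // Namespace for the bootstrap Issuer and the CA keypair. Pinned to
        // cert-manager's own namespace, presumably because the ClusterIssuer
        // below resolves its CA secret there; see
        // https://github.com/jetstack/cert-manager/issues/2130
        namespace:: "cert-manager",

        // An issuer that self-signs certificates, used only to bootstrap
        // the CA certificate below.
        selfSignedIssuer: kube.Issuer("pki-selfsigned") {
            metadata+: {
                namespace: env.namespace,
            },
            spec: {
                selfSigned: {},
            },
        },

        // CA keypair, self-signed by the above issuer. The CA private key
        // is stored in secretName; anything able to read that secret can
        // mint certificates trusted by every consumer of this CA, so access
        // to it should be restricted accordingly.
        selfSignedCert: kube.Certificate("pki-selfsigned") {
            metadata+: {
                namespace: env.namespace,
            },
            spec: {
                secretName: "pki-selfsigned-cert",
                duration: "43800h0m0s", // 5 years
                isCA: true,
                issuerRef: {
                    name: env.selfSignedIssuer.metadata.name,
                    // Explicit kind: the bootstrap issuer is a namespaced
                    // Issuer, not the ClusterIssuer declared below.
                    kind: "Issuer",
                },
                commonName: "pki-ca",
            },
        },

        // CA issuer, used to issue certificates signed by the CA.
        // Cluster-scoped, so Certificates in any namespace may reference it.
        issuer: kube.ClusterIssuer("pki-ca") {
            spec: {
                ca: {
                    secretName: env.selfSignedCert.spec.secretName,
                },
            },
        },
    },
}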