smsgw: productionize, implement kube/mirko

This productionizes smsgw.

We also add some jsonnet machinery to provide a unified service for Go
micro/mirkoservices.

This machinery provides all the nice stuff:
 - a deployment
 - a service for all your types of ports
 - TLS certificates for HSPKI

We also update and test hspki for a new name scheme.

Change-Id: I292d00f858144903cbc8fe0c1c26eb1180d636bc
diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index 60cbaaa..e89a801 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet
@@ -13,11 +13,16 @@
 local prodvider = import "lib/prodvider.libsonnet";
 local registry = import "lib/registry.libsonnet";
 local rook = import "lib/rook.libsonnet";
+local pki = import "lib/pki.libsonnet";
 
-local Cluster(fqdn) = {
+local Cluster(short, realm) = {
     local cluster = self,
     local cfg = cluster.cfg,
 
+    short:: short,
+    realm:: realm,
+    fqdn:: "%s.%s" % [cluster.short, cluster.realm],
+
     cfg:: {
         // Storage class used for internal services (like registry). This must
         // be set to a valid storage class. This can either be a cloud provider class
@@ -54,7 +59,7 @@
                 apiGroup: "rbac.authorization.k8s.io",
                 kind: "User",
                 # A cluster API Server authenticates with a certificate whose CN is == to the FQDN of the cluster.
-                name: fqdn,
+                name: cluster.fqdn,
             },
         ],
     },
@@ -159,7 +164,7 @@
         cfg+: {
             cluster_domains: [
                 "cluster.local",
-                fqdn,
+                cluster.fqdn,
             ],
         },
     },
@@ -203,12 +208,15 @@
     // Docker registry
     registry: registry.Environment {
         cfg+: {
-            domain: "registry.%s" % [fqdn],
+            domain: "registry.%s" % [cluster.fqdn],
             storageClassName: cfg.storageClassNameParanoid,
             objectStorageName: "waw-hdd-redundant-2-object",
         },
     },
 
+    // TLS PKI machinery
+    pki: pki.Environment(cluster.short, cluster.realm),
+
     // Prodvider
     prodvider: prodvider.Environment {
         cfg+: {
@@ -221,7 +229,7 @@
 {
     k0: {
         local k0 = self,
-        cluster: Cluster("k0.hswaw.net") {
+        cluster: Cluster("k0", "hswaw.net") {
             cfg+: {
                 storageClassNameParanoid: k0.ceph.blockParanoid.name,
             },
diff --git a/cluster/kube/lib/pki.libsonnet b/cluster/kube/lib/pki.libsonnet
new file mode 100644
index 0000000..b9b9df3
--- /dev/null
+++ b/cluster/kube/lib/pki.libsonnet
@@ -0,0 +1,48 @@
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+    Environment(clusterShort, realm): {
+        local env = self,
+
+        realm:: realm,
+        clusterShort:: clusterShort,
+        clusterFQDN:: "%s.%s" % [clusterShort, realm],
+
+        namespace:: "cert-manager", // https://github.com/jetstack/cert-manager/issues/2130
+
+        // An issuer that self-signs certificates, used for the CA certificate.
+        selfSignedIssuer: kube.Issuer("pki-selfsigned") {
+            metadata+: {
+                namespace: env.namespace,
+            },
+            spec: {
+                selfSigned: {},
+            },
+        },
+        
+        // CA keypair, self-signed by the above issuer.
+        selfSignedCert: kube.Certificate("pki-selfsigned") {
+            metadata+: {
+                namespace: env.namespace,
+            },
+            spec: {
+                secretName: "pki-selfsigned-cert",
+                duration: "43800h0m0s", // 5 years,
+                isCA: true,
+                issuerRef: {
+                    name: env.selfSignedIssuer.metadata.name,
+                },
+                commonName: "pki-ca",
+            },
+        },
+        
+        // CA issuer, used to issue certificates signed by the CA.
+        issuer: kube.ClusterIssuer("pki-ca") {
+            spec: {
+                ca: {
+                    secretName: env.selfSignedCert.spec.secretName,
+                },
+            },
+        },
+    },
+}
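Review bot: The `issuer` at the end of this hunk is a ClusterIssuer, so any principal able to create a Certificate in any namespace can presumably obtain a leaf signed by pki-ca for an arbitrary CN/SAN; nothing in this file constrains that, so the effective issuance policy of the CA is the RBAC on Certificate objects, which matters because the commit says HSPKI trusts the names in these certificates. I would add a comment on `issuer` such as `// Cluster-scoped: what pki-ca vouches for is bounded only by RBAC on Certificate objects; keep that tight, since HSPKI derives identity from these names.`. The CA certificate sets `isCA: true` and a five-year `duration` but no `renewBefore`, so when the CA keypair gets rotated is left to cert-manager's defaults; if the CA is meant to stay stable for the full term, say so next to `duration`, and the comment there should read `// 5 years` rather than `// 5 years,`. The two blank lines inside `Environment` (after `selfSignedIssuer` and after `selfSignedCert`) carry trailing whitespace.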