smsgw: productionize, implement kube/mirko
This productionizes smsgw.
We also add some jsonnet machinery to provide a unified service for Go
micro/mirkoservices.
This machinery provides all the nice stuff:
- a deployment
- a service for all your types of ports
- TLS certificates for HSPKI
We also update and test hspki for a new name scheme.
Change-Id: I292d00f858144903cbc8fe0c1c26eb1180d636bc
diff --git a/cluster/kube/lib/pki.libsonnet b/cluster/kube/lib/pki.libsonnet
new file mode 100644
index 0000000..b9b9df3
--- /dev/null
+++ b/cluster/kube/lib/pki.libsonnet
@@ -0,0 +1,48 @@
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+ Environment(clusterShort, realm): {
+ local env = self,
+
+ realm:: realm,
+ clusterShort:: clusterShort,
+ clusterFQDN:: "%s.%s" % [clusterShort, realm],
+
+ namespace:: "cert-manager", // https://github.com/jetstack/cert-manager/issues/2130
+
+ // An issuer that self-signs certificates, used for the CA certificate.
+ selfSignedIssuer: kube.Issuer("pki-selfsigned") {
+ metadata+: {
+ namespace: env.namespace,
+ },
+ spec: {
+ selfSigned: {},
+ },
+ },
+
+ // CA keypair, self-signed by the above issuer.
+ selfSignedCert: kube.Certificate("pki-selfsigned") {
+ metadata+: {
+ namespace: env.namespace,
+ },
+ spec: {
+ secretName: "pki-selfsigned-cert",
+ duration: "43800h0m0s", // 5 years,
+ isCA: true,
+ issuerRef: {
+ name: env.selfSignedIssuer.metadata.name,
+ },
+ commonName: "pki-ca",
+ },
+ },
+
+ // CA issuer, used to issue certificates signed by the CA.
+ issuer: kube.ClusterIssuer("pki-ca") {
+ spec: {
+ ca: {
+ secretName: env.selfSignedCert.spec.secretName,
+ },
+ },
+ },
+ },
+}
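Review bot: The `issuer` object is a `kube.ClusterIssuer`, so any namespace in the cluster can request a certificate chained to `pki-ca`, yet neither the resource nor its comment says so; since the commit intends these certificates as HSPKI identities, that trust boundary deserves to be stated where the issuer is defined. I would extend the comment above `issuer` to `// CA issuer, used to issue certificates signed by the CA. Cluster-scoped: any namespace may request a certificate from it, so HSPKI peers must verify the name scheme of the presented certificate, not merely that it chains to pki-ca.` The CA private key lives in the `pki-selfsigned-cert` Secret in the `cert-manager` namespace (which is why `namespace` is pinned there per the linked issue), so a short note that read access to that Secret is equivalent to holding the CA would help whoever scopes RBAC. Minor: the trailing comma in `// 5 years,` on the `duration` line looks accidental, and `selfSignedCert` sets no `renewBefore`, so the rotation point of the five-year CA is left to cert-manager's default, which is presumably acceptable but worth confirming.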