kube: move cert-manager resources to kube.local.libsonnet
This way kubernetes consumers don't have to import anything from
cluster/, hopefully.
We also create a small abstraction that lets us add local extensions to
kube.libsonnet without having to modify the upstream file.
Change-Id: I209095781f91c8867250a647fe944370cddd67d0
diff --git a/cluster/kube/lib/cert-manager.libsonnet b/cluster/kube/lib/cert-manager.libsonnet
index e9e4a4b..93b9357 100644
--- a/cluster/kube/lib/cert-manager.libsonnet
+++ b/cluster/kube/lib/cert-manager.libsonnet
@@ -501,13 +501,13 @@
},
issuers: {
- webhookSelfsign: cm.Issuer("cert-manager-webhook-selfsign") {
+ webhookSelfsign: kube.Issuer("cert-manager-webhook-selfsign") {
metadata+: env.metadata,
spec: {
selfSigned: {},
},
},
- webhookCA: cm.Issuer("cert-manager-webhook-ca") {
+ webhookCA: kube.Issuer("cert-manager-webhook-ca") {
metadata+: env.metadata,
spec: {
ca: {
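Review bot: `kube.Issuer` and `kube.Certificate` at these call sites only resolve if the `kube` import at the top of this file (outside the hunk) is the kube.libsonnet that mixes in kube.local.libsonnet, and that file is not part of the visible diff. The helpers deleted in the last hunk of this file each carried `spec: error "spec must be specified"` and included `ClusterIssuer`. The relocated versions should keep all three constructors and that guard, so an Issuer or Certificate declared without a spec still fails at render time instead of being applied empty. The same check applies to the renamed call sites in the later hunks of this file and in cockroachdb.libsonnet and registry.libsonnet.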
@@ -517,7 +517,7 @@
},
},
certificates: {
- webhookCA: cm.Certificate("cert-manager-webhook-ca") {
+ webhookCA: kube.Certificate("cert-manager-webhook-ca") {
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-ca",
@@ -529,7 +529,7 @@
isCA: true,
},
},
- webhookTLS: cm.Certificate("cert-manager-webhook-webhook-tls") {
+ webhookTLS: kube.Certificate("cert-manager-webhook-webhook-tls") {
metadata+: env.metadata,
spec: {
secretName: "cert-manager-webhook-webhook-tls",
@@ -696,16 +696,4 @@
],
},
},
-
- Issuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
- spec: error "spec must be specified",
- },
-
- ClusterIssuer(name): kube._Object("certmanager.k8s.io/v1alpha1", "ClusterIssuer", name) {
- spec: error "spec must be specified",
- },
-
- Certificate(name): kube._Object("certmanager.k8s.io/v1alpha1", "Certificate", name) {
- spec: error "spec must be specified",
- },
}
diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet
index 212104d..0b58180 100644
--- a/cluster/kube/lib/cockroachdb.libsonnet
+++ b/cluster/kube/lib/cockroachdb.libsonnet
@@ -35,7 +35,6 @@
local kube = import "../../../kube/kube.libsonnet";
-local cm = import "cert-manager.libsonnet";
local policies = import "../../../kube/policies.libsonnet";
{
@@ -76,14 +75,14 @@
name(suffix):: if cluster.cfg.ownNamespace then suffix else name + "-" + suffix,
pki: {
- selfSignedIssuer: cm.Issuer(cluster.name("selfsigned")) {
+ selfSignedIssuer: kube.Issuer(cluster.name("selfsigned")) {
metadata+: cluster.metadata,
spec: {
selfSigned: {},
},
},
- selfSignedKeypair: cm.Certificate(cluster.name("cluster-ca")) {
+ selfSignedKeypair: kube.Certificate(cluster.name("cluster-ca")) {
metadata+: cluster.metadata,
spec: {
secretName: cluster.name("cluster-ca"),
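Review bot: `selfSignedKeypair` stores its key pair in the Secret `cluster.name("cluster-ca")`, and nothing here documents how sensitive that Secret is. Judging by the name and the `ca:` issuer in the next hunk, it is presumably the signing key for the node and client certificates. A comment on the field would make the trust boundary explicit, for example `// Holds the cluster CA private key: read access to this Secret allows issuing node and client certificates, so restrict RBAC on secrets in this namespace.` The Certificate's spec continues outside the hunk, so its remaining fields should be confirmed there.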
@@ -96,7 +95,7 @@
},
},
- clusterIssuer: cm.Issuer(cluster.name("cluster-ca")) {
+ clusterIssuer: kube.Issuer(cluster.name("cluster-ca")) {
metadata+: cluster.metadata,
spec: {
ca: {
@@ -105,7 +104,7 @@
},
},
- nodeCertificate: cm.Certificate(cluster.name("node")) {
+ nodeCertificate: kube.Certificate(cluster.name("node")) {
metadata+: cluster.metadata,
spec: {
secretName: "cockroachdb-node-cert",
@@ -127,7 +126,7 @@
},
},
- clientCertificate: cm.Certificate(cluster.name("client")) {
+ clientCertificate: kube.Certificate(cluster.name("client")) {
metadata+: cluster.metadata,
spec: {
secretName: cluster.name("client-certificate"),
@@ -371,7 +370,7 @@
},
Client(name):: {
- certificate: cm.Certificate(cluster.name("client-%s" % name)) {
+ certificate: kube.Certificate(cluster.name("client-%s" % name)) {
metadata+: cluster.metadata,
spec: {
secretName: cluster.name("client-%s-certificate" % name),
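Review bot: `Client(name)` interpolates `name` unchecked into both the Certificate name (`"client-%s" % name`) and the Secret name (`"client-%s-certificate" % name`), and nothing documents which values are acceptable. A comment above the function would help, for example `// name is embedded in Kubernetes object names, so it must be a lowercase DNS-1123-safe string; it selects the client identity the certificate is issued for.` If the commonName further down (outside the hunk) is derived from `name`, it presumably decides which database user the certificate holder authenticates as. That would be worth stating in the same comment.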
diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index 5272b2d..d457830 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -5,7 +5,6 @@
# kubectl get secrets rook-ceph-object-user-<ceph-pool>-object-registry -n <ceph-namespace> -o yaml --export | kubectl replace -f - -n registry
local kube = import "../../../kube/kube.libsonnet";
-local cm = import "cert-manager.libsonnet";
{
Environment: {
@@ -29,13 +28,13 @@
namespace: kube.Namespace(cfg.namespace),
- registryIssuer: cm.Issuer("registry-issuer") {
+ registryIssuer: kube.Issuer("registry-issuer") {
metadata+: env.metadata("registry-issuer"),
spec: {
selfSigned: {},
},
},
- authCertificate: cm.Certificate("auth") {
+ authCertificate: kube.Certificate("auth") {
metadata+: env.metadata("auth"),
spec: {
secretName: "auth-internal",
@@ -46,7 +45,7 @@
commonName: "auth.registry",
},
},
- registryCertificate: cm.Certificate("registry") {
+ registryCertificate: kube.Certificate("registry") {
metadata+: env.metadata("registry"),
spec: {
secretName: "registry-internal",