local kube = import "kube.libsonnet";
// HSPKI support
// (This is meant to be a simpler abstraction than mirko.libsonnet)
// To wire a certificate into a HSPKI/Mirko service, mix in PodSpec and use Container() or GoContainer()
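{
  local top = self,
  local cfg = top.cfg,

  // metadata.namespace must be provided by the caller; it is the namespace
  // of both the Certificate object and the Secret cert-manager writes.
  metadata:: {
    namespace: error "namespace must be set",
  },

  cfg:: {
    // name is used to generate certificate and secret names
    // and should match name of the Service: it also drives the CN and
    // the dnsNames SANs of the issued certificate below.
    name: error "name must be set",
    namespace: top.metadata.namespace,
    certName: cfg.name + '-cert',
    secretName: cfg.name + '-cert',
    realm: "hswaw.net",
    clusterFQDN: "k0.hswaw.net",
  },

  local ns = kube.Namespace(cfg.namespace),

  // cert-manager Certificate for the service, signed by the cluster-wide
  // "pki-ca" ClusterIssuer. The resulting Secret is what PodSpec mounts.
  cert: ns.Contain(kube.Certificate(cfg.certName)) {
    spec: {
      secretName: cfg.secretName,
      // 4 years (4 * 8760h). renewBefore is not set, so renewal follows
      // the cert-manager default for this duration.
      duration: "35040h0m0s",
      issuerRef: {
        // Contract with cluster/lib/pki.libsonnet.
        name: "pki-ca",
        kind: "ClusterIssuer",
      },
      local name = cfg.name,
      local namespace = cfg.namespace,
      commonName: "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN],
      // Every name under which the Service is reachable in-cluster, from the
      // bare short name up to the cluster FQDN. "cluster.local" is the
      // kube-dns suffix and is intentionally independent of cfg.clusterFQDN.
      dnsNames: [
        "%s" % [name],
        "%s.%s" % [name, namespace],
        "%s.%s.svc" % [name, namespace],
        "%s.%s.svc.cluster.local" % [name, namespace],
        "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN],
      ],
    },
  },

  // PodSpec mixin: exposes the certificate Secret as the "hspki" volume.
  // NOTE(review): no defaultMode is set, so the Secret volume gets the
  // Kubernetes default mode (0644) — tls.key is readable by every uid in the
  // pod, not only the process that needs it. Tightening it (e.g. 0440 plus an
  // fsGroup) depends on the uid/fsGroup kube.PodSpec runs containers as, which
  // is not visible here; confirm before changing.
  PodSpec:: kube.PodSpec {
    volumes_+: {
      hspki: { secret: { secretName: cfg.secretName } },
    },
  },

  // Container mixin: mounts the "hspki" volume at /mnt/pki.
  // The mount is marked read-only explicitly: kubelet already mounts Secret
  // volumes read-only, but stating it keeps the intent visible and holds if
  // the volume type is ever changed.
  Container(name):: kube.Container(name) {
    volumeMounts_+: {
      hspki: { mountPath: "/mnt/pki", readOnly: true },
    },
  },

  // Container mixin for go/hspki binaries: points the hspki flags at the
  // mounted key material. NOTE(review): ca.crt is written into the Secret
  // only when the issuer publishes its CA; presumably pki-ca does, and a
  // missing file would make the binary refuse to start rather than trust
  // nothing — verify against the go/hspki flag handling.
  GoContainer(name):: top.Container(name) {
    executable_:: error "executable_ must be set",
    command: [
      self.executable_,
      "-hspki_realm", cfg.realm,
      "-hspki_cluster", cfg.clusterFQDN,
      "-hspki_tls_ca_path", "/mnt/pki/ca.crt",
      "-hspki_tls_certificate_path", "/mnt/pki/tls.crt",
      "-hspki_tls_key_path", "/mnt/pki/tls.key",
      // TODO: Remove this after go/hspki services are updated not to require it
      "-logtostderr",
    ],
  },
}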