Sergiusz Bazanski | 6f773e0 | 2019-10-02 20:46:48 +0200 | [diff] [blame] | 1 | local kube = import "../../../kube/kube.libsonnet"; |
| 2 | |
{
  // Environment builds the in-cluster PKI for one cluster: a self-signed root
  // CA (a bootstrap Issuer plus a CA Certificate, both living in cert-manager's
  // namespace) and a ClusterIssuer that signs leaf certificates with that CA.
  //
  // clusterShort: short cluster name, used as the first label of clusterFQDN.
  // realm: DNS suffix appended to clusterShort to form clusterFQDN.
  Environment(clusterShort, realm): {
    local pki = self,

    clusterShort:: clusterShort,
    realm:: realm,
    clusterFQDN:: std.join(".", [clusterShort, realm]),

    // The CA objects are created in cert-manager's own namespace, since a
    // ClusterIssuer looks its `ca.secretName` up there rather than in the
    // namespace of the Certificate being issued.
    // See https://github.com/jetstack/cert-manager/issues/2130
    namespace:: "cert-manager",

    // Bootstrap issuer: signs the CA certificate below with its own key.
    selfSignedIssuer: kube.Issuer("pki-selfsigned") {
      metadata+: { namespace: pki.namespace },
      spec: { selfSigned: {} },
    },

    // Root CA keypair, issued by the self-signed issuer above.
    // SECURITY: the CA private key is stored in the Secret named by
    // `secretName` in pki.namespace. Anyone who can read that Secret can mint
    // certificates trusted by every consumer of this CA, so Secret read access
    // in that namespace should be kept to cert-manager and operators only.
    selfSignedCert: kube.Certificate("pki-selfsigned") {
      metadata+: { namespace: pki.namespace },
      spec: {
        secretName: "pki-selfsigned-cert",
        // 43800h = 1825 days = 5 years; deliberately long-lived for a root CA.
        // NOTE(review): presumably cert-manager reissues it before expiry, at
        // which point anything that pinned the old CA needs the new one
        // distributed — confirm a rotation procedure exists.
        duration: "43800h0m0s",
        isCA: true,
        commonName: "pki-ca",
        // `kind` is left unset, relying on cert-manager's default of a
        // namespaced Issuer; change it if the bootstrap issuer ever becomes a
        // ClusterIssuer.
        issuerRef: { name: pki.selfSignedIssuer.metadata.name },
      },
    },

    // Cluster-wide issuer backed by the CA above.
    // NOTE(review): as a ClusterIssuer it can be referenced from any namespace,
    // and a CA issuer does not itself restrict the names it will sign, so any
    // principal able to create Certificate objects in any namespace can obtain
    // a certificate for any name under this CA — confirm that trust boundary
    // is acceptable for this cluster.
    issuer: kube.ClusterIssuer("pki-ca") {
      spec: {
        ca: { secretName: pki.selfSignedCert.spec.secretName },
      },
    },
  },
}