| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 1 | local kube = import "kube.libsonnet"; |
| 2 | |
| 3 | // HSPKI support |
| 4 | // (This is meant to be a simpler abstraction than mirko.libsonnet) |
| 5 | // To connect certificate to a HSPKI/Mirko service, use PodSpec and Container() or GoContainer() |
| 6 | { |
| 7 | local top = self, |
| 8 | local cfg = top.cfg, |
| 9 | |
| 10 | metadata:: { |
| 11 | namespace: error "namespace must be set", |
| 12 | }, |
| 13 | |
| 14 | cfg:: { |
| 15 | // name is used to generate certificate and secret names |
| 16 | // and should match name of the Service |
| 17 | name: error "name must be set", |
| 18 | namespace: top.metadata.namespace, |
| 19 | |
| 20 | certName: cfg.name + '-cert', |
| 21 | secretName: cfg.name + '-cert', |
| 22 | |
| 23 | realm: "hswaw.net", |
| 24 | clusterFQDN: "k0.hswaw.net", |
| 25 | }, |
| 26 | |
| 27 | local ns = kube.Namespace(cfg.namespace), |
| 28 | |
| 29 | cert: ns.Contain(kube.Certificate(cfg.certName)) { |
| 30 | spec: { |
| 31 | secretName: cfg.secretName, |
| 32 | duration: "35040h0m0s", // 4 years |
| 33 | issuerRef: { |
| 34 | // Contract with cluster/lib/pki.libsonnet. |
| 35 | name: "pki-ca", |
| 36 | kind: "ClusterIssuer", |
| 37 | }, |
| 38 | local name = cfg.name, |
| 39 | local namespace = cfg.namespace, |
| 40 | commonName: "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN], |
| 41 | dnsNames: [ |
| 42 | "%s" % [name], |
| 43 | "%s.%s" % [name, namespace], |
| 44 | "%s.%s.svc" % [name, namespace], |
| 45 | "%s.%s.svc.cluster.local" % [name, namespace], |
| 46 | "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN], |
| 47 | ], |
| 48 | }, |
| 49 | }, |
| 50 | |
| 51 | PodSpec:: kube.PodSpec { |
| 52 | volumes_+: { |
| 53 | hspki: { secret: { secretName: cfg.secretName } }, |
| 54 | }, |
| 55 | }, |
| 56 | |
| 57 | Container(name):: kube.Container(name) { |
| 58 | volumeMounts_+: { |
| 59 | hspki: { mountPath: "/mnt/pki" }, |
| 60 | }, |
| 61 | }, |
| 62 | |
| 63 | GoContainer(name):: top.Container(name) { |
| 64 | executable_:: error "executable_ must be set", |
| 65 | command: [ |
| 66 | self.executable_, |
| 67 | "-hspki_realm", cfg.realm, |
| 68 | "-hspki_cluster", cfg.clusterFQDN, |
| 69 | "-hspki_tls_ca_path", "/mnt/pki/ca.crt", |
| 70 | "-hspki_tls_certificate_path", "/mnt/pki/tls.crt", |
| 71 | "-hspki_tls_key_path", "/mnt/pki/tls.key", |
| 72 | // TODO: Remove this after go/hspki services are updated not to require it |
| 73 | "-logtostderr", |
| 74 | ], |
| 75 | } |
| 76 | } |