| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 1 | // HSPKI support |
| 2 | // (This is meant to be a simpler abstraction than mirko.libsonnet) |
| 3 | // To connect certificate to a HSPKI/Mirko service, use PodSpec and Container() or GoContainer() |
| 4 | { |
| radex | e96971d | 2025-01-17 22:57:21 +0100 | [diff] [blame] | 5 | kube:: import "kube.libsonnet", |
| 6 | local kube = self.kube, |
| 7 | |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 8 | local top = self, |
| 9 | local cfg = top.cfg, |
| 10 | |
| 11 | metadata:: { |
| 12 | namespace: error "namespace must be set", |
| 13 | }, |
| 14 | |
| 15 | cfg:: { |
| 16 | // name is used to generate certificate and secret names |
| 17 | // and should match name of the Service |
| 18 | name: error "name must be set", |
| 19 | namespace: top.metadata.namespace, |
| 20 | |
| 21 | certName: cfg.name + '-cert', |
| 22 | secretName: cfg.name + '-cert', |
| 23 | |
| radex | 7d904c6 | 2025-01-22 13:26:31 +0100 | [diff] [blame] | 24 | // short name (k0, k1, etc.) |
| 25 | cluster: error 'cluster must be set', |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 26 | realm: "hswaw.net", |
| radex | 7d904c6 | 2025-01-22 13:26:31 +0100 | [diff] [blame] | 27 | clusterFQDN: '%s.%s' % [cfg.cluster, cfg.realm], |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 28 | }, |
| 29 | |
| 30 | local ns = kube.Namespace(cfg.namespace), |
| 31 | |
| 32 | cert: ns.Contain(kube.Certificate(cfg.certName)) { |
| 33 | spec: { |
| 34 | secretName: cfg.secretName, |
| radex | 5989d4c | 2025-03-31 21:44:56 +0200 | [diff] [blame] | 35 | duration: "35040h0m0s", // 4 years |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 36 | issuerRef: { |
| 37 | // Contract with cluster/lib/pki.libsonnet. |
| 38 | name: "pki-ca", |
| 39 | kind: "ClusterIssuer", |
| 40 | }, |
| 41 | local name = cfg.name, |
| 42 | local namespace = cfg.namespace, |
| 43 | commonName: "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN], |
| 44 | dnsNames: [ |
| 45 | "%s" % [name], |
| 46 | "%s.%s" % [name, namespace], |
| 47 | "%s.%s.svc" % [name, namespace], |
| 48 | "%s.%s.svc.cluster.local" % [name, namespace], |
| 49 | "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN], |
| 50 | ], |
| 51 | }, |
| 52 | }, |
| 53 | |
| 54 | PodSpec:: kube.PodSpec { |
| 55 | volumes_+: { |
| 56 | hspki: { secret: { secretName: cfg.secretName } }, |
| 57 | }, |
| 58 | }, |
| 59 | |
| 60 | Container(name):: kube.Container(name) { |
| 61 | volumeMounts_+: { |
| 62 | hspki: { mountPath: "/mnt/pki" }, |
| 63 | }, |
| 64 | }, |
| 65 | |
| 66 | GoContainer(name):: top.Container(name) { |
| 67 | executable_:: error "executable_ must be set", |
| 68 | command: [ |
| 69 | self.executable_, |
| radex | 5989d4c | 2025-03-31 21:44:56 +0200 | [diff] [blame] | 70 | "-hspki_realm", |
| 71 | cfg.realm, |
| 72 | "-hspki_cluster", |
| 73 | cfg.clusterFQDN, |
| 74 | "-hspki_tls_ca_path", |
| 75 | "/mnt/pki/ca.crt", |
| 76 | "-hspki_tls_certificate_path", |
| 77 | "/mnt/pki/tls.crt", |
| 78 | "-hspki_tls_key_path", |
| 79 | "/mnt/pki/tls.key", |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 80 | // TODO: Remove this after go/hspki services are updated not to require it |
| 81 | "-logtostderr", |
| 82 | ], |
| radex | 5989d4c | 2025-03-31 21:44:56 +0200 | [diff] [blame] | 83 | }, |
| Radek Pietruszewski | 56b2e04 | 2023-10-29 19:04:59 +0100 | [diff] [blame] | 84 | } |