local kube = import "../../../kube/kube.libsonnet";
{
    // Environment builds the cert-manager objects backing a per-cluster
    // internal PKI: a self-signing Issuer, the CA keypair it signs, and a
    // ClusterIssuer that signs leaf certificates with that CA.
    //
    //   clusterShort: short cluster name, first label of clusterFQDN
    //   realm:        domain the cluster is placed under
    //
    // The `::` fields are hidden and can be overridden by mixing an object
    // into the result, e.g. `Environment("k0", "example.org") { namespace:: "x" }`.
    Environment(clusterShort, realm): {
        local cfg = self,

        // Mixin pinning a namespaced object to this environment's namespace.
        local inNamespace = { metadata+: { namespace: cfg.namespace } },

        realm:: realm,
        clusterShort:: clusterShort,
        clusterFQDN:: std.format("%s.%s", [clusterShort, realm]),

        // The CA Secret has to live where cert-manager looks up ClusterIssuer
        // secrets, presumably its own namespace — see
        // https://github.com/jetstack/cert-manager/issues/2130
        namespace:: "cert-manager",

        // Root of trust: an Issuer that self-signs whatever it is asked to sign.
        // Only used to bootstrap the CA certificate below.
        selfSignedIssuer: kube.Issuer("pki-selfsigned") + inNamespace + {
            spec: {
                selfSigned: {},
            },
        },

        // The CA keypair, self-signed via the Issuer above. Its private key
        // ends up in Secret `pki-selfsigned-cert` in cfg.namespace; access to
        // that Secret is equivalent to owning the CA.
        // NOTE(review): no `privateKey` block, so cert-manager's default key
        // algorithm/size and rotation policy apply — confirm those are
        // acceptable for a CA with a 5-year lifetime.
        selfSignedCert: kube.Certificate("pki-selfsigned") + inNamespace + {
            spec: {
                secretName: "pki-selfsigned-cert",
                // 5 years, expressed in hours (5 * 365 * 24 = 43800).
                duration: "%dh0m0s" % [5 * 365 * 24],
                isCA: true,
                issuerRef: {
                    name: cfg.selfSignedIssuer.metadata.name,
                },
                commonName: "pki-ca",
            },
        },

        // Cluster-wide issuer signing with the CA keypair above.
        // NOTE(review): being a ClusterIssuer, any namespace that may create
        // Certificate resources referencing it can obtain CA-signed certs —
        // verify that is the intended trust boundary.
        issuer: kube.ClusterIssuer("pki-ca") {
            spec: {
                ca: {
                    secretName: cfg.selfSignedCert.spec.secretName,
                },
            },
        },
    },
}