local kube = import "kube.libsonnet";

// HSPKI support.
//
// A lighter-weight alternative to mirko.libsonnet: this library only produces
// the service Certificate plus the PodSpec/Container mixins that expose the
// resulting Secret to a workload under /mnt/pki.
//
// To wire a workload to a HSPKI/Mirko service, use PodSpec together with
// Container() or GoContainer().
{
  local hspki = self,
  local cfg = hspki.cfg,

  metadata:: {
    namespace: error "namespace must be set",
  },

  cfg:: {
    // name drives both the Certificate and Secret names and should match the
    // Service name: the certificate's CN and SANs below are all built from it.
    name: error "name must be set",
    namespace: hspki.metadata.namespace,
    certName: cfg.name + '-cert',
    secretName: cfg.name + '-cert',
    realm: "hswaw.net",
    clusterFQDN: "k0.hswaw.net",
  },

  local nsObj = kube.Namespace(cfg.namespace),

  // The service certificate, issued via the cluster-wide pki-ca ClusterIssuer
  // and stored in the Secret named cfg.secretName.
  cert: nsObj.Contain(kube.Certificate(cfg.certName)) {
    spec: {
      local svcName = cfg.name,
      local svcNamespace = cfg.namespace,

      secretName: cfg.secretName,
      // 35040h = 4 years. Long validity; nothing in this file rotates or
      // revokes the issued certificate.
      duration: "35040h0m0s",
      issuerRef: {
        // Contract with cluster/lib/pki.libsonnet.
        name: "pki-ca",
        kind: "ClusterIssuer",
      },
      // CN is the cluster-qualified in-cluster service name.
      commonName: "%s.%s.svc.%s" % [svcName, svcNamespace, cfg.clusterFQDN],
      // SANs cover every form an in-cluster client might dial, from the bare
      // Service name up to the cluster-qualified FQDN.
      dnsNames: [
        "%s" % [svcName],
        "%s.%s" % [svcName, svcNamespace],
        "%s.%s.svc" % [svcName, svcNamespace],
        "%s.%s.svc.cluster.local" % [svcName, svcNamespace],
        "%s.%s.svc.%s" % [svcName, svcNamespace, cfg.clusterFQDN],
      ],
    },
  },

  // PodSpec mixin: exposes the certificate Secret as the `hspki` volume.
  PodSpec:: kube.PodSpec {
    volumes_+: {
      hspki: { secret: { secretName: cfg.secretName } },
    },
  },

  // Container mixin: mounts the `hspki` volume at /mnt/pki. GoContainer below
  // expects ca.crt, tls.crt and tls.key to be present there.
  Container(name):: kube.Container(name) {
    volumeMounts_+: {
      hspki: { mountPath: "/mnt/pki" },
    },
  },

  // Container mixin for go/hspki services: points the hspki flags at the
  // mounted key material. Callers must set executable_.
  GoContainer(name):: hspki.Container(name) {
    executable_:: error "executable_ must be set",
    command: [self.executable_] + [
      "-hspki_realm", cfg.realm,
      "-hspki_cluster", cfg.clusterFQDN,
      "-hspki_tls_ca_path", "/mnt/pki/ca.crt",
      "-hspki_tls_certificate_path", "/mnt/pki/tls.crt",
      "-hspki_tls_key_path", "/mnt/pki/tls.key",
      // TODO: Remove this after go/hspki services are updated not to require it
      "-logtostderr",
    ],
  },
}