local kube = import "kube.libsonnet";
// HSPKI support
// (This is meant to be a simpler abstraction than mirko.libsonnet)
// To attach the certificate to a HSPKI/Mirko service, use PodSpec together with Container() or GoContainer()
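{
    local top = self,
    local cfg = top.cfg,

    // Single source of truth for where the certificate Secret is mounted in
    // containers; Container() mounts it here and GoContainer() passes the
    // file paths below to the binary.
    local pkiMountPath = "/mnt/pki",

    // Consumers must set metadata.namespace (cfg.namespace defaults to it).
    metadata:: {
        namespace: error "namespace must be set",
    },

    cfg:: {
        // name is used to generate certificate and secret names
        // and should match name of the Service
        name: error "name must be set",
        namespace: top.metadata.namespace,

        certName: cfg.name + '-cert',
        secretName: cfg.name + '-cert',

        realm: "hswaw.net",
        clusterFQDN: "k0.hswaw.net",

        // Validity requested for the certificate. The default, 35040h, is
        // 4 years; that is a long lifetime for a service certificate whose
        // private key is distributed to every pod via PodSpec/Container
        // below, so services where re-issuance is cheap may override it
        // with a shorter duration.
        certDuration: "35040h0m0s",
    },

    local ns = kube.Namespace(cfg.namespace),

    // Certificate object (cert-manager API: secretName/duration/issuerRef)
    // for this service, issued by the cluster-wide HSPKI CA. GoContainer()
    // expects the resulting Secret to provide ca.crt, tls.crt and tls.key.
    cert: ns.Contain(kube.Certificate(cfg.certName)) {
        spec: {
            secretName: cfg.secretName,
            duration: cfg.certDuration,
            issuerRef: {
                // Contract with cluster/lib/pki.libsonnet.
                name: "pki-ca",
                kind: "ClusterIssuer",
            },
            local name = cfg.name,
            local namespace = cfg.namespace,
            // Fully qualified in-cluster service name; also repeated as the
            // most specific SAN below.
            local fqdn = "%s.%s.svc.%s" % [name, namespace, cfg.clusterFQDN],
            commonName: fqdn,
            // All forms under which the Service is addressable in-cluster,
            // so clients may verify against whichever name they dial.
            dnsNames: [
                "%s" % [name],
                "%s.%s" % [name, namespace],
                "%s.%s.svc" % [name, namespace],
                "%s.%s.svc.cluster.local" % [name, namespace],
                fqdn,
            ],
        },
    },

    // Pod mixin: exposes the certificate Secret as the 'hspki' volume.
    PodSpec:: kube.PodSpec {
        volumes_+: {
            hspki: { secret: { secretName: cfg.secretName } },
        },
    },

    // Container mixin: mounts the 'hspki' volume (defined by PodSpec above)
    // at pkiMountPath. The mount carries the private key, so only containers
    // that actually need HSPKI should use this mixin.
    Container(name):: kube.Container(name) {
        volumeMounts_+: {
            hspki: { mountPath: pkiMountPath },
        },
    },

    // Container mixin for go/hspki binaries: in addition to the mount, passes
    // the realm, cluster and certificate file paths as command-line flags.
    // executable_ must be set by the caller.
    GoContainer(name):: top.Container(name) {
        executable_:: error "executable_ must be set",
        command: [
            self.executable_,
            "-hspki_realm", cfg.realm,
            "-hspki_cluster", cfg.clusterFQDN,
            "-hspki_tls_ca_path", pkiMountPath + "/ca.crt",
            "-hspki_tls_certificate_path", pkiMountPath + "/tls.crt",
            "-hspki_tls_key_path", pkiMountPath + "/tls.key",
            // TODO: Remove this after go/hspki services are updated not to require it
            "-logtostderr",
        ],
    },
}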