local acme = import 'acme.libsonnet';
local cm = import 'lib/cert-manager.libsonnet';
local com = import 'lib/commodore.libjsonnet';
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local resourcelocker = import 'lib/resource-locker.libjsonnet';
// Component configuration, resolved from the Kapitan inventory once and
// shared by every definition below.
local inv = kap.inventory(),
      params = inv.parameters.openshift4_ingress,
      // ACME support is derived purely from the inventory: it is assumed when
      // `params.cloud` carries a section named after `params.cloud.provider`.
      hasAcmeSupport = std.objectHas(params.cloud, params.cloud.provider);
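// Names of the configured ingress controllers (empty when the whole map is
// `null`). Entries whose value is `null` are skipped as well, mirroring how
// `params.secrets` and `params.cert_manager_certs` are handled further down:
// setting a key to `null` is the usual way to drop it in the hierarchy, and a
// `null` entry would otherwise only surface later as a runtime error from
// `std.objectHas()` or the object merge in the IngressController spec.
local ingressControllers =
  if params.ingressControllers != null then
    std.filter(
      function(name) params.ingressControllers[name] != null,
      std.objectFields(params.ingressControllers)
    )
  else
    [];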
// A controller gets an ACME-issued wildcard certificate only when the cloud
// provider supports ACME and the controller definition does not bring its own
// `defaultCertificate`. The provider check comes first so that the controller
// entry is never inspected when ACME is unavailable anyway.
local usesAcme(name) =
  if !hasAcmeSupport then
    false
  else
    !std.objectHas(params.ingressControllers[name], 'defaultCertificate');

// True as soon as at least one controller relies on ACME; gates whether the
// shared ACME issuer is emitted at all. `||` short-circuits, so controllers
// after the first match are not inspected.
local anyControllerUsesAcme = std.foldl(
  function(acc, ctrl) acc || usesAcme(ctrl),
  ingressControllers,
  false,
);
// Patch (applied through resource-locker) that labels the `default` namespace
// with `network.openshift.io/policy-group=hostNetwork`.
// NOTE(review): presumably so that NetworkPolicies can select traffic from
// host-network router pods, which is attributed to the `default` namespace —
// confirm against the OpenShift documentation before changing the label.
local defaultNamespacePatch =
  local hostNetworkLabels = {
    'network.openshift.io/policy-group': 'hostNetwork',
  };
  resourcelocker.Patch(
    kube.Namespace('default'),
    { metadata: { labels: hostNetworkLabels } }
  );
// Whether `secret` (after the user-supplied content has been merged in) is
// acceptable as a `kubernetes.io/tls` Secret: its `type` must match and
// `stringData` may only carry the keys `ca.crt`, `tls.crt` and `tls.key`.
// The check only rejects foreign keys; it does not require `tls.crt` or
// `tls.key` to be present, so an empty `stringData` passes as well.
local isTlsSecret(secret) =
  local allowedKeys = std.set([ 'ca.crt', 'tls.crt', 'tls.key' ]);
  local presentKeys = std.set(std.objectFields(secret.stringData));
  local foreignKeys = std.setDiff(presentKeys, allowedKeys);
  if secret.type != 'kubernetes.io/tls' then
    false
  else
    foreignKeys == [];
// Additional TLS secrets defined in `params.secrets`. Every non-null entry is
// rendered as a `kubernetes.io/tls` Secret in the component namespace, named
// via `kube.hyphenate`, with the user-supplied content merged on top. An
// entry that does not satisfy `isTlsSecret` (wrong `type`, or keys other than
// `ca.crt`/`tls.crt`/`tls.key` in `stringData`) aborts the whole render.
local extraSecrets =
  // Append a newline to each PEM value that is present in `stringData`.
  // NOTE(review): presumably to guarantee a terminating newline for whatever
  // consumes the PEM data — confirm before removing.
  local withTrailingNewline(secret) = secret {
    stringData+: {
      [if 'tls.key' in secret.stringData then 'tls.key']: super['tls.key'] + '\n',
      [if 'tls.crt' in secret.stringData then 'tls.crt']: super['tls.crt'] + '\n',
      [if 'ca.crt' in secret.stringData then 'ca.crt']: super['ca.crt'] + '\n',
    },
  };
  // Build one Secret for parameter key `s`; `null` marks a skipped entry.
  local renderSecret(s) =
    local scontent = params.secrets[s];
    local secret = kube.Secret(kube.hyphenate(s)) {
      type: 'kubernetes.io/tls',
      metadata+: { namespace: params.namespace },
    } + com.makeMergeable(scontent);
    if scontent == null then
      null
    else if isTlsSecret(secret) then
      withTrailingNewline(secret)
    else
      error "Invalid secret definition for key '%s'. This component expects secret definitions which are valid for kubernetes.io/tls secrets." % s;
  std.filter(
    function(it) it != null,
    std.map(renderSecret, std.objectFields(params.secrets))
  );
// Additional cert-manager Certificates defined in `params.cert_manager_certs`.
// Every non-null entry becomes a Certificate in the component namespace whose
// `secretName` defaults to the certificate's own hyphenated name; the
// user-supplied definition is merged last and may override any field.
local extraCerts =
  // Build one Certificate for parameter key `c`; `null` marks a skipped entry.
  local renderCert(c) =
    local cert = params.cert_manager_certs[c];
    local cname = kube.hyphenate(c);
    if cert == null then
      null
    else
      cm.cert(cname) {
        metadata+: { namespace: params.namespace },
        spec+: { secretName: '%s' % cname },
      } + com.makeMergeable(cert);
  std.filter(
    function(it) it != null,
    std.map(renderCert, std.objectFields(params.cert_manager_certs))
  );
// Component output. With at least one ingress controller configured the
// result is one output key per controller plus the shared objects below;
// otherwise only an empty `.gitkeep` is emitted.
// NOTE(review): the output keys presumably become file names, with the
// numeric prefixes ordering them — confirm against the Commodore docs.
if std.length(ingressControllers) > 0 then
  {
    // Name of the ACME wildcard Certificate belonging to this controller.
    local acmeCertName = 'acme-wildcard-' + name,
    // Optional per-controller annotations; an `if` without `else` yields
    // `null`, which the conditional field below filters out.
    // NOTE(review): `params.ingressControllerAnnotations` must be an object —
    // unlike `params.ingressControllers`, a `null` value is not tolerated by
    // `std.objectHas()` here.
    local annotations =
      if std.objectHas(params.ingressControllerAnnotations, name) then
        params.ingressControllerAnnotations[name],
    [name]:
      [ kube._Object('operator.openshift.io/v1', 'IngressController', name) {
        metadata+: {
          namespace: params.namespace + '-operator',
          [if annotations != null then 'annotations']: annotations,
        },
        // The ACME certificate reference is only a default: the user-supplied
        // controller definition is merged last and wins, including an
        // explicitly configured `defaultCertificate`.
        spec: {
          [if hasAcmeSupport then 'defaultCertificate']: {
            name: acmeCertName,
          },
        } + params.ingressControllers[name],
      } ] +
      // Wildcard Certificate for the controller's domain, emitted only when
      // the controller relies on ACME (see `usesAcme`). Requires the
      // controller definition to carry a `domain` field.
      if usesAcme(name) then
        [
          acme.cert(acmeCertName, [ '*.' + params.ingressControllers[name].domain ]),
        ] else []
    for name in ingressControllers
  } + {
    '00_label_patches': defaultNamespacePatch,
    '01_aggregated_clusterroles': (import 'aggregated-clusterroles.libsonnet'),
    // One shared issuer, present only if some controller uses ACME.
    [if anyControllerUsesAcme then 'acmeIssuer']: acme.issuer,
    [if std.length(extraSecrets) > 0 then '10_extra_secrets']: extraSecrets,
    [if std.length(extraCerts) > 0 then '10_extra_certificates']: extraCerts,
  } +
  // Monitoring objects are rendered only when enabled in the parameters and
  // the `prometheus` application is part of this cluster's inventory.
  if params.monitoring.enabled && std.member(inv.applications, 'prometheus') then
    import 'monitoring.libsonnet'
  else
    {}
else
  // if no ingressControllers are configured, only emit an empty `.gitkeep`
  // file.
  {
    '.gitkeep': {},
  }