Move cert-manager manifest changes out of vendor

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

demo/config.dist.jsonnet

@@ -5,8 +5,8 @@ function(cloud='google') main {
   // this will only run the google cluster
   clouds: {
     google: main.clouds.google,
-    amazon: null,
-    digitalocean: null,
+    amazon: main.clouds.amazon,
+    digitalocean: main.clouds.digitalocean,
   },
   base_domain: '.kubernetes.example.net',
   cert_manager+: {

demo/manifests/components/cert-manager.jsonnet

@@ -1,11 +1,19 @@
-local upstream_cert_manager = import '../vendor/kube-prod-runtime/components/cert-manager.jsonnet';
 local kube = import '../vendor/kube-prod-runtime/lib/kube.libsonnet';
+local cert_manager_manifests = import './cert-manager/cert-manager.json';
 
 local CERT_MANAGER_IMAGE = '';
 
-upstream_cert_manager {
+{
   ca_secret_name:: 'ca-key-pair',
 
+  p:: '',
+  metadata:: {
+    metadata+: {
+      namespace: 'kubeprod',
+    },
+  },
+  letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined',
+
   // create simple to use certificate resource
   Certificate(namespace, name, issuer, solver, domains):: kube._Object($.certCRD.spec.group + '/' + $.certCRD.spec.version, $.certCRD.spec.names.kind, name) + {
     metadata+: {
@@ -21,4 +29,47 @@ upstream_cert_manager {
       },
     },
   },
+
+  // Letsencrypt environments
+  letsencrypt_environments:: {
+    prod: $.letsencryptProd.metadata.name,
+    staging: $.letsencryptStaging.metadata.name,
+  },
+  // Letsencrypt environment (defaults to the production one)
+  letsencrypt_environment:: 'prod',
+
+  Issuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'Issuer', name) {
+  },
+
+  ClusterIssuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'ClusterIssuer', name) {
+  },
+
+  certCRD: kube.CustomResourceDefinition('certmanager.k8s.io', 'v1alpha1', 'Certificate') {
+    spec+: { names+: { shortNames+: ['cert', 'certs'] } },
+  },
+
+  deploy: cert_manager_manifests,
+
+  letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') {
+    local this = self,
+    spec+: {
+      acme+: {
+        server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+        email: $.letsencrypt_contact_email,
+        privateKeySecretRef: { name: this.metadata.name },
+        http01: {},
+      },
+    },
+  },
+
+  letsencryptProd: $.letsencryptStaging {
+    metadata+: { name: $.p + 'letsencrypt-prod' },
+    spec+: {
+      acme+: {
+        server: 'https://acme-v02.api.letsencrypt.org/directory',
+      },
+    },
+  },
+
+  solvers+:: [],
 }

demo/manifests/vendor/kube-prod-runtime/components/cert-manager/cert-manager.json renamed to demo/manifests/components/cert-manager/cert-manager.json

@@ -17,58 +17,136 @@
  * limitations under the License.
  */
 
-local kube = import '../lib/kube.libsonnet';
-local cert_manager_manifests = import './cert-manager/cert-manager.json';
+local kube = import "../lib/kube.libsonnet";
+local CERT_MANAGER_IMAGE = (import "images.json")["cert-manager"];
 
 {
-  p:: '',
+  p:: "",
   metadata:: {
     metadata+: {
-      namespace: 'kubeprod',
+      namespace: "kubeprod",
     },
   },
-  letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined',
+  letsencrypt_contact_email:: error "Letsencrypt contact e-mail is undefined",
 
   // Letsencrypt environments
   letsencrypt_environments:: {
-    prod: $.letsencryptProd.metadata.name,
-    staging: $.letsencryptStaging.metadata.name,
+    "prod": $.letsencryptProd.metadata.name,
+    "staging": $.letsencryptStaging.metadata.name,
   },
   // Letsencrypt environment (defaults to the production one)
-  letsencrypt_environment:: 'prod',
+  letsencrypt_environment:: "prod",
 
-  Issuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'Issuer', name) {
+  Issuer(name):: kube._Object("certmanager.k8s.io/v1alpha1", "Issuer", name) {
   },
 
-  ClusterIssuer(name):: kube._Object('certmanager.k8s.io/v1alpha1', 'ClusterIssuer', name) {
+  ClusterIssuer(name):: kube._Object("certmanager.k8s.io/v1alpha1", "ClusterIssuer", name) {
   },
 
-  certCRD: kube.CustomResourceDefinition('certmanager.k8s.io', 'v1alpha1', 'Certificate') {
-    spec+: { names+: { shortNames+: ['cert', 'certs'] } },
+  certCRD: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Certificate") {
+    spec+: { names+: { shortNames+: ["cert", "certs"] } },
+
   },
 
-  deploy: cert_manager_manifests,
+  issuerCRD: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "Issuer"),
+
+  clusterissuerCRD: kube.CustomResourceDefinition("certmanager.k8s.io", "v1alpha1", "ClusterIssuer") {
+    spec+: {
+      scope: "Cluster",
+    },
+  },
 
-  letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') {
+  sa: kube.ServiceAccount($.p + "cert-manager") + $.metadata {
+  },
+
+  clusterRole: kube.ClusterRole($.p + "cert-manager") {
+    rules: [
+      {
+        apiGroups: ["certmanager.k8s.io"],
+        resources: ["certificates", "issuers", "clusterissuers"],
+        // FIXME: audit - the helm chart just has "*"
+        verbs: ["get", "list", "watch", "create", "patch", "update", "delete"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["secrets", "configmaps", "services", "pods"],
+        // FIXME: audit - the helm chart just has "*"
+        verbs: ["get", "list", "watch", "create", "patch", "update", "delete"],
+      },
+      {
+        apiGroups: ["extensions"],
+        resources: ["ingresses"],
+        // FIXME: audit - the helm chart just has "*"
+        verbs: ["get", "list", "watch", "create", "patch", "update", "delete"],
+      },
+      {
+        apiGroups: [""],
+        resources: ["events"],
+        verbs: ["create", "patch", "update"],
+      },
+    ],
+  },
+
+  clusterRoleBinding: kube.ClusterRoleBinding($.p+"cert-manager") {
+    roleRef_: $.clusterRole,
+    subjects_+: [$.sa],
+  },
+
+  deploy: kube.Deployment($.p+"cert-manager") + $.metadata {
+    spec+: {
+      template+: {
+        metadata+: {
+          annotations+: {
+            "prometheus.io/scrape": "true",
+            "prometheus.io/port": "9402",
+            "prometheus.io/path": "/metrics",
+          },
+        },
+        spec+: {
+          serviceAccountName: $.sa.metadata.name,
+          containers_+: {
+            default: kube.Container("cert-manager") {
+              image: CERT_MANAGER_IMAGE,
+              args_+: {
+                "cluster-resource-namespace": "$(POD_NAMESPACE)",
+                "leader-election-namespace": "$(POD_NAMESPACE)",
+                "default-issuer-name": $.letsencrypt_environments[$.letsencrypt_environment],
+                "default-issuer-kind": "ClusterIssuer",
+              },
+              env_+: {
+                POD_NAMESPACE: kube.FieldRef("metadata.namespace"),
+              },
+              ports_+: {
+                prometheus: {containerPort: 9402},
+              },
+              resources: {
+                requests: {cpu: "10m", memory: "32Mi"},
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+
+  letsencryptStaging: $.ClusterIssuer($.p+"letsencrypt-staging") {
     local this = self,
     spec+: {
       acme+: {
-        server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+        server: "https://acme-staging-v02.api.letsencrypt.org/directory",
         email: $.letsencrypt_contact_email,
-        privateKeySecretRef: { name: this.metadata.name },
+        privateKeySecretRef: {name: this.metadata.name},
         http01: {},
       },
     },
   },
 
   letsencryptProd: $.letsencryptStaging {
-    metadata+: { name: $.p + 'letsencrypt-prod' },
+    metadata+: {name: $.p+"letsencrypt-prod"},
     spec+: {
       acme+: {
-        server: 'https://acme-v02.api.letsencrypt.org/directory',
+        server: "https://acme-v02.api.letsencrypt.org/directory",
       },
     },
   },
-
-  solvers+:: [],
 }