feat(k8s/amour): add self signed https gateway

Author: uhthomas

k8s/amour/BUILD.bazel

@@ -70,13 +70,15 @@ cue_library(
     name = "cue_amour_library",
     srcs = [
         "apply_set_list.cue",
+        "cluster_issuer_list.cue",
         "cluster_secret_store_list.cue",
         "custom_resource_definition_list.cue",
         "gateway_class_list.cue",
     ],
     importpath = "github.com/uhthomas/automata/k8s/amour",
     visibility = ["//visibility:public"],
     deps = [
+        "//cue.mod/gen/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1:cue_v1_library",
         "//cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1:cue_v1beta1_library",
         "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
         "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library",

k8s/amour/cert_manager/BUILD.bazel

@@ -3,6 +3,8 @@ load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
 cue_library(
     name = "cue_cert_manager_library",
     srcs = [
+        "certificate_list.cue",
+        "cluster_issuer_list.cue",
         "cluster_role_binding_list.cue",
         "cluster_role_list.cue",
         "config_map_list.cue",
@@ -20,6 +22,8 @@ cue_library(
     importpath = "github.com/uhthomas/automata/k8s/amour/cert_manager",
     visibility = ["//visibility:public"],
     deps = [
+        "//cue.mod/gen/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1:cue_v1_library",
+        "//cue.mod/gen/github.com/cert-manager/cert-manager/pkg/apis/config/controller/v1alpha1:cue_v1alpha1_library",
         "//cue.mod/gen/k8s.io/api/admissionregistration/v1:cue_v1_library",
         "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
         "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",

k8s/amour/cert_manager/certificate_list.cue

@@ -0,0 +1,26 @@
+package cert_manager
+
+import certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
+#CertificateList: certmanagerv1.#CertificateList & {
+	apiVersion: "cert-manager.io/v1"
+	kind:       "CertificateList"
+	items: [...{
+		apiVersion: "cert-manager.io/v1"
+		kind:       "Certificate"
+	}]
+}
+
+#CertificateList: items: [{
+	metadata: name: "self-signed-ca"
+	spec: {
+		dnsNames: ["self-signed-ca"]
+		secretName: "self-signed-ca"
+		issuerRef: {
+			kind: certmanagerv1.#ClusterIssuerKind
+			name: "self-signed"
+		}
+		isCA: true
+		privateKey: rotationPolicy: "Always"
+	}
+}]

k8s/amour/cert_manager/cluster_issuer_list.cue

@@ -0,0 +1,17 @@
+package cert_manager
+
+import certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
+#ClusterIssuerList: certmanagerv1.#ClusterIssuerList & {
+	apiVersion: "cert-manager.io/v1"
+	kind:       "ClusterIssuerList"
+	items: [...{
+		apiVersion: "cert-manager.io/v1"
+		kind:       "ClusterIssuer"
+	}]
+}
+
+#ClusterIssuerList: items: [{
+	metadata: name: "self-signed"
+	spec: selfSigned: {}
+}]

k8s/amour/cert_manager/config_map_list.cue

@@ -1,6 +1,11 @@
 package cert_manager
 
-import "k8s.io/api/core/v1"
+import (
+	"encoding/yaml"
+
+	certmanagercontrollerv1alpha1 "github.com/cert-manager/cert-manager/pkg/apis/config/controller/v1alpha1"
+	"k8s.io/api/core/v1"
+)
 
 #ConfigMapList: v1.#ConfigMapList & {
 	apiVersion: "v1"
@@ -12,6 +17,16 @@ import "k8s.io/api/core/v1"
 }
 
 #ConfigMapList: items: [{
+	data: "config.yaml": yaml.Marshal(certmanagercontrollerv1alpha1.#ControllerConfiguration & {
+		apiVersion:       "controller.config.cert-manager.io/v1alpha1"
+		kind:             "ControllerConfiguration"
+		enableGatewayAPI: true
+		logging: {
+			flushFrequency: "5s"
+			verbosity:      2
+		}
+	})
+}, {
 	metadata: {
 		name: "cert-manager-webhook"
 		labels: {

k8s/amour/cert_manager/deployment_list.cue

@@ -107,6 +107,10 @@ _#FeatureGates: {
 				}
 			}
 			spec: {
+				volumes: [{
+					name: "config"
+					configMap: name: #Name
+				}]
 				containers: [{
 					name:  "cert-manager-controller"
 					image: "quay.io/jetstack/cert-manager-controller:v\(#Version)"
@@ -124,6 +128,7 @@ _#FeatureGates: {
 							]}
 							"--feature-gates=\(featureGates.value)"
 						},
+						"--config=/var/cert-manager/config/config.yaml",
 					]
 					ports: [{
 						name:          "http-metrics"
@@ -136,6 +141,10 @@ _#FeatureGates: {
 						name: "POD_NAMESPACE"
 						valueFrom: fieldRef: fieldPath: "metadata.namespace"
 					}]
+					volumeMounts: [{
+						name:      "config"
+						mountPath: "/var/cert-manager/config"
+					}]
 					// LivenessProbe settings are based on those used for the Kubernetes
 					// controller-manager. See:
 					// https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245

k8s/amour/cert_manager/list.cue

@@ -28,6 +28,7 @@ import (
 #List: items: list.Concat(_items)
 
 _items: [
+	#CertificateList.items,
 	#ClusterRoleBindingList.items,
 	#ClusterRoleList.items,
 	#ConfigMapList.items,

k8s/amour/cilium/envoy/daemon_set_list.cue

@@ -74,6 +74,7 @@ import (
 					image: "quay.io/cilium/cilium-envoy:v\(#Version)"
 					command: ["/usr/bin/cilium-envoy-starter"]
 					args: [
+						"--keep-cap-net-bind-service",
 						"--",
 						"-c /var/run/cilium/envoy/bootstrap-config.json",
 						"--base-id 0",
@@ -154,7 +155,7 @@ import (
 							level: "s0"
 						}
 						capabilities: {
-							add: ["NET_ADMIN", "SYS_ADMIN"]
+							add: ["NET_ADMIN", "NET_BIND_SERVICE", "SYS_ADMIN"]
 							drop: ["ALL"]
 						}
 					}

k8s/amour/cluster_issuer_list.cue

@@ -0,0 +1,20 @@
+package amour
+
+import certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
+#ClusterIssuerList: certmanagerv1.#ClusterIssuerList & {
+	apiVersion: "cert-manager.io/v1"
+	kind:       "ClusterIssuerList"
+	items: [...{
+		apiVersion: "cert-manager.io/v1"
+		kind:       "ClusterIssuer"
+	}]
+}
+
+#ClusterIssuerList: items: [{
+	metadata: name: "self-signed"
+	spec: selfSigned: {}
+}, {
+	metadata: name: "self-signed-ca"
+	spec: ca: secretName: "self-signed-ca"
+}]

k8s/amour/grafana/gateway_list.cue

@@ -12,12 +12,20 @@ import gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 }
 
 #GatewayList: items: [{
+	metadata: annotations: "cert-manager.io/cluster-issuer": "self-signed-ca"
 	spec: {
 		gatewayClassName: "cilium"
 		listeners: [{
 			name:     "http"
+			hostname: "grafana-amour.hipparcos.net"
 			port:     80
 			protocol: gatewayv1.#HTTPProtocolType
+		}, {
+			name:     "https"
+			hostname: "grafana-amour.hipparcos.net"
+			port:     443
+			protocol: gatewayv1.#HTTPSProtocolType
+			tls: certificateRefs: [{name: "\(#Name)-tls"}]
 		}]
 	}
 }]