(#30) Add httpbin Gateway and VirtualService

There isn't a default Gateway yet, so use a specific `httpbin` gateway
to test istio instead.

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -324,13 +324,7 @@ import "strings"
 			// withoutHeader has the same syntax with the header, but has
 			// opposite meaning.
 			withoutHeaders?: {
-				[string]: ({} | {
-					exact: _
-				} | {
-					prefix: _
-				} | {
-					regex: _
-				}) & {
+				[string]: {
 					exact?:  string
 					prefix?: string
 
@@ -383,11 +377,7 @@ import "strings"
 
 		// A HTTP rule can either return a direct_response, redirect or
 		// forward (default) traffic.
-		redirect?: ({} | {
-			port: _
-		} | {
-			derivePort: _
-		}) & {
+		redirect?: {
 			// On a redirect, overwrite the Authority/Host portion of the URL
 			// with this value.
 			authority?: string

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -19,3 +19,8 @@ package v1
   apiVersion: "v1"
   kind: "Pod"
 }
+
+#Service: {
+  apiVersion: "v1"
+  kind: "Service"
+}

docs/examples/namespaces.cue

@@ -4,6 +4,7 @@ package holos
 #PlatformNamespace: {
 	name: string
 	labels?: {[string]: string}
+	annotations?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -10,7 +10,9 @@ package holos
 }
 
 #HelmChart & {
-	values: installCRDs: true
+	values: #UpstreamValues & {
+		installCRDs: true
+	}
 	namespace: #TargetNamespace
 	chart: {
 		name:    "cert-manager"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -0,0 +1,75 @@
+package holos
+
+let Name = "httpbin"
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
+let Metadata = {
+	name:      Name
+	namespace: #TargetNamespace
+	labels: app: Name
+}
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+let Cert = #HTTP01Cert & {
+	_name:   Name
+	_secret: SecretName
+}
+
+#KubernetesObjects & {
+	apiObjects: {
+		Certificate: httpbin: Cert.object
+		Deployment: httpbin: #Deployment & {
+			metadata: Metadata
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: MatchLabels
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: httpbin: #Service & {
+			metadata: Metadata
+			spec: selector: MatchLabels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		Gateway: httpbin: #Gateway & {
+			metadata: Metadata
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: ["\(#TargetNamespace)/\(Cert.Host)"]
+					port: name:          "https-\(#InstanceName)"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: Cert.SecretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+		VirtualService: httpbin: #VirtualService & {
+			metadata: Metadata
+			spec: hosts: [Cert.Host]
+			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/ingress/ingress.cue

@@ -50,28 +50,74 @@ import "encoding/json"
 _ProxyProtocol: gatewayTopology: proxyProtocol: {}
 
 // Additional holos specific API Objects
-let LoopbackName = #GatewayValues.name + "-loopback"
+let Name = #GatewayValues.name
+let GatewayLabels = {
+	app:   Name
+	istio: "ingressgateway"
+}
+let RedirectMetaName = {
+	name:      Name + "-https-redirect"
+	namespace: #TargetNamespace
+}
+
+// https-redirect
+_APIObjects: {
+	Gateway: {
+		httpsRedirect: #Gateway & {
+			metadata: RedirectMetaName
+			spec: selector: GatewayLabels
+			spec: servers: [{
+				port: {
+					number:   80
+					name:     "http2"
+					protocol: "HTTP2"
+				}
+				hosts: ["*"]
+				// handled by the VirtualService
+				tls: httpsRedirect: false
+			}]
+		}
+	}
+	VirtualService: {
+		httpsRedirect: #VirtualService & {
+			metadata: RedirectMetaName
+			spec: hosts: ["*"]
+			spec: gateways: [RedirectMetaName.name]
+			spec: http: [{
+				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+				redirect: {
+					scheme:       "https"
+					redirectCode: 302
+				}
+			}]
+		}
+	}
+}
+
+let LoopbackName = Name + "-loopback"
 let LoopbackDescription = "Allows in-cluster traffic to stay in cluster via traffic routing"
 let LoopbackLabels = {
 	app:   LoopbackName
 	istio: "ingressgateway"
 }
+let LoopbackMetaName = {
+	name:      LoopbackName
+	namespace: #TargetNamespace
+}
 
+// istio-ingressgateway-loopback
 _APIObjects: {
 	Deployment: {
 		loopback: #Deployment & {
 			_description: LoopbackDescription
-			metadata: {
-				name:      LoopbackName
-				namespace: #TargetNamespace
-			}
+			metadata:     LoopbackMetaName
 			spec: {
 				selector: matchLabels: LoopbackLabels
 				template: {
 					metadata: {
-						annotations: #CommonAnnotations & {
-							_Description:                LoopbackDescription
-							"inject.istio.io/templates": "gateway"
+						annotations: "inject.istio.io/templates": "gateway"
+						annotations: #Description & {
+							_Description: LoopbackDescription
 						}
 						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
 					}
@@ -98,4 +144,12 @@ _APIObjects: {
 			}
 		}
 	}
+	Service: {
+		loopback: #Service & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: selector:      LoopbackLabels
+			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+		}
+	}
 }

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -4,11 +4,11 @@ package holos
 #InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: targetNamespace: #TargetNamespace
 #DependsOn: _Namespaces
 
 // Common Dependencies
-_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
-_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"
-_IstioBase: IstioBase: name:     "\(#InstancePrefix)-istio-base"
-_IstioD: IstioD: name:           "\(#InstancePrefix)-istiod"
+_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
+_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"

docs/examples/schema.cue

@@ -9,7 +9,10 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	es "external-secrets.io/externalsecret/v1beta1"
 	ss "external-secrets.io/secretstore/v1beta1"
-	cm "cert-manager.io/clusterissuer/v1"
+	ci "cert-manager.io/clusterissuer/v1"
+	crt "cert-manager.io/certificate/v1"
+	gw "networking.istio.io/gateway/v1beta1"
+	vs "networking.istio.io/virtualservice/v1beta1"
 	"encoding/yaml"
 )
 
@@ -37,11 +40,17 @@ _apiVersion: "holos.run/v1alpha1"
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
+// #SelectorLabels are mixed into selectors.
+#SelectorLabels: {
+	"holos.run/stage.name":     #StageName
+	"holos.run/project.name":   #CollectionName
+	"holos.run/component.name": #ComponentName
+	...
+}
+
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":        #StageName
-	"holos.run/project.name":      #CollectionName
-	"holos.run/component.name":    #ComponentName
+	#SelectorLabels
 	"app.kubernetes.io/part-of":   #StageName
 	"app.kubernetes.io/name":      #CollectionName
 	"app.kubernetes.io/component": #ComponentName
@@ -50,26 +59,26 @@ _apiVersion: "holos.run/v1alpha1"
 }
 
 #ClusterObject: {
+	_description: string | *""
 	metadata: metav1.#ObjectMeta & {
 		labels: #CommonLabels
+		annotations: #Description & {
+			_Description: _description
+			...
+		}
 	}
 	...
 }
 
-#CommonAnnotations: {
+#Description: {
 	_Description:            string | *""
 	"holos.run/description": _Description
 	...
 }
 
 #NamespaceObject: #ClusterObject & {
-	_description: string | *""
-	metadata: {
-		namespace: string
-		annotations: #CommonAnnotations & {
-			_Description: _description
-		}
-	}
+	metadata: namespace: string
+	...
 }
 
 // Kubernetes API Objects
@@ -81,15 +90,40 @@ _apiVersion: "holos.run/v1alpha1"
 }
 #ClusterRole:        #ClusterObject & rbacv1.#ClusterRole
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
-#ClusterIssuer: #ClusterObject & cm.#ClusterIssuer & {...}
+#ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
 #Role:           #NamespaceObject & rbacv1.#Role
 #RoleBinding:    #NamespaceObject & rbacv1.#RoleBinding
 #ConfigMap:      #NamespaceObject & corev1.#ConfigMap
 #ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
 #Pod:            #NamespaceObject & corev1.#Pod
+#Service:        #NamespaceObject & corev1.#Service
 #Job:            #NamespaceObject & batchv1.#Job
 #CronJob:        #NamespaceObject & batchv1.#CronJob
 #Deployment:     #NamespaceObject & appsv1.#Deployment
+#Gateway:        #NamespaceObject & gw.#Gateway
+#VirtualService: #NamespaceObject & vs.#VirtualService
+#Certificate:    #NamespaceObject & crt.#Certificate
+
+// #HTTP01Cert defines a http01 certificate.
+#HTTP01Cert: {
+	_name:      string
+	_secret:    string | *_name
+	SecretName: _secret
+	Host:       _name + "." + #ClusterDomain
+	object: #Certificate & {
+		metadata: {
+			name:      _secret
+			namespace: string | *#TargetNamespace
+		}
+		spec: {
+			commonName: Host
+			dnsNames: [Host]
+			secretName: _secret
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: "letsencrypt"
+		}
+	}
+}
 
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -314,6 +348,15 @@ _apiVersion: "holos.run/v1alpha1"
 // #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
 #SecretName: string
 
+// Cluster Domain is the cluster specific domain
+#ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
+
+// #SidecarInject represents the istio sidecar inject label
+#IstioSidecar: {
+	"sidecar.istio.io/inject": "true"
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

pkg/version/embedded/patch

@@ -1 +1 @@
-2
+7