(#30) Add httpbin Certificate to verify the mesh

Also fix certmanager which was not installing role bindings correctly
because the flux kustomization was writing over the metadata namespace
field.

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -10,7 +10,9 @@ package holos
 }
 
 #HelmChart & {
-	values: installCRDs: true
+	values: #UpstreamValues & {
+		installCRDs: true
+	}
 	namespace: #TargetNamespace
 	chart: {
 		name:    "cert-manager"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -0,0 +1,32 @@
+package holos
+
+let Name = "httpbin"
+let Host = Name + "." + #ClusterDomain
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+#Metadata: namespace: #TargetNamespace
+SecretName: #InputKeys.cluster + "-" + Name
+
+#KubernetesObjects & {
+	apiObjects: {
+		Certificate: {
+			httpbin: #Certificate & {
+				metadata: {
+					#Metadata
+					name: SecretName
+				}
+				spec: {
+					commonName: Host
+					dnsNames: [Host]
+					secretName: SecretName
+					issuerRef: kind: "ClusterIssuer"
+					issuerRef: name: "letsencrypt"
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -4,11 +4,11 @@ package holos
 #InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: targetNamespace: #TargetNamespace
 #DependsOn: _Namespaces
 
 // Common Dependencies
-_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
-_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"
-_IstioBase: IstioBase: name:     "\(#InstancePrefix)-istio-base"
-_IstioD: IstioD: name:           "\(#InstancePrefix)-istiod"
+_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
+_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"

docs/examples/schema.cue

@@ -10,6 +10,7 @@ import (
 	es "external-secrets.io/externalsecret/v1beta1"
 	ss "external-secrets.io/secretstore/v1beta1"
 	ci "cert-manager.io/clusterissuer/v1"
+	crt "cert-manager.io/certificate/v1"
 	gw "networking.istio.io/gateway/v1beta1"
 	vs "networking.istio.io/virtualservice/v1beta1"
 	"encoding/yaml"
@@ -71,6 +72,7 @@ _apiVersion: "holos.run/v1alpha1"
 
 #NamespaceObject: #ClusterObject & {
 	metadata: namespace: string
+	...
 }
 
 // Kubernetes API Objects
@@ -94,6 +96,7 @@ _apiVersion: "holos.run/v1alpha1"
 #Deployment:     #NamespaceObject & appsv1.#Deployment
 #Gateway:        #NamespaceObject & gw.#Gateway
 #VirtualService: #NamespaceObject & vs.#VirtualService
+#Certificate:    #NamespaceObject & crt.#Certificate
 
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -318,6 +321,9 @@ _apiVersion: "holos.run/v1alpha1"
 // #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
 #SecretName: string
 
+// Cluster Domain is the cluster specific domain
+#ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

pkg/version/embedded/patch

@@ -1 +1 @@
-3
+4