(#30) Add httpbin Deployment in istio-ingress namespace

This patch gets the Deployment running with a restricted seccomp
profile.

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -1,31 +1,43 @@
 package holos
 
 let Name = "httpbin"
-let Host = Name + "." + #ClusterDomain
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
 
 #InputKeys: component: Name
 
 #TargetNamespace: "istio-ingress"
 #DependsOn:       _IngressGateway
 
-#Metadata: namespace: #TargetNamespace
-SecretName: #InputKeys.cluster + "-" + Name
-
 #KubernetesObjects & {
 	apiObjects: {
-		Certificate: {
-			httpbin: #Certificate & {
-				metadata: {
-					#Metadata
-					name: SecretName
-				}
-				spec: {
-					commonName: Host
-					dnsNames: [Host]
-					secretName: SecretName
-					issuerRef: kind: "ClusterIssuer"
-					issuerRef: name: "letsencrypt"
-				}
+		Certificate: httpbin: #HTTP01Cert & {
+			_name:   Name
+			_secret: SecretName
+		}
+		Deployment: httpbin: #Deployment & {
+			metadata: {
+				name:      Name
+				namespace: #TargetNamespace
+				labels: app: Name
+			}
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
 			}
 		}
 	}

docs/examples/schema.cue

@@ -40,11 +40,17 @@ _apiVersion: "holos.run/v1alpha1"
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
+// #SelectorLabels are mixed into selectors.
+#SelectorLabels: {
+	"holos.run/stage.name":     #StageName
+	"holos.run/project.name":   #CollectionName
+	"holos.run/component.name": #ComponentName
+	...
+}
+
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":        #StageName
-	"holos.run/project.name":      #CollectionName
-	"holos.run/component.name":    #ComponentName
+	#SelectorLabels
 	"app.kubernetes.io/part-of":   #StageName
 	"app.kubernetes.io/name":      #CollectionName
 	"app.kubernetes.io/component": #ComponentName
@@ -98,6 +104,24 @@ _apiVersion: "holos.run/v1alpha1"
 #VirtualService: #NamespaceObject & vs.#VirtualService
 #Certificate:    #NamespaceObject & crt.#Certificate
 
+// #HTTP01Cert defines a http01 certificate.
+#HTTP01Cert: #Certificate & {
+	_name:   string
+	_secret: string | *_name
+	let Host = _name + "." + #ClusterDomain
+	metadata: {
+		name:      _secret
+		namespace: string | *#TargetNamespace
+	}
+	spec: {
+		commonName: Host
+		dnsNames: [Host]
+		secretName: _secret
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: "letsencrypt"
+	}
+}
+
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
 	metadata: {
@@ -324,6 +348,12 @@ _apiVersion: "holos.run/v1alpha1"
 // Cluster Domain is the cluster specific domain
 #ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
 
+// #SidecarInject represents the istio sidecar inject label
+#IstioSidecar: {
+	"sidecar.istio.io/inject": "true"
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

pkg/version/embedded/patch

@@ -1 +1 @@
-4
+5