(#30) Add httpbin Gateway and VirtualService

There isn't a default Gateway yet, so use a specific `httpbin` gateway
to test istio instead.

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -1,32 +1,75 @@
 package holos
 
 let Name = "httpbin"
-let Host = Name + "." + #ClusterDomain
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
+let Metadata = {
+	name:      Name
+	namespace: #TargetNamespace
+	labels: app: Name
+}
 
 #InputKeys: component: Name
 
 #TargetNamespace: "istio-ingress"
 #DependsOn:       _IngressGateway
 
-#Metadata: namespace: #TargetNamespace
-SecretName: #InputKeys.cluster + "-" + Name
+let Cert = #HTTP01Cert & {
+	_name:   Name
+	_secret: SecretName
+}
 
 #KubernetesObjects & {
 	apiObjects: {
-		Certificate: {
-			httpbin: #Certificate & {
-				metadata: {
-					#Metadata
-					name: SecretName
-				}
-				spec: {
-					commonName: Host
-					dnsNames: [Host]
-					secretName: SecretName
-					issuerRef: kind: "ClusterIssuer"
-					issuerRef: name: "letsencrypt"
-				}
+		Certificate: httpbin: Cert.object
+		Deployment: httpbin: #Deployment & {
+			metadata: Metadata
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: MatchLabels
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
 			}
 		}
+		Service: httpbin: #Service & {
+			metadata: Metadata
+			spec: selector: MatchLabels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		Gateway: httpbin: #Gateway & {
+			metadata: Metadata
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: ["\(#TargetNamespace)/\(Cert.Host)"]
+					port: name:          "https-\(#InstanceName)"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: Cert.SecretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+		VirtualService: httpbin: #VirtualService & {
+			metadata: Metadata
+			spec: hosts: [Cert.Host]
+			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
 	}
 }

docs/examples/schema.cue

@@ -40,11 +40,17 @@ _apiVersion: "holos.run/v1alpha1"
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
+// #SelectorLabels are mixed into selectors.
+#SelectorLabels: {
+	"holos.run/stage.name":     #StageName
+	"holos.run/project.name":   #CollectionName
+	"holos.run/component.name": #ComponentName
+	...
+}
+
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":        #StageName
-	"holos.run/project.name":      #CollectionName
-	"holos.run/component.name":    #ComponentName
+	#SelectorLabels
 	"app.kubernetes.io/part-of":   #StageName
 	"app.kubernetes.io/name":      #CollectionName
 	"app.kubernetes.io/component": #ComponentName
@@ -98,6 +104,27 @@ _apiVersion: "holos.run/v1alpha1"
 #VirtualService: #NamespaceObject & vs.#VirtualService
 #Certificate:    #NamespaceObject & crt.#Certificate
 
+// #HTTP01Cert defines a http01 certificate.
+#HTTP01Cert: {
+	_name:      string
+	_secret:    string | *_name
+	SecretName: _secret
+	Host:       _name + "." + #ClusterDomain
+	object: #Certificate & {
+		metadata: {
+			name:      _secret
+			namespace: string | *#TargetNamespace
+		}
+		spec: {
+			commonName: Host
+			dnsNames: [Host]
+			secretName: _secret
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: "letsencrypt"
+		}
+	}
+}
+
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
 	metadata: {
@@ -324,6 +351,12 @@ _apiVersion: "holos.run/v1alpha1"
 // Cluster Domain is the cluster specific domain
 #ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
 
+// #SidecarInject represents the istio sidecar inject label
+#IstioSidecar: {
+	"sidecar.istio.io/inject": "true"
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

pkg/version/embedded/patch

@@ -1 +1 @@
-4
+7