mirror of
https://github.com/holos-run/holos.git
synced 2026-03-21 17:55:01 +00:00
d81e25c4e4
Provisioner cluster:
This patch creates a Certificate resource in the provisioner for each
host associated with the project. By default, one host is created for
each stage with the short hostname set to the project name.
A namespace is also created for each project for eso creds refresher to
manage service accounts for SecretStore resources in the workload
clusters.
Workload cluster:
For each env, plus one system namespace per stage:
- Namespace per env
- SecretStore per env
- ExternalSecret per host in the env
Common names for the holos project, prod stage:
- holos.k1.ois.run
- holos.k2.ois.run
- holos.ois.run
Common names for the holos project, dev stage:
- holos.dev.k1.ois.run
- holos.dev.k2.ois.run
- holos.dev.ois.run
- holos.gary.k1.ois.run
- holos.gary.k2.ois.run
- holos.gary.ois.run
- holos.jeff.k1.ois.run
- holos.jeff.k2.ois.run
- holos.jeff.ois.run
- holos.nate.k1.ois.run
- holos.nate.k2.ois.run
- holos.nate.ois.run
Usage:
holos render --cluster-name=provisioner \
~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/provisioner/projects/...
holos render --cluster-name=k1 \
~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/projects/...
holos render --cluster-name=k2 \
~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/projects/...
302 lines
8.9 KiB
CUE
302 lines
8.9 KiB
CUE
package holos
|
|
|
|
import (
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
appsv1 "k8s.io/api/apps/v1"
|
|
corev1 "k8s.io/api/core/v1"
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
batchv1 "k8s.io/api/batch/v1"
|
|
es "external-secrets.io/externalsecret/v1beta1"
|
|
ss "external-secrets.io/secretstore/v1beta1"
|
|
is "cert-manager.io/issuer/v1"
|
|
ci "cert-manager.io/clusterissuer/v1"
|
|
crt "cert-manager.io/certificate/v1"
|
|
gw "networking.istio.io/gateway/v1beta1"
|
|
vs "networking.istio.io/virtualservice/v1beta1"
|
|
pg "postgres-operator.crunchydata.com/postgrescluster/v1beta1"
|
|
)
|
|
|
|
// _apiVersion is the version of this schema. Defines the interface between CUE output and the holos cli.
|
|
_apiVersion: "holos.run/v1alpha1"
|
|
|
|
// #ComponentName is the name of the holos component.
|
|
// TODO: Refactor to support multiple components per BuildPlan
|
|
#ComponentName: #InputKeys.component
|
|
|
|
// #StageName is prod, dev, stage, etc... Usually prod for platform components.
|
|
#StageName: #InputKeys.stage
|
|
|
|
// #TargetNamespace is the target namespace for a holos component.
|
|
#TargetNamespace: string
|
|
|
|
#ClusterObject: {
|
|
_description: string | *""
|
|
metadata: metav1.#ObjectMeta & {
|
|
// labels: #CommonLabels
|
|
annotations: #Description & {
|
|
_Description: _description
|
|
...
|
|
}
|
|
}
|
|
...
|
|
}
|
|
|
|
#Description: {
|
|
_Description: string | *""
|
|
"holos.run/description": _Description
|
|
...
|
|
}
|
|
|
|
#NamespaceObject: #ClusterObject & {
|
|
metadata: name: string
|
|
metadata: namespace: string
|
|
...
|
|
}
|
|
|
|
// Kubernetes API Objects
|
|
#Namespace: corev1.#Namespace & {
|
|
metadata: name: string
|
|
metadata: labels: "kubernetes.io/metadata.name": metadata.name
|
|
}
|
|
|
|
#ClusterRole: #ClusterObject & rbacv1.#ClusterRole
|
|
#ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
|
|
#ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
|
|
|
|
#Issuer: #NamespaceObject & is.#Issuer
|
|
#Role: #NamespaceObject & rbacv1.#Role
|
|
#RoleBinding: #NamespaceObject & rbacv1.#RoleBinding
|
|
#ConfigMap: #NamespaceObject & corev1.#ConfigMap
|
|
#ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
|
|
#Pod: #NamespaceObject & corev1.#Pod
|
|
#Service: #NamespaceObject & corev1.#Service
|
|
#Job: #NamespaceObject & batchv1.#Job
|
|
#CronJob: #NamespaceObject & batchv1.#CronJob
|
|
#Deployment: #NamespaceObject & appsv1.#Deployment
|
|
#VirtualService: #NamespaceObject & vs.#VirtualService
|
|
#Certificate: #NamespaceObject & crt.#Certificate
|
|
#PostgresCluster: #NamespaceObject & pg.#PostgresCluster
|
|
|
|
#Gateway: #NamespaceObject & gw.#Gateway & {
|
|
metadata: namespace: string | *"istio-ingress"
|
|
spec: selector: istio: string | *"ingressgateway"
|
|
}
|
|
|
|
// #HTTP01Cert defines a http01 certificate.
|
|
#HTTP01Cert: {
|
|
_name: string
|
|
_secret: string | *_name
|
|
SecretName: _secret
|
|
Host: _name + "." + #ClusterDomain
|
|
object: #Certificate & {
|
|
metadata: {
|
|
name: _secret
|
|
namespace: string | *#TargetNamespace
|
|
}
|
|
spec: {
|
|
commonName: Host
|
|
dnsNames: [Host]
|
|
secretName: _secret
|
|
issuerRef: kind: "ClusterIssuer"
|
|
issuerRef: name: "letsencrypt"
|
|
}
|
|
}
|
|
}
|
|
|
|
// External Secrets CRDs
|
|
#ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
|
|
_name: string
|
|
metadata: {
|
|
name: _name
|
|
namespace: #TargetNamespace
|
|
}
|
|
spec: {
|
|
refreshInterval: string | *"1h"
|
|
secretStoreRef: {
|
|
kind: string | *"SecretStore"
|
|
name: string | *"default"
|
|
}
|
|
target: {
|
|
name: _name
|
|
creationPolicy: string | *"Owner"
|
|
deletionPolicy: string | *"Retain"
|
|
}
|
|
// Copy fields 1:1 from external Secret to target Secret.
|
|
dataFrom: [{extract: key: _name}]
|
|
}
|
|
}
|
|
|
|
#SecretStore: #NamespaceObject & ss.#SecretStore & {
|
|
_namespace: string
|
|
metadata: {
|
|
name: string | *"default"
|
|
namespace: _namespace
|
|
}
|
|
spec: provider: {
|
|
kubernetes: {
|
|
remoteNamespace: _namespace
|
|
auth: token: bearerToken: {
|
|
name: string | *"eso-reader"
|
|
key: string | *"token"
|
|
}
|
|
server: {
|
|
caBundle: #InputKeys.provisionerCABundle
|
|
url: #InputKeys.provisionerURL
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the #Platform data.
|
|
#InputKeys: {
|
|
// cluster is usually the only key necessary when working with a component on the command line.
|
|
cluster: string @tag(cluster, type=string)
|
|
// stage is usually set by the platform or project.
|
|
stage: *"prod" | string @tag(stage, type=string)
|
|
// service is usually set by the component.
|
|
service: *component | string @tag(service, type=string)
|
|
// component is the name of the component
|
|
component: string @tag(component, type=string)
|
|
|
|
// GCP Project Info used for the Provisioner Cluster
|
|
gcpProjectID: string @tag(gcpProjectID, type=string)
|
|
gcpProjectNumber: int @tag(gcpProjectNumber, type=int)
|
|
|
|
// Same as cluster certificate-authority-data field in ~/.holos/kubeconfig.provisioner
|
|
provisionerCABundle: string @tag(provisionerCABundle, type=string)
|
|
// Same as the cluster server field in ~/.holos/kubeconfig.provisioner
|
|
provisionerURL: string @tag(provisionerURL, type=string)
|
|
}
|
|
|
|
// #ClusterSpec is the specification of a holos platform cluster member.
|
|
#ClusterSpec: {
|
|
// name is the cluster name.
|
|
name: string
|
|
// pool is the optional ceph pool of the cluster.
|
|
pool?: string
|
|
// region is the geographic region of the cluster.
|
|
region?: string
|
|
// primary is true if name matches the primaryCluster name
|
|
primary: bool
|
|
}
|
|
|
|
// #Platform defines the primary lookup table for the platform. Lookup keys should be limited to those defined in #KeyTags.
|
|
#Platform: {
|
|
// org holds user defined values scoped organization wide. A platform has one and only one organization.
|
|
org: {
|
|
// e.g. "example"
|
|
name: string
|
|
// e.g. "example.com"
|
|
domain: string
|
|
// e.g. "Example"
|
|
displayName: string
|
|
// e.g. "platform@example.com"
|
|
contact: email: string
|
|
// e.g. "platform@example.com"
|
|
cloudflare: email: string
|
|
// e.g. "example"
|
|
github: orgs: primary: name: string
|
|
}
|
|
// Only one cluster may be primary at a time. All others are standby.
|
|
// Refer to [repo based standby](https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/disaster-recovery#repo-based-standby)
|
|
primaryCluster: {
|
|
name: string
|
|
}
|
|
clusters: [Name=_]: #ClusterSpec & {
|
|
name: string & Name
|
|
if Name == primaryCluster.name {
|
|
primary: true
|
|
}
|
|
if Name != primaryCluster.name {
|
|
primary: false
|
|
}
|
|
}
|
|
stages: [ID=_]: {
|
|
name: string & ID
|
|
environments: [...{name: string}]
|
|
}
|
|
projects: [ID=_]: {
|
|
name: string & ID
|
|
}
|
|
services: [ID=_]: {
|
|
name: string & ID
|
|
}
|
|
}
|
|
|
|
// ManagedNamespace is a namespace to manage across all clusters in the holos platform.
|
|
#ManagedNamespace: {
|
|
namespace: {
|
|
metadata: {
|
|
name: string
|
|
labels: [string]: string
|
|
}
|
|
}
|
|
// clusterNames represents the set of clusters the namespace is managed on. Usually all clusters.
|
|
clusterNames: [...string]
|
|
}
|
|
|
|
// #ManagedNamepsaces is the union of all namespaces across all cluster types and optional services.
|
|
// Holos adopts the namespace sameness position of SIG Multicluster, refer to https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md
|
|
#ManagedNamespaces: {
|
|
[Name=_]: #ManagedNamespace & {
|
|
namespace: metadata: name: Name
|
|
}
|
|
}
|
|
|
|
// #Backups defines backup configuration.
|
|
// TODO: Consider the best place for this, possibly as part of the site platform config. This represents the primary location for backups.
|
|
#Backups: {
|
|
s3: {
|
|
region: string
|
|
endpoint: string | *"s3.dualstack.\(region).amazonaws.com"
|
|
}
|
|
}
|
|
|
|
// #Chart defines an upstream helm chart
|
|
#Chart: {
|
|
name: string
|
|
version: string
|
|
release: string | *name
|
|
repository: {
|
|
name?: string
|
|
url?: string
|
|
}
|
|
}
|
|
|
|
// #ChartValues represent the values provided to a helm chart. Existing values may be imorted using cue import values.yaml -p holos then wrapping the values.cue content in #Values: {}
|
|
#ChartValues: {...}
|
|
|
|
// #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
|
|
#SecretName: string
|
|
|
|
// Cluster Domain is the cluster specific domain
|
|
#ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
|
|
|
|
// #SidecarInject represents the istio sidecar inject label
|
|
#IstioSidecar: {
|
|
"sidecar.istio.io/inject": "true"
|
|
...
|
|
}
|
|
|
|
// #DefaultSecurityContext is the holos default security context to comply with the restricted namespace policy.
|
|
// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
|
|
#DefaultSecurityContext: {
|
|
securityContext: {
|
|
allowPrivilegeEscalation: false
|
|
runAsNonRoot: true
|
|
capabilities: drop: ["ALL"]
|
|
seccompProfile: type: "RuntimeDefault"
|
|
}
|
|
...
|
|
}
|
|
|
|
// Certificate name should always match the secret name.
|
|
#Certificate: {
|
|
metadata: name: _
|
|
spec: secretName: metadata.name
|
|
}
|
|
|
|
// #IsPrimaryCluster is true if the cluster being rendered is the primary cluster
|
|
// Used by the iam project to determine where https://login.example.com is active.
|
|
#IsPrimaryCluster: bool & #ClusterName == #Platform.primaryCluster.name
|