local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
{
// Generates the manifests for all objects in kp except those starting with "_"
generate(kp):: (
{
[std.asciiLower(module) + '-' + name]: kp[module][name]
for module in std.objectFieldsAll(kp)
if !std.startsWith(module, '_')
for name in std.objectFields(kp[module])
}
),
// Join multiple objects into one
join_objects(objs)::
local aux(arr, i, running) =
if i >= std.length(arr) then
running
else
aux(arr, i + 1, running + arr[i]) tailstrict;
aux(objs, 0, {}),
// Creates serviceaccount
newServiceAccount(name, namespace, labels):: (
local serviceAccount = k.core.v1.serviceAccount;
serviceAccount.new(name)
+ (if labels != null then serviceAccount.mixin.metadata.withLabels(labels) else {})
+ serviceAccount.mixin.metadata.withNamespace(namespace)
),
// Creates ClusterRoles
// roles format example: [{apis: ['authentication.k8s.io'],
// res: ['tokenreviews'],
// verbs: ['create']
// },[{...}]]
newClusterRole(name, roles, labels):: (
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local p(apigroups, resources, verbs) = policyRule.new()
+ policyRule.withApiGroups([a for a in apigroups])
+ policyRule.withResources([r for r in resources])
+ policyRule.withVerbs([v for v in verbs]);
local r = [p(pol.apis, pol.res, pol.verbs) for pol in roles];
local rules = r;
local c = clusterRole.new()
+ (if labels != null then clusterRole.mixin.metadata.withLabels(labels) else {})
+ clusterRole.mixin.metadata.withName(name)
+ clusterRole.withRules(rules);
c
),
// Creates a ClusterRoleBinding between a `clusterRole` and a `serviceAccount` on `serviceAccountNamespace`
newClusterRoleBinding(name, serviceAccount, serviceAccountNamespace, clusterRole, labels):: (
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
clusterRoleBinding.new()
+ clusterRoleBinding.mixin.metadata.withName(name)
+ (if labels != null then clusterRoleBinding.mixin.metadata.withLabels(labels) else {})
+ clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io')
+ clusterRoleBinding.mixin.roleRef.withName(clusterRole)
+ clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' })
+ clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: serviceAccount, namespace: serviceAccountNamespace }])
),
// Creates endpoint objects
newEndpoint(name, namespace, ips, portName, portNumber):: (
local endpoints = k.core.v1.endpoints;
local endpointSubset = endpoints.subsetsType;
local endpointPort = endpointSubset.portsType;
local Port = endpointPort.new()
+ endpointPort.withName(portName)
+ endpointPort.withPort(portNumber)
+ endpointPort.withProtocol('TCP');
local subset = endpointSubset.new()
+ endpointSubset.withAddresses([
{ ip: IP }
for IP in ips
])
+ endpointSubset.withPorts(Port);
endpoints.new()
+ endpoints.mixin.metadata.withName(name)
+ endpoints.mixin.metadata.withNamespace(namespace)
+ endpoints.mixin.metadata.withLabels({ 'k8s-app': name })
+ endpoints.withSubsets(subset)
),
// Creates ingress objects
newIngress(name, namespace, host, path, serviceName, servicePort):: (
local ingress = k.extensions.v1beta1.ingress;
local ingressTls = ingress.mixin.spec.tlsType;
local ingressRule = ingress.mixin.spec.rulesType;
local httpIngressPath = ingressRule.mixin.http.pathsType;
ingress.new()
+ ingress.mixin.metadata.withName(name)
+ ingress.mixin.metadata.withNamespace(namespace)
+ ingress.mixin.spec.withRules(
ingressRule.new()
+ ingressRule.withHost(host)
+ ingressRule.mixin.http.withPaths(
httpIngressPath.new()
+ httpIngressPath.withPath(path)
+ httpIngressPath.mixin.backend.withServiceName(serviceName)
+ httpIngressPath.mixin.backend.withServicePort(servicePort)
),
)
),
// Add TLS to Ingress resource with secret containing the certificates if exists
addIngressTLS(I, S=''):: (
local ingress = k.extensions.v1beta1.ingress;
local ingressTls = ingress.mixin.spec.tlsType;
local host = I.spec.rules[0].host;
local namespace = I.metadata.namespace;
I + ingress.mixin.spec.withTls(
ingressTls.new() +
ingressTls.withHosts(host) +
(if S != '' then { secretName: S } else {})
)
),
// Creates a new TLS Secred with Certificate and Key
newTLSSecret(name, namespace, crt, key):: (
local secret = k.core.v1.secret;
secret.new('ingress-secret') +
secret.mixin.metadata.withNamespace(namespace) +
secret.withType('kubernetes.io/tls') +
secret.withData(
{
'tls.crt': std.base64(crt),
'tls.key': std.base64(key),
}
)
),
// Creates new basic deployments
newDeployment(name, namespace, image, cmd, port):: (
local deployment = k.apps.v1.deployment;
local container = k.apps.v1.deployment.mixin.spec.template.spec.containersType;
local containerPort = container.portsType;
local con =
container.new(name, image)
+ (if cmd != null then container.withCommand(cmd) else {})
+ container.withPorts(containerPort.newNamed(port, name));
local c = [con];
local d = deployment.new(name, 1, c, { app: name })
+ deployment.mixin.metadata.withNamespace(namespace)
+ deployment.mixin.metadata.withLabels({ app: name })
+ deployment.mixin.spec.selector.withMatchLabels({ app: name })
+ deployment.mixin.spec.strategy.withType('RollingUpdate')
+ deployment.mixin.spec.template.spec.withRestartPolicy('Always');
d
),
newService(name, namespace, port):: (
local service = k.core.v1.service;
local servicePort = k.core.v1.service.mixin.spec.portsType;
local p = servicePort.newNamed(name, port, port);
local s = service.new(name, { app: name }, p)
+ service.mixin.metadata.withNamespace(namespace)
+ service.mixin.metadata.withLabels({ app: name });
s
),
// Creates http ServiceMonitor objects
newServiceMonitor(name, namespace, matchLabel, matchNamespace, portName, portScheme, path='metrics'):: (
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: name,
namespace: namespace,
labels: {
app: name,
},
},
spec: {
jobLabel: name + '-exporter',
selector: {
matchLabels: matchLabel,
},
endpoints: [
{
port: portName,
scheme: portScheme,
interval: '30s',
relabelings: [
{
action: 'replace',
regex: '(.*)',
replacement: '$1',
sourceLabels: ['__meta_kubernetes_pod_node_name'],
targetLabel: 'instance',
},
],
},
],
namespaceSelector: {
matchNames: [matchNamespace],
},
},
}
),
// Creates https ServiceMonitor objects
newServiceMonitorHTTPS(name, namespace, matchLabel, matchNamespace, portName, portScheme, token):: (
local s = $.newServiceMonitor(name, namespace, matchLabel, matchNamespace, portName, portScheme);
// Replace endpoint with https and token
local t = {
spec: {
endpoints: [{
port: portName,
scheme: portScheme,
interval: '30s',
bearerTokenFile: token,
tlsConfig: {
insecureSkipVerify: true,
},
relabelings: [
{
action: 'replace',
regex: '(.*)',
replacement: '$1',
sourceLabels: ['__meta_kubernetes_pod_node_name'],
targetLabel: 'instance',
},
],
}],
},
};
std.mergePatch(s, t)
),
// Adds arguments to a container in a deployment
// args is an array of arguments in the format
// ["arg1","arg2",]
addArguments(deployment, container, args):: (
{ spec+: {
template+: {
spec+: {
containers:
std.map(
function(c)
if c.name == container then
c { args+: args }
else c,
super.containers
),
},
},
} }
),
// Adds environment variables to a container in a deployment
// envs is an array of environment variables in the format
// [{name: 'VARNAME', value: 'var_value'},{...},]
addEnviromnentVars(deployment, container, envs):: (
{ spec+: {
template+: {
spec+: {
containers:
std.map(
function(c)
if c.name == container then
c { env+: envs }
else c,
super.containers
),
},
},
} }
),
}