@lawrencejones
Last active November 12, 2019 17:25
external-dns jsonnet module
// Shared configuration for the external-dns module: the image reference and the
// settings external_dns.libsonnet reads through $._images / $._config.
// Fields are hidden (::) and merged (+:) so sibling modules can extend them.
{
  _images+:: {
    // Pinned by tag. A digest (@sha256:...) would pin the exact image content
    // rather than a mutable tag.
    external_dns: "registry.opensource.zalan.do/teapot/external-dns:v0.5.17",
  },
  _config+:: {
    external_dns: {
      namespace: "external-dns",
      // Zones external-dns is allowed to manage (joined into --domain-filter).
      domain_filter: ["lawrjone.xyz"],
      gcp_service_account_name: "external-dns",
    },
  },
}
// Top-level environment: composes the cert-manager and external-dns modules and
// supplies the project-wide settings they read from $._config.
local cert_manager = import "cert_manager/cert_manager.libsonnet";
local external_dns = import "external_dns/external_dns.libsonnet";

cert_manager + external_dns + {
  _config+:: {
    // GCP project that owns the Workload Identity service account.
    gcp_project: "lawrjone",
  },
}
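// external-dns on GKE: a dedicated namespace and ServiceAccount (mapped to a GCP
// service account via Workload Identity), read-only RBAC over the resources
// external-dns watches, and a single-replica Deployment.
//
// Reads $._config.external_dns.{namespace, gcp_service_account_name, domain_filter},
// $._config.gcp_project and $._images.external_dns.
local k = import "k.libsonnet";
local config = import "config.libsonnet";

k + config + {
  local namespaceName = $._config.external_dns.namespace,
  // GCP service account the pod acts as through Workload Identity. The GCP-side
  // grant that lets this KSA impersonate the GSA is not managed here; presumably
  // it is created out of band — confirm.
  local gcpServiceAccountEmail = "%s@%s.iam.gserviceaccount.com" % [
    $._config.external_dns.gcp_service_account_name,
    $._config.gcp_project,
  ],

  namespace: $.core.v1.namespace.new(namespaceName),

  // The annotation is what binds this KSA to the GSA on GKE; it only takes
  // effect for pods that actually run as this ServiceAccount (see deployment).
  service_account: $.core.v1.serviceAccount.
    new("external-dns").
    withNamespace(namespaceName).
    withAnnotationsMixin({
      "iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
    }),

  local clusterRole = $.rbac.v1.clusterRole,
  local clusterRoleBinding = $.rbac.v1.clusterRoleBinding,
  local roleRef = clusterRoleBinding.roleRefType,
  // The v1beta1 helpers only build the nested subject/rule objects; the rendered
  // ClusterRole and ClusterRoleBinding are rbac.authorization.k8s.io/v1.
  local subject = $.rbac.v1beta1.clusterRoleBinding.subjectsType,
  local policyRule = $.rbac.v1beta1.clusterRole.rulesType,

  cluster_role:
    clusterRole.new() +
    // ClusterRoles are cluster-scoped, so no namespace is set on the metadata
    // (a namespace here has no effect and only misleads readers).
    clusterRole.mixin.metadata.withName("external-dns") +
    clusterRole.withRules([
      // Cluster-local resources external-dns derives records from (--source=service).
      // Read-only verbs only: external-dns never mutates these objects.
      policyRule.new() +
      policyRule.withApiGroups([""]) +
      policyRule.withResources(["services", "pods", "nodes"]) +
      policyRule.withVerbs(["get", "list", "watch"]),
      // Ingresses (--source=ingress). "extensions" is the legacy Ingress group;
      // newer clusters serve Ingress from networking.k8s.io — verify against
      // the cluster version.
      policyRule.new() +
      policyRule.withApiGroups(["extensions"]) +
      policyRule.withResources(["ingresses"]) +
      policyRule.withVerbs(["get", "list", "watch"]),
    ]),

  cluster_role_binding:
    clusterRoleBinding.new() +
    clusterRoleBinding.mixin.metadata.withName("external-dns-viewer") +
    clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
    clusterRoleBinding.mixin.roleRef.withKind("ClusterRole") +
    clusterRoleBinding.mixin.roleRef.withName(self.cluster_role.metadata.name) +
    clusterRoleBinding.withSubjects([
      // Grant only the dedicated ServiceAccount, never the namespace default SA.
      subject.new() +
      subject.withName(self.service_account.metadata.name) +
      subject.withKind(self.service_account.kind) +
      subject.withNamespace(namespaceName),
    ]),

  local deployment = $.apps.v1beta1.deployment,
  local container = deployment.mixin.spec.template.spec.containersType,
  local externalDnsContainer =
    container.new("app", $._images.external_dns) +
    container.withArgs([
      "--interval=30s",
      "--source=ingress",
      "--source=service",
      // Restrict record management to the configured zones.
      "--domain-filter", std.join(",", $._config.external_dns.domain_filter),
      "--provider=google",
      // NOTE(review): no --policy is given, so external-dns runs with its default
      // policy; if that default allows deletions, --policy=upsert-only limits the
      // blast radius of a misconfigured source — confirm against the image version.
    ]),

  deployment:
    deployment.new("external-dns", 1, externalDnsContainer, { app: "external-dns" }) +
    // The pod must live in the same namespace as the ServiceAccount it runs as
    // and must name that ServiceAccount explicitly. Without these two lines the
    // pod runs as the `default` SA of the `default` namespace, which holds
    // neither the RBAC grant above nor the Workload Identity annotation.
    deployment.mixin.metadata.withNamespace(namespaceName) +
    deployment.mixin.spec.template.spec.withServiceAccountName(self.service_account.metadata.name) +
    // Recreate prevents two replicas managing the same zone during a rollout.
    deployment.mixin.spec.strategy.withType("Recreate"),
}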
# Rendered output of the jsonnet module (reference only; regenerate from the
# module rather than editing by hand).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
  # ClusterRoles are cluster-scoped; a namespace here has no effect.
  namespace: external-dns
rules:
# Read-only verbs only: external-dns never mutates these resources.
- apiGroups:
  - ""
  resources:
  - services
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  # Legacy Ingress group; newer clusters serve Ingress from networking.k8s.io.
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  # Cluster-scoped; the namespace has no effect.
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
# Grants the role only to the external-dns ServiceAccount in the external-dns namespace.
- kind: ServiceAccount
  name: external-dns
  namespace: external-dns
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: external-dns
  # NOTE(review): the Deployment is created in `default`, while the
  # ServiceAccount below lives in `external-dns`.
  namespace: default
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    # NOTE(review): no serviceAccountName is set, so the pod runs as the
    # `default` ServiceAccount of the `default` namespace, which the
    # ClusterRoleBinding above does not cover and which carries no
    # iam.gke.io/gcp-service-account annotation.
    spec:
      containers:
      - args:
        - --interval=30s
        - --source=ingress
        - --source=service
        - --domain-filter
        - lawrjone.xyz
        - --provider=google
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.17
        name: app
---
apiVersion: v1
kind: Namespace
metadata:
  name: external-dns
  # Namespaces are cluster-scoped; this field has no effect.
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Workload Identity mapping to the GCP service account.
    iam.gke.io/gcp-service-account: external-dns@lawrjone.iam.gserviceaccount.com
  name: external-dns
  namespace: external-dns