Add credential util for alternator, job to create alternator creds

cue.mod/usr/k8s.io/api/batch/v1/types.cue

@@ -0,0 +1,6 @@
+package v1
+
+#Job: {
+  apiVersion: "batch/v1"
+  kind: "Job"
+}

flake.nix

@@ -143,9 +143,17 @@
             digest = "a0fab1443750719105fc3fba09862a7a325ca9a6241edfec1f45f29117786066";
           };
         };
+        alternator-credentials = let 
+            craneLib = (crane.mkLib pkgs).overrideToolchain pkgs.rust-bin.stable.latest.default;
+        in craneLib.buildPackage {
+          src = craneLib.cleanCargoSource (craneLib.path ./src/alternator-credentials);
+          nativeBuildInputs = [ pkgs.pkg-config ];
+          buildInputs = [ pkgs.openssl.dev ];
+          strictDeps = true;
+        };
         gerrit-image = oci.fromDockerArchive {
           name = "gerrit-image-oci";
-          src = gerrit.gerrit-image;
+          src = gerrit.gerrit-image alternator-credentials;
         };
       in {
         _module.args.pkgs = import inputs.nixpkgs {
@@ -331,7 +339,8 @@
         };
         devShells = {
           default = pkgs.mkShell {
-            buildInputs = with pkgs; [ pkgs.cue pkgs.timoni postgresql jq nodejs nodePackages.npm typescript kubernetes-helm flux umoci skopeo weave-gitops yq-go go xxd talosctl pkgs.crane openldap operator-sdk jdk19 maven gradle pkgs.cargo pkgs.rustc ];
+          #default = ((crane.mkLib pkgs).overrideToolchain (pkgs.rust-bin.stable.latest.default.override {extensions = ["rust-analyzer"];})).devShell {
+            buildInputs = with pkgs; [ pkgs.cue pkgs.timoni postgresql jq nodejs nodePackages.npm typescript kubernetes-helm flux umoci skopeo weave-gitops yq-go go xxd talosctl pkgs.crane openldap operator-sdk jdk19 maven gradle pkgs.cargo pkgs.rustc gcc pkg-config openssl.dev cassandra ];
           };
           push = pkgs.mkShell {
             buildInputs = [ pkgs.crane ];

k8s/gerrit/gerrit.cue

@@ -9,6 +9,7 @@ import (
   //externalsecrets "external-secrets.io/externalsecret/v1beta1"
   issuers "cert-manager.io/issuer/v1"
   corev1 "k8s.io/api/core/v1"
+  //batchv1 "k8s.io/api/batch/v1"
   //rbacv1 "k8s.io/api/rbac/v1"
 )
 
@@ -84,9 +85,56 @@ kustomizations: $default: manifest: {
       }
     }
   }
-  "global-refdb-ca": issuers.#Issuer & {
+  refdbIssuer="global-refdb-ca": issuers.#Issuer & {
     spec: ca: secretName: "\(refdb.metadata.name)-local-client-ca"
   }
+  //"global-refdb-gerrit-credentials": batchv1.#Job & {
+  "global-refdb-gerrit-credentials":  {
+    apiVersion: "batch/v1"
+    kind: "Job"
+    spec: template: spec: {
+      containers: [{
+        name: "gerrit-credentials"
+        image: "ghcr.io/pythoner6/netserv/gerrit@\(#Images[appName].digest)"
+        command: [
+          "alternator-credentials", "generate",
+          "--ca", "/certs/ca/tls.crt",
+          "--cert", "/certs/admin/tls.crt",
+          "--key", "/certs/admin/tls.key",
+          "--nodes", "\(refdb.metadata.name)-client.\(appName).svc:9142",
+          "--role", "gerrit",
+        ]
+        volumeMounts: [
+          {
+            mountPath: "/certs/ca/"
+            name: "ca"
+          },
+          {
+            mountPath: "/certs/admin/"
+            name: "admin"
+          },
+        ]
+      }]
+      volumes: [
+        {
+          name: "ca"
+          secret: {
+            items: [{key: "tls.crt", path: "tls.crt"}]
+            secretName: "\(refdb.metadata.name)-local-serving-ca"
+          }
+        },
+        {
+          name: "admin"
+          csi: {
+            driver: "csi.cert-manager.io"
+            readOnly: true
+            "csi.cert-manager.io/issuer-name": refdbIssuer.metadata.name
+            "csi.cert-manager.io/common-name": "admin"
+          }
+        },
+      ]
+    }
+  }
   "events-broker-node-pool": kafkanodepools.#KafkaNodePool & {
     metadata: labels: "strimzi.io/cluster": broker.metadata.name
     spec: {