
47 Commits (master)

Author SHA1 Message Date
q3k 97b5cd7b58 go: re-do the entire thing
This is a mega-change, but attempting to split this up further is
probably not worth the effort.


1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:50:19 +00:00
palid b19e8123ad tools: fix install.sh for non-Nix systems
Change-Id: Id3aa846255129d90be22bce2aa38d468d78d816c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1533
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-07-24 14:01:55 +00:00
implr 0544d27c04 tools, cluster/tools: bazel5 compat: remove unused import
Change-Id: I8b264a6c36e4d0f1535f38ad1f41495e62061f26
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1308
Reviewed-by: daz <daz@hackerspace.pl>
2022-06-04 19:56:40 +00:00
q3k 2ada80423a tools/hscloud/lib.py: fix newlines sneaking in
Change-Id: Iacf956c80486596f02efd901c48f4571f0a76adf
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1283
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-04 17:51:44 +00:00
q3k 0f8e5a2132 *: do not require env.sh
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being run as `bazel run

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-17 21:21:58 +00:00
q3k f97c9688d5 tools/secretstore: fix gpg encryption for expired key
We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52
2021-07-10 16:53:59 +00:00
q3k 491542589b tools/gostatic: init
This adds Bazel/hscloud integration to gostatic, via gostatic_tarball.

A sample is provided in //tools/gostatic/example, it can be built using:

    bazel build //tools/gostatic/example

The resulting tarball can then be extracted and viewed in a web

Change-Id: Idf8d4a8e0ee3a5ae07f7449a25909478c2d8b105
2020-10-26 12:08:33 +01:00
q3k f00a701f27 tools: remove unused go_sdk.bzl
This is a leftover from an old attempt at NixOS compatibility.

Change-Id: I5050f76b83f47796cdfa6235db8ee5efe8daf3e2
2020-09-25 21:01:12 +00:00
q3k 6c1a712522 secretstore: fix decryption in sync
Change-Id: If5be7679e9e0b6e0acf78ffd871adb1f9af8d7f4
2020-07-30 20:55:54 +00:00
q3k 7371b7288b tools/secretstore: add sync command, re-encrypt
This kills two birds with one stone:

 - update the secretstore tool to be slightly smarter about secrets, to
   the point where we can now just point it at a secret directory and
   ask it to 'sync' all secrets in there
 - runs the new fancy sync command on all keys to update them, which
   is a follow up to gerrit/328.

Change-Id: I0eec4a3e8afcd9481b0b248154983aac25657c40
2020-06-04 19:25:07 +00:00
patryk d600ebb5c8 Re-enable cz2 gpg key in secretstore.py
Change-Id: Iccefecccafe3748c310e5922f366c86d5f2cf11d
2020-05-31 16:46:58 +00:00
q3k 02aae3628c hswaw/kube: encrypt keys, update expired keys
cz2's key has expired. Removing it for now as there's no easy way to
force gpg to encrypt content for expired keys.

Change-Id: Ib27b9a09385fcead1ba2d48ebf45426038d8b647
2020-02-18 23:28:14 +01:00
q3k c5a77b8f81 env/tools: fix NixOS detection, maybe
Change-Id: Ifa4c1c53ed918f67e68e190709edc417d0d3b4d6
2020-02-17 23:04:35 +01:00
q3k e03c217cc1 go: bump rules_go, autodetect nix for go toolchains
Change-Id: If10a7843e5e54ade82fbeec85f4e6727e4d2a117
2020-02-15 01:04:38 +01:00
q3k d493ab66ca *: add dcr01s{22,24}
Change-Id: I072e825e2e1d199d9da50b9d38a9ffba68e61182
2019-10-31 17:07:50 +01:00
q3k b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00
q3k 1663e0e93b tools: move cluster-specific stuff to cluster/tools
Change-Id: I1813bb221d1bff0d6067eceb84d23510face60ff
2019-07-21 14:26:51 +00:00
q3k b5ad364a32 tools/workspace-status.sh -> bzl/
This is bazel-specific.

Change-Id: I2592c30f4e8f5e414d2fb6cf90f36b36e069b7cb
2019-07-21 16:26:19 +02:00
Robert Gerus f1bdb9a984 Fix the shebang.
First step on the path of making bazel work here on NixOS.

Change-Id: Icc264dac250e116f4835a135f47423740a2e5096
2019-07-21 15:24:52 +02:00
Serge Bazanski 2ce367681a *: move away from python_rules
python_rules is completely broken when it comes to py2/py3 support.

Here, we replace it with native python rules from new Bazel versions [1] and rules_pip for PyPI dependencies [2].

rules_pip is somewhat little known and experimental, but it seems to work much better than what we had previously.

We also unpin rules_docker and fix .bazelrc to force Bazel into Python 2 mode - hopefully, this repo will now work
fine under operating systems where `python` is python2 (as the standard dictates).

[1] - https://docs.bazel.build/versions/master/be/python.html

[2] - https://github.com/apt-itude/rules_pip

Change-Id: Ibd969a4266db564bf86e9c96275deffb9610dd44
2019-07-16 22:22:05 +00:00
q3k 1e5e81227a Merge changes I4ef1f6ed,I20b0ecbb,Ida9dff72,I92e70536
* changes:
  cluster/cube/lib/cockroachdb: clean up topology
  cluster/kube/lib/cockroach: move client to deployment
  app/gerrit/kube: implement
  app/gerrit: import OAuth provider and add SSO support
2019-06-25 00:49:10 +00:00
q3k b094f08744 tools/: add __pycache__ to gitignore
Change-Id: Iaddfe140df1e82611df8e2594b7560e3bdafd896
2019-06-21 22:14:41 +02:00
q3k 573da78859 app/gerrit: import OAuth provider and add SSO support
This change:

 - imports gerrit-oauth-provider from upstream
 - adds sso.hackerspae.pl support to it

Change-Id: I92e7053614a9297bf1ced3aac044c0002acd836a
2019-06-21 20:09:01 +02:00
q3k 29afb4cc51 secretstore: restore implr 2019-05-19 03:10:25 +02:00
q3k cd6d0e7270 toolx/nixops: new keys 2019-05-17 18:10:23 +02:00
q3k a4b3767455 tools/nixops.sh: add 2019-05-15 19:23:38 +02:00
q3k e986728648 gcp: init, add service account 2019-05-15 19:19:19 +02:00
q3k bb77892924 tools/install.sh: soft requirement on nix 2019-05-15 19:13:11 +02:00
q3k 1e6b52a194 tools/: add nixops
This now means we require Nix to be installed globally. This shouldn't
be the case in the long run, but will be until
https://github.com/tweag/rules_nixpkgs/issues/75 gets fixed or we maybe
move from rules_nixpkgs to nix-bundle or something similar.
2019-05-15 19:08:25 +02:00
q3k a9bb1d5b5b tools/secretstore: fix decryption of updated secrets 2019-04-28 17:13:12 +02:00
informatic 2c5391b6e6 tools/rook-s3cmd-config: tool to generate s3cmd config from rook.io secrets 2019-04-09 23:30:38 +02:00
informatic c10f00b7da tools/secretstore: decrypt secrets when requesting plaintext path 2019-04-09 13:29:33 +02:00
q3k acd001bf83 tools: add cfssl 2019-04-09 13:17:06 +02:00
q3k 73cef11c85 *: rejigger tls certs and more
This pretty large change does the following:

 - moves nix from bootstrap.hswaw.net to nix/
 - changes clustercfg to use cfssl and moves it to cluster/clustercfg
 - changes clustercfg to source information about target location of
   certs from nix
 - changes clustercfg to push nix config
 - changes tls certs to have more than one CA
 - recalculates all TLS certs
   (it keeps the old serviceaccounts key, otherwise we end up with
   invalid serviceaccounts - the cert doesn't match, but who cares,
   it's not used anyway)
2019-04-07 00:06:23 +02:00
q3k eeed6fb6da recertify all certs 2019-04-01 16:19:28 +02:00
q3k 2afe3e46fd tool/calicoctl: add secretstore to data 2019-01-18 01:37:45 +01:00
q3k a305bc9fb5 tool: add calicoctl wrapper 2019-01-18 01:34:20 +01:00
q3k 0752971f8a tools: add calicoctl 2019-01-18 01:24:38 +01:00
q3k 98691e9e5e tools: add python future module 2019-01-18 00:22:50 +01:00
q3k 41bd2b52c2 cluster/secrets: add implr 2019-01-17 23:37:36 +01:00
q3k f3010ee1cb cluster/secrets: add cz2 2019-01-17 21:35:52 +01:00
q3k af3be426ad cluster: deploy calico and metrics service 2019-01-17 18:57:19 +01:00
q3k 49b9a13d28 cluster: deploy coredns 2019-01-14 00:02:59 +01:00
q3k 4c186db2c1 clustercfg: do not use SAN section if no SAN names 2019-01-13 21:48:47 +01:00
q3k ae56b6a6a5 clustercfg: create .kubectl 2019-01-13 21:39:16 +01:00
q3k de061801db *: k0.hswaw.net somewhat working 2019-01-13 21:14:02 +01:00
q3k f2a812b9fd *: bazelify 2019-01-13 17:51:34 +01:00