Commit graph

16 commits

Author SHA1 Message Date
97b5cd7b58 go: re-do the entire thing
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:50:19 +00:00
0544d27c04 tools, cluster/tools: bazel5 compat: remove unused import
Change-Id: I8b264a6c36e4d0f1535f38ad1f41495e62061f26
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1308
Reviewed-by: daz <daz@hackerspace.pl>
2022-06-04 19:56:40 +00:00
0f8e5a2132 *: do not require env.sh
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being ran as `bazel run
//tools:install`.

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-17 21:21:58 +00:00
b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00
1663e0e93b tools: move cluster-specific stuff to cluster/tools
Change-Id: I1813bb221d1bff0d6067eceb84d23510face60ff
2019-07-21 14:26:51 +00:00
Serge Bazanski
2ce367681a *: move away from python_rules
python_rules is completely broken when it comes to py2/py3 support.

Here, we replace it with native python rules from new Bazel versions [1] and rules_pip for PyPI dependencies [2].

rules_pip is somewhat little known and experimental, but it seems to work much better than what we had previously.

We also unpin rules_docker and fix .bazelrc to force Bazel into Python 2 mode - hopefully, this repo will now work
fine under operating systems where `python` is python2 (as the standard dictates).

[1] - https://docs.bazel.build/versions/master/be/python.html

[2] - https://github.com/apt-itude/rules_pip

Change-Id: Ibd969a4266db564bf86e9c96275deffb9610dd44
2019-07-16 22:22:05 +00:00
e986728648 gcp: init, add service account 2019-05-15 19:19:19 +02:00
1e6b52a194 tools/: add nixops
This now means we require Nix to be installed globally. This shouldn't
be the case in the long run, but will be until
https://github.com/tweag/rules_nixpkgs/issues/75 gets fixed or we maybe
move from rules_nixpkgs to nix-bundle or something similar.
2019-05-15 19:08:25 +02:00
acd001bf83 tools: add cfssl 2019-04-09 13:17:06 +02:00
73cef11c85 *: rejigger tls certs and more
This pretty large change does the following:

 - moves nix from bootstrap.hswaw.net to nix/
 - changes clustercfg to use cfssl and moves it to cluster/clustercfg
 - changes clustercfg to source information about target location of
   certs from nix
 - changes clustercfg to push nix config
 - changes tls certs to have more than one CA
 - recalculates all TLS certs
   (it keeps the old serviceaccoutns key, otherwise we end up with
   invalid serviceaccounts - the cert doesn't match, but who cares,
   it's not used anyway)
2019-04-07 00:06:23 +02:00
2afe3e46fd tool/calicoctl: add secretstore to data 2019-01-18 01:37:45 +01:00
a305bc9fb5 tool: add calicoctl wrapper 2019-01-18 01:34:20 +01:00
0752971f8a tools: add calicoctl 2019-01-18 01:24:38 +01:00
98691e9e5e tools: add python future module 2019-01-18 00:22:50 +01:00
de061801db *: k0.hswaw.net somewhat working 2019-01-13 21:14:02 +01:00
f2a812b9fd *: bazelify 2019-01-13 17:51:34 +01:00