cheshire
/
hscloud
forked from hswaw/hscloud
1
0
Fork 0
Code Pull Requests Activity
463 Commits
1 Branch
0 Tags
55 MiB
Commit Graph

463 Commits (2a788d392a05f234bef0c93df8a8c453bdbd4517)

Author SHA1 Message Date
wasiumpks 2a788d392a rename dockerfile for spigot and add dockerfile for paper 
Change-Id: If70ee79f7aeba8c51a869a6b8b0f049bc08be357
 2020-06-03 15:50:15 +02:00
q3k 75fd2f4a13 Merge "personal/q3k/minecraft: add and deploy bridge" 2020-06-01 12:30:29 +00:00
patryk d600ebb5c8 Re-enable cz2 gpg key in secretstore.py 
Change-Id: Iccefecccafe3748c310e5922f366c86d5f2cf11d
 2020-05-31 16:46:58 +00:00
informatic cb96eb6df6 Merge "crdb.k0: add sso client" 2020-05-31 12:26:04 +00:00
q3k de3d3fa641 bgpwtf/invoice: hide invoicee VAT number when not given 
Also re-add go-bindata to WORKSPACE, something nuked it.

Change-Id: I723ebee7f843d0135a3e1121e2e93ae5fe56bc4b
 2020-05-31 00:12:11 +02:00
q3k e55493f635 calico: fix access to resources from controller 
This fixes even more networking issues.

Change-Id: I754656a01e3de8a34055280908b343a1a25a4707
 2020-05-30 17:57:05 +02:00
q3k ba375e62b2 calico: fix node name selection 
This was an attempt to make new calico nodes use a full FQDN. However,
this change seemingly also makes the calico control plane use the FQDN
for all existing nodes, as such breaking CNI for new pods.

We revert this change, thereby keeping all calico nodes names as
hostnames. We could fix this by editing /var/lib/calico/nodename on
hosts to FQDNs, but it might not be worth the effort.

See https://github.com/projectcalico/calico/issues/1093 for more
context.

Change-Id: I52bfb00f604053d57d3009aebd6c50db7dc74f58
 2020-05-30 16:18:13 +02:00
informatic 42da0e9aec crdb.k0: add sso client 
Change-Id: I7490a3594694d61a19910e436983937667ed34bd
 2020-05-30 14:34:33 +02:00
q3k d81bf72d7f calico: upgrade to 3.14, fix calicoctl 
We still use etcd as the data store (and as such didn't set up k8s CRDs
for Calico), but that's okay for now.

Change-Id: If6d66f505c6b40f2646ffae7d33d0d641d34a963
 2020-05-28 16:47:16 +02:00
vuko d13df642c5 Merge "personal/vuko/shells initial commit" 2020-05-22 20:04:32 +00:00
vuko 6c678e391e personal/vuko/shells initial commit 
Change-Id: Icba91e8d4ffe53fc8a7ab7946f3a1b45daf20290
 2020-05-22 22:02:22 +02:00
q3k 5786d5245d third_party/java: actually commit 
this unfucks master, whoops

Change-Id: I118b9d32aaf53e598333960b959bfb3c0fe33681
 2020-05-18 23:48:49 +02:00
q3k f316932930 personal/q3k/minecraft: add and deploy bridge 
Change-Id: Ie191690414840668f31f3de4cdf809b35c610248
 2020-05-18 23:47:37 +02:00
q3k 7fa92b4029 personal/q3k/minecraft: expose port 2137 (gRPC plugin) 
Change-Id: I0816d63f0307c6ca7cafcd752e93e857e6a41f7f
 2020-05-17 23:07:19 +00:00
q3k 32f8a58236 personal/q3k: add minecraft plugins 
Also drive-by modify WORKSPACE to add required deps.

Also drive-by update deps in WORKSPACE.

Also drive-by remove old stackb/proto library from WORKSPACE (only used
in cccampix, which is dead, and stackb/proto should be replaceable by
the main grpc lib by this point).

Change-Id: I7ac7fe2237e859dc1c45bf41a016174ed8e9ee71
 2020-05-17 23:06:42 +00:00
Rafał Hirsz 12ab93ac7e personal/q3k/minecraft: add worldedit+worldguard 
This assumes that a new Docker image will be built at tag spigot-1.15.2-r3.

Change-Id: Ia230510d2400faa3631bde99a96366d72e69a4bd
 2020-05-16 21:09:04 +02:00
q3k 6a0b75bd84 personal/q3k/minecraft: enforce whitelist on main server 
Change-Id: I7edf0babd476b7aeb92551ea62ccffa2c79a13a1
 2020-05-16 21:05:09 +02:00
q3k 1223cde4d4 cluster: fix nuke's personal storage 
Change-Id: I422a6d9f7a483e7c44cc8dfd8c0d8a98d9e17e46
 2020-05-16 17:38:23 +02:00
q3k 741c08f66c cluster: add nuke's personal storage 
He needs some personal backup space, and we have enough best effort
spare capacity for that.

Change-Id: I75ed6f62e79d33907c0974ec5f2839389ce62543
 2020-05-14 18:13:53 +00:00
q3k a168c50132 SECURITY: cluster: limit api objects modifiable by namespace admins 
This previous allowed all namespace admins (ie. personal-$user namespace
users) to create any sort of obejct they wanted within that namespace.

This could've been exploited to allow creation of a RoleBinding that
would then allow to bind a serviceaccount to the insecure
podsecuritypolicy, thereby allowing escalation to root on nodes.

As far as I've checked, this hasn't been exploited, and the access to
the k8s cluster has so far also been limited to trusted users.

This has been deployed to production.

Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96e
 2020-05-11 20:49:31 +02:00
q3k e3432ee775 kube/policies: implement mostlysecure 
Change-Id: I0f5dc29f9fc3ad534ddda766a79bb18e64757a6c
 2020-05-11 20:17:11 +02:00
q3k 1743a6b4f3 Merge "cluster/rook: bump to 1.1.9" 2020-05-11 18:16:24 +00:00
q3k d1ccdcff3d personal/q3k/minecraft: init 
Change-Id: I39585afa33411f2a58185469015aed3b2b4dcdeb
 2020-05-06 20:35:48 +02:00
q3k d436de2010 cluster/rook: bump to 1.1.9 
This bumps Rook/Ceph. The new resources (mostly RBAC) come from
following https://rook.io/docs/rook/v1.1/ceph-upgrade.html .

It's already deployed on production. The new CSI driver has not been
tested, but the old flexvolume-based provisioners still work. We'll
migrate when Rook offers a nice solution for this.

We've hit a kubecfg bug that does not allow controlling the CephCluster
CRD directly anymore (I had to apply it via kubecfg show / kubectl apply
-f instead). This might be due to our bazel/prod k8s version mismatch,
or it might be related to https://github.com/bitnami/kubecfg/issues/259.

Change-Id: Icd69974b294b823e60b8619a656d4834bd6520fd
 2020-05-02 23:30:52 +02:00
Bartosz Stebel 98ef1518e0 add vpn insecure namespace 
Change-Id: I8a774ae625342af3521ad0ab11a8f6d4e4ef6c97
 2020-04-24 13:28:38 +02:00
q3k e9f4b77bf8 Merge "doc: add getting-started/your-first-change" 2020-04-22 12:11:03 +00:00
q3k ac1163d67a devtools/gerrit: disable owners-autoassign 
This plugin sounds good in practice, but has a flaw: it assigns _all_
owners automatically, even if a change is already submitted by one of
the other owners.

We might come back to it later - or implement something of our own.

Change-Id: Iff179ea623c1371c2c861b6d7ec2e7749c940369
 2020-04-13 12:26:00 +02:00
q3k 7b1d137d50 doc: add getting-started/your-first-change 
Change-Id: Ib3d3805507e2cb5ef0194605f081c74719f3b1a3
 2020-04-13 10:19:38 +00:00
q3k f3fac43938 Merge "*: add more OWNERS" 2020-04-13 09:04:11 +00:00
q3k ee0fc59685 Merge "devtools: deploy hackdoc&depotview" 2020-04-13 09:03:46 +00:00
q3k 006c1bf8f3 *: add more OWNERS 
Change-Id: If2740a0aaee845160b38b8ea0b23fea7bab3bded
 2020-04-13 01:46:15 +02:00
q3k 7480879222 devtools: deploy hackdoc&depotview 
Change-Id: If7ee65a99fae29f5015bb8ee8bb23e83c0f7dd3a
 2020-04-13 01:39:33 +02:00
q3k 4b4a33a693 devtools/hackdoc: propagate ref in imgs and redirects 
Change-Id: Ideb2a8f10f8193cd782b0e1d913e7aa99bbfa52f
 2020-04-13 01:35:33 +02:00
q3k b180a145d4 Merge "devtools/gerrit: bump to 3.0.8, add OWNERS plugins" 2020-04-12 16:38:14 +00:00
q3k 222a00a25a devtools/gerrit: bump to 3.0.8, add OWNERS plugins 
Change-Id: I161ca0339bec0486c9b1446b141ecf1424112d9c
 2020-04-12 18:37:21 +02:00
q3k 000b18beaf Merge "OWNER: init at root" 2020-04-12 16:32:11 +00:00
q3k 765e3b1e26 OWNER: init at root 
This should work with gerrit's 'owners' and 'owners-autoassign' plugins.

Change-Id: I312da6dc03b981be4856234d3e84f6b556066744
 2020-04-12 18:31:10 +02:00
q3k 9b50a69c11 Merge "app/matrix: upgrade and migrate to official appservice-irc image" 2020-04-12 12:50:31 +00:00
q3k ddd5c8e6e0 Merge "app/matrix: upgrade and migrate to official riot-web container image" 2020-04-12 12:50:27 +00:00
q3k ac43b3edac Merge "devtools/depotview: fix stale branches, clone bug" 2020-04-12 12:38:48 +00:00
q3k ebaa40894d devtools/depotview: fix stale branches, clone bug 
Change-Id: Ia2c680d511e3a8b632414caae3058db20d8231ba
 2020-04-12 14:38:27 +02:00
q3k adb72ccdec Merge "app/matrix: synapse upgrade" 2020-04-12 12:38:09 +00:00
q3k 5bce7ce9fd devtools/hackdoc: render TOC 
Change-Id: I03c224675c0d142d630d872994658faa2ac70691
 2020-04-11 20:16:58 +02:00
q3k bcf7363b4e doc/codelabs: add stub 
Change-Id: Iffec09edfa8373f15bc889697abfe2210f90ce01
 2020-04-10 22:15:36 +02:00
q3k 8adbd49051 *: more hackdoc updates 
Change-Id: Ib9830c66fe36c423d38f447905c470b67cde5399
 2020-04-10 22:10:18 +02:00
q3k 4f7cc0064f Revert "*: update docs for hackdoc" 
This reverts commit cc8c69c897.

Reason for revert: <INSERT REASONING HERE>

Change-Id: I1315e930e2ef69db3188eda05e4aa0b12db24274
 2020-04-10 20:09:35 +00:00
q3k cc8c69c897 *: update docs for hackdoc 
Change-Id: I256ec4499da2289f8f7ea3766ce40f2b0ffb0dc1
 2020-04-10 21:20:53 +02:00
q3k f157b4d632 devtools/{depotview,hackdoc}: tie both together 
Change-Id: I0a1ca3b4fa0e0a074eccbe0f8748839b926db9c1
 2020-04-10 19:24:48 +02:00
q3k 4c0e9b52c0 devtools/depotview: init 
This is a small service for accessing git repos read-only over gRPC.

It's going to be used to allow hackdoc to render arbitrary versions of
hscloud.

Change-Id: Ib3c5eb5a8bc679e8062142e6fa30505d9550e2fa
 2020-04-08 22:42:33 +02:00
q3k c881cf3c22 devtools/hackdoc: init 
This is hackdoc, a documentation rendering tool for monorepos.

This is the first code iteration, that can only serve from a local git
checkout.

The code is incomplete, and is WIP.

Change-Id: I68ef7a991191c1bb1b0fdd2a8d8353aba642e28f
 2020-04-08 20:03:12 +02:00