Commit Graph

447 Commits (6a0b75bd84480355c0eb6d2499bddc18815d5d83)

Author SHA1 Message Date
q3k 6a0b75bd84 personal/q3k/minecraft: enforce whitelist on main server
Change-Id: I7edf0babd476b7aeb92551ea62ccffa2c79a13a1
2020-05-16 21:05:09 +02:00
q3k 1223cde4d4 cluster: fix nuke's personal storage
Change-Id: I422a6d9f7a483e7c44cc8dfd8c0d8a98d9e17e46
2020-05-16 17:38:23 +02:00
q3k 741c08f66c cluster: add nuke's personal storage
He needs some personal backup space, and we have enough best effort
spare capacity for that.

Change-Id: I75ed6f62e79d33907c0974ec5f2839389ce62543
2020-05-14 18:13:53 +00:00
q3k a168c50132 SECURITY: cluster: limit api objects modifiable by namespace admins
This previously allowed all namespace admins (i.e. personal-$user namespace
users) to create any sort of object they wanted within that namespace.

This could've been exploited to allow creation of a RoleBinding that
would then allow binding a serviceaccount to the insecure
podsecuritypolicy, thereby allowing escalation to root on nodes.

As far as I've checked, this hasn't been exploited, and the access to
the k8s cluster has so far also been limited to trusted users.

This has been deployed to production.

Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96e
2020-05-11 20:49:31 +02:00
q3k e3432ee775 kube/policies: implement mostlysecure
Change-Id: I0f5dc29f9fc3ad534ddda766a79bb18e64757a6c
2020-05-11 20:17:11 +02:00
q3k 1743a6b4f3 Merge "cluster/rook: bump to 1.1.9" 2020-05-11 18:16:24 +00:00
q3k d1ccdcff3d personal/q3k/minecraft: init
Change-Id: I39585afa33411f2a58185469015aed3b2b4dcdeb
2020-05-06 20:35:48 +02:00
q3k d436de2010 cluster/rook: bump to 1.1.9
This bumps Rook/Ceph. The new resources (mostly RBAC) come from
following https://rook.io/docs/rook/v1.1/ceph-upgrade.html.

It's already deployed on production. The new CSI driver has not been
tested, but the old flexvolume-based provisioners still work. We'll
migrate when Rook offers a nice solution for this.

We've hit a kubecfg bug that does not allow controlling the CephCluster
CRD directly anymore (I had to apply it via kubecfg show / kubectl apply
-f instead). This might be due to our bazel/prod k8s version mismatch,
or it might be related to https://github.com/bitnami/kubecfg/issues/259.

Change-Id: Icd69974b294b823e60b8619a656d4834bd6520fd
2020-05-02 23:30:52 +02:00
Bartosz Stebel 98ef1518e0 add vpn insecure namespace
Change-Id: I8a774ae625342af3521ad0ab11a8f6d4e4ef6c97
2020-04-24 13:28:38 +02:00
q3k e9f4b77bf8 Merge "doc: add getting-started/your-first-change" 2020-04-22 12:11:03 +00:00
q3k ac1163d67a devtools/gerrit: disable owners-autoassign
This plugin sounds good in practice, but has a flaw: it assigns _all_
owners automatically, even if a change is already submitted by one of
the other owners.

We might come back to it later - or implement something of our own.

Change-Id: Iff179ea623c1371c2c861b6d7ec2e7749c940369
2020-04-13 12:26:00 +02:00
q3k 7b1d137d50 doc: add getting-started/your-first-change
Change-Id: Ib3d3805507e2cb5ef0194605f081c74719f3b1a3
2020-04-13 10:19:38 +00:00
q3k f3fac43938 Merge "*: add more OWNERS" 2020-04-13 09:04:11 +00:00
q3k ee0fc59685 Merge "devtools: deploy hackdoc&depotview" 2020-04-13 09:03:46 +00:00
q3k 006c1bf8f3 *: add more OWNERS
Change-Id: If2740a0aaee845160b38b8ea0b23fea7bab3bded
2020-04-13 01:46:15 +02:00
q3k 7480879222 devtools: deploy hackdoc&depotview
Change-Id: If7ee65a99fae29f5015bb8ee8bb23e83c0f7dd3a
2020-04-13 01:39:33 +02:00
q3k 4b4a33a693 devtools/hackdoc: propagate ref in imgs and redirects
Change-Id: Ideb2a8f10f8193cd782b0e1d913e7aa99bbfa52f
2020-04-13 01:35:33 +02:00
q3k b180a145d4 Merge "devtools/gerrit: bump to 3.0.8, add OWNERS plugins" 2020-04-12 16:38:14 +00:00
q3k 222a00a25a devtools/gerrit: bump to 3.0.8, add OWNERS plugins
Change-Id: I161ca0339bec0486c9b1446b141ecf1424112d9c
2020-04-12 18:37:21 +02:00
q3k 000b18beaf Merge "OWNER: init at root" 2020-04-12 16:32:11 +00:00
q3k 765e3b1e26 OWNER: init at root
This should work with gerrit's 'owners' and 'owners-autoassign' plugins.

Change-Id: I312da6dc03b981be4856234d3e84f6b556066744
2020-04-12 18:31:10 +02:00
q3k 9b50a69c11 Merge "app/matrix: upgrade and migrate to official appservice-irc image" 2020-04-12 12:50:31 +00:00
q3k ddd5c8e6e0 Merge "app/matrix: upgrade and migrate to official riot-web container image" 2020-04-12 12:50:27 +00:00
q3k ac43b3edac Merge "devtools/depotview: fix stale branches, clone bug" 2020-04-12 12:38:48 +00:00
q3k ebaa40894d devtools/depotview: fix stale branches, clone bug
Change-Id: Ia2c680d511e3a8b632414caae3058db20d8231ba
2020-04-12 14:38:27 +02:00
q3k adb72ccdec Merge "app/matrix: synapse upgrade" 2020-04-12 12:38:09 +00:00
q3k 5bce7ce9fd devtools/hackdoc: render TOC
Change-Id: I03c224675c0d142d630d872994658faa2ac70691
2020-04-11 20:16:58 +02:00
q3k bcf7363b4e doc/codelabs: add stub
Change-Id: Iffec09edfa8373f15bc889697abfe2210f90ce01
2020-04-10 22:15:36 +02:00
q3k 8adbd49051 *: more hackdoc updates
Change-Id: Ib9830c66fe36c423d38f447905c470b67cde5399
2020-04-10 22:10:18 +02:00
q3k 4f7cc0064f Revert "*: update docs for hackdoc"
This reverts commit cc8c69c897.

Reason for revert: <INSERT REASONING HERE>

Change-Id: I1315e930e2ef69db3188eda05e4aa0b12db24274
2020-04-10 20:09:35 +00:00
q3k cc8c69c897 *: update docs for hackdoc
Change-Id: I256ec4499da2289f8f7ea3766ce40f2b0ffb0dc1
2020-04-10 21:20:53 +02:00
q3k f157b4d632 devtools/{depotview,hackdoc}: tie both together
Change-Id: I0a1ca3b4fa0e0a074eccbe0f8748839b926db9c1
2020-04-10 19:24:48 +02:00
q3k 4c0e9b52c0 devtools/depotview: init
This is a small service for accessing git repos read-only over gRPC.

It's going to be used to allow hackdoc to render arbitrary versions of
hscloud.

Change-Id: Ib3c5eb5a8bc679e8062142e6fa30505d9550e2fa
2020-04-08 22:42:33 +02:00
q3k c881cf3c22 devtools/hackdoc: init
This is hackdoc, a documentation rendering tool for monorepos.

This is the first code iteration, that can only serve from a local git
checkout.

The code is incomplete, and is WIP.

Change-Id: I68ef7a991191c1bb1b0fdd2a8d8353aba642e28f
2020-04-08 20:03:12 +02:00
q3k 154baf1cf6 personal/q3k/factorio: add pymods server
Change-Id: I080ae267ea3afc19ae7d65ca458f71206bb6ed4e
2020-04-05 21:32:02 +02:00
q3k 6e985c4530 personal/q3k/factorio: fix deploy selectors
Change-Id: Id116da7d2486f2a2a5206fe1f8b79283a545c4d2
2020-04-01 02:21:45 +02:00
q3k 59786c5dfa personal/q3k/factorio: bump, add ds
Change-Id: I15dbbfdd911fb61fc5769443ef4f2e862cf6c7e1
2020-04-01 02:05:42 +02:00
q3k 0dcc702c64 cluster: bump nearly-expired certs
This makes clustercfg ensure certificates are valid for at least 30
days, and renew them otherwise.

We use this to bump all the certs that were about to expire in a week.
They are now valid until 2021.

There are still some certs that expire in 2020. We need to figure out a
better story for this, especially as the next expiry is 2021 - today's
prod rollout was somewhat disruptive (basically this was done by a full
cluster upgrade-like rollout flow, via clustercfg).

We also drive-by bump the number of mons in ceph-waw3 to 3, as it should
be (this gets rid of a nasty SPOF that would've bitten us during this
upgrade otherwise).

Change-Id: Iee050b1b9cba4222bc0f3c7bce9e4cf9b25c8bdc
2020-03-28 18:01:40 +01:00
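Worked example added here, not clustercfg's code: the renewal rule stated above ("valid for at least 30 days, otherwise renew") applied to parsed X.509 certificates in Go, plus a planner that also reports the earliest expiry among the certs it leaves alone, so the next bump can be scheduled instead of noticed a week out. The three-certificate inventory is constructed on the fly with self-signed certs; the subject names and ages are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

const day = 24 * time.Hour

// MinValidity is the threshold from the commit message: a certificate that is
// not valid for at least this long from now gets renewed.
const MinValidity = 30 * day

// NeedsRenewal reports whether cert must be renewed at time now: it has
// expired already, or it expires before now+minValidity.
func NeedsRenewal(cert *x509.Certificate, now time.Time, minValidity time.Duration) bool {
	return !now.Add(minValidity).Before(cert.NotAfter)
}

// RenewalPlan splits an inventory into the certs to renew now (by CN, sorted)
// and the earliest NotAfter among the certs that are kept, which is the date
// the next renewal round has to happen before.
func RenewalPlan(certs []*x509.Certificate, now time.Time, minValidity time.Duration) (renew []string, nextExpiry time.Time) {
	for _, c := range certs {
		if NeedsRenewal(c, now, minValidity) {
			renew = append(renew, c.Subject.CommonName)
			continue
		}
		if nextExpiry.IsZero() || c.NotAfter.Before(nextExpiry) {
			nextExpiry = c.NotAfter
		}
	}
	sort.Strings(renew)
	return renew, nextExpiry
}

// SelfSigned mints a throwaway self-signed certificate so the example can run
// offline; it stands in for whatever the real CA issued.
func SelfSigned(cn string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildInventory constructs three one-year certs relative to now: one with a
// week left (renew), one with 60 days left (keep), one already expired (renew).
func BuildInventory(now time.Time) ([]*x509.Certificate, error) {
	specs := []struct {
		cn  string
		age time.Duration // how long ago NotBefore was
	}{
		{"kube-apiserver", 358 * day}, // 7 days of validity left
		{"etcd-peer", 305 * day},      // 60 days left
		{"kubelet-client", 400 * day}, // expired 35 days ago
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := SelfSigned(s.cn, now.Add(-s.age), 365*day)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now()
	certs, err := BuildInventory(now)
	if err != nil {
		panic(err)
	}
	renew, next := RenewalPlan(certs, now, MinValidity)
	fmt.Printf("renew now: %v\nnext expiry among kept certs: %s\n", renew, next.Format(time.RFC3339))
}
```

For a single PEM file the same 30-day question can be asked from a shell with `openssl x509 -in cert.pem -noout -checkend 2592000`, which exits non-zero when the certificate expires within that many seconds; the Go version is what you reach for once there is an inventory to walk and a next-expiry date to track.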
informatic 973076c0fb app/covid-formity: covid19 hackerspace relief form
Change-Id: I952ca040e85e6305d5241816c3afa8ae69031d5f
2020-03-26 21:40:01 +01:00
q3k 97ce218339 Merge "env: fix missing hscloud_nixos export" 2020-03-26 14:15:48 +00:00
Serge Bazanski d7bc2ad53d well akshually
Change-Id: I597e4a7c3419e2fe5fb255618c5ec97176d7a5d4
2020-03-26 15:13:09 +01:00
Serge Bazanski 56c74ff0c2 personal/q3k/test: test
Change-Id: I84e827e1ff9a446749fe58b065f9441bc2019d3b
2020-03-26 15:12:30 +01:00
q3k 90e8e68bab crdb.k0: add bugless-dev (for q3k)
Change-Id: I3988e1c37f0a0c54ef1ba248f01e026d6e8c72b6
2020-03-25 10:55:05 +01:00
q3k 540663904b personal/q3k/factorio: bump
Change-Id: I2a93d24f85d7517a1e2b6247668c5ae63f4e2732
2020-03-25 10:48:52 +01:00
informatic 2259437930 env: fix missing hscloud_nixos export
Change-Id: I1887a06908e8b50926288d4cd9c9a820dd795ae0
2020-03-21 23:44:10 +01:00
informatic 57349d2a76 app/matrix: upgrade and migrate to official appservice-irc image
Change-Id: I9104974bd0906739f08239146737c56efde36cfe
2020-03-21 23:35:11 +01:00
informatic aca7e28f69 app/matrix: upgrade and migrate to official riot-web container image
Change-Id: I438e5b6e1bfb4a20bb6613904497e1e8a6d86fc5
2020-03-21 23:35:03 +01:00
informatic 8ebfc1d338 app/matrix: synapse upgrade
Change-Id: Ice5f70be190126da5eecfc1d5ec5c1f746679ec9
2020-03-03 21:01:18 +01:00
Michal Zagorski 5b1aa134fe personal/q3k/lelegram: changes by zagura
* Log highly verbose debug messages
* New cli parameter irc_login
* Change regex for IRC nicks
* IRC channel names case insensitive
* IRC usernames truncated to 9 chars without Telegram suffix

Signed-off-by: Michał Zagórski <zagura6@gmail.com>
Change-Id: Ifa32279580a4378cc3b9e255f0311216998e02c9
2020-03-02 12:01:10 +01:00
q3k e186c87c1b cluster: bump rook to 1.0.6
In preparation for updating to 1.1.0, which will be much more involved.

Also fix a typo in registry.libsonnet, whoops.

Change-Id: I7668bf53c7580f99fdf56fe6227f04a468f8de50
2020-02-21 12:57:02 +01:00