Commit Graph

3 Commits (6f0d852568b02020e5528e109284041ce18d8eb0)

Author SHA1 Message Date
q3k a4f8a459b9 cluster: partial cert bump
Done:

 1. etcd peer CA & certs
 2. etcd client CA & certs
 3. kube CA (currently all components set to accept both new and old CA,
    new CA called ca-kube-new)
 4. kube apiserver
 5. kubelet & kube-proxy
 6. prodvider intermediate

TODO:

 1. kubernetes controller-manager & kubernetes scheduler
 2. kubefront CA
 3. admitomatic?
 4. undo bundle on kube CA components to fully transition away from old
    CA

Change-Id: If529eeaed9a6a2063bed23c9d81c57b36b9a0115
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1487
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k 7371b7288b tools/secretstore: add sync command, re-encrypt
This kills two birds with one stone:

 - update the secretstore tool to be slightly smarter about secrets, to
   the point where we can now just point it at a secret directory and
   ask it to 'sync' all secrets in there
 - runs the new fancy sync command on all keys to update them, which
   is a follow-up to gerrit/328.

Change-Id: I0eec4a3e8afcd9481b0b248154983aac25657c40
2020-06-04 19:25:07 +00:00
q3k b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00