cheshire
/
hscloud
forked from hswaw/hscloud
1
0
Fork 0
Code Pull Requests Activity
1,253 Commits
1 Branch
0 Tags
55 MiB
Commit Graph

7 Commits (a6592b845c6c2417c531bb8dc904286919b8acd7)

Author SHA1 Message Date
q3k 97b5cd7b58 go: re-do the entire thing 
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
 2023-09-22 21:50:19 +00:00
q3k ffdb97b7dd cluster/prodaccess: fix cert migration bug 
Change-Id: I7426e60731b09c571aa7385f5213e998f04675a6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1510
Reviewed-by: ironbound <ironbound@hackerspace.pl>
 2023-04-14 08:13:39 +00:00
q3k 777aab92a9 cluster/prodaccess: use new kube CA cert 
Change-Id: I1bff03008a4a212ad93e5eaa112adaa2b0cad3e7
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1488
Reviewed-by: q3k <q3k@hackerspace.pl>
 2023-03-31 22:53:59 +00:00
q3k 0f8e5a2132 *: do not require env.sh 
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being ran as `bazel run
//tools:install`.

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
 2021-10-17 21:21:58 +00:00
q3k bade46d45f go/pki: fix error return 
DeveloperCredentialsLocation used to glog.Exitf instead of returning an
error, and a consumer (prodaccess) used to not check the return code.
Bad refactor?

Change-Id: I6c2d05966ba6b3eb300c24a51584ccf5e324cd49
 2021-05-19 22:12:08 +00:00
q3k f3312ef77e *: developer machine HSPKI credentials 
In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).

//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependant tool with -hspki_disable, and
with automatic mTLS!

Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
 2020-08-01 17:15:52 +02:00
q3k b13b7ffcdb prod{access,vider}: implement 
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
 2019-08-30 23:08:18 +02:00