Sergiusz Bazanski
b13b7ffcdb
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO users to access the kubernetes cluster. Currently, all users get a personal-$username namespace in which they have administrative rights. Otherwise, they get no access. In addition, we define a static CRB to allow some admins access to everything. In the future, this will be more granular. We also update relevant documentation. Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_layer", "container_push")
load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
# Library holding the whole prodvider service: certificate issuance,
# Kubernetes provisioning, the gRPC service and the entry point.
go_library(
    name = "go_default_library",
    importpath = "code.hackerspace.pl/hscloud/cluster/prodvider",
    # Only the :prodvider binary in this package embeds this library.
    visibility = ["//visibility:private"],
    srcs = ["certs.go", "kubernetes.go", "main.go", "service.go"],
    deps = [
        # Wire protocol of the service itself.
        "//cluster/prodvider/proto:go_default_library",
        # cfssl: CSR handling and the local certificate signer.
        "@com_github_cloudflare_cfssl//config:go_default_library",
        "@com_github_cloudflare_cfssl//csr:go_default_library",
        "@com_github_cloudflare_cfssl//signer:go_default_library",
        "@com_github_cloudflare_cfssl//signer/local:go_default_library",
        # Logging and the LDAP client used for SSO lookups (per commit message).
        "@com_github_golang_glog//:go_default_library",
        "@in_gopkg_ldap_v3//:go_default_library",
        # Kubernetes API types (core + RBAC), error helpers and the in-cluster client.
        "@io_k8s_api//core/v1:go_default_library",
        "@io_k8s_api//rbac/v1:go_default_library",
        "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
        "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
        "@io_k8s_client_go//kubernetes:go_default_library",
        "@io_k8s_client_go//rest:go_default_library",
        # gRPC server plumbing, including transport credentials.
        "@org_golang_google_grpc//:go_default_library",
        "@org_golang_google_grpc//codes:go_default_library",
        "@org_golang_google_grpc//credentials:go_default_library",
        "@org_golang_google_grpc//status:go_default_library",
    ],
)
# The prodvider executable; public so other packages (e.g. deployment
# targets) can reference it.
go_binary(
    name = "prodvider",
    visibility = ["//visibility:public"],
    embed = [":go_default_library"],
)
# Image layer that places the binary at /cluster/prodvider/prodvider.
container_layer(
    name = "layer_bin",
    directory = "/cluster/prodvider/",
    files = [":prodvider"],
)
# Runtime image: the shared bionic base plus the single binary layer.
container_image(
    name = "runtime",
    layers = [":layer_bin"],
    # NOTE(review): the base is a workspace-level external image; whether it is
    # pinned by digest is decided outside this file — confirm in WORKSPACE.
    base = "@prodimage-bionic//image",
)
# Publishes :runtime to the cluster registry. The tag is a template of stamp
# variables; it assumes a stamped build so that both placeholders are
# substituted — confirm the build is run with stamping enabled.
container_push(
    name = "push",
    format = "Docker",
    image = ":runtime",
    tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
    repository = "cluster/prodvider",
    registry = "registry.k0.hswaw.net",
)