mirror of https://gerrit.hackerspace.pl/hscloud synced 2025-02-10 22:06:44 +00:00

cluster/prodaccess: practice proper savoir-vivre

important meme

Change-Id: If23019d03069ebfbbf98217f5d215533507dd291
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2089
Reviewed-by: noisersup <noisersup@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
radex 2025-01-08 13:17:13 +01:00
parent 042eafadc4
commit 2ba5310aa9
2 changed files with 30 additions and 5 deletions

View file

@ -1,12 +1,12 @@
prodvider
=========
prodvider/prodaccess
====================
It provides access, yo.
Architecture
------------
Prodvider uses an intermedaite CA (the prodvider CA, signed by the kube CA), to generate the following:
Prodvider uses an intermediate CA (the prodvider CA, signed by the kube CA), to generate the following:
- a cert for prodvider to present itself over gRPC for prodaccess clients
- a cert for prodvider to authenticate itself to the kube apiserver
- client certificates for prodaccess consumers.
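Review bot: the retitled heading now names both prodvider and prodaccess, but the body under it still only describes prodvider (the intermediate CA and the certificates it issues); a sentence after the title saying which of the two is the server and which is the client-side tool would make the rename meaningful. The `intermedaite` to `intermediate` fix in the Architecture paragraph is fine, and the `====================` underline matches the new 20-character title.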
@ -21,6 +21,6 @@ Prodvider customers get certificates with a CN=`username@hackerspace.pl` and O=`
Kubernetes Structure
--------------------
After generating a user certificate, prodvider will also call kubernetes to set up a personal user namespace (`personal-username`), a RoleBinding to `system:admin-namespace` from their `User` in their namespace (thus, giving them full rights in it) and a ClusterRoleBinding to `system:viewer` from their `User` (thus, giving them some read access for all resources, but not to secure data (like secrets).
After generating a user certificate, prodvider will also call kubernetes to set up a personal user namespace (`personal-username`), a RoleBinding to `system:admin-namespace` from their `User` in their namespace (thus, giving them full rights in it) and a ClusterRoleBinding to `system:viewer` from their `User`, thus, giving them some read access for all resources, but not to secure data (like secrets).
`system:admin-namespace` and `system:viewer` are defined in `//cluster/kube`.
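Review bot: the rewritten sentence fixes the unbalanced parentheses of the original, but "from their `User`, thus, giving" now carries a stray comma; "from their `User`, thus giving them some read access for all resources" reads more naturally. Keep the explicit statement that `system:viewer` does not reach secrets, since the cluster-wide ClusterRoleBinding is the part a reader will want reassurance about.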

View file

@ -4,6 +4,7 @@ import (
"context"
"crypto/x509"
"flag"
"strings"
"fmt"
"os"
"os/user"
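Review bot: `"strings"` is inserted between `"flag"` and `"fmt"`, which breaks the alphabetical order gofmt enforces within an import group; run gofmt (or goimports) so it lands after `"os/user"`, otherwise the next formatter pass will produce an unrelated diff in this file.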
@ -71,7 +72,7 @@ func main() {
os.Exit(1)
}
} else {
fmt.Printf("Good evening professor. I see you have driven here in your Ferrari.\n")
greetings(strings.ToLower(flagUsername))
os.Exit(0)
}
}
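Review bot: the call lowercases `flagUsername` only for the greeting; if the same flag value is used elsewhere in `main` in its original case (for example when requesting the certificate), the name shown to the user and the name actually submitted can differ. Consider normalizing the flag once where it is parsed, or passing it unchanged and letting `greetings` handle case on its own, so the cosmetic path and the real path agree.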
@ -115,3 +116,27 @@ func password() string {
fmt.Printf("\n")
return string(bytePassword)
}
func greetings(username string) {
fmt.Printf("Good evening %s. I see you have driven here in your %s.\n", userTitle(username), userVehicle(username))
}
func userTitle(username string) string {
switch username {
case "drozdziak1":
return "Dr. Oździak"
case "radex":
return "Mr. Secretary"
default:
return "professor"
}
}
func userVehicle(username string) string {
switch username {
case "drozdziak1", "krnlexception":
return "Ford Focus"
default:
return "Ferrari"
}
}
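Review bot: `userTitle` and `userVehicle` duplicate the same switch-on-username structure; a single `map[string]struct{ title, vehicle string }` with a default entry would make adding a person a one-line change and keep the two lookups from drifting apart. None of the three new functions has a doc comment, which Go convention asks for; a one-liner on `greetings` noting that it is purely cosmetic and has no effect on access would help the next reader.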