mirror of https://gerrit.hackerspace.pl/hscloud synced 2025-01-24 16:43:54 +00:00
Commit graph

11 commits

Author SHA1 Message Date
31a32a816c cluster/prodaccess: use the correct cluster CA cert
Adds //cluster/k1/certs go package, and changes prodaccess to look up the correct one based on the -cluster flag. This should complete the transition of prodaccess to multicluster.

Change-Id: If65fab8f898a48ec16e6de7eeb02fd0aacee30b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2117
Reviewed-by: q3k <q3k@hackerspace.pl>
2025-01-17 22:35:29 +00:00
1254c9905b bazel: rename io_bazel_rules_go to rules_go
Change-Id: Ib66d48dd4b5eab23c31bb4931855b2f9c7a6d57c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2093
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: radex <radex@hackerspace.pl>
2025-01-11 20:40:37 +00:00
63f0adde2f cluster/prodaccess: add multi-cluster support
- allow passing -cluster to select another cluster (k0 remains the default for the time being)
- default prodvider dns to prodvider.<cluster>.hswaw.net
- scope kube config username and certs storage by cluster name

additionally:

- force username to be lowercase (LDAP is case-insensitive, but e.g. kubernetes namespaces are not)
- fix some Go deprecations

Change-Id: Ibf4a6ced7a635940f6a7c568c79714cd8ac60ce9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2101
Reviewed-by: radex <radex@hackerspace.pl>
2025-01-11 15:22:45 +00:00
2ba5310aa9 cluster/prodaccess: practice proper savoir-vivre
important meme

Change-Id: If23019d03069ebfbbf98217f5d215533507dd291
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2089
Reviewed-by: noisersup <noisersup@hackerspace.pl>
Reviewed-by: q3k <q3k@hackerspace.pl>
2025-01-08 14:28:11 +00:00
97b5cd7b58 go: re-do the entire thing
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:50:19 +00:00
ffdb97b7dd cluster/prodaccess: fix cert migration bug
Change-Id: I7426e60731b09c571aa7385f5213e998f04675a6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1510
Reviewed-by: ironbound <ironbound@hackerspace.pl>
2023-04-14 08:13:39 +00:00
777aab92a9 cluster/prodaccess: use new kube CA cert
Change-Id: I1bff03008a4a212ad93e5eaa112adaa2b0cad3e7
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1488
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
0f8e5a2132 *: do not require env.sh
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being run as `bazel run
//tools:install`.

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-17 21:21:58 +00:00
bade46d45f go/pki: fix error return
DeveloperCredentialsLocation used to glog.Exitf instead of returning an
error, and a consumer (prodaccess) used to not check the return code.
Bad refactor?

Change-Id: I6c2d05966ba6b3eb300c24a51584ccf5e324cd49
2021-05-19 22:12:08 +00:00
f3312ef77e *: developer machine HSPKI credentials
In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).

//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependent tool with -hspki_disable, and
with automatic mTLS!

Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
2020-08-01 17:15:52 +02:00
b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00