mirror of https://gerrit.hackerspace.pl/hscloud synced 2024-10-15 05:47:45 +00:00
Commit graph

45 commits

Author SHA1 Message Date
0544d27c04 tools, cluster/tools: bazel5 compat: remove unused import
Change-Id: I8b264a6c36e4d0f1535f38ad1f41495e62061f26
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1308
Reviewed-by: daz <daz@hackerspace.pl>
2022-06-04 19:56:40 +00:00
2ada80423a tools/hscloud/lib.py: fix newlines sneaking in
Change-Id: Iacf956c80486596f02efd901c48f4571f0a76adf
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1283
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-04-04 17:51:44 +00:00
0f8e5a2132 *: do not require env.sh
This removes the need to source env.{sh,fish} when working with hscloud.

This is done by:

 1. Implementing a Go library to reliably detect the location of the
    active hscloud checkout. That in turn is enabled by
    BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
 2. Creating a tool `hscloud`, with a command `hscloud workspace` that
    returns the workspace path.
 3. Wrapping this tool to be accessible from Python and Bash.
 4. Bumping all users of hscloud_root to use either the Go library or
    one of the two implemented wrappers.

We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being run as `bazel run
//tools:install`.

Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.

Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
2021-10-17 21:21:58 +00:00
f97c9688d5 tools/secretstore: fix gpg encryption for expired key
We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust
shenanigans.

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52
2021-07-10 16:53:59 +00:00
491542589b tools/gostatic: init
This adds Bazel/hscloud integration to gostatic, via gostatic_tarball.

A sample is provided in //tools/gostatic/example, it can be built using:

    bazel build //tools/gostatic/example

The resulting tarball can then be extracted and viewed in a web
browser.

Change-Id: Idf8d4a8e0ee3a5ae07f7449a25909478c2d8b105
2020-10-26 12:08:33 +01:00
f00a701f27 tools: remove unused go_sdk.bzl
This is a leftover from an old attempt at NixOS compatibility.

Change-Id: I5050f76b83f47796cdfa6235db8ee5efe8daf3e2
2020-09-25 21:01:12 +00:00
6c1a712522 secretstore: fix decryption in sync
Change-Id: If5be7679e9e0b6e0acf78ffd871adb1f9af8d7f4
2020-07-30 20:55:54 +00:00
7371b7288b tools/secretstore: add sync command, re-encrypt
This kills two birds with one stone:

 - update the secretstore tool to be slightly smarter about secrets, to
   the point where we can now just point it at a secret directory and
   ask it to 'sync' all secrets in there
 - runs the new fancy sync command on all keys to update them, which
   is a follow up to gerrit/328.

Change-Id: I0eec4a3e8afcd9481b0b248154983aac25657c40
2020-06-04 19:25:07 +00:00
d600ebb5c8 Re-enable cz2 gpg key in secretstore.py
Change-Id: Iccefecccafe3748c310e5922f366c86d5f2cf11d
2020-05-31 16:46:58 +00:00
02aae3628c hswaw/kube: encrypt keys, update expired keys
cz2's key has expired. Removing it for now as there's no easy way to
force gpg to encrypt content for expired keys.

Change-Id: Ib27b9a09385fcead1ba2d48ebf45426038d8b647
2020-02-18 23:28:14 +01:00
c5a77b8f81 env/tools: fix NixOS detection, maybe
Change-Id: Ifa4c1c53ed918f67e68e190709edc417d0d3b4d6
2020-02-17 23:04:35 +01:00
e03c217cc1 go: bump rules_go, autodetect nix for go toolchains
Change-Id: If10a7843e5e54ade82fbeec85f4e6727e4d2a117
2020-02-15 01:04:38 +01:00
d493ab66ca *: add dcr01s{22,24}
Change-Id: I072e825e2e1d199d9da50b9d38a9ffba68e61182
2019-10-31 17:07:50 +01:00
b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00
1663e0e93b tools: move cluster-specific stuff to cluster/tools
Change-Id: I1813bb221d1bff0d6067eceb84d23510face60ff
2019-07-21 14:26:51 +00:00
b5ad364a32 tools/workspace-status.sh -> bzl/
This is bazel-specific.

Change-Id: I2592c30f4e8f5e414d2fb6cf90f36b36e069b7cb
2019-07-21 16:26:19 +02:00
Robert Gerus
f1bdb9a984 Fix the shebang.
First step on the path of making bazel work here on NixOS.

Change-Id: Icc264dac250e116f4835a135f47423740a2e5096
2019-07-21 15:24:52 +02:00
Serge Bazanski
2ce367681a *: move away from python_rules
python_rules is completely broken when it comes to py2/py3 support.

Here, we replace it with native python rules from new Bazel versions [1] and rules_pip for PyPI dependencies [2].

rules_pip is somewhat little known and experimental, but it seems to work much better than what we had previously.

We also unpin rules_docker and fix .bazelrc to force Bazel into Python 2 mode - hopefully, this repo will now work
fine under operating systems where `python` is python2 (as the standard dictates).

[1] - https://docs.bazel.build/versions/master/be/python.html

[2] - https://github.com/apt-itude/rules_pip

Change-Id: Ibd969a4266db564bf86e9c96275deffb9610dd44
2019-07-16 22:22:05 +00:00
q3k
1e5e81227a Merge changes I4ef1f6ed,I20b0ecbb,Ida9dff72,I92e70536
* changes:
  cluster/cube/lib/cockroachdb: clean up topology
  cluster/kube/lib/cockroach: move client to deployment
  app/gerrit/kube: implement
  app/gerrit: import OAuth provider and add SSO support
2019-06-25 00:49:10 +00:00
b094f08744 tools/: add __pycache__ to gitignore
Change-Id: Iaddfe140df1e82611df8e2594b7560e3bdafd896
2019-06-21 22:14:41 +02:00
573da78859 app/gerrit: import OAuth provider and add SSO support
This change:

 - imports gerrit-oauth-provider from upstream
 - adds sso.hackerspae.pl support to it

Change-Id: I92e7053614a9297bf1ced3aac044c0002acd836a
2019-06-21 20:09:01 +02:00
29afb4cc51 secretstore: restore implr 2019-05-19 03:10:25 +02:00
cd6d0e7270 toolx/nixops: new keys 2019-05-17 18:10:23 +02:00
a4b3767455 tools/nixops.sh: add 2019-05-15 19:23:38 +02:00
e986728648 gcp: init, add service account 2019-05-15 19:19:19 +02:00
bb77892924 tools/install.sh: soft requirement on nix 2019-05-15 19:13:11 +02:00
1e6b52a194 tools/: add nixops
This now means we require Nix to be installed globally. This shouldn't
be the case in the long run, but will be until
https://github.com/tweag/rules_nixpkgs/issues/75 gets fixed or we maybe
move from rules_nixpkgs to nix-bundle or something similar.
2019-05-15 19:08:25 +02:00
a9bb1d5b5b tools/secretstore: fix decryption of updated secrets 2019-04-28 17:13:12 +02:00
2c5391b6e6 tools/rook-s3cmd-config: tool to generate s3cmd config from rook.io secrets 2019-04-09 23:30:38 +02:00
c10f00b7da tools/secretstore: decrypt secrets when requesting plaintext path 2019-04-09 13:29:33 +02:00
acd001bf83 tools: add cfssl 2019-04-09 13:17:06 +02:00
73cef11c85 *: rejigger tls certs and more
This pretty large change does the following:

 - moves nix from bootstrap.hswaw.net to nix/
 - changes clustercfg to use cfssl and moves it to cluster/clustercfg
 - changes clustercfg to source information about target location of
   certs from nix
 - changes clustercfg to push nix config
 - changes tls certs to have more than one CA
 - recalculates all TLS certs
   (it keeps the old serviceaccounts key, otherwise we end up with
   invalid serviceaccounts - the cert doesn't match, but who cares,
   it's not used anyway)
2019-04-07 00:06:23 +02:00
eeed6fb6da recertify all certs 2019-04-01 16:19:28 +02:00
2afe3e46fd tool/calicoctl: add secretstore to data 2019-01-18 01:37:45 +01:00
a305bc9fb5 tool: add calicoctl wrapper 2019-01-18 01:34:20 +01:00
0752971f8a tools: add calicoctl 2019-01-18 01:24:38 +01:00
98691e9e5e tools: add python future module 2019-01-18 00:22:50 +01:00
41bd2b52c2 cluster/secrets: add implr 2019-01-17 23:37:36 +01:00
f3010ee1cb cluster/secrets: add cz2 2019-01-17 21:35:52 +01:00
af3be426ad cluster: deploy calico and metrics service 2019-01-17 18:57:19 +01:00
49b9a13d28 cluster: deploy coredns 2019-01-14 00:02:59 +01:00
4c186db2c1 clustercfg: do not use SAN section if no SAN names 2019-01-13 21:48:47 +01:00
ae56b6a6a5 clustercfg: create .kubectl 2019-01-13 21:39:16 +01:00
de061801db *: k0.hswaw.net somewhat working 2019-01-13 21:14:02 +01:00
f2a812b9fd *: bazelify 2019-01-13 17:51:34 +01:00