Commit Graph

5 Commits (6dbe93ec11205483529f43f6e956b6e79d5a2f78)

Author SHA1 Message Date
q3k a4f8a459b9 cluster: partial cert bump
Done:

 1. etcd peer CA & certs
 2. etcd client CA & certs
 3. kube CA (currently all components set to accept both new and old CA,
    new CA called ca-kube-new)
 4. kube apiserver
 5. kubelet & kube-proxy
 6. prodvider intermediate

TODO:

 1. kubernetes controller-manager & kubernetes scheduler
 2. kubefront CA
 3. admitomatic?
 4. undo bundle on kube CA components to fully transition away from old
    CA

Change-Id: If529eeaed9a6a2063bed23c9d81c57b36b9a0115
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1487
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
q3k 3c31f32307 cluster: bump prodvider certs
Change-Id: Ieefe3c733dd40a94c13a5e1c1648dd43d27c180a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1386
Reviewed-by: implr <implr@hackerspace.pl>
2022-09-10 15:46:39 +00:00
q3k 432fa30ded cluster/certs: bump ca-kube-prodivider
Redeployed.

Change-Id: I01110433f89df5595de0f9587508104d6091a774
2021-08-29 17:20:59 +00:00
patryk 8d069d8d1a cluster/certs: refresh prodvider CA
Change-Id: I35578fb62ddf10e7419c2c347e70322cf4ea0b6a
2020-09-01 22:02:52 +00:00
q3k b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00