prod{access,vider}: implement Prodaccess/Prodvider allow issuing short-lived certificates for all SSO users to access the kubernetes cluster. Currently, all users get a personal-$username namespace in which they have adminitrative rights. Otherwise, they get no access. In addition, we define a static CRB to allow some admins access to everything. In the future, this will be more granular. We also update relevant documentation. Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153

commit: b13b7ffcdb3d37022d4cad4603b9bdacc6c54936 [log] [tgz]
author: Sergiusz Bazanski <q3k@hackerspace.pl> Thu Aug 29 20:12:24 2019 +0200
committer: Sergiusz Bazanski <q3k@hackerspace.pl> Fri Aug 30 23:08:18 2019 +0200
tree: fa2309b04edc36fe855f9e344dae4a91ef376add
parent: d16454badc639bcec7ab4b54e7fe6a897b6052af [diff]
diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet
index ac4c965..212104d 100644
--- a/cluster/kube/lib/cockroachdb.libsonnet
+++ b/cluster/kube/lib/cockroachdb.libsonnet

@@ -36,6 +36,7 @@
 
 local kube = import "../../../kube/kube.libsonnet";
 local cm = import "cert-manager.libsonnet";
+local policies = import "../../../kube/policies.libsonnet";
 
 {
     Cluster(name): {
@@ -70,6 +71,8 @@
             [if cluster.cfg.ownNamespace then "ns"]: kube.Namespace(cluster.namespaceName),
         },
 
+        insecurePolicy: policies.AllowNamespaceInsecure(cluster.namespaceName),
+
         name(suffix):: if cluster.cfg.ownNamespace then suffix else name + "-" + suffix,
 
         pki: {

diff --git a/cluster/kube/lib/metallb.libsonnet b/cluster/kube/lib/metallb.libsonnet
index a56fc90..7f3d746 100644
--- a/cluster/kube/lib/metallb.libsonnet
+++ b/cluster/kube/lib/metallb.libsonnet

@@ -1,6 +1,7 @@
 # Deploy MetalLB
 
 local kube = import "../../../kube/kube.libsonnet";
+local policies = import "../../../kube/policies.libsonnet";
 
 local bindServiceAccountClusterRole(sa, cr) = kube.ClusterRoleBinding(cr.metadata.name) {
     roleRef: {
@@ -32,6 +33,8 @@
 
         ns: if cfg.namespaceCreate then kube.Namespace(cfg.namespace),
 
+        insecurePolicy: policies.AllowNamespaceInsecure(cfg.namespace),
+
         saController: kube.ServiceAccount("controller") {
             metadata+: {
                 namespace: cfg.namespace,

diff --git a/cluster/kube/lib/nginx.libsonnet b/cluster/kube/lib/nginx.libsonnet
index a871b96..ab7bbc2 100644
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet

@@ -1,6 +1,7 @@
 # Deploy a per-cluster Nginx Ingress Controller
 
 local kube = import "../../../kube/kube.libsonnet";
+local policies = import "../../../kube/policies.libsonnet";
 
 {
     Environment: {
@@ -21,6 +22,8 @@
 
         namespace: kube.Namespace(cfg.namespace),
 
+        allowInsecure: policies.AllowNamespaceInsecure(cfg.namespace),
+
         maps: {
             make(name):: kube.ConfigMap(name) {
                 metadata+: env.metadata,

diff --git a/cluster/kube/lib/prodvider.libsonnet b/cluster/kube/lib/prodvider.libsonnet
new file mode 100644
index 0000000..5b75c79
--- /dev/null
+++ b/cluster/kube/lib/prodvider.libsonnet

@@ -0,0 +1,85 @@
+# Deploy prodvider (prodaccess server) in cluster.
+
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+    Environment: {
+        local env = self,
+        local cfg = env.cfg,
+
+        cfg:: {
+            namespace: "prodvider",
+            image: "registry.k0.hswaw.net/cluster/prodvider:1567199084-2e1c08fa7a41faac2ef3f79a1bb82f8841a68016",
+
+            pki: {
+                intermediate: {
+                    cert: importstr "../../certs/ca-kube-prodvider.cert",
+                    key: importstr "../../secrets/plain/ca-kube-prodvider.key",
+                },
+                kube: {
+                    cert: importstr "../../certs/ca-kube.crt",
+                },
+            }
+        },
+
+        namespace: kube.Namespace(cfg.namespace),
+
+        metadata(component):: {
+            namespace: cfg.namespace,
+            labels: {
+                "app.kubernetes.io/name": "prodvider",
+                "app.kubernetes.io/managed-by": "kubecfg",
+                "app.kubernetes.io/component": component,
+            },
+        },
+
+        secret: kube.Secret("ca") {
+            metadata+: env.metadata("prodvider"),
+            data_: {
+                "intermediate-ca.crt": cfg.pki.intermediate.cert,
+                "intermediate-ca.key": cfg.pki.intermediate.key,
+                "ca.crt": cfg.pki.kube.cert,
+            },
+        },
+
+        deployment: kube.Deployment("prodvider") {
+            metadata+: env.metadata("prodvider"),
+            spec+: {
+                replicas: 3,
+                template+: {
+                    spec+: {
+                        volumes_: {
+                            ca: kube.SecretVolume(env.secret),
+                        },
+                        containers_: {
+                            prodvider: kube.Container("prodvider") {
+                                image: cfg.image,
+                                args: [
+                                    "/cluster/prodvider/prodvider",
+                                    "-listen_address", "0.0.0.0:8080",
+                                    "-ca_key_path", "/opt/ca/intermediate-ca.key",
+                                    "-ca_certificate_path", "/opt/ca/intermediate-ca.crt",
+                                    "-kube_ca_certificate_path", "/opt/ca/ca.crt",
+                                ],
+                                volumeMounts_: {
+                                    ca: { mountPath: "/opt/ca" },
+                                }
+                            },
+                        },
+                    },
+                },
+            },
+        },
+
+        svc: kube.Service("prodvider") {
+            metadata+: env.metadata("prodvider"),
+            target_pod:: env.deployment.spec.template,
+            spec+: {
+                type: "LoadBalancer",
+                ports: [
+                    { name: "public", port: 443, targetPort: 8080, protocol: "TCP" },
+                ],
+            },
+        },
+    },
+}

diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index 1ce022d..a791acf 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet

@@ -152,11 +152,12 @@
                     },
                     local data = self,
                     pushers:: [
-                            { who: ["q3k", "inf"], what: "vms/*" },
-                            { who: ["q3k", "inf"], what: "app/*" },
-                            { who: ["q3k", "inf"], what: "go/svc/*" },
+                            { who: ["q3k", "informatic"], what: "vms/*" },
+                            { who: ["q3k", "informatic"], what: "app/*" },
+                            { who: ["q3k", "informatic"], what: "go/svc/*" },
                             { who: ["q3k"], what: "bgpwtf/*" },
                             { who: ["q3k"], what: "devtools/*" },
+                            { who: ["q3k", "informatic"], what: "cluster/*" },
                     ],
                     acl: [
                         {
commit	b13b7ffcdb3d37022d4cad4603b9bdacc6c54936	[log] [tgz]
author	Sergiusz Bazanski <q3k@hackerspace.pl>	Thu Aug 29 20:12:24 2019 +0200
committer	Sergiusz Bazanski <q3k@hackerspace.pl>	Fri Aug 30 23:08:18 2019 +0200
tree	fa2309b04edc36fe855f9e344dae4a91ef376add
parent	d16454badc639bcec7ab4b54e7fe6a897b6052af [diff]