prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.
Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.
In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.
We also update relevant documentation.
Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet
index ac4c965..212104d 100644
--- a/cluster/kube/lib/cockroachdb.libsonnet
+++ b/cluster/kube/lib/cockroachdb.libsonnet
@@ -36,6 +36,7 @@
local kube = import "../../../kube/kube.libsonnet";
local cm = import "cert-manager.libsonnet";
+local policies = import "../../../kube/policies.libsonnet";
{
Cluster(name): {
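Review bot: The commit message says nothing about cockroachdb.libsonnet, yet this hunk adds a new dependency on `../../../kube/policies.libsonnet` for it; please add a sentence to the message explaining why the CockroachDB library now needs the policies library, so the namespace-policy change is not hidden behind a prodaccess/prodvider title. The relative path matches the existing `kube.libsonnet` import, so the import itself looks consistent.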
@@ -70,6 +71,8 @@
[if cluster.cfg.ownNamespace then "ns"]: kube.Namespace(cluster.namespaceName),
},
+ insecurePolicy: policies.AllowNamespaceInsecure(cluster.namespaceName),
+
name(suffix):: if cluster.cfg.ownNamespace then suffix else name + "-" + suffix,
pki: {
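Review bot: `insecurePolicy: policies.AllowNamespaceInsecure(cluster.namespaceName)` is emitted unconditionally, whereas the namespace object one line above is guarded with `[if cluster.cfg.ownNamespace then "ns"]`. When `ownNamespace` is false, `cluster.namespaceName` points at a namespace this cluster does not own, and the object would relax the policy for everything else living there. Either gate it the same way, e.g. `[if cluster.cfg.ownNamespace then "insecurePolicy"]: policies.AllowNamespaceInsecure(cluster.namespaceName),`, or add a comment stating why CockroachDB must be exempted from the default policy even in a shared namespace.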