prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet
index ac4c965..212104d 100644
--- a/cluster/kube/lib/cockroachdb.libsonnet
+++ b/cluster/kube/lib/cockroachdb.libsonnet
@@ -36,6 +36,7 @@
 
 local kube = import "../../../kube/kube.libsonnet";
 local cm = import "cert-manager.libsonnet";
+local policies = import "../../../kube/policies.libsonnet";
 
 {
     Cluster(name): {
@@ -70,6 +71,8 @@
             [if cluster.cfg.ownNamespace then "ns"]: kube.Namespace(cluster.namespaceName),
         },
 
+        insecurePolicy: policies.AllowNamespaceInsecure(cluster.namespaceName),
+
         name(suffix):: if cluster.cfg.ownNamespace then suffix else name + "-" + suffix,
 
         pki: {
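Review bot: the added `insecurePolicy: policies.AllowNamespaceInsecure(cluster.namespaceName)` is keyed on the namespace rather than on this cluster's own workloads, and neither the hunk nor the commit message says why CockroachDB needs it. When `cluster.cfg.ownNamespace` is false the cluster is deployed into a shared namespace (the `name(suffix)` line just below prefixes object names for exactly that case), so whatever this policy relaxes, judging by its name, would also apply to everything else running there. Consider emitting it only when `ownNamespace` is true, or using a narrower binding if policies.libsonnet offers one, and add a comment above the field stating which insecure capability the database pods actually require.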