prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.
Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.
In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.
We also update relevant documentation.
Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/kube/lib/prodvider.libsonnet b/cluster/kube/lib/prodvider.libsonnet
new file mode 100644
index 0000000..5b75c79
--- /dev/null
+++ b/cluster/kube/lib/prodvider.libsonnet
@@ -0,0 +1,85 @@
+# Deploy prodvider (prodaccess server) in cluster.
+
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+ Environment: {
+ local env = self,
+ local cfg = env.cfg,
+
+ cfg:: {
+ namespace: "prodvider",
+ image: "registry.k0.hswaw.net/cluster/prodvider:1567199084-2e1c08fa7a41faac2ef3f79a1bb82f8841a68016",
+
+ pki: {
+ intermediate: {
+ cert: importstr "../../certs/ca-kube-prodvider.cert",
+ key: importstr "../../secrets/plain/ca-kube-prodvider.key",
+ },
+ kube: {
+ cert: importstr "../../certs/ca-kube.crt",
+ },
+ }
+ },
+
+ namespace: kube.Namespace(cfg.namespace),
+
+ metadata(component):: {
+ namespace: cfg.namespace,
+ labels: {
+ "app.kubernetes.io/name": "prodvider",
+ "app.kubernetes.io/managed-by": "kubecfg",
+ "app.kubernetes.io/component": component,
+ },
+ },
+
+ secret: kube.Secret("ca") {
+ metadata+: env.metadata("prodvider"),
+ data_: {
+ "intermediate-ca.crt": cfg.pki.intermediate.cert,
+ "intermediate-ca.key": cfg.pki.intermediate.key,
+ "ca.crt": cfg.pki.kube.cert,
+ },
+ },
+
+ deployment: kube.Deployment("prodvider") {
+ metadata+: env.metadata("prodvider"),
+ spec+: {
+ replicas: 3,
+ template+: {
+ spec+: {
+ volumes_: {
+ ca: kube.SecretVolume(env.secret),
+ },
+ containers_: {
+ prodvider: kube.Container("prodvider") {
+ image: cfg.image,
+ args: [
+ "/cluster/prodvider/prodvider",
+ "-listen_address", "0.0.0.0:8080",
+ "-ca_key_path", "/opt/ca/intermediate-ca.key",
+ "-ca_certificate_path", "/opt/ca/intermediate-ca.crt",
+ "-kube_ca_certificate_path", "/opt/ca/ca.crt",
+ ],
+ volumeMounts_: {
+ ca: { mountPath: "/opt/ca" },
+ }
+ },
+ },
+ },
+ },
+ },
+ },
+
+ svc: kube.Service("prodvider") {
+ metadata+: env.metadata("prodvider"),
+ target_pod:: env.deployment.spec.template,
+ spec+: {
+ type: "LoadBalancer",
+ ports: [
+ { name: "public", port: 443, targetPort: 8080, protocol: "TCP" },
+ ],
+ },
+ },
+ },
+}
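Review bot: The Service maps port 443 to container port 8080, but the container is started with only `-listen_address 0.0.0.0:8080` and no server-certificate or key flag, so unless prodvider obtains a TLS certificate by some means not visible here, the SSO credentials it accepts and the client key material it returns would cross the LoadBalancer in plaintext. Because this same pod mounts the intermediate CA key that signs every issued certificate, the pod template should also carry a restrictive `securityContext` (e.g. `runAsNonRoot: true`, `readOnlyRootFilesystem: true`) and the secret mount should be read-only, `ca: { mountPath: "/opt/ca", readOnly: true },`. A comment above `svc` stating where TLS terminates, such as `# NOTE: 443 -> 8080; confirm prodvider terminates TLS itself, no server cert is configured here`, would let the next reader verify the assumption. Note also that `importstr "../../secrets/plain/ca-kube-prodvider.key"` embeds the CA private key into the rendered manifest, so any rendered output of this file (kubecfg show, CI logs) must be treated as secret material.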