commit b13b7ffcdb3d37022d4cad4603b9bdacc6c54936
author Sergiusz Bazanski <q3k@hackerspace.pl> Thu Aug 29 20:12:24 2019 +0200
committer Sergiusz Bazanski <q3k@hackerspace.pl> Fri Aug 30 23:08:18 2019 +0200
tree fa2309b04edc36fe855f9e344dae4a91ef376add
parent d16454badc639bcec7ab4b54e7fe6a897b6052af

prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153

cluster/prodvider/BUILD.bazel

diff --git a/cluster/prodvider/BUILD.bazel b/cluster/prodvider/BUILD.bazel
new file mode 100644
index 0000000..14690b7
--- /dev/null
+++ b/cluster/prodvider/BUILD.bazel
@@ -0,0 +1,64 @@
+load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_layer", "container_push")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "certs.go",
+        "kubernetes.go",
+        "main.go",
+        "service.go",
+    ],
+    importpath = "code.hackerspace.pl/hscloud/cluster/prodvider",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//cluster/prodvider/proto:go_default_library",
+        "@com_github_cloudflare_cfssl//config:go_default_library",
+        "@com_github_cloudflare_cfssl//csr:go_default_library",
+        "@com_github_cloudflare_cfssl//signer:go_default_library",
+        "@com_github_cloudflare_cfssl//signer/local:go_default_library",
+        "@com_github_golang_glog//:go_default_library",
+        "@in_gopkg_ldap_v3//:go_default_library",
+        "@io_k8s_api//core/v1:go_default_library",
+        "@io_k8s_api//rbac/v1:go_default_library",
+        "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
+        "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
+        "@io_k8s_client_go//rest:go_default_library",
+        "@org_golang_google_grpc//:go_default_library",
+        "@org_golang_google_grpc//codes:go_default_library",
+        "@org_golang_google_grpc//credentials:go_default_library",
+        "@org_golang_google_grpc//status:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "prodvider",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)
+
+container_layer(
+    name = "layer_bin",
+    files = [
+        ":prodvider",
+    ],
+    directory = "/cluster/prodvider/",
+)
+
+container_image(
+    name = "runtime",
+    base = "@prodimage-bionic//image",
+    layers = [
+        ":layer_bin",
+    ],
+)
+
+container_push(
+    name = "push",
+    image = ":runtime",
+    format = "Docker",
+    registry = "registry.k0.hswaw.net",
+    repository = "cluster/prodvider",
+    tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
+)