prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the Kubernetes cluster.
Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.
In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.
We also update relevant documentation.
Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/prodvider/proto/prodvider.proto b/cluster/prodvider/proto/prodvider.proto
new file mode 100644
index 0000000..1ae2798
--- /dev/null
+++ b/cluster/prodvider/proto/prodvider.proto
@@ -0,0 +1,29 @@
+syntax = "proto3";
+package prodvider;
+option go_package = "code.hackerspace.pl/hscloud/cluster/prodvider/proto";
+
+message AuthenticateRequest {
+ string username = 1;
+ string password = 2;
+}
+
+message AuthenticateResponse {
+ enum Result {
+ RESULT_INVALID = 0;
+ RESULT_AUTHENTICATED = 1;
+ RESULT_INVALID_CREDENTIALS = 2;
+ }
+ Result result = 1;
+ KubernetesKeys kubernetes_keys = 2;
+}
+
+message KubernetesKeys {
+ string cluster = 1;
+ bytes ca = 2;
+ bytes cert = 3;
+ bytes key = 4;
+}
+
+service Prodvider {
+ rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
+}
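Review bot: In KubernetesKeys, `bytes key = 4;` puts the private key in AuthenticateResponse, so it is produced on the prodvider side and crosses the wire. Consider having AuthenticateRequest carry a client-generated public key or CSR instead, so that only `ca` and `cert` need to be returned. The file also has no comments: please document whether `ca`, `cert` and `key` are PEM or DER encoded, what `cluster` contains, and that this RPC is expected to run only over an authenticated TLS channel, since `string password = 2;` is sent as a plain field. Keeping `RESULT_INVALID = 0` as the zero value is a good choice, as an unset result can never read as authenticated.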