prod{access,vider}: implement Prodaccess/Prodvider allow issuing short-lived certificates for all SSO users to access the kubernetes cluster. Currently, all users get a personal-$username namespace in which they have adminitrative rights. Otherwise, they get no access. In addition, we define a static CRB to allow some admins access to everything. In the future, this will be more granular. We also update relevant documentation. Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153

commit: b13b7ffcdb3d37022d4cad4603b9bdacc6c54936 [log] [tgz]
author: Sergiusz Bazanski <q3k@hackerspace.pl> Thu Aug 29 20:12:24 2019 +0200
committer: Sergiusz Bazanski <q3k@hackerspace.pl> Fri Aug 30 23:08:18 2019 +0200
tree: fa2309b04edc36fe855f9e344dae4a91ef376add
parent: d16454badc639bcec7ab4b54e7fe6a897b6052af [diff] [blame]
diff --git a/cluster/prodvider/proto/prodvider.proto b/cluster/prodvider/proto/prodvider.proto
new file mode 100644
index 0000000..1ae2798
--- /dev/null
+++ b/cluster/prodvider/proto/prodvider.proto

@@ -0,0 +1,29 @@
+syntax = "proto3";
+package prodvider;
+option go_package = "code.hackerspace.pl/hscloud/cluster/prodvider/proto";
+
+message AuthenticateRequest {
+    string username = 1;
+    string password = 2;
+}
+
+message AuthenticateResponse {
+    enum Result {
+        RESULT_INVALID = 0;
+        RESULT_AUTHENTICATED = 1;
+        RESULT_INVALID_CREDENTIALS = 2;
+    }
+    Result result = 1;
+    KubernetesKeys kubernetes_keys = 2;
+}
+
+message KubernetesKeys {
+    string cluster = 1;
+    bytes ca = 2;
+    bytes cert = 3;
+    bytes key = 4;
+}
+
+service Prodvider {
+    rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
+}
commit	b13b7ffcdb3d37022d4cad4603b9bdacc6c54936	[log] [tgz]
author	Sergiusz Bazanski <q3k@hackerspace.pl>	Thu Aug 29 20:12:24 2019 +0200
committer	Sergiusz Bazanski <q3k@hackerspace.pl>	Fri Aug 30 23:08:18 2019 +0200
tree	fa2309b04edc36fe855f9e344dae4a91ef376add
parent	d16454badc639bcec7ab4b54e7fe6a897b6052af [diff] [blame]