version 1 release

namespace/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

namespace/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: namespace
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0

namespace/README.md

@@ -0,0 +1,211 @@
+# Project Userspace
+
+## One provisioner to rule them all
+
+### Quickstart
+
+1. Start Docker
+2. Run createprojectspace.sh
+
+```bash
+./createprojectspace.sh <server_fqdn> <username>
+```
+
+### Update a user
+
+```bash
+export USER=user
+helm template $USER ./namespace | kubectl --context admin apply -f -
+```
+
+### Objectives
+
+1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart
+2. Create an easy way for users to sign their certificates
+3. Create a cleanup script without deleting user data
+4. profit
+
+### Userspace
+
+#### Namespace
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Name }}
+```
+
+#### Roles
+
+```yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: namespace-manager
+  namespace: {{ .Release.Name }}
+rules:
+- apiGroups:
+    - ""
+    - extensions
+    - apps
+    - batch
+    - autoscaling
+    - networking.k8s.io
+    - traefik.containo.us
+    - rbac.authorization.k8s.io
+    - metrics.k8s.io
+  resources: 
+    - deployments
+    - replicasets
+    - pods
+    - pods/exec
+    - pods/log
+    - pods/attach
+    - daemonsets
+    - statefulsets
+    - replicationcontrollers
+    - horizontalpodautoscalers
+    - services
+    - ingresses
+    - persistentvolumeclaims
+    - jobs
+    - cronjobs
+    - secrets
+    - configmaps
+    - serviceaccounts
+    - rolebindings
+    - ingressroutes
+    - middlewares
+    - endpoints
+  verbs: 
+    - "*"
+- apiGroups:
+    - ""
+    - metrics.k8s.io
+    - rbac.authorization.k8s.io
+  resources:
+    - resourcequotas
+    - roles
+  verbs:
+    - list
+```
+
+#### Rolebinding
+
+```yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  namespace: {{ .Release.Name }}
+  name: namespace-manager
+subjects:
+- kind: User
+  name: {{ .Release.Name }}
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: namespace-manager
+  apiGroup: ""
+```
+
+### Create a kubernetes certsigner pod
+
+This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod
+
+#### Create the certsigner secret
+
+```bash
+kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
+```
+
+#### Set up the certsigner pod
+
+```bash
+kubectl --context admin apply -f certsigner
+```
+
+#### Generate a cert
+
+```bash
+export USER=<user>
+docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+```
+
+#### Create a new Userspace
+
+```bash
+helm template $USER ./namespace | kubectl --context admin apply -f -
+```
+
+#### Sign the cert
+
+```bash
+export USER=<user>
+kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr
+kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000
+kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt
+```
+
+#### Add to the config
+
+```bash
+kubectl config set-credentials $USER --client-certificate=$USER.crt  --client-key=$USER.key
+kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
+```
+
+#### Delete
+
+```bash
+kubectl config delete-context $USER
+helm template $USER ./namespace | kubectl --context admin delete -f -
+```
+
+### Signing a user cert - detailed notes
+
+NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.*
+
+```bash
+# First we create the credentials
+# /CN=<username> - the user
+# /O=<group> - the group
+
+# Navigate to the user directory
+export USER=<username>
+cd $USER
+
+# Generate a private key
+openssl genrsa -out $USER.key 2048
+# Check the key
+# openssl pkey -in ca.key -noout -text
+# Generate and send me the CSR
+# The "user" group is my default group
+openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
+
+# Check the CSR
+# openssl req -in $USER.csr -noout -text
+# If satisfactory, sign the CSR
+# Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key
+openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000
+# Review the certificate
+# openssl x509 -in $USER.crt -text -noout
+
+# Send back the crt
+# cp $USER.crt $USER.key ../server-ca.crt ~/.kube/
+kubectl config set-credentials $USER --client-certificate=$USER.crt  --client-key=$USER.key
+kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
+
+# Now we create the namespace, rolebindings, and resource quotas
+# kubectl apply -f k8s/
+
+# Add the cluster
+# CA file can be found at https://3.14.3.100:6443/cacerts
+- cluster:
+    certificate-authority: server-ca.crt
+    server: https://3.14.3.100:6443
+  name: mainframe
+
+# Test if everything worked
+kubectl --context=$USER-context get pods
+```

namespace/app-readme.md

@@ -0,0 +1,3 @@
+# Namespace
+
+Makes a namespace. Good Stuff.

namespace/questions.yaml

@@ -0,0 +1,37 @@
+groups:
+  - name: "Container Images"
+    description: "Image to be used for container"
+questions:
+  - variable: image
+    description: "Docker Image Details"
+    group: "Container Images"
+    label: "Docker Image"
+    schema:
+      type: dict
+      required: true
+      attrs:
+        - variable: repository
+          description: "Docker image repository"
+          label: "Image repository"
+          schema:
+            type: string
+            required: true
+        - variable: tag
+          description: "Tag to use for specified image"
+          label: "Image Tag"
+          schema:
+            type: string
+            default: "latest"
+        - variable: pullPolicy
+          description: "Docker Image Pull Policy"
+          label: "Image Pull Policy"
+          schema:
+            type: string
+            default: "IfNotPresent"
+            enum:
+              - value: "IfNotPresent"
+                description: "Only pull image if not present on host"
+              - value: "Always"
+                description: "Always pull image even if present on host"
+              - value: "Never"
+                description: "Never pull image even if it's not present on host"

namespace/templates/clusterrole.yaml

@@ -0,0 +1,12 @@
+# kind: ClusterRole
+# apiVersion: rbac.authorization.k8s.io/v1
+# metadata:
+#   name: user-readonly
+# rules:
+# - apiGroups:
+#     - rbac.authorization.k8s.io
+#   resources: 
+#     - clusterroles
+#   verbs: 
+#     - list
+#     - watch

namespace/templates/limitrange.yaml

@@ -0,0 +1,14 @@
+# apiVersion: v1
+# kind: LimitRange
+# metadata:
+#   name: default
+#   namespace: {{ .Release.Name }}
+# spec:
+#   limits:
+#   - default:
+#       memory: 128Mi
+#       cpu: 100m
+#     defaultRequest:
+#       memory: 1Mi
+#       cpu: 1m
+#     type: Container

namespace/templates/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Name }}

namespace/templates/resourcequota.yaml

@@ -0,0 +1,11 @@
+# apiVersion: v1
+# kind: ResourceQuota
+# metadata:
+#   name: default
+#   namespace: {{ .Release.Name }}
+# spec:
+#   hard:
+#     requests.cpu: "6"
+#     requests.memory: "6Gi"
+#     limits.cpu: "24"
+#     limits.memory: "20Gi"

namespace/templates/role.yaml

@@ -0,0 +1,105 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: namespace-manager
+  namespace: {{ .Release.Name }}
+rules:
+- apiGroups:
+    - ""
+    - extensions
+    - apps
+    - batch
+    - autoscaling
+    - networking.k8s.io
+    - traefik.containo.us
+    - rbac.authorization.k8s.io
+    - metrics.k8s.io
+    - policy
+    - cert-manager.io
+  resources: 
+    - deployments
+    - replicasets
+    - pods
+    - pods/exec
+    - pods/log
+    - pods/attach
+    - daemonsets
+    - statefulsets
+    - replicationcontrollers
+    - horizontalpodautoscalers
+    - services
+    - ingresses
+    - persistentvolumeclaims
+    - jobs
+    - cronjobs
+    - secrets
+    - configmaps
+    - serviceaccounts
+    - rolebindings
+    - ingressroutes
+    - middlewares
+    - endpoints
+    - deployments/scale
+    - poddisruptionbudgets
+    - certificates
+    - roles
+  verbs: 
+    - "*"
+- apiGroups:
+    - ""
+    - metrics.k8s.io
+    - rbac.authorization.k8s.io
+    - policy
+  resources:
+    - resourcequotas
+    - roles
+  verbs:
+    - list
+    - get
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: namespace-readonly
+  namespace: {{ .Release.Name }}
+rules:
+- apiGroups:
+    - ""
+    - extensions
+    - apps
+    - batch
+    - autoscaling
+    - networking.k8s.io
+    - traefik.containo.us
+    - rbac.authorization.k8s.io
+    - metrics.k8s.io
+    - storage.k8s.io
+  resources: 
+    - deployments
+    - replicasets
+    - pods
+    - pods/exec
+    - pods/log
+    - pods/attach
+    - daemonsets
+    - statefulsets
+    - replicationcontrollers
+    - horizontalpodautoscalers
+    - services
+    - ingresses
+    - persistentvolumeclaims
+    - jobs
+    - cronjobs
+    - secrets
+    - configmaps
+    - serviceaccounts
+    - rolebindings
+    - ingressroutes
+    - middlewares
+    - resourcequotas
+    - roles
+    - endpoints
+    - clusterroles
+  verbs: 
+    - list
+    - watch

namespace/templates/rolebinding.yaml

@@ -0,0 +1,26 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: namespace-manager
+  namespace: {{ .Release.Name }}
+subjects:
+- kind: User
+  name: {{ .Values.user }}
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: namespace-manager
+  apiGroup: ""
+# ---
+# kind: ClusterRoleBinding
+# apiVersion: rbac.authorization.k8s.io/v1
+# metadata:
+#   name: user-readonly
+# subjects:
+# - kind: User
+#   name: {{ .Values.user }}
+#   apiGroup: ""
+# roleRef:
+#   kind: ClusterRole
+#   name: user-readonly
+#   apiGroup: ""

namespace/values.yaml

@@ -0,0 +1 @@
+user: admin