feat(k3s-baseline): complete WP-0002 T01-T05

- bootstrap.yml: install k3s (server+cluster-init, pinned v1.35.1+k3s1) and Helm (v3.17.3 with checksum verify); fetch kubeconfig to control node - tests/smoke_kube.sh: assert node Ready, helm, CoreDNS, Traefik - docs/kubeconfig.md: usage, merge, context-switch, security note - Makefile: k3s-install and smoke targets with make help Closes T01, T02, T03, T04, T05 of RAIL-BS-WP-0002. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 09:43:16 +00:00
parent fb6618e9ab
commit 901535ca44
3 changed files with 103 additions and 3 deletions
--- a/docs/kubeconfig.md
+++ b/docs/kubeconfig.md
@@ -0,0 +1,44 @@
+# Kubeconfig — HostEurope cluster
+
+## Where it lives
+
+After running `make k3s-install`, the bootstrap playbook fetches the kubeconfig
+from the HostEurope node to:
+
+```
+~/.kube/config-hosteurope
+```
+
+This file is gitignored (contains the cluster CA and client certificate) and
+must never be committed.
+
+## Using it directly
+
+```bash
+export KUBECONFIG=~/.kube/config-hosteurope
+kubectl get nodes
+```
+
+## Merging into ~/.kube/config
+
+```bash
+KUBECONFIG=~/.kube/config:~/.kube/config-hosteurope \
+  kubectl config view --flatten > /tmp/merged-config
+mv /tmp/merged-config ~/.kube/config
+chmod 600 ~/.kube/config
+```
+
+## Switching context
+
+```bash
+kubectl config get-contexts
+kubectl config use-context default   # or the context name shown above
+```
+
+## Security note
+
+The kubeconfig grants full cluster-admin access. Keep it on the control node
+only. Do not share or commit it. The server address inside the file is
+`127.0.0.1` (k3s default) — if you need to reach the cluster remotely you
+will need to either replace the address with the node's actual IP, or use an
+SSH tunnel.