From ee6d7b149eb055e3c4a1548816f28405c8ab6e67 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 20 Mar 2026 23:43:17 +0100 Subject: [PATCH] new workplan --- .../RAIL-BS-WP-0005-kubeconfig-delivery.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md diff --git a/workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md b/workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md new file mode 100644 index 0000000..3090860 --- /dev/null +++ b/workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md 
@@ -0,0 +1,143 @@ +--- +id: RAIL-BS-WP-0005 +type: workplan +title: "Kubeconfig delivery for netkingdom SSO/MFA stack apply" +domain: railiance +repo: railiance-cluster +status: done +owner: railiance-worker +topic_slug: railiance +capability_request_id: "34b97d89-e80a-42ae-a623-a9185e5b17f5" +created: "2026-03-20" +updated: "2026-03-20" +state_hub_workstream_id: "b236de41-2f33-4ebc-bb84-5fcedb2982f8" +--- + +# RAIL-BS-WP-0005 — Kubeconfig delivery for netkingdom SSO/MFA stack apply + +**Scope:** Fulfil capability request 34b97d89 — deliver a working local kubeconfig so +the netkingdom SSO/MFA workstream (NK-WP-0001) can apply manifests (T02–T08) against +the existing K3s cluster on HostEurope (92.205.130.254). + +**Context:** +- Cluster is healthy: one node `Ready`, k3s v1.30.3, 200 days uptime. +- K3s API listens on `*:6443` (all interfaces); UFW is inactive — direct public access works. +- The in-cluster kubeconfig uses `server: https://127.0.0.1:6443`; must be rewritten + to `https://92.205.130.254:6443` for off-server use. +- No ops-bridge tunnel needed for kubectl (API is directly reachable). +- Wrong catalog entry was filed (PostgreSQL HA instead of k3s provisioning) — noted, + no API endpoint to correct it retroactively; document here. + +**Depends on:** RAIL-BS-WP-0002 (k3s-kubernetes-baseline) ✓ completed +**Unblocks:** NK-WP-0001 T02–T08 (SSO/MFA stack apply) + +--- + +## Task: Extract kubeconfig from HostEurope server + +```task +id: RAIL-BS-WP-0005-T01 +status: done +priority: high +state_hub_task_id: "c59a8e0c-e1fd-4cfd-aa5e-7cbb895609f0" +``` + +```bash +ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \ + "sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml +``` + +Verify file is non-empty and contains a valid YAML kubeconfig. 
+ +--- + +## Task: Rewrite server address and install kubeconfig + +```task +id: RAIL-BS-WP-0005-T02 +status: done +priority: high +state_hub_task_id: "93d61bc6-47e7-442f-8611-97f5f2f208c4" +``` + +Replace `127.0.0.1` with `92.205.130.254` in the kubeconfig; place at +`~/.kube/config` (create `~/.kube/` if absent). Back up any existing config first. + +```bash +mkdir -p ~/.kube +# back up existing if present +[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.bak.$(date +%Y%m%d) +# rewrite server and install +sed 's|https://127.0.0.1:6443|https://92.205.130.254:6443|g' /tmp/k3s-raw.yaml \ + > ~/.kube/config +chmod 600 ~/.kube/config +``` + +--- + +## Task: Smoke-test kubectl from local machine + +```task +id: RAIL-BS-WP-0005-T03 +status: done +priority: high +state_hub_task_id: "f15626c2-73a0-443f-8aae-5515806ae0fa" +``` + +```bash +kubectl get nodes +kubectl get pods -A +``` + +Expected: node `254.130.205.92.host.secureserver.net` in `Ready` state. +If unreachable, check firewall on server: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status"`. + +--- + +## Task: Resolve capability request + +```task +id: RAIL-BS-WP-0005-T04 +status: done +priority: high +state_hub_task_id: "8109450c-95df-4d01-96fd-8847c88beb34" +``` + +Patch capability request 34b97d89 to `completed` with a resolution note: + +```bash +curl -s -X PATCH "http://127.0.0.1:8000/capability-requests/34b97d89-e80a-42ae-a623-a9185e5b17f5/status" \ + -H "Content-Type: application/json" \ + -d '{ + "status": "completed", + "note": "Kubeconfig delivered to ~/.kube/config (server: 92.205.130.254:6443). kubectl smoke-test passed. NK-WP-0001 T02-T08 can proceed. Note: wrong catalog_entry_id filed (PostgreSQL HA eca6e5cc instead of k3s provisioning 9520cc98) — no retroactive API to correct." 
+ }' +``` + +--- + +## Task: Register UFW-inactive finding as technical debt + +```task +id: RAIL-BS-WP-0005-T05 +status: done +priority: medium +state_hub_task_id: "ea120464-fdeb-4259-99e1-e6743cd86797" +``` + +UFW is inactive on 92.205.130.254 — K3s API port 6443 is exposed to the internet, +protected only by TLS mutual auth. Register as TD item in state-hub so it gets +addressed in a future railiance-cluster security hardening workplan. + +```bash +curl -s -X POST "http://127.0.0.1:8000/technical-debt/" \ + -H "Content-Type: application/json" \ + -d '{ + "domain": "railiance", + "debt_type": "security", + "severity": "medium", + "title": "UFW inactive on HostEurope K3s node — API port 6443 exposed to internet", + "description": "UFW is inactive on 92.205.130.254. K3s API (port 6443) is reachable from anywhere, protected only by TLS client certificates. Should be restricted to known IPs or tunnelled. Discovered 2026-03-20 during kubeconfig delivery workplan.", + "status": "open" + }' +```
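Review bot: T01 and T02 leave the cluster's admin credential lying in a world-readable temp file. `/etc/rancher/k3s/k3s.yaml` embeds the client certificate and private key for the built-in admin user (group `system:masters`), and `ssh ... "sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml` creates that file under the local user's default umask (typically 0644) in a shared directory; T02 then `chmod 600`s only `~/.kube/config` and never removes `/tmp/k3s-raw.yaml`, so a cluster-admin keypair stays readable by every local account after the workplan is marked done. Suggest either piping the `sed` rewrite directly from the ssh output into `~/.kube/config` (no temp file), or setting `umask 077` before the redirect and ending T02 with `rm -f /tmp/k3s-raw.yaml`. Related and worth a line in the workplan: what is being delivered to NK-WP-0001 is the full admin kubeconfig, while the stated need is to apply manifests for one workstream; a dedicated ServiceAccount or client certificate bound by RBAC to the namespaces that stack uses would limit the blast radius of the credential now sitting in `~/.kube/config` on a machine reaching the API over the public endpoint that T05 itself records as exposed.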