coulomb/railiance-cluster
2
0
Fork 0
Code Issues Pull Requests Actions 2 Projects Releases Wiki Activity

new workplan
Some checks failed
railiance-tests / smoke (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Bernd Worsch
2026-03-20 23:43:17 +01:00
parent a747445790
commit ee6d7b149e
1 changed files with 143 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

143
workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md Normal file
View File

@@ -0,0 +1,143 @@
---
id: RAIL-BS-WP-0005
type: workplan
title: "Kubeconfig delivery for netkingdom SSO/MFA stack apply"
domain: railiance
repo: railiance-cluster
status: done
owner: railiance-worker
topic_slug: railiance
capability_request_id: "34b97d89-e80a-42ae-a623-a9185e5b17f5"
created: "2026-03-20"
updated: "2026-03-20"
state_hub_workstream_id: "b236de41-2f33-4ebc-bb84-5fcedb2982f8"
---
# RAIL-BS-WP-0005 — Kubeconfig delivery for netkingdom SSO/MFA stack apply
**Scope:** Fulfil capability request 34b97d89 — deliver a working local kubeconfig so
the netkingdom SSO/MFA workstream (NK-WP-0001) can apply manifests (T02T08) against
the existing K3s cluster on HostEurope (92.205.130.254).
**Context:**
- Cluster is healthy: one node `Ready`, k3s v1.30.3, 200 days uptime.
- K3s API listens on `*:6443` (all interfaces); UFW is inactive — direct public access works.
- The in-cluster kubeconfig uses `server: https://127.0.0.1:6443`; must be rewritten
to `https://92.205.130.254:6443` for off-server use.
- No ops-bridge tunnel needed for kubectl (API is directly reachable).
- Wrong catalog entry was filed (PostgreSQL HA instead of k3s provisioning) — noted,
no API endpoint to correct it retroactively; document here.
**Depends on:** RAIL-BS-WP-0002 (k3s-kubernetes-baseline) ✓ completed
**Unblocks:** NK-WP-0001 T02T08 (SSO/MFA stack apply)
---
## Task: Extract kubeconfig from HostEurope server
```task
id: RAIL-BS-WP-0005-T01
status: done
priority: high
state_hub_task_id: "c59a8e0c-e1fd-4cfd-aa5e-7cbb895609f0"
```
```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
"sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml
```
Verify file is non-empty and contains a valid YAML kubeconfig.
---
## Task: Rewrite server address and install kubeconfig
```task
id: RAIL-BS-WP-0005-T02
status: done
priority: high
state_hub_task_id: "93d61bc6-47e7-442f-8611-97f5f2f208c4"
```
Replace `127.0.0.1` with `92.205.130.254` in the kubeconfig; place at
`~/.kube/config` (create `~/.kube/` if absent). Back up any existing config first.
```bash
mkdir -p ~/.kube
# back up existing if present
[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.bak.$(date +%Y%m%d)
# rewrite server and install
sed 's|https://127.0.0.1:6443|https://92.205.130.254:6443|g' /tmp/k3s-raw.yaml \
> ~/.kube/config
chmod 600 ~/.kube/config
```
---
## Task: Smoke-test kubectl from local machine
```task
id: RAIL-BS-WP-0005-T03
status: done
priority: high
state_hub_task_id: "f15626c2-73a0-443f-8aae-5515806ae0fa"
```
```bash
kubectl get nodes
kubectl get pods -A
```
Expected: node `254.130.205.92.host.secureserver.net` in `Ready` state.
If unreachable, check firewall on server: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status"`.
---
## Task: Resolve capability request
```task
id: RAIL-BS-WP-0005-T04
status: done
priority: high
state_hub_task_id: "8109450c-95df-4d01-96fd-8847c88beb34"
```
Patch capability request 34b97d89 to `completed` with a resolution note:
```bash
curl -s -X PATCH "http://127.0.0.1:8000/capability-requests/34b97d89-e80a-42ae-a623-a9185e5b17f5/status" \
-H "Content-Type: application/json" \
-d '{
"status": "completed",
"note": "Kubeconfig delivered to ~/.kube/config (server: 92.205.130.254:6443). kubectl smoke-test passed. NK-WP-0001 T02-T08 can proceed. Note: wrong catalog_entry_id filed (PostgreSQL HA eca6e5cc instead of k3s provisioning 9520cc98) — no retroactive API to correct."
}'
```
---
## Task: Register UFW-inactive finding as technical debt
```task
id: RAIL-BS-WP-0005-T05
status: done
priority: medium
state_hub_task_id: "ea120464-fdeb-4259-99e1-e6743cd86797"
```
UFW is inactive on 92.205.130.254 — K3s API port 6443 is exposed to the internet,
protected only by TLS mutual auth. Register as TD item in state-hub so it gets
addressed in a future railiance-cluster security hardening workplan.
```bash
curl -s -X POST "http://127.0.0.1:8000/technical-debt/" \
-H "Content-Type: application/json" \
-d '{
"domain": "railiance",
"debt_type": "security",
"severity": "medium",
"title": "UFW inactive on HostEurope K3s node — API port 6443 exposed to internet",
"description": "UFW is inactive on 92.205.130.254. K3s API (port 6443) is reachable from anywhere, protected only by TLS client certificates. Should be restricted to known IPs or tunnelled. Discovered 2026-03-20 during kubeconfig delivery workplan.",
"status": "open"
}'
```