---
id: RAIL-BS-WP-0005
type: workplan
title: "Kubeconfig delivery for netkingdom SSO/MFA stack apply"
domain: railiance
repo: railiance-cluster
status: done
owner: railiance-worker
topic_slug: railiance
capability_request_id: "34b97d89-e80a-42ae-a623-a9185e5b17f5"
created: "2026-03-20"
updated: "2026-03-20"
state_hub_workstream_id: "b236de41-2f33-4ebc-bb84-5fcedb2982f8"
---

# RAIL-BS-WP-0005 — Kubeconfig delivery for netkingdom SSO/MFA stack apply

**Scope:** Fulfil capability request 34b97d89 — deliver a working local kubeconfig so the netkingdom SSO/MFA workstream (NK-WP-0001) can apply manifests (T02–T08) against the existing K3s cluster on HostEurope (92.205.130.254).

**Context:**

- Cluster is healthy: one node `Ready`, k3s v1.30.3, 200 days uptime.
- K3s API listens on `*:6443` (all interfaces); UFW is inactive — direct public access works.
- The in-cluster kubeconfig uses `server: https://127.0.0.1:6443`; it must be rewritten to `https://92.205.130.254:6443` for off-server use.
- No ops-bridge tunnel is needed for kubectl (the API is directly reachable).
- The wrong catalog entry was filed (PostgreSQL HA instead of k3s provisioning) — noted; there is no API endpoint to correct it retroactively, so it is documented here.

**Depends on:** RAIL-BS-WP-0002 (k3s-kubernetes-baseline) ✓ completed

**Unblocks:** NK-WP-0001 T02–T08 (SSO/MFA stack apply)

---

## Task: Extract kubeconfig from HostEurope server

```task
id: RAIL-BS-WP-0005-T01
status: done
priority: high
state_hub_task_id: "c59a8e0c-e1fd-4cfd-aa5e-7cbb895609f0"
```

```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
  "sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml
```

Verify that the file is non-empty and contains a valid YAML kubeconfig.

---

## Task: Rewrite server address and install kubeconfig

```task
id: RAIL-BS-WP-0005-T02
status: done
priority: high
state_hub_task_id: "93d61bc6-47e7-442f-8611-97f5f2f208c4"
```

Replace `127.0.0.1` with `92.205.130.254` in the kubeconfig and place it at `~/.kube/config` (create `~/.kube/` if absent). Back up any existing config first.

```bash
mkdir -p ~/.kube

# back up existing config if present
[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.bak.$(date +%Y%m%d)

# rewrite server address and install
sed 's|https://127.0.0.1:6443|https://92.205.130.254:6443|g' /tmp/k3s-raw.yaml \
  > ~/.kube/config
chmod 600 ~/.kube/config
```

---

## Task: Smoke-test kubectl from local machine

```task
id: RAIL-BS-WP-0005-T03
status: done
priority: high
state_hub_task_id: "f15626c2-73a0-443f-8aae-5515806ae0fa"
```

```bash
kubectl get nodes
kubectl get pods -A
```

Expected: node `254.130.205.92.host.secureserver.net` in `Ready` state.

If unreachable, check the firewall on the server: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status"`.

---

## Task: Resolve capability request

```task
id: RAIL-BS-WP-0005-T04
status: done
priority: high
state_hub_task_id: "8109450c-95df-4d01-96fd-8847c88beb34"
```

Patch capability request 34b97d89 to `completed` with a resolution note:

```bash
curl -s -X PATCH "http://127.0.0.1:8000/capability-requests/34b97d89-e80a-42ae-a623-a9185e5b17f5/status" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "completed",
    "note": "Kubeconfig delivered to ~/.kube/config (server: 92.205.130.254:6443). kubectl smoke-test passed. NK-WP-0001 T02-T08 can proceed. Note: wrong catalog_entry_id filed (PostgreSQL HA eca6e5cc instead of k3s provisioning 9520cc98) — no retroactive API to correct."
  }'
```

---

## Task: Register UFW-inactive finding as technical debt

```task
id: RAIL-BS-WP-0005-T05
status: done
priority: medium
state_hub_task_id: "ea120464-fdeb-4259-99e1-e6743cd86797"
```

UFW is inactive on 92.205.130.254 — the K3s API port 6443 is exposed to the internet, protected only by TLS mutual auth. Register it as a TD item in state-hub so it gets addressed in a future railiance-cluster security hardening workplan.

```bash
curl -s -X POST "http://127.0.0.1:8000/technical-debt/" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "railiance",
    "debt_type": "security",
    "severity": "medium",
    "title": "UFW inactive on HostEurope K3s node — API port 6443 exposed to internet",
    "description": "UFW is inactive on 92.205.130.254. K3s API (port 6443) is reachable from anywhere, protected only by TLS client certificates. Should be restricted to known IPs or tunnelled. Discovered 2026-03-20 during kubeconfig delivery workplan.",
    "status": "open"
  }'
```
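The T01/T02 steps above fetch a cluster-admin kubeconfig, rewrite its server address and install it. The script below is an added example, not part of this workplan, that folds those steps into functions with the checks a practitioner would want around them: the fetched file is validated before anything is overwritten (an SSH or sudo failure typically leaves an empty or non-YAML file behind), the previous config is backed up with its mode preserved, the new file is created under a restrictive umask so the credentials are never briefly world-readable, and the rewrite is verified afterwards. The function names and the example addresses in the usage comment are assumptions of this example; the paths match the workplan.

```shell
#!/bin/sh
# Added example (not the workplan's own code): validate, rewrite and install
# a kubeconfig fetched from a K3s node, backing up any existing config.
set -eu

# validate_kubeconfig FILE
# Succeeds only if FILE is non-empty and carries the top-level fields a
# kubeconfig must have. Catches the empty/garbage file that an SSH or sudo
# error leaves behind before it is installed over a working config.
validate_kubeconfig() {
  f=$1
  [ -s "$f" ] || { echo "empty file: $f" >&2; return 1; }
  grep -q '^apiVersion: v1$' "$f" || { echo "no apiVersion: $f" >&2; return 1; }
  grep -q '^kind: Config$' "$f" || { echo "not a kubeconfig: $f" >&2; return 1; }
  grep -q 'server: https://' "$f" || { echo "no server entry: $f" >&2; return 1; }
  grep -q 'client-certificate-data:' "$f" || { echo "no client cert: $f" >&2; return 1; }
}

# install_kubeconfig RAW DEST OLD_SERVER NEW_SERVER
# Validates RAW, backs up DEST if present (keeping its mode), rewrites the
# server URL and installs the result readable by the owner only.
install_kubeconfig() {
  raw=$1; dest=$2; old=$3; new=$4
  validate_kubeconfig "$raw"
  dir=$(dirname "$dest")
  mkdir -p "$dir"
  chmod 700 "$dir"
  if [ -f "$dest" ]; then
    cp -p "$dest" "$dest.bak.$(date +%Y%m%d)"
  fi
  # umask 077 makes the file 0600 from creation; the chmod below only
  # covers the case where DEST already existed with a looser mode.
  ( umask 077; sed "s|server: $old|server: $new|g" "$raw" > "$dest" )
  chmod 600 "$dest"
  # Confirm the rewrite happened and nothing still points at the old address.
  if ! grep -q "server: $new" "$dest" || grep -q "server: $old" "$dest"; then
    echo "server rewrite failed in $dest" >&2
    return 1
  fi
}

# kubeconfig_server FILE
# Prints the server URL of the first cluster entry, for a final eyeball check.
kubeconfig_server() {
  awk '/^ *server: /{print $2; exit}' "$1"
}

# Usage with the workplan's own paths and addresses:
#   install_kubeconfig /tmp/k3s-raw.yaml ~/.kube/config \
#     https://127.0.0.1:6443 https://92.205.130.254:6443
#   kubeconfig_server ~/.kube/config
```

Note that `/tmp/k3s-raw.yaml` as written in T01 is created with the default umask and holds the same cluster-admin credentials; `umask 077` before the `ssh` redirect, or removing the raw file once installed, closes that window.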
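The technical-debt item registered in T05 above says the API port should be restricted to known IPs or tunnelled. The following is an added example, not part of this workplan, of what the first of those remediations looks like as a UFW rule set: default-deny inbound, SSH kept open before enabling (so the enable step cannot lock the operator out), and 6443/tcp allowed only from explicitly listed admin sources. The script refuses a catch-all source such as `0.0.0.0/0` or `any`, since that would re-create the exposure the TD item describes. It prints the commands by default and only executes them when `APPLY=1` is set; the admin CIDRs are placeholders to be replaced with the real operator addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the workplan's own code): build the UFW rule set that
# restricts the K3s API port to known admin sources.
set -eu

K3S_API_PORT=6443

# valid_admin_cidr CIDR
# Accepts a single IPv4 host or network; rejects catch-all sources that
# would leave 6443 open to the whole internet again.
valid_admin_cidr() {
  case $1 in
    0.0.0.0/0|::/0|any|'') return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# ufw_rules SSH_PORT CIDR...
# Prints, one per line, the ufw commands to run in order. All CIDRs are
# checked before anything is printed so a bad list yields no partial output.
ufw_rules() {
  ssh_port=$1; shift
  [ "$#" -gt 0 ] || { echo "at least one admin CIDR is required" >&2; return 1; }
  for cidr in "$@"; do
    valid_admin_cidr "$cidr" || { echo "refusing admin source: $cidr" >&2; return 1; }
  done
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH must be allowed before 'enable', or the operator is locked out.
  echo "ufw allow $ssh_port/tcp"
  for cidr in "$@"; do
    echo "ufw allow from $cidr to any port $K3S_API_PORT proto tcp"
  done
  echo "ufw --force enable"
}

# apply_ufw_rules SSH_PORT CIDR...
# Dry-run by default; set APPLY=1 to actually run the commands via sudo.
apply_ufw_rules() {
  ufw_rules "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    if [ "${APPLY:-0}" = 1 ]; then
      sudo $cmd
    fi
  done
}

# Usage, with placeholder admin sources (replace with the real operator IPs):
#   apply_ufw_rules 22 203.0.113.5/32 198.51.100.0/24
#   APPLY=1 apply_ufw_rules 22 203.0.113.5/32 198.51.100.0/24
#   sudo ufw status numbered   # confirm 6443 is listed only with 'from' sources
```

After applying, the T03 smoke test (`kubectl get nodes`) from an allowed source and a connection attempt from a non-listed source together confirm the rule set does what the TD item asks.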