railiance-cluster/workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md
tegwick ee6d7b149e
new workplan
2026-03-20 23:43:17 +01:00

| id | type | title | domain | repo | status | owner | topic_slug | capability_request_id | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|
| RAIL-BS-WP-0005 | workplan | Kubeconfig delivery for netkingdom SSO/MFA stack apply | railiance | railiance-cluster | done | railiance-worker | railiance | 34b97d89-e80a-42ae-a623-a9185e5b17f5 | 2026-03-20 | 2026-03-20 | b236de41-2f33-4ebc-bb84-5fcedb2982f8 |

# RAIL-BS-WP-0005 — Kubeconfig delivery for netkingdom SSO/MFA stack apply

Scope: Fulfil capability request 34b97d89 — deliver a working local kubeconfig so the netkingdom SSO/MFA workstream (NK-WP-0001) can apply manifests (T02-T08) against the existing K3s cluster on HostEurope (92.205.130.254).

Context:

  • Cluster is healthy: one node Ready, k3s v1.30.3, 200 days uptime.
  • K3s API listens on *:6443 (all interfaces); UFW is inactive — direct public access works.
  • The in-cluster kubeconfig uses server: https://127.0.0.1:6443; must be rewritten to https://92.205.130.254:6443 for off-server use.
  • No ops-bridge tunnel needed for kubectl (API is directly reachable).
  • Wrong catalog entry was filed (PostgreSQL HA instead of k3s provisioning) — noted, no API endpoint to correct it retroactively; document here.

Depends on: RAIL-BS-WP-0002 (k3s-kubernetes-baseline) ✓ completed

Unblocks: NK-WP-0001 T02-T08 (SSO/MFA stack apply)


## Task: Extract kubeconfig from HostEurope server

id: RAIL-BS-WP-0005-T01
status: done
priority: high
state_hub_task_id: "c59a8e0c-e1fd-4cfd-aa5e-7cbb895609f0"

```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
  "sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml
```

Verify file is non-empty and contains a valid YAML kubeconfig.


## Task: Rewrite server address and install kubeconfig

id: RAIL-BS-WP-0005-T02
status: done
priority: high
state_hub_task_id: "93d61bc6-47e7-442f-8611-97f5f2f208c4"

Replace 127.0.0.1 with 92.205.130.254 in the kubeconfig; place at ~/.kube/config (create ~/.kube/ if absent). Back up any existing config first.

```bash
mkdir -p ~/.kube
# back up existing if present
[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.bak.$(date +%Y%m%d)
# rewrite server and install
sed 's|https://127.0.0.1:6443|https://92.205.130.254:6443|g' /tmp/k3s-raw.yaml \
  > ~/.kube/config
chmod 600 ~/.kube/config
```

## Task: Smoke-test kubectl from local machine

id: RAIL-BS-WP-0005-T03
status: done
priority: high
state_hub_task_id: "f15626c2-73a0-443f-8aae-5515806ae0fa"

```bash
kubectl get nodes
kubectl get pods -A
```

Expected: node 254.130.205.92.host.secureserver.net in Ready state. If unreachable, check the firewall on the server: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status"`.
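As an added example (not part of this workplan or the railiance tooling), a POSIX shell function that folds the T01 validity check into the T02 rewrite-and-install step and fails closed when the raw file is empty, does not look like a kubeconfig with embedded client credentials, or has no loopback server entry to rewrite. The sample kubeconfig it builds is constructed with placeholder base64 strings; the T03 kubectl check against the real cluster is still a separate step.

```bash
#!/bin/sh
# Rewrite the k3s kubeconfig's loopback server address for off-server use,
# with the checks the workplan asks for (non-empty, valid kubeconfig shape,
# backup of any existing config, 0600 permissions, post-condition verified).
# Usage: install_kubeconfig RAW_FILE DEST_FILE PUBLIC_HOST

install_kubeconfig() {
  raw="$1"; dest="$2"; host="$3"
  # T01 check: non-empty and carrying the inline CA, client cert and key
  # that k3s writes into /etc/rancher/k3s/k3s.yaml.
  [ -s "$raw" ] || { echo "empty or missing: $raw" >&2; return 1; }
  for key in 'kind: Config' 'certificate-authority-data:' \
             'client-certificate-data:' 'client-key-data:'; do
    grep -q "$key" "$raw" || { echo "not a kubeconfig: missing $key" >&2; return 1; }
  done
  # Refuse to install a file with no loopback entry: a silent no-op would
  # leave kubectl pointing at the wrong host.
  grep -q 'server: https://127.0.0.1:6443' "$raw" \
    || { echo "no loopback server entry in $raw" >&2; return 1; }
  mkdir -p "$(dirname "$dest")"
  # T02: back up an existing config before overwriting it.
  [ -f "$dest" ] && cp -p "$dest" "$dest.bak.$(date +%Y%m%d)"
  # umask 077 in a subshell so the credentials are never world-readable,
  # even before the explicit chmod below.
  ( umask 077 && sed "s|https://127.0.0.1:6443|https://$host:6443|g" "$raw" > "$dest" )
  chmod 600 "$dest"
  # Post-condition: public address present, no loopback entry left behind.
  grep -q "server: https://$host:6443" "$dest" && ! grep -q '127.0.0.1' "$dest"
}

# Constructed stand-in for the raw k3s.yaml (placeholder base64 values,
# not real credentials) so the example runs offline.
make_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://127.0.0.1:6443
  name: default
users:
- name: default
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    client-key-data: UExBQ0VIT0xERVI=
EOF
}
```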


## Task: Resolve capability request

id: RAIL-BS-WP-0005-T04
status: done
priority: high
state_hub_task_id: "8109450c-95df-4d01-96fd-8847c88beb34"

Patch capability request 34b97d89 to completed with a resolution note:

```bash
curl -s -X PATCH "http://127.0.0.1:8000/capability-requests/34b97d89-e80a-42ae-a623-a9185e5b17f5/status" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "completed",
    "note": "Kubeconfig delivered to ~/.kube/config (server: 92.205.130.254:6443). kubectl smoke-test passed. NK-WP-0001 T02-T08 can proceed. Note: wrong catalog_entry_id filed (PostgreSQL HA eca6e5cc instead of k3s provisioning 9520cc98) — no retroactive API to correct."
  }'
```

## Task: Register UFW-inactive finding as technical debt

id: RAIL-BS-WP-0005-T05
status: done
priority: medium
state_hub_task_id: "ea120464-fdeb-4259-99e1-e6743cd86797"

UFW is inactive on 92.205.130.254 — K3s API port 6443 is exposed to the internet, protected only by TLS mutual auth. Register as TD item in state-hub so it gets addressed in a future railiance-cluster security hardening workplan.

```bash
curl -s -X POST "http://127.0.0.1:8000/technical-debt/" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "railiance",
    "debt_type": "security",
    "severity": "medium",
    "title": "UFW inactive on HostEurope K3s node — API port 6443 exposed to internet",
    "description": "UFW is inactive on 92.205.130.254. K3s API (port 6443) is reachable from anywhere, protected only by TLS client certificates. Should be restricted to known IPs or tunnelled. Discovered 2026-03-20 during kubeconfig delivery workplan.",
    "status": "open"
  }'
```