railiance-cluster/workplans/RAIL-BS-WP-0005-kubeconfig-delivery.md
tegwick ee6d7b149e
new workplan
2026-03-20 23:43:17 +01:00

---
id: RAIL-BS-WP-0005
type: workplan
title: "Kubeconfig delivery for netkingdom SSO/MFA stack apply"
domain: railiance
repo: railiance-cluster
status: done
owner: railiance-worker
topic_slug: railiance
capability_request_id: "34b97d89-e80a-42ae-a623-a9185e5b17f5"
created: "2026-03-20"
updated: "2026-03-20"
state_hub_workstream_id: "b236de41-2f33-4ebc-bb84-5fcedb2982f8"
---
# RAIL-BS-WP-0005 — Kubeconfig delivery for netkingdom SSO/MFA stack apply
**Scope:** Fulfil capability request 34b97d89 — deliver a working local kubeconfig so
the netkingdom SSO/MFA workstream (NK-WP-0001) can apply manifests (T02-T08) against
the existing K3s cluster on HostEurope (92.205.130.254).
**Context:**
- Cluster is healthy: one node `Ready`, k3s v1.30.3, 200 days uptime.
- K3s API listens on `*:6443` (all interfaces); UFW is inactive — direct public access works.
- The in-cluster kubeconfig uses `server: https://127.0.0.1:6443`; must be rewritten
to `https://92.205.130.254:6443` for off-server use.
- No ops-bridge tunnel needed for kubectl (API is directly reachable).
- Wrong catalog entry was filed (PostgreSQL HA instead of k3s provisioning) — noted,
no API endpoint to correct it retroactively; document here.
**Depends on:** RAIL-BS-WP-0002 (k3s-kubernetes-baseline) ✓ completed
**Unblocks:** NK-WP-0001 T02-T08 (SSO/MFA stack apply)
---
## Task: Extract kubeconfig from HostEurope server
```task
id: RAIL-BS-WP-0005-T01
status: done
priority: high
state_hub_task_id: "c59a8e0c-e1fd-4cfd-aa5e-7cbb895609f0"
```
```bash
ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 \
"sudo cat /etc/rancher/k3s/k3s.yaml" > /tmp/k3s-raw.yaml
```
Verify file is non-empty and contains a valid YAML kubeconfig.
---
## Task: Rewrite server address and install kubeconfig
```task
id: RAIL-BS-WP-0005-T02
status: done
priority: high
state_hub_task_id: "93d61bc6-47e7-442f-8611-97f5f2f208c4"
```
Replace `127.0.0.1` with `92.205.130.254` in the kubeconfig; place at
`~/.kube/config` (create `~/.kube/` if absent). Back up any existing config first.
```bash
mkdir -p ~/.kube
# back up existing if present
[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.bak.$(date +%Y%m%d)
# rewrite server and install
sed 's|https://127.0.0.1:6443|https://92.205.130.254:6443|g' /tmp/k3s-raw.yaml \
> ~/.kube/config
chmod 600 ~/.kube/config
```
---
## Task: Smoke-test kubectl from local machine
```task
id: RAIL-BS-WP-0005-T03
status: done
priority: high
state_hub_task_id: "f15626c2-73a0-443f-8aae-5515806ae0fa"
```
```bash
kubectl get nodes
kubectl get pods -A
```
Expected: node `254.130.205.92.host.secureserver.net` in `Ready` state.
If unreachable, check firewall on server: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status"`.
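T01 to T03 as one script, added here as an example and not part of the workplan: it applies the T01 acceptance check (non-empty, structurally a kubeconfig rather than an ssh error message), performs the T02 rewrite and install with owner-only permissions, and verifies that no loopback address survives before anything is written to `~/.kube/config`. The function names `rewrite_kubeconfig` and `make_sample_kubeconfig` and the sample kubeconfig the latter writes are constructed for offline testing; the live `kubectl get nodes` step is left to the caller.

```sh
#!/bin/sh
# Added example, not part of the workplan: rewrite and verify the K3s
# kubeconfig before installing it. Function names and the sample kubeconfig
# written by make_sample_kubeconfig are constructed for offline testing.

# make_sample_kubeconfig PATH
#   Writes a minimal kubeconfig shaped like /etc/rancher/k3s/k3s.yaml
#   (loopback server, placeholder base64 certificate fields) for testing.
make_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://127.0.0.1:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    client-key-data: UExBQ0VIT0xERVI=
EOF
}

# rewrite_kubeconfig RAW TARGET_HOST OUT
#   RAW: kubeconfig as fetched from the server (T01 output)
#   TARGET_HOST: public address that replaces 127.0.0.1
#   OUT: destination, e.g. ~/.kube/config
# Returns 0 on success, 1 with a message on stderr if any check fails.
rewrite_kubeconfig() {
  raw="$1"; host="$2"; out="$3"

  # T01 acceptance: non-empty and structurally a kubeconfig, not an ssh error
  [ -s "$raw" ] || { echo "error: $raw is empty or missing" >&2; return 1; }
  for key in '^apiVersion: v1' '^kind: Config' '^clusters:' '^users:'; do
    grep -q "$key" "$raw" || { echo "error: missing '$key' in $raw" >&2; return 1; }
  done
  grep -q 'server: https://127.0.0.1:6443' "$raw" \
    || { echo "error: expected loopback server entry not found" >&2; return 1; }

  # T02: back up an existing config, then write with owner-only permissions.
  # The file carries the client key, so it is created under umask 077; the
  # umask runs in a subshell so it does not leak into the caller's shell.
  mkdir -p "$(dirname "$out")"
  [ -f "$out" ] && cp "$out" "$out.bak.$(date +%Y%m%d)"
  ( umask 077; sed "s|https://127.0.0.1:6443|https://$host:6443|g" "$raw" > "$out" ) || return 1
  chmod 600 "$out"

  # Post-checks: the target address is present and no loopback reference remains
  grep -q "server: https://$host:6443" "$out" \
    || { echo "error: server rewrite failed" >&2; return 1; }
  if grep -q '127\.0\.0\.1' "$out"; then
    echo "error: loopback address still present in $out" >&2; return 1
  fi
  return 0
}

# Manual run: sh this_script.sh demo  (uses the constructed sample, writes to a temp dir)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_sample_kubeconfig "$d/k3s-raw.yaml"
  rewrite_kubeconfig "$d/k3s-raw.yaml" 92.205.130.254 "$d/kube/config" \
    && echo "installed $d/kube/config"
  # After a real install, T03 is: kubectl get nodes  (expect the node in Ready state)
fi
```

For the real run, replace `make_sample_kubeconfig` with the ssh fetch from T01 and pass `/tmp/k3s-raw.yaml`, `92.205.130.254` and `~/.kube/config`; the function refuses to install if the fetch returned an error message instead of YAML, which is the failure mode the T01 "verify non-empty" step is guarding against.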
---
## Task: Resolve capability request
```task
id: RAIL-BS-WP-0005-T04
status: done
priority: high
state_hub_task_id: "8109450c-95df-4d01-96fd-8847c88beb34"
```
Patch capability request 34b97d89 to `completed` with a resolution note:
```bash
curl -s -X PATCH "http://127.0.0.1:8000/capability-requests/34b97d89-e80a-42ae-a623-a9185e5b17f5/status" \
-H "Content-Type: application/json" \
-d '{
"status": "completed",
"note": "Kubeconfig delivered to ~/.kube/config (server: 92.205.130.254:6443). kubectl smoke-test passed. NK-WP-0001 T02-T08 can proceed. Note: wrong catalog_entry_id filed (PostgreSQL HA eca6e5cc instead of k3s provisioning 9520cc98) — no retroactive API to correct."
}'
```
---
## Task: Register UFW-inactive finding as technical debt
```task
id: RAIL-BS-WP-0005-T05
status: done
priority: medium
state_hub_task_id: "ea120464-fdeb-4259-99e1-e6743cd86797"
```
UFW is inactive on 92.205.130.254 — K3s API port 6443 is exposed to the internet,
protected only by TLS mutual auth. Register as TD item in state-hub so it gets
addressed in a future railiance-cluster security hardening workplan.
```bash
curl -s -X POST "http://127.0.0.1:8000/technical-debt/" \
-H "Content-Type: application/json" \
-d '{
"domain": "railiance",
"debt_type": "security",
"severity": "medium",
"title": "UFW inactive on HostEurope K3s node — API port 6443 exposed to internet",
"description": "UFW is inactive on 92.205.130.254. K3s API (port 6443) is reachable from anywhere, protected only by TLS client certificates. Should be restricted to known IPs or tunnelled. Discovered 2026-03-20 during kubeconfig delivery workplan.",
"status": "open"
}'
```
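A check for closing the technical-debt item above, added here as an example and not part of the workplan: it classifies how a port is exposed from saved `sudo ufw status` output, so the future hardening workplan can assert that 6443 is restricted to known sources rather than re-reading the rules by eye. The function name `ufw_port_exposure` and the sample outputs are constructed; nothing here is captured from 92.205.130.254.

```sh
#!/bin/sh
# Added example, not part of the workplan: classify a port's exposure from the
# output of `ufw status`. Function name and sample outputs are constructed.

# ufw_port_exposure STATUS_FILE PORT
#   STATUS_FILE: saved output of `sudo ufw status`
#   Prints one verdict:
#     unfiltered        ufw inactive, every listening port is reachable
#     open-to-anywhere  an ALLOW rule for PORT from Anywhere
#     restricted        ALLOW rules for PORT exist only from specific sources
#     no-allow-rule     no ALLOW rule for PORT (subject to the default policy)
#   Returns 0 for the two internet-reachable verdicts, 1 otherwise.
ufw_port_exposure() {
  f="$1"; port="$2"
  if grep -q '^Status: inactive' "$f"; then
    echo unfiltered
    return 0
  fi
  verdict=$(awk -v p="$port" '
    { gsub(/ \(v6\)/, "") }                 # "6443/tcp (v6)" -> "6443/tcp"
    ($1 == p || $1 == (p "/tcp") || $1 == (p "/udp")) && $2 == "ALLOW" {
      if ($3 ~ /^Anywhere/) any = 1; else specific = 1
    }
    END {
      if (any) print "open-to-anywhere"
      else if (specific) print "restricted"
      else print "no-allow-rule"
    }' "$f")
  echo "$verdict"
  [ "$verdict" = "open-to-anywhere" ]
}
```

Usage: `ssh -i ~/.ssh/id_ops tegwick@92.205.130.254 "sudo ufw status" > /tmp/ufw.txt && ufw_port_exposure /tmp/ufw.txt 6443`. In the state recorded above (UFW inactive) the verdict is `unfiltered`; once the hardening workplan adds ALLOW rules from specific addresses only, it becomes `restricted` and the function's non-zero return can gate the TD item's closure.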