From 1c0e4794a84e426ae07caefacbdd78fbc6002197 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 14 Dec 2023 21:42:58 +0100
Subject: [PATCH] change k3s data dir to external disk
add additional SAN to k3s certificates
update README with k8s certificate instructions
open port for kubectl
---
 README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++
 configuration.nix | 5 +++++
 flake.nix | 2 ++
 nftables.conf | 1 +
 4 files changed, 52 insertions(+)
diff --git a/README.md b/README.md
index c8e0376..bddf974 100644
--- a/README.md
+++ b/README.md
@@ -25,3 +25,47 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
 ## Deployment
 
 Deployment can simply be done as follows: `deploy`
+
+## Creating an admin certificate for k3s
+
+Create the admin's private key:
+```
+openssl genpkey -algorithm ed25519 -out -key.pem
+```
+
+Create a CSR for the admin:
+```
+openssl req -new -key -key.pem -out .csr -subj "/CN="
+```
+
+Create a Kubernetes CSR object on the cluster:
+```
+k3s kubectl create -f - <-csr
+spec:
+ request: $(cat .csr | base64 | tr -d '\n')
+ expirationSeconds: 307584000 # 10 years
+ signerName: kubernetes.io/kube-apiserver-client
+ usages:
+ - digital signature
+ - key encipherment
+ - client auth
+EOF
+```
+
+Approve and sign the admin's CSR:
+```
+k3s kubectl certificate approve -csr
+```
+
+Extract the resulting signed certificate from the CSR object:
+```
+k3s kubectl get csr -csr -o jsonpath='{.status.certificate}' | base64 --decode > .crt
+```
+
+## TODO
+
+1. Manage the bootstrap k3s clusterrolebinding with kubenix: `k3s kubectl create clusterrolebinding pim-cluster-admin --user=pim --clusterrole=cluster-admin`.
diff --git a/configuration.nix b/configuration.nix
index 2dfc05a..2b1387f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -177,4 +177,9 @@
 services.k3s.enable = true;
 services.k3s.role = "server";
+ # Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
+ # We can hardcode this as a CLI flag to k3s.
+ services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
+
+ virtualisation.libvirtd.enable = true;
 }
diff --git a/flake.nix b/flake.nix
index bc3ce12..ce3af39 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,7 @@
 pkgs = nixpkgs.legacyPackages.${system};
 pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
 machines = import ./machines;
+ # TODO: Maybe use mergeAttrLists
 mkNixosSystems = systemDef: nixpkgs.lib.foldlAttrs
 (acc: name: machine:
 acc // {
@@ -44,6 +45,7 @@
 pkgs-unstable.deploy-rs
 pkgs.openssl
 pkgs.postgresql_15
+ pkgs.kubectl
 ];
 };
diff --git a/nftables.conf b/nftables.conf
index 46dd6cb..10d456f 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -15,6 +15,7 @@ table inet nixos-fw {
 chain input-allow {
 tcp dport 22 accept
 tcp dport 5432 accept comment "PostgreSQL server"
+ tcp dport 6443 accept comment "k3s"
 icmp type echo-request accept comment "allow ping"
 icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
 ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
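Review bot: The new `--data-dir /mnt/data/k3s` in `services.k3s.extraFlags` makes k3s depend on the external disk being mounted, but nothing in this hunk orders the k3s unit after that mount; if /mnt/data is not mounted at boot, k3s would most likely create the directory on the root filesystem and bootstrap fresh state there (a new cluster CA, tokens and datastore), silently diverging from the cluster data on the disk. Adding `systemd.services.k3s.unitConfig.RequiresMountsFor = "/mnt/data/k3s";` next to the extraFlags line makes the unit fail rather than start on an empty data dir, assuming /mnt/data is declared as a NixOS filesystem so a mount unit exists. `--tls-san jefke.hyp` hardcodes the host's own name; deriving it from `config.networking.hostName` and `config.networking.domain` would keep the SAN correct if the host is renamed, which the "Temporary fix" comment seems to anticipate. `virtualisation.libvirtd.enable = true;` is not mentioned in the commit message and would be clearer as its own commit. The enclosing attribute set begins outside the hunk.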
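Review bot: The new `tcp dport 6443 accept comment "k3s"` rule in `input-allow` admits connections to the k3s API server from any source address, while the commit message describes the port as being opened for kubectl, i.e. for admin access; whether that exposes the API beyond the admin network depends on the chain's hook and any interface filters, which are outside the hunk. If the host has an interface facing an untrusted network, constrain the rule to the admin's source range, e.g. `ip saddr <ADMIN-NET-PLACEHOLDER> tcp dport 6443 accept comment "k3s API server (kubectl)"`, so that the only thing standing between the network and the API is not solely the client-certificate check. The comment would also read better if it named the service like the PostgreSQL rule above it, e.g. `comment "k3s API server"`. The `input-allow` chain closes outside the hunk.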