change k3s data dir to external disk

add additional SAN to k3s certificates update README with k8s certificate instructions open port for kubectl
2023-12-14 21:42:58 +01:00 · 2023-12-14 21:42:58 +01:00 · 1c0e4794a8
commit 1c0e4794a8
parent 4f41fd746a
4 changed files with 52 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -25,3 +25,47 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
 ## Deployment

 Deployment can simply be done as follows: `deploy`
+
+## Creating an admin certificate for k3s
+
+Create the admin's private key:
+```
+openssl genpkey -algorithm ed25519 -out <username>-key.pem
+```
+
+Create a CSR for the admin:
+```
+openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
+```
+
+Create a Kubernetes CSR object on the cluster:
+```
+k3s kubectl create -f - <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: <username>-csr
+spec:
+  request: $(cat <username>.csr | base64 | tr -d '\n')
+  expirationSeconds: 307584000 # 10 years
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+    - digital signature
+    - key encipherment
+    - client auth
+EOF
+```
+
+Approve and sign the admin's CSR:
+```
+k3s kubectl certificate approve <username>-csr
+```
+
+Extract the resulting signed certificate from the CSR object:
+```
+k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
+```
+
+## TODO
+
+1. Manage the bootstrap k3s clusterrolebinding with kubenix: `k3s kubectl create clusterrolebinding pim-cluster-admin --user=pim --clusterrole=cluster-admin`.