diff --git a/README.md b/README.md index b93db68..aee6bbb 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,10 @@ Nix definitions to configure our physical servers. Currently, only one physical server (named jefke) is implemented but more are planned! +## Additional documentation + +- [Kubernetes](docs/kubernetes.md) + ## Prerequisites 1. Install the Nix package manager or NixOS ([link](https://nixos.org/download)) @@ -24,44 +28,5 @@ Additionally, it deploys an age identity, which is later used for decrypting sec ## Deployment -Deployment can simply be done as follows: `deploy` - -## Creating an admin certificate for k3s - -Create the admin's private key: -``` -openssl genpkey -algorithm ed25519 -out -key.pem -``` - -Create a CSR for the admin: -``` -openssl req -new -key -key.pem -out .csr -subj "/CN=" -``` - -Create a Kubernetes CSR object on the cluster: -``` -k3s kubectl create -f - <-csr -spec: - request: $(cat .csr | base64 | tr -d '\n') - expirationSeconds: 307584000 # 10 years - signerName: kubernetes.io/kube-apiserver-client - usages: - - digital signature - - key encipherment - - client auth -EOF -``` - -Approve and sign the admin's CSR: -``` -k3s kubectl certificate approve -csr -``` - -Extract the resulting signed certificate from the CSR object: -``` -k3s kubectl get csr -csr -o jsonpath='{.status.certificate}' | base64 --decode > .crt -``` +To deploy all servers at once: `deploy` +To deploy only one server: `deploy --targets .#` diff --git a/docs/kubernetes.md b/docs/kubernetes.md new file mode 100644 index 0000000..76d97a1 --- /dev/null +++ b/docs/kubernetes.md 
@@ -0,0 +1,41 @@ +# Kubernetes + +## Creating an admin certificate for k3s + +Create the admin's private key: +``` +openssl genpkey -algorithm ed25519 -out -key.pem +``` + +Create a CSR for the admin: +``` +openssl req -new -key -key.pem -out .csr -subj "/CN=" +``` + +Create a Kubernetes CSR object on the cluster: +``` +k3s kubectl create -f - <-csr +spec: + request: $(cat .csr | base64 | tr -d '\n') + expirationSeconds: 307584000 # 10 years + signerName: kubernetes.io/kube-apiserver-client + usages: + - digital signature + - key encipherment + - client auth +EOF +``` + +Approve and sign the admin's CSR: +``` +k3s kubectl certificate approve -csr +``` + +Extract the resulting signed certificate from the CSR object: +``` +k3s kubectl get csr -csr -o jsonpath='{.status.certificate}' | base64 --decode > .crt +```
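Review bot: in the second README hunk (`@@ -24,44 +28,5`), the two new deployment lines `+To deploy all servers at once: \`deploy\`` and `+To deploy only one server: \`deploy --targets .#\`` have no blank line between them, so Markdown will render them as one run-on paragraph; separate them with a blank line or turn them into a two-item list like the numbered lists the README already uses. The target name after `.#` is also empty in the visible hunk, as are the placeholders in the removed certificate section (`-out -key.pem`, `/CN=`); if these are meant to be `<name>`-style placeholders, Markdown treats bare angle-bracket tokens as HTML tags and drops them on render, so wrap placeholders in backticks (`` `<hostname>` ``) or use an unambiguous form such as `HOSTNAME` so the reader can see what to substitute.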
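Review bot: in the new `docs/kubernetes.md`, the `k3s kubectl create -f -` step shows a manifest consisting only of `spec:` with no heredoc opener and no `apiVersion: certificates.k8s.io/v1`, `kind: CertificateSigningRequest` or `metadata.name`, so the command as it appears here cannot create the object; please check the rendered file, since the same angle-bracket placeholder problem noted for the README would swallow everything from `<<EOF` through the first `>` and produce exactly the `<-csr` fragment visible in the hunk. On the security side: `expirationSeconds: 307584000 # 10 years` is only a request, and the kube-controller-manager signer caps the issued lifetime at its `--cluster-signing-duration` (default 8760h), so the comment may not describe what is actually issued; have the reader confirm with `openssl x509 -in .crt -noout -enddate`. More importantly, kube-apiserver performs no client-certificate revocation, so the only way to cut off a leaked long-lived admin certificate is to rotate the cluster CA; the doc should recommend a short lifetime and re-issuance instead of ten years. The CSR is created with `-subj "/CN="` and no organization, which is the right choice (do not reach for `/O=system:masters`, which bypasses RBAC entirely and cannot be revoked), but it means the resulting identity has no permissions until a ClusterRoleBinding exists, and the doc never mentions that step or how to wire the `.crt`/`-key.pem` pair into a kubeconfig (`kubectl config set-credentials ... --client-certificate ... --client-key ... --embed-certs`). Two smaller points: `key encipherment` in `usages` is meaningless for an Ed25519 key, which can only sign, so `digital signature` and `client auth` suffice; and `openssl genpkey` writes the key file with umask-default permissions, so add a `chmod 600 -key.pem` right after the first step.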