restructure documentation

Pim Kunis 2023-12-29 12:51:42 +01:00
parent 6d258fe5ae
commit ace5df1b43
2 changed files with 47 additions and 41 deletions

@ -3,6 +3,10 @@
Nix definitions to configure our physical servers. Nix definitions to configure our physical servers.
Currently, only one physical server (named jefke) is implemented but more are planned! Currently, only one physical server (named jefke) is implemented but more are planned!
## Additional documentation
- [Kubernetes](docs/kubernetes.md)
## Prerequisites ## Prerequisites
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download)) 1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
@ -24,44 +28,5 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
## Deployment ## Deployment
Deployment can simply be done as follows: `deploy` To deploy all servers at once: `deploy`
To deploy only one server: `deploy --targets .#<host>`
## Creating an admin certificate for k3s
Create the admin's private key:
```
openssl genpkey -algorithm ed25519 -out <username>-key.pem
```
Create a CSR for the admin:
```
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
```
Create a Kubernetes CSR object on the cluster:
```
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: <username>-csr
spec:
request: $(cat <username>.csr | base64 | tr -d '\n')
expirationSeconds: 307584000 # 10 years
signerName: kubernetes.io/kube-apiserver-client
usages:
- digital signature
- key encipherment
- client auth
EOF
```
Approve and sign the admin's CSR:
```
k3s kubectl certificate approve <username>-csr
```
Extract the resulting signed certificate from the CSR object:
```
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
```
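Review bot: In the new Deployment text, `deploy --targets .#<host>` uses a `<host>` placeholder that the README never defines. State what value goes there (for instance, whether it is the server name, such as jefke from the introduction) so the single-server command can be used without first reading the flake.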

docs/kubernetes.md Normal file

@ -0,0 +1,41 @@
# Kubernetes
## Creating an admin certificate for k3s
Create the admin's private key:
```
openssl genpkey -algorithm ed25519 -out <username>-key.pem
```
Create a CSR for the admin:
```
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
```
Create a Kubernetes CSR object on the cluster:
```
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: <username>-csr
spec:
request: $(cat <username>.csr | base64 | tr -d '\n')
expirationSeconds: 307584000 # 10 years
signerName: kubernetes.io/kube-apiserver-client
usages:
- digital signature
- key encipherment
- client auth
EOF
```
Approve and sign the admin's CSR:
```
k3s kubectl certificate approve <username>-csr
```
Extract the resulting signed certificate from the CSR object:
```
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
```
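Review bot: `expirationSeconds: 307584000 # 10 years` in the CertificateSigningRequest asks for a roughly ten-year admin client certificate, and Kubernetes has no revocation mechanism for client certificates, so a leaked `<username>-key.pem` stays usable until expiry unless that user's RBAC bindings are removed or the cluster CA is rotated. Consider requesting a much shorter lifetime and documenting renewal. Two smaller points on the same file: the value works out to 3560 days, slightly under the ten years the comment states, and the built-in signer honours the requested duration only up to the controller manager's `--cluster-signing-duration`, so a final step that checks the issued expiry (for example `openssl x509 -in <username>.crt -noout -enddate`) would show what was actually granted. The subject is only `/CN=<username>` with no group, so the certificate carries no permissions until an RBAC binding exists for that user. Since the section is titled "Creating an admin certificate", it should say where that binding is created.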