added sync-certs-job

2025-06-05 11:51:05 +00:00
parent 077be73b69
commit c5726df9c4
8 changed files with 235 additions and 34 deletions
--- a/casa-limbosolutions-com/icarus/k3s-admin.md
+++ b/casa-limbosolutions-com/icarus/k3s-admin.md
@@ -0,0 +1,95 @@
+# casa on Icarus - admin
+
+Requires kubernetes admin user access to icarus. All documentation and scripts must be executed on icarus context with an admin account.
+
+Currently using an symbolic on icarus project on my dev device to this file.
+
+## kubernetes Namespace
+
+```bash
+# delete namespace
+kubectl create namespace casa-limbosolutions-com
+```
+
+```bash
+# delete namespace
+kubectl delete namespace casa-limbosolutions-com
+```
+
+## Roles and Bindings
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: casa-limbosolutions-com
+  name: casa-limbosolutions-com
+rules:
+  - apiGroups: 
+      - ""
+      - cert-manager.io # to access deployments certs from cert-manager
+      - apps # to access deployments
+      - networking.k8s.io # to access ingresses
+    resources: 
+      - pods
+      - services
+      - secrets
+      - certificates
+      - deployments
+      - configmaps
+      - ingresses
+      - persistentvolumeclaims
+    verbs: 
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+```
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: casa-limbosolutions-com-rb  # Replace with your role binding name
+  namespace: casa-limbosolutions-com     # Replace with your namespace
+subjects:
+- kind: User                   # or "ServiceAccount" for service accounts
+  name: casa           # Replace with the username or service account name
+  apiGroup: rbac.authorization.k8s.io
+  namespace: casa-limbosolutions-com
+roleRef:
+  kind: ClusterRole
+  name: casa-limbosolutions-com          # The name of the role you created
+  apiGroup: rbac.authorization.k8s.io
+```
+
+### kubernetes User
+
+```bash
+#Deploy csr to k3s
+cat <<EOF | kubectl apply -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: casa-user-csr
+spec:
+  request: $(cat ../.env.d/.kube/casa@icarus-user.csr | base64 | tr -d '\n')
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+  - client auth
+EOF
+```
+
+```bash
+# Approve csr
+kubectl certificate approve casa-user-csr
+```
+
+```bash
+# Download kubernet user crt
+kubectl get csr casa-user-csr -o jsonpath='{.status.certificate}' | base64 --decode > ./.env.d/casa@icarus-user.crt
+```