upgrade script and fix a few issues

README.md

@@ -12,6 +12,15 @@ kubectl apply -f certsigner
 ./userspace.sh tester
 ```
 
+```bash
+export USER=$1
+openssl req -in $HOME/.kube/users/$USER/$USER.csr -noout -text
+helm template $USER ./namespace | kubectl --context admin apply -f -
+kubectl --context admin cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
+kubectl --context admin exec --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
+kubectl --context admin cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
+```
+
 ### Update a user
 
 ```bash

example.config

@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority: server-ca.crt
+    server: https://3.14.3.100:6443
+  name: mainframe
+contexts:
+- context:
+    cluster: mainframe
+    namespace: $USER
+    user: $USER
+  name: $USER
+current-context: $USER
+kind: Config
+preferences: {}
+users:
+- name: $USER
+  user:
+    client-certificate: users/$USER/$USER.crt
+    client-key: users/$USER/$USER.key

genuserspace.sh

@@ -1,8 +1,18 @@
 #!/bin/bash
 
 export USER=$1
-openssl req -in $HOME/.kube/users/$USER/$USER.csr -noout -text
-helm template $USER ./namespace | kubectl --context admin apply -f -
-kubectl --context admin cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
-kubectl --context admin exec --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
-kubectl --context admin cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
+echo "setting up certsigner"
+kubectl apply -f ./certsigner
+sleep 5
+echo "generating certs"
+mkdir $HOME/.kube/users/$USER
+docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+echo "creating userspace"
+helm template $USER ./namespace | kubectl apply -f -
+echo "copying and signing certs"
+kubectl cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
+kubectl exec certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
+kubectl cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
+echo "deleting certsigner"
+kubectl delete -f ./certsigner

namespace/templates/limitrange.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: default
+  namespace: {{ .Release.Name }}
+spec:
+  limits:
+  - default:
+      memory: 128Mi
+      cpu: 100m
+    defaultRequest:
+      memory: 1Mi
+      cpu: 1m
+    type: Container

namespace/templates/resourcequota.yaml

@@ -9,8 +9,7 @@ spec:
     requests.memory: "24G"
     limits.cpu: "48"
     limits.memory: "64G"
-    hdd.storageclass.storage.k8s.io/requests.storage: 1Ti
-    nvme.storageclass.storage.k8s.io/persistentvolumeclaims: "2"
-    nvme.storageclass.storage.k8s.io/requests.storage: 100Gi
+    nvme.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
+    nvme.storageclass.storage.k8s.io/requests.storage: 0Gi
     external-ssd.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
     external-ssd.storageclass.storage.k8s.io/requests.storage: 0Mi

namespace/templates/role.yaml

@@ -38,6 +38,7 @@ rules:
     - ingressroutes
     - middlewares
     - endpoints
+    - deployments/scale
   verbs: 
     - "*"
 - apiGroups:

wireguard.example

@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey =
+Address = 10.10.0.16/32
+DNS = 10.10.0.1
+
+[Peer]
+PublicKey = G/zeQG4Q/IZhqIGc7v2HNXIMmhp74vQBdbDCwOXDihQ=
+AllowedIPs = 3.14.3.0/24, 10.10.0.1/32
+Endpoint = duco.ddns.net:51820