-
-
Save avoidik/5daa41913e4374363b041b59807bb431 to your computer and use it in GitHub Desktop.
Create Kubernetes user using kubectl csr and cfssl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Create Kubernetes user. Require cfssl. | |
| # | |
| # Usage: | |
| # ./create-user.sh <kubernetes api host> <fulle name> <clusterrole> | |
| # | |
| # Example: | |
| # ./create-user.sh k8s-api.my-domain.com "Jane Doe" my-project:admin | |
| set -e | |
| if [ -z "$1" ]; then | |
| echo "Api host is mandatory" | |
| exit 1 | |
| fi | |
| if [ -z "$2" ]; then | |
| echo "Fullname is mandatory" | |
| exit 1 | |
| fi | |
| if [ -z "$3" ]; then | |
| echo "Cluster role is mandatory" | |
| exit 1 | |
| fi | |
| api_host="$1" | |
| fullname="$2" | |
| cluster_role="$3" | |
| username="$(echo ${fullname/ /.} | tr '[:upper:]' '[:lower:]')" | |
| read -p "Create user ${fullname} (${username}) with cluster role ${cluster_role}? [Y/n]" -n 1 -r | |
| echo | |
| if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then | |
| echo "Canceled." | |
| exit 1 | |
| fi | |
| cat <<EOF | cfssl genkey - | cfssljson -bare client | |
| { | |
| "hosts": [ | |
| "${api_host}" | |
| ], | |
| "CN": "${fullname}", | |
| "key": { | |
| "algo": "ecdsa", | |
| "size": 256 | |
| } | |
| } | |
| EOF | |
| cat <<EOF | kubectl create -f - | |
| apiVersion: certificates.k8s.io/v1beta1 | |
| kind: CertificateSigningRequest | |
| metadata: | |
| name: ${username} | |
| spec: | |
| groups: | |
| - system:authenticated | |
| request: $(cat client.csr | base64 | tr -d '\n') | |
| usages: | |
| - digital signature | |
| - key encipherment | |
| - client auth | |
| username: ${fullname} | |
| EOF | |
| kubectl certificate approve "${username}" | |
| kubectl get csr "${username}" -o jsonpath={.status.certificate} | base64 --decode > client.pem | |
| kubectl create clusterrolebinding "${username}" --clusterrole=${cluster_role} --user="${fullname}" | |
| echo " | |
| ------------------------------------------------------------------------------- | |
| You can now share the instructions and the following files to the user: | |
| * certificate authority - ca.pem | |
| * client certificate - client.pem | |
| * client key - client-key.pem | |
| Find below the informations to get started with the development cluster. | |
| 1. download certificates | |
| 2. run the following command to authenticate | |
| $ kubectl config set-cluster development --server=https://${api_host} --certificate-authority=ca.pem --embed-certs=true | |
| $ kubectl config set-credentials development --client-certificate=client.pem --client-key=client-key.pem --embed-certs=true | |
| $ kubectl config set-context dev --cluster=development --namespace=development --user=janedoe | |
| $ kubectl config use-context dev | |
| " |
kubectl config set-context --current --namespace=blah
kubectl patch service blah -n blah --type='json' --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31111}]'
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR
https://scriptcrunch.com/create-ca-tls-ssl-certificates-keys/