Forked from ericchiang/k8s-service-account-kubeconfig.sh
Last active
August 21, 2019 00:58
-
-
Save cmcconnell1/ba663198ddd5f9ee259152cb775675af to your computer and use it in GitHub Desktop.
dynamic generation of kubeconfig files for ci and cd macos and linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # ref: https://gist.github.com/ericchiang/d2a838ddad3f44436ae001a342e1001e | |
| # thanks to ericchiang for the initial gist, just tweaked for macos or linux and dynamic file naming. | |
| # Creates kubeconfig files using tokens. | |
| # Copy these files to where the ci or cd processes/envs run kubectl commands--i.e.: jenkins, etc. | |
| # | |
| # Usage ./k8s-service-account-kubeconfig.sh ( namespace ) ( service account name ) | |
| # i.e.: k8-sevice-account-kubeconfig.sh ci ci | |
| # i.e.: k8-sevice-account-kubeconfig.sh cd cd | |
| # this is for the naming the kubeconfig file naming us "kubeconfig-$KUBE_USER" | |
| # this script is called from the apply script and will be called with the following args: $1=ns $2=user | |
| # they should be the same for users such as ci, cd, etc. | |
| # i.e.: we call this from wrapper script like this: | |
| # ./k8-sevice-account-kubeconfig.sh $KUBE_NS $KUBE_USER | |
| KUBE_NS="$1" | |
| KUBE_USER="$2" | |
| TEMPDIR=$(mktemp -d) | |
| SA_SECRET=$(kubectl get sa -n $KUBE_NS $KUBE_USER -o jsonpath='{.secrets[0].name}') | |
| CLUSTER_URL=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}') | |
| uname=$(uname) | |
| if [[ "${uname}" == "Darwin" ]]; then | |
| # on a Mac with JQ and base64 installed | |
| platform="darwin" | |
| # Pull the bearer token and cluster CA from the service account secret. | |
| BEARER_TOKEN=$(kubectl get secrets -n $KUBE_NS $SA_SECRET -o jsonpath='{.data.token}' | base64 -D) | |
| kubectl get secrets -n $KUBE_NS $SA_SECRET -o jsonpath='{.data.ca\.crt}' | base64 -D > $TEMPDIR/ca.crt | |
| export TOKEN=$(kubectl -n $KUBE_NS get secret $(kubectl -n $KUBE_NS get secret | grep $KUBE_NS | awk '{print $1}') -o json | jq -r '.data.token' | base64 -D) | |
| elif [[ "${uname}" == "Linux" ]]; then | |
| # The other needed item is the token for use with Jenkins. On Ubuntu with jq installed: | |
| platform="linux" | |
| # Pull the bearer token and cluster CA from the service account secret. | |
| BEARER_TOKEN=$(kubectl get secrets -n $KUBE_NS $SA_SECRET -o jsonpath='{.data.token}' | base64 -d) | |
| kubectl get secrets -n $KUBE_NS $SA_SECRET -o jsonpath='{.data.ca\.crt}' | base64 -d > $TEMPDIR/ca.crt | |
| export TOKEN=$(kubectl -n $KUBE_NS get secret $(kubectl -n $KUBE_NS get secret | grep $KUBE_NS | awk '{print $1}') -o json | jq -r '.data.token' | base64 -d) | |
| else | |
| echo "Unknown, unsupported platform: (${uname})." | |
| echo "Supported platforms: Linux, Darwin." | |
| echo "Bailing out." | |
| exit 2 | |
| fi | |
| KUBECONFIG="kubeconfig-${KUBE_USER}" | |
| kubectl config --kubeconfig=$KUBECONFIG \ | |
| set-cluster \ | |
| $CLUSTER_URL \ | |
| --server=$CLUSTER_URL \ | |
| --certificate-authority=$TEMPDIR/ca.crt \ | |
| --embed-certs=true | |
| kubectl config --kubeconfig=$KUBECONFIG \ | |
| set-credentials $KUBE_USER --token=$BEARER_TOKEN | |
| kubectl config --kubeconfig=$KUBECONFIG \ | |
| set-context registry \ | |
| --cluster=$CLUSTER_URL \ | |
| --user=$KUBE_USER | |
| kubectl config --kubeconfig=$KUBECONFIG \ | |
| use-context registry | |
| echo "kubeconfig written to file \"$KUBECONFIG\"" | |
| rm -rf "${TEMPDIR}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment