@leafney
Last active October 13, 2019 18:32
Get k8s/k3s token and ca.crt from ServiceAccount
#!/bin/bash
# Extract the CA certificate and bearer token from a ServiceAccount's token Secret.
set -e
set -o pipefail
# The token is a credential: create the folder and files readable by the owner only.
umask 077

if [[ -z "$1" ]] || [[ -z "$2" ]]; then
    echo "usage: $0 <service_account_name> <namespace>"
    exit 1
fi

SERVICE_ACCOUNT_NAME="$1"
NAMESPACE="$2"
TARGET_FOLDER="./tmp"

create_target_folder() {
    echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..."
    mkdir -p "${TARGET_FOLDER}"
    printf "done"
}

get_secret_name_from_service_account() {
    echo -e "\\nGetting secret of service account [${SERVICE_ACCOUNT_NAME}] on [${NAMESPACE}]"
    # Quote the jq filter so the shell cannot glob-expand it; use the first listed secret.
    SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r '(.secrets // [])[0].name // empty')
    # Kubernetes 1.24+ no longer auto-creates token Secrets, so the list may be empty.
    if [[ -z "${SECRET_NAME}" ]]; then
        echo "No secret is attached to service account ${SERVICE_ACCOUNT_NAME}" >&2
        exit 1
    fi
    echo -e "\\nSecret name: ${SECRET_NAME}"
}

extract_ca_crt_from_secret() {
    echo -e -n "\\nExtracting ca.crt from secret..."
    kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \
        -r '.data["ca.crt"]' | base64 --decode > "${TARGET_FOLDER}/ca.crt"
    printf "done"
}

get_user_token_from_secret() {
    echo -e -n "\\nExtracting user token from secret..."
    kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 --decode > "${TARGET_FOLDER}/user.token"
    # Terminate the token file with a newline.
    echo -e -n "\\n" >> "${TARGET_FOLDER}/user.token"
    printf "done"
}

create_target_folder
get_secret_name_from_service_account
extract_ca_crt_from_secret
get_user_token_from_secret
echo -e "\\nAll done!"

leafney commented Oct 13, 2019

How to use?

You need to specify two parameters: service_account_name and namespace.

Install the jq package first.

Ubuntu
sudo apt-get install jq
CentOS
sudo yum -y install epel-release
sudo yum clean all
sudo yum makecache

sudo yum install jq
Mac
brew install jq

Example

$ sh ./show_k8s_ca_and_token_from_service_account.sh traefik-ingress-controller kube-system
Creating target directory to hold files in ./tmp...done
Getting secret of service account [traefik-ingress-controller] on [kube-system]

Secret name: traefik-ingress-controller-token-zsbq5

Extracting ca.crt from secret...done
Extracting user token from secret...done
All done!

$ ls tmp/
ca.crt  user.token

$ cat tmp/ca.crt
-----BEGIN CERTIFICATE-----
MIIBVzCB/qADAgECAgEAMAoGCCqGSM49BAMCMCMxITA...
-----END CERTIFICATE-----

$ cat tmp/user.token
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5l...

Reference from https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
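
Added example, not part of the original gist or its comment: the extracted `user.token` is a JWT, and a token taken from a ServiceAccount Secret carries no `exp` claim, so it stays valid until the Secret is deleted. The sketch below decodes the claims to show which identity a token file grants and whether it expires; all function names and the sample claims are constructed for illustration.

```shell
#!/bin/bash
# Added example: read the claims inside an extracted service-account token.
# Function names and the sample claims are constructed for illustration.

# Decode one base64url JWT segment to its JSON text.
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  # JWTs drop '=' padding; restore it so base64 accepts the input.
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 --decode
}

# Print the claims JSON (second segment) of the JWT stored in file $1.
token_claims() {
  local payload
  payload=$(tr -d '\r\n' < "$1" | cut -s -d. -f2)
  [ -n "$payload" ] || return 1
  b64url_decode "$payload"
}

# Print the "sub" claim: system:serviceaccount:<namespace>:<name>.
token_subject() {
  token_claims "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Print the "exp" timestamp; exit status 1 means the token never expires.
token_expiry() {
  token_claims "$1" | grep -oE '"exp":[0-9]+' | cut -d: -f2 | grep .
}

# Helpers that build an unsigned sample token from claims JSON (test input only).
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }
make_sample_token() {
  printf '%s.%s.%s\n' \
    "$(printf '%s' '{"alg":"RS256","kid":""}' | b64url_encode)" \
    "$(printf '%s' "$1" | b64url_encode)" "constructed-signature"
}

# Report on the file written by the script above, if it is present.
if [ -f ./tmp/user.token ]; then
  echo "subject: $(token_subject ./tmp/user.token)"
  token_expiry ./tmp/user.token || echo "no exp claim: this token does not expire"
fi
```
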
