@manugarg
Last active January 6, 2020 18:45
TLS certificate to authenticate to K8s API Server
# Generate private key for RDS
openssl genrsa -out rds.key 4096

# Create certificate signing request config (config for CSR: [1]).
# Note: the [ v3_ext ] section below is not referenced from [ req ] (there is no
# req_extensions line), so it is not included in the CSR. The key usages are set
# on the Kubernetes CertificateSigningRequest object instead.
cat > /tmp/csr.cnf <<END
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
# CN corresponds to the username in K8s
CN = rds
# O corresponds to the group name in K8s
O = bbmc

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
END
openssl req -config /tmp/csr.cnf -new -key rds.key -nodes -out rds.csr

# Create certificate signing request for kubernetes. The heredoc delimiter is
# quoted so that ${BASE64_CSR} is kept literally for envsubst below (an unquoted
# delimiter would expand it to an empty string before the variable is set).
# Note: certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22. With
# certificates.k8s.io/v1 a spec.signerName is required; for a client cert that
# authenticates to the API server it is kubernetes.io/kube-apiserver-client,
# which only permits the usages "client auth", "digital signature" and
# "key encipherment" (a client cert does not need "server auth").
cat > csr.yaml <<'EOF'
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: rdscsr
spec:
  groups:
  - system:authenticated
  request: ${BASE64_CSR}
  usages:
  - digital signature
  - key encipherment
  - server auth
  - client auth
EOF
# Base64-encode the CSR as a single line and substitute it into the manifest
export BASE64_CSR=$(base64 < ./rds.csr | tr -d '\n')
envsubst < csr.yaml | kubectl apply -f -

# Approve the above request
kubectl certificate approve rdscsr

# Download the issued certificate
kubectl get csr rdscsr -o jsonpath='{.status.certificate}' \
  | base64 --decode > rds.crt

# Now let's give access to the rds user. For that let's create a cluster role
# that gives permission to get and list pods, endpoints and services, and a
# cluster role binding that grants it to the user "rds" (the CN of the cert).
# ClusterRole and ClusterRoleBinding are cluster-scoped, so no namespace is set.
cat <<EOF | kubectl apply -f -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: resource-reader
rules:
- apiGroups: [""]
  resources: ["pods", "endpoints", "services"]
  verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rds-resource-reader
subjects:
- kind: User
  name: rds
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: resource-reader
  apiGroup: rbac.authorization.k8s.io
EOF
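Before handing out rds.crt, it is worth checking what identity the API server will derive from it (user from CN, groups from O), that it chains to the cluster CA, and that it is a client-only certificate. The script below is an added example, not part of the gist; it assumes openssl is installed, and its make_fixture function builds a throwaway CA and client cert (standing in for the cluster CA and the Kubernetes signer) so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: checks to run on the certificate that
# kubectl returned (rds.crt) before using it as a Kubernetes identity.
set -euo pipefail

# Print "user=<CN> groups=<O,O,...>", the identity the API server derives.
cert_identity() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    awk -F= '/^ *CN=/{cn=$2} /^ *O=/{g=g s $2; s=","} END{printf "user=%s groups=%s\n", cn, g}'
}

# Succeed only if $1 chains to the CA in $2, carries the clientAuth EKU and
# does not carry serverAuth (a client identity should not double as a server cert).
check_client_cert() {
  local cert="$1" ca="$2" eku
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
  eku=$(openssl x509 -in "$cert" -noout -text | awk '/X509v3 Extended Key Usage/{getline; print}')
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Server Authentication"*) return 1 ;; esac
}

# Constructed fixture (stands in for the cluster CA and the Kubernetes signer):
# a throwaway CA and a client cert with the gist's subject, CN=rds / O=bbmc.
make_fixture() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=test-cluster-ca" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/rds.key" -out "$d/rds.csr" \
    -subj "/CN=rds/O=bbmc" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$d/client.ext"
  openssl x509 -req -in "$d/rds.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/client.ext" -out "$d/rds.crt" -days 1 2>/dev/null
}

# Usage: ./check-client-cert.sh rds.crt ca.crt  (ca.crt: the cluster CA from your kubeconfig)
if [ $# -eq 2 ]; then
  cert_identity "$1"
  check_client_cert "$1" "$2" && echo "OK: chains to CA, client auth only" || { echo "FAIL"; exit 1; }
fi
```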