@marcelaraujo
Last active March 17, 2020 17:35
Get the Service Account and Token. Generate the Kubeconfig
# Update these to match your environment
SERVICE_ACCOUNT_NAME=spinnaker-service-account
CONTEXT=$(kubectl config current-context)
NAMESPACE=spinnaker
NEW_CONTEXT=spinnaker
KUBECONFIG_FILE="kubeconfig-sa"

# Look up the token secret that the cluster generated for the service account.
# Note: on Kubernetes 1.24+ service accounts no longer get a token secret
# automatically, so .secrets[0] is empty there; create a secret of type
# kubernetes.io/service-account-token annotated with the SA name first.
SECRET_NAME=$(kubectl get serviceaccount ${SERVICE_ACCOUNT_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.secrets[0].name}')

# Read the bearer token out of that secret (stored base64-encoded).
TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
  --context ${CONTEXT} \
  --namespace ${NAMESPACE} \
  -o jsonpath='{.data.token}')
TOKEN=$(echo ${TOKEN_DATA} | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp

# Switch working context to correct context
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}

# Minify (keep only the current cluster/context/user, embed the CA)
kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
  config view --flatten --minify > ${KUBECONFIG_FILE}.tmp

# Rename context
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  rename-context ${CONTEXT} ${NEW_CONTEXT}

# Create token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
  --token ${TOKEN}

# Set context to use token user
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user

# Set context to correct namespace
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}

# Flatten/minify kubeconfig. --minify drops the original (admin) user entry,
# so the result carries only the service-account token; that token is a
# long-lived credential, so treat the resulting file as a secret.
kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
  view --flatten --minify > ${KUBECONFIG_FILE}

# Remove tmp
rm ${KUBECONFIG_FILE}.full.tmp
rm ${KUBECONFIG_FILE}.tmp
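After the script has written kubeconfig-sa, the file should contain exactly one cluster, one context and one token-only user, scoped to the intended namespace, with the CA embedded. The check below is an added example (not part of the gist) that audits the JSON form of such a file, as produced by `kubectl --kubeconfig kubeconfig-sa config view --raw -o json`; the sample kubeconfig and the unsigned token inside it are constructed for the example, and the token's claims are only decoded for inspection, never verified.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    # Decode the payload segment only; this does NOT verify the signature
    # (only the API server can validate the token), it is for inspection.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audit_sa_kubeconfig(cfg: dict, sa_name: str, namespace: str) -> list:
    """Return findings for a kubeconfig dict; an empty list means it is minified, token-only and scoped as intended."""
    findings = []
    for key in ("clusters", "contexts", "users"):
        if len(cfg.get(key, [])) != 1:
            findings.append(f"expected exactly one entry under {key}")
    ctx = next((c["context"] for c in cfg.get("contexts", [])
                if c["name"] == cfg.get("current-context")), None)
    if ctx is None:
        return findings + ["current-context does not name an existing context"]
    if ctx.get("namespace") != namespace:
        findings.append(f"context namespace is {ctx.get('namespace')!r}, expected {namespace!r}")
    user = next((u["user"] for u in cfg["users"] if u["name"] == ctx["user"]), {})
    if "client-certificate-data" in user or "client-key-data" in user:
        findings.append("user entry carries a client certificate; only the SA token belongs here")
    if not user.get("token"):
        findings.append("user entry has no bearer token")
    elif jwt_claims(user["token"]).get("sub") != f"system:serviceaccount:{namespace}:{sa_name}":
        findings.append("token subject is not the expected service account")
    cluster = next((c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"]), {})
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("cluster entry disables TLS verification")
    if "certificate-authority-data" not in cluster:
        findings.append("cluster entry has no embedded CA; regenerate with --flatten")
    return findings

def _fake_token(namespace: str, sa_name: str) -> str:
    # Constructed, unsigned stand-in for a legacy service-account JWT (sample data only).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    claims = {"iss": "kubernetes/serviceaccount", "kubernetes.io/serviceaccount/namespace": namespace,
              "sub": f"system:serviceaccount:{namespace}:{sa_name}"}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed sample shaped like the file the script above writes (all values are made up).
SAMPLE = {
    "apiVersion": "v1", "kind": "Config", "current-context": "spinnaker",
    "clusters": [{"name": "prod", "cluster": {"server": "https://10.0.0.1:6443", "certificate-authority-data": "Q0EgREFUQQ=="}}],
    "contexts": [{"name": "spinnaker", "context": {"cluster": "prod",
                  "user": "prod-spinnaker-token-user", "namespace": "spinnaker"}}],
    "users": [{"name": "prod-spinnaker-token-user",
               "user": {"token": _fake_token("spinnaker", "spinnaker-service-account")}}],
}
```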
# spinnaker-clusterrolebinding.yml
# Binds the service account to the built-in cluster-admin ClusterRole, i.e.
# full control of the whole cluster. Prefer the namespaced Role/RoleBinding
# in the next file when Spinnaker only needs to deploy into specific namespaces.
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRoleBinding
metadata:
  name: spinnaker-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: spinnaker-service-account
  namespace: NAMESPACE # Replace with the namespace where the service account lives
# spinnaker-role-and-rolebinding-target.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spinnaker-role
  namespace: target # Should be namespace you are granting access to
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"] # Full access, but limited to the target namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-rolebinding
  namespace: target # Should be namespace you are granting access to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spinnaker-role # Should match name of Role
subjects:
- namespace: source # Should match namespace where SA lives
  kind: ServiceAccount
  name: spinnaker-service-account # Should match service account name, above
# spinnaker-service-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: NAMESPACE # Replace with the namespace the service account should live in