@mdrakiburrahman
Created May 17, 2022 17:42
Generating a User kubeconfig and using that kubeconfig instead of Cluster Admin for onboarding Arc
# Here is a sample set of roles we'd want our SA/User account to have; this can be anything, and the kubeconfig will inherit it
kubectl apply -f https://gist.githubusercontent.com/mdrakiburrahman/d94613872601c397f3a052492f168827/raw/a7909c131beb02f45970f2b605178859c6882555/tina-onboarder-rbac.yaml

# = = = = = = = = =
# Create a kubeconfig from this that overwrites the Cluster Admin kubeconfig we get when we install a new K8s cluster
# = = = = = = = = =

# The Service Account lives in default, but because of the ClusterRoleBinding it has Cluster scope
namespace=default
serviceAccount=arc-data-deployer
clusterName=microk8s-cluster
server=https://172.21.192.194:16443 # Replace for every new cluster

# Cache variables for the kubeconfig
# Note: on Kubernetes 1.24+ a token Secret is no longer created automatically for a ServiceAccount,
# so .secrets[0].name comes back empty; create a kubernetes.io/service-account-token Secret annotated
# with the SA name first, otherwise the two lines after secretName yield an empty CA and token.
secretName=$(kubectl --namespace "$namespace" get serviceaccount "$serviceAccount" -o jsonpath='{.secrets[0].name}')
ca=$(kubectl --namespace "$namespace" get secret/"$secretName" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl --namespace "$namespace" get secret/"$secretName" -o jsonpath='{.data.token}' | base64 --decode)

# Remove the previous cluster-admin kubeconfig
rm "$HOME/.kube/config"
kubectl get pods --all-namespaces # This will not work since we blew away the kubeconfig
# The connection to the server localhost:8080 was refused - did you specify the right host or port?

# Create the scoped kubeconfig (indentation matters: the YAML nesting is what ties cluster, context and user together)
echo "
apiVersion: v1
kind: Config
clusters:
- name: ${clusterName}
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: ${serviceAccount}@${clusterName}
  context:
    cluster: ${clusterName}
    namespace: ${namespace}
    user: ${serviceAccount}
users:
- name: ${serviceAccount}
  user:
    token: ${token}
current-context: ${serviceAccount}@${clusterName}
" >> "$HOME/.kube/config"

# Now, any kubectl command we run takes on the permissions of the SA/User account
kubectl get pods
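As an added example (not part of the gist), the same kubeconfig layout rendered from a POSIX sh function, so the YAML indentation cannot be flattened, plus a check that the token's subject really is the service account you intended before the file replaces your admin credentials. The function names are hypothetical, and the sample token and CA value are constructed for offline use.

```shell
#!/usr/bin/env sh
# Added example, not from the gist: render the scoped kubeconfig from a
# function (so YAML indentation survives) and confirm the embedded token
# belongs to the intended service account. Function names are hypothetical.

# render_kubeconfig CLUSTER SERVER CA_B64 SA NAMESPACE TOKEN -> YAML on stdout
render_kubeconfig() {
  printf '%s\n' \
    'apiVersion: v1' \
    'kind: Config' \
    'clusters:' \
    "- name: $1" \
    '  cluster:' \
    "    certificate-authority-data: $3" \
    "    server: $2" \
    'contexts:' \
    "- name: $4@$1" \
    '  context:' \
    "    cluster: $1" \
    "    namespace: $5" \
    "    user: $4" \
    'users:' \
    "- name: $4" \
    '  user:' \
    "    token: $6" \
    "current-context: $4@$1"
}

# jwt_subject TOKEN -> prints the "sub" claim of the JWT payload (no signature
# check here; the API server verifies signatures). Kubernetes SA tokens carry
# sub=system:serviceaccount:<namespace>:<name>.
jwt_subject() {
  p=$(printf '%s' "$1" | cut -d. -f2 | sed 's/_/\//g; s/-/+/g')   # base64url -> base64
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac       # restore padding
  printf '%s' "$p" | base64 -d 2>/dev/null | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# check_identity TOKEN SA NAMESPACE -> exit 0 only if the subject matches
check_identity() {
  [ "$(jwt_subject "$1")" = "system:serviceaccount:$3:$2" ]
}

# Constructed sample token (header.payload.dummy-signature) for offline use
b64url() { base64 | tr -d '=\n' | sed 's/\//_/g; s/+/-/g'; }
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256"}' | b64url)
  pl=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:arc-data-deployer"}' | b64url)
  printf '%s.%s.dummysig' "$hdr" "$pl"
}
```

Run `check_identity "$token" "$serviceAccount" "$namespace"` on the decoded token from the gist before writing the file; a mismatch means you are about to embed some other identity's credential.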