@miry
Last active September 3, 2023 06:32
Extract certificate from the kubernetes config.
require 'optparse'
require 'yaml'
require 'base64'

options = {
  config_path: File.join(ENV['HOME'], '.kube', 'config'),
  write_dir: File.join(ENV['HOME'], '.kube')
}

OptionParser.new do |opts|
  opts.banner = "Usage: extract_crt.rb [options]"
  opts.on('-s', '--source FILE_PATH', 'Path to the kube config') { |v| options[:config_path] = v }
  opts.on('-d', '--destination DIR', 'Directory where the key and certs are saved') { |v| options[:write_dir] = v }
end.parse!

kube_path = options[:write_dir]
file_config = File.read options[:config_path]
# safe_load: a kubeconfig is plain data, so arbitrary YAML object tags are refused
config = YAML.safe_load file_config

# Cluster CA certificate (public, world-readable is fine)
ca = Base64.decode64 config["clusters"][0]["cluster"]["certificate-authority-data"]
File.open(File.join(kube_path, 'ca.crt'), File::CREAT|File::TRUNC|File::RDWR, 0644) do |f|
  f.write(ca)
end

# Client certificate (public)
client_crt = Base64.decode64 config["users"][0]["user"]["client-certificate-data"]
File.open(File.join(kube_path, 'kubecfg.crt'), File::CREAT|File::TRUNC|File::RDWR, 0644) do |f|
  f.write(client_crt)
end

# Client private key: readable by the owner only
client_key = Base64.decode64 config["users"][0]["user"]["client-key-data"]
File.open(File.join(kube_path, 'kubecfg.key'), File::CREAT|File::TRUNC|File::RDWR, 0600) do |f|
  f.chmod(0600) # an existing file keeps its old mode, so tighten it before writing
  f.write(client_key)
end

#!/bin/bash
# Prompts for an export password, which encrypts the PKCS#12 bundle
openssl pkcs12 -export -clcerts -inkey ~/.kube/kubecfg.key -in ~/.kube/kubecfg.crt -out ~/.kube/kubecfg.p12 -name "kubernetes-client"
# macOS: open the bundle with its default handler so it can be imported
open ~/.kube/kubecfg.p12
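
The script above reads `clusters[0]` and `users[0]`, which need not be the entries the active context uses. The following is an added example, not part of the gist, that goes a step further: it resolves `current-context`, confirms the key belongs to the certificate, and writes the key owner-only. `sample_kubeconfig` and `extract_credentials` are hypothetical names, and the sample config is constructed.

```ruby
require 'yaml'
require 'openssl'

# Constructed sample: throwaway key and self-signed cert; current-context is the 2nd entry.
def sample_kubeconfig
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sample-user')
  cert.public_key = key
  cert.serial = 1
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  crt, k = [cert.to_pem, key.to_pem].map { |s| [s].pack('m0') }
  ctx = ->(n) { { 'name' => n, 'context' => { 'cluster' => n, 'user' => n } } }
  { 'current-context' => 'prod', 'contexts' => [ctx.('dev'), ctx.('prod')],
    'clusters' => [{ 'name' => 'dev', 'cluster' => {} },
                   { 'name' => 'prod', 'cluster' => { 'certificate-authority-data' => crt } }],
    'users' => [{ 'name' => 'dev', 'user' => { 'token' => 'constructed' } },
                { 'name' => 'prod', 'user' => { 'client-certificate-data' => crt,
                                                'client-key-data' => k } }] }.to_yaml
end

# Resolve the cluster and user named by current-context (not index 0), check
# that the key belongs to the certificate, then write the files.
def extract_credentials(kubeconfig_yaml, dir)
  config = YAML.safe_load(kubeconfig_yaml)
  ctx = config['contexts'].find { |c| c['name'] == config['current-context'] }
  raise ArgumentError, 'current-context not found' unless ctx
  pick = ->(list, kind) { list.find { |e| e['name'] == ctx['context'][kind] }&.dig(kind) || {} }
  cluster, user = pick.(config['clusters'], 'cluster'), pick.(config['users'], 'user')
  blobs = { 'ca.crt' => cluster['certificate-authority-data'],
            'kubecfg.crt' => user['client-certificate-data'],
            'kubecfg.key' => user['client-key-data'] }
  # File-path, token or exec-plugin credentials carry no inline data.
  missing = blobs.select { |_, v| v.nil? }.keys
  raise ArgumentError, "no inline data for #{missing.join(', ')}" unless missing.empty?
  pem = blobs.transform_values { |v| v.unpack1('m') } # same decoding as Base64.decode64
  cert = OpenSSL::X509::Certificate.new(pem['kubecfg.crt'])
  matches = cert.check_private_key(OpenSSL::PKey.read(pem['kubecfg.key']))
  raise ArgumentError, 'client key does not match client certificate' unless matches
  pem.map do |name, data|
    mode = name.end_with?('.key') ? 0o600 : 0o644
    File.open(File.join(dir, name), File::CREAT | File::TRUNC | File::WRONLY, mode) do |f|
      f.chmod(mode) # a pre-existing file would otherwise keep its old mode
      f.write(data)
    end
    File.join(dir, name)
  end
end
```
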
@bjethwan

bjethwan commented Apr 6, 2019

@carlosonunez
I think you were trying to write "-out -" in place of "-in -"?

sudo cat $KUBECONFIG_PATH | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d | openssl x509 -text -out -

@chris-cmsoft

Late chime in here.

# minify for current
# raw for full output
kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}'

@risentveber

Seems full version is like that:

kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -D | openssl x509 -text -out -

@wahmedswl

Seems like there is a mistake, it should be like

kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -d | openssl x509 -text -out -

@migounette

A small update with the user part... thanks for your valuable inputs...

# Extract the Cluster Certificate Authority
$ kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -d | openssl x509 -text -out -
...

# Extract the Client Certificate
$ kubectl config view --minify --raw --output 'jsonpath={..user.client-certificate-data}' | base64 -d | openssl x509 -text -out -
...

# Extract the Client Private Key
$ kubectl config view --minify --raw --output 'jsonpath={..user.client-key-data}' | base64 -d
...

For Windows users

choco install base64
choco install openssl
