Rancher: recover admin access to a Kubernetes cluster from a master node, by signing a new `system:masters` client certificate with the node-local cluster CA and writing a kubeconfig for it.
#!/usr/bin/env python3
import os
import sys
import json
import base64
import tempfile
from subprocess import check_output, DEVNULL, run
# cfssl signing policy used for the recovery certificate.  Both the default
# and the "kubernetes" profile give 8760h (one year) of validity.
_ONE_YEAR = "8760h"

# NOTE(review): the certificate this profile signs is only ever used as a
# *client* certificate (kubectl --client-certificate), so "server auth" is
# broader than needed; it is kept here to match the original gist / the
# "Kubernetes The Hard Way" profile it was copied from.
_KUBERNETES_PROFILE = dict(
    usages=["signing", "key encipherment", "server auth", "client auth"],
    expiry=_ONE_YEAR,
)

ca_config = dict(
    signing=dict(
        default=dict(expiry=_ONE_YEAR),
        profiles=dict(kubernetes=_KUBERNETES_PROFILE),
    ),
)
# Subject of the recovery client certificate.  O=system:masters is the group
# the API server treats as cluster-admin regardless of RBAC, so a certificate
# carrying it is as powerful as the CA key that signs it -- handle the
# resulting admin-key.pem accordingly.
_ADMIN_SUBJECT = {
    "C": "US",
    "L": "Portland",
    "O": "system:masters",
    "OU": "Kubernetes The Hard Way",
    "ST": "Oregon",
}

# cfssl CSR request: CN "admin" with a fresh 2048-bit RSA key.
admin_csr = dict(
    CN="admin",
    key=dict(algo="rsa", size=2048),
    names=[_ADMIN_SUBJECT],
)
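def get_tools():
    """Install kubectl (latest stable) and cfssl/cfssljson R1.2 into /usr/local/bin.

    Every download runs ``curl -fsSL`` as an argument list (no shell), so the
    release tag fetched from the network is never interpolated into a command
    line; ``-f`` makes curl fail on HTTP errors instead of saving an error page
    as the "binary", and ``check=True`` aborts before a partial download is
    made executable.  The tag is additionally validated to look like ``vX.Y.Z``
    before it is spliced into a URL.

    Raises:
        RuntimeError: if ``stable.txt`` does not contain a ``vX.Y.Z`` tag.
        subprocess.CalledProcessError: if any curl invocation fails.

    NOTE(review): none of the downloaded binaries is checksum- or
    signature-verified before being installed system-wide, and the cfssl
    release is an unpinned floating URL.  Pin versions and verify the
    publisher's checksums before running this anywhere but a throwaway host.
    """
    release = check_output(
        ['curl', '-fsSL', 'https://storage.googleapis.com/kubernetes-release/release/stable.txt']
    ).decode('utf8').strip()
    # The tag comes from the network; accept only a plain "vX.Y.Z" so an
    # unexpected response cannot turn into a surprising URL/path component.
    if not _is_release_tag(release):
        raise RuntimeError(f'unexpected kubernetes release tag: {release!r}')

    kubectl_url = (
        'https://storage.googleapis.com/kubernetes-release/release/'
        f'{release}/bin/linux/amd64/kubectl'
    )
    # Keep the original's echo of the kubectl download so the operator sees
    # which version was pulled.
    print(f'curl -L {kubectl_url} -o /usr/local/bin/kubectl')

    downloads = [
        (kubectl_url, '/usr/local/bin/kubectl'),
        ('https://pkg.cfssl.org/R1.2/cfssl_linux-amd64', '/usr/local/bin/cfssl'),
        ('https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64', '/usr/local/bin/cfssljson'),
    ]
    for url, dest in downloads:
        run(['curl', '-fsSL', url, '-o', dest], check=True)
        # Equivalent of `chmod +x` for the usual 0644 umask result.
        os.chmod(dest, 0o755)


def _is_release_tag(tag):
    """Return True if *tag* is a plain kubernetes release tag such as ``v1.18.0``."""
    if not tag.startswith('v'):
        return False
    parts = tag[1:].split('.')
    return len(parts) == 3 and all(part.isdigit() for part in parts)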
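def create(path, server):
    """Sign a system:masters client certificate with the cluster CA and point kubectl at it.

    Args:
        path: directory holding the cluster CA pair ``kube-ca.pem`` and
            ``kube-ca-key.pem`` (the script defaults to ``/etc/kubernetes/ssl``).
        server: host or IP of the API server; the kubeconfig cluster entry uses
            ``https://{server}:6443``.

    Side effects: installs kubectl/cfssl via ``get_tools()`` if kubectl is
    missing; writes ``ca-config.json``, ``admin-csr.json`` and the cfssljson
    output (``admin.pem``, ``admin-key.pem``, ``admin.csr``) into the current
    directory, skipping the signing step when ``admin.pem`` already exists;
    then rewrites the caller's kubeconfig with a ``local-admin`` cluster, user
    and context and selects that context.

    Raises:
        subprocess.CalledProcessError: if cfssl, cfssljson or a kubectl
            ``config`` subcommand exits non-zero (the original gist ignored a
            failed cfssl pipeline and carried on with missing files).

    Security notes:
        * ``admin-key.pem`` is a cluster-admin credential valid for the full
          8760h of the signing profile.  The API server does no revocation
          checking, so a leaked key stays usable until it expires: keep the key
          and the generated kubeconfig at mode 0600 and delete them once proper
          access is restored.
        * Reading ``kube-ca-key.pem`` requires root on the master node; run
          this from a directory that is not world-readable.
    """
    if not os.path.exists('/usr/local/bin/kubectl'):
        get_tools()

    ca_cert = os.path.join(path, 'kube-ca.pem')
    ca_key = os.path.join(path, 'kube-ca-key.pem')

    if not os.path.exists('admin.pem'):
        # Close the files explicitly so they are flushed before cfssl reads them.
        with open('ca-config.json', 'w') as fh:
            json.dump(ca_config, fh)
        with open('admin-csr.json', 'w') as fh:
            json.dump(admin_csr, fh)
        # `cfssl gencert ... | cfssljson -bare admin` without a shell: the
        # signed bundle is passed via stdin, so `path` is never interpolated
        # into a command line and a failing cfssl raises instead of being lost.
        signed = check_output([
            'cfssl', 'gencert',
            '-ca', ca_cert,
            '-ca-key', ca_key,
            '-config=ca-config.json',
            '-profile=kubernetes',
            'admin-csr.json',
        ])
        run(['cfssljson', '-bare', 'admin'], input=signed, check=True)
        # Don't rely on cfssljson's default mode for a cluster-admin key.
        os.chmod('admin-key.pem', 0o600)

    name = 'local-admin'
    # stderr of the two set-* calls is discarded as in the original; a
    # non-zero exit still raises CalledProcessError.
    check_output([
        'kubectl', 'config', 'set-cluster', name,
        '--server', f'https://{server}:6443',
        '--embed-certs',
        f'--certificate-authority={ca_cert}',
    ], stderr=DEVNULL)
    check_output([
        'kubectl', 'config', 'set-credentials', name,
        '--embed-certs',
        '--client-certificate', 'admin.pem',
        '--client-key', 'admin-key.pem',
    ], stderr=DEVNULL)
    check_output(['kubectl', 'config', 'set-context', name, '--user', name, '--cluster', name])
    check_output(['kubectl', 'config', 'use-context', name])

    print(f'Test:\nkubectl get pods\nkubectl auth can-i \'*\' \'*\' --all-namespaces\n')
    # Smoke test only; its exit status is deliberately not checked.
    run(['kubectl', 'auth', 'can-i', '*', '*', '--all-namespaces'])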
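if __name__ == '__main__':
    # Usage: script [CA_DIR] [API_SERVER]; both positional arguments are optional.
    if '--help' in sys.argv or '-h' in sys.argv:
        print('Usage: %s [/etc/kubernetes/ssl] [127.0.0.1]' % sys.argv[0])
        # sys.exit rather than the site-provided `exit` builtin, which is not
        # guaranteed to exist (e.g. under `python -S`).
        sys.exit(0)
    path = sys.argv[1] if len(sys.argv) > 1 else '/etc/kubernetes/ssl'
    server = sys.argv[2] if len(sys.argv) > 2 else '127.0.0.1'
    create(path, server)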