Script for regenerating the kubeconfig for system:admin user

regenerate-kubeconfig.sh

#!/bin/bash

AUTH_NAME="auth2kube"
NEW_KUBECONFIG="newkubeconfig"

echo "create a certificate request for system:admin user"
openssl req -new -newkey rsa:4096 -nodes -keyout $AUTH_NAME.key -out $AUTH_NAME.csr -subj "/CN=system:admin/O=system:masters"

echo "create signing request resource definition"

oc delete csr $AUTH_NAME-access # Delete old csr with the same name

cat << EOF >> $AUTH_NAME-csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $AUTH_NAME-access
spec:
  groups:
  - system:authenticated
  request: $(cat $AUTH_NAME.csr | base64 | tr -d '\n')
  usages:
  - client auth
EOF

oc create -f $AUTH_NAME-csr.yaml

echo "approve csr and extract client cert"
oc get csr
oc adm certificate approve $AUTH_NAME-access
oc get csr $AUTH_NAME-access -o jsonpath='{.status.certificate}' | base64 -d > $AUTH_NAME-access.crt

echo "add system:admin credentials, context to the kubeconfig"
oc config set-credentials system:admin --client-certificate=$AUTH_NAME-access.crt \
--client-key=$AUTH_NAME.key --embed-certs --kubeconfig=/tmp/$NEW_KUBECONFIG

echo "create context for the system:admin"
oc config set-context system:admin --cluster=$(oc config view -o jsonpath='{.clusters[0].name}') \
--namespace=default --user=system:admin --kubeconfig=/tmp/$NEW_KUBECONFIG

echo "extract certificate authority"
oc -n openshift-authentication rsh `oc get pods -n openshift-authentication -o name | head -1` \
cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > ingress-ca.crt

echo "set certificate authority data"
oc config set-cluster $(oc config view -o jsonpath='{.clusters[0].name}') \
--server=$(oc config view -o jsonpath='{.clusters[0].cluster.server}') --certificate-authority=ingress-ca.crt --kubeconfig=/tmp/$NEW_KUBECONFIG --embed-certs

echo "set current context to system:admin"
oc config use-context system:admin --kubeconfig=/tmp/$NEW_KUBECONFIG

echo "test client certificate authentication with system:admin"
export KUBECONFIG=/tmp/$NEW_KUBECONFIG
oc login -u system:admin
oc get pod -n openshift-console

Tested in ocp4.4.17 but valid in all ocp4 and ocp3(I guess) clusters:

# bash -x regenerate-kubeconfig.sh
+ AUTH_NAME=auth2kube
+ NEW_KUBECONFIG=newkubeconfig
+ echo 'create a certificate request for system:admin user'
create a certificate request for system:admin user
+ openssl req -new -newkey rsa:4096 -nodes -keyout auth2kube.key -out auth2kube.csr -subj /CN=system:admin/O=system:masters
Generating a 4096 bit RSA private key
.......................................................++
....................................++
writing new private key to 'auth2kube.key'
-----
+ echo 'create signing request resource definition'
create signing request resource definition
+ oc delete csr auth2kube-access
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "auth2kube-access" not found
+ cat
++ cat auth2kube.csr
++ base64
++ tr -d '\n'
+ oc create -f auth2kube-csr.yaml
certificatesigningrequest.certificates.k8s.io/auth2kube-access created
+ echo 'approve csr and extract client cert'
approve csr and extract client cert
+ oc get csr
NAME               AGE   REQUESTOR                                            CONDITION
auth2kube-access   1s    admin                                                Pending
dev-aws-926rz      41m   system:serviceaccount:dev-aws:dev-aws-bootstrap-sa   Approved,Issued
+ oc adm certificate approve auth2kube-access
certificatesigningrequest.certificates.k8s.io/auth2kube-access approved
+ oc get csr auth2kube-access -o 'jsonpath={.status.certificate}'
+ base64 -d
+ echo 'add system:admin credentials, context to the kubeconfig'
add system:admin credentials, context to the kubeconfig
+ oc config set-credentials system:admin --client-certificate=auth2kube-access.crt --client-key=auth2kube.key --embed-certs --kubeconfig=/tmp/newkubeconfig
User "system:admin" set.
+ echo 'create context for the system:admin'
create context for the system:admin
++ oc config view -o 'jsonpath={.clusters[0].name}'
+ oc config set-context system:admin --cluster=api-cluster-1502-1502-sandbox373-opentlc-com:6443 --namespace=default --user=system:admin --kubeconfig=/tmp/newkubeconfig
Context "system:admin" modified.
+ echo 'extract certificate authority'
extract certificate authority
++ oc get pods -n openshift-authentication -o name
++ head -1
+ oc -n openshift-authentication rsh pod/oauth-openshift-68b6886c4f-7m9f5 cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
+ echo 'set certificate authority data'
set certificate authority data
++ oc config view -o 'jsonpath={.clusters[0].name}'
++ oc config view -o 'jsonpath={.clusters[0].cluster.server}'
+ oc config set-cluster api-cluster-1502-1502-sandbox373-opentlc-com:6443 --server=https://api.cluster-1502.1502.sandbox373.opentlc.com:6443 --certificate-authority=ingress-ca.crt --kubeconfig=/tmp/newkubeconfig --embed-certs
Cluster "api-cluster-1502-1502-sandbox373-opentlc-com:6443" set.
+ echo 'set current context to system:admin'
set current context to system:admin
+ oc config use-context system:admin --kubeconfig=/tmp/newkubeconfig
Switched to context "system:admin".
+ echo 'test client certificate authentication with system:admin'
test client certificate authentication with system:admin
+ export KUBECONFIG=/tmp/newkubeconfig
+ KUBECONFIG=/tmp/newkubeconfig
+ oc login -u system:admin
Logged into "https://api.cluster-1502.1502.sandbox373.opentlc.com:6443" as "system:admin" using existing credentials.

You have access to 65 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
+ oc get pod -n openshift-console
NAME                        READY   STATUS    RESTARTS   AGE
console-56d5945c85-q7rjp    1/1     Running   0          2d3h
console-56d5945c85-x5669    1/1     Running   0          2d3h
downloads-9cb4cd587-dqdsr   1/1     Running   0          2d3h
downloads-9cb4cd587-m6pzz   1/1     Running   0          2d3h