Skip to content

Instantly share code, notes, and snippets.

@rcarrata
Last active October 27, 2023 19:27
Show Gist options
  • Star 11 You must be signed in to star a gist
  • Fork 6 You must be signed in to fork a gist
  • Save rcarrata/016da295c1421cccbfbd66ed9a7922bc to your computer and use it in GitHub Desktop.
Save rcarrata/016da295c1421cccbfbd66ed9a7922bc to your computer and use it in GitHub Desktop.
Script for regenerating the kubeconfig for system:admin user
#!/bin/bash
AUTH_NAME="auth2kube"
NEW_KUBECONFIG="newkubeconfig"
echo "create a certificate request for system:admin user"
openssl req -new -newkey rsa:4096 -nodes -keyout $AUTH_NAME.key -out $AUTH_NAME.csr -subj "/CN=system:admin"
echo "create signing request resource definition"
oc delete csr $AUTH_NAME-access # Delete old csr with the same name
cat << EOF >> $AUTH_NAME-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: $AUTH_NAME-access
spec:
signerName: kubernetes.io/kube-apiserver-client
groups:
- system:authenticated
request: $(cat $AUTH_NAME.csr | base64 | tr -d '\n')
usages:
- client auth
EOF
oc create -f $AUTH_NAME-csr.yaml
echo "approve csr and extract client cert"
oc get csr
oc adm certificate approve $AUTH_NAME-access
oc get csr $AUTH_NAME-access -o jsonpath='{.status.certificate}' | base64 -d > $AUTH_NAME-access.crt
echo "add system:admin credentials, context to the kubeconfig"
oc config set-credentials system:admin --client-certificate=$AUTH_NAME-access.crt \
--client-key=$AUTH_NAME.key --embed-certs --kubeconfig=/tmp/$NEW_KUBECONFIG
echo "create context for the system:admin"
oc config set-context system:admin --cluster=$(oc config view -o jsonpath='{.clusters[0].name}') \
--namespace=default --user=system:admin --kubeconfig=/tmp/$NEW_KUBECONFIG
echo "extract certificate authority"
oc -n openshift-authentication rsh `oc get pods -n openshift-authentication -o name | head -1` \
cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > ingress-ca.crt
echo "set certificate authority data"
oc config set-cluster $(oc config view -o jsonpath='{.clusters[0].name}') \
--server=$(oc config view -o jsonpath='{.clusters[0].cluster.server}') --certificate-authority=ingress-ca.crt --kubeconfig=/tmp/$NEW_KUBECONFIG --embed-certs
echo "set current context to system:admin"
oc config use-context system:admin --kubeconfig=/tmp/$NEW_KUBECONFIG
echo "test client certificate authentication with system:admin"
export KUBECONFIG=/tmp/$NEW_KUBECONFIG
oc login -u system:admin
oc get pod -n openshift-console
@rcarrata
Copy link
Author

glad that helped @lousyd! :)

@rodolof
Copy link

rodolof commented Oct 14, 2021

Hi Roberto, it worked flawlessly for me yesterday in a 4.8 cluster. Then I tried to set a second kubeconfig file for a different cluster, same OCP, same version etc. But it failed. After several hours, I tried with a fresh terminal, and then it worked. I post this here, just in case it happens to anybody else.

Muchísimas gracias, menuda currada, enhorabuena!

@rcarrata
Copy link
Author

@rodolof Thanks for the information and for the comment! And also happy that this scripts helped :)

Gracias a ti! Un abrazo!!

@rcarrata
Copy link
Author

Updated to support also OpenShift 4.9 version

@voyasas
Copy link

voyasas commented Mar 13, 2023

does the KUBECONFIG env variable needs to be set before running all these steps? I got the following error without setting KUBECONFIG:

[root@dstrlaae9201 auth]# oc create -f auth2kube-csr.yaml
error: Missing or incomplete configuration info. Please point to an existing, complete config file:

The problem is we don't have a working kubeconfig. Any suggestion?

@rcarrata
Copy link
Author

@voyasas a valid Kubeconfig in .kube/config or specifying the KUBECONFIG env variable needs to be defined in order to perform this series of commands yes.

@worldofgeese
Copy link

@rcarrata these kubeconfig files are still time-bound. Do you have a method of regenerating a kubeconfig that doesn't expire? I lost my original.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment