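#!/usr/bin/env bash
#
# generate.sh — issue a Kubernetes client certificate for a new cluster admin
# and pack it, together with a kubeconfig installer, into USER_NAME.tar.gz.
#
# Usage: ./generate.sh USER_NAME CLUSTER_NAME HOSTNAME
#   USER_NAME     becomes the certificate CN, the kubeconfig user name and the
#                 basename of every generated file. It must be a lowercase
#                 DNS-subdomain style name, because the CSR object is named
#                 "user-request-USER_NAME".
#   CLUSTER_NAME  kubeconfig cluster and context name written into install.sh
#   HOSTNAME      host of the API server (https://HOSTNAME:API_PORT)
#
# What it does:
#   1. generates an RSA key and a CSR (CN=USER_NAME, O=ADMIN_GROUP) with the
#      openssl container image run through containerd's ctr;
#   2. binds ADMIN_GROUP to the built-in cluster-admin ClusterRole;
#   3. submits and approves a CertificateSigningRequest and waits for the
#      issued certificate;
#   4. writes install.sh, which registers cluster, user and context in the
#      recipient's kubeconfig (run it from inside the extracted directory).
#
# Optional environment:
#   CA_CERT        path to the API server CA certificate. If set, or if a CA
#                  can be read from the admin kubeconfig, install.sh verifies
#                  the server certificate instead of skipping TLS verification.
#   OPENSSL_IMAGE  image used for key/CSR generation
#                  (default docker.io/alpine/openssl:latest; pin a digest for
#                  a reproducible, reviewable toolchain).
#   API_PORT       API server port written into install.sh (default 6443).
#
# Requires: sudo, ctr (containerd), kubectl with cluster-admin access, and
# GNU base64 (-w 0). -x echoes every command, including CSR and certificate
# data (public); the private key itself never appears on a command line.
set -euxo pipefail

readonly ADMIN_GROUP='homma:admin'
readonly BINDING_NAME='homma-admin'
readonly OPENSSL_IMAGE=${OPENSSL_IMAGE:-docker.io/alpine/openssl:latest}
readonly CA_CERT=${CA_CERT:-}
readonly API_PORT=${API_PORT:-6443}
# seconds to wait for the controller manager to sign the approved CSR
readonly CERT_WAIT_SECONDS=60
# Kubernetes object names: lowercase DNS-subdomain characters
readonly NAME_RE='^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
# values interpolated unquoted into install.sh must be one plain word each
readonly WORD_RE='^[][A-Za-z0-9._:-]+$'

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Generate the RSA private key and the CSR in the current directory.
# Globals:   OPENSSL_IMAGE, ADMIN_GROUP (read)
# Arguments: $1 - user name; becomes the CN and the file basename
# Outputs:   <user>.pem (key, mode 0600) and <user>.csr, owned by the
#            invoking user
#######################################
generate_key_and_csr() {
  local user=$1
  local owner_uid
  # The work dir is bind-mounted into the container, which runs as root.
  local -r mount="type=bind,src=$PWD,dst=/ctx,options=rbind:rw"
  # NB: do not assign to UID — it is a read-only variable in bash and the
  # assignment fails; id -u gives the invoking user's uid directly.
  owner_uid=$(id -u)
  sudo ctr run --rm --mount "$mount" "$OPENSSL_IMAGE" oneshot-task \
    openssl genrsa -out "/ctx/$user.pem" 2048
  sudo ctr run --rm --mount "$mount" "$OPENSSL_IMAGE" oneshot-task \
    openssl req -new -key "/ctx/$user.pem" -out "/ctx/$user.csr" \
    -subj "/CN=${user}/O=${ADMIN_GROUP}"
  sudo chown "$owner_uid:$owner_uid" "$user.pem" "$user.csr"
  # the key is the user's credential: nobody else on this host should read it
  chmod 600 "$user.pem"
}

#######################################
# Write the ClusterRoleBinding that grants ADMIN_GROUP cluster-admin.
# Globals:   ADMIN_GROUP, BINDING_NAME (read)
# Outputs:   homma_admin.yaml in the current directory
#######################################
write_admin_binding() {
  cat <<EOS > homma_admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${BINDING_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${ADMIN_GROUP}
EOS
}

#######################################
# Write the CertificateSigningRequest manifest for <user>.csr.
# Arguments: $1 - user name
# Outputs:   <user>.csr.yaml in the current directory
#######################################
write_csr_manifest() {
  local user=$1
  local request
  # the CSR goes into the manifest as a single base64 line (GNU base64 -w 0)
  request=$(base64 -w 0 < "$user.csr")
  cat <<EOS > "$user.csr.yaml"
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-request-$user
spec:
  groups:
  - system:authenticated
  request: $request
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOS
}

#######################################
# Apply the binding, submit and approve the CSR, and fetch the certificate.
# Globals:   CERT_WAIT_SECONDS (read)
# Arguments: $1 - user name
# Outputs:   <user>.crt in the current directory
# Returns:   exits via die if the certificate is not issued in time
#######################################
issue_certificate() {
  local user=$1
  local -r csr_name="user-request-$user"
  local cert_b64='' waited=0
  # apply is idempotent, so re-running for another user is harmless
  sudo kubectl apply -f homma_admin.yaml
  sudo kubectl create -f "$user.csr.yaml"
  sudo kubectl certificate approve "$csr_name"
  # Approval only marks the CSR; the controller manager signs it
  # asynchronously, so .status.certificate can still be empty right after
  # approve. Polling avoids writing an empty <user>.crt.
  while :; do
    cert_b64=$(sudo kubectl get csr "$csr_name" -o jsonpath='{.status.certificate}')
    if [[ -n "$cert_b64" ]]; then
      break
    fi
    (( waited < CERT_WAIT_SECONDS )) \
      || die "timed out waiting for the certificate of CSR $csr_name"
    sleep 1
    waited=$((waited + 1))
  done
  printf '%s' "$cert_b64" | base64 -d > "$user.crt"
}

#######################################
# Materialise the API server CA as ca.crt in the current directory.
# Globals:   CA_CERT (read)
# Returns:   0 if ca.crt was written, 1 if no CA is available
#######################################
resolve_ca_cert() {
  local ca_b64
  if [[ -n "$CA_CERT" ]]; then
    cp -- "$CA_CERT" ca.crt
    return 0
  fi
  # Fall back to the CA recorded in the kubeconfig kubectl is using now
  # (empty when that kubeconfig references the CA by file path instead).
  ca_b64=$(sudo kubectl config view --raw --minify \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' || true)
  [[ -n "$ca_b64" ]] || return 1
  printf '%s' "$ca_b64" | base64 -d > ca.crt
}

#######################################
# Write install.sh, which adds cluster, user and context to a kubeconfig.
# Globals:   API_PORT (read)
# Arguments: $1 - user name, $2 - cluster name, $3 - API server host
# Outputs:   install.sh (and ca.crt when a CA is available)
#######################################
write_install_script() {
  local user=$1 cluster=$2 api_host=$3
  local -r context_name=$cluster
  local server_opts
  if resolve_ca_cert; then
    # install.sh runs from the extracted directory, next to ca.crt, and
    # --embed-certs copies the CA into the kubeconfig
    server_opts='--certificate-authority=ca.crt --embed-certs=true'
  else
    printf 'warning: no CA certificate available; install.sh will skip TLS verification of %s\n' \
      "$api_host" >&2
    server_opts='--insecure-skip-tls-verify=true'
  fi
  # unquoted here-doc: everything is expanded now, at generation time
  cat <<EOS > install.sh
kubectl config set-cluster $cluster $server_opts --server=https://$api_host:$API_PORT
kubectl config set-credentials $user --client-certificate=$user.crt --client-key=$user.pem --embed-certs=true
kubectl config set-context $context_name --cluster=$cluster --user=$user
kubectl config use-context $context_name
EOS
}

#######################################
# Entry point: validate arguments, build everything in ./USER_NAME, pack it
# into USER_NAME.tar.gz and remove the working directory.
# Arguments: USER_NAME CLUSTER_NAME HOSTNAME
#######################################
main() {
  if [ $# -ne 3 ]; then
    echo "./generate.sh USER_NAME CLUSTER_NAME HOSTNAME" 1>&2
    exit 1
  fi
  local user_name=$1 cluster_name=$2 api_host=$3
  # user_name is used as a directory, file basename, CSR subject, YAML value
  # and Kubernetes object name, so restrict it to what all of them accept
  [[ "$user_name" =~ $NAME_RE ]] \
    || die "USER_NAME must be a lowercase DNS-subdomain style name: $user_name"
  [[ "$cluster_name" =~ $WORD_RE ]] \
    || die "CLUSTER_NAME must be a single plain word: $cluster_name"
  [[ "$api_host" =~ $WORD_RE ]] \
    || die "HOSTNAME must be a single plain word: $api_host"

  mkdir -- "$user_name"
  cd -- "$user_name"
  generate_key_and_csr "$user_name"
  write_admin_binding
  write_csr_manifest "$user_name"
  issue_certificate "$user_name"
  write_install_script "$user_name" "$cluster_name" "$api_host"
  cd ..
  tar czvf "$user_name.tar.gz" "$user_name"
  # the archive carries the private key; keep it private on this host too
  chmod 600 "$user_name.tar.gz"
  rm -rf -- "${user_name:?}"
}

main "$@"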