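#!/bin/bash
# Generate a client certificate for a new Kubernetes user, bind the
# "homma:admin" group to the built-in cluster-admin ClusterRole, and bundle
# a ready-to-run kubeconfig installer into USER_NAME.tar.gz.
#
# Usage: ./generate.sh USER_NAME CLUSTER_NAME HOSTNAME [CA_CERT]
#   USER_NAME     CN of the certificate; also the working directory and tarball name
#   CLUSTER_NAME  cluster (and context) name written to the kubeconfig
#   HOSTNAME      API server host; the installer points at https://HOSTNAME:6443
#   CA_CERT       optional path to the cluster CA certificate. When given it is
#                 copied into the bundle and embedded by install.sh so the client
#                 verifies the API server; without it install.sh falls back to
#                 --insecure-skip-tls-verify=true as before.
#
# Requires sudo, containerd (ctr) and a kubectl with cluster-admin access.
# The private key never leaves the USER_NAME directory except inside the
# tarball, so treat the tarball as a secret.
#
# Strict mode is set here rather than on the shebang so it survives
# "bash generate.sh"; -x is kept from the original for tracing.
set -euxo pipefail

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  printf 'Usage: %s USER_NAME CLUSTER_NAME HOSTNAME [CA_CERT]\n' "${0##*/}" >&2
  exit 1
}

#######################################
# Run openssl in the alpine/openssl image with the current directory mounted
# at /ctx, so no local openssl install is needed. The image tag is unpinned
# (:latest), as in the original; pin it if reproducible builds matter.
# Arguments: openssl subcommand and options
#######################################
run_openssl() {
  sudo ctr run --rm \
    --mount "type=bind,src=$PWD,dst=/ctx,options=rbind:rw" \
    docker.io/alpine/openssl:latest oneshot-task openssl "$@"
}

#######################################
# Entry point.
# Arguments: USER_NAME CLUSTER_NAME HOSTNAME [CA_CERT]
# Outputs:   USER_NAME.tar.gz in the current directory
# Returns:   0 on success, 1 on bad arguments or if no certificate is issued
#######################################
main() {
  if (( $# < 3 || $# > 4 )); then
    usage
  fi
  local -r user_name=$1
  local -r cluster_name=$2
  # Not called HOSTNAME: that shadows the shell's own variable.
  local -r api_host=$3
  local -r ca_cert=${4-}
  local -r context_name=$cluster_name

  # The name is used as a directory, as file prefixes and finally in rm -rf;
  # reject values that could escape the working directory or parse as options.
  case "$user_name" in
    ''|.|..|*/*|-*)
      printf 'invalid USER_NAME: %s\n' "$user_name" >&2
      exit 1
      ;;
  esac
  if [[ -n "$ca_cert" && ! -r "$ca_cert" ]]; then
    printf 'CA certificate not readable: %s\n' "$ca_cert" >&2
    exit 1
  fi

  mkdir -- "$user_name"
  # Copy before chdir so a relative CA_CERT path still resolves.
  if [[ -n "$ca_cert" ]]; then
    cp -- "$ca_cert" "$user_name/ca.crt"
  fi
  cd -- "$user_name"

  # Key pair and CSR. CN becomes the Kubernetes username; O becomes the group
  # that the ClusterRoleBinding below maps to cluster-admin.
  run_openssl genrsa -out "/ctx/$user_name.pem" 2048
  run_openssl req -new -key "/ctx/$user_name.pem" -out "/ctx/$user_name.csr" \
    -subj "/CN=${user_name}/O=homma:admin"

  # The container writes as root; hand the files back to the invoking user and
  # keep the private key owner-readable only. (UID is a read-only bash
  # variable, so the original "UID=..." assignment could not succeed.)
  local uid
  uid=$(id -u)
  sudo chown "$uid:$uid" "$user_name.pem" "$user_name.csr"
  chmod 600 "$user_name.pem"

  local request
  request=$(base64 -w 0 < "$user_name.csr")

  # Static manifest: quoted delimiter, nothing to expand.
  cat <<'EOS' > homma_admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: homma-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: homma:admin
EOS

  cat <<EOS > "$user_name.csr.yaml"
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user-request-$user_name
spec:
  groups:
  - system:authenticated
  request: $request
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOS

  # apply is idempotent for the binding; create deliberately fails if a CSR of
  # the same name is still present from an earlier run.
  sudo kubectl apply -f homma_admin.yaml
  sudo kubectl create -f "$user_name.csr.yaml"
  sudo kubectl certificate approve "user-request-$user_name"

  # The signer issues the certificate asynchronously after approval; reading
  # .status.certificate immediately can yield an empty file, so poll briefly.
  local cert_b64='' i
  for ((i = 0; i < 30; i++)); do
    cert_b64=$(sudo kubectl get csr "user-request-$user_name" \
      -o jsonpath='{.status.certificate}')
    [[ -n "$cert_b64" ]] && break
    sleep 1
  done
  if [[ -z "$cert_b64" ]]; then
    printf 'certificate for %s was not issued in time\n' "$user_name" >&2
    exit 1
  fi
  printf '%s' "$cert_b64" | base64 -d > "$user_name.crt"

  local cluster_flags
  if [[ -n "$ca_cert" ]]; then
    cluster_flags='--certificate-authority=ca.crt --embed-certs=true'
  else
    # Without a CA the installer disables server verification, so the client
    # cannot tell a genuine API server from an impersonating one. Supply
    # CA_CERT as the 4th argument to avoid this.
    cluster_flags='--insecure-skip-tls-verify=true'
  fi
  # Paths are relative: install.sh must be run from inside the extracted directory.
  cat <<EOS > install.sh
kubectl config set-cluster $cluster_name $cluster_flags --server=https://$api_host:6443
kubectl config set-credentials $user_name --client-certificate=$user_name.crt --client-key=$user_name.pem --embed-certs=true
kubectl config set-context $context_name --cluster=$cluster_name --user=$user_name
kubectl config use-context $context_name
EOS

  cd ..
  tar czvf "$user_name.tar.gz" "$user_name"
  # :? aborts rather than expanding to "rm -rf" of nothing/cwd if the name were empty.
  rm -rf -- "${user_name:?}"
}

main "$@"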