Skip to content

Instantly share code, notes, and snippets.

@so0k

so0k/add-user.sh Secret

Created Apr 20, 2017
Embed
What would you like to do?
Kubectl add user 1.5
#!/bin/bash
# Add user to k8s 1.5 using service account, no RBAC (unsafe)
if [[ -z "$1" ]] ;then
echo "usage: $0 <username>"
exit 1
fi
user=$1
kubectl create sa ${user}
secret=$(kubectl get sa ${user} -o json | jq -r .secrets[].name)
echo "secret = ${secret}"
kubectl get secret ${secret} -o json | jq -r '.data["ca.crt"]' | base64 -D > ca.crt
user_token=$(kubectl get secret ${secret} -o json | jq -r '.data["token"]' | base64 -D)
echo "token = ${user_token}"
c=`kubectl config current-context`
echo "context = $c"
cluster_name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`
echo "cluster_name= ${cluster_name}"
endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"${cluster_name}\")].cluster.server}"`
echo "endpoint = ${endpoint}"
# Set up the config
KUBECONFIG=k8s-${user}-conf kubectl config set-cluster ${cluster_name} \
--embed-certs=true \
--server=${endpoint} \
--certificate-authority=./ca.crt
echo ">>>>>>>>>>>>ca.crt"
cat ca.crt
echo "<<<<<<<<<<<<ca.crt"
echo ">>>>>>>>>>>>${user}-setup.sh"
echo kubectl config set-cluster ${cluster_name} \
--embed-certs=true \
--server=${endpoint} \
--certificate-authority=./ca.crt
echo kubectl config set-credentials ${user}-${cluster_name#cluster-} --token=${user_token}
echo kubectl config set-context ${user}-${cluster_name#cluster-} \
--cluster=${cluster_name} \
--user=${user}-${cluster_name#cluster-}
echo kubectl config use-context ${user}-${cluster_name#cluster-}
echo "<<<<<<<<<<<<${user}-setup.sh"
echo "...preparing k8s-${user}-conf"
KUBECONFIG=k8s-${user}-conf kubectl config set-credentials ${user}-${cluster_name#cluster-} --token=${user_token}
KUBECONFIG=k8s-${user}-conf kubectl config set-context ${user}-${cluster_name#cluster-} \
--cluster=${cluster_name} \
--user=${user}-${cluster_name#cluster-}
KUBECONFIG=k8s-${user}-conf kubectl config use-context ${user}-${cluster_name#cluster-}
echo "done! Test with: "
echo "KUBECONFIG=k8s-${user}-conf kubectl get no"
@so0k

This comment has been minimized.

Copy link
Owner Author

@so0k so0k commented Nov 26, 2018

using jq version which has base64d function to decode base64 strings

$ jq --version
jq-1.6

and with_entries on the values, we can fetch all data quickly:

sa_name="droneio"

cluster_name="mycluster"
cluster_domain="example.com"

# we name our context by domain, so our context name is:
my_context="${cluster_name}.${cluster_domain}"

sa_secret=$(kubectl get --context ${my_context} sa ${sa_name} -o json | jq -r .secrets[0].name)
kubectl --context  ${my_context} get secret ${sa_secret} -o json | jq '.data | with_entries(.value |= @base64d)'

or just use a golang tool to automate Repository configuration - https://github.com/honestbee/devops-tools/tree/master/drone-kubeconfig#drone-kubeconfig

@so0k

This comment has been minimized.

Copy link
Owner Author

@so0k so0k commented Jun 17, 2020

btw, to decrypt a kube secret with jq - just use map_values(@base64d) instead of with_entries(.value |= @base64d)

@searsaw

This comment has been minimized.

Copy link

@searsaw searsaw commented Aug 25, 2020

To make this compatible with different versions of base64, use the --decode flag instead of -D.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.