@stefanotorresi
Last active February 4, 2019 19:23
Bash script to rotate DigitalOcean Kubernetes keys
#!/usr/bin/env bash
# Fetch the kubeconfig of each named DigitalOcean Kubernetes cluster with doctl
# and write the embedded client certificate and key to the current directory.
set -euo pipefail

need() {  # need <command> <homepage>: abort unless <command> is on PATH
  if ! command -v "$1" > /dev/null 2>&1; then
    echo "This script needs $1: $2" >&2
    exit 1
  fi
}
need doctl https://github.com/digitalocean/doctl
need jq    https://stedolan.github.io/jq/     # checked but not used by this script
need yq    http://mikefarah.github.io/yq/     # yq v2 ("yq read" syntax)

show_usage() {
  echo "Usage: rotate-do-keys <cluster-name>..." >&2
  exit 1
}

[ $# -gt 0 ] || show_usage

for CLUSTER_NAME in "$@"; do
  echo "Rotating keys for ${CLUSTER_NAME}..."
  # Not named KUBECONFIG on purpose: if that variable is exported in the caller's
  # environment, kubectl would try to read the YAML text as a file path.
  KUBECONFIG_YAML=$(doctl kubernetes clusters kubeconfig show "$CLUSTER_NAME")
  USERNAME=$(yq read - 'users[0].name' <<< "$KUBECONFIG_YAML")
  # The key alone authenticates as this user: create the files owner-readable only.
  umask 077
  rm -f "${USERNAME}.crt" "${USERNAME}.key"
  yq read - 'users[0].user.client-certificate-data' <<< "$KUBECONFIG_YAML" | base64 -d > "${USERNAME}.crt"
  yq read - 'users[0].user.client-key-data'         <<< "$KUBECONFIG_YAML" | base64 -d > "${USERNAME}.key"
  echo "Done."
  echo "Keys are in:"
  echo "  $(pwd)/${USERNAME}.crt"
  echo "  $(pwd)/${USERNAME}.key"
done
stefanotorresi commented Feb 4, 2019

Reminder to self: of course it turns out this is completely useless because of https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins, which is supported by the undocumented command doctl kubernetes cluster kubeconfig exec-credential.

Refer to the output of doctl kube cluster kubeconfig save.
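The script above only makes sense when the kubeconfig user carries static client-certificate-data and client-key-data; with the exec credential plugin the comment mentions, kubectl calls doctl for credentials on demand and there is no static key to dump or rotate. The following is an added example, not code from the gist or from doctl: it scans a kubeconfig for a named user, reports whether that user is static or exec-based, and extracts the static pair with owner-only permissions (what the script does, minus the world-readable files). The function names (kubeconfig_user_auth_kind, kubeconfig_user_field, extract_static_creds), the sample kubeconfigs and the fake PEM bodies are constructed for this example; the exec-plugin layout is an assumed approximation of what doctl kubernetes cluster kubeconfig save writes, and the cluster ID in it is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: tell whether a kubeconfig user carries
# static client-certificate credentials (what the script above extracts) or a
# client-go exec credential plugin, and extract the static ones safely.
set -eu

# Print "static", "exec" or "unknown" for the users[] entry named USER ($2) in
# the kubeconfig FILE ($1). Tool-written kubeconfigs are plain two-space
# indented YAML, which is all this awk scanner needs to handle.
kubeconfig_user_auth_kind() {
  awk -v user="$2" '
    /^users:/               { in_users = 1; next }
    in_users && /^[^ -]/    { in_users = 0 }          # next top-level key
    in_users && /^- name: / { hit = ($3 == user); next }
    hit && $1 == "client-certificate-data:" { kind = "static" }
    hit && $1 == "exec:"                    { kind = "exec" }
    END { print (kind == "" ? "unknown" : kind) }
  ' "$1"
}

# Print scalar FIELD ($3, e.g. client-key-data or command) of USER ($2) in FILE ($1).
kubeconfig_user_field() {
  awk -v user="$2" -v field="$3" '
    /^users:/               { in_users = 1; next }
    in_users && /^[^ -]/    { in_users = 0 }
    in_users && /^- name: / { hit = ($3 == user); next }
    hit && $1 == (field ":") { print $2; exit }
  ' "$1"
}

# Decode USER's client cert and key from FILE into OUTDIR/USER.crt and .key,
# readable by the owner only. Returns 2 without writing anything when the user
# authenticates through an exec plugin (credentials are fetched on demand, so
# there is nothing static to extract), 1 when no credentials are found.
extract_static_creds() {
  local file=$1 user=$2 outdir=$3 kind
  kind=$(kubeconfig_user_auth_kind "$file" "$user")
  case "$kind" in
    static) ;;
    exec)   echo "$user uses exec plugin: $(kubeconfig_user_field "$file" "$user" command)" >&2
            return 2 ;;
    *)      echo "no credentials for $user in $file" >&2
            return 1 ;;
  esac
  (
    umask 077   # the key alone authenticates as this user: no group/world read
    kubeconfig_user_field "$file" "$user" client-certificate-data | base64 -d > "$outdir/$user.crt"
    kubeconfig_user_field "$file" "$user" client-key-data         | base64 -d > "$outdir/$user.key"
  ) || return 1
  # A decoded value that is not PEM means the field was missing or garbled.
  grep -q '^-----BEGIN CERTIFICATE-----'   "$outdir/$user.crt" || return 1
  grep -q '^-----BEGIN .*PRIVATE KEY-----' "$outdir/$user.key" || return 1
}

# Constructed sample data (not real credentials). The exec form is an assumed
# approximation of the kubeconfig "doctl kubernetes cluster kubeconfig save" writes.
FAKE_CERT='-----BEGIN CERTIFICATE-----
constructed-for-this-example-not-a-real-certificate
-----END CERTIFICATE-----'
FAKE_KEY='-----BEGIN EC PRIVATE KEY-----
constructed-for-this-example-not-a-real-key
-----END EC PRIVATE KEY-----'

# Write static.yaml and exec.yaml into DIR ($1).
write_sample_kubeconfigs() {
  local dir=$1 cert_b64 key_b64
  cert_b64=$(printf '%s\n' "$FAKE_CERT" | base64 | tr -d '\n')
  key_b64=$(printf '%s\n' "$FAKE_KEY" | base64 | tr -d '\n')
  cat > "$dir/static.yaml" <<EOF
apiVersion: v1
kind: Config
users:
- name: do-ams3-example-admin
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
EOF
  cat > "$dir/exec.yaml" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: do-ams3-example-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: doctl
      args: [kubernetes, cluster, kubeconfig, exec-credential, --version=v1beta1, --context=default, 00000000-0000-0000-0000-000000000000]
EOF
}

# Demo: extract from the static kubeconfig, then show the exec one is left alone.
demo() {
  local tmp; tmp=$(mktemp -d)
  write_sample_kubeconfigs "$tmp"
  extract_static_creds "$tmp/static.yaml" do-ams3-example-admin "$tmp" && ls -l "$tmp"/*.crt "$tmp"/*.key
  extract_static_creds "$tmp/exec.yaml" do-ams3-example-admin "$tmp" || echo "exit status $?"
  rm -rf "$tmp"
}
demo
```

Run it on a real file with extract_static_creds ~/.kube/config <user-name> <outdir>; an exit status of 2 is the good outcome, meaning the user already goes through an exec plugin and no long-lived key needs to be written to disk. The awk scanner deliberately only understands the flat YAML that kubectl and doctl emit; for hand-edited kubeconfigs with anchors or flow mappings, use yq as the script above does.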
