Add script to automate creation of k8s users
parent
d5c31c0d32
commit
153a31ae27
64
tools/createuser.sh
Executable file
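--- a/tools/createuser.sh
+++ b/tools/createuser.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+CLUSTER="matrixtest"
+
+
+function usage() {
+echo "Usage: ${0#*/} <username> [group1,group2,...]"
+echo "If no group is given the default one is user"
+}
+
+
+if [[ ! "${1}" =~ ^[a-z0-9]+$ ]]; then
+usage
+exit 1
+fi
+
+
+if [[ -z "${2}" ]]; then
+groups=( 'user' )
+elif [[ "${2}" =~ ^[-_a-z1-9]+(,[-_a-z1-9]+)*$ ]]; then
+groups=( ${2//,/ } )
+else
+echo -e "[Error] Fail to validate grouplist\nWe will exit"
+exit 2
+fi
+
+basepath=${HOME}/ssl/kube/${CLUSTER}/${1}
+
+echo "Generate key and certificate request"
+mkdir -p "${basepath}"
+openssl genrsa -out ${basepath}/${1}.key 4096
+subj="/CN=${1}"
+for group in "${groups[@]}"; do
+subj+="/O=${group}"
+done
+echo "subj: ${subj}"
+openssl req -new -key "${basepath}/${1}.key" -out "${basepath}/${1}.csr" -subj "${subj}"
+
+cat <<EOF > "${basepath}/req-${1}.yaml"
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+name: ${1}-req
+spec:
+request: $(cat ${basepath}/${1}.csr | base64 | tr -d "\n")
+signerName: kubernetes.io/kube-apiserver-client
+expirationSeconds: $((86400*3650)) # 10 years
+usages:
+- client auth
+EOF
+status=0
+kubectl apply -f "${basepath}/req-${1}.yaml" || { status=1; echo "Failed to submit cerificate request to cluster" ;}
+kubectl certificate approve ${1}-req || { status=1; echo "Failed to approve cerificate request by cluster ca";}
+[[ "${status}" == "1" ]] && exit 1
+
+# Retrieving signed cert
+kubectl get "csr/${1}-req" -o jsonpath='{.status.certificate}' | base64 -d > "${basepath}/${1}.crt" || { status=1;echo "[Error] Failed to extract certificate from request status";}
+[[ "${status}" == "1" ]] && exit 1
+kubectl delete "csr/${1}-req"
+
+echo -e "\nRun these commands to create or update the user/context in .kube/config"
+echo -e "\nkubectl config set-credentials ${1} --client-certificate=${basepath}/${1}.crt --client-key=${basepath}/${1}.key"
+echo "kubectl config set-context <contextname> --cluster=<clustername> --namespace=default --user=${1}"
+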
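Review bot: The retrieval step `kubectl get "csr/${1}-req" -o jsonpath='{.status.certificate}' | base64 -d > "${basepath}/${1}.crt" || {...}` can silently produce an empty `.crt` and still report success: `kubectl certificate approve` only sets the Approved condition and the controller-manager signs asynchronously, and without `set -o pipefail` the `||` branch sees only the status of `base64 -d`, which is 0 on empty input, so the script then deletes the CSR of a certificate that was never issued. The same silence covers `openssl genrsa` and `openssl req`, whose failures are unchecked and would embed an empty `request:` in the heredoc; `set -euo pipefail` after the shebang plus an explicit poll for `.status.certificate` (below) closes both. On the security side, `expirationSeconds: $((86400*3650))` asks for a 10-year `kubernetes.io/kube-apiserver-client` certificate that Kubernetes cannot revoke (the only remedy is rotating the cluster CA), and the signer may clamp the request to its configured signing duration (default is one year, as far as I recall), so the `# 10 years` comment should state the revocation cost and that the issued lifetime may be shorter. The group regex `^[-_a-z1-9]+(,[-_a-z1-9]+)*$` omits `0` while the username check uses `[a-z0-9]`, which looks like a typo for `0-9`; since each `/O=${group}` becomes a cluster group the approver is granting, it is worth adding an explicit reject for `system:`-prefixed names (the current pattern only excludes them by accident of omitting `:`) and a comment saying so. Finally, `kubectl delete "csr/${1}-req"` removes the in-cluster record of which groups were issued to whom; the controller garbage-collects approved CSRs on its own, so leaving it is a reasonable audit-friendly default.
```shell
# … unchanged: key generation, CSR submission and approval …
# Approval only flags the CSR; the signer fills .status.certificate asynchronously, so poll for it.
cert=""
for _ in {1..30}; do
  cert=$(kubectl get "csr/${1}-req" -o jsonpath='{.status.certificate}') && [[ -n "${cert}" ]] && break
  sleep 1
done
if [[ -z "${cert}" ]]; then
  echo "[Error] Certificate was not issued for csr/${1}-req (check the signer / cluster signing duration)" >&2
  exit 1
fi
printf '%s' "${cert}" | base64 -d > "${basepath}/${1}.crt" || { echo "[Error] Failed to decode certificate" >&2; exit 1; }
# … unchanged: CSR cleanup and kubeconfig instructions …
```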