forked from projectcapsule/capsule
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcreate-user.sh
executable file
·134 lines (114 loc) · 3.4 KB
/
create-user.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
#!/bin/bash
# This script uses Kubernetes CertificateSigningRequest (CSR) to generate a
# certificate signed by the Kubernetes CA itself.
# It requires cluster admin permission.
#
# e.g.: ./create-user.sh alice oil
# where `oil` is the Tenant and `alice` the owner
# Exit immediately if a command exits with a non-zero status.
set -e
# Check if OpenSSL is installed
if [[ ! -x "$(command -v openssl)" ]]; then
echo "Error: openssl not found"
exit 1
fi
# Check if kubectl is installed
if [[ ! -x "$(command -v kubectl)" ]]; then
echo "Error: kubectl not found"
exit 1
fi
# Check if jq is installed
if [[ ! -x "$(command -v jq)" ]]; then
echo "Error: jq not found"
exit 1
fi
USER=$1
TENANT=$2
GROUP=$3
if [[ -z ${USER} ]]; then
echo "User has not been specified!"
exit 1
fi
if [[ -z ${TENANT} ]]; then
echo "Tenant has not been specified!"
exit 1
fi
if [[ -z ${GROUP} ]]; then
GROUP=capsule.clastix.io
fi
TMPDIR=$(mktemp -d)
echo "creating certs in TMPDIR ${TMPDIR} "
MERGED_GROUPS=$(echo "/O=$GROUP" | sed "s/,/\/O=/g")
echo "merging groups ${MERGED_GROUPS}"
openssl genrsa -out ${USER}-${TENANT}.key 2048
openssl req -new -key ${USER}-${TENANT}.key -subj "/CN=${USER}${MERGED_GROUPS}" -out ${TMPDIR}/${USER}-${TENANT}.csr
# Clean any previously created CSR for the same user.
kubectl delete csr ${USER}-${TENANT} 2>/dev/null || true
#
# Create a new CSR file.
#
if [ $(kubectl version -o json | jq -r .serverVersion.minor) -gt 19 ]; then
cat <<EOF > ${TMPDIR}/${USER}-${TENANT}-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${USER}-${TENANT}
spec:
signerName: kubernetes.io/kube-apiserver-client
groups:
- system:authenticated
request: $(cat ${TMPDIR}/${USER}-${TENANT}.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- client auth
EOF
else
cat <<EOF > ${TMPDIR}/${USER}-${TENANT}-csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${USER}-${TENANT}
spec:
groups:
- system:authenticated
request: $(cat ${TMPDIR}/${USER}-${TENANT}.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- client auth
EOF
fi
# Create the CSR
kubectl apply -f ${TMPDIR}/${USER}-${TENANT}-csr.yaml
# Approve and fetch the signed certificate
kubectl certificate approve ${USER}-${TENANT}
kubectl get csr ${USER}-${TENANT} -o jsonpath='{.status.certificate}' | base64 --decode > ${USER}-${TENANT}.crt
# Create the kubeconfig file
CONTEXT=$(kubectl config current-context)
CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"$CONTEXT\"})].context.cluster}")
SERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER}\"})].cluster.server}")
CA=$(kubectl config view --flatten -o jsonpath="{.clusters[?(@.name == \"${CLUSTER}\"})].cluster.certificate-authority-data}")
cat > ${USER}-${TENANT}.kubeconfig <<EOF
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: $CA
server: ${SERVER}
name: ${CLUSTER}
contexts:
- context:
cluster: ${CLUSTER}
user: ${USER}
name: ${USER}-${TENANT}
current-context: ${USER}-${TENANT}
kind: Config
preferences: {}
users:
- name: ${USER}
user:
client-certificate: ${USER}-${TENANT}.crt
client-key: ${USER}-${TENANT}.key
EOF
echo "kubeconfig file is:" ${USER}-${TENANT}.kubeconfig
echo "to use it as" ${USER} "export KUBECONFIG="${USER}-${TENANT}.kubeconfig