dynamic generation of kubeconfig files for ci and cd macos and linux
#!/usr/bin/env bash
# ref: https://gist.github.com/ericchiang/d2a838ddad3f44436ae001a342e1001e
# thanks to ericchiang for the initial gist, just tweaked for macos or linux and dynamic file naming.
# Creates kubeconfig files using tokens.
# Copy these files to where the ci or cd processes/envs run kubectl commands--i.e.: jenkins, etc.
#
# Usage: ./k8s-service-account-kubeconfig.sh <namespace> <service account name>
# e.g.: ./k8s-service-account-kubeconfig.sh ci ci
# e.g.: ./k8s-service-account-kubeconfig.sh cd cd
# The generated kubeconfig file is named "kubeconfig-$KUBE_USER".
# This script is called from the apply script with the following args: $1=ns $2=user;
# they should be the same for users such as ci, cd, etc.
# i.e.: the wrapper script calls it like this:
# ./k8s-service-account-kubeconfig.sh $KUBE_NS $KUBE_USER
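set -euo pipefail

# Positional arguments: namespace and service-account name (see header comments).
# Abort with a usage message instead of letting kubectl run against an empty name.
KUBE_NS="${1:?usage: ${0##*/} <namespace> <service-account>}"
KUBE_USER="${2:?usage: ${0##*/} <namespace> <service-account>}"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Scratch space for the cluster CA; removed on every exit path (error, signal, success).
TEMPDIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${TEMPDIR}"; }
trap cleanup EXIT

# The output file holds a long-lived bearer token: make everything created here
# readable by the current user only, whatever the caller's umask was.
umask 077

# GNU coreutils (Linux) decodes with -d; the macOS base64 uses -D.
# Resolve the platform first so we fail fast before touching the cluster.
uname=$(uname)
case "${uname}" in
  Darwin) b64_decode=(base64 -D) ;;
  Linux)  b64_decode=(base64 -d) ;;
  *)
    printf 'Unknown, unsupported platform: (%s).\n' "${uname}" >&2
    printf 'Supported platforms: Linux, Darwin.\n' >&2
    printf 'Bailing out.\n' >&2
    exit 2
    ;;
esac

# The token secret attached to the service account (first one listed). Clusters that
# no longer auto-create service-account token secrets (Kubernetes >= 1.24) return an
# empty name here, so check it instead of failing later with a confusing kubectl error.
SA_SECRET=$(kubectl get sa -n "${KUBE_NS}" "${KUBE_USER}" -o jsonpath='{.secrets[0].name}')
[[ -n "${SA_SECRET}" ]] || die "no token secret found on service account ${KUBE_NS}/${KUBE_USER}"

# --minify limits the view to the current context, so this is the cluster kubectl is
# actually talking to rather than whichever cluster happens to be listed first.
CLUSTER_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
[[ -n "${CLUSTER_URL}" ]] || die "could not determine the current cluster server URL"

# Pull the bearer token and cluster CA from the service account secret.
BEARER_TOKEN=$(kubectl get secrets -n "${KUBE_NS}" "${SA_SECRET}" -o jsonpath='{.data.token}' | "${b64_decode[@]}")
[[ -n "${BEARER_TOKEN}" ]] || die "secret ${KUBE_NS}/${SA_SECRET} has no token"
kubectl get secrets -n "${KUBE_NS}" "${SA_SECRET}" -o jsonpath='{.data.ca\.crt}' | "${b64_decode[@]}" > "${TEMPDIR}/ca.crt"
[[ -s "${TEMPDIR}/ca.crt" ]] || die "secret ${KUBE_NS}/${SA_SECRET} has no ca.crt"

# Kept for callers that source this script and read TOKEN; it is the same token as
# BEARER_TOKEN, read from the secret named on the service account rather than from
# a grep over all secrets in the namespace.
export TOKEN="${BEARER_TOKEN}"

KUBECONFIG="kubeconfig-${KUBE_USER}"
# NOTE: kubectl only accepts the token as a command-line flag, so it is briefly
# visible in the process list; never run this script with `set -x` enabled.
kubectl config --kubeconfig="${KUBECONFIG}" \
  set-cluster "${CLUSTER_URL}" \
  --server="${CLUSTER_URL}" \
  --certificate-authority="${TEMPDIR}/ca.crt" \
  --embed-certs=true
kubectl config --kubeconfig="${KUBECONFIG}" \
  set-credentials "${KUBE_USER}" --token="${BEARER_TOKEN}"
kubectl config --kubeconfig="${KUBECONFIG}" \
  set-context registry \
  --cluster="${CLUSTER_URL}" \
  --user="${KUBE_USER}"
kubectl config --kubeconfig="${KUBECONFIG}" \
  use-context registry
printf 'kubeconfig written to file "%s"\n' "${KUBECONFIG}"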