eldios · October 29, 2018 15:33
diff --git a/get_kubeconfig.sh b/get_kubeconfig.sh
 #!/bin/bash
 # Copyright 2018 Gravitational, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This script receives a new set of credentials for auth server
 # that are based on TLS client certificates. This is better than using
 # cloud provider specific auth "plugins" because it works on any cluster
 # and does not require any extra binaries. It produces kubeconfig to build/kubeconfig
 # Install cfssljson from cfssl and openssl
 # Produce CSR request first
 mkdir -p build
 pushd build
 cat > csr <<EOF
 {
  "hosts": [
  ],
  "CN": "jenkins",
  "names": [{
        "O": "system:masters"
    }],
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
 }
 EOF
 cat csr | cfssl genkey - | cfssljson -bare server
 REQUEST_ID=$(uuid)
 # Create Kubernetes CSR
 cat <<EOF | kubectl create -f -
 apiVersion: certificates.k8s.io/v1beta1
 kind: CertificateSigningRequest
 metadata:
  name: ${REQUEST_ID}
 spec:
  groups:
  - system:authenticated
  request: $(cat server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
 EOF
 kubectl certificate approve ${REQUEST_ID}
 kubectl get csr ${REQUEST_ID} -o jsonpath='{.status.certificate}' \
    | base64 -d > server.crt
 kubectl -n kube-system exec $(kubectl get pods -n kube-system -l k8s-app=kube-dns  -o jsonpath='{.items[0].metadata.name}') -c kubedns -- /bin/cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt > ca.crt
 # Extract cluster IP from the current context
 CURRENT_CONTEXT=$(kubectl config current-context)
 CURRENT_CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"${CURRENT_CONTEXT}\"})].context.cluster}")
 CURRENT_CLUSTER_ADDR=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CURRENT_CLUSTER}\"})].cluster.server}")
 cat > kubeconfig <<EOF
 apiVersion: v1
 clusters:
 - cluster:
    certificate-authority-data: $(cat ca.crt | base64 -w 0)
    server: ${CURRENT_CLUSTER_ADDR}
  name: k8s
 contexts:
 - context:
    cluster: k8s
    user: jenkins
  name: k8s
 current-context: k8s
 kind: Config
 preferences: {}
 users:
 - name: jenkins
  user:
    client-certificate-data: $(cat server.crt | base64 -w 0)
    client-key-data: $(cat server-key.pem | base64 -w 0)
 EOF
 popd
	#!/bin/bash
	# Copyright 2018 Gravitational, Inc.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	# This script receives a new set of credentials for auth server
	# that are based on TLS client certificates. This is better than using
	# cloud provider specific auth "plugins" because it works on any cluster
	# and does not require any extra binaries. It produces kubeconfig to build/kubeconfig
	# Install cfssljson from cfssl and openssl
	# Produce CSR request first
	mkdir -p build
	pushd build
	cat > csr <<EOF
	{
	"hosts": [
	],
	"CN": "jenkins",
	"names": [{
	"O": "system:masters"
	}],
	"key": {
	"algo": "ecdsa",
	"size": 256
	}
	}
	EOF
	cat csr \| cfssl genkey - \| cfssljson -bare server
	REQUEST_ID=$(uuid)
	# Create Kubernetes CSR
	cat <<EOF \| kubectl create -f -
	apiVersion: certificates.k8s.io/v1beta1
	kind: CertificateSigningRequest
	metadata:
	name: ${REQUEST_ID}
	spec:
	groups:
	- system:authenticated
	request: $(cat server.csr \| base64 \| tr -d '\n')
	usages:
	- digital signature
	- key encipherment
	- server auth
	EOF
	kubectl certificate approve ${REQUEST_ID}
	kubectl get csr ${REQUEST_ID} -o jsonpath='{.status.certificate}' \
	\| base64 -d > server.crt
	kubectl -n kube-system exec $(kubectl get pods -n kube-system -l k8s-app=kube-dns -o jsonpath='{.items[0].metadata.name}') -c kubedns -- /bin/cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt > ca.crt
	# Extract cluster IP from the current context
	CURRENT_CONTEXT=$(kubectl config current-context)
	CURRENT_CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name == \"${CURRENT_CONTEXT}\"})].context.cluster}")
	CURRENT_CLUSTER_ADDR=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CURRENT_CLUSTER}\"})].cluster.server}")
	cat > kubeconfig <<EOF
	apiVersion: v1
	clusters:
	- cluster:
	certificate-authority-data: $(cat ca.crt \| base64 -w 0)
	server: ${CURRENT_CLUSTER_ADDR}
	name: k8s
	contexts:
	- context:
	cluster: k8s
	user: jenkins
	name: k8s
	current-context: k8s
	kind: Config
	preferences: {}
	users:
	- name: jenkins
	user:
	client-certificate-data: $(cat server.crt \| base64 -w 0)
	client-key-data: $(cat server-key.pem \| base64 -w 0)
	EOF
	popd