Create and approve Kubernetes certificates for users

approve-csr.sh

#!/usr/bin/env bash

export USERNAME="$1"
export BASE64_CSR="$2"

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $USERNAME
spec:
  request: $BASE64_CSR
  signerName: kubernetes.io/kube-apiserver-client
#  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

kubectl get csr

kubectl certificate approve "$USERNAME"


kubectl get csr $USERNAME -o jsonpath='{.status.certificate}'| base64 -d > certs/$USERNAME.crt

create-csr.sh

#!/usr/bin/env bash

mkdir -p certs
cd certs || exit

NAME=$1
GROUP=${2:-dev}

echo "Creating private key for $NAME ..."

openssl genrsa -out "$NAME.key" 4096

cat > csr.conf <<EOF

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
CN = $NAME
O = $GROUP

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth

EOF


echo "Creating certificate sign request for $NAME ..."

openssl req -new -key "$NAME.key" -config ./csr.conf -out "$NAME.csr"

echo
echo "Copy the following encoded certificate signing request, and give it to cluster admin to sign it."
echo

cat ./"$NAME.csr" | base64 | tr -d '\n'