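#!/usr/bin/env bash
# Provision two client-certificate identities for a Kubernetes cluster through
# the certificates.k8s.io CSR API and scope each to one namespace with a
# Role/RoleBinding pair:
#   - user "myorg-sre-1" (group "myorg-sre") -> namespace kube-system
#   - user "myorg-dev-1" (group "myorg-dev") -> namespace default
# Outputs: /tmp/sre.kubeconfig and /tmp/dev.kubeconfig (each embeds its
# private key). Requires cfssl, cfssljson, base64 and a kubectl context that
# may approve CSRs and create RBAC objects.
set -euo pipefail

# Keys and kubeconfigs are written under /tmp; make everything this script
# creates owner-readable only instead of relying on the caller's umask.
umask 077

APISERVER_ENDPOINT=https://c100-e.us-east.containers.cloud.ibm.com:31581
CSR_DIR=/tmp/csr-dir

# write_csr_json CN ORG PATH
# cfssl CSR spec. For the kube-apiserver-client signer the certificate's CN is
# the Kubernetes username and O is the group that RBAC subjects refer to.
write_csr_json() {
  local cn="$1" org="$2" out="$3"
  cat <<EOF >"$out"
{
  "CN": "$cn",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "$org"
    }
  ]
}
EOF
}

# b64_file PATH
# Single-line base64 of a file; `tr` replaces GNU-only `base64 -w 0` so the
# script also runs on BSD/macOS base64.
b64_file() {
  base64 <"$1" | tr -d '\n'
}

# write_kube_csr NAME REQUEST_B64 PATH
# CertificateSigningRequest manifest for the built-in kube-apiserver-client
# signer; only the "client auth" usage is requested.
write_kube_csr() {
  local name="$1" request="$2" out="$3"
  cat <<EOF >"$out"
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $request
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - client auth
EOF
}

# wait_for_cert NAME
# The signer fills status.certificate asynchronously after approval, so a
# `kubectl get` issued right after `kubectl certificate approve` can return an
# empty field. Poll (up to ~60 s) and print the base64 certificate as stored.
wait_for_cert() {
  local name="$1" cert="" i
  for ((i = 0; i < 30; i++)); do
    cert=$(kubectl get csr "$name" -o jsonpath='{.status.certificate}')
    if [ -n "$cert" ]; then
      printf '%s' "$cert"
      return 0
    fi
    sleep 2
  done
  echo "timed out waiting for certificate on csr/$name" >&2
  return 1
}

# write_kubeconfig ROLE NAMESPACE CERT_B64 KEY_B64 PATH
# Kubeconfig for one identity. The context's namespace is the one the matching
# Role grants in, so plain `kubectl get pods` lands where the user has rights.
# No certificate-authority-data is set: kubectl verifies the API server
# against the system trust store, so the endpoint must present a publicly
# trusted certificate.
write_kubeconfig() {
  local role="$1" ns="$2" cert="$3" key="$4" out="$5"
  cat <<EOF >"$out"
apiVersion: v1
clusters:
  - cluster:
      server: $APISERVER_ENDPOINT
    name: mycluster
contexts:
  - context:
      cluster: mycluster
      namespace: $ns
      user: $role/mycluster
    name: mycluster/$role
current-context: mycluster/$role
kind: Config
preferences: {}
users:
  - name: $role/mycluster
    user:
      client-certificate-data: $cert
      client-key-data: $key
EOF
}

# write_namespace_rbac TEAM GROUP NAMESPACE PATH
# Role granting every verb on every core-group ("") resource in NAMESPACE,
# bound to GROUP. Resources in other API groups (apps, batch, ...) are not
# covered by this rule; narrow the "*" entries before reusing beyond a demo.
write_namespace_rbac() {
  local team="$1" group="$2" ns="$3" out="$4"
  cat <<EOF >"$out"
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $team
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $team
subjects:
  - kind: Group
    name: $group
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $team
  namespace: $ns
rules:
  - apiGroups:
      - ""
    resources:
      - "*"
    verbs:
      - "*"
EOF
}

# --- 1. Key pairs and CSRs (cfssljson writes <name>-key.pem and <name>.csr)
write_csr_json myorg-sre-1 myorg-sre /tmp/sre-csr.json
write_csr_json myorg-dev-1 myorg-dev /tmp/dev-csr.json

rm -rf "$CSR_DIR"
mkdir -p "$CSR_DIR"
cd "$CSR_DIR" || exit 1
cfssl genkey /tmp/sre-csr.json | cfssljson -bare sre
cfssl genkey /tmp/dev-csr.json | cfssljson -bare dev

DEV_CSR_CONTENT_64=$(b64_file dev.csr)
SRE_CSR_CONTENT_64=$(b64_file sre.csr)
DEV_KEY_CONTENT_64=$(b64_file dev-key.pem)
SRE_KEY_CONTENT_64=$(b64_file sre-key.pem)

# --- 2. Submit and approve the CSRs, then collect the signed certificates
write_kube_csr myorg-dev-1 "$DEV_CSR_CONTENT_64" /tmp/kube-csr-dev.yaml
write_kube_csr myorg-sre-1 "$SRE_CSR_CONTENT_64" /tmp/kube-csr-sre.yaml
kubectl apply -f /tmp/kube-csr-sre.yaml
kubectl apply -f /tmp/kube-csr-dev.yaml
kubectl certificate approve myorg-dev-1
kubectl certificate approve myorg-sre-1
DEV_CERTIFICATE_64=$(wait_for_cert myorg-dev-1)
SRE_CERTIFICATE_64=$(wait_for_cert myorg-sre-1)

# --- 3. Kubeconfigs (private key embedded; handle the files as secrets)
write_kubeconfig sre kube-system "$SRE_CERTIFICATE_64" "$SRE_KEY_CONTENT_64" /tmp/sre.kubeconfig
write_kubeconfig dev default "$DEV_CERTIFICATE_64" "$DEV_KEY_CONTENT_64" /tmp/dev.kubeconfig

# --- 4. Namespace-scoped RBAC for each group
write_namespace_rbac myorg-sre-team myorg-sre kube-system /tmp/sre-namespace-rbac.yaml
write_namespace_rbac myorg-dev-team myorg-dev default /tmp/dev-namespace-rbac.yaml
kubectl apply -f /tmp/dev-namespace-rbac.yaml
kubectl apply -f /tmp/sre-namespace-rbac.yaml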