Generate k8s user access key

generate.sh

#!/bin/bash
set -ex

[[ -z $3 ]] && exit 1

#user="worker"
#lb_url="https://k8s-master.example.com:6443"
#master_host="root@master1"
user=$1
lb_url=$2
master_host=$3

mkdir ${user}
cd ${user}

openssl genrsa -out ${user}-user.pem 2048
openssl req -new -key ${user}-user.pem -out ${user}-user.csr -subj "/CN=${user}-user"

cat >signing-request.yml <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user-request-${user}-user
spec:
  groups:
  - system:authenticated
  request: $(cat ${user}-user.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

kubectl create ns ${user} || true
kubectl create -f signing-request.yml
kubectl certificate approve user-request-${user}-user
kubectl get csr user-request-${user}-user -o jsonpath='{.status.certificate}' | base64 --decode > ${user}-user.crt

kubectl --kubeconfig config-${user}-user config set-cluster cluster.local --insecure-skip-tls-verify=true --server=${lb_url}
kubectl --kubeconfig config-${user}-user config set-credentials ${user}-user --client-certificate=${user}-user.crt --client-key=${user}-user.pem --embed-certs=true

kubectl create rolebinding ${user}-admin-binding --clusterrole=admin --user=${user}-user --namespace=${user}

kubectl --kubeconfig=config-${user}-user config set-context ${user} --cluster=cluster.local --user=${user}-user
kubectl --kubeconfig=config-${user}-user config use-context ${user}
kubectl --kubeconfig=config-${user}-user get pods -n ${user}

dd if=/dev/random count=10 bs=1| base64 | cut -d = -f 1 > ${user}-user-password.txt
ssh ${master_host} sudo cat /etc/kubernetes/ssl/ca.crt >ca.crt

# check that ca.crt is correct
openssl x509 -in ca.crt -text -noout

openssl pkcs12 -export -out ${user}-user.p12 -inkey ${user}-user.pem -in ${user}-user.crt -certfile ca.crt -password pass:$(cat ${user}-user-password.txt)