@zhangyoufu
Last active August 8, 2025 15:25
Use the Alibaba Cloud OpenAPI to obtain the user certificate (long-lived/temporary) for a Kubernetes cluster kubeconfig; depends on jq, yq, and aliyun-cli
#!/bin/bash
# kubectl exec credential plugin: prints an ExecCredential built from the ACK user kubeconfig.
set -euo pipefail
: "${CLUSTER_ID:?CLUSTER_ID must be set}" # required: ACK cluster ID
: "${PRIVATE:=false}" # auto use private IP if public IP not available
: "${MINUTES:=60}" # defaults to 1 hour
: "${SHOW_CLUSTER:=}" # if non-empty, print the cluster entry to stderr
: "${REGION_ID:=cn-shanghai}" # choose nearest region as OpenAPI endpoint, does not need to match ACK cluster location
echo >&2 '+ aliyun cs DescribeClusterUserKubeconfig'
JSON=$(aliyun cs DescribeClusterUserKubeconfig "$@" --region "$REGION_ID" --ClusterId "$CLUSTER_ID" --PrivateIpAddress "$PRIVATE" --TemporaryDurationMinutes "$MINUTES")
YAML=$(jq -r .config <<< "$JSON")
if [ -n "$SHOW_CLUSTER" ]; then yq '.clusters[0].cluster' <<< "$YAML" >&2; fi
# Assign first, export afterwards: `export VAR=$(cmd)` hides cmd's exit status from `set -e`,
# so a failed yq/base64 would otherwise produce an empty credential instead of an error.
EXPIRATION=$(jq -r .expiration <<< "$JSON")
CLIENT_CERTIFICATE_DATA=$(yq -r '.users[0].user.client-certificate-data' <<< "$YAML" | base64 -d)
CLIENT_KEY_DATA=$(yq -r '.users[0].user.client-key-data' <<< "$YAML" | base64 -d)
export EXPIRATION CLIENT_CERTIFICATE_DATA CLIENT_KEY_DATA
# stdout must carry only the ExecCredential JSON; diagnostics above go to stderr.
jq -cn '{apiVersion:"client.authentication.k8s.io/v1",kind:"ExecCredential",status:{expirationTimestamp:env.EXPIRATION,clientCertificateData:env.CLIENT_CERTIFICATE_DATA,clientKeyData:env.CLIENT_KEY_DATA}}'

# kubeconfig that calls the script above as an exec credential plugin
apiVersion: v1
kind: Config
clusters:
- name: 0123456789abcdef0123456789abcdef0
  cluster:
    server: https://192.0.2.1:6443
    certificate-authority-data: LS0t...LS0K
users:
- name: foo
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      command: ./aliyun-cs-credential.sh
      env:
      - name: ALIBABA_CLOUD_PROFILE
        value: your-aliyun-cli-profile-name-here
      - name: CLUSTER_ID
        value: 0123456789abcdef0123456789abcdef0
      interactiveMode: Never
contexts:
- name: a-meaningful-cluster-name-for-you
  context:
    cluster: 0123456789abcdef0123456789abcdef0
    user: foo # must match a name under users