Create User (certificate-based)

Note

This procedure requires an account with cluster-admin activated.

You can create a user based on a client certificate instead of OpenID Connect.

Doing this requires three steps:

  • Create a private key and a certificate signing request (CSR)
  • Have the CSR signed by the Kubernetes cluster CA
  • Create a kubeconfig file that uses the signed certificate

The shell script below combines these steps.

Note

CLUSTER is the index of your ASERGO cluster in the clusters list of .kube/config. The index starts at 0.

#!/bin/sh
set -eu
USER="NAME"
ROLE="ROLE-DESCRIPTION"   # becomes the O= attribute, which Kubernetes uses as the user's group in RBAC
CLUSTER="0"

# Generate TLS key and CSR (CN = user name, O = group); keep the private key readable only by this account
cd /tmp
umask 077
openssl req -new -newkey rsa:4096 -nodes -keyout ${USER}-k8s.key -out ${USER}-k8s.csr -subj "/CN=${USER}/O=${ROLE}"
CERT=$(base64 < ${USER}-k8s.csr | tr -d '\n')

# Submit the CSR to the Kubernetes API for signing by the cluster CA
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${USER}-access
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: ${CERT}
  usages:
  - client auth
EOF

# Approve the CSR, then wait until the controller-manager has issued the certificate
# (status.certificate is filled in asynchronously and may be empty right after approval)
kubectl certificate approve ${USER}-access
until [ -n "$(kubectl get csr ${USER}-access -o jsonpath='{.status.certificate}')" ]; do sleep 1; done
kubectl get csr ${USER}-access -o jsonpath='{.status.certificate}' | base64 --decode > ${USER}-access.crt
kubectl config view -o jsonpath='{.clusters['"$CLUSTER"'].cluster.certificate-authority-data}' --raw | base64 --decode > k8s-ca.crt

# Setting up the Cluster Configuration
kubectl config set-cluster $(kubectl config view -o jsonpath='{.clusters['"$CLUSTER"'].name}') \
--server=$(kubectl config view -o jsonpath='{.clusters['"$CLUSTER"'].cluster.server}') --certificate-authority=k8s-ca.crt \
--kubeconfig=${USER}-config --embed-certs

kubectl config set-credentials ${USER} --client-certificate=${USER}-access.crt --client-key=${USER}-k8s.key \
--embed-certs --kubeconfig=${USER}-config

kubectl config set-context ${USER} --cluster=$(kubectl config view -o jsonpath='{.clusters['"$CLUSTER"'].name}') \
--user=${USER} --kubeconfig=${USER}-config
kubectl config use-context ${USER} --kubeconfig=${USER}-config

# Test config (fails if the cluster cannot be reached or the certificate is rejected)
kubectl version --kubeconfig=${USER}-config

echo "kubectl created ${USER}-config"
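The script above only authenticates the new user; it grants no permissions. Kubernetes maps the certificate's CN to the user name and its O attribute to a group, so the value passed as ROLE is what RBAC bindings must reference. The following added example (not part of the ASERGO documentation) renders a RoleBinding for that group and then checks, with the user's own kubeconfig, that the binding is effective and that nothing cluster-wide leaked in. The user name alice, group developers, namespace dev and the built-in ClusterRole edit are assumed placeholders.

```shell
#!/bin/sh
# Added example: bind the certificate group (the O= attribute) to a namespaced
# role and verify the new kubeconfig. Names used in the usage line are assumed.
set -eu

# Render a RoleBinding that binds a ClusterRole to a group within a namespace.
# The group name must equal the ROLE used when the CSR was generated.
render_rolebinding() {
  group="$1"; namespace="$2"; clusterrole="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${group}-${clusterrole}
  namespace: ${namespace}
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${clusterrole}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the binding with the cluster-admin kubeconfig (the current context),
# then inspect what the certificate user can actually do with its own kubeconfig.
grant_and_verify() {
  user="$1"; group="$2"; namespace="$3"; clusterrole="$4"
  render_rolebinding "$group" "$namespace" "$clusterrole" | kubectl apply -f -
  # Expected "yes": access arrives through the O= group, not the user name.
  kubectl auth can-i list pods -n "$namespace" --kubeconfig="${user}-config"
  # Expected "no": a namespaced RoleBinding must not grant cluster-wide reads.
  # (kubectl exits non-zero on "no", so do not let set -e abort here.)
  kubectl auth can-i list nodes --kubeconfig="${user}-config" || true
  # Show subject and validity of the issued certificate; the kube-apiserver-client
  # signer issues one-year certificates unless expirationSeconds is set on the CSR.
  kubectl config view --kubeconfig="${user}-config" --raw \
    -o jsonpath='{.users[0].user.client-certificate-data}' | base64 --decode \
    | openssl x509 -noout -subject -dates
}

# Usage (needs kubectl with cluster-admin access and the generated alice-config):
#   grant_and_verify alice developers dev edit
```

Run `render_rolebinding developers dev edit` on its own to review the manifest before applying it; the `auth can-i` checks are the quickest way to confirm that the group in the certificate matches the binding, since a typo in O= silently yields a user with no permissions rather than an error.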