Create User (certificate-based)
Note
This function requires an account with cluster-admin activated.
You can create a user based on a certificate instead of OpenID Connect.
Doing this requires 3 steps:
- Create a certificate
- Sign it in Kubernetes
- Create a kubeconfig file
Below you find a shell script that combines these steps.
Note
CLUSTER is the index number of your ASERGO cluster in .kube/config. The index starts at 0.
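#!/bin/sh
# Create a certificate-based Kubernetes user and build a standalone kubeconfig.
#
# Steps: generate a private key and CSR with openssl, submit and approve the
# CSR in the cluster, then assemble ${USER}-config from the signed certificate.
# Run it with credentials that are allowed to create and approve
# CertificateSigningRequests.
#
# Security notes:
#   - The CSR subject decides the identity: CN becomes the Kubernetes user
#     name and O becomes its group. The new user has only the permissions
#     that RBAC bindings grant to that user or group, so never put a
#     privileged built-in group such as system:masters into ROLE.
#   - Kubernetes has no revocation for client certificates; the credential
#     stays valid until it expires. Setting spec.expirationSeconds in the CSR
#     below is the way to request a shorter lifetime.
#   - ${USER}-config embeds the private key. All files are written into a
#     private directory (mode 0700, files 0600); delete the loose key, CSR and
#     certificate files once the kubeconfig has been handed over.
set -eu
umask 077

# NOTE: USER shadows the login-name environment variable for every command
# started by this script; the name is kept because the documentation uses it.
USER="NAME"
ROLE="ROLE-DESCRIPTION"
CLUSTER="0"

# CLUSTER is spliced into jsonpath expressions, so accept digits only.
case "${CLUSTER}" in
  '' | *[!0-9]*)
    echo "CLUSTER must be a non-negative integer index" >&2
    exit 1
    ;;
esac

# Work in a fresh private directory instead of predictable names in /tmp,
# where another local user could pre-create or read the files.
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/k8s-user.XXXXXX")
cd "${WORKDIR}"

# Generate TLS Cert
openssl req -new -newkey rsa:4096 -nodes \
  -keyout "${USER}-k8s.key" -out "${USER}-k8s.csr" \
  -subj "/CN=${USER}/O=${ROLE}"
CERT=$(base64 < "${USER}-k8s.csr" | tr -d '\n')

kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${USER}-access
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: ${CERT}
  usages:
  - client auth
EOF
kubectl certificate approve "${USER}-access"

# The signer fills in .status.certificate shortly after the approval, so poll
# for it instead of decoding a possibly empty field into the .crt file.
CERT_B64=""
TRIES=0
while [ -z "${CERT_B64}" ] && [ "${TRIES}" -lt 30 ]; do
  CERT_B64=$(kubectl get csr "${USER}-access" -o jsonpath='{.status.certificate}')
  [ -n "${CERT_B64}" ] || sleep 1
  TRIES=$((TRIES + 1))
done
if [ -z "${CERT_B64}" ]; then
  echo "no certificate was issued for ${USER}-access" >&2
  exit 1
fi
printf '%s' "${CERT_B64}" | base64 --decode > "${USER}-access.crt"

# Look the cluster entry up once; an empty value would otherwise end up
# silently in the generated kubeconfig.
CLUSTER_NAME=$(kubectl config view -o jsonpath="{.clusters[${CLUSTER}].name}")
CLUSTER_SERVER=$(kubectl config view -o jsonpath="{.clusters[${CLUSTER}].cluster.server}")
CA_B64=$(kubectl config view --raw -o jsonpath="{.clusters[${CLUSTER}].cluster.certificate-authority-data}")
if [ -z "${CLUSTER_NAME}" ] || [ -z "${CLUSTER_SERVER}" ] || [ -z "${CA_B64}" ]; then
  echo "cluster entry ${CLUSTER} lacks a name, server or certificate-authority-data" >&2
  exit 1
fi
printf '%s' "${CA_B64}" | base64 --decode > k8s-ca.crt

# Setting up the Cluster Configuration
kubectl config set-cluster "${CLUSTER_NAME}" \
  --server="${CLUSTER_SERVER}" --certificate-authority=k8s-ca.crt \
  --kubeconfig="${USER}-config" --embed-certs
kubectl config set-credentials "${USER}" \
  --client-certificate="${USER}-access.crt" --client-key="${USER}-k8s.key" \
  --embed-certs --kubeconfig="${USER}-config"
kubectl config set-context "${USER}" --cluster="${CLUSTER_NAME}" \
  --user="${USER}" --kubeconfig="${USER}-config"
kubectl config use-context "${USER}" --kubeconfig="${USER}-config"

# Test config; a failed test call is reported but does not hide the result.
if ! kubectl version --kubeconfig="${USER}-config"; then
  echo "warning: test call with ${USER}-config failed" >&2
fi
echo "kubectl created ${USER}-config"
echo "location: ${WORKDIR}/${USER}-config"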