organize folders and MVP wireguard mesh
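--- a/PATH_PLACEHOLDER_removeuserspace
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-
-# Use
-# ./removeuserspace <ssh_address> <server_fqdn (for kubectl)> <user>
-
-export SERVER=$1
-export FQDN=$2
-export USER=$3
-
-export CERT_DIR=$HOME/.kube/$FQDN/users/$USER
-export CA_CERT_DIR=$HOME/.kube/$FQDN
-
-export SERVER_USER_DIR="~/.kube/users/$USER"
-export SERVER_NAME=$(echo "$FQDN" | sed 's/\./-/g')
-export SERVER_USER="$USER-$SERVER_NAME"
-
-export KUBECONFIG="$HOME/.kube/$USER-config"
-
-echo "Checking if project namespace exists"
-exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$USER')].metadata.name}\"")
-if [ -z $exists ]; then
-echo "Namespace not found, nothing to delete"
-exit 1
-else
-echo "Namespace exists, deleting"
-fi
-
-echo "Deleting user namespace"
-ssh $SERVER "kubectl delete -f $SERVER_USER_DIR/namespace.yaml"
-
-echo "Deleting remote cert dir"
-ssh $SERVER "rm -rf $SERVER_USER_DIR"
-
-echo "Deleting local cert dir"
-rm -rf $CERT_DIR
-
-echo "Removing from kubeconfig"
-rm $KUBECONFIG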
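--- a/PATH_PLACEHOLDER_setup.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Use
-# ./setup.sh <server_fqdn>
-
-export SERVER=$1
-
-ssh -t $SERVER sudo kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
-scp certsigner.yaml $SERVER:~/certsigner.yaml
-ssh $SERVER kubectl apply -f certsigner.yaml
-scp clusterrole.yaml $SERVER:~/clusterrole.yaml
-ssh $SERVER kubectl apply -f clusterrole.yaml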
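--- a/PATH_PLACEHOLDER_upsert.sh
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/bin/bash
-
-# Use
-# ./upsert.sh <ssh_address> <server_fqdn (for kubectl)> <user>
-# Note, do not specify https:// or :port for the fqdn, just give the domain
-# Port is expected to be 6443. You can change this later in the generated conf
-# ./upsert.sh node1 containers.reeseapps.com testuser
-# ./upsert.sh 192.168.1.10 mydomain.ddns.net admin
-
-export SERVER=$1
-export FQDN=$2
-export KUBE_USER=$3
-
-export CERT_DIR=$HOME/.kube/$FQDN/users/$KUBE_USER
-export CA_CERT_DIR=$HOME/.kube/$FQDN
-
-export SERVER_USER_DIR="~/.kube/users/$KUBE_USER"
-export SERVER_NAME=$(echo "$FQDN" | sed 's/\./-/g')
-export SERVER_USER="$KUBE_USER-$SERVER_NAME"
-
-export KUBECONFIG="$HOME/.kube/$KUBE_USER-config"
-
-if [ -z $KUBE_USER ]; then
-echo "No arguments supplied! Format is ./upsert.sh <SERVER_FQDN> <USER>"
-exit 1
-fi
-
-if [ -z $SERVER ]; then
-echo "No server supplied for user $KUBE_USER"
-exit 1
-fi
-
-if [ $KUBE_USER = "admin" ]; then
-echo "Creating admin user for server $SERVER"
-fi
-
-echo "Creating cert dir"
-mkdir -p $CERT_DIR
-
-if [ $? -ne 0 ]; then
-echo "Couldn't create cert dir at $CERT_DIR"
-exit 1
-fi
-
-echo "Generating openssl cert"
-podman run -it -v $CERT_DIR:/$KUBE_USER python:latest openssl genrsa -out /$KUBE_USER/$KUBE_USER.key 2048
-
-if [ $KUBE_USER = "admin" ]; then
-podman run -it -v $CERT_DIR:/$KUBE_USER python:latest openssl req -new -key /$KUBE_USER/$KUBE_USER.key -out /$KUBE_USER/$KUBE_USER.csr -subj "/CN=$KUBE_USER/O=system:masters"
-else
-podman run -it -v $CERT_DIR:/$KUBE_USER python:latest openssl req -new -key /$KUBE_USER/$KUBE_USER.key -out /$KUBE_USER/$KUBE_USER.csr -subj "/CN=$KUBE_USER/O=user"
-fi
-# /CN=admin/O=manager
-
-if [ $? -ne 0 ]; then
-echo "Couldn't create cert with Podman. Are you sure it's running?"
-exit 1
-fi
-
-echo "Creating namespace dir on server"
-ssh $SERVER "mkdir -p $SERVER_USER_DIR"
-echo "Copying client csr to server cert dir"
-scp $CERT_DIR/$KUBE_USER.csr $SERVER:$SERVER_USER_DIR/$KUBE_USER.csr
-
-if [ $? -ne 0 ]; then
-echo "Failed to copy client csr to server cert dir"
-exit 1
-fi
-
-echo "Getting cert signing pod"
-export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
-
-if [ -z $CERT_POD ]; then
-echo "Installing certsigner"
-helm template certsigner ./certsigner | ssh $SERVER "sudo -t -E kubectl apply -f -"
-fi
-
-while [ -z $CERT_POD ]; do
-echo "Getting cert signing pod"
-export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
-sleep 2
-done
-
-if [ $? -ne 0 ]; then
-echo "Failed to install certsigner."
-exit 1
-fi
-
-echo "Signing cert with pod $CERT_POD"
-ssh $SERVER "kubectl -n kube-system cp $SERVER_USER_DIR/$KUBE_USER.csr $CERT_POD:/certs/$KUBE_USER.csr"
-ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$KUBE_USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; print(random.randint(1000000000, 9999999999))') -out /certs/$KUBE_USER.crt -days 5000"
-ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$KUBE_USER.crt ~/.kube/users/$KUBE_USER/$KUBE_USER.crt"
-echo "retrieving signed cert"
-scp $SERVER:$SERVER_USER_DIR/$KUBE_USER.crt $CERT_DIR/$KUBE_USER.crt
-
-echo "retrieving server ca"
-wget --no-check-certificate https://$FQDN:6443/cacerts -O $CA_CERT_DIR/server-ca.pem
-
-echo "creating $FQDN-$KUBE_USER context"
-kubectl config set-context $FQDN-$KUBE_USER
-
-echo "setting $FQDN-$KUBE_USER as current context"
-kubectl config set current-context $FQDN-$KUBE_USER
-
-echo "adding server to config with new context $FQDN-$KUBE_USER"
-kubectl config set-cluster $FQDN --server=https://$FQDN:6443 --certificate-authority=$CA_CERT_DIR/server-ca.pem
-kubectl config set contexts.$(kubectl config current-context).cluster $FQDN
-
-echo "adding user to config file"
-kubectl config set-credentials $SERVER_USER --client-certificate=$CERT_DIR/$KUBE_USER.crt --client-key=$CERT_DIR/$KUBE_USER.key
-
-echo "setting user context"
-kubectl config set contexts.$(kubectl config current-context).user $SERVER_USER
-
-if [ $KUBE_USER = "admin" ]; then
-echo "Admin user created, skipping namespace"
-echo "export KUBECONFIG=$KUBECONFIG"
-exit 0
-fi
-
-echo "Templating namespace with helm and copying to server"
-helm template $KUBE_USER --set user=$KUBE_USER ./helm/namespace | ssh $SERVER "cat - > $SERVER_USER_DIR/namespace.yaml"
-
-if [ $? -ne 0 ]; then
-echo "Failed to template namespace. Is helm installed?"
-exit 1
-fi
-
-echo "Creating namespace from template"
-ssh $SERVER "kubectl apply -f $SERVER_USER_DIR/namespace.yaml"
-
-echo "Setting namespace context"
-kubectl config set contexts.$(kubectl config current-context).namespace $KUBE_USER
-
-if [ $? -ne 0 ]; then
-echo "Failed to create namespace"
-exit 1
-fi
-
-echo "export KUBECONFIG=$KUBECONFIG"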