Add userspace chart and docs

This allows easy creation of user namespaces with limited permissions.
2023-10-31 10:02:43 -04:00
parent 8189068eec
commit 65245cc157
17 changed files with 953 additions and 0 deletions
--- a/scripts/adduser.sh
+++ b/scripts/adduser.sh
@@ -0,0 +1,135 @@
+#!/bin/bash
+
+# Use
+# ./adduser.sh <server_fqdn> <user>
+
+export SERVER=$1
+export USER=$2
+
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+export CA_CERT_DIR=$HOME/.kube/$SERVER
+
+export SERVER_USER_DIR="~/.kube/users/$USER"
+export SERVER_NAME=$(echo "$SERVER" | sed 's/\./-/g')
+export SERVER_USER="$USER-$SERVER_NAME"
+
+export KUBECONFIG="$HOME/.kube/$USER-config"
+
+if [ -z $USER ]; then
+echo "No arguments supplied! Format is ./adduser.sh <SERVER_FQDN> <USER>"
+exit 1
+fi
+
+if [ -z $SERVER ]; then
+echo "No server supplied for user $USER"
+exit 1   
+fi
+
+if [ $USER = "admin" ]; then
+echo "Creating admin user for server $SERVER"
+fi
+
+echo "Creating cert dir"
+mkdir -p $CERT_DIR
+
+if [ $? -ne 0 ]; then
+    echo "Couldn't create cert dir at $CERT_DIR"
+    exit 1
+fi
+
+echo "Generating openssl cert"
+docker run -u $UID -it -v $CERT_DIR:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+
+if [ $USER = "admin" ]; then
+docker run -u $UID -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=system:masters"
+else
+docker run -u $UID -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+fi
+# /CN=admin/O=manager
+
+if [ $? -ne 0 ]; then
+    echo "Couldn't create cert with Docker. Are you sure it's running?"
+    exit 1
+fi
+
+echo "Creating namespace dir on server"
+ssh $SERVER "mkdir -p $SERVER_USER_DIR"
+echo "Copying client csr to server cert dir"
+scp $CERT_DIR/$USER.csr $SERVER:$SERVER_USER_DIR/$USER.csr
+
+if [ $? -ne 0 ]; then
+    echo "Failed to copy client csr to server cert dir"
+    exit 1
+fi
+
+echo "Getting cert signing pod"
+export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+
+if [ -z $CERT_POD ]; then
+    echo "Installing certsigner"
+    helm template certsigner ./certsigner | ssh $SERVER "sudo -t -E kubectl apply -f -"
+fi
+
+while [ -z $CERT_POD ]; do
+    echo "Getting cert signing pod"
+    export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+    sleep 2
+done
+
+if [ $? -ne 0 ]; then
+echo "Failed to install certsigner."
+exit 1
+fi
+
+echo "Signing cert with pod $CERT_POD"
+ssh $SERVER "kubectl -n kube-system cp $SERVER_USER_DIR/$USER.csr $CERT_POD:/certs/$USER.csr"
+ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; print(random.randint(1000000000, 9999999999))') -out /certs/$USER.crt -days 5000"
+ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$USER.crt ~/.kube/users/$USER/$USER.crt"
+echo "retrieving signed cert"
+scp $SERVER:$SERVER_USER_DIR/$USER.crt $CERT_DIR/$USER.crt
+
+echo "retrieving server ca"
+wget --no-check-certificate https://$SERVER:6443/cacerts -O $CA_CERT_DIR/server-ca.pem
+
+echo "creating $SERVER-$USER context"
+kubectl config set-context $SERVER-$USER
+
+echo "setting $SERVER-$USER as current context"
+kubectl config set current-context $SERVER-$USER
+
+echo "adding server to config with new context $SERVER-$USER"
+kubectl config set-cluster $SERVER --server=https://$SERVER:6443 --certificate-authority=$CA_CERT_DIR/server-ca.pem
+kubectl config set contexts.$(kubectl config current-context).cluster $SERVER
+
+echo "adding user to config file"
+kubectl config set-credentials $SERVER_USER --client-certificate=$CERT_DIR/$USER.crt --client-key=$CERT_DIR/$USER.key
+
+echo "setting user context"
+kubectl config set contexts.$(kubectl config current-context).user $SERVER_USER
+
+if [ $USER = "admin" ]; then
+echo "Admin user created, skipping namespace"
+echo "export KUBECONFIG=$KUBECONFIG"
+exit 0
+fi
+
+echo "Templating namespace with helm and copying to server"
+helm template $USER --set user=$USER ./helm/namespace | ssh $SERVER "cat - > $SERVER_USER_DIR/namespace.yaml"
+
+if [ $? -ne 0 ]; then
+    echo "Failed to template namespace. Is helm installed?"
+    exit 1
+fi
+
+echo "Creating namespace from template"
+ssh $SERVER "kubectl apply -f $SERVER_USER_DIR/namespace.yaml"
+
+echo "Setting namespace context"
+kubectl config set contexts.$(kubectl config current-context).namespace $USER
+
+if [ $? -ne 0 ]; then
+    echo "Failed to create namespace"
+    exit 1
+fi
+
+echo "export KUBECONFIG=$KUBECONFIG"
--- a/scripts/removeuser.sh
+++ b/scripts/removeuser.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Use
+# ./removeuserspace <server_fqdn> <user>
+
+export SERVER=$1
+export USER=$2
+
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+export CA_CERT_DIR=$HOME/.kube/$SERVER
+
+export SERVER_USER_DIR="~/.kube/users/$USER"
+export SERVER_NAME=$(echo "$SERVER" | sed 's/\./-/g')
+export SERVER_USER="$USER-$SERVER_NAME"
+
+export KUBECONFIG="$HOME/.kube/$USER-config"
+
+echo "Checking if project namespace exists"
+exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$USER')].metadata.name}\"")
+if [ -z $exists ]; then
+    echo "Namespace not found, nothing to delete"
+    exit 1
+else
+    echo "Namespace exists, deleting"
+fi
+
+echo "Deleting user namespace"
+ssh $SERVER "kubectl delete -f $SERVER_USER_DIR/namespace.yaml"
+
+echo "Deleting remote cert dir"
+ssh $SERVER "rm -rf $SERVER_USER_DIR"
+
+echo "Deleting local cert dir"
+rm -rf $CERT_DIR
+
+echo "Removing from kubeconfig"
+kubectl config delete-user $SERVER_USER
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Use
+# ./setup.sh <server_fqdn>
+
+export SERVER=$1
+
+ssh -t $SERVER sudo kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
+scp certsigner.yaml $SERVER:~/certsigner.yaml
+ssh $SERVER kubectl apply -f certsigner.yaml
+scp clusterrole.yaml $SERVER:~/clusterrole.yaml
+ssh $SERVER kubectl apply -f clusterrole.yaml
--- a/scripts/updateprojectspace.sh
+++ b/scripts/updateprojectspace.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Use
+# ./updateprojectspace <server_fqdn> <user> <project>
+
+export SERVER=$1
+export USER=$2
+export PROJECT=$3
+
+export SERVER_PROJECT_DIR="~/.kube/projects/$PROJECT"
+
+export KUBECONFIG="$HOME/.kube/$USER-config"
+
+echo "Checking if project namespace exists"
+exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$PROJECT')].metadata.name}\"")
+if [ -z $exists ]; then
+    echo "Namespace not found, nothing to update"
+    exit 1
+else
+    echo "Namespace exists, updating"
+fi
+
+echo "Templating namespace with helm and copying to server"
+helm template $PROJECT ./helm/namespace --set user=$USER | ssh $SERVER "cat - > $SERVER_PROJECT_DIR/namespace.yaml"
+
+if [ $? -ne 0 ]; then
+    echo "Failed to template namespace. Is helm installed?"
+    exit 1
+fi
+
+echo "Updating namespace with template"
+ssh $SERVER "kubectl apply -f $SERVER_PROJECT_DIR/namespace.yaml"
+
+if [ $? -ne 0 ]; then
+    echo "Failed to update namespace"
+    exit 1
+fi
+
+echo "done"