Script now creates certsigner if not present
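--- a/admin.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-export USER=$1
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=admin/O=manager"
-kubectl --context admin cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
-kubectl --context admin exec certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
-kubectl --context admin cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
-kubectl config set-credentials $USER --client-certificate=$HOME/.kube/users/$USER/$USER.crt --client-key=$HOME/.kube/users/$USER/$USER.key
-kubectl config set-context $USER --cluster=mainframe --namespace=kube-system --user=$USER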
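--- /dev/null
+++ b/createuserspace.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+export USER=$1
+export SERVER=$2
+export ADMIN=$3
+
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+export CA_CERT_DIR=$HOME/.kube/$SERVER
+
+export SERVER_USER_DIR="~/.kube/users/$USER"
+
+echo "Creating cert dir"
+mkdir -p $CERT_DIR
+
+if [ $? -ne 0 ]; then
+echo "Couldn't create cert dir at $CERT_DIR"
+exit 1
+fi
+
+echo "Generating openssl cert"
+docker run -it -v $CERT_DIR:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+docker run -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+# /CN=admin/O=manager
+
+if [ $? -ne 0 ]; then
+echo "Couldn't create cert with Docker. Are you sure it's running?"
+exit 1
+fi
+
+echo "Creating namespace dir on server"
+ssh $SERVER "mkdir -p $SERVER_USER_DIR"
+echo "Copying client csr to server cert dir"
+scp $CERT_DIR/$USER.csr $SERVER:$SERVER_USER_DIR/$USER.csr
+
+if [ $? -ne 0 ]; then
+echo "Failed to copy client csr to server cert dir"
+exit 1
+fi
+
+echo "Templating namespace with helm and copying to server"
+helm template $USER ./namespace | ssh $SERVER "cat - > $SERVER_USER_DIR/namespace.yaml"
+
+if [ $? -ne 0 ]; then
+echo "Failed to template namespace. Is helm installed?"
+exit 1
+fi
+
+echo "Creating namespace from template"
+ssh $SERVER "kubectl apply -f $SERVER_USER_DIR/namespace.yaml"
+
+if [ $? -ne 0 ]; then
+echo "Failed to create namespace"
+exit 1
+fi
+
+echo "Getting cert signing pod"
+export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+
+if [ -z $CERT_POD ]; then
+echo "Installing certsigner"
+helm template certsigner ./certsigner | ssh $SERVER "sudo -E kubectl apply -f -"
+fi
+
+while [ -z $CERT_POD ]; do
+echo "Getting cert signing pod"
+export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+sleep 2
+done
+
+if [ $? -ne 0 ]; then
+echo "Failed to install certsigner."
+fi
+
+echo "Signing cert with pod $CERT_POD"
+ssh $SERVER "kubectl -n kube-system cp $SERVER_USER_DIR/$USER.csr $CERT_POD:/certs/$USER.csr"
+ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; print(random.randint(1000000000, 9999999999))') -out /certs/$USER.crt -days 5000"
+ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$USER.crt ~/.kube/users/$USER/$USER.crt"
+echo "retrieving signed cert"
+scp $SERVER:$SERVER_USER_DIR/$USER.crt $CERT_DIR/$USER.crt
+
+
+echo "retrieving server ca"
+wget --no-check-certificate https://$SERVER:6443/cacerts -O $CA_CERT_DIR/server-ca.pem
+echo "adding server to config with new context $SERVER-$USER"
+kubectl config set-cluster $SERVER --server=https://$SERVER:6443 --certificate-authority=$CA_CERT_DIR/server-ca.pem
+kubectl config set-credentials $USER-$SERVER --client-certificate=$CERT_DIR/$USER.crt --client-key=$CERT_DIR/$USER.key
+kubectl config set-context $SERVER-$USER --cluster=$SERVER --namespace=$USER --user=$USER-$SERVER
+kubectl config set current-context $SERVER-$USER
+echo "done"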
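Review bot: The wait loop `while [ -z $CERT_POD ]; do … sleep 2; done` has no timeout, and the `if [ $? -ne 0 ]` that follows it tests the exit status of the `while` compound command itself, which is 0 once the loop ends, so "Failed to install certsigner." can never print and a failed `helm template certsigner | ssh … kubectl apply -f -` leaves the script polling forever. A pod name appearing also does not mean the pod is Ready, so the later `kubectl cp` and `kubectl exec` can still fail; `kubectl wait --for=condition=Ready` with a `--timeout` covers both and gives the error branch a real exit code to test. Separately, `wget --no-check-certificate https://$SERVER:6443/cacerts` fetches the CA that the new context will then trust over an unauthenticated channel, although an authenticated ssh session to the same host already exists; retrieving it through that ssh session, or comparing its fingerprint against one obtained there, would close that gap. Quoting `"$CERT_POD"` inside `[ ]` also avoids a "too many arguments" failure if the selector ever matches more than one pod.
```shell
# … unchanged: namespace creation, first CERT_POD lookup and certsigner install …
if ! ssh $SERVER "kubectl -n kube-system wait --for=condition=Ready pod --selector=app=certsigner --timeout=120s"; then
echo "Failed to install certsigner."
exit 1
fi
export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
# … unchanged: signing, cert retrieval and kubeconfig setup …
```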
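--- /dev/null
+++ b/deleteuserspace.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+export USER=$1
+export SERVER=$2
+
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+export CA_CERT_DIR=$HOME/.kube/$SERVER
+
+export SERVER_USER_DIR="~/.kube/users/$USER"
+
+echo "Removing server from config"
+kubectl config delete-cluster $SERVER
+kubectl config unset users.$USER-$SERVER
+kubectl config delete-context $SERVER-$USER
+kubectl config unset current-context
+
+echo "Deleting user namespace"
+ssh $SERVER "kubectl delete -f $SERVER_USER_DIR/namespace.yaml"
+
+echo "Deleting remote cert dir"
+ssh $SERVER "rm -rf $SERVER_USER_DIR"
+
+echo "Deleting local cert dir"
+rm -rf $CERT_DIR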
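Review bot: `rm -rf $CERT_DIR` and `ssh $SERVER "rm -rf $SERVER_USER_DIR"` run without anything checking that `$1` and `$2` were actually supplied, so invoking the script with too few arguments leaves USER or SERVER empty, CERT_DIR collapses to a parent directory such as `$HOME/.kube//users/` and SERVER_USER_DIR to `~/.kube/users/`, and the deletions then remove every user's key material rather than one user's. Asserting the arguments up front, `: "${1:?usage: deleteuserspace.sh USER SERVER}" "${2:?usage: deleteuserspace.sh USER SERVER}"`, and writing the local removal as `rm -rf -- "${CERT_DIR:?}"` makes the script abort instead. The `kubectl delete -f $SERVER_USER_DIR/namespace.yaml` step is also unchecked, so a failed namespace deletion is silently followed by removing the very manifest that would be needed to retry it; an `|| exit 1` on that line, mirroring the checks in createuserspace.sh, would preserve it.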
@@ -1,33 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
export USER=$1
|
||||
export SERVER=$2
|
||||
|
||||
export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
|
||||
export CA_CERT_DIR=$HOME/.kube/$SERVER
|
||||
|
||||
echo "generating certs"
|
||||
mkdir -p $CERT_DIR
|
||||
docker run -it -v $CERT_DIR:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
|
||||
docker run -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
|
||||
echo "creating userspace"
|
||||
rsync -av ./namespace $SERVER:~/
|
||||
ssh $SERVER "/usr/local/bin/helm template $USER ./namespace | kubectl apply -f -"
|
||||
echo "copying csr"
|
||||
ssh $SERVER "mkdir -p ~/.kube/users/$USER"
|
||||
scp $CERT_DIR/$USER.csr $SERVER:/tmp/$USER.csr
|
||||
echo "signing cert"
|
||||
export CERT_POD=$(ssh k3os-alpha "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
|
||||
ssh $SERVER "kubectl -n kube-system cp /tmp/$USER.csr $CERT_POD:/certs/$USER.csr"
|
||||
ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; print(random.randint(1000000000, 9999999999))') -out /certs/$USER.crt -days 5000"
|
||||
ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$USER.crt ~/.kube/users/$USER/$USER.crt"
|
||||
echo "retrieving signed cert"
|
||||
scp $SERVER:~/.kube/users/$USER/$USER.crt $CERT_DIR/$USER.crt
|
||||
echo "retrieving server ca"
|
||||
wget --no-check-certificate https://$SERVER:6443/cacerts -O $CA_CERT_DIR/server-ca.pem
|
||||
echo "adding server to config with new context $SERVER-$USER"
|
||||
kubectl config set-cluster $SERVER --server=https://$SERVER:6443 --certificate-authority=$CA_CERT_DIR/server-ca.pem
|
||||
kubectl config set-credentials $USER --client-certificate=$CERT_DIR/$USER.crt --client-key=$CERT_DIR/$USER.key
|
||||
kubectl config set-context $SERVER-$USER --cluster=$SERVER --namespace=$USER --user=$USER
|
||||
kubectl config set current-context $SERVER-$USER
|
||||
echo "done"
|
||||