userspace/genuserspace.sh
2021-01-21 16:21:36 -05:00


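#!/bin/bash
#
# genuserspace.sh - create a per-user namespace on a cluster and issue that
# user a client certificate signed by the cluster's "certsigner" pod, then add
# a matching cluster/user/context to the local kubeconfig.
#
# Usage: genuserspace.sh <user> <server>
#
# Optional environment:
#   OPENSSL_IMAGE  container image that provides openssl (default python:latest)
#   CERT_DAYS      client certificate lifetime in days   (default 5000)
#
# Must be run from the directory that contains the ./namespace chart.
set -euo pipefail

# Print an error to stderr and abort.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

main() {
  (( $# >= 2 )) || die "usage: ${0##*/} <user> <server>"

  # Plain locals instead of `export USER=...`: the original overwrote the
  # login-name variable for every child process and exported values nothing
  # downstream reads.
  local user=$1
  local server=$2

  # Both values are pasted into remote shell command lines (ssh), file paths
  # and the certificate subject, so restrict them to characters that cannot
  # add a shell word, a path component or an extra subject field.
  local -r safe_name='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  [[ $user =~ $safe_name ]] || die "invalid user name: $user"
  [[ $server =~ $safe_name ]] || die "invalid server name: $server"

  # NOTE(review): a floating tag means the private key is generated by
  # whatever image "latest" currently resolves to; set OPENSSL_IMAGE to a
  # digest-pinned image where that matters.
  local -r openssl_image=${OPENSSL_IMAGE:-python:latest}

  # NOTE(review): 5000 days is the original default. The resulting client
  # certificate is a long-lived credential; prefer a short CERT_DAYS and
  # re-issue, and confirm how access is withdrawn for a departed user.
  local -r cert_days=${CERT_DAYS:-5000}
  [[ $cert_days =~ ^[1-9][0-9]*$ ]] || die "CERT_DAYS must be a positive integer"

  local -r ca_cert_dir=${HOME:?}/.kube/$server
  local -r cert_dir=$ca_cert_dir/users/$user
  local -r remote_dir="~/.kube/users/$user" # expanded by the remote shell
  local -r context=$server-$user

  [[ -d ./namespace ]] || die "./namespace chart not found in $PWD"

  echo "generating certs"
  mkdir -p -- "$cert_dir"
  chmod 700 -- "$cert_dir" # this directory will hold the private key
  # Mount at a fixed path: mounting at "/$user" shadows container directories
  # for names such as "usr" or "bin". No -it: openssl needs no terminal, and
  # requesting one makes the run fail when no TTY is attached. --rm avoids
  # leaving a stopped container behind for every invocation.
  docker run --rm -v "$cert_dir:/work" "$openssl_image" \
    openssl genrsa -out "/work/$user.key" 2048
  docker run --rm -v "$cert_dir:/work" "$openssl_image" \
    openssl req -new -key "/work/$user.key" -out "/work/$user.csr" \
    -subj "/CN=$user/O=user"

  echo "creating userspace"
  rsync -av ./namespace "$server:~/"
  ssh "$server" "/usr/local/bin/helm template $user ./namespace | kubectl apply -f -"

  echo "copying csr"
  # Stage the CSR in the per-user directory rather than /tmp: a fixed name in
  # a world-writable directory lets another account on the server swap the
  # request before it is signed.
  ssh "$server" "mkdir -p $remote_dir && chmod 700 $remote_dir"
  scp -- "$cert_dir/$user.csr" "$server:$remote_dir/$user.csr"

  echo "signing cert"
  # Ask the target server for the signer pod (the original queried a
  # hard-coded host here while every later step used <server>).
  local cert_pod
  cert_pod=$(ssh "$server" \
    "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath='{.items..metadata.name}'")
  # The pod name is interpolated into further remote commands; require
  # exactly one well-formed name (several pods come back space-separated).
  [[ $cert_pod =~ ^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$ ]] \
    || die "expected exactly one certsigner pod, got: '$cert_pod'"

  # 128-bit serial from the kernel CSPRNG; replaces a ~33-bit value from a
  # non-cryptographic PRNG that also required a local `python` binary.
  local serial
  serial=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  [[ $serial =~ ^[0-9a-f]{32}$ ]] || die "could not generate certificate serial"

  ssh "$server" "kubectl -n kube-system cp $remote_dir/$user.csr $cert_pod:/certs/$user.csr"
  ssh "$server" "kubectl -n kube-system exec $cert_pod -- openssl x509 -req -in /certs/$user.csr -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial 0x$serial -out /certs/$user.crt -days $cert_days"
  ssh "$server" "kubectl -n kube-system cp $cert_pod:/certs/$user.crt $remote_dir/$user.crt"

  echo "retrieving signed cert"
  scp -- "$server:$remote_dir/$user.crt" "$cert_dir/$user.crt"

  echo "retrieving server ca"
  # NOTE(review): --no-check-certificate makes this trust-on-first-use. The
  # file fetched here becomes the trust anchor for the cluster entry below,
  # so whoever answers on port 6443 during this request chooses the CA.
  # Compare server-ca.pem with a copy obtained over an authenticated channel
  # (for example the SSH session already used above) before relying on it.
  wget --no-check-certificate "https://$server:6443/cacerts" \
    -O "$ca_cert_dir/server-ca.pem"

  echo "adding server to config with new context $context"
  kubectl config set-cluster "$server" --server="https://$server:6443" \
    --certificate-authority="$ca_cert_dir/server-ca.pem"
  kubectl config set-credentials "$user" \
    --client-certificate="$cert_dir/$user.crt" \
    --client-key="$cert_dir/$user.key"
  kubectl config set-context "$context" --cluster="$server" \
    --namespace="$user" --user="$user"
  # use-context refuses a context that does not exist, unlike a raw
  # `config set current-context`.
  kubectl config use-context "$context"
  echo "done"
}

main "$@"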