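#!/bin/bash
# Create a Kubernetes user for a kind cluster: generate a private key and CSR
# with openssl, get it signed (either through the Kubernetes
# CertificateSigningRequest API or directly with the cluster CA key/cert copied
# out of the kind control-plane container), then embed the credentials into the
# current kubeconfig as user "<name>" with context "<name>-context".
#
# Usage: osetupuser.sh -u <user-name> [-g <group-name>] [-n <cluster-name>]
# Required tools: kubectl, openssl, docker.
ColorOff='\033[0m' # Text Reset   (colour codes are currently unused)
Black='\033[0;30m' # Black
Red='\033[0;31m' # Red
Green='\033[0;32m' # Green
# Directory the script lives in (currently unused); quoted so a path with
# spaces does not get word-split.
SCRIPTDIR=$(dirname "$0")
set -e
# The script relies on macOS-specific tool behaviour, so it only runs on Darwin
# (the check below rejects every other uname).
envos=$(uname 2>/dev/null || true)
if [[ "${envos}" != "Darwin" ]]; then
  echo "Your environment is not supported by this script."
  exit 1
fi
# Check prerequisites; `command -v` is the portable replacement for `which`.
requisites=("kubectl" "openssl" "docker")
for item in "${requisites[@]}"; do
  if ! command -v "${item}" >/dev/null 2>&1; then
    echo "${item} cannot be found on your system, please install ${item}"
    exit 1
  fi
done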
# Function to print the usage message
function printHelp() {
echo "Usage: "
echo " $0 --cluster-name cluster1 --k8s-release 1.22.1 --ip-octet 255"
echo ""
echo "Where:"
echo " -n|--cluster-name - name of the k8s cluster to be created"
echo " -u|--user-name - the user name, required"
echo " -d|--delete - delete a specified cluster or all kind clusters"
echo " -h|--help - print the usage of this script"
}
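CLUSTERNAME="cluster1"
UNAME=""
GNAME=""
ACTION=""
# Scratch directory for keys, CSRs and certificates. Private keys (and, on the
# CA-signing path, the cluster CA key) land here, so it is created below with
# owner-only permissions.
WORKDIR="/tmp/work"
# Handling parameters
while [[ $# -gt 0 ]]; do
  optkey="$1"
  case "$optkey" in
    -h|--help)
      printHelp; exit 0;;
    -n|--cluster-name)
      CLUSTERNAME="$2"; shift 2;;
    -u|--user-name)
      UNAME="$2"; shift 2;;
    -g|--group-name)
      GNAME="$2"; shift 2;;
    -d|--delete)
      ACTION="DEL"; shift;;
    *) # unknown option
      echo "parameter $1 is not supported"; exit 1;;
  esac
done
if [[ -z "$UNAME" ]]; then
  # User name cannot be empty
  echo "user name was not specified, use -u parameter to specify a user name"
  exit 1
fi
if [[ "$ACTION" == "DEL" ]]; then
  # Deleting a user is not implemented; say so instead of silently succeeding.
  echo "delete is not implemented, nothing was changed" >&2
  exit 0
fi
# The scratch directory was previously assumed to exist; create it and keep it
# private to the current user because key material is written into it.
mkdir -p "${WORKDIR}"
chmod 700 "${WORKDIR}"
# Check if the topology coming from stdin or pipe
# NOTE(review): TOPOLOGYCONTENT is never read anywhere in this script.
if [[ -p /dev/stdin ]]; then
  TOPOLOGYCONTENT="$(cat)"
fi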
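#######################################
# Copy the cluster CA certificate and private key out of the kind control-plane
# container into WORKDIR, unless both files are already present.
# Globals:   CLUSTERNAME (read), WORKDIR (read)
# Arguments: none
# Outputs:   ${WORKDIR}/ca.crt and ${WORKDIR}/ca.key
# Returns:   non-zero if a `docker cp` fails (aborts the script under set -e)
#
# NOTE: the CA *private key* is written to the local filesystem and is not
# removed by removeTempFiles. Anyone who can read it can mint credentials for
# the cluster, so keep WORKDIR private and delete ca.key when finished.
#######################################
function getClusterCAKeyPair() {
  local node="${CLUSTERNAME}-control-plane"
  # Fetch both files when either is missing; checking only ca.key left a
  # missing ca.crt unnoticed.
  if [[ ! -f "${WORKDIR}/ca.key" || ! -f "${WORKDIR}/ca.crt" ]]; then
    docker cp "${node}:/etc/kubernetes/pki/ca.crt" "${WORKDIR}/ca.crt"
    docker cp "${node}:/etc/kubernetes/pki/ca.key" "${WORKDIR}/ca.key"
  fi
}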
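#######################################
# Register the user's certificate/key and a matching context in the current
# kubeconfig.
# Globals:   WORKDIR (read), CLUSTERNAME (read)
# Arguments: $1 - base file name of ${WORKDIR}/<name>.crt and <name>.key
# Outputs:   kubeconfig user "<name>" and context "<name>-context"
# Returns:   exit status of the last kubectl call
#######################################
function setupKubeConfig() {
  local fname=${1:?setupKubeConfig: file name argument is required}
  # --embed-certs copies the PEM data into the kubeconfig, which is why the
  # files in WORKDIR can be deleted afterwards (see removeTempFiles).
  kubectl config set-credentials "${fname}" --embed-certs=true \
    --client-certificate="${WORKDIR}/${fname}.crt" \
    --client-key="${WORKDIR}/${fname}.key"
  # Create context for the user, bound to the kind cluster entry
  kubectl config set-context "${fname}-context" \
    --cluster="kind-${CLUSTERNAME}" --user="${fname}"
}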
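#######################################
# Delete the user's scratch files (<name>.key/.csr/.crt) and openssl's serial
# file from WORKDIR.
# Globals:   WORKDIR (read)
# Arguments: $1 - base file name used for the user's files
# Returns:   non-zero only if rm fails (missing files are ignored)
#######################################
function removeTempFiles() {
  # Both values are mandatory: an empty name would turn the glob into
  # "${WORKDIR}/.*" and an empty WORKDIR would aim it at "/".
  local fname=${1:?removeTempFiles: file name argument is required}
  : "${WORKDIR:?removeTempFiles: WORKDIR must be set}"
  # Variables quoted, glob suffix left unquoted so it still expands.
  rm -rf -- "${WORKDIR}/${fname}".*
  rm -rf -- "${WORKDIR}"/*.srl
}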
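#######################################
# Create the user's client certificate through the Kubernetes CSR API:
# generate a key and CSR with openssl, submit a CertificateSigningRequest,
# approve it with the identity in the current kubeconfig, fetch the signed
# certificate and register it in the kubeconfig.
# Globals:   UNAME (read), GNAME (read), WORKDIR (read),
#            CLUSTERNAME (read via setupKubeConfig)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   non-zero when any step fails (aborts the script under set -e)
#
# The certificate carries CN=UNAME and, when given, O=GNAME, which Kubernetes
# maps to the user and group names used by RBAC. `kubectl certificate approve`
# requires approve permission on certificatesigningrequests.
#######################################
function createUserUsingSigningRequest() {
  # Derive a file/object name: spaces and commas become '-', then lower-case.
  local fname="${UNAME// /-}"; fname="${fname//,/-}"
  fname=$(tr '[:upper:]' '[:lower:]' <<< "$fname")
  echo "Creating certificates for ${UNAME} using ${fname}"
  # Subject is built once so the group branch cannot drift from the plain one.
  local subject="/CN=${UNAME}"
  if [[ -n "${GNAME}" ]]; then
    subject="${subject}/O=${GNAME}"
  fi
  # Generate the private key under a restrictive umask (scoped to the
  # subshell) so the key file is never readable by other users of /tmp.
  (umask 077 && openssl genrsa -out "${WORKDIR}/${fname}.key" 2048)
  openssl req -new -key "${WORKDIR}/${fname}.key" -out "${WORKDIR}/${fname}.csr" -subj "${subject}"
  # Single-line base64; `tr -d` works with both BSD and GNU base64, unlike -b 0.
  local encodedcsr
  encodedcsr=$(base64 < "${WORKDIR}/${fname}.csr" | tr -d '\n')
  # spec.request is immutable, so a leftover CSR with the same name would make
  # the apply below fail; remove it first (the original had this as a TODO).
  kubectl delete csr "${fname}" --ignore-not-found >/dev/null
  kubectl apply -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${fname}
spec:
  request: ${encodedcsr}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 864000 # 10 days
  usages:
  - client auth
EOF
  # approve the certificate by the current user
  kubectl certificate approve "${fname}"
  # Signing is asynchronous: status.certificate may still be empty right after
  # approval, so poll for it instead of reading once.
  local cert="" attempt
  for ((attempt = 0; attempt < 30; attempt++)); do
    cert=$(kubectl get csr "${fname}" -o jsonpath='{.status.certificate}')
    if [[ -n "${cert}" ]]; then
      break
    fi
    sleep 1
  done
  if [[ -z "${cert}" ]]; then
    echo "certificate for ${fname} was not issued within 30 seconds" >&2
    return 1
  fi
  printf '%s' "${cert}" | base64 -d > "${WORKDIR}/${fname}.crt"
  setupKubeConfig "${fname}"
  removeTempFiles "${fname}"
}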
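#######################################
# Create the user's client certificate by signing a CSR locally with the
# cluster CA key/cert copied out of the kind control-plane container, then
# register the credentials in the kubeconfig.
# Globals:   UNAME (read), GNAME (read), WORKDIR (read),
#            CLUSTERNAME (read via getClusterCAKeyPair / setupKubeConfig)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   non-zero when any step fails (aborts the script under set -e)
#
# Certificates issued this way bypass the cluster's CSR API (they never show
# up in `kubectl get csr`) and are valid for 500 days; since Kubernetes does
# not check revocation lists, the only way to withdraw one is to rotate the
# cluster CA. Prefer createUserUsingSigningRequest when auditability matters.
#######################################
function createUserUsingCACertAndKey() {
  getClusterCAKeyPair
  # Derive a file name: spaces and commas become '-', then lower-case.
  local fname="${UNAME// /-}"; fname="${fname//,/-}"
  fname=$(tr '[:upper:]' '[:lower:]' <<< "$fname")
  echo "Creating certificates for ${UNAME} using ${fname}"
  # Subject is built once so the group branch cannot drift from the plain one.
  local subject="/CN=${UNAME}"
  if [[ -n "${GNAME}" ]]; then
    subject="${subject}/O=${GNAME}"
  fi
  # Generate the private key under a restrictive umask (scoped to the
  # subshell) so the key file is never readable by other users of /tmp.
  (umask 077 && openssl genrsa -out "${WORKDIR}/${fname}.key" 2048)
  openssl req -new -key "${WORKDIR}/${fname}.key" -out "${WORKDIR}/${fname}.csr" -subj "${subject}"
  # Sign with the copied CA; -CAcreateserial writes a .srl file that
  # removeTempFiles cleans up.
  openssl x509 -req -in "${WORKDIR}/${fname}.csr" -CA "${WORKDIR}/ca.crt" -CAkey "${WORKDIR}/ca.key" \
    -CAcreateserial -out "${WORKDIR}/${fname}.crt" -days 500
  setupKubeConfig "${fname}"
  removeTempFiles "${fname}"
}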
# Entry point. The local CA-signing path is active; swap the comment marker
# to the other line to go through the CertificateSigningRequest API instead.
main() {
  # createUserUsingSigningRequest
  createUserUsingCACertAndKey
}
main "$@"