forked from brendandburns/kubernetes-adduser
add-user.sh
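#!/bin/bash
#
# add-user.sh - issue a Kubernetes client certificate for a user.
#
# Usage: add-user.sh [USER_NAME]      (USER_NAME defaults to "my-user")
#
# Steps:
#   1. Render cfssl.json from cfssl.json.tmpl (replacing %USER%) and generate
#      a private key plus signing request with cfssl/cfssljson.
#   2. Submit the request as a CertificateSigningRequest, approve it, and
#      download the issued certificate to <USER_NAME>-client.crt.
#   3. Remove the intermediate files and the CSR object, then print the
#      kubeconfig 'users' entry that refers to the new certificate and key.
#
# Requires cfssl, cfssljson, kubectl and perl on PATH, cfssl.json.tmpl in the
# current directory, and a kubeconfig context that is allowed to create and
# approve CertificateSigningRequests.
#
# Security notes:
#   - The script approves the CSR named ${csr_name}. It must stop if creating
#     that object fails; otherwise it could approve a same-named request that
#     something else submitted. `set -e` enforces this.
#   - <USER_NAME>-client-key.pem is a private key and is left in the current
#     directory. Store it accordingly.

set -euo pipefail

# Keep newly created files private to the invoking user. cfssljson may
# already restrict the key file's mode; this does not rely on that.
umask 077

readonly csr_name="my-client-csr"
readonly name="${1:-my-user}"
readonly cert_name="${name}-client"

# Set to 1 once this run has created the CSR object, so that the exit handler
# only ever deletes an object this run submitted.
csr_created=0

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove intermediate artifacts on every exit path, including failures.
cleanup() {
  rm -f -- cfssl.json "${cert_name}.csr"
  if ((csr_created)); then
    # Best effort: never leave a pending or approved request behind.
    kubectl delete csr "${csr_name}" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

# The name ends up in file paths, in the JSON template and in the CSR
# subject, so accept only a conservative character set. The leading
# alphanumeric also rules out values that look like options or like "..".
if [[ ! "${name}" =~ ^[A-Za-z0-9][A-Za-z0-9._@:-]*$ ]]; then
  die "Invalid user name '${name}': use letters, digits and . _ @ : - only, starting with a letter or digit."
fi

# `command -v` instead of `which`: it is a builtin and prints nothing here.
if ! command -v cfssl >/dev/null; then
  die "Can't find the cfssl tool, please install from https://pkg.cfssl.org/"
fi

if ! command -v cfssljson >/dev/null; then
  die "Can't find the cfssljson tool, please install from https://pkg.cfssl.org/"
fi

command -v kubectl >/dev/null || die "Can't find the kubectl tool."
[[ -r cfssl.json.tmpl ]] || die "Can't read cfssl.json.tmpl in ${PWD}."

echo "Generating signing request."
# Hand the name to perl through the environment rather than splicing it into
# the program text, so the value is always treated as data.
CERT_USER="${name}" perl -p -e 's/%USER%/$ENV{CERT_USER}/' cfssl.json.tmpl >cfssl.json
cfssl genkey cfssl.json \
  | cfssljson -bare "${cert_name}"

csr_b64="$(base64 <"${cert_name}.csr" | tr -d '\n')"
[[ -n "${csr_b64}" ]] || die "Generated signing request ${cert_name}.csr is empty."

# signerName appears once; the original manifest listed the same key twice.
kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csr_name}
spec:
  signerName: kubernetes.io/kube-apiserver-client
  groups:
  - system:authenticated
  request: ${csr_b64}
  usages:
  - key encipherment
  - client auth
EOF
csr_created=1

echo
echo "Approving signing request."
kubectl certificate approve "${csr_name}"

echo
echo "Downloading certificate."
# The certificate is filled in after approval, so the field can still be empty
# on the first read. Poll briefly instead of writing an empty .crt file.
cert_b64=""
for _ in 1 2 3 4 5 6 7 8 9 10; do
  cert_b64="$(kubectl get csr "${csr_name}" -o jsonpath='{.status.certificate}')"
  [[ -n "${cert_b64}" ]] && break
  sleep 1
done
[[ -n "${cert_b64}" ]] || die "Certificate for ${csr_name} was not issued in time."
printf '%s' "${cert_b64}" | base64 --decode >"${cert_name}.crt"

echo
echo "Cleaning up"
kubectl delete csr "${csr_name}"
csr_created=0
rm -f -- "${cert_name}.csr" cfssl.json

echo
echo "Add the following to the 'users' list in your kubeconfig file:"
# Indented so the snippet is valid YAML when pasted under 'users:'.
printf '%s\n' \
  "- name: ${name}" \
  "  user:" \
  "    client-certificate: ${PWD}/${cert_name}.crt" \
  "    client-key: ${PWD}/${cert_name}-key.pem"

echo
echo "Next you may want to add a role-binding for this user."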