

k8s-cp: generate admin kubeconfig real good
samcday committed Jul 9, 2024
1 parent f3443f2 commit ced94d0
Showing 4 changed files with 132 additions and 51 deletions.
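--- a/charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml
+++ b/charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml
@@ -0,0 +1,37 @@
+template:
+spec:
+containers:
+- name: admin-kubeconfig-generator
+image: bitnami/kubectl:{{ $.Values.version }}
+command:
+- bash
+- -uexo
+- pipefail
+- -c
+- |
+kubectl create secret generic admin-kubeconfig-external --from-file=value=<(KUBECONFIG=/kubeconfig-external kubectl config view --flatten --raw) --dry-run=client --output yaml \
+| kubectl apply -f-
+kubectl create secret generic admin-kubeconfig --from-file=value=<(KUBECONFIG=/kubeconfig kubectl config view --flatten --raw) --dry-run=client --output yaml \
+| kubectl apply -f-
+volumeMounts:
+- name: cert
+mountPath: /cert
+- name: kubeconfig
+mountPath: /kubeconfig
+subPath: kubeconfig
+- name: kubeconfig-external
+mountPath: /kubeconfig-external
+subPath: kubeconfig
+serviceAccount: admin-kubeconfig-generator
+volumes:
+- name: cert
+secret:
+secretName: admin
+- name: kubeconfig
+configMap:
+name: kubeconfig
+- name: kubeconfig-external
+configMap:
+name: kubeconfig-external
+restartPolicy: OnFailure
+ttlSecondsAfterFinished: 60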
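Review bot: `serviceAccount: admin-kubeconfig-generator` uses the deprecated PodSpec field; the current one is `serviceAccountName: admin-kubeconfig-generator`, and that is the identity the RoleBinding in templates/admin-kubeconfig.yaml binds the Role to. Both `kubectl apply -f-` calls also copy the whole Secret body — including the flattened `client-key-data` of a system:masters credential — into the `kubectl.kubernetes.io/last-applied-configuration` annotation on the created Secret, so the key material is stored twice per object; `kubectl apply --server-side -f-` writes it once, assuming the `{{ $.Values.version }}` kubectl is recent enough for server-side apply. The `cert` volume exposes `tls.key` at `/cert` with the default file mode, and `defaultMode: 0400` on the `secret:` entry would keep the key readable only by the container user. The `-x` in `-uexo` traces command lines, not process-substitution output, so the kubeconfig contents do not end up in the pod log.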
80 changes: 42 additions & 38 deletions charts/k8s-control-plane/templates/admin-kubeconfig.yaml
@@ -1,43 +1,47 @@
apiVersion: cert-manager.io/v1
kind: Certificate
{{- $jobSpec := fromYaml (tpl ($.Files.Get "files/admin-kubeconfig-generator.yaml") $) -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: admin
name: admin-kubeconfig-generator
spec:
commonName: kubernetes-admin
duration: 336h # 2 weeks
issuerRef:
name: ca
kind: Issuer
secretName: admin
subject:
organizations: [system:masters]
usages: [client auth]
schedule: "@weekly"
jobTemplate:
spec:
{{- toYaml $jobSpec | nindent 6 }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: admin-kubeconfig-generator
spec:
{{- toYaml $jobSpec | nindent 2 }}
---
{{- $cert := (lookup "v1" "Secret" $.Release.Namespace "admin") -}}
apiVersion: v1
kind: Secret
kind: ServiceAccount
metadata:
name: admin-kubeconfig-generator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: admin-kubeconfig-generator
rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create]
- apiGroups: [""]
resourceNames: [admin-kubeconfig, admin-kubeconfig-external]
resources: [secrets]
verbs: [get, update, patch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: admin-kubeconfig
annotations:
helm.sh/hook: post-install,post-upgrade
stringData:
kubeconfig: |
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: {{ get ($cert.data) "ca.crt" }}
server: https://{{ $.Values.externalHostname }}:6443
name: {{ $.Values.clusterName }}
contexts:
- context:
cluster: {{ $.Values.clusterName }}
user: {{ $.Values.clusterName }}-admin
name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
kind: Config
preferences: {}
users:
- name: {{ $.Values.clusterName }}-admin
user:
client-certificate-data: {{ get ($cert.data) "tls.crt" }}
client-key-data: {{ get ($cert.data) "tls.key" }}
name: admin-kubeconfig-generator
subjects:
- kind: ServiceAccount
name: admin-kubeconfig-generator
roleRef:
kind: Role
name: admin-kubeconfig-generator
apiGroup: rbac.authorization.k8s.io
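Review bot: `schedule: "@weekly"` is too coarse for the `admin` certificate's `duration: 336h`: if cert-manager's default renewBefore (one third of the lifetime) applies, the `admin` secret is reissued after roughly nine days, so a weekly snapshot taken just before renewal embeds a certificate with under five days left and both generated kubeconfig Secrets can hold an expired credential for about two days before the next run. `schedule: "@daily"` keeps that window under a day; re-running the Job whenever the `admin` secret changes would close it entirely. The one-off `Job` named `admin-kubeconfig-generator` carries no hook annotation, so presumably Helm re-creates it on each upgrade once `ttlSecondsAfterFinished` has removed it, but an upgrade that lands while a previous run still exists would hit the immutable pod template; `helm.sh/hook: post-install,post-upgrade` plus `helm.sh/hook-delete-policy: before-hook-creation` (the hook the removed Secret used) makes that path deterministic. `verbs: [create]` on every secret in the namespace is unavoidable because create cannot be scoped by `resourceNames`, and a comment on that rule saying so would stop a later reviewer from tightening it by mistake.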
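--- a/charts/k8s-control-plane/templates/admin.yaml
+++ b/charts/k8s-control-plane/templates/admin.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: admin
+spec:
+commonName: kubernetes-admin
+duration: 336h # 2 weeks
+issuerRef:
+name: ca
+kind: Issuer
+secretName: admin
+subject:
+organizations: [system:masters]
+usages: [client auth]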
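Review bot: the `admin` Certificate is issued for `organizations: [system:masters]` but sets no `privateKey.rotationPolicy`, and cert-manager's default (`Never`) reuses the same private key across every 336h renewal, so the key embedded in each generated kubeconfig never changes even though the certificate does. Adding `privateKey:` with `rotationPolicy: Always` under `spec` gives every renewal a fresh key pair, which the generator Job then picks up together with the new certificate. The file is otherwise the Certificate previously inlined in templates/admin-kubeconfig.yaml, moved unchanged.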
52 changes: 39 additions & 13 deletions charts/k8s-control-plane/templates/kubeconfig.yaml
Expand Up @@ -6,20 +6,46 @@ data:
kubeconfig: |
apiVersion: v1
clusters:
- cluster:
certificate-authority: /cert/ca.crt
server: https://apiserver.{{ $.Release.Namespace }}.svc.{{ $.Values.parentClusterDomain }}:6443
name: default
- cluster:
certificate-authority: /cert/ca.crt
server: https://apiserver.{{ $.Release.Namespace }}.svc.{{ $.Values.parentClusterDomain }}:6443
name: {{ $.Values.clusterName }}
contexts:
- context:
cluster: default
user: default
name: default
current-context: default
- context:
cluster: {{ $.Values.clusterName }}
user: {{ $.Values.clusterName }}-admin
name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
kind: Config
preferences: {}
users:
- name: default
user:
client-certificate: /cert/tls.crt
client-key: /cert/tls.key
- name: {{ $.Values.clusterName }}-admin
user:
client-certificate: /cert/tls.crt
client-key: /cert/tls.key
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubeconfig-external
data:
kubeconfig: |
apiVersion: v1
clusters:
- cluster:
certificate-authority: /cert/ca.crt
server: https://{{ $.Values.externalHostname }}:6443
name: {{ $.Values.clusterName }}
contexts:
- context:
cluster: {{ $.Values.clusterName }}
user: {{ $.Values.clusterName }}-admin
name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
kind: Config
preferences: {}
users:
- name: {{ $.Values.clusterName }}-admin
user:
client-certificate: /cert/tls.crt
client-key: /cert/tls.key
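Review bot: the templated scalars inside both embedded kubeconfigs are unquoted, e.g. `name: {{ $.Values.clusterName }}` and `cluster: {{ $.Values.clusterName }}`; a clusterName that looks like a number, date or boolean (`1.20`, `no`) is retyped by the YAML parser that reads the ConfigMap value, and an empty value renders as `null`. Quoting them as `name: "{{ $.Values.clusterName }}"` keeps them strings; `server: https://{{ $.Values.externalHostname }}:6443` is safe only because the `https://` prefix already forces a string. The two kubeconfig bodies differ only in their `server:` line and could share a named template (`define`) that takes the server URL, so the cluster, context and user names cannot drift between the internal and external files. The enclosing ConfigMap's `metadata` for the first document starts above the hunk.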
