From ced94d0977ec8d895e2f06c8ab864fb99502a926 Mon Sep 17 00:00:00 2001
From: Sam Day
Date: Tue, 9 Jul 2024 21:11:59 +0200
Subject: [PATCH] k8s-cp: generate admin kubeconfig real good

---
 .../files/admin-kubeconfig-generator.yaml | 37 +++++++++
 .../templates/admin-kubeconfig.yaml | 80 ++++++++++---------
 charts/k8s-control-plane/templates/admin.yaml | 14 ++++
 .../templates/kubeconfig.yaml | 52 +++++++++---
 4 files changed, 132 insertions(+), 51 deletions(-)
 create mode 100644 charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml
 create mode 100644 charts/k8s-control-plane/templates/admin.yaml

diff --git a/charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml b/charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml
new file mode 100644
index 00000000..d25d4966
--- /dev/null
+++ b/charts/k8s-control-plane/files/admin-kubeconfig-generator.yaml
@@ -0,0 +1,37 @@
+template:
+ spec:
+ containers:
+ - name: admin-kubeconfig-generator
+ image: bitnami/kubectl:{{ $.Values.version }}
+ command:
+ - bash
+ - -uexo
+ - pipefail
+ - -c
+ - |
+ kubectl create secret generic admin-kubeconfig-external --from-file=value=<(KUBECONFIG=/kubeconfig-external kubectl config view --flatten --raw) --dry-run=client --output yaml \
+ | kubectl apply -f-
+ kubectl create secret generic admin-kubeconfig --from-file=value=<(KUBECONFIG=/kubeconfig kubectl config view --flatten --raw) --dry-run=client --output yaml \
+ | kubectl apply -f-
+ volumeMounts:
+ - name: cert
+ mountPath: /cert
+ - name: kubeconfig
+ mountPath: /kubeconfig
+ subPath: kubeconfig
+ - name: kubeconfig-external
+ mountPath: /kubeconfig-external
+ subPath: kubeconfig
+ serviceAccount: admin-kubeconfig-generator
+ volumes:
+ - name: cert
+ secret:
+ secretName: admin
+ - name: kubeconfig
+ configMap:
+ name: kubeconfig
+ - name: kubeconfig-external
+ configMap:
+ name: kubeconfig-external
+ restartPolicy: OnFailure
+ttlSecondsAfterFinished: 60
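Review bot: Both `kubectl apply -f-` calls in the script are client-side applies, so each Secret gets the whole object — the base64 `data` carrying the system:masters client key included — written a second time into its `kubectl.kubernetes.io/last-applied-configuration` annotation. `| kubectl apply --server-side --force-conflicts -f-` avoids that duplicate copy of the credential and needs only the `patch` verb the Role in this commit already grants. Note also that apply in either mode merges rather than replaces: an `admin-kubeconfig` Secret left behind by the old Helm-hook template (which stored the kubeconfig under the key `kubeconfig`, not `value`) would keep that stale key next to the new one, so a consumer still reading it would silently hold a certificate that never renews — worth deleting that key once, or using `kubectl replace --force -f-`, if the hook-created Secret survives the upgrade (not verifiable from the diff). Separately, `serviceAccount:` is the deprecated pod-spec alias; `serviceAccountName: admin-kubeconfig-generator` is the supported field.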
diff --git a/charts/k8s-control-plane/templates/admin-kubeconfig.yaml b/charts/k8s-control-plane/templates/admin-kubeconfig.yaml
index bc8d6485..3c1a4424 100644
--- a/charts/k8s-control-plane/templates/admin-kubeconfig.yaml
+++ b/charts/k8s-control-plane/templates/admin-kubeconfig.yaml
@@ -1,43 +1,47 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
+{{- $jobSpec := fromYaml (tpl ($.Files.Get "files/admin-kubeconfig-generator.yaml") $) -}}
+apiVersion: batch/v1
+kind: CronJob
 metadata:
- name: admin
+ name: admin-kubeconfig-generator
 spec:
- commonName: kubernetes-admin
- duration: 336h # 2 weeks
- issuerRef:
- name: ca
- kind: Issuer
- secretName: admin
- subject:
- organizations: [system:masters]
- usages: [client auth]
+ schedule: "@weekly"
+ jobTemplate:
+ spec:
+ {{- toYaml $jobSpec | nindent 6 }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: admin-kubeconfig-generator
+spec:
+ {{- toYaml $jobSpec | nindent 2 }}
 ---
-{{- $cert := (lookup "v1" "Secret" $.Release.Namespace "admin") -}}
 apiVersion: v1
-kind: Secret
+kind: ServiceAccount
+metadata:
+ name: admin-kubeconfig-generator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: admin-kubeconfig-generator
+rules:
+- apiGroups: [""]
+ resources: [secrets]
+ verbs: [create]
+- apiGroups: [""]
+ resourceNames: [admin-kubeconfig, admin-kubeconfig-external]
+ resources: [secrets]
+ verbs: [get, update, patch]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
- name: admin-kubeconfig
- annotations:
- helm.sh/hook: post-install,post-upgrade
-stringData:
- kubeconfig: |
- apiVersion: v1
- clusters:
- - cluster:
- certificate-authority-data: {{ get ($cert.data) "ca.crt" }}
- server: https://{{ $.Values.externalHostname }}:6443
- name: {{ $.Values.clusterName }}
- contexts:
- - context:
- cluster: {{ $.Values.clusterName }}
- user: {{ $.Values.clusterName }}-admin
- name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
- current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
- kind: Config
- preferences: {}
- users:
- - name: {{ $.Values.clusterName }}-admin
- user:
- client-certificate-data: {{ get ($cert.data) "tls.crt" }}
- client-key-data: {{ get ($cert.data) "tls.key" }}
+ name: 
admin-kubeconfig-generator
+subjects:
+ - kind: ServiceAccount
+ name: admin-kubeconfig-generator
+roleRef:
+ kind: Role
+ name: admin-kubeconfig-generator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/k8s-control-plane/templates/admin.yaml b/charts/k8s-control-plane/templates/admin.yaml
new file mode 100644
index 00000000..f85031da
--- /dev/null
+++ b/charts/k8s-control-plane/templates/admin.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: admin
+spec:
+ commonName: kubernetes-admin
+ duration: 336h # 2 weeks
+ issuerRef:
+ name: ca
+ kind: Issuer
+ secretName: admin
+ subject:
+ organizations: [system:masters]
+ usages: [client auth]
diff --git a/charts/k8s-control-plane/templates/kubeconfig.yaml b/charts/k8s-control-plane/templates/kubeconfig.yaml
index 93362189..b0f321cb 100644
--- a/charts/k8s-control-plane/templates/kubeconfig.yaml
+++ b/charts/k8s-control-plane/templates/kubeconfig.yaml
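Review bot: The CronJob's `schedule: "@weekly"` is not tied to the lifetime of the `admin` certificate it republishes: that Certificate is issued with `duration: 336h` (two weeks, see admin.yaml in this commit), and cert-manager by default renews at roughly two-thirds of the duration, so a renewal that lands just after a weekly run leaves the published kubeconfig holding the previous certificate until the next run — which can be more than two days after that certificate has expired (assumes the default `renewBefore`; confirm for this issuer). A cheap fix is a denser schedule, `schedule: "@daily"`, or an explicit `renewBefore` on the Certificate so the cron cadence is comfortably shorter than the validity remaining after a renewal. On the Role, the unscoped `create` on `secrets` is unavoidable because RBAC cannot apply `resourceNames` to create requests, but that deserves a comment on the rule so nobody tightens it later and breaks first-run creation: `# create cannot be limited by resourceNames; the named get/update/patch rule below scopes the rest`.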
@@ -6,20 +6,46 @@ data:
 kubeconfig: |
 apiVersion: v1
 clusters:
- - cluster:
- certificate-authority: /cert/ca.crt
- server: https://apiserver.{{ $.Release.Namespace }}.svc.{{ $.Values.parentClusterDomain }}:6443
- name: default
+ - cluster:
+ certificate-authority: /cert/ca.crt
+ server: https://apiserver.{{ $.Release.Namespace }}.svc.{{ $.Values.parentClusterDomain }}:6443
+ name: {{ $.Values.clusterName }}
 contexts:
- - context:
- cluster: default
- user: default
- name: default
- current-context: default
+ - context:
+ cluster: {{ $.Values.clusterName }}
+ user: {{ $.Values.clusterName }}-admin
+ name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
+ current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
 kind: Config
 preferences: {}
 users:
- - name: default
- user:
- client-certificate: /cert/tls.crt
- client-key: /cert/tls.key
+ - name: {{ $.Values.clusterName }}-admin
+ user:
+ client-certificate: /cert/tls.crt
+ client-key: /cert/tls.key
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubeconfig-external
+data:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority: /cert/ca.crt
+ server: https://{{ $.Values.externalHostname }}:6443
+ name: {{ $.Values.clusterName }}
+ contexts:
+ - context:
+ cluster: {{ $.Values.clusterName }}
+ user: {{ $.Values.clusterName }}-admin
+ name: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
+ current-context: {{ $.Values.clusterName }}-admin@{{ $.Values.clusterName }}
+ kind: Config
+ preferences: {}
+ users:
+ - name: {{ $.Values.clusterName }}-admin
+ user:
+ client-certificate: /cert/tls.crt
+ client-key: /cert/tls.key
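Review bot: The new `kubeconfig-external` ConfigMap repeats the `kubeconfig` ConfigMap's body line for line, differing only in `server:`, so any later change to the user or context naming has to be made twice and the two copies can drift apart without anything failing. A named template, e.g. `{{- define "k8s-control-plane.kubeconfig" -}}` taking the root context plus a `server` value and rendered in each ConfigMap with `{{ include "k8s-control-plane.kubeconfig" (dict "root" $ "server" "https://...:6443") | nindent 4 }}`, keeps a single copy. Both ConfigMaps also interpolate `$.Values.clusterName` unquoted into stand-alone scalars such as `name: {{ $.Values.clusterName }}`; a purely numeric or boolean-looking cluster name may be retyped by the YAML loader in kubectl, so `{{ $.Values.clusterName | quote }}` is safer there (the context names that concatenate it with `-admin@` are not affected). The first ConfigMap's `metadata` and `data:` key begin before this hunk.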