generate-kubeconfig-with-sa-token.sh

generate-kubeconfig-with-sa-token.sh

#!/usr/bin/env bash

# This extracts a Service Account Token from a previously created
# ServiceAccount that has sufficient RBAC permissions to deploy
# a Control Agent. The token is then set in a kubeconfig file 
# a non-admin user can use to deploy a Control Agent. cluster-admin 
# role is required to execute this script

# This script is based entirely on innovia/kubernetes_add_service_account_kubeconfig.sh
# located at https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708

set -eo pipefail

if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then
 echo "usage: $0 <namespace> <service_account_name> <generated_kubecfg_dir>"
 exit 1
fi

NAMESPACE="$1"
SERVICE_ACCOUNT_NAME="$2"
GENERATED_KUBECFG_DIR="$3"
KUBECFG_FILE_NAME="${GENERATED_KUBECFG_DIR}/${SERVICE_ACCOUNT_NAME}-${NAMESPACE}.conf"

create_target_folder() {
    echo -e "\\nCreating target directory to hold files in ${GENERATED_KUBECFG_DIR}"
    mkdir -p "${GENERATED_KUBECFG_DIR}"
}

get_secret_name_from_service_account() {
    echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
    SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name)
    echo "Secret name: ${SECRET_NAME}"
}

extract_ca_crt_from_secret() {
    echo -e -n "\\nExtracting ca.crt from secret..."
    kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \
    -r '.data["ca.crt"]' | base64 -D > "${GENERATED_KUBECFG_DIR}/ca.crt"
}

get_user_token_from_secret() {
    echo -e -n "\\nGetting user token from secret"
    USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -D)
}

set_kube_config_values() {
    context=$(kubectl config current-context)
    echo -e "\\nSetting current context to: $context"

    CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
    echo "Cluster name: ${CLUSTER_NAME}"

    ENDPOINT=$(kubectl config view \
    -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
    echo "Endpoint: ${ENDPOINT}"

    # Set up the config
    echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
    echo -n "Setting a cluster entry in kubeconfig..."
    kubectl config set-cluster "${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --server="${ENDPOINT}" \
    --certificate-authority="${GENERATED_KUBECFG_DIR}/ca.crt" \
    --embed-certs=true

    echo -n "Setting token credentials entry in kubeconfig..."
    kubectl config set-credentials \
    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --token="${USER_TOKEN}"

    echo -n "Setting a context entry in kubeconfig..."
    kubectl config set-context \
    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --cluster="${CLUSTER_NAME}" \
    --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --namespace="${NAMESPACE}"

    echo -n "Setting the current-context in the kubeconfig file..."
    kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}"
    
    rm -f "${GENERATED_KUBECFG_DIR}/ca.crt"
}

create_target_folder
get_secret_name_from_service_account
extract_ca_crt_from_secret
get_user_token_from_secret
set_kube_config_values

echo -e "\\nDone"