Still paying for my sins or technical debt, depending on your point of view, from the payments due to the great AC incident of June 2020. Still waiting for aliens to show up. Anyway, with my primary Jenkins instance (I know, old but it works) operating on multiple clusters it’s finally got itself in a pickle. It has the wrong kubeconfig for some reason. Easiest way I can think to deal with it is to use another file secret and expose that for the correct environment. I wish there was an easier way, and if there is I havne’t found one, to generate a configuration.

First up is to get the cluster’s info. When using that cluster locally you may get the configuration via kubectl config view --flatten --minify -o json for easy extraction. The particularly interesting parts are .clusters[0].cluster[\"certificate-authority-data\"] for the service certificate and .clusters[0].cluster.server for the address.

Next up is extracting the data from the service account itself. To locate the secret name for the token one must kubectl get sa $service_account -n $service_namespace -o json |jq -r .secrets[0].name. Let’s call that $service_account_token. That can be plugged into kubectl get secrets $service_account_token -n $service_namespace -o json which will give us the Base64 encoding of the token. A simple base64 -D will pull this into plain text.

Assuming you have $service_account and $service_namespace set to the appropriate values then the following should produce a usable configuration on stdout.

current_cluster=$(kubectl config view --flatten --minify -o json)
cluster_name=$(jq -r .clusters[0].name <<<$current_cluster)
role_secrets=$(kubectl get secrets $(kubectl get sa $service_account -n $service_namespace  -o json |jq -r .secrets[0].name) -n $service_namespace -o json)
cat <<EOF
apiVersion: v1
kind: Config
users:
- name: $service_account
  user:
    token: $(jq -r .data.token <<<"$role_secrets" |base64 -D)
clusters:
- cluster:
    certificate-authority-data: $(jq ".clusters[0].cluster[\"certificate-authority-data\"]" <<<"$current_cluster")
    server: $(jq .clusters[0].cluster.server <<<"$current_cluster")
  name: $cluster_name
contexts:
- context:
    cluster: $cluster_name
    user: $service_account
  name: $service_account@$cluster_name
current-context: $service_account@$cluster_name
EOF