Generating a kubeconfig for a user
• Mark Eschbach
Still paying for my sins or technical debt, depending on your point of view, from the payments due to the great AC incident of June 2020. Still waiting for aliens to show up. Anyway, with my primary Jenkins instance (I know, old but it works) operating on multiple clusters it's finally got itself in a pickle. It has the wrong kubeconfig for some reason. The easiest way I can think of to deal with it is to use another file secret and expose that for the correct environment. I wish there was an easier way to generate a configuration, and if there is I haven't found one.
First up is to get the cluster's info. When using that cluster locally you may get the configuration via kubectl config view --flatten --minify -o json for easy extraction. The particularly interesting parts are .clusters[0].cluster["certificate-authority-data"] for the certificate authority data (what the client uses to verify the API server's certificate) and .clusters[0].cluster.server for the address.
Next up is extracting the data from the service account itself. To locate the secret name for the token one must run kubectl get sa $service_account -n $service_namespace -o json | jq -r .secrets[0].name. Let's call that $service_account_token. That can be plugged into kubectl get secrets $service_account_token -n $service_namespace -o json, which will give us the Base64 encoding of the token under .data.token. A simple base64 -D (that is the macOS flag; GNU base64 on Linux uses -d) will pull this into plain text.
Assuming you have $service_account and $service_namespace set to the appropriate values, then the following should produce a usable configuration on stdout.
#!/usr/bin/env bash
# Requires kubectl and jq; expects $service_account and $service_namespace to be set.
set -euo pipefail

current_cluster=$(kubectl config view --flatten --minify -o json)
cluster_name=$(jq -r '.clusters[0].name' <<<"$current_cluster")
# The secret that carries the service account's token
token_secret=$(kubectl get sa "$service_account" -n "$service_namespace" -o json | jq -r '.secrets[0].name')
role_secrets=$(kubectl get secrets "$token_secret" -n "$service_namespace" -o json)

# base64 --decode is accepted by both GNU (-d) and macOS (-D) base64.
cat <<EOF
apiVersion: v1
kind: Config
users:
- name: $service_account
  user:
    token: $(jq -r '.data.token' <<<"$role_secrets" | base64 --decode)
clusters:
- cluster:
    certificate-authority-data: $(jq -r '.clusters[0].cluster["certificate-authority-data"]' <<<"$current_cluster")
    server: $(jq -r '.clusters[0].cluster.server' <<<"$current_cluster")
  name: $cluster_name
contexts:
- context:
    cluster: $cluster_name
    user: $service_account
  name: $service_account@$cluster_name
current-context: $service_account@$cluster_name
EOF
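The script above is fine for a one-off, but two things bite in practice: base64 flags differ between macOS and Linux, and on Kubernetes 1.24 and later a service account no longer gets a token secret created for it, so .secrets[0].name comes back empty and the generated config silently carries no token. The following is an added example, not code from the original post: it separates the kubeconfig assembly from the kubectl/jq extraction so the assembly can be run and checked offline with constructed values, refuses to emit a config without a token (pointing at kubectl create token, the kubectl subcommand that mints a short-lived token on those newer clusters), and writes the file with mode 0600 since it holds a bearer credential. The cluster name, server address, CA data and token below are constructed sample values; the kubeconfig_for_sa wrapper that talks to a live cluster is an assumption about your environment and is not exercised here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): assemble a kubeconfig for a
# service account from already-extracted values, with the checks a one-off
# script tends to skip. Sample values at the bottom are constructed.
set -eu

# Decode base64 on GNU/busybox (-d) and older macOS (-D) alike.
b64decode() {
  if printf '' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# build_kubeconfig CLUSTER_NAME SERVER CA_DATA SA_NAME TOKEN_B64
# Prints the kubeconfig on stdout. Returns 1 when the decoded token is
# empty, which is what an auto-created-secret lookup yields on
# Kubernetes >= 1.24; there the token has to be minted explicitly.
build_kubeconfig() {
  cluster_name=$1; server=$2; ca_data=$3; sa=$4; token_b64=$5
  token=$(printf '%s' "$token_b64" | b64decode)
  if [ -z "$token" ]; then
    echo "no token for service account $sa; on Kubernetes >= 1.24 mint one with: kubectl create token $sa" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster_name
  cluster:
    server: $server
    certificate-authority-data: $ca_data
users:
- name: $sa
  user:
    token: $token
contexts:
- name: $sa@$cluster_name
  context:
    cluster: $cluster_name
    user: $sa
current-context: $sa@$cluster_name
EOF
}

# write_kubeconfig FILE CLUSTER_NAME SERVER CA_DATA SA_NAME TOKEN_B64
# Same output, written to FILE created with mode 0600 (it carries a bearer token).
write_kubeconfig() {
  out=$1; shift
  (umask 077; build_kubeconfig "$@" > "$out")
}

# kubeconfig_for_sa SA NAMESPACE: pull the values from the current cluster
# following the post's extraction steps. Assumes kubectl and jq; not run offline.
kubeconfig_for_sa() {
  sa=$1; ns=$2
  cluster=$(kubectl config view --flatten --minify -o json)
  secret_name=$(kubectl get sa "$sa" -n "$ns" -o json | jq -r '.secrets[0].name // empty')
  token_b64=""
  if [ -n "$secret_name" ]; then
    token_b64=$(kubectl get secret "$secret_name" -n "$ns" -o json | jq -r '.data.token // empty')
  fi
  build_kubeconfig \
    "$(printf '%s' "$cluster" | jq -r '.clusters[0].name')" \
    "$(printf '%s' "$cluster" | jq -r '.clusters[0].cluster.server')" \
    "$(printf '%s' "$cluster" | jq -r '.clusters[0].cluster["certificate-authority-data"]')" \
    "$sa" "$token_b64"
}

# Constructed sample values (not real cluster data): CA blob is an opaque
# string carried through verbatim; the token decodes to "sample-token".
SAMPLE_CLUSTER=demo
SAMPLE_SERVER=https://10.0.0.1:6443
SAMPLE_CA=Q0EgREFUQQ==
SAMPLE_TOKEN_B64=c2FtcGxlLXRva2Vu

# Demo run against the constructed values.
build_kubeconfig "$SAMPLE_CLUSTER" "$SAMPLE_SERVER" "$SAMPLE_CA" jenkins "$SAMPLE_TOKEN_B64"
```

For the Jenkins use case, call write_kubeconfig with a path in a directory only the Jenkins user can read, then upload that file as the file secret; the umask subshell keeps the 0600 mode even when the surrounding shell has a permissive umask.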