radex
274e70f557
Change-Id: I01fa3c40ac00cfa022d438163ba9e2d3ef66ac72 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2090 Reviewed-by: q3k <q3k@hackerspace.pl>
package main
import (
"fmt"
"log"
"os"
"os/user"
"path/filepath"
"github.com/spf13/cobra"
"k8s.io/client-go/tools/clientcmd"
clientapi "k8s.io/client-go/tools/clientcmd/api"
"code.hackerspace.pl/hscloud/cluster/clustercfg/certs"
"code.hackerspace.pl/hscloud/cluster/clustercfg/clusters"
"code.hackerspace.pl/hscloud/go/workspace"
)
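// admincredsCmd is the `admincreds` subcommand: it prepares emergency
// system:masters credentials for the cluster selected via flagCluster,
// asking the certs package to place them under
// <workspace>/.kubectl/admincreds-<cluster>, and then registers an
// "emergency.<cluster>" context in the local kubectl config so the
// credentials are immediately usable.
//
// Any failure is fatal (the process exits non-zero via log.Fatalf); a
// successful run prints the context to use and exits zero.
var admincredsCmd = &cobra.Command{
	Use:   "admincreds",
	Short: "Acquire emergency Kubernetes credentials",
	Long: `
Use secretstore secrets to generate a Kubernetes system:masters keypair and
certificate. Only for use in emergencies.

Your local username and hostname will make part of the cert and can be used
for auditing of accesses to apiservers.
`,
	Run: func(cmd *cobra.Command, args []string) {
		ws, err := workspace.Get()
		if err != nil {
			log.Fatalf("Could not figure out workspace: %v", err)
		}

		clusterName := flagCluster
		cluster, ok := clusters.Clusters[clusterName]
		if !ok {
			log.Fatalf("Unknown cluster: %q", clusterName)
		}

		// Best effort only: not being able to resolve the local user or host
		// must never block an emergency, so fall back to a visible placeholder.
		uname := "UNKNOWN"
		if u, err := user.Current(); err == nil {
			uname = u.Username
		}
		hostname := "UNKNOWN"
		if h, err := os.Hostname(); err == nil {
			hostname = h
		}
		// The breadcrumb is handed to the certificate generator (see Long
		// above). It is self-reported by the requesting machine, so it helps
		// attribution during audits but is not an authenticated identity.
		breadcrumb := fmt.Sprintf("%s@%s", uname, hostname)

		root := filepath.Join(ws, "cluster")
		path := filepath.Join(ws, ".kubectl", "admincreds-"+cluster.Name)
		c := certs.Prepare(root, cluster, nil)
		creds := c.MakeKubeEmergencyCreds(path, breadcrumb)

		log.Printf("")
		log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
		log.Printf("===============================================")
		log.Printf("")
		log.Printf("You are requesting ADMIN credentials for %s.", cluster.Name)
		log.Printf("")
		log.Printf("You likely shouldn't be doing this, and")
		log.Printf("instead should be using `prodaccess`.")
		log.Printf("")
		log.Printf("===============================================")
		log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
		log.Printf("")

		log.Printf("Issuing certs...")
		if err := creds.Ensure(); err != nil {
			log.Fatalf("Failed: %v", err)
		}

		log.Printf("Configuring kubectl...")
		caPath, certPath, keyPath := creds.Paths()
		contextName := "emergency." + cluster.Name
		if err := installKubeletConfig(caPath, certPath, keyPath, cluster, contextName); err != nil {
			log.Fatalf("Failed: %v", err)
		}

		// Printf, not Fatalf: this is the success path and the command must
		// exit 0 so callers/scripts do not mistake it for a failure.
		log.Printf("Done. Use kubectl --context=%s", contextName)
	},
}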
// installKubeletConfig registers a kubectl user, cluster and context, all
// named configName, in the caller's default kubeconfig. The user entry points
// at the client certificate and key files, the cluster entry at the CA file
// and cluster's apiserver URL, and the context ties the two together with the
// "default" namespace. Entries that already use configName are overwritten.
// Errors from loading or writing the kubeconfig are returned wrapped.
//
// Despite its name this configures kubectl, not a kubelet.
func installKubeletConfig(caPath, certPath, keyPath string, cluster clusters.Cluster, configName string) error {
	pathOpts := clientcmd.NewDefaultPathOptions()
	kubeconfig, err := pathOpts.GetStartingConfig()
	if err != nil {
		return fmt.Errorf("getting initial config failed: %w", err)
	}

	// Key material is referenced by path, never embedded: the kubeconfig
	// itself contains no secrets, only where to find them.
	userEntry := &clientapi.AuthInfo{
		ClientCertificate: certPath,
		ClientKey:         keyPath,
	}
	clusterEntry := &clientapi.Cluster{
		CertificateAuthority: caPath,
		Server:               cluster.ApiServerUrl().String(),
	}
	ctxEntry := &clientapi.Context{
		AuthInfo:  configName,
		Cluster:   configName,
		Namespace: "default",
	}

	kubeconfig.AuthInfos[configName] = userEntry
	kubeconfig.Clusters[configName] = clusterEntry
	kubeconfig.Contexts[configName] = ctxEntry

	// The trailing true asks clientcmd to relativize the file paths above
	// against the kubeconfig's own location before persisting it.
	if err := clientcmd.ModifyConfig(pathOpts, *kubeconfig, true); err != nil {
		return fmt.Errorf("modifying config failed: %w", err)
	}
	return nil
}
// init hooks the admincreds subcommand into the root command tree.
func init() {
	rootCmd.AddCommand(admincredsCmd)
}