package main
import (
"fmt"
"log"
"os"
"os/user"
"path/filepath"
"github.com/spf13/cobra"
"k8s.io/client-go/tools/clientcmd"
clientapi "k8s.io/client-go/tools/clientcmd/api"
"code.hackerspace.pl/hscloud/cluster/clustercfg/certs"
"code.hackerspace.pl/hscloud/go/workspace"
)
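// emergencyContext names the kubeconfig user, cluster and context that
// admincreds installs; the closing hint tells the operator to select it with
// `kubectl --context=`. Kept in one place so the installed name and the hint
// cannot drift apart.
const emergencyContext = "emergency.k0"

// admincredsCmd is the break-glass path to the cluster: it has the cluster CA
// (certs.Prepare over <workspace>/cluster, fed from secretstore) issue a
// system:masters client keypair into <workspace>/.kubectl/admincreds and wires
// it into the local kubeconfig as the emergencyContext context. Day-to-day
// access is expected to go through prodaccess instead, which the command says
// loudly before issuing anything.
//
// The command exits non-zero only on failure; on success it prints the
// kubectl invocation to use and where the private key now lives.
var admincredsCmd = &cobra.Command{
	Use:   "admincreds",
	Short: "Acquire emergency Kubernetes credentials",
	Long: `
Use secretstore secrets to generate a Kubernetes system:masters keypair and
certificate. Only for use in emergencies.

Your local username and hostname will make part of the cert and can be used
for auditing of accesses to apiservers.
`,
	Run: func(cmd *cobra.Command, args []string) {
		ws, err := workspace.Get()
		if err != nil {
			log.Fatalf("Could not figure out workspace: %v", err)
		}

		// The breadcrumb is baked into the issued certificate (via
		// MakeKubeEmergencyCreds) so apiserver audit logs can attribute use
		// of this cert to a person and a machine. Both lookups are
		// best-effort: a failure degrades to "UNKNOWN" rather than blocking
		// an emergency, but then the cert carries no useful attribution, so
		// tell the operator instead of failing silently.
		uname := "UNKNOWN"
		if u, err := user.Current(); err == nil {
			uname = u.Username
		} else {
			log.Printf("Could not determine local user, cert will be attributed to UNKNOWN: %v", err)
		}
		hostname := "UNKNOWN"
		if h, err := os.Hostname(); err == nil {
			hostname = h
		} else {
			log.Printf("Could not determine hostname, cert will be attributed to UNKNOWN: %v", err)
		}
		breadcrumb := fmt.Sprintf("%s@%s", uname, hostname)

		// root holds the cluster PKI definitions; path is where the new
		// keypair and certificate are written. The meaning of Prepare's
		// second argument is not visible here (nil mirrors the original call).
		root := filepath.Join(ws, "cluster")
		path := filepath.Join(ws, ".kubectl", "admincreds")
		c := certs.Prepare(root, nil)
		creds := c.MakeKubeEmergencyCreds(path, breadcrumb)

		// Nothing has been issued yet at this point; the banner precedes
		// the only step that actually mints a system:masters identity.
		log.Printf("")
		log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
		log.Printf("===============================================")
		log.Printf("")
		log.Printf("You are requesting ADMIN credentials.")
		log.Printf("")
		log.Printf("You likely shouldn't be doing this, and")
		log.Printf("instead should be using `prodaccess`.")
		log.Printf("")
		log.Printf("===============================================")
		log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
		log.Printf("")

		log.Printf("Issuing certs...")
		if err := creds.Ensure(); err != nil {
			log.Fatalf("Failed: %v", err)
		}

		log.Printf("Configuring kubectl...")
		caPath, certPath, keyPath := creds.Paths()
		if err := installKubeletConfig(caPath, certPath, keyPath, emergencyContext); err != nil {
			log.Fatalf("Failed: %v", err)
		}

		// Success must not go through log.Fatalf: that exits with status 1
		// and makes every successful run look like a failure to callers.
		log.Printf("Done. Use kubectl --context=%s", emergencyContext)
		// The private key for a system:masters identity now sits on disk and
		// outlives the emergency unless someone removes it.
		log.Printf("The system:masters private key is at %s; remove it once the emergency is over.", keyPath)
	},
}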
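// installKubeletConfig adds (or replaces) a user, a cluster and a context, all
// named configName, in the caller's default kubeconfig — whatever
// clientcmd.NewDefaultPathOptions resolves to (KUBECONFIG / ~/.kube/config) —
// so that `kubectl --context=<configName>` authenticates with the given client
// certificate against the pinned k0 apiserver.
//
// caPath, certPath and keyPath are paths to PEM files issued by the caller;
// the kubeconfig references them, it does not embed their contents. Existing
// entries with the same name are overwritten without prompting. Despite the
// historical name, this edits kubectl's config, not a kubelet's.
func installKubeletConfig(caPath, certPath, keyPath, configName string) error {
	access := clientcmd.NewDefaultPathOptions()
	config, err := access.GetStartingConfig()
	if err != nil {
		return fmt.Errorf("getting initial config failed: %w", err)
	}

	// Anchor the PEM paths to the filesystem rather than to whatever cwd
	// this command happened to run from; ModifyConfig (relativizePaths=true
	// below) then rewrites them relative to the kubeconfig file itself, so a
	// cwd-relative input would otherwise be interpreted ambiguously.
	for _, p := range []*string{&caPath, &certPath, &keyPath} {
		abs, err := filepath.Abs(*p)
		if err != nil {
			return fmt.Errorf("resolving path %q: %w", *p, err)
		}
		*p = abs
	}

	// GetStartingConfig is expected to hand back initialised maps, but a
	// write into a nil map panics and would leave the operator without a
	// usable context mid-emergency, so guard each one.
	if config.AuthInfos == nil {
		config.AuthInfos = map[string]*clientapi.AuthInfo{}
	}
	if config.Clusters == nil {
		config.Clusters = map[string]*clientapi.Cluster{}
	}
	if config.Contexts == nil {
		config.Contexts = map[string]*clientapi.Context{}
	}

	config.AuthInfos[configName] = &clientapi.AuthInfo{
		ClientCertificate: certPath,
		ClientKey:         keyPath,
	}

	// The apiserver endpoint is fixed; caPath is what lets kubectl verify it
	// is talking to that cluster and not to something else on the path.
	config.Clusters[configName] = &clientapi.Cluster{
		CertificateAuthority: caPath,
		Server:               "https://k0.hswaw.net:4001",
	}

	config.Contexts[configName] = &clientapi.Context{
		AuthInfo:  configName,
		Cluster:   configName,
		Namespace: "default",
	}

	// Third argument: relativize file paths against the kubeconfig location.
	if err := clientcmd.ModifyConfig(access, *config, true); err != nil {
		return fmt.Errorf("modifying config failed: %w", err)
	}
	return nil
}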
// init hooks the emergency-credentials subcommand into the CLI root so it is
// reachable as `<root> admincreds`.
func init() {
	sub := admincredsCmd
	rootCmd.AddCommand(sub)
}