新增learn-kubernetes（https://github.com/yyong-brs/learn-kubernetes）相关文件

2024-02-20 17:15:27 +08:00
parent 6706e1a633
commit 34158042ad
1529 changed files with 177765 additions and 0 deletions
--- a/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/Dockerfile
+++ b/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/Dockerfile
@@ -0,0 +1,18 @@
+ARG ALPINE_VERSION="3.15"    
+FROM alpine:$ALPINE_VERSION
+
+RUN apk add --no-cache jq openssl
+RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing kubectl
+
+COPY start.sh /
+RUN chmod +x /start.sh
+
+ENV USER_NAME="reader@kiamol.net" \
+    GROUP="kiamol" \
+    SET_CONTEXT="" \
+    PRINT_CERTS=""
+
+WORKDIR /certs
+CMD /start.sh
+
+COPY csr.yaml .
--- a/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/csr.yaml
+++ b/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/csr.yaml
@@ -0,0 +1,12 @@
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: {USER_NAME}
+spec:
+  signerName: kubernetes.io/kube-apiserver-client
+  groups:
+  - system:authenticated
+  request: {CSR}
+  usages:
+  - client auth
+  
--- a/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/start.sh
+++ b/learn/learn-kubernetes-master/kiamol/ch17/docker-images/user-cert-generator/start.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# set up access to Kube API
+kubectl config set-cluster default --server=https://kubernetes.default.svc.cluster.local --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+kubectl config set-context default --cluster=default
+kubectl config set-credentials user --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+kubectl config set-context default --user=user
+kubectl config use-context default
+
+echo ----------------
+echo "Generating user cert - username: $USER_NAME; group: $GROUP"
+echo ----------------
+
+openssl genrsa -out user.key 2048
+openssl req -new -key user.key -out user.csr -subj "/C=UK/ST=LONDON/L=London/O=${GROUP}/CN=${USER_NAME}"
+
+csr=$(cat user.csr | base64 | tr -d "\n")
+sed -i "s/{CSR}/$csr/g" csr.yaml
+sed -i "s/{USER_NAME}/$USER_NAME/g" csr.yaml
+
+echo '** CSR generated.'
+
+kubectl apply -f csr.yaml
+kubectl certificate approve $USER_NAME
+
+echo '** Cert approved.'
+
+kubectl get csr/$USER_NAME -o json | jq '.status.certificate' -r | base64 -d > user.crt
+
+echo ----------------
+echo "Cert generated: /certs/user.key and /certs/user.crt"
+echo ----------------
+
+if [ -n "$SET_CONTEXT" ]; then
+    kubectl config set-credentials $USER_NAME --client-key=./user.key --client-certificate=./user.crt --embed-certs=true
+    kubectl config set-context $USER_NAME --user=$USER_NAME --cluster default
+    kubectl config use-context $USER_NAME
+
+    echo "** Using context for user: $USER_NAME; group: $GROUP"
+fi
+
+if [ -n "$PRINT_CERTS" ]; then
+    echo "user.key"
+    cat /certs/user.key
+    echo "user.crt"
+    cat /certs/user.crt
+else 
+    while true; do sleep 1000; done
+fi