Kubectl generate new certificate

#!/bin/bash
set -e

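#######################################
# Print an error message and the usage line, then exit 1.
# Arguments: $* - error message
# Outputs:   diagnostics to stderr (stdout is reserved for the script's
#            progress messages)
#######################################
fail(){
  printf 'error: %s\n' "$*" >&2
  printf 'usage: ./k3s-new-cert <name> [subject=/O=admin]\n' >&2
  exit 1
}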


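# <name> is used both as the file stem (<name>.key/.csr/.crt/.yaml) and as
# the certificate CN, so reject values that would leave the working
# directory or be parsed as an option by openssl/kubectl.
name=$1
[ -z "$name" ] && fail No name
case "$name" in
  */*|-*) fail "invalid name: $name" ;;
esac

# SUBJECT: extra subject RDNs appended after /CN=<name> (env var or $2).
# NOTE: the API server maps the O= component to the user's group, so it
# decides which RBAC bindings this certificate will match.
: "${SUBJECT:=$2}"
# DAYS: certificate validity passed to 'openssl x509 -days'; must be numeric.
: "${DAYS:=3650}"
[[ "$DAYS" =~ ^[0-9]+$ ]] || fail "DAYS must be a number: $DAYS"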

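# The private key (and later the kubeconfig that embeds it) must not be
# world-readable: make every file created from here on owner-only.
umask 077

# Existing files are reused, so delete <name>.key/.csr/.crt to regenerate.
[ -f "$name.key" ] || {
  # openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  openssl genrsa -out "$name.key" 4096
  echo genrsa key
}
[ -f "$name.csr" ] || {
  # Subject is /CN=<name> plus the optional SUBJECT RDNs (e.g. /O=<group>).
  openssl req -new -key "$name.key" -out "$name.csr" -subj "/CN=$name$SUBJECT"
  echo create csr
}

# Sign with the k3s client CA. -CAcreateserial writes k3s/client-ca.srl
# on first use; validity is DAYS days.
[ -f "$name.crt" ] || {
  openssl x509 -req -in "$name.csr" -CA k3s/client-ca.crt -CAkey k3s/client-ca.key \
    -CAcreateserial -out "$name.crt" -days "$DAYS"
  echo create cert
}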


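# Read cluster name, namespace and API server URL from the current context
# (under 'set -e' a failing kubectl aborts the script here).
cluster=$(kubectl config view --minify --output 'jsonpath={.clusters[0].name}')
namespace=$(kubectl config view --minify --output 'jsonpath={..namespace}')
server=$(kubectl config view --minify --output 'jsonpath={.clusters[0].cluster.server}')

# Context name inside the generated kubeconfig (env var override).
: "${CONTEXT:=$cluster-$name}"

# Build <name>.yaml as a self-contained kubeconfig: --embed-certs inlines
# the server CA and the client cert/key, so the file is a credential on
# its own. An array keeps the command word-splitting safe.
KUBECTL=(kubectl --kubeconfig="$name.yaml")
"${KUBECTL[@]}" config set-cluster "$cluster" --embed-certs --server="$server" --certificate-authority=k3s/server-ca.crt
"${KUBECTL[@]}" config set-credentials "$name" --embed-certs --client-certificate="$name.crt" --client-key="$name.key"
"${KUBECTL[@]}" config set-context "$CONTEXT" --cluster="$cluster" --namespace="$namespace" --user="$name"
"${KUBECTL[@]}" config set current-context "$CONTEXT"
# The file now contains the private key: keep it owner-only.
chmod 600 -- "$name.yaml"
# Smoke test: contacts the API server with the new credentials.
"${KUBECTL[@]}" version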
