blob: 110c54d50a641b5bf3c5c5ca0d2dee09f53f0773 [file] [log] [blame]
package main
import (
"fmt"
"log"
"os"
"os/user"
"path/filepath"
"github.com/spf13/cobra"
"k8s.io/client-go/tools/clientcmd"
clientapi "k8s.io/client-go/tools/clientcmd/api"
"code.hackerspace.pl/hscloud/cluster/clustercfg/certs"
"code.hackerspace.pl/hscloud/go/workspace"
)
var admincredsCmd = &cobra.Command{
Use: "admincreds",
Short: "Acquire emergency Kubernetes credentials",
Long: `
Use secretstore secrets to generate a Kubernetes system:masters keypair and
certificate. Only for use in emergencies.
Your local username and hostname will make part of the cert and can be used
for auditing of accesses to apiservers.
`,
Run: func(cmd *cobra.Command, args []string) {
ws, err := workspace.Get()
if err != nil {
log.Fatalf("Could not figure out workspace: %v", err)
}
uname := "UNKNOWN"
if u, err := user.Current(); err == nil {
uname = u.Username
}
hostname := "UNKNOWN"
if h, err := os.Hostname(); err == nil {
hostname = h
}
breadcrumb := fmt.Sprintf("%s@%s", uname, hostname)
root := filepath.Join(ws, "cluster")
path := filepath.Join(ws, ".kubectl", "admincreds")
c := certs.Prepare(root, nil)
creds := c.MakeKubeEmergencyCreds(path, breadcrumb)
_ = creds
log.Printf("")
log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
log.Printf("===============================================")
log.Printf("")
log.Printf("You are requesting ADMIN credentials.")
log.Printf("")
log.Printf("You likely shouldn't be doing this, and")
log.Printf("instead should be using `prodaccess`.")
log.Printf("")
log.Printf("===============================================")
log.Printf("WARNING WARNING WARNING WARNING WARNING WARNING")
log.Printf("")
log.Printf("Issuing certs...")
if err := creds.Ensure(); err != nil {
log.Fatalf("Failed: %v", err)
}
log.Printf("Configuring kubectl...")
caPath, certPath, keyPath := creds.Paths()
if err := installKubeletConfig(caPath, certPath, keyPath, "emergency.k0"); err != nil {
log.Fatalf("Failed: %v", err)
}
log.Fatalf("Done. Use kubectl --context=emergency.k0")
},
}
func installKubeletConfig(caPath, certPath, keyPath, configName string) error {
ca := clientcmd.NewDefaultPathOptions()
config, err := ca.GetStartingConfig()
if err != nil {
return fmt.Errorf("getting initial config failed: %w", err)
}
config.AuthInfos[configName] = &clientapi.AuthInfo{
ClientCertificate: certPath,
ClientKey: keyPath,
}
config.Clusters[configName] = &clientapi.Cluster{
CertificateAuthority: caPath,
Server: "https://k0.hswaw.net:4001",
}
config.Contexts[configName] = &clientapi.Context{
AuthInfo: configName,
Cluster: configName,
Namespace: "default",
}
if err := clientcmd.ModifyConfig(ca, *config, true); err != nil {
return fmt.Errorf("modifying config failed: %w", err)
}
return nil
}
func init() {
rootCmd.AddCommand(admincredsCmd)
}