From 14a89389e31aa20fb7316ad47f3d3a21992ee93d Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Wed, 31 May 2023 19:23:09 +0200
Subject: [PATCH] Document Dev SA account setup (#65)
---
README.md | 57 +++++++++++++++++++++++++++++++++
scratchpad-help-sa-token.md | 64 -------------------------------------
2 files changed, 57 insertions(+), 64 deletions(-)
delete mode 100644 scratchpad-help-sa-token.md
diff --git a/README.md b/README.md
index d84ed0b..34a5c62 100644
--- a/README.md
+++ b/README.md
@@ -96,3 +96,60 @@ while read -r patch; do
 kubectl patch mutatingwebhookconfigurations mutating-webhook-configuration --type=json -p "${patch}"
 done <<< "$patches"
 ```
+
+### Connect agent to control-api
+
+Create ServiceAccount in control-api and save token to kubeconfig.
+
+```sh
+# Switch to the control-api cluster you want to create the access for
+# $ kubectx appuio-api-integration
+# Update the zone name to match your name
+ZONE_NAME=my-test-zone
+
+# Create a service account and the token
+NAMESPACE=default
+mkdir -p tk && cat < tk/kustomization.yaml
+resources:
+- ../config/foreign_rbac
+namespace: ${NAMESPACE}
+namePrefix: ${ZONE_NAME}-
+EOF
+kubectl apply -k tk
+
+CONTEXT=$(kubectl config current-context)
+NEW_CONTEXT=control-api-sa
+KUBECONFIG_FILE="kubeconfig-control-api"
+SECRET_NAME=${ZONE_NAME}-cloud-agent
+TOKEN_DATA=$(kubectl get secret ${SECRET_NAME} \
+ --context ${CONTEXT} \
+ --namespace ${NAMESPACE} \
+ -o jsonpath='{.data.token}')
+TOKEN=$(echo ${TOKEN_DATA} | base64 -d)
+
+rm -rf tk
+
+# Create kubeconfig
+kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp
+kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT}
+kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \
+ config view --flatten --minify > ${KUBECONFIG_FILE}.tmp
+# Rename context
+kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
+ rename-context ${CONTEXT} ${NEW_CONTEXT}
+# Create token user
+kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
+ set-credentials ${CONTEXT}-${NAMESPACE}-token-user \
+ --token ${TOKEN}
+kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
+ set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user
+# Set context to correct namespace
+kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
+ set-context ${NEW_CONTEXT} --namespace ${NAMESPACE}
+# Flatten/minify kubeconfig
+kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \
+ view --flatten --minify > ${KUBECONFIG_FILE}
+# Remove tmp
+rm ${KUBECONFIG_FILE}.full.tmp
+rm ${KUBECONFIG_FILE}.tmp
+```
diff --git a/scratchpad-help-sa-token.md b/scratchpad-help-sa-token.md
deleted file mode 100644
index a790af3..0000000
--- a/scratchpad-help-sa-token.md
+++ /dev/null
@@ -1,64 +0,0 @@ - -# Service Account Token - -```sh -kubectl create sa myzone-agent - -kubectl apply -f - < ${KUBECONFIG_FILE}.full.tmp -# Switch working context to correct context -kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp config use-context ${CONTEXT} -# Minify -kubectl --kubeconfig ${KUBECONFIG_FILE}.full.tmp \ - config view --flatten --minify > ${KUBECONFIG_FILE}.tmp -# Rename context -kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ - rename-context ${CONTEXT} ${NEW_CONTEXT} -# Create token user -kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ - set-credentials ${CONTEXT}-${NAMESPACE}-token-user \ - --token ${TOKEN} -# Set context to use token user -kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ - set-context ${NEW_CONTEXT} --user ${CONTEXT}-${NAMESPACE}-token-user -# Set context to correct namespace -kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ - set-context ${NEW_CONTEXT} --namespace ${NAMESPACE} -# Flatten/minify kubeconfig -kubectl config --kubeconfig ${KUBECONFIG_FILE}.tmp \ - view --flatten --minify > ${KUBECONFIG_FILE} -# Remove tmp -rm ${KUBECONFIG_FILE}.full.tmp -rm ${KUBECONFIG_FILE}.tmp -``` \ No newline at end of file
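Review bot: The `kubectl config view --raw > ${KUBECONFIG_FILE}.full.tmp` step in the README.md hunk writes the operator's whole kubeconfig, including every embedded credential, to a predictable file in the current directory under the default umask, and the final `${KUBECONFIG_FILE}` carrying the service-account token is created the same way. Starting the snippet with `umask 077` and placing the two intermediates under `tmpdir=$(mktemp -d)` would keep them private; as written they also stay on disk if the snippet is interrupted before the two `rm` lines. `--token ${TOKEN}` passes the token as a command-line argument, where it is visible in the local process list while kubectl runs, and the expansion is unquoted like the others in the block, so quoting them, e.g. `--token "${TOKEN}"`, is the minimum. A sentence in the README stating that `kubeconfig-control-api` is a bearer credential and should be kept out of version control would round this off.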