apps wc: end user as service account

robinAwallace · robinAwallace · commit 837fb395da47 · 2023-08-11T13:43:22.000+02:00
diff --git a/WIP-CHANGELOG.md b/WIP-CHANGELOG.md
@@ -8,6 +8,8 @@
 - Added basic alerts for Cluster-API
 - Add support for self-managed CRDs (Beta)
   - Add support for sealedsecrets and mongodb
+- Add end-user service account kube-config for devs
+  - Enabled developers to easily create a kube-config to act as an end-user
 
 ### Changed
 
diff --git a/bin/ck8s b/bin/ck8s
@@ -130,7 +130,7 @@ case "${1}" in
         sops_exec_file "${secrets[s3cfg_file]}" 's3cmd --config="{}" '"${*}"
     ;;
     kubeconfig)
-        [[ "${2}" =~ ^(user|admin)$ ]] || usage
+        [[ "${2}" =~ ^(user|dev|admin)$ ]] || usage
         shift
         "${here}/kubeconfig.bash" "${@}"
         ;;
diff --git a/bin/kubeconfig.bash b/bin/kubeconfig.bash
@@ -7,17 +7,102 @@ here="$(dirname "$(readlink -f "$0")")"
 source "${here}/common.bash"
 
 usage() {
-    echo "Usage: kubeconfig <user|admin <wc|sc> [cluster_name]>" >&2
+    echo "Usage: kubeconfig <user| dev <serviceaccount> |admin <wc|sc> [cluster_name]>" >&2
     exit 1
 }
 
+get_user_server() {
+    (
+        with_kubeconfig "${kubeconfig}" \
+            kubectl config view -o jsonpath="{.clusters[0].cluster.server}"
+    )
+}
+
+set_cluster() {
+
+    user_kubeconfig=$1
+
+    user_server=$(get_user_server)
+    user_certificate_authority=/tmp/user-authority.pem
+    append_trap "rm ${user_certificate_authority}" EXIT
+    (
+        with_kubeconfig "${kubeconfig}" \
+            kubectl config view --raw \
+                -o jsonpath="{.clusters[0].cluster.certificate-authority-data}" \
+                | base64 --decode > ${user_certificate_authority}
+    )
+
+    kubectl --kubeconfig="${user_kubeconfig}" config set-cluster "${cluster_name}" \
+    --server="${user_server}" \
+    --certificate-authority="${user_certificate_authority}" --embed-certs=true
+}
+
+set_dex_credentials() {
+    user_kubeconfig=$1
+    name=$2
+    cluster_name=$3
+
+    base_domain=$(yq4 '.global.baseDomain' "${cluster_config}")
+
+    kubectl --kubeconfig="${user_kubeconfig}" config set-credentials "${name}@${cluster_name}" \
+    --exec-command=kubectl \
+    --exec-api-version=client.authentication.k8s.io/v1beta1 \
+    --exec-arg=oidc-login \
+    --exec-arg=get-token \
+    --exec-arg=--oidc-issuer-url="https://dex.${base_domain}" \
+    --exec-arg=--oidc-client-id=kubelogin \
+    --exec-arg=--oidc-client-secret="$(sops -d --extract '["dex"]["kubeloginClientSecret"]' "${secrets[secrets_file]}")" \
+    --exec-arg=--oidc-extra-scope=email \
+    --exec-arg=--oidc-extra-scope=groups
+}
+
+set_context() {
+
+    user_kubeconfig=$1
+    cluster_name=$2
+    context_name=$3
+    user_name=$4
+    context_namespace=$5
+
+    kubectl --kubeconfig="${user_kubeconfig}" config set-context \
+    "${context_name}" \
+    --user "${user_name}@${cluster_name}" --cluster="${cluster_name}" --namespace="${context_namespace}"
+}
+
+use_context() {
+
+    user_kubeconfig=$1
+    cluster_name=$2
+
+    kubectl --kubeconfig="${user_kubeconfig}" config use-context \
+    "${cluster_name}"
+}
+
 case "${1}" in
     user)
         config_load wc
         cluster_config="${config[config_file_wc]}"
         kubeconfig="${config[kube_config_wc]}"
         user_kubeconfig=${CK8S_CONFIG_PATH}/user/secret/kubeconfig.yaml
     ;;
+    dev)
+        log_info "Adding dev ${2} context to wc-config"
+
+        config_load wc
+        cluster_config="${config[config_file_wc]}"
+        kubeconfig="${config[kube_config_wc]}"
+
+        token=$(with_kubeconfig "${kubeconfig}" kubectl get secrets secret-"${2}" -ojsonpath="{.data.token}" | base64 -d)
+        cluster_name=$(yq4 '.global.clusterName' "${cluster_config}")
+
+        kubectl --kubeconfig="${kubeconfig}" config set-credentials "${2}@${cluster_name}" \
+        --token="${token}"
+
+        set_context "${kubeconfig}" "${cluster_name}" "${2}" "${2}" "default"
+
+        log_info "Dev context finished"
+        exit
+    ;;
     admin)
         case "${2}" in
             sc)
@@ -47,42 +132,12 @@ if [[ ! -f "${kubeconfig}" ]]; then
     usage
 fi
 
-get_user_server() {
-    (
-        with_kubeconfig "${kubeconfig}" \
-            kubectl config view -o jsonpath="{.clusters[0].cluster.server}"
-    )
-}
-
 log_info "Creating kubeconfig for the ${1}"
 
 cluster_name=$(yq4 '.global.clusterName' "${cluster_config}")
-base_domain=$(yq4 '.global.baseDomain' "${cluster_config}")
-
-# Get server and certificate from the admin kubeconfig
-user_server=$(get_user_server)
-user_certificate_authority=/tmp/user-authority.pem
-append_trap "rm ${user_certificate_authority}" EXIT
-(
-    with_kubeconfig "${kubeconfig}" \
-        kubectl config view --raw \
-            -o jsonpath="{.clusters[0].cluster.certificate-authority-data}" \
-            | base64 --decode > ${user_certificate_authority}
-)
-
-kubectl --kubeconfig="${user_kubeconfig}" config set-cluster "${cluster_name}" \
-    --server="${user_server}" \
-    --certificate-authority="${user_certificate_authority}" --embed-certs=true
-kubectl --kubeconfig="${user_kubeconfig}" config set-credentials "${1}@${cluster_name}" \
-    --exec-command=kubectl \
-    --exec-api-version=client.authentication.k8s.io/v1beta1 \
-    --exec-arg=oidc-login \
-    --exec-arg=get-token \
-    --exec-arg=--oidc-issuer-url="https://dex.${base_domain}" \
-    --exec-arg=--oidc-client-id=kubelogin \
-    --exec-arg=--oidc-client-secret="$(sops -d --extract '["dex"]["kubeloginClientSecret"]' "${secrets[secrets_file]}")" \
-    --exec-arg=--oidc-extra-scope=email \
-    --exec-arg=--oidc-extra-scope=groups
+
+set_cluster "${user_kubeconfig}"
+set_dex_credentials "${user_kubeconfig}" "${1}" "${cluster_name}"
 
 # Create context with relevant namespace
 # Pick the first namespace
@@ -92,10 +147,7 @@ else
     context_namespace="default"
 fi
 
-kubectl --kubeconfig="${user_kubeconfig}" config set-context \
-    "${cluster_name}" \
-    --user "${1}@${cluster_name}" --cluster="${cluster_name}" --namespace="${context_namespace}"
-kubectl --kubeconfig="${user_kubeconfig}" config use-context \
-    "${cluster_name}"
+set_context "${user_kubeconfig}" "${cluster_name}" "${cluster_name}" "${1}" "${context_namespace}"
+use_context "${user_kubeconfig}" "${cluster_name}"
 
 log_info "User kubeconfig can now be found at ${user_kubeconfig}."
diff --git a/config/config/wc-config.yaml b/config/config/wc-config.yaml
@@ -30,6 +30,9 @@ user:
     - set-me
     - admin@example.com
 
+  ## List of serviceAccounts to create RBAC rules for, used for dev situations.
+  serviceAccounts: []
+
   ## List of groups to create RBAC rules for.
   adminGroups:
     - set-me
diff --git a/docs/end-user-dev-kubeconifg.md b/docs/end-user-dev-kubeconifg.md
@@ -0,0 +1,32 @@
+# User admin for development
+
+There can be situations where you as a developer needs to act as a end user.
+This document describes how to add a service account to act as a end user for development purposes.
+
+First add a name for the service account in your `wc-config.yaml`
+
+```diff
+...
+user:
+  namespaces:
+    - production
++  serviceAccounts:
++    - test
+  adminUsers:
+    - admin@example.com
+...
+```
+
+Then run `bin/ck8s kubeconfig dev test`.
+
+This will add a possible context to your `kube_config_wc.yaml`.
+
+To see the new context `kubectl config get-contexts`
+
+```console
+CURRENT   NAME         CLUSTER      AUTHINFO           NAMESPACE
+          test         foo-wc       test@foo-wc        default
+*         foo-wc       foo-wc       admin@foo-wc       default
+```
+
+To switch to the new context run the following `kubectl config use-context test`
diff --git a/helmfile/charts/user-rbac/templates/clusterrolebindings/user-admin-cluster-wide-delegation.yaml b/helmfile/charts/user-rbac/templates/clusterrolebindings/user-admin-cluster-wide-delegation.yaml
@@ -18,3 +18,8 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
diff --git a/helmfile/charts/user-rbac/templates/clusterrolebindings/user-crds.yaml b/helmfile/charts/user-rbac/templates/clusterrolebindings/user-crds.yaml
@@ -18,3 +18,8 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
diff --git a/helmfile/charts/user-rbac/templates/clusterrolebindings/user-view.yaml b/helmfile/charts/user-rbac/templates/clusterrolebindings/user-view.yaml
@@ -18,3 +18,8 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
diff --git a/helmfile/charts/user-rbac/templates/rolebindings/falco-viewer.yaml b/helmfile/charts/user-rbac/templates/rolebindings/falco-viewer.yaml
@@ -20,4 +20,9 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
 {{- end }}
diff --git a/helmfile/charts/user-rbac/templates/rolebindings/fluentd-configurer.yaml b/helmfile/charts/user-rbac/templates/rolebindings/fluentd-configurer.yaml
@@ -19,3 +19,8 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
diff --git a/helmfile/charts/user-rbac/templates/rolebindings/prometheus.yaml b/helmfile/charts/user-rbac/templates/rolebindings/prometheus.yaml
@@ -18,3 +18,8 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
diff --git a/helmfile/charts/user-rbac/templates/rolebindings/workload-admin.yaml b/helmfile/charts/user-rbac/templates/rolebindings/workload-admin.yaml
@@ -20,6 +20,11 @@ subjects:
   kind: Group
   name: {{ $group }}
 {{- end }}
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+- kind: ServiceAccount
+  name: {{ $serviceAccount }}
+  namespace: default
+{{- end }}
 {{- $known := lookup "v1" "Service" "default" "kubernetes" }}
 {{- $value := lookup "rbac.authorization.k8s.io/v1" "RoleBinding" $namespace.name "extra-workload-admins" }}
 {{- if and $known (not $value) (or $.Release.IsInstall $.Release.IsUpgrade) }}
diff --git a/helmfile/charts/user-rbac/templates/serviceAccounts/sa.yaml b/helmfile/charts/user-rbac/templates/serviceAccounts/sa.yaml
@@ -0,0 +1,16 @@
+{{- range $serviceAccount := $.Values.serviceAccounts }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $serviceAccount }}
+  namespace: default
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-{{ $serviceAccount }}
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: "{{ $serviceAccount }}"
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/helmfile/charts/user-rbac/values.yaml b/helmfile/charts/user-rbac/values.yaml
@@ -1,6 +1,7 @@
 namespaces: []
 users: []
 groups: []
+serviceAccounts: []
 createNamespaces: true
 enableFalcoViewer: false
 
diff --git a/helmfile/values/user-rbac.yaml.gotmpl b/helmfile/values/user-rbac.yaml.gotmpl
@@ -11,6 +11,7 @@ namespaces:
 
 users: {{ toYaml .Values.user.adminUsers | nindent 2 }}
 groups: {{ toYaml .Values.user.adminGroups | nindent 2 }}
+serviceAccounts: {{ toYaml .Values.user.serviceAccounts | nindent 2 }}
 createNamespaces: {{ .Values.user.createNamespaces }}
 enableFalcoViewer: {{ toYaml .Values.falco.enabled | nindent 2 }}
 
