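#!/bin/bash
#
# Create a Kubernetes ServiceAccount plus a static (non-expiring)
# service-account token for an existing Linux user and write a kubeconfig
# for it into that user's home directory.
#
# Usage:    sudo ./setup-k8s-user-kubeconfig.sh <linux-user>
# Example:  sudo ./setup-k8s-user-kubeconfig.sh dashboarduser
# Requires: kubectl with access to the cluster, sudo, base64.
#
# NOTE(review): the token this script produces does not expire and the
# ServiceAccount is bound to the cluster-admin ClusterRole (see
# create_k8s_resources), so the resulting kubeconfig is a highly privileged,
# long-lived credential and must be protected accordingly.

# Linux user to set up. "${1:-}" keeps the emptiness check below working
# even if the script is ever run under `set -u`.
TARGET_USER="${1:-}"

if [ -z "$TARGET_USER" ]; then
  # Usage errors go to stderr so they are not captured by callers that
  # redirect stdout.
  echo "❌ Bitte gib den Namen eines Linux-Users als Argument an." >&2
  echo " Beispiel: sudo ./setup-k8s-user-kubeconfig.sh dashboarduser" >&2
  exit 1
fi

# ServiceAccount name; it mirrors the Linux user name.
USERNAME="$TARGET_USER"
# Namespace holding the ServiceAccount, its token Secret and the binding.
NAMESPACE="kube-system"
# Secret that carries the static service-account token.
SECRET_NAME="${USERNAME}-token"
# Destination kubeconfig and bashrc inside the target user's home.
# TODO(review): the home directory is assumed to be /home/<user>; users
# with a different home (see getent passwd) are not handled.
CONFIG_PATH="/home/${TARGET_USER}/.kube/config"
BASHRC_PATH="/home/${TARGET_USER}/.bashrc"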
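#######################################
# Abort unless the given Linux user exists.
# Arguments: $1 - Linux user name
# Outputs:   error message on stderr when the user is missing
# Returns:   0 if the user exists; otherwise exits the script with status 1
#######################################
check_user_exists() {
  local user="$1"
  # `id` exits non-zero for an unknown user; its own output is not needed.
  if ! id "$user" >/dev/null 2>&1; then
    echo "❌ Linux-User '$user' existiert nicht!" >&2
    exit 1
  fi
}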
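#######################################
# Create (idempotently) the ServiceAccount and a ClusterRoleBinding for it.
# The `create --dry-run=client -o yaml | apply` pattern makes both steps
# re-runnable without "already exists" errors.
# Globals:   USERNAME, NAMESPACE (read); CLUSTER_ROLE (read, optional)
# Outputs:   progress on stdout; errors on stderr
# Returns:   0 on success; exits the script with status 1 if kubectl fails
#######################################
create_k8s_resources() {
  # ClusterRole to bind. Defaults to cluster-admin for backwards
  # compatibility, which grants unrestricted control over the whole cluster;
  # export CLUSTER_ROLE=<name> before running to bind a narrower role.
  local cluster_role="${CLUSTER_ROLE:-cluster-admin}"

  echo "🔧 Erstelle ServiceAccount und ClusterRoleBinding für '$USERNAME'..."
  kubectl create serviceaccount "${USERNAME}" -n "${NAMESPACE}" \
    --dry-run=client -o yaml | kubectl apply -f - || {
    echo "❌ ServiceAccount '${USERNAME}' konnte nicht angelegt werden." >&2
    exit 1
  }

  kubectl create clusterrolebinding "${USERNAME}-binding" \
    --clusterrole="${cluster_role}" \
    --serviceaccount="${NAMESPACE}:${USERNAME}" \
    --dry-run=client -o yaml | kubectl apply -f - || {
    echo "❌ ClusterRoleBinding '${USERNAME}-binding' konnte nicht angelegt werden." >&2
    exit 1
  }
}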
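#######################################
# Ensure a static service-account token Secret exists and read the token.
# Creates the Secret only if it is missing, then polls up to 10 times
# (1 s apart) until the control plane has populated .data.token.
# Globals:   USERNAME, NAMESPACE, SECRET_NAME (read); TOKEN (written)
# Outputs:   progress on stdout; errors on stderr
# Returns:   0 with TOKEN set; exits the script with status 1 otherwise
# NOTE: a kubernetes.io/service-account-token Secret never expires; the
# token is only invalidated by deleting the Secret or the ServiceAccount.
#######################################
create_static_token_secret() {
  echo "🔐 Erstelle statisches Token (Secret) für '$USERNAME'..."

  # Create the Secret only when it does not exist yet, so re-running the
  # script keeps the existing token stable.
  if ! kubectl get secret "${SECRET_NAME}" -n "${NAMESPACE}" >/dev/null 2>&1; then
    kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: "${USERNAME}"
type: kubernetes.io/service-account-token
EOF
  fi

  echo "⏳ Warte, bis Token im Secret verfügbar ist..."

  # Reset first so a TOKEN inherited from the environment cannot pass the
  # emptiness check below. The field is filled asynchronously.
  TOKEN=""
  for _ in {1..10}; do
    TOKEN=$(kubectl get secret "${SECRET_NAME}" -n "${NAMESPACE}" \
      -o jsonpath='{.data.token}' | base64 -d 2>/dev/null)
    [ -n "$TOKEN" ] && break
    sleep 1
  done

  if [ -z "$TOKEN" ]; then
    echo "❌ Token konnte nicht aus dem Secret gelesen werden." >&2
    exit 1
  fi
}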
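#######################################
# Read the API server URL and CA bundle from the kubeconfig kubectl uses.
# Takes the first cluster entry (.clusters[0]); when several clusters are
# configured this may not be the current context's cluster.
# Globals:   SERVER, CA (written)
# Outputs:   progress on stdout; error on stderr
# Returns:   0 on success; exits the script with status 1 if a value is empty
#######################################
get_cluster_info() {
  echo "🌐 Lese Cluster-Info..."
  # --raw is needed so certificate-authority-data is not redacted.
  SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')
  CA=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')

  # Without both values the kubeconfig written later would be unusable.
  if [ -z "$SERVER" ] || [ -z "$CA" ]; then
    echo "❌ Server oder CA konnte nicht aus der kubectl-Konfiguration gelesen werden." >&2
    exit 1
  fi
}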
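#######################################
# Write a kubeconfig for TARGET_USER that authenticates with the static token.
# The file holds a long-lived credential, so it is created owner-only (0600)
# before any content is written into it.
# Globals:   TARGET_USER, CONFIG_PATH, USERNAME, CA, SERVER, TOKEN (read)
# Outputs:   progress on stdout; error on stderr
# Returns:   0 on success; exits the script with status 1 if the file cannot be created
#######################################
write_kubeconfig() {
  local kube_dir="/home/${TARGET_USER}/.kube"
  local group

  # Primary group of the user; fall back to the user name (old behaviour)
  # if it cannot be resolved.
  group=$(id -gn "${TARGET_USER}") || group="${TARGET_USER}"

  echo "📝 Schreibe Kubeconfig nach ${CONFIG_PATH}..."
  sudo -u "${TARGET_USER}" mkdir -p "${kube_dir}"
  sudo chmod 700 "${kube_dir}"

  # Create the empty file with its final owner and 0600 mode first, so the
  # token never sits on disk in a world-readable file, not even briefly.
  sudo install -m 600 -o "${TARGET_USER}" -g "${group}" /dev/null "${CONFIG_PATH}" || {
    echo "❌ ${CONFIG_PATH} konnte nicht angelegt werden." >&2
    exit 1
  }

  sudo tee "${CONFIG_PATH}" > /dev/null <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: ${CA}
    server: ${SERVER}
  name: k3s
contexts:
- context:
    cluster: k3s
    user: ${USERNAME}
  name: ${USERNAME}@k3s
current-context: ${USERNAME}@k3s
users:
- name: ${USERNAME}
  user:
    token: ${TOKEN}
EOF

  # Belt and braces: ownership and mode as set by install above.
  sudo chown "${TARGET_USER}:${group}" "${CONFIG_PATH}"
  sudo chmod 600 "${CONFIG_PATH}"
  echo "✅ Kubeconfig für ${TARGET_USER} mit statischem Token erstellt."
}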
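#######################################
# Append KUBECONFIG export and kubectl completion to the user's .bashrc,
# unless the file already mentions kubectl anywhere.
# Globals:   BASHRC_PATH (read)
# Outputs:   progress on stdout
# Returns:   status of the final tee (0 when nothing had to be added)
#######################################
add_kubectl_hint_to_bashrc() {
  # Crude idempotency check: any line containing "kubectl" skips the append.
  if ! sudo grep -q 'kubectl' "${BASHRC_PATH}" 2>/dev/null; then
    echo "🧠 Füge kubectl-Alias zur bashrc hinzu..."
    # Quoted delimiter: $HOME must land in .bashrc literally, unexpanded.
    # The completion line runs kubectl at every shell start, so it needs
    # kubectl on the user's PATH.
    sudo tee -a "${BASHRC_PATH}" > /dev/null <<'EOF'

# kubectl completion & config (automatisch hinzugefügt)
export KUBECONFIG=$HOME/.kube/config
source <(kubectl completion bash)
EOF
  fi
}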
# === Execution ===

#######################################
# Run the setup steps in order; several of them abort the script with
# status 1 on failure, so reaching the final messages means every step ran.
# Globals:   TARGET_USER (read)
# Outputs:   final hints on stdout
#######################################
main() {
  check_user_exists "${TARGET_USER}"
  create_k8s_resources
  create_static_token_secret
  get_cluster_info
  write_kubeconfig
  add_kubectl_hint_to_bashrc

  printf '%s\n' "🚀 Alles erledigt für Benutzer '${TARGET_USER}'!"
  printf '%s\n' "💡 Melde dich mit dem Token im Kubernetes Dashboard an, oder nutze:"
  printf '%s\n' " kubectl get pods -A"
}

main