Skip to content

raesene/teisteanas

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Client Certificate Creator

This is just a small program that can be used to create and approve a Client Signing Request in a Kubernetes cluster and then create a new kubeconfig based on that approved certificate.

The code is heavily based on this article with some modifications for new CSR API versions and things I needed for this example. Setting expirationSeconds will add that to the CSR. Kubernetes servers tend to have upper limits for how long they'll issue a certificate for (although these times vary wildly), and generally 600 is the lower bound for what you can set.

It connects to a cluster based on the current Kubernetes context for the running user.

There are five command line parameters :-

  • --username - The username for the certificate. (MANDATORY)
  • --group - The group for the certificate. Defaults to none. (OPTIONAL)
  • --output-file - Filename for the output kubeconfig file. Default is [username].config (OPTIONAL)
  • --expirationSeconds - Number of seconds for the certificate to be valid. If not specified this will take the server's default setting. (OPTIONAL)

Known Limitations

  • This won't work on EKS clusters because they don't issue certificates for Client authentication. This issue is undocumented but there's a discussion here
  • This won't work with clusters earlier than 1.19 as we're using v1 of the CSR API which was issued then.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages