A lightweight REST service written in Go
leveraging the Gin
framework that automates the toil of creating Kubernetes
x509 certificates for users. KubeCSR is meant to make the entire process super simple and performs the following functions in one swift action:
- Creates an x509 Certificate Request (CSR) and a 2048-bit RSA Private Key
- Generates and submits a Kubernetes CSR leveraging an administrative base64 encoded
Kubeconfig
passed into the request body
- Automatically approves the Kubernetes CSR
- Pulls the approved user certificate from the
Kubernetes
CSR
- Extracts details like the cluster, server address, certificate CA, and other info from the administrative
Kubeconfig
- Returns a freshly generated base64 encoded user
Kubeconfig
that can be decoded and used to authenticate with the target Kubernetes
cluster
Basic Example
{
"certificateRequest": {
"user": "timmy"
},
"kubeconfig": "<BASE64_ENCODED_ADMIN_KUBECONFIG>"
}
Full Example wtih Groups
This example will create the Kubernetes
user linda
who will be part of the devops
group. If using RBAC
then Kubernetes
roles and rolebindings can then be associated with the devops
group so that linda
would inherit the permissions from anywhere that devops
is assigned.
{
"certificateRequest": {
"country": [
"United States"
],
"locality": [
"Los Angeles"
],
"organization": [
"devops"
],
"organizationUnit": [
"IT"
],
"postalCode": [
"55555"
],
"streetAddress": [
"123 Main St."
],
"user": "linda"
},
"kubeconfig": "<BASE64_ENCODED_ADMIN_KUBECONFIG>"
}