first upload

setup-kind-users.sh

@@ -0,0 +1,140 @@
+#!/bin/bash
+
+set -euo pipefail
+
+CLUSTER_NAME="kind-kind-demo"
+NAMESPACE="dev"
+OUTPUT_DIR="./rbac-users"
+
+mkdir -p "$OUTPUT_DIR"
+
+echo "[+] Kivonjuk a CA tanúsítványt és kulcsot kubeconfigból..."
+
+CA_CERT_PATH="${OUTPUT_DIR}/ca.crt"
+CA_KEY_PATH="${OUTPUT_DIR}/ca.key"
+
+docker cp kind-demo-control-plane:/etc/kubernetes/pki/ca.crt $OUTPUT_DIR/ca.crt
+docker cp kind-demo-control-plane:/etc/kubernetes/pki/ca.key $OUTPUT_DIR/ca.key
+
+# Felhasználók listája
+USERS=("readonly" "dev-admin")
+
+for USER in "${USERS[@]}"; do
+  echo -e "\n[+] Tanúsítvány generálása: $USER"
+
+  openssl genrsa -out "${OUTPUT_DIR}/${USER}.key" 2048
+  openssl req -new -key "${OUTPUT_DIR}/${USER}.key" \
+    -out "${OUTPUT_DIR}/${USER}.csr" \
+    -subj "/CN=${USER}/O=devs"
+
+  openssl x509 -req \
+    -in "${OUTPUT_DIR}/${USER}.csr" \
+    -CA "$CA_CERT_PATH" \
+    -CAkey "$CA_KEY_PATH" \
+    -CAcreateserial \
+    -out "${OUTPUT_DIR}/${USER}.crt" \
+    -days 365 \
+    -sha256
+done
+
+echo -e "\n[+] RBAC létrehozása"
+
+# Readonly user: cluster-wide view
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: readonly-user
+subjects:
+- kind: User
+  name: readonly
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+EOF
+
+# Namespace létrehozás, ha még nem létezik
+kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
+# dev-admin user: admin jogosultság a dev namespace-ben
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dev-admin-binding
+  namespace: $NAMESPACE
+subjects:
+- kind: User
+  name: dev-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
+EOF
+
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dev-admin-readonly-global
+subjects:
+- kind: User
+  name: dev-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
+EOF
+
+
+echo -e "\n[+] Kubeconfig fájlok generálása..."
+
+SERVER=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
+
+for USER in "${USERS[@]}"; do
+  KUBECONFIG_USER="${OUTPUT_DIR}/kubeconfig-${USER}"
+
+  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-cluster "$CLUSTER_NAME" \
+    --server="$SERVER" \
+    --certificate-authority="${CA_CERT_PATH}" \
+    --embed-certs=true
+
+  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-credentials "$USER" \
+    --client-certificate="${OUTPUT_DIR}/${USER}.crt" \
+    --client-key="${OUTPUT_DIR}/${USER}.key" \
+    --embed-certs=true
+
+  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-context "$USER-context" \
+    --cluster="$CLUSTER_NAME" \
+    --user="$USER"
+
+  kubectl config --kubeconfig="${KUBECONFIG_USER}" use-context "$USER-context"
+
+  echo -e "\n  [✔] Létrejött: ${KUBECONFIG_USER}"
+done
+
+echo -e "\nUserek mergelése:"
+echo
+kubectl config set-credentials readonly \
+  --client-certificate=$OUTPUT_DIR/readonly.crt \
+  --client-key=$OUTPUT_DIR/readonly.key \
+  --embed-certs=true
+
+kubectl config set-context readonly-context \
+  --cluster=kind-kind-demo \
+  --user=readonly
+
+kubectl config set-credentials dev-admin \
+  --client-certificate=$OUTPUT_DIR/dev-admin.crt \
+  --client-key=$OUTPUT_DIR/dev-admin.key \
+  --embed-certs=true
+
+kubectl config set-context dev-admin-context \
+  --cluster=kind-kind-demo \
+  --user=dev-admin
+
+echo "[✅ KÉSZ]"