Add createServiceAccount.sh

2024-08-29 11:20:02 +00:00 · 2024-08-29 11:20:02 +00:00 · 22071927a0
commit 22071927a0
parent 9fac14076a
1 changed files with 119 additions and 0 deletions
--- a/createServiceAccount.sh
+++ b/createServiceAccount.sh
@ -0,0 +1,119 @@
+#!/bin/bash
+
+# Extract namespace from values.yaml using yq
+NAMESPACE=$(yq e '.namespace' values.yaml)
+
+# Set the ServiceAccount, Role, and RoleBinding names based on the namespace
+SA_NAME="${NAMESPACE}-cicd"
+
+# Capture Helm template output directly with dynamic subchartData
+HELM_OUTPUT=$(helm template -g --set-json="subchartData=$(yq '.dependencies[0]' Chart.yaml -ojson | jq -rc)" .)
+
+# Extract unique apiVersion and kind pairs using yq and jq
+resources=$(echo "$HELM_OUTPUT" | yq -o=json | jq -rc '{apiVersion, kind}' | sort | uniq)
+
+cat <<EOFFF
+
+# Step 1: Set kubeconfig
+export KUBECONFIG=
+
+# Step 2: Create Service Account
+cat <<EOF | kubectl create -f -
+EOFFF
+
+
+# Print ServiceAccount YAML
+cat <<EOF
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: $SA_NAME
+  namespace: $NAMESPACE
+---
+EOF
+
+# Print Role YAML header
+cat <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: $SA_NAME
+  namespace: $NAMESPACE
+rules:
+EOF
+
+# Loop through unique apiVersion and kind pairs and append rules to the Role YAML
+echo "$resources" | while IFS= read -r resource; do
+  apiGroup=$(echo "$resource" | jq -r '.apiVersion' | awk -F'/' '{print $1}')
+  kind=$(echo "$resource" | jq -r '.kind' | tr '[:upper:]' '[:lower:]')
+
+  # Append rule for the current resource
+  cat <<EOF
+  - apiGroups: ["$apiGroup"]
+    resources:
+      - ${kind}s
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+EOF
+done
+
+# Print RoleBinding YAML
+cat <<EOF
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: $SA_NAME
+  namespace: $NAMESPACE
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: $SA_NAME
+subjects:
+  - kind: ServiceAccount
+    name: $SA_NAME
+    namespace: $NAMESPACE
+---
+EOF
+
+# Print Secret to create a token for the ServiceAccount
+cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${SA_NAME}-token
+  namespace: $NAMESPACE
+  annotations:
+    kubernetes.io/service-account.name: $SA_NAME
+type: kubernetes.io/service-account-token
+EOF
+
+
+NEW_KUBECONFIG="kubeconfig-${NAMESPACE}-cicd.yaml"
+cat <<EOFFF
+---
+EOF
+
+# Step 3: generate kubeconfig
+CURRENT_CLUSTER=\$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
+TOKEN=\$(kubectl get secret "${NAMESPACE}-cicd-token" -n "$NAMESPACE" -o jsonpath="{.data.token}" | base64 --decode)
+cp \$KUBECONFIG $NEW_KUBECONFIG
+kubectl config --kubeconfig=$NEW_KUBECONFIG unset contexts
+kubectl config --kubeconfig=$NEW_KUBECONFIG unset users
+kubectl config --kubeconfig=$NEW_KUBECONFIG set-credentials "${NAMESPACE}-cicd" --token="\$TOKEN"
+kubectl config --kubeconfig=$NEW_KUBECONFIG set-cluster $CURRENT_CLUSTER --server="https://kubernetes.default.svc.cluster.local"
+kubectl config --kubeconfig=$NEW_KUBECONFIG set-context "${NAMESPACE}-cicd"-context --cluster=$CURRENT_CLUSTER --user="${NAMESPACE}-cicd"
+kubectl config --kubeconfig=$NEW_KUBECONFIG use-context "${NAMESPACE}-cicd" -context
+cat $NEW_KUBECONFIG
+rm $NEW_KUBECONFIG
+
+# Done!
+
+EOFFF