Step 0.10 implementation:
- Recreate minikube with --apiserver-names=indri --listen-address=0.0.0.0
- Add kubectl-credential-1password exec plugin for 1Password integration
- Client certs fetched from 1Password on-demand (no private keys on disk)
- CA cert stored locally (not secret - public key for server verification)

Minikube role updates:
- Add minikube_apiserver_names and minikube_listen_address variables
- Update tasks to include remote access flags

This mirrors the 1Password SSH agent pattern - biometric auth required for each kubectl command that needs credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
31 lines
966 B
Bash
Executable file
#!/bin/bash
# kubectl exec credential plugin for 1Password
# Usage: kubectl-credential-1password <vault-id> <item-id> <cert-field> <key-field>
#
# Fetches client certificate and key from 1Password and outputs
# ExecCredential JSON for kubectl authentication.
#
# The apiVersion emitted below must match `exec.apiVersion` in the kubeconfig
# user entry that calls this plugin, or kubectl rejects the credential.
# kubectl runs the plugin once per invocation and keeps the result only in
# memory, which is why each kubectl command triggers a fresh 1Password unlock.

set -euo pipefail

if [ "$#" -ne 4 ]; then
    echo "usage: $(basename "$0") <vault-id> <item-id> <cert-field> <key-field>" >&2
    exit 2
fi

for tool in op jq; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found in PATH" >&2; exit 1; }
done

VAULT_ID="$1"
ITEM_ID="$2"
CERT_FIELD="$3"
KEY_FIELD="$4"

# Fetch credentials from 1Password (strips surrounding quotes from text fields).
# A failed or denied op call aborts here via set -e, so kubectl sees a plugin
# error rather than an ExecCredential with empty PEM data.
CLIENT_CERT=$(op --vault "$VAULT_ID" item get "$ITEM_ID" --fields "$CERT_FIELD" | sed 's/^"//; s/"$//')
CLIENT_KEY=$(op --vault "$VAULT_ID" item get "$ITEM_ID" --fields "$KEY_FIELD" | sed 's/^"//; s/"$//')

# Output ExecCredential JSON
# Note: jq is used to properly escape the PEM data (newlines, quotes) for JSON
jq -n \
    --arg cert "$CLIENT_CERT" \
    --arg key "$CLIENT_KEY" \
    '{
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "kind": "ExecCredential",
        "status": {
            "clientCertificateData": $cert,
            "clientKeyData": $key
        }
    }'
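The plugin above is only half of the setup: the kubeconfig user entry has to call it with the right exec `apiVersion`, and the plugin's output has to be well-formed before kubectl will use it. The block below is an added example, not code from this commit or repository. It renders such a kubeconfig and checks a plugin's ExecCredential output with plain shell (no jq), including the failure the plugin's `sed` strip guards against: `op` field output still wrapped in quotes, which would leave `\"` glued onto the PEM and break TLS client auth. The cluster name `indri` and the apiserver address follow the commit message; the server port, CA file path, vault and item ids, and the `client-cert`/`client-key` field labels are placeholders, and the sample JSON is constructed to look like the plugin's `jq` output.

```bash
#!/bin/bash
# Added example (not part of the commit): wire kubectl-credential-1password
# into a kubeconfig and sanity-check the ExecCredential JSON it emits.
# Placeholders: server URL/port, CA file path, vault/item ids, field labels.
set -euo pipefail

# Render a kubeconfig whose user entry calls the exec plugin. Only the CA
# certificate (public) is referenced from disk; the client cert and key are
# supplied by the plugin at run time. exec.apiVersion must match the
# apiVersion the plugin prints.
render_kubeconfig() {
  local cluster="$1" server="$2" ca_file="$3" vault="$4" item="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority: ${ca_file}
users:
- name: ${cluster}-1password
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      # Let the plugin use the terminal when kubectl has one, so any
      # prompt raised by op can reach the user.
      interactiveMode: IfAvailable
      command: kubectl-credential-1password
      args:
      - ${vault}
      - ${item}
      - client-cert
      - client-key
contexts:
- name: ${cluster}
  context:
    cluster: ${cluster}
    user: ${cluster}-1password
current-context: ${cluster}
EOF
}

# Validate ExecCredential JSON produced by the plugin. Returns 0 when the
# kind/apiVersion are right, both values are PEM blobs, and no quote from
# op's field output was left glued onto the PEM (the case the plugin's
# sed strip exists for). Uses shell patterns only, so it needs no jq.
check_exec_credential() {
  local json="$1"
  case "$json" in
    *'\"-----BEGIN'*) echo "check: op field quotes leaked into PEM data" >&2; return 1 ;;
  esac
  case "$json" in
    *'"kind": "ExecCredential"'*|*'"kind":"ExecCredential"'*) ;;
    *) echo "check: kind is not ExecCredential" >&2; return 1 ;;
  esac
  case "$json" in
    *'"apiVersion": "client.authentication.k8s.io/v1beta1"'*|*'"apiVersion": "client.authentication.k8s.io/v1"'*) ;;
    *) echo "check: unexpected apiVersion" >&2; return 1 ;;
  esac
  case "$json" in
    *'"clientCertificateData": "-----BEGIN CERTIFICATE-----'*) ;;
    *) echo "check: clientCertificateData is not a PEM certificate" >&2; return 1 ;;
  esac
  case "$json" in
    *'"clientKeyData": "-----BEGIN '*'PRIVATE KEY-----'*) ;;
    *) echo "check: clientKeyData is not a PEM private key" >&2; return 1 ;;
  esac
  return 0
}

# Constructed samples shaped like the plugin's jq output (not real keys).
SAMPLE_GOOD='{
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "kind": "ExecCredential",
  "status": {
    "clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUEXAMPLE\n-----END CERTIFICATE-----\n",
    "clientKeyData": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIEXAMPLE\n-----END EC PRIVATE KEY-----\n"
  }
}'
# Same output if the sed strip had been skipped: op's quotes survive as \".
SAMPLE_BAD='{
  "apiVersion": "client.authentication.k8s.io/v1beta1",
  "kind": "ExecCredential",
  "status": {
    "clientCertificateData": "\"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUEXAMPLE\n-----END CERTIFICATE-----\"",
    "clientKeyData": "\"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIEXAMPLE\n-----END EC PRIVATE KEY-----\""
  }
}'

render_kubeconfig indri https://indri:8443 /path/to/minikube/ca.crt VAULT_ID ITEM_ID
check_exec_credential "$SAMPLE_GOOD" && echo "good sample: accepted"
check_exec_credential "$SAMPLE_BAD" || echo "bad sample: rejected as expected"
```

To check the real plugin once it is on PATH, pass its output straight in: `check_exec_credential "$(kubectl-credential-1password VAULT_ID ITEM_ID client-cert client-key)"`; a rejected output means kubectl would also fail, typically with a TLS handshake error rather than a clear message about the credential.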