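#!/usr/bin/env bash
#
# Bootstrap client-certificate authentication from a PKCS#12 bundle:
#   1. extract the certificate chain (leaf + intermediates) and the private
#      key, unencrypted, from <cert.p12>;
#   2. persist both under $HOME/.git/certs/git.basalam.dev (mode 600);
#   3. point the "production" and "stage" users of <kubeconfig> at them;
#   4. point Git's http.https://git.basalam.dev.sslCert/.sslKey at them;
#   5. recreate $HOME/.pki/nssdb and import the P12 there for browsers.
#
# Usage:    script.sh <kubeconfig> <cert.p12>
# Input:    the P12 password is read from the terminal, never from argv.
# Requires: openssl, kubectl, git; certutil/pk12util are installed with
#           sudo apt-get / yum when missing.
# Note:     the private key is stored on disk WITHOUT a passphrase, and
#           $HOME/.pki/nssdb is wiped and recreated, so anything previously
#           imported into that NSS DB is lost.
set -euo pipefail

readonly GIT_HOST_URL="https://git.basalam.dev"
readonly CERT_DIR="$HOME/.git/certs/git.basalam.dev"
readonly NSSDB_DIR="$HOME/.pki/nssdb"
readonly KUBE_USERS=(production stage)

# Scratch directory for the raw openssl output and the password file; set in
# main and removed by the EXIT trap on every exit path (success, die, set -e).
TMP_DIR=""

die() { printf '%s\n' "$*" >&2; exit 1; }
usage() { printf 'Usage: %s <kubeconfig> <cert.p12>\n' "$0" >&2; exit 1; }

cleanup() {
  if [[ -n "$TMP_DIR" ]]; then
    rm -rf -- "$TMP_DIR"
  fi
}

#######################################
# Make sure certutil/pk12util exist, installing the NSS tools if not.
# Runs before any secret is handled so a missing package manager fails early.
# Returns: 0 when both tools are available; exits otherwise.
#######################################
ensure_nss_tools() {
  echo "🔧 Ensuring NSS tools are installed..."
  if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    return 0
  fi
  if command -v apt-get >/dev/null 2>&1; then
    # Two statements, not `update && install`: under set -e a failed
    # `apt-get update` inside an && list would be ignored.
    sudo apt-get update
    sudo apt-get install -y libnss3-tools
  elif command -v yum >/dev/null 2>&1; then
    sudo yum install -y nss-tools
  else
    die "❌ Install libnss3-tools (nss-tools) manually."
  fi
}

#######################################
# Prompt for the P12 password and store it in $DB_PASS_FILE so that openssl,
# certutil and pk12util read it from a file instead of argv (argv is visible
# to every local user via ps).
# Globals: P12_PASS, PASSIN_ARGS (written); DB_PASS_FILE (read)
#######################################
read_password() {
  read -r -s -p "🔐 P12 password (if any): " P12_PASS
  echo
  # printf, not echo: a password such as "-n" or one containing backslashes
  # must be written verbatim. umask 077 makes the file 0600 at creation.
  printf '%s\n' "$P12_PASS" > "$DB_PASS_FILE"
  PASSIN_ARGS=()
  if [[ -n "$P12_PASS" ]]; then
    PASSIN_ARGS=(-passin "file:$DB_PASS_FILE")
  fi
}

#######################################
# Copy only the PEM blocks whose BEGIN line matches a regex, dropping the
# "Bag Attributes" text that `openssl pkcs12` prints between them.
# Arguments: $1 - awk regex matched against the BEGIN line
#            $2 - input file, $3 - output file
# Returns:   1 when no block matched (output is empty)
#######################################
extract_pem_blocks() {
  local begin_re=$1 src=$2 dst=$3
  awk -v re="$begin_re" '$0 ~ re {copy=1} copy {print} /^-----END / {copy=0}' \
    "$src" > "$dst"
  [[ -s "$dst" ]]
}

#######################################
# Pull the certificate chain and the unencrypted private key out of $P12_FILE.
# Globals: P12_FILE, PASSIN_ARGS, CHAIN_RAW/CHAIN_PEM, KEY_RAW/KEY_PEM
#######################################
extract_from_p12() {
  echo "🔧 Extracting full certificate chain (leaf + intermediate) from P12..."
  # ${arr[@]+"${arr[@]}"} keeps `set -u` happy on an empty array (bash < 4.4).
  openssl pkcs12 -in "$P12_FILE" -nokeys -out "$CHAIN_RAW" \
    ${PASSIN_ARGS[@]+"${PASSIN_ARGS[@]}"} \
    || die "❌ Failed to extract certificate chain; check P12 password or file."
  extract_pem_blocks '-----BEGIN CERTIFICATE-----' "$CHAIN_RAW" "$CHAIN_PEM" \
    || die "❌ No CERTIFICATE block found in $P12_FILE."

  echo "🔧 Extracting unencrypted private key from P12..."
  openssl pkcs12 -in "$P12_FILE" -nocerts -nodes -out "$KEY_RAW" \
    ${PASSIN_ARGS[@]+"${PASSIN_ARGS[@]}"} \
    || die "❌ Failed to extract private key; check P12 password or file."
  extract_pem_blocks '-----BEGIN .*PRIVATE KEY-----' "$KEY_RAW" "$KEY_PEM" \
    || die "❌ No PRIVATE KEY block found in $P12_FILE."
}

#######################################
# Copy chain + key to the stable location used by kubectl and Git.
# install -m 600 sets the final mode at creation rather than after a cp.
# Globals: CERT_DIR, CHAIN_PEM, KEY_PEM, CLIENT_CERT, CLIENT_KEY
#######################################
persist_cert_and_key() {
  mkdir -p -- "$CERT_DIR"
  install -m 600 -- "$CHAIN_PEM" "$CLIENT_CERT"
  install -m 600 -- "$KEY_PEM" "$CLIENT_KEY"
  echo "🔧 Persisted client cert+key:"
  echo " cert: $CLIENT_CERT"
  echo " key : $CLIENT_KEY"
}

#######################################
# Attach the persisted cert/key to each user in KUBE_USERS. set-credentials
# only touches the flags given, so an existing token on the user is kept.
# Globals: KUBECONFIG_FILE, KUBE_USERS, CLIENT_CERT, CLIENT_KEY
#######################################
update_kubeconfig() {
  echo "🔧 Updating kubeconfig users (production, stage) with client cert (full chain) + unencrypted key..."
  # Loop variable is NOT named USER: that is the exported login name, and
  # overwriting it would leak "stage" into every child process.
  local kube_user
  for kube_user in "${KUBE_USERS[@]}"; do
    kubectl --kubeconfig "$KUBECONFIG_FILE" \
      config set-credentials "$kube_user" \
      --client-certificate="$CLIENT_CERT" \
      --client-key="$CLIENT_KEY" \
      >/dev/null
  done
  echo " ✔ kubeconfig users 'production' و 'stage' حالا هم token دارند، هم client cert+key."
}

#######################################
# Point Git's per-URL TLS client settings at the persisted cert/key.
# Globals: GIT_HOST_URL, CLIENT_CERT, CLIENT_KEY
#######################################
configure_git() {
  echo "🔧 Cleaning up old Git SSL config entries..."
  # Earlier runs may have used either the trailing-slash or the bare URL
  # form; `--unset` fails when the key is absent, hence `|| true`.
  local key
  for key in "http.${GIT_HOST_URL}/.sslCert" "http.${GIT_HOST_URL}/.sslKey" \
             "http.${GIT_HOST_URL}.sslCert" "http.${GIT_HOST_URL}.sslKey"; do
    git config --global --unset "$key" || true
  done
  echo "🔧 Configuring Git for git.basalam.dev with client chain + key..."
  git config --global "http.${GIT_HOST_URL}.sslCert" "$CLIENT_CERT"
  git config --global "http.${GIT_HOST_URL}.sslKey" "$CLIENT_KEY"
}

#######################################
# Recreate the user NSS DB and import the P12 into it.
# WARNING: removes the existing DB and everything previously imported there.
# Globals: NSSDB_DIR, P12_FILE, P12_PASS, DB_PASS_FILE
#######################################
import_into_nss() {
  echo "🔄 Initializing NSS DB..."
  rm -rf -- "${NSSDB_DIR:?}"
  mkdir -p -- "$NSSDB_DIR"
  local -a init_cmd=(certutil -N -d "sql:$NSSDB_DIR")
  local -a import_cmd=(pk12util -d "sql:$NSSDB_DIR" -i "$P12_FILE")
  if [[ -n "$P12_PASS" ]]; then
    # The same password protects the DB and the P12; both tools read it from
    # the password file rather than the command line.
    init_cmd+=(-f "$DB_PASS_FILE")
    import_cmd+=(-w "$DB_PASS_FILE" -k "$DB_PASS_FILE")
  else
    init_cmd+=(--empty-password)
    import_cmd+=(-w "" -k "")
  fi
  "${init_cmd[@]}"
  echo "🔧 Importing P12 into NSS..."
  "${import_cmd[@]}"
  echo "✅ NSS import succeeded."
}

main() {
  [[ $# -eq 2 ]] || usage
  KUBECONFIG_FILE=$1
  P12_FILE=$2
  [[ -r "$P12_FILE" ]] || die "❌ P12 file not found or not readable: $P12_FILE"
  export KUBECONFIG="$KUBECONFIG_FILE"

  ensure_nss_tools

  # From here on every file we create (temp dir, password file, key, NSS DB)
  # is private to the user from the moment it exists. Set after the package
  # install so the restrictive mask is not inherited by apt/yum.
  umask 077
  TMP_DIR=$(mktemp -d) || die "❌ mktemp failed"
  trap cleanup EXIT
  CHAIN_RAW="$TMP_DIR/chain-raw.pem"
  CHAIN_PEM="$TMP_DIR/chain.pem"
  KEY_RAW="$TMP_DIR/key-raw.pem"
  KEY_PEM="$TMP_DIR/key.pem"
  DB_PASS_FILE="$TMP_DIR/db_pass"
  CLIENT_CERT="$CERT_DIR/client-chain.pem"   # full chain
  CLIENT_KEY="$CERT_DIR/client-key.pem"      # key without passphrase

  read_password
  extract_from_p12
  persist_cert_and_key
  update_kubeconfig
  configure_git
  import_into_nss

  # The EXIT trap removes $TMP_DIR (raw key + password file).
  echo "🔄 Cleaning up temporary files..."
  echo "🚀 Done. kubeconfig (token + full-chain cert + unencrypted key)، Git و NSS به‌روز شدند."
}

main "$@"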