diff --git a/assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-3.0.0.tgz b/assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-3.0.0.tgz
new file mode 100644
index 000000000..708bb3817
Binary files /dev/null and b/assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-3.0.0.tgz differ
diff --git a/assets/rancher-windows-gmsa/rancher-windows-gmsa-3.0.0.tgz b/assets/rancher-windows-gmsa/rancher-windows-gmsa-3.0.0.tgz
new file mode 100644
index 000000000..9252a344a
Binary files /dev/null and b/assets/rancher-windows-gmsa/rancher-windows-gmsa-3.0.0.tgz differ
diff --git a/charts/rancher-windows-gmsa-crd/3.0.0/Chart.yaml b/charts/rancher-windows-gmsa-crd/3.0.0/Chart.yaml
new file mode 100644
index 000000000..3478358ca
--- /dev/null
+++ b/charts/rancher-windows-gmsa-crd/3.0.0/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-windows-gmsa-system
+ catalog.cattle.io/release-name: rancher-windows-gmsa-crd
+apiVersion: v1
+description: Installs the CRDs for Windows GMSA.
+name: rancher-windows-gmsa-crd
+type: application
+version: 3.0.0
diff --git a/charts/rancher-windows-gmsa-crd/3.0.0/templates/crds.yaml b/charts/rancher-windows-gmsa-crd/3.0.0/templates/crds.yaml
new file mode 100644
index 000000000..de31c4561
--- /dev/null
+++ b/charts/rancher-windows-gmsa-crd/3.0.0/templates/crds.yaml
@@ -0,0 +1,119 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: gmsacredentialspecs.windows.k8s.io
+ annotations:
+ "api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
+spec:
+ group: windows.k8s.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: false
+ deprecated: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ credspec:
+ description: GMSA Credential Spec
+ type: object
+ properties:
+ ActiveDirectoryConfig:
+ type: object
+ properties:
+ GroupManagedServiceAccounts:
+ type: array
+ items:
+ type: object
+ properties:
+ Name:
+ type: string
+ Scope:
+ type: string
+ HostAccountConfig:
+ type: object
+ properties:
+ PluginGUID:
+ type: string
+ PluginInput:
+ type: string
+ PortableCcgVersion:
+ type: string
+ CmsPlugins:
+ type: array
+ items:
+ type: string
+ DomainJoinConfig:
+ type: object
+ properties:
+ DnsName:
+ type: string
+ DnsTreeName:
+ type: string
+ Guid:
+ type: string
+ MachineAccountName:
+ type: string
+ NetBiosName:
+ type: string
+ Sid:
+ type: string
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ credspec:
+ description: GMSA Credential Spec
+ type: object
+ properties:
+ ActiveDirectoryConfig:
+ type: object
+ properties:
+ GroupManagedServiceAccounts:
+ type: array
+ items:
+ type: object
+ properties:
+ Name:
+ type: string
+ Scope:
+ type: string
+ HostAccountConfig:
+ type: object
+ properties:
+ PluginGUID:
+ type: string
+ PluginInput:
+ type: string
+ PortableCcgVersion:
+ type: string
+ CmsPlugins:
+ type: array
+ items:
+ type: string
+ DomainJoinConfig:
+ type: object
+ properties:
+ DnsName:
+ type: string
+ DnsTreeName:
+ type: string
+ Guid:
+ type: string
+ MachineAccountName:
+ type: string
+ NetBiosName:
+ type: string
+ Sid:
+ type: string
+ conversion:
+ strategy: None
+ names:
+ kind: GMSACredentialSpec
+ plural: gmsacredentialspecs
+ scope: Cluster
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/Chart.yaml b/charts/rancher-windows-gmsa/3.0.0/Chart.yaml
new file mode 100644
index 000000000..52c25c8ce
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/Chart.yaml
@@ -0,0 +1,29 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Windows GMSA
+ catalog.cattle.io/experimental: "true"
+ catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.24.0-0'
+ catalog.cattle.io/namespace: cattle-windows-gmsa-system
+ catalog.cattle.io/os: windows
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: rancher-windows-gmsa
+apiVersion: v2
+appVersion: 0.3.0
+description: Windows GMSA Configuration
+icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg
+keywords:
+- Windows
+- Windows GMSA
+- GMSA
+- Active Directory
+maintainers:
+- email: jamie.phillips@suse.com
+ name: Rancher
+name: rancher-windows-gmsa
+sources:
+- https://github.com/kubernetes-sigs/windows-gmsa
+type: application
+version: 3.0.0
diff --git a/charts/rancher-windows-gmsa/3.0.0/app-readme.md b/charts/rancher-windows-gmsa/3.0.0/app-readme.md
new file mode 100644
index 000000000..b6a21b135
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/app-readme.md
@@ -0,0 +1,9 @@
+# Windows GMSA Admission Webhook
+
+This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).
+
+## Prerequisites
+
+- Active Directory that supports Group Managed Service Accounts
+- A Group Managed Service Account
+- Kubernetes v1.21+
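Review bot: The `v1alpha1` version is marked `deprecated: true` but carries no `deprecationWarning`, so clients that still write `windows.k8s.io/v1alpha1` objects get only the generic API-server deprecation notice rather than a pointer to `v1`; add `deprecationWarning: "windows.k8s.io/v1alpha1 GMSACredentialSpec is deprecated; use windows.k8s.io/v1"` next to the `deprecated: true` line. Neither version's schema declares `required` fields or formats, so an empty `credspec` is accepted by the API server and only the webhook can reject it at pod-admission time. If the schema is a verbatim copy of the upstream CRD, a comment at the top of the file saying so (and which upstream version) would tell the next maintainer not to tighten it locally.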
diff --git a/charts/rancher-windows-gmsa/3.0.0/questions.yaml b/charts/rancher-windows-gmsa/3.0.0/questions.yaml
new file mode 100644
index 000000000..70f16989e
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/questions.yaml
@@ -0,0 +1,53 @@
+questions:
+ - variable: credential.enabled
+ default: true
+ description: Whether to create a GMSA Credential when installing GMSA Webhook
+ label: Whether to create a GMSA Credential
+ type: boolean
+ group: "Credential Spec"
+ show_subquestion_if: true
+ subquestions:
+ - variable: credential.domainJoinConfig.machineAccountName
+ label: GMSA Account Name
+ description: Username of the GMSA account
+ type: string
+ required: true
+ - variable: credential.domainJoinConfig.guid
+ label: GUID
+ description: GUID of the Service Account
+ type: string
+ required: true
+ - variable: credential.domainJoinConfig.sid
+ label: SID
+ description: SID of the GMSA Account
+ type: string
+ required: true
+ - variable: credential.domainJoinConfig.dnsName
+ label: DNS Domain Name
+ description: Name of the domain in DNS
+ type: string
+ required: true
+ - variable: credential.domainJoinConfig.dnsTreeName
+ label: DNS Tree Domain
+ description: Root name of the domain in DNS
+ type: string
+ required: true
+ - variable: credential.domainJoinConfig.netBiosName
+ label: NETBIOS Name
+ description: NETBIOS Name for the domain.
+ type: string
+ required: true
+ - variable: certificates.certManager.enabled
+ default: true
+ description: Use cert-manager to generate certificates for the webhook
+ label: Generate certificate through cert-manager
+ type: boolean
+ group: "Certificates"
+ show_subquestion_if: false
+ subquestions:
+ - variable: certificates.secretName
+ default: webhook-server-cert
+ description: Mount a CA Bundle from an existing Secret in the same namespace as the GMSA webhook. Secret must contain keys for the CA certificate (ca.crt), the TLS certificate (tls.crt), and the TLS private key (tls.key) to be used by the webhook.
+ label: CA Bundle From Existing Secret
+ type: string
+ required: true
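Review bot: The default for `certificates.secretName` in the last subquestion (`default: webhook-server-cert`) does not match values.yaml in this commit, which sets `secretName: gmsa-server-cert`; because the subquestion is only shown when cert-manager is disabled, a UI install with cert-manager enabled mounts `gmsa-server-cert` while a user who toggles the option is pre-filled with a different name, and the two paths end up pointing at different Secrets unless the user notices. Align the question with the chart default: `default: gmsa-server-cert`. The description of that question also says "Mount a CA Bundle", but deployment.yaml mounts `tls.crt`/`tls.key` from the same Secret as the webhook's serving key pair and only `ca.crt` goes into the caBundle; wording such as "Existing Secret holding the webhook's serving certificate, key and CA" would describe what the Secret is used for.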
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/_helpers.tpl b/charts/rancher-windows-gmsa/3.0.0/templates/_helpers.tpl
new file mode 100644
index 000000000..61576a7c8
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+# Rancher
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "gmsa.chartref" -}}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end }}
+
+{{/* Determine apiVersion for cert-manager */}}
+{{- define "cert-manager.apiversion" -}}
+ {{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
+ {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+ {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha1
+ {{- else }}
+apiVersion: cert-manager.io/v1
+ {{- end }}
+{{- end }}
+
+{{- define "certificates.cabundle"}}
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
+{{- if lt (len $secret) 1 -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- else -}}
+{{- if not (hasKey $secret "data") -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- end -}}
+{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
+{{- end -}}
+{{- end -}}
+{{- get $secret.data "ca.crt" }}
+{{- else -}}
+INSERT_CERTIFICATE_FROM_SECRET
+{{- end -}}
+{{- end }}
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/clusterrole.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/clusterrole.yaml
new file mode 100644
index 000000000..6e7667209
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+# the RBAC role that the webhook needs to:
+# * read GMSA custom resources
+# * check authorizations to use GMSA cred specs
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+rules:
+ - apiGroups: ["windows.k8s.io"]
+ resources: ["gmsacredentialspecs"]
+ verbs: ["get", "use"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["localsubjectaccessreviews"]
+ verbs: ["create"]
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/clusterrolebinding.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..7f477c426
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/clusterrolebinding.yaml
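Review bot: The `required` message in `certificates.cabundle` that reports missing keys formats `$secret.data` itself with `%s`, so a failed validation prints the whole data map of the Secret, including the base64-encoded `tls.key`, into the Helm error output and into whatever log or UI captures it. Print only the key names: `{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.crt, and tls.key; found keys: %s" .Values.certificates.secretName .Release.Namespace (keys $secret.data | join ", ")) "" -}}`. That same message names `tls.cert` while the `hasKey` check two lines above looks for `tls.crt`; the rewritten line fixes the mismatch. Separately, the `certmanager.k8s.io/v1alpha1` branch of `cert-manager.apiversion` emits `apiVersion: cert-manager.io/v1alpha1`, which as far as I know cert-manager never served; on a cluster that only has the legacy group it would have to emit `certmanager.k8s.io/v1alpha1`, though with the chart's kube-version range that branch is unlikely to be reached.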
@@ -0,0 +1,15 @@
+# bind that role to the webhook's service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/credentialspec.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/credentialspec.yaml
new file mode 100644
index 000000000..f4ff13efd
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/credentialspec.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.credential.enabled -}}
+apiVersion: windows.k8s.io/v1
+kind: GMSACredentialSpec
+metadata:
+ name: {{ .Values.credential.domainJoinConfig.machineAccountName | lower }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+credspec:
+ ActiveDirectoryConfig:
+ GroupManagedServiceAccounts:
+ - Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
+ Scope: {{ .Values.credential.domainJoinConfig.netBiosName }}
+ - Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
+ Scope: {{ .Values.credential.domainJoinConfig.dnsName }}
+ CmsPlugins:
+ - ActiveDirectory
+ DomainJoinConfig:
+ DnsName: {{ .Values.credential.domainJoinConfig.dnsName }}
+ DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }}
+ Guid: {{ .Values.credential.domainJoinConfig.guid }}
+ MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }}
+ NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }}
+ Sid: {{ .Values.credential.domainJoinConfig.sid }}
+{{- end -}}
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/deployment.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/deployment.yaml
new file mode 100644
index 000000000..9dc4d7fb5
--- /dev/null
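Review bot: Both `GroupManagedServiceAccounts` entries read `.Values.credential.domainJoinConfig.machineAccountNamename`, a key that values.yaml in this commit does not define, so `Name:` renders empty and the credspec names no account; the intended value is `machineAccountName`, which the same template already uses for `metadata.name` and `MachineAccountName`. `DnsTreeName` is filled from `dnsName` even though questions.yaml and values.yaml collect a separate `dnsTreeName`, so a forest whose root differs from the domain gets the wrong tree name. Change the three lines to `- Name: {{ .Values.credential.domainJoinConfig.machineAccountName }}` (both entries) and `DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsTreeName }}`. Since `guid`, `sid`, `dnsName` and `netBiosName` are user input that defaults to `""`, rendering them with `| quote` would keep an empty or indicator-leading value from being emitted as null or mis-parsed; the CRD schema types them as `string`.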
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ spec:
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Release.Name }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Release.Name }}
+ image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /health
+ port: 443
+ ports:
+ - containerPort: 443
+ {{- if .Values.securityContext }}
+ securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: tls
+ mountPath: "/etc/ssl/rancher-windows-gmsa-webhook"
+ readOnly: true
+ env:
+ - name: TLS_KEY
+ value: /etc/ssl/rancher-windows-gmsa-webhook/tls.key
+ - name: TLS_CRT
+ value: /etc/ssl/rancher-windows-gmsa-webhook/tls.crt
+ volumes:
+ - name: tls
+ secret:
+ secretName: {{ .Values.certificates.secretName }}
+ items:
+ - key: tls.key
+ path: tls.key
+ - key: tls.crt
+ path: tls.crt
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/issuer.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/issuer.yaml
new file mode 100644
index 000000000..d100da93b
--- /dev/null
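Review bot: The `seccomp.security.alpha.kubernetes.io/pod: runtime/default` annotation sits under the Deployment's own `metadata.annotations`, not under `spec.template.metadata`, so it is never copied to the pods and no seccomp profile is applied; the pod template in this hunk carries only `labels`. Either move it into the pod template (`template.metadata.annotations` with the same key and value) or, for the 1.21–1.24 range the chart targets, drop the alpha annotation and set `seccompProfile: { type: RuntimeDefault }` in `podSecurityContext` in values.yaml, which this template already renders. Separately, the container has a `readinessProbe` but no `livenessProbe`: once the process hangs, the endpoint is withdrawn and, with `failurePolicy: Fail` on both webhook configurations, pod creation stays blocked until someone restarts the pod; mirroring the readiness `httpGet` as a liveness probe lets the kubelet recover it.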
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/issuer.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.certificates.certManager.enabled -}}
+{{ template "cert-manager.apiversion" . }}
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ dnsNames:
+ - {{ .Release.Name }}.{{ .Release.Namespace }}.svc
+ - {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ .Release.Name }}
+ secretName: {{ .Values.certificates.secretName }}
+---
+{{ template "cert-manager.apiversion" . }}
+kind: Issuer
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ selfSigned: {}
+{{- end -}}
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/mutatingwebhook.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..321394565
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/mutatingwebhook.yaml
@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ .Release.Name }}
+ {{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+ {{- end }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+webhooks:
+ - name: admission-webhook.windows-gmsa.sigs.k8s.io
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}
+ namespace: {{.Release.Namespace}}
+ path: "/mutate"
+ {{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ template "certificates.cabundle" . }}
+ {{- end }}
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["*"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ # don't run on ${NAMESPACE}
+ namespaceSelector:
+ matchExpressions:
+ - key: gmsa-webhook
+ operator: NotIn
+ values: [disabled]
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/networkpolicy.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/networkpolicy.yaml
new file mode 100644
index 000000000..4d60f0915
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/networkpolicy.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/service.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/service.yaml
new file mode 100644
index 000000000..768f3f25d
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/service.yaml
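Review bot: Both webhook configurations combine `failurePolicy: Fail` with a `namespaceSelector` that only excludes namespaces labelled `gmsa-webhook=disabled`; the comment `# don't run on ${NAMESPACE}` refers to an upstream script placeholder that was never templated here, so the webhook's own namespace and `kube-system` are still intercepted. While the webhook pod is unavailable (first install, image pull, node loss) every pod creation in the cluster is rejected, including the webhook's own replacement pod, which is a self-inflicted outage rather than a security gain. Add a second `matchExpressions` entry, `- key: kubernetes.io/metadata.name` / `operator: NotIn` / `values: [kube-system, {{ .Release.Namespace }}]`, which relies on the namespace name label that is set automatically from 1.21, the chart's minimum, and replace the stale comment with one that says which namespaces are exempt and why. The same applies to validatingwebhook.yaml in this commit. The namespace reference on the `service:` line is written `{{.Release.Namespace}}` here and `{{ .Release.Namespace }}` everywhere else; pick one spacing.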
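Review bot: This NetworkPolicy (`podSelector: {}` with one empty `ingress` rule and one empty `egress` rule) is a blanket allow-all for every pod in `{{ .Release.Namespace }}`, not just the webhook; NetworkPolicies are additive, so it also cancels any default-deny policy an operator has placed on the namespace, and its fixed name `default-allow-all` will collide with or be mistaken for such a policy. The webhook only needs to accept TLS on 443 from the API server and to reach the API server itself, so scoping the selector to the webhook pod (labelled `app: {{ .Release.Name }}` in deployment.yaml) and limiting ingress to TCP/443 removes the namespace-wide allow; I have left egress open because the API-server CIDR differs per cluster and cannot be stated from this change. If the policy exists only to keep a Rancher-managed default-deny from breaking the webhook, a comment above `metadata:` saying so would tell the next reader why it is here at all.
```yaml
spec:
  podSelector:
    matchLabels:
      app: {{ .Release.Name }}
  ingress:
    - ports:
        - port: 443
          protocol: TCP
  # … unchanged: egress and policyTypes …
```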
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: {{ .Release.Name }}
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/serviceaccount.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/serviceaccount.yaml
new file mode 100644
index 000000000..d4bfa87c0
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+# the service account for the webhook
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/validate-install-crd.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..3f1ad6df7
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/validate-install-crd.yaml
@@ -0,0 +1,14 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "windows.k8s.io/v1alpha1/GMSACredentialSpec" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-windows-gmsa/3.0.0/templates/validatingwebhook.yaml b/charts/rancher-windows-gmsa/3.0.0/templates/validatingwebhook.yaml
new file mode 100644
index 000000000..e13c5b33b
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/templates/validatingwebhook.yaml
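Review bot: Every line of validate-install-crd.yaml is commented out with a leading `#`, so the CRD presence check it contains never runs and the only signal a user gets for a missing `rancher-windows-gmsa-crd` install is the apply failure of credentialspec.yaml, or nothing at all when `credential.enabled` is false; package.yaml in this commit sets `addCRDValidationToMainChart: true`, so presumably the check is meant to be active. If it is re-enabled, the key it looks for, `windows.k8s.io/v1alpha1/GMSACredentialSpec`, should become `windows.k8s.io/v1/GMSACredentialSpec`, the version the chart itself writes and declares in `catalog.cattle.io/provides-gvr`; if it is deliberately disabled, a one-line comment at the top saying why would save the next reader the investigation. The file also lacks a trailing newline.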
@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ .Release.Name }}
+ {{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
+ {{- end }}
+ labels: {{ include "gmsa.chartref" . | nindent 4 }}
+webhooks:
+ - name: admission-webhook.windows-gmsa.sigs.k8s.io
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ path: "/validate"
+ {{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ template "certificates.cabundle" . }}
+ {{- end }}
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: [""]
+ apiVersions: ["*"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ # don't run on ${NAMESPACE}
+ namespaceSelector:
+ matchExpressions:
+ - key: gmsa-webhook
+ operator: NotIn
+ values: [disabled]
+
diff --git a/charts/rancher-windows-gmsa/3.0.0/values.yaml b/charts/rancher-windows-gmsa/3.0.0/values.yaml
new file mode 100644
index 000000000..f7ea06ba0
--- /dev/null
+++ b/charts/rancher-windows-gmsa/3.0.0/values.yaml
@@ -0,0 +1,42 @@
+certificates:
+ certManager:
+ # Enable cert manager integration. Cert manager should be already installed at the k8s cluster
+ enabled: true
+ version: ""
+ # If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
+ secretName: gmsa-server-cert
+
+credential:
+ enabled: true
+ domainJoinConfig:
+ dnsName: "" #DNS Domain Name
+ dnsTreeName: "" #DNS Domain Name Root
+ guid: "" #GUID
+ machineAccountName: "" #Username of the GMSA account
+ netBiosName: "" #NETBIOS Domain Name
+ sid: "" #SID of GMSA
+
+image:
+ repository: rancher/mirrored-sigwindowstools-k8s-gmsa-webhook
+ tag: v0.3.0
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.22.6
+ pullPolicy: IfNotPresent
+
+## SecurityContext holds pod-level security attributes and common container settings.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+podSecurityContext:
+ runAsNonRoot: false
+ # Currently, required to run as root due to port binding within the container.
+ runAsUser: 0
+securityContext: {}
+
+tolerations: []
+
diff --git a/index.yaml b/index.yaml
index 9c368efa6..0577b0821 100755
--- a/index.yaml
+++ b/index.yaml
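Review bot: The container `securityContext` defaults to `{}` and the pod runs as uid 0 (`runAsUser: 0`, justified in the comment by the port-443 bind), which leaves the admission webhook — a process that sees every pod spec in the cluster and holds the serving TLS key — with the full root capability set and privilege escalation allowed. Binding a privileged port needs only `NET_BIND_SERVICE`, so the defaults below keep uid 0 while dropping everything else and pinning the default seccomp profile; `readOnlyRootFilesystem: true` is left out because this change does not show whether the image writes to its filesystem, so it should be tried before being made a default. Separately, `global.kubectl` (`repository`, `tag`, `pullPolicy`) is not referenced by any template in this commit, so either a file outside this diff consumes it or it is dead configuration that deserves a comment or removal.
```yaml
podSecurityContext:
  runAsNonRoot: false
  # Currently, required to run as root due to port binding within the container.
  runAsUser: 0
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
```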
@@ -15776,6 +15776,39 @@ entries: - assets/rancher-windows-exporter/rancher-windows-exporter-0.1.000.tgz version: 0.1.000 rancher-windows-gmsa: + - annotations: + catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Windows GMSA + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.24.0-0' + catalog.cattle.io/namespace: cattle-windows-gmsa-system + catalog.cattle.io/os: windows + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-windows-gmsa + apiVersion: v2 + appVersion: 0.3.0 + created: "2023-09-21T11:38:26.167179-07:00" + description: Windows GMSA Configuration + digest: 5e04fb626c5546bc5afdba5770e767b53a4eaea2c04f847748dbba46a656589a + icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg + keywords: + - Windows + - Windows GMSA + - GMSA + - Active Directory + maintainers: + - email: jamie.phillips@suse.com + name: Rancher + name: rancher-windows-gmsa + sources: + - https://github.com/kubernetes-sigs/windows-gmsa + type: application + urls: + - assets/rancher-windows-gmsa/rancher-windows-gmsa-3.0.0.tgz + version: 3.0.0 - annotations: catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match catalog.cattle.io/certified: rancher 
@@ -15843,6 +15876,20 @@ entries: - assets/rancher-windows-gmsa/rancher-windows-gmsa-1.0.0.tgz version: 1.0.0 rancher-windows-gmsa-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-windows-gmsa-system + catalog.cattle.io/release-name: rancher-windows-gmsa-crd + apiVersion: v1 + created: "2023-09-21T11:38:26.168407-07:00" + description: Installs the CRDs for Windows GMSA. + digest: bae5dee0ade0816af85f0ba2d987d087bc0b6835db827d4709bb5492f13ea9a2 + name: rancher-windows-gmsa-crd + type: application + urls: + - assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-3.0.0.tgz + version: 3.0.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/packages/rancher-windows-gmsa/package.yaml b/packages/rancher-windows-gmsa/package.yaml index 05dd818f4..701bd3dc7 100644 --- a/packages/rancher-windows-gmsa/package.yaml +++ b/packages/rancher-windows-gmsa/package.yaml @@ -1,9 +1,8 @@ url: local -version: 2.0.0 +version: 3.0.0 additionalCharts: - workingDir: charts-crd crdOptions: templateDirectory: crd-template crdDirectory: templates addCRDValidationToMainChart: true -doNotRelease: true diff --git a/release.yaml b/release.yaml index 0db878d25..4a79009d4 100644 --- a/release.yaml +++ b/release.yaml @@ -78,3 +78,7 @@ rancher-logging: - 103.0.0+up3.17.10 rancher-logging-crd: - 103.0.0+up3.17.10 +rancher-windows-gmsa: + - 3.0.0 +rancher-windows-gmsa-crd: + - 3.0.0