andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Introduce Rancher Windows GMSA chart. 

Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
pull/1701/head
Jamie Phillips 2022-02-11 08:39:34 -05:00
parent caea7ddb57
commit 7875d86a03
No known key found for this signature in database
GPG Key ID: 31AB238C25E18826
19 changed files with 573 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
assets/logos/windows-gmsa.svg Normal file
View File

@ -0,0 +1 @@
<svg id="ada1a734-f5a0-4f30-8c41-a30875acb17e" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18"><defs><linearGradient id="f92ae47d-0835-4bac-a4f5-649f41e19a24" x1="13.25" y1="13.06" x2="8.62" y2="4.29" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#1988d9" /><stop offset="0.9" stop-color="#54aef0" /></linearGradient><linearGradient id="f418fd20-54c9-41f7-a889-8b791ff60efa" x1="11.26" y1="10.51" x2="14.46" y2="16.03" gradientUnits="userSpaceOnUse"><stop offset="0.1" stop-color="#54aef0" /><stop offset="0.29" stop-color="#4fabee" /><stop offset="0.51" stop-color="#41a2e9" /><stop offset="0.74" stop-color="#2a93e0" /><stop offset="0.88" stop-color="#1988d9" /></linearGradient></defs><title>Icon-identity-222</title><polygon points="1.01 10.23 8.93 15.37 16.99 10.21 18 11.38 8.93 17.23 0 11.39 1.01 10.23" fill="#50e6ff" /><polygon points="1.61 9.57 8.93 0.85 16.4 9.58 8.93 14.3 1.61 9.57" fill="#fff" /><polygon points="8.93 0.85 8.93 14.3 1.61 9.57 8.93 0.85" fill="#50e6ff" /><polygon points="8.93 0.85 8.93 14.3 16.4 9.58 8.93 0.85" fill="url(#f92ae47d-0835-4bac-a4f5-649f41e19a24)" /><polygon points="8.93 7.8 16.4 9.58 8.93 14.3 8.93 7.8" fill="#53b1e0" /><polygon points="8.93 14.3 1.61 9.57 8.93 7.8 8.93 14.3" fill="#9cebff" /><polygon points="8.93 17.23 18 11.38 16.99 10.21 8.93 15.37 8.93 17.23" fill="url(#f418fd20-54c9-41f7-a889-8b791ff60efa)" /><polygon points="13.53 9.04 9.06 15.3 13.53 17.12 18 15.3 13.53 9.04" fill="#773adc" /><polygon points="13.53 9.04 9.06 15.3 13.53 17.12 13.53 9.04" fill="#f9f9f9" opacity="0.5" /></svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

28
packages/rancher-windows-gmsa/charts/Chart.yaml Normal file
View File

@ -0,0 +1,28 @@
annotations:
catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Windows GMSA
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>= 1.21.0-0'
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/os: windows
catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1
catalog.cattle.io/rancher-version: '>= 2.6.4-0 < 2.6.99-0'
catalog.cattle.io/release-name: rancher-windows-gmsa
apiVersion: v2
appVersion: 0.3.0
description: Windows GMSA Configuration
icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
maintainers:
- email: jamie.phillips@suse.com
name: Rancher
name: rancher-windows-gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
version: 1.0.0

9
packages/rancher-windows-gmsa/charts/app-readme.md Normal file
View File

@ -0,0 +1,9 @@
# Windows GMSA Admission Webhook
This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).
## Prerequisites
- Active Directory that supports Group Managed Service Accounts
- A Group Managed Service Account
- Kubernetes v1.21+

119
packages/rancher-windows-gmsa/charts/crds/crds.yaml Executable file
View File

@ -0,0 +1,119 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: gmsacredentialspecs.windows.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
spec:
group: windows.k8s.io
versions:
- name: v1alpha1
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
conversion:
strategy: None
names:
kind: GMSACredentialSpec
plural: gmsacredentialspecs
scope: Cluster

53
packages/rancher-windows-gmsa/charts/questions.yaml Normal file
View File

@ -0,0 +1,53 @@
questions:
- variable: credential.enabled
default: true
description: Whether to create a GMSA Credential when installing GMSA Webhook
label: Whether to create a GMSA Credential
type: boolean
group: "Credential Spec"
show_subquestion_if: true
subquestions:
- variable: credential.domainJoinConfig.machineAccountName
label: GMSA Account Name
description: Username of the GMSA account
type: string
required: true
- variable: credential.domainJoinConfig.guid
label: GUID
description: GUID of the Service Account
type: string
required: true
- variable: credential.domainJoinConfig.sid
label: SID
description: SID of the GMSA Account
type: string
required: true
- variable: credential.domainJoinConfig.dnsName
label: DNS Domain Name
description: Name of the domain in DNS
type: string
required: true
- variable: credential.domainJoinConfig.dnsTreeName
label: DNS Tree Domain
description: Root name of the domain in DNS
type: string
required: true
- variable: credential.domainJoinConfig.netBiosName
label: NETBIOS Name
description: NETBIOS Name for the domain.
type: string
required: true
- variable: certificates.certManager.enabled
default: true
description: Use cert-manager to generate certificates for the webhook
label: Generate certificate through cert-manager
type: boolean
group: "Certificates"
show_subquestion_if: false
subquestions:
- variable: certificates.secretName
default: webhook-server-cert
description: Mount a CA Bundle from an existing Secret in the same namespace as the GMSA webhook. Secret must contain keys for the CA certificate (ca.crt), the TLS certificate (tls.crt), and the TLS private key (tls.key) to be used by the webhook.
label: CA Bundle From Existing Secret
type: string
required: true

48
packages/rancher-windows-gmsa/charts/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,48 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/* Create chart name and version as used by the chart label. */}}
{{- define "gmsa.chartref" -}}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- end }}
{{/* Determine apiVersion for cert-manager */}}
{{- define "cert-manager.apiversion" -}}
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
{{- end }}
{{- define "certificates.cabundle"}}
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
{{- if lt (len $secret) 1 -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- else -}}
{{- if not (hasKey $secret "data") -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- end -}}
{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
{{- end -}}
{{- end -}}
{{- get $secret.data "ca.crt" }}
{{- else -}}
INSERT_CERTIFICATE_FROM_SECRET
{{- end -}}
{{- end }}

16
packages/rancher-windows-gmsa/charts/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,16 @@
# the RBAC role that the webhook needs to:
# * read GMSA custom resources
# * check authorizations to use GMSA cred specs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
rules:
- apiGroups: ["windows.k8s.io"]
resources: ["gmsacredentialspecs"]
verbs: ["get", "use"]
- apiGroups: ["authorization.k8s.io"]
resources: ["localsubjectaccessreviews"]
verbs: ["create"]

15
packages/rancher-windows-gmsa/charts/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,15 @@
# bind that role to the webhook's service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}
apiGroup: rbac.authorization.k8s.io

24
packages/rancher-windows-gmsa/charts/templates/credentialspec.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.credential.enabled -}}
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
name: {{ .Values.credential.domainJoinConfig.machineAccountName | lower }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
credspec:
ActiveDirectoryConfig:
GroupManagedServiceAccounts:
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }}
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
Scope: {{ .Values.credential.domainJoinConfig.dnsName }}
CmsPlugins:
- ActiveDirectory
DomainJoinConfig:
DnsName: {{ .Values.credential.domainJoinConfig.dnsName }}
DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }}
Guid: {{ .Values.credential.domainJoinConfig.guid }}
MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }}
NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }}
Sid: {{ .Values.credential.domainJoinConfig.sid }}
{{- end -}}

68
packages/rancher-windows-gmsa/charts/templates/deployment.yaml Normal file
View File

@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
{{- if .Values.podSecurityContext }}
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Release.Name }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Release.Name }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
readinessProbe:
httpGet:
scheme: HTTPS
path: /health
port: 443
ports:
- containerPort: 443
{{- if .Values.securityContext }}
securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
{{- end }}
volumeMounts:
- name: tls
mountPath: "/etc/ssl/rancher-windows-gmsa-webhook"
readOnly: true
env:
- name: TLS_KEY
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.key
- name: TLS_CRT
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.crt
volumes:
- name: tls
secret:
secretName: {{ .Values.certificates.secretName }}
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt

26
packages/rancher-windows-gmsa/charts/templates/issuer.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.certificates.certManager.enabled -}}
{{ template "cert-manager.apiversion" . }}
kind: Certificate
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
dnsNames:
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ .Release.Name }}
secretName: {{ .Values.certificates.secretName }}
---
{{ template "cert-manager.apiversion" . }}
kind: Issuer
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
selfSigned: {}
{{- end -}}

34
packages/rancher-windows-gmsa/charts/templates/mutatingwebhook.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ .Release.Name }}
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
{{- end }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
webhooks:
- name: admission-webhook.windows-gmsa.sigs.k8s.io
clientConfig:
service:
name: {{ .Release.Name }}
namespace: {{.Release.Namespace}}
path: "/mutate"
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ template "certificates.cabundle" . }}
{{- end }}
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["*"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
# don't run on ${NAMESPACE}
namespaceSelector:
matchExpressions:
- key: gmsa-webhook
operator: NotIn
values: [disabled]

16
packages/rancher-windows-gmsa/charts/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress

13
packages/rancher-windows-gmsa/charts/templates/service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
ports:
- port: 443
targetPort: 443
selector:
app: {{ .Release.Name }}

8
packages/rancher-windows-gmsa/charts/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,8 @@
# the service account for the webhook
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}

34
packages/rancher-windows-gmsa/charts/templates/validatingwebhook.yaml Executable file
View File

@ -0,0 +1,34 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ .Release.Name }}
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
{{- end }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
webhooks:
- name: admission-webhook.windows-gmsa.sigs.k8s.io
clientConfig:
service:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
path: "/validate"
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ template "certificates.cabundle" . }}
{{- end }}
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["*"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
# don't run on ${NAMESPACE}
namespaceSelector:
matchExpressions:
- key: gmsa-webhook
operator: NotIn
values: [disabled]

42
packages/rancher-windows-gmsa/charts/values.yaml Normal file
View File

@ -0,0 +1,42 @@
certificates:
certManager:
# Enable cert manager integration. Cert manager should be already installed at the k8s cluster
enabled: true
version: ""
# If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
secretName: gmsa-server-cert
credential:
enabled: true
domainJoinConfig:
dnsName: "" #DNS Domain Name
dnsTreeName: "" #DNS Domain Name Root
guid: "" #GUID
machineAccountName: "" #Username of the GMSA account
netBiosName: "" #NETBIOS Domain Name
sid: "" #SID of GMSA
image:
repository: rancher/mirrored-sigwindowstools-k8s-gmsa-webhook
tag: v0.3.0
imagePullPolicy: IfNotPresent
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v1.22.6
pullPolicy: IfNotPresent
## SecurityContext holds pod-level security attributes and common container settings.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
podSecurityContext:
runAsNonRoot: false
# Currently, required to run as root due to port binding within the container.
runAsUser: 0
securityContext: {}
tolerations: []

9
packages/rancher-windows-gmsa/package.yaml Normal file
View File

@ -0,0 +1,9 @@
url: local
version: 1.0.0
additionalCharts:
- workingDir: charts-crd
crdOptions:
templateDirectory: crd-template
crdDirectory: templates
addCRDValidationToMainChart: true

10
packages/rancher-windows-gmsa/templates/crd-template/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
version: 1.0.0
description: Installs the CRDs for Windows GMSA.
name: rancher-windows-gmsa-crd
type: application
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/release-name: rancher-windows-gmsa-crd