mirror of https://git.rancher.io/charts
Introduce Rancher Windows GMSA chart.
Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
pull/1701/head
parent
caea7ddb57
commit
7875d86a03
@ -0,0 +1 @@
|
||||||
|
<svg id="ada1a734-f5a0-4f30-8c41-a30875acb17e" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18"><defs><linearGradient id="f92ae47d-0835-4bac-a4f5-649f41e19a24" x1="13.25" y1="13.06" x2="8.62" y2="4.29" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#1988d9" /><stop offset="0.9" stop-color="#54aef0" /></linearGradient><linearGradient id="f418fd20-54c9-41f7-a889-8b791ff60efa" x1="11.26" y1="10.51" x2="14.46" y2="16.03" gradientUnits="userSpaceOnUse"><stop offset="0.1" stop-color="#54aef0" /><stop offset="0.29" stop-color="#4fabee" /><stop offset="0.51" stop-color="#41a2e9" /><stop offset="0.74" stop-color="#2a93e0" /><stop offset="0.88" stop-color="#1988d9" /></linearGradient></defs><title>Icon-identity-222</title><polygon points="1.01 10.23 8.93 15.37 16.99 10.21 18 11.38 8.93 17.23 0 11.39 1.01 10.23" fill="#50e6ff" /><polygon points="1.61 9.57 8.93 0.85 16.4 9.58 8.93 14.3 1.61 9.57" fill="#fff" /><polygon points="8.93 0.85 8.93 14.3 1.61 9.57 8.93 0.85" fill="#50e6ff" /><polygon points="8.93 0.85 8.93 14.3 16.4 9.58 8.93 0.85" fill="url(#f92ae47d-0835-4bac-a4f5-649f41e19a24)" /><polygon points="8.93 7.8 16.4 9.58 8.93 14.3 8.93 7.8" fill="#53b1e0" /><polygon points="8.93 14.3 1.61 9.57 8.93 7.8 8.93 14.3" fill="#9cebff" /><polygon points="8.93 17.23 18 11.38 16.99 10.21 8.93 15.37 8.93 17.23" fill="url(#f418fd20-54c9-41f7-a889-8b791ff60efa)" /><polygon points="13.53 9.04 9.06 15.3 13.53 17.12 18 15.3 13.53 9.04" fill="#773adc" /><polygon points="13.53 9.04 9.06 15.3 13.53 17.12 13.53 9.04" fill="#f9f9f9" opacity="0.5" /></svg>
|
|
@ -0,0 +1,28 @@
|
||||||
|
annotations:
|
||||||
|
catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
|
||||||
|
catalog.cattle.io/certified: rancher
|
||||||
|
catalog.cattle.io/display-name: Windows GMSA
|
||||||
|
catalog.cattle.io/experimental: "true"
|
||||||
|
catalog.cattle.io/kube-version: '>= 1.21.0-0'
|
||||||
|
catalog.cattle.io/namespace: cattle-windows-gmsa-system
|
||||||
|
catalog.cattle.io/os: windows
|
||||||
|
catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1
|
||||||
|
catalog.cattle.io/rancher-version: '>= 2.6.4-0 < 2.6.99-0'
|
||||||
|
catalog.cattle.io/release-name: rancher-windows-gmsa
|
||||||
|
apiVersion: v2
|
||||||
|
appVersion: 0.3.0
|
||||||
|
description: Windows GMSA Configuration
|
||||||
|
icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg
|
||||||
|
keywords:
|
||||||
|
- Windows
|
||||||
|
- Windows GMSA
|
||||||
|
- GMSA
|
||||||
|
- Active Directory
|
||||||
|
maintainers:
|
||||||
|
- email: jamie.phillips@suse.com
|
||||||
|
name: Rancher
|
||||||
|
name: rancher-windows-gmsa
|
||||||
|
sources:
|
||||||
|
- https://github.com/kubernetes-sigs/windows-gmsa
|
||||||
|
type: application
|
||||||
|
version: 1.0.0
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Windows GMSA Admission Webhook
|
||||||
|
|
||||||
|
This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- Active Directory that supports Group Managed Service Accounts
|
||||||
|
- A Group Managed Service Account
|
||||||
|
- Kubernetes v1.21+
|
|
@ -0,0 +1,119 @@
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: gmsacredentialspecs.windows.k8s.io
|
||||||
|
annotations:
|
||||||
|
"api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
|
||||||
|
spec:
|
||||||
|
group: windows.k8s.io
|
||||||
|
versions:
|
||||||
|
- name: v1alpha1
|
||||||
|
served: true
|
||||||
|
storage: false
|
||||||
|
deprecated: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
credspec:
|
||||||
|
description: GMSA Credential Spec
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
ActiveDirectoryConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
GroupManagedServiceAccounts:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
Name:
|
||||||
|
type: string
|
||||||
|
Scope:
|
||||||
|
type: string
|
||||||
|
HostAccountConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
PluginGUID:
|
||||||
|
type: string
|
||||||
|
PluginInput:
|
||||||
|
type: string
|
||||||
|
PortableCcgVersion:
|
||||||
|
type: string
|
||||||
|
CmsPlugins:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
DomainJoinConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
DnsName:
|
||||||
|
type: string
|
||||||
|
DnsTreeName:
|
||||||
|
type: string
|
||||||
|
Guid:
|
||||||
|
type: string
|
||||||
|
MachineAccountName:
|
||||||
|
type: string
|
||||||
|
NetBiosName:
|
||||||
|
type: string
|
||||||
|
Sid:
|
||||||
|
type: string
|
||||||
|
- name: v1
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
credspec:
|
||||||
|
description: GMSA Credential Spec
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
ActiveDirectoryConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
GroupManagedServiceAccounts:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
Name:
|
||||||
|
type: string
|
||||||
|
Scope:
|
||||||
|
type: string
|
||||||
|
HostAccountConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
PluginGUID:
|
||||||
|
type: string
|
||||||
|
PluginInput:
|
||||||
|
type: string
|
||||||
|
PortableCcgVersion:
|
||||||
|
type: string
|
||||||
|
CmsPlugins:
|
||||||
|
type: array
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
DomainJoinConfig:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
DnsName:
|
||||||
|
type: string
|
||||||
|
DnsTreeName:
|
||||||
|
type: string
|
||||||
|
Guid:
|
||||||
|
type: string
|
||||||
|
MachineAccountName:
|
||||||
|
type: string
|
||||||
|
NetBiosName:
|
||||||
|
type: string
|
||||||
|
Sid:
|
||||||
|
type: string
|
||||||
|
conversion:
|
||||||
|
strategy: None
|
||||||
|
names:
|
||||||
|
kind: GMSACredentialSpec
|
||||||
|
plural: gmsacredentialspecs
|
||||||
|
scope: Cluster
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
questions:
|
||||||
|
- variable: credential.enabled
|
||||||
|
default: true
|
||||||
|
description: Whether to create a GMSA Credential when installing GMSA Webhook
|
||||||
|
label: Whether to create a GMSA Credential
|
||||||
|
type: boolean
|
||||||
|
group: "Credential Spec"
|
||||||
|
show_subquestion_if: true
|
||||||
|
subquestions:
|
||||||
|
- variable: credential.domainJoinConfig.machineAccountName
|
||||||
|
label: GMSA Account Name
|
||||||
|
description: Username of the GMSA account
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: credential.domainJoinConfig.guid
|
||||||
|
label: GUID
|
||||||
|
description: GUID of the Service Account
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: credential.domainJoinConfig.sid
|
||||||
|
label: SID
|
||||||
|
description: SID of the GMSA Account
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: credential.domainJoinConfig.dnsName
|
||||||
|
label: DNS Domain Name
|
||||||
|
description: Name of the domain in DNS
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: credential.domainJoinConfig.dnsTreeName
|
||||||
|
label: DNS Tree Domain
|
||||||
|
description: Root name of the domain in DNS
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: credential.domainJoinConfig.netBiosName
|
||||||
|
label: NETBIOS Name
|
||||||
|
description: NETBIOS Name for the domain.
|
||||||
|
type: string
|
||||||
|
required: true
|
||||||
|
- variable: certificates.certManager.enabled
|
||||||
|
default: true
|
||||||
|
description: Use cert-manager to generate certificates for the webhook
|
||||||
|
label: Generate certificate through cert-manager
|
||||||
|
type: boolean
|
||||||
|
group: "Certificates"
|
||||||
|
show_subquestion_if: false
|
||||||
|
subquestions:
|
||||||
|
- variable: certificates.secretName
|
||||||
|
default: webhook-server-cert
|
||||||
|
description: Mount a CA Bundle from an existing Secret in the same namespace as the GMSA webhook. Secret must contain keys for the CA certificate (ca.crt), the TLS certificate (tls.crt), and the TLS private key (tls.key) to be used by the webhook.
|
||||||
|
label: CA Bundle From Existing Secret
|
||||||
|
type: string
|
||||||
|
required: true
|
|
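Review bot: The subquestion default for `certificates.secretName` (`default: webhook-server-cert`) disagrees with the chart's values.yaml in this same commit, which sets `secretName: gmsa-server-cert`; a Rancher UI install without cert-manager therefore mounts a different Secret name than a plain `helm install`, and the webhook pod will not start if the pre-created Secret uses the other name. Align the two, e.g. `default: gmsa-server-cert`. The description also calls the Secret a "CA Bundle" while requiring `tls.key`; wording such as `description: Existing Secret in the release namespace holding ca.crt, tls.crt and tls.key for the webhook` states the contract more directly.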
@ -0,0 +1,48 @@
|
||||||
|
# Rancher
|
||||||
|
|
||||||
|
{{- define "system_default_registry" -}}
|
||||||
|
{{- if .Values.global.cattle.systemDefaultRegistry -}}
|
||||||
|
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/* Create chart name and version as used by the chart label. */}}
|
||||||
|
{{- define "gmsa.chartref" -}}
|
||||||
|
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* Determine apiVersion for cert-manager */}}
|
||||||
|
{{- define "cert-manager.apiversion" -}}
|
||||||
|
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
|
||||||
|
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
|
||||||
|
apiVersion: cert-manager.io/v1beta1
|
||||||
|
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
|
||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
|
||||||
|
apiVersion: cert-manager.io/v1alpha1
|
||||||
|
{{- else }}
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "certificates.cabundle"}}
|
||||||
|
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
|
||||||
|
{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
|
||||||
|
{{- if lt (len $secret) 1 -}}
|
||||||
|
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- if not (hasKey $secret "data") -}}
|
||||||
|
{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
|
||||||
|
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- get $secret.data "ca.crt" }}
|
||||||
|
{{- else -}}
|
||||||
|
INSERT_CERTIFICATE_FROM_SECRET
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
|
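Review bot: The third `required` message in `certificates.cabundle` interpolates `$secret.data` with `%s`, which prints the whole data map of the TLS Secret — including the base64 `tls.key` when it is present — into Helm's error output and into any CI log that captures it; print only the key names instead, e.g. `(keys $secret.data)`. The same message names `tls.cert` while the check on the line above looks for `tls.crt`. In `cert-manager.apiversion`, the branch that detects `certmanager.k8s.io/v1alpha1` emits `apiVersion: cert-manager.io/v1alpha1`, a group/version the legacy API never had; it should emit `certmanager.k8s.io/v1alpha1` or be dropped. Finally, when `lookup` returns nothing (e.g. under `helm template`), the helper silently emits the literal `INSERT_CERTIFICATE_FROM_SECRET` as the caBundle, which is presumably intended as an offline-rendering placeholder but will be rejected by the API server if applied as-is — a comment saying so on that line would save the next reader a surprise.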
@ -0,0 +1,16 @@
|
||||||
|
# the RBAC role that the webhook needs to:
|
||||||
|
# * read GMSA custom resources
|
||||||
|
# * check authorizations to use GMSA cred specs
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["windows.k8s.io"]
|
||||||
|
resources: ["gmsacredentialspecs"]
|
||||||
|
verbs: ["get", "use"]
|
||||||
|
- apiGroups: ["authorization.k8s.io"]
|
||||||
|
resources: ["localsubjectaccessreviews"]
|
||||||
|
verbs: ["create"]
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# bind that role to the webhook's service account
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
{{- if .Values.credential.enabled -}}
|
||||||
|
apiVersion: windows.k8s.io/v1
|
||||||
|
kind: GMSACredentialSpec
|
||||||
|
metadata:
|
||||||
|
name: {{ .Values.credential.domainJoinConfig.machineAccountName | lower }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
credspec:
|
||||||
|
ActiveDirectoryConfig:
|
||||||
|
GroupManagedServiceAccounts:
|
||||||
|
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
|
||||||
|
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }}
|
||||||
|
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
|
||||||
|
Scope: {{ .Values.credential.domainJoinConfig.dnsName }}
|
||||||
|
CmsPlugins:
|
||||||
|
- ActiveDirectory
|
||||||
|
DomainJoinConfig:
|
||||||
|
DnsName: {{ .Values.credential.domainJoinConfig.dnsName }}
|
||||||
|
DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }}
|
||||||
|
Guid: {{ .Values.credential.domainJoinConfig.guid }}
|
||||||
|
MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }}
|
||||||
|
NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }}
|
||||||
|
Sid: {{ .Values.credential.domainJoinConfig.sid }}
|
||||||
|
{{- end -}}
|
||||||
|
|
|
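Review bot: Both `GroupManagedServiceAccounts` entries read `.Values.credential.domainJoinConfig.machineAccountNamename`, a key that values.yaml does not define (it has `machineAccountName`), so `Name:` renders empty in the generated GMSACredentialSpec; change both lines to `- Name: {{ .Values.credential.domainJoinConfig.machineAccountName }}`. `DnsTreeName:` is likewise filled from `dnsName` rather than the `dnsTreeName` value that values.yaml and questions.yaml collect: `DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsTreeName }}`. Because these scalars come straight from chart input, consider quoting them (`"{{ .Values.… }}"`) so a value that looks like a number or boolean, or contains `: `, cannot change the YAML type or break the document.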
@ -0,0 +1,68 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/pod: runtime/default
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: {{ .Release.Name }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
{{- if .Values.podSecurityContext }}
|
||||||
|
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ .Release.Name }}
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/os
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- linux
|
||||||
|
{{- with .Values.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ .Release.Name }}
|
||||||
|
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||||
|
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
scheme: HTTPS
|
||||||
|
path: /health
|
||||||
|
port: 443
|
||||||
|
ports:
|
||||||
|
- containerPort: 443
|
||||||
|
{{- if .Values.securityContext }}
|
||||||
|
securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: tls
|
||||||
|
mountPath: "/etc/ssl/rancher-windows-gmsa-webhook"
|
||||||
|
readOnly: true
|
||||||
|
env:
|
||||||
|
- name: TLS_KEY
|
||||||
|
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.key
|
||||||
|
- name: TLS_CRT
|
||||||
|
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.crt
|
||||||
|
volumes:
|
||||||
|
- name: tls
|
||||||
|
secret:
|
||||||
|
secretName: {{ .Values.certificates.secretName }}
|
||||||
|
items:
|
||||||
|
- key: tls.key
|
||||||
|
path: tls.key
|
||||||
|
- key: tls.crt
|
||||||
|
path: tls.crt
|
||||||
|
|
|
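Review bot: The pod is annotated with `seccomp.security.alpha.kubernetes.io/pod: runtime/default`, an annotation deprecated since Kubernetes 1.19 and removed in 1.25, while Chart.yaml sets `catalog.cattle.io/kube-version: '>= 1.21.0-0'`; on the newer end of that range the annotation is ignored and the pod runs with no seccomp profile at all. Set it in the pod spec instead, e.g. in values.yaml's `podSecurityContext` add `seccompProfile:` / `  type: RuntimeDefault` (or render it directly in the template). With `podSecurityContext` defaulting to `runAsUser: 0` and `securityContext: {}`, the container also gets no `allowPrivilegeEscalation: false`, no capability drop and no `readOnlyRootFilesystem`; if root is only needed to bind port 443, adding `NET_BIND_SERVICE` is a narrower alternative — worth confirming against the upstream image. The container also has no `resources` requests or limits.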
@ -0,0 +1,26 @@
|
||||||
|
{{- if .Values.certificates.certManager.enabled -}}
|
||||||
|
{{ template "cert-manager.apiversion" . }}
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
dnsNames:
|
||||||
|
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc
|
||||||
|
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
|
||||||
|
issuerRef:
|
||||||
|
kind: Issuer
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
secretName: {{ .Values.certificates.secretName }}
|
||||||
|
---
|
||||||
|
{{ template "cert-manager.apiversion" . }}
|
||||||
|
kind: Issuer
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
selfSigned: {}
|
||||||
|
{{- end -}}
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
{{- if .Values.certificates.certManager.enabled }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
webhooks:
|
||||||
|
- name: admission-webhook.windows-gmsa.sigs.k8s.io
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{.Release.Namespace}}
|
||||||
|
path: "/mutate"
|
||||||
|
{{- if not (.Values.certificates.certManager.enabled) }}
|
||||||
|
caBundle: {{ template "certificates.cabundle" . }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- operations: ["CREATE"]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["*"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1", "v1beta1"]
|
||||||
|
sideEffects: None
|
||||||
|
# don't run on ${NAMESPACE}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: gmsa-webhook
|
||||||
|
operator: NotIn
|
||||||
|
values: [disabled]
|
||||||
|
|
|
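Review bot: The comment `# don't run on ${NAMESPACE}` does not match the selector under it: the namespaceSelector only excludes namespaces labelled `gmsa-webhook=disabled`, and nothing in this chart applies that label to `{{ .Release.Namespace }}` or to kube-system. Combined with `failurePolicy: Fail` and a rule matching every pod CREATE, the webhook's own replacement pod (and every other pod in the cluster) is blocked whenever the webhook is unavailable, so a crashed webhook cannot be rescheduled without manual intervention. Either label the release namespace in the chart (and document that operators should label kube-system), or add a second expression such as `- key: kubernetes.io/metadata.name` / `operator: NotIn` / `values: [{{ .Release.Namespace }}, kube-system]` — that label is set by the API server from 1.21 on, matching the chart's kube-version floor. The same applies to the ValidatingWebhookConfiguration in this commit. Minor: `{{.Release.Namespace}}` on the service line lacks the spaces used everywhere else in the chart.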
@ -0,0 +1,16 @@
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: default-allow-all
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
podSelector: {}
|
||||||
|
ingress:
|
||||||
|
- {}
|
||||||
|
egress:
|
||||||
|
- {}
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
|
|
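Review bot: `default-allow-all` uses `podSelector: {}` with empty ingress and egress rules, so it grants unrestricted ingress and egress to every pod in the release namespace, not just the webhook; in a cluster that relies on a default-deny policy this silently reopens the whole namespace. If the intent is only to make sure the API server can reach the webhook, scope it to the webhook pod and its port, e.g. `podSelector:` / `  matchLabels:` / `    app: {{ .Release.Name }}` with an ingress rule limited to `port: 443`, and keep egress to what the webhook needs (the API server, for the localsubjectaccessreviews the ClusterRole grants). Once scoped, a name such as `{{ .Release.Name }}-allow-apiserver` describes the policy better than `default-allow-all`.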
@ -0,0 +1,13 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- port: 443
|
||||||
|
targetPort: 443
|
||||||
|
selector:
|
||||||
|
app: {{ .Release.Name }}
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
# the service account for the webhook
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
{{- if .Values.certificates.certManager.enabled }}
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
|
labels: {{ include "gmsa.chartref" . | nindent 4 }}
|
||||||
|
webhooks:
|
||||||
|
- name: admission-webhook.windows-gmsa.sigs.k8s.io
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: {{ .Release.Name }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/validate"
|
||||||
|
{{- if not (.Values.certificates.certManager.enabled) }}
|
||||||
|
caBundle: {{ template "certificates.cabundle" . }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
- operations: ["CREATE", "UPDATE"]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["*"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1", "v1beta1"]
|
||||||
|
sideEffects: None
|
||||||
|
# don't run on ${NAMESPACE}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: gmsa-webhook
|
||||||
|
operator: NotIn
|
||||||
|
values: [disabled]
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
certificates:
|
||||||
|
certManager:
|
||||||
|
# Enable cert manager integration. Cert manager should be already installed at the k8s cluster
|
||||||
|
enabled: true
|
||||||
|
version: ""
|
||||||
|
# If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
|
||||||
|
secretName: gmsa-server-cert
|
||||||
|
|
||||||
|
credential:
|
||||||
|
enabled: true
|
||||||
|
domainJoinConfig:
|
||||||
|
dnsName: "" #DNS Domain Name
|
||||||
|
dnsTreeName: "" #DNS Domain Name Root
|
||||||
|
guid: "" #GUID
|
||||||
|
machineAccountName: "" #Username of the GMSA account
|
||||||
|
netBiosName: "" #NETBIOS Domain Name
|
||||||
|
sid: "" #SID of GMSA
|
||||||
|
|
||||||
|
image:
|
||||||
|
repository: rancher/mirrored-sigwindowstools-k8s-gmsa-webhook
|
||||||
|
tag: v0.3.0
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
global:
|
||||||
|
cattle:
|
||||||
|
systemDefaultRegistry: ""
|
||||||
|
kubectl:
|
||||||
|
repository: rancher/kubectl
|
||||||
|
tag: v1.22.6
|
||||||
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
## SecurityContext holds pod-level security attributes and common container settings.
|
||||||
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||||
|
##
|
||||||
|
podSecurityContext:
|
||||||
|
runAsNonRoot: false
|
||||||
|
# Currently, required to run as root due to port binding within the container.
|
||||||
|
runAsUser: 0
|
||||||
|
securityContext: {}
|
||||||
|
|
||||||
|
tolerations: []
|
||||||
|
|
|
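Review bot: `podSecurityContext` defaults to `runAsNonRoot: false` / `runAsUser: 0` with `securityContext: {}`, so the webhook — a component that sees every pod admission request in the cluster — runs as root with no hardening by default; the comment attributes this to port binding inside the container, in which case `securityContext:` / `  capabilities:` / `    add: [NET_BIND_SERVICE]` (with `drop: [ALL]`) plus `runAsNonRoot: true` would be a narrower default, provided the upstream image supports running unprivileged — confirm before changing. The `kubectl` image block (`repository`, `tag`, `pullPolicy`) is not referenced by any template in this commit, so either document what consumes it or drop it. Style: the inline comments on the `domainJoinConfig` keys use `#DNS Domain Name` with no space after `#` and a single space before it; yamllint expects `dnsName: ""  # DNS Domain Name`.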
@ -0,0 +1,9 @@
|
||||||
|
url: local
|
||||||
|
version: 1.0.0
|
||||||
|
additionalCharts:
|
||||||
|
- workingDir: charts-crd
|
||||||
|
crdOptions:
|
||||||
|
templateDirectory: crd-template
|
||||||
|
crdDirectory: templates
|
||||||
|
addCRDValidationToMainChart: true
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
apiVersion: v1
|
||||||
|
version: 1.0.0
|
||||||
|
description: Installs the CRDs for Windows GMSA.
|
||||||
|
name: rancher-windows-gmsa-crd
|
||||||
|
type: application
|
||||||
|
annotations:
|
||||||
|
catalog.cattle.io/certified: rancher
|
||||||
|
catalog.cattle.io/hidden: "true"
|
||||||
|
catalog.cattle.io/namespace: cattle-windows-gmsa-system
|
||||||
|
catalog.cattle.io/release-name: rancher-windows-gmsa-crd
|