andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

make charts PACKAGE=rancher-windows-gmsa

pull/2114/head
Rayan Das 2022-09-26 16:27:57 +05:30
parent f0aa7cfeed
commit f6a14d40c0
21 changed files with 625 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-2.0.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-windows-gmsa/rancher-windows-gmsa-2.0.0.tgz Normal file
View File

Binary file not shown.

10
charts/rancher-windows-gmsa-crd/2.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/release-name: rancher-windows-gmsa-crd
apiVersion: v1
description: Installs the CRDs for Windows GMSA.
name: rancher-windows-gmsa-crd
type: application
version: 2.0.0

119
charts/rancher-windows-gmsa-crd/2.0.0/templates/crds.yaml Normal file
View File

@ -0,0 +1,119 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: gmsacredentialspecs.windows.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
spec:
group: windows.k8s.io
versions:
- name: v1alpha1
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
conversion:
strategy: None
names:
kind: GMSACredentialSpec
plural: gmsacredentialspecs
scope: Cluster

29
charts/rancher-windows-gmsa/2.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,29 @@
annotations:
catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Windows GMSA
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.24.0-0'
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/os: windows
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-windows-gmsa
apiVersion: v2
appVersion: 0.3.0
description: Windows GMSA Configuration
icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
maintainers:
- email: jamie.phillips@suse.com
name: Rancher
name: rancher-windows-gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
version: 2.0.0

9
charts/rancher-windows-gmsa/2.0.0/app-readme.md Normal file
View File

@ -0,0 +1,9 @@
# Windows GMSA Admission Webhook
This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).
## Prerequisites
- Active Directory that supports Group Managed Service Accounts
- A Group Managed Service Account
- Kubernetes v1.21+

53
charts/rancher-windows-gmsa/2.0.0/questions.yaml Normal file
View File

@ -0,0 +1,53 @@
questions:
- variable: credential.enabled
default: true
description: Whether to create a GMSA Credential when installing GMSA Webhook
label: Whether to create a GMSA Credential
type: boolean
group: "Credential Spec"
show_subquestion_if: true
subquestions:
- variable: credential.domainJoinConfig.machineAccountName
label: GMSA Account Name
description: Username of the GMSA account
type: string
required: true
- variable: credential.domainJoinConfig.guid
label: GUID
description: GUID of the Service Account
type: string
required: true
- variable: credential.domainJoinConfig.sid
label: SID
description: SID of the GMSA Account
type: string
required: true
- variable: credential.domainJoinConfig.dnsName
label: DNS Domain Name
description: Name of the domain in DNS
type: string
required: true
- variable: credential.domainJoinConfig.dnsTreeName
label: DNS Tree Domain
description: Root name of the domain in DNS
type: string
required: true
- variable: credential.domainJoinConfig.netBiosName
label: NETBIOS Name
description: NETBIOS Name for the domain.
type: string
required: true
- variable: certificates.certManager.enabled
default: true
description: Use cert-manager to generate certificates for the webhook
label: Generate certificate through cert-manager
type: boolean
group: "Certificates"
show_subquestion_if: false
subquestions:
- variable: certificates.secretName
default: webhook-server-cert
description: Mount a CA Bundle from an existing Secret in the same namespace as the GMSA webhook. Secret must contain keys for the CA certificate (ca.crt), the TLS certificate (tls.crt), and the TLS private key (tls.key) to be used by the webhook.
label: CA Bundle From Existing Secret
type: string
required: true

48
charts/rancher-windows-gmsa/2.0.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,48 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/* Create chart name and version as used by the chart label. */}}
{{- define "gmsa.chartref" -}}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- end }}
{{/* Determine apiVersion for cert-manager */}}
{{- define "cert-manager.apiversion" -}}
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
{{- end }}
{{- define "certificates.cabundle"}}
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
{{- if lt (len $secret) 1 -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- else -}}
{{- if not (hasKey $secret "data") -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- end -}}
{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
{{- end -}}
{{- end -}}
{{- get $secret.data "ca.crt" }}
{{- else -}}
INSERT_CERTIFICATE_FROM_SECRET
{{- end -}}
{{- end }}

16
charts/rancher-windows-gmsa/2.0.0/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,16 @@
# the RBAC role that the webhook needs to:
# * read GMSA custom resources
# * check authorizations to use GMSA cred specs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
rules:
- apiGroups: ["windows.k8s.io"]
resources: ["gmsacredentialspecs"]
verbs: ["get", "use"]
- apiGroups: ["authorization.k8s.io"]
resources: ["localsubjectaccessreviews"]
verbs: ["create"]

15
charts/rancher-windows-gmsa/2.0.0/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,15 @@
# bind that role to the webhook's service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}
apiGroup: rbac.authorization.k8s.io

24
charts/rancher-windows-gmsa/2.0.0/templates/credentialspec.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.credential.enabled -}}
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
name: {{ .Values.credential.domainJoinConfig.machineAccountName | lower }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
credspec:
ActiveDirectoryConfig:
GroupManagedServiceAccounts:
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }}
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }}
Scope: {{ .Values.credential.domainJoinConfig.dnsName }}
CmsPlugins:
- ActiveDirectory
DomainJoinConfig:
DnsName: {{ .Values.credential.domainJoinConfig.dnsName }}
DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }}
Guid: {{ .Values.credential.domainJoinConfig.guid }}
MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }}
NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }}
Sid: {{ .Values.credential.domainJoinConfig.sid }}
{{- end -}}

68
charts/rancher-windows-gmsa/2.0.0/templates/deployment.yaml Normal file
View File

@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
{{- if .Values.podSecurityContext }}
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Release.Name }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Release.Name }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
readinessProbe:
httpGet:
scheme: HTTPS
path: /health
port: 443
ports:
- containerPort: 443
{{- if .Values.securityContext }}
securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
{{- end }}
volumeMounts:
- name: tls
mountPath: "/etc/ssl/rancher-windows-gmsa-webhook"
readOnly: true
env:
- name: TLS_KEY
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.key
- name: TLS_CRT
value: /etc/ssl/rancher-windows-gmsa-webhook/tls.crt
volumes:
- name: tls
secret:
secretName: {{ .Values.certificates.secretName }}
items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt

26
charts/rancher-windows-gmsa/2.0.0/templates/issuer.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.certificates.certManager.enabled -}}
{{ template "cert-manager.apiversion" . }}
kind: Certificate
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
dnsNames:
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc
- {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ .Release.Name }}
secretName: {{ .Values.certificates.secretName }}
---
{{ template "cert-manager.apiversion" . }}
kind: Issuer
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
selfSigned: {}
{{- end -}}

34
charts/rancher-windows-gmsa/2.0.0/templates/mutatingwebhook.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ .Release.Name }}
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
{{- end }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
webhooks:
- name: admission-webhook.windows-gmsa.sigs.k8s.io
clientConfig:
service:
name: {{ .Release.Name }}
namespace: {{.Release.Namespace}}
path: "/mutate"
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ template "certificates.cabundle" . }}
{{- end }}
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["*"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
# don't run on ${NAMESPACE}
namespaceSelector:
matchExpressions:
- key: gmsa-webhook
operator: NotIn
values: [disabled]

16
charts/rancher-windows-gmsa/2.0.0/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress

13
charts/rancher-windows-gmsa/2.0.0/templates/service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
spec:
ports:
- port: 443
targetPort: 443
selector:
app: {{ .Release.Name }}

8
charts/rancher-windows-gmsa/2.0.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,8 @@
# the service account for the webhook
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}

14
charts/rancher-windows-gmsa/2.0.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,14 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "windows.k8s.io/v1alpha1/GMSACredentialSpec" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

34
charts/rancher-windows-gmsa/2.0.0/templates/validatingwebhook.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ .Release.Name }}
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
{{- end }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
webhooks:
- name: admission-webhook.windows-gmsa.sigs.k8s.io
clientConfig:
service:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
path: "/validate"
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ template "certificates.cabundle" . }}
{{- end }}
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["*"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
# don't run on ${NAMESPACE}
namespaceSelector:
matchExpressions:
- key: gmsa-webhook
operator: NotIn
values: [disabled]

42
charts/rancher-windows-gmsa/2.0.0/values.yaml Normal file
View File

@ -0,0 +1,42 @@
certificates:
certManager:
# Enable cert manager integration. Cert manager should be already installed at the k8s cluster
enabled: true
version: ""
# If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
secretName: gmsa-server-cert
credential:
enabled: true
domainJoinConfig:
dnsName: "" #DNS Domain Name
dnsTreeName: "" #DNS Domain Name Root
guid: "" #GUID
machineAccountName: "" #Username of the GMSA account
netBiosName: "" #NETBIOS Domain Name
sid: "" #SID of GMSA
image:
repository: rancher/mirrored-sigwindowstools-k8s-gmsa-webhook
tag: v0.3.0
imagePullPolicy: IfNotPresent
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v1.22.6
pullPolicy: IfNotPresent
## SecurityContext holds pod-level security attributes and common container settings.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
podSecurityContext:
runAsNonRoot: false
# Currently, required to run as root due to port binding within the container.
runAsUser: 0
securityContext: {}
tolerations: []

47
index.yaml
View File

@ -9973,6 +9973,39 @@ entries:
- assets/rancher-windows-exporter/rancher-windows-exporter-0.1.000.tgz
version: 0.1.000
rancher-windows-gmsa:
- annotations:
catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Windows GMSA
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.24.0-0'
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/os: windows
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: windows.k8s.io.gmsacredentialspecs/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-windows-gmsa
apiVersion: v2
appVersion: 0.3.0
created: "2022-09-26T16:24:43.952186869+05:30"
description: Windows GMSA Configuration
digest: a244c64385be695e3149d55f707b124f95377fd564b369fca364b1896310706c
icon: https://charts.rancher.io/assets/logos/windows-gmsa.svg
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
maintainers:
- email: jamie.phillips@suse.com
name: Rancher
name: rancher-windows-gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
urls:
- assets/rancher-windows-gmsa/rancher-windows-gmsa-2.0.0.tgz
version: 2.0.0
- annotations:
catalog.cattle.io/auto-install: rancher-windows-gmsa-crd=match
catalog.cattle.io/certified: rancher
@ -10007,6 +10040,20 @@ entries:
- assets/rancher-windows-gmsa/rancher-windows-gmsa-1.0.0.tgz
version: 1.0.0
rancher-windows-gmsa-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-windows-gmsa-system
catalog.cattle.io/release-name: rancher-windows-gmsa-crd
apiVersion: v1
created: "2022-09-26T16:24:43.952477917+05:30"
description: Installs the CRDs for Windows GMSA.
digest: 6724e8d4275fcc6fde7bae81779fb487de37676a5d9951fde61d9391ad832c78
name: rancher-windows-gmsa-crd
type: application
urls:
- assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-2.0.0.tgz
version: 2.0.0
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"