Domainless gMSA linux capability and gRPC endpoints #3678

Merged
9 changes: 9 additions & 0 deletions agent/config/parse.go
Expand Up @@ -35,6 +35,15 @@ const (
// domain join check validation. This is useful for integration and
// functional-tests but should not be set for any non-test use-case.
envSkipDomainJoinCheck = "ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION"
// envSkipDomainLessCheck is an environment setting that can be used to skip
// domain less gMSA support check validation. This is useful for integration and
// functional-tests but should not be set for any non-test use-case.
envSkipDomainLessCheck = "ZZZ_SKIP_DOMAIN_LESS_CHECK_NOT_SUPPORTED_IN_PRODUCTION"
// envGmsaEcsSupport is an environment setting that can be used to enable gMSA support on ECS
envGmsaEcsSupport = "ECS_GMSA_SUPPORTED"
// envCredentialsFetcherHostDir is an environment setting that is set in ecs-init identifying
// location of the credentials-fetcher location on the machine
envCredentialsFetcherHostDir = "CREDENTIALS_FETCHER_HOST_DIR"
)

func parseCheckpoint(dataDir string) BooleanDefaultFalse {
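Review bot: The doc comment on `envCredentialsFetcherHostDir` reads "identifying location of the credentials-fetcher location on the machine", which repeats "location" and does not say that the value is a directory path on the host that the Linux parsers pass to `os.Stat`; suggest `// envCredentialsFetcherHostDir is an environment setting, set by ecs-init, holding the host directory path where credentials-fetcher lives.` The `envSkipDomainLessCheck` comment would also be clearer if it stated, as the `envSkipDomainJoinCheck` one implies, that setting it makes the parser report the capability as enabled without inspecting the host directory at all. The `const` block begins above this hunk.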
32 changes: 29 additions & 3 deletions agent/config/parse_linux.go
Expand Up @@ -18,6 +18,7 @@ package config

import (
"errors"
"io/fs"
"os"
"strings"

Expand All @@ -26,7 +27,7 @@ import (
)

func parseGMSACapability() BooleanDefaultFalse {
envStatus := utils.ParseBool(os.Getenv("ECS_GMSA_SUPPORTED"), true)
envStatus := utils.ParseBool(os.Getenv(envGmsaEcsSupport), true)
if envStatus {
// Check if domain join check override is present
skipDomainJoinCheck := utils.ParseBool(os.Getenv(envSkipDomainJoinCheck), false)
Expand All @@ -37,10 +38,10 @@ func parseGMSACapability() BooleanDefaultFalse {

// check if the credentials fetcher socket is created and exists
// this env variable is set in ecs-init module
if credentialsfetcherHostDir := os.Getenv("CREDENTIALS_FETCHER_HOST_DIR"); credentialsfetcherHostDir != "" {
if credentialsfetcherHostDir := os.Getenv(envCredentialsFetcherHostDir); credentialsfetcherHostDir != "" {
_, err := os.Stat(credentialsfetcherHostDir)
if err != nil {
if os.IsNotExist(err) {
if errors.Is(err, fs.ErrNotExist) {
seelog.Errorf("CREDENTIALS_FETCHER_HOST_DIR not found, err: %v", err)
return BooleanDefaultFalse{Value: ExplicitlyDisabled}
}
Expand Down Expand Up @@ -72,7 +73,32 @@ func parseFSxWindowsFileServerCapability() BooleanDefaultFalse {
return BooleanDefaultFalse{Value: ExplicitlyDisabled}
}

// parseGMSADomainlessCapability is used to determine if gMSA domainless support can be enabled
func parseGMSADomainlessCapability() BooleanDefaultFalse {
envStatus := utils.ParseBool(os.Getenv(envGmsaEcsSupport), false)
if envStatus {
// Check if domain less check override is present
skipDomainLessCheck := utils.ParseBool(os.Getenv(envSkipDomainLessCheck), false)
if skipDomainLessCheck {
seelog.Infof("Skipping domain less validation based on environment override")
return BooleanDefaultFalse{Value: ExplicitlyEnabled}
}

// check if the credentials fetcher socket is created and exists
// this env variable is set in ecs-init module
if credentialsfetcherHostDir := os.Getenv(envCredentialsFetcherHostDir); credentialsfetcherHostDir != "" {
_, err := os.Stat(credentialsfetcherHostDir)
if err != nil {
if errors.Is(err, fs.ErrNotExist) {
seelog.Errorf("CREDENTIALS_FETCHER_HOST_DIR not found, err: %v", err)
return BooleanDefaultFalse{Value: ExplicitlyDisabled}
}
seelog.Errorf("Error associated with CREDENTIALS_FETCHER_HOST_DIR, err: %v", err)
}
return BooleanDefaultFalse{Value: ExplicitlyEnabled}
}
}
seelog.Debug("env variables to support gMSA are not set")
return BooleanDefaultFalse{Value: ExplicitlyDisabled}
}

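Review bot: In `parseGMSADomainlessCapability`, an `os.Stat` failure other than `fs.ErrNotExist` (a permission error, for instance) is logged by `seelog.Errorf("Error associated with CREDENTIALS_FETCHER_HOST_DIR, err: %v", err)` and then falls through to `return BooleanDefaultFalse{Value: ExplicitlyEnabled}`, so the capability is advertised even though the directory could not be inspected; adding `return BooleanDefaultFalse{Value: ExplicitlyDisabled}` directly after that log line (or dropping the `fs.ErrNotExist` special case so that any stat error disables) would make the advertised capability match what was actually verified. `parseGMSACapability` in the hunk above appears to have the same shape, though its tail is outside that hunk, and the new function duplicates it apart from the `ParseBool` default and the override variable; a shared helper taking those two values as parameters would keep the two checks from drifting. The comment "check if the credentials fetcher socket is created and exists" describes more than the code does, since only the directory is stat'ed; either the comment or the check should be tightened. The `envSkipDomainLessCheck` override returns `ExplicitlyEnabled` with no further validation, mirroring the domain-join override, so its test-only status rests on the variable name alone and is worth stating in the function's doc comment.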
21 changes: 21 additions & 0 deletions agent/config/parse_linux_test.go
Expand Up @@ -49,3 +49,24 @@ func TestSkipDomainJoinCheckParseGMSACapability(t *testing.T) {

assert.True(t, parseGMSACapability().Enabled())
}

func TestParseGMSADomainLessCapabilitySupported(t *testing.T) {
t.Setenv("ECS_GMSA_SUPPORTED", "True")
t.Setenv("CREDENTIALS_FETCHER_HOST_DIR", "/var/run")

assert.True(t, parseGMSADomainlessCapability().Enabled())
}

func TestParseGMSADomainLessCapabilityUnSupported(t *testing.T) {
t.Setenv("ECS_GMSA_SUPPORTED", "True")
t.Setenv("CREDENTIALS_FETCHER_HOST_DIR", "")

assert.False(t, parseGMSADomainlessCapability().Enabled())
}

func TestSkipDomainLessCheckParseGMSACapability(t *testing.T) {
t.Setenv("ECS_GMSA_SUPPORTED", "True")
t.Setenv("ZZZ_SKIP_DOMAIN_LESS_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")

assert.True(t, parseGMSADomainlessCapability().Enabled())
}
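Review bot: `TestParseGMSADomainLessCapabilitySupported` depends on `/var/run` existing on the machine running the tests, so it passes or fails by host layout rather than by the code under test; `t.Setenv("CREDENTIALS_FETCHER_HOST_DIR", t.TempDir())` pins the positive case to a directory the test owns. No test exercises the path where the variable is set to a directory that does not exist (for example a never-created child of `t.TempDir()`), which is the branch that should return disabled, and none covers a stat error other than not-exist, which currently ends up enabled. Since `ECS_GMSA_SUPPORTED` defaults to false in this parser, a case with it unset asserting `Enabled()` is false would document that default.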