Inject domainless gmsa cred spec into Windows Container #3682

@arun-annamalai arun-annamalai commented May 8, 2023

Summary

This pull request injects the domainless gMSA cred spec into the Windows container runtime (Docker). It also sets the plugin execution role credentials for the domainless gMSA plugin to use.

Implementation details

Domainless gMSA requires a pluginInput field in the credential spec to be populated. This change parses the customer JSON and modifies the pluginInput to point to the correct registry key that holds the task execution role credentials. It also sets the task execution role credentials to the aforementioned registry key.

Testing

These changes are unit tested and also manually tested by running a domainless task on an EC2 instance that is registered against gamma.

New tests cover the changes:
yes

Description for the changelog

Inject domainless gmsa cred spec into Windows Container

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
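
One way to perform the rewrite described under "Implementation details", as an added example that is not the PR's own code: it points PluginInput at a registry key while keeping every other field of the customer spec, and fails closed on a spec that is not domainless. Assumptions: PluginInput is modeled as a JSON object, and the `regKeyPath` key name, the registry path and all sample values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample of a customer-supplied domainless credential spec.
// Field names follow the Windows credential spec layout; values are placeholders.
const sampleCredSpec = `{
  "CmsPlugins": ["ActiveDirectory"],
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [{"Name": "WebApp01", "Scope": "contoso.com"}],
    "HostAccountConfig": {
      "PortableCcgVersion": "1",
      "PluginGUID": "{PLACEHOLDER-GUID}",
      "PluginInput": {"CredentialArn": "arn:aws:secretsmanager:region:111122223333:secret:example"}
    }
  }
}`

// injectRegKeyPath points PluginInput at regKey (hypothetical key name
// "regKeyPath") and leaves every other field of the spec untouched.
func injectRegKeyPath(spec []byte, regKey string) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(spec, &doc); err != nil {
		return nil, fmt.Errorf("credential spec is not valid JSON: %w", err)
	}
	ad, ok := doc["ActiveDirectoryConfig"].(map[string]interface{})
	if !ok {
		return nil, errors.New("missing ActiveDirectoryConfig")
	}
	host, ok := ad["HostAccountConfig"].(map[string]interface{})
	if !ok {
		return nil, errors.New("missing HostAccountConfig: not a domainless spec")
	}
	input, ok := host["PluginInput"].(map[string]interface{})
	if !ok {
		return nil, errors.New("PluginInput missing or not an object")
	}
	input["regKeyPath"] = regKey // a reference only; the credentials stay out of the spec
	return json.Marshal(doc)
}

func main() {
	out, err := injectRegKeyPath([]byte(sampleCredSpec), `HKEY_LOCAL_MACHINE\SOFTWARE\Example\TaskCreds\task-id`)
	fmt.Println(string(out), err)
}
```

Because the spec carries only the registry path, access to the credentials is governed by the ACL on that key rather than by who can read the container configuration.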

@arun-annamalai arun-annamalai changed the title from "Inject domainless gmsa cred spec into Windows Container" to "Inject domainless gmsa cred spec into Windows Container [DRAFT DONT REVIEW]" May 8, 2023
@arun-annamalai arun-annamalai changed the title from "Inject domainless gmsa cred spec into Windows Container [DRAFT DONT REVIEW]" to "Inject domainless gmsa cred spec into Windows Container [DRAFT]" May 10, 2023
@arun-annamalai arun-annamalai force-pushed the windows_injection2 branch 2 times, most recently from bc0f373 to 8d88030 Compare May 15, 2023 16:49
@arun-annamalai arun-annamalai changed the title from "Inject domainless gmsa cred spec into Windows Container [DRAFT]" to "Inject domainless gmsa cred spec into Windows Container" May 15, 2023
@arun-annamalai arun-annamalai marked this pull request as ready for review May 15, 2023 16:49
@arun-annamalai arun-annamalai requested a review from a team as a code owner May 15, 2023 16:49
mythri-garaga previously approved these changes May 15, 2023
err := cs.handleSSMCredentialspecFile(ssmCredentialSpec, credentialSpecSSMARN, iamCredentials)
assert.NoError(t, err)
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
Contributor

[Not required in this PR] I think there is a lot of room to break down the credentialspec package into smaller units and test them individually. The package is juggling way too many responsibilities in its current state. The amount of setup in this test function is staggering.

Contributor Author

Will bring this up with WCT team and plan for a refactor

@arun-annamalai arun-annamalai force-pushed the windows_injection2 branch 4 times, most recently from b628b25 to 404f9c3 Compare May 16, 2023 16:43
@arun-annamalai arun-annamalai force-pushed the windows_injection2 branch 3 times, most recently from 1659233 to cf402c1 Compare May 16, 2023 17:11
@arun-annamalai arun-annamalai merged commit f4687b5 into aws:feature/ecs-domainless-gmsa May 16, 2023