Feature/ecs domainless gmsa #3735

Merged
merged 10 commits into from
Jun 5, 2023
Added integration test gMSA domainless
saikiranakula-amzn authored and arun-annamalai committed Jun 5, 2023
commit bbc4a3fac960390b043f382692e93470fd1e9f41
2 changes: 1 addition & 1 deletion agent/config/parse_linux.go
@@ -27,7 +27,7 @@ import (
)

func parseGMSACapability() BooleanDefaultFalse {
envStatus := utils.ParseBool(os.Getenv(envGmsaEcsSupport), true)
envStatus := utils.ParseBool(os.Getenv(envGmsaEcsSupport), false)
if envStatus {
// Check if domain join check override is present
skipDomainJoinCheck := utils.ParseBool(os.Getenv(envSkipDomainJoinCheck), false)
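Review bot: The `utils.ParseBool(os.Getenv(envGmsaEcsSupport), false)` line changes what happens when the variable is unset or not a boolean, and neither the code nor the commit message records why; assuming that line is the new side (this render drops the +/- markers), gMSA on Linux becomes opt-in, which is the safer fallback given that the domainless path relies on a credentials fetcher, but the next reader cannot tell it was deliberate. Add `// gMSA on Linux is opt-in: an unset or malformed envGmsaEcsSupport value leaves it disabled` above that line. Pin the fallback with a unit test that calls parseGMSACapability with the variable unset, since the integration test in this commit only exercises the explicitly enabled path. parseGMSACapability's body continues past the hunk.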
94 changes: 92 additions & 2 deletions agent/engine/engine_sudo_linux_integ_test.go
@@ -808,6 +808,8 @@ func TestGMSATaskFile(t *testing.T) {
err = ioutil.WriteFile(testCredSpecFilePath, testCredSpecData, 0755)
require.NoError(t, err)

defer os.RemoveAll(testCredSpecFilePath)

testContainer := createTestContainer()
testContainer.Name = "testGMSATaskFile"

@@ -842,11 +844,99 @@ func TestGMSATaskFile(t *testing.T) {
assert.NoError(t, err, "Could not kill container")

verifyTaskIsStopped(stateChangeEvents, testTask)
}

func TestGMSADomainlessTaskFile(t *testing.T) {
t.Setenv("ECS_GMSA_SUPPORTED", "True")
t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")

cfg := defaultTestConfigIntegTest()
cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
cfg.TaskCleanupWaitDuration = 3 * time.Second
cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
cfg.AWSRegion = "us-west-2"

taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
defer done()

stateChangeEvents := taskEngine.StateChangeEvents()

// Setup test gmsa file
credentialSpecDataDir := "/tmp"
testFileName := "test-gmsa.json"
testCredSpecFilePath := filepath.Join(credentialSpecDataDir, testFileName)
_, err := os.Create(testCredSpecFilePath)
require.NoError(t, err)

// add local credentialspec file for domainless gmsa support
testCredSpecData := []byte(`{
"CmsPlugins": [
"ActiveDirectory"
],
"DomainJoinConfig": {
"Sid": "S-1-5-21-975084816-3050680612-2826754290",
"MachineAccountName": "gmsa-acct-test",
"Guid": "92a07e28-bd9f-4bf3-b1f7-0894815a5257",
"DnsTreeName": "gmsa.test.com",
"DnsName": "gmsa.test.com",
"NetBiosName": "gmsa"
},
"ActiveDirectoryConfig": {
"GroupManagedServiceAccounts": [
{
"Name": "gmsa-acct-test",
"Scope": "gmsa.test.com"
}
],
"HostAccountConfig": {
"PortableCcgVersion": "1",
"PluginGUID": "{859E1386-BDB4-49E8-85C7-3070B13920E1}",
"PluginInput": {
"CredentialArn": "arn:aws:secretsmanager:us-west-2:123456789:secret:gmsausersecret-xb5Qev"
}
}
}
}`)

err = ioutil.WriteFile(testCredSpecFilePath, testCredSpecData, 0755)
require.NoError(t, err)

defer os.RemoveAll(testCredSpecFilePath)

// Cleanup the test file
err = os.RemoveAll(testCredSpecFilePath)
testContainer := createTestContainer()
testContainer.Name = "testGMSADomainlessTaskFile"

testContainer.CredentialSpecs = []string{"credentialspecdomainless:file:///tmp/test-gmsa.json"}

testTask := &apitask.Task{
Arn: "testGMSAFileTaskARN",
Family: "family",
Version: "1",
DesiredStatusUnsafe: apitaskstatus.TaskRunning,
Containers: []*apicontainer.Container{testContainer},
}
testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
testTask.Containers[0].Command = getLongRunningCommand()

go taskEngine.AddTask(testTask)

verifyTaskIsRunning(stateChangeEvents, testTask)

client, _ := sdkClient.NewClientWithOpts(sdkClient.WithHost(endpoint), sdkClient.WithVersion(sdkclientfactory.GetDefaultVersion().String()))
containerMap, _ := taskEngine.(*DockerTaskEngine).state.ContainerMapByArn(testTask.Arn)
cid := containerMap[testTask.Containers[0].Name].DockerID

expectedBind := "/tmp/tgt:/var/credentials-fetcher/krbdir:ro"
err = verifyContainerBindMount(client, cid, expectedBind)
assert.NoError(t, err)

// Kill the existing container now
err = client.ContainerKill(context.TODO(), cid, "SIGKILL")
assert.NoError(t, err, "Could not kill container")

verifyTaskIsStopped(stateChangeEvents, testTask)
}

func verifyContainerBindMount(client *sdkClient.Client, id, expectedBind string) error {
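Review bot: In TestGMSADomainlessTaskFile the `_, err := os.Create(testCredSpecFilePath)` line discards the *os.File it opens, so that descriptor is never closed, and the call is redundant because the `ioutil.WriteFile` call below creates the file anyway; that write also uses mode 0755 (as does the one in TestGMSATaskFile), an executable bit a JSON credential spec does not need. Drop the os.Create/require pair and write the file once with `err := ioutil.WriteFile(testCredSpecFilePath, testCredSpecData, 0644)`. The render loses the +/- markers, so if `// Cleanup the test file` and `err = os.RemoveAll(testCredSpecFilePath)` are on the new side rather than being the two deletions, they remove the spec before the task is added and leave that error unchecked; presumably they are the deletions, but worth confirming. The `cid := containerMap[testTask.Containers[0].Name].DockerID` line also indexes the map without an ok check after `ContainerMapByArn`'s error is dropped, so a missing container panics instead of failing the test; a `c, ok := containerMap[...]` followed by `require.True(t, ok)` would make that failure readable.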