Add credential.hostAccountConfig for CCG scenario
This commit adds a new field `.Values.credential.hostAccountConfig` for situations where the default credential deployed by this chart utilizes CCG.

Here are the tests I ran with my changes:

```bash
$ helm template gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'

$ helm template --set="credential.enabled=true" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
null

$ helm template --set="credential.enabled=true" --set="credential.hostAccountConfig.badkey=hi" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
Error: execution error at (gmsa/templates/credentialspec.yaml:16:29): credential.hostAccountConfig.portableCCGVersion must be provided if credential.hostAccountConfig is set

Use --debug flag to render out invalid YAML

$ helm template --set="credential.enabled=true" --set="credential.hostAccountConfig.portableCcgVersion=1" --set="credential.hostAccountConfig.pluginGUID=myguid" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
Error: execution error at (gmsa/templates/credentialspec.yaml:18:22): credential.hostAccountConfig.pluginInput must be provided if credential.hostAccountConfig is set

Use --debug flag to render out invalid YAML

$ helm template --set="credential.enabled=true" --set="credential.hostAccountConfig.pluginGUID=myguid" --set="credential.hostAccountConfig.pluginInput=myinput" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
Error: execution error at (gmsa/templates/credentialspec.yaml:16:29): credential.hostAccountConfig.portableCCGVersion must be provided if credential.hostAccountConfig is set

Use --debug flag to render out invalid YAML

$ helm template --set="credential.enabled=true" --set="credential.hostAccountConfig.portableCcgVersion=1" --set="credential.hostAccountConfig.pluginInput=myinput" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
Error: execution error at (gmsa/templates/credentialspec.yaml:17:38): credential.hostAccountConfig.pluginGUID must be provided if credential.hostAccountConfig is set

Use --debug flag to render out invalid YAML

$ helm template --set="credential.enabled=true" --set="credential.hostAccountConfig.portableCcgVersion=1" --set="credential.hostAccountConfig.pluginGUID=myguid" --set="credential.hostAccountConfig.pluginInput=myinput" gmsa charts/gmsa | yq e 'select(.kind == "GMSACredentialSpec") | .credspec.ActiveDirectoryConfig.HostAccountConfig'
PortableCcgVersion: "1"
PluginGUID: "{myguid}"
PluginInput: "myinput"
```
Arvind Iyengar committed Sep 29, 2023
1 parent c99bc40 commit 127a5ef
Showing 3 changed files with 13 additions and 0 deletions.
3 changes: 3 additions & 0 deletions charts/README.md
Expand Up @@ -42,6 +42,9 @@ The following table lists the configurable parameters of the latest GMSA chart a
| `credential.domainJoinConfig.machineAccountName` | username of the GMSA account | |
| `credential.domainJoinConfig.netBiosName` | NETBIOS Domain Name | |
| `credential.domainJoinConfig.sid` | SID | |
| `credential.hostAccountConfig.pluginGUID` | GUID of CCG Plugin | |
| `credential.hostAccountConfigg.portableCcgVersion` | Version of CCG Plugin | |
| `credential.hostAccountConfig.pluginInput` | Input to CCG Plugin | |
| `image.repository` | image repository | `registry.k8s.io/gmsa-webhook/k8s-gmsa-webhook` |
| `image.tag` | image tag | `v0.4.0` |
| `image.imagePullPolicy` | image pull policy | `IfNotPresent` |
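Review bot: The added `portableCcgVersion` row spells the key as `credential.hostAccountConfigg.portableCcgVersion` (double "g"), so anyone copying it from the table sets a key the template never reads. It should be `credential.hostAccountConfig.portableCcgVersion`. The three new rows could also note that the template requires all three keys once `credential.hostAccountConfig` is set, since an empty Default column does not convey that.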
6 changes: 6 additions & 0 deletions charts/gmsa/templates/credentialspec.yaml
Expand Up @@ -11,6 +11,12 @@ credspec:
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }} # NETBIOS Domain Name
- Name: {{ .Values.credential.domainJoinConfig.machineAccountName }} # Username of the GMSA account
Scope: {{ .Values.credential.domainJoinConfig.dnsName }} # DNS Domain Name
{{- if .Values.credential.hostAccountConfig }}
HostAccountConfig:
PortableCcgVersion: {{ required "credential.hostAccountConfig.portableCCGVersion must be provided if credential.hostAccountConfig is set" .Values.credential.hostAccountConfig.portableCcgVersion | quote }} # This needs to equal the current version of CCG which right now is '1'
PluginGUID: {{ printf "{%s}" (required "credential.hostAccountConfig.pluginGUID must be provided if credential.hostAccountConfig is set" .Values.credential.hostAccountConfig.pluginGUID) | quote }} # CCG Plugin GUID
PluginInput: {{ required "credential.hostAccountConfig.pluginInput must be provided if credential.hostAccountConfig is set" .Values.credential.hostAccountConfig.pluginInput | quote }} # Format of this field is dependent upon specific CCG Plugin
{{- end }}
CmsPlugins:
- ActiveDirectory
DomainJoinConfig:
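Review bot: The `required` message on the `PortableCcgVersion` line names `credential.hostAccountConfig.portableCCGVersion`, while the value actually read is `.Values.credential.hostAccountConfig.portableCcgVersion`; a user who sets the key exactly as the error spells it gets the same error again. Change the message to `portableCcgVersion`. On the `PluginGUID` line, `printf "{%s}"` always adds braces, so a value supplied already in `{...}` form would render double-braced; either document that the GUID is given without braces or strip them before wrapping.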
4 changes: 4 additions & 0 deletions charts/gmsa/values.yaml
Expand Up @@ -10,6 +10,10 @@ certificates:

credential:
enabled: false
hostAccountConfig: {}
# pluginGUID: "" # CCG Plugin GUID
# portableCcgVersion: "1" # This needs to equal the current version of CCG which right now is '1'
# pluginInput: "" # Format of this field is dependent upon specific CCG Plugin
domainJoinConfig:
dnsName: "" # DNS Domain Name
dnsTreeName: "" # DNS Domain Name Root
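Review bot: The commented keys under `hostAccountConfig: {}` do not say that they are all-or-nothing, nor that `pluginGUID` is written without braces. The template fails rendering unless all three are present once the map is non-empty, and it wraps the GUID in `{}` itself, so a comment line such as `# set all three keys or none; pluginGUID without surrounding braces` would save users a failed render.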