

Fixing the integration tests for helm chart.
This PR makes tweaks and fixes some assumptions that
prevented the integration test from actually working.

This also adds a latest chart.
phillipsj committed May 25, 2022
1 parent fd533c3 commit 9e538f2
Showing 18 changed files with 501 additions and 15 deletions.
13 changes: 8 additions & 5 deletions admission-webhook/make/helm.mk
Original file line number Diff line number Diff line change
Expand Up @@ -29,29 +29,32 @@ deploy_chart: install-helm
# removes the chart from the kind cluster
.PHONY: remove_chart
remove_chart:
KUBECONFIG=$(KUBECONFIG) $(HELM) uninstall $(DEPLOYMENT_NAME)
KUBECONFIG=$(KUBECONFIG) $(HELM) uninstall $(DEPLOYMENT_NAME) --namespace $(NAMESPACE)

# deploys the webhook to the kind cluster using helm
# if $K8S_GMSA_DEPLOY_METHOD is set to "download", then it will deploy by downloading
# the deploy script as documented in the README, using $K8S_GMSA_DEPLOY_CHART_REPO and
# $K8S_GMSA_DEPLOY_CHART_VERSION env variables to build the download URL. If VERSION is
# not set then latest is used.
.PHONY: _deploy_chart
_deploy_chart: _deploy_certmanager
_deploy_chart: _start_cluster_if_not_running _deploy_certmanager
ifeq ($(K8S_GMSA_CHART),)
@ echo "Cannot call target $@ without setting K8S_GMSA_CHART"
exit 1
endif
mkdir -p $(dir $(MANIFESTS_FILE))
@ echo "installing helm deployment $(DEPLOYMENT_NAME) with chart $(K8S_GMSA_CHART) and image $(IMAGE_REPO):$(VERSION)"
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) create namespace $(NAMESPACE)
KUBECONFIG=$(KUBECONFIG) $(HELM) version
KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) --set image.repository=$(IMAGE_REPO) --set image.tag=$(VERSION) $(K8S_GMSA_CHART)
KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) $(K8S_GMSA_CHART) --namespace $(NAMESPACE)
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n $(NAMESPACE) pod -l app=$(DEPLOYMENT_NAME) --for=condition=Ready

.PHONY: _deploy_certmanager
_deploy_certmanager: remove_certmanager
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) create namespace cert-manager
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml

KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n cert-manager pod -l app=cainjector --for=condition=Ready
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) wait -n cert-manager pod -l app=webhook --for=condition=Ready

.PHONY: remove_certmanager
remove_certmanager:
KUBECONFIG=$(KUBECONFIG) $(KUBECTL) delete namespace cert-manager || true
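Review bot: `_deploy_certmanager` runs `remove_certmanager` first, and `kubectl delete namespace` returns while the namespace is still Terminating, so the `kubectl create namespace cert-manager` that follows can fail with an "object is being deleted" error on a re-run; deleting with `kubectl delete namespace cert-manager --ignore-not-found --wait=true` (or adding `kubectl wait --for=delete ns/cert-manager`) closes that race. The same pattern in `_deploy_chart` — `kubectl create namespace $(NAMESPACE)` before `helm install` — fails outright when the namespace already exists, whereas `$(HELM) install ... --namespace $(NAMESPACE) --create-namespace` is idempotent. The three `kubectl wait` calls rely on the 30s default timeout, which an image pull on a fresh kind cluster can exceed, so an explicit `--timeout=` would make a slow pull distinguishable from a broken deployment. The cert-manager manifest is applied directly from a pinned release URL with no integrity check; the pin is good, but a comment noting that the test depends on that endpoint (or a vendored copy with a recorded digest) would make the supply-chain assumption explicit.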
23 changes: 15 additions & 8 deletions admission-webhook/run-ci.sh
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ export CLUSTER_NAME="windows-gmsa-$GITHUB_JOB"
export KUBECTL="$GITHUB_WORKSPACE/admission-webhook/dev/kubectl-$CLUSTER_NAME"
export KUBECONFIG="$GITHUB_WORKSPACE/admission-webhook/dev/kubeconfig-$CLUSTER_NAME"

if [-z "${CHART_VERSION}"]; then
CHART_VERSION="latest"
fi

main() {
case "$T" in
unit)
Expand Down Expand Up @@ -46,27 +50,25 @@ run_integration_tests() {
export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$(git rev-parse HEAD)"
echo "Running: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
fi
fi

if [[ "$DEPLOY_METHOD" == 'chart' ]]; then
elif [[ "$DEPLOY_METHOD" == 'chart' ]]; then
export K8S_GMSA_DEPLOY_METHOD='chart'

echo "deploy method: $K8S_GMSA_DEPLOY_METHOD"
if [ "$GITHUB_HEAD_REF" ]; then
# GITHUB_HEAD_REF is only set if it's a pull request
# Similar logic goes here, but installs the chart using the repo.
export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="$GITHUB_REPOSITORY"
export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$GITHUB_SHA"
echo "Running pull request: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"

export K8S_GMSA_CHART="$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa"
else
# not a pull request
# Installs the chart using the local copy.
export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="kubernetes-sigs/windows-gmsa"
export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$(git rev-parse HEAD)"
echo "Running: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"

export K8S_GMSA_CHART=$GITHUB_WORKSPACE/charts/v0.4.0/gmsa
make integration_tests_chart
exit
export K8S_GMSA_CHART="$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa"
fi
fi

Expand Down Expand Up @@ -95,7 +97,12 @@ run_integration_tests() {
exit 1
fi
else
make integration_tests
if [[ "$DEPLOY_METHOD" == 'download' ]]; then
make integration_tests
fi
if [[ "$DEPLOY_METHOD" == 'chart' ]]; then
make integration_tests_chart
fi
fi
}

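Review bot: The new `CHART_VERSION` default is never applied: `if [-z "${CHART_VERSION}"]; then` lacks the spaces inside the brackets, so bash looks for a command named `[-z`, the test fails, and the assignment is skipped (a failing `if` condition does not trip `set -e`, so this is silent); it should read `if [ -z "${CHART_VERSION}" ]; then`. With the variable unset, `K8S_GMSA_CHART` expands to `$GITHUB_WORKSPACE/charts//gmsa`, which passes the non-empty check in `_deploy_chart` and only surfaces as a `helm install` path error. Since `CHART_VERSION` is interpolated into a filesystem path unvalidated, a guard such as `[ -f "$GITHUB_WORKSPACE/charts/$CHART_VERSION/gmsa/Chart.yaml" ] || { echo "unknown chart version: $CHART_VERSION"; exit 1; }` before calling make would give a clearer failure. The enclosing `run_integration_tests` function starts and ends outside the shown hunks.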
21 changes: 19 additions & 2 deletions charts/index.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,24 @@ entries:
gmsa:
- apiVersion: v2
appVersion: 0.4.0
created: "2022-04-10T13:16:01.700697-04:00"
created: "2022-05-25T10:13:21.364962697-04:00"
description: Windows GMSA Configuration
digest: 0316e3e42d32faf3ff426bf8b603c16f6e141550bb341e397ba68b2310840ea1
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
name: gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
urls:
- latest/gmsa-0.4.1.tgz
version: 0.4.1
- apiVersion: v2
appVersion: 0.4.0
created: "2022-05-25T10:13:21.366099651-04:00"
description: Windows GMSA Configuration
digest: 7f29d22ba85d90a18e5b9c4e1a7d9ba1149d5827a2ca37b9a6fe1966e3598767
keywords:
Expand All @@ -18,4 +35,4 @@ entries:
urls:
- v0.4.0/gmsa-0.4.0.tgz
version: 0.4.0
generated: "2022-04-10T13:16:01.700137-04:00"
generated: "2022-05-25T10:13:21.364389967-04:00"
Binary file added charts/latest/gmsa-0.4.1.tgz
Binary file not shown.
13 changes: 13 additions & 0 deletions charts/latest/gmsa/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 0.4.0
description: Windows GMSA Configuration
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
name: gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
version: 0.4.1
9 changes: 9 additions & 0 deletions charts/latest/gmsa/app-readme.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# Windows GMSA Admission Webhook

This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).

## Prerequisites

- Active Directory that support Group Managed Service Accounts
- A Group Managed Service Account
- Kubernetes v1.21+
46 changes: 46 additions & 0 deletions charts/latest/gmsa/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}

{{/* Create chart name and version as used by the chart label. */}}
{{- define "gmsa.chartref" -}}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- end }}

{{/* Determine apiVersion for cert-manager */}}
{{- define "cert-manager.apiversion" -}}
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
{{- end }}

{{- define "certificates.cabundle"}}
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
{{- if lt (len $secret) 1 -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- else -}}
{{- if not (hasKey $secret "data") -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
{{- end -}}
{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
{{- end -}}
{{- end -}}
{{- get $secret.data "ca.crt" }}
{{- else -}}
INSERT_CERTIFICATE_FROM_SECRET
{{- end -}}
{{- end }}

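Review bot: The last `else if` branch of `cert-manager.apiversion` detects the legacy group `certmanager.k8s.io/v1alpha1` but emits `apiVersion: cert-manager.io/v1alpha1`, so a cluster that only serves the legacy group gets a resource in a group it does not have; the emitted line should match what was detected, `apiVersion: certmanager.k8s.io/v1alpha1`. The final `else` silently falls back to `cert-manager.io/v1` when nothing matched, which hides a missing cert-manager install until apply time; `{{ fail "cert-manager API not found; set certificates.certManager.version" }}` would be more explicit, though the fallback may be deliberate for `helm template`. In `certificates.cabundle` the error message lists `tls.cert` while the check is for `tls.crt`; align the message with the key actually required. The `lookup` on ClusterRole is apparently used to detect a live cluster, and deserves a comment such as `{{/* lookup returns empty under helm template/--dry-run; emit a placeholder there instead of failing */}}`, since `INSERT_CERTIFICATE_FROM_SECRET` otherwise reads like a leftover.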
16 changes: 16 additions & 0 deletions charts/latest/gmsa/templates/clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# the RBAC role that the webhook needs to:
# * read GMSA custom resources
# * check authorizations to use GMSA cred specs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
rules:
- apiGroups: ["windows.k8s.io"]
resources: ["gmsacredentialspecs"]
verbs: ["get", "use"]
- apiGroups: ["authorization.k8s.io"]
resources: ["localsubjectaccessreviews"]
verbs: ["create"]

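Review bot: The ClusterRole (and its binding) is cluster-scoped but named only `{{ .Release.Name }}`, so two releases with the same name in different namespaces collide and the second install silently rewrites the first's RBAC; `name: {{ .Release.Name }}-{{ .Release.Namespace }}` avoids that (the binding's `metadata.name` and `roleRef.name` must change to match). The `use` verb on `gmsacredentialspecs` is granted to the webhook's own service account, yet the header comment says authorization is checked through `localsubjectaccessreviews`; if the webhook only reads the spec and asks the API server whether the pod's service account may use it, `use` can likely be dropped from this role in the spirit of least privilege — worth confirming against the webhook code, which is not in this diff.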
15 changes: 15 additions & 0 deletions charts/latest/gmsa/templates/clusterrolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# bind that role to the webhook's service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels: {{ include "gmsa.chartref" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{.Release.Namespace}}
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}
apiGroup: rbac.authorization.k8s.io

119 changes: 119 additions & 0 deletions charts/latest/gmsa/templates/crds/crds.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: gmsacredentialspecs.windows.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
spec:
group: windows.k8s.io
versions:
- name: v1alpha1
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
conversion:
strategy: None
names:
kind: GMSACredentialSpec
plural: gmsacredentialspecs
scope: Cluster

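Review bot: The CRD is placed under `templates/crds/` rather than the chart's top-level `crds/` directory, so Helm treats it as an ordinary templated resource: `helm uninstall` deletes it, and with it every `GMSACredentialSpec` in the cluster, and `helm upgrade` re-applies it. If that lifecycle is intended (e.g. so upgrades can manage the CRD), say so in a header comment, `# NOTE: kept under templates/ so helm upgrade manages this CRD; helm uninstall removes all GMSACredentialSpec objects`, and consider `annotations: helm.sh/resource-policy: keep` to protect existing specs. Neither schema declares `required`, so an empty `credspec` is accepted on create, and `Sid`/`Guid` are free-form strings with no `pattern`; that may be deliberate, but it means malformed specs are not rejected at admission of the CR itself.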
24 changes: 24 additions & 0 deletions charts/latest/gmsa/templates/credentialspec.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{{- if .Values.credential.enabled -}}
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
name: {{ lower .Values.credential.domainJoinConfig.machineAccountName }} #This is an arbitrary name but it will be used as a reference
labels: {{ include "gmsa.chartref" . | nindent 4 }}
credspec:
ActiveDirectoryConfig:
GroupManagedServiceAccounts:
- Name: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
- Name: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
Scope: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
CmsPlugins:
- ActiveDirectory
DomainJoinConfig:
DnsName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name Root
Guid: {{ .Values.credential.domainJoinConfig.guid }} #GUID
MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
Sid: {{ .Values.credential.domainJoinConfig.sid }} #SID of GMSA
{{- end -}}

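Review bot: The values for `Name`, `Scope`, `DnsName`, `DnsTreeName`, `Guid`, `MachineAccountName`, `NetBiosName` and `Sid` are rendered unquoted, so a NetBIOS name such as `ON` or `YES` becomes a YAML boolean and any value containing `:` or `#` breaks the document; piping each through `| quote` (e.g. `Sid: {{ .Values.credential.domainJoinConfig.sid | quote }}`) renders them as strings regardless of content. The object name is `lower machineAccountName`, and if the configured value carries the trailing `$` that machine accounts commonly have, the result is not a valid DNS-1123 subdomain and the API server rejects the resource; `{{ lower (trimSuffix "$" .Values.credential.domainJoinConfig.machineAccountName) }}` handles that, or document that the value must be supplied without it. Since this resource is cluster-scoped and referenced by name from pod specs, a header comment stating that would help operators choose a stable `machineAccountName`.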