Creating a Helm chart and repository for GMSA.
Created a Helm chart for GMSA that supports installing the CRD, CertManager, and the Admission webhook. This also makes this repository a Helm chart repo.

Signed-off-by: Jamie Phillips <[email protected]>

Fixed many things.
phillipsj committed Feb 8, 2022
1 parent 9fa8e91 commit 48617ad
Showing 19 changed files with 511 additions and 0 deletions.
7 changes: 7 additions & 0 deletions CONTRIBUTING.md
@@ -16,6 +16,13 @@ If your repo has certain guidelines for contribution, put them here ahead of the
- [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
- [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet.md) - Common resources for existing developers

## Generating Helm Charts and Index

When a chart needs to be updated, create the new version and the chart information. Run helm pack, then generate a new Helm chart index.yaml with the following command.

```Bash
helm repo index --url https://raw.githubusercontent.com/kubernetes-sigs/windows-gmsa/master/charts .
```
## Mentorship

- [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!
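Review bot: `helm pack` in the new "Generating Helm Charts and Index" paragraph is not a Helm subcommand; the command that builds the chart archive is `helm package`. The `helm repo index` invocation as written rebuilds `index.yaml` from the `.tgz` files it finds under `.`, so it only stays correct while every previously published archive remains in the tree; if an archive is ever moved or removed, run `helm repo index --merge index.yaml --url https://raw.githubusercontent.com/kubernetes-sigs/windows-gmsa/master/charts .` so earlier entries are kept. Spelling out the full sequence (package into `charts/<version>/`, then `cd charts` and run the index command there) would make the instructions reproducible for contributors.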
4 changes: 4 additions & 0 deletions admission-webhook/make/helm.mk
@@ -0,0 +1,4 @@
.PHONY: install-helm
install-helm:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
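Review bot: `curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash` executes whatever is on the `master` branch at the moment the target runs, with no version pin and no verification of the script itself, so the toolchain this Makefile installs is neither reproducible nor protected against a changed or compromised script running with the caller's privileges. At minimum use `curl -fsSL` so a failed download does not pipe an error page into `bash`, and pin the Helm release through the script's `--version` flag (`... | bash -s -- --version <release>`). Preferably download the script to a file, compare it against a known checksum, and only then execute it.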

50 changes: 50 additions & 0 deletions charts/README.md
@@ -0,0 +1,50 @@
# Install Windows GMSA with Helm 3

## Prerequisites
- [install Helm](https://helm.sh/docs/intro/quickstart/#install-helm)

### Tips


### install a specific version
```console
helm repo add windows-gmsa https://raw.githubusercontent.com/windows-gmsa/gmsa/master/charts
helm install windows-gmsa/gmsa --namespace kube-system --version v0.3.0
```

### search for all available chart versions
```console
helm search repo -l gmsa
```

## uninstall Windows GMSA
```console
helm uninstall gmsa -n kube-system
```

## latest chart configuration

The following table lists the configurable parameters of the latest GMSA chart and default values.

| Parameter | Description | Default |
|-------------------------------------------------------|-------------------------------------------------------------------|-------------------------------------------------------|
| `certificates.certManager.enabled` | enable cert manager integration | `true` |
| `certificates.certManager.version` | version of cert manager | |
| `certificates.caBundle` | cert-manager disabled, add self-signed ca.crt in base64 format | |
| `certificates.secretName` | cert-manager disabled, upload certs data as k8s secretName | `gmsa-server-cert` |
| `credential.enabled ` | enable creation of GMSA Credential | `true` |
| `credential.domainJoinConfig.dnsName` | DNS Domain Name | |
| `credential.domainJoinConfig.dnsTreeName` | DNS Domain Name Root | |
| `credential.domainJoinConfig.guid` | GUID | |
| `credential.domainJoinConfig.machineAccountName` | username of the GMSA account | |
| `credential.domainJoinConfig.netBiosName` | NETBIOS Domain Name | |
| `credential.domainJoinConfig.sid` | SID | |
| `image.repository` | image repository | `sigwindowstools/k8s-gmsa-webhook` |
| `image.tag` | image tag | `v0.3.0` |
| `image.imagePullPolicy` | image pull policy | `IfNotPresent` |
| `global.systemDefaultRegistry ` | container registry | |
| `tolerations` | tolerations | [] |

## troubleshooting
- Add `--wait -v=5 --debug` in `helm install` command to get detailed error
- Use `kubectl describe` to acquire more info
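Review bot: the `helm repo add` URL under "install a specific version" (`https://raw.githubusercontent.com/windows-gmsa/gmsa/master/charts`) does not match the repository this commit publishes, `https://raw.githubusercontent.com/kubernetes-sigs/windows-gmsa/master/charts` (the URL used in CONTRIBUTING.md and in index.yaml), so the documented command cannot find the index. The `helm install windows-gmsa/gmsa --namespace kube-system --version v0.3.0` line also omits a release name, which `helm install` requires unless `--generate-name` is passed; because the templates derive the ServiceAccount, ClusterRole, ClusterRoleBinding and Deployment names from `.Release.Name` and the uninstall section assumes a release called `gmsa`, it should read `helm install gmsa windows-gmsa/gmsa --namespace kube-system --version 0.3.0`, matching the `0.3.0` version string in index.yaml. Smaller points: the "### Tips" heading is empty, and the table lists `credential.domainJoinConfig.dnsTreeName` although credentialspec.yaml never reads that key.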
21 changes: 21 additions & 0 deletions charts/index.yaml
@@ -0,0 +1,21 @@
apiVersion: v1
entries:
gmsa:
- apiVersion: v2
appVersion: 0.3.0
created: "2022-02-06T13:46:51.4153248-05:00"
description: Windows GMSA Configuration
digest: 4e455b1af147cbf858def41ccd11bc74f43c324e7a9efd4fdc0dee9ff7cddb74
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
name: gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
urls:
- https://raw.githubusercontent.com/kubernetes-sigs/windows-gmsa/master/charts/v0.3.0/gmsa-0.3.0.tgz
version: 0.3.0
generated: "2022-02-06T13:46:51.413394-05:00"
Binary file added charts/v0.3.0/gmsa-0.3.0.tgz
13 changes: 13 additions & 0 deletions charts/v0.3.0/gmsa/Chart.yaml
@@ -0,0 +1,13 @@
apiVersion: v2
appVersion: 0.3.0
description: Windows GMSA Configuration
keywords:
- Windows
- Windows GMSA
- GMSA
- Active Directory
name: gmsa
sources:
- https://github.com/kubernetes-sigs/windows-gmsa
type: application
version: 0.3.0
9 changes: 9 additions & 0 deletions charts/v0.3.0/gmsa/app-readme.md
@@ -0,0 +1,9 @@
# Windows GMSA Admission Webhook

This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).

## Prerequisites

- Active Directory that support Group Managed Service Accounts
- A Group Managed Service Account
- Kubernetes v1.21+
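Review bot: "Active Directory that support Group Managed Service Accounts" should read "An Active Directory domain that supports Group Managed Service Accounts". The opening sentence also says the chart creates the Credential unconditionally, whereas credentialspec.yaml renders it only when `credential.enabled` is true; mention that toggle and the `credential.domainJoinConfig.*` values it needs, so a user with an existing cred spec knows to disable it.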
6 changes: 6 additions & 0 deletions charts/v0.3.0/gmsa/templates/_helpers.tpl
@@ -0,0 +1,6 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}

16 changes: 16 additions & 0 deletions charts/v0.3.0/gmsa/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
# the RBAC role that the webhook needs to:
# * read GMSA custom resources
# * check authorizations to use GMSA cred specs
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
- apiGroups: ["windows.k8s.io"]
resources: ["gmsacredentialspecs"]
verbs: ["get", "use"]
- apiGroups: ["authorization.k8s.io"]
resources: ["localsubjectaccessreviews"]
verbs: ["create"]
15 changes: 15 additions & 0 deletions charts/v0.3.0/gmsa/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
# bind that role to the webhook's service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{.Release.Namespace}}
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}
apiGroup: rbac.authorization.k8s.io
119 changes: 119 additions & 0 deletions charts/v0.3.0/gmsa/templates/crds/crds.yaml
@@ -0,0 +1,119 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: gmsacredentialspecs.windows.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/689-windows-gmsa"
spec:
group: windows.k8s.io
versions:
- name: v1alpha1
served: true
storage: false
deprecated: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
credspec:
description: GMSA Credential Spec
type: object
properties:
ActiveDirectoryConfig:
type: object
properties:
GroupManagedServiceAccounts:
type: array
items:
type: object
properties:
Name:
type: string
Scope:
type: string
HostAccountConfig:
type: object
properties:
PluginGUID:
type: string
PluginInput:
type: string
PortableCcgVersion:
type: string
CmsPlugins:
type: array
items:
type: string
DomainJoinConfig:
type: object
properties:
DnsName:
type: string
DnsTreeName:
type: string
Guid:
type: string
MachineAccountName:
type: string
NetBiosName:
type: string
Sid:
type: string
conversion:
strategy: None
names:
kind: GMSACredentialSpec
plural: gmsacredentialspecs
scope: Cluster
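Review bot: the CRD sits under `templates/crds/` rather than the chart's top-level `crds/` directory, so Helm treats it as an ordinary release resource: `helm uninstall gmsa` deletes `gmsacredentialspecs.windows.k8s.io` and with it every `GMSACredentialSpec` in the cluster, and on a fresh cluster the first install can fail with `no matches for kind "GMSACredentialSpec"` because Helm validates all rendered manifests (including the one in credentialspec.yaml) against the API server before applying any of them. Moving the file to `crds/` makes Helm install the CRD before rendering templates and never upgrade or delete it, which is the safer default for a cluster-scoped credential type. If keeping it in templates is intentional, document that in app-readme.md and add the `helm.sh/resource-policy: keep` annotation so uninstall does not cascade to the credential specs.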

24 changes: 24 additions & 0 deletions charts/v0.3.0/gmsa/templates/credentialspec.yaml
@@ -0,0 +1,24 @@
{{- if .Values.credential.enabled -}}
apiVersion: windows.k8s.io/v1
kind: GMSACredentialSpec
metadata:
name: {{ lower .Values.credential.domainJoinConfig.machineAccountName }} #This is an arbitrary name but it will be used as a reference
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
credspec:
ActiveDirectoryConfig:
GroupManagedServiceAccounts:
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }} #Username of the GMSA account
Scope: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
- Name: {{ .Values.credential.domainJoinConfig.machineAccountNamename }} #Username of the GMSA account
Scope: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
CmsPlugins:
- ActiveDirectory
DomainJoinConfig:
DnsName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name
DnsTreeName: {{ .Values.credential.domainJoinConfig.dnsName }} #DNS Domain Name Root
Guid: {{ .Values.credential.domainJoinConfig.guid }} #GUID
MachineAccountName: {{ .Values.credential.domainJoinConfig.machineAccountName }} #Username of the GMSA account
NetBiosName: {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
Sid: {{ .Values.credential.domainJoinConfig.sid }} #SID of GMSA
{{- end -}}
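Review bot: both `Name:` entries under `GroupManagedServiceAccounts` reference `.Values.credential.domainJoinConfig.machineAccountNamename` (doubled `name`), a key that appears nowhere in the values table, so they render as empty `Name:` fields; they should use `.Values.credential.domainJoinConfig.machineAccountName` as the `MachineAccountName:` line already does. `DnsTreeName:` is also wired to `dnsName` even though the README documents a separate `credential.domainJoinConfig.dnsTreeName` value; use that key. Because `credential.enabled` defaults to true and none of these values has a default, a bare `helm install` emits a cred spec with empty fields; wrap them in `required` (for example `{{ required "credential.domainJoinConfig.sid is required" .Values.credential.domainJoinConfig.sid }}`) and pipe them through `quote` so a SID or GUID is never reinterpreted by YAML. The fields themselves are identifiers rather than secrets (no password material appears in the template), so chart values are an acceptable place for them.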
60 changes: 60 additions & 0 deletions charts/v0.3.0/gmsa/templates/deployment.yaml
@@ -0,0 +1,60 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name}}
namespace: {{.Release.Namespace}}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
serviceAccountName: {{ .Release.Name }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Release.Name }}
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
readinessProbe:
httpGet:
scheme: HTTPS
path: /health
port: 443
ports:
- containerPort: 443
volumeMounts:
- name: tls
mountPath: "/tls"
readOnly: true
env:
- name: TLS_KEY
value: /tls/key
- name: TLS_CRT
value: /tls/crt
volumes:
- name: tls
secret:
secretName: {{ .Values.certificates.secretName }}
items:
- key: tls.key
path: key
- key: tls.crt
path: crt
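Review bot: the pod spec sets no `securityContext` and no resource requests or limits, so the webhook container runs with the runtime's defaults (root, writable root filesystem, default capability set) and can be scheduled with no guaranteed CPU or memory. For a component on the pod admission path, add at least `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` (the process binds port 443, so confirm the image can do that as non-root or move the container port above 1024 and keep 443 on the Service), plus requests and limits. `replicas: 1` also means any pod restart takes the webhook offline, and depending on the `failurePolicy` of the webhook configuration (not in this file) that either blocks or silently skips admission of the pods it gates; expose `replicas` as a value. Minor: `{{ .Release.Name}}` and `{{.Release.Namespace}}` lack the spaces inside the braces used elsewhere in the chart.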

0 comments on commit 48617ad
