Install Azure Key Vault gMSA plugin if configured

[jsturtevant]

What this PR does / why we need it:

This installs the key vault ccg plugin on Azure VMs. This allows for Windows gMSA to be used without domain joining the host. It will allow for CAPZ cluster to pass the gMSA upstream windows tests.

I put this into its own role because eventually there could be other gMSA providers and although at first glance this seems like it could only be used by Azure, other providers could potentially interact and store things in Azure keyvault and this would enable that scenario. Some of the registration scripts could eventually be shared as well.

Which issue(s) this PR fixes (optional, in fixes #(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #

Additional context
Add any other context for the reviewers

/sig windows
/assign @marosset @knabben

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsturtevant

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• images/capi/OWNERS [jsturtevant]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stuartpreston]

@jsturtevant There definitely will be other CCG plugins ;) - for example we have one prototyped which is a little bit more generic that we will also want to deploy on Azure (not AKS) at some point - unless the CCG/Keyvault plugin is built in the open and we could contribute to that instead? Anyway with that in mind I wonder if that changes any of the naming choices especially around the role naming?

[jsturtevant]

looks like the goss commands failed which is interesting since the VM (that i built with this) has the setting correct. Looking into it

[jsturtevant]

@jsturtevant There definitely will be other CCG plugins ;) - for example we have one prototyped which is a little bit more generic that we will also want to deploy on Azure (not AKS) at some point - unless the CCG/Keyvault plugin is built in the open and we could contribute to that instead?

Great to hear! It is not opensource right now but will pass on the feedback.

Anyway with that in mind I wonder if that changes any of the naming choices especially around the role naming?

Good point, this plugin works as long as you have connection to Keyvault not only in AKS, so the file name shouldn't be gmsa_aks.yml but instead gmsa_keyvault. I left it generic everywhere else but it makes more sense to make it generic key-vault.

[jsturtevant]

@stuartpreston good news! the gmsa plugin is available at https://github.com/microsoft/Azure-Key-Vault-Plugin-gMSA 🥳

[jsturtevant]

looks like the goss commands failed which is interesting since the VM (that i built with this) has the setting correct. Looking into it

I had a few typos in the powershell commands. Fixed

[marosset]

yuck... It would be nice use an MSI or something to install this so we don't need to do any of this privilege escalation in powershell.
I'm not sure how feasible that is tho...

[jsturtevant]

left a note here: microsoft/Azure-Key-Vault-Plugin-gMSA#2 (comment)

[marosset]

thanks for the updates.

Powershell code looks good to me (except it would be nice if we didn't need to have any of it!)

[jsturtevant]

sigs failure was #766
/retest

[knabben]

more a question - will this value be the default?
the plugin is going to always be installed until the user pass gmsa_keyvault_url="" ??

[jsturtevant]

At this time, it is only configured to install by default for Azure VM images.

[marosset]

Should tihs URL be https://kubernetesartifacts.azureedge.net/ccgakvplugin/v1.1.4/binaries/windows-gmsa-ccgakvplugin-v1.1.4.zip
?

[jsturtevant]

updated

[knabben]

lgtm

will defer the last approve for @marosset

[marosset]

/lgtm

[jsturtevant]

/retest

[jsturtevant]

looks like a different flake than previous on OVA
/retest