Install Azure Key Vault gMSA plugin if configured #835
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jsturtevant. The full list of commands accepted by this bot can be found here. The pull request process is described here.
@jsturtevant There definitely will be other CCG plugins ;) - for example we have one prototyped which is a little bit more generic that we will also want to deploy on Azure (not AKS) at some point - unless the CCG/Keyvault plugin is built in the open and we could contribute to that instead? Anyway with that in mind I wonder if that changes any of the naming choices especially around the role naming?
looks like the goss commands failed which is interesting since the VM (that I built with this) has the setting correct. Looking into it
Great to hear! It is not opensource right now but will pass on the feedback.
Good point, this plugin works as long as you have a connection to Keyvault, not only in AKS, so the file name shouldn't be
@stuartpreston good news! the gmsa plugin is available at https://github.com/microsoft/Azure-Key-Vault-Plugin-gMSA 🥳
fae7863 to 2cb4bb0
I had a few typos in the powershell commands. Fixed
# limitations under the License. | ||
|
||
# script modified from https://github.com/Azure/AgentBaker/blob/8d5323f3b1a622d558e624e5a6b0963229f80b2a/staging/cse/windows/configfunc.ps1 under MIT | ||
function Enable-Privilege { |
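Review bot: the "script modified from ... under MIT" attribution line sits directly under an Apache-style "# limitations under the License." header, so this file now carries code under two licenses; include the MIT copyright and permission notice text next to the attribution rather than only the pinned AgentBaker URL. Since Enable-Privilege adjusts the process's privileges (as the review thread notes), also document which privilege it enables and drop it again once plugin registration completes, so the elevated state is scoped to that one step.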
yuck... It would be nice to use an MSI or something to install this so we don't need to do any of this privilege escalation in powershell.
I'm not sure how feasible that is though...
left a note here: microsoft/Azure-Key-Vault-Plugin-gMSA#2 (comment)
Resolved (outdated) review threads on images/capi/ansible/windows/roles/gmsa/files/install-keyvault-gmsa.ps1
f205b4a to bb9cbd7
thanks for the updates. Powershell code looks good to me (except it would be nice if we didn't need to have any of it!)
sigs failure was #766
@@ -194,6 +196,7 @@ | |||
"cloudbase_plugins_unattend": "cloudbaseinit.plugins.common.mtu.MTUPlugin", | |||
"containerd_url": "", | |||
"containerd_version": null, | |||
"gmsa_keyvault_url": "https://acs-mirror.azureedge.net/ccgakvplugin/v1.1.4/binaries/windows-gmsa-ccgakvplugin-v1.1.4.zip", |
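Review bot: gmsa_keyvault_url defaults to a versioned download URL (v1.1.4) with no accompanying checksum variable; because the downloaded zip is installed with elevated privileges, pin an expected SHA256 beside the URL and verify the archive before registering the plugin, and state in the variable's documentation how the default is turned off (the question in this thread is whether setting it to "" is the mechanism).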
more a question - will this value be the default?
the plugin is going to always be installed until the user passes gmsa_keyvault_url=""?
At this time, it is only configured to install by default for Azure VM images.
updated
lgtm will defer the last approve for @marosset
7d77474 to cc26db5
Resolved review thread on images/capi/ansible/windows/roles/gmsa/files/install-gmsa-keyvault-plugin.ps1
cc26db5 to 624f89e
624f89e to 1310a49
/lgtm
/retest
looks like a different flake than previous on OVA
What this PR does / why we need it:
This installs the key vault ccg plugin on Azure VMs. This allows for Windows gMSA to be used without domain joining the host. It will allow for CAPZ clusters to pass the gMSA upstream windows tests.
I put this into its own role because eventually there could be other gMSA providers and although at first glance this seems like it could only be used by Azure, other providers could potentially interact and store things in Azure keyvault and this would enable that scenario. Some of the registration scripts could eventually be shared as well.
/sig windows
/assign @marosset @knabben
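As an added example (not the PR's own role tasks), this is how a gMSA role can gate the plugin install on the `gmsa_keyvault_url` variable discussed in the review and verify the downloaded archive before the elevated install script runs. The `gmsa_keyvault_sha256` variable, the temp paths and the `install-gmsa-keyvault-plugin.ps1` invocation are assumptions for illustration.

```yaml
# Added example: conditional, integrity-checked install of the Key Vault gMSA CCG plugin.
# gmsa_keyvault_url is the variable from the PR; everything else is assumed.
- name: Install Azure Key Vault gMSA plugin only when a URL is configured
  when: gmsa_keyvault_url | default('') | length > 0
  block:
    - name: Download plugin archive and verify its pinned SHA256
      ansible.windows.win_get_url:
        url: "{{ gmsa_keyvault_url }}"
        dest: "{{ ansible_env.TEMP }}\\gmsa-ccgakvplugin.zip"
        # Hypothetical variable: the expected digest for the pinned plugin version.
        # win_get_url fails the task if the downloaded file does not match.
        checksum: "{{ gmsa_keyvault_sha256 }}"
        checksum_algorithm: sha256

    - name: Extract plugin archive to a staging directory
      community.windows.win_unzip:
        src: "{{ ansible_env.TEMP }}\\gmsa-ccgakvplugin.zip"
        dest: "{{ ansible_env.TEMP }}\\gmsa-ccgakvplugin"
        delete_archive: true

    - name: Copy the registration script from the role
      ansible.windows.win_copy:
        src: install-gmsa-keyvault-plugin.ps1
        dest: "{{ ansible_env.TEMP }}\\install-gmsa-keyvault-plugin.ps1"

    # The privilege-adjusting registration step is the only elevated action;
    # it runs after the archive has already been integrity-checked.
    - name: Register the CCG plugin
      ansible.windows.win_shell: >-
        {{ ansible_env.TEMP }}\install-gmsa-keyvault-plugin.ps1
        -PluginDir "{{ ansible_env.TEMP }}\gmsa-ccgakvplugin"
      args:
        executable: powershell.exe

    - name: Remove staged files once registration is complete
      ansible.windows.win_file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ ansible_env.TEMP }}\\gmsa-ccgakvplugin"
        - "{{ ansible_env.TEMP }}\\install-gmsa-keyvault-plugin.ps1"
```

Setting `gmsa_keyvault_url: ""` in the image variables skips the whole block, which answers the "always installed?" question from the review in the role itself rather than in documentation alone.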