Creating a Helm chart and repository for GMSA.

.github/workflows/build.yaml

@@ -100,3 +100,16 @@ jobs:
         NUM_NODES: 0
         WITHOUT_ENVSUBST: 1
         EXTRA_GMSA_DEPLOY_ARGS: --tolerate-master
+  chart-integration:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16
+    - id: test-runner
+      uses: ./.github/actions/tests
+      env:
+        T: integration
+        DEPLOY_METHOD: chart

CONTRIBUTING.md

@@ -16,6 +16,13 @@ If your repo has certain guidelines for contribution, put them here ahead of the
 - [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
 - [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet.md) - Common resources for existing developers
 
+## Generating Helm Charts and Index
+
+When a chart needs to be updated, create the new version and the chart information. Run helm pack, then generate a new Helm chart index.yaml with the following command.
+
+```Bash
+helm repo index --url https://raw.githubusercontent.com/kubernetes-sigs/windows-gmsa/master/charts .
+```
 ## Mentorship
 
 - [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!

admission-webhook/Makefile

@@ -37,6 +37,9 @@ unit_tests:
 .PHONY: integration_tests
 integration_tests: image_build deploy_webhook run_integration_tests
 
+.PHONY: integration_tests_chart
+integration_tests_chart: image_build deploy_chart run_integration_tests
+
 .PHONY: integration_tests_with_dev_image
 integration_tests_with_dev_image: image_build_dev deploy_dev_webhook run_integration_tests
 

admission-webhook/make/dev_cluster.mk

@@ -1,8 +1,10 @@
 # K8S version can be overriden
 # see available versions at https://hub.docker.com/r/kindest/node/tags
-KUBERNETES_VERSION ?= 1.21.1
+KUBERNETES_VERSION ?= 1.23.4
 # see https://github.com/kubernetes-sigs/kind/releases
-KIND_VERSION = 0.11.0
+KIND_VERSION = 0.12.0
+# https://github.com/helm/helm/releases
+HELM_VERSION ?= 3.8.0
 
 CLUSTER_NAME ?= windows-gmsa-dev
 DEPLOYMENT_NAME ?= windows-gmsa-dev
@@ -24,7 +26,7 @@ ifeq ($(KUBECTL),)
 KUBECTL = $(DEV_DIR)/kubectl-$(KUBERNETES_VERSION)
 endif
 
-KUBECONFIG = ~/.kube/kind-config-$(CLUSTER_NAME)
+KUBECONFIG?="~/.kube/kind-config-$(CLUSTER_NAME)"
 
 # starts a new kind cluster (see https://github.com/kubernetes-sigs/kind)
 .PHONY: cluster_start
@@ -37,8 +39,8 @@ cluster_start: $(KIND) $(KUBECTL)
 	KUBECONFIG=$(KUBECONFIG) $(KUBECTL) delete -n kube-system deployment.apps/coredns || true
 	# kind removes the taint on master when NUM_NODES is 0 - but we do want to test that case too!
 	KUBECONFIG=$(KUBECONFIG) $(KUBECTL) taint node $(CLUSTER_NAME)-control-plane 'node-role.kubernetes.io/master=true:NoSchedule' --overwrite
-	@ echo -e 'Cluster started, KUBECONFIG available at $(KUBECONFIG), eg\nexport KUBECONFIG=$(KUBECONFIG)'
-	@ $(MAKE) cluster_symlinks
+	#@ echo -e 'Cluster started, KUBECONFIG available at $(KUBECONFIG), eg\nexport KUBECONFIG=$(KUBECONFIG)'
+	#@ $(MAKE) cluster_symlinks
 
 # removes the kind cluster
 .PHONY: cluster_clean

admission-webhook/make/helm.mk

@@ -0,0 +1,57 @@
+HELM = $(shell which helm 2> /dev/null)
+HELM_URL = https://get.helm.sh/helm-v$(HELM_VERSION)-$(UNAME)-amd64.tar.gz
+
+ifeq ($(HELM),)
+HELM = $(DEV_DIR)/HELM-$(HELM_VERSION)
+endif
+
+.PHONY: install-helm
+install-helm:
+	curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+
+.PHONY: helm-chart
+helm-chart:
+	$(HELM) package ../charts/$(VERSION)/gmsa -d ../charts/$(VERSION)
+
+.PHONY: helm-index
+helm-index:
+	$(HELM) repo index ../charts
+
+.PHONY: helm-lint
+helm-lint:
+	$(HELM) lint ../charts/$(VERSION)/gmsa
+
+# deploys the chart to the kind cluster with the release image
+.PHONY: deploy_chart
+deploy_chart: install-helm
+	K8S_GMSA_IMAGE=$(IMAGE_NAME) $(MAKE) _deploy_chart
+
+# removes the chart from the kind cluster
+.PHONY: remove_chart
+remove_chart:
+	KUBECONFIG=$(KUBECONFIG) $(HELM) uninstall $(DEPLOYMENT_NAME)
+
+# deploys the webhook to the kind cluster using helm
+# if $K8S_GMSA_DEPLOY_METHOD is set to "download", then it will deploy by downloading
+# the deploy script as documented in the README, using $K8S_GMSA_DEPLOY_CHART_REPO and
+# $K8S_GMSA_DEPLOY_CHART_VERSION env variables to build the download URL. If VERSION is
+# not set then latest is used.
+.PHONY: _deploy_chart
+_deploy_chart:  _deploy_certmanager
+ifeq ($(K8S_GMSA_CHART),)
+	@ echo "Cannot call target $@ without setting K8S_GMSA_CHART"
+	exit 1
+endif
+	mkdir -p $(dir $(MANIFESTS_FILE))
+	@ echo "installing helm deployment $(DEPLOYMENT_NAME) with chart $(K8S_GMSA_CHART) and image $(IMAGE_REPO):$(VERSION)"
+	KUBECONFIG=$(KUBECONFIG) $(HELM) version
+	KUBECONFIG=$(KUBECONFIG) $(HELM) install $(DEPLOYMENT_NAME) --set image.repository=$(IMAGE_REPO) --set image.tag=$(VERSION) $(K8S_GMSA_CHART)
+
+.PHONY: _deploy_certmanager
+_deploy_certmanager: remove_certmanager
+	KUBECONFIG=$(KUBECONFIG) $(KUBECTL) create namespace cert-manager
+	KUBECONFIG=$(KUBECONFIG) $(KUBECTL) apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.1/cert-manager.yaml
+
+.PHONY: remove_certmanager
+remove_certmanager:
+	KUBECONFIG=$(KUBECONFIG) $(KUBECTL) delete namespace cert-manager || true

admission-webhook/run-ci.sh

@@ -29,10 +29,13 @@ run_integration_tests() {
         sudo rm -f "$(command -v envsubst)"
     fi
 
+    export DEPLOYMENT_NAME=windows-gmsa-dev
+    export NAMESPACE=windows-gmsa-dev
+
     if [[ "$DEPLOY_METHOD" == 'download' ]]; then
         export K8S_GMSA_DEPLOY_METHOD='download'
 
-        if [ "GITHUB_HEAD_REF" ]; then
+        if [ "$GITHUB_HEAD_REF" ]; then
             # GITHUB_HEAD_REF is only set if it's a pull request
             export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="$GITHUB_REPOSITORY"
             export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$GITHUB_SHA"
@@ -45,9 +48,29 @@ run_integration_tests() {
         fi
     fi
 
-    export DEPLOYMENT_NAME=windows-gmsa-dev
-    export NAMESPACE=windows-gmsa-dev
+    if [[ "$DEPLOY_METHOD" == 'chart' ]]; then
+       export K8S_GMSA_DEPLOY_METHOD='chart'
+
+       if [ "$GITHUB_HEAD_REF" ]; then
+           # GITHUB_HEAD_REF is only set if it's a pull request
+           # Similar logic goes here, but installs the chart using the repo.
+           export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="$GITHUB_REPOSITORY"
+           export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$GITHUB_SHA"
+           echo "Running pull request: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
+       else
+           # not a pull request
+           # Installs the chart using the local copy.
+           export K8S_GMSA_DEPLOY_DOWNLOAD_REPO="kubernetes-sigs/windows-gmsa"
+           export K8S_GMSA_DEPLOY_DOWNLOAD_REV="$(git rev-parse HEAD)"
+           echo "Running: $K8S_GMSA_DEPLOY_DOWNLOAD_REPO $K8S_GMSA_DEPLOY_DOWNLOAD_REV"
+
+           export K8S_GMSA_CHART=$GITHUB_WORKSPACE/charts/v0.4.0/gmsa
+           make integration_tests_chart
+           exit 
+       fi
+    fi
 
+
     if [ "$WITH_DEV_IMAGE" ]; then
         make integration_tests_with_dev_image
 

charts/README.md

@@ -0,0 +1,50 @@
+# Install Windows GMSA with Helm 3
+
+## Prerequisites
+- [install Helm](https://helm.sh/docs/intro/quickstart/#install-helm)
+
+### Tips
+
+
+### install a specific version
+```console
+helm repo add windows-gmsa https://raw.githubusercontent.com/windows-gmsa/gmsa/master/charts
+helm install windows-gmsa/gmsa --namespace kube-system --version v0.3.0
+```
+
+### search for all available chart versions
+```console
+helm search repo -l gmsa
+```
+
+## uninstall Windows GMSA
+```console
+helm uninstall gmsa -n kube-system
+```
+
+## latest chart configuration
+
+The following table lists the configurable parameters of the latest GMSA chart and default values.
+
+| Parameter                                             | Description                                                       | Default                                               |
+|-------------------------------------------------------|-------------------------------------------------------------------|-------------------------------------------------------|
+| `certificates.certManager.enabled`                    | enable cert manager integration                                   | `true`                                                |
+| `certificates.certManager.version`                    | version of cert manager                                           |                                                       |
+| `certificates.caBundle`                               | cert-manager disabled, add self-signed ca.crt in base64 format    |                                                       |
+| `certificates.secretName`                             | cert-manager disabled, upload certs data as k8s secretName        | `gmsa-server-cert`                                    |
+| `credential.enabled `                                 | enable creation of GMSA Credential                                | `true`                                                |
+| `credential.domainJoinConfig.dnsName`                 | DNS Domain Name                                                   |                                                       |
+| `credential.domainJoinConfig.dnsTreeName`             | DNS Domain Name Root                                              |                                                       |
+| `credential.domainJoinConfig.guid`                    | GUID                                                              |                                                       |
+| `credential.domainJoinConfig.machineAccountName`      | username of the GMSA account                                      |                                                       |
+| `credential.domainJoinConfig.netBiosName`             | NETBIOS Domain Name                                               |                                                       |
+| `credential.domainJoinConfig.sid`                     | SID                                                               |                                                       |
+| `image.repository`                                    | image repository                                                  | `sigwindowstools/k8s-gmsa-webhook`                    |
+| `image.tag`                                           | image tag                                                         | `v0.3.0`                                              |
+| `image.imagePullPolicy`                               | image pull policy                                                 | `IfNotPresent`                                        |
+| `global.systemDefaultRegistry `                       | container registry                                                |                                                       |
+| `tolerations`                                         | tolerations                                                       | []                                                    |
+
+## troubleshooting
+- Add `--wait -v=5 --debug` in `helm install` command to get detailed error
+- Use `kubectl describe` to acquire more info

charts/index.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+entries:
+  gmsa:
+  - apiVersion: v2
+    appVersion: 0.4.0
+    created: "2022-04-10T13:16:01.700697-04:00"
+    description: Windows GMSA Configuration
+    digest: 7f29d22ba85d90a18e5b9c4e1a7d9ba1149d5827a2ca37b9a6fe1966e3598767
+    keywords:
+    - Windows
+    - Windows GMSA
+    - GMSA
+    - Active Directory
+    name: gmsa
+    sources:
+    - https://github.com/kubernetes-sigs/windows-gmsa
+    type: application
+    urls:
+    - v0.4.0/gmsa-0.4.0.tgz
+    version: 0.4.0
+generated: "2022-04-10T13:16:01.700137-04:00"

charts/v0.4.0/gmsa/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+appVersion: 0.4.0
+description: Windows GMSA Configuration
+keywords:
+- Windows
+- Windows GMSA
+- GMSA
+- Active Directory
+name: gmsa
+sources:
+- https://github.com/kubernetes-sigs/windows-gmsa
+type: application
+version: 0.4.0

charts/v0.4.0/gmsa/app-readme.md

@@ -0,0 +1,9 @@
+# Windows GMSA Admission Webhook
+
+This chart creates the GMSA CRD, Credential, and Admission Webhook. The official documentation and tutorials can be found [here](https://github.com/kubernetes-sigs/windows-gmsa).
+
+## Prerequisites
+
+- Active Directory that support Group Managed Service Accounts
+- A Group Managed Service Account
+- Kubernetes v1.21+

charts/v0.4.0/gmsa/templates/_helpers.tpl

@@ -0,0 +1,46 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "gmsa.chartref" -}}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end }}
+
+{{/* Determine apiVersion for cert-manager */}}
+{{- define "cert-manager.apiversion" -}}
+  {{- $certmanagerVer :=  split "." .Values.certificates.certManager.version -}}
+  {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+  {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha1
+  {{- else }}
+apiVersion: cert-manager.io/v1
+  {{- end }}
+{{- end }}
+
+{{- define "certificates.cabundle"}}
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
+{{- if lt (len $secret) 1 -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- else -}}
+{{- if not (hasKey $secret "data") -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- end -}}
+{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
+{{- end -}}
+{{- end -}}
+{{- get $secret.data "ca.crt" }}
+{{- else -}}
+INSERT_CERTIFICATE_FROM_SECRET
+{{- end -}}
+{{- end }}
+

charts/v0.4.0/gmsa/templates/clusterrole.yaml

@@ -0,0 +1,16 @@
+# the RBAC role that the webhook needs to:
+#  * read GMSA custom resources
+#  * check authorizations to use GMSA cred specs
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
+rules:
+  - apiGroups: ["windows.k8s.io"]
+    resources: ["gmsacredentialspecs"]
+    verbs: ["get", "use"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["localsubjectaccessreviews"]
+    verbs: ["create"]
+

charts/v0.4.0/gmsa/templates/clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+# bind that role to the webhook's service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{.Release.Namespace}}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}
+  apiGroup: rbac.authorization.k8s.io
+