Test dependencies

This commit is contained in:
2023-02-22 21:24:42 +01:00
commit f2b0a5e7c7
429 changed files with 20330 additions and 0 deletions

4
ansible/windows/OWNERS Normal file

@ -0,0 +1,4 @@
# See the OWNERS docs at https://go.k8s.io/owners
approvers:
- image-builder-windows-maintainers


@ -0,0 +1,48 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is from packer documentation:
# https://www.packer.io/docs/provisioners/ansible.html#winrm-communicator
# https://www.packer.io/docs/builders/amazon/ebs#connecting-to-windows-instances-using-winrm
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
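Review bot: The listener setup at the top removes the HTTP listener (`Remove-Item -Path WSMan:\Localhost\listener\listener*`) and creates only an HTTPS one, yet the `winrm set` block still enables `AllowUnencrypted="true"` on both service and client, `Basic="true"`, and `CredSSP="true"`, none of which an HTTPS-only listener needs, and `Set-ExecutionPolicy Unrestricted -Scope LocalMachine` is applied persistently. If these are required by the packer ansible provisioner during the build, that should be stated, and the image's cleanup/sysprep step (not visible in this commit) should revert them before capture; otherwise the two `AllowUnencrypted` lines and the `CredSSP` line can be dropped. At minimum add a header comment such as `# Build-time only: Basic/AllowUnencrypted/CredSSP are widened for the packer ansible provisioner and must be reverted before the image is captured`.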


@ -0,0 +1,38 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
kubernetes_base_url: https://dl.k8s.io/release/v1.19.2/bin/windows/amd64
cloudbase_init_url: https://github.com/cloudbase/cloudbase-init/releases/download/1.1.2/CloudbaseInitSetup_1_1_2_x64.msi
wins_url: https://github.com/rancher/wins/releases/download/v0.0.4/wins.exe
nssm_url: https://azurek8scishared.blob.core.windows.net/nssm/nssm.exe
gmsa_keyvault_url: https://kubernetesartifacts.azureedge.net/ccgakvplugin/v1.1.4/binaries/windows-gmsa-ccgakvplugin-v1.1.4.zip
runtime: docker-ee
docker_ee_version: "19.03.12"
kubernetes_install_path: 'c:\k'
windows_service_manager: 'nssm'
pause_image: "registry.k8s.io/pause:3.9"
load_additional_components: true
additional_registry_images: true
additional_registry_images_list: "docker.io/sigwindowstools/flannel:0.12.0, docker.io/sigwindowstools/kube-proxy:v1.19.2"
prepull: false
distribution_version: 2019
cloudbase_metadata_services: "cloudbaseinit.metadata.services.azureservice.AzureService, cloudbaseinit.metadata.services.ovfservice.OvfService"
cloudbase_plugins: "cloudbaseinit.plugins.common.ephemeraldisk.EphemeralDiskPlugin, cloudbaseinit.plugins.common.userdata.UserDataPlugin, cloudbaseinit.plugins.common.localscripts.LocalScriptsPlugin"
cloudbase_metadata_services_unattend: "cloudbaseinit.metadata.services.azureservice.AzureService, cloudbaseinit.metadata.services.ovfservice.OvfService"
cloudbase_plugins_unattend: "cloudbaseinit.plugins.common.mtu.MTUPlugin"
debug_tools: true
additional_debug_files: "https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hack/DebugWindowsNode.ps1"


@ -0,0 +1,105 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
vars:
node_custom_roles_pre: ""
node_custom_roles_post: ""
custom_role_names: ""
tasks:
- name: Check if cloudbase-init url is set
set_fact:
install_cloudbase_init: '{{ true if (cloudbase_init_url is defined) and (cloudbase_init_url|length > 0) else false }}'
- name: Check if wins url is set
set_fact:
use_wins: '{{ true if (wins_url is defined) and (wins_url|length > 0) else false }}'
# https://docs.ansible.com/ansible/latest/user_guide/windows_performance.html
- name: Optimise powershell
win_shell: |
function Optimize-PowershellAssemblies {
# NGEN powershell assembly, improves startup time of powershell by 10x
$old_path = $env:path
try {
$env:path = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
[AppDomain]::CurrentDomain.GetAssemblies() | % {
if (! $_.location) {continue}
$Name = Split-Path $_.location -leaf
if ($Name.startswith("Microsoft.PowerShell.")) {
Write-Progress -Activity "Native Image Installation" -Status "$name"
ngen install $_.location | % {"`t$_"}
}
}
} finally {
$env:path = $old_path
}
}
Optimize-PowershellAssemblies
become: yes
become_method: runas
become_user: SYSTEM
- name: Get Install Drive
win_shell: $env:SYSTEMDRIVE
register: systemdrive
- name: Get Program Files Directory
win_shell: $env:ProgramFiles
register: programfiles
- name: Get All Users profile path
win_shell: $env:ALLUSERSPROFILE.Replace("\", "\\")
register: alluserprofile
- name: Get TEMP Directory
win_shell: $env:TEMP
register: tempdir
- include_role:
name: "{{ role }}"
loop: "{{ node_custom_roles_pre.split() }}"
loop_control:
loop_var: role
when: node_custom_roles_pre != ""
- include_role:
name: systemprep
- include_role:
name: cloudbase-init
when: install_cloudbase_init
- include_role:
name: providers
- include_role:
name: runtimes
- include_role:
name: kubernetes
- include_role:
name: gmsa
- include_role:
name: load_additional_components
when: load_additional_components | bool
- include_role:
name: debug
- include_role:
name: "{{ role }}"
loop: "{{ custom_role_names.split() + node_custom_roles_post.split() }}"
loop_control:
loop_var: role
when: custom_role_names != "" or node_custom_roles_post != ""
environment:
HTTP_PROXY: "{{ http_proxy | default('') }}"
HTTPS_PROXY: "{{ https_proxy | default('') }}"
NO_PROXY: "{{ no_proxy | default('') }}"


@ -0,0 +1,53 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download Cloudbase-init
win_get_url:
url: "{{ cloudbase_init_url }}"
dest: '{{ tempdir.stdout | trim }}\CloudbaseInitSetup.msi'
register: installer
retries: 5
delay: 3
until: installer is not failed
- name: Ensure log directory
win_file:
path: '{{ systemdrive.stdout | trim }}\logs'
state: directory
- name: Install Cloudbase-init
win_package:
path: '{{ installer.dest }}'
log_path: '{{ systemdrive.stdout | trim }}\logs\cloudbase-install-log-{{lookup("pipe", "date +%Y%m%dT%H%M%S")}}.log'
# configuration modified from https://github.com/cloudbase/windows-openstack-imaging-tools/tree/master/Examples/config/azure
- name: Set up cloudbase-init unattend configuration
win_template:
src: templates/cloudbase-init-unattend.conf
dest: '{{ programfiles.stdout | trim }}\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init-unattend.conf'
# configuration modified from https://github.com/cloudbase/windows-openstack-imaging-tools/tree/master/Examples/config/azure
- name: Set up cloudbase-init configuration
win_template:
src: templates/cloudbase-init.conf
dest: '{{ programfiles.stdout | trim }}\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf'
- name: Configure set up complete
win_shell: |
# If this file already exists then the following command fails
Remove-Item -Force {{ systemdrive.stdout | trim }}\Windows\Setup\Scripts\SetupComplete.cmd
& "{{ programfiles.stdout | trim }}\Cloudbase Solutions\Cloudbase-Init\bin\SetSetupComplete.cmd"
become: yes
become_method: runas
become_user: System
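Review bot: The `Remove-Item -Force ...\Windows\Setup\Scripts\SetupComplete.cmd` line in `Configure set up complete` is commented as handling the case where the file already exists, but on a fresh image the file is normally absent, and `Remove-Item` on a missing path emits an error; whether that fails the `win_shell` task depends on the module's error-preference handling, which I can't confirm from here. Make the intent explicit with `Remove-Item -Force -ErrorAction SilentlyContinue '{{ systemdrive.stdout | trim }}\Windows\Setup\Scripts\SetupComplete.cmd'`, or guard it with `Test-Path`. Quoting the path also keeps it consistent with the quoted `&` invocation on the following line.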


@ -0,0 +1,28 @@
[DEFAULT]
# This configuration with SetUserPasswordPlugin and CreateUserPlugin will create a user capi
# and generate a 123 charater random password. SSH can be configred on the machine to enable access.
username=capi
groups=Administrators
inject_user_password=false
user_password_length=123
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings={{ cloudbase_logging_serial_port }}
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services={{ cloudbase_metadata_services_unattend }}
plugins={{ cloudbase_plugins_unattend }}
allow_reboot=false
stop_service_on_exit=false
check_latest_version=false


@ -0,0 +1,36 @@
[DEFAULT]
# This configuration with SetUserPasswordPlugin and CreateUserPlugin will create a user capi
# and generate a 123 charater random password. SSH can be configred on the machine to enable access.
username=capi
groups=Administrators
inject_user_password=false
user_password_length=123
first_logon_behaviour=no
rename_admin_user=true
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings={{ cloudbase_logging_serial_port }}
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
san_policy=OnlineAll
trim_enabled=True
metadata_report_provisioning_started=True
metadata_report_provisioning_completed=True
ephemeral_disk_volume_label="Temporary Storage"
netbios_host_name_compatibility={{ netbios_host_name_compatibility }}
metadata_services={{ cloudbase_metadata_services }}
plugins=cloudbaseinit.plugins.common.userdata.UserDataPlugin,
{{ cloudbase_plugins }}


@ -0,0 +1,27 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
debug_files:
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/collectlogs.ps1"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/dumpVfpPolicies.ps1"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/portReservationTest.ps1"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/starthnstrace.cmd"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/startpacketcapture.cmd"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/stoppacketcapture.cmd"
- "https://github.com/Microsoft/SDN/raw/master/Kubernetes/windows/debug/VFP.psm1"
- "https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/helper.psm1"
- "https://github.com/Microsoft/SDN/raw/master/Kubernetes/windows/hns.psm1"
- "https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hack/DebugWindowsNode.ps1"
additional_debug_files_list: "{{ additional_debug_files.split(',') if (additional_debug_files is defined) and (additional_debug_files|length > 0) else [] }}"


@ -0,0 +1,33 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Add debug tools directory
win_file:
path: '{{ kubernetes_install_path }}\debug'
state: directory
when: (debug_tools | default(true) | bool) or (additional_debug_files_list|length > 0)
- name: Get debug files
win_get_url:
url: '{{ item }}'
dest: '{{ kubernetes_install_path }}\debug\'
loop: '{{ debug_files }}'
when: debug_tools | default(true)|bool
- name: Get additional debug files
win_get_url:
url: '{{ item }}'
dest: '{{ kubernetes_install_path }}\debug\'
loop: "{{ additional_debug_files_list }}"
when: additional_debug_files_list|length > 0


@ -0,0 +1,16 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
gmsa_keyvault: '{{ true if (gmsa_keyvault_url is defined) and (gmsa_keyvault_url | length > 0) else false }}'


@ -0,0 +1,134 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# script modified from https://github.com/Azure/AgentBaker/blob/8d5323f3b1a622d558e624e5a6b0963229f80b2a/staging/cse/windows/configfunc.ps1 under MIT
$ErrorActionPreference = 'Stop'
function Enable-Privilege {
param($Privilege)
$Definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege) {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
IntPtr.Zero);
return retVal;
}
}
'@
$ProcessHandle = (Get-Process -id $pid).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege)
}
function Aquire-Privilege {
param($Privilege)
write-output "Acquiring the $Privilege privilege"
$enablePrivilegeResponse=$false
for($i = 0; $i -lt 10; $i++) {
write-output "Retry $i : Trying to enable the $Privilege privilege"
$enablePrivilegeResponse = Enable-Privilege -Privilege "$Privilege" -ErrorAction 'Continue'
if ($enablePrivilegeResponse) {
break
}
Start-Sleep 1
}
if(!$enablePrivilegeResponse) {
write-output "Failed to enable the $Privilege privilege."
exit 1
}
}
# Enable the PowerShell privilege to set the registry permissions.
Aquire-Privilege -Privilege "SeTakeOwnershipPrivilege"
# Set the registry permissions.
write-output "Setting GMSA plugin registry permissions"
try {
$ccgKeyPath = "System\CurrentControlSet\Control\CCG\COMClasses"
$owner = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
$ccgKeyPath,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$acl = $key.GetAccessControl()
$originalOwner = $acl.owner
$acl.SetOwner($owner)
$key.SetAccessControl($acl)
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
$ccgKeyPath,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
$owner,
[System.Security.AccessControl.RegistryRights]::FullControl,
[System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
} catch {
write-output "Failed to set GMSA plugin registry permissions. $_"
exit 1
}
# Set the appropriate registry values.
try {
write-output "Setting the appropriate GMSA plugin registry values"
reg.exe import "registerplugin.reg"
} catch {
write-output "Failed to set GMSA plugin registry values. $_"
exit 1
}
write-output "Restore original access to registry key"
$acl = $key.GetAccessControl()
$acl.RemoveAccessRule($rule)
$acl.SetOwner([System.Security.Principal.NTAccount]$originalowner)
Aquire-Privilege -Privilege "SeRestorePrivilege"
$key.SetAccessControl($acl)
$key.close()
write-output "Successfully installed the GMSA plugin"
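Review bot: `reg.exe import "registerplugin.reg"` inside the second try block is a native command, so in Windows PowerShell a non-zero exit does not raise an error and the catch never runs; the script then proceeds to `Restore original access to registry key` and prints success even when the import failed. Check the exit code explicitly, `if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }`, and resolve the .reg file relative to the script rather than the caller's working directory, `reg.exe import (Join-Path $PSScriptRoot 'registerplugin.reg')`. Separately, both `exit 1` paths after the ACL change leave the `System\CurrentControlSet\Control\CCG\COMClasses` key owned by BUILTIN\Administrators with the added FullControl rule, because the restore block only runs on the success path; moving the restore into a `finally` (or calling it from the catch blocks) would return the key to its original ACL on failure too. The function name `Aquire-Privilege` is also misspelled (`Acquire`).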


@ -0,0 +1,64 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download gMSA Key Vault plugin
win_get_url:
url: '{{ gmsa_keyvault_url }}'
dest: '{{ tempdir.stdout | trim }}\windows-gmsa-ccgakvplugin.zip'
async: 1800
poll: 60
retries: 5
delay: 3
register: gmsadownload
until: gmsadownload is not failed
- name: Unzip gMSA Key Vault Archive
win_unzip:
src: '{{ gmsadownload.dest }}'
dest: '{{ kubernetes_install_path }}'
recurse: no
delete_archive: yes
- name: Copy gMSA Key Vault plugin to System32
win_shell: |
Move-Item -Force -Path {{ kubernetes_install_path }}\CCGAKVPlugin.dll -Destination {{ systemdrive.stdout | trim }}\Windows\System32\
# This is done via a script because Ansible doesn't have the ability to take ownership of registry keys
# The script enables the privilege for the process running and modifies the reg keys. Once process exits it no longer has privileges
# See https://groups.google.com/g/ansible-project/c/5Bt7jgq6ZFA/m/_XJtVzmhBwAJ
- name: Copy gMSA Key Vault installer file
win_copy:
src: install-gmsa-keyvault-plugin.ps1
dest: '{{ kubernetes_install_path }}'
- name: Register gMSA Key Vault plugin
win_shell: |
{{ kubernetes_install_path }}\install-gmsa-keyvault-plugin.ps1
- name: Install registry CCG logging manifest
win_shell: |
wevtutil.exe um {{ kubernetes_install_path }}\CCGEvents.man
wevtutil.exe im {{ kubernetes_install_path }}\CCGEvents.man
- name: Install registry Key Vault plugin logging manifest
win_shell: |
wevtutil.exe um {{ kubernetes_install_path }}\CCGAKVPluginEvents.man
wevtutil.exe im {{ kubernetes_install_path }}\CCGAKVPluginEvents.man
- name: Clean up gMSA install files
win_shell: |
Remove-Item {{ kubernetes_install_path }}\CCGEvents.man
Remove-Item {{ kubernetes_install_path }}\CCGAKVPluginEvents.man
Remove-Item {{ kubernetes_install_path }}\registerplugin.reg
Remove-Item {{ kubernetes_install_path }}\install-gmsa-keyvault-plugin.ps1
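Review bot: `Download gMSA Key Vault plugin` fetches `gmsa_keyvault_url` with no `checksum`, and the unpacked `CCGAKVPlugin.dll` is then moved into `System32` and registered through `registerplugin.reg`, so whatever the URL serves at build time becomes a system-level COM component baked into the image. `win_get_url` supports `checksum` and `checksum_algorithm`; add a `gmsa_keyvault_sha256` variable next to `gmsa_keyvault_url` in the role defaults and pass `checksum: '{{ gmsa_keyvault_sha256 }}'` with `checksum_algorithm: sha256`. The same applies to the other `win_get_url` tasks in this commit (the cloudbase-init MSI, nssm, the kubernetes binaries in url.yml, wins.exe and the debug scripts), and the debug-file defaults additionally reference `master` rather than a tag or commit, so their content can change after this review.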


@ -0,0 +1,17 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: gmsa_keyvault.yml
when: gmsa_keyvault | bool


@ -0,0 +1,18 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
kubernetes_bins:
- kubeadm
- kubectl
- kubelet


@ -0,0 +1,58 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create kubelet directory structure
win_file:
path: "{{ item }}"
state: directory
loop:
- '{{ systemdrive.stdout | trim }}\var\log\kubelet'
- '{{ systemdrive.stdout | trim }}\etc\kubernetes'
- '{{ systemdrive.stdout | trim }}\etc\kubernetes\manifests'
- '{{ systemdrive.stdout | trim }}\etc\kubernetes\pki'
# this is required in 1.22 and below due to invalid absolute path handling
# https://github.com/kubernetes-sigs/image-builder/issues/853
- name: Symlink kubelet pki folder
win_shell: New-Item -path $env:SystemDrive\var\lib\kubelet\etc\kubernetes\pki -type SymbolicLink -value $env:SystemDrive\etc\kubernetes\pki\ -Force
when: kubernetes_semver is version('v1.23.0', '<')
- import_tasks: nssm.yml
when: windows_service_manager == "nssm"
- import_tasks: sc.yml
when: windows_service_manager == "windows_service"
# Dependency selection: https://www.reddit.com/r/ansible/comments/imfdgn/setting_a_variable_conditionally/g41anaf/?utm_source=reddit&utm_medium=web2x&context=3
- name: Ensure kubelet is installed
win_service:
name: kubelet
dependencies: [ "{{ runtime_service }}" ]
start_mode: auto
vars:
dependencies:
containerd: containerd
docker-ee: docker
default: docker
runtime_service: "{{ dependencies[runtime] | default(dependencies['docker']) }}"
- name: Add firewall rule for kubelet
win_firewall_rule:
name: kubelet
localport: 10250
action: allow
direction: in
protocol: tcp
state: present
enabled: yes
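Review bot: In `Ensure kubelet is installed`, the fallback `default(dependencies['docker'])` names a key the `dependencies` map does not have (its keys are `containerd`, `docker-ee` and `default`), so for an unrecognised `runtime` the default expression is itself undefined and the task errors instead of falling back; change it to `runtime_service: "{{ dependencies[runtime] | default(dependencies['default']) }}"`. Calling the task-scoped map `dependencies` while the `win_service` parameter is also `dependencies` makes the task hard to read; a name like `runtime_service_map` would be clearer. `Symlink kubelet pki folder` conditions on `kubernetes_semver`, which none of the vars files in this commit's visible sections define, so presumably it comes from the packer variables — a short comment saying where it is set would help.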


@ -0,0 +1,31 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create kubernetes directory structure
win_file:
path: '{{ kubernetes_install_path }}'
state: directory
- import_tasks: url.yml
- name: Add kubernetes folder to path
win_path:
elements:
- '{{ kubernetes_install_path }}'
scope: Machine
- import_tasks: kubelet.yml
- import_tasks: wins.yml
when: use_wins


@ -0,0 +1,39 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download nssm
win_get_url:
url: '{{ nssm_url }}'
dest: '{{ kubernetes_install_path }}\'
retries: 5
delay: 3
register: nssm_download
until: nssm_download is not failed
- name: Create kubelet start file for nssm
win_template:
src: templates/StartKubelet.ps1
dest: '{{ kubernetes_install_path }}\StartKubelet.ps1'
- name: Install kubelet via nssm
win_nssm:
name: kubelet
start_mode: auto
state: present
application: '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'
arguments: '-ExecutionPolicy Bypass -NoProfile {{ kubernetes_install_path }}\StartKubelet.ps1'
app_rotate_bytes: 10485760
stderr_file: '{{ systemdrive.stdout | trim }}\var\log\kubelet\kubelet.err.log'
stdout_file: '{{ systemdrive.stdout | trim }}\var\log\kubelet\kubelet.log'
app_rotate_online: 1


@ -0,0 +1,27 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Install kubelet as a windows service
# Requires --windows-service flag: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/cmd/kubelet/app/options/osflags_windows.go#L26
# Does not support kubeadm KUBELET_KUBEADM_ARGS which is used by Cluster API to pass extra user args
- name: Set dockershim args
set_fact:
additional_kubelet_args: "--image-pull-progress-deadline=20m --network-plugin=cni"
when: runtime == "docker-ee" and kubernetes_semver is version('v1.24.0', '<')
- name: Install kubelet as service
win_service:
name: kubelet
start_mode: manual
path: '{{ kubernetes_install_path }}\kubelet.exe --windows-service --cert-dir={{ systemdrive.stdout | trim }}/var/lib/kubelet/pki --config={{ systemdrive.stdout | trim }}/var/lib/kubelet/config.yaml --bootstrap-kubeconfig={{ systemdrive.stdout | trim }}/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig={{ systemdrive.stdout | trim }}/etc/kubernetes/kubelet.conf --hostname-override=$(hostname) --pod-infra-container-image=`"{{ pause_image }}`" --enable-debugging-handlers --cgroups-per-qos=false --enforce-node-allocatable=`"`" --resolv-conf=`"`" --log-dir={{ systemdrive.stdout | trim }}/var/log/kubelet --logtostderr=false {{ additional_kubelet_args if additional_kubelet_args is defined }}'
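Review bot: The `path` in `Install kubelet as service` contains `$(hostname)` and backtick-escaped quotes (`--pod-infra-container-image=`"{{ pause_image }}`"`, `--enforce-node-allocatable=`"`"`, `--resolv-conf=`"`"`), which are PowerShell syntax; the service control manager launches the binary from this command line directly, without a shell, so kubelet would presumably receive them literally unless something outside this file rewrites the path. Resolve the hostname on the Ansible side instead, e.g. `--hostname-override={{ ansible_hostname }}`, and write the other flags plainly as `--pod-infra-container-image={{ pause_image }} --enforce-node-allocatable= --resolv-conf=`. The nssm variant avoids this by going through powershell.exe, which is worth stating in the header comment so the two paths are not expected to behave identically.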


@ -0,0 +1,24 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download kubernetes binaries
win_get_url:
url: "{{ kubernetes_base_url }}/{{ item }}.exe"
dest: '{{ kubernetes_install_path }}\'
loop: "{{ kubernetes_bins }}"
retries: 5
delay: 3
register: kubernetes_download
until: kubernetes_download is not failed


@ -0,0 +1,29 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Get wins
win_get_url:
url: '{{ wins_url }}'
dest: '{{ kubernetes_install_path }}'
retries: 5
delay: 3
register: wins_download
until: wins_download is not failed
- name: Register wins.exe
win_command: wins.exe srv app run --register
- name: Ensure that wins service is running
win_service:
name: rancher-wins
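Review bot: `Ensure that wins service is running` does not start anything: `win_service` with only `name: rancher-wins` queries the service and reports its state, so the task name promises more than the task does. Add `state: started` (and `start_mode: auto` if it must survive reboots, as the containerd service task in this commit sets). Separately, `win_command: wins.exe srv app run --register` invokes the binary by bare name, which presumably relies on `kubernetes_install_path` already being on the machine PATH at this point; `win_command: '{{ kubernetes_install_path }}\wins.exe srv app run --register'` removes that assumption.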


@ -0,0 +1,43 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# From https://github.com/kubernetes-sigs/sig-windows-tools/blob/master/kubeadm/scripts/PrepareNode.ps1
$FileContent = Get-Content -Path "/var/lib/kubelet/kubeadm-flags.env"
$kubeAdmArgs = $FileContent.TrimStart('KUBELET_KUBEADM_ARGS=').Trim('"')
$args = "--cert-dir=$env:SYSTEMDRIVE/var/lib/kubelet/pki",
"--config=$env:SYSTEMDRIVE/var/lib/kubelet/config.yaml",
"--bootstrap-kubeconfig=$env:SYSTEMDRIVE/etc/kubernetes/bootstrap-kubelet.conf",
"--kubeconfig=$env:SYSTEMDRIVE/etc/kubernetes/kubelet.conf",
"--hostname-override=$(hostname)",
"--pod-infra-container-image=`"{{ pause_image }}`"",
"--enable-debugging-handlers",
"--cgroups-per-qos=false",
"--enforce-node-allocatable=`"`"",
"--resolv-conf=`"`""
{% if runtime == "docker-ee" and kubernetes_semver is version('v1.24.0', '<') %}
{% raw %}
$netId = docker network ls -f name=host --format "{{ .ID }}"
{% endraw %}
if ($netId.Length -lt 1) {
docker network create -d nat host
}
$args += "--image-pull-progress-deadline=20m",
"--network-plugin=cni"
{% endif %}
$kubeletCommandLine = "{{ kubernetes_install_path }}\kubelet.exe " + ($args -join " ") + " $kubeAdmArgs"
Invoke-Expression $kubeletCommandLine
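Review bot: `$FileContent.TrimStart('KUBELET_KUBEADM_ARGS=')` on the second statement does not strip a prefix — `String.TrimStart` takes a set of characters and removes any leading run drawn from that set — and it only works today because the value starts with a `"` that is not in the set; `$kubeAdmArgs = ($FileContent -replace '^KUBELET_KUBEADM_ARGS=', '').Trim('"')` states the intent, and `Get-Content -Raw` guards against the file yielding an array on which `.TrimStart` would fail. `$args` is a PowerShell automatic variable (the script's unbound arguments), so rebinding it is fragile; `$kubeletArgs` avoids the shadowing. The closing `Invoke-Expression $kubeletCommandLine` re-parses a string that includes file content; invoking the executable directly, `& "{{ kubernetes_install_path }}\kubelet.exe" @kubeletArgs ($kubeAdmArgs -split ' ')`, keeps argument boundaries under the script's control (the embedded `` `" `` quoting that exists for the re-parse would then be dropped; hedged, this assumes no kubeadm flag value contains a space, which the existing `-join " "` already assumes).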


@ -0,0 +1,22 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
additional_registry_images: ""
additional_registry_images_list: ""
additional_url_images: ""
additional_url_images_list: ""
additional_executables: ""
additional_executables_list: ""
additional_executables_destination_path: ""


@ -0,0 +1,31 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create temporary download dir
win_file:
path: "{{ additional_executables_destination_path }}/"
state: directory
- name: Download additional executables
win_get_url:
url: "{{ item }}"
dest: "{{ additional_executables_destination_path }}/"
loop: "{{ additional_executables_list.split(',') }}"
async: 1800
poll: 60
retries: 5
delay: 3
register: download
until: download is not failed


@ -0,0 +1,22 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: executables.yml
when: additional_executables | bool
- import_tasks: registry.yml
when: additional_registry_images | bool
- import_tasks: url.yml
when: additional_url_images | bool


@ -0,0 +1,39 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Pull containerd additional images
win_shell: |
#refresh the path to ensure ansible sees update
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
ctr.exe -n k8s.io images pull {{ item }}
loop: "{{ additional_registry_images_list.split(',') }}"
async: 1800
poll: 60
retries: 5
delay: 3
register: pull
until: pull is not failed
when: runtime == "containerd"
- name: Pre-pull docker additional images
win_shell: docker pull {{ item }}
loop: "{{ additional_registry_images_list.split(',') }}"
async: 1800
poll: 60
retries: 5
delay: 3
register: pull
until: pull is not failed
when: runtime == "docker-ee"
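Review bot: `Pre-pull docker additional images` runs `docker pull {{ item }}` through `win_shell`, so each list entry is parsed by PowerShell before docker sees it, while the equivalent pre-pull in docker_ee.yml in this commit uses `win_command: docker pull {{ item }}`. `win_command` hands the entry over as arguments without shell interpretation and is the consistent choice here; the containerd task above genuinely needs the shell for its PATH refresh, this one does not. Both tasks also split on `,` without trimming, so a list written as `a, b` yields a name with a leading blank; `additional_registry_images_list.split(',') | map('trim') | list` is cheap insurance.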


@ -0,0 +1,83 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create temporary download dir
win_file:
path: '{{ tempdir.stdout | trim }}\images'
state: directory
when: runtime == "containerd"
- name: Download additional images from url
win_get_url:
url: "{{ item }}"
dest: '{{ tempdir.stdout | trim }}\images\'
register: images
loop: "{{ additional_url_images_list.split(',') }}"
async: 1800
poll: 60
retries: 5
delay: 3
when: runtime == "containerd"
- name: Load additional images to containerd
win_shell: |
Function DeGZip-File{
Param(
$infile,
$outfile = ($infile -replace '\.gz$','')
)
$input = New-Object System.IO.FileStream $inFile, ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::Read)
$output = New-Object System.IO.FileStream $outFile, ([IO.FileMode]::Create), ([IO.FileAccess]::Write), ([IO.FileShare]::None)
$gzipStream = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
$buffer = New-Object byte[](1024)
while($true){
$read = $gzipstream.Read($buffer, 0, 1024)
if ($read -le 0){break}
$output.Write($buffer, 0, $read)
}
$gzipStream.Close()
$output.Close()
$input.Close()
}
$file = "{{ item.dest }}"
$ext = $file.substring($file.length - 3, 3)
if ($ext -eq ".gz") {
DeGZip-File $file
$file = ($file -replace '\.gz$','')
}
#refresh the path to ensure ansible sees update
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
ctr.exe -n k8s.io images import --no-unpack $file
loop: "{{ images.results }}"
when: runtime == "containerd"
- name: Load additional docker images
win_shell: |
docker import {{ item }}
loop: "{{ additional_url_images_list.split(',') }}"
async: 1800
poll: 60
retries: 5
delay: 3
register: import
until: import is not failed
when: runtime == "docker"
- name: Remove downloaded files
win_file:
state: absent
path: '{{ tempdir.stdout | trim }}\images'
when: runtime == "containerd"
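Review bot: `when: runtime == "docker"` on `Load additional docker images` never matches: every other condition in this commit compares `runtime` against `"containerd"` or `"docker-ee"` (registry.yml and the runtime main.yml), so this branch is dead and images supplied via `additional_url_images_list` are silently skipped on docker-ee nodes. `when: runtime == "docker-ee"` aligns it with the rest of the role. In the `DeGZip-File` helper, `$input` is a PowerShell automatic variable (the pipeline input enumerator); assigning to it works inside a function body but is easy to misread, and `$inStream`/`$outStream` would name the two streams without the collision.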


@ -0,0 +1,15 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
packer_builder_type: ""


@ -0,0 +1,48 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create Azure wireserver access group
ansible.windows.win_group:
name: WireServerAccess
description: Controls access to the Azure WireServer
# AzureGuestAgent and Cloudbase-init need access to wireserver otherwise VM doesn't boot
# So we give the users access via the firewall security filters
# https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallsecurityfilter
#
# Permissions set on the Firewall rule:
# S-1-1-0 is Everyone. We mark this as Allow (A) to ensure the Block is enforced for all users other than on the exception list.
# S-1-5-18 is LocalSystem used by AzureGuestAgent. We mark this as Deny (D) to add to Block exception list.
# We also add the newly created group WireServerAccess to the block exception list and add Cloudbase-init user later.
#
# View the details of the SDDL string used with ConvertFrom-SddlString and see well known sids: https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
win_shell: |
$wsg = Get-LocalGroup -n "WireServerAccess"
$r = New-NetFirewallRule -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075' -Direction Outbound -RemoteAddress '168.63.129.16' -RemotePort '80' -Protocol TCP -Action Block
$r | Get-NetFirewallSecurityFilter | Set-NetFirewallSecurityFilter -LocalUser "O:LSD:(D;;CC;;;S-1-5-18)(D;;CC;;;$($wsg.SID.Value))(A;;CC;;;S-1-1-0)"
become: yes
become_method: runas
become_user: SYSTEM
- name: Add users to WireServerAccessGroup
ansible.windows.win_group_membership:
name: WireServerAccess
members:
- cloudbase-init
- name: Add additional users
ansible.windows.win_group_membership:
name: WireServerAccess
members: "{{ users }}"
vars:
users: "{{ wire_server_users.split(',') if (wire_server_users is defined) and (wire_server_users|length > 0) else [] }}"
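Review bot: `Block traffic to 168.63.129.16 port 80 for cve-2021-27075` is not idempotent: `New-NetFirewallRule` creates a new rule object on every run, so a re-run of the role leaves duplicate `Block-Outbound-...` rules, and only the newest one receives the `Set-NetFirewallSecurityFilter` call. Look the rule up first, `$r = Get-NetFirewallRule -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075' -ErrorAction SilentlyContinue`, call `New-NetFirewallRule` only when `$r` is null, and apply the security filter as now. The SDDL's only dynamic part is `$($wsg.SID.Value)`, so the entries read exactly as the comment block describes; keep that comment adjacent to the string if the task is restructured. `wire_server_users.split(',')` in the last task does not trim whitespace, so `a, b` would try to add a user named ` b`; `| map('trim') | list` fixes that.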


@ -0,0 +1,14 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include_tasks: azure.yml
when: packer_builder_type.startswith('azure')


@ -0,0 +1,28 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
pause_image: mcr.microsoft.com/oss/kubernetes/pause:3.9
containerd_additional_settings: ""
containerd_config_file: "config.toml"
prepull: false
prepull_images:
2019:
- mcr.microsoft.com/windows/servercore:ltsc2019
- mcr.microsoft.com/windows/nanoserver:1809
- "{{ pause_image }}"
2004:
- mcr.microsoft.com/windows/servercore:2004
- mcr.microsoft.com/windows/nanoserver:2004
- "{{ pause_image }}"


@ -0,0 +1,111 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download containerd
win_get_url:
url: '{{ containerd_url }}'
dest: '{{ tempdir.stdout | trim }}\containerd.tar.gz'
checksum: '{{ containerd_sha256 }}'
checksum_algorithm: "sha256"
url_timeout: 300
register: containerd
retries: 5
delay: 3
until: containerd is not failed
- name: Create containerd directory structure
win_file:
path: "{{ item }}"
state: directory
loop:
- '{{ programfiles.stdout | trim }}\containerd'
- '{{ alluserprofile.stdout | trim }}\containerd\state'
- '{{ alluserprofile.stdout | trim }}\containerd\root'
- '{{ systemdrive.stdout | trim }}/opt/cni/bin'
- '{{ systemdrive.stdout | trim }}/etc/cni/net.d'
- name: Check if containerd exists
win_stat:
path: '{{ programfiles.stdout | trim }}\containerd\containerd.exe'
register: containerd_file
- name: Unpack containerd binaries
win_command: cmd /c tar -zxvf {{ containerd.dest }} -C "{{ programfiles.stdout | trim }}\containerd" --strip-components 1
when: not containerd_file.stat.exists
- name: Add containerd to path
win_path:
elements:
- '{{ programfiles.stdout | trim }}\containerd'
scope: machine
- name: Copy containerd config file {{ containerd_config_file }}
win_template:
dest: '{{ programfiles.stdout | trim }}\containerd\config.toml'
src: "{{ containerd_config_file }}"
vars:
allusersprofile: "{{ alluserprofile.stdout | trim }}"
plugin_bin_dir: "{{ systemdrive.stdout | trim }}/opt/cni/bin"
plugin_conf_dir: "{{ systemdrive.stdout | trim }}/etc/cni/net.d"
# programfiles is C:\Program Files, but should be C:\\Program Files
# otherwise task Register Containerd fails with "invalid escape sequence: \P"
containerd_conf_dir: '{{ programfiles.stdout | trim | regex_replace("\\", "\\\\") }}\\\\containerd'
- name: Check if a Containerd service is installed
win_service:
name: containerd
register: containerd_service
- name: Register Containerd
win_shell: |
#refresh the path to ensure ansible sees update
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
containerd.exe --register-service
when: containerd_service.exists == false
# Enables DNS resolution of SMB shares
# https://github.com/kubernetes-sigs/windows-gmsa/issues/30#issuecomment-802240945
- name: Apply SMB Resolution Fix for containerd
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
state: present
name: EnableCompartmentNamespace
data: 1
type: dword
- name: Create Windows Defender Exclusions
win_shell: |
Add-MpPreference -ExclusionProcess "{{ programfiles.stdout | trim }}\containerd\containerd.exe"
Add-MpPreference -ExclusionProcess "{{ programfiles.stdout | trim }}\containerd\ctr.exe"
- name: Ensure Containerd Service is running
win_service:
name: containerd
start_mode: auto
state: started
- name: Pre-pull containerd images
win_shell: |
#refresh the path to ensure ansible sees update
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
ctr.exe -n k8s.io images pull {{ item }}
loop: "{{ images }}"
async: 1800
poll: 60
retries: 5
register: pull
until: pull is not failed
when: (prepull | bool)
vars:
images: "{{ prepull_images[distribution_version] | default([]) }}"
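Review bot: `Create Windows Defender Exclusions` adds process exclusions for `containerd.exe` and `ctr.exe`, which exempts every file those processes open — pulled image layers and container writable layers included — from real-time scanning, and the task carries no note on why or on that scope. A comment such as `# Process exclusions: files opened by containerd/ctr (image layers, container rootfs) are not scanned in real time; presumably for pull/extract performance — confirm` would tell the next maintainer what they are widening if they add to the list. Also, `when: containerd_service.exists == false` on `Register Containerd` reads better as `when: not containerd_service.exists`.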


@ -0,0 +1,45 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Requires license. If you running on Azure License is currently provided with Windows Server images.
- name: Install docker via OneGet
win_shell: |
Install-PackageProvider -Name DockerMsftProvider -Force -ForceBootstrap | Out-Null
$package = Find-Package -Name Docker -ProviderName DockerMsftProvider -RequiredVersion {{ docker_ee_version }}
$package | Install-Package -Force | Out-Null
- name: Start Docker Service
win_service:
name: docker
start_mode: auto
state: started
- name: Set up Docker Network
win_shell: |
$exists=docker network ls -f name=host -q
if (-not $exists) { docker network create -d nat host }
- name: Pre-pull docker images
win_command: docker pull {{ item }}
loop: "{{ images }}"
async: 1800
poll: 60
retries: 5
register: pull
until: pull is not failed
when: (prepull | bool)
vars:
images: "{{ prepull_images[distribution_version] | default([]) }}"
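Review bot: `Set up Docker Network` decides with `docker network ls -f name=host -q`, and docker's `name` filter matches on part of a name, so a pre-existing network whose name merely contains `host` suppresses creation of the nat network named `host`; the same check is repeated in StartKubelet.ps1 in this commit. Comparing names exactly is more robust: list them with `--format '{{ .Name }}'` and test `-contains 'host'` (inside a Jinja-templated file the placeholder needs a `{% raw %}` block, as the PowerShell template already does). A comment on `Install docker via OneGet` noting that `-ForceBootstrap` downloads the package-provider bootstrap bits from the internet, with only `docker_ee_version` pinned, would make that supply-chain dependency visible to whoever builds the image.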


@ -0,0 +1,19 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: containerd.yml
when: runtime == "containerd"
- import_tasks: docker_ee.yml
when: runtime == "docker-ee"


@ -0,0 +1,37 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
root = "{{ allusersprofile }}\\containerd\\root"
state = "{{ allusersprofile }}\\containerd\\state"
version = 2
{% if 'imports' not in containerd_additional_settings | b64decode %}
imports = ["{{ containerd_conf_dir }}\\conf.d\\*.toml"]
{% endif %}
[grpc]
address = "\\\\.\\pipe\\containerd-containerd"
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "{{ pause_image }}"
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "{{ plugin_bin_dir }}"
conf_dir = "{{ plugin_conf_dir }}"
{% if packer_builder_type.startswith('azure') %}
[plugins."io.containerd.grpc.v1.cri".registry.headers]
X-Meta-Source-Client = ["azure/capz"]
{% endif %}
{{containerd_additional_settings | b64decode}}
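Review bot: `{% if 'imports' not in containerd_additional_settings | b64decode %}` is a substring test over the whole decoded blob, so any occurrence of the word `imports` — in a comment line or inside a value — drops the default `imports = [...]` line and with it the `conf.d` drop-in directory. Test for an actual top-level assignment instead, e.g. `{% if not (containerd_additional_settings | b64decode) is search('(?m)^[ \t]*imports[ \t]*=') %}`. The trailing `{{containerd_additional_settings | b64decode}}` is emitted verbatim right after the `[plugins."io.containerd.grpc.v1.cri".cni]` table, so a blob that starts with bare keys rather than a table header has those keys land inside the cni table; a one-line comment above it stating that the blob must begin with a table header would prevent that surprise.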


@ -0,0 +1,17 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
windows_updates_kbs_numbers: "{{ windows_updates_kbs.split() if (windows_updates_kbs is defined) and (windows_updates_kbs|length > 0) else [] }}"
windows_updates_category_names: "{{ windows_updates_categories.split() if (windows_updates_categories is defined) and (windows_updates_categories|length > 0) else [] }}"
ssh_source_url: "{{ ssh_source_url if ssh_source_url is defined else ''}}"


@ -0,0 +1,179 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# This file was adapted from https://github.com/Azure/aks-engine/blob/master/vhd/packer/configure-windows-vhd.ps1 for ansible
- name: Remove Windows updates default registry settings
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
state: absent
delete_key: yes
- name: Add Windows update registry path
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
state: present
- name: Add Windows automatic update registry path
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
state: present
# https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry
- name: Disable Windows automatic updates in registry
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
state: present
name: NoAutoUpdate
data: 1
type: dword
- name: Set Windows automatic updates to notify only in registry
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
state: present
name: AUOptions
data: 2
type: dword
# Hyper-V messes with networking components on startup after the feature is enabled
# causing issues with communication over winrm and setting winrm to delayed start
# gives Hyper-V enough time to finish configuration before having packer continue.
- name: Set WinRm Service to delayed start
win_command: sc.exe config winrm start=delayed-auto
# Best effort to update defender signatures
# This can fail if there is already a signature
# update running which means we will get them anyways
# Also at the time the VM is provisioned Defender will trigger any required updates
- name: Update Windows Defender signatures
win_shell: |
$service = Get-Service "Windefend"
$service.WaitForStatus("Running","00:5:00")
Update-MpSignature
ignore_errors: yes
# Find KB Article numbers:
# - WS 2019 https://support.microsoft.com/en-us/help/4464619
# - WS 2022 https://support.microsoft.com/topic/windows-server-2022-update-history-e1caa597-00c5-4ab9-9f3e-8212fe80b2ee
# Task to install specific updates by KB. All categories are specified as the module
# won't install the update unless the category matches. Setting windows_updates_kbs_numbers to []
# will skip this task.
- name: Install Windows updates based on KB numbers
win_updates:
whitelist: "{{ windows_updates_kbs_numbers }}"
reboot: yes
category_names:
- Application
- Connectors
- CriticalUpdates
- DefinitionUpdates
- DeveloperKits
- Drivers
- FeaturePacks
- Guidance
- SecurityUpdates
- ServicePacks
- Tools
- UpdateRollups
- Updates
when: windows_updates_kbs_numbers|length > 0
# Task to install any outstanding updates that belong to specific categories. Setting
# windows_updates_category_names to [] will skip this task.
- name: Install Windows updates based on Categories
win_updates:
category_names: "{{ windows_updates_category_names }}"
reboot: yes
when: windows_updates_category_names|length > 0
- import_tasks: ssh-feature.yml
when: ssh_source_url == ""
- import_tasks: ssh-archive.yml
when: ssh_source_url != ""
- name: Set default SSH shell to Powershell
win_regedit:
path: HKLM:\SOFTWARE\OpenSSH
state: present
name: DefaultShell
data: '{{ systemdrive.stdout | trim }}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
type: string
- name: Create SSH program data folder
win_shell: If (-Not (Test-Path -Path "$env:ProgramData\ssh")) { mkdir "$env:ProgramData\ssh" }
- name: Enable ssh login without a password
win_shell: Add-Content -Path "$env:ProgramData\ssh\sshd_config" -Value "PasswordAuthentication no`nPubkeyAuthentication yes"
- name: Set SSH service startup mode to auto and ensure it is started
win_service:
name: sshd
start_mode: auto
state: started
# Apply HNS flags for fixes that need to be enabled via Registry
# these eventually get turned on automatically and can be removed in future releases
- name: Apply HNS control Flags 0x40 and 0x10 in 2022-11B patches
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
state: present
name: HNSControlFlag
data: 0x50
type: dword
when: distribution_version == "2019"
- name: Apply WCIFS fix
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\wcifs
state: present
name: WcifsSOPCountDisabled
data: 0
type: dword
when: distribution_version == "2019"
- name: Expand dynamic port range to 34000-65535 to avoid port exhaustion
win_shell: netsh int ipv4 set dynamicportrange tcp 34000 31536
- name: Add required Windows Features
win_feature:
name:
- Containers
- Hyper-V-PowerShell
state: present
register: win_feature
# Due to a limitation in some CNI plugins the Hyper-V role needs to be installed in order
# to use the VMSwitch Powershell Cmdlets.
# An issue has been logged to have the networking components to be split out but until
# that is complete, environments that do not support running a hypervisor require the
# below which skips the CPU check for Hypervisor support and still installs the VMSwitch Cmlets
# when disable_hypervisor is set to true
# https://github.com/microsoft/Windows-Containers/issues/80
- name: Add Hyper-V
win_shell: |
dism /online /enable-feature /featurename:Microsoft-Hyper-V /all /NoRestart
register: hyperv_installed
failed_when: hyperv_installed.rc != 1 and hyperv_installed.rc != 0
- name: Disable Hypervisor
win_shell: |
dism /online /disable-feature /featurename:Microsoft-Hyper-V-Online /NoRestart
when: (disable_hypervisor | default(false) | bool)
register: hypervisor_disabled
failed_when: hypervisor_disabled.rc != 1 and hypervisor_disabled.rc != 0
- name: Reboot
win_reboot:
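Review bot: `Enable ssh login without a password` appends `PasswordAuthentication no`/`PubkeyAuthentication yes` with `Add-Content` on every run, so re-runs duplicate the lines, and because sshd takes the first value it finds for each keyword, an earlier explicit `PasswordAuthentication yes` in the file would win over the appended `no` — the setting meant to make password logins impossible is not guaranteed to take effect. The task before it only creates the directory, so the file may not exist yet, and a line appended to an existing config lands after any `Match` block. `win_lineinfile` with a `regexp` and `insertbefore: BOF` sets each keyword exactly once and ahead of any `Match`; the path can reuse `alluserprofile.stdout` as ssh-archive.yml does for the `\ssh` directory.
```yaml
- name: Enable ssh login without a password
  win_lineinfile:
    path: '{{ alluserprofile.stdout | trim }}\ssh\sshd_config'
    regexp: '^#?\s*{{ item.key }}\s'
    line: '{{ item.key }} {{ item.value }}'
    insertbefore: BOF
    create: yes
  loop:
    - { key: PasswordAuthentication, value: 'no' }
    - { key: PubkeyAuthentication, value: 'yes' }
```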


@ -0,0 +1,73 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create OpenSSH directory structure
win_file:
path: "{{ item }}"
state: directory
loop:
- '{{ programfiles.stdout | trim }}\OpenSSH'
- '{{ alluserprofile.stdout | trim }}\ssh'
# Win32-OpenSSH requires SYSTEM and Administrator groups having Write
# permissions on directory 'C:\Program Files\OpenSSH', authenticated
# users having only Read and Execute permissions on it, see:
# https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
#
# "Make sure binary location has the Write permissions to just to SYSTEM,
# Administrator groups. Authenticated users should and only have Read and
# Execute."
#
# Folder 'C:\Program Files\OpenSSH' inherits users and permissions from its
# parent folder when it is created, by default, SYSTEM and Administrator
# already have Write permissions on it, the only exception is the inherited
# user BUILTIN\Users has ReadAndExecute permission but only authenticated
# users are allowed to have such permission, this prevent us from connecting
# to the sshd server, just remove it.
- name: Disable inheritance of OpenSSH directory
win_acl_inheritance:
path: '{{ programfiles.stdout | trim }}\OpenSSH'
state: absent
reorganize: yes
- name: Remove permission for Users
win_acl:
path: '{{ programfiles.stdout | trim }}\OpenSSH'
user: BUILTIN\Users
rights: ReadAndExecute,Synchronize
type: allow
state: absent
inherit: 'None'
propagation: 'None'
- name: Download OpenSSH Archive
win_get_url:
url: '{{ ssh_source_url }}'
dest: '{{ tempdir.stdout | trim }}\OpenSSH.zip'
register: ssh
retries: 5
delay: 3
until: ssh is not failed
- name: Unzip OpenSSH Archive
win_unzip:
src: '{{ ssh.dest }}'
dest: '{{ tempdir.stdout | trim }}'
recurse: no
delete_archive: yes
- name: Install OpenSSH
win_shell: |
Get-ChildItem -Path "{{ tempdir.stdout | trim }}\OpenSSH-Win64\*" -Recurse | Move-Item -Destination "{{ programfiles.stdout | trim }}\OpenSSH"
Get-ChildItem -Path "{{ programfiles.stdout | trim }}\OpenSSH" | Unblock-File
& 'C:\Program Files\OpenSSH\install-sshd.ps1'
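Review bot: `& 'C:\Program Files\OpenSSH\install-sshd.ps1'` at the end of `Install OpenSSH` hardcodes the drive and folder, while the two lines above it and every other path in this file derive it from `{{ programfiles.stdout | trim }}`; on an image where Program Files resolves elsewhere the earlier tasks install into one directory and this line executes a script from another. `& '{{ programfiles.stdout | trim }}\OpenSSH\install-sshd.ps1'` keeps them in lockstep. The `Move-Item` also assumes the archive unpacks to an `OpenSSH-Win64` folder, which nothing here enforces; a `win_stat` check on that folder, or a comment on the layout `ssh_source_url` is expected to have, would make the dependency explicit.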


@ -0,0 +1,21 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Requires admin rights to install
# https://docs.ansible.com/ansible/latest/user_guide/become.html#become-and-windows
- name: Install OpenSSH
win_shell: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
become: yes
become_method: runas
become_user: SYSTEM