# README
## Rancher gMSA Account Provider

This directory contains the source code for the Rancher gMSA Account Provider. The gMSA Account Provider is an HTTP/s API that listens on localhost and is used to retrieve Kubernetes secrets containing the username, password, and domain name for the various gMSA impersonation accounts.

The account provider API is implemented as a small Gin server and uses a Norman client to retrieve Kubernetes secrets from the provider's own namespace. The API is expected to be called by CCG plugins and participates in the non-domain-joined gMSA CCG authentication flow. More details on this flow can be found here.
## HTTP API

The account provider exposes a single endpoint on localhost, to be used by a CCG plugin DLL. In normal operation, a client must use the mTLS certificates generated by the account provider to make a request against the API. The listening port is assigned by the host; checking the logs or the `port.txt` file will give you the port the server is currently listening on. mTLS can be disabled via the `--disable-mtls` flag.
- Endpoint: `/provider`
- Method: `GET`
- Protocol: HTTP/s using mTLS
- Headers:
  - Name: `object`
    - Type: `string`
    - Example: `object: secret-one`
    - Description: The name of a secret containing an impersonation account
## Host Artifacts

The account provider writes several files to the host filesystem to support the functionality of the Rancher CCG Plugin. The following files and directories are written to the host when the API starts:
- `/var/lib/rancher/gmsa/<NAMESPACE>`: the root directory where all metadata and certificates for the `rancher-gmsa-account-provider` instance are stored.
- `/var/lib/rancher/gmsa/<NAMESPACE>/port.txt`: a plain text file containing the current port used by the `rancher-gmsa-account-provider` instance.
- `/var/lib/rancher/gmsa/<NAMESPACE>/ssl`: this directory contains all mTLS certificates. All certificates are imported into the Windows certificate store as they are written to disk.
  - `/var/lib/rancher/gmsa/<NAMESPACE>/ssl/client`: `tls.pfx`, `tls.crt`
  - `/var/lib/rancher/gmsa/<NAMESPACE>/ssl/server`: `ca.crt`, `tls.crt`
  - `/var/lib/rancher/gmsa/<NAMESPACE>/ssl/ca`: `ca.crt`, `tls.crt`
All certificates used by the Account Provider are generated and managed using cert-manager, and all files are rewritten each time the Account Provider is deployed onto a host, ensuring that the latest information is available to the CCG plugin.

You can use the `skip-artifacts` flag when starting `rancher-gmsa-account-provider` to avoid writing any files to the host filesystem; however, this also implicitly disables mTLS, since no certificates will be available to the client.
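The following is an added example, not code from the rancher-gmsa-account-provider project, showing how a client would consume both the HTTP API above and the host artifacts: it reads the port from `port.txt`, trusts only `ssl/server/ca.crt` for the server certificate, presents the client certificate from `ssl/client/tls.crt`, and sends `GET /provider` with the `object` header. The PEM private-key path is an assumption: the README lists only `tls.pfx` and `tls.crt` under `ssl/client`, and Go's standard library has no PKCS#12 decoder, so the example assumes the key has been exported from `tls.pfx` to a PEM file. The response body is returned raw because the README does not specify its format.

```go
// Added example (not part of the rancher-gmsa-account-provider project): a
// minimal mTLS client for GET /provider that discovers the port from port.txt.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// parsePort validates the contents of port.txt: one TCP port number, optionally
// followed by whitespace. Anything else is rejected rather than turned into a
// request against an unexpected port.
func parsePort(contents string) (int, error) {
	port, err := strconv.Atoi(strings.TrimSpace(contents))
	if err != nil {
		return 0, fmt.Errorf("port.txt does not contain a port number: %w", err)
	}
	if port < 1 || port > 65535 {
		return 0, fmt.Errorf("port.txt contains out-of-range port %d", port)
	}
	return port, nil
}

// providerURL builds the endpoint URL. The provider listens only on localhost;
// plain http applies only when it was started with --disable-mtls.
func providerURL(port int, mtls bool) string {
	scheme := "https"
	if !mtls {
		scheme = "http"
	}
	return fmt.Sprintf("%s://localhost:%d/provider", scheme, port)
}

// newProviderRequest builds the GET request; the `object` header names the
// secret holding the impersonation account.
func newProviderRequest(port int, mtls bool, secretName string) (*http.Request, error) {
	if strings.TrimSpace(secretName) == "" {
		return nil, errors.New("secret name must not be empty")
	}
	req, err := http.NewRequest(http.MethodGet, providerURL(port, mtls), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("object", secretName)
	return req, nil
}

// newMTLSClient trusts only the CA in ssl/server/ca.crt (not the system store)
// and presents ssl/client/tls.crt with the assumed PEM key clientKeyPEM.
func newMTLSClient(root, clientKeyPEM string) (*http.Client, error) {
	caPEM, err := os.ReadFile(filepath.Join(root, "ssl", "server", "ca.crt"))
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ssl/server/ca.crt contains no usable certificate")
	}
	cert, err := tls.LoadX509KeyPair(filepath.Join(root, "ssl", "client", "tls.crt"), clientKeyPEM)
	if err != nil {
		return nil, err
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion:   tls.VersionTLS12,
		RootCAs:      pool,
		Certificates: []tls.Certificate{cert},
	}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// fetchAccount ties the steps together for the provider in the given namespace.
func fetchAccount(namespace, clientKeyPEM, secretName string) ([]byte, error) {
	root := filepath.Join("/var/lib/rancher/gmsa", namespace)
	raw, err := os.ReadFile(filepath.Join(root, "port.txt"))
	if err != nil {
		return nil, err
	}
	port, err := parsePort(string(raw))
	if err != nil {
		return nil, err
	}
	client, err := newMTLSClient(root, clientKeyPEM)
	if err != nil {
		return nil, err
	}
	req, err := newProviderRequest(port, true, secretName)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("provider returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body at 1 MiB
}

func main() {
	// Usage: client <namespace> <client-key.pem> <secret-name>; all values are supplied by the caller.
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: client <namespace> <client-key.pem> <secret-name>")
		os.Exit(2)
	}
	body, err := fetchAccount(os.Args[1], os.Args[2], os.Args[3])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(body)
}
```

Pinning `RootCAs` to the provider's own CA rather than the host trust store is the piece that makes mTLS meaningful here: a process that can bind the localhost port cannot impersonate the provider unless it also holds a certificate issued by that CA, and the provider in turn only admits callers presenting the generated client certificate.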