Merge pull request #80 from awsjohns/no-grpc-mode-master

No grpc mode master

CMakeLists.txt

@@ -6,36 +6,30 @@ include(GNUInstallDirs)
 set(CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/cmake)
 
 set(CMAKE_CXX_FLAGS " -std=c++17 -g -Wall -Werror -pthread")
+#These commands are not supported in CMake available for Amazon Linux 2
+#cmake_host_system_information(RESULT PRETTY_NAME QUERY DISTRIB_PRETTY_NAME)
+#message(STATUS "${PRETTY_NAME}")
+#
+#cmake_host_system_information(RESULT DISTRO QUERY DISTRIB_INFO)
 
-set(protobuf_MODULE_COMPATIBLE TRUE)
-find_package(Protobuf REQUIRED)
-find_package(gRPC REQUIRED)
-set(_PROTOBUF_LIBPROTOBUF protobuf::libprotobuf)
-set(_REFLECTION gRPC::grpc++_reflection)
-find_program(_PROTOBUF_PROTOC protoc)
-find_program(_GRPC_CPP_PLUGIN_EXECUTABLE grpc_cpp_plugin)
-
-cmake_host_system_information(RESULT PRETTY_NAME QUERY DISTRIB_PRETTY_NAME)
-message(STATUS "${PRETTY_NAME}")
-
-cmake_host_system_information(RESULT DISTRO QUERY DISTRIB_INFO)
-
-foreach(VAR IN LISTS DISTRO)
-  message(STATUS "${VAR}=`${${VAR}}`")
-endforeach()
+#foreach(VAR IN LISTS DISTRO)
+#  message(STATUS "${VAR}=`${${VAR}}`")
+#endforeach()
 
 set(CMAKE_VERBOSE_MAKEFILE ON)
 
 set(config)
 add_subdirectory(config)
-set(api)
-add_subdirectory(api)
 set(renewal)
 add_subdirectory(renewal)
-set(daemon)
-add_subdirectory(daemon)
 set(metadata)
 add_subdirectory(metadata)
+set(auth)
+add_subdirectory(auth)
+set(daemon)
+add_subdirectory(daemon)
+set(sample_credspec)
+add_subdirectory(sample_credspec)
 
 if (NOT CF_KRB_DIR)
     set(CF_KRB_DIR "/var/credentials-fetcher/krbdir")
@@ -97,7 +91,7 @@ else()
             )
 endif()
 
-set(sources ${daemon} ${config} ${renewal})
+set(sources ${daemon} ${config} ${renewal} ${auth} ${metadata})
 
 add_executable(credentials-fetcherd ${sources})
 
@@ -107,19 +101,21 @@ check_pie_supported()
 if (CMAKE_C_LINK_PIE_SUPPORTED)
    set_property(TARGET credentials-fetcherd
                 PROPERTY POSITION_INDEPENDENT_CODE TRUE)
-   set_property(TARGET cf_gmsa_service_private
-                PROPERTY POSITION_INDEPENDENT_CODE TRUE)
 endif ()
 
 find_path(GLIB_INCLUDE_DIR glib.h "/usr/include" "/usr/include/glib-2.0")
 find_path(GLIB_CONFIG_DIR glibconfig.h "/usr/include" "/usr/lib64/glib-2.0/include" "/usr/lib/x86_64-linux-gnu/glib-2.0/include/")
+set(BOOST_FILESYSTEM_H "/usr/include/boost/filesystem")
+set(KRB5_CLIENT_H ${CMAKE_CURRENT_SOURCE_DIR}/auth/kinit_client/)
 
 target_include_directories(credentials-fetcherd
         PUBLIC
         common
         ${GLIB_INCLUDE_DIR}
         ${GLIB_CONFIG_DIR}
-        ${CMAKE_CURRENT_BINARY_DIR})
+	${BOOST_FILESYSTEM_H}
+        ${CMAKE_CURRENT_BINARY_DIR}
+	${KRB5_CLIENT_H})
 
 find_program(DOTNET dotnet ~/.dotnet /usr/bin)
 if (NOT DOTNET)
@@ -137,14 +133,16 @@ target_include_directories(credentials-fetcherd PUBLIC common)
 if(${DISTRO_ID} MATCHES "ubuntu")
 	message(STATUS "Linux distro detected as ubuntu")
 target_link_libraries(credentials-fetcherd
-        PUBLIC systemd krb5 glib-2.0 cf_gmsa_service_private
-        crypto protobuf kadm5srv_mit kdb5 gssrpc gssapi_krb5 gssrpc k5crypto com_err krb5support resolv utf8_validity)
+        PUBLIC systemd krb5 glib-2.0
+        crypto protobuf kadm5srv_mit kdb5 gssrpc gssapi_krb5 gssrpc k5crypto com_err krb5support resolv utf8_validity jsoncpp)
 else()
+
 target_link_libraries(credentials-fetcherd
-        PUBLIC systemd krb5 glib-2.0 cf_gmsa_service_private
+        PUBLIC systemd krb5 glib-2.0
         crypto
+        -L/usr/local/lib
         kadm5srv_mit kdb5 gssrpc gssapi_krb5 gssrpc k5crypto
-        com_err krb5support resolv)
+        com_err krb5support resolv jsoncpp)
 endif()
 
 install(FILES ${CMAKE_BINARY_DIR}/credentials-fetcherd

README-NOGRPC.MD

@@ -0,0 +1,140 @@
+"No gRPC Mode" is intended to be used for this scenario:
+* Neeeds to run on Amazon Linux 2 which does not have packages available for gRPC
+* EKS host not ECS
+* Need to run via command line and not configured via gRPC api calls
+* Containers do not need access to kerbos tickets
+
+#compile no_grpc_mode on AmazonLinux2
+
+```
+  sudo yum install cmake3
+  sudo yum install git -y
+  sudo yum install gcc10-c++ -y
+  sudo mv /usr/bin/gcc /usr/bin/gcc-7.3
+  sudo ln -s /usr/bin/gcc10-cc /usr/bin/gcc
+  sudo mv /usr/bin/g++ /usr/bin/g++-7.3
+  sudo ln -s /usr/bin/gcc10-c++ /usr/bin/g++
+  sudo ln -s /usr/bin/gcc10-c++ /usr/bin/g++
+  sudo mv /usr/bin/c++ /usr/bin/c++-7.3
+  sudo ln -s /usr/bin/gcc10-c++ /usr/bin/c++
+  sudo ln -s /usr/bin/gcc10-c++ /usr/bin/c++
+  sudo yum install openssl-devel -y
+  sudo yum install openssl-devel -y
+```
+
+  #install DotNet 6  
+```
+  sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm  
+  sudo yum install aspnetcore-runtime-6.0 -y
+  sudo yum install dotnet-sdk-6.0 -y
+  cd ..
+```  
+  #Install packages need by Credentials-Fetcher
+``` 
+ sudo yum install glib* -y
+  sudo yum install jsoncpp-devel jsoncpp -y
+  sudo yum install systemd-devel -y
+ ```
+
+  #build Credentials-Fetcher
+```
+  
+  mkdir build
+  cd build
+   
+  cmake3 ../
+  make -j 4
+```
+
+#Copy helper app to /usr/sbin
+```
+  sudo cp credentials_fetcher_utf16_private.exe /usr/sbin/
+  sudo cp credentials_fetcher_utf16_private.runtimeconfig.json /usr/sbin/
+ ```
+
+  #install prereqs to run
+```
+  sudo yum install unzip
+  sudo yum install realmd -y
+  sudo yum install which -y
+  sudo yum install hostname -y
+  sudo yum install krb5-workstation -y
+  sudo yum install openldap -y
+  sudo yum install openldap-clients -y
+  sudo yum install cyrus-sasl-gssapi -y
+
+  #install AWS CLI used to read AWS secrets
+  curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+  unzip awscliv2.zip
+  sudo ./aws/install
+
+```  
+
+#set environment variables need to run in CLI mode 
+```
+  export CF_CRED_SPEC_FILE=/home/ec2-user/credentials-fetcher/no-grpc-mode/build/credspec.json  
+  #todo:make sure EC2 Instance Profile has permissions to AWS Secrets Manager
+  
+  #configure AWS region to your region
+  aws configure set default.region us-east-1
+```
+
+#run it in domainless mode by specific the AWS SecretsManger secret
+#Replace gmsa-plugin-input with your AWS SecretsManager secret name.
+
+```
+ ./credentials-fetcherd --aws_sm_secret_name gmsa-plugin-input
+```
+
+#You should see output similar to this
+```
+[root@ip-10-0-61-81 build]#  ./credentials-fetcherd --aws_sm_secret_name gmsa-plugin-input
+Option selected for domainless operation, AWS secrets manager secret-name = gmsa-plugin-input
+krb_files_dir = /var/credentials-fetcher/krbdir
+cred_file = /home/ec2-user/credentials-fetcher/no-grpc-mode/build/credspec.json (lease id: credspec)
+logging_dir = /var/credentials-fetcher/logging
+unix_socket_dir = /var/credentials-fetcher/socket
+Using existing cache: persistent:0:0
+Using principal: eks-portable-ident@EXAMPLE.COM
+prompt at 0x970ea702, 0x400,  '��
+prompt at 0x970ea702, 0x400,  '��
+Authenticated to Kerberos v5
+ldapsearch -H ldap://DC2.example.com -b 'CN=gmsaeks,CN=Managed Service Accounts,DC=example,DC=com' -s sub  "(objectClass=msDs-GroupManagedServiceAccount)"  msDS-ManagedPassword
+SASL/GSSAPI authentication started
+SASL username: eks-portable-ident@EXAMPLE.COM
+SASL SSF: 256
+SASL data security layer installed.
+dotnet /usr/sbin/credentials_fetcher_utf16_private.exe | kinit  -c /var/credentials-fetcher/krbdir/credspec/gmsaeks/krb5cc -V 'gmsaeks$'@EXAMPLE.COM
+Using specified cache: /var/credentials-fetcher/krbdir/credspec/gmsaeks/krb5cc
+Using principal: gmsaeks$@EXAMPLE.COM
+Password for gmsaeks$@EXAMPLE.COM: 
+Authenticated to Kerberos v5
+kinit return value = 0
+gMSA ticket is at /var/credentials-fetcher/krbdir/credspec/gmsaeks/krb5cc
+Thread 0: top of stack near 0x7fc7f18c7c88; argv_string=krb_ticket_refresh_thread
+
+```
+
+#build the RPM for distribution
+
+```
+sudo yum install -y rpmdevtools rpmlint -y
+sudo yum install chrpath
+
+rpmdev-setuptree
+
+sudo ln -s /usr/local/bin/cmake /usr/bin/cmake3
+
+
+cp ~/credentials-fetcher/package/credentials-fetcher.spec ~/rpmbuild/SPECS
+mkdir ~/tmp
+
+cp -r credentials-fetcher/ ~/tmp
+
+cd ~/tmp && mv credentials-fetcher credentials-fetcher-v.1.2.0
+tar cvfz v.1.2.0.tar.gz credentials-fetcher-v.1.2.0
+cp v.1.2.0.tar.gz ~/rpmbuild/SOURCES/
+
+rpmbuild -ba ~/rpmbuild/SPECS/credentials-fetcher.spec 
+
+```