chore: add windows ps1 hacks to native dockerfile (#635)

# Description containerd 1.6 still requires secrets to be mounted in hacky way, which is all AKS versions <1.27 Azure/AKS#3975 (comment) ## Related Issue If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request. ## Checklist - [ ] I have read the [contributing documentation](https://retina.sh/docs/contributing). - [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits. - [ ] I have correctly attributed the author(s) of the code. - [ ] I have tested the changes locally. - [ ] I have followed the project's style guidelines. - [ ] I have updated the documentation, if necessary. - [ ] I have added tests, if applicable. ## Screenshots (if applicable) or Testing Completed Please add any relevant screenshots or GIFs to showcase the changes made. ## Additional Notes Add any additional notes or context about the pull request here. --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
microsoft · Aug 27, 2024 · df20875 · df20875
1 parent 9751894
commit df20875
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 9 deletions.
diff --git a/cmd/legacy/daemon.go b/cmd/legacy/daemon.go
@@ -15,6 +15,8 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -92,11 +94,22 @@ func (d *Daemon) Start() error {
 	}
 
 	fmt.Println("init client-go")
-	cfg, err := kcfg.GetConfig()
-	if err != nil {
-		panic(err)
+	var cfg *rest.Config
+	if kubeconfig := os.Getenv("KUBECONFIG"); kubeconfig != "" {
+		fmt.Println("KUBECONFIG set, using kubeconfig: ", kubeconfig)
+		cfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+		if err != nil {
+			return fmt.Errorf("creating controller-runtime manager: %w", err)
+		}
+	} else {
+		cfg, err = kcfg.GetConfig()
+		if err != nil {
+			panic(err)
+		}
 	}
 
+	fmt.Println("api server: ", cfg.Host)
+
 	fmt.Println("init logger")
 	zl, err := log.SetupZapLogger(&log.LogOpts{
 		Level:                 daemonConfig.LogLevel,

diff --git a/cmd/root.go b/cmd/root.go
@@ -19,6 +19,7 @@ var (
 	probeAddr            string
 	enableLeaderElection bool
 	cfgFile              string
+	kubeConfigFileName   = ""
 
 	rootCmd = &cobra.Command{
 		Use:   "retina-agent",
@@ -41,6 +42,9 @@ func init() {
 	rootCmd.Flags().StringVar(&probeAddr, "health-probe-bind-address", ":18081", "The address the probe endpoint binds to.")
 	rootCmd.Flags().BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
 	rootCmd.Flags().StringVar(&cfgFile, "config", configFileName, "config file")
+
+	// this is read during GetConfigOrDie, not explicitly passed to any of our logic
+	rootCmd.Flags().StringVar(&kubeConfigFileName, "kubeconfig", kubeConfigFileName, "noop we just need cobra to not check since controller runtime can use this flag")
 }
 
 func Execute() {

diff --git a/controller/Dockerfile.windows-native b/controller/Dockerfile.windows-native
@@ -26,6 +26,8 @@ WORKDIR C:\\retina
 FROM --platform=windows/amd64 mcr.microsoft.com/windows/nanoserver:ltsc2022 AS final
 ADD https://github.com/microsoft/etl2pcapng/releases/download/v1.10.0/etl2pcapng.exe /etl2pcapng.exe
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'Continue';"]
+COPY --from=builder C:\\retina\\windows\\kubeconfigtemplate.yaml kubeconfigtemplate.yaml
+COPY --from=builder C:\\retina\\windows\\setkubeconfigpath.ps1 setkubeconfigpath.ps1
 COPY --from=builder C:\\retina\\controller.exe controller.exe
 COPY --from=pktmon-builder C:\\pktmon\\controller-pktmon.exe controller-pktmon.exe
 COPY --from=builder C:\\retina\\captureworkload.exe captureworkload.exe

diff --git a/pkg/plugin/windows/pktmon/pktmon_plugin_windows.go b/pkg/plugin/windows/pktmon/pktmon_plugin_windows.go
@@ -97,7 +97,16 @@ func (p *Plugin) RunPktMonServer(ctx context.Context) error {
 	defer p.stdWriter.Close()
 	p.errWriter = &zapio.Writer{Log: p.l.Logger, Level: zap.ErrorLevel}
 	defer p.errWriter.Close()
-	p.pktmonCmd = exec.CommandContext(ctx, "controller-pktmon.exe")
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return fmt.Errorf("failed to get current working directory for pktmon: %w", err)
+	}
+
+	cmd := pwd + "\\" + "controller-pktmon.exe"
+
+	p.pktmonCmd = exec.CommandContext(ctx, cmd)
+	p.pktmonCmd.Dir = pwd
 	p.pktmonCmd.Args = append(p.pktmonCmd.Args, "--socketpath", socket)
 	p.pktmonCmd.Env = os.Environ()
 	p.pktmonCmd.Stdout = p.stdWriter
@@ -106,7 +115,7 @@ func (p *Plugin) RunPktMonServer(ctx context.Context) error {
 	p.l.Info("calling start on pktmon stream server", zap.String("cmd", p.pktmonCmd.String()))
 
 	// block this thread, and should it ever return, it's a problem
-	err := p.pktmonCmd.Run()
+	err = p.pktmonCmd.Run()
 	if err != nil {
 		return fmt.Errorf("pktmon server exited when it should not have: %w", err)
 	}

diff --git a/windows/setkubeconfigpath.ps1 b/windows/setkubeconfigpath.ps1
@@ -1,11 +1,16 @@
 # pull the server value from the kubeconfig on host to construct our own kubeconfig, but using service principal settings
 # this is required to build a kubeconfig using the kubeconfig on disk in c:\k, and the service principle granted in the container mount, to generate clientset
-$cpEndpoint = Get-Content C:\k\config | ForEach-Object -Process {if($_.Contains("server:")) {$_.Trim().Split()[1]}}
+$cpEndpoint = Get-Content C:\k\config | ForEach-Object -Process { if ($_.Contains("server:")) { $_.Trim().Split()[1] } }
 $token = Get-Content -Path $env:CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\token
 $ca = Get-Content -Raw -Path $env:CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\ca.crt
 $caBase64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ca))
 $server = "server: $cpEndpoint"
 (Get-Content $env:CONTAINER_SANDBOX_MOUNT_POINT\kubeconfigtemplate.yaml).
-    replace("<ca>", $caBase64).
-    replace("<server>", $server.Trim()).
-    replace("<token>", $token) | Set-Content $env:CONTAINER_SANDBOX_MOUNT_POINT\kubeconfig -Force
+replace("<ca>", $caBase64).
+replace("<server>", $server.Trim()).
+replace("<token>", $token) | Set-Content $env:CONTAINER_SANDBOX_MOUNT_POINT\kubeconfig -Force
+
+$env:KUBECONFIG = Join-Path -Path $env:CONTAINER_SANDBOX_MOUNT_POINT -ChildPath "kubeconfig"
+
+# Set the KUBECONFIG environment variable 
+[System.Environment]::SetEnvironmentVariable("KUBECONFIG", $env:KUBECONFIG, [System.EnvironmentVariableTarget]::Machine)