Add admin password support for Azure driver

Under Azure, an admin password is required in order to launch a VM from a Windows image. Add support for that. Also, shorten the node name to less than 15 characters in order to accomodate Windows restrictions. Change-Id: I899f3e02046ffdb5f9fd19fe90c4bc9afdb01a7c
2021-11-15 15:50:27 -08:00 · 2021-11-15 15:50:27 -08:00 · 44f3d63973
commit 44f3d63973
parent c6723ea88f
7 changed files with 147 additions and 6 deletions
--- a/doc/source/azure.rst
+++ b/doc/source/azure.rst
@ -248,6 +248,24 @@ section of the configuration.

         The username that should be used when connecting to the node.

+      .. attr:: password
+         :type: str
+
+         If booting a Windows image, an administrative password is
+         required.  Either supply it here, or set
+         :attr:`providers.[azure].cloud-images.generate-password`.
+         Nodepool does not provide the password to requesting clients;
+         to be used it must be provided in some other manner.
+
+      .. attr:: generate-password
+         :type: bool
+
+         If booting a Windows image, an administrative password is
+         required.  If the password is not actually used (e.g., the
+         image has key-based authentication enabled), a random
+         password can be provided by enabling this option.  The
+         password is not stored anywhere and is not retrievable.
+
      .. attr:: key
         :type: str

--- a/nodepool/driver/azure/adapter.py
+++ b/nodepool/driver/azure/adapter.py
@ -12,10 +12,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-import os
-import math
-import logging
 import json
+import logging
+import math
+import os
+import random
+import string

 import cachetools.func

@ -41,6 +43,18 @@ def quota_info_from_sku(sku):
        instances=1)


+def generate_password():
+    while True:
+        chars = random.choices(string.ascii_lowercase +
+                               string.ascii_uppercase +
+                               string.digits,
+                               k=64)
+        if ((set(string.ascii_lowercase) & set(chars)) and
+            (set(string.ascii_uppercase) & set(chars)) and
+            (set(string.digits) & set(chars))):
+            return(''.join(chars))
+
+
 class AzureInstance(statemachine.Instance):
    def __init__(self, vm, nic=None, public_ipv4=None,
                 public_ipv6=None, sku=None):
@ -646,7 +660,7 @@ class AzureAdapter(statemachine.Adapter):
            else:
                image_reference = {'id': label.cloud_image.image_id}
        os_profile = {'computerName': hostname}
-        if image.username and image.key:
+        if image.key:
            linux_config = {
                'ssh': {
                    'publicKeys': [{
@ -657,8 +671,13 @@ class AzureAdapter(statemachine.Adapter):
                },
                "disablePasswordAuthentication": True,
            }
-            os_profile['adminUsername'] = image.username
            os_profile['linuxConfiguration'] = linux_config
+        if image.username:
+            os_profile['adminUsername'] = image.username
+        if image.password:
+            os_profile['adminPassword'] = image.password
+        elif image.generate_password:
+            os_profile['adminPassword'] = generate_password()
        if label.custom_data:
            os_profile['customData'] = label.custom_data

--- a/nodepool/driver/azure/config.py
+++ b/nodepool/driver/azure/config.py
@ -32,6 +32,8 @@ class AzureProviderCloudImage(ConfigValue):
        }
        self.name = image['name']
        self.username = image['username']
+        self.password = image.get('password')
+        self.generate_password = image.get('generate-password', False)
        # TODO(corvus): remove zuul_public_key
        self.key = image.get('key', zuul_public_key)
        self.image_reference = image.get('image-reference')
@ -60,6 +62,8 @@ class AzureProviderCloudImage(ConfigValue):
        return v.All({
            v.Required('name'): str,
            v.Required('username'): str,
+            'password': str,
+            'generate-password': bool,
            # TODO(corvus): make required when zuul_public_key removed
            'key': str,
            v.Exclusive('image-reference', 'spec'): azure_image_reference,
@ -89,6 +93,8 @@ class AzureProviderDiskImage(ConfigValue):
        self.python_path = image.get('python-path')
        self.shell_type = image.get('shell-type')
        self.username = image.get('username')
+        self.password = image.get('password')
+        self.generate_password = image.get('generate-password', False)
        self.key = image.get('key')
        self.connection_type = image.get('connection-type', 'ssh')
        self.connection_port = image.get(
--- a/nodepool/driver/statemachine.py
+++ b/nodepool/driver/statemachine.py
@ -122,7 +122,8 @@ class StateMachineNodeLauncher(stats.StatsReporter):
        self.node.connection_type = image.connection_type
        self.zk.storeNode(self.node)

-        hostname = 'nodepool-' + self.node.id
+        # Windows computer names can be no more than 15 chars long.
+        hostname = 'np' + self.node.id
        retries = self.manager.provider.launch_retries
        metadata = {'nodepool_node_id': self.node.id,
                    'nodepool_pool_name': self.handler.pool.name,
--- a/nodepool/tests/fixtures/azure.yaml
+++ b/nodepool/tests/fixtures/azure.yaml
@ -15,6 +15,10 @@ zookeeper-tls:
 labels:
  - name: bionic
    min-ready: 0
+  - name: windows-password
+    min-ready: 0
+  - name: windows-generate
+    min-ready: 0

 providers:
  - name: azure
@ -34,6 +38,22 @@ providers:
          publisher: Canonical
          version: latest
          offer: UbuntuServer
+      - name: windows-password
+        image-reference:
+          sku: 2022-datacenter-azure-edition
+          publisher: MicrosoftWindowsServer
+          version: latest
+          offer: WindowsServer
+        username: foobar
+        password: reallybadpassword123
+      - name: windows-generate
+        image-reference:
+          sku: 2022-datacenter-azure-edition
+          publisher: MicrosoftWindowsServer
+          version: latest
+          offer: WindowsServer
+        username: foobar
+        generate-password: True
    pools:
      - name: main
        max-servers: 10
@ -51,3 +71,11 @@ providers:
              systemPurpose: CI
            user-data: "This is the user data"
            custom-data: "This is the custom data"
+          - name: windows-password
+            cloud-image: windows-password
+            hardware-profile:
+              vm-size: Standard_B1ls
+          - name: windows-generate
+            cloud-image: windows-generate
+            hardware-profile:
+              vm-size: Standard_B1ls
--- a/nodepool/tests/unit/test_driver_azure.py
+++ b/nodepool/tests/unit/test_driver_azure.py
@ -139,3 +139,67 @@ class TestDriverAzure(tests.DBTestCase):
            "/subscriptions/c35cf7df-ed75-4c85-be00-535409a85120"
            "/resourceGroups/nodepool/providers/Microsoft.Compute"
            "/images/test-image-1234")
+
+    def test_azure_windows_image_password(self):
+        configfile = self.setup_config(
+            'azure.yaml',
+            auth_path=self.fake_azure.auth_file.name)
+        pool = self.useNodepool(configfile, watermark_sleep=1)
+        pool.start()
+        req = zk.NodeRequest()
+        req.state = zk.REQUESTED
+        req.node_types.append('windows-password')
+
+        self.zk.storeNodeRequest(req)
+        req = self.waitForNodeRequest(req)
+
+        self.assertEqual(req.state, zk.FULFILLED)
+        self.assertNotEqual(req.nodes, [])
+        node = self.zk.getNode(req.nodes[0])
+        self.assertEqual(node.allocated_to, req.id)
+        self.assertEqual(node.state, zk.READY)
+        self.assertIsNotNone(node.launcher)
+        self.assertEqual(node.connection_type, 'ssh')
+        self.assertEqual(node.attributes,
+                         {'key1': 'value1', 'key2': 'value2'})
+        self.assertEqual(node.host_keys, ['ssh-rsa FAKEKEY'])
+        self.assertEqual(
+            self.fake_azure.crud['Microsoft.Compute/virtualMachines'].
+            requests[0]['properties']['osProfile']['adminUsername'],
+            'foobar')
+        self.assertEqual(
+            self.fake_azure.crud['Microsoft.Compute/virtualMachines'].
+            requests[0]['properties']['osProfile']['adminPassword'],
+            'reallybadpassword123')
+
+    def test_azure_windows_image_generate(self):
+        configfile = self.setup_config(
+            'azure.yaml',
+            auth_path=self.fake_azure.auth_file.name)
+        pool = self.useNodepool(configfile, watermark_sleep=1)
+        pool.start()
+        req = zk.NodeRequest()
+        req.state = zk.REQUESTED
+        req.node_types.append('windows-generate')
+
+        self.zk.storeNodeRequest(req)
+        req = self.waitForNodeRequest(req)
+
+        self.assertEqual(req.state, zk.FULFILLED)
+        self.assertNotEqual(req.nodes, [])
+        node = self.zk.getNode(req.nodes[0])
+        self.assertEqual(node.allocated_to, req.id)
+        self.assertEqual(node.state, zk.READY)
+        self.assertIsNotNone(node.launcher)
+        self.assertEqual(node.connection_type, 'ssh')
+        self.assertEqual(node.attributes,
+                         {'key1': 'value1', 'key2': 'value2'})
+        self.assertEqual(node.host_keys, ['ssh-rsa FAKEKEY'])
+        self.assertEqual(
+            self.fake_azure.crud['Microsoft.Compute/virtualMachines'].
+            requests[0]['properties']['osProfile']['adminUsername'],
+            'foobar')
+        self.assertEqual(
+            len(self.fake_azure.crud['Microsoft.Compute/virtualMachines'].
+                requests[0]['properties']['osProfile']['adminPassword']),
+            64)
--- a/releasenotes/notes/azure-password-c70896bf49deab8a.yaml
+++ b/releasenotes/notes/azure-password-c70896bf49deab8a.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The Azure driver now supports setting an admin password, which is
+    required in order to launch Windows images on Azure.