Support providing Windows gMSA credentials via a container-level env var for use by Garden/Winc (#4393)

* Set WINDOWS_GMSA_CREDENTIAL_REF var when GMSA service bound

- When a service is bound that has a credential with the
  'credhub-windows-gmsa-credential-ref' key, the DesiredLRP or Task
  containers will have a container-level env var set with its value
- winc will be updated to react to the WINDOWS_GMSA_CREDENTIAL_REF
var and create Windows containers using the GMSA credentials it
references

Author: tcdowney

app/models/runtime/app_model.rb

@@ -125,6 +125,12 @@ def database_uri
       DatabaseUriGenerator.new(service_binding_uris).database_uri
     end
 
+    def windows_gmsa_credential_refs
+      service_bindings.sort_by(&:id).map do |binding|
+        binding.credentials['credhub-windows-gmsa-credential-ref'] if binding.credentials.present?
+      end.compact
+    end
+
     def staging_in_progress?
       builds_dataset.where(state: BuildModel::STAGING_STATE).any?
     end

app/models/runtime/process_model.rb

@@ -453,6 +453,8 @@ def database_uri
       DatabaseUriGenerator.new(service_binding_uris).database_uri
     end
 
+    delegate :windows_gmsa_credential_refs, to: :app
+
     def max_app_disk_in_mb
       VCAP::CloudController::Config.config.get(:maximum_app_disk_in_mb)
     end

lib/cloud_controller/diego/buildpack/desired_lrp_builder.rb

@@ -17,6 +17,7 @@ def initialize(config, opts)
           @checksum_algorithm = opts[:checksum_algorithm]
           @checksum_value = opts[:checksum_value]
           @start_command = opts[:start_command]
+          @additional_container_env_vars = opts[:additional_container_env_vars]
         end
 
         def cached_dependencies
@@ -94,7 +95,7 @@ def image_layers
         end
 
         def global_environment_variables
-          [::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG)]
+          [::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG)] + @additional_container_env_vars
         end
 
         def ports

lib/cloud_controller/diego/cnb/desired_lrp_builder.rb

@@ -17,6 +17,7 @@ def initialize(config, opts)
           @checksum_algorithm = opts[:checksum_algorithm]
           @checksum_value = opts[:checksum_value]
           @start_command = opts[:start_command]
+          @additional_container_env_vars = opts[:additional_container_env_vars]
         end
 
         def cached_dependencies
@@ -94,11 +95,7 @@ def image_layers
         end
 
         def global_environment_variables
-          [
-            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG),
-            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'CNB_LAYERS_DIR', value: '/home/vcap/layers'),
-            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'CNB_APP_DIR', value: '/home/vcap/workspace')
-          ]
+          default_container_env + @additional_container_env_vars
         end
 
         def ports
@@ -120,6 +117,16 @@ def privileged?
         def action_user
           'vcap'
         end
+
+        private
+
+        def default_container_env
+          [
+            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG),
+            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'CNB_LAYERS_DIR', value: '/home/vcap/layers'),
+            ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'CNB_APP_DIR', value: '/home/vcap/workspace')
+          ]
+        end
       end
     end
   end

lib/cloud_controller/diego/docker/desired_lrp_builder.rb

@@ -10,6 +10,7 @@ def initialize(config, opts)
           @execution_metadata = opts[:execution_metadata]
           @ports = opts[:ports]
           @start_command = opts[:start_command]
+          @additional_container_env_vars = opts[:additional_container_env_vars]
         end
 
         def cached_dependencies
@@ -43,7 +44,7 @@ def image_layers
         end
 
         def global_environment_variables
-          []
+          [] + @additional_container_env_vars
         end
 
         def ports

lib/cloud_controller/diego/docker/lifecycle_protocol.rb

@@ -1,6 +1,7 @@
 require 'cloud_controller/diego/docker/lifecycle_data'
 require 'cloud_controller/diego/docker/staging_action_builder'
 require 'cloud_controller/diego/docker/task_action_builder'
+require 'cloud_controller/diego/windows_environment_sage'
 
 module VCAP
   module CloudController
@@ -35,9 +36,15 @@ def builder_opts(process)
               ports: process.open_ports,
               docker_image: process.actual_droplet.docker_receipt_image,
               execution_metadata: process.execution_metadata,
-              start_command: process.command
+              start_command: process.command,
+              additional_container_env_vars: container_env_vars_for_process(process)
             }
           end
+
+          def container_env_vars_for_process(process)
+            additional_env = []
+            additional_env + WindowsEnvironmentSage.ponder(process.app)
+          end
         end
       end
     end

lib/cloud_controller/diego/lifecycle_protocol.rb

@@ -1,3 +1,5 @@
+require 'cloud_controller/diego/windows_environment_sage'
+
 module VCAP::CloudController
   module Diego
     module LifecycleProtocol
@@ -63,7 +65,8 @@ def builder_opts(process)
           stack: process.app.lifecycle_data.stack,
           checksum_algorithm: checksum_info['type'],
           checksum_value: checksum_info['value'],
-          start_command: process.started_command
+          start_command: process.started_command,
+          additional_container_env_vars: container_env_vars_for_process(process)
         }
       end
 
@@ -81,6 +84,11 @@ def droplet_download_uri(task)
         download_url
       end
 
+      def container_env_vars_for_process(process)
+        additional_env = []
+        additional_env + WindowsEnvironmentSage.ponder(process.app)
+      end
+
       def logger
         @logger ||= Steno.logger('cc.diego.tr')
       end

lib/cloud_controller/diego/task_environment_variable_collector.rb

@@ -9,6 +9,7 @@ def for_task(task)
           running_envs = VCAP::CloudController::EnvironmentVariableGroup.running.environment_json
           envs = VCAP::CloudController::Diego::TaskEnvironment.new(app, task, app.space, running_envs).build
           diego_envs = VCAP::CloudController::Diego::BbsEnvironmentBuilder.build(envs)
+          diego_envs += optional_windows_envs(app)
 
           logger.debug2("task environment: #{diego_envs.map(&:name)}")
 
@@ -17,6 +18,10 @@ def for_task(task)
 
         private
 
+        def optional_windows_envs(app)
+          VCAP::CloudController::Diego::WindowsEnvironmentSage.ponder(app)
+        end
+
         def logger
           @logger ||= Steno.logger('cc.diego.tr')
         end

lib/cloud_controller/diego/windows_environment_sage.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'cloud_controller/diego/bbs_environment_builder'
+
+module VCAP::CloudController
+  module Diego
+    class WindowsEnvironmentSage
+      def self.ponder(app)
+        windows_gmsa_credential_env(app)
+      end
+
+      def self.windows_gmsa_credential_env(app)
+        credential_refs = app.windows_gmsa_credential_refs
+        return [] if credential_refs.empty?
+
+        BbsEnvironmentBuilder.build('WINDOWS_GMSA_CREDENTIAL_REF' => credential_refs.first)
+      end
+      private_class_method :windows_gmsa_credential_env
+    end
+  end
+end

spec/unit/lib/cloud_controller/diego/buildpack/desired_lrp_builder_spec.rb

@@ -20,10 +20,12 @@ module Buildpack
             ports: ports,
             checksum_algorithm: 'checksum-algorithm',
             checksum_value: 'checksum-value',
-            start_command: 'dd if=/dev/random of=/dev/null'
+            start_command: 'dd if=/dev/random of=/dev/null',
+            additional_container_env_vars: additional_env_vars
           }
         end
         let(:ports) { [1111, 2222, 3333] }
+        let(:additional_env_vars) { [] }
         let(:config) do
           Config.new({
                        diego: {
@@ -274,8 +276,24 @@ module Buildpack
         end
 
         describe '#global_environment_variables' do
-          it 'returns a list' do
-            expect(builder.global_environment_variables).to contain_exactly(::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG))
+          context 'when there are additional container-level env vars provided' do
+            let(:additional_env_vars) do
+              BbsEnvironmentBuilder.build('WINDOWS_GMSA_CREDENTIAL_REF' => 'some-credhub-ref', 'OTHER_ENV_VAR' => 'some-other-value')
+            end
+
+            it 'includes them along with the default container-level env vars' do
+              expect(builder.global_environment_variables).to contain_exactly(
+                ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG),
+                ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'WINDOWS_GMSA_CREDENTIAL_REF', value: 'some-credhub-ref'),
+                ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'OTHER_ENV_VAR', value: 'some-other-value')
+              )
+            end
+          end
+
+          context 'when there are NOT additional container-level env vars provided' do
+            it 'returns the default container-level env vars' do
+              expect(builder.global_environment_variables).to contain_exactly(::Diego::Bbs::Models::EnvironmentVariable.new(name: 'LANG', value: DEFAULT_LANG))
+            end
           end
         end