You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
✨ feat(security): add Windows VM support and Secret-based cloud-init storage
Implement comprehensive Windows VM support and enhance security through
unified Kubernetes Secret storage for all VM credentials and initialization data.
**Windows VM Support:**
- Add Cloudbase-Init support for Windows VMs (pwsh shell)
- Shell-based OS detection: bash → Linux, pwsh → Windows
- OS-specific cloud-init generation (Linux: bcrypt, Windows: plaintext)
- Cloudbase-Init plugin configuration and troubleshooting guide
**Security Enhancements:**
- Unified Kubernetes Secret storage for SSH credentials + cloud-init userdata
- Use UserDataSecretRef to reference cloud-init from Secret (no inline userdata)
- Passwords never visible in VM specs (kubectl describe vmi)
- Secret cleanup in garbage collection (gc.go) to prevent accumulation
- Secret cleanup in job cleanup phase (cleanup.go)
**Testing & Documentation:**
- Add comprehensive test suite (security_test.go) with 20+ sub-tests
- Test coverage: password generation, bcrypt hashing, Linux/Windows cloud-init
- Update README with Windows configuration examples and requirements
- Document Secret structure and security benefits
**Backward Compatibility:**
- Zero breaking changes - existing Linux configs work unchanged
- CreateSSHSecret maintained as backward-compatible alias
Orphaned VMs are automatically tagged with TTL labels for cleanup:
127
+
Orphaned VMs are automatically tagged with TTL labels for cleanup. The garbage collector automatically deletes both VMs and their associated credential Secrets (containing SSH credentials and cloud-init data):
128
128
129
129
```bash
130
130
# List VMs with their expiration info
131
131
kubectl get vmi -n gitlab-runner -l io.kubevirt.gitlab-runner/id --show-labels
132
132
133
-
# Manual cleanup of expired VMs
133
+
# Manual cleanup of expired VMs (also deletes associated Secrets)
**Note:** Garbage collection cleans up both VirtualMachineInstances and their credential Secrets (containing SSH credentials and cloud-init userdata) to prevent Secret accumulation.
144
+
143
145
**Automated cleanup** with CronJob:
144
146
145
147
```yaml
@@ -180,6 +182,210 @@ The container image includes both `gitlab-runner` (standard GitLab Runner) and `
180
182
181
183
**Note:** When using the GitLab Runner Helm chart with custom executor configuration, you don't need to set this variable as the executor directly calls `/bin/gitlab-runner-kubevirt`.
182
184
185
+
### Security
186
+
187
+
#### SSH Credential Management
188
+
189
+
GitLab Runner KubeVirt uses a secure credential management system to protect SSH access to VMs:
190
+
191
+
**Automatic Security Features:**
192
+
193
+
1. **Unique Random Passwords**: Each VM receives a cryptographically secure 32-character random password
194
+
2. **Kubernetes Secrets**: Credentials and cloud-init data stored in RBAC-protected Secrets (not plaintext in VM specs)
195
+
3. **Cloud-init Injection**: Cloud-init userdata stored as Secret, referenced by VM (passwords never visible in VM objects)
196
+
4. **Automatic Cleanup**: Secrets automatically deleted when VMs are cleaned up
197
+
5. **No Plaintext Storage**: Passwords never stored in VM annotations, logs, or VM specifications
198
+
199
+
**How it works:**
200
+
201
+
```
202
+
Prepare Phase:
203
+
1. Generate random password (crypto/rand)
204
+
2. Generate cloud-init with bcrypt-hashed password (Linux) or plaintext (Windows)
205
+
3. Create Kubernetes Secret with:
206
+
- SSH username and password (for Run phase)
207
+
- Cloud-init userdata (for VM initialization)
208
+
4. Create VM with Secret reference (not inline userdata)
209
+
5. Store only Secret reference in VM annotation
210
+
211
+
Run Phase:
212
+
1. Retrieve Secret reference from VM annotation
213
+
2. Fetch SSH credentials from Kubernetes Secret
214
+
3. Connect to VM via SSH
215
+
216
+
Cleanup Phase:
217
+
1. Retrieve Secret reference from VM annotation
218
+
2. Delete Kubernetes Secret (removes both SSH creds and cloud-init data)
219
+
3. Delete VM
220
+
```
221
+
222
+
**RBAC Requirements:**
223
+
224
+
The GitLab Runner service account requires these permissions for Secret management:
0 commit comments