Merge pull request #1800 from mboersma/windows-password-generation

k8s-ci-robot · web-flow · commit e3c2f5536994 · 2025-07-04T02:23:26.000-07:00
Force setting windows_admin_password for OVA and Nutanix
diff --git a/images/capi/Makefile b/images/capi/Makefile
@@ -467,7 +467,7 @@ SCALEWAY_VALIDATE_TARGETS	:= $(addprefix validate-,$(SCALEWAY_BUILD_NAMES))
 $(NODE_OVA_LOCAL_BUILD_TARGETS): deps-ova set-ssh-password
     # This uses a packer file builder to input unattend variables into a JSON file to be consumed by the python script before running the vmware-iso provisioner
 	$(if $(findstring windows,$@),$(PACKER) build $(PACKER_WINDOWS_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-,,$@).json)" -only=file $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-windows.json,)
-	$(if $(findstring windows,$@),hack/windows-ova-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-local-,,$@)/autounattend.xml',)
+	$(if $(findstring windows,$@),hack/windows-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-local-,,$@)/autounattend.xml',)
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-,,$@).json)" -except=vsphere -only=vmware-iso $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-$(if $(findstring windows,$@),windows,node).json
 
 .PHONY: $(NODE_OVA_LOCAL_VALIDATE_TARGETS)
@@ -486,7 +486,7 @@ $(NODE_OVA_LOCAL_BASE_BUILD_TARGETS): deps-ova set-ssh-password
 $(NODE_OVA_VSPHERE_BUILD_TARGETS): deps-ova set-ssh-password
     # This uses a packer file builder to input unattend variables into a JSON file to be consumed by the python script before running the vsphere provisioner
 	$(if $(findstring windows,$@),$(PACKER) build $(PACKER_WINDOWS_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-,,$@).json)" -only=file $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-windows.json,)
-	$(if $(findstring windows,$@),hack/windows-ova-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-vsphere-,,$@)/autounattend.xml',)
+	$(if $(findstring windows,$@),hack/windows-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-vsphere-,,$@)/autounattend.xml',)
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS))  -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-,,$@).json)" -var-file="packer/ova/vsphere.json"  -except=local -only=vsphere-iso $(ABSOLUTE_PACKER_VAR_FILES) -only=vsphere packer/ova/packer-$(if $(findstring windows,$@),windows,node).json
 
 .PHONY: $(NODE_OVA_VSPHERE_BASE_BUILD_TARGETS)
@@ -624,6 +624,8 @@ $(NUTANIX_BUILD_TARGETS): deps-nutanix set-ssh-password
 	$(eval NUTANIX_USERDATA:=$(shell cat $(abspath packer/nutanix/linux/cloud-init/$(subst -,/,$(if $(findstring ubuntu,$@),$(call GET_UBUNTU_DOTTED_SEMVER,$(subst build-nutanix-,,$@)),$(subst build-nutanix-,,$@)))/user-data) | base64 -w0))
 	$(eval NUTANIX_VAR_FILE:=$(abspath packer/nutanix/$(subst build-nutanix-,,$@).json))
 	jq '.user_data = "$(NUTANIX_USERDATA)"' $(NUTANIX_VAR_FILE) > $(NUTANIX_VAR_FILE).templated && mv $(NUTANIX_VAR_FILE).templated $(NUTANIX_VAR_FILE)
+	# This uses a packer file builder to input unattend variables into a JSON file to be consumed by the python script before running the nutanix provisioner
+	$(if $(findstring windows,$@),hack/windows-unattend.py --unattend-file='./packer/nutanix/windows/$(subst build-nutanix-,,$@)/autounattend.xml',)
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/nutanix/nutanix.json" -var-file="$(abspath packer/nutanix/$(subst build-nutanix-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/nutanix/packer$(if $(findstring windows,$@),-windows,).json
 
 .PHONY: $(NUTANIX_VALIDATE_TARGETS)
diff --git a/images/capi/hack/windows-unattend.py b/images/capi/hack/windows-unattend.py
@@ -48,7 +48,7 @@ def main():
                         help='The Unattend file')
     args = parser.parse_args()
 
-    print("windows-ova-unattend: cd %s" % args.build_dir)
+    print("windows-unattend: cd %s" % args.build_dir)
 
     # Load the packer manifest JSON
     data = None
@@ -61,26 +61,32 @@ def main():
     ET.register_namespace('', "urn:schemas-microsoft-com:unattend")
     ET.register_namespace('wcm', "http://schemas.microsoft.com/WMIConfig/2002/State")
     ET.register_namespace('xsi', "http://www.w3.org/2001/XMLSchema-instance")
-    
+
     root = unattend.getroot()
 
     if data.get("unattend_timezone"):
       modified=1
       setting = set_xmlstring(root, ".//*[@pass='oobeSystem']/*[@name='Microsoft-Windows-Shell-Setup']",'{urn:schemas-microsoft-com:unattend}TimeZone', data["unattend_timezone"])
-      print("windows-ova-unattend: Setting Timezone to %s" % data["unattend_timezone"])
-    
-    admin_password = data.get("admin_password")
-    if admin_password:
+      print("windows-unattend: Setting Timezone to %s" % data["unattend_timezone"])
+
+    # Setting a windows_admin_password is required
+    BAD_PASSWORD = "S3cr3t0!"
+    admin_password = os.environ.get("WINDOWS_ADMIN_PASSWORD") or data.get("admin_password")
+    if not admin_password:
+      raise ValueError("windows-unattend: No administrator password set, please set the environment variable WINDOWS_ADMIN_PASSWORD or provide it in the unattend.json file")
+    elif admin_password == BAD_PASSWORD:
+      raise ValueError("windows-unattend: The administrator password \"%s\" is disallowed, please set the environment variable WINDOWS_ADMIN_PASSWORD to a different value or provide it in the unattend.json file" % BAD_PASSWORD)
+    else:
       modified=1
       set_xmlstring(root, ".//*[@pass='oobeSystem']/*[@name='Microsoft-Windows-Shell-Setup']/{*}UserAccounts/{*}AdministratorPassword",'{urn:schemas-microsoft-com:unattend}Value', admin_password)
       set_xmlstring(root, ".//*[@pass='oobeSystem']/*[@name='Microsoft-Windows-Shell-Setup']/{*}AutoLogon/{*}Password",'{urn:schemas-microsoft-com:unattend}Value', admin_password)
-      print("windows-ova-unattend: Setting Administrator Password")
+      print("windows-unattend: Setting Administrator Password")
 
     if modified == 1:
-      print("windows-ova-unattend: Updating %s ..." % args.unattend_file)
+      print("windows-unattend: Updating %s ..." % args.unattend_file)
       unattend.write(args.unattend_file)
     else:
-      print("windows-ova-unattend: skipping...")
+      print("windows-unattend: skipping...")
 
 if __name__ == "__main__":
     main()
diff --git a/images/capi/packer/nutanix/packer-windows.json b/images/capi/packer/nutanix/packer-windows.json
@@ -45,7 +45,7 @@
         "subnet_name": "{{user `nutanix_subnet_name`}}"
       },
       "winrm_insecure": true,
-      "winrm_password": "S3cr3t0!",
+      "winrm_password": "{{user `windows_admin_password`}}",
       "winrm_port": 5986,
       "winrm_timeout": "4h",
       "winrm_use_ssl": true,
diff --git a/images/capi/packer/nutanix/windows/windows-2022/autounattend.xml b/images/capi/packer/nutanix/windows/windows-2022/autounattend.xml
@@ -1,3 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
 <!--*************************************************
 Windows Server 2019 Answer File Generator
 Created using Windows AFG found at:
@@ -6,8 +7,6 @@ Created using Windows AFG found at:
 Installation Notes:
 - This file need to be adapted based on your needs
 **************************************************-->
-
-<?xml version="1.0" encoding="utf-8"?>
 <unattend xmlns="urn:schemas-microsoft-com:unattend">
     <settings pass="windowsPE">
         <component name="Microsoft-Windows-PnpCustomizationsWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
@@ -141,7 +140,7 @@ Installation Notes:
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </Password>
                 <Enabled>true</Enabled>
@@ -248,7 +247,7 @@ Installation Notes:
             <TimeZone>Pacific Standard Time</TimeZone>
             <UserAccounts>
                 <AdministratorPassword>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </AdministratorPassword>
                 <LocalAccounts>
diff --git a/images/capi/packer/ova/packer-windows.json b/images/capi/packer/ova/packer-windows.json
@@ -261,7 +261,7 @@
     "output_dir": "./output/{{user `build_version`}}",
     "prepull": null,
     "unattend_timezone": "Pacific Standard Time",
-    "windows_admin_password": "S3cr3t0!",
+    "windows_admin_password": "{{user `windows_admin_password`}}",
     "windows_service_manager": null,
     "windows_updates_categories": null,
     "windows_updates_kbs": null
diff --git a/images/capi/packer/ova/windows/windows-2019-efi/autounattend.xml b/images/capi/packer/ova/windows/windows-2019-efi/autounattend.xml
@@ -121,7 +121,7 @@ Installation Notes:
         </component>
     </settings>
     <settings pass="specialize">
-        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" 
+        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <RunSynchronous>
@@ -169,7 +169,7 @@ Installation Notes:
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </Password>
                 <Enabled>true</Enabled>
@@ -251,7 +251,7 @@ Installation Notes:
             <TimeZone>Pacific Standard Time</TimeZone>
             <UserAccounts>
                 <AdministratorPassword>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </AdministratorPassword>
                 <LocalAccounts>
diff --git a/images/capi/packer/ova/windows/windows-2019/autounattend.xml b/images/capi/packer/ova/windows/windows-2019/autounattend.xml
@@ -113,7 +113,7 @@ Installation Notes:
         </component>
     </settings>
     <settings pass="specialize">
-        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" 
+        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <RunSynchronous>
@@ -161,7 +161,7 @@ Installation Notes:
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </Password>
                 <Enabled>true</Enabled>
@@ -243,7 +243,7 @@ Installation Notes:
             <TimeZone>Pacific Standard Time</TimeZone>
             <UserAccounts>
                 <AdministratorPassword>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </AdministratorPassword>
                 <LocalAccounts>
diff --git a/images/capi/packer/ova/windows/windows-2022-efi/autounattend.xml b/images/capi/packer/ova/windows/windows-2022-efi/autounattend.xml
@@ -121,7 +121,7 @@ Installation Notes:
         </component>
     </settings>
     <settings pass="specialize">
-        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" 
+        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <RunSynchronous>
@@ -169,7 +169,7 @@ Installation Notes:
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </Password>
                 <Enabled>true</Enabled>
@@ -251,7 +251,7 @@ Installation Notes:
             <TimeZone>Pacific Standard Time</TimeZone>
             <UserAccounts>
                 <AdministratorPassword>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </AdministratorPassword>
                 <LocalAccounts>
diff --git a/images/capi/packer/ova/windows/windows-2022/autounattend.xml b/images/capi/packer/ova/windows/windows-2022/autounattend.xml
@@ -113,7 +113,7 @@ Installation Notes:
         </component>
     </settings>
     <settings pass="specialize">
-        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" 
+        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <RunSynchronous>
@@ -161,7 +161,7 @@ Installation Notes:
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <AutoLogon>
                 <Password>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </Password>
                 <Enabled>true</Enabled>
@@ -243,7 +243,7 @@ Installation Notes:
             <TimeZone>Pacific Standard Time</TimeZone>
             <UserAccounts>
                 <AdministratorPassword>
-                    <Value>S3cr3t0!</Value>
+                    <Value></Value>
                     <PlainText>true</PlainText>
                 </AdministratorPassword>
                 <LocalAccounts>
