feat: add azure variant of ares golden image and update source repo #249
…ce repo

**Changed:**
- Pin setuptools to version <81 in the noPac venv to ensure pkg_resources is available for impacket compatibility, preventing import errors in the privesc_tools Ansible role
- Update nimbus_range source in warpgate template to point to the new ares repository and check out the feat/more-attack-cov branch for improved attack coverage
- Adjust file copy command in warpgate provisioner to correctly copy the ansible directory contents from the new repository layout

…late

**Changed:**
- Updated Azure VM size from Standard_D4s_v3 to Standard_D2as_v7 to optimize resource usage in the warpgate template
- Removed unused or redundant Azure target properties: resource_group, location, gallery, gallery_image_definition, os_type, and identity_id to streamline the template configuration

…and gpu support

**Added:**
- Clone and install nimbus_range red team Ansible collection from GitHub for attack tooling
- Install NVIDIA driver and CUDA toolkit to enable GPU-accelerated hashcat and tools
- Add shell provisioner to install all red team tools and Alloy telemetry agent via Ansible playbook
- Document required Azure quota and Kali marketplace terms for GPU and image provisioning in README

**Changed:**
- Switch base image from Ubuntu 22.04 LTS to kali-linux/kali/kali-last for red team parity
- Update warpgate.yaml metadata: bump version to 1.0.0, expand description, and add red team tags
- Refactor provisioners to use shell for Ansible playbook install due to Azure customizer length limits
- Update Azure target configuration to use GPU VM size (Standard_NC4as_T4_v3) and relevant tags
- README now describes feature parity with AWS AMI and lists included red team capabilities

**Removed:**
- Remove smoke.yml Ansible playbook and related minimal provisioning steps
- Drop prior Ubuntu-specific and smoke-test tags and metadata from warpgate.yaml
- Remove basic red team tool install from initial provisioner in favor of full toolchain setup

**Changed:**
- Set default vm_size to Standard_D4s_v3 for improved compatibility and cost efficiency; added a commented GPU option for reference in warpgate.yaml

…mplate

**Changed:**
- Updated Kali Marketplace plan in documentation to use `kali-2026-1` instead of `kali-last` for improved accuracy and consistency
  - README.md
- Changed the Azure VM image sku in the template configuration from `kali-last` to `kali-2026-1` to match the current marketplace offering
  - warpgate.yaml

**Changed:**
- Replace warpgate 'sources' and 'type: file' steps with a single shell provisioner that securely clones the nimbus_range repository using a git credential helper, avoiding token exposure and Azure Image Builder timeouts caused by copying large file trees. Updated inline documentation to explain the rationale for the shell-based approach.
- Remove redundant file provisioner and adjust steps to clone, copy, and clean up the ansible collection in one sequence.
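The credential-helper clone this commit describes, as an added shell example that is not the PR's own provisioner: it contrasts a token-in-URL clone with a helper that reads `GITHUB_TOKEN` from the environment at call time, and checks that nothing leaked into the clone. The repository URL, destination path and the `GITHUB_TOKEN` variable name are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's provisioner. Shows why a git credential helper
# keeps a build token out of argv, shell history and the clone's .git/config,
# compared with embedding it in the clone URL. URLs below are placeholders.
set -eu

# Anti-pattern for comparison: the token becomes part of the URL, so it is
# visible in `ps`, in build logs that echo commands, and in remote.origin.url.
insecure_url() {
  printf 'https://x-access-token:%s@github.com/example-org/example.git' "$1"
}

# Detect userinfo (anything between '://' and '@') in a remote URL.
# Returns 0 when credentials are embedded, 1 when the URL is clean.
url_has_embedded_secret() {
  case "$1" in
    *://*@*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Helper handed to git via -c for one command only. The leading '!' makes git
# run it as a shell snippet; $GITHUB_TOKEN stays a literal name here and is
# expanded only inside the helper process, so the token never appears in argv.
helper_config() {
  printf '%s' '!f() { printf "username=x-access-token\npassword=%s\n" "$GITHUB_TOKEN"; }; f'
}

# Run the helper the way git does ("get" action) with the token supplied via
# the environment, returning the password line so the wiring is testable offline.
helper_password_line() {
  cfg=$(helper_config)
  GITHUB_TOKEN="$1" sh -c "${cfg#!} get" </dev/null | sed -n '2p'
}

# Build-time clone: credentials come only from the helper, `git -c` does not
# persist the helper into the new repo's config, and a final grep fails the
# build if the token ever landed on disk (requires GITHUB_TOKEN exported).
secure_clone() {
  git -c "credential.helper=$(helper_config)" clone --depth 1 "$1" "$2"
  ! grep -qF -- "$GITHUB_TOKEN" "$2/.git/config"
}

# Offline demonstration; secure_clone is left for the real build step.
if url_has_embedded_secret "$(insecure_url ghp_constructed_example)"; then
  echo "URL form leaks the token into argv and remote.origin.url"
fi
helper_password_line constructed-example-token   # prints: password=constructed-example-token
```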
**Changed:**
- Bump WARPGATE_VERSION from v4.4.0 to v4.6.0 in build-and-push-templates.yaml, test-template-builds.yaml, and validate-templates.yaml to use the latest Warpgate release in CI workflows
Pull request overview
Adds an Azure-specific “Ares golden image” Warpgate template and aligns the existing AWS golden image template to pull the nimbus_range Ansible collection from the unified dreadnode/ares repo, alongside bumping the Warpgate version used in CI workflows.
Changes:
- Added `ares-golden-azure` template (Warpgate YAML + README) to build/publish a Kali-based Azure golden image with the full toolchain and GPU support.
- Updated `ares-golden-image` (AWS) to source `nimbus_range` from `dreadnode/ares` (`feat/more-attack-cov`) and copy only the `ansible/` subtree into the collection path.
- Bumped CI workflows' `WARPGATE_VERSION` from `v4.4.0` to `v4.6.0`.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| warpgate-templates/templates/ares-golden-image/warpgate.yaml | Switches nimbus_range source repo/ref and updates collection copy behavior to match the new repo layout. |
| warpgate-templates/templates/ares-golden-azure/warpgate.yaml | Introduces an Azure Image Builder template provisioning Ansible + the Ares toolchain, with Azure publishing configuration. |
| warpgate-templates/templates/ares-golden-azure/README.md | Documents Azure prerequisites and build invocation for the new template. |
| .github/workflows/validate-templates.yaml | Updates Warpgate version used for template validation. |
| .github/workflows/test-template-builds.yaml | Updates Warpgate version used for test builds. |
| .github/workflows/build-and-push-templates.yaml | Updates Warpgate version used for build/push pipeline. |
| version: latest | ||
| base: | ||
| image: kali-linux/kali/kali-last:latest |
base.image is using a floating :latest tag. All other warpgate templates in this repo pin base images by digest (e.g. ares-base, ares-cli, ares-golden-image), which improves reproducibility and avoids surprise rebuild diffs. Please pin this Kali base image to a specific digest (and optionally keep a human-readable tag alongside it if supported).
| image: kali-linux/kali/kali-last:latest | |
| image: kali-linux/kali/kali-last:latest@sha256:<REPLACE_WITH_VERIFIED_KALI_IMAGE_DIGEST> |
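Review bot: the suggested pin on line 2 keeps the moving `kali-last` tag in front of the digest, so the readable half of the reference will drift away from what the digest actually identifies as Kali rolls forward, which defeats the point of keeping a tag alongside it. Pair the digest with a dated tag instead (the later commits standardize on `kali-2026-1`), and note in a comment how the digest was obtained so a reviewer can re-verify it against the marketplace image before merging.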
| targets: | ||
| - type: azure | ||
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | ||
| location: centralus | ||
| resource_group: WARPGATE-TEST-RG | ||
| gallery: warpgateTestGallery |
This template only defines an azure target. The repo CI workflows (e.g. test-template-builds.yaml / build-and-push-templates.yaml) assume non-AMI templates can be built as containers and will attempt warpgate build ... --registry ... --push unless explicitly skipped. As-is, this new template is likely to break those workflows. Either add a container target (if feasible) or update the workflows’ template discovery logic to skip templates that don’t include a container target (similar to the existing AMI-only skip).
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | ||
| location: centralus | ||
| resource_group: WARPGATE-TEST-RG | ||
| gallery: warpgateTestGallery | ||
| gallery_image_definition: ares-golden-azure | ||
| identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami | ||
| vm_size: Standard_D4s_v3 |
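Review bot: `identity_id` on line 6 repeats the subscription GUID from line 1 and spells the resource group `warpgate-test-rg` while line 3 uses `WARPGATE-TEST-RG`. Azure compares resource group names case-insensitively, so this works today, but when these fields are parameterized the identity path should either be passed whole or be composed from the same subscription and resource-group variables, so the two cannot silently point at different scopes.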
The Azure target configuration hard-codes a specific subscription ID, resource group, gallery name, and managed identity resource ID. This makes the template hard to reuse across environments and may unintentionally expose internal Azure identifiers in a public repo. Prefer parameterizing these fields via variables (e.g. ${AZURE_SUBSCRIPTION_ID}, ${AZURE_RESOURCE_GROUP}, ${AZURE_IDENTITY_ID}) and documenting the required values in the README, or clearly marking these as placeholders.
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | |
| location: centralus | |
| resource_group: WARPGATE-TEST-RG | |
| gallery: warpgateTestGallery | |
| gallery_image_definition: ares-golden-azure | |
| identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami | |
| vm_size: Standard_D4s_v3 | |
| subscription_id: ${AZURE_SUBSCRIPTION_ID} | |
| location: ${AZURE_LOCATION} | |
| resource_group: ${AZURE_RESOURCE_GROUP} | |
| gallery: ${AZURE_GALLERY_NAME} | |
| gallery_image_definition: ares-golden-azure | |
| identity_id: ${AZURE_IDENTITY_ID} | |
| vm_size: ${AZURE_VM_SIZE} |
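Review bot: every target field in the suggested block is an unexpanded `${...}` reference with no default, so the validate-templates workflow, which only needs a syntax check, will fail on missing variables unless placeholder values are exported in that job. `${AZURE_VM_SIZE}` on line 14 also deserves a documented default and an allowed list in the README, because the NVIDIA provisioning steps further down the template assume an NC-series T4 size and have nothing to attach to on a CPU-only size.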
| # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) | ||
| - type: shell | ||
| inline: | ||
| - apt-get update | ||
| - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree |
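Review bot: line 5 installs `nvidia-driver` with `--no-install-recommends`, but on Debian-based Kali the kernel module is built through dkms and the matching kernel headers are pulled in only as a Recommends, so this invocation leaves dkms with nothing to build against. If this step survives the consolidation suggested in the comment below, install the headers for the running kernel in the same step (`linux-headers-$(uname -r)` or Kali's headers meta-package) before `nvidia-driver`, and treat a failed module build as a build failure rather than discovering it at first boot.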
This step installs nvidia-driver/firmware, but the later CUDA step also installs nvidia-driver again alongside headers/dkms/CUDA. This duplication increases build time and failure surface. Consider consolidating into a single install step (or keep this step as only a probe like nvidia-smi without installing packages twice).
| # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) | |
| - type: shell | |
| inline: | |
| - apt-get update | |
| - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree | |
| # Probe for NVIDIA tooling during image build; the actual driver/CUDA | |
| # installation happens later in a single consolidated step. | |
| - type: shell | |
| inline: |
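Review bot: the suggested replacement ends with an empty `inline:` list on line 9, and a probe such as `nvidia-smi` placed at this point runs before any driver exists, so it can only fail or do nothing. Either delete this provisioner outright and let the consolidated CUDA step own both the install and a post-install `nvidia-smi` check, or move the probe after that step and make it fail the build when the driver is missing, so a broken GPU image is caught in the builder rather than on the range.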
| Provisioned manually (one-time): | ||
| - Resource group `warpgate-test-rg` in `eastus` | ||
| - Compute Gallery `warpgateTestGallery` | ||
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | ||
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | ||
| - User-assigned managed identity `warpgate-aib-uami` | ||
| with Contributor on `warpgate-test-rg` |
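Review bot: lines 9 and 10 grant the user-assigned identity Contributor on the resource group, which is broader than Azure Image Builder needs. Microsoft's guidance provisions a custom role limited to the image and gallery write actions for exactly this identity, so document (or script) that narrower role here; the build identity's credentials live in the CI environment, and a least-privilege role caps what a compromised pipeline can do with them. The role assignment should also state the scope it is made at, since the README and the template currently disagree on the resource group name.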
The prerequisites here don’t match the checked-in template values: README says resource group warpgate-test-rg in eastus, while warpgate.yaml uses resource_group: WARPGATE-TEST-RG and location: centralus. Please align the README with the template (or explicitly state which values are examples/placeholders and where they must match).
| Provisioned manually (one-time): | |
| - Resource group `warpgate-test-rg` in `eastus` | |
| - Compute Gallery `warpgateTestGallery` | |
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | |
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | |
| - User-assigned managed identity `warpgate-aib-uami` | |
| with Contributor on `warpgate-test-rg` | |
| Provisioned manually (one-time). These values match the checked-in | |
| `warpgate.yaml` and should be kept in sync if the template values change: | |
| - Resource group `WARPGATE-TEST-RG` in `centralus` | |
| - Compute Gallery `warpgateTestGallery` | |
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | |
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | |
| - User-assigned managed identity `warpgate-aib-uami` | |
| with Contributor on `WARPGATE-TEST-RG` |
| env: | ||
| WARPGATE_VERSION: "v4.4.0" | ||
| WARPGATE_VERSION: "v4.6.0" |
WARPGATE_VERSION was bumped to v4.6.0, but the JSON schema download later in this workflow is still hard-coded to v4.4.0 (schema_url = .../v4.4.0/schema/warpgate-template.json). This can lead to misleading schema validation warnings/errors when templates use fields added/changed in newer versions. Consider constructing schema_url from WARPGATE_VERSION (or updating it to v4.6.0) so schema validation stays in sync.
| WARPGATE_VERSION: "v4.6.0" | |
| WARPGATE_VERSION: "v4.6.0" | |
| WARPGATE_SCHEMA_URL: "https://raw.githubusercontent.com/warp-tech/warpgate/v4.6.0/schema/warpgate-template.json" |
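Review bot: the suggested `WARPGATE_SCHEMA_URL` on line 3 hard-codes `v4.6.0` a second time, recreating the drift the comment is trying to remove. Workflow-level `env:` values cannot reference the `env` context, so compose the URL in the step that downloads the schema from `${{ env.WARPGATE_VERSION }}` instead. Also check the repository in that URL: `warp-tech/warpgate` is the unrelated SSH/HTTPS bastion project, while the commits on this PR attribute the `local` source type to CowDogMoo/warpgate#1841, so the schema should be fetched from the project the CI binary actually comes from.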
| sources: | ||
| - name: nimbus_range | ||
| git: | ||
| repository: https://github.com/dreadnode/ansible-collection-nimbus_range.git | ||
| repository: https://github.com/dreadnode/ares.git | ||
| ref: feat/more-attack-cov | ||
| depth: 1 |
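Review bot: `ref: feat/more-attack-cov` on line 6 is a mutable branch, so two builds of the same template can ship different collection contents, and `depth: 1` leaves no history in the image to reconstruct which commit was baked in. Pin a commit SHA (or a tag) for the golden image and bump it deliberately, or, as the later `local` source change does, take the tree from the repository checkout so the image always matches the reviewed commit.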
The sources entry is still named nimbus_range, but it now clones dreadnode/ares.git. This is confusing when reading/debugging template sources (and differs from other templates that name the source after the repo, e.g. ares-cli). Consider renaming the source to ares (or similar) and updating ${sources.*} references accordingly, while keeping the destination path /tmp/nimbus_range if you want to preserve the collection path semantics.
…r filtering

**Added:**
- Parameterized Azure resource values in ares-golden-azure template and README to use environment variables, making the template reusable across subscriptions and environments
- Documented required environment variables and provided explicit export instructions in the ares-golden-azure README

**Changed:**
- Updated container filtering logic in build-and-push-templates and test-template-builds workflows to generically skip all non-container templates (not just AMI-only), enhancing clarity and flexibility in matrix construction and test selection
- Improved echo/log messaging in workflows to reflect generalized template skipping
- Synchronized schema validation in validate-templates workflow to pin schema version dynamically from the WARPGATE_VERSION environment variable, ensuring validator and schema stay in lockstep
- Updated ares-golden-azure warpgate.yaml to use a specific Kali rolling image by digest for reproducibility and security
- Consolidated NVIDIA driver and CUDA installation steps in ares-golden-azure warpgate.yaml for more robust GPU support and moved all GPU-related provisioning to a single shell provisioner
- Made VM size, subscription, and identity parameters in ares-golden-azure warpgate.yaml fully dynamic via env vars, with documentation for both GPU and CPU build scenarios
- Renamed sources.nimbus_range to sources.ares in ares-golden-image warpgate.yaml and clarified comments to match new repo and collection name, while retaining the destination directory for compatibility

**Removed:**
- Eliminated hardcoded Azure resource identifiers and static example values from the ares-golden-azure template and README, reducing risk of misconfiguration and improving portability
- Removed redundant NVIDIA driver installation provisioner in ares-golden-azure warpgate.yaml in favor of a unified approach

…ation

**Added:**
- Introduced placeholder values for Azure and GitHub environment variables in the warpgate validation job to allow syntax-only checks without requiring real secrets or IDs

**Changed:**
- Bump WARPGATE_VERSION from v4.6.0 to v4.7.0 in build-and-push-templates, test-template-builds, and validate-templates workflows
- Update yamllint configuration in validate-templates workflow to use the project-wide .hooks/linters/yamllint.yaml for consistent linting and reduced log noise

…4.7.0 (#265)

**Key Changes:**
- Replace git-based source for ares-golden-image with a warpgate `local` source pointing at the in-repo `ansible/` tree, eliminating GITHUB_TOKEN usage and branch ref drift at build time
- Bump WARPGATE_VERSION from v4.6.0 to v4.7.0 across all three template workflows so CI uses a binary that supports the `local` source type
- Adjust the in-VM collection copy path to match the new source layout (`/tmp/nimbus_range/.` instead of `/tmp/nimbus_range/ansible/.`)

**Changed:**
- Switch `warpgate-templates/templates/ares-golden-image/warpgate.yaml` from a `git` source (cloning dreadnode/ares.git@feat/more-attack-cov via GITHUB_TOKEN) to a `local` source at `../../../ansible`, so builds always match the working copy and ship only the ansible tree
- Update the post-copy provisioner shell step to `cp -r /tmp/nimbus_range/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/` to reflect that the local source is rooted at `ansible/` rather than the full repo
- Bump `WARPGATE_VERSION` to `v4.7.0` in `.github/workflows/build-and-push-templates.yaml`, `.github/workflows/test-template-builds.yaml`, and `.github/workflows/validate-templates.yaml`, since the `local` source type was added in CowDogMoo/warpgate#1841 and released in v4.7.0
- Refresh the inline comments in `warpgate.yaml` to describe the local-source setup instead of the prior secure-clone behavior
Key Changes:

Added:
- `ares-golden-azure` directory containing `README.md` and `warpgate.yaml` to provide an Azure-specific variant of the Ares golden image. This includes documentation, provisioning steps, NVIDIA GPU support, and red-team tool installation using the nimbus_range Ansible collection. The template supports publishing to Azure Compute Gallery with all required resource and identity settings.

Changed:
- `ares-golden-image/warpgate.yaml` to pull the nimbus_range collection from the `dreadnode/ares` repository at the `feat/more-attack-cov` branch instead of the old repository, ensuring alignment with Azure and consolidated feature set.
- Copy only the `ansible` subdirectory from the source repo into the target Ansible collection path, matching the new repo structure and preventing unnecessary files from being copied.