feat: add azure variant of ares golden image and update source repo#249
…ce repo

**Changed:**
- Pin setuptools to version <81 in the noPac venv to ensure pkg_resources is available for impacket compatibility, preventing import errors in privesc_tools Ansible role
- Update nimbus_range source in warpgate template to point to the new ares repository and checkout the feat/more-attack-cov branch for improved attack coverage
- Adjust file copy command in warpgate provisioner to correctly copy the ansible directory contents from the new repository layout

…late

**Changed:**
- Updated Azure VM size from Standard_D4s_v3 to Standard_D2as_v7 to optimize resource usage in the warpgate template
- Removed unused or redundant Azure target properties: resource_group, location, gallery, gallery_image_definition, os_type, and identity_id to streamline the template configuration

…and gpu support

**Added:**
- Clone and install nimbus_range red team Ansible collection from GitHub for attack tooling
- Install NVIDIA driver and CUDA toolkit to enable GPU-accelerated hashcat and tools
- Add shell provisioner to install all red team tools and Alloy telemetry agent via Ansible playbook
- Document required Azure quota and Kali marketplace terms for GPU and image provisioning in README

**Changed:**
- Switch base image from Ubuntu 22.04 LTS to kali-linux/kali/kali-last for red team parity
- Update warpgate.yaml metadata: bump version to 1.0.0, expand description, and add red team tags
- Refactor provisioners to use shell for Ansible playbook install due to Azure customizer length limits
- Update Azure target configuration to use GPU VM size (Standard_NC4as_T4_v3) and relevant tags
- README now describes feature parity with AWS AMI and lists included red team capabilities

**Removed:**
- Remove smoke.yml Ansible playbook and related minimal provisioning steps
- Drop prior Ubuntu-specific and smoke-test tags and metadata from warpgate.yaml
- Remove basic red team tool install from initial provisioner in favor of full toolchain setup

**Changed:**
- Set default vm_size to Standard_D4s_v3 for improved compatibility and cost efficiency; added a commented GPU option for reference in warpgate.yaml

…mplate

**Changed:**
- Updated Kali Marketplace plan in documentation to use `kali-2026-1` instead of `kali-last` for improved accuracy and consistency
  - README.md
- Changed the Azure VM image sku in the template configuration from `kali-last` to `kali-2026-1` to match the current marketplace offering
  - warpgate.yaml

**Changed:**
- Replace warpgate 'sources' and 'type: file' steps with a single shell provisioner that securely clones the nimbus_range repository using a git credential helper, avoiding token exposure and Azure Image Builder timeouts caused by copying large file trees. Updated inline documentation to explain rationale for the shell-based approach.
- Remove redundant file provisioner and adjust steps to clone, copy, and clean up the ansible collection in one sequence.

**Changed:**
- Bump WARPGATE_VERSION from v4.4.0 to v4.6.0 in build-and-push-templates.yaml, test-template-builds.yaml, and validate-templates.yaml to use latest Warpgate release in CI workflows
Pull request overview
Adds an Azure-specific “Ares golden image” Warpgate template and aligns the existing AWS golden image template to pull the nimbus_range Ansible collection from the unified dreadnode/ares repo, alongside bumping the Warpgate version used in CI workflows.
Changes:
- Added `ares-golden-azure` template (Warpgate YAML + README) to build/publish a Kali-based Azure golden image with the full toolchain and GPU support.
- Updated `ares-golden-image` (AWS) to source `nimbus_range` from `dreadnode/ares` (`feat/more-attack-cov`) and copy only the `ansible/` subtree into the collection path.
- Bumped CI workflows’ `WARPGATE_VERSION` from `v4.4.0` to `v4.6.0`.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| warpgate-templates/templates/ares-golden-image/warpgate.yaml | Switches nimbus_range source repo/ref and updates collection copy behavior to match the new repo layout. |
| warpgate-templates/templates/ares-golden-azure/warpgate.yaml | Introduces an Azure Image Builder template provisioning Ansible + the Ares toolchain, with Azure publishing configuration. |
| warpgate-templates/templates/ares-golden-azure/README.md | Documents Azure prerequisites and build invocation for the new template. |
| .github/workflows/validate-templates.yaml | Updates Warpgate version used for template validation. |
| .github/workflows/test-template-builds.yaml | Updates Warpgate version used for test builds. |
| .github/workflows/build-and-push-templates.yaml | Updates Warpgate version used for build/push pipeline. |
| version: latest | ||
|
|
||
| base: | ||
| image: kali-linux/kali/kali-last:latest |
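Review bot: `base.image` here is an Azure Marketplace publisher/offer/sku reference (`kali-linux/kali/kali-last`, the same Kali marketplace plan whose sku the commit messages above record changing to `kali-2026-1`), so `:latest` is a floating marketplace version and the `@sha256:` digest form suggested below is a container-registry convention that does not apply to a marketplace plan. Pin it by replacing `latest` with a specific marketplace image version, in whatever form the template schema accepts, and keep the sku in step with the `kali-2026-1` change so the README and template describe the same plan.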
base.image is using a floating :latest tag. All other warpgate templates in this repo pin base images by digest (e.g. ares-base, ares-cli, ares-golden-image), which improves reproducibility and avoids surprise rebuild diffs. Please pin this Kali base image to a specific digest (and optionally keep a human-readable tag alongside it if supported).
| image: kali-linux/kali/kali-last:latest | |
| image: kali-linux/kali/kali-last:latest@sha256:<REPLACE_WITH_VERIFIED_KALI_IMAGE_DIGEST> |
| targets: | ||
| - type: azure | ||
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | ||
| location: centralus | ||
| resource_group: WARPGATE-TEST-RG | ||
| gallery: warpgateTestGallery |
This template only defines an azure target. The repo CI workflows (e.g. test-template-builds.yaml / build-and-push-templates.yaml) assume non-AMI templates can be built as containers and will attempt warpgate build ... --registry ... --push unless explicitly skipped. As-is, this new template is likely to break those workflows. Either add a container target (if feasible) or update the workflows’ template discovery logic to skip templates that don’t include a container target (similar to the existing AMI-only skip).
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | ||
| location: centralus | ||
| resource_group: WARPGATE-TEST-RG | ||
| gallery: warpgateTestGallery | ||
| gallery_image_definition: ares-golden-azure | ||
| identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami | ||
| vm_size: Standard_D4s_v3 |
The Azure target configuration hard-codes a specific subscription ID, resource group, gallery name, and managed identity resource ID. This makes the template hard to reuse across environments and may unintentionally expose internal Azure identifiers in a public repo. Prefer parameterizing these fields via variables (e.g. ${AZURE_SUBSCRIPTION_ID}, ${AZURE_RESOURCE_GROUP}, ${AZURE_IDENTITY_ID}) and documenting the required values in the README, or clearly marking these as placeholders.
| subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 | |
| location: centralus | |
| resource_group: WARPGATE-TEST-RG | |
| gallery: warpgateTestGallery | |
| gallery_image_definition: ares-golden-azure | |
| identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami | |
| vm_size: Standard_D4s_v3 | |
| subscription_id: ${AZURE_SUBSCRIPTION_ID} | |
| location: ${AZURE_LOCATION} | |
| resource_group: ${AZURE_RESOURCE_GROUP} | |
| gallery: ${AZURE_GALLERY_NAME} | |
| gallery_image_definition: ares-golden-azure | |
| identity_id: ${AZURE_IDENTITY_ID} | |
| vm_size: ${AZURE_VM_SIZE} |
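As an added example (not code from this PR or from the warpgate project), a stdlib-only lint that implements the two checks raised in the comments above: whether a template declares a container target, so CI can decide whether to run the registry build/push at all, and which environment-specific Azure target fields are hard-coded literals rather than `${VAR}` placeholders. The sample templates are constructed from the values in the diff above, and the scanner assumes the two-space-indented YAML layout those templates use.

```python
import re
# Constructed sample templates (not the repo's files): the azure-only target from the PR
# diff, and the parameterized form the review suggests with a container target added.
AZURE_ONLY = """\
provisioners:
  - type: shell
targets:
  - type: azure
    subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02
    location: centralus
    resource_group: WARPGATE-TEST-RG
    gallery: warpgateTestGallery
    gallery_image_definition: ares-golden-azure
    identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami
"""
PARAMETERIZED = AZURE_ONLY.split("targets:")[0] + """targets:
  - type: container
  - type: azure
    subscription_id: ${AZURE_SUBSCRIPTION_ID}
    resource_group: ${AZURE_RESOURCE_GROUP}
    gallery_image_definition: ares-golden-azure
    identity_id: ${AZURE_IDENTITY_ID}
"""
ENV_FIELDS = {"subscription_id", "location", "resource_group", "gallery", "identity_id"}  # must be ${VAR}
PLACEHOLDER = re.compile(r"^\$\{[A-Z0-9_]+\}$")
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?(\w+):\s*(.+?)\s*$")

def top_level_section(text, key):
    """Lines of the top-level `key:` mapping (stdlib-only scan; assumes indented YAML)."""
    lines, inside = [], False
    for line in text.splitlines():
        if inside and line and not line[0].isspace():
            break  # the next top-level key ends the section
        if inside:
            lines.append(line)
        elif line.rstrip() == key + ":":
            inside = True
    return lines

def target_entries(text):
    """(key, value) pairs found under `targets:`; provisioner `type:` lines are never included."""
    return [(m.group(1), m.group(2)) for m in map(KEY_VALUE.match, top_level_section(text, "targets")) if m]

def needs_container_build(text):
    """CI should run `warpgate build --registry ... --push` only when a container target exists."""
    return ("type", "container") in target_entries(text)

def hardcoded_env_fields(text):
    """Environment-specific target fields given as literals instead of ${VAR} placeholders."""
    return [(k, v) for k, v in target_entries(text) if k in ENV_FIELDS and not PLACEHOLDER.match(v)]
```

Run `hardcoded_env_fields` over each `warpgate.yaml` in a validate step to fail the build when an internal identifier is committed, and `needs_container_build` in the discovery step to skip azure-only templates.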
| # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) | ||
| - type: shell | ||
| inline: | ||
| - apt-get update | ||
| - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree |
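Review bot: the `apt-get install` here runs without `DEBIAN_FRONTEND=noninteractive`, so any debconf prompt raised while configuring `nvidia-driver` or `firmware-misc-nonfree` stalls the Azure Image Builder customizer until it times out instead of failing fast; export it (or set it through the provisioner's environment, if the schema supports one) ahead of the apt-get calls, and do the same in the later driver/CUDA step referenced in the comment below.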
This step installs nvidia-driver/firmware, but the later CUDA step also installs nvidia-driver again alongside headers/dkms/CUDA. This duplication increases build time and failure surface. Consider consolidating into a single install step (or keep this step as only a probe like nvidia-smi without installing packages twice).
| # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) | |
| - type: shell | |
| inline: | |
| - apt-get update | |
| - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree | |
| # Probe for NVIDIA tooling during image build; the actual driver/CUDA | |
| # installation happens later in a single consolidated step. | |
| - type: shell | |
| inline: |
| Provisioned manually (one-time): | ||
|
|
||
| - Resource group `warpgate-test-rg` in `eastus` | ||
| - Compute Gallery `warpgateTestGallery` | ||
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | ||
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | ||
| - User-assigned managed identity `warpgate-aib-uami` | ||
| with Contributor on `warpgate-test-rg` |
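Review bot: `Contributor` on `warpgate-test-rg` for the `warpgate-aib-uami` identity is broader than an image build needs, since Contributor can modify or delete every resource in the group, including the gallery and the image versions already published to it. Document a custom role limited to the image and gallery actions Azure Image Builder requires instead, and state that role here so the prerequisites describe a least-privilege setup rather than a blanket grant.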
The prerequisites here don’t match the checked-in template values: README says resource group warpgate-test-rg in eastus, while warpgate.yaml uses resource_group: WARPGATE-TEST-RG and location: centralus. Please align the README with the template (or explicitly state which values are examples/placeholders and where they must match).
| Provisioned manually (one-time): | |
| - Resource group `warpgate-test-rg` in `eastus` | |
| - Compute Gallery `warpgateTestGallery` | |
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | |
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | |
| - User-assigned managed identity `warpgate-aib-uami` | |
| with Contributor on `warpgate-test-rg` | |
| Provisioned manually (one-time). These values match the checked-in | |
| `warpgate.yaml` and should be kept in sync if the template values change: | |
| - Resource group `WARPGATE-TEST-RG` in `centralus` | |
| - Compute Gallery `warpgateTestGallery` | |
| - Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, | |
| publisher=`dreadnode`, offer=`ares`, sku=`golden`) | |
| - User-assigned managed identity `warpgate-aib-uami` | |
| with Contributor on `WARPGATE-TEST-RG` |
|
|
||
| env: | ||
| WARPGATE_VERSION: "v4.4.0" | ||
| WARPGATE_VERSION: "v4.6.0" |
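Review bot: bumping `WARPGATE_VERSION` alone leaves any other place in this workflow that embeds the version as a literal (the schema download noted in the comment below is one) free to drift; derive such URLs from `$WARPGATE_VERSION` inside the step rather than adding a second literal, because the proposed `WARPGATE_SCHEMA_URL` still hard-codes `v4.6.0` and will need the same manual bump next time. Also confirm that the host in that proposed URL (`warp-tech/warpgate`) is the repository this workflow already downloads the schema from; the existing `schema_url` host is elided in the comment, so the suggestion cannot be checked against it as written.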
WARPGATE_VERSION was bumped to v4.6.0, but the JSON schema download later in this workflow is still hard-coded to v4.4.0 (schema_url = .../v4.4.0/schema/warpgate-template.json). This can lead to misleading schema validation warnings/errors when templates use fields added/changed in newer versions. Consider constructing schema_url from WARPGATE_VERSION (or updating it to v4.6.0) so schema validation stays in sync.
| WARPGATE_VERSION: "v4.6.0" | |
| WARPGATE_VERSION: "v4.6.0" | |
| WARPGATE_SCHEMA_URL: "https://raw.githubusercontent.com/warp-tech/warpgate/v4.6.0/schema/warpgate-template.json" |
| sources: | ||
| - name: nimbus_range | ||
| git: | ||
| repository: https://github.com/dreadnode/ansible-collection-nimbus_range.git | ||
| repository: https://github.com/dreadnode/ares.git | ||
| ref: feat/more-attack-cov | ||
| depth: 1 |
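Review bot: `ref: feat/more-attack-cov` with `depth: 1` tracks a mutable feature branch, so every build silently takes whatever that branch points at, bakes it into the golden image, and breaks once the branch is merged or deleted. Pin `ref` to a commit SHA or tag of `dreadnode/ares` and bump it deliberately, or state in the README that the template intentionally follows the branch until that work merges.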
The sources entry is still named nimbus_range, but it now clones dreadnode/ares.git. This is confusing when reading/debugging template sources (and differs from other templates that name the source after the repo, e.g. ares-cli). Consider renaming the source to ares (or similar) and updating ${sources.*} references accordingly, while keeping the destination path /tmp/nimbus_range if you want to preserve the collection path semantics.
Key Changes:

Added:
- `ares-golden-azure` directory containing `README.md` and `warpgate.yaml` to provide an Azure-specific variant of the Ares golden image. This includes documentation, provisioning steps, NVIDIA GPU support, and red-team tool installation using the nimbus_range Ansible collection. The template supports publishing to Azure Compute Gallery with all required resource and identity settings.

Changed:
- `ares-golden-image/warpgate.yaml` to pull the nimbus_range collection from the `dreadnode/ares` repository at the `feat/more-attack-cov` branch instead of the old repository, ensuring alignment with Azure and consolidated feature set.
- `ansible` subdirectory from the source repo into the target Ansible collection path, matching the new repo structure and preventing unnecessary files from being copied.