From dbfd9d423c4c319e87da5e689e782d70ac807f7a Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Wed, 29 Apr 2026 23:05:02 -0600 Subject: [PATCH 01/10] fix: pin setuptools version for impacket and update nimbus_range source repo **Changed:** - Pin setuptools to version <81 in the noPac venv to ensure pkg_resources is available for impacket compatibility, preventing import errors in privesc_tools Ansible role - Update nimbus_range source in warpgate template to point to the new ares repository and checkout the feat/more-attack-cov branch for improved attack coverage - Adjust file copy command in warpgate provisioner to correctly copy the ansible directory contents from the new repository layout --- warpgate-templates/templates/ares-golden-image/warpgate.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-image/warpgate.yaml b/warpgate-templates/templates/ares-golden-image/warpgate.yaml index bd18b1bd..73dfdb59 100644 --- a/warpgate-templates/templates/ares-golden-image/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-image/warpgate.yaml @@ -36,7 +36,8 @@ base: sources: - name: nimbus_range git: - repository: https://github.com/dreadnode/ansible-collection-nimbus_range.git + repository: https://github.com/dreadnode/ares.git + ref: feat/more-attack-cov depth: 1 auth: token: ${GITHUB_TOKEN} @@ -60,7 +61,7 @@ provisioners: - type: shell inline: - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range - - cp -r /tmp/nimbus_range/* /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ + - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range # Install NVIDIA drivers for GPU-accelerated hashcat on g4dn (T4 GPU) From 4c7f325f73f8f2e9eeac3fe1d956f02615633a0d Mon Sep 17 00:00:00 2001 
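Review bot: The added `ref: feat/more-attack-cov` under `sources[0].git` builds the golden image from a moving feature branch, so two builds of the same template can bake in different playbooks and tools, all of which run as root during provisioning. Pin the source to an immutable reference and bump it deliberately, e.g. `ref: <RELEASE_TAG_OR_COMMIT_SHA>` (placeholder; confirm that warpgate's `ref` accepts a SHA together with `depth: 1`). The same branch name is repeated in the `sources` block added to ares-golden-azure in PATCH 05 and in the `git clone --branch` command in PATCH 09. The commit message also describes a setuptools pin that is not part of this diff; presumably it lives in the ares repository.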
From: Jayson Grace Date: Wed, 29 Apr 2026 17:26:17 -0600 Subject: [PATCH 02/10] feat: add Azure golden image template --- .../templates/ares-golden-azure/README.md | 29 ++++++++++ .../ares-golden-azure/playbooks/smoke.yml | 24 ++++++++ .../templates/ares-golden-azure/warpgate.yaml | 58 +++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 warpgate-templates/templates/ares-golden-azure/README.md create mode 100644 warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml create mode 100644 warpgate-templates/templates/ares-golden-azure/warpgate.yaml diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md new file mode 100644 index 00000000..8094df9a --- /dev/null +++ b/warpgate-templates/templates/ares-golden-azure/README.md @@ -0,0 +1,29 @@ +# ares-golden-azure + +Azure variant of the Ares golden image. Builds an Ubuntu 22.04 LTS image via Azure +VM Image Builder and publishes a version into the `warpgateTestGallery` Compute +Gallery. + +This template is intentionally lighter than `ares-golden-image` (the AMI variant) — +its purpose is to prove the warpgate Azure pipeline works end-to-end. It exercises: + +- shell customizer +- ansible customizer (with auto-bootstrap of ansible-core) +- gallery image version publish + +## Prerequisites + +Provisioned manually (one-time): + +- Resource group `warpgate-test-rg` in `eastus` +- Compute Gallery `warpgateTestGallery` +- Image definition `ares-golden-azure` (Linux, Generalized, HyperV V2, + publisher=`dreadnode`, offer=`ares`, sku=`golden`) +- User-assigned managed identity `warpgate-aib-uami` + with Contributor on `warpgate-test-rg` + +## Build + +```bash +warpgate build path/to/ares-golden-azure --target azure +``` diff --git a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml new file mode 100644 index 00000000..388e33a7 --- /dev/null 
+++ b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml @@ -0,0 +1,24 @@ +--- +- hosts: localhost + connection: local + gather_facts: true + become: true + tasks: + - name: Confirm ansible bootstrap reached the target + ansible.builtin.copy: + dest: /etc/ares-ansible-stamp + mode: '0644' + content: | + ansible_bootstrap_ok=true + host={{ ansible_hostname }} + os_family={{ ansible_os_family }} + distribution={{ ansible_distribution }} {{ ansible_distribution_version }} + + - name: Install a representative red-team CLI tool (nmap) + ansible.builtin.apt: + name: + - nmap + - tcpdump + - net-tools + state: present + update_cache: true diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml new file mode 100644 index 00000000..76395d57 --- /dev/null +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
@@ -0,0 +1,58 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json +metadata: + name: ares-golden-azure + version: 0.1.0 + description: Azure variant of the Ares golden image. Proves the Azure VM Image Builder + Compute Gallery pipeline end-to-end. + author: Dreadnode + license: MIT + tags: + - ares + - golden-image + - azure + - smoke-test + requires: + warpgate: '>=1.0.0' + +name: ares-golden-azure +version: latest + +base: + image: Canonical/0001-com-ubuntu-server-jammy/22_04-lts-gen2:latest + +provisioners: + - type: shell + inline: + - apt-get update + - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx + - pipx ensurepath + - echo "ares-golden-azure base packages installed at $(date -u)" | tee /etc/ares-build-stamp + + - type: ansible + playbook_path: ./playbooks/smoke.yml + + - type: shell + inline: + - echo "ares-golden-azure provisioning complete" | tee -a /etc/ares-build-stamp + - apt-get clean + - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +targets: + - type: azure + subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 + resource_group: warpgate-test-rg + location: eastus + gallery: warpgateTestGallery + gallery_image_definition: ares-golden-azure + vm_size: Standard_D4s_v3 + os_type: Linux + identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + source_image: + marketplace: + publisher: Canonical + offer: 0001-com-ubuntu-server-jammy + sku: 22_04-lts-gen2 + version: latest + image_tags: + Project: ares + ManagedBy: warpgate + Variant: azure-smoke-test From acdecb4e22d5205cf9680c50528c658f6b8d8770 Mon Sep 17 00:00:00 2001 
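Review bot: `subscription_id` and the full `identity_id` resource path under `targets` are hard-coded to one Azure subscription, which publishes environment-specific identifiers with the template and ties every consumer to that environment. The sibling ares-golden-image template already uses `${GITHUB_TOKEN}`-style substitution, so the same mechanism would presumably work here, e.g. `subscription_id: ${AZURE_SUBSCRIPTION_ID}` (variable name constructed for illustration). The later hunks in PATCH 03 and PATCH 04 keep the literal values. Separately, `version: latest` on the marketplace `source_image` means the base OS is whatever the publisher had released at build time; a fixed image version would make the build reproducible.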
From: Jayson Grace Date: Wed, 29 Apr 2026 23:07:36 -0600 Subject: [PATCH 03/10] fix: update azure vm_size and remove unused target properties in template **Changed:** - Updated Azure VM size from Standard_D4s_v3 to Standard_D2as_v7 to optimize resource usage in the warpgate template - Removed unused or redundant Azure target properties: resource_group, location, gallery, gallery_image_definition, os_type, and identity_id to streamline the template configuration --- .../templates/ares-golden-azure/warpgate.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 76395d57..206046f4 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -39,13 +39,7 @@ provisioners: targets: - type: azure subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 - resource_group: warpgate-test-rg - location: eastus - gallery: warpgateTestGallery - gallery_image_definition: ares-golden-azure - vm_size: Standard_D4s_v3 - os_type: Linux - identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + vm_size: Standard_D2as_v7 source_image: marketplace: publisher: Canonical From 86968e0cc9b7332181a51c2d904bfe7e9160db64 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 11:20:06 -0600 Subject: [PATCH 04/10] fix: update azure vm_size in warpgate template --- .../templates/ares-golden-azure/warpgate.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 206046f4..e6307ea6 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
+++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -22,6 +22,8 @@ base: provisioners: - type: shell inline: + - cloud-init status --wait || true + - rm -rf /var/lib/apt/lists/* - apt-get update - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx - pipx ensurepath @@ -39,7 +41,12 @@ provisioners: targets: - type: azure subscription_id: 70a9c8a4-6bc6-4a48-ae24-27996cea8c02 - vm_size: Standard_D2as_v7 + location: centralus + resource_group: WARPGATE-TEST-RG + gallery: warpgateTestGallery + gallery_image_definition: ares-golden-azure + identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami + vm_size: Standard_L2aos_v4 source_image: marketplace: publisher: Canonical From 535946bf7d28d3a193f1e2dfaa3ce540b717287f Mon Sep 17 00:00:00 2001 
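Review bot: `cloud-init status --wait || true` in the first shell provisioner discards a failed or degraded cloud-init run, so the following `apt-get` steps can execute on a VM that never finished initialising, and the build log gives no hint why. If continuing is intended, at least record the state, e.g. `cloud-init status --wait || cloud-init status --long || true`. In the second hunk, `resource_group: WARPGATE-TEST-RG` differs in case from the `warpgate-test-rg` segment of `identity_id` and from the README. Azure compares resource group names case-insensitively, but a single spelling avoids surprises in scripts that compare the strings.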
From: Jayson Grace Date: Thu, 30 Apr 2026 12:26:04 -0600 Subject: [PATCH 05/10] feat: upgrade ares-golden-azure to kali with full red team toolchain and gpu support **Added:** - Clone and install nimbus_range red team Ansible collection from GitHub for attack tooling - Install NVIDIA driver and CUDA toolkit to enable GPU-accelerated hashcat and tools - Add shell provisioner to install all red team tools and Alloy telemetry agent via Ansible playbook - Document required Azure quota and Kali marketplace terms for GPU and image provisioning in README **Changed:** - Switch base image from Ubuntu 22.04 LTS to kali-linux/kali/kali-last for red team parity - Update warpgate.yaml metadata: bump version to 1.0.0, expand description, and add red team tags - Refactor provisioners to use shell for Ansible playbook install due to Azure customizer length limits - Update Azure target configuration to use GPU VM size (Standard_NC4as_T4_v3) and relevant tags - README now describes feature parity with AWS AMI and lists included red team capabilities **Removed:** - Remove smoke.yml Ansible playbook and related minimal provisioning steps - Drop prior Ubuntu-specific and smoke-test tags and metadata from warpgate.yaml - Remove basic red team tool install from initial provisioner in favor of full toolchain setup --- .../templates/ares-golden-azure/README.md | 19 +++-- .../ares-golden-azure/playbooks/smoke.yml | 24 ------ .../templates/ares-golden-azure/warpgate.yaml | 82 +++++++++++++++---- 3 files changed, 78 insertions(+), 47 deletions(-) delete mode 100644 warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md index 8094df9a..76daf53c 100644 --- a/warpgate-templates/templates/ares-golden-azure/README.md +++ b/warpgate-templates/templates/ares-golden-azure/README.md 
@@ -1,15 +1,17 @@ # ares-golden-azure -Azure variant of the Ares golden image. Builds an Ubuntu 22.04 LTS image via Azure +Azure variant of the Ares golden image. Builds a Kali Linux image via Azure VM Image Builder and publishes a version into the `warpgateTestGallery` Compute -Gallery. +Gallery, with feature parity against the AWS `ares-golden-image` AMI. -This template is intentionally lighter than `ares-golden-image` (the AMI variant) — -its purpose is to prove the warpgate Azure pipeline works end-to-end. It exercises: +Ships the same red-team toolchain installed by +`ansible/playbooks/ares/goad_attack_box.yml`: -- shell customizer -- ansible customizer (with auto-bootstrap of ansible-core) -- gallery image version publish +- recon, credential access, privilege escalation +- password cracking (hashcat from source, GPU-accelerated) +- lateral movement, ACL abuse, coercion +- Alloy telemetry agent +- NVIDIA driver + CUDA toolkit for T4 GPU acceleration ## Prerequisites @@ -21,6 +23,9 @@ Provisioned manually (one-time): publisher=`dreadnode`, offer=`ares`, sku=`golden`) - User-assigned managed identity `warpgate-aib-uami` with Contributor on `warpgate-test-rg` +- Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family) +- Kali Marketplace terms accepted on the subscription: + `az vm image terms accept --publisher kali-linux --offer kali --plan kali-last` ## Build diff --git a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml b/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml deleted file mode 100644 index 388e33a7..00000000 --- a/warpgate-templates/templates/ares-golden-azure/playbooks/smoke.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -- hosts: localhost - connection: local - gather_facts: true - become: true - tasks: - - name: Confirm ansible bootstrap reached the target - ansible.builtin.copy: - dest: /etc/ares-ansible-stamp - mode: '0644' - content: | - ansible_bootstrap_ok=true - host={{ ansible_hostname }} - os_family={{ ansible_os_family }} - distribution={{ ansible_distribution }} {{ ansible_distribution_version }} - - - name: Install a representative red-team CLI tool (nmap) - ansible.builtin.apt: - name: - - nmap - - tcpdump - - net-tools - state: present - update_cache: true diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index e6307ea6..18960ff1 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -1,15 +1,22 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/cowdogmoo/warpgate/main/schema/warpgate-template.json metadata: name: ares-golden-azure - version: 0.1.0 - description: Azure variant of the Ares golden image. Proves the Azure VM Image Builder + Compute Gallery pipeline end-to-end. + version: 1.0.0 + description: Azure variant of the Ares golden image with all red team tools - recon, credential access, privesc, cracking, lateral movement, ACL abuse, and coercion author: Dreadnode license: MIT tags: - ares - golden-image - azure - - smoke-test + - red-team + - reconnaissance + - credential-access + - privilege-escalation + - password-cracking + - lateral-movement + - acl + - coercion requires: warpgate: '>=1.0.0' 
@@ -17,26 +24,68 @@ name: ares-golden-azure version: latest base: - image: Canonical/0001-com-ubuntu-server-jammy/22_04-lts-gen2:latest + image: kali-linux/kali/kali-last:latest + +sources: + - name: nimbus_range + git: + repository: https://github.com/dreadnode/ares.git + ref: feat/more-attack-cov + depth: 1 + auth: + token: ${GITHUB_TOKEN} provisioners: + # Install pipx and Ansible - type: shell inline: - - cloud-init status --wait || true - - rm -rf /var/lib/apt/lists/* - apt-get update - - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl jq python3 python3-pip python3-venv pipx + - apt-get install -y --no-install-recommends ca-certificates git procps sudo python3-apt python3-pip python3-venv pipx + - 'sed -i ''s|^PATH="|PATH="/root/.local/bin:/root/.cargo/bin:|'' /etc/environment || echo ''PATH="/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'' > /etc/environment' + - pipx install --force uv + - pipx install --force ansible-core - pipx ensurepath - - echo "ares-golden-azure base packages installed at $(date -u)" | tee /etc/ares-build-stamp - - type: ansible - playbook_path: ./playbooks/smoke.yml + # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands) + - type: file + source: ${sources.nimbus_range} + destination: /tmp/nimbus_range + + - type: shell + inline: + - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range + - cp -r /tmp/nimbus_range/ansible/. 
/root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ + - rm -rf /tmp/nimbus_range + + # Install NVIDIA drivers for GPU-accelerated hashcat on NCas T4 v3 (T4 GPU) + - type: shell + inline: + - apt-get update + - apt-get install -y --no-install-recommends nvidia-driver firmware-misc-nonfree + - nvidia-smi || echo "nvidia-smi not available during image build (expected if no GPU attached)" + + # Attack Box - all red team tools + Alloy telemetry + # NOTE: Using shell instead of ansible provisioner because the playbook + # exceeds Azure VM Image Builder's customizer length limit when inlined. + - type: shell + inline: + - PATH=/root/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-galaxy collection install -r /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/requirements.yml --force + - HOME=/root ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER PATH=/root/.local/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ansible-playbook /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/playbooks/ares/goad_attack_box.yml -i localhost, -c local -e ansible_shell_executable=/bin/bash -e ansible_python_interpreter=/usr/bin/python3 -e cracking_tools_gpu_support=true -e cracking_tools_hashcat_from_source=true -e cracking_tools_nvidia_opencl_icd=true + + # NVIDIA GPU drivers + CUDA toolkit for hashcat GPU acceleration. + # Kernel headers + dkms are required so the nvidia module builds for the + # running kernel. The image then works on GPU instances (e.g. NCas T4 v3) + # without manual driver setup. 
+ - type: shell + inline: + - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver nvidia-cuda-toolkit + # Cleanup - type: shell inline: - - echo "ares-golden-azure provisioning complete" | tee -a /etc/ares-build-stamp - apt-get clean - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + - echo "Ares golden azure build completed successfully" targets: - type: azure @@ -46,14 +95,15 @@ targets: gallery: warpgateTestGallery gallery_image_definition: ares-golden-azure identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami - vm_size: Standard_L2aos_v4 + vm_size: Standard_NC4as_T4_v3 source_image: marketplace: - publisher: Canonical - offer: 0001-com-ubuntu-server-jammy - sku: 22_04-lts-gen2 + publisher: kali-linux + offer: kali + sku: kali-last version: latest image_tags: Project: ares + Role: RedTeamAttackBox ManagedBy: warpgate - Variant: azure-smoke-test + Tools: recon,credential-access,privesc,cracker,lateral-movement,acl-abuse,coercion From 3258b2f354cd8de18086146b8c6bd1c6b44fcb68 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 12:33:24 -0600 Subject: [PATCH 06/10] fix: update vm_size to Standard_D4s_v3 for ares-golden-azure template **Changed:** - Set default vm_size to Standard_D4s_v3 for improved compatibility and cost efficiency; added a commented GPU option for reference in warpgate.yaml --- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 18960ff1..2ebb79f8 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml 
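Review bot: `nvidia-driver` is installed twice in this hunk: once before the playbook without `DEBIAN_FRONTEND=noninteractive`, kernel headers or `dkms`, and again in the last provisioner, whose own comment says headers and dkms are required for the module to build. The first install may therefore leave an unbuilt module or block on an interactive prompt, and the playbook's GPU options (`cracking_tools_gpu_support=true`) then run against that state. Consider a single step ahead of the playbook: `DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends linux-headers-$(uname -r) dkms nvidia-driver firmware-misc-nonfree nvidia-cuda-toolkit`. `linux-headers-$(uname -r)` matches only the build VM's kernel, so if the image later boots a newer kernel the module has to be rebuilt; a kernel-tracking headers metapackage such as `linux-headers-amd64` is worth evaluating. `ANSIBLE_REMOTE_TMP=/tmp/ansible-tmp-$USER` also assumes `$USER` is set in the customizer shell.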
@@ -95,7 +95,9 @@ targets: gallery: warpgateTestGallery gallery_image_definition: ares-golden-azure identity_id: /subscriptions/70a9c8a4-6bc6-4a48-ae24-27996cea8c02/resourcegroups/warpgate-test-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/warpgate-aib-uami - vm_size: Standard_NC4as_T4_v3 + vm_size: Standard_D4s_v3 + # For GPU: + # vm_size: Standard_NC4as_T4_v3 source_image: marketplace: publisher: kali-linux From 1076e35e9a08f053af0d48a1b3d124cde608b4c5 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 12:45:00 -0600 Subject: [PATCH 07/10] fix: update kali marketplace plan and sku to kali-2026-1 for azure template **Changed:** - Updated Kali Marketplace plan in documentation to use `kali-2026-1` instead of `kali-last` for improved accuracy and consistency - README.md - Changed the Azure VM image sku in the template configuration from `kali-last` to `kali-2026-1` to match the current marketplace offering - warpgate.yaml --- warpgate-templates/templates/ares-golden-azure/README.md | 2 +- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/warpgate-templates/templates/ares-golden-azure/README.md b/warpgate-templates/templates/ares-golden-azure/README.md index 76daf53c..e47df0ae 100644 --- a/warpgate-templates/templates/ares-golden-azure/README.md +++ b/warpgate-templates/templates/ares-golden-azure/README.md @@ -25,7 +25,7 @@ Provisioned manually (one-time): with Contributor on `warpgate-test-rg` - Quota for `Standard_NC4as_T4_v3` in `centralus` (T4 GPU family) - Kali Marketplace terms accepted on the subscription: - `az vm image terms accept --publisher kali-linux --offer kali --plan kali-last` + `az vm image terms accept --publisher kali-linux --offer kali --plan kali-2026-1` ## Build diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 2ebb79f8..e80dd968 100644 
--- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -102,7 +102,7 @@ targets: marketplace: publisher: kali-linux offer: kali - sku: kali-last + sku: kali-2026-1 version: latest image_tags: Project: ares From 336b62e6135707ada18274bdf14501aeab82f084 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 13:03:34 -0600 Subject: [PATCH 08/10] fix: update warpgate template --- warpgate-templates/templates/ares-golden-azure/warpgate.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index e80dd968..6e162a23 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -104,6 +104,10 @@ targets: offer: kali sku: kali-2026-1 version: latest + plan: + name: kali-2026-1 + product: kali + publisher: kali-linux image_tags: Project: ares Role: RedTeamAttackBox From 5fc9aee76b9904b62180f16a353a155b5dbcd929 Mon Sep 17 00:00:00 2001 From: Jayson Grace Date: Thu, 30 Apr 2026 15:43:55 -0600 Subject: [PATCH 09/10] fix: streamline ansible collection clone to avoid azure build timeouts **Changed:** - Replace warpgate 'sources' and 'type: file' steps with a single shell provisioner that securely clones the nimbus_range repository using a git credential helper, avoiding token exposure and Azure Image Builder timeouts caused by copying large file trees. Updated inline documentation to explain rationale for the shell-based approach. - Remove redundant file provisioner and adjust steps to clone, copy, and clean up the ansible collection in one sequence. --- .../templates/ares-golden-azure/warpgate.yaml | 25 ++++++------------- 1 file changed, 7 insertions(+), 18 deletions(-) 
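Review bot: `sku: kali-2026-1` now disagrees with `base.image: kali-linux/kali/kali-last:latest` at the top of the same file, which this series never updates (it is still present as context in PATCH 09). If warpgate resolves the Azure source from `base.image` anywhere, the build could use a different SKU than the one whose Marketplace terms the README tells operators to accept. Align the two, e.g. `image: kali-linux/kali/kali-2026-1:latest`, and consider replacing `version: latest` with a fixed image version so rebuilds are reproducible.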
diff --git a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml index 6e162a23..5bfa20c0 100644 --- a/warpgate-templates/templates/ares-golden-azure/warpgate.yaml +++ b/warpgate-templates/templates/ares-golden-azure/warpgate.yaml @@ -26,17 +26,13 @@ version: latest base: image: kali-linux/kali/kali-last:latest -sources: - - name: nimbus_range - git: - repository: https://github.com/dreadnode/ares.git - ref: feat/more-attack-cov - depth: 1 - auth: - token: ${GITHUB_TOKEN} - provisioners: - # Install pipx and Ansible + # Install pipx + Ansible, then fetch the nimbus_range collection on the build VM. + # We re-clone in shell rather than using warpgate's `sources` + `type: file` + # pattern (see ares-golden-image) because Azure Image Builder expands `type: file` + # into one customizer per file and times out on the 2000+ file ansible/ tree. + # Token is passed via a credential helper so it never appears in the clone URL + # or AIB customizer logs; ref tracks the AMI variant. - type: shell inline: - apt-get update @@ -45,14 +41,7 @@ provisioners: - pipx install --force uv - pipx install --force ansible-core - pipx ensurepath - - # Copy ansible collection from source (cloned securely by warpgate without embedding token in shell commands) - - type: file - source: ${sources.nimbus_range} - destination: /tmp/nimbus_range - - - type: shell - inline: + - GITHUB_TOKEN=${GITHUB_TOKEN} git -c 'credential.helper=!f() { echo username=x-access-token; echo password=$GITHUB_TOKEN; }; f' clone --depth 1 --branch feat/more-attack-cov https://github.com/dreadnode/ares.git /tmp/nimbus_range - mkdir -p /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range - cp -r /tmp/nimbus_range/ansible/. /root/.ansible/collections/ansible_collections/dreadnode/nimbus_range/ - rm -rf /tmp/nimbus_range From 9541bfaf10c439c343f433168c0c352c3dc94673 Mon Sep 17 00:00:00 2001 
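Review bot: The new comment states that the token never appears in the clone URL or AIB customizer logs, but the added command begins with `GITHUB_TOKEN=${GITHUB_TOKEN} git -c 'credential.helper=…' clone`, which appears to work only if warpgate substitutes the real token into the inline script before it is submitted. If so, the secret becomes part of the Azure Image Builder template resource and of any log that echoes customizer commands, which is what the removed `sources` comment ("without embedding token in shell commands") avoided. Reword the comment to state what is actually guaranteed (the token stays out of the clone URL and out of `.git/config`), and check a rendered template and `customization.log` to confirm whether the value is visible. Until that is verified, use a short-lived token scoped read-only to this one repository and rotate it after builds. The clone in the second hunk also tracks the `feat/more-attack-cov` branch rather than a fixed commit.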
From: Jayson Grace Date: Thu, 30 Apr 2026 16:31:56 -0600 Subject: [PATCH 10/10] ci: update Warpgate version to v4.6.0 in GitHub Actions workflows **Changed:** - Bump WARPGATE_VERSION from v4.4.0 to v4.6.0 in build-and-push-templates.yaml, test-template-builds.yaml, and validate-templates.yaml to use latest Warpgate release in CI workflows --- .github/workflows/build-and-push-templates.yaml | 2 +- .github/workflows/test-template-builds.yaml | 2 +- .github/workflows/validate-templates.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-push-templates.yaml b/.github/workflows/build-and-push-templates.yaml index 54c6f300..63535b4d 100644 --- a/.github/workflows/build-and-push-templates.yaml +++ b/.github/workflows/build-and-push-templates.yaml @@ -30,7 +30,7 @@ env: PYTHON_VERSION: 3.13.7 TASK_VERSION: 3.45.5 TASK_X_REMOTE_TASKFILES: 1 - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" jobs: discover-templates: diff --git a/.github/workflows/test-template-builds.yaml b/.github/workflows/test-template-builds.yaml index 0a086e53..8d34e217 100644 --- a/.github/workflows/test-template-builds.yaml +++ b/.github/workflows/test-template-builds.yaml @@ -24,7 +24,7 @@ concurrency: env: DEBIAN_FRONTEND: noninteractive PYTHON_VERSION: "3.13.7" - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" jobs: detect-changes: diff --git a/.github/workflows/validate-templates.yaml b/.github/workflows/validate-templates.yaml index 911f72e9..35bed776 100644 --- a/.github/workflows/validate-templates.yaml +++ b/.github/workflows/validate-templates.yaml @@ -21,7 +21,7 @@ on: workflow_dispatch: env: - WARPGATE_VERSION: "v4.4.0" + WARPGATE_VERSION: "v4.6.0" PYTHON_VERSION: "3.13.7" TASK_VERSION: "3.45.5" TASK_X_REMOTE_TASKFILES: 1