In this setup we integrate the secrets exercise with GCP GKE and let pods consume secrets from the GCP Secret manager. If you want to know more about integrating secrets with GKE, check this link. Please make sure that the account in which you run this exercise has either Cloud Audit Logs enabled, or is not linked to your current organization and/or DTAP environment.
Have the following tools installed:
- gcloud CLI - Installation
- Tfenv (Optional) - Installation
- Terraform CLI - Installation
- Wget - Installation
- Helm Installation
- Kubectl Installation
- jq Installation
Make sure you have an active account at GCP for which you have configured the credentials on the system where you will execute the steps below.
Please note that this setup relies on bash scripts that have been tested in MacOS and Linux. We have no intention of supporting vanilla Windows at the moment.
If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform gcs backend.
First, create an storage bucket:
- Check whether you have the right project by doing
gcloud config list. Otherwise configure it by doinggcloud init. - Change the
project_idin theterraform.tfvarsfile to your project id - Run
gcloud auth application-default loginto be able to use your account credentials for terraform. - Navigate to the 'shared-state' directory
cd shared-state - Run
terraform init - Run
terraform apply.
The bucket name should be in the output. Please use that to configure the Terraform gcs backend in main.tf.
Note: Applying the Terraform means you are creating cloud infrastructure which actually costs you money. The authors are not responsible for any cost coming from following the instructions below. If you have a brand new GCP account, you could use the $300 in credits to set up the infrastructure for free.
Note-II: We create resources in europe-west4 by default. You can set the region by editing terraform.tfvars.
Note-III: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
- Check whether you have the right project by doing
gcloud config list. Otherwise configure it by doinggcloud init. - Change the
project_idin theterraform.tfvarsfile to your project id - Run
gcloud auth application-default loginto be able to use your account credentials for terraform. - Enable the required gcloud services using
gcloud services enable compute.googleapis.com container.googleapis.com secretmanager.googleapis.com - Run
terraform init(if required, use tfenv to select TF 0.14.0 or higher ) - Run
terraform plan - Run
terraform apply. Note: the apply will take 10 to 20 minutes depending on the speed of the GCP backplane. - Run
export USE_GKE_GCLOUD_AUTH_PLUGIN=True - When creation is done, run
gcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION. Note if it errors on a missing plugin to supportkubectl, then rungcloud components install gke-gcloud-auth-pluginandgcloud container clusters get-credentials wrongsecrets-exercise-cluster --region YOUR_REGION. - Run
./build-and-deploy-gcp.sh
Your GKE cluster should be visible in EU-West4 by default. Want a different region? You can modify terraform.tfvars or input it directly using the region variable in plan/apply.
Are you done playing? Please run terraform destroy twice to clean up.
When you have completed the installation steps, you can do kubectl port-forward service/wrongsecrets-balancer 3000:3000 and then go to http://localhost:3000.
Want to know how well your cluster is holding up? Check with
kubectl top nodes
kubectl top podsYou can use the Juiceshop CTF CLI to generate CTFd configuration files.
Follow the following steps:
npm install -g [email protected]
juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.Now visit the CTFd instance and setup your CTF. To test things locally before setting up a load balancer/ingress, you can use kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "app.kubernetes.io/name=ctfd,app.kubernetes.io/instance=ctfd" -o jsonpath="{.items[0].metadata.name}") 8000:8000 and go to localhost:8000 to visit CTFd.
!!NOTE: The following can be dangerous if you use CTFd >= 3.5.0 with wrongsecrets < 1.5.11. Check the challenges.json and make sure it's 1-indexed - a 0-indexed file will break CTFd! /NOTE!!
Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command. After that you will still need to override the flags with their actual values if you do use the 2-domain configuration. For a guide on how to do this see the 2-domain setup steps in the general README Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
Want to make the CTFD instance look pretty? Include the fragment located at ./k8s/ctfd_resources/index_fragment.html in your index.html via the admin panel.
If you want to share with others go to the When you want to share your environment with others (experimental) section.
In the front page of the application you can edit the description to reference the right urls and the desplayed image. Use the following:
helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
--set="balancer.env.REACT_APP_MOVING_GIF_LOGO=<>" \
--set="balancer.env.REACT_APP_HEROKU_WRONGSECRETS_URL=<>" \
--set="balancer.env.REACT_APP_CTFD_URL='<>'" \For a guide on how to use the monitoring setup, see the monitoring guide.
When you're done:
- Kill the port forward.
- Run
terraform destroyto clean up the infrastructure. Note that you may need to repeat the destroy to fully clean up. - If you've used the shared state,
cdto theshared-statefolder and runterraform destroythere too. - Run
rm terraform.tf*to remove local state files.
- Does your worker node now have access as well?
- Can you easily obtain the AKS managed identity of the Node?
- Can you get the secrets in the Key vault? Which paths do you see?
We added additional scripts for adding a Load Balancer and ingress so that you can use your cloud setup with multiple people. Do the following:
- Follow the installation section first.
- Run
./k8s-nginx-lb-script.shand the script will return the url at which you can reach the application. (Be aware this opens the url's to the internet in general, if you'd like to limit the access please do this using the security groups in gcp) - When you are done, before you do cleanup, first run
./k8s-nginx-lb-script-cleanup.sh.
Note that you might have to do some manual cleanups after that.
The documentation below is auto-generated to give insight on what's created via Terraform.
| Name | Version |
|---|---|
| terraform | ~> 1.1 |
| ~> 6.0.1 | |
| google-beta | ~> 6.0.1 |
| http | ~> 3.4.0 |
| random | ~> 3.5.1 |
| Name | Version |
|---|---|
| 6.0.1 | |
| google-beta | 6.0.1 |
| http | 3.4.4 |
| random | 3.5.1 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_name | The GKE cluster name | string |
"wrongsecrets-exercise-cluster" |
no |
| cluster_version | The GKE cluster version to use | string |
"1.30" |
no |
| project_id | project id | string |
n/a | yes |
| region | The GCP region to use | string |
"eu-west4" |
no |
| Name | Description |
|---|---|
| gke_config | config string for the cluster credentials |
| kubernetes_cluster_host | GKE Cluster Host |
| kubernetes_cluster_name | GKE Cluster Name |
| project_id | GCloud Project ID |
| region | GCloud Region |