diff --git a/.github/workflows/minikube-k8s-test.yml b/.github/workflows/minikube-k8s-test.yml index 592a668f8..5cf4d42cd 100644 --- a/.github/workflows/minikube-k8s-test.yml +++ b/.github/workflows/minikube-k8s-test.yml @@ -29,7 +29,7 @@ jobs: - name: test script run: | eval $(minikube docker-env) - ./build-an-deploy.sh + ./build-and-deploy.sh while [[ $(kubectl get pods -l app=wrongsecrets-balancer -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != *"True"* ]]; do echo "waiting for wrongsecrets-balancer" && sleep 2; done kubectl logs deployments/wrongsecrets-balancer -f >> pod.log & echo "port forwarding" diff --git a/aws/build-and-deploy-aws.sh b/aws/build-and-deploy-aws.sh index 09e6003a4..7bbd70c4a 100755 --- a/aws/build-and-deploy-aws.sh +++ b/aws/build-and-deploy-aws.sh @@ -10,7 +10,7 @@ echo "NOTE: WE ARE WORKING HERE WITH A 5 LEGGED LOAD BALANCER on AWS which costs echo "NOTE 2: You can replace balancer.cookie.cookieParserSecret with a value you fancy." echo "Note 3: Ensure you turn TLS on :)." -echo "Usage: ./build-an-deploy-aws.sh " +echo "Usage: ./build-and-deploy-aws.sh " source ./../scripts/check-available-commands.sh checkCommandsAvailable helm aws kubectl eksctl sed diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl index 82729314f..71e28c3e3 100644 --- a/azure/k8s/secret-challenge-vault-deployment.yml.tpl +++ b/azure/k8s/secret-challenge-vault-deployment.yml.tpl @@ -41,7 +41,7 @@ spec: volumeAttributes: secretProviderClass: "azure-wrongsecrets-vault" containers: - - image: jeroenwillemsen/wrongsecrets:1.6.7-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.6.9-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge securityContext: diff --git a/build-and-deploy-container-minikube.sh b/build-and-deploy-container-minikube.sh index d255ddb5e..330c6e782 100755 --- a/build-and-deploy-container-minikube.sh +++ b/build-and-deploy-container-minikube.sh @@ -6,7 +6,7 @@ checkCommandsAvailable helm docker kubectl yq minikube minikube delete minikube start --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6 eval $(minikube docker-env) -./build-an-deploy-container.sh +./build-and-deploy-container.sh sleep 5 diff --git a/build-an-deploy-container.sh b/build-and-deploy-container.sh similarity index 98% rename from build-an-deploy-container.sh rename to build-and-deploy-container.sh index 3b627fc71..1a4d27260 100755 --- a/build-an-deploy-container.sh +++ b/build-and-deploy-container.sh @@ -4,7 +4,7 @@ echo "This Script can be used to 'easily' build all WrongSecrets CTF party Compo echo "For this to work the local kubernetes cluster must have access to the same local registry / image cache which 'docker build ...' writes its image to" echo "For example docker-desktop with its included k8s cluster" -echo "Usage: ./build-an-deploy.sh" +echo "Usage: ./build-and-deploy.sh" source ./scripts/check-available-commands.sh checkCommandsAvailable helm docker kubectl yq diff --git a/build-and-deploy-minikube.sh b/build-and-deploy-minikube.sh index 63a9f27b6..1e3cb78e3 100755 --- a/build-and-deploy-minikube.sh +++ b/build-and-deploy-minikube.sh @@ -6,7 +6,7 @@ checkCommandsAvailable helm docker kubectl yq minikube minikube delete minikube start --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6 eval $(minikube docker-env) -./build-an-deploy.sh +./build-and-deploy.sh sleep 15 diff --git a/build-an-deploy.sh b/build-and-deploy.sh similarity index 97% rename from build-an-deploy.sh rename to build-and-deploy.sh index 1b468e227..7774f2902 100755 --- a/build-an-deploy.sh +++ b/build-and-deploy.sh @@ -4,7 +4,7 @@ echo "This Script can be used to 'easily' build all WrongSecrets CTF party Compo echo "For this to work the local kubernetes cluster must have access to the same local registry / image cache which 'docker build ...' writes its image to" echo "For example docker-desktop with its included k8s cluster" -echo "Usage: ./build-an-deploy.sh" +echo "Usage: ./build-and-deploy.sh" source ./scripts/check-available-commands.sh checkCommandsAvailable helm docker kubectl yq diff --git a/helm/wrongsecrets-ctf-party/Chart.yaml b/helm/wrongsecrets-ctf-party/Chart.yaml index 82ded1745..56fb5f0a7 100644 --- a/helm/wrongsecrets-ctf-party/Chart.yaml +++ b/helm/wrongsecrets-ctf-party/Chart.yaml @@ -28,10 +28,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.6.7 +version: 1.6.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.6.7 +appVersion: 1.6.9 dependencies: [] diff --git a/helm/wrongsecrets-ctf-party/README.md b/helm/wrongsecrets-ctf-party/README.md index 14c82e4b1..fad44c6dd 100644 --- a/helm/wrongsecrets-ctf-party/README.md +++ b/helm/wrongsecrets-ctf-party/README.md @@ -40,7 +40,7 @@ To uninstall the chart: helm delete my-wrongsecrets-ctf-party # wrongsecrets-ctf-party -![Version: 1.6.7](https://img.shields.io/badge/Version-1.6.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.7](https://img.shields.io/badge/AppVersion-1.6.7-informational?style=flat-square) +![Version: 1.6.9](https://img.shields.io/badge/Version-1.6.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.9](https://img.shields.io/badge/AppVersion-1.6.9-informational?style=flat-square) Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets @@ -109,7 +109,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets | balancer.service.loadBalancerSourceRanges | string | `nil` | list of IP CIDRs allowed access to lb (if supported) | | balancer.service.type | string | `"ClusterIP"` | Kubernetes service type | | balancer.skipOwnerReference | bool | `false` | If set to true this skips setting ownerReferences on the teams wrongsecrets Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type | -| balancer.tag | string | `"1.6.7aws"` | | +| balancer.tag | string | `"1.6.9aws"` | | | balancer.tolerations | list | `[]` | Optional Configure kubernetes toleration for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | balancer.volumeMounts[0] | object | `{"mountPath":"/home/app/config/","name":"config-volume"}` | If true, creates a volumeMount for the created pods. This is required for the podSecurityPolicy to work | | balancer.volumes[0] | object | `{"configMap":{"name":"wrongsecrets-balancer-config"},"name":"config-volume"}` | If true, creates a volume for the created pods. This is required for the podSecurityPolicy to work | @@ -154,7 +154,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets | virtualdesktop.securityContext.readOnlyRootFilesystem | bool | `true` | | | virtualdesktop.securityContext.runAsNonRoot | bool | `true` | | | virtualdesktop.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | -| virtualdesktop.tag | string | `"1.6.7"` | | +| virtualdesktop.tag | string | `"1.6.9"` | | | virtualdesktop.tolerations | list | `[]` | | | wrongsecrets.affinity | object | `{}` | Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | | wrongsecrets.config | string | See values.yaml for full details | Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets | @@ -167,7 +167,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets | wrongsecrets.resources | object | `{"requests":{"cpu":"256Mi","memory":"300Mi"}}` | Optional resources definitions to set for each Wrongsecrets instance | | wrongsecrets.runtimeClassName | string | `nil` | Optional Can be used to configure the runtime class for the Wrongsecrets instances pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/) | | wrongsecrets.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Optional securityContext definitions to set for each Wrongsecrets instance | -| wrongsecrets.tag | string | `"1.6.7-no-vault"` | | +| wrongsecrets.tag | string | `"1.6.9-no-vault"` | | | wrongsecrets.tolerations | list | `[]` | Optional Configure kubernetes toleration for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | wrongsecrets.volumes | list | `[]` | Optional Volumes to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/concepts/storage/volumes/) | | wrongsecretsCleanup.affinity | object | `{}` | Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) | diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml index 9f49a270b..ba50ac5ac 100644 --- a/helm/wrongsecrets-ctf-party/values.yaml +++ b/helm/wrongsecrets-ctf-party/values.yaml @@ -40,7 +40,7 @@ balancer: # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again. cookieParserSecret: null repository: jeroenwillemsen/wrongsecrets-balancer - tag: 1.6.7aws + tag: 1.6.9aws # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE") replicas: 2 # -- Port to expose on the balancer pods which the container listens on @@ -117,7 +117,7 @@ balancer: # -- Target port for the ServiceMonitor to scrape targetPort: 3000 # -- Path to scrape for metrics - path: '/balancer/metrics' + path: "/balancer/metrics" basicAuth: username: prometheus-scraper # -- Should be changed when metrics are enabled. @@ -159,7 +159,7 @@ wrongsecrets: maxInstances: 500 # -- Wrongsecrets Image to use image: jeroenwillemsen/wrongsecrets - tag: 1.6.7-no-vault + tag: 1.6.9-no-vault # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf ctfKey: "zLp@.-6fMW6L-7R3b!9uR_K!NfkkTr" # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets @@ -221,7 +221,7 @@ virtualdesktop: maxInstances: 500 # -- Wrongsecrets Image to use image: jeroenwillemsen/wrongsecrets-desktop-k8s - tag: 1.6.7 + tag: 1.6.9 repository: commjoenie/wrongSecrets resources: request: @@ -277,8 +277,6 @@ vaultContainer: envFrom: [] tolerations: [] - - # Deletes unused Wrongsecrets namespaces after a configurable period of inactivity wrongsecretsCleanup: repository: jeroenwillemsen/wrongsecrets-ctf-cleaner diff --git a/readme.md b/readme.md index 14c5a737a..d77ceec83 100644 --- a/readme.md +++ b/readme.md @@ -113,7 +113,7 @@ For minikube, run: minikube start --cpus=6 --memory=10000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6 eval $(minikube docker-env) -./build-an-deploy-container.sh +./build-and-deploy-container.sh kubectl port-forward service/wrongsecrets-balancer 3000:3000 ``` @@ -134,7 +134,7 @@ kubectl top pods minikube start --cpus=6 --memory=10000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6 eval $(minikube docker-env) -./build-an-deploy.sh +./build-and-deploy.sh kubectl port-forward service/wrongsecrets-balancer 3000:3000 ``` @@ -158,7 +158,7 @@ See [production notes](./guides/production-notes/production-notes.md) for a chec You got some options on how to setup the stack, with some option to customize the WrongSecrets and Virtual desktop instances to your own liking. You can find the default config values under: [helm/wrongsecrets-ctf-party/values.yaml](helm/wrongsecrets-ctf-party/values.yaml) -The default ctfd config values are here: [aws/k8s/ctfd-values.yaml](aws/k8s/ctfd-values.yaml). Note that these values are not used, and instead only se in the file [aws/build-an-deploy-aws.sh](aws/build-an-deploy-aws.sh). +The default ctfd config values are here: [aws/k8s/ctfd-values.yaml](aws/k8s/ctfd-values.yaml). Note that these values are not used, and instead only se in the file [aws/build-and-deploy-aws.sh](aws/build-and-deploy-aws.sh). Download & Save the file and tell helm to use your config file over the default by running: