Merge pull request #107 from OWASP/feat/ctfd

Add CTFd via helm chart

Author: commjoen

.gitignore

@@ -9,6 +9,9 @@ aws/terraform.tfstate.backup
 aws/.terraform.tfstate.lock.info
 aws/cluster-autoscaler-autodiscover.yaml
 aws/cluster-autoscaler-autodiscover.yaml-e
-
+db.zip
 .idea
-.DS_Store
+.DS_Store
+.letsencrypt
+
+*.auto.tfvars

aws/build-an-deploy-aws.sh

@@ -112,4 +112,24 @@ wait
 DEFAULT_PASSWORD=thankyou
 #TODO: REWRITE ABOVE, REWRITE THE HARDCODED DEPLOYMENT VALS INTO VALUES AND OVERRIDE THEM HERE!
 echo "default password is ${DEFAULT_PASSWORD}"
-helm upgrade --install mj ../helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.env.IRSA_ROLE=arn:aws:iam::${ACCOUNT_ID}:role/wrongsecrets-secret-manager" --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=1.0aws" --set="balancer.replicas=4" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
+helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
+  --set="imagePullPolicy=Always" \
+  --set="balancer.env.K8S_ENV=aws" \
+  --set="balancer.env.IRSA_ROLE=arn:aws:iam::${ACCOUNT_ID}:role/wrongsecrets-secret-manager" \
+  --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" \
+  --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" \
+  --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" \
+  --set="balancer.replicas=4" \
+  --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" \
+  --set="wrongsecrets.ctfKey=test"
+
+# Install CTFd
+
+export HELM_EXPERIMENTAL_OCI=1
+kubectl create namespace ctfd
+helm -n ctfd install ctfd oci://ghcr.io/bman46/ctfd/ctfd \
+  --set="redis.auth.password=${$(openssl rand -base64 24)}" \
+  --set="mariadb.auth.rootPassword=${$(openssl rand -base64 24)}" \
+  --set="mariadb.auth.password=${$(openssl rand -base64 24)}" \
+  --set="mariadb.auth.replicationPassword=${$(openssl rand -base64 24)}" \
+  --set="env.open.SECRET_KEY=test"

aws/k8s-aws-alb-script.sh

@@ -102,9 +102,12 @@ echo "apply -f k8s/wrongsecrets-balancer-ingress.yml in 10 s"
 sleep 10
 kubectl apply -f k8s/wrongsecrets-balancer-ingress.yml
 
+kubectl apply -f k8s/ctfd-service.yaml
+kubectl apply -f k8s/ctfd-ingress.yaml
 
 echo "waiting 10 s for loadBalancer"
 sleep 10
-echo "http://$(kubectl get ingress wrongsecrets-balancer -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
+echo "Wrongsecrets ingress: http://$(kubectl get ingress wrongsecrets-balancer -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
+echo "ctfd ingress: http://$(kubectl get ingress -n ctfd ctfd -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
 
 echo "Do not forget to cleanup afterwards! Run k8s-aws-alb-script-cleanup.sh"

aws/k8s/ctfd-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: ctfd
+  name: ctfd
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: instance
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    # cert-manager.io/issue-temporary-certificate: "true"
+    #uncomment and configure below if you want to use tls, don't forget to override the cookie to a secure value!
+    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account>:certificate/xxxxxx
+    # alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
+    # alb.ingress.kubernetes.io/actions.ssl-redirect: '443'
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ctfd
+                port:
+                  number: 80

aws/k8s/ctfd-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: ctfd
+  name: ctfd
+  labels:
+    app: ctfd
+spec:
+  type: NodePort
+  ports:
+    - port: 80
+      name: http
+      targetPort: 8000
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: ctfd

aws/k8s/ctfd-values.yaml

@@ -0,0 +1,163 @@
+# Default values for ctfd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: ctfd/ctfd
+  tag: 3.5.0
+  pullPolicy: IfNotPresent
+
+# Set K8s securityContext for the CTFd deployment:
+security:
+  fsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
+
+# Bitnami helm redis deployment
+# See bitnami redis values.yaml for more details
+redis:
+  # Enable Redis server provided by helm:
+  enabled: True
+  auth:
+    enabled: true
+    password: "ChangeMe!123"
+  # Redis® architecture. Allowed values: standalone or replication
+  architecture: standalone
+
+mariadb:
+  # Enable mariadb server provided by helm:
+  enabled: True
+  # Login credentials:
+  auth:
+    rootPassword: "ChangeMe!123"
+    database: ctfd
+    username: "ctfd"
+    password: "ChangeMe!123"
+
+    replicationUser: "replicate"
+    replicationPassword: "ChangeMe!123"
+
+  persistence:
+    enabled: true
+    storageClass: ""
+    accessModes:
+      - ReadWriteOnce
+    size: 15Gi
+
+externalDB:
+  # (required if mariadb-galera is disabled) External SQL Database URI. Example: mysql+pymysql://root:ctfd@db/ctfd
+  DATABASE_URL: ""
+  # (required if redis is disabled) External Redis URI. Example: redis://cache:6379
+  REDIS_URL: ""
+
+env:
+  open:
+    # Required if more than 1 worker (randomly generate)
+    SECRET_KEY: "ChangeMe!123"
+    # Amount of CTFd workers
+    WORKERS: 5
+    # If behing ingress proxy or nginx:
+    REVERSE_PROXY: True
+  secret:
+  existingSecret:
+  # Stores Environment Variable to secret key name mappings
+  existingSecretMappings:
+    DATABASE_URL:
+    REDIS_URL:
+
+# For uploads to the CTFd server (images and other content)
+# Not for DB
+persistence:
+  uploads:
+    enabled: true
+    #ReadWriteMany may be desired here if using multiple CTFd pods
+    accessMode: ReadWriteOnce
+    size: 10Gi
+    labels: {}
+    # name: value
+    # existingClaim:
+    # storageClass: "-"
+
+service:
+  type: ClusterIP
+  port: 80
+  targetPort: 8000
+  #if service.type = loadbalancer
+  # loadBalancerSourceRanges: []
+  # loadBalancerIP: ""
+
+probes:
+  liveness:
+    initialDelaySeconds: 25
+    periodSeconds: 5
+    timeoutSeconds: 2
+    successThreshold: 1
+    failureThreshold: 5
+  readiness:
+    initialDelaySeconds: 20
+    periodSeconds: 5
+    timeoutSeconds: 2
+    successThreshold: 1
+    failureThreshold: 5
+
+# CTFd ingress:
+ingress:
+  enabled: false
+  annotations:
+    {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: ctf.your.domain.com
+      path: "/"
+
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources:
+  {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+nameOverride: ""
+fullnameOverride: ""
+
+metrics:
+  enabled: false
+  image:
+    registry: docker.io
+    repository: bitnami/mysqld-exporter
+    tag: 0.12.1-debian-10-r27
+    pullPolicy: IfNotPresent
+  resources: {}
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9104"
+
+  # Enable this if you're using https://github.com/coreos/prometheus-operator
+  serviceMonitor:
+    enabled: false
+    ## Specify a namespace if needed
+    # namespace: monitoring
+    # fallback to the prometheus default unless specified
+    # interval: 10s
+    # scrapeTimeout: 10s
+    ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/helm/charts/tree/master/stable/prometheus-operator#tldr)
+    ## [Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#prometheus-operator-1)
+    ## [Kube Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#exporters)
+    selector:
+      prometheus: kube-prometheus

aws/k8s/wrongsecrets-balancer-ingress.yml

@@ -6,6 +6,8 @@ metadata:
   annotations:
     alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/target-type: instance
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    # cert-manager.io/issue-temporary-certificate: "true"
     #uncomment and configure below if you want to use tls, don't forget to override the cookie to a secure value!
     # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account>:certificate/xxxxxx
     # alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
@@ -22,4 +24,3 @@ spec:
                 name: wrongsecrets-balancer
                 port:
                   number: 80
-                  

aws/main.tf

@@ -73,12 +73,12 @@ module "eks" {
 
   cluster_endpoint_private_access = true
 
-  cluster_endpoint_public_access_cidrs = ["${data.http.ip.body}/32"]
+  cluster_endpoint_public_access_cidrs = compact(concat(["${data.http.ip.body}/32"], var.extra_allowed_ip_ranges))
 
   enable_irsa = true
 
-  create_cloudwatch_log_group = true
-  cluster_enabled_log_types   = ["api", "audit", "authenticator"]
+  create_cloudwatch_log_group            = true
+  cluster_enabled_log_types              = ["api", "audit", "authenticator"]
   cloudwatch_log_group_retention_in_days = 14 #it's a ctf , we don't need non-necessary costs!
 
   # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"

aws/variables.tf

@@ -15,3 +15,9 @@ variable "cluster_name" {
   type        = string
   default     = "wrongsecrets-exercise-cluster"
 }
+
+variable "extra_allowed_ip_ranges" {
+  description = "Allowed IP ranges in addition to creator IP"
+  type        = list(string)
+  default     = []
+}

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml

@@ -61,7 +61,7 @@ spec:
             - name: WRONGSECRETS_TAG
               value: {{ .Values.wrongsecrets.tag}}
             - name: WRONGSECRETS_DESKTOP_TAG
-              value: 1.5.8
+              value: {{ .Values.virtualdesktop.tag }}
             - name: REACT_APP_CREATE_TEAM_HMAC_KEY
               value: hardcodedkey
             - name: SECRETS_MANAGER_SECRET_ID_1

helm/wrongsecrets-ctf-party/values.yaml

@@ -35,7 +35,7 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 1.0aws
+  tag: 1.2aws
   # -- Number of replicas of the wrongsecrets-balancer deployment
   replicas: 1
   service:
@@ -97,7 +97,7 @@ wrongsecrets:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsens/wrongsecrets
-  tag: 1.5.9-no-vault
+  tag: 1.5.10-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
   # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file
@@ -184,7 +184,7 @@ virtualdesktop:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
-  tag: 1.5.9
+  tag: 1.5.10
   repository: commjoenie/wrongSecrets
   resources:
     request:
@@ -203,10 +203,10 @@ virtualdesktop:
   envFrom: [ ]
   tolerations: [ ]
 
-# Deletes unused JuiceShop instances after a configurable period of inactivity
+# Deletes unused Wrongsecrets namespaces after a configurable period of inactivity
 wrongsecretsCleanup:
   repository: jeroenwillemsen/wrongsecrets-ctf-cleaner
-  tag: null
+  tag: 0.3
   enabled: true
   # -- Specifies when Juice Shop instances will be deleted when unused for that period.
   gracePeriod: 2d