Make image configurable, no more re-release of proxy for new version of wrongecrets required

commjoen · commjoen · commit 448332001098 · 2022-09-28T09:19:29.000+02:00
diff --git a/aws/build-an-deploy-aws.sh b/aws/build-an-deploy-aws.sh
@@ -109,4 +109,4 @@ wait
 DEFAULT_PASSWORD=thankyou
 #TODO: REWRITE ABOVE, REWRITE THE HARDCODED DEPLOYMENT VALS INTO VALUES AND OVERRIDE THEM HERE!
 echo "default password is ${DEFAULT_PASSWORD}"
-helm upgrade --install mj ../helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.87aws" --set="balancer.replicas=4" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
+helm upgrade --install mj ../helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set"balancer.env.IRSA_ROLE=arn:aws:iam::${ACCOUNT_ID}:role/wrongsecrets-secret-manager" --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${DEFAULT_PASSWORD}" --set="balancer.cookie.cookieParserSecret=thisisanewrandomvaluesowecanworkatit" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.87aws" --set="balancer.replicas=4" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml
@@ -56,6 +56,12 @@ spec:
               value: {{ .Values.balancer.env.K8S_ENV }}
             - name: IRSA_ROLE
               value: {{ .Values.balancer.env.IRSA_ROLE }} #REPLACE WITH THE ACTUAL AWS ROLE IF IN AWS MODE
+            - name: WRONGSECRETS_TAG
+              value: {{ .Values.wrongsecrets.tag}}
+            - name: SECRETS_MANAGER_SECRET_ID_1
+              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_1 }}
+            - name: SECRETS_MANAGER_SECRET_ID_2
+              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_2 }}
             - name: COOKIEPARSER_SECRET
               valueFrom:
                 secretKeyRef:
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -70,6 +70,8 @@ balancer:
     K8S_ENV: 'k8s' #oraws
     REACT_APP_ACCESS_PASSWORD: '' #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
     IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager
+    SECRETS_MANAGER_SECRET_ID_1: 'wrongsecret'
+    SECRETS_MANAGER_SECRET_ID_2: 'wrongsecret-2'
   metrics:
     # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
     enabled: true
@@ -94,7 +96,7 @@ wrongsecrets:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsens/wrongsecrets
-  tag: 1.5.3-no-vault
+  tag: 1.5.5-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/commjoen/wrongsecrets#ctf
   ctfKey: "zLp@.-6fMW6L-7R3b!9uR_K!NfkkTr"
   # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file
diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
@@ -16,6 +16,9 @@ const k8sCustomAPI = kc.makeApiClient(CustomObjectsApi);
 const k8sRBACAPI = kc.makeApiClient(RbacAuthorizationV1Api);
 const k8sNetworkingApi = kc.makeApiClient(NetworkingV1Api);
 const awsAccountEnv = process.env.IRSA_ROLE || 'youdidnotprovideanirsarole,goodluck';
+const secretsmanagerSecretName1 = process.env.SECRETS_MANAGER_SECRET_ID_1 || 'wrongsecret';
+const secretsmanagerSecretName2 = process.env.SECRETS_MANAGER_SECRET_ID_2 || 'wrongsecret-2';
+const wrongSecretsContainterTag = process.env.WRONGSECRETS_TAG || '1.5.4-no-vault';
 const heroku_wrongsecret_ctf_url = process.env.REACT_APP_HEROKU_WRONGSECRETS_URL || 'not_ets';
 
 const { get } = require('./config');
@@ -136,8 +139,7 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => {
           containers: [
             {
               name: 'wrongsecrets',
-              //TODO REPLACE HARDCODED BELOW WITH PROPPER GETS: image: `${get('wrongsecrets.image')}:${get('wrongsecrets.tag')}`,
-              image: 'jeroenwillemsen/wrongsecrets:1.5.5RC1-no-vault',
+              image: `jeroenwillemsen/wrongsecrets:${wrongSecretsContainterTag}`,
               imagePullPolicy: get('wrongsecrets.imagePullPolicy'),
               // resources: get('wrongsecrets.resources'),
               securityContext: {
@@ -285,8 +287,7 @@ const createAWSSecretsProviderForTeam = async (team) => {
     spec: {
       provider: 'aws',
       parameters: {
-        objects:
-          '- objectName: "wrongsecret"\n  objectType: "secretsmanager"\n- objectName: "wrongsecret-2"\n  objectType: "secretsmanager"\n',
+        objects: `- objectName: "${secretsmanagerSecretName1}"\n  objectType: "secretsmanager"\n- objectName: "${secretsmanagerSecretName2}"\n  objectType: "secretsmanager"\n`,
       },
     },
   };
@@ -393,8 +394,7 @@ const createAWSDeploymentForTeam = async ({ team, passcodeHash }) => {
           containers: [
             {
               name: 'wrongsecrets',
-              //TODO REPLACE HARDCODED BELOW WITH PROPPER GETS: image: `${get('wrongsecrets.image')}:${get('wrongsecrets.tag')}`,
-              image: 'jeroenwillemsen/wrongsecrets:1.5.4-no-vault',
+              image: `jeroenwillemsen/wrongsecrets:${wrongSecretsContainterTag}`,
               imagePullPolicy: get('wrongsecrets.imagePullPolicy'),
               // resources: get('wrongsecrets.resources'),
               securityContext: {
