OWASP
diff --git a/‎helm/package.json
Lines changed: 25 additions & 0 deletions b/‎helm/package.json
Lines changed: 25 additions & 0 deletions
diff --git a/‎helm/test-values.yaml
Lines changed: 249 additions & 0 deletions b/‎helm/test-values.yaml
Lines changed: 249 additions & 0 deletions
@@ -0,0 +1,25 @@
+{
+  "name": "charts",
+  "version": "v1.0.0",
+  "description": "Wrongsecrets helm chart",
+  "main": "index.js",
+  "scripts": {
+    "build": "helm package ./wrongsecrets-ctf-party",
+    "subcharts": "helm dependency update ./wrongsecrets-ctf-party",
+    "lint": "helm lint ./wrongsecrets-ctf-party",
+    "validate": "npm run lint && npm run test",
+    "template": "helm template --debug -f ./test-values.yaml myrelease ./wrongsecrets-ctf-party -n myns > test.tmp.yaml",
+    "dry-run": "helm install --dry-run -f ./test-values.yaml unknown ./wrongsecrets-ctf-party",
+    "doc": "helm-docs -s file",
+    "preversion": "git fetch --prune --prune-tags && npm run lint && npm run build",
+    "version": " export version=v$(node -p -e 'require(`./package.json`).version') && export app_version=$(echo $version | cut -d. -f2-).0 && yq e -i '.version=strenv(version)' ./tactful/Chart.yaml && yq e -i '.appVersion=strenv(app_version)' ./tactful/Chart.yaml && git add . ",
+    "postversion": "git push && git push --tags"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://[email protected]/slickblox/charts.git"
+  },
+  "author": "Tactful.ai",
+  "license": "ISC",
+  "homepage": "https://bitbucket.org/slickblox/charts#readme"
+}
@@ -0,0 +1,249 @@
+# Default values for Wrongecret-ctf-party.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+imagePullPolicy: Always
+nodeSelector: {}
+
+ingress:
+  enabled: false
+  annotations: {}
+  # kubernetes.io/ingress.class: nginx
+  # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: wrongsecrets-ctf-party.local
+      paths:
+        - "/"
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+service:
+  type: ClusterIP
+  port: 3000
+
+balancer:
+  cookie:
+    # SET THIS TO TRUE IF IN PRODUCTION
+    # Sets secure Flag in cookie
+    # -- Sets the secure attribute on cookie so that it only be send over https
+    secure: false
+    # -- Changes the cookies name used to identify teams. Note will automatically be prefixed with "__Secure-" when balancer.cookie.secure is set to `true`
+    name: balancer
+    # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
+    cookieParserSecret: null
+  repository: jeroenwillemsen/wrongsecrets-balancer
+  tag: 1.6.4aws
+  # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
+  replicas: 2
+  service:
+    # -- Kubernetes service type
+    type: ClusterIP
+    # -- internal cluster service IP
+    clusterIP: null
+    # -- IP address to assign to load balancer (if supported)
+    loadBalancerIP: null
+    # -- list of IP CIDRs allowed access to lb (if supported)
+    loadBalancerSourceRanges: null
+    # -- IP address to assign to load balancer (if supported)
+    externalIPs: null
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 400m
+    limits:
+      memory: 1024Mi
+      cpu: 1000m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+      add:
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+    seccompProfile:
+      type: RuntimeDefault
+  # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []
+  # -- If set to true this skips setting ownerReferences on the teams JuiceShop Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
+  skipOwnerReference: false
+  env:
+    REACT_APP_MOVING_GIF_LOGO: "https://i.gifer.com/9kGQ.gif" #displayed at the frontend when you enter the CTF
+    REACT_APP_HEROKU_WRONGSECRETS_URL: "https://wrongsecrets-ctf.herokuapp.com" #required for 3 domain setup
+    REACT_APP_CTFD_URL: "https://ctfd.io" #requierd for 2 and 3 domain setup
+    REACT_APP_S3_BUCKET_URL: "s3://funstuff" #the s3 bucket you use for teh aws challenges, don't forget to make it accessible!
+    K8S_ENV: "k8s" #or 'aws'
+    REACT_APP_ACCESS_PASSWORD: "" #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
+    REACT_APP_CREATE_TEAM_HMAC_KEY: "hardcodedkey"
+    IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
+    SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default AWS SM entries
+    SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default AWS SM entries
+  metrics:
+    # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
+    enabled: true
+    dashboards:
+      # -- if true, creates a Grafana Dashboard Config Map. (also requires metrics.enabled to be true). These will automatically be imported by Grafana when using the Grafana helm chart, see: https://github.com/helm/charts/tree/main/stable/grafana#sidecar-for-dashboards
+      enabled: false
+    serviceMonitor:
+      # -- If true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true). This will also deploy a servicemonitor which monitors metrics from the Juice Shop instances
+      enabled: false
+    basicAuth:
+      username: prometheus-scraper
+      # -- Should be changed when metrics are enabled.
+      password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy
+
+##TODO:
+#1. UPDATE WRONGSECRETS TO DEFINITION WHERE K8S IS USED FOR AWS!
+#2. UPDATE VIRTUALDESKTOP TO DEFINITION WHERE IT CN BE USED
+#3. ADD VAULT INSTANCE PER TEAM!
+
+wrongsecrets:
+  # -- Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap
+  maxInstances: 500
+  # -- Wrongsecrets Image to use
+  image: jeroenwillemsen/wrongsecrets
+  tag: 1.6.4-no-vault
+  # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
+  ctfKey: "[email protected]!9uR_K!NfkkTr"
+  # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file
+  # @default -- See values.yaml for full details
+  config: |
+    K8S_ENV: aws
+  #    application:
+  #      logo: https://raw.githubusercontent.com/iteratec/multi-juicer/main/images/multijuicer-icon-only-padding.png
+  #      favicon: https://raw.githubusercontent.com/iteratec/multi-juicer/main/wrongsecrets-balancer/ui/public/favicon.ico
+  #      showVersionNumber: false
+  #      showGitHubLinks: false
+  #    challenges:
+  #      showHints: true
+  #    hackingInstructor:
+  #      isEnabled: true
+  #    ctf:
+  #      showFlagsInNotifications: false
+  # -- Specify a custom NODE_ENV for JuiceShop. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `juiceShop.config`.
+  nodeEnv: "wrongsecrets-ctf-party"
+  # -- Optional resources definitions to set for each JuiceShop instance
+  resources:
+    requests:
+      cpu: 256Mi
+      memory: 300Mi
+  #  limits:
+  #    cpu: 100m
+  #    memory: 200Mi
+  # -- Optional securityContext definitions to set for each JuiceShop instance
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+  env:
+    - name: K8S_ENV
+      value: k8s
+    - name: SPECIAL_K8S_SECRET
+      valueFrom:
+        configMapKeyRef:
+          name: secrets-file
+          key: funny.entry
+    - name: SPECIAL_SPECIAL_K8S_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: funnystuff
+          key: funnier
+  # env:
+  #   - name: FOO
+  #     valueFrom:
+  #       secretKeyRef:
+  #         key: FOO
+  #         name: secret-resource
+  # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+  envFrom: []
+  # -- Optional Volumes to set for each JuiceShop instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+  volumes: []
+  # create config map with a custom logo via: kubectl create configmap custom-logo --from-file custom.png=your-logo.png
+  # then switch out the logo parameter in the wrongsecrets config section above to the mounted filename.
+  # volumes:
+  # - name: logo
+  #   configMap:
+  #     name: custom-logo
+  # -- Optional VolumeMounts to set for each JuiceShop instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+  volumeMounts: []
+  # volumeMounts:
+  # - name: logo
+  #   mountPath: /wrongsecrets/frontend/dist/frontend/assets/public/images/custom.png
+  #   subPath: custom.png
+  #   readOnly: true
+
+  # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []
+
+  # -- Optional Can be used to configure the runtime class for the JuiceShop pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/)
+  runtimeClassName: null
+
+# Deletes unused JuiceShop instances after a configurable period of inactivity
+
+#the virtual desktop for the deploymebt
+virtualdesktop:
+  # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
+  maxInstances: 500
+  # -- Juice Shop Image to use
+  image: jeroenwillemsen/wrongsecrets-desktop-k8s
+  tag: 1.6.4
+  repository: commjoenie/wrongSecrets
+  resources:
+    request:
+      memory: 1GB
+      cpu: 50m
+    limits:
+      memory: 2GB
+      cpu: 1200m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  runtimeClassName: {}
+  affinity: {}
+  # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+
+  envFrom: []
+  tolerations: []
+
+# Deletes unused Wrongsecrets namespaces after a configurable period of inactivity
+wrongsecretsCleanup:
+  repository: jeroenwillemsen/wrongsecrets-ctf-cleaner
+  tag: 0.4
+  enabled: true
+  # -- Specifies when Juice Shop instances will be deleted when unused for that period.
+  gracePeriod: 2d
+  # -- Specifies if the clean up job should delete the outdated namespaces or just report them. Set to false to only report outdated namespaces.
+  SHOULD_DELETE: false
+  # -- Cron in which the clean up job is run. Defaults to once in a quarter. Change this if your grace period if shorter than 15 minutes. See "https://crontab.guru/#0,15,30,45_*_*_*_*" for more details.
+  cron: "0,15,30,45 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  resources:
+    requests:
+      memory: 256Mi
+    limits:
+      memory: 256Mi
+  # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []