testing and integrating

Signed-off-by: osamamagdy <[email protected]>

Author: osamamagdy

helm/test-values.yaml

@@ -39,9 +39,11 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 1.6.4aws
+  tag: 1.6.5aws
   # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
   replicas: 2
+  # -- Port to expose on the balancer pods which the container listens on
+  containerPort: 3000
   service:
     # -- Kubernetes service type
     type: ClusterIP
@@ -53,6 +55,18 @@ balancer:
     loadBalancerSourceRanges: null
     # -- IP address to assign to load balancer (if supported)
     externalIPs: null
+  # -- Probes settings for the balancer pods
+  # -- livenessProbe: Checks if the balancer pod is still alive
+  livenessProbe:
+    httpGet:
+      path: /balancer/
+      port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
+  # -- readinessProbe: Checks if the balancer pod is ready to receive traffic
+  readinessProbe:
+    httpGet:
+      path: /balancer/
+      port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
+  # -- Resource limits and requests for the balancer pods
   resources:
     requests:
       memory: 256Mi
@@ -77,6 +91,7 @@ balancer:
     IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
     SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default AWS SM entries
     SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default AWS SM entries
+    CHALLENGE33_VALUE: "VkJVR2gzd3UvM0kxbmFIajFVZjk3WTBMcThCNS85MnExandwMy9hWVN3SFNKSThXcWRabllMajc4aEVTbGZQUEtmMVpLUGFwNHoyK3IrRzlOUndkRlUvWUJNVFkzY05ndU1tNUM2bDJwVEs5SmhQRm5VemVySXdNcm5odTlHanJxU0ZuL0J0T3ZMblFhL21TZ1hETkpZVU9VOGdDSEZzOUpFZVF2OWhwV3B5eGxCMk5xdTBNSHJQTk9EWTNab2hoa2pXWGF4YmpDWmk5U3BtSHlkVTA2WjdMcVd5RjM5RzZWOENGNkxCUGtkVW4zYUpBVisrRjBROUljU009Cg=="
   metrics:
     # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
     enabled: true
@@ -112,13 +127,22 @@ balancer:
         - CAP_NET_BIND_SERVICE
     seccompProfile:
       type: RuntimeDefault
+  volumeMounts:
+    # -- If true, creates a volumeMount for the created pods. This is required for the podSecurityPolicy to work
+    - name: config-volume
+      mountPath: /home/app/config/
+  volumes:
+    # -- If true, creates a volume for the created pods. This is required for the podSecurityPolicy to work
+    - name: config-volume
+      configMap:
+        name: wrongsecrets-balancer-config
 
 wrongsecrets:
   # -- Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap
   maxInstances: 500
   # -- Wrongsecrets Image to use
   image: jeroenwillemsen/wrongsecrets
-  tag: 1.6.4-no-vault
+  tag: 1.6.5-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
   # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
@@ -180,7 +204,7 @@ virtualdesktop:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
-  tag: 1.6.4
+  tag: 1.6.5
   repository: commjoenie/wrongSecrets
   resources:
     request:
@@ -205,6 +229,39 @@ virtualdesktop:
   envFrom: []
   tolerations: []
 
+## preps for the vault container: see https://github.com/OWASP/wrongsecrets-ctf-party/issues/250
+vaultContainer:
+  # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
+  maxInstances: 500
+  # -- Juice Shop Image to use
+  image: hashicorp/vault
+  tag: 1.15.1
+  repository: commjoenie/wrongSecrets
+  resources:
+    request:
+      memory: 128mb
+      cpu: 50m
+    limits:
+      memory: 256mb
+      cpu: 1200m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  runtimeClassName: {}
+  affinity: {}
+  # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+
+  envFrom: []
+  tolerations: []
+
+
+
 # Deletes unused Wrongsecrets namespaces after a configurable period of inactivity
 wrongsecretsCleanup:
   repository: jeroenwillemsen/wrongsecrets-ctf-cleaner

helm/test.tmp.yaml

@@ -26,8 +26,8 @@ metadata:
     helm.sh/chart: wrongsecrets-ctf-party-0.1.0-alpha
 type: Opaque
 data:
-  cookieParserSecret: "eWdzMVRMSzhlWHA2bERLak1PZXlJSERn"
-  adminPassword: "Q1NZMjA0SlU="
+  cookieParserSecret: "ZmdDN3ZZdkhYbE9XbmRoT3c2Y0ttY0RK"
+  adminPassword: "RVpCMkFGWkk="
   metricsBasicAuthUsername: "cHJvbWV0aGV1cy1zY3JhcGVy"
   metricsBasicAuthPassword: "RVJ6Q1Q0cHdCRHhmQ0tSR21mck1hOEtROHNYZjhHS3k="
 ---
@@ -58,7 +58,7 @@ data:
       },
       "wrongsecrets": {
         "image": "jeroenwillemsen/wrongsecrets",
-        "tag": "1.6.4-no-vault",
+        "tag": "1.6.5-no-vault",
         "imagePullPolicy": "IfNotPresent",
         "ctfKey": "[email protected]!9uR_K!NfkkTr",
         "nodeEnv": "wrongsecrets-ctf-party",
@@ -230,8 +230,8 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 2a7853a457c2434571059d61cce9505a5afd5736fd1346302daf1ed9205dc39d
-        checksum/secret: 1a1dcaeffddf0f226ff9635934715794c59d9d0ec0b6dbb9c5a23c4de785c944
+        checksum/config: f3575d7162cebea5a4ee8a5d79c3bbaa9bcc52999b00d5c4a992c13227ee47d4
+        checksum/secret: 81aa6bd591fa658d435e09120e7c93ce0b289d62a779b6d95795d3cd71120b9f
       labels:
         app: wrongsecrets-balancer
         app.kubernetes.io/name: wrongsecrets-ctf-party
@@ -246,7 +246,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: wrongsecrets-ctf-party
-          image: 'jeroenwillemsen/wrongsecrets-balancer:1.6.4aws'
+          image: 'jeroenwillemsen/wrongsecrets-balancer:1.6.5aws'
           imagePullPolicy: "IfNotPresent"
           ports:
             - name: http
@@ -260,6 +260,8 @@ spec:
               path: /balancer/
               port: http
           env:
+            - name: CHALLENGE33_VALUE
+              value: "VkJVR2gzd3UvM0kxbmFIajFVZjk3WTBMcThCNS85MnExandwMy9hWVN3SFNKSThXcWRabllMajc4aEVTbGZQUEtmMVpLUGFwNHoyK3IrRzlOUndkRlUvWUJNVFkzY05ndU1tNUM2bDJwVEs5SmhQRm5VemVySXdNcm5odTlHanJxU0ZuL0J0T3ZMblFhL21TZ1hETkpZVU9VOGdDSEZzOUpFZVF2OWhwV3B5eGxCMk5xdTBNSHJQTk9EWTNab2hoa2pXWGF4YmpDWmk5U3BtSHlkVTA2WjdMcVd5RjM5RzZWOENGNkxCUGtkVW4zYUpBVisrRjBROUljU009Cg=="
             - name: IRSA_ROLE
               value: "arn:aws:iam::233483431651:role/wrongsecrets-secret-manager"
             - name: K8S_ENV
@@ -280,6 +282,10 @@ spec:
               value: "wrongsecret"
             - name: SECRETS_MANAGER_SECRET_ID_2
               value: "wrongsecret-2"
+            - name: WRONGSECRETS_TAG
+              value: 1.6.5-no-vault
+            - name: WRONGSECRETS_DESKTOP_TAG
+              value: 1.6.5
             - name: COOKIEPARSER_SECRET
               valueFrom:
                 secretKeyRef: