OWASP
diff --git a/‎.pre-commit-config.yaml
Lines changed: 5 additions & 1 deletion b/‎.pre-commit-config.yaml
Lines changed: 5 additions & 1 deletion
diff --git a/‎helm/package.json
Lines changed: 25 additions & 0 deletions b/‎helm/package.json
Lines changed: 25 additions & 0 deletions
diff --git a/‎helm/test-values.yaml
Lines changed: 246 additions & 0 deletions b/‎helm/test-values.yaml
Lines changed: 246 additions & 0 deletions
@@ -4,7 +4,11 @@ repos:
     rev: v4.3.0
     hooks:
       - id: check-yaml
-        exclude: ^helm/wrongsecrets-ctf-party/templates/
+        exclude: ^helm/wrongsecrets-ctf-party/templates/|^test.tmp.yaml)
+      - id: check-yaml
+        include: ^test.tmp.yaml
+        args: 
+          - --allow-multiple-documents
       - id: end-of-file-fixer
         exclude: ^(src/test/resources/yourkey.txt|src/test/resources/secondkey.txt)
       - id: trailing-whitespace
 
@@ -0,0 +1,25 @@
+{
+  "name": "charts",
+  "version": "v1.0.0",
+  "description": "Wrongsecrets helm chart",
+  "main": "index.js",
+  "scripts": {
+    "build": "helm package ./wrongsecrets-ctf-party",
+    "subcharts": "helm dependency update ./wrongsecrets-ctf-party",
+    "lint": "helm lint ./wrongsecrets-ctf-party",
+    "validate": "npm run lint && npm run test",
+    "template": "helm template --debug -f ./test-values.yaml myrelease ./wrongsecrets-ctf-party -n myns > test.tmp.yaml",
+    "dry-run": "helm install --dry-run -f ./test-values.yaml unknown ./wrongsecrets-ctf-party",
+    "doc": "helm-docs -s file",
+    "preversion": "git fetch --prune --prune-tags && npm run lint && npm run build",
+    "version": " export version=v$(node -p -e 'require(`./package.json`).version') && export app_version=$(echo $version | cut -d. -f2-).0 && yq e -i '.version=strenv(version)' ./wrongsecrets-ctf-party/Chart.yaml && yq e -i '.appVersion=strenv(app_version)' ./wrongsecrets-ctf-party/Chart.yaml && git add . ",
+    "postversion": "git push && git push --tags"
+  },
+  "repository": {
+    "type": "git",
+    "url": "[email protected]:OWASP/wrongsecrets-ctf-party.git"
+  },
+  "author": "Wrongsecrets",
+  "license": "Apache License 2.0",
+  "homepage": "https://owasp.org/www-project-wrongsecrets/" 
+}
@@ -0,0 +1,246 @@
+# Default values for Wrongecret-ctf-party.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+imagePullPolicy: IfNotPresent
+nodeSelector: {}
+
+ingress:
+  # -- If true, Wrongsecrets will create an Ingress object for the balancer service.
+  # Useful if you want to expose the balancer service externally for example with a loadbalancer in order to view any webpages that are hosted on the balancer service.
+  enabled: false
+  # -- Annotations to be added to the ingress object.
+  annotations: {}
+  # kubernetes.io/ingress.class: nginx
+  # kubernetes.io/tls-acme: "true"
+  # -- Hostnames to your Wrongsecrets balancer installation.
+  hosts:
+    - host: wrongsecrets-ctf-party.local
+      paths:
+        - "/"
+  # -- TLS configuration for Wrongsecrets balancer
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+service:
+  type: ClusterIP
+  port: 3000
+
+balancer:
+  cookie:
+    # SET THIS TO TRUE IF IN PRODUCTION
+    # Sets secure Flag in cookie
+    # -- Sets the secure attribute on cookie so that it only be send over https
+    secure: false
+    # -- Changes the cookies name used to identify teams. Note will automatically be prefixed with "__Secure-" when balancer.cookie.secure is set to `true`
+    name: balancer
+    # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
+    cookieParserSecret: null
+  repository: jeroenwillemsen/wrongsecrets-balancer
+  tag: 1.6.4aws
+  # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
+  replicas: 2
+  service:
+    # -- Kubernetes service type
+    type: ClusterIP
+    # -- internal cluster service IP
+    clusterIP: null
+    # -- IP address to assign to load balancer (if supported)
+    loadBalancerIP: null
+    # -- list of IP CIDRs allowed access to lb (if supported)
+    loadBalancerSourceRanges: null
+    # -- IP address to assign to load balancer (if supported)
+    externalIPs: null
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 400m
+    limits:
+      memory: 1024Mi
+      cpu: 1000m
+  # -- Optional Configure kubernetes scheduling affinity for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []
+  # -- If set to true this skips setting ownerReferences on the teams wrongsecrets Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
+  skipOwnerReference: false
+  env:
+    REACT_APP_MOVING_GIF_LOGO: "https://i.gifer.com/9kGQ.gif" #displayed at the frontend when you enter the CTF
+    REACT_APP_HEROKU_WRONGSECRETS_URL: "https://wrongsecrets-ctf.herokuapp.com" #required for 3 domain setup
+    REACT_APP_CTFD_URL: "https://ctfd.io" #requierd for 2 and 3 domain setup
+    REACT_APP_S3_BUCKET_URL: "s3://funstuff" #the s3 bucket you use for teh aws challenges, don't forget to make it accessible!
+    K8S_ENV: "k8s" #or 'aws'
+    REACT_APP_ACCESS_PASSWORD: "" #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
+    REACT_APP_CREATE_TEAM_HMAC_KEY: "hardcodedkey"
+    IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
+    SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default AWS SM entries
+    SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default AWS SM entries
+  metrics:
+    # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
+    enabled: true
+    dashboards:
+      # -- if true, creates a Grafana Dashboard Config Map. (also requires metrics.enabled to be true). These will automatically be imported by Grafana when using the Grafana helm chart, see: https://github.com/helm/charts/tree/main/stable/grafana#sidecar-for-dashboards
+      enabled: false
+    serviceMonitor:
+      # -- If true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true). This will also deploy a servicemonitor which monitors metrics from the Juice Shop instances
+      enabled: false
+    basicAuth:
+      username: prometheus-scraper
+      # -- Should be changed when metrics are enabled.
+      password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy
+  podSecurityContext:
+    # -- If true, sets the securityContext on the created pods. This is required for the podSecurityPolicy to work
+    enabled: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
+    # -- If true, sets the securityContext on the created containers. This is required for the podSecurityPolicy to work
+    enabled: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+      add:
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+    seccompProfile:
+      type: RuntimeDefault
+
+wrongsecrets:
+  # -- Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap
+  maxInstances: 500
+  # -- Wrongsecrets Image to use
+  image: jeroenwillemsen/wrongsecrets
+  tag: 1.6.4-no-vault
+  # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
+  ctfKey: "[email protected]!9uR_K!NfkkTr"
+  # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
+  # @default -- See values.yaml for full details
+  config: |
+    K8S_ENV: aws  
+  # "aws" is for using the cluster with eks and "k8s" is for using the cluster with miniKube which will enable specific challenges 
+  #    application:
+  #      logo: https://raw.githubusercontent.com/iteratec/multi-juicer/main/images/multijuicer-icon-only-padding.png
+  #      favicon: https://raw.githubusercontent.com/iteratec/multi-juicer/main/wrongsecrets-balancer/ui/public/favicon.ico
+  #      showVersionNumber: false
+  #      showGitHubLinks: false
+  #    challenges:
+  #      showHints: true
+  #    hackingInstructor:
+  #      isEnabled: true
+  #    ctf:
+  #      showFlagsInNotifications: false
+  # -- Specify a custom NODE_ENV for Wrongsecrets. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `wrongsecrets-balancer-config`.
+  nodeEnv: "wrongsecrets-ctf-party"
+  # -- Optional resources definitions to set for each Wrongsecrets instance
+  resources:
+    requests:
+      cpu: 256Mi
+      memory: 300Mi
+  #  limits:
+  #    cpu: 100m
+  #    memory: 200Mi
+  # -- Optional securityContext definitions to set for each Wrongsecrets instance
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  # -- Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+  env:
+    - name: K8S_ENV
+      value: k8s
+    - name: SPECIAL_K8S_SECRET
+      valueFrom:
+        configMapKeyRef:
+          name: secrets-file
+          key: funny.entry
+    - name: SPECIAL_SPECIAL_K8S_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: funnystuff
+          key: funnier
+  # env:
+  #   - name: FOO
+  #     valueFrom:
+  #       secretKeyRef:
+  #         key: FOO
+  #         name: secret-resource
+  # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+  envFrom: []
+  # -- Optional Volumes to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+  volumes: []
+  # -- Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []
+
+  # -- Optional Can be used to configure the runtime class for the Wrongsecrets instances pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/)
+  runtimeClassName: null
+
+# Deletes unused Wrongsecrets instances after a configurable period of inactivity
+
+#the virtual desktop for the deploymebt
+virtualdesktop:
+  # -- Specifies how many Wrongsecrets instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
+  maxInstances: 500
+  # -- Juice Shop Image to use
+  image: jeroenwillemsen/wrongsecrets-desktop-k8s
+  tag: 1.6.4
+  repository: commjoenie/wrongSecrets
+  resources:
+    request:
+      memory: 1GB
+      cpu: 50m
+    limits:
+      memory: 2GB
+      cpu: 1200m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+  runtimeClassName: {}
+  affinity: {}
+  # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+
+  envFrom: []
+  tolerations: []
+
+# Deletes unused Wrongsecrets namespaces after a configurable period of inactivity
+wrongsecretsCleanup:
+  repository: jeroenwillemsen/wrongsecrets-ctf-cleaner
+  tag: 0.4
+  enabled: true
+  # -- Specifies when Juice Shop instances will be deleted when unused for that period.
+  gracePeriod: 2d
+  # -- Specifies if the clean up job should delete the outdated namespaces or just report them. Set to false to only report outdated namespaces.
+  SHOULD_DELETE: false
+  # -- Cron in which the clean up job is run. Defaults to once in a quarter. Change this if your grace period if shorter than 15 minutes. See "https://crontab.guru/#0,15,30,45_*_*_*_*" for more details.
+  cron: "0,15,30,45 * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  resources:
+    requests:
+      memory: 256Mi
+    limits:
+      memory: 256Mi
+  # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  affinity: {}
+  # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  tolerations: []