Merge pull request #25 from commjoen/nspfun

small steps for the nsps

Author: commjoen

aws/README.md

@@ -48,7 +48,8 @@ The terraform code is loosely based on [this EKS managed Node Group TF example](
 5. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
 6. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`
 7. Do `export KUBECONFIG=~/.kube/wrongsecrets`
-8. Run `cd .. && ./build-and-deploy-aws.sh` to install the helm chart for the wrongsecrets-ctf-party.
+8. Run `cd ..`
+9. Run `./build-an-deploy-aws.sh` to install the helm chart for the wrongsecrets-ctf-party.
 
 Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.amazon.com/eks/home?region=eu-west-1#/clusters) by default. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 

aws/main.tf

@@ -77,6 +77,7 @@ module "eks" {
 
   enable_irsa = true
 
+  # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"
   eks_managed_node_group_defaults = {
     disk_size       = 50
     disk_type       = "gp3"

build-an-deploy-aws.sh

@@ -10,10 +10,15 @@ echo "Usage: ./build-and-deploy-aws.sh"
 version="$(uuidgen)"
 AWS_REGION="eu-west-1"
 
-helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
+helm upgrade -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
 echo "Install ACSP"
 kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
 
+echo "preparing calico via Helm"
+helm repo add projectcalico https://docs.projectcalico.org/charts
+helm upgrade calico projectcalico/tigera-operator --version v3.21.4
+
+
 echo "Generate secrets manager challenge secret 2"
 aws secretsmanager put-secret-value --secret-id wrongsecret-2 --secret-string "$(openssl rand -base64 24)" --region $AWS_REGION --output json --no-cli-pager
 
@@ -24,4 +29,4 @@ aws ssm put-parameter --name wrongsecretvalue --overwrite --type SecureString --
 wait
 
 #TODO: REWRITE ABOVE, REWRITE THE HARDCODED DEPLOYMENT VALS INTO VALUES AND OVERRIDE THEM HERE!
-helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.69aws" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"
+helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Always" --set="balancer.env.K8S_ENV=aws" --set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" --set="balancer.tag=0.76aws" --set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" --set="wrongsecretsCleanup.tag=0.2"

guides/aws/aws.md renamed to guides-archived-use-readme-only/aws/aws.md

@@ -38,3 +38,6 @@ rules:
   - apiGroups: ['secrets-store.csi.x-k8s.io']
     resources: ['secretproviderclasses']
     verbs: ['create', 'get', 'list', 'delete']
+  - apiGroups: ['networking.k8s.io'] 
+    resources: ['networkpolicies']
+    verbs: ['create', 'get', 'list', 'delete']

guides/aws/loadbalancer.yaml renamed to guides-archived-use-readme-only/aws/loadbalancer.yaml

@@ -35,9 +35,9 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 0.69aws
+  tag: 0.76aws
   # -- Number of replicas of the wrongsecrets-balancer deployment
-  replicas: 3
+  replicas: 1
   service:
     # -- Kubernetes service type
     type: ClusterIP
@@ -54,8 +54,8 @@ balancer:
       memory: 256Mi
       cpu: 400m
     limits:
-      memory: 512Mi
-      cpu: 800m
+      memory: 1024Mi
+      cpu: 1000m
   # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: { }
   # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
@@ -89,7 +89,7 @@ balancer:
 
 wrongsecrets:
   # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
-  maxInstances: 100
+  maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsens/wrongsecrets
   tag: 1.5.3-no-vault
@@ -191,7 +191,7 @@ wrongsecrets:
 #the virtual desktop for the deploymebt
 virtualdesktop:
   # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
-  maxInstances: 100
+  maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop
   tag: latest

guides/azure/azure.md renamed to guides-archived-use-readme-only/azure/azure.md

@@ -24,12 +24,16 @@ We currently only support minikube and AWS EKS (_**But the latter needs you to u
 For minikube, run:
 
 ```shell
-minikube start
+
+minikube start --network-plugin=cni --cni=calico
 eval $(minikube docker-env)
-./build-an-deploy
+./build-an-deploy.sh
 kubectl port-forward service/wrongsecrets-balancer 3000:3000
+
 ```
 
+For AWS EKS follow the instrucrtions in the `/eks` folder.
+
 Then open a browser and go to [localhost:3000](http:localhost:3000) and have fun :D .
 
 

guides/azure/ssl.md renamed to guides-archived-use-readme-only/azure/ssl.md

@@ -8,6 +8,7 @@ module.exports = {
   createServiceForTeam: jest.fn(),
   createDesktopServiceForTeam: jest.fn(),
   createServiceAccountForWebTop: jest.fn(),
+  createNSPsforTeam: jest.fn(),
   createRoleForWebTop: jest.fn(),
   createRoleBindingForWebtop: jest.fn(),
   getJuiceShopInstanceForTeamname: jest.fn(() => ({

guides/digital-ocean/digital-ocean.md renamed to guides-archived-use-readme-only/digital-ocean/digital-ocean.md

@@ -6,7 +6,7 @@ const promClient = require('prom-client');
 const basicAuth = require('basic-auth-connect');
 const onFinished = require('on-finished');
 
-const { get } = require('./config');
+const { get, extractTeamName } = require('./config');
 
 const app = express();
 
@@ -61,10 +61,7 @@ app.get('/balancer/dynamics', (req, res) =>
 app.use(cookieParser(get('cookieParser.secret')));
 app.use('/balancer', express.json());
 app.use((req, res, next) => {
-  const teamname =
-    process.env['NODE_ENV'] === 'test'
-      ? req.cookies[get('cookieParser.cookieName')]
-      : req.signedCookies[get('cookieParser.cookieName')];
+  const teamname = extractTeamName(req);
 
   req.teamname = teamname;
   if (teamname) {

guides/digital-ocean/do-lb.yaml renamed to guides-archived-use-readme-only/digital-ocean/do-lb.yaml

@@ -13,3 +13,10 @@ const fetchConfigValue = (name, defaultValue) => {
 
 const get = memoize(fetchConfigValue);
 module.exports.get = get;
+
+const extractTeamName = (req) => {
+  return process.env['NODE_ENV'] === 'test'
+    ? req.cookies[get('cookieParser.cookieName')]
+    : req.signedCookies[get('cookieParser.cookieName')];
+};
+module.exports.extractTeamName = extractTeamName;