Fixes for documentation mostly

Author: commjoen

guides/k8s/k8s.md

@@ -1,6 +1,8 @@
 # Example Setup with kubernetes(k8s)
 
 **WARNING:** It takes into account that you already have k8s cluster setup.
+**WARNING-2:** this document is not yet up to date, it will be fixed in [https://github.com/commjoen/wrongsecrets-ctf-party/issues/79](https://github.com/commjoen/wrongsecrets-ctf-party/issues/79).
+
 
 ## Prerequisites
 

guides/production-notes/production-notes.md

@@ -4,10 +4,12 @@ To ensure MultiJuicer runs as smoothly during your CTF's / trainings / workshops
 
 1. Set `.balancer.cookie.cookieParserSecret` to a random alpha-numeric value (recommended length 24 chars), this value is used to sign cookies. If you don't set this, each `helm upgrade` you run will generate a new one, which invalidates all user sessions, forcing users to rejoin their team.
 2. As you are running this with https (right?), you should set `balancer.cookie.secure` to `true`. This marks the cookie used to associate a browser with a team to transmitted via https only.
-3. Make sure the value you have configured for `juiceShop.maxInstances` fits your CTF / training / whatever you are running. The default is set to only allow 10 instances. Set to -1 to remove any restrictions.
+3. Make sure the value you have configured for `wrongsecrets.maxInstances` & `virtualdesktop.maxInstances` fits your CTF / training / whatever you are running. The default is set to only allow 10 instances. Set to -1 to remove any restrictions.
 4. Set `balancer.replicas` to at least 2, so that you have at least one fall back JuiceBalancer when one crashes or the node it lives on goes down.
 5. When running a CTF with JuiceShop challenge flags, make sure to change `juiceShop.ctfKey` from the default. Otherwise users will be able to generate their own flags relatively easily. See
 6. When using prometheus metrics, e.g. when you have followed the [Monitoring SetUp Guide](https://github.com/iteratec/multi-juicer/blob/main/guides/monitoring-setup/monitoring.md) you'll want to change `balancer.metrics.basicAuth.password` to a non default values. Otherwise users can use the default value to access the technical metrics of the JuiceBalancer pods.
+7. If you host this CTF in a public domain, change the `balancer.env.REACT_APP_ACCESS_PASSWORD` to a password you communicate to your users at the start of teh CTF.
+8. Make sure to rotate the `balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY` HMAC key for anti-infra-creation-fuzzing as well into something else than 'hardcodedkey' when you see players generating 100s of instances in minutes.
 
 ## TLDR
 
@@ -22,8 +24,12 @@ balancer:
   metrics:
     basicAuth:
       password: "ROTATE_THIS_YOU_LAZY_ASS"
+  env:
+    REACT_APP_ACCESS_PASSWORD: 'CHANGE_THIS_ASS_WELL'
+    REACT_APP_CREATE_TEAM_HMAC_KEY: 'PLEASE_CHANGE_ME'
 
 juiceShop:
   maxInstances: 42
   ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE"
 ```
+

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/config-map.yaml

@@ -24,7 +24,7 @@ data:
         "enabled": true
       },
   {{- end }}
-      "juiceShop": {
+      "wrongsecrets": {
         "image": {{ .Values.wrongsecrets.image | quote }},
         "tag": {{ .Values.wrongsecrets.tag | quote }},
         "imagePullPolicy": {{ .Values.imagePullPolicy | quote }},

helm/wrongsecrets-ctf-party/values.yaml

@@ -63,15 +63,16 @@ balancer:
   # -- If set to true this skips setting ownerReferences on the teams JuiceShop Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
   skipOwnerReference: false
   env:
-    REACT_APP_MOVING_GIF_LOGO : 'https://i.gifer.com/9kGQ.gif'
-    REACT_APP_HEROKU_WRONGSECRETS_URL : 'https://wrongsecrets-ctf.herokuapp.com'
-    REACT_APP_CTFD_URL : 'https://ctfd.io'
-    REACT_APP_S3_BUCKET_URL : 's3://funstuff'
-    K8S_ENV: 'k8s' #oraws
+    REACT_APP_MOVING_GIF_LOGO : 'https://i.gifer.com/9kGQ.gif' #displayed at the frontend when you enter the CTF
+    REACT_APP_HEROKU_WRONGSECRETS_URL : 'https://wrongsecrets-ctf.herokuapp.com' #required for 3 domain setup
+    REACT_APP_CTFD_URL : 'https://ctfd.io' #requierd for 2 and 3 domain setup
+    REACT_APP_S3_BUCKET_URL : 's3://funstuff' #the s3 bucket you use for teh aws challenges, don't forget to make it accessible!
+    K8S_ENV: 'k8s' #or 'aws'
     REACT_APP_ACCESS_PASSWORD: '' #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
-    IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager
-    SECRETS_MANAGER_SECRET_ID_1: 'wrongsecret'
-    SECRETS_MANAGER_SECRET_ID_2: 'wrongsecret-2'
+    REACT_APP_CREATE_TEAM_HMAC_KEY: 'hardcodedkey'
+    IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
+    SECRETS_MANAGER_SECRET_ID_1: 'wrongsecret' #only change if you need non-default AWS SM entries
+    SECRETS_MANAGER_SECRET_ID_2: 'wrongsecret-2' #only change if you need non-default AWS SM entries
   metrics:
     # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
     enabled: true
@@ -182,7 +183,7 @@ virtualdesktop:
   # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
   maxInstances: 500
   # -- Juice Shop Image to use
-  image: jeroenwillemsen/wrongsecrets-desktop
+  image: jeroenwillemsen/wrongsecrets-desktop-k8s
   tag: test2
   repository: commjoenie/wrongSecrets
   resources:

readme.md

@@ -49,7 +49,16 @@ You need 2 things:
 - A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application.
 
 
+### General Helm usage
 
+This setup works best if you have Calico installed as your CNI, if you want to use the helm directly, without the AWS Challenges, do:
+
+```shell
+
+helm upgrade --install mj ./helm/wrongsecrets-ctf-party 
+
+```
+from this repo. We will host the helm chart soon for you.
 
 ### Play with Minikube:
 
@@ -80,46 +89,14 @@ For AWS EKS follow the instrucrtions in the `/eks` folder.
 Then open a browser and go to [localhost:3000](http:localhost:3000) and have fun :D .
 
 
+### Some production notes
 
-
-
-
-
-
-
-
-
-ORIGINAL README:
-
-
-![MultiJuicer, High Level Architecture Diagram](./images/high-level-architecture.svg)
-
-## Installation
-
-MultiJuicer runs on kubernetes, to install it you'll need [helm](https://helm.sh).
-
-```sh
-helm repo add wrongsecrets-ctf-party https://iteratec.github.io/multi-juicer/
-
-helm install wrongsecrets-ctf-party wrongsecrets-ctf-party/wrongsecrets-ctf-party
-```
-
-See [production notes](./guides/production-notes/production-notes.md) for a checklist of values you'll likely need to configure before using MultiJuicer in proper events.
-
-### Installation Guides for specific Cloud Providers / Environments
-
-Generally MultiJuicer runs on pretty much any kubernetes cluster, but to make it easier for anybody who is new to kubernetes we got some guides on how to setup a kubernetes cluster with MultiJuicer installed for some specific Cloud providers.
-
-- [Digital Ocean](./guides/digital-ocean/digital-ocean.md)
-- [AWS](./guides/aws/aws.md)
-- [OpenShift](./guides/openshift/openshift.md)
-- [Plain Kubernetes](./guides/k8s/k8s.md)
-- [Azure](./guides/azure/azure.md)
+See [production notes](./guides/production-notes/production-notes.md) for a checklist of values you'll likely need to configure before using Wrongsecrets-ctf-party in proper events.
 
 ### Customizing the Setup
 
-You got some options on how to setup the stack, with some option to customize the JuiceShop instances to your own liking.
-You can find the default config values under: [helm/multi-juicer/values.yaml](helm/wrongsecrets-ctf-party/values.yaml)
+You got some options on how to setup the stack, with some option to customize the WrongSecrets and Virtual desktop instances to your own liking.
+You can find the default config values under: [helm/wrongsecrets-ctf-party/values.yaml](helm/wrongsecrets-ctf-party/values.yaml)
 
 Download & Save the file and tell helm to use your config file over the default by running:
 
@@ -135,21 +112,6 @@ helm delete wrongsecrets-ctf-party
 
 ## FAQ
 
-### How much compute resources will the cluster require?
-
-To be on the safe side calculate with:
-
-- _1GB memory & 1CPU overhead_, for the balancer & co
-- _200MB & 0.2CPU \* number of participants_, for the individual JuiceShop Instances
-
-The numbers above reflect the default resource limits. These can be tweaked, see: [Customizing the Setup](#customizing-the-setup)
-
-### How many users can MultiJuicer handle?
-
-There is no real fixed limit. (Even thought you can configure one 😉)
-The custom LoadBalancer, through which all traffic for the individual Instances flows, can be replicated as much as you'd like.
-You can also attach a [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) to automatically scale the LoadBalancer.
-
 ### Why a custom LoadBalancer?
 
 There are some special requirements which we didn't find to be easily solved with any pre build load balancer:
@@ -168,19 +130,22 @@ There are some pretty good reasons for this:
 - To ensure that pods are still properly associated with teams after a pod gets recreated. This is a non problem with separate deployment and really hard with scaled deployments.
 - The ability to embed the team name in the deployment name. This seems like a stupid reason but make debugging SOOO much easier, with just using `kubectl`.
 
-### How to manage JuiceShop easily using `kubectl`?
+### How to manage WrongSecrets easily using `kubectl`?
 
-You can list all JuiceShops with relevant information using the custom-columns feature of kubectl.
-You'll need to down load the juiceShop.txt from the repository first:
+You can list all WrongSecrets with relevant information using the custom-columns feature of kubectl.
+You'll need to down load the wrongsecrets.txt from the repository first:
 
 ```bash
-kubectl get -l app=wrongsecrets -o custom-columns-file=juiceShop.txt deployments
+kubectl get -l app=wrongsecrets -o custom-columns-file=wrongsecrets.txt deployments
 ```
 
+There are a few more ways how you can check whether all is going well: have a look in the [/scripts](/scripts/) folder for various tools that can help you to see if there are too many namespaces created for instance. This does require you to export the teams and players from ctfd.
+
+
 ### Did somebody actually ask any of these questions?
 
 No 😉
 
 ## Talk with Us!
 
-You can reach us in the `#project-juiceshop` channel of the OWASP Slack Workspace. We'd love to hear any feedback or usage reports you got. If you are not already in the OWASP Slack Workspace, you can join via [this link](https://owasp.slack.com/join/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM)
+You can reach us in the `#project-wrongsecrets` channel of the OWASP Slack Workspace. We'd love to hear any feedback or usage reports you got. If you are not already in the OWASP Slack Workspace, you can join via [this link](https://owasp.slack.com/join/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM)

wrongsecrets-balancer/config/config.json

@@ -38,5 +38,23 @@
     },
     "tolerations": [],
     "affinity": {}
+  },
+  "virtualdesktop": {
+    "image": "jeroenwillemsen/wrongsecrets-desktop-k8s",
+    "tag": "latest-no-vault",
+    "imagePullPolicy": "IfNotPresent",
+    "nodeEnv": "wrongsecrets-ctf-party",
+    "resources:": {
+      "requests": {
+        "memory": "256Mi",
+        "cpu": "200m"
+      },
+      "limits": {
+        "memory": "256Mi",
+        "cpu": "200m"
+      }
+    },
+    "tolerations": [],
+    "affinity": {}
   }
 }