OWASP · commjoen · Jun 29, 2023 · May 20, 2023 · May 30, 2023 · May 30, 2023
@@ -1,10 +1,13 @@
-# WARNING: File managed by eadf-bot, changes committed to individual repo will be overwritten
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.3.0
     hooks:
       - id: check-yaml
-        exclude: ^helm/wrongsecrets-ctf-party/templates/
+        exclude: ^(helm/wrongsecrets-ctf-party/templates/|helm/test.tmp.yaml)
+      - id: check-yaml
+        files: ^helm/test.tmp.yaml
+        args:
+          - --allow-multiple-documents
       - id: end-of-file-fixer
         exclude: ^(src/test/resources/yourkey.txt|src/test/resources/secondkey.txt)
       - id: trailing-whitespace

@@ -0,0 +1,25 @@
+{
+  "name": "charts",
+  "version": "v1.0.0",
+  "description": "WrongSecrets helm chart",
+  "main": "index.js",
+  "scripts": {
+    "build": "helm package ./wrongsecrets-ctf-party",
+    "subcharts": "helm dependency update ./wrongsecrets-ctf-party",
+    "lint": "helm lint ./wrongsecrets-ctf-party",
+    "validate": "npm run lint && npm run test",
+    "template": "helm template --debug -f ./test-values.yaml myrelease ./wrongsecrets-ctf-party -n myns > test.tmp.yaml",
+    "dry-run": "helm install --dry-run -f ./test-values.yaml unknown ./wrongsecrets-ctf-party",
+    "doc": "helm-docs -s file",
+    "preversion": "git fetch --prune --prune-tags && npm run lint && npm run build",
+    "version": " export version=v$(node -p -e 'require(`./package.json`).version') && export app_version=$(echo $version | cut -d. -f2-).0 && yq e -i '.version=strenv(version)' ./wrongsecrets-ctf-party/Chart.yaml && yq e -i '.appVersion=strenv(app_version)' ./wrongsecrets-ctf-party/Chart.yaml && git add . ",
+    "postversion": "git push && git push --tags"
+  },
+  "repository": {
+    "type": "git",
+    "url": "[email protected]:OWASP/wrongsecrets-ctf-party.git"
+  },
+  "author": "WrongSecrets",
+  "license": "Apache License 2.0",
+  "homepage": "https://owasp.org/www-project-wrongsecrets/"
+}
@@ -19,55 +19,35 @@ spec:
         app: wrongsecrets-balancer
         {{- include "wrongsecrets-ctf-party.selectorLabels" . | nindent 8 }}
     spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 3000
-        fsGroup: 2000
-        seccompProfile:
-          type: RuntimeDefault
       serviceAccountName: wrongsecrets-balancer
+      {{- with .Values.balancer.podSecurityContext }}
+      securityContext:
+        {{- omit . "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: '{{ .Values.balancer.repository }}:{{ .Values.balancer.tag | default (printf "v%s" .Chart.Version) }}'
           imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
           ports:
             - name: http
-              containerPort: 3000
+              containerPort: {{ .Values.balancer.containerPort }}
+          {{- if .Values.balancer.livenessProbe }}
           livenessProbe:
-            httpGet:
-              path: /balancer/
-              port: http
+          {{- toYaml .Values.balancer.livenessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.balancer.readinessProbe }}
           readinessProbe:
-            httpGet:
-              path: /balancer/
-              port: http
+          {{- toYaml .Values.balancer.readinessProbe | nindent 12 }}
+          {{- end }}
           env:
-            - name: REACT_APP_MOVING_GIF_LOGO
-              value: {{ .Values.balancer.env.REACT_APP_MOVING_GIF_LOGO }}
-            - name: REACT_APP_ACCESS_PASSWORD
-              value: {{ .Values.balancer.env.REACT_APP_ACCESS_PASSWORD }}
-            - name: REACT_APP_HEROKU_WRONGSECRETS_URL
-              value: {{ .Values.balancer.env.REACT_APP_HEROKU_WRONGSECRETS_URL }}
-            - name: REACT_APP_CTFD_URL
-              value: {{ .Values.balancer.env.REACT_APP_CTFD_URL }}
-            - name: REACT_APP_S3_BUCKET_URL
-              value: {{ .Values.balancer.env.REACT_APP_S3_BUCKET_URL }}
-            - name: K8S_ENV
-              value: {{ .Values.balancer.env.K8S_ENV }}
-            - name: IRSA_ROLE
-              value: {{ .Values.balancer.env.IRSA_ROLE }} #REPLACE WITH THE ACTUAL AWS ROLE IF IN AWS MODE
+            {{- range $k, $v := .Values.balancer.env}}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
             - name: WRONGSECRETS_TAG
               value: {{ .Values.wrongsecrets.tag}}
             - name: WRONGSECRETS_DESKTOP_TAG
               value: {{ .Values.virtualdesktop.tag }}
-            - name: REACT_APP_CREATE_TEAM_HMAC_KEY
-              value: hardcodedkey
-            - name: SECRETS_MANAGER_SECRET_ID_1
-              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_1 }}
-            - name: SECRETS_MANAGER_SECRET_ID_2
-              value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_2 }}
-            - name: CHALLENGE33_VALUE
-              value: {{ .Values.balancer.env.CHALLENGE33_VALUE }}
             - name: COOKIEPARSER_SECRET
               valueFrom:
                 secretKeyRef:
@@ -90,27 +70,20 @@ spec:
                   name: wrongsecrets-balancer-secret
                   key: metricsBasicAuthPassword
             {{- end }}
+          {{- with .Values.balancer.containerSecurityContext }}
           securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - CAP_NET_ADMIN
-                - CAP_NET_BIND_SERVICE
-            seccompProfile:
-              type: RuntimeDefault
+            {{- omit . "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.balancer.volumeMounts }}
           volumeMounts:
-            - name: config-volume
-              mountPath: /home/app/config/
+            {{- toYaml .Values.balancer.volumeMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.balancer.resources | nindent 12 }}
+      {{- if .Values.balancer.volumes }}
       volumes:
-        - name: config-volume
-          configMap:
-            name: wrongsecrets-balancer-config
+        {{- toYaml .Values.balancer.volumes | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

@@ -5,7 +5,6 @@ metadata:
   labels:
     {{- include "wrongsecrets-ctf-party.labels" . | nindent 4 }}
 spec:
-  type: {{ .Values.balancer.service.type }}
 {{- if (or (eq .Values.balancer.service.type "ClusterIP") (empty .Values.balancer.service.type)) }}
   type: ClusterIP
   {{- if .Values.balancer.service.clusterIP }}

@@ -2,18 +2,23 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-imagePullPolicy: Always
+imagePullPolicy: IfNotPresent
 nodeSelector: {}
 
 ingress:
+  # -- If true, Wrongsecrets will create an Ingress object for the balancer service.
+  # Useful if you want to expose the balancer service externally for example with a loadbalancer in order to view any webpages that are hosted on the balancer service.
   enabled: false
+  # -- Annotations to be added to the ingress object.
   annotations: {}
   # kubernetes.io/ingress.class: nginx
   # kubernetes.io/tls-acme: "true"
+  # -- Hostnames to your Wrongsecrets balancer installation.
   hosts:
     - host: wrongsecrets-ctf-party.local
       paths:
         - "/"
+  # -- TLS configuration for Wrongsecrets balancer
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -37,6 +42,8 @@ balancer:
   tag: 1.6.5aws
   # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
   replicas: 2
+  # -- Port to expose on the balancer pods which the container listens on
+  containerPort: 3000
   service:
     # -- Kubernetes service type
     type: ClusterIP
@@ -48,30 +55,30 @@ balancer:
     loadBalancerSourceRanges: null
     # -- IP address to assign to load balancer (if supported)
     externalIPs: null
+  # -- Probes settings for the balancer pods
+  # -- livenessProbe: Checks if the balancer pod is still alive
+  livenessProbe:
+    httpGet:
+      path: /balancer/
+      port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
+  # -- readinessProbe: Checks if the balancer pod is ready to receive traffic
+  readinessProbe:
+    httpGet:
+      path: /balancer/
+      port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
+  # -- Resource limits and requests for the balancer pods
   resources:
     requests:
       memory: 256Mi
       cpu: 400m
     limits:
       memory: 1024Mi
       cpu: 1000m
-  securityContext:
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    capabilities:
-      drop:
-        - ALL
-      add:
-        - CAP_NET_ADMIN
-        - CAP_NET_BIND_SERVICE
-    seccompProfile:
-      type: RuntimeDefault
-  # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  # -- Optional Configure kubernetes scheduling affinity for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
-  # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  # -- Optional Configure kubernetes toleration for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
   tolerations: []
-  # -- If set to true this skips setting ownerReferences on the teams JuiceShop Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
+  # -- If set to true this skips setting ownerReferences on the teams wrongsecrets Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
   skipOwnerReference: false
   env:
     REACT_APP_MOVING_GIF_LOGO: "https://i.gifer.com/9kGQ.gif" #displayed at the frontend when you enter the CTF
@@ -98,11 +105,37 @@ balancer:
       username: prometheus-scraper
       # -- Should be changed when metrics are enabled.
       password: ERzCT4pwBDxfCKRGmfrMa8KQ8sXf8GKy
-
-##TODO:
-#1. UPDATE WRONGSECRETS TO DEFINITION WHERE K8S IS USED FOR AWS!
-#2. UPDATE VIRTUALDESKTOP TO DEFINITION WHERE IT CN BE USED
-#3. ADD VAULT INSTANCE PER TEAM!
+  podSecurityContext:
+    # -- If true, sets the securityContext on the created pods. This is required for the podSecurityPolicy to work
+    enabled: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
+    # -- If true, sets the securityContext on the created containers. This is required for the podSecurityPolicy to work
+    enabled: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+      add:
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+    # -- If true, creates a volumeMount for the created pods. This is required for the podSecurityPolicy to work
+    - name: config-volume
+      mountPath: /home/app/config/
+  volumes:
+    # -- If true, creates a volume for the created pods. This is required for the podSecurityPolicy to work
+    - name: config-volume
+      configMap:
+        name: wrongsecrets-balancer-config
 
 wrongsecrets:
   # -- Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap
@@ -112,32 +145,22 @@ wrongsecrets:
   tag: 1.6.5-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
-  # -- Specify a custom Juice Shop config.yaml. See the JuiceShop Config Docs for more detail: https://pwning.owasp-juice.shop/part1/customization.html#yaml-configuration-file
+  # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
   # @default -- See values.yaml for full details
   config: |
     K8S_ENV: aws
-  #    application:
-  #      logo: https://raw.githubusercontent.com/iteratec/multi-juicer/main/images/multijuicer-icon-only-padding.png
-  #      favicon: https://raw.githubusercontent.com/iteratec/multi-juicer/main/wrongsecrets-balancer/ui/public/favicon.ico
-  #      showVersionNumber: false
-  #      showGitHubLinks: false
-  #    challenges:
-  #      showHints: true
-  #    hackingInstructor:
-  #      isEnabled: true
-  #    ctf:
-  #      showFlagsInNotifications: false
-  # -- Specify a custom NODE_ENV for JuiceShop. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `juiceShop.config`.
+  # "aws" is for using the cluster with eks and "k8s" is for using the cluster with miniKube which will enable specific challenges
+  # -- Specify a custom NODE_ENV for Wrongsecrets. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `wrongsecrets-balancer-config`.
   nodeEnv: "wrongsecrets-ctf-party"
-  # -- Optional resources definitions to set for each JuiceShop instance
+  # -- Optional resources definitions to set for each Wrongsecrets instance
   resources:
     requests:
       cpu: 256Mi
       memory: 300Mi
   #  limits:
   #    cpu: 100m
   #    memory: 200Mi
-  # -- Optional securityContext definitions to set for each JuiceShop instance
+  # -- Optional securityContext definitions to set for each Wrongsecrets instance
   securityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
@@ -147,7 +170,7 @@ wrongsecrets:
         - ALL
     seccompProfile:
       type: RuntimeDefault
-  # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+  # -- Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env:
     - name: K8S_ENV
       value: k8s
@@ -161,43 +184,23 @@ wrongsecrets:
         secretKeyRef:
           name: funnystuff
           key: funnier
-  # env:
-  #   - name: FOO
-  #     valueFrom:
-  #       secretKeyRef:
-  #         key: FOO
-  #         name: secret-resource
   # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
   envFrom: []
-  # -- Optional Volumes to set for each JuiceShop instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+  # -- Optional Volumes to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
   volumes: []
-  # create config map with a custom logo via: kubectl create configmap custom-logo --from-file custom.png=your-logo.png
-  # then switch out the logo parameter in the wrongsecrets config section above to the mounted filename.
-  # volumes:
-  # - name: logo
-  #   configMap:
-  #     name: custom-logo
-  # -- Optional VolumeMounts to set for each JuiceShop instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
-  volumeMounts: []
-  # volumeMounts:
-  # - name: logo
-  #   mountPath: /wrongsecrets/frontend/dist/frontend/assets/public/images/custom.png
-  #   subPath: custom.png
-  #   readOnly: true
-
-  # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
+  # -- Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
-  # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+  # -- Optional Configure kubernetes toleration for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
   tolerations: []
 
-  # -- Optional Can be used to configure the runtime class for the JuiceShop pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/)
+  # -- Optional Can be used to configure the runtime class for the Wrongsecrets instances pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/)
   runtimeClassName: null
 
-# Deletes unused JuiceShop instances after a configurable period of inactivity
+# Deletes unused Wrongsecrets instances after a configurable period of inactivity
 
 #the virtual desktop for the deploymebt
 virtualdesktop:
-  # -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
+  # -- Specifies how many Wrongsecrets instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s