Skip to content

Commit 30c8386

Browse files
committed
add some documentation for CTFd and make some pre-commit fixes
1 parent 92c0431 commit 30c8386

File tree

15 files changed

+77
-42
lines changed

15 files changed

+77
-42
lines changed

.github/workflows/codeql-analysis.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -46,11 +46,11 @@ jobs:
4646
# If you wish to specify custom queries, you can do so here or in a config file.
4747
# By default, queries listed here will override any specified in a config file.
4848
# Prefix the list here with "+" to use these queries and those in the config file.
49-
49+
5050
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
5151
# queries: security-extended,security-and-quality
5252

53-
53+
5454
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
5555
# If this step fails, then you should remove it and run the build manually (see below)
5656
- name: Autobuild
@@ -59,7 +59,7 @@ jobs:
5959
# ℹ️ Command-line programs to run using the OS shell.
6060
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
6161

62-
# If the Autobuild fails above, remove it and uncomment the following three lines.
62+
# If the Autobuild fails above, remove it and uncomment the following three lines.
6363
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
6464

6565
# - run: |

.github/workflows/minikube-k8s-test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
kubernetes-version: v1.23.12
2929
- name: test script
3030
run: |
31-
eval $(minikube docker-env)
31+
eval $(minikube docker-env)
3232
./build-an-deploy.sh
3333
while [[ $(kubectl get pods -l app=wrongsecrets-balancer -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for wrongsecrets-balancer" && sleep 2; done
3434
kubectl logs deployments/wrongsecrets-balancer -f >> pod.log &

.gitignore

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,4 +14,4 @@ db.zip
1414
.DS_Store
1515
.letsencrypt
1616

17-
*.auto.tfvars
17+
*.auto.tfvars

aws/README.md

Lines changed: 35 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -8,14 +8,14 @@ Please make sure that the account in which you run this exercise has either Clou
88

99
Have the following tools installed:
1010

11-
- AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
12-
- EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
13-
- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
14-
- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
15-
- Wget - [Installation](https://www.jcchouinard.com/wget/)
16-
- Helm [Installation](https://helm.sh/docs/intro/install/)
17-
- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
18-
- jq [Installation](https://stedolan.github.io/jq/download/)
11+
- AWS CLI - [Installation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
12+
- EKS CTL - [Installation](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html)
13+
- Tfenv (Optional) - [Installation](https://github.com/tfutils/tfenv)
14+
- Terraform CLI - [Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)
15+
- Wget - [Installation](https://www.jcchouinard.com/wget/)
16+
- Helm [Installation](https://helm.sh/docs/intro/install/)
17+
- Kubectl [Installation](https://kubernetes.io/docs/tasks/tools/)
18+
- jq [Installation](https://stedolan.github.io/jq/download/)
1919

2020
Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as `awsuser`.
2121

@@ -55,6 +55,7 @@ Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.
5555
Are you done playing? Please run `terraform destroy` twice to clean up.
5656

5757
### Test it
58+
5859
When you have completed the installation steps, you can do `kubectl port-forward service/wrongsecrets-balancer 3000:3000` and then go to [http://localhost:3000](http://localhost:3000).
5960

6061
Want to know how well your cluster is holding up? Check with
@@ -64,14 +65,30 @@ Want to know how well your cluster is holding up? Check with
6465
kubectl top pods
6566
```
6667

68+
### Configuring CTFd
69+
70+
You can use the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf) to generate CTFd configuration files.
71+
72+
Follow the following steps:
73+
74+
```shell
75+
npm install -g [email protected]
76+
juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.
77+
```
78+
79+
Now visit the CTFd instance and setup your CTF. If you haven't set up a load balancer/ingress, the you can use `kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "app.kubernetes.io/name=ctfd,app.kubernetes.io/instance=ctfd" -o jsonpath="{.items[0].metadata.name}") 8000:8000` and go to `localhost:8000` to visit CTFd.
80+
81+
Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
82+
Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
83+
6784
### Clean it up
6885

6986
When you're done:
7087

7188
1. Kill the port forward.
7289
2. Run the cleanup script: `cleanup-aws-autoscaling-and-helm.sh`
7390
3. Run `terraform destroy` to clean up the infrastructure.
74-
1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
91+
1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
7592
4. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
7693
5. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
7794
6. Run `rm terraform.tfstate*` to remove local state files.
@@ -96,6 +113,7 @@ Do the following:
96113
Note that you might have to do some manual cleanups after that.
97114

98115
## Terraform documentation
116+
99117
The documentation below is auto-generated to give insight on what's created via Terraform.
100118

101119
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -120,8 +138,8 @@ The documentation below is auto-generated to give insight on what's created via
120138

121139
| Name | Source | Version |
122140
|------|--------|---------|
123-
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.29.0 |
124-
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.14.4 |
141+
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.2 |
142+
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.18.1 |
125143

126144
## Resources
127145

@@ -130,7 +148,9 @@ The documentation below is auto-generated to give insight on what's created via
130148
| [aws_iam_policy.secret_deny](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
131149
| [aws_iam_policy.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
132150
| [aws_iam_role.irsa_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
151+
| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
133152
| [aws_iam_role.user_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
153+
| [aws_iam_role_policy.user_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
134154
| [aws_iam_role_policy_attachment.irsa_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
135155
| [aws_iam_role_policy_attachment.user_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
136156
| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
@@ -143,18 +163,21 @@ The documentation below is auto-generated to give insight on what's created via
143163
| [random_password.password2](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
144164
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
145165
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
166+
| [aws_iam_policy_document.assume_role_for_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
146167
| [aws_iam_policy_document.assume_role_with_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
147168
| [aws_iam_policy_document.secret_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
148169
| [aws_iam_policy_document.user_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
149170
| [aws_iam_policy_document.user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
171+
| [aws_iam_policy_document.user_secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
150172
| [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
151173

152174
## Inputs
153175

154176
| Name | Description | Type | Default | Required |
155177
|------|-------------|------|---------|:--------:|
156178
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
157-
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.22"` | no |
179+
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
180+
| <a name="input_extra_allowed_ip_ranges"></a> [extra\_allowed\_ip\_ranges](#input\_extra\_allowed\_ip\_ranges) | Allowed IP ranges in addition to creator IP | `list(string)` | `[]` | no |
158181
| <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
159182

160183
## Outputs

aws/build-an-deploy-aws.sh

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
121121
--set="balancer.repository=jeroenwillemsen/wrongsecrets-balancer" \
122122
--set="balancer.replicas=4" \
123123
--set="wrongsecretsCleanup.repository=jeroenwillemsen/wrongsecrets-ctf-cleaner" \
124-
--set="wrongsecrets.ctfKey=test"
124+
--set="wrongsecrets.ctfKey=test" # this key isn't actually necessary in a setup with CTFd
125125

126126
# Install CTFd
127127

@@ -132,4 +132,4 @@ helm -n ctfd install ctfd oci://ghcr.io/bman46/ctfd/ctfd \
132132
--set="mariadb.auth.rootPassword=${$(openssl rand -base64 24)}" \
133133
--set="mariadb.auth.password=${$(openssl rand -base64 24)}" \
134134
--set="mariadb.auth.replicationPassword=${$(openssl rand -base64 24)}" \
135-
--set="env.open.SECRET_KEY=test"
135+
--set="env.open.SECRET_KEY=test" # this key isn't actually necessary in a setup with CTFd

aws/cluster-autoscaler-policy.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,4 +28,4 @@
2828
"Resource": "*"
2929
}
3030
]
31-
}
31+
}

aws/shared-state/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ The documentation below is auto-generated to give insight on what's created via
1313

1414
| Name | Version |
1515
|------|---------|
16-
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
16+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.38.0 |
1717

1818
## Modules
1919

build-an-deploy.sh

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,9 @@ WRONGSECRETS_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecr
1414
WRONGSECRETS_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.wrongsecrets.tag')
1515
WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.image')
1616
WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml| yq '.virtualdesktop.tag')
17-
echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG."
17+
echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG."
1818
echo "If you see an authentication failure: pull them manually by the following 2 commands"
19-
echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'"
19+
echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'"
2020
echo "'docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG'" &
2121
docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG &
2222
docker pull jeroenwillemsen/jeroenwillemsen/$WEBTOP_IMAGE:$WEBTOP_TAG &

guides/production-notes/production-notes.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,4 +32,3 @@ juiceShop:
3232
maxInstances: 42
3333
ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE"
3434
```
35-

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/role.yaml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,10 +38,9 @@ rules:
3838
- apiGroups: ['secrets-store.csi.x-k8s.io']
3939
resources: ['secretproviderclasses']
4040
verbs: ['create', 'get', 'list', 'delete']
41-
- apiGroups: ['networking.k8s.io']
41+
- apiGroups: ['networking.k8s.io']
4242
resources: ['networkpolicies']
4343
verbs: ['create', 'get', 'list', 'delete']
4444
- apiGroups: ['']
4545
resources: ['endpoints']
4646
verbs: [ 'get', 'list']
47-

0 commit comments

Comments
 (0)