Merge pull request #3 from DownUnderCTF/update/2023

2023 Update

README.md

@@ -15,40 +15,39 @@ per-team challenge assignment for web challenges. Inspired by [kCTF](https://git
 ./scripts/cluster-configure
 ```
 
-3. Create config/values.yaml and populate it with values.
+3. Install the cluster resources.
+```sh
+./scripts/cluster-install
+```
+
+4. Create config/values.yaml and populate it with values.
 ```yaml
 domain:
   challenges: <root domain where challenges are hosted> # challenges will be a subdomain of this
 
 replicas:
   challenge-manager: 2
 
-containerRegistry: gcr.io/example # don't include the slash at the end
-
 cert:
   email: <contact email> # required for letsencrypt
   cfDNSToken: <cloudflare dns token> # used to configure dns-01 certificate validation
+
+
+googleProject: <project ID of the Google Project>
 ```
 
 4. Deploy the helm stack.
 ```sh
 helm install kubectf -f config/values.yaml chart/
 ```
 
-5. Upload the sample whoami challenge
+5. Upload the sample whoami challenge for testing.
 ```sh
-GOOGLE_APPLICATION_CREDENTIALS=<sevice account json> ./scripts/process-isolated-challenges
+kubectl apply -f templates/whoami/kube-isolated.yaml
 ```
 
-## How to Write Isolated Challenges
-TODO
-
-## TODO
-- `./scripts/process-isolated-challenges` already exists to process the challenge templates and upload them
-to Google Cloud Datastore. We should integrate this with GitHub actions in order to do automatic deployments
-on push.
-- Interface this with CTFd
-- TLS termination for challenges, which can be done by adding cert-manager.
+## How to Deploy Isolated Challenges
+See the README at [services/challenge-manager](services/challenge-manager)
 
 ## Authors
 - [BlueAlder](https://github.com/BlueAlder)

chart/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.17.0"

chart/templates/challenge-manager.yaml

@@ -18,7 +18,7 @@ spec:
       serviceAccountName: challenge-manager
       containers:
       - name: challenge-manager
-        image: gcr.io/{{ .Values.googleProject }}/services/challenge-manager:latest
+        image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/services/challenge-manager:latest
         readinessProbe:
           httpGet:
             port: 3000
@@ -116,6 +116,7 @@ rules:
       - services
       - namespaces
       - secrets
+      - networkpolicies
     verbs:
       - create
       - delete

chart/templates/landing.yaml

@@ -20,7 +20,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - name: web
-        image: gcr.io/{{ .Values.googleProject }}/services/landing:latest
+        image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/services/landing:latest
         resources:
 {{ toYaml (index  .Values "landing").quota | indent 10 }}
         ports:

chart/values.yaml

@@ -2,7 +2,6 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-
 kube-janitor:
   quota:
     limits:
@@ -33,19 +32,21 @@ landing:
     requests:
       cpu: 50m
       memory: 256Mi
-      
+
 domain:
   challenges: chal.example.com
   management: management.example.com
 
 # google project ID
 googleProject: example
+googleRegion: australia-southeast1
+googleRepositoryName: example
 
 cert:
   email: [email protected]
   cfDNSToken: example
 
 # Don't change these unless you know what you're doing
 challengeNamespaces:
-- challenges
-- challenges-isolated
+  - challenges
+  - challenges-isolated

scripts/cluster-configure

@@ -4,62 +4,17 @@
 source `dirname "$0"`"/util"
 
 PROJECT_ID=`gcloud config get-value project`
-APPENGINE_REGION=`gcloud app describe | grep -oP '^locationId: \K[\da-z-]+'`
-BASE_DOMAIN="example.com"
 KUBECTF_NAMESPACE="kubectf"
-# ADMIN_EMAIL="[email protected]"
-
 
 # ask the questions
 CLUSTER_NAME=`ask_with_default "Cluster name" ""`
-APPENGINE_REGION=`ask_with_default "App Engine Region" "$APPENGINE_REGION"`
 KUBECTF_NAMESPACE=`ask_with_default "KubeCTF Instance (should be the same as in values.yaml)" "$KUBECTF_NAMESPACE"`
 SERVICE_ACCOUNT_CHALLENGE_MANAGER="gke-challenge-manager"
-# BASE_DOMAIN=`ask_with_default "Base Domain" "$BASE_DOMAIN"`
-# ADMIN_EMAIL=`ask_with_default "Admin Email Address" "$ADMIN_EMAIL"`
-
-# # clean up old dir
-# rm -rf services/
 
-# # generate configs
-# for file in `find service-templates/ -type f -name "*.yml"`
-# do
-#   new_file="services/"`echo "$file" | cut -d'/' -f2-`
-#   mkdir -p `dirname "$new_file"`
-#   envsubst < "$file" > "$new_file"
-# done
-
-# # create datastore for deployment templates and create iam user
-gcloud app create --region="$APPENGINE_REGION"
-gcloud datastore databases create --region "$APPENGINE_REGION"
 
 gcloud iam service-accounts create "$SERVICE_ACCOUNT_CHALLENGE_MANAGER"
 
-gcloud projects add-iam-policy-binding "$PROJECT_ID" \
-    --member="serviceAccount:$SERVICE_ACCOUNT_CHALLENGE_MANAGER@$PROJECT_ID.iam.gserviceaccount.com" \
-    --role=roles/datastore.viewer
-
 gcloud iam service-accounts add-iam-policy-binding \
     --role roles/iam.workloadIdentityUser \
     --member "serviceAccount:$PROJECT_ID.svc.id.goog[$KUBECTF_NAMESPACE-management/challenge-manager]" \
     "$SERVICE_ACCOUNT_CHALLENGE_MANAGER@$PROJECT_ID.iam.gserviceaccount.com"
-
-
-# create namespaces
-kubectl create namespace traefik
-kubectl label namespace cert-manager app.kubernetes.io/name=cert-manager   
-kubectl label namespace traefik app.kubernetes.io/name=traefik  
-
-# install helm stuff
-helm repo add jetstack https://charts.jetstack.io
-helm repo add traefik https://helm.traefik.io/traefik
-helm repo update
-
-# install the proxification stuff
-helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace \
-    --version v1.9.1 \
-    --set installCRDs=true
-helm install traefik traefik/traefik \
-    --namespace traefik \
-    --create-namespace \
-    --set "deployment.kind=DaemonSet,providers.kubernetesCRD.allowCrossNamespaces=true,logs.general.level=INFO,service.spec.externalTrafficPolicy=Local"

scripts/cluster-deploy

@@ -2,14 +2,17 @@
 
 source `dirname "$0"`"/util"
 
+set -e
+
 PROJECT_ID=`gcloud config get-value project`
 CLUSTER_NAME="ctf-cluster"
-CLUSTER_REGION="us-west1-a"
-CLUSTER_VERSION="1.22.11-gke.400"
-MACHINE_TYPE="e2-small"
-DISK_SIZE="48"
+CLUSTER_REGION="us-central1-a"
+CLUSTER_VERSION="1.27.3-gke.100"
+MACHINE_TYPE="e2-medium"
+DISK_SIZE="30"
 DISK_TYPE="pd-standard"
-NUM_NODES="1"
+NUM_NODES="3"
+VPC_NAME="ductf-network"
 
 CLUSTER_NAME=`ask_with_default "Cluster Name" "$CLUSTER_NAME"`
 CLUSTER_REGION=`ask_with_default "Cluster Zone" "$CLUSTER_REGION"`
@@ -18,9 +21,13 @@ MACHINE_TYPE=`ask_with_default "Machine Type" "$MACHINE_TYPE"`
 DISK_SIZE=`ask_with_default "Disk Size (GB)" "$DISK_SIZE"`
 DISK_TYPE=`ask_with_default "Disk Type (pd-standard or pd-ssd)" "$DISK_TYPE"`
 NUM_NODES=`ask_with_default "Number of Nodes" "$NUM_NODES"`
+VPC_NAME=`ask_with_default "VPC to create" "$VPC_NAME"`
 
+gcloud services enable compute.googleapis.com
 gcloud services enable container.googleapis.com
 
+# gcloud compute networks create $VPC_NAME --subnet-mode=auto 
+
 gcloud beta container clusters create "$CLUSTER_NAME" \
   --zone "$CLUSTER_REGION" \
   --no-enable-basic-auth \
@@ -41,6 +48,8 @@ gcloud beta container clusters create "$CLUSTER_NAME" \
   --addons HorizontalPodAutoscaling,GcePersistentDiskCsiDriver \
   --max-surge-upgrade 1 \
   --max-unavailable-upgrade 0 \
-  --enable-shielded-nodes
+  --enable-shielded-nodes \
+  --location-policy BALANCED \
+  --network ${VPC_NAME}
 
 gcloud container clusters --region "$CLUSTER_REGION" get-credentials "$CLUSTER_NAME"

scripts/cluster-install

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 kubectl create namespace traefik
+kubectl create namespace cert-manager
 kubectl label namespace cert-manager app.kubernetes.io/name=cert-manager   
 kubectl label namespace traefik app.kubernetes.io/name=traefik  
 
@@ -10,8 +11,8 @@ helm repo add traefik https://helm.traefik.io/traefik
 helm repo update
 
 # install the proxification stuff
-helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace \
-    --version v1.9.1 \
+helm install cert-manager jetstack/cert-manager --namespace cert-manager \
+    --version v1.12.3 \
     --set installCRDs=true
 helm install traefik traefik/traefik \
     --namespace traefik \
@@ -25,11 +26,17 @@ providers:
     allowCrossNamespaces: true
 logs:
   general:
-    level: 'INFO'
+    # This is fatal since traefik spits errors whenever an instance is spun up
+    level: 'FATAL'
 service:
   spec:
     externalTrafficPolicy: 'Local'
 ports:
+  blockchain:
+    port: 8545
+    expose: true
+    protocol: 'TCP'
+    exposedPort: 8545
   tcpsecure:
     port: 40000
     expose: true

scripts/services-build

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+source `dirname "$0"`"/util"
+
+PROJECT_ID=`gcloud config get-value project`
+REPO_NAME="ductf"
+REPO_LOCATION="australia-southeast1"
+
+PROJECT_ID=`ask_with_default "Project ID" "$PROJECT_ID"`
+REPO_NAME=`ask_with_default "AR Repo Name" "$REPO_NAME"`
+REPO_LOCATION=`ask_with_default "AR Repo Location" "$REPO_LOCATION"`
+
+
+gcloud services enable artifactregistry.googleapis.com
+gcloud services enable cloudbuild.googleapis.com
+
+# Create artifact registry repo
+gcloud artifacts repositories create ${REPO_NAME} \
+  --repository-format=docker \
+  --location=${REPO_LOCATION} \
+  --description="registry for CTF related images" 
+
+
+gcloud builds submit ./services/challenge-manager/ \
+  --config ./services/challenge-manager/cloudbuild.yaml \
+  --region ${REPO_LOCATION} \
+  --async
+gcloud builds submit ./services/landing/ \
+  --config ./services/landing/cloudbuild.yaml \
+  --region ${REPO_LOCATION} \
+  --async