
Commit 176ff52

committed
2025 update: sync with internal repo
Commit: 843ffc602f4e5e9b6a7a9c7691127b0cd80ce26f
1 parent be3ed5b commit 176ff52


73 files changed

+5509
-4022
lines changed

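--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 config/
-venv/
+venv/
+*.tsbuildinfo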

README.md

Lines changed: 1 addition & 0 deletions
@@ -58,3 +58,4 @@ a goodwill effort. While we do not provide dedicated support, you can ask questi
5858
- [BlueAlder](https://github.com/BlueAlder)
5959
- [jordanbertasso](https://github.com/jordanbertasso)
6060
- [lecafard](https://github.com/lecafard)
61+
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
{{- $deployment := (index .Values "challenge-manager") }}
2+
apiVersion: apps/v1
3+
kind: Deployment
4+
metadata:
5+
name: challenge-manager-ui
6+
namespace: {{ .Release.Name }}-management
7+
labels:
8+
kube-ctf.downunderctf.com/service: challenge-manager-ui
9+
spec:
10+
replicas: {{ $deployment.replicas }}
11+
selector:
12+
matchLabels:
13+
kube-ctf.downunderctf.com/service: challenge-manager-ui
14+
template:
15+
metadata:
16+
labels:
17+
kube-ctf.downunderctf.com/service: challenge-manager-ui
18+
spec:
19+
containers:
20+
- name: challenge-manager-ui
21+
image: {{ .Values.registries.infra }}/services/challenge-manager-ui:latest
22+
readinessProbe:
23+
httpGet:
24+
port: 80
25+
path: /
26+
initialDelaySeconds: 10
27+
periodSeconds: 10
28+
livenessProbe:
29+
httpGet:
30+
port: 80
31+
path: /
32+
initialDelaySeconds: 30
33+
periodSeconds: 10
34+
resources:
35+
{{ toYaml $deployment.ui_quota | indent 12 }}
36+
ports:
37+
- containerPort: 80
38+
---
39+
apiVersion: v1
40+
kind: Service
41+
metadata:
42+
name: challenge-manager-ui
43+
namespace: {{ .Release.Name }}-management
44+
labels:
45+
kube-ctf.downunderctf.com/service: challenge-manager-ui
46+
spec:
47+
selector:
48+
kube-ctf.downunderctf.com/service: challenge-manager-ui
49+
ports:
50+
- port: 80
51+
---
52+
apiVersion: traefik.io/v1alpha1
53+
kind: IngressRoute
54+
metadata:
55+
name: challenge-manager-ui
56+
namespace: {{ .Release.Name }}-management
57+
labels:
58+
kube-ctf.downunderctf.com/service: challenge-manager-ui
59+
spec:
60+
entryPoints:
61+
- websecure
62+
tls:
63+
secretName: {{ .Release.Name }}-cert-management
64+
routes:
65+
- match: Host(`instancer.{{ .Values.domain.management }}`)
66+
kind: Rule
67+
priority: 1
68+
middlewares:
69+
- name: hsts
70+
services:
71+
- name: challenge-manager-ui
72+
port: 80
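Review bot: The new Deployment's pod spec (new lines 18–37) does not set `automountServiceAccountToken: false`, unlike the landing Deployment in this same chart, so the UI container receives a projected service-account token that nothing in this hunk uses (there is no ServiceAccount or RBAC for the UI here); adding `automountServiceAccountToken: false` under the pod `spec:` next to `containers:` brings it in line with landing.yaml. The templated scalars `replicas: {{ $deployment.replicas }}` and the `image:` line are unquoted, so a missing value renders as `null` rather than a visible empty string; quoting the image line (`image: "{{ .Values.registries.infra }}/services/challenge-manager-ui:latest"`) is the cheaper fix and replicas can stay numeric. The image is pulled by the mutable `:latest` tag, consistent with the rest of the chart, so I only note it. The file path for this section is hidden on the page, so I cannot confirm which template it is.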

chart/templates/challenge-manager.yaml

Lines changed: 99 additions & 45 deletions
@@ -1,3 +1,16 @@
1+
{{- $deployment := (index .Values "challenge-manager") }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: challenge-manager-custom-ca
6+
namespace: {{ .Release.Name }}-management
7+
type: Opaque
8+
data:
9+
CACHEDIR.TAG: ""
10+
{{- if $deployment.redis.ca }}
11+
redis.pem: {{ $deployment.redis.ca | b64enc | quote }}
12+
{{- end }}
13+
---
114
apiVersion: apps/v1
215
kind: Deployment
316
metadata:
@@ -6,7 +19,7 @@ metadata:
619
labels:
720
kube-ctf.downunderctf.com/service: challenge-manager
821
spec:
9-
replicas: {{ (index .Values "challenge-manager").replicas }}
22+
replicas: {{ $deployment.replicas }}
1023
selector:
1124
matchLabels:
1225
kube-ctf.downunderctf.com/service: challenge-manager
@@ -16,46 +29,76 @@ spec:
1629
kube-ctf.downunderctf.com/service: challenge-manager
1730
spec:
1831
serviceAccountName: challenge-manager
32+
{{- if $redis.ca }}
33+
volumes:
34+
- name: custom-ca
35+
secret:
36+
secretName: challenge-manager-custom-ca
37+
{{- end }}
1938
containers:
20-
- name: challenge-manager
21-
image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/challenge-manager:latest
22-
readinessProbe:
23-
httpGet:
24-
port: 3000
25-
path: /healthz
26-
initialDelaySeconds: 10
27-
periodSeconds: 10
28-
livenessProbe:
29-
httpGet:
30-
port: 3000
31-
path: /healthz
32-
initialDelaySeconds: 30
33-
periodSeconds: 10
34-
env:
35-
- name: KUBECTF_BASE_DOMAIN
36-
value: {{ .Values.domain.challenges }}
37-
- name: KUBECTF_API_DOMAIN
38-
value: challenge-manager.{{ .Values.domain.management }}
39-
- name: KUBECTF_NAMESPACE
40-
value: {{ .Release.Name }}-challenges-isolated
41-
- name: KUBECTF_MAX_OWNER_DEPLOYMENTS
42-
value: "4"
43-
- name: KUBECTF_REGISTRY_PREFIX
44-
value: {{ (index .Values "challenge-manager").registryPrefix }}
45-
- name: KUBECTF_AUTH_SECRET
46-
valueFrom:
47-
secretKeyRef:
48-
name: challenge-manager
49-
key: auth
50-
- name: KUBECTF_CONTAINER_SECRET
51-
valueFrom:
52-
secretKeyRef:
53-
name: challenge-manager
54-
key: container
55-
resources:
56-
{{ toYaml (index .Values "challenge-manager").quota | indent 10 }}
57-
ports:
58-
- containerPort: 3000
39+
- name: challenge-manager
40+
image: {{ .Values.registries.infra }}/services/challenge-manager:latest
41+
{{- if $redis.ca }}
42+
volumeMounts:
43+
- name: custom-ca
44+
mountPath: /ssl/
45+
readOnly: true
46+
{{- end }}
47+
readinessProbe:
48+
httpGet:
49+
port: 3000
50+
path: /healthz
51+
initialDelaySeconds: 10
52+
periodSeconds: 10
53+
livenessProbe:
54+
httpGet:
55+
port: 3000
56+
path: /healthz
57+
initialDelaySeconds: 30
58+
periodSeconds: 10
59+
env:
60+
- name: KUBECTF_BASE_DOMAIN
61+
value: {{ .Values.domain.isolated }}
62+
- name: KUBECTF_API_DOMAIN
63+
value: instancer.{{ .Values.domain.management }}
64+
- name: KUBECTF_NAMESPACE
65+
value: {{ .Release.Name }}-challenges-isolated
66+
- name: KUBECTF_MAX_OWNER_DEPLOYMENTS
67+
value: "4"
68+
- name: KUBECTF_REGISTRY_PREFIX
69+
value: {{ $deployment.registryPrefix }}
70+
- name: KUBECTF_AUTH_SECRET
71+
valueFrom:
72+
secretKeyRef:
73+
name: challenge-manager
74+
key: auth
75+
- name: KUBECTF_CONTAINER_SECRET
76+
valueFrom:
77+
secretKeyRef:
78+
name: challenge-manager
79+
key: container
80+
{{- if $deployment.redis.host }}
81+
{{- $redis := (index $deployment "redis") }}
82+
- name: REDIS_URL
83+
value: "redis{{ if $redis.ca }}s{{ end }}://{{ if $redis.auth }}:{{ $redis.auth }}@{{ end }}{{ $redis.host }}/{{ $redis.db }}"
84+
{{- if $redis.ca }}
85+
- name: NODE_EXTRA_CA_CERTS
86+
value: "/ssl/redis.pem"
87+
{{- end }}
88+
{{- end }}
89+
90+
{{- if $deployment.oidc.serverUrl }}
91+
- name: OIDC_SERVER_URL
92+
value: {{ $deployment.oidc.serverUrl }}
93+
- name: OIDC_OWNER_ID_FIELD
94+
value: {{ $deployment.oidc.ownerIdField }}
95+
- name: OIDC_CLIENT_ID
96+
value: {{ $deployment.oidc.clientId }}
97+
{{- end }}
98+
resources:
99+
{{ toYaml $deployment.quota | indent 12 }}
100+
ports:
101+
- containerPort: 3000
59102
---
60103
apiVersion: v1
61104
kind: Service
@@ -71,6 +114,16 @@ spec:
71114
- port: 3000
72115
---
73116
apiVersion: traefik.io/v1alpha1
117+
kind: Middleware
118+
metadata:
119+
name: challenge-manager-strip-api-prefix
120+
namespace: {{ .Release.Name }}-management
121+
spec:
122+
stripPrefix:
123+
prefixes:
124+
- /api
125+
---
126+
apiVersion: traefik.io/v1alpha1
74127
kind: IngressRoute
75128
metadata:
76129
name: challenge-manager
@@ -79,19 +132,19 @@ metadata:
79132
kube-ctf.downunderctf.com/service: challenge-manager
80133
spec:
81134
entryPoints:
82-
- web
83135
- websecure
84136
tls:
85137
secretName: {{ .Release.Name }}-cert-management
86138
routes:
87-
- match: Host(`challenge-manager.{{ .Values.domain.management }}`)
139+
- match: Host(`instancer.{{ .Values.domain.management }}`) && PathPrefix(`/api/`)
88140
kind: Rule
89141
priority: 10
90142
middlewares:
91-
- name: hsts
143+
- name: hsts
144+
- name: challenge-manager-strip-api-prefix
92145
services:
93-
- name: challenge-manager
94-
port: 3000
146+
- name: challenge-manager
147+
port: 3000
95148
---
96149
apiVersion: v1
97150
kind: ServiceAccount
@@ -118,6 +171,7 @@ rules:
118171
- secrets
119172
- networkpolicies
120173
- configmaps
174+
- tlschallenges
121175
verbs:
122176
- create
123177
- delete
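Review bot: `$redis` is used at new lines 32 and 41 (`{{- if $redis.ca }}`) but is only declared at new line 81 (`{{- $redis := (index $deployment "redis") }}`), inside the `{{- if $deployment.redis.host }}` block; Go templates resolve variable names at parse time and scope a declaration to its enclosing block, so unless `$redis` is declared in the unseen file lines 26–28 this template should fail to render with an undefined-variable error. Declaring it once at the top next to `$deployment`, `{{- $redis := $deployment.redis }}`, and dropping the declaration at line 81 fixes both uses and lets the Secret at line 10 use the same variable instead of `$deployment.redis.ca`. Separately, `REDIS_URL` at new line 83 writes `$redis.auth` into the pod spec as a plain `value:`, whereas the neighbouring `KUBECTF_AUTH_SECRET` and `KUBECTF_CONTAINER_SECRET` come from `secretKeyRef`; anyone who can get deployments or pods in the management namespace can then read the Redis password, so the full URL belongs in a Secret referenced via `valueFrom`. Unquoted templated scalars such as `value: {{ .Values.domain.isolated }}` render to `null` when the value is unset; `value: "{{ .Values.domain.isolated }}"` turns that into a visible empty string rather than a schema rejection.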

chart/templates/kube-janitor.yaml

Lines changed: 1 addition & 0 deletions
@@ -14,6 +14,7 @@ data:
1414
- ingressroutetcps
1515
- services
1616
- ingresses
17+
- tlschallenges
1718
jmespath: "metadata.namespace == '{{ .Release.Name }}-challenges-isolated'"
1819
ttl: 8h
1920
---

chart/templates/landing.yaml

Lines changed: 18 additions & 6 deletions
@@ -20,7 +20,7 @@ spec:
2020
automountServiceAccountToken: false
2121
containers:
2222
- name: web
23-
image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/landing:latest
23+
image: {{ .Values.registries.infra }}/services/landing:latest
2424
resources:
2525
{{ toYaml (index .Values "landing").quota | indent 10 }}
2626
ports:
@@ -39,15 +39,13 @@ spec:
3939
ports:
4040
- port: 80
4141
---
42-
# default ingressroute
4342
apiVersion: traefik.io/v1alpha1
4443
kind: IngressRoute
4544
metadata:
46-
name: landing
45+
name: landing-https
4746
namespace: {{ .Release.Name }}-challenges
4847
spec:
4948
entryPoints:
50-
- web
5149
- websecure
5250
tls:
5351
store:
@@ -56,8 +54,22 @@ spec:
5654
- match: HostRegexp(`{{ .Values.domain.challenges }}`, `{subdomain:[\w-]+}.{{ .Values.domain.challenges }}`)
5755
kind: Rule
5856
priority: 1
59-
middlewares:
60-
- name: hsts
57+
services:
58+
- name: landing
59+
port: 80
60+
---
61+
apiVersion: traefik.io/v1alpha1
62+
kind: IngressRoute
63+
metadata:
64+
name: landing-http
65+
namespace: {{ .Release.Name }}-challenges
66+
spec:
67+
entryPoints:
68+
- web
69+
routes:
70+
- match: HostRegexp(`{{ .Values.domain.challenges }}`, `{subdomain:[\w-]+}.{{ .Values.domain.challenges }}`)
71+
kind: Rule
72+
priority: 1
6173
services:
6274
- name: landing
6375
port: 80
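Review bot: The hsts middleware is dropped from the HTTPS route (old lines 59–60 `middlewares:` / `- name: hsts` are removed and the `landing-https` route at new lines 57–59 has none), so the landing page on the challenges domain stops sending Strict-Transport-Security unless that header is applied somewhere outside this file; re-adding `middlewares:` / `- name: hsts` under the `landing-https` route before `services:` restores the previous behaviour. The new `landing-http` route on the `web` entrypoint serves the same HostRegexp over plain HTTP with no redirect middleware; if plain-HTTP access to the landing page is intended, a one-line comment above `name: landing-http` saying so would stop the next reader from adding a redirectScheme middleware. The hsts middleware appears to be created per namespace in namespaces.yaml, so it should still be resolvable in `{{ .Release.Name }}-challenges`, but I cannot confirm that from the visible lines.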

chart/templates/namespaces.yaml

Lines changed: 0 additions & 1 deletion
@@ -28,5 +28,4 @@ spec:
2828
stsSeconds: 15552000
2929
forceSTSHeader: true
3030
stsIncludeSubdomains: true
31-
---
3231
{{- end }}

chart/templates/networkpolicy.yaml

Lines changed: 15 additions & 0 deletions
@@ -35,6 +35,21 @@ spec:
3535
- 203.0.113.0/24
3636
- 224.0.0.0/4
3737
- 240.0.0.0/4
38+
- to:
39+
- namespaceSelector:
40+
matchLabels:
41+
app.kubernetes.io/name: traefik
42+
- podSelector:
43+
matchLabels:
44+
app.kubernetes.io/name: traefik
45+
- to:
46+
- namespaceSelector:
47+
matchLabels:
48+
app.kubernetes.io/component: aincrad
49+
- podSelector:
50+
matchLabels:
51+
app.kubernetes.io/name: aincrad-fluct
52+
3853
---
3954
kind: NetworkPolicy
4055
apiVersion: networking.k8s.io/v1
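Review bot: Each new egress rule lists `namespaceSelector` and `podSelector` as separate items of `to:` (new lines 38–44 and 45–51), and Kubernetes ORs the items of a `to` list, so the first rule permits egress to every pod in any namespace labelled `app.kubernetes.io/name: traefik` plus any pod carrying that label in the policy's own namespace, rather than only Traefik pods in the Traefik namespace; the aincrad rule has the same shape. If the intersection is intended, both selectors belong in one item as below; if the union is intended, a comment on each `- to:` stating that would save the next reader the same question. Neither rule carries a `ports:` list, so all ports on the selected peers are reachable. The enclosing NetworkPolicy document starts outside the hunk, and new line 52 is an added blank line.
```yaml
# … unchanged: policy header and the preceding ipBlock egress rule …
- to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: traefik
      podSelector:
        matchLabels:
          app.kubernetes.io/name: traefik
- to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/component: aincrad
      podSelector:
        matchLabels:
          app.kubernetes.io/name: aincrad-fluct
```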

chart/templates/traefik.yaml

Lines changed: 12 additions & 0 deletions
@@ -11,6 +11,18 @@ spec:
1111
forceSTSHeader: true
1212
stsIncludeSubdomains: true
1313
---
14+
apiVersion: traefik.io/v1alpha1
15+
kind: Middleware
16+
metadata:
17+
name: ratelimit
18+
namespace: {{ $relname }}-{{ . }}
19+
spec:
20+
rateLimit:
21+
average: 50
22+
burst: 100
23+
sourceCriterion:
24+
ipStrategy:
25+
ipv6Subnet: 56
1426
{{- end }}
1527
apiVersion: traefik.io/v1alpha1
1628
kind: Middleware
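Review bot: The document separator that used to close each range iteration (old line 13 `---`) now sits between the hsts and ratelimit middlewares, and nothing follows `ipv6Subnet: 56` before `{{- end }}`, so unless the range body opens with its own `---` (file lines 1–10 are not shown) the last iteration's ratelimit document runs straight into the following `apiVersion: traefik.io/v1alpha1` and the rendered file has a duplicate top-level `apiVersion` key; adding `---` after `ipv6Subnet: 56`, before `{{- end }}`, restores the separation. The `ipStrategy` at new lines 23–25 sets only `ipv6Subnet` with no `depth` or `excludedIPs`, which as far as I recall keys the limit on the direct peer address; if Traefik sits behind a load balancer that does not forward the client IP, every client shares one bucket of 50 req/s, which deserves a comment such as `# keyed on the direct peer address; set depth/excludedIPs when behind a proxy`. No IngressRoute in the visible diff references `ratelimit` (the challenge-manager route lists only `hsts` and `challenge-manager-strip-api-prefix`), so within this commit the middleware is defined but not applied; if it is attached in one of the hidden files, a comment pointing there would help. The `range` supplying `{{ . }}` and `$relname` starts outside the hunk.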
