Skip to content

Commit 455071e

Browse files
lecafardlecafard
committed
2025 update: sync with internal repo
Commit: 0e3ce8508752dd4b635c0081cd49fbde31909145
1 parent be3ed5b commit 455071e

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

73 files changed

+5510
-4022
lines changed

.gitignore

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
11
config/
2-
venv/
2+
venv/
3+
*.tsbuildinfo

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -58,3 +58,4 @@ a goodwill effort. While we do not provide dedicated support, you can ask questi
5858
- [BlueAlder](https://github.com/BlueAlder)
5959
- [jordanbertasso](https://github.com/jordanbertasso)
6060
- [lecafard](https://github.com/lecafard)
61+

chart/templates/challenge-manager-ui.yaml

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{{- $deployment := (index .Values "challenge-manager") }}
2+
apiVersion: apps/v1
3+
kind: Deployment
4+
metadata:
5+
name: challenge-manager-ui
6+
namespace: {{ .Release.Name }}-management
7+
labels:
8+
kube-ctf.downunderctf.com/service: challenge-manager-ui
9+
spec:
10+
replicas: {{ $deployment.replicas }}
11+
selector:
12+
matchLabels:
13+
kube-ctf.downunderctf.com/service: challenge-manager-ui
14+
template:
15+
metadata:
16+
labels:
17+
kube-ctf.downunderctf.com/service: challenge-manager-ui
18+
spec:
19+
containers:
20+
- name: challenge-manager-ui
21+
image: {{ .Values.registries.infra }}/services/challenge-manager-ui:latest
22+
readinessProbe:
23+
httpGet:
24+
port: 80
25+
path: /
26+
initialDelaySeconds: 10
27+
periodSeconds: 10
28+
livenessProbe:
29+
httpGet:
30+
port: 80
31+
path: /
32+
initialDelaySeconds: 30
33+
periodSeconds: 10
34+
resources:
35+
{{ toYaml $deployment.ui_quota | indent 12 }}
36+
ports:
37+
- containerPort: 80
38+
---
39+
apiVersion: v1
40+
kind: Service
41+
metadata:
42+
name: challenge-manager-ui
43+
namespace: {{ .Release.Name }}-management
44+
labels:
45+
kube-ctf.downunderctf.com/service: challenge-manager-ui
46+
spec:
47+
selector:
48+
kube-ctf.downunderctf.com/service: challenge-manager-ui
49+
ports:
50+
- port: 80
51+
---
52+
apiVersion: traefik.io/v1alpha1
53+
kind: IngressRoute
54+
metadata:
55+
name: challenge-manager-ui
56+
namespace: {{ .Release.Name }}-management
57+
labels:
58+
kube-ctf.downunderctf.com/service: challenge-manager-ui
59+
spec:
60+
entryPoints:
61+
- websecure
62+
tls:
63+
secretName: {{ .Release.Name }}-cert-management
64+
routes:
65+
- match: Host(`instancer.{{ .Values.domain.management }}`)
66+
kind: Rule
67+
priority: 1
68+
middlewares:
69+
- name: hsts
70+
services:
71+
- name: challenge-manager-ui
72+
port: 80

chart/templates/challenge-manager.yaml

Lines changed: 95 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,16 @@
1+
{{- $deployment := (index .Values "challenge-manager") }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: challenge-manager-custom-ca
6+
namespace: {{ .Release.Name }}-management
7+
type: Opaque
8+
data:
9+
CACHEDIR.TAG: ""
10+
{{- if $deployment.redis.ca }}
11+
redis.pem: {{ $deployment.redis.ca | b64enc | quote }}
12+
{{- end }}
13+
---
114
apiVersion: apps/v1
215
kind: Deployment
316
metadata:
@@ -6,7 +19,7 @@ metadata:
619
labels:
720
kube-ctf.downunderctf.com/service: challenge-manager
821
spec:
9-
replicas: {{ (index .Values "challenge-manager").replicas }}
22+
replicas: {{ $deployment.replicas }}
1023
selector:
1124
matchLabels:
1225
kube-ctf.downunderctf.com/service: challenge-manager
@@ -16,46 +29,72 @@ spec:
1629
kube-ctf.downunderctf.com/service: challenge-manager
1730
spec:
1831
serviceAccountName: challenge-manager
32+
volumes:
33+
- name: custom-ca
34+
secret:
35+
secretName: challenge-manager-custom-ca
1936
containers:
20-
- name: challenge-manager
21-
image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/challenge-manager:latest
22-
readinessProbe:
23-
httpGet:
24-
port: 3000
25-
path: /healthz
26-
initialDelaySeconds: 10
27-
periodSeconds: 10
28-
livenessProbe:
29-
httpGet:
30-
port: 3000
31-
path: /healthz
32-
initialDelaySeconds: 30
33-
periodSeconds: 10
34-
env:
35-
- name: KUBECTF_BASE_DOMAIN
36-
value: {{ .Values.domain.challenges }}
37-
- name: KUBECTF_API_DOMAIN
38-
value: challenge-manager.{{ .Values.domain.management }}
39-
- name: KUBECTF_NAMESPACE
40-
value: {{ .Release.Name }}-challenges-isolated
41-
- name: KUBECTF_MAX_OWNER_DEPLOYMENTS
42-
value: "4"
43-
- name: KUBECTF_REGISTRY_PREFIX
44-
value: {{ (index .Values "challenge-manager").registryPrefix }}
45-
- name: KUBECTF_AUTH_SECRET
46-
valueFrom:
47-
secretKeyRef:
48-
name: challenge-manager
49-
key: auth
50-
- name: KUBECTF_CONTAINER_SECRET
51-
valueFrom:
52-
secretKeyRef:
53-
name: challenge-manager
54-
key: container
55-
resources:
56-
{{ toYaml (index .Values "challenge-manager").quota | indent 10 }}
57-
ports:
58-
- containerPort: 3000
37+
- name: challenge-manager
38+
image: {{ .Values.registries.infra }}/services/challenge-manager:latest
39+
volumeMounts:
40+
- name: custom-ca
41+
mountPath: /ssl/
42+
readOnly: true
43+
readinessProbe:
44+
httpGet:
45+
port: 3000
46+
path: /healthz
47+
initialDelaySeconds: 10
48+
periodSeconds: 10
49+
livenessProbe:
50+
httpGet:
51+
port: 3000
52+
path: /healthz
53+
initialDelaySeconds: 30
54+
periodSeconds: 10
55+
env:
56+
- name: KUBECTF_BASE_DOMAIN
57+
value: {{ .Values.domain.isolated }}
58+
- name: KUBECTF_API_DOMAIN
59+
value: instancer.{{ .Values.domain.management }}
60+
- name: KUBECTF_NAMESPACE
61+
value: {{ .Release.Name }}-challenges-isolated
62+
- name: KUBECTF_MAX_OWNER_DEPLOYMENTS
63+
value: "4"
64+
- name: KUBECTF_REGISTRY_PREFIX
65+
value: {{ $deployment.registryPrefix }}
66+
- name: KUBECTF_AUTH_SECRET
67+
valueFrom:
68+
secretKeyRef:
69+
name: challenge-manager
70+
key: auth
71+
- name: KUBECTF_CONTAINER_SECRET
72+
valueFrom:
73+
secretKeyRef:
74+
name: challenge-manager
75+
key: container
76+
{{- if $deployment.redis.host }}
77+
{{- $redis := (index $deployment "redis") }}
78+
- name: REDIS_URL
79+
value: "redis{{ if $redis.ca }}s{{ end }}://{{ if $redis.auth }}:{{ $redis.auth }}@{{ end }}{{ $redis.host }}/{{ $redis.db }}"
80+
{{- if $redis.ca }}
81+
- name: NODE_EXTRA_CA_CERTS
82+
value: "/ssl/redis.pem"
83+
{{- end }}
84+
{{- end }}
85+
86+
{{- if $deployment.oidc.serverUrl }}
87+
- name: OIDC_SERVER_URL
88+
value: {{ $deployment.oidc.serverUrl }}
89+
- name: OIDC_OWNER_ID_FIELD
90+
value: {{ $deployment.oidc.ownerIdField }}
91+
- name: OIDC_CLIENT_ID
92+
value: {{ $deployment.oidc.clientId }}
93+
{{- end }}
94+
resources:
95+
{{ toYaml $deployment.quota | indent 12 }}
96+
ports:
97+
- containerPort: 3000
5998
---
6099
apiVersion: v1
61100
kind: Service
@@ -71,6 +110,16 @@ spec:
71110
- port: 3000
72111
---
73112
apiVersion: traefik.io/v1alpha1
113+
kind: Middleware
114+
metadata:
115+
name: challenge-manager-strip-api-prefix
116+
namespace: {{ .Release.Name }}-management
117+
spec:
118+
stripPrefix:
119+
prefixes:
120+
- /api
121+
---
122+
apiVersion: traefik.io/v1alpha1
74123
kind: IngressRoute
75124
metadata:
76125
name: challenge-manager
@@ -79,19 +128,19 @@ metadata:
79128
kube-ctf.downunderctf.com/service: challenge-manager
80129
spec:
81130
entryPoints:
82-
- web
83131
- websecure
84132
tls:
85133
secretName: {{ .Release.Name }}-cert-management
86134
routes:
87-
- match: Host(`challenge-manager.{{ .Values.domain.management }}`)
135+
- match: Host(`instancer.{{ .Values.domain.management }}`) && PathPrefix(`/api/`)
88136
kind: Rule
89137
priority: 10
90138
middlewares:
91-
- name: hsts
139+
- name: hsts
140+
- name: challenge-manager-strip-api-prefix
92141
services:
93-
- name: challenge-manager
94-
port: 3000
142+
- name: challenge-manager
143+
port: 3000
95144
---
96145
apiVersion: v1
97146
kind: ServiceAccount
@@ -118,6 +167,7 @@ rules:
118167
- secrets
119168
- networkpolicies
120169
- configmaps
170+
- tlschallenges
121171
verbs:
122172
- create
123173
- delete

chart/templates/kube-janitor.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ data:
1414
- ingressroutetcps
1515
- services
1616
- ingresses
17+
- tlschallenges
1718
jmespath: "metadata.namespace == '{{ .Release.Name }}-challenges-isolated'"
1819
ttl: 8h
1920
---

chart/templates/landing.yaml

Lines changed: 18 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ spec:
2020
automountServiceAccountToken: false
2121
containers:
2222
- name: web
23-
image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/landing:latest
23+
image: {{ .Values.registries.infra }}/services/landing:latest
2424
resources:
2525
{{ toYaml (index .Values "landing").quota | indent 10 }}
2626
ports:
@@ -39,15 +39,13 @@ spec:
3939
ports:
4040
- port: 80
4141
---
42-
# default ingressroute
4342
apiVersion: traefik.io/v1alpha1
4443
kind: IngressRoute
4544
metadata:
46-
name: landing
45+
name: landing-https
4746
namespace: {{ .Release.Name }}-challenges
4847
spec:
4948
entryPoints:
50-
- web
5149
- websecure
5250
tls:
5351
store:
@@ -56,8 +54,22 @@ spec:
5654
- match: HostRegexp(`{{ .Values.domain.challenges }}`, `{subdomain:[\w-]+}.{{ .Values.domain.challenges }}`)
5755
kind: Rule
5856
priority: 1
59-
middlewares:
60-
- name: hsts
57+
services:
58+
- name: landing
59+
port: 80
60+
---
61+
apiVersion: traefik.io/v1alpha1
62+
kind: IngressRoute
63+
metadata:
64+
name: landing-http
65+
namespace: {{ .Release.Name }}-challenges
66+
spec:
67+
entryPoints:
68+
- web
69+
routes:
70+
- match: HostRegexp(`{{ .Values.domain.challenges }}`, `{subdomain:[\w-]+}.{{ .Values.domain.challenges }}`)
71+
kind: Rule
72+
priority: 1
6173
services:
6274
- name: landing
6375
port: 80

chart/templates/namespaces.yaml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,5 +28,4 @@ spec:
2828
stsSeconds: 15552000
2929
forceSTSHeader: true
3030
stsIncludeSubdomains: true
31-
---
3231
{{- end }}

chart/templates/networkpolicy.yaml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,21 @@ spec:
3535
- 203.0.113.0/24
3636
- 224.0.0.0/4
3737
- 240.0.0.0/4
38+
- to:
39+
- namespaceSelector:
40+
matchLabels:
41+
app.kubernetes.io/name: traefik
42+
- podSelector:
43+
matchLabels:
44+
app.kubernetes.io/name: traefik
45+
- to:
46+
- namespaceSelector:
47+
matchLabels:
48+
app.kubernetes.io/component: aincrad
49+
- podSelector:
50+
matchLabels:
51+
app.kubernetes.io/name: aincrad-fluct
52+
3853
---
3954
kind: NetworkPolicy
4055
apiVersion: networking.k8s.io/v1

chart/templates/traefik.yaml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,18 @@ spec:
1111
forceSTSHeader: true
1212
stsIncludeSubdomains: true
1313
---
14+
apiVersion: traefik.io/v1alpha1
15+
kind: Middleware
16+
metadata:
17+
name: ratelimit
18+
namespace: {{ $relname }}-{{ . }}
19+
spec:
20+
rateLimit:
21+
average: 50
22+
burst: 100
23+
sourceCriterion:
24+
ipStrategy:
25+
ipv6Subnet: 56
1426
{{- end }}
1527
apiVersion: traefik.io/v1alpha1
1628
kind: Middleware

0 commit comments

Comments
 (0)