DownUnderCTF
diff --git a/‎README.md‎
Lines changed: 14 additions & 13 deletions b/‎README.md‎
Lines changed: 14 additions & 13 deletions
diff --git a/‎chart/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎chart/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎chart/crds/isolated-challenge.yaml‎
Lines changed: 0 additions & 32 deletions b/‎chart/crds/isolated-challenge.yaml‎
Lines changed: 0 additions & 32 deletions
diff --git a/‎chart/templates/cert-certificate-management.yaml‎
Lines changed: 1 addition & 1 deletion b/‎chart/templates/cert-certificate-management.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎chart/templates/cert-issuer.yaml‎
Lines changed: 1 addition & 1 deletion b/‎chart/templates/cert-issuer.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎chart/templates/challenge-manager.yaml‎
Lines changed: 10 additions & 51 deletions b/‎chart/templates/challenge-manager.yaml‎
Lines changed: 10 additions & 51 deletions
diff --git a/‎chart/templates/kube-janitor.yaml‎
Lines changed: 6 additions & 8 deletions b/‎chart/templates/kube-janitor.yaml‎
Lines changed: 6 additions & 8 deletions
diff --git a/‎chart/templates/landing.yaml‎
Lines changed: 10 additions & 7 deletions b/‎chart/templates/landing.yaml‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎chart/templates/namespaces.yaml‎
Lines changed: 1 addition & 12 deletions b/‎chart/templates/namespaces.yaml‎
Lines changed: 1 addition & 12 deletions
diff --git a/‎chart/templates/traefik.yaml‎
Lines changed: 1 addition & 1 deletion b/‎chart/templates/traefik.yaml‎
Lines changed: 1 addition & 1 deletion
@@ -15,39 +15,40 @@ per-team challenge assignment for web challenges. Inspired by [kCTF](https://git
 ./scripts/cluster-configure
 ```
 
-3. Install the cluster resources.
-```sh
-./scripts/cluster-install
-```
-
-4. Create config/values.yaml and populate it with values.
+3. Create config/values.yaml and populate it with values.
 ```yaml
 domain:
   challenges: <root domain where challenges are hosted> # challenges will be a subdomain of this
 
 replicas:
   challenge-manager: 2
 
+containerRegistry: gcr.io/example # don't include the slash at the end
+
 cert:
   email: <contact email> # required for letsencrypt
   cfDNSToken: <cloudflare dns token> # used to configure dns-01 certificate validation
-
-
-googleProject: <project ID of the Google Project>
 ```
 
 4. Deploy the helm stack.
 ```sh
 helm install kubectf -f config/values.yaml chart/
 ```
 
-5. Upload the sample whoami challenge for testing.
+5. Upload the sample whoami challenge
 ```sh
-kubectl apply -f templates/whoami/kube-isolated.yaml
+GOOGLE_APPLICATION_CREDENTIALS=<sevice account json> ./scripts/process-isolated-challenges
 ```
 
-## How to Deploy Isolated Challenges
-See the README at [services/challenge-manager](services/challenge-manager)
+## How to Write Isolated Challenges
+TODO
+
+## TODO
+- `./scripts/process-isolated-challenges` already exists to process the challenge templates and upload them
+to Google Cloud Datastore. We should integrate this with GitHub actions in order to do automatic deployments
+on push.
+- Interface this with CTFd
+- TLS termination for challenges, which can be done by adding cert-manager.
 
 ## Authors
 - [BlueAlder](https://github.com/BlueAlder)
 
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.17.0"
+appVersion: "1.16.0"
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ .Release.Name }}-cert-management
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
   labels:
     app.kubernetes.io/name: kube-ctf
     app.kubernetes.io/instance: {{ .Release.Name }}
 
@@ -7,7 +7,7 @@ spec:
     server: https://acme-v02.api.letsencrypt.org/directory
     email: {{ .Values.cert.email }}
     privateKeySecretRef:
-      name: {{ .Release.Name }}-letsencrypt-prod
+      name: letsencrypt-prod
     solvers:
     - dns01:
         cloudflare:
 
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
   labels:
     kube-ctf.downunderctf.com/service: challenge-manager
 spec:
@@ -18,19 +18,7 @@ spec:
       serviceAccountName: challenge-manager
       containers:
       - name: challenge-manager
-        image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/services/challenge-manager:latest
-        readinessProbe:
-          httpGet:
-            port: 3000
-            path: /healthz
-          initialDelaySeconds: 10
-          periodSeconds: 10
-        livenessProbe:
-          httpGet:
-            port: 3000
-            path: /healthz
-          initialDelaySeconds: 30
-          periodSeconds: 10
+        image: gcr.io/{{ .Values.googleProject }}/services/challenge-manager:latest
         env:
           - name: KUBECTF_BASE_DOMAIN
             value: {{ .Values.domain.challenges }}
@@ -40,8 +28,6 @@ spec:
             value: {{ .Release.Name }}-challenges-isolated
           - name: KUBECTF_MAX_OWNER_DEPLOYMENTS
             value: "4"
-          - name: KUBECTF_REGISTRY_PREFIX
-            value: {{ (index  .Values "challenge-manager").registryPrefix }}
           - name: KUBECTF_AUTH_SECRET
             valueFrom:
               secretKeyRef:
@@ -61,7 +47,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
   labels:
     kube-ctf.downunderctf.com/service: challenge-manager
 spec:
@@ -74,7 +60,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
   labels:
     kube-ctf.downunderctf.com/service: challenge-manager
 spec:
@@ -97,7 +83,9 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
+  annotations:
+    iam.gke.io/gcp-service-account: gke-challenge-manager@{{ .Values.googleProject }}.iam.gserviceaccount.com
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -110,13 +98,10 @@ rules:
     resources:
       - ingresses
       - ingressroutes
-      - ingressroutetcps
       - pods
       - deployments
       - services
       - namespaces
-      - secrets
-      - networkpolicies
     verbs:
       - create
       - delete
@@ -127,19 +112,6 @@ rules:
       - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ .Release.Name }}-read-isolated-challenges
-rules:
-  - apiGroups:
-      - kube-ctf.downunderctf.com
-    resources:
-      - isolated-challenges
-    verbs:
-      - get
-      - list
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: challenge-manager
@@ -151,26 +123,13 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Name }}-challenge-manager-read-isolated-challenges
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Release.Name }}-read-isolated-challenges
-subjects:
-- kind: ServiceAccount
-  name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: challenge-manager
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 data:
   auth: "{{ b64enc (index .Values "challenge-manager").authSecret }}"
-  container: "{{ b64enc (index .Values "challenge-manager").containerSecret }}"
+  container: "{{ b64enc (index .Values "challenge-manager").containerSecret }}"
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: kube-janitor
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 data:
   rules.yaml: |
     rules:
@@ -11,7 +11,6 @@ data:
       resources:
       - deployments
       - ingressroutes
-      - ingressroutetcps
       - services
       - ingresses
       jmespath: "metadata.namespace == '{{ .Release.Name }}-challenges-isolated'"
@@ -24,7 +23,7 @@ metadata:
     application: kube-janitor
     version: v20.10.0
   name: kube-janitor
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 spec:
   replicas: 1
   selector:
@@ -63,7 +62,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kube-janitor
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -87,15 +86,14 @@ rules:
   - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}-kube-janitor
-  namespace: {{ .Release.Name }}-challenges-isolated
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Release.Name }}-kube-janitor
+  name: kube-janitor
 subjects:
 - kind: ServiceAccount
   name: kube-janitor
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
@@ -7,7 +7,7 @@ metadata:
   labels:
     role: landing
 spec:
-  replicas: {{ (index  .Values "landing").replicas }}
+  replicas: 1
   selector:
     matchLabels:
       role: landing
@@ -19,12 +19,15 @@ spec:
       enableServiceLinks: false
       automountServiceAccountToken: false
       containers:
-      - name: web
-        image: {{ .Values.googleRegion }}-docker.pkg.dev/{{ .Values.googleProject }}/{{ .Values.googleRepositoryName }}/services/landing:latest
+      - name: nginx
+        image: gcr.io/{{ .Values.googleProject }}/services/landing:latest
         resources:
-{{ toYaml (index  .Values "landing").quota | indent 10 }}
-        ports:
-        - containerPort: 80
+          limits:
+            cpu: 100m
+            memory: 256Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
 ---
 apiVersion: v1
 kind: Service
@@ -55,7 +58,7 @@ spec:
   routes:
     - match: HostRegexp(`{{ .Values.domain.challenges }}`, `{subdomain:[\w-]+}.{{ .Values.domain.challenges }}`)
       kind: Rule
-      priority: 1
+      priority: 1000
       middlewares:
       - name: hsts
       services:
 
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Name }}-management
+  name: {{ .Release.Name }}-admin
   labels:
     app.kubernetes.io/name: kube-ctf
     app.kubernetes.io/instance: {{ .Release.Name }}
@@ -18,15 +18,4 @@ metadata:
     app.kubernetes.io/instance: {{ $relname }}
     app.kubernetes.io/component: {{ . }}
 ---
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: secure-headers
-  namespace: {{ $relname }}-{{ . }}
-spec:
-  headers:
-    stsSeconds: 15552000
-    forceSTSHeader: true
-    stsIncludeSubdomains: true
----
 {{- end }}
@@ -16,7 +16,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: hsts
-  namespace: {{ .Release.Name }}-management
+  namespace: {{ .Release.Name }}-admin
 spec:
   headers:
     stsSeconds: 15552000