enable azure support in kubernetes.js

Signed-off-by: osamamagdy <[email protected]>
OWASP · Aug 26, 2023 · 5ee5f65 · 5ee5f65
1 parent 0c3af2d
commit 5ee5f65
Show file tree

Hide file tree

Showing 14 changed files with 121 additions and 72 deletions.
diff --git a/azure/README.md b/azure/README.md
@@ -45,11 +45,11 @@ terraform apply
 
 The storage account name should be in the output. Please use that to configure the Terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"` inside the `terraform` block. Assign the `storage_account_name` to the one from the output.
 
-**Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
+**Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `azurerm_resource_group.default` resource.
 
 ### WrongSecrets-ctf-party
 
-1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
+1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
 2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
 3. If not yet enabled, register the required services for the subscription, run:
     - `az provider register --namespace Microsoft.ContainerService`
@@ -58,7 +58,19 @@ The storage account name should be in the output. Please use that to configure t
 4. Run `terraform init` (if required, use `tfenv` to select TF 0.14.0 or higher )
 5. Run `terraform plan` to see what will be created (optional).
 6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
-7. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
+7. Go to the values of the helm chart and replace the wrongsecrets.config with this:
+
+    ```yaml
+    K8S_ENV: "azure"
+    ```
+
+    and replace the value of wrongsecrets.env having the name 'K8S_ENV' with this:
+
+    ```yaml
+    value: "azure"
+    ```
+
+8. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
@@ -173,6 +185,7 @@ No modules.
 | [azurerm_key_vault_secret.wrongsecret_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.wrongsecret_3](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_kubernetes_cluster.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
+| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.aks_extra_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_vm_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -182,7 +195,6 @@ No modules.
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
-| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 
 ## Inputs
@@ -191,6 +203,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.25"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
 
 ## Outputs
 

diff --git a/azure/build-and-deploy-azure.sh b/azure/build-and-deploy-azure.sh
@@ -60,16 +60,6 @@ export AZ_KEY_VAULT_NAME="$(terraform output -raw vault_name)"
 # Set the kubeconfig
 az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
-
-# Install the secrets store CSI driver
-helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
-helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
-if [ $? == 0 ]; then
-  echo "CSI driver is already installed"
-else
-  helm upgrade --install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
-fi
-
 # Patch the default namespace to use the secrets store CSI driver
 echo "Patching default namespace"
 kubectl apply -f k8s/workspace-psa.yml
@@ -80,7 +70,7 @@ helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-s
 
 helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
 if [ $? == 0 ]; then
-  echo "CSI driver is already installed"
+  echo "CSI driver provider is already installed"
 else
   echo "Installing CSI driver"
   helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
@@ -154,13 +144,19 @@ else
   echo "Cookie parser secret already set"
 fi
 
-echo "App password is ${APP_PASSWORD}"
+echo "App password is ${APP_PASSWORD}" > password.txt
+
+echo "You can find the app password in password.txt"
+
 helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
   --set="balancer.env.K8S_ENV=azure" \
-  --set="balancer.env.REACT_APP_S3_BUCKET_URL='Azure Storage Account: ${AZ_STORAGE_ACCOUNT}'" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
   --set="balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY=${CREATE_TEAM_HMAC}" \
-  --set="balancer.cookie.cookieParserSecret=${COOKIE_PARSER_SECRET}"
+  --set="balancer.env.AZ_KEY_VAULT_NAME=${AZ_KEY_VAULT_NAME}" \
+  --set="balancer.env.AZ_KEY_VAULT_TENANT_ID=${AZ_KEY_VAULT_TENANT_ID}" \
+  --set="balancer.env.AZ_VAULT_URI=${AZ_VAULT_URI}" \
+  --set="balancer.env.AZ_POD_CLIENT_ID=${AZ_POD_CLIENT_ID}" \
+  --set="balancer.cookie.cookieParserSecret=${COOKIE_PARSER_SECRET}" \
 
 # Install CTFd
 echo "Installing CTFd"

diff --git a/azure/iam.tf b/azure/iam.tf
@@ -1,12 +1,12 @@
 resource "azurerm_user_assigned_identity" "aks_pod_identity" {
-  resource_group_name = data.azurerm_resource_group.default.name
-  location            = data.azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
   name                = "wrongsecrets-identity"
 }
 
 resource "azurerm_user_assigned_identity" "aks_extra_pod_identity" {
-  resource_group_name = data.azurerm_resource_group.default.name
-  location            = data.azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
   name                = "wrongsecrets-extra-identity"
 }
 

diff --git a/azure/k8s-nginx-lb-script.sh b/azure/k8s-nginx-lb-script.sh
@@ -16,13 +16,9 @@ az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
 echo "Installing the nginx ingress controller chart"
 
-helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
 
 
-echo "apply -f k8s/wrongsecrets-balancer-service.yml in 10 s"
-sleep 10
-kubectl apply -f k8s/wrongsecrets-balancer-service.yml
-
 echo "apply -f k8s/wrongsecrets-balancer-ingress.yml in 10 s"
 sleep 10
 kubectl apply -f k8s/wrongsecrets-balancer-ingress.yml

diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -39,7 +39,7 @@ spec:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: "wrongsecrets-azure-keyvault"
+              secretProviderClass: "azure-wrongsecrets-vault"
       containers:
         - image: jeroenwillemsen/wrongsecrets:1.6.7-k8s-vault
           imagePullPolicy: IfNotPresent

diff --git a/azure/k8s/secret-volume.yml.tpl b/azure/k8s/secret-volume.yml.tpl
@@ -1,7 +1,7 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: wrongsecrets-azure-keyvault
+  name: azure-wrongsecrets-vault
 spec:
   provider: azure
   parameters:

diff --git a/azure/k8s/wrongsecrets-balancer-ingress.yml b/azure/k8s/wrongsecrets-balancer-ingress.yml
@@ -16,4 +16,4 @@ spec:
               service:
                 name: wrongsecrets-balancer
                 port:
-                  number: 80
+                  number: 3000
diff --git a/azure/k8s/wrongsecrets-balancer-service.yml b/azure/k8s/wrongsecrets-balancer-service.yml
@@ -6,11 +6,10 @@ metadata:
   labels:
     app: wrongsecrets-balancer
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 80
       name: http
-      targetPort: 3000
       protocol: TCP
   selector:
     app.kubernetes.io/name: wrongsecrets-ctf-party
diff --git a/azure/main.tf b/azure/main.tf
@@ -24,21 +24,21 @@ data "azurerm_client_config" "current" {}
 
 # If you're using an existing resource group, modify this part.
 # Note that you'll need to find/replace references to "azurerm_resource_group.default" to "data.azurerm_resource_group.default"
-data "azurerm_resource_group" "default" {
-  name = "owasp-wrongsecrets"
-}
+# data "azurerm_resource_group" "default" {
+#   name = "owasp-wrongsecrets"
+# }
 
 # If you're using an existing resource group, comment this.
-# resource "azurerm_resource_group" "default" {
-#   name     = "owasp-wrongsecrets"
-#   location = var.region
-# }
+resource "azurerm_resource_group" "default" {
+  name     = "owasp-wrongsecrets"
+  location = var.region
+}
 
 
 resource "azurerm_kubernetes_cluster" "cluster" {
   name                = var.cluster_name
-  location            = data.azurerm_resource_group.default.location
-  resource_group_name = data.azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
   dns_prefix          = "wrongsecrets"
 
   kubernetes_version = var.cluster_version

diff --git a/azure/secrets.tf b/azure/secrets.tf
@@ -16,8 +16,8 @@ resource "random_string" "suffix" {
 
 resource "azurerm_key_vault" "vault" {
   name                = "wrongsecrets-${random_string.suffix.result}-${random_integer.suffix.result}"
-  location            = data.azurerm_resource_group.default.location
-  resource_group_name = data.azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
   tenant_id           = data.azurerm_client_config.current.tenant_id
   sku_name            = "standard"
 

diff --git a/azure/variables.tf b/azure/variables.tf
@@ -1,3 +1,9 @@
+variable "region" {
+  description = "The Azure region to use"
+  type        = string
+  default     = "East US"
+}
+
 variable "cluster_version" {
   description = "The AKS cluster version to use"
   type        = string

diff --git a/helm/wrongsecrets-ctf-party/README.md b/helm/wrongsecrets-ctf-party/README.md
@@ -69,6 +69,10 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | balancer.cookie.cookieParserSecret | string | `nil` | Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again. |
 | balancer.cookie.name | string | `"balancer"` | Changes the cookies name used to identify teams. Note will automatically be prefixed with "__Secure-" when balancer.cookie.secure is set to `true` |
 | balancer.cookie.secure | bool | `false` | Sets the secure attribute on cookie so that it only be send over https |
+| balancer.env.AZ_KEY_VAULT_NAME | string | `""` |  |
+| balancer.env.AZ_KEY_VAULT_TENANT_ID | string | `""` |  |
+| balancer.env.AZ_POD_CLIENT_ID | string | `""` |  |
+| balancer.env.AZ_VAULT_URI | string | `""` |  |
 | balancer.env.CHALLENGE33_VALUE | string | `"VkJVR2gzd3UvM0kxbmFIajFVZjk3WTBMcThCNS85MnExandwMy9hWVN3SFNKSThXcWRabllMajc4aEVTbGZQUEtmMVpLUGFwNHoyK3IrRzlOUndkRlUvWUJNVFkzY05ndU1tNUM2bDJwVEs5SmhQRm5VemVySXdNcm5odTlHanJxU0ZuL0J0T3ZMblFhL21TZ1hETkpZVU9VOGdDSEZzOUpFZVF2OWhwV3B5eGxCMk5xdTBNSHJQTk9EWTNab2hoa2pXWGF4YmpDWmk5U3BtSHlkVTA2WjdMcVd5RjM5RzZWOENGNkxCUGtkVW4zYUpBVisrRjBROUljU009Cg=="` |  |
 | balancer.env.IRSA_ROLE | string | `"arn:aws:iam::233483431651:role/wrongsecrets-secret-manager"` |  |
 | balancer.env.K8S_ENV | string | `"k8s"` |  |
@@ -155,7 +159,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | wrongsecrets.affinity | object | `{}` | Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
 | wrongsecrets.config | string | See values.yaml for full details | Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets |
 | wrongsecrets.ctfKey | string | `"[email protected]!9uR_K!NfkkTr"` | Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf |
-| wrongsecrets.env | list | `[{"name":"K8S_ENV","value":"k8s"},{"name":"SPECIAL_K8S_SECRET","valueFrom":{"configMapKeyRef":{"key":"funny.entry","name":"secrets-file"}}},{"name":"SPECIAL_SPECIAL_K8S_SECRET","valueFrom":{"secretKeyRef":{"key":"funnier","name":"funnystuff"}}}]` | Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| wrongsecrets.env | list | `[{"name":"K8S_ENV","value":"azure"},{"name":"SPECIAL_K8S_SECRET","valueFrom":{"configMapKeyRef":{"key":"funny.entry","name":"secrets-file"}}},{"name":"SPECIAL_SPECIAL_K8S_SECRET","valueFrom":{"secretKeyRef":{"key":"funnier","name":"funnystuff"}}}]` | Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | wrongsecrets.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
 | wrongsecrets.image | string | `"jeroenwillemsen/wrongsecrets"` | Wrongsecrets Image to use |
 | wrongsecrets.maxInstances | int | `500` | Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap |
@@ -190,4 +194,4 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | wrongsecretsCleanup.tolerations | list | `[]` | Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -98,8 +98,12 @@ balancer:
     IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
     SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default AWS SM entries
     SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default AWS SM entries
-    KEYVAULT_SECRET_ID_1: "wrongsecret"
-    KEYVAULT_SECRET_ID_2: "wrongsecret-2"
+    KEYVAULT_SECRET_ID_1: "wrongsecret" #only change if you need non-default Azure KV entries
+    KEYVAULT_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default Azure KV entries
+    AZ_KEY_VAULT_NAME: "" #Change this to your Azure Key Vault name
+    AZ_KEY_VAULT_TENANT_ID: "" #Change this to your Azure Key Vault tenant ID
+    AZ_VAULT_URI: "" #Change this to your Azure Key Vault URI
+    AZ_POD_CLIENT_ID: "" #Change this to your Azure pod client ID
     CHALLENGE33_VALUE: "VkJVR2gzd3UvM0kxbmFIajFVZjk3WTBMcThCNS85MnExandwMy9hWVN3SFNKSThXcWRabllMajc4aEVTbGZQUEtmMVpLUGFwNHoyK3IrRzlOUndkRlUvWUJNVFkzY05ndU1tNUM2bDJwVEs5SmhQRm5VemVySXdNcm5odTlHanJxU0ZuL0J0T3ZMblFhL21TZ1hETkpZVU9VOGdDSEZzOUpFZVF2OWhwV3B5eGxCMk5xdTBNSHJQTk9EWTNab2hoa2pXWGF4YmpDWmk5U3BtSHlkVTA2WjdMcVd5RjM5RzZWOENGNkxCUGtkVW4zYUpBVisrRjBROUljU009Cg=="
   metrics:
     # -- enables prometheus metrics for the balancer. If set to true you should change the prometheus-scraper password
@@ -161,7 +165,7 @@ wrongsecrets:
   # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
   # @default -- See values.yaml for full details
   config: |
-    K8S_ENV: aws
+    K8S_ENV: azure
   # "aws" is for using the cluster with eks and "k8s" is for using the cluster with miniKube which will enable specific challenges
   # -- Specify a custom NODE_ENV for Wrongsecrets. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `wrongsecrets-balancer-config`.
   nodeEnv: "wrongsecrets-ctf-party"
@@ -186,7 +190,7 @@ wrongsecrets:
   # -- Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env:
     - name: K8S_ENV
-      value: k8s
+      value: azure
     - name: SPECIAL_K8S_SECRET
       valueFrom:
         configMapKeyRef: