forked from juice-shop/multi-juicer
-
-
Notifications
You must be signed in to change notification settings - Fork 11
/
values.yaml
370 lines (345 loc) · 15.8 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
# Default values for Wrongecret-ctf-party.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullPolicy: IfNotPresent
nodeSelector: {}
ingress:
# -- If true, Wrongsecrets will create an Ingress object for the balancer service.
# Useful if you want to expose the balancer service externally for example with a loadbalancer in order to view any webpages that are hosted on the balancer service.
enabled: false
# -- Annotations to be added to the ingress object.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Hostnames to your Wrongsecrets balancer installation.
hosts:
- host: wrongsecrets-ctf-party.local
paths:
- "/"
# -- TLS configuration for Wrongsecrets balancer
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
service:
type: ClusterIP
port: 3000
portName: web
balancer:
cookie:
# SET THIS TO TRUE IF IN PRODUCTION
# Sets secure Flag in cookie
# -- Sets the secure attribute on cookie so that it only be send over https
secure: false
# -- Changes the cookies name used to identify teams. Note will automatically be prefixed with "__Secure-" when balancer.cookie.secure is set to `true`
name: balancer
# -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
cookieParserSecret: null
repository: jeroenwillemsen/wrongsecrets-balancer
tag: 1.8.5cloud
# -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
replicas: 2
# -- Port to expose on the balancer pods which the container listens on
containerPort: 3000
service:
# -- Kubernetes service type
type: ClusterIP
# -- internal cluster service IP
clusterIP: null
# -- IP address to assign to load balancer (if supported)
loadBalancerIP: null
# -- list of IP CIDRs allowed access to lb (if supported)
loadBalancerSourceRanges: null
# -- IP address to assign to load balancer (if supported)
externalIPs: null
# -- Credentials used in wrongsecrets-balancer-secret to authenticate with the wrongsecrets-api
basicAuth:
# -- Username for the basic auth credentials
username: admin
# -- Password for the basic auth credentials (will be generated if not set)
# adminPassword: admin
# -- Probes settings for the balancer pods
# -- livenessProbe: Checks if the balancer pod is still alive
livenessProbe:
httpGet:
path: /balancer/
port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
# -- readinessProbe: Checks if the balancer pod is ready to receive traffic
readinessProbe:
httpGet:
path: /balancer/
port: http # -- Port to expose on the balancer pods which the container listens on. It is named http to be the same as the containerPort
# -- Resource limits and requests for the balancer pods
resources:
requests:
memory: 256Mi
cpu: 400m
limits:
memory: 1024Mi
cpu: 1000m
# -- Optional Configure kubernetes scheduling affinity for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
affinity: {}
# -- Optional Configure kubernetes toleration for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
tolerations: []
# -- If set to true this skips setting ownerReferences on the teams wrongsecrets Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type
skipOwnerReference: false
env:
REACT_APP_MOVING_GIF_LOGO: "https://i.gifer.com/9kGQ.gif" #displayed at the frontend when you enter the CTF
REACT_APP_HEROKU_WRONGSECRETS_URL: "https://wrongsecrets-ctf.herokuapp.com" #required for 3 domain setup
REACT_APP_CTFD_URL: "https://ctfd.io" #requierd for 2 and 3 domain setup
REACT_APP_S3_BUCKET_URL: "s3://funstuff" #the s3 bucket you use for the aws challenges, don't forget to make it accessible!
REACT_APP_GCP_BUCKET_URL: "gs://funstuff" #the gcp bucket you use for the gcp challenges, don't forget to make it accessible!
REACT_APP_AZ_BLOB_URL: "az://funstuff" #the azure blob storage you use for the azure challenges, don't forget to make it accessible!
K8S_ENV: "k8s" #or 'aws', 'azure', or 'gcp'
REACT_APP_ACCESS_PASSWORD: "" #DEFAULT NO PASSWORD, PLAYING THIS IN PUBLIC? PUT A FANCY STRING HERE, BUT BE GENTLE: USERS NEED TO BE ABLE TO COPY THAT STUFF...
REACT_APP_CREATE_TEAM_HMAC_KEY: "hardcodedkey"
IRSA_ROLE: arn:aws:iam::233483431651:role/wrongsecrets-secret-manager #change this in your own AWS role!
AWS_SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default AWS SM entries
AWS_SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default AWS SM entries
AZ_KEYVAULT_SECRET_ID_1: "wrongsecret" #only change if you need non-default Azure KV entries
AZ_KEYVAULT_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default Azure KV entries
AZ_KEY_VAULT_NAME: "" #Change this to your Azure Key Vault name
AZ_KEY_VAULT_TENANT_ID: "" #Change this to your Azure Key Vault tenant ID
AZ_VAULT_URI: "" #Change this to your Azure Key Vault URI
AZ_POD_CLIENT_ID: "" #Change this to your Azure pod client ID
GCP_SECRETS_MANAGER_SECRET_ID_1: "wrongsecret" #only change if you need non-default GCP SM entries
GCP_SECRETS_MANAGER_SECRET_ID_2: "wrongsecret-2" #only change if you need non-default GCP SM entries
GCP_PROJECT_ID: "" #Change this to your GCP project ID
CHALLENGE33_VALUE: "VkJVR2gzd3UvM0kxbmFIajFVZjk3WTBMcThCNS85MnExandwMy9hWVN3SFNKSThXcWRabllMajc4aEVTbGZQUEtmMVpLUGFwNHoyK3IrRzlOUndkRlUvWUJNVFkzY05ndU1tNUM2bDJwVEs5SmhQRm5VemVySXdNcm5odTlHanJxU0ZuL0J0T3ZMblFhL21TZ1hETkpZVU9VOGdDSEZzOUpFZVF2OWhwV3B5eGxCMk5xdTBNSHJQTk9EWTNab2hoa2pXWGF4YmpDWmk5U3BtSHlkVTA2WjdMcVd5RjM5RzZWOENGNkxCUGtkVW4zYUpBVisrRjBROUljU009Cg=="
podSecurityContext:
# -- If true, sets the securityContext on the created pods. This is required for the podSecurityPolicy to work
enabled: true
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
# -- If true, sets the securityContext on the created containers. This is required for the podSecurityPolicy to work
enabled: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
add:
- CAP_NET_ADMIN
- CAP_NET_BIND_SERVICE
seccompProfile:
type: RuntimeDefault
volumeMounts:
# -- If true, creates a volumeMount for the created pods. This is required for the podSecurityPolicy to work
- name: config-volume
mountPath: /home/app/config/
volumes:
# -- If true, creates a volume for the created pods. This is required for the podSecurityPolicy to work
- name: config-volume
configMap:
name: wrongsecrets-balancer-config
wrongsecrets:
# -- Specifies how many Wrongsecrets instances should start at max. Set to -1 to remove the max Wrongsecrets instance cap
maxInstances: 500
# -- Wrongsecrets Image to use
image: jeroenwillemsen/wrongsecrets
tag: 1.8.5-no-vault
# -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
ctfKey: "[email protected]!9uR_K!NfkkTr"
# -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
# @default -- See values.yaml for full details
config: |
K8S_ENV: k8s
# "aws" is for using the cluster with eks and "k8s" is for using the cluster with miniKube which will enable specific challenges
# -- Specify a custom NODE_ENV for Wrongsecrets. If value is changed to something other than 'wrongsecrets-ctf-party' it's not possible to set a custom config via `wrongsecrets-balancer-config`.
nodeEnv: "wrongsecrets-ctf-party"
# -- Optional resources definitions to set for each Wrongsecrets instance
resources:
requests:
cpu: 256Mi
memory: 300Mi
# limits:
# cpu: 100m
# memory: 200Mi
# -- Optional securityContext definitions to set for each Wrongsecrets instance
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Optional environment variables to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env:
- name: K8S_ENV
value: k8s
- name: SPECIAL_K8S_SECRET
valueFrom:
configMapKeyRef:
name: secrets-file
key: funny.entry
- name: SPECIAL_SPECIAL_K8S_SECRET
valueFrom:
secretKeyRef:
name: funnystuff
key: funnier
# -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
envFrom: []
# -- Optional Volumes to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/concepts/storage/volumes/)
volumes: []
# -- Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
affinity: {}
# -- Optional Configure kubernetes toleration for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
tolerations: []
# -- Optional Can be used to configure the runtime class for the Wrongsecrets instances pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/)
runtimeClassName: null
# Deletes unused Wrongsecrets instances after a configurable period of inactivity
#the virtual desktop for the deploymebt
virtualdesktop:
# -- Specifies how many Wrongsecrets instances balancer should start at max. Set to -1 to remove the max Wrongsecrets instance cap
maxInstances: 500
# -- Wrongsecrets Image to use
image: jeroenwillemsen/wrongsecrets-desktop-k8s
tag: 1.8.5
repository: commjoenie/wrongSecrets
resources:
request:
memory: 1GB
cpu: 50m
limits:
memory: 2GB
cpu: 1200m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runtimeClassName: {}
affinity: {}
# -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
envFrom: []
tolerations: []
## preps for the vault container: see https://github.com/OWASP/wrongsecrets-ctf-party/issues/250
vaultContainer:
# -- Specifies how many JuiceShop instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
maxInstances: 500
# -- Juice Shop Image to use
image: hashicorp/vault
tag: 1.15.1
repository: commjoenie/wrongSecrets
resources:
request:
memory: 128mb
cpu: 50m
limits:
memory: 256mb
cpu: 1200m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runtimeClassName: {}
affinity: {}
# -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
envFrom: []
tolerations: []
# Deletes unused Wrongsecrets namespaces after a configurable period of inactivity
wrongsecretsCleanup:
repository: jeroenwillemsen/wrongsecrets-ctf-cleaner
tag: 0.5
enabled: true
# -- Cron in which the clean up job is run. Defaults to once in a quarter. Change this if your grace period if shorter than 15 minutes. See "https://crontab.guru/#0,15,30,45_*_*_*_*" for more details.
cron: "0,15,30,45 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
env:
SHOULD_DELETE: false # -- Specifies if the clean up job should delete the outdated namespaces or just report them. Set to false to only report outdated namespaces.
MAX_INACTIVE_DURATION: 2d # -- Specifies when Wrongsecrets instances will be deleted when unused for that period.
resources:
requests:
memory: 256Mi
limits:
memory: 256Mi
# -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
affinity: {}
# -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
tolerations: []
podSecurityContext:
# -- If true, sets the securityContext on the created pods. This is required for the podSecurityPolicy to work
enabled: true
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containerSecurityContext:
# -- If true, sets the securityContext on the created containers. This is required for the podSecurityPolicy to work
enabled: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
kube-prometheus-stack:
# -- If true, installs the kube-prometheus-stack chart which includes Prometheus, Alertmanager, Grafana, and other monitoring components
enabled: true
grafana:
enabled: true
namespaceOverride: ""
# -- ForceDeployDatasources Create datasource configmap even if grafana deployment has been disabled
forceDeployDatasources: false
# -- ForceDeployDashboard Create dashboard configmap even if grafana deployment has been disabled
forceDeployDashboards: false
# -- Deploy default dashboards
defaultDashboardsEnabled: true
# -- Timezone for the default dashboards
# -- Other options are: browser or a specific timezone, i.e. Europe/Luxembourg
defaultDashboardsTimezone: utc
# -- Password for the default "admin" user
adminPassword: prom-operator
rbac:
# -- If true, Grafana PSPs will be created
pspEnabled: false
ingress:
# -- If true, Grafana Ingress will be created
# --
enabled: false
# -- IngressClassName for Grafana Ingress.
# -- Should be provided if Ingress is enable.
# --
# ingressClassName: nginx
# -- Annotations for Grafana Ingress
# --
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Labels to be added to the Ingress
# --
labels: {}
# -- Hostnames.
# -- Must be provided if Ingress is enable.
# --
# hosts:
# - grafana.domain.com
hosts: []
# -- Path for grafana ingress
path: /
# -- TLS configuration for grafana Ingress
# -- Secret must be manually created in the namespace
# --
tls: []
# - secretName: grafana-general-tls
# hosts:
# - grafana.example.com