enable azure support in kubernetes.js

Signed-off-by: osamamagdy <[email protected]>

Author: osamamagdy

azure/README.md

@@ -45,11 +45,11 @@ terraform apply
 
 The storage account name should be in the output. Please use that to configure the Terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"` inside the `terraform` block. Assign the `storage_account_name` to the one from the output.
 
-**Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
+**Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `azurerm_resource_group.default` resource.
 
 ### WrongSecrets-ctf-party
 
-1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
+1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
 2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
 3. If not yet enabled, register the required services for the subscription, run:
     - `az provider register --namespace Microsoft.ContainerService`
@@ -58,7 +58,19 @@ The storage account name should be in the output. Please use that to configure t
 4. Run `terraform init` (if required, use `tfenv` to select TF 0.14.0 or higher )
 5. Run `terraform plan` to see what will be created (optional).
 6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
-7. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
+7. Go to the values of the helm chart and replace the wrongsecrets.config with this:
+
+    ```yaml
+    K8S_ENV: "azure"
+    ```
+
+    and replace the value of wrongsecrets.env having the name 'K8S_ENV' with this:
+
+    ```yaml
+    value: "azure"
+    ```
+
+8. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
@@ -173,6 +185,7 @@ No modules.
 | [azurerm_key_vault_secret.wrongsecret_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.wrongsecret_3](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_kubernetes_cluster.cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
+| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.aks_extra_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_identity_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_vm_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -182,7 +195,6 @@ No modules.
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
-| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [http_http.ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 
 ## Inputs
@@ -191,6 +203,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.25"` | no |
+| <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
 
 ## Outputs
 

azure/build-and-deploy-azure.sh

@@ -60,16 +60,6 @@ export AZ_KEY_VAULT_NAME="$(terraform output -raw vault_name)"
 # Set the kubeconfig
 az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
-
-# Install the secrets store CSI driver
-helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
-helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
-if [ $? == 0 ]; then
-  echo "CSI driver is already installed"
-else
-  helm upgrade --install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
-fi
-
 # Patch the default namespace to use the secrets store CSI driver
 echo "Patching default namespace"
 kubectl apply -f k8s/workspace-psa.yml
@@ -80,7 +70,7 @@ helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-s
 
 helm list --namespace kube-system | grep 'csi-secrets-store' &>/dev/null
 if [ $? == 0 ]; then
-  echo "CSI driver is already installed"
+  echo "CSI driver provider is already installed"
 else
   echo "Installing CSI driver"
   helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
@@ -154,13 +144,19 @@ else
   echo "Cookie parser secret already set"
 fi
 
-echo "App password is ${APP_PASSWORD}"
+echo "App password is ${APP_PASSWORD}" > password.txt
+
+echo "You can find the app password in password.txt"
+
 helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
   --set="balancer.env.K8S_ENV=azure" \
-  --set="balancer.env.REACT_APP_S3_BUCKET_URL='Azure Storage Account: ${AZ_STORAGE_ACCOUNT}'" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
   --set="balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY=${CREATE_TEAM_HMAC}" \
-  --set="balancer.cookie.cookieParserSecret=${COOKIE_PARSER_SECRET}"
+  --set="balancer.env.AZ_KEY_VAULT_NAME=${AZ_KEY_VAULT_NAME}" \
+  --set="balancer.env.AZ_KEY_VAULT_TENANT_ID=${AZ_KEY_VAULT_TENANT_ID}" \
+  --set="balancer.env.AZ_VAULT_URI=${AZ_VAULT_URI}" \
+  --set="balancer.env.AZ_POD_CLIENT_ID=${AZ_POD_CLIENT_ID}" \
+  --set="balancer.cookie.cookieParserSecret=${COOKIE_PARSER_SECRET}" \
 
 # Install CTFd
 echo "Installing CTFd"

azure/iam.tf

@@ -1,12 +1,12 @@
 resource "azurerm_user_assigned_identity" "aks_pod_identity" {
-  resource_group_name = data.azurerm_resource_group.default.name
-  location            = data.azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
   name                = "wrongsecrets-identity"
 }
 
 resource "azurerm_user_assigned_identity" "aks_extra_pod_identity" {
-  resource_group_name = data.azurerm_resource_group.default.name
-  location            = data.azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
   name                = "wrongsecrets-extra-identity"
 }
 

azure/k8s-nginx-lb-script.sh

@@ -16,13 +16,9 @@ az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
 
 echo "Installing the nginx ingress controller chart"
 
-helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
 
 
-echo "apply -f k8s/wrongsecrets-balancer-service.yml in 10 s"
-sleep 10
-kubectl apply -f k8s/wrongsecrets-balancer-service.yml
-
 echo "apply -f k8s/wrongsecrets-balancer-ingress.yml in 10 s"
 sleep 10
 kubectl apply -f k8s/wrongsecrets-balancer-ingress.yml

azure/k8s/pod-id.yml

@@ -39,7 +39,7 @@ spec:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: "wrongsecrets-azure-keyvault"
+              secretProviderClass: "azure-wrongsecrets-vault"
       containers:
         - image: jeroenwillemsen/wrongsecrets:1.6.7-k8s-vault
           imagePullPolicy: IfNotPresent

azure/k8s/secret-challenge-vault-deployment.yml

@@ -1,7 +1,7 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: wrongsecrets-azure-keyvault
+  name: azure-wrongsecrets-vault
 spec:
   provider: azure
   parameters:

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -16,4 +16,4 @@ spec:
               service:
                 name: wrongsecrets-balancer
                 port:
-                  number: 80
+                  number: 3000