fix: ctfd and ebs

bendehaan · bendehaan · commit 63882d35e38f · 2024-10-09T15:40:08.000+02:00
diff --git a/aws/.terraform.lock.hcl b/aws/.terraform.lock.hcl
diff --git a/aws/build-and-deploy-aws.sh b/aws/build-and-deploy-aws.sh
@@ -101,7 +101,7 @@ kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-
 
 echo "preparing calico via Helm"
 helm repo add projectcalico https://docs.projectcalico.org/charts
-helm upgrade --install calico projectcalico/tigera-operator --version v3.21.4
+helm upgrade --install calico projectcalico/tigera-operator --version v3.28.2
 
 echo "Generate secrets manager challenge secret 2"
 aws secretsmanager put-secret-value --secret-id wrongsecret-2 --secret-string "$(openssl rand -base64 24)" --region $AWS_REGION --output json --no-cli-pager
@@ -150,11 +150,8 @@ helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
 # Install CTFd
 echo "Installing CTFd"
 
-export HELM_EXPERIMENTAL_OCI=1
-kubectl create namespace ctfd
-
 # Double base64 encoding to prevent weird character errors in ctfd
-helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.6.3\
+helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --create-namespace --version v0.9.3\
   --set="redis.auth.password=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.rootPassword=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.password=$(openssl rand -base64 24 | base64)" \
diff --git a/aws/main.tf b/aws/main.tf
@@ -74,6 +74,11 @@ module "eks" {
     aws-ebs-csi-driver = {
       most_recent              = true
       service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
+      configuration_values = jsonencode({
+        defaultStorageClass = {
+          enabled = true
+        }
+      })
     }
   }
 
@@ -89,32 +94,42 @@ module "eks" {
 
   create_cloudwatch_log_group            = true
   cluster_enabled_log_types              = ["api", "audit", "authenticator"]
-  cloudwatch_log_group_retention_in_days = 14 #it's a ctf , we don't need non-necessary costs!
+  cloudwatch_log_group_retention_in_days = 14 #it's a ctf , we don't need unnecessary costs!
 
   # apply when available: iam_role_permissions_boundary = "arn:aws:iam::${local.account_id}:policy/service-user-creation-permission-boundary"
   eks_managed_node_group_defaults = {
-    disk_size       = 256
-    disk_type       = "gp3"
-    disk_throughput = 150
-    disk_iops       = 3000
-    instance_types  = ["t3a.medium"]
+    instance_types = ["t3a.medium"]
+    block_device_mappings = [
+      {
+        device_name = "/dev/xvda"
+        ebs = {
+          volume_size           = 20
+          volume_type           = "gp3"
+          iops                  = 3000
+          throughput            = 150
+          delete_on_termination = true
+        }
+      }
+    ]
+    metadata_options = {
+      http_tokens = "required",
+    }
 
     iam_role_additional_policies = {
       AmazonEKSWorkerNodePolicy : "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
       AmazonEKS_CNI_Policy : "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
       AmazonEC2ContainerRegistryReadOnly : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
       AmazonSSMManagedInstanceCore : "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-      AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+      AmazonEKSVPCResourceController : "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
+      AmazonEBSCSIDriverPolicy : "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
     }
   }
 
   eks_managed_node_groups = {
     bottlerocket_default = {
-      use_custom_launch_template = false
-      min_size                   = 3
-      max_size                   = 50
-      desired_size               = 3
-
+      min_size      = 3
+      max_size      = 50
+      desired_size  = 3
       capacity_type = "ON_DEMAND"
 
       ami_type = "BOTTLEROCKET_x86_64"
@@ -144,7 +159,7 @@ module "eks" {
 # Cluster Autoscaler IRSA
 module "cluster_autoscaler_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
 
   role_name                        = "wrongsecrets-cluster-autoscaler"
@@ -161,7 +176,7 @@ module "cluster_autoscaler_irsa_role" {
 
 module "ebs_csi_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
   role_name             = "wrongsecrets-ebs-csi"
   attach_ebs_csi_policy = true
@@ -176,7 +191,7 @@ module "ebs_csi_irsa_role" {
 
 module "load_balancer_controller_irsa_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.44.0"
+  version = "~> 5.46"
 
   role_name                              = "wrongsecrets-load-balancer-controller"
   attach_load_balancer_controller_policy = true
diff --git a/aws/shared-state/.terraform.lock.hcl b/aws/shared-state/.terraform.lock.hcl
diff --git a/aws/shared-state/main.tf b/aws/shared-state/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = "~> 1.1"
   required_providers {
     aws = {
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }
diff --git a/azure/build-and-deploy-azure.sh b/azure/build-and-deploy-azure.sh
@@ -170,7 +170,7 @@ export HELM_EXPERIMENTAL_OCI=1
 kubectl create namespace ctfd
 
 # Double base64 encoding to prevent weird character errors in ctfd
-helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.6.3 \
+helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.9.3 \
   --values ./k8s/ctfd-values.yaml \
   --set="redis.auth.password=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.rootPassword=$(openssl rand -base64 24 | base64)" \
diff --git a/gcp/build-and-deploy-gcp.sh b/gcp/build-and-deploy-gcp.sh
@@ -122,7 +122,7 @@ export HELM_EXPERIMENTAL_OCI=1
 kubectl create namespace ctfd
 
 # Double base64 encoding to prevent weird character errors in ctfd
-helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.6.3 \
+helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.9.3 \
   --values ./k8s/ctfd-values.yaml \
   --set="redis.auth.password=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.rootPassword=$(openssl rand -base64 24 | base64)" \
diff --git a/helm/wrongsecrets-ctf-party/requirements.lock b/helm/wrongsecrets-ctf-party/requirements.lock
diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
@@ -1835,8 +1835,8 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
                   'ephemeral-storage': '4Gi',
                 },
                 limits: {
-                  memory: '3.5G',
-                  cpu: '1900m',
+                  memory: '4.0G',
+                  cpu: '2000m',
                   'ephemeral-storage': '8Gi',
                 },
               },

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_version = "~> 1.1"`
`3`	`3`	`required_providers {`
`4`	`4`	`aws = {`
`5`		`- version = "~> 4.0"`
	`5`	`+ version = "~> 5.0"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`}`