Merge pull request #666 from OWASP/update-k8s

update k8s to 1.30 on all platforms

Author: commjoen

.github/workflows/minikube-k8s-test.yml

@@ -23,9 +23,9 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.31.2
+          minikube-version: 1.33.1
           driver: docker
-          kubernetes-version: v1.28.1
+          kubernetes-version: v1.30.0
       - name: test script
         run: |
           eval $(minikube docker-env)
@@ -48,9 +48,9 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.31.2
+          minikube-version: 1.33.1
           driver: docker
-          kubernetes-version: v1.28.1
+          kubernetes-version: v1.30.0
       - name: test script
         run: |
           eval $(minikube docker-env)

aws/.terraform.lock.hcl

@@ -205,7 +205,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.28"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.30"` | no |
 | <a name="input_extra_allowed_ip_ranges"></a> [extra\_allowed\_ip\_ranges](#input\_extra\_allowed\_ip\_ranges) | Allowed IP ranges in addition to creator IP | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | <a name="input_state_bucket_arn"></a> [state\_bucket\_arn](#input\_state\_bucket\_arn) | ARN of the state bucket to grant access to the s3 user | `string` | n/a | yes |

aws/README.md

@@ -137,8 +137,10 @@ else
 fi
 
 echo "App password is ${APP_PASSWORD}"
+echo "executing helm install of wrongsecrets"
 helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
   --set="balancer.env.K8S_ENV=aws" \
+  --set="balancer.tag=1.9.0alpha5-cloud" \
   --set="balancer.env.IRSA_ROLE=${IRSA_ROLE_ARN}" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
   --set="balancer.env.REACT_APP_S3_BUCKET_URL=s3://${STATE_BUCKET}" \
@@ -152,7 +154,7 @@ export HELM_EXPERIMENTAL_OCI=1
 kubectl create namespace ctfd
 
 # Double base64 encoding to prevent weird character errors in ctfd
-helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd \
+helm upgrade --install ctfd -n ctfd oci://ghcr.io/bman46/ctfd/ctfd --version 0.6.3\
   --set="redis.auth.password=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.rootPassword=$(openssl rand -base64 24 | base64)" \
   --set="mariadb.auth.password=$(openssl rand -base64 24 | base64)" \

aws/build-and-deploy-aws.sh

@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The EKS cluster version to use"
   type        = string
-  default     = "1.28"
+  default     = "1.30"
 }
 
 variable "cluster_name" {

aws/shared-state/.terraform.lock.hcl

@@ -21,7 +21,7 @@ Please note that this setup relies on bash scripts that have been tested in MacO
 
 ## Installation
 
-**Note-I**: We create resources in `east us` by default. You can set the region by editing `terraform.tfvars`.
+**Note-I**: We create resources in `east us` by default. You can set the region by editing [`terraform.tfvars`](./terraform.tfvars).
 
 **Note-II**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally. If you switched to a different network, you'll need to run `terraform apply` again to update the firewall rules.
 
@@ -43,34 +43,24 @@ terraform init
 terraform apply
 ```
 
-The storage account name should be in the output. Please use that to configure the Terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"` inside the `terraform` block. Assign the `storage_account_name` to the one from the output.
+The storage account name should be in the output. Please use that to configure the Terraform backend in [`main.tf`](./main.tf) by uncommenting the part on the `backend "azurerm"` inside the `terraform` block. Assign the `storage_account_name` to the one from the output.
 
 **Note**: You'll need to follow the description [below](#wrongsecrets-ctf-party) in step 1 for the "existing resource group" i.e., use the `azurerm_resource_group.default` resource.
 
 ### WrongSecrets-ctf-party
 
-1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
+1. Set either a new resource group or use an existing resource group in [`main.tf`](main.tf) (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to `azurerm_resource_group.default` to `data.arurerm_resource_group.default` if you want to create a new one.
 2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription <.id here>`.
 3. If not yet enabled, register the required services for the subscription, run:
-    - `az provider register --namespace Microsoft.ContainerService`
-    - `az provider register --namespace Microsoft.KeyVault`
-    - `az provider register --namespace Microsoft.ManagedIdentity`
+```shell
+        az provider register --namespace Microsoft.ContainerService
+        az provider register --namespace Microsoft.KeyVault
+        az provider register --namespace Microsoft.ManagedIdentity
+```
 4. Run `terraform init` (if required, use `tfenv` to select TF 0.14.0 or higher )
 5. Run `terraform plan` to see what will be created (optional).
 6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
-7. Go to the values of the helm chart and replace the wrongsecrets.config with this:
-
-    ```yaml
-    K8S_ENV: "azure"
-    ```
-
-    and replace the value of wrongsecrets.env having the name 'K8S_ENV' with this:
-
-    ```yaml
-    value: "azure"
-    ```
-
-8. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
+7. Run `./build-and-deploy-azure.sh`. Your kubeconfig file will automatically be updated.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
@@ -206,7 +196,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The AKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.27"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The AKS cluster version to use | `string` | `"1.30"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The Azure region to use | `string` | `"East US"` | no |
 
 ## Outputs

aws/variables.tf

@@ -32,6 +32,7 @@ esac
 
 echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, vault, grep, cat, sed, envsubst, and azure cli, and is only tested on mac, Debian and Ubuntu"
 
+echo "obtaining the shared state locally, if you use shared state you will see an error below, there is no problem in that case"
 # The storage account to store the terraform state file
 export AZ_STORAGE_ACCOUNT="$(terraform -chdir=./shared-state output -raw storage_account_name)"
 
@@ -152,6 +153,7 @@ echo "You can find the app password in password.txt"
 
 helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
   --set="balancer.env.K8S_ENV=azure" \
+  --set="balancer.tag=1.9.0alpha5-cloud" \
   --set="balancer.env.REACT_APP_AZ_BLOB_URL=https://${AZ_STORAGE_ACCOUNT}.blob.core.windows.net/tfstate" \
   --set="balancer.env.REACT_APP_ACCESS_PASSWORD=${APP_PASSWORD}" \
   --set="balancer.env.REACT_APP_CREATE_TEAM_HMAC_KEY=${CREATE_TEAM_HMAC}" \

azure/README.md

@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The AKS cluster version to use"
   type        = string
-  default     = "1.27"
+  default     = "1.30"
 }
 
 variable "cluster_name" {