Merge pull request #270 from osamamagdy/complete-helm-cleaning

Complete helm cleaning

Author: commjoen

helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml

@@ -20,30 +20,25 @@ spec:
             helm.sh/chart: {{ include "wrongsecrets-ctf-party.chart" . }}
         spec:
           serviceAccountName: 'wrongsecrets-cleaner'
+          {{- if .Values.wrongsecretsCleanup.podSecurityContext.enabled }}
           securityContext:
-            runAsUser: 1000
-            runAsGroup: 3000
-            fsGroup: 2000
+            {{- omit .Values.wrongsecretsCleanup.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           containers:
             - image: '{{ .Values.wrongsecretsCleanup.repository }}:{{ .Values.wrongsecretsCleanup.tag | default (printf "v%s" .Chart.Version) }}'
               imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+              {{- if .Values.wrongsecretsCleanup.containerSecurityContext.enabled }}
               securityContext:
-                allowPrivilegeEscalation: false
-                readOnlyRootFilesystem: true
-                runAsNonRoot: true
-                capabilities:
-                  drop:
-                    - ALL
-                seccompProfile:
-                  type: RuntimeDefault
+                {{- omit .Values.wrongsecretsCleanup.containerSecurityContext "enabled" | toYaml | nindent 16 }}
+              {{- end }}
               name: 'cleanup-job'
               env:
+                {{- range $k, $v := .Values.wrongsecretsCleanup.env}}
+                - name: {{ $k }}
+                  value: {{ $v | quote }}
+                {{- end }}
                 - name: NAMESPACE
                   value: {{ .Release.Namespace | quote }}
-                - name: MAX_INACTIVE_DURATION
-                  value: {{ .Values.wrongsecretsCleanup.gracePeriod }}
-                - name: SHOULD_DELETE
-                  value: {{ .Values.wrongsecretsCleanup.SHOULD_DELETE | quote }}
           restartPolicy: Never
           {{- with .Values.nodeSelector }}
           nodeSelector:

helm/wrongsecrets-ctf-party/templates/grafana/multijuicer-instances-dashboard.yaml renamed to helm/wrongsecrets-ctf-party/templates/grafana/wrongsecretsr-instances-dashboard.yaml

@@ -7,7 +7,7 @@ metadata:
 data:
   config.json: |
     {
-      "port": 3000,
+      "port": {{ .Values.balancer.containerPort }},
       "namespace": {{ .Release.Namespace | quote }},
       "deploymentContext": {{ .Release.Name | quote }},
       "maxJuiceShopInstances": {{ .Values.wrongsecrets.maxInstances}},
@@ -17,7 +17,7 @@ data:
         "secure": {{ .Values.balancer.cookie.secure }}
       },
       "admin": {
-        "username": "admin"
+        "username": {{ .Values.balancer.basicAuth.username | quote }}
       },
   {{- if .Values.balancer.metrics.enabled }}
       "metrics": {

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/config-map.yaml

@@ -20,9 +20,9 @@ spec:
         {{- include "wrongsecrets-ctf-party.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: wrongsecrets-balancer
-      {{- with .Values.balancer.podSecurityContext }}
+      {{- if .Values.balancer.podSecurityContext.enabled }}
       securityContext:
-        {{- omit . "enabled" | toYaml | nindent 8 }}
+        {{- omit .Values.balancer.podSecurityContext "enabled" | toYaml | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -70,9 +70,9 @@ spec:
                   name: wrongsecrets-balancer-secret
                   key: metricsBasicAuthPassword
             {{- end }}
-          {{- with .Values.balancer.containerSecurityContext }}
+          {{- if .Values.balancer.containerSecurityContext.enabled }}
           securityContext:
-            {{- omit . "enabled" | toYaml | nindent 12 }}
+            {{- omit .Values.balancer.containerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.balancer.volumeMounts }}
           volumeMounts:

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml

@@ -13,8 +13,8 @@ data:
   {{- else }}
   cookieParserSecret: {{ randAlphaNum 24 | b64enc | quote }}
   {{- end }}
-  {{- if .Values.balancer.adminPassword }}
-  adminPassword: {{ .Values.balancer.adminPassword | b64enc | quote }}
+  {{- if .Values.balancer.basicAuth.adminPassword }}
+  adminPassword: {{ .Values.balancer.basicAuth.adminPassword | b64enc | quote }}
   {{- else }}
   adminPassword: {{ randAlphaNum 8 | upper | b64enc | quote }}
   {{- end }}

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/secret.yaml

@@ -30,4 +30,4 @@ spec:
     {{- include "wrongsecrets-ctf-party.selectorLabels" . | nindent 4 }}
   ports:
     - port: {{ .Values.service.port }}
-      name: web
+      name: {{ .Values.service.portName }}

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/service.yaml

@@ -8,8 +8,8 @@ spec:
     matchLabels:
       {{- include "wrongsecrets-ctf-party.labels" . | nindent 6 }}
   endpoints:
-    - port: web
-      path: '/balancer/metrics'
+    - port: {{ .Values.service.portName }}
+      path: {{ .Values.balancer.metrics.serviceMonitor.path | quote }}
       basicAuth:
         username:
           name: wrongsecrets-balancer-secret

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/servicemonitor.yaml

@@ -2,7 +2,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: juice-shops
+  name: wrongsecrets-metrics
 spec:
   targetLabels:
     - team
@@ -11,5 +11,5 @@ spec:
       app: wrongsecrets
       deployment-context: {{ .Release.Name | quote }}
   endpoints:
-    - targetPort: 3000
+    - targetPort: {{ .Values.balancer.metrics.serviceMonitor.targetPort }}
 {{- end }}

helm/wrongsecrets-ctf-party/templates/wrongsecrets/servicemonitor.yaml

@@ -27,6 +27,7 @@ ingress:
 service:
   type: ClusterIP
   port: 3000
+  portName: web
 
 balancer:
   cookie:
@@ -55,6 +56,12 @@ balancer:
     loadBalancerSourceRanges: null
     # -- IP address to assign to load balancer (if supported)
     externalIPs: null
+  # -- Credentials used in wrongsecrets-balancer-secret to authenticate with the wrongsecrets-api
+  basicAuth:
+    # -- Username for the basic auth credentials
+    username: admin
+    # -- Password for the basic auth credentials (will be generated if not set)
+    # adminPassword: admin
   # -- Probes settings for the balancer pods
   # -- livenessProbe: Checks if the balancer pod is still alive
   livenessProbe:
@@ -99,8 +106,12 @@ balancer:
       # -- if true, creates a Grafana Dashboard Config Map. (also requires metrics.enabled to be true). These will automatically be imported by Grafana when using the Grafana helm chart, see: https://github.com/helm/charts/tree/main/stable/grafana#sidecar-for-dashboards
       enabled: false
     serviceMonitor:
-      # -- If true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true). This will also deploy a servicemonitor which monitors metrics from the Juice Shop instances
+      # -- If true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true). This will also deploy a servicemonitor which monitors metrics from the Wrongsecrets instances
       enabled: false
+      # -- Target port for the ServiceMonitor to scrape
+      targetPort: 3000
+      # -- Path to scrape for metrics
+      path: '/balancer/metrics'
     basicAuth:
       username: prometheus-scraper
       # -- Should be changed when metrics are enabled.
@@ -200,9 +211,9 @@ wrongsecrets:
 
 #the virtual desktop for the deploymebt
 virtualdesktop:
-  # -- Specifies how many Wrongsecrets instances MultiJuicer should start at max. Set to -1 to remove the max Juice Shop instance cap
+  # -- Specifies how many Wrongsecrets instances balancer should start at max. Set to -1 to remove the max Wrongsecrets instance cap
   maxInstances: 500
-  # -- Juice Shop Image to use
+  # -- Wrongsecrets Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
   tag: 1.6.6
   repository: commjoenie/wrongSecrets
@@ -267,14 +278,13 @@ wrongsecretsCleanup:
   repository: jeroenwillemsen/wrongsecrets-ctf-cleaner
   tag: 0.4
   enabled: true
-  # -- Specifies when Juice Shop instances will be deleted when unused for that period.
-  gracePeriod: 2d
-  # -- Specifies if the clean up job should delete the outdated namespaces or just report them. Set to false to only report outdated namespaces.
-  SHOULD_DELETE: false
   # -- Cron in which the clean up job is run. Defaults to once in a quarter. Change this if your grace period if shorter than 15 minutes. See "https://crontab.guru/#0,15,30,45_*_*_*_*" for more details.
   cron: "0,15,30,45 * * * *"
   successfulJobsHistoryLimit: 1
   failedJobsHistoryLimit: 1
+  env:
+    SHOULD_DELETE: false # -- Specifies if the clean up job should delete the outdated namespaces or just report them. Set to false to only report outdated namespaces.
+    MAX_INACTIVE_DURATION: 2d # -- Specifies when Wrongsecrets instances will be deleted when unused for that period.
   resources:
     requests:
       memory: 256Mi
@@ -284,3 +294,20 @@ wrongsecretsCleanup:
   affinity: {}
   # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
   tolerations: []
+  podSecurityContext:
+    # -- If true, sets the securityContext on the created pods. This is required for the podSecurityPolicy to work
+    enabled: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+  containerSecurityContext:
+    # -- If true, sets the securityContext on the created containers. This is required for the podSecurityPolicy to work
+    enabled: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault