ctfer-io/ctfer

CTFer

The CTFer component is in charge of the production-ready deployment of a CTF platform (CTFd) along with its cache (Redis) and database (PostgreSQL), with OpenTelemetry support, in a Kubernetes environment.

The CTFer architecture.

Caution

This component is an internal work mostly used for development purposes. It is used for production purposes too, i.e. on Capture The Flag events.

Nonetheless, we do not include it in the repositories we are actively maintaining, and it is subject to future major changes with no migration capability.

📦 Deployment

Configuration

The default configuration will work, but you might not end up with a ✨ perfect 🤌 setup.

To get there, you can look at the whole Pulumi.yaml configuration. We detail some of the settings here.

Custom images

If you want to use a custom image of CTFd (e.g., with your plugins or theme):

pulumi config set --path platform.image ctferio/ctfd:3.8.1-0.9.0

Configure Chall-Manager URL

If you want to configure the Chall-Manager URL:

pulumi config set chall-manager-url http://chall-manager-svc.ctfer:8080/api/v1

Custom Certificate

If you want to use a custom certificate, set it as shown below. We HIGHLY recommend it for production purposes, especially to avoid MitM attacks, credential leakage and so on.

# export PULUMI_CONFIG_PASSPHRASE before
# https://github.com/pulumi/pulumi/issues/6015
cat /path/to/crt.pem | pulumi config set --secret --path platform.crt
cat /path/to/key.pem | pulumi config set --secret --path platform.key
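
A pre-flight check for the certificate and key before they are stored as secrets, as an added example (not part of the CTFer repository). It assumes OpenSSL 1.1.0 or later is on the PATH; `check_tls_pair`, `pubkey_digest` and `MIN_VALID_DAYS` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example, not CTFer code: pre-flight check for platform.crt / platform.key.
# check_tls_pair, pubkey_digest and MIN_VALID_DAYS are hypothetical names.
MIN_VALID_DAYS="${MIN_VALID_DAYS:-7}"   # assumption: outlive the event by a margin

# SHA-256 of the public key carried by a certificate (x509) or private key (pkey).
pubkey_digest() {
  if [ "$1" = x509 ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi 2>/dev/null | openssl dgst -sha256 -r
}

# $1 = certificate PEM, $2 = private key PEM, $3 = hostname the platform serves
check_tls_pair() {
  local crt="$1" key="$2" host="$3"
  openssl x509 -in "$crt" -noout 2>/dev/null \
    || { echo "unreadable certificate: $crt" >&2; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "unreadable private key: $key" >&2; return 1; }
  # The key must be the one the certificate was issued for.
  [ "$(pubkey_digest x509 "$crt")" = "$(pubkey_digest pkey "$key")" ] \
    || { echo "private key does not match certificate" >&2; return 2; }
  # The certificate must still be valid MIN_VALID_DAYS from now.
  openssl x509 -in "$crt" -noout -checkend "$((MIN_VALID_DAYS * 86400))" >/dev/null \
    || { echo "certificate expires within $MIN_VALID_DAYS days" >&2; return 3; }
  # The certificate must cover the hostname players will connect to.
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match' \
    || { echo "certificate does not cover $host" >&2; return 4; }
}

# As a script: validate, then store both files as Pulumi secrets (commands from this page).
if [ "$#" -eq 3 ]; then
  check_tls_pair "$1" "$2" "$3" || exit $?
  pulumi config set --secret --path platform.crt < "$1"
  pulumi config set --secret --path platform.key < "$2"
fi
```

Run it with the certificate, the key and the value you will give `platform.hostname`; a non-zero exit code identifies which check failed.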

Filesystem

If you want to have a larger filesystem, for instance for uploads on CTFd:

pulumi config set --path platform.storage-size 10Gi

Workers and Replicas

If you want to configure several workers on CTFd:

pulumi config set-all --path \
  --plaintext platform.workers=3 \
  --plaintext platform.replicas=3

Warning

You will need a ReadWriteMany-compatible CSI (e.g., Longhorn) if the Pods are scheduled on several nodes.

pulumi config set-all --path \
  --plaintext 'platform.pvc-access-modes[0]=ReadWriteMany' \
  --plaintext platform.storage-class=longhorn

Requests and Limits

If you want to configure resources other than the defaults (Kubernetes requires each request to be no larger than its limit):

pulumi config set-all --path \
  --plaintext platform.requests.cpu=1 \
  --plaintext platform.requests.memory=1Gi \
  --plaintext platform.limits.cpu=1 \
  --plaintext platform.limits.memory=2Gi

If you don't need air-gap settings, you can directly skip to the deployment.

Air-gap environments

Requirements:

First of all, synchronize your manifest with the existing setup (e.g. online mock infrastructure).

cd hack
hauler store sync -f hauler-manifest-ha.yaml
hauler store copy registry://registry.dev1.ctfer-io.lab

Then, configure your Pulumi stack.

pulumi config set-all \
  --plaintext images-repository=registry.dev1.ctfer-io.lab \
  --plaintext charts-repository=oci://registry.dev1.ctfer-io.lab/hauler

Let's do it!

Now comes the last mile, the infrastructure-specific configuration, and you should be good to deploy CTFer! 💪

pulumi config set-all --path \
  --plaintext platform.hostname=ctfd.dev1.ctfer-io.lab \
  --plaintext ingress-labels.name=traefik \
  --plaintext db.operator-namespace=cnpg-system

pulumi up

About

High-Availability and Secure CTF deployment tool over Kubernetes