Changes to make DamCTF work #53

detjensrobert · 2025-05-06T04:30:51Z

Changes during DamCTF crunch time to get things working.

Notable changes:

render templates in strict mode to error on undefined variables (added a helper for that)
check for helm binary in cluster-setup
add needed AWS ELB annotations to ingress and tcp services to get public load balancer
switch to official external-dns chart instead of bitnami external-dns because it works better ( closes Note for later: now using official external-dns chart #51 )
Basic documentation for challenge authors on the new challenge.yaml format
Apply registry.cluster image pull credentials to cluster
Hacky TCP challenge fix to use the challenge name as part of the DNS entry (will change in Switch to Gateway API for TCP and HTTP service ingress #64)
Render challenge information to a local markdown file instead of sending to frontend
Use local docker.io dockerhub credentials when building images if available ( closes use docker credentials during build #59 )
Allow specifying architecture in challenge pod config for pods that need to run on arm64 (defaults to amd64) ( closes Note for later: challenge pods now accept architecture: #55 )
Reworked deployment code structure to handle kube apply, s3 upload, and frontend updates on a per-challenge instead of separately to properly pass s3 info to frontend

Signed-off-by: Robert Detjens <[email protected]>

This consolidates (almost) all of the error display handling into the cli main(), which is idiomatic since the library side of this shouldn't need to worry about how its errors are presented. There are a couple spots where the Error case is a Vec of things, which can't be handled by the single error handler in main. These have been changed to do their custom error printing, then return a new error to main(). I added TODO comments to these. Signed-off-by: Robert Detjens <[email protected]>

Signed-off-by: Robert Detjens <[email protected]>

Pull secrets are namespace-scoped, so need to be present in all of our namespaces that use our images. Also update deployments to use these pull secrets. Signed-off-by: Robert Detjens <[email protected]>

Signed-off-by: Robert Detjens <[email protected]>

We're reusing the same tags, so always pull latest so not stuck on stale image Signed-off-by: Robert Detjens <[email protected]>

Signed-off-by: Robert Detjens <[email protected]>

KekoaM · 2025-06-02T06:45:23Z

src/asset_files/challenge_templates/http.yaml.j2

future consideration: do we want a way to use non-letsencrypt ACME?

KekoaM

Overall looks good
already tested in prod

KekoaM · 2025-06-02T06:48:09Z

src/clients.rs

@@ -48,6 +43,93 @@ pub async fn docker() -> Result<&'static bollard::Docker> {
    }
 }

+/// Fetch registry login credentials from ~/.docker/config.json or $DOCKER_CONFIG
+///
+/// For now, this is only `docker.io` credentials, as it is the only registry


Probably want to track this in an issue (perhaps separate from #59)

detjensrobert added 15 commits April 30, 2025 22:12

move render_strict helper to lib module

374380a

Signed-off-by: Robert Detjens <[email protected]>

Make sure helm binary is available for cluster-setup

b1d1c84

Signed-off-by: Robert Detjens <[email protected]>

Switch to better-documented official external-dns chart

372b456

Signed-off-by: Robert Detjens <[email protected]>

move extdns user values to end of template

cf19204

Signed-off-by: Robert Detjens <[email protected]>

use challenge domain as cert issuer email

506f22e

Signed-off-by: Robert Detjens <[email protected]>

fix cert issuer quoting

6131fa2

Signed-off-by: Robert Detjens <[email protected]>

add ingress aws lb config, request cert for challenge ingresses

5b1cad2

Signed-off-by: Robert Detjens <[email protected]>

Use strict render helper for challenge manifest templates

6d19acc

Signed-off-by: Robert Detjens <[email protected]>

fix tls config for chal ingress

1a1ce7a

Signed-off-by: Robert Detjens <[email protected]>

also add AWS LB config opts to tcp services

7d4d088

Signed-off-by: Robert Detjens <[email protected]>

create external-dns cnames instead of alias

af3aae0

Signed-off-by: Robert Detjens <[email protected]>

Add documentation for challenge description template fields

5c2b144

Signed-off-by: Robert Detjens <[email protected]>

Full docs on how to write challenge.yaml for chal authors

6af3086

Signed-off-by: Robert Detjens <[email protected]>

use our ingress class for cert challenges

76bb60c

Signed-off-by: Robert Detjens <[email protected]>

detjensrobert self-assigned this May 6, 2025

detjensrobert mentioned this pull request May 6, 2025

Changes to make damctf work #52

Closed

detjensrobert added 10 commits May 5, 2025 21:52

clarify provide is files only

bd3e348

Signed-off-by: Robert Detjens <[email protected]>

Add registry pull credentials to challenge namespaces

d0513ad

Pull secrets are namespace-scoped, so need to be present in all of our namespaces that use our images. Also update deployments to use these pull secrets. Signed-off-by: Robert Detjens <[email protected]>

use challenge name instead of category-name slug for tcp domains

8977698

Signed-off-by: Robert Detjens <[email protected]>

Fix flag reference in test chal bar

9880f03

Signed-off-by: Robert Detjens <[email protected]>

render out challenge information to markdown temporarily

034c11d

Signed-off-by: Robert Detjens <[email protected]>

add architecture selector for arm challenges

7cc91f6

Signed-off-by: Robert Detjens <[email protected]>

build container images for the pods arch

76d6139

Signed-off-by: Robert Detjens <[email protected]>

fix returned archive path for in-repo asset zips

0933877

Signed-off-by: Robert Detjens <[email protected]>

trim flag whitespace in chal info

33ab4c4

Signed-off-by: Robert Detjens <[email protected]>

Always pull latest challenge images

626fec0

We're reusing the same tags, so always pull latest so not stuck on stale image Signed-off-by: Robert Detjens <[email protected]>

detjensrobert force-pushed the dr/damctf-crunch branch from 1e59954 to 626fec0 Compare May 8, 2025 22:43

detjensrobert added 2 commits May 8, 2025 17:59

fix domains for chals with spaces

314443c

Signed-off-by: Robert Detjens <[email protected]>

fix hostname template

d91818f

Signed-off-by: Robert Detjens <[email protected]>

detjensrobert marked this pull request as ready for review May 13, 2025 03:41

detjensrobert requested a review from KekoaM May 16, 2025 04:48

Fetch docker.io credentials when building challenge images

2a94604

Signed-off-by: Robert Detjens <[email protected]>

detjensrobert force-pushed the dr/damctf-crunch branch from a856f51 to 2a94604 Compare May 31, 2025 01:41

KekoaM reviewed Jun 2, 2025

View reviewed changes

src/asset_files/challenge_templates/http.yaml.j2

Copy link

KekoaM Jun 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

future consideration: do we want a way to use non-letsencrypt ACME?

KekoaM approved these changes Jun 2, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Changes to make DamCTF work #53

Changes to make DamCTF work #53

Uh oh!

detjensrobert commented May 6, 2025 •

edited

Loading

Uh oh!

KekoaM Jun 2, 2025

Uh oh!

KekoaM left a comment

Uh oh!

KekoaM Jun 2, 2025

Uh oh!

Uh oh!

Changes to make DamCTF work #53

Are you sure you want to change the base?

Changes to make DamCTF work #53

Uh oh!

Conversation

detjensrobert commented May 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

KekoaM Jun 2, 2025

Choose a reason for hiding this comment

Uh oh!

KekoaM left a comment

Choose a reason for hiding this comment

Uh oh!

KekoaM Jun 2, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

detjensrobert commented May 6, 2025 •

edited

Loading