Changes to make DamCTF work

Cargo.toml

@@ -39,6 +39,8 @@ rust-s3 = { version = "0.35.1", default-features = false, features = [
 minijinja = { version = "2.6.0", features = ["json"] }
 duct = "0.13.7"
 fastrand = "2.3.0"
+base64ct = { version = "1.7.3", features = ["alloc"] }
+docker_credential = "1.3.2"
 
 
 [dev-dependencies]

docs/for-challenge-authors.md

@@ -0,0 +1,199 @@
+# How to write beaverCDS challenge.yaml config
+
+tldr: see [the TCP example](#full-tcp-example) or [the web example](#full-http-example).
+
+### Metadata
+
+Self explanatory.
+
+```yaml
+name: yet another pyjail
+author: somebody, John Author
+```
+
+### Description
+
+Challenge description supports markdown and Jinja-style templating for challenge info.
+The Jinja template fields available are:
+
+| Field name  | Description |
+| ----------- | ----------- |
+| `hostname`  | The hostname or domain for the challenge
+| `port`      | The port that the challenge is listening on
+| `nc`        | Insert the `nc` command to connect to TCP challenges (`nc {{hostname}} {{port}}`)
+| `link`      | Create a Markdown link to the exposed hostname/port
+| `url`       | The URL from `link` without the accompanying Markdown
+| `challenge` | The full challenge.yaml config for this challenge, with subfields
+
+You probably only want `{{ nc }}` or `{{ link }}`.
+
+Example:
+
+```yaml
+description: |
+    Some example challenge. Blah blah blah flavor text.
+
+    In case you missed it, this was written by {{ challenge.author }}
+    and is called {{ challenge.name }}.
+
+    {{ link }}    # -becomes-> [example.chals.thectf.com](https://example.chals.thectf.com)
+    {{ nc }}      # -becomes-> `nc example.chals.thectf.com 12345`
+```
+
+
+### Flag
+
+Read flag from file:
+
+```yaml
+flag:
+  file: ./flag
+```
+
+### Pods
+
+Defines how any container images for this challenge are built and deployed.
+
+The pod `name` is also used for extracting files, see [Providing files to
+users](<for-challenge-authors#Providing files to users>).
+
+`build` works similar to [Docker Compose](https://docs.docker.com/reference/compose-file/build/#illustrative-example),
+either:
+  - a string path to the build context folder
+  - yaml with explicit `context` path, `dockerfile` path within context folder, and `args` build args \
+    (only `context`, `dockerfile`, and `args` are supported for the detailed form)
+
+`ports` controls how the container is exposed. This should be a list of what port the container is listening, and how
+that port should be exposed to players:
+- For TCP challenges, set `expose.tcp` to the subdomain and port: `<subdomain>:<port>`
+- For HTTP challenges, set `expose.http` to the subdomain only: `<subdomain>` \
+  The website domain will automatically be set up with an HTTPS cert.
+
+
+```yaml
+pods:
+  - name: tcp-example
+    build: .
+    replicas: 2
+    ports:
+      - internal: 31337
+        expose:
+          tcp: thechal:30124  # exposed at thechal.<challenges_domain>:30124
+
+  - name: web-example
+    build:
+      context: src/
+      dockerfile: Containerfile
+    replicas: 2
+    ports:
+      - internal: 31337
+        expose:
+          http: webchal  # exposed at https://webchal.<challenges_domain>
+```
+
+
+
+
+This can be omitted if there are no containers for the challenge.
+
+### Providing files to users
+
+Files to give to players as downloads in frontend.
+
+These can be from the challenge folder in the repository, or from the
+challenge's built container. These can also be zipped together into one file, or
+uploaded separately. These need to be files, directories or globs are not (yet)
+supported.
+
+This can be omitted if there are no files provided.
+
+```yaml
+provide:
+  # file from the challenge folder in the repo
+  - somefile.txt
+
+  # multiple files from chal_folder/src/, zipped as together.zip
+  - as: together.zip
+    include:
+      - src/file1
+      - src/file2
+      - src/file3
+
+  # extract these files from inside of the container image
+  # for the `main` pod (see previous section)
+  - from: main
+    include:
+      - /chal/notsh
+      - /lib/x86_64-linux-gnu/libc.so.6
+
+  # same as above, but now zipped together
+  - from: main
+    as: notsh.zip
+    include:
+      - /chal/notsh
+      - /lib/x86_64-linux-gnu/libc.so.6
+```
+
+
+
+
+
+# Examples
+
+## Full TCP example
+
+```yaml
+name: notsh
+author: John Author
+description: |-
+  This challenge isn't a shell
+
+  {{ nc }}
+
+provide:
+  - from: main
+    include:
+      - /chal/notsh
+      - /lib/x86_64-linux-gnu/libc.so.6
+
+flag:
+  file: ./flag
+
+pods:
+  - name: main
+    build: .
+    replicas: 2
+    ports:
+      - internal: 31337
+        expose:
+          tcp: 30124
+```
+
+## Full HTTP example
+
+```yaml
+name: bar
+author: somebody
+description: |
+  can you order a drink from the webserver?
+
+  {{ url }}
+
+difficulty: 1
+
+flag:
+  file: ./flag
+
+# no provide: section needed if no files
+
+pods:
+  - name: bar
+    build:
+      context: .
+      dockerfile: Containerfile
+    replicas: 1
+    ports:
+      - internal: 80
+        expose:
+          http: bar # subdomain only
+```

src/access_handlers/docker.rs

@@ -10,8 +10,8 @@ use minijinja;
 use tokio;
 use tracing::{debug, error, info, trace, warn};
 
-use crate::clients::{docker, render_strict};
 use crate::configparser::{get_config, get_profile_config};
+use crate::{clients::docker, utils::render_strict};
 
 /// container registry / daemon access checks
 #[tokio::main(flavor = "current_thread")] // make this a sync function

src/asset_files/challenge_templates/deployment.yaml.j2

@@ -19,9 +19,14 @@ spec:
       labels:
         rctf/part-of: "{{ slug }}-{{ pod.name }}"
     spec:
+      imagePullSecrets:
+        - name: "rcds-{{ slug }}-pull"
+      nodeSelector:
+        kubernetes.io/arch: {{ pod.architecture }}
       containers:
         - name: "{{ pod.name }}"
           image: "{{ pod_image }}"
+          imagePullPolicy: Always
           ports:
             {% for p in pod.ports -%}
             - containerPort: {{ p.internal }}

src/asset_files/challenge_templates/http.yaml.j2

@@ -24,6 +24,7 @@ metadata:
   namespace: "rcds-{{ slug }}"
   annotations:
     app.kubernetes.io/managed-by: rcds
+    cert-manager.io/cluster-issuer: letsencrypt
 spec:
   ingressClassName: beavercds
   rules:
@@ -39,3 +40,10 @@ spec:
               port:
                 number: {{ p.internal }}
   {% endfor -%}
+
+  tls:
+    - hosts:
+      {%- for p in http_ports %}
+        - "{{ p.expose.http }}.{{ domain }}"
+      {% endfor -%}
+      secretName: "rcds-tls-{{ slug }}-{{ pod.name }}"

src/asset_files/challenge_templates/namespace.yaml.j2

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: rcds-{{ slug }}
+  name: "rcds-{{ slug }}"
   annotations:
     app.kubernetes.io/managed-by: rcds
     rctf/challenge: "{{ chal.name }}"

src/asset_files/challenge_templates/pull-secret.yaml.j2

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: "rcds-{{ slug }}-pull"
+  namespace: "rcds-{{ slug }}"
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "{{ registry_domain }}": {
+          "auth": "{{ creds_b64 }}"
+        }
+      }
+    }

src/asset_files/challenge_templates/tcp.yaml.j2

@@ -8,7 +8,15 @@ metadata:
     app.kubernetes.io/managed-by: rcds
     # still use separate domain for these, since exposed LoadBalancer services
     # will all have different ips from each other
-    external-dns.alpha.kubernetes.io/hostname: "{{ slug }}.{{ domain }}"
+    external-dns.alpha.kubernetes.io/hostname: "{{ name_slug }}.{{ domain }}"
+
+    # aws-specific annotations for lb options
+    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
+
 spec:
   type: LoadBalancer
   selector:

src/asset_files/setup_manifests/external-dns.helm.yaml.j2

@@ -2,8 +2,6 @@
 rbac:
   create: true
 
-{{ provider_credentials }}
-
 # Watch these resources for new DNS records
 sources:
   - service
@@ -20,10 +18,10 @@ txtOwnerId: "k8s-external-dns"
 txtPrefix: "k8s-owner."
 
 extraArgs:
-  # ignore any services with internal ips
-  #exclude-target-net: "10.0.0.0/8"
   # special character replacement
-  txt-wildcard-replacement: star
+  - --txt-wildcard-replacement=star
+  # use CNAME instead of ALIAS for alb targets
+  - --aws-prefer-cname
 
 ## Limit external-dns resources
 resources:
@@ -34,3 +32,6 @@ resources:
     cpu: 10m
 
 logLevel: debug
+
+# assign last to override any previous values if required
+{{ provider_credentials }}

src/asset_files/setup_manifests/ingress-nginx.helm.yaml

@@ -3,6 +3,15 @@ controller:
   ingressClassResource:
     name: beavercds
 
+  # set variety of annotations needed for the cloud providers
+
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
+
 # nginx values for tcp ports will be set separately in other values file
 # this will make it easier for `deploy` to update those values without
 # subsequent calls to `cluster-setup` overwriting changes.