fix: add permissions

Author: bendehaan

build-and-deploy.sh

@@ -18,7 +18,7 @@ WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop
 WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop.tag')
 echo "doing workaround for selaed secrets"
 helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
-helm install ws-sealedsecrets sealed-secrets/sealed-secrets -n kube-system
+helm install ws-sealedsecrets sealed-secrets/sealed-secrets --namespace kube-system
 echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG."
 echo "If you see an authentication failure: pull them manually by the following 2 commands"
 echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'"

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/role.yaml

@@ -44,3 +44,6 @@ rules:
   - apiGroups: ['']
     resources: ['endpoints']
     verbs: [ 'get', 'list']
+  - apiGroups: ['bitnami.com']
+    resources: ['sealedsecrets']
+    verbs: ['get', 'create', 'list', 'delete', 'patch', 'watch', 'update']

wrongsecrets-balancer/src/kubernetes.js

@@ -157,12 +157,12 @@ const getJuiceShopInstanceForTeamname = async (teamname) => {
       () => k8sAppsApi.readNamespacedDeployment({name: deploymentName, namespace: namespace}),
       `Check deployment for team ${teamname}`
     );
-    if (!res || !res.body) {
+    if (!res) {
       logger.info(`No deployment found for team ${teamname}`);
       return undefined;
     }
 
-    const deployment = res.body;
+    const deployment = res;
 
     if (
       Object.prototype.hasOwnProperty.call(deployment, 'metadata') &&
@@ -199,7 +199,7 @@ const createConfigmapForTeam = async (team) => {
     },
   };
   return k8sCoreApi.createNamespacedConfigMap({namespace: 't-' + team, body: configmap}).catch((error) => {
-    throw new Error(error.response.body.message);
+    throw new Error(error.response.message);
   });
 };
 
@@ -217,7 +217,7 @@ const createSecretsfileForTeam = async (team) => {
     },
   };
   return k8sCoreApi.createNamespacedSecret({namespace: 't-' + team, body: secret}).catch((error) => {
-    throw new Error(error.response.body.message);
+    throw new Error(error.response.message);
   });
 };
 
@@ -239,7 +239,7 @@ const createChallenge33SecretForTeam = async (team) => {
     },
   };
   return k8sCoreApi.createNamespacedSecret({namespace: 't-' + team, body: secret}).catch((error) => {
-    throw new Error(error.response.body.message);
+    throw new Error(error.response.message);
   });
 };
 
@@ -314,7 +314,7 @@ const getSealedSecretsPublicKey = async () => {
       {name: 'sealed-secrets-key',
       namespace: 'kube-system'}
     );
-    return response.body.data['tls.crt'];
+    return response.data['tls.crt'];
   } catch (error) {
     logger.error('Failed to get Sealed Secrets public key:', error.body || error);
     throw new Error(`Failed to get public key: ${error.message}`);
@@ -1862,7 +1862,7 @@ const deleteNamespaceForTeam = async (team) => {
 const deletePodForTeam = async (team) => {
   const res = await k8sCoreApi.listNamespacedPod({namespace: `t-${team}`, pretty: true, allowWatchBookmarks: true, _continue: undefined, fieldSelector: undefined, labelSelector: `app=wrongsecrets,team=${team},deployment-context=${get('deploymentContext')}`});
 
-  const pods = res.body.items;
+  const pods = res.items;
 
   if (pods.length !== 1) {
     throw new Error(`Unexpected number of pods ${pods.length}`);
@@ -1876,7 +1876,7 @@ const deletePodForTeam = async (team) => {
 const deleteDesktopPodForTeam = async (team) => {
   const res = await k8sCoreApi.listNamespacedPod({namespace: `t-${team}`, pretty: true, allowWatchBookmarks: true, _continue: undefined, fieldSelector: undefined, labelSelector: `app=virtualdesktop,team=${team},deployment-context=${get('deploymentContext')}`});
 
-  const pods = res.body.items;
+  const pods = res.items;
 
   if (pods.length !== 1) {
     throw new Error(`Unexpected number of pods ${pods.length}`);