(WIP) Upgrading to wrongsecrets 1.11.2 (WIP)

.github/workflows/minikube-k8s-test.yml

@@ -23,9 +23,9 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.33.1
+          minikube-version: 1.35.0
           driver: docker
-          kubernetes-version: v1.30.0
+          kubernetes-version: v1.32.0
       - name: test script
         run: |
           eval $(minikube docker-env)
@@ -48,9 +48,9 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.33.1
+          minikube-version: 1.35.0
           driver: docker
-          kubernetes-version: v1.30.0
+          kubernetes-version: v1.32.0
       - name: test script
         run: |
           eval $(minikube docker-env)

build-and-deploy-container-minikube.sh

@@ -4,7 +4,7 @@ source ./scripts/check-available-commands.sh
 checkCommandsAvailable helm docker kubectl yq minikube
 
 minikube delete
-minikube start  --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.30.0
+minikube start  --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.32.0
 eval $(minikube docker-env)
 ./build-and-deploy-container.sh
 

build-and-deploy-minikube.sh

@@ -4,7 +4,7 @@ source ./scripts/check-available-commands.sh
 checkCommandsAvailable helm docker kubectl yq minikube
 
 minikube delete
-minikube start  --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.30.0
+minikube start  --cpus=6 --memory=8000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.32.0
 eval $(minikube docker-env)
 ./build-and-deploy.sh
 

helm/wrongsecrets-ctf-party/Chart.yaml

@@ -28,11 +28,11 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 1.8.5
+version: 1.11.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.8.5
+appVersion: 1.11.3
 
 dependencies:
   - name: kube-prometheus-stack
@@ -46,3 +46,7 @@ dependencies:
   - name: promtail
     version: 3.11.0
     repository: https://grafana.github.io/helm-charts
+
+  - name: sealed-secrets
+    version: 0.28.0
+    repository: https://bitnami-labs.github.io/sealed-secrets

helm/wrongsecrets-ctf-party/README.md

@@ -41,7 +41,7 @@ To uninstall the chart:
     helm delete my-wrongsecrets-ctf-party
 # wrongsecrets-ctf-party
 
-![Version: 1.8.5](https://img.shields.io/badge/Version-1.8.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.5](https://img.shields.io/badge/AppVersion-1.8.5-informational?style=flat-square)
+![Version: 1.11.3](https://img.shields.io/badge/Version-1.11.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square)
 
 Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 
@@ -55,6 +55,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 
 | Repository | Name | Version |
 |------------|------|---------|
+| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 0.28.0 |
 | https://grafana.github.io/helm-charts | loki | 2.16.0 |
 | https://grafana.github.io/helm-charts | promtail | 3.11.0 |
 | https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 43.3.1 |
@@ -116,7 +117,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | balancer.service.loadBalancerSourceRanges | string | `nil` | list of IP CIDRs allowed access to lb (if supported) |
 | balancer.service.type | string | `"ClusterIP"` | Kubernetes service type |
 | balancer.skipOwnerReference | bool | `false` | If set to true this skips setting ownerReferences on the teams wrongsecrets Deployment and Services. This lets MultiJuicer run in older kubernetes cluster which don't support the reference type or the app/v1 deployment type |
-| balancer.tag | string | `"1.8.5cloud"` |  |
+| balancer.tag | string | `"1.9.2-cloud"` |  |
 | balancer.tolerations | list | `[]` | Optional Configure kubernetes toleration for the created wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | balancer.volumeMounts[0] | object | `{"mountPath":"/home/app/config/","name":"config-volume"}` | If true, creates a volumeMount for the created pods. This is required for the podSecurityPolicy to work |
 | balancer.volumes[0] | object | `{"configMap":{"name":"wrongsecrets-balancer-config"},"name":"config-volume"}` | If true, creates a volume for the created pods. This is required for the podSecurityPolicy to work |
@@ -141,6 +142,42 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | kube-prometheus-stack.grafana.namespaceOverride | string | `""` |  |
 | kube-prometheus-stack.grafana.rbac.pspEnabled | bool | `false` | If true, Grafana PSPs will be created |
 | nodeSelector | object | `{}` |  |
+| sealed-secrets.clusterWide | bool | `true` |  |
+| sealed-secrets.controllerClusterRoleBindingName | string | `"sealed-secrets-controller"` | If true, creates a ClusterRoleBinding for the Sealed Secrets controller |
+| sealed-secrets.controllerClusterRoleName | string | `"sealed-secrets-controller"` | If true, creates a ClusterRole for the Sealed Secrets controller |
+| sealed-secrets.controllerConfigMapName | string | `"sealed-secrets-controller"` | If true, creates a ConfigMap for the Sealed Secrets controller |
+| sealed-secrets.controllerDeploymentName | string | `"sealed-secrets-controller"` | If true, creates a Deployment for the Sealed Secrets controller |
+| sealed-secrets.controllerPodDisruptionBudgetName | string | `"sealed-secrets-controller"` | If true, creates a PodDisruptionBudget for the Sealed Secrets controller |
+| sealed-secrets.controllerRoleBindingName | string | `"sealed-secrets-controller"` | If true, creates a RoleBinding for the Sealed Secrets controller |
+| sealed-secrets.controllerRoleName | string | `"sealed-secrets-controller"` | If true, creates a Role for the Sealed Secrets controller |
+| sealed-secrets.controllerSecretName | string | `"sealed-secrets-controller"` | If true, creates a Secret for the Sealed Secrets controller |
+| sealed-secrets.controllerServiceAccount | object | `{"annotations":{},"automountServiceAccountToken":true,"name":"sealed-secrets-controller"}` | If true, creates a ServiceAccount for the Sealed Secrets controller |
+| sealed-secrets.controllerServiceAccountName | string | `"sealed-secrets-controller"` | If true, creates a ServiceAccount for the Sealed Secrets controller |
+| sealed-secrets.controllerServiceName | string | `"sealed-secrets-controller"` | If true, creates a Service for the Sealed Secrets controller |
+| sealed-secrets.createClusterRole | bool | `true` | If true, creates a ClusterRole for the Sealed Secrets controller |
+| sealed-secrets.createClusterRoleBinding | bool | `true` | If true, creates a ClusterRoleBinding for the Sealed Secrets controller |
+| sealed-secrets.createConfigMap | bool | `true` | If true, creates a ConfigMap for the Sealed Secrets controller |
+| sealed-secrets.createControllerClusterRole | bool | `true` | If true, creates a ClusterRole for the Sealed Secrets controller |
+| sealed-secrets.createControllerClusterRoleBinding | bool | `true` | If true, creates a ClusterRoleBinding for the Sealed Secrets controller |
+| sealed-secrets.createControllerConfigMap | bool | `true` | If true, creates a ConfigMap for the Sealed Secrets controller |
+| sealed-secrets.createControllerDeployment | bool | `true` | If true, creates a Deployment for the Sealed Secrets controller |
+| sealed-secrets.createControllerPodDisruptionBudget | bool | `true` | If true, creates a PodDisruptionBudget for the Sealed Secrets controller |
+| sealed-secrets.createControllerRole | bool | `true` | If true, creates a Role for the Sealed Secrets controller |
+| sealed-secrets.createControllerRoleBinding | bool | `true` | If true, creates a RoleBinding for the Sealed Secrets controller |
+| sealed-secrets.createControllerSecret | bool | `true` | If true, creates a Secret for the Sealed Secrets controller |
+| sealed-secrets.createControllerService | bool | `true` | If true, creates a Service for the Sealed Secrets controller |
+| sealed-secrets.createControllerServiceAccount | bool | `true` | If true, creates a ServiceAccount for the Sealed Secrets controller |
+| sealed-secrets.createDeployment | bool | `true` | If true, creates a Deployment for the Sealed Secrets controller |
+| sealed-secrets.createPodDisruptionBudget | bool | `true` | If true, creates a PodDisruptionBudget for the Sealed Secrets controller |
+| sealed-secrets.createRole | bool | `true` | If true, creates a Role for the Sealed Secrets controller |
+| sealed-secrets.createRoleBinding | bool | `true` | If true, creates a RoleBinding for the Sealed Secrets controller |
+| sealed-secrets.createSealedSecretCRDs | bool | `true` |  |
+| sealed-secrets.createSecret | bool | `true` | If true, creates a Secret for the Sealed Secrets controller |
+| sealed-secrets.createService | bool | `true` | If true, creates a Service for the Sealed Secrets controller |
+| sealed-secrets.createServiceAccount | bool | `true` | If true, creates a ServiceAccount for the Sealed Secrets controller |
+| sealed-secrets.enabled | bool | `true` |  |
+| sealed-secrets.keySize | int | `4096` |  |
+| sealed-secrets.keyrenewperiod | string | `"0"` |  |
 | service.port | int | `3000` |  |
 | service.portName | string | `"web"` |  |
 | service.type | string | `"ClusterIP"` |  |
@@ -159,7 +196,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | vaultContainer.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | vaultContainer.securityContext.runAsNonRoot | bool | `true` |  |
 | vaultContainer.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| vaultContainer.tag | string | `"1.15.1"` |  |
+| vaultContainer.tag | string | `"1.19.3"` |  |
 | vaultContainer.tolerations | list | `[]` |  |
 | virtualdesktop.affinity | object | `{}` |  |
 | virtualdesktop.envFrom | list | `[]` |  |
@@ -176,7 +213,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | virtualdesktop.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | virtualdesktop.securityContext.runAsNonRoot | bool | `true` |  |
 | virtualdesktop.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
-| virtualdesktop.tag | string | `"1.9.2"` |  |
+| virtualdesktop.tag | string | `"1.11.2"` |  |
 | virtualdesktop.tolerations | list | `[]` |  |
 | wrongsecrets.affinity | object | `{}` | Optional Configure kubernetes scheduling affinity for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
 | wrongsecrets.config | string | See values.yaml for full details | Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets |
@@ -189,7 +226,7 @@ Run Multi User "Capture the Flags" or Security Trainings with OWASP Wrongsecrets
 | wrongsecrets.resources | object | `{"requests":{"cpu":"256Mi","memory":"300Mi"}}` | Optional resources definitions to set for each Wrongsecrets instance |
 | wrongsecrets.runtimeClassName | string | `nil` | Optional Can be used to configure the runtime class for the Wrongsecrets instances pods to add an additional layer of isolation to reduce the impact of potential container escapes. (see: https://kubernetes.io/docs/concepts/containers/runtime-class/) |
 | wrongsecrets.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Optional securityContext definitions to set for each Wrongsecrets instance |
-| wrongsecrets.tag | string | `"1.9.2-no-vault"` |  |
+| wrongsecrets.tag | string | `"1.11.2-no-vault"` |  |
 | wrongsecrets.tolerations | list | `[]` | Optional Configure kubernetes toleration for the created Wrongsecrets instances (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | wrongsecrets.volumes | list | `[]` | Optional Volumes to set for each Wrongsecrets instance (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | wrongsecretsCleanup.affinity | object | `{}` | Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |

helm/wrongsecrets-ctf-party/values.yaml

@@ -40,7 +40,7 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 1.8.5cloud
+  tag: 1.9.2-cloud
   # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
   replicas: 2
   # -- Port to expose on the balancer pods which the container listens on
@@ -147,7 +147,7 @@ wrongsecrets:
   maxInstances: 500
   # -- Wrongsecrets Image to use
   image: jeroenwillemsen/wrongsecrets
-  tag: 1.9.2-no-vault
+  tag: 1.11.2-no-vault
   # -- Change the key when hosting a CTF event. This key gets used to generate the challenge flags. See: https://github.com/OWASP/wrongsecrets#ctf
   ctfKey: "[email protected]!9uR_K!NfkkTr"
   # -- Specify a custom Wrongsecrets config.yaml. See the Wrongsecrets Docs for any needed ENVs: https://github.com/OWASP/wrongsecrets
@@ -209,7 +209,7 @@ virtualdesktop:
   maxInstances: 500
   # -- Wrongsecrets Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
-  tag: 1.9.2
+  tag: 1.11.2
   repository: commjoenie/wrongSecrets
   resources:
     request:
@@ -240,7 +240,7 @@ vaultContainer:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: hashicorp/vault
-  tag: 1.15.1
+  tag: 1.19.3
   repository: commjoenie/wrongSecrets
   resources:
     request:
@@ -303,6 +303,85 @@ wrongsecretsCleanup:
         - ALL
     seccompProfile:
       type: RuntimeDefault
+sealed-secrets:
+  # Install the controller
+  enabled: true
+
+  # Install the CRDs
+  createSealedSecretCRDs: true
+
+  # Make the controller cluster-wide so it can manage keys in all namespaces
+  clusterWide: true
+
+  # Optionally, set this to true to automatically create a key in every namespace
+  keyrenewperiod: "0" # disables automatic key rotation
+  keySize: 4096
+  # -- If true, creates a ServiceAccount for the Sealed Secrets controller
+  createServiceAccount: true
+  # -- If true, creates a Role for the Sealed Secrets controller
+  createRole: true
+  # -- If true, creates a RoleBinding for the Sealed Secrets controller
+  createRoleBinding: true
+  # -- If true, creates a ClusterRole for the Sealed Secrets controller
+  createClusterRole: true
+  # -- If true, creates a ClusterRoleBinding for the Sealed Secrets controller
+  createClusterRoleBinding: true
+  # -- If true, creates a Service for the Sealed Secrets controller
+  createService: true
+  # -- If true, creates a Deployment for the Sealed Secrets controller
+  createDeployment: true
+  # -- If true, creates a PodDisruptionBudget for the Sealed Secrets controller
+  createPodDisruptionBudget: true
+  # -- If true, creates a ConfigMap for the Sealed Secrets controller
+  createConfigMap: true
+  # -- If true, creates a Secret for the Sealed Secrets controller
+  createSecret: true
+  # -- If true, creates a ServiceAccount for the Sealed Secrets controller
+  createControllerServiceAccount: true
+  # -- If true, creates a Role for the Sealed Secrets controller
+  createControllerRole: true
+  # -- If true, creates a RoleBinding for the Sealed Secrets controller
+  createControllerRoleBinding: true
+  # -- If true, creates a ClusterRole for the Sealed Secrets controller
+  createControllerClusterRole: true
+  # -- If true, creates a ClusterRoleBinding for the Sealed Secrets controller
+  createControllerClusterRoleBinding: true
+  # -- If true, creates a Service for the Sealed Secrets controller
+  createControllerService: true
+  # -- If true, creates a Deployment for the Sealed Secrets controller
+  createControllerDeployment: true
+  # -- If true, creates a PodDisruptionBudget for the Sealed Secrets controller
+  createControllerPodDisruptionBudget: true
+  # -- If true, creates a ConfigMap for the Sealed Secrets controller
+  createControllerConfigMap: true
+  # -- If true, creates a Secret for the Sealed Secrets controller
+  createControllerSecret: true
+  # -- If true, creates a ServiceAccount for the Sealed Secrets controller
+  controllerServiceAccountName: "sealed-secrets-controller"
+  # -- If true, creates a Role for the Sealed Secrets controller
+  controllerRoleName: "sealed-secrets-controller"
+  # -- If true, creates a RoleBinding for the Sealed Secrets controller
+  controllerRoleBindingName: "sealed-secrets-controller"
+  # -- If true, creates a ClusterRole for the Sealed Secrets controller
+  controllerClusterRoleName: "sealed-secrets-controller"
+  # -- If true, creates a ClusterRoleBinding for the Sealed Secrets controller
+  controllerClusterRoleBindingName: "sealed-secrets-controller"
+  # -- If true, creates a Service for the Sealed Secrets controller
+  controllerServiceName: "sealed-secrets-controller"
+  # -- If true, creates a Deployment for the Sealed Secrets controller
+  controllerDeploymentName: "sealed-secrets-controller"
+  # -- If true, creates a PodDisruptionBudget for the Sealed Secrets controller
+  controllerPodDisruptionBudgetName: "sealed-secrets-controller"
+  # -- If true, creates a ConfigMap for the Sealed Secrets controller
+  controllerConfigMapName: "sealed-secrets-controller"
+  # -- If true, creates a Secret for the Sealed Secrets controller
+  controllerSecretName: "sealed-secrets-controller"
+  # -- If true, creates a ServiceAccount for the Sealed Secrets controller
+  controllerServiceAccount:
+    name: "sealed-secrets-controller"
+    annotations: {} # -- Annotations to be added to the ServiceAccount
+    automountServiceAccountToken: true # -- If true, the ServiceAccount will automatically mount the service account token
+
 kube-prometheus-stack:
   # -- If true, installs the kube-prometheus-stack chart which includes Prometheus, Alertmanager, Grafana, and other monitoring components
   enabled: true