From 0c08596bd71566484419f2e3d444c43233834699 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 15:57:20 +0200 Subject: [PATCH 1/8] fix: scaffold challenge 48 sealed secret --- build-and-deploy.sh | 2 +- wrongsecrets-balancer/package-lock.json | 10 +++++++ wrongsecrets-balancer/package.json | 1 + wrongsecrets-balancer/src/kubernetes.js | 38 ++++++++++++++++++++---- wrongsecrets-balancer/src/teams/teams.js | 12 ++++++++ 5 files changed, 57 insertions(+), 6 deletions(-) diff --git a/build-and-deploy.sh b/build-and-deploy.sh index 3578797d..9585fe4a 100755 --- a/build-and-deploy.sh +++ b/build-and-deploy.sh @@ -16,7 +16,7 @@ WRONGSECRETS_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.wrongsec WRONGSECRETS_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.wrongsecrets.tag') WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop.image') WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop.tag') -echo "doing workaround for selaed secrets" +echo "doing workaround for sealed secrets" helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets helm install ws-sealedsecrets sealed-secrets/sealed-secrets --namespace kube-system echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG." diff --git a/wrongsecrets-balancer/package-lock.json b/wrongsecrets-balancer/package-lock.json index 51e8c1b1..a85a5a1e 100644 --- a/wrongsecrets-balancer/package-lock.json +++ b/wrongsecrets-balancer/package-lock.json @@ -27,6 +27,7 @@ "joi": "^17.13.3", "lodash": "^4.17.21", "minimatch": "^10.0.1", + "node-forge": "^1.3.1", "on-finished": "^2.4.1", "prom-client": "^15.1.3", "winston": "^3.17.0" 
@@ -5840,6 +5841,15 @@ } } }, + "node_modules/node-forge": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz", + "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==", + "license": "(BSD-3-Clause OR GPL-2.0)", + "engines": { + "node": ">= 6.13.0" + } + }, "node_modules/node-int64": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz", diff --git a/wrongsecrets-balancer/package.json b/wrongsecrets-balancer/package.json index cbc25015..18ad7baf 100644 --- a/wrongsecrets-balancer/package.json +++ b/wrongsecrets-balancer/package.json @@ -29,6 +29,7 @@ "joi": "^17.13.3", "lodash": "^4.17.21", "minimatch": "^10.0.1", + "node-forge": "^1.3.1", "on-finished": "^2.4.1", "prom-client": "^15.1.3", "winston": "^3.17.0" diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index 6953d57e..b5857b60 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js @@ -8,6 +8,9 @@ const { NetworkingV1Api, } = require('@kubernetes/client-node'); +// Crypto library for sealed secret +const forge = require('node-forge'); + const kc = new KubeConfig(); kc.loadFromCluster(); 
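Review bot: Pulling in `node-forge` for one RSA-OAEP operation adds a pure-JS crypto library to the balancer's supply chain when Node's built-in `crypto` already covers it: `new X509Certificate(pem).publicKey` (Node ≥ 15.6) and `publicEncrypt({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256', oaepLabel })`. The built-in path also takes an OAEP label, which scoped sealing needs as far as I understand the controller's scheme, and uses the same digest for MGF1 by default, so it is less easy to get subtly wrong than forge's per-option `md`/`mgf1` pair. If forge is kept on purpose, the `// Crypto library for sealed secret` comment should say why the built-in was not sufficient.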
@@ -251,6 +254,25 @@ const createChallenge33SecretForTeam = async (team) => {
 });
 };
 
+/**
+ * @param {string} team - The team name
+ * @param {string} value - The challenge 48 secret
+ */
+const createChallenge48SecretForTeam = async (team, value) => {
+ const sealedSecretCert = getSealedSecretsPublicKey();
+ const cert = forge.pki.certificateFromPem(sealedSecretCert);
+ const key = cert.publicKey;
+ const encrypted = key.encrypt(value, 'RSA-OAEP', {
+ md: forge.md.sha256.create(),
+ mgf1: { md: forge.md.sha1.create() },
+ });
+ createSealedSecretForTeam(
+ team,
+ 'challenge48secret',
+ Buffer.from(encrypted, 'binary').toString('base64')
+ );
+};
+
 /**
 * Create a SealedSecret in the team's namespace for secure secret management
 * @param {string} team - The team name
@@ -307,7 +329,6 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => {
 
 /**
 * Create a sealed secret for challenge 33 specific to the team
- * TODO: REPLACE WITH CHALLENGE 53 FOR ACTUAL SEALED SECRET
 * @param {string} team - The team name
 */
 const createSealedChallenge33SecretForTeam = async (team) => {
@@ -325,8 +346,14 @@ const createSealedChallenge33SecretForTeam = async (team) => {
 */
 const getSealedSecretsPublicKey = async () => {
 try {
+ const list = await k8sCoreApi.readNamespacedSecret({
+ namespace: 'kube-system',
+ labelSelector: { "sealedsecrets.bitnami.com/sealed-secrets-key": "active" },
+ });
+ console.log(list.items);
+ secretName = list.items[0].metadata.name;
 const response = await k8sCoreApi.readNamespacedSecret({
- name: 'sealed-secrets-key',
+ name: secretName,
 namespace: 'kube-system',
 });
 return response.data['tls.crt'];
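Review bot: `createChallenge48SecretForTeam` calls `getSealedSecretsPublicKey()` without `await`, so `forge.pki.certificateFromPem` receives a Promise rather than the PEM string, and it also does not await `createSealedSecretForTeam(...)`, so a failed SealedSecret creation becomes an unhandled rejection that no caller's `try/catch` can observe. Both calls should be `await`ed: `const sealedSecretCert = await getSealedSecretsPublicKey();` and `await createSealedSecretForTeam(team, 'challenge48secret', ...)`. A JSDoc `@returns`/`@throws` line would also help, since the function's only outcome is a side effect in the cluster.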
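Review bot: `console.log(list.items)` in `getSealedSecretsPublicKey` prints the full key Secret objects, whose `data` holds `tls.key` alongside `tls.crt`, to the balancer's stdout on every call; remove it, or log only `metadata.name`. The larger concern is that reading the controller's key Secret to obtain the public certificate requires the balancer's service account to read Secrets in `kube-system`, which is precisely the permission that lets anyone who compromises the balancer recover the sealing private key and unseal every SealedSecret in the cluster. The controller serves its certificate over its own Service (the `/v1/cert` endpoint that `kubeseal --fetch-cert` uses, if I recall its API correctly), which needs no Secret access at all. `secretName = list.items[0].metadata.name;` also creates an implicit global; declare it with `const` and guard the empty-list case.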
@@ -751,9 +778,9 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => { ); throw new Error( error.message || - error.body?.message || - 'Failed to create deployment for body: ' + - JSON.stringify(deploymentWrongSecretsConfig, null, 2) + error.body?.message || + 'Failed to create deployment for body: ' + + JSON.stringify(deploymentWrongSecretsConfig, null, 2) ); }); }; @@ -2524,6 +2551,7 @@ module.exports = { createK8sChallenge53DeploymentForTeam, getChallenge53InstanceForTeam, deleteChallenge53DeploymentForTeam, + createChallenge48SecretForTeam, // AWS functions createAWSSecretsProviderForTeam, diff --git a/wrongsecrets-balancer/src/teams/teams.js b/wrongsecrets-balancer/src/teams/teams.js index 9cb4124b..f88460d3 100644 --- a/wrongsecrets-balancer/src/teams/teams.js +++ b/wrongsecrets-balancer/src/teams/teams.js @@ -9,6 +9,8 @@ const promClient = require('prom-client'); const accessPassword = process.env.REACT_APP_ACCESS_PASSWORD; const hmac_key = process.env.REACT_APP_CREATE_TEAM_HMAC_KEY || 'hardcodedkey'; +const challenge48secret = cryptoRandomString({ length: 32 }).toUpperCase(); + const validator = expressJoiValidation.createValidator(); const k8sEnv = process.env.K8S_ENV || 'k8s'; const router = express.Router(); @@ -40,6 +42,7 @@ const { createRoleBindingForWebtop, createNSPsforTeam, createK8sChallenge53DeploymentForTeam, + createChallenge48SecretForTeam, } = require('../kubernetes'); const loginCounter = new promClient.Counter({ 
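Review bot: `challenge48secret` is generated once at module load, so every team created by this balancer process receives the same value, and a restart (or a second replica) produces a different one while already-sealed team secrets keep the old value. If one shared answer per deployment is intended, as `challenge33Value` appears to be, say so in a comment on the declaration and consider sourcing it from configuration so it is stable across restarts; if it is meant to be per team, move the generation into `createTeam`. Either way, confirm `cryptoRandomString` is already required at the top of teams.js, which is outside this hunk, and note that `.toUpperCase()` only preserves entropy when the generator's alphabet is case-insensitive (hex, the library default as far as I know).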
@@ -300,6 +303,15 @@ async function createTeam(req, res) { logger.error(`Error while creating challenge33 secretsfile ${team}: ${error}`); res.status(500).send({ message: 'Failed to Create Instance' }); } + + try { + logger.info(`Creating challenge48 secret for team '${team}'`); + await createChallenge48SecretForTeam(team, challenge48secret); + } catch (error) { + logger.error(`Error while creating challenge48 secret ${team}: ${error}`); + res.status(500).send({ message: 'Failed to Create Instance' }); + } + try { logger.info(`Creating WrongSecrets Deployment for team '${team}' with k8s (no cloud)`); await createK8sDeploymentForTeam({ team, passcodeHash: hash }); From f3f0c7e53a486d4d1c7207c33895e5e76b2c7233 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 16:01:52 +0200 Subject: [PATCH 2/8] fix: convert read to list --- wrongsecrets-balancer/src/kubernetes.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index b5857b60..7b7a3e19 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js @@ -346,7 +346,7 @@ const createSealedChallenge33SecretForTeam = async (team) => { */ const getSealedSecretsPublicKey = async () => { try { - const list = await k8sCoreApi.readNamespacedSecret({ + const list = await k8sCoreApi.listNamespacedSecret({ namespace: 'kube-system', labelSelector: { "sealedsecrets.bitnami.com/sealed-secrets-key": "active" }, }); @@ -356,7 +356,7 @@ const getSealedSecretsPublicKey = async () => { name: secretName, namespace: 'kube-system', }); - return response.data['tls.crt']; + return Buffer.from(response.data['tls.crt'], 'base64').toString('utf-8'); } catch (error) { logger.error('Failed to get Sealed Secrets public key:', error.body || error); throw new Error(`Failed to get public key: ${error.message}`); 
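Review bot: The new catch block sends a 500 but does not `return`, so the handler continues into the next `try` and will attempt a second response on the same request; it mirrors the challenge33 block just above, but both should `return res.status(500).send({ message: 'Failed to Create Instance' });`. Note too that `createChallenge48SecretForTeam` in kubernetes.js does not await its `createSealedSecretForTeam` call, so a failed SealedSecret creation rejects outside this `try` and is never reported as 'Failed to Create Instance'. `createTeam` starts and ends outside the hunk.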
From f1090dc9c22569d0b5c4c39676386a12f91235c8 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 16:13:54 +0200 Subject: [PATCH 3/8] fix: add logger --- wrongsecrets-balancer/src/kubernetes.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index 7b7a3e19..a52e63e5 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js @@ -350,7 +350,7 @@ const getSealedSecretsPublicKey = async () => { namespace: 'kube-system', labelSelector: { "sealedsecrets.bitnami.com/sealed-secrets-key": "active" }, }); - console.log(list.items); + logger.info(`Secret list: ${list.items}`); secretName = list.items[0].metadata.name; const response = await k8sCoreApi.readNamespacedSecret({ name: secretName, From 83879fa46f9ddd6ea2fe355b5589ba4ff5a8b31f Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 16:41:38 +0200 Subject: [PATCH 4/8] fix: linting --- wrongsecrets-balancer/src/kubernetes.js | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index a52e63e5..8edbf3ef 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js 
@@ -348,10 +348,12 @@ const getSealedSecretsPublicKey = async () => { try { const list = await k8sCoreApi.listNamespacedSecret({ namespace: 'kube-system', - labelSelector: { "sealedsecrets.bitnami.com/sealed-secrets-key": "active" }, + labelSelector: { 'sealedsecrets.bitnami.com/sealed-secrets-key': 'active' }, + limit: 1, }); + logger.info(`Anything? ${list}`); logger.info(`Secret list: ${list.items}`); - secretName = list.items[0].metadata.name; + const secretName = list.items.map((secret) => secret.metadata.name).find((name) => name); const response = await k8sCoreApi.readNamespacedSecret({ name: secretName, namespace: 'kube-system', @@ -778,9 +780,9 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => { ); throw new Error( error.message || - error.body?.message || - 'Failed to create deployment for body: ' + - JSON.stringify(deploymentWrongSecretsConfig, null, 2) + error.body?.message || + 'Failed to create deployment for body: ' + + JSON.stringify(deploymentWrongSecretsConfig, null, 2) ); }); }; From 88e0fefeabcad1d6fb89a6e9f2c7f8b2ec0923fb Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 17:07:43 +0200 Subject: [PATCH 5/8] add debug statements --- wrongsecrets-balancer/src/kubernetes.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index 8edbf3ef..087f8538 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js 
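Review bot: `.map((secret) => secret.metadata.name).find((name) => name)` quietly yields `undefined` when no Secret matched the label, which then surfaces as a confusing `readNamespacedSecret` failure for the name `undefined`; fail explicitly with `if (!secretName) throw new Error('No active sealed-secrets key found in kube-system');`. With `limit: 1` the code also takes whichever active key the API lists first; the controller keeps older keys labelled active after rotation and can unseal with any of them, as far as I recall, so this works, but it is not the newest key that `kubeseal` would use, and a comment should state that this is acceptable. The `Anything?` and `Secret list:` info logs are debugging output and should not reach main.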
@@ -259,7 +259,8 @@ const createChallenge33SecretForTeam = async (team) => { * @param {string} value - The challenge 48 secret */ const createChallenge48SecretForTeam = async (team, value) => { - const sealedSecretCert = getSealedSecretsPublicKey(); + const sealedSecretCert = await getSealedSecretsPublicKey(); + logger.info(`Cert: ${sealedSecretCert}`); const cert = forge.pki.certificateFromPem(sealedSecretCert); const key = cert.publicKey; const encrypted = key.encrypt(value, 'RSA-OAEP', { @@ -780,9 +781,9 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => { ); throw new Error( error.message || - error.body?.message || - 'Failed to create deployment for body: ' + - JSON.stringify(deploymentWrongSecretsConfig, null, 2) + error.body?.message || + 'Failed to create deployment for body: ' + + JSON.stringify(deploymentWrongSecretsConfig, null, 2) ); }); }; From e3a3f23692f61d27a8b19f4ab790da6dbdb56a26 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 19:56:36 +0200 Subject: [PATCH 6/8] fix: secret data diagnostics --- cleaner/Dockerfile | 2 +- wrongsecrets-balancer/src/kubernetes.js | 24 +++++++++--------------- 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/cleaner/Dockerfile b/cleaner/Dockerfile index 5c81949d..21c9ad32 100644 --- a/cleaner/Dockerfile +++ b/cleaner/Dockerfile @@ -1,4 +1,4 @@ -FROM node:20-alpine as build +FROM node:20-alpine AS build RUN mkdir -p /home/app WORKDIR /home/app COPY package.json package-lock.json ./ diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index 087f8538..7cd7b8eb 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js 
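Review bot: `logger.info(`Cert: ${sealedSecretCert}`)` writes the full PEM certificate at info level on every team creation; the certificate is public so nothing secret leaks, but it is noise, and a debug-level log of the certificate's subject would serve the same diagnostic purpose. The added `await` is the right fix; the remainder of `createChallenge48SecretForTeam`, including its still un-awaited `createSealedSecretForTeam` call, lies outside this hunk.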
@@ -260,18 +260,15 @@ const createChallenge33SecretForTeam = async (team) => { */ const createChallenge48SecretForTeam = async (team, value) => { const sealedSecretCert = await getSealedSecretsPublicKey(); - logger.info(`Cert: ${sealedSecretCert}`); const cert = forge.pki.certificateFromPem(sealedSecretCert); const key = cert.publicKey; const encrypted = key.encrypt(value, 'RSA-OAEP', { md: forge.md.sha256.create(), mgf1: { md: forge.md.sha1.create() }, }); - createSealedSecretForTeam( - team, - 'challenge48secret', - Buffer.from(encrypted, 'binary').toString('base64') - ); + const secretData = Buffer.from(encrypted, 'binary').toString('base64'); + + createSealedSecretForTeam(team, 'challenge48secret', secretData.toString()); }; /** @@ -282,8 +279,7 @@ const createChallenge48SecretForTeam = async (team, value) => { */ const createSealedSecretForTeam = async (team, secretName, secretData) => { try { - // Note: In production, you would seal the data using kubeseal CLI or the controller's public key - // For this example, we're creating a template that would need to be sealed externally + logger.info(`Secret data: ${secretData}`); const sealedSecretManifest = { apiVersion: 'bitnami.com/v1alpha1', kind: 'SealedSecret', @@ -308,7 +304,7 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => { }, type: 'Opaque', }, - encryptedData: secretData, // This should be pre-sealed data + encryptedData: { secret: secretData }, }, }; 
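Review bot: `logger.info(`Secret data: ${secretData}`)` logs whatever `createSealedSecretForTeam` is handed at info level; today that is sealed ciphertext, which is safe to expose, but this is a generic helper and nothing prevents a future caller from passing plaintext, so log `secretName` and `Object.keys(secretData)` rather than the values. `secretData.toString()` on a string is a no-op, and the `createSealedSecretForTeam(...)` call is still not awaited, so a rejected create is an unhandled rejection rather than an error the caller sees. Hard-coding the `secret` key inside the generic helper also ties every caller to that key name.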
@@ -349,11 +345,9 @@ const getSealedSecretsPublicKey = async () => { try { const list = await k8sCoreApi.listNamespacedSecret({ namespace: 'kube-system', - labelSelector: { 'sealedsecrets.bitnami.com/sealed-secrets-key': 'active' }, + labelSelector: 'sealedsecrets.bitnami.com/sealed-secrets-key=active', limit: 1, }); - logger.info(`Anything? ${list}`); - logger.info(`Secret list: ${list.items}`); const secretName = list.items.map((secret) => secret.metadata.name).find((name) => name); const response = await k8sCoreApi.readNamespacedSecret({ name: secretName, @@ -781,9 +775,9 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => { ); throw new Error( error.message || - error.body?.message || - 'Failed to create deployment for body: ' + - JSON.stringify(deploymentWrongSecretsConfig, null, 2) + error.body?.message || + 'Failed to create deployment for body: ' + + JSON.stringify(deploymentWrongSecretsConfig, null, 2) ); }); }; From 7e840adb9143634f7709c3871276b1ecca616533 Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 21:33:03 +0200 Subject: [PATCH 7/8] fix: make challenge 48 run --- wrongsecrets-balancer/src/kubernetes.js | 29 +++++++++++++------------ 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index 7cd7b8eb..a2cae027 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js 
@@ -255,10 +255,9 @@ const createChallenge33SecretForTeam = async (team) => {
 };
 
 /**
- * @param {string} team - The team name
- * @param {string} value - The challenge 48 secret
+ * @param {string} value - the value to be sealed
 */
-const createChallenge48SecretForTeam = async (team, value) => {
+const sealSecret = async (value) => {
 const sealedSecretCert = await getSealedSecretsPublicKey();
 const cert = forge.pki.certificateFromPem(sealedSecretCert);
 const key = cert.publicKey;
@@ -266,9 +265,16 @@ const createChallenge48SecretForTeam = async (team, value) => {
 md: forge.md.sha256.create(),
 mgf1: { md: forge.md.sha1.create() },
 });
- const secretData = Buffer.from(encrypted, 'binary').toString('base64');
+ return Buffer.from(encrypted, 'binary').toString('base64');
+};
 
- createSealedSecretForTeam(team, 'challenge48secret', secretData.toString());
+/**
+ * @param {string} team - The team name
+ * @param {string} value - The challenge 48 secret
+ */
+const createChallenge48SecretForTeam = async (team, value) => {
+ const secretValue = await sealSecret(value);
+ createSealedSecretForTeam(team, 'challenge48secret', { secret: secretValue });
 };
 
 /**
@@ -279,7 +285,7 @@ const createChallenge48SecretForTeam = async (team, value) => {
 */
 const createSealedSecretForTeam = async (team, secretName, secretData) => {
 try {
- logger.info(`Secret data: ${secretData}`);
+ logger.info(`Secret name: ${secretName}, Secret data: ${JSON.stringify(secretData)}`);
 const sealedSecretManifest = {
 apiVersion: 'bitnami.com/v1alpha1',
 kind: 'SealedSecret',
@@ -304,7 +310,7 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => {
 },
 type: 'Opaque',
 },
- encryptedData: { secret: secretData },
+ encryptedData: secretData,
 },
 };
 
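Review bot: `sealSecret` encrypts the plaintext directly with RSA-OAEP (SHA-256 digest, SHA-1 MGF1, no label) and places the base64 result straight into `encryptedData`, but the sealed-secrets controller unseals a different layout as far as I recall its code: a random AES-256-GCM session key wrapped with RSA-OAEP using SHA-256 for both digest and MGF1 and the scope (`namespace/name`, `namespace`, or empty for cluster-wide) as the OAEP label, then the AES-GCM ciphertext of the value, with a two-byte length prefix on the wrapped key. Please verify against a running controller that the Secret actually materialises in `t-<team>` with the expected value, and if the format is reproduced by hand, add a comment pointing at the controller's `HybridEncrypt` so the next maintainer knows what is being imitated. `createChallenge48SecretForTeam` still does not await the create; change it to `await createSealedSecretForTeam(team, 'challenge48secret', { secret: secretValue });`.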
@@ -329,13 +335,8 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => { * @param {string} team - The team name */ const createSealedChallenge33SecretForTeam = async (team) => { - const secretName = 'challenge33'; - const secretData = { - // Note: These values should be sealed using kubeseal before deployment - answer: challenge33Value || 'default-challenge33-value', - }; - - return createSealedSecretForTeam(team, secretName, secretData); + const secretValue = await sealSecret(challenge33Value || 'default-challenge33-value'); + return createSealedSecretForTeam(team, 'challenge33', { answer: secretValue }); }; /** From 7297baa26e4013f3c6c68117ff7d0a12e7a07ece Mon Sep 17 00:00:00 2001 From: Ben de Haan <53901866+bendehaan@users.noreply.github.com> Date: Tue, 1 Jul 2025 23:52:05 +0200 Subject: [PATCH 8/8] fix: add ns scope --- build-and-deploy.sh | 2 +- wrongsecrets-balancer/package-lock.json | 8 ++++++++ wrongsecrets-balancer/package.json | 1 + wrongsecrets-balancer/src/kubernetes.js | 26 +++++++------------------ 4 files changed, 17 insertions(+), 20 deletions(-) diff --git a/build-and-deploy.sh b/build-and-deploy.sh index 9585fe4a..ff1b3bd8 100755 --- a/build-and-deploy.sh +++ b/build-and-deploy.sh 
@@ -18,7 +18,7 @@ WEBTOP_IMAGE=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop WEBTOP_TAG=$(cat helm/wrongsecrets-ctf-party/values.yaml | yq '.virtualdesktop.tag') echo "doing workaround for sealed secrets" helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets -helm install ws-sealedsecrets sealed-secrets/sealed-secrets --namespace kube-system +helm install ws-sealedsecrets sealed-secrets/sealed-secrets --namespace kube-system --set-string fullnameOverride=sealed-secrets-controller echo "Pulling in required images to actually run $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG & $WEBTOP_IMAGE:$WEBTOP_TAG." echo "If you see an authentication failure: pull them manually by the following 2 commands" echo "'docker pull $WRONGSECRETS_IMAGE:$WRONGSECRETS_TAG'" diff --git a/wrongsecrets-balancer/package-lock.json b/wrongsecrets-balancer/package-lock.json index a85a5a1e..061ec426 100644 --- a/wrongsecrets-balancer/package-lock.json +++ b/wrongsecrets-balancer/package-lock.json @@ -35,6 +35,7 @@ "devDependencies": { "@eslint/eslintrc": "^3.1.0", "@eslint/js": "^9.14.0", + "@types/bcryptjs": "^2.4.6", "cookie-signature": "^1.2.2", "eslint": "^9.14.0", "eslint-plugin-prettier": "^5.2.1", @@ -1709,6 +1710,13 @@ "@babel/types": "^7.20.7" } }, + "node_modules/@types/bcryptjs": { + "version": "2.4.6", + "resolved": "https://registry.npmjs.org/@types/bcryptjs/-/bcryptjs-2.4.6.tgz", + "integrity": "sha512-9xlo6R2qDs5uixm0bcIqCeMCE6HiQsIyel9KQySStiyqNl2tnj2mP3DX1Nf56MD6KMenNNlBBsy3LJ7gUEQPXQ==", + "dev": true, + "license": "MIT" + }, "node_modules/@types/caseless": { "version": "0.12.5", "resolved": "https://registry.npmjs.org/@types/caseless/-/caseless-0.12.5.tgz", diff --git a/wrongsecrets-balancer/package.json b/wrongsecrets-balancer/package.json index 18ad7baf..88387b02 100644 --- a/wrongsecrets-balancer/package.json +++ b/wrongsecrets-balancer/package.json 
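Review bot: The `helm install` still pins no chart version, so each run pulls whatever `sealed-secrets/sealed-secrets` is latest and the controller image drifts between environments; add `--version <chart version>` and record it alongside the other pinned tags this script reads from values.yaml. `helm install` also fails on a second run because the release already exists; `helm upgrade --install` is the idempotent form. The `fullnameOverride` is what makes the Deployment name match `checkSealedSecretsController` in kubernetes.js, which deserves a one-line comment here so the two do not drift apart.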
@@ -37,6 +37,7 @@ "devDependencies": { "@eslint/eslintrc": "^3.1.0", "@eslint/js": "^9.14.0", + "@types/bcryptjs": "^2.4.6", "cookie-signature": "^1.2.2", "eslint": "^9.14.0", "eslint-plugin-prettier": "^5.2.1", diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index a2cae027..e658c48a 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js @@ -132,7 +132,7 @@ const checkSealedSecretsController = async () => { const response = await safeApiCall( () => k8sAppsApi.readNamespacedDeployment({ - name: 'ws-sealedsecrets-sealed-secrets', + name: 'sealed-secrets-controller', namespace: 'kube-system', }), 'Check Sealed Secrets controller' @@ -297,6 +297,9 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => { 'app.kubernetes.io/instance': `wrongsecrets-${team}`, 'app.kubernetes.io/part-of': 'wrongsecrets-ctf-party', }, + annotations: { + 'sealedsecrets.bitnami.com/namespace-wide': 'true', + }, }, spec: { template: { @@ -307,6 +310,9 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => { 'app.kubernetes.io/name': 'wrongsecrets', 'app.kubernetes.io/instance': `wrongsecrets-${team}`, }, + annotations: { + 'sealedsecrets.bitnami.com/namespace-wide': 'true', + }, }, type: 'Opaque', }, @@ -330,15 +336,6 @@ const createSealedSecretForTeam = async (team, secretName, secretData) => { } }; -/** - * Create a sealed secret for challenge 33 specific to the team - * @param {string} team - The team name - */ -const createSealedChallenge33SecretForTeam = async (team) => { - const secretValue = await sealSecret(challenge33Value || 'default-challenge33-value'); - return createSealedSecretForTeam(team, 'challenge33', { answer: secretValue }); -}; - /** * Get the Sealed Secrets controller public key for sealing secrets */ 
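Review bot: The `sealedsecrets.bitnami.com/namespace-wide` annotation relaxes the scope the controller enforces when unsealing: the SealedSecret may then be renamed within `t-<team>`, and, as I understand the controller's scheme, the OAEP label it expects becomes the namespace name, yet `sealSecret` (outside this hunk) still seals with no label, so confirm that unsealing actually succeeds rather than silently leaving the Secret absent. Copying the same annotation onto `spec.template.metadata.annotations` only propagates it to the generated Secret, where it has no effect; keep it once on the SealedSecret's own metadata with a comment stating why strict scope was not used, e.g. `// namespace-wide: accept this SealedSecret under any name inside the team namespace`. The unrelated `@types/bcryptjs` devDependency in this commit should travel in its own change.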
@@ -582,14 +579,6 @@ const deleteChallenge53DeploymentForTeam = async (team) => {
 * Enhanced deployment creation with SealedSecret integration
 */
 const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => {
- // Check if we should use SealedSecrets
- const useSealedSecrets = await checkSealedSecretsController();
-
- if (useSealedSecrets) {
- // Create sealed secrets for the team
- await createSealedChallenge33SecretForTeam(team);
- }
-
 const deploymentWrongSecretsConfig = {
 metadata: {
 namespace: `t-${team}`,
@@ -2542,7 +2531,6 @@ module.exports = {
 createSecretsfileForTeam,
 createChallenge33SecretForTeam,
 createSealedSecretForTeam,
- createSealedChallenge33SecretForTeam,
 getSealedSecretsPublicKey,
 createNameSpaceForTeam,
 createK8sDeploymentForTeam,
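Review bot: Dropping the `checkSealedSecretsController()` gate here leaves that function unused, while `createTeam` in teams.js (patch 1 of this series) now calls `createChallenge48SecretForTeam` unconditionally, so a cluster without the controller fails every team creation with a 500 instead of skipping sealed secrets as the old gate did for challenge 33. Either reuse the check in `createTeam`, `if (await checkSealedSecretsController()) { await createChallenge48SecretForTeam(team, challenge48secret); }`, or delete `checkSealedSecretsController` so it does not look like a safety net that is still wired up. `createK8sDeploymentForTeam` continues past the hunk.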