In this setup we integrate the secrets-exercise online with AWS EKS and let Pods consume secrets from the AWS Parameter Store and AWS Secrets Manager. We use managed node groups so as we don't want the hassle of managing the EC2 instances ourselves, and Fargate doesn't suit our needs since we use a StatefulSet. If you want to know more about integrating secrets with EKS, check EKS and SSM Parameter Store and EKS and Secrets Manager. Please make sure that the account in which you run this exercise has either CloudTrail enabled, or is not linked to your current organization and/or DTAP environment.
Have the following tools installed:
- AWS CLI - Installation
- EKS CTL - Installation
- Tfenv (Optional) - Installation
- Terraform CLI - Installation
- Wget - Installation
- Helm Installation
- Kubectl Installation
- jq Installation
Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as awsuser.
First, we want to create a shared state. We've provided the terraform code for this in the shared-state subfolder.
To create an s3 bucket (optionally add -var="region=YOUR_DESIRED_REGION" to the apply to use a region other than the default eu-west-1):
cd shared-state
terraform init
terraform applyThe bucket name should be in the output. Please use that to configure the Terraform backend in main.tf.
The bucket ARN will be printed, make a note of this as it will be used in the next steps. It should look something like arn:aws:s3:::terraform-20230102231352749300000001.
The terraform code is loosely based on this EKS managed Node Group TF example.
Note: Applying the Terraform means you are creating cloud infrastructure which actually costs you money. the current boundary is 50 t3a-(X)large nodes. Please adapt the servers you deploy to in main.tf in this folder to your liking to reduce possible costs. Note that this project can run on a single T3A-Large instance, but this would require reducing the amount of wrongsecretbalancers to 1 (balancer.replicas=1). The authors are not responsible for any cost coming from following the instructions below.
Note-II: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
- export your AWS credentials (
export AWS_PROFILE=awsuser) - check whether you have the right profile by doing
aws sts get-caller-identity. Make sure you have the right account and have the rights to do this. - Do
terraform init(if required, use tfenv to select TF 0.14.0 or higher ) - The bucket ARN will be asked in the next 2 steps. Take the one provided to you in the output earlier (e.g.,
arn:aws:s3:::terraform-20230102231352749300000001). - Do
terraform plan - Do
terraform apply. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane. - When creation is done, do
aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets - Do
export KUBECONFIG=~/.kube/wrongsecrets - Run
./build-and-deploy-aws.shto install all the required materials (helm for calico, secrets management, autoscaling, etc.)
Your EKS cluster should be visible in eu-west-1 by default. Want a different region? You can modify terraform.tfvars or input it directly using the region variable in plan/apply.
Are you done playing? Please run terraform destroy twice to clean up (first in the main aws folder, then the shared-state subfolder).
When you have completed the installation steps, you can do kubectl port-forward service/wrongsecrets-balancer 3000:3000 and then go to http://localhost:3000.
Want to know how well your cluster is holding up? Check with
kubectl top nodes
kubectl top podsYou can use the Juiceshop CTF CLI to generate CTFd configuration files.
Follow the following steps:
npm install -g juice-shop-ctf-cli@9.1.2
juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'test', by default feel free to enable hints. We do not support snippets or links/urls to code or hints.Now visit the CTFd instance and setup your CTF. If you haven't set up a load balancer/ingress, the you can use kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "app.kubernetes.io/name=ctfd,app.kubernetes.io/instance=ctfd" -o jsonpath="{.items[0].metadata.name}") 8000:8000 and go to localhost:8000 to visit CTFd.
!!NOTE: The following can be dangerous if you use CTFd >= 3.5.0 with wrongsecrets < 1.5.11. Check the challenges.json and make sure it's 1-indexed - a 0-indexed file will break CTFd! /NOTE!!
Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command. After that you will still need to override the flags with their actual values if you do use the 2-domain configuration. For a guide on how to do this see the 2-domain setup steps in the general README Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
Want to make the CTFD instance look pretty? Include the fragment located at ./k8s/ctfd_resources/index_fragment.html in your index.html via the admin panel.
In the front page of the application you can edit the description to reference the right urls and the desplayed image. Use the following:
helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
--set="balancer.env.REACT_APP_MOVING_GIF_LOGO=<>" \
--set="balancer.env.REACT_APP_HEROKU_WRONGSECRETS_URL=<>" \
--set="balancer.env.REACT_APP_CTFD_URL='<>'" \For a guide on how to use the monitoring setup, see the monitoring guide.
When you're done:
- Kill the port forward.
- Run the cleanup script:
./cleanup-aws-autoscaling-and-helm.sh - Run
terraform destroyto clean up the infrastructure.- If you've deployed the
shared-states3 bucket, alsocd shared-stateandterraform destroythere.
- If you've deployed the
- Run
unset KUBECONFIGto unset the KUBECONFIG env var. - Run
rm ~/.kube/wrongsecretsto remove the kubeconfig file. - Run
rm terraform.tfstate*to remove local state files.
- Does your worker node now have access as well?
- Can you easily obtain the instance profile of the Node?
- Can you get the secrets in the SSM Parameter Store and Secrets Manager easily? Which paths do you see?
- Which of the 2 (SSM Parameter Store and Secrets Manager) works cross-account?
- If you have applied the secrets to the cluster, you should see at the configuration details of the cluster that Secrets encryption is "Disabled", what does that mean?
We added additional scripts for adding an ALB and ingress so that you can use your cloudsetup with multiple people. Do the following:
- Follow the installation section first.
- Run
./k8s-aws-alb-script.shand the script will return the url at which you can reach the application. (Be aware this opens the url's to the internet in general, if you'd like to limit the access please do this using the security groups in AWS) - When you are done, before you do cleanup, first run
./k8s-aws-alb-script-cleanup.sh.
Note that you might have to do some manual cleanups after that.
The documentation below is auto-generated to give insight on what's created via Terraform.
| Name | Version |
|---|---|
| terraform | ~> 1.1 |
| aws | ~> 5.0 |
| http | ~> 3.1 |
| random | ~> 3.0 |
| Name | Version |
|---|---|
| aws | 5.47.0 |
| http | 3.4.2 |
| random | 3.6.1 |
| Name | Source | Version |
|---|---|---|
| cluster_autoscaler_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.39.0 |
| ebs_csi_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.39.0 |
| eks | terraform-aws-modules/eks/aws | 20.8.5 |
| load_balancer_controller_irsa_role | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.39.0 |
| vpc | terraform-aws-modules/vpc/aws | ~> 5.8.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_name | The EKS cluster name | string |
"wrongsecrets-exercise-cluster" |
no |
| cluster_version | The EKS cluster version to use | string |
"1.28" |
no |
| extra_allowed_ip_ranges | Allowed IP ranges in addition to creator IP | list(string) |
[] |
no |
| region | The AWS region to use | string |
"eu-west-1" |
no |
| state_bucket_arn | ARN of the state bucket to grant access to the s3 user | string |
n/a | yes |
| Name | Description |
|---|---|
| cluster_autoscaler_role | Cluster autoscaler role |
| cluster_autoscaler_role_arn | Cluster autoscaler role arn |
| cluster_endpoint | Endpoint for EKS control plane. |
| cluster_id | The id of the cluster |
| cluster_name | The EKS cluster name |
| cluster_security_group_id | Security group ids attached to the cluster control plane. |
| ebs_role | EBS CSI driver role |
| ebs_role_arn | EBS CSI driver role |
| irsa_role | The role name used in the IRSA setup |
| irsa_role_arn | The role ARN used in the IRSA setup |
| load_balancer_controller_role | Load balancer controller role |
| load_balancer_controller_role_arn | Load balancer controller role arn |
| secrets_manager_secret_name | The name of the secrets manager secret |
| state_bucket_name | Terraform s3 state bucket name |