
Commit 323dc47

implrsroettger
andauthored
Large batch dependency update (#415)
Updated operator-framework, k8s, controller-runtime, gke-managed-certs, golang, builder ubuntu images and so many other transitive things. Got rid of bundles and switched to a unified install.yaml (pretty much the same as the old operator.yaml) --------- Co-authored-by: sroettger <[email protected]>
1 parent 1b309e8 commit 323dc47


50 files changed

+21062
-29701
lines changed

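--- a/.github/workflows/update-images.yaml
+++ b/.github/workflows/update-images.yaml
@@ -19,7 +19,7 @@ env:
 
 jobs:
 build-docker:
-runs-on: ubuntu-latest
+runs-on: ubuntu-22.04
 if: github.event_name == 'push'
 outputs:
 challenge-modified: ${{ steps.set-modified.outputs.challenge-modified }}
@@ -34,7 +34,7 @@ jobs:
 matrix:
 image: ["challenge", "healthcheck", "gcsfuse", "certbot"]
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v4
 with:
 fetch-depth: 0
 
@@ -78,20 +78,20 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v4
 with:
-python-version: '3.7'
+python-version: '3.13.2'
 
 - name: 'Set up Cloud SDK auth'
-uses: 'google-github-actions/auth@v0'
+uses: 'google-github-actions/auth@v1'
 with:
 # not using workload identity because we use gsutil
 # TODO(evn) switch when supported
 # https://github.com/google-github-actions/setup-gcloud#authorization
 credentials_json: '${{ secrets.GKE_KEY }}'
 
 - name: 'Set up Cloud SDK'
-uses: 'google-github-actions/setup-gcloud@v0'
+uses: 'google-github-actions/setup-gcloud@v2'
 with:
-version: '319.0.0'
+version: '516.0.0'
 service_account_email: ${{ secrets.GKE_EMAIL }}
 
 - name: Configure docker to use the gcloud command-line tool as a credential helper
@@ -109,7 +109,7 @@ jobs:
 echo "::set-output name=${{ matrix.image }}-digest::${DIGEST}"
 
 build-operator:
-runs-on: ubuntu-latest
+runs-on: ubuntu-22.04
 needs:
 - build-docker
 if: github.event_name == 'push'
@@ -162,15 +162,15 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v4
 with:
-python-version: '3.7'
+python-version: '3.13.2'
 
 - name: Export gcloud related env variable
 run: export CLOUDSDK_PYTHON="/usr/bin/python3"
 
 - name: 'Set up Cloud SDK'
-uses: 'google-github-actions/setup-gcloud@v0'
+uses: 'google-github-actions/setup-gcloud@v2'
 with:
-version: '319.0.0'
+version: '516.0.0'
 service_account_email: ${{ secrets.GKE_EMAIL }}
 
 - name: Configure docker to use the gcloud command-line tool as a credential helper
@@ -179,19 +179,23 @@ jobs:
 gcloud auth configure-docker
 
 - name: 'Setup go version necessary for operator'
-uses: actions/setup-go@v2
+uses: actions/setup-go@v5
 with:
-go-version: '1.16.0'
+go-version: '1.24.1'
 
 - name: Build image
 if: steps.modified.outputs.modified
 run: |
+curl -L https://storage.googleapis.com/etcd/v3.5.19/etcd-v3.5.19-linux-amd64.tar.gz -o /tmp/etcd.tar.gz
+sudo tar xzvf /tmp/etcd.tar.gz -C /usr/local/bin/ --strip-components=1
 cd kctf-operator
-curl -L https://github.com/operator-framework/operator-sdk/releases/download/v1.15.0/operator-sdk_linux_amd64 -o operator-sdk
+curl -L https://github.com/operator-framework/operator-sdk/releases/download/v1.36.0/operator-sdk_linux_amd64 -o operator-sdk
 chmod u+x operator-sdk
 sudo mv operator-sdk /usr/local/bin/
-make controller-gen
-make manifests docker-build IMG=kctf-operator
+make test
+make docker-build IMG=kctf-operator
+make build-installer IMG=kctf-operator
+mv dist/install.yaml ../dist/resources/install.yaml
 
 - id: push
 name: Push images
@@ -203,7 +207,9 @@ jobs:
 echo "::set-output name=kctf-operator-digest::${DIGEST}"
 
 update-image-and-commit:
-runs-on: ubuntu-latest
+runs-on: ubuntu-22.04
+permissions:
+contents: write
 needs:
 - build-docker
 - build-operator
@@ -246,7 +252,7 @@ jobs:
 if: needs.build-operator.outputs.kctf-operator-modified
 run: |
 IMAGE="gcr.io/${{ secrets.GCR_PROJECT }}/kctf-operator@${{ needs.build-operator.outputs.kctf-operator-digest }}"
-sed -i "s#image: .*kctf-operator.*#image: ${IMAGE}#" dist/resources/operator.yaml
+sed -i "s#image: .*kctf-operator.*#image: ${IMAGE}#" dist/resources/install.yaml
 
 - name: Download kubectl
 run: |
@@ -257,7 +263,7 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v4
 with:
-python-version: '3.7'
+python-version: '3.13.2'
 
 - name: Export gcloud related env variable
 run: export CLOUDSDK_PYTHON="/usr/bin/python3"
@@ -271,7 +277,7 @@ jobs:
 credentials_json: '${{ secrets.GKE_KEY }}'
 
 - name: 'Set up Cloud SDK'
-uses: 'google-github-actions/setup-gcloud@v0'
+uses: 'google-github-actions/setup-gcloud@v2'
 with:
 service_account_email: ${{ secrets.GKE_EMAIL }}
 install_components: 'gke-gcloud-auth-plugin'
@@ -334,9 +340,8 @@ jobs:
 run: |
 # git add returns success for files that exist and haven't been modified
 git add kctf-operator/resources/constants.go
-git add dist/resources/operator.yaml
+git add dist/resources/install.yaml
 git add kctf-operator/config/crd/bases/kctf.dev_challenges.yaml
-git add dist/resources/kctf.dev_challenges.yaml
 for dir in dist/challenge-templates/* samples/*; do
 if [[ ! -e "${dir}/challenge.yaml" ]]; then
 continue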
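Review bot: The two new downloads in the `Build image` step of `build-operator`, the etcd tarball and the operator-sdk binary, are fetched with `curl -L` and then unpacked or installed under sudo with no `-f` and no integrity check, so an HTTP error body or a tampered artefact would land in `/usr/local/bin` and be used to build the operator image that the next step pushes. `dist/activate` in this same commit pins a sha256 for every kubectl download, and the same pattern fits here: `curl -fL <url> -o /tmp/etcd.tar.gz && echo "<expected-sha256>  /tmp/etcd.tar.gz" | sha256sum -c -` before the `tar` line, and likewise for `operator-sdk`. `tar xzvf ... -C /usr/local/bin/ --strip-components=1` also drops every top-level entry of the release tarball into a PATH directory, presumably more than the `etcd` binary the tests need; extracting only the member you use keeps the runner tidier.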

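--- a/dist/activate
+++ b/dist/activate
@@ -19,8 +19,8 @@ if [[ "$OSTYPE" =~ ^darwin.* ]]; then
 KCTF_KIND_URL="https://kind.sigs.k8s.io/dl/v0.11.1/kind-darwin-amd64"
 KCTF_KIND_HASH="432bef555a70e9360b44661c759658265b9eaaf7f75f1beec4c4d1e6bbf97ce3"
 
-KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.20.4/bin/darwin/amd64/kubectl"
-KCTF_KUBECTL_HASH="37f593731b8c9913bf2a3bfa36dacb3058dc176c7aeae2930c783822ea03a573"
+KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.29.3/bin/darwin/amd64/kubectl"
+KCTF_KUBECTL_HASH="1a1f9040bce74fb28c475dc157a86565fcabf883a697ca576993ab8372935836"
 
 STAT="gstat"
 MKTEMP="gmktemp"
@@ -38,8 +38,8 @@ else
 KCTF_KIND_URL="https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64"
 KCTF_KIND_HASH="949f81b3c30ca03a3d4effdecda04f100fa3edc07a28b19400f72ede7c5f0491"
 
-KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.20.4/bin/linux/amd64/kubectl"
-KCTF_KUBECTL_HASH="98e8aea149b00f653beeb53d4bd27edda9e73b48fed156c4a0aa1dabe4b1794c"
+KCTF_KUBECTL_URL="https://dl.k8s.io/release/v1.29.3/bin/linux/amd64/kubectl"
+KCTF_KUBECTL_HASH="89c0435cec75278f84b62b848b8c0d3e15897d6947b6c59a49ddccd93d7312bf"
 
 STAT="stat"
 MKTEMP="mktemp"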

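--- a/dist/bin/kctf-cluster
+++ b/dist/bin/kctf-cluster
@@ -393,24 +393,24 @@ function kctf_cluster_ip_ranges {
 set_cloud_armor_policy "${RANGES}" || return
 
 # stop the operator
-"${KCTF_BIN}/yq" eval "select(.kind == \"Deployment\")" "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" \
+"${KCTF_BIN}/yq" eval "select(.kind == \"Deployment\")" "${KCTF_CTF_DIR}/kctf/resources/install.yaml" \
 | "${KCTF_BIN}/kubectl" delete -f - || return
 
 start_operator_gce || return
 }
 
 function start_operator_gce {
 if [[ "${DISABLE_SRC_RANGES}" == "1" ]]; then
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" || return
+"${KCTF_BIN}/kubectl" apply --server-side -f "${KCTF_CTF_DIR}/kctf/resources/install.yaml" || return
 else
 get_cloud_armor_policy || return
 RANGES=$ret
 SUFFIX=$(echo "${PROJECT}-${CLUSTER_NAME}-${ZONE}" | sha1sum)
 POLICY_NAME="kctf-policy-${SUFFIX:0:16}"
 # restart the operator with the new range
-"${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"ALLOWED_IPS\").value) |= \"${RANGES}\"" "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" \
+"${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"ALLOWED_IPS\").value) |= \"${RANGES}\"" "${KCTF_CTF_DIR}/kctf/resources/install.yaml" \
 | "${KCTF_BIN}/yq" eval "(select(.kind == \"Deployment\").spec.template.spec.containers[] | select(.name == \"manager\").env[] | select(.name == \"SECURITY_POLICY\").value) |= \"${POLICY_NAME}\"" - \
-| "${KCTF_BIN}/kubectl" apply -f - || return
+| "${KCTF_BIN}/kubectl" apply --server-side -f - || return
 fi
 }
 
@@ -441,17 +441,13 @@ function create_cloud_armor_policy {
 }
 
 function create_operator {
-# Creating CRD, rbac and operator
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf.dev_challenges.yaml" || return
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml" || return
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-manager-config_v1_configmap.yaml" || return
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/kctf-operator-controller-manager-metrics-service_v1_service.yaml" || return
+# install.yaml is an unified file for creating CRD, rbac and operator
 if [[ "$CLUSTER_TYPE" == "gce" ]]; then
 start_operator_gce || return
 else
-"${KCTF_BIN}/kubectl" apply -f "${KCTF_CTF_DIR}/kctf/resources/operator.yaml" || return
+"${KCTF_BIN}/kubectl" apply --server-side -f "${KCTF_CTF_DIR}/kctf/resources/install.yaml" || return
 fi
-OPERATOR_IMAGE=$("${KCTF_BIN}/yq" eval '.spec.template.spec.containers[].image | select(.=="*kctf-operator*")' "${KCTF_CTF_DIR}/kctf/resources/operator.yaml")
+OPERATOR_IMAGE=$("${KCTF_BIN}/yq" eval '.spec.template.spec.containers[].image | select(.=="*kctf-operator*")' "${KCTF_CTF_DIR}/kctf/resources/install.yaml")
 if [[ $? -ne 0 ]]; then
 echo "Failed to find the operator image." >&2
 return 1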
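Review bot: In `create_operator`, the `OPERATOR_IMAGE` lookup now runs `.spec.template.spec.containers[].image` against every document of the multi-document `install.yaml` without the `select(.kind == "Deployment")` filter that the two other `install.yaml` reads in this file apply, so the CRD, RBAC and Service documents are fed into the same path expression; whether that yields nothing or an error depends on the yq version, so filter first: `'select(.kind == "Deployment") | .spec.template.spec.containers[].image | select(.=="*kctf-operator*")'`. Switching these applies to `--server-side` on a cluster whose operator was originally client-side applied may surface field-manager conflicts on the existing Deployment; if upgrades of existing clusters are expected, that is worth a test or an upgrade note. The new comment reads better as `# install.yaml is a unified file for creating CRD, rbac and operator`.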

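--- a/dist/challenge-templates/pwn/challenge/Dockerfile
+++ b/dist/challenge-templates/pwn/challenge/Dockerfile
@@ -13,12 +13,13 @@
 # limitations under the License.
 FROM ubuntu:24.04 as chroot
 
-RUN /usr/sbin/useradd --no-create-home -u 1000 user
+# ubuntu24 includes the ubuntu user by default
+RUN /usr/sbin/userdel -r ubuntu && /usr/sbin/useradd --no-create-home -u 1000 user
 
 COPY flag /
 COPY chal /home/user/
 
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 COPY --from=chroot / /chroot
 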
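Review bot: The new comment above `userdel -r ubuntu` says the ubuntu user exists but not why it has to go; the reason is that it occupies UID 1000, which the following `useradd -u 1000 user` needs, and `-r` additionally removes its home directory from the chroot. Suggest `# ubuntu:24.04 ships a default "ubuntu" user at UID 1000; remove it (and its home) so "user" can take UID 1000`. The same comment and line appear in dist/challenge-templates/web/challenge/Dockerfile.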
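--- a/dist/challenge-templates/pwn/healthcheck/Dockerfile
+++ b/dist/challenge-templates/pwn/healthcheck/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/
 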
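--- a/dist/challenge-templates/web/challenge/Dockerfile
+++ b/dist/challenge-templates/web/challenge/Dockerfile
@@ -13,17 +13,16 @@
 # limitations under the License.
 FROM ubuntu:24.04 as chroot
 
-RUN /usr/sbin/useradd -u 1000 user
+# ubuntu24 includes the ubuntu user by default
+RUN /usr/sbin/userdel -r ubuntu && /usr/sbin/useradd --no-create-home -u 1000 user
 
 RUN apt-get update \
 && apt-get install -yq --no-install-recommends \
 curl ca-certificates socat gnupg lsb-release software-properties-common php-cgi \
 && rm -rf /var/lib/apt/lists/*
 
-RUN curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
-&& (echo "deb https://deb.nodesource.com/node_10.x $(lsb_release -s -c) main";\
-echo "deb-src https://deb.nodesource.com/node_10.x $(lsb_release -s -c) main") \
-> /etc/apt/sources.list.d/nodesource.list \
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh \
+&& bash nodesource_setup.sh \
 && add-apt-repository universe \
 && apt-get update \
 && apt-get install -yq --no-install-recommends nodejs socat \
@@ -40,7 +39,7 @@ COPY web-servers /web-servers
 
 COPY flag /
 
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends tzdata apache2 \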
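Review bot: `nodesource_setup.sh` is written into the working directory and executed but never removed, so the downloaded setup script persists in the chroot layer; append `&& rm nodesource_setup.sh` right after `&& bash nodesource_setup.sh`. `lsb-release` is still in the preceding `apt-get install` line although the `$(lsb_release -s -c)` calls it served are deleted in this hunk, so it can go too. The replacement `useradd` also gains `--no-create-home` relative to the old line, so `/home/user` will only exist in the chroot if a later instruction creates it; the rest of the file is outside this hunk, so that is worth confirming.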

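--- a/dist/challenge-templates/web/healthcheck/Dockerfile
+++ b/dist/challenge-templates/web/healthcheck/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/
 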
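--- a/dist/challenge-templates/xss-bot/challenge/Dockerfile
+++ b/dist/challenge-templates/xss-bot/challenge/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28
+FROM gcr.io/kctf-docker/challenge@sha256:2008bc49ea75d2e4be6dd71b09e51b2405517fdde7318245436ca36f8402d3e6
 
 RUN apt-get update && apt-get install -y gnupg2 wget
 
@@ -21,13 +21,13 @@ RUN apt-get update && apt-get install -y gnupg2 wget
 # plus libxshmfence1 which seems to be missing
 RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
 && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
-&& wget -q -O - https://deb.nodesource.com/setup_16.x | bash - \
+&& wget -q -O - https://deb.nodesource.com/setup_20.x | bash - \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
 ca-certificates \
 fonts-liberation \
 libappindicator3-1 \
-libasound2 \
+libasound2t64 \
 libatk-bridge2.0-0 \
 libatk1.0-0 \
 libc6 \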

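--- a/dist/challenge-templates/xss-bot/challenge/bot.js
+++ b/dist/challenge-templates/xss-bot/challenge/bot.js
@@ -29,6 +29,7 @@ if (BLOCK_SUBORIGINS) {
 '--proxy-pac-url=data:application/x-ns-proxy-autoconfig;base64,'+PAC_B64,
 ];
 }
+puppeter_args.args.push('--incognito');
 
 (async function(){
 const browser = await puppeteer.launch(puppeter_args);
@@ -50,7 +51,7 @@ if (BLOCK_SUBORIGINS) {
 socket.state = 'LOADED';
 let cookie = JSON.parse(fs.readFileSync('/home/user/cookie'));
 
-const context = await browser.createIncognitoBrowserContext();
+const context = await browser.createBrowserContext();
 const page = await context.newPage();
 await page.setCookie(cookie);
 socket.write(`Loading page ${url}.\n`);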
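Review bot: `puppeter_args.args.push('--incognito')` runs unconditionally, but in the visible lines the `args` array is only assigned inside the `if (BLOCK_SUBORIGINS)` block; if the object literal above the hunk does not initialise `args` when that flag is off, the push throws a TypeError at startup before any connection is accepted. A form that works either way is `puppeter_args.args = (puppeter_args.args || []).concat('--incognito');`. The `puppeter_args` definition starts above the hunk, so this cannot be confirmed from here.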

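--- a/dist/challenge-templates/xss-bot/healthcheck/Dockerfile
+++ b/dist/challenge-templates/xss-bot/healthcheck/Dockerfile
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/healthcheck@sha256:35a21466f658914ad33b700c2b1c938ed6ec739ecf73c8766ab565509d203660
+FROM gcr.io/kctf-docker/healthcheck@sha256:7534eb90c4c21270f42c691e6ee211cc55188b2d3526051a9db8922a557ea3fa
 
 COPY healthcheck_loop.sh healthcheck.py healthz_webserver.py /home/user/
 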