The Fullchain is an umbrella project that sacrifices the independent deployability of CTFer.io's stack in favor of a ready-to-use CTF (Capture The Flag) platform.
Its purpose is to help deploy a production-like environment that the community might end up deploying themselves, whether for test purposes, demonstrations, or SaaS work on sponsored events.
It notably contains CTFd through our re-packaged image, Chall-Manager and its CTFd plugin already configured, along with the Monitoring stack. This list is expected to grow over time, as more services become mature enough for CTF infrastructures.
> [!CAUTION]
> This component is an internal work mostly used for development purposes.
> It is used for production purposes too, i.e. on Capture The Flag events.
> Nonetheless, we do not include it in the repositories we are actively maintaining, and it is subject to future major changes with no migration capability.
## 📦 Deployment

### Configuration

The default configuration will work, but you might not end up with a ✨ perfect 🤌 setup.
To get there, look at the whole `Pulumi.yaml` configuration.
We detail some of its options here.
#### Dedicated Challenges Cluster

If you want to configure a dedicated cluster for challenges:

```bash
# export PULUMI_CONFIG_PASSPHRASE before
# https://github.com/pulumi/pulumi/issues/6015
cat /path/to/kubeconfig | pulumi config set --secret --path chall-manager.kubeconfig
```
#### Custom Certificate

If you want to use a custom certificate (we HIGHLY recommend it for production purposes, especially to avoid MitM attacks, credentials leakage and so on):

```bash
# export PULUMI_CONFIG_PASSPHRASE before
# https://github.com/pulumi/pulumi/issues/6015
cat /path/to/crt.pem | pulumi config set --secret --path ctfer.platform.crt
cat /path/to/key.pem | pulumi config set --secret --path ctfer.platform.key
```
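A mismatched key, a certificate that does not cover the platform hostname, or one that is about to expire are the usual reasons a "custom certificate" deployment ends up serving a broken TLS endpoint. The script below is an added example (not part of the Fullchain repository) that checks a PEM pair before it is stored in the Pulumi config: it verifies that the public key embedded in the certificate equals the one derived from the private key, that the hostname you will set in `ctfer.platform.hostname` is listed in the certificate's Subject Alternative Name, and that the certificate is not expiring within 30 days. It assumes `openssl` is on PATH; `make_demo_pair` generates a constructed self-signed pair (hostname `ctfd.example.lab` is a placeholder) purely so the example runs offline.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before
# `pulumi config set --secret --path ctfer.platform.crt|key`.
# Assumes `openssl` on PATH. Not part of the CTFer.io Fullchain.

# cert_matches_key CRT KEY -> 0 when the SubjectPublicKeyInfo in CRT
# equals the one derived from KEY (i.e. the pair belongs together).
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_covers_host CRT HOST -> 0 when HOST appears as a DNS SAN entry.
# Parses the line following "Subject Alternative Name" in the text dump
# (portable across OpenSSL versions, unlike `-ext subjectAltName`).
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qx "DNS:$2"
}

# cert_not_expiring CRT [SECONDS] -> 0 when CRT stays valid for at least
# SECONDS (default 30 days); relies on `openssl x509 -checkend`.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# check_pair CRT KEY HOST -> 0 only if all three checks pass.
# Prints one line per check so a failing step is visible in CI logs.
check_pair() {
  ok=0
  cert_matches_key "$1" "$2"   && echo "ok   key matches certificate" \
                               || { echo "FAIL key does not match certificate"; ok=1; }
  cert_covers_host "$1" "$3"   && echo "ok   SAN covers $3" \
                               || { echo "FAIL SAN does not cover $3"; ok=1; }
  cert_not_expiring "$1"       && echo "ok   valid for at least 30 days" \
                               || { echo "FAIL expires within 30 days"; ok=1; }
  return $ok
}

# make_demo_pair DIR HOST: constructed self-signed pair used only to make
# this example runnable offline. A config file carries the SAN so it works
# on OpenSSL versions without `-addext`.
make_demo_pair() {
  cat > "$1/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = DNS:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$1/demo.cnf" -keyout "$1/key.pem" -out "$1/crt.pem" >/dev/null 2>&1
}

# Usage with real material (placeholder paths and hostname):
#   check_pair /path/to/crt.pem /path/to/key.pem ctfd.yourdomain \
#     && cat /path/to/crt.pem | pulumi config set --secret --path ctfer.platform.crt
```

Run `check_pair` with the same hostname you intend to pass to `ctfer.platform.hostname`; if it returns non-zero, do not store the pair. Wildcard SANs are deliberately not matched here: CTFd is exposed on a single name, so an exact entry is what you want to see.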
#### DNS Ingress hostname

If you want to expose your CTF platform to external people through a DNS name:

```bash
pulumi config set --path ctfer.platform.hostname ctfd.yourdomain
```
#### Workers and Replicas

If you want to configure several workers on CTFd:

```bash
pulumi config set-all \
  --path ctfer.platform.workers 3 \
  --path ctfer.platform.replicas 3
```

> [!WARNING]
> You will need a ReadWriteMany-compatible CSI (e.g., Longhorn) if the Pods are scheduled on several nodes.
>
> ```bash
> pulumi config set-all \
>   --path ctfer.platform.pvc-access-modes[0] ReadWriteMany \
>   --path ctfer.platform.storage-class longhorn
> ```
### Air-gap environments

If you don't need air-gap settings, you can skip directly to the deployment.

For air-gap environments, you need to download all images and upload them into your registry before deployment. You can use Hauler to download and push all images at once.
The following actions must be performed before the `pulumi up -y`.

- Navigate to the `hack` directory:

  ```bash
  cd hack
  ```

- Synchronize images with Hauler:

  ```bash
  hauler store sync -f chaine-totale.yml
  ```

- Copy images to your registry:

  ```bash
  hauler store copy registry://your-registry:5000
  ```

- Configure the registry to use on your stack:

  ```bash
  pulumi config set registry your-registry:5000
  ```
### Let's do it!

Now the last mile for infrastructure-specific configuration, and you should be good to deploy CTFer! 💪

```bash
pulumi config set-all \
  --path platform.hostname ctfd.dev1.ctfer-io.lab \
  --path ingress-labels.name traefik
pulumi up
```
## 🏗️ Known limitations

Due to the maturity of the Fullchain, some configurations are not yet easily customizable.
To use this project correctly, we recommend you:

- install the CNPG operator in the `cnpg-system` namespace;
- install the Ingress Controller in the `ingress-controller` namespace;
- install Cilium as the CNI (and enable Hubble for debugging, though it is probably not necessary for production);
- use a CTFd image with the `psycopg2-binary` package, for instance our repackaged image (or create yours with `ctferio/ctfd`).