Sample Configs
Multi-Container Web Challenge
This challenge uses Redis and NGINX containers in addition to the main app
container. The containers communicate with each other by host name. Adapted from
Viper from redpwnCTF 2020.
name: viper
author: Jim
description: |-
  Don't you want your own ascii viper? No? Well here is Viper as a Service.
  If you experience any issues, send it
  [here](https://admin-bot.redpwnc.tf/submit?challenge=viper)
  Site: {{link}}
flag:
  file: ./app/flag.txt
provide:
  - ./viper.tar.gz
containers:
  app:
    build: ./app
    resources:
      limits:
        cpu: 100m
        memory: 100M
    ports: [31337]
  nginx:
    build: ./nginx
    resources:
      limits:
        cpu: 100m
        memory: 100M
    ports: [80]
  redis:
    image: redis
    resources:
      limits:
        cpu: 100m
        memory: 100M
    ports: [6379]
expose:
  nginx:
    - target: 80
      http: viper
GKE and rCTF on GitLab CI
This is the configuration used for redpwnCTF 2020.
# rcds.yaml
docker:
  image:
    prefix: gcr.io/project/ctf/2020
flagFormat: flag\{[a-zA-Z0-9_,.'?!@$<>*:-]*\}
defaults:
  containers:
    resources:
      limits:
        cpu: 100m
        memory: 150Mi
      requests:
        cpu: 10m
        memory: 30Mi
backends:
  - resolve: k8s
    options:
      kubeContext: gke_project_zone_cluster
      domain: challs.2020.example.com
      annotations:
        ingress:
          traefik.ingress.kubernetes.io/router.tls: "true"
          traefik.ingress.kubernetes.io/router.middlewares: "ingress-nocontenttype@kubernetescrd"
  - resolve: rctf
    options:
      scoring:
        minPoints: 100
        maxPoints: 500

# .gitlab-ci.yml
image: google/cloud-sdk:slim
services:
  - docker:dind
stages:
  - deploy
variables:
  DOCKER_HOST: tcp://docker:2375
  RCDS_RCTF_URL: https://2020.example.com/
before_script:
  - pip3 install rcds
  - gcloud auth activate-service-account service-account@project.iam.gserviceaccount.com --key-file=$GCLOUD_SA_TOKEN
  - gcloud config set project project
  - gcloud auth configure-docker gcr.io --quiet
  - gcloud container clusters get-credentials cluster --zone=zone
deploy:
  stage: deploy
  when: manual
  environment:
    name: production
  script:
    - rcds deploy
The config creates Kubernetes Ingress objects compatible with Traefik. The ingress annotation references the following middleware CRD, which must exist, to disable Traefik’s Content-Type auto-detection (change the name and namespace, both in the CRD and the ingress annotation, to suit your setup):
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nocontenttype
  namespace: ingress
spec:
  contentType:
    autoDetect: false
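
A pre-deploy lint over the sample challenge and project configs above, added here as an example (it is not part of rCDS or of the original page): it checks that only the intended front-end container is exposed, that each exposed target is a port the container declares, and that the flag matches flagFormat. The dicts are constructed from the YAML on this page; `lint_challenge`, the `front_ends` allow-list, the sample flag and the whole-string match are assumptions.

```python
import re

# Parsed form of the sample challenge.yaml above (constructed; only the keys the lint reads).
CHALLENGE = {
    "name": "viper",
    "containers": {
        "app": {"build": "./app", "ports": [31337]},
        "nginx": {"build": "./nginx", "ports": [80]},
        "redis": {"image": "redis", "ports": [6379]},
    },
    "expose": {"nginx": [{"target": 80, "http": "viper"}]},
}
# flagFormat from the sample rcds.yaml above.
FLAG_FORMAT = r"flag\{[a-zA-Z0-9_,.'?!@$<>*:-]*\}"


def lint_challenge(chall, flag, flag_format, front_ends=("nginx",)):
    """Return a list of findings; an empty list means every check passed.

    front_ends is a hypothetical allow-list of containers that may be
    reachable from outside the cluster; everything else stays internal.
    """
    findings = []
    containers = chall.get("containers", {})
    for name, rules in chall.get("expose", {}).items():
        if name not in containers:
            findings.append(f"expose: unknown container {name!r}")
            continue
        if name not in front_ends:
            findings.append(f"expose: {name!r} is not an approved front end")
        declared = containers[name].get("ports", [])
        for rule in rules:
            if rule.get("target") not in declared:
                findings.append(f"expose: {name}:{rule.get('target')} is not a declared port")
    # Assumption: the whole flag (whitespace-trimmed) must match, so use fullmatch.
    if not re.fullmatch(flag_format, flag.strip()):
        findings.append("flag: does not match flagFormat")
    return findings


if __name__ == "__main__":
    # Constructed flag value; a real run would read ./app/flag.txt.
    for finding in lint_challenge(CHALLENGE, "flag{constructed_example}", FLAG_FORMAT):
        print(finding)
```

Run before `rcds deploy` in CI, a non-empty result would fail the job when, for example, the Redis container is added to `expose`.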