feat: deploy containers to Google kCTF (#120)

Only Google Kubernetes Engine deployment type, with patched kCTF to support image caching and Artifact Registry

Signed-off-by: Tom Plant <[email protected]>

Author: pl4nty

.github/workflows/containers-kctf.yaml

@@ -0,0 +1,92 @@
+name: Deploy containers to kCTF
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  # based on https://github.com/google/kctf/blob/5d0f830d6adae029322570601f145a1866a50669/.github/workflows/update-images.yaml#L205
+  main:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - uses: actions/[email protected]
+
+      - uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.KCTF_IDENTITY }}
+      - uses: google-github-actions/setup-gcloud@v2
+        with:
+          install_components: gke-gcloud-auth-plugin
+
+      - uses: docker/[email protected]
+        id: buildkit
+      - name: Get auth params for buildx cache
+        uses: crazy-max/[email protected]
+
+      - name: Deploy containers
+        # Artefact Registry support https://github.com/google/kctf/pull/406
+        # have to --push for cache to hit https://github.com/moby/buildkit/issues/2887
+        run: |
+          curl -sSL https://github.com/HlynurOskar/kctf/archive/3976fdec31aeabc10d41dfeaa2337f0a789f6698.tar.gz | tar xz -C /tmp
+          mv /tmp/kctf-3976fdec31aeabc10d41dfeaa2337f0a789f6698/dist kctf
+          source kctf/activate
+
+          sed -i 's|docker build|docker build --load --cache-from type=gha,scope=${CHALLENGE_NAME}-${CONTAINER_NAME} --cache-to type=gha,mode=max,scope=${CHALLENGE_NAME}-${CONTAINER_NAME} --builder ${{ steps.buildkit.outputs.name }}|' kctf/bin/kctf-challenge
+          sed -i 's|IMAGE_URL="$.*|IMAGE_URL="${REGISTRY}/${PROJECT}/${CLUSTER_NAME}/${CHALLENGE_NAME}-${IMAGE_NAME}:${IMAGE_ID}"|' kctf/bin/kctf-challenge
+          mkdir kctf/config
+          echo "${{ vars.KCTF_CONFIG }}" | tr '\r\n' '\n' > kctf/config/kctf-cluster
+          source kctf/config/kctf-cluster
+          gcloud auth configure-docker $REGISTRY
+          kctf cluster load kctf-cluster
+
+          shopt -s extglob
+          for template in !(kctf)/*/; do
+            pushd $template
+              if [[ ! -e "challenge.yaml" ]]; then
+                continue
+              fi
+              if [[ -e "challenge/Makefile" ]]; then
+                make -C "challenge"
+              fi
+              CHALLENGE_NAME="$("${KCTF_BIN}/yq" eval '.metadata.name' challenge.yaml)"
+              echo "starting challenge ${CHALLENGE_NAME}"
+              kctf chal start
+              echo "challenge started, waiting for it to become available"
+              # We want to wait for the deployment to be available, but it
+              # might not have been created yet by the operator and wait will fail.
+              # So try to "kubectl get" the challenge a few times to make sure it exists.
+              # Ideally, we would expose the condition in the operator but I
+              # don't think that's currently possible.
+              for i in {1..5}; do
+                kubectl get "deployment/${CHALLENGE_NAME}" && break
+                echo "deployment/${CHALLENGE_NAME} doesn't exist yet, sleeping"
+                sleep 5
+              done
+              kubectl wait --for=condition=available --timeout=5m "deployment/${CHALLENGE_NAME}"
+            popd
+          done
+
+      - name: Setup GitHub container registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Push container images to GitHub
+        run: |-
+          source kctf/config/kctf-cluster
+
+          images=$(docker images $REGISTRY/*:latest --format "{{.Repository}}")
+          for image in $images; do
+            lowercase=${GITHUB_REPOSITORY_OWNER,,}
+            newtag=${image//$REGISTRY/ghcr\.io\/$lowercase}:latest
+            docker tag $image:latest $newtag
+            docker push $newtag
+          done

README.md

@@ -12,14 +12,14 @@ Automatically deploy your CTF challenges from GitHub to CTFd. Also supports cont
 
 1. [Click here](https://github.com/new?template_name=auto-ctfd&template_owner=pl4nty) to create a repository for your CTF. Select "Private" to prevent public access
 2. [Allow GitHub Actions to create pull requests](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests)
-3. [Create the following secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository):
+3. [Create the following secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository)
 
 | Name | Value |
 | ---- | ----- |
 | `CTFD_TOKEN` | [CTFd admin access token](https://docs.ctfd.io/docs/api/getting-started#generating-an-admin-access-token) |
 | `CTFD_SITE_PASSWORD` (optional) | [CTFd site password](https://docs.ctfd.io/hosted/security/setting-site-password), if enabled |
 
-4. [Create the following variables](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository):
+4. [Create the following variables](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository)
 
 | Name | Value |
 | ---- | ----- |
@@ -53,7 +53,7 @@ Some challenges, like pwn or web, may need to run services in containers. These
 
 Note that managed CTFd has certain Dockerfile requirements and limitations. Please see the [CTFd documentation](https://docs.ctfd.io/tutorials/challenges/deploying-challenges) for more details.
 
-Create the following variables:
+Create the following variables
 
 | Name | Value |
 | ---- | ----- |
@@ -63,14 +63,14 @@ Create the following variables:
 
 1. Add a Compose file like `docker-compose.yml` to each of your challenge(s)
 2. Ensure TCP challenges have unique ports
-3. Create the following variables:
+3. Create the following variables
 
 | Name | Value |
 | ---- | ----- |
 | `REGISTRY` | A container registry accessible by the Kubernetes cluster |
 | `KUBE_HOST` | Hostname for challenges. HTTP challenges will be available via ingress on `example.KUBE_HOST`, and TCP challenges via load balancer service on `KUBE_HOST:port` |
 
-4. Create the following secrets:
+4. Create the following secrets
 
 | Name | Value |
 | ---- | ----- |
@@ -91,7 +91,7 @@ Create the following variables:
 4. [Create a user-assigned managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and
 5. [Create an Azure Container Registry](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal) and assign the `AcrPull` role on it to the managed identity
 6. (Optional) [Add a custom DNS suffix](https://learn.microsoft.com/en-us/azure/container-apps/environment-custom-dns-suffix) to the Container Apps environment
-6. Create the following variables:
+6. Create the following variables
 
 | Name | Value |
 | ---- | ----- |
@@ -101,3 +101,34 @@ Create the following variables:
 | `AZURE_CONTAINER_ENV` | Container Apps enviroment [resource ID](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-get-info?tabs=portal#get-the-resource-id-for-a-storage-account) |
 | `AZURE_CONTAINER_IDENTITY` | Managed identity resource ID |
 | `AZURE_CONTAINER_SUFFIX` | Container Apps environment DNS suffix, eg chals.example.com |
+
+### Google kCTF
+
+1. [Set up kCTF infrastructure](https://google.github.io/kctf/google-cloud.html)
+2. [Create a Workload Identity Pool and Provider](https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation)
+3. Grant Kubernetes Engine Developer and Artifact Registry Writer roles to the Pool
+
+```sh
+# TODO: replace ${PROJECT_ID}, ${WORKLOAD_IDENTITY_POOL_ID}, and ${REPO}
+# with your values below.
+#
+# ${REPO} is the full repo name including the parent GitHub organization,
+# such as "my-org/my-repo".
+#
+# ${WORKLOAD_IDENTITY_POOL_ID} is the full pool id, such as
+# "projects/123456789/locations/global/workloadIdentityPools/github".
+
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+  --role="roles/container.developer" \
+  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+  --role="roles/artifactregistry.writer" \
+  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"
+```
+
+4. Create the following variables
+
+| Name | Value |
+| ---- | ----- |
+| `KCTF_CONFIG` | Contents of the kCTF config file `kctf/config/.lastconfig` |
+| `KCTF_IDENTITY` | Workload Identity Provider resource name |