Sealed Secret in Kubernetes Challenge #1452

Open
wants to merge 21 commits into
base: master

Shubham-Patel07
Contributor

@Shubham-Patel07 Shubham-Patel07 commented Jun 21, 2024

What kind of changes does this PR include?

  • Fixes or refactors
  • A new challenge
  • Additional documentation
  • Something else

Relation

Fixes part of #858

Description

Added new challenge related to Bitnami Sealed Secrets

Checklist:

  • All the contributions made are solely the work of me and my co-authors
  • I tested the changes in this PR (if applicable)
  • I added unit tests to ensure my change works (when change in Java or on front-end code)
  • I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
  • The PR passes pre-commit hooks and automated tests

@Shubham-Patel07
Contributor Author

Shubham-Patel07 commented Jun 21, 2024

@commjoen Please guide me further: in which file do I need to mention the ACTUAL_ANSWER_CHALLENGE48 variable?
What are the further things I need to figure out?

@Shubham-Patel07 Shubham-Patel07 marked this pull request as ready for review June 21, 2024 16:34
@commjoen
Collaborator

Great start! Let's go to the next steps!

  1. Would you please write the challenge texts, common tests and add a challenge configuration as in https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-add-a-challenge?
  2. The SEALED_SECRET_ANSWER needs to be the env-var in https://github.com/OWASP/wrongsecrets/pull/1452/files#diff-3295830e52e2c56ac68ea925b7cc6ec7892a1b4f8401c27ff14345ef4a0129a2R9 so it will override the application.properties value.
  3. Last but not least: can you extend the end2end tests in https://github.com/OWASP/wrongsecrets/tree/master/src/test/K8s-tests/cypress/e2e please? It needs to check whether your challenge shows the default value you gave it here in application.properties, or actually shows the data you defined in the sealed secret (so the test only needs to check that the application.properties value is not present in /spoil/ for your challenge).

@Shubham-Patel07
Contributor Author

Shubham-Patel07 commented Jun 22, 2024

So I did what you said sir @commjoen, but still the challenge is not visible when I run using k8s-vault-minikube-start.sh
What else do I need to figure out?

@commjoen
Collaborator

We will have to build a new container to show it in k8s. I can do that tomorrow. If you run it locally: is the challenge then visible?

@Shubham-Patel07
Contributor Author

Shubham-Patel07 commented Jun 22, 2024

Hi @commjoen
I abruptly faced this error and am not able to troubleshoot it

image

I even tried to run mvn clean install and got this error

image

These occurred so abruptly, even without changing anything

@commjoen
Collaborator

> Hi @commjoen
>
> I abruptly faced this error and am not able to troubleshoot it
>
> image
>
> I even tried to run mvn clean install and got this error
>
> image
>
> These occurred so abruptly, even without changing anything

It looks like you have the wrong JDK version: can you upgrade to the latest please? 🙏

@Shubham-Patel07
Contributor Author

>> Hi @commjoen
>> I abruptly faced this error and am not able to troubleshoot it
>> image
>> I even tried to run mvn clean install and got this error
>> image
>> These occurred so abruptly, even without changing anything
>
> It looks like you have the wrong JDK version: can you upgrade to the latest please? 🙏

image

I'm using the latest OpenJDK 22 version

Comment on lines 771 to 782
short-name: "challenge-48"
sources:
- class-name: "org.owasp.wrongsecrets.challenges.kubernetes.Challenge48"
explanation: "explanations/challenge48.adoc"
hint: "explanations/challenge48_hint.adoc"
reason: "explanations/challenge48_reason.adoc"
environments: [ *k8s, *gcp, *aws, *azure ]
difficulty: *normal
category: *secrets
ctf:
enabled: false
missing_environment: "explanations/missing_k8s.adoc"
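Review bot: the environments line of this entry lists *gcp, *aws and *azure next to *k8s, while the thread only changes the two k8s deployment manifests. If the cloud deployments do not also install the Sealed Secrets controller and ship the sealed secret, the challenge there would show the application.properties default instead of the sealed value, so either cover those manifests in this PR or limit environments to *k8s until they are covered.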
Collaborator

Suggested change
short-name: "challenge-48"
sources:
- class-name: "org.owasp.wrongsecrets.challenges.kubernetes.Challenge48"
explanation: "explanations/challenge48.adoc"
hint: "explanations/challenge48_hint.adoc"
reason: "explanations/challenge48_reason.adoc"
environments: [ *k8s, *gcp, *aws, *azure ]
difficulty: *normal
category: *secrets
ctf:
enabled: false
missing_environment: "explanations/missing_k8s.adoc"
short-name: "challenge-48"
sources:
- class-name: "org.owasp.wrongsecrets.challenges.kubernetes.Challenge48"
explanation: "explanations/challenge48.adoc"
hint: "explanations/challenge48_hint.adoc"
reason: "explanations/challenge48_reason.adoc"
environments: [ *k8s, *gcp, *aws, *azure ]
difficulty: *normal
category: *secrets
ctf:
enabled: false
missing_environment: "explanations/missing_k8s.adoc"

It looks like it is failing due to indentation: can you make short-name and the rest align with name place?
And then, with docker for desktop enabled, use ./mvnw clean install to get it running again.

Collaborator

I have created a container with tag challenge48-no-vault based on the current challenge-code.

Collaborator

In order to use it, can you create the following modifications to your k8s deployment yamls? In https://github.com/Shubham-Patel07/wrongsecrets/blob/fix/Issue858/k8s/secret-challenge-vault-deployment.yml#L53 use - image: jeroenwillemsen/wrongsecrets:challenge48-k8s-vault and in https://github.com/Shubham-Patel07/wrongsecrets/blob/fix/Issue858/k8s/secret-challenge-deployment.yml#L31 use - image: jeroenwillemsen/wrongsecrets:challenge48-no-vault. This should load up the container with the new challenge.

Collaborator

After this, you will have to update the k8s deployment manifest to use the sealed secret under the env-var SEALED_SECRET_ANSWER.
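The override discussed in this thread, sketched as an added example that is not taken from the PR or the project's manifests: a SealedSecret that the controller unseals into a Secret, and a Deployment that reads that Secret into SEALED_SECRET_ANSWER. The resource names, namespace, key name and encrypted value are placeholders; the image tag is the one named above.

```yaml
# Added illustration. Names, namespace and key are assumptions, not the PR's values.
# 1) SealedSecret: safe to commit to Git. The Sealed Secrets controller decrypts
#    it in-cluster into a regular Secret named by spec.template.metadata.name.
#    With the default (strict) scope, name and namespace are bound into the
#    ciphertext, so renaming or moving the resource makes unsealing fail.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: challenge48secret            # hypothetical name
  namespace: default
spec:
  encryptedData:
    secret: "<ENCRYPTED_VALUE_FROM_KUBESEAL>"   # placeholder for kubeseal output
  template:
    metadata:
      name: challenge48secret
      namespace: default
    type: Opaque
---
# 2) Deployment: the env var is sourced from the unsealed Secret through
#    secretKeyRef, never from a literal "value:". The Secret must live in the
#    same namespace as the pod. If the Secret is absent the container does not
#    start, which separates a failed unseal from a silent fallback to the
#    application.properties default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-challenge             # hypothetical name
  namespace: default
spec:
  selector:
    matchLabels:
      app: secret-challenge
  template:
    metadata:
      labels:
        app: secret-challenge
    spec:
      containers:
        - name: secret-challenge
          image: jeroenwillemsen/wrongsecrets:challenge48-no-vault
          env:
            - name: SEALED_SECRET_ANSWER
              valueFrom:
                secretKeyRef:
                  name: challenge48secret   # must match the SealedSecret template name
                  key: secret               # must match a key under encryptedData
```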

Contributor Author

Hi @commjoen,
I tried using the challenge48-no-vault and challenge48-k8s-vault, but still the challenge is not available. Please can you check the containers again?

… made recommended changes in challenge manifests to override the env-var in application.properties
@commjoen
Collaborator

The Java code is fixed; now all we need is the correct override of the env var SEALED_SECRET_ANSWER by means of the sealed secret. Alternatively we can make the Java code load a file injected by the controller (CC @bendehaan).
Once this is done there are a few items left, let's enumerate them here:
