Add DVWA and WebGoat chart

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-# title: Continuous Integration
+# title: Continuous Integration
 # uses:
 #   - https://github.com/helm/chart-testing-action
 #   - https://github.com/stackrox/kube-linter-action
@@ -38,22 +38,23 @@ jobs:
       - name: Build with VitePress
         run: npm run docs:build
       - name: Install Helm
-        uses: azure/setup-helm@v4.3.0
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
         with:
           version: latest
-      - name: Install Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.x'
-          check-latest: true
-      - name: Use KubeLinter
-        id: kube-lint-scan
-        uses: stackrox/kube-linter-action@v1
-        with:
-          directory: charts
-          config: .kube-linter.yaml
+      - name: Install kube-linter
+        env:
+          KUBE_LINTER_VERSION: "0.8.3"
+          KUBE_LINTER_SHA256: "1a6d8419b11971372971fdbc22682b684ebfb7cf1c39591662d1b6ca736c41df"
+        run: |
+          curl -sSLo kube-linter.tar.gz "https://github.com/stackrox/kube-linter/releases/download/v${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz"
+          echo "${KUBE_LINTER_SHA256}  kube-linter.tar.gz" | sha256sum -c -
+          tar -xzf kube-linter.tar.gz kube-linter
+          sudo mv kube-linter /usr/local/bin/
+          rm kube-linter.tar.gz
+      - name: Run kube-linter
+        run: kube-linter lint charts --config .kube-linter.yaml
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.8.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
       - name: Add dependency chart repositories
         run: ./scripts/add_helm_repo.sh
       - name: List changed charts

.github/workflows/pkg.yml

@@ -1,4 +1,4 @@
-# title: Continuous Delivery (Packaging)
+# title: Continuous Delivery (Packaging)
 # requirements:
 #   - Create manually "gh-pages" branch
 #   - Maintain pages files in "gh-pages" branch: index.tpl, placeholder.png
@@ -53,13 +53,13 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
       - name: Install Helm
-        uses: azure/setup-helm@v4.3.0
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
         with:
           version: latest
       - name: Add dependency chart repositories
         run: ./scripts/add_helm_repo.sh
       - name: Host charts repository on GitHub Pages
-        uses: helm/chart-releaser-action@v1.7.0
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       # important: it needs to be done in the same pipeline as another pages workflow won't be triggered by the pust on the gh-pages branch

.kube-linter.yaml

@@ -24,3 +24,5 @@
     - charts/**/charts/**
     # disable for now (too many issues for something to rework from the container image)
     - charts/nfs-ganesha/**
+    # disable as no easy solution for secret management for MariaDB
+    - charts/dvwa/**

CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Contributing
+# Contributing
 
 ## File organization
 
@@ -40,6 +40,8 @@ helm upgrade --install myapp . -f values.yaml --namespace myns --create-namespac
 
 ### Run locally CI checks
 
+<!--
+
 Lint charts with [helm/chart-testing](https://github.com/helm/chart-testing) (with workaround described at [issue #464](https://github.com/helm/chart-testing/issues/464)):
 
 ```bash
@@ -51,13 +53,18 @@ docker run --rm -it --workdir=/data --volume $(pwd):/data quay.io/helmpack/chart
 > Beware if you're on Windows, as some files may be with the EOL CRLF and could be seen as a difference needing a version bump.
 > You can find them with `find charts/ -type f -exec file {} \; | grep CLRF`, update the EOL (change save from VS Code), and also check on the repo with `git show main:charts/nfs-ganesha/.helmignore | od -c`.
 
+-->
+
 Lint charts with [KubeLinter](https://docs.kubelinter.io/):
 
 ```bash
-docker run --rm -v $(pwd)/charts:/charts -v $(pwd)/.kube-linter.yaml:/etc/config.yaml stackrox/kube-linter \
-  lint /charts --config /etc/config.yaml
+kube-linter lint charts --config .kube-linter.yaml
 ```
 
+<!--
+docker run --rm -it -v $(pwd):/workspace -w /workspace ubuntu:24.04 bash
+-->
+
 ## Documentation website
 
 ### Static Site Generator

charts/dvwa/.helmignore

@@ -0,0 +1,4 @@
+.DS_Store
+.git
+.gitignore
+README.md

charts/dvwa/CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contribution guide
+
+## Validate on a test cluster
+
+Create a `values.mine.yaml` file:
+
+```yaml
+ingress:
+  enabled: true
+  domain: "tfbckmdb.console.$SANDBOX_ID.instruqt.io"
+  className: "traefik"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  tls:
+    enabled: true
+
+```
+
+Install the chart:
+
+```bash
+helm upgrade --install dvwa . -f values.yaml -f values.mine.yaml --namespace dvwa --create-namespace
+```
+
+Wait for all pods to be ready:
+
+```bash
+kubectl get all -n dvwa
+```
+
+Open the web application in a browser.

charts/dvwa/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: dvwa
+description: Damn Vulnerable Web Application - for container security workshops
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
+keywords:
+  - security
+  - vulnerable
+  - workshop
+  - training
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr

charts/dvwa/README.md

@@ -0,0 +1,65 @@
+# DVWA Helm Chart
+
+Helm chart for [Damn Vulnerable Web Application](https://github.com/digininja/DVWA) — designed for container security workshops.
+
+## Architecture
+
+Single pod with two containers:
+
+- **DVWA** — the PHP web app (port 80)
+- **MariaDB** — sidecar database (port 3306, localhost only)
+
+## Quick Start
+
+Add the chart repository:
+
+```bash
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+```
+
+Create the `values.yaml` file to override [default values](values.yaml).
+
+Install the chart:
+
+```bash
+helm upgrade --install dvwa devpro/dvwa -f values.yaml --namespace dvwa --create-namespace
+```
+
+### First-time Setup
+
+1. Browse to the URL above
+2. Log in: `admin` / `password`
+3. Click **Create / Reset Database**
+4. Log in again — ready!
+
+## Values
+
+Key                   | Default    | Description
+----------------------|------------|-----------------------------------------
+`dvwa.adminUsername`  | `admin`    | DVWA login
+`dvwa.adminPassword`  | `password` | DVWA password
+`dvwa.securityLevel`  | `low`      | `low` / `medium` / `high` / `impossible`
+`persistence.enabled` | `false`    | Persist MariaDB data across pod restarts
+
+## Security Level
+
+Change mid-workshop to increase difficulty:
+
+```bash
+helm upgrade dvwa ./dvwa -n dvwa --set dvwa.securityLevel=medium
+```
+
+## Uninstall
+
+```bash
+helm uninstall dvwa -n dvwa
+kubectl delete namespace dvwa
+```
+
+## Going further
+
+Check the [contribution guide](CONTRIBUTING.md).
+
+---
+> ⚠️ **FOR WORKSHOP USE ONLY** — intentionally vulnerable, never expose to the internet.

charts/dvwa/templates/NOTES.txt

@@ -0,0 +1,56 @@
+🎯 DVWA (Damn Vulnerable Web Application) deployed!
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  ACCESS THE APP
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+{{- if and .Values.ingress.enabled .Values.ingress.domain }}
+  {{- if .Values.ingress.tls.enabled }}
+  URL: https://{{ .Values.ingress.domain }}
+  {{- else }}
+  URL: http://{{ .Values.ingress.domain }}
+  {{- end }}
+
+  TLS certificate will be issued automatically by cert-manager.
+  Check status: kubectl get certificate -n {{ .Release.Namespace }}
+{{- else }}
+  Port-forward:
+    kubectl port-forward svc/{{ include "dvwa.fullname" . }} 8080:80 -n {{ .Release.Namespace }}
+  Then open: http://localhost:8080
+{{- end }}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  CREDENTIALS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  Username : {{ .Values.dvwa.adminUsername }}
+  Password : {{ .Values.dvwa.adminPassword }}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  FIRST-TIME SETUP (important!)
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+1. Wait ~30s for MariaDB to initialise
+2. Browse to the URL above
+3. Log in with the credentials above
+4. Click  "Create / Reset Database"  on the setup page
+5. Log in again — you're ready!
+
+Current security level: {{ .Values.dvwa.securityLevel | upper }}
+
+Change security level mid-workshop:
+  helm upgrade {{ .Release.Name }} ./dvwa -n {{ .Release.Namespace }} \
+    --set ingress.domain={{ .Values.ingress.domain }} \
+    --set dvwa.securityLevel=medium
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  USEFUL COMMANDS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Certificate status
+  kubectl get certificate,certificaterequest -n {{ .Release.Namespace }}
+
+  # Pod logs
+  kubectl logs -l app.kubernetes.io/name=dvwa -n {{ .Release.Namespace }} -c dvwa
+
+  # MariaDB logs
+  kubectl logs -l app.kubernetes.io/name=dvwa -n {{ .Release.Namespace }} -c mariadb
+
+⚠️  FOR WORKSHOP USE ONLY — never expose to the internet long-term!

charts/dvwa/templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dvwa.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "dvwa.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart label.
+*/}}
+{{- define "dvwa.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "dvwa.labels" -}}
+helm.sh/chart: {{ include "dvwa.chart" . }}
+{{ include "dvwa.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "dvwa.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dvwa.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}