Create trackboard chart

.kube-linter.yaml

@@ -20,6 +20,7 @@
     - run-as-non-root
     - sorted-keys
     - privileged-ports
+    - no-rolling-update-strategy
   ignorePaths:
     - charts/**/charts/**
     # disable for now (too many issues for something to rework from the container image)

charts/drupal/CONTRIBUTING.md

@@ -5,30 +5,59 @@
 Create a `values.mine.yaml` file:
 
 ```yaml
+image: drupal
+tag: 8.9.20
+
 ingress:
   enabled: true
   className: "traefik"
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
   tls:
     enabled: true
+
+persistence:
+  enabled: true
+  initImage: ghcr.io/devpro/drupal:8.5.0-postinstall
+  dbType: sqlite
 ```
 
 Install the chart:
 
 ```bash
-helm upgrade --install drupal . -f values.yaml -f values.mine.yaml --namespace drupal --create-namespace \
-  --set ingress.domain="drupal.console.$SANDBOX_ID.instruqt.io"
+helm upgrade --install drupal . -f values.yaml -f values.mine.yaml \
+  --set ingress.domain="drupal.server.$SANDBOX_ID.instruqt.io" \
+  --namespace drupal --create-namespace
 ```
 
 Wait for all pods to be ready:
 
 ```bash
-kubectl get pod,rs,deploy,svc,ingress,certificate -n drupal
+kubectl get pod,rs,deploy,svc,ingress,certificate,pvc,pv -n drupal
+```
+
+Check init container logs:
+
+```bash
+kubectl logs -n drupal -l app=drupal -c init-sites
 ```
 
 Open the web application in a browser:
 
 ```bash
-echo https://drupal.console.$SANDBOX_ID.instruqt.io
+echo https://drupal.server.$SANDBOX_ID.instruqt.io
+```
+
+Cleanup:
+
+```bash
+helm uninstall drupal -n drupal
+kubectl get pv --watch
+kubectl delete namespace drupal
+kubectl get pv | grep drupal
 ```
+
+<!--
+on the server if local-path storage class is used
+ls /var/lib/rancher/k3s/storage/
+!-->

charts/drupal/Chart.yaml

@@ -2,8 +2,8 @@
 name: drupal
 description: Drupal Web Application - for container security workshops
 type: application
-version: 1.0.0
-appVersion: "1.0.0"
+version: 1.0.1
+appVersion: "8.5.0"
 keywords:
   - security
   - vulnerable

charts/drupal/templates/deployment.yaml

@@ -2,10 +2,12 @@
 kind: Deployment
 metadata:
   name: drupal
+  labels:
+    app: drupal
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
-    type: RollingUpdate
+    type: {{ if eq .Values.persistence.dbType "sqlite" }}Recreate{{ else }}RollingUpdate{{ end }}
   selector:
     matchLabels:
       app: drupal
@@ -14,6 +16,27 @@ spec:
       labels:
         app: drupal
     spec:
+      {{- if and .Values.persistence.enabled .Values.persistence.initImage }}
+      initContainers:
+        - name: init-sites
+          image: {{ .Values.persistence.initImage }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - -c
+            - |
+              # only copy if the PVC is empty (first boot)
+              if [ -z "$(ls -A /mnt/sites)" ]; then
+                echo "PVC is empty — seeding from image..."
+                cp -a /var/www/html/sites/. /mnt/sites/
+                echo "Done."
+              else
+                echo "PVC already has data — skipping copy."
+              fi
+          volumeMounts:
+            - name: sites
+              mountPath: /mnt/sites
+      {{- end }}
       containers:
         - name: drupal
           image: {{ .Values.image }}:{{ .Values.tag }}
@@ -28,3 +51,15 @@ spec:
               port: 80
             initialDelaySeconds: 10
             periodSeconds: 10
+          {{- if .Values.persistence.enabled }}
+          volumeMounts:
+            - name: sites
+              mountPath: /var/www/html/sites
+          {{- end }}
+      {{- if .Values.persistence.enabled }}
+      volumes:
+        - name: sites
+          persistentVolumeClaim:
+            claimName: drupal
+      {{- end }}
+      restartPolicy: Always

charts/drupal/templates/ingress.yaml

@@ -3,6 +3,8 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: drupal
+  labels:
+    app: drupal
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/drupal/templates/pvc.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drupal
+  labels:
+    app: drupal
+spec:
+  accessModes:
+    - ReadWriteOnce
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- end }}

charts/drupal/values.yaml

@@ -1,6 +1,7 @@
 replicaCount: 1
 image: vulhub/drupal
 tag: 8.5.0
+
 ingress:
   enabled: false
   className: ""    # traefik
@@ -9,3 +10,10 @@ ingress:
     # cert-manager.io/cluster-issuer: letsencrypt-prod
   tls:
     enabled: false
+
+persistence:
+  enabled: false
+  storageClass: ""
+  size: 500Mi
+  initImage: ""
+  dbType: ""

charts/trackboard/CONTRIBUTING.md

@@ -0,0 +1,46 @@
+# Contribution guide
+
+## Validate on a test cluster
+
+Create the chart configuration file:
+
+```bash
+# example with Traefik ingress controller, cert-manager and Let's Encrypt
+cat > values.mine.yaml << 'EOF'
+ingress:
+  enabled: true
+  className: "traefik"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  tls:
+    enabled: true
+EOF
+```
+
+<!--
+helm template trackboard . -f values.yaml -f values.mine.yaml \
+  --set ingress.domain=trackboard.server.$SANDBOX_ID.instruqt.io \
+  --set admin.password=mysecretpassword \
+  --namespace trackboard > temp.yaml
+-->
+
+Install the chart:
+
+```bash
+helm upgrade --install trackboard . -f values.yaml -f values.mine.yaml \
+  --set ingress.domain=trackboard.server.$SANDBOX_ID.instruqt.io \
+  --set admin.password=mysecretpassword \
+  --namespace trackboard --create-namespace
+```
+
+Wait for all pods to be ready:
+
+```bash
+kubectl get all -n trackboard
+```
+
+Open the web application in a browser.
+
+```bash
+echo "https://trackboard.server.${SANDBOX_ID}.instruqt.io"
+```

charts/trackboard/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: trackboard
+description: Trackboard web application
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+keywords:
+  - event
+  - ctf
+  - dashboard
+  - live
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr

charts/trackboard/README.md

@@ -0,0 +1,34 @@
+# Trackboard Helm Chart
+
+Helm chart for [Trackboard Web Application](https://github.com/devpro/container-images/tree/main/src/trackboard) — designed for container security workshops.
+
+## Quick Start
+
+Add the chart repository:
+
+```bash
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+```
+
+Create the `values.yaml` file to override [default values](values.yaml).
+
+Install the chart:
+
+```bash
+helm upgrade --install trackboard devpro/trackboard -f values.yaml --namespace trackboard --create-namespace
+```
+
+## Uninstall
+
+```bash
+helm uninstall trackboard -n trackboard
+kubectl delete namespace trackboard
+```
+
+## Going further
+
+Check the [contribution guide](CONTRIBUTING.md).
+
+---
+> ⚠️ **FOR WORKSHOP USE ONLY** — intentionally vulnerable, never expose to the internet.

charts/trackboard/templates/NOTES.txt

@@ -0,0 +1,20 @@
+1. Trackboard web application has been deployed.
+
+{{- if .Values.ingress.enabled }}
+   URL: https://{{ .Values.ingress.domain }}
+
+   TLS certificate will be issued automatically by cert-manager.
+   Watch progress with:
+     kubectl get certificate -n {{ .Release.Namespace }}
+     kubectl describe certificaterequest -n {{ .Release.Namespace }}
+{{- else }}
+   Port-forward to access locally:
+     kubectl port-forward svc/{{ include "trackboard.fullname" . }} 3000:3000 -n {{ .Release.Namespace }}
+   then open http://localhost:3000
+{{- end }}
+
+2. Check pod status:
+     kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "trackboard.name" . }}
+
+3. View logs:
+     kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "trackboard.name" . }} -f

charts/trackboard/templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "trackboard.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "trackboard.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Chart label.
+*/}}
+{{- define "trackboard.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "trackboard.labels" -}}
+helm.sh/chart: {{ include "trackboard.chart" . }}
+{{ include "trackboard.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "trackboard.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "trackboard.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}