Add tinyfilemanager chart

charts/nextportal/CONTRIBUTING.md

@@ -21,7 +21,7 @@ Install the chart:
 
 ```bash
 helm upgrade --install nextportal . -f values.yaml -f values.mine.yaml \
-  --set ingress.domain=nextportal.console.$SANDBOX_ID.instruqt.io \
+  --set ingress.domain=nextportal.server.$SANDBOX_ID.instruqt.io \
   --namespace nextportal --create-namespace
 ```
 
@@ -34,5 +34,5 @@ kubectl get all -n nextportal
 Open the web application in a browser.
 
 ```bash
-echo "https://nextportal.console.${SANDBOX_ID}.instruqt.io"
+echo "https://nextportal.server.${SANDBOX_ID}.instruqt.io"
 ```

charts/nextportal/Chart.yaml

@@ -2,7 +2,7 @@
 name: nextportal
 description: NextPortal web application - intentionally vulnerable by default for security workshops
 type: application
-version: 0.1.0
+version: 1.0.0
 appVersion: "0.1.0"
 keywords:
   - security

charts/nextportal/templates/networkpolicy.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.networkpolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "nextportal.fullname" . }}
+  labels:
+    {{- include "nextportal.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "nextportal.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # allow traffic only from the ingress controller namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: {{ .Values.service.port }}
+  egress:
+    # allows DNS resolution
+    - ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # allows outbound HTTPS (for Google Fonts CDN)
+    - ports:
+        - protocol: TCP
+          port: 443
+{{- end }}

charts/nextportal/values.yaml

@@ -72,6 +72,9 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 
+networkpolicy:
+  enabled: false
+
 env:
   NODE_ENV: production
   NEXT_TELEMETRY_DISABLED: "1"

charts/tinyfilemanager/CONTRIBUTING.md

@@ -0,0 +1,38 @@
+# Contribution guide
+
+## Validate on a test cluster
+
+Create the chart configuration file:
+
+```bash
+# example for an Instruqt track, with a Traefik ingress controller, with cert-manager and Let's Encrypt
+cat > values.mine.yaml << 'EOF'
+ingress:
+  enabled: true
+  className: "traefik"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  tls:
+    enabled: true
+EOF
+```
+
+Install the chart:
+
+```bash
+helm upgrade --install tinyfilemanager . -f values.yaml -f values.mine.yaml \
+  --set ingress.domain=tinyfilemanager.server.$SANDBOX_ID.instruqt.io \
+  --namespace tinyfilemanager --create-namespace
+```
+
+Wait for all pods to be ready:
+
+```bash
+kubectl get all -n tinyfilemanager
+```
+
+Open the web application in a browser.
+
+```bash
+echo "https://tinyfilemanager.server.${SANDBOX_ID}.instruqt.io"
+```

charts/tinyfilemanager/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: tinyfilemanager
+description: Tiny File Manager - intentionally vulnerable by default for security workshops
+type: application
+version: 1.0.0
+appVersion: "2.4.6"
+keywords:
+  - security
+  - vulnerable
+  - workshop
+  - owasp
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr

charts/tinyfilemanager/README.md

@@ -0,0 +1,34 @@
+# Tiny File Manager Helm Chart
+
+Helm chart for [Tiny File Manager](https://tinyfilemanager.github.io/) — designed for container security workshops.
+
+## Quick Start
+
+Add the chart repository:
+
+```bash
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+```
+
+Create the `values.yaml` file to override [default values](values.yaml).
+
+Install the chart:
+
+```bash
+helm upgrade --install tinyfilemanager devpro/nextportal -f values.yaml --namespace tinyfilemanager --create-namespace
+```
+
+## Uninstall
+
+```bash
+helm uninstall tinyfilemanager -n tinyfilemanager
+kubectl delete namespace tinyfilemanager
+```
+
+## Going further
+
+Check the [contribution guide](CONTRIBUTING.md).
+
+---
+> ⚠️ **FOR WORKSHOP USE ONLY** — intentionally vulnerable, never expose to the internet.

charts/tinyfilemanager/templates/NOTES.txt

@@ -0,0 +1,20 @@
+1. Tiny File Manager web application has been deployed.
+
+{{- if .Values.ingress.enabled }}
+   URL: https://{{ .Values.ingress.domain }}
+
+   TLS certificate will be issued automatically by cert-manager.
+   Watch progress with:
+     kubectl get certificate -n {{ .Release.Namespace }}
+     kubectl describe certificaterequest -n {{ .Release.Namespace }}
+{{- else }}
+   Port-forward to access locally:
+     kubectl port-forward svc/{{ include "tinyfilemanager.fullname" . }} 3000:3000 -n {{ .Release.Namespace }}
+   then open http://localhost:3000
+{{- end }}
+
+2. Check pod status:
+     kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "tinyfilemanager.name" . }}
+
+3. View logs:
+     kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "tinyfilemanager.name" . }} -f

charts/tinyfilemanager/templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tinyfilemanager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "tinyfilemanager.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Chart label.
+*/}}
+{{- define "tinyfilemanager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "tinyfilemanager.labels" -}}
+helm.sh/chart: {{ include "tinyfilemanager.chart" . }}
+{{ include "tinyfilemanager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "tinyfilemanager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "tinyfilemanager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/tinyfilemanager/templates/deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "tinyfilemanager.fullname" . }}
+  labels:
+    {{- include "tinyfilemanager.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{- include "tinyfilemanager.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        # forces a rollout when values change even if the image tag is the same
+        checksum/config: {{ toYaml .Values.env | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "tinyfilemanager.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          env:
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $val | quote }}
+            {{- end }}
+          {{- with .Values.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          {{- if .Values.resources }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Always

charts/tinyfilemanager/templates/hpa.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "tinyfilemanager.fullname" . }}
+  labels:
+    {{- include "tinyfilemanager.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "tinyfilemanager.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}

charts/tinyfilemanager/templates/ingress.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "tinyfilemanager.fullname" . }}
+  labels:
+    {{- include "tinyfilemanager.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.domain | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "tinyfilemanager.fullname" $ }}
+                port:
+                  name: http
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - secretName: tinyfilemanager-tls
+      hosts:
+        - {{ .Values.ingress.domain | quote }}
+  {{- end }}
+{{- end }}