fix: automated deployment via Actions

.env

@@ -11,8 +11,8 @@ export CTFD_SECRET_KEY=""
 export JUICE_FQDN=""
 # Max. number of JuiceShop instances that can be spawned (optional, defaults to 5)
 # export MAX_INSTANCES=5
-# Email address to receive TLS certificate expiration notices from LetsEncrypt (optional, but must be set)
-export TLS_CERT_EMAIL="noreply-cert@juicesh.op"
+# Email address to receive TLS certificate expiration notices from LetsEncrypt (required, must use a valid domain)
+export TLS_CERT_EMAIL=""
 
 # Password for the CTFd admin user (required)
 export CTFD_ADMIN_PASSWORD=""

.github/workflows/configure-ctfd.yaml

@@ -1,4 +1,4 @@
-name: Deploy CTF services on Azure Kubernetes Service
+name: Configure the CTFd instance
 on:
   workflow_dispatch:
     inputs:
@@ -29,6 +29,9 @@ jobs:
     name: Configure CTFd
     runs-on: ubuntu-latest
     environment: ${{ inputs.ENVIRONMENT }}
+    env:
+      AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+      AZURE_DNS_NAME: ${{ vars.AZURE_DNS_NAME }}
     steps:
       - name: Run az login
         uses: azure/login@v1
@@ -60,6 +63,8 @@ jobs:
       - name: Configure the CTFd instance
         env:
           CTF_KEY: ${{ secrets.CTF_KEY }}
+          COOKIE_SECRET: ${{ secrets.COOKIE_SECRET }}
+          CTFD_SECRET_KEY: ${{ secrets.CTFD_SECRET_KEY }}
           JUICE_FQDN: ${{ vars.JUICE_FQDN }}
           CTFD_ADMIN_PASSWORD: ${{ secrets.CTFD_ADMIN_PASSWORD }}
           CTF_NAME: ${{ vars.CTF_NAME }}

ingress.yaml

@@ -10,7 +10,7 @@ spec:
   tls:
   - hosts:
     - $JUICE_FQDN
-    secretName: juice-tls-secret
+    secretName: $JUICE_TLS_SECRET_NAME
   rules:
   - host: $JUICE_FQDN
     http:

manage-ctfd.sh

@@ -6,7 +6,7 @@ SCRIPT_NAME=$(basename "$0")
 ### Required variables ###
 # Key used to generate the challenge flags. Should be rotated between CTF-events
 CTF_KEY="${CTF_KEY:?Missing required environment variable.}"
-# FQDN (Fully Qualified Domain Name) at which the setup is accessible
+# FQDN (Fully Qualified Domain Name) at which the setup is accessible (used for TLS and routing)
 JUICE_FQDN="${JUICE_FQDN:?Missing required environment variable.}"
 # Password for the CTFd admin user (CTFD_ADMIN_USERNAME)
 CTFD_ADMIN_PASSWORD="${CTFD_ADMIN_PASSWORD:?Missing required environment variable}"
@@ -61,16 +61,25 @@ if ! command -v "$_JUICESHOP_CLI_BINARY" &> /dev/null; then
   exit 1
 fi
 __REQUIRED_BINARIES=(
-    "kubectl"
-    "curl"
-    "jq"
+  "kubectl"
+  "curl"
+  "jq"
 )
 # Check that all required binaries are present
 for __REQ_PKG in "${__REQUIRED_BINARIES[@]}"; do
-    if ! which "$__REQ_PKG" &> /dev/null ; then
-        echo "ERROR: Missing required package '$__REQ_PKG'"
-        exit 1
-    fi
+  if ! which "$__REQ_PKG" &> /dev/null ; then
+    echo "ERROR: Missing required package '$__REQ_PKG'"
+    exit 1
+  fi
+done
+__REQ_BASH_UTILS=(
+  "mapfile"
+)
+for __REQ_UTIL in "${__REQ_BASH_UTILS[@]}"; do
+  if ! command -v "$__REQ_UTIL" &> /dev/null; then
+    echo "ERROR: Missing bash utility '$__REQ_UTIL'. Please upgrade bash before proceeding."
+    exit 1
+  fi
 done
 
 # Variables
@@ -178,7 +187,7 @@ function create_tunnel_to_pod() {
     failure "ERROR: In order to import the challenges from juice-shop, an instance of juice-shop must be running."
     fatal "Please navigate to the multi-juicer instance and create a new team to deploy a new instance, then re-run this script once the instance is ready."
   fi
-  (kubectl port-forward "$POD_NAME" "$_PORT_LOCAL:3000" &> /dev/null)&
+  (kubectl port-forward "$POD_NAME" "$_PORT_LOCAL:3000")&
   echo $! > "$_PIDFILE_PATH"
 }
 

manage-multijuicer.sh

@@ -13,6 +13,8 @@ COOKIE_SECRET="${COOKIE_SECRET:?Missing required environment variable.}"
 CTFD_SECRET_KEY="${CTFD_SECRET_KEY:?Missing required environment variable.}"
 # FQDN (Fully Qualified Domain Name) at which the setup is accessible (used for TLS)
 JUICE_FQDN="${JUICE_FQDN:?Missing required environment variable.}"
+# Email address to receive TLS certificate expiration notices from LetsEncrypt (required, must use a valid domain)
+TLS_CERT_EMAIL="${TLS_CERT_EMAIL:?Missing required environment variable.}"
 
 ### Default variables ###
 ## MultiJuicer / JuiceShop
@@ -132,6 +134,8 @@ __MONITORING_ENABLED="true"
 if [ "$MANAGE_MONITORING" -eq 0 ]; then
     __MONITORING_ENABLED="false"
 fi
+# Name for the TLS secret
+JUICE_TLS_SECRET_NAME=juice-tls-secret
 
 # Container Registry vars
 K8S_CONTAINER_REGISTRY="registry.k8s.io"
@@ -255,6 +259,15 @@ function apply_ingress() {
     < ingress.yaml envsubst | kubectl apply -f -
 }
 
+function wait_for_tls_cert() {
+  # Wait for juice-tls-secret to be ready...
+  info "Waiting for TLS (HTTPS) certificate to be ready..."
+  # Wait for certificate creation
+  sleep 2
+  # Wait for Ready condition
+  kubectl wait certificate --for=condition=Ready --timeout=120s "$JUICE_TLS_SECRET_NAME"
+}
+
 function deploy_monitoring() {
     info "Deploying monitoring services"
     # Add the helm repository for prometheus
@@ -374,6 +387,7 @@ function up() {
     deploy_cert_manager && success
     apply_cluster_issuer && success
     apply_ingress && success
+    wait_for_tls_cert && success
     info "DONE"
 }