
Setup your secrets in Azure

In this setup we integrate the secrets exercise with Azure AKS and let pods consume secrets from an Azure Key Vault. If you want to know more about integrating secrets with AKS, check this link. Please make sure that the account in which you run this exercise has either Log Analytics enabled, or is not linked to your current subscriptions and/or DTAP environment.


Have the following tools installed:

Make sure you have an active subscription at Azure for which you have configured the credentials on the system where you will execute the steps below.

Please note that this setup relies on bash scripts that have been tested on macOS and Linux. We have no intention of supporting vanilla Windows at the moment.


Note-I: We create resources in East US by default. You can set the region by editing terraform.tfvars.

Note-II: Access to the cluster you create is bound to the public IP address of the creator. In other words: if you apply this code locally, only your current public IP address can reach the cluster. If you switch to a different network, you will need to run terraform apply again to update the firewall rules.
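An added check for Note-II (example script, not part of this repository): it compares your current public IP with the API server allow-list of the deployed cluster, so you know a re-apply is needed before kubectl starts timing out. It assumes the allow-list is readable from az aks show under apiServerAccessProfile.authorizedIpRanges and uses api.ipify.org to learn the public IP; adjust both if your setup differs.

```shell
#!/usr/bin/env bash
# Added example: verify that the current public IP is still inside the AKS
# API server allow-list created by this Terraform (see Note-II above).

ip_to_int() {  # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {  # ip_in_cidr 203.0.113.7 203.0.113.0/24 ; a bare IP is treated as /32
  local ip=$1 net=${2%%/*} bits=${2#*/} mask
  case "$2" in */*) ;; *) bits=32 ;; esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

check_aks_access() {  # check_aks_access <resource-group> <cluster-name>
  local ip ranges r
  ip=$(curl -fsS https://api.ipify.org) || { echo "could not determine public IP" >&2; return 2; }
  # assumption: the allow-list lives in apiServerAccessProfile.authorizedIpRanges
  ranges=$(az aks show -g "$1" -n "$2" \
           --query "apiServerAccessProfile.authorizedIpRanges[]" -o tsv) || return 2
  for r in $ranges; do
    if ip_in_cidr "$ip" "$r"; then
      echo "ok: $ip is covered by authorized range $r"
      return 0
    fi
  done
  echo "blocked: $ip is not in [$(printf '%s ' $ranges)]; run 'terraform apply' again" >&2
  return 1
}
```

Source the file and call check_aks_access with the resource group and cluster name from the Terraform outputs.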

(Optional) Multi-user setup: shared state

If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using an Azure storage container.

First, enable the Microsoft.Storage API (if it isn't already) using:

az provider register --namespace Microsoft.Storage

Then, apply the Terraform (optionally add -var="region=YOUR_DESIRED_REGION" to the apply to use a region other than the default East US):

cd shared-state
terraform init
terraform apply

The storage account name should be in the output. Use it to configure the Terraform backend by uncommenting the backend "azurerm" part inside the terraform block and assigning storage_account_name the value from the output.

Note: You'll need to follow the description below in step 1 for the "existing resource group" i.e., use the azurerm_resource_group.default resource.


  1. Either create a new resource group or use an existing one (it defaults to the existing OWASP-Projects resource group). Note that you'll need to find/replace references to azurerm_resource_group.default with data.azurerm_resource_group.default if you want to create a new one.
  2. Check whether you have the right project by doing az account show (after az login). Want to set the project as your default? Use az account set --subscription <.id here>.
  3. If not yet enabled, register the required services for the subscription, run:
        az provider register --namespace Microsoft.ContainerService
        az provider register --namespace Microsoft.KeyVault
        az provider register --namespace Microsoft.ManagedIdentity
  1. Run terraform init (if required, use tfenv to select TF 0.14.0 or higher).
  2. Run terraform plan to see what will be created (optional).
  3. Run terraform apply. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
  4. Run ./; your kubeconfig file will be updated automatically.
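An added helper script (not part of this repository) that covers the shared-state backend from the section above and the provider registration in step 3, with the check those steps leave implicit: az provider register is asynchronous, so the script polls registrationState until it reads Registered before terraform runs. It assumes the shared-state stack exposes its storage account as a Terraform output named storage_account_name and that the backend "azurerm" block stays in the terraform block; instead of editing that block by hand it passes the values with -backend-config.

```shell
#!/usr/bin/env bash
# Added example: make provider registration and shared-state wiring explicit.

REQUIRED_PROVIDERS="Microsoft.ContainerService Microsoft.KeyVault Microsoft.ManagedIdentity"
POLL_SECONDS=${POLL_SECONDS:-10}   # interval between registrationState checks
MAX_POLLS=${MAX_POLLS:-30}         # give up after MAX_POLLS * POLL_SECONDS

provider_state() {  # prints Registered | Registering | NotRegistered | Unregistering
  az provider show --namespace "$1" --query registrationState -o tsv
}

ensure_provider() {  # ensure_provider <namespace>: register if needed, wait until usable
  local ns=$1 i=0
  while [ "$(provider_state "$ns")" != "Registered" ]; do
    if [ "$i" -eq 0 ]; then az provider register --namespace "$ns" >/dev/null; fi
    i=$((i + 1))
    if [ "$i" -gt "$MAX_POLLS" ]; then
      echo "$ns is still not Registered after $((MAX_POLLS * POLL_SECONDS))s" >&2
      return 1
    fi
    sleep "$POLL_SECONDS"
  done
  echo "$ns: Registered"
}

backend_config_args() {  # backend_config_args <storage-account> <resource-group>; prints init flags
  # assumption: the shared-state stack created a container named "tfstate" in that account
  printf '%s\n' \
    "-backend-config=resource_group_name=$2" \
    "-backend-config=storage_account_name=$1" \
    "-backend-config=container_name=tfstate" \
    "-backend-config=key=wrongsecrets-aks.tfstate"
}

deploy() {  # deploy [<resource-group-of-the-shared-state-storage-account>]
  local ns account
  echo "subscription: $(az account show --query id -o tsv)"
  for ns in $REQUIRED_PROVIDERS; do ensure_provider "$ns" || return 1; done
  if [ -n "${1-}" ]; then
    account=$(terraform -chdir=shared-state output -raw storage_account_name)
    # shellcheck disable=SC2046  (each flag is one word, splitting is intended)
    terraform init -reconfigure $(backend_config_args "$account" "$1")
  else
    terraform init
  fi
  terraform plan -out=tfplan && terraform apply tfplan
}
```

Source the file and run deploy (optionally with the resource group of the shared-state storage account) from the directory that holds this Terraform.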

Your AKS cluster should be visible in your resource group. Want a different region? You can modify terraform.tfvars or input it directly using the region variable in plan/apply.

Are you done playing? Please run terraform destroy twice to clean up.

Test it

When you have completed the installation steps, you can do kubectl port-forward service/wrongsecrets-balancer 3000:3000 and then go to http://localhost:3000.

Want to know how well your cluster is holding up? Check with

    kubectl top nodes
    kubectl top pods

Configuring CTFd

You can use the Juiceshop CTF CLI to generate CTFd configuration files.

Follow the following steps:

    npm install -g juice-shop-ctf-cli@10.0.1
    juice-shop-ctf  # choose ctfd and as domain. No trailing slash! The key is 'test' by default; feel free to enable hints. We do not support snippets or links/URLs to code or hints.

Now visit the CTFd instance and set up your CTF. To test things locally before setting up a load balancer/ingress, you can use kubectl port-forward -n ctfd $(kubectl get pods --namespace ctfd -l "," -o jsonpath="{.items[0].metadata.name}") 8000:8000 and go to localhost:8000 to visit CTFd.

!!NOTE: The following can be dangerous if you use CTFd >= 3.5.0 with wrongsecrets < 1.5.11: check the challenges.json and make sure it is 1-indexed; a 0-indexed file will break CTFd! /NOTE!!
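A small added check for the note above (example script, not from the project): it finds the lowest numeric "id" in a challenges.json and fails when that is 0, so a 0-indexed export is caught before it reaches CTFd. It assumes the zip produced by juice-shop-ctf keeps the file at db/challenges.json inside the archive.

```shell
#!/usr/bin/env bash
# Added example: refuse a CTFd import file whose challenge ids start at 0.

lowest_challenge_id() {  # lowest_challenge_id <challenges.json>; prints the smallest "id" value
  grep -oE '"id"[[:space:]]*:[[:space:]]*[0-9]+' "$1" | grep -oE '[0-9]+$' | sort -n | head -n 1
}

check_one_indexed() {  # check_one_indexed <challenges.json>; 0 = safe, 1 = 0-indexed, 2 = no ids
  local lowest
  lowest=$(lowest_challenge_id "$1")
  if [ -z "$lowest" ]; then
    echo "$1: no challenge ids found" >&2
    return 2
  elif [ "$lowest" -eq 0 ]; then
    echo "$1: 0-indexed (lowest id 0); CTFd >= 3.5.0 will break on import" >&2
    return 1
  fi
  echo "$1: 1-indexed (lowest id $lowest)"
}

check_export_zip() {  # check_export_zip <ctfd-export.zip>; assumption: file is at db/challenges.json
  local tmp rc
  tmp=$(mktemp) || return 2
  unzip -p "$1" db/challenges.json > "$tmp" && check_one_indexed "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```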

Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command. After that you will still need to override the flags with their actual values if you use the 2-domain configuration. For a guide on how to do this, see the 2-domain setup steps in the general README. Want to set up your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.

Want to make the CTFd instance look pretty? Include the fragment located at ./k8s/ctfd_resources/index_fragment.html in your index.html via the admin panel.

If you want to share with others go to the When you want to share your environment with others (experimental) section.

Configuring the application

On the front page of the application you can edit the description to reference the right URLs and the displayed image. Use the following:

helm upgrade --install wrongsecrets ../helm/wrongsecrets-ctf-party \
  --set="balancer.env.REACT_APP_MOVING_GIF_LOGO=<>" \
  --set="balancer.env.REACT_APP_HEROKU_WRONGSECRETS_URL=<>" \
  --set="balancer.env.REACT_APP_CTFD_URL='<>'"

Monitoring the cluster

For a guide on how to use the monitoring setup, see the monitoring guide.

Clean it up

When you're done:

  1. Kill the port forward.
  2. Run terraform destroy to clean up the infrastructure. Note that you may need to repeat the destroy to fully clean up.
  3. If you've used the shared state, cd to the shared-state folder and run terraform destroy there too.
  4. Run rm* to remove local state files.

A few things to consider

  1. Does your worker node now have access as well?
  2. Can you easily obtain the AKS managed identity of the Node?
  3. Can you get the secrets in the Key vault? Which paths do you see?

When you want to share your environment with others (experimental)

We added additional scripts for adding a Load Balancer and ingress so that you can use your cloud setup with multiple people. Do the following:

  1. Follow the installation section first.
  2. Run ./ and the script will return the URL at which you can reach the application. (Be aware that this opens the URLs to the internet in general; if you'd like to limit the access, please do this using the security groups in Azure.)
  3. When you are done, before you do cleanup, first run ./

Note that you might have to do some manual cleanups after that.

Terraform documentation

The documentation below is auto-generated to give insight on what's created via Terraform.

Resources:

| Name | Type |
|------|------|
| azurerm_key_vault.vault | resource |
| azurerm_key_vault_access_policy.extra_identity_access | resource |
| azurerm_key_vault_access_policy.identity_access | resource |
| azurerm_key_vault_access_policy.user | resource |
| azurerm_key_vault_secret.wrongsecret_1 | resource |
| azurerm_key_vault_secret.wrongsecret_2 | resource |
| azurerm_key_vault_secret.wrongsecret_3 | resource |
| azurerm_kubernetes_cluster.cluster | resource |
| azurerm_resource_group.default | resource |
| azurerm_role_assignment.aks_extra_identity_operator | resource |
| azurerm_role_assignment.aks_identity_operator | resource |
| azurerm_role_assignment.aks_vm_contributor | resource |
| azurerm_user_assigned_identity.aks_extra_pod_identity | resource |
| azurerm_user_assigned_identity.aks_pod_identity | resource |
| random_integer.suffix | resource |
| random_password.password | resource |
| random_string.suffix | resource |
| azurerm_client_config.current | data source |
| http_http.ip | data source |

Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cluster_name | The AKS cluster name | string | "wrongsecrets-exercise-cluster" | no |
| cluster_version | The AKS cluster version to use | string | "1.30" | no |
| region | The Azure region to use | string | "East US" | no |

Outputs:

| Name | Description |
|------|-------------|
| aad_extra_pod_identity_client_id | Client ID for the Managed Identity for AAD Pod Identity |
| aad_extra_pod_identity_resource_id | Resource ID for the Managed Identity for AAD Pod Identity |
| aad_pod_identity_client_id | Client ID for the Managed Identity for AAD Pod Identity |
| aad_pod_identity_resource_id | Resource ID for the Managed Identity for AAD Pod Identity |
| cluster_name | AKS Cluster name |
| key_vault_url | Azure KeyVault URI for the Demo Container |
| resource_group | Resource group name |
| tenant_id | Azure tenant ID |
| vault_name | Vault name |
| vault_uri | Vault URI |