fix: ingress exposure missing information for it to work

ctfer-io · Jan 25, 2025 · 1b3e564 · 1b3e564
1 parent 1e63e14
commit 1b3e564
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 34 deletions.
diff --git a/examples/exposed-monopod/main.go b/examples/exposed-monopod/main.go
@@ -25,6 +25,14 @@ func main() {
 			Files: pulumi.StringMap{
 				"/app/flag.txt": variated,
 			},
+			// The following fits for a Traefik-based use case
+			IngressAnnotations: pulumi.ToStringMap(map[string]string{
+				"traefik.ingress.kubernetes.io/router.entrypoints": "web, websecure",
+			}),
+			IngressNamespace: pulumi.String("networking"),
+			IngressLabels: pulumi.ToStringMap(map[string]string{
+				"app": "traefik",
+			}),
 		}, opts...)
 		if err != nil {
 			return err

diff --git a/sdk/kubernetes/exposed-monopod.go b/sdk/kubernetes/exposed-monopod.go
@@ -51,7 +51,11 @@ type (
 		// WARNING: provisionning a file in a directory makes adjacent
 		// files unavailable.
 		// For more info, refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#populate-a-volume-with-data-stored-in-a-configmap
-		Files    pulumi.StringMapInput
+		Files pulumi.StringMapInput
+
+		// FromCIDR can be configured to specify an IP range that will
+		// be able to access the pod.
+		// TODO @NicoFgrx support it when ExposeIngress too
 		FromCIDR pulumi.StringPtrInput
 		fromCIDR pulumi.StringOutput
 
@@ -61,6 +65,14 @@ type (
 		// put on the ingress, if the `ExposeType` is set to
 		// `ExposeIngress`.
 		IngressAnnotations pulumi.StringMapInput
+
+		// IngressNamespace must be configured to the namespace in
+		// which the ingress (e.g. nginx, traefik) is deployed.
+		IngressNamespace pulumi.StringInput
+
+		// IngressLabels must be configured to the labels of the ingress
+		// pods (e.g. app=traefik, ...).
+		IngressLabels pulumi.StringMapInput
 	}
 
 	ExposeType int
@@ -264,6 +276,41 @@ func (emp *ExposedMonopod) provision(ctx *pulumi.Context, args *ExposedMonopodAr
 
 	// Specific exposures
 	switch args.ExposeType {
+	case ExposeNodePort:
+		emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{
+			Metadata: metav1.ObjectMetaArgs{
+				Labels: labels,
+				Name:   pulumi.Sprintf("emp-ntp-%s", args.Identity),
+			},
+			Spec: netwv1.NetworkPolicySpecArgs{
+				PodSelector: metav1.LabelSelectorArgs{
+					MatchLabels: labels,
+				},
+				PolicyTypes: pulumi.ToStringArray([]string{
+					"Ingress",
+				}),
+				Ingress: netwv1.NetworkPolicyIngressRuleArray{
+					netwv1.NetworkPolicyIngressRuleArgs{
+						From: netwv1.NetworkPolicyPeerArray{
+							netwv1.NetworkPolicyPeerArgs{
+								IpBlock: &netwv1.IPBlockArgs{
+									Cidr: args.fromCIDR,
+								},
+							},
+						},
+						Ports: netwv1.NetworkPolicyPortArray{
+							netwv1.NetworkPolicyPortArgs{
+								Port: args.Port,
+							},
+						},
+					},
+				},
+			},
+		}, opts...)
+		if err != nil {
+			return err
+		}
+
 	case ExposeIngress:
 		emp.ing, err = netwv1.NewIngress(ctx, "emp-ing", &netwv1.IngressArgs{
 			Metadata: metav1.ObjectMetaArgs{
@@ -309,40 +356,45 @@ func (emp *ExposedMonopod) provision(ctx *pulumi.Context, args *ExposedMonopodAr
 		if err != nil {
 			return err
 		}
-	}
 
-	emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{
-		Metadata: metav1.ObjectMetaArgs{
-			Labels: labels,
-			Name:   pulumi.Sprintf("emp-ntp-%s", args.Identity),
-		},
-		Spec: netwv1.NetworkPolicySpecArgs{
-			PodSelector: metav1.LabelSelectorArgs{
-				MatchLabels: labels,
+		emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{
+			Metadata: metav1.ObjectMetaArgs{
+				Labels: labels,
+				Name:   pulumi.Sprintf("emp-ntp-%s", args.Identity),
 			},
-			PolicyTypes: pulumi.ToStringArray([]string{
-				"Ingress",
-			}),
-			Ingress: netwv1.NetworkPolicyIngressRuleArray{
-				netwv1.NetworkPolicyIngressRuleArgs{
-					From: netwv1.NetworkPolicyPeerArray{
-						netwv1.NetworkPolicyPeerArgs{
-							IpBlock: &netwv1.IPBlockArgs{
-								Cidr: args.fromCIDR,
+			Spec: netwv1.NetworkPolicySpecArgs{
+				PodSelector: metav1.LabelSelectorArgs{
+					MatchLabels: labels,
+				},
+				PolicyTypes: pulumi.ToStringArray([]string{
+					"Ingress",
+				}),
+				Ingress: netwv1.NetworkPolicyIngressRuleArray{
+					netwv1.NetworkPolicyIngressRuleArgs{
+						From: netwv1.NetworkPolicyPeerArray{
+							netwv1.NetworkPolicyPeerArgs{
+								NamespaceSelector: metav1.LabelSelectorArgs{
+									MatchLabels: pulumi.StringMap{
+										"kubernetes.io/metadata.name": args.IngressNamespace,
+									},
+								},
+								PodSelector: metav1.LabelSelectorArgs{
+									MatchLabels: args.IngressLabels,
+								},
 							},
 						},
-					},
-					Ports: netwv1.NetworkPolicyPortArray{
-						netwv1.NetworkPolicyPortArgs{
-							Port: args.Port,
+						Ports: netwv1.NetworkPolicyPortArray{
+							netwv1.NetworkPolicyPortArgs{
+								Port: args.Port,
+							},
 						},
 					},
 				},
 			},
-		},
-	}, opts...)
-	if err != nil {
-		return err
+		}, opts...)
+		if err != nil {
+			return
+		}
 	}
 
 	return nil

diff --git a/webdocs/challmaker-guides/software-development-kit/index.md b/webdocs/challmaker-guides/software-development-kit/index.md
@@ -62,15 +62,15 @@ func main() {
 		cm, err := kubernetes.NewExposedMonopod(req.Ctx, &kubernetes.ExposedMonopodArgs{
 			Image:      pulumi.String("myprofile/my-challenge:latest"),
 			Port:       pulumi.Int(8080),
-			ExposeType: kubernetes.ExposeIngress,
+			ExposeType: kubernetes.ExposeNodePort,
 			Hostname:   pulumi.String("brefctf.ctfer.io"),
 			Identity:   pulumi.String(req.Config.Identity),
 		}, opts...)
 		if err != nil {
 			return err
 		}
 
-		resp.ConnectionInfo = pulumi.Sprintf("curl -v https://%s", cm.URL)
+		resp.ConnectionInfo = pulumi.Sprintf("curl -v http://%s", cm.URL)
 		return nil
 	})
 }

diff --git a/webdocs/tutorials/a-complete-example/index.md b/webdocs/tutorials/a-complete-example/index.md
@@ -92,11 +92,18 @@ import (
 func main() {
 	sdk.Run(func(req *sdk.Request, resp *sdk.Response, opts ...pulumi.ResourceOption) error {
 		cm, err := kubernetes.NewExposedMonopod(req.Ctx, &kubernetes.ExposedMonopodArgs{
-			Image:      pulumi.String("account/challenge:latest"), // challenge Docker image
-			Port:       pulumi.Int(8080),                          // pod listens on port 8080
-			ExposeType: kubernetes.ExposeIngress,                  // expose the challenge through an ingress (HTTP)
-			Hostname:   pulumi.String("brefctf.ctfer.io"),         // CTF hostname
-			Identity:   pulumi.String(req.Config.Identity),        // identity will be prepended to hostname
+			Image:              pulumi.String("account/challenge:latest"), // challenge Docker image
+			Port:               pulumi.Int(8080),                          // pod listens on port 8080
+			ExposeType:         kubernetes.ExposeIngress,                  // expose the challenge through an ingress (HTTP)
+			Hostname:           pulumi.String("brefctf.ctfer.io"),         // CTF hostname
+			Identity:           pulumi.String(req.Config.Identity),        // identity will be prepended to hostname
+            IngressAnnotations: pulumi.ToStringMap(map[string]string{      // annotations for the ingress to target the service
+				"traefik.ingress.kubernetes.io/router.entrypoints": "web, websecure",
+			}),
+			IngressNamespace: pulumi.String("networking"),       // the namespace in which the ingress is deployed 
+			IngressLabels: pulumi.ToStringMap(map[string]string{ // the labels of the ingress pods
+				"app": "traefik",
+			}),
 		}, opts...)
 		if err != nil {
 			return err