To ensure MultiJuicer runs as smoothly during your CTF's / trainings / workshops, heres a list of things you might want to make sure is configured correctly before you run MultiJuicer in "production".
- Set
.balancer.cookie.cookieParserSecretto a random alpha-numeric value (recommended length 24 chars), this value is used to sign cookies. If you don't set this, eachhelm upgradeyou run will generate a new one, which invalidates all user sessions, forcing users to rejoin their team. - As you are running this with https (right?), you should set
balancer.cookie.securetotrue. This marks the cookie used to associate a browser with a team to transmitted via https only. - Make sure the value you have configured for
juiceShop.maxInstancesfits your CTF / training / whatever you are running. The default is set to only allow 10 instances. Set to -1 to remove any restrictions. - Set
balancer.replicasto at least 2, so that you have at least one fall back JuiceBalancer when one crashes or the node it lives on goes down. - When running a CTF with JuiceShop challenge flags, make sure to change
juiceShop.ctfKeyfrom the default. Otherwise users will be able to generate their own flags relatively easily. Additionally, include thejuiceShop.nodeEnvvalue and specify it as "ctf". This way, it will generate flags for the CTF event. The default behavior is to not generate them. - When using prometheus metrics, e.g. when you have followed the Monitoring SetUp Guide you'll want to change
balancer.metrics.basicAuth.passwordto a non default values. Otherwise users can use the default value to access the technical metrics of the JuiceBalancer pods.
Add SecurityContext and PodSecurityContext further isolate and secure your training platform.
Here's a example helm values file:
balancer:
replicas: 3
cookie:
cookieParserSecret: "THIS_IS_A_EXAMPLE_DONT_USE_THIS_AS_THE_ACTUAL_SECRET"
secure: true
metrics:
basicAuth:
password: "ROTATE_THIS_YOU_LAZY_ASS"
juiceShop:
maxInstances: 42
nodeEnv: "ctf"
ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE"