Deploy containers to kCTF #35
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy containers to kCTF | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| jobs: | |
| # based on https://github.com/google/kctf/blob/5d0f830d6adae029322570601f145a1866a50669/.github/workflows/update-images.yaml#L205 | |
| main: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| packages: write | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ vars.KCTF_IDENTITY }} | |
| - uses: google-github-actions/setup-gcloud@v2 | |
| with: | |
| install_components: gke-gcloud-auth-plugin | |
| - uses: docker/[email protected] | |
| id: buildkit | |
| - name: Get auth params for buildx cache | |
| uses: crazy-max/[email protected] | |
| - name: Deploy containers | |
| run: | | |
| curl -sSL https://kctf.dev/sdk | tar xz | |
| source kctf/activate | |
| docker buildx use ${{ steps.buildkit.outputs.name }} | |
| docker buildx ls | |
| docker() { | |
| if [ "$1" = "build" ]; then | |
| command docker buildx build --cache-from type=gha --cache-to type=gha,mode=max "${@:2}" | |
| else | |
| command docker "$@" | |
| fi | |
| } | |
| mkdir kctf/config | |
| echo "${{ vars.KCTF_CONFIG }}" | tr '\r\n' '\n' > kctf/config/kctf-cluster | |
| source kctf/config/kctf-cluster | |
| gcloud auth configure-docker $REGISTRY | |
| kctf cluster load kctf-cluster | |
| shopt -s extglob | |
| for template in !(kctf)/*/; do | |
| pushd $template | |
| if [[ ! -e "challenge.yaml" ]]; then | |
| continue | |
| fi | |
| if [[ -e "challenge/Makefile" ]]; then | |
| make -C "challenge" | |
| fi | |
| CHALLENGE_NAME="$("${KCTF_BIN}/yq" eval '.metadata.name' challenge.yaml)" | |
| echo "starting challenge ${CHALLENGE_NAME}" | |
| kctf chal start | |
| echo "challenge started, waiting for it to become available" | |
| # We want to wait for the deployment to be available, but it | |
| # might not have been created yet by the operator and wait will fail. | |
| # So try to "kubectl get" the challenge a few times to make sure it exists. | |
| # Ideally, we would expose the condition in the operator but I | |
| # don't think that's currently possible. | |
| for i in {1..5}; do | |
| kubectl get "deployment/${CHALLENGE_NAME}" && break | |
| echo "deployment/${CHALLENGE_NAME} doesn't exist yet, sleeping" | |
| sleep 5 | |
| done | |
| kubectl wait --for=condition=available --timeout=5m "deployment/${CHALLENGE_NAME}" | |
| popd | |
| done | |
| - name: Setup GitHub container registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Push container images to GitHub | |
| run: |- | |
| source kctf/config/.lastconfig | |
| images=$(docker images $REGISTRY/*:latest --format "{{.Repository}}") | |
| for image in $images; do | |
| lowercase=${GITHUB_REPOSITORY_OWNER,,} | |
| newtag=${image//$REGISTRY/ghcr\.io\/$lowercase}:latest | |
| docker tag $image:latest $newtag | |
| docker push $newtag | |
| done |