Added cyberchef

charts/cyberchef/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cyberchef/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cyberchef
+  repository: oci://registry.gitlab.com/georgeraven/raven-helm-charts
+  version: 0.1.0
+digest: sha256:9ba972bb786679e2f294169b841c941259e2dfe2d9e4c45342ddf1a8fb1de923
+generated: "2025-06-05T23:49:00.173004516+01:00"

charts/cyberchef/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: cyberchef
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+dependencies:
+- name: cyberchef
+  version: 0.1.0
+  repository: "oci://registry.gitlab.com/georgeraven/raven-helm-charts"

charts/cyberchef/README.md

@@ -0,0 +1,32 @@
+# cyberchef
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://registry.gitlab.com/georgeraven/raven-helm-charts | cyberchef | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cyberchef.cyberchef.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"aux-issuer"` |  |
+| cyberchef.cyberchef.ingress.enabled | bool | `true` |  |
+| cyberchef.cyberchef.ingress.hosts[0].host | string | `"cyberchef.deepcypher.me"` |  |
+| cyberchef.cyberchef.ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| cyberchef.cyberchef.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| cyberchef.cyberchef.ingress.tls[0].hosts[0] | string | `"cyberchef.deepcypher.me"` |  |
+| cyberchef.cyberchef.ingress.tls[0].secretName | string | `"cyberchef.deepcypher.me-tls"` |  |
+| environment.baseDomain | string | `"deepcypher.me"` |  |
+| environment.contact.email | string | `"noreply@deepcypher.me"` |  |
+| environment.contact.name | string | `"George Onoufriou"` |  |
+| environment.hardware | string | `"metal"` |  |
+| environment.location.name | string | `"unknown"` |  |
+| environment.mode | string | `"production"` |  |
+| environment.name | string | `"unknown"` |  |
+| environment.revision | string | `"main"` |  |
+

charts/cyberchef/values.yaml

@@ -0,0 +1,27 @@
+cyberchef:
+  cyberchef:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "aux-issuer"
+      hosts:
+        - host: cyberchef.deepcypher.me
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+      - secretName: cyberchef.deepcypher.me-tls
+        hosts:
+          - cyberchef.deepcypher.me
+
+environment:
+  name: unknown # not to be used for hard checks but to display to user
+  hardware: metal # to be used to enable on-prem specific features like ceph, cilium, etc
+  mode: production # to be used to configure backup movement and additional debugging features
+  revision: main # to be used to pull from different git branches
+  baseDomain: deepcypher.me # to be used to override default chart domains to configure environments
+  location:
+    name: unknown # not to be used for hard checks purely informational
+  contact:
+    name: George Onoufriou
+    email: noreply@deepcypher.me

charts/infrastructure/templates/cyberchef.yaml

@@ -0,0 +1,75 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cyberchef
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: ''
+    namespace: cyberchef
+    server: 'https://kubernetes.default.svc'
+  source:
+    path: charts/cyberchef
+    repoURL: {{ .Values.global.repo }}
+    targetRevision: {{ .Values.environment.revision }}
+    helm:
+      values: |
+        {{- include "defaultEnvironment" . | indent 8 }}
+        {{- if eq .Values.environment.mode "staging" }}
+        {{- else if eq .Values.environment.mode "production" }}
+        {{- end }}
+  #project: cyberchef
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: cyberchef
+  namespace: argocd
+  # Finalizer that ensures that project is not deleted until it is not referenced by any application
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: Infra-level project to isolate cyberchef
+  # Allow manifests to deploy from any Git repos
+  sourceRepos:
+  - '*'
+  # Only permit applications to deploy to the guestbook namespace in the same cluster
+  destinations:
+  - namespace: cyberchef
+    server: https://kubernetes.default.svc
+  # Deny all cluster-scoped resources from being created, except for Namespace
+  clusterResourceWhitelist:
+  - group: ''
+    kind: Namespace
+  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+  namespaceResourceBlacklist:
+  - group: ''
+    kind: ResourceQuota
+  - group: ''
+    kind: LimitRange
+  #- group: ''
+  #  kind: NetworkPolicy
+  # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+  # namespaceResourceWhitelist:
+  # - group: 'apps'
+  #   kind: Deployment
+  # - group: 'apps'
+  #   kind: StatefulSet
+  roles:
+  # A role which provides read-only access to all applications in the project
+  - name: read-only
+    description: Read-only privileges to cyberchef
+    policies:
+    - p, proj:my-project:read-only, applications, get, cyberchef/*, allow
+    groups:
+    - my-oidc-group