From ca26f34542daf3943b0fb6c79f3b467269176b24 Mon Sep 17 00:00:00 2001
From: GeorgeRaven
Date: Thu, 5 Jun 2025 23:51:30 +0100
Subject: [PATCH] Added cyberchef
---
charts/cyberchef/.helmignore | 23 ++++++
charts/cyberchef/Chart.lock | 6 ++
charts/cyberchef/Chart.yaml | 29 +++++++
charts/cyberchef/README.md | 32 ++++++++
charts/cyberchef/values.yaml | 27 +++++++
.../infrastructure/templates/cyberchef.yaml | 75 +++++++++++++++++++
6 files changed, 192 insertions(+)
create mode 100644 charts/cyberchef/.helmignore
create mode 100644 charts/cyberchef/Chart.lock
create mode 100644 charts/cyberchef/Chart.yaml
create mode 100644 charts/cyberchef/README.md
create mode 100644 charts/cyberchef/values.yaml
create mode 100644 charts/infrastructure/templates/cyberchef.yaml
diff --git a/charts/cyberchef/.helmignore b/charts/cyberchef/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/cyberchef/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cyberchef/Chart.lock b/charts/cyberchef/Chart.lock
new file mode 100644
index 00000000..5fdce0b0
--- /dev/null
+++ b/charts/cyberchef/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cyberchef
+ repository: oci://registry.gitlab.com/georgeraven/raven-helm-charts
+ version: 0.1.0
+digest: sha256:9ba972bb786679e2f294169b841c941259e2dfe2d9e4c45342ddf1a8fb1de923
+generated: "2025-06-05T23:49:00.173004516+01:00"
diff --git a/charts/cyberchef/Chart.yaml b/charts/cyberchef/Chart.yaml
new file mode 100644
index 00000000..4bbd96d3
--- /dev/null
+++ b/charts/cyberchef/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: cyberchef
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+dependencies:
+- name: cyberchef
+ version: 0.1.0
+ repository: "oci://registry.gitlab.com/georgeraven/raven-helm-charts"
diff --git a/charts/cyberchef/README.md b/charts/cyberchef/README.md
new file mode 100644
index 00000000..1c70a799
--- /dev/null
+++ b/charts/cyberchef/README.md
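Review bot: `appVersion: "1.16.0"` and `description: A Helm chart for Kubernetes` look like untouched `helm create` scaffold values rather than metadata for the CyberChef release this wrapper deploys, which makes it hard to tell from the chart which upstream version is running when a CyberChef advisory comes out. Set `appVersion` to the CyberChef version shipped by the pinned `cyberchef` 0.1.0 dependency (that value is not visible in this diff) and replace the description with something like `description: Wrapper chart deploying CyberChef with a TLS ingress`. The scaffold comment block around `type:` and `version:` could be dropped at the same time.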
@@ -0,0 +1,32 @@
+# cyberchef
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://registry.gitlab.com/georgeraven/raven-helm-charts | cyberchef | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cyberchef.cyberchef.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"aux-issuer"` | |
+| cyberchef.cyberchef.ingress.enabled | bool | `true` | |
+| cyberchef.cyberchef.ingress.hosts[0].host | string | `"cyberchef.deepcypher.me"` | |
+| cyberchef.cyberchef.ingress.hosts[0].paths[0].path | string | `"/"` | |
+| cyberchef.cyberchef.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
+| cyberchef.cyberchef.ingress.tls[0].hosts[0] | string | `"cyberchef.deepcypher.me"` | |
+| cyberchef.cyberchef.ingress.tls[0].secretName | string | `"cyberchef.deepcypher.me-tls"` | |
+| environment.baseDomain | string | `"deepcypher.me"` | |
+| environment.contact.email | string | `"noreply@deepcypher.me"` | |
+| environment.contact.name | string | `"George Onoufriou"` | |
+| environment.hardware | string | `"metal"` | |
+| environment.location.name | string | `"unknown"` | |
+| environment.mode | string | `"production"` | |
+| environment.name | string | `"unknown"` | |
+| environment.revision | string | `"main"` | |
+
diff --git a/charts/cyberchef/values.yaml b/charts/cyberchef/values.yaml
new file mode 100644
index 00000000..ea3af704
--- /dev/null
+++ b/charts/cyberchef/values.yaml
@@ -0,0 +1,27 @@
+cyberchef:
+ cyberchef:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: "aux-issuer"
+ hosts:
+ - host: cyberchef.deepcypher.me
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: cyberchef.deepcypher.me-tls
+ hosts:
+ - cyberchef.deepcypher.me
+
+environment:
+ name: unknown # not to be used for hard checks but to display to user
+ hardware: metal # to be used to enable on-prem specific features like ceph, cilium, etc
+ mode: production # to be used to configure backup movement and additional debugging features
+ revision: main # to be used to pull from different git branches
+ baseDomain: deepcypher.me # to be used to override default chart domains to configure environments
+ location:
+ name: unknown # not to be used for hard checks purely informational
+ contact:
+ name: George Onoufriou
+ email: noreply@deepcypher.me
diff --git a/charts/infrastructure/templates/cyberchef.yaml b/charts/infrastructure/templates/cyberchef.yaml
new file mode 100644
index 00000000..ee0399a2
--- /dev/null
+++ b/charts/infrastructure/templates/cyberchef.yaml
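Review bot: The ingress hostname `cyberchef.deepcypher.me` is hard-coded three times (`hosts[0].host`, `tls[0].hosts[0]` and inside `secretName`), while `environment.baseDomain` is commented a few lines below as the knob for overriding chart domains. Because values.yaml is not templated, changing `baseDomain` alone will not move this ingress, so a non-production environment would presumably request a certificate for, and serve, the production hostname unless the parent Application overrides these keys. A comment such as `# host/tls are fixed here; baseDomain does not feed them, override per environment` would make that explicit, or the override can be set in the Application's `helm.values`. Separately, `pathType: ImplementationSpecific` leaves matching to the ingress controller; `pathType: Prefix` is the portable choice for `/`.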
@@ -0,0 +1,75 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cyberchef
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: ''
+ namespace: cyberchef
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: charts/cyberchef
+ repoURL: {{ .Values.global.repo }}
+ targetRevision: {{ .Values.environment.revision }}
+ helm:
+ values: |
+ {{- include "defaultEnvironment" . | indent 8 }}
+ {{- if eq .Values.environment.mode "staging" }}
+ {{- else if eq .Values.environment.mode "production" }}
+ {{- end }}
+ #project: cyberchef
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: cyberchef
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: Infra-level project to isolate cyberchef
+ # Allow manifests to deploy from any Git repos
+ sourceRepos:
+ - '*'
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: cyberchef
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
+ # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+ namespaceResourceBlacklist:
+ - group: ''
+ kind: ResourceQuota
+ - group: ''
+ kind: LimitRange
+ #- group: ''
+ # kind: NetworkPolicy
+ # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+ # namespaceResourceWhitelist:
+ # - group: 'apps'
+ # kind: Deployment
+ # - group: 'apps'
+ # kind: StatefulSet
+ roles:
+ # A role which provides read-only access to all applications in the project
+ - name: read-only
+ description: Read-only privileges to cyberchef
+ policies:
+ - p, proj:my-project:read-only, applications, get, cyberchef/*, allow
+ groups:
+ - my-oidc-group
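Review bot: The Application is assigned `project: default` with `#project: cyberchef` left commented out, so the AppProject declared in the second document is never applied to it and the destination and resource restrictions listed there do not constrain this app. Switching to `project: cyberchef` would put them in force; at that point `sourceRepos: - '*'` is worth narrowing to the one repository the app syncs from, e.g. `- {{ .Values.global.repo | quote }}`. The `read-only` role still carries example placeholders: its policy subject is `proj:my-project:read-only` and its group is `my-oidc-group`, so as written it is unlikely to grant what the description says and should read `- p, proj:cyberchef:read-only, applications, get, cyberchef/*, allow` with a real OIDC group, or the role should be dropped. Smaller points in the same file: `repoURL` and `targetRevision` take unquoted template output and are safer piped through `quote`, the staging/production `if` branches under `helm.values` are empty, and the comment above `destinations` still refers to the "guestbook" namespace.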