Deployment
Categories:
You can deploy the Chall-Manager in many ways. The following table summarize the properties of each one.
| Name | Maintained | Isolation | Scalable | Janitor |
|---|---|---|---|---|
| Kubernetes | ✅ | ✅ | ✅ | ✅ |
| Binary | ⛏️ | ❌¹ | ❌ | ✅ |
| Docker | ❌ | ✅ | ✅² | ✅ |
- ✅ Supported
- ❌ Unsupported
- ⛏️ Work In Progress…
¹ We do not harden the configuration in the installation script, but recommend you digging into it more as your security model requires it (especially for production purposes).
² Autoscaling is possible with an hypervisor (e.g. Docker Swarm).
Kubernetes
Note
We highly recommend the use of this deployment strategy.
We use it to test the chall-manager, and will ease parallel deployments.
This deployment strategy guarantee you a valid infrastructure regarding our functionalities and security guidelines. Moreover, if you are afraid of Pulumi you’ll have trouble creating scenarios, so it’s a good place to start !
The requirements are:
- a distributed block storage solution such as Longhorn, if you want replicas.
- an OpenTelemetry Collector, if you want telemetry data.
# Get the repository and its own Pulumi factory
git clone git@github.com:ctfer-io/chall-manager.git
cd chall-manager/deploy
# Use it straightly !
# Don't forget to configure your stack if necessary.
# Refer to Pulumi's doc if necessary.
pulumi up
Now, you’re done !
Micro Services Architecture of chall-manager deployed in a Kubernetes cluster.
Binary
Security
We highly discourage the use of this mode for production purposes, as it does not guarantee proper isolation. The chall-manager is basically a RCE-as-a-Service carrier, so if you run this on your host machine, prepare for dramatic issues.To install it on a host machine as systemd services and timers, you can run the following script.
curl -fsSL https://github.com/ctfer-io/chall-manager/blob/main/hack/setup.sh | sh
It requires:
jqslsa-verifier- a privileged account
Don’t forget that chall-manager requires Pulumi to be installed.
Docker
If you are unsatisfied of the way the binary install works on installation, unexisting update mecanisms or isolation, the Docker install may fit your needs.
To deploy it using Docker images, you can use the official images:
You can verify their integrity using the following commands.
slsa-verifier slsa-verifier verify-image "ctferio/chall-manager:<tag>@sha256:<digest>" \
--source-uri "github.com/ctfer-io/chall-manager" \
--source-tag "<tag>"
slsa-verifier slsa-verifier verify-image "ctferio/chall-manager-janitor:<tag>@sha256:<digest>" \
--source-uri "github.com/ctfer-io/chall-manager" \
--source-tag "<tag>"
We let the reader deploy it as (s)he needs it, but recommend you take a look at how we use systemd services and timers in the binary setup.sh script.
Additionally, we recommend you create a specific network to isolate the docker images from other adjacent services.
Feedback
Was this page helpful?