Adding sniffer-agent to BC

.github/workflows/release.yml

@@ -21,8 +21,8 @@ jobs:
           git config --global user.email "[email protected]"
           git config --global user.name "Bright Security"
 
-      - name: Change name to unstable
         if: ${{ github.ref == 'refs/heads/unstable' }}
+      - name: Change name to unstable
         run: |
           sed -i 's/brokencrystals/brokencrystals-unstable/g' ./charts/brokencrystals/Chart.yaml
           sed -i 's/brkn/brkn-unstbl/g' ./charts/brokencrystals/Chart.yaml

README.md

@@ -33,25 +33,33 @@ docker-compose --file=docker-compose.local.yml up -d --build
 ## Running application with helm chart
 Helm command example:
 ```bash
-helm upgrade --install --namespace distributor broken       \
-  --set repeaterID=5r9Kci7AKLx4bkN58yYCDz                   \
-  --set token=nptbmxr.nexp.kkaux80olef2mew3n3r3rw08tww3c4f5 \
-  --set cluster=hotel.playground.neuralegion.com            \
-  --set timeout=40000                                       \
-  --set repeaterImageTag=v11.5.0-next.4                     \
-  --set ingress.url=broken.k3s.brokencrystals.nexploit.app  \
-  --set ingress.cert=distributorwildcard                    \
+helm upgrade --install --namespace distributor broken          \
+  --set snifferApiURL=https://hotel.playground.neuralegion.com \
+  --set snifferProjectID=ud8v8jwUaG14JiAihMQx1M                \
+  --set snifferApiKey=6g0daym.nexp.spkuhhishhttv               \
+  --set snifferNetworkInterface=lo0                            \
+  --set repeaterID=5r9Kci7AKLx4bkN58yYCDz                      \
+  --set token=nptbmxr.nexp.kkaux80olef2mew3n3r3rw08tww3c4f5    \
+  --set cluster=hotel.playground.neuralegion.com               \
+  --set timeout=40000                                          \
+  --set repeaterImageTag=v11.5.0-next.4                        \
+  --set ingress.url=broken.k3s.brokencrystals.nexploit.app     \
+  --set ingress.cert=distributorwildcard                       \
   --set ingress.authlevel=- . --wait
 ```
 
 ### Arguments info
 
 **repeaterID, token and cluster** - These argument values are required if you want to use repeater. In case you don't set any of these fields, repeater container won't be run. In that case this will be regular bc deployment. (Required arguments if repeater container is to be used).
 
-**timeout** - this is optional argument with default value 30000 if it is not set, it's only used in conjuction with main repeater options (optional argument).
+**timeout** - this is optional argument for repeater deployment with default value 30000 if it is not set, it's only used in conjuction with main repeater options (optional argument).
 
 **repeaterImageTag** - this argument is optional with default value latest if field is not set. Notice these are docker tags and not repeater versions. They are similar but not the same. Dockerhub tags usually have "v" in front of repeater version. this argument is only used in conjuction with main repeater options (optional argument).
 
+**snifferApiURL, snifferProjectID and snifferApiKey** - These argument values are required if you want to use sniffer. In case you don't set any of these fields, sniffer container won't be run. In that case this will be regular bc deployment. (Required arguments if sniffer container is to be used).
+
+**snifferNetworkInterface** - this is optional argument for sniffer deployment with default value set to **"eth0"** if it is not set explicitly, it's only used in conjuction with main sniffer options (optional argument).
+
 **namespace** - kubernetes namespace where app will be spawned.
 
 **ingress.url** - Domain name that will be used to access app from Internet.

charts/brokencrystals/Chart.yaml

@@ -4,7 +4,7 @@ description: |
   Benchmark application that uses modern technologies and implements a set of
   common security vulnerabilities
 type: application
-version: 0.0.69
+version: 0.0.65
 keywords:
   - brokencrystals
   - brkn

charts/brokencrystals/templates/deployment.yaml

@@ -201,6 +201,33 @@ spec:
               value: "{{ .Values.cluster }}"
             - name: TIMEOUT
               value: "{{ .Values.timeout | default "30000" }}"
+        restartPolicy: Always      
+        {{- end }}
+
+        {{- if and .Values.snifferApiKey .Values.snifferProjectID .Values.snifferApiURL }}
+        - name: sniffer-agent
+          securityContext:
+            capabilities:
+              add: ["NET_RAW", "NET_ADMIN"]
+          image: ghcr.io/neuralegion/sniffer-agent:latest
+          args:
+          - "-a=$(API_URL)"
+          - "-t=$(API_KEY)"
+          - "-p=$(PROJECT_ID)" 
+          - "-i=$(NETWORK_INTERFACE)"        
+          resources:
+            requests:
+              cpu: 200m
+              memory: 100Mi
+          env:
+            - name: API_URL
+              value: "{{ .Values.snifferApiURL }}"
+            - name: API_KEY
+              value: "{{ .Values.snifferApiKey }}"
+            - name: PROJECT_ID
+              value: "{{ .Values.snifferProjectID }}"
+            - name: NETWORK_INTERFACE
+              value: "{{ .Values.snifferNetworkInterface | default "eth0" }}"
         {{- end }}
       restartPolicy: Always
 

charts/brokencrystals/values.yaml

@@ -10,3 +10,8 @@ repeaterID: ""
 token: ""
 cluster: ""
 timeout: ""
+snifferApiURL: ""
+snifferApiKey: ""
+snifferProjectID: ""
+snifferNetworkInterface: ""
+