feat: Allow define crowdstrike credentials via secret

CrowdStrike · Jan 27, 2025 · 89f9f2b · 89f9f2b
1 parent c5a9e9d
commit 89f9f2b
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 28 deletions.
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md
@@ -12,30 +12,65 @@ These costs may or may not be offset by the savings for data egress costs incurr
 
 ## Table of Contents
 
-- [Supported registries](#supported-registries)
-- [How it works](#how-it-works)
-- [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
-- [Requirements](#requirements)
-- [Create a basic config file](#create-a-basic-config-file)
-- [Customize your deployment](#customize-your-deployment)
-  - [Create the SHRA namespace](#create-the-shra-namespace)
-  - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
-  - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
-  - [Configure which registries to scan](#configure-which-registries-to-scan)
-  - [Configure your scanning schedules](#configure-your-scanning-schedules)
-  - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
-  - [Configure persistent data storage](#configure-persistent-data-storage)
-  - [Configure temporary storage](#configure-temporary-storage)
-  - [Configure SHRA scaling](#configure-shra-scaling-to-meet-your-scanning-needs)
-  - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
-  - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
-  - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
-  - [Optional. Configure HTPP Proxy](#optional-configure-http-proxy)
-- [Forward SHRA Container Logs to Logscale](#forward-shra-container-logs-to-logscale)
-- [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
-- [Update SHRA](#update-shra)
-- [Uninstall SHRA](#uninstall-shra)
-- [Falcon Chart configuration options](#falcon-chart-configuration-options)
+- [CrowdStrike Self-hosted Registry Assessment (SHRA) Helm Chart](#crowdstrike-self-hosted-registry-assessment-shra-helm-chart)
+  - [Table of Contents](#table-of-contents)
+  - [Supported registries](#supported-registries)
+  - [How it works](#how-it-works)
+    - [How SHRA determines if an image is new](#how-shra-determines-if-an-image-is-new)
+  - [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
+  - [Requirements](#requirements)
+  - [Create a basic config file](#create-a-basic-config-file)
+  - [Customize your deployment](#customize-your-deployment)
+    - [Create the SHRA namespace](#create-the-shra-namespace)
+    - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
+    - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
+      - [Download the Falcon sensor pull script](#download-the-falcon-sensor-pull-script)
+      - [List available images](#list-available-images)
+      - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry-1)
+      - [Prepare credentials for your registry](#prepare-credentials-for-your-registry)
+      - [Add registry and image details to the configuration](#add-registry-and-image-details-to-the-configuration)
+    - [Configure which registries to scan](#configure-which-registries-to-scan)
+      - [Amazon Elastic Container Registry (AWS ECR)](#amazon-elastic-container-registry-aws-ecr)
+      - [Azure Container Registry](#azure-container-registry)
+      - [Docker Hub](#docker-hub)
+      - [Docker Registry V2](#docker-registry-v2)
+      - [GitHub](#github)
+      - [GitLab](#gitlab)
+      - [Google Artifact Registry (GAR)](#google-artifact-registry-gar)
+      - [Google Container Registry (GCR)](#google-container-registry-gcr)
+      - [Harbor](#harbor)
+        - [IBM Cloud Registry](#ibm-cloud-registry)
+      - [Jfrog Artifactory](#jfrog-artifactory)
+      - [Mirantis Secure Registry (MCR)](#mirantis-secure-registry-mcr)
+      - [Oracle Container Registry](#oracle-container-registry)
+      - [Red Hat OpenShift](#red-hat-openshift)
+      - [Red Hat Quay.io](#red-hat-quayio)
+      - [Sonatype Nexus](#sonatype-nexus)
+      - [Validate the credentials locally](#validate-the-credentials-locally)
+      - [Apply your changes to the configuration file](#apply-your-changes-to-the-configuration-file)
+    - [Configure your scanning schedules](#configure-your-scanning-schedules)
+    - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
+    - [Configure persistent data storage](#configure-persistent-data-storage)
+      - [Change persistent storage retention](#change-persistent-storage-retention)
+    - [Configure temporary storage](#configure-temporary-storage)
+    - [Configure SHRA scaling to meet your scanning needs](#configure-shra-scaling-to-meet-your-scanning-needs)
+    - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
+    - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
+    - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
+      - [Option 1. Enable gRPC TLS with Cert Manager](#option-1-enable-grpc-tls-with-cert-manager)
+      - [Option 2. Enable gRPC TLS with custom secret](#option-2-enable-grpc-tls-with-custom-secret)
+      - [Option 3. Enable gRPC TLS with custom certificate files](#option-3-enable-grpc-tls-with-custom-certificate-files)
+    - [Optional. Configure HTTP Proxy](#optional-configure-http-proxy)
+  - [Forward SHRA Container Logs to LogScale](#forward-shra-container-logs-to-logscale)
+    - [Configure SHRA log levels](#configure-shra-log-levels)
+    - [Create the HEC Ingest Connector](#create-the-hec-ingest-connector)
+    - [Start the Kubernetes LogScale Collector in your SHRA namespace](#start-the-kubernetes-logscale-collector-in-your-shra-namespace)
+      - [Review logs in the UI](#review-logs-in-the-ui)
+    - [Configure saved searches to monitor SHRA](#configure-saved-searches-to-monitor-shra)
+  - [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
+  - [Update SHRA](#update-shra)
+  - [Uninstall SHRA](#uninstall-shra)
+  - [Falcon Chart configuration options](#falcon-chart-configuration-options)
 
 ## Supported registries
 
@@ -243,6 +278,7 @@ crowdstrikeConfig:
 |:------------------------------------|-----------|:------------------------------------------------------------------------------------------------------|:----------|
 | `crowdstrikeConfig.clientID`        | required  | The client id used to authenticate the self-hosted registry assessment service with CrowdStrike.      | ""        |
 | `crowdstrikeConfig.clientSecret`    | required  | The client secret used to authenticate the self-hosted registry assessment service with CrowdStrike.  | ""        |
+| `crowdstrikeConfig.clientSecretRef` | optional  | Refernce to a secret which contains `clientID` (`CLIENT_ID`) and `clientSecret` (`CLIENT_SECRET`).  | ""
 
 ### Copy the SHRA images to your registry
 

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
@@ -48,6 +48,7 @@ spec:
               value: "/db"
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef }}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             - name: "CLIENT_SECRET"
@@ -65,15 +66,20 @@ spec:
               value: {{ .value }}
             {{- end }}
             {{- end }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}} 
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}} 
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:
@@ -110,25 +116,32 @@ spec:
               value: "/db"
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef -}}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             - name: "CLIENT_SECRET"
               value: {{ .Values.crowdstrikeConfig.clientSecret }}
+            {{- end }} 
             - name: "STORAGE_ENGINE"
               value: "sqlite"
             - name: "LOG_LEVEL"
               value: {{ .Values.executor.logLevel | quote }}
             - name: "CATALOG_PER_PAGE_RATE"
               value: {{ .Values.executor.catalogPerPageRate | quote }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}}
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}}
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -235,6 +235,7 @@ jobController:
 
 crowdstrikeConfig:
   region: "autodiscovery"  # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
+  # clientSecretRef: "" # use that instead `clientID` and `clientSecret`
   clientID: ""
   clientSecret: ""