CrowdStrike · papanito · Jan 24, 2025 · Jan 27, 2025
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md
@@ -12,30 +12,65 @@ These costs may or may not be offset by the savings for data egress costs incurr
 
 ## Table of Contents
 
-- [Supported registries](#supported-registries)
-- [How it works](#how-it-works)
-- [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
-- [Requirements](#requirements)
-- [Create a basic config file](#create-a-basic-config-file)
-- [Customize your deployment](#customize-your-deployment)
-  - [Create the SHRA namespace](#create-the-shra-namespace)
-  - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
-  - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
-  - [Configure which registries to scan](#configure-which-registries-to-scan)
-  - [Configure your scanning schedules](#configure-your-scanning-schedules)
-  - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
-  - [Configure persistent data storage](#configure-persistent-data-storage)
-  - [Configure temporary storage](#configure-temporary-storage)
-  - [Configure SHRA scaling](#configure-shra-scaling-to-meet-your-scanning-needs)
-  - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
-  - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
-  - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
-  - [Optional. Configure HTPP Proxy](#optional-configure-http-proxy)
-- [Forward SHRA Container Logs to Logscale](#forward-shra-container-logs-to-logscale)
-- [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
-- [Update SHRA](#update-shra)
-- [Uninstall SHRA](#uninstall-shra)
-- [Falcon Chart configuration options](#falcon-chart-configuration-options)
+- [CrowdStrike Self-hosted Registry Assessment (SHRA) Helm Chart](#crowdstrike-self-hosted-registry-assessment-shra-helm-chart)
+  - [Table of Contents](#table-of-contents)
+  - [Supported registries](#supported-registries)
+  - [How it works](#how-it-works)
+    - [How SHRA determines if an image is new](#how-shra-determines-if-an-image-is-new)
+  - [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
+  - [Requirements](#requirements)
+  - [Create a basic config file](#create-a-basic-config-file)
+  - [Customize your deployment](#customize-your-deployment)
+    - [Create the SHRA namespace](#create-the-shra-namespace)
+    - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
+    - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
+      - [Download the Falcon sensor pull script](#download-the-falcon-sensor-pull-script)
+      - [List available images](#list-available-images)
+      - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry-1)
+      - [Prepare credentials for your registry](#prepare-credentials-for-your-registry)
+      - [Add registry and image details to the configuration](#add-registry-and-image-details-to-the-configuration)
+    - [Configure which registries to scan](#configure-which-registries-to-scan)
+      - [Amazon Elastic Container Registry (AWS ECR)](#amazon-elastic-container-registry-aws-ecr)
+      - [Azure Container Registry](#azure-container-registry)
+      - [Docker Hub](#docker-hub)
+      - [Docker Registry V2](#docker-registry-v2)
+      - [GitHub](#github)
+      - [GitLab](#gitlab)
+      - [Google Artifact Registry (GAR)](#google-artifact-registry-gar)
+      - [Google Container Registry (GCR)](#google-container-registry-gcr)
+      - [Harbor](#harbor)
+        - [IBM Cloud Registry](#ibm-cloud-registry)
+      - [Jfrog Artifactory](#jfrog-artifactory)
+      - [Mirantis Secure Registry (MCR)](#mirantis-secure-registry-mcr)
+      - [Oracle Container Registry](#oracle-container-registry)
+      - [Red Hat OpenShift](#red-hat-openshift)
+      - [Red Hat Quay.io](#red-hat-quayio)
+      - [Sonatype Nexus](#sonatype-nexus)
+      - [Validate the credentials locally](#validate-the-credentials-locally)
+      - [Apply your changes to the configuration file](#apply-your-changes-to-the-configuration-file)
+    - [Configure your scanning schedules](#configure-your-scanning-schedules)
+    - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
+    - [Configure persistent data storage](#configure-persistent-data-storage)
+      - [Change persistent storage retention](#change-persistent-storage-retention)
+    - [Configure temporary storage](#configure-temporary-storage)
+    - [Configure SHRA scaling to meet your scanning needs](#configure-shra-scaling-to-meet-your-scanning-needs)
+    - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
+    - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
+    - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
+      - [Option 1. Enable gRPC TLS with Cert Manager](#option-1-enable-grpc-tls-with-cert-manager)
+      - [Option 2. Enable gRPC TLS with custom secret](#option-2-enable-grpc-tls-with-custom-secret)
+      - [Option 3. Enable gRPC TLS with custom certificate files](#option-3-enable-grpc-tls-with-custom-certificate-files)
+    - [Optional. Configure HTTP Proxy](#optional-configure-http-proxy)
+  - [Forward SHRA Container Logs to LogScale](#forward-shra-container-logs-to-logscale)
+    - [Configure SHRA log levels](#configure-shra-log-levels)
+    - [Create the HEC Ingest Connector](#create-the-hec-ingest-connector)
+    - [Start the Kubernetes LogScale Collector in your SHRA namespace](#start-the-kubernetes-logscale-collector-in-your-shra-namespace)
+      - [Review logs in the UI](#review-logs-in-the-ui)
+    - [Configure saved searches to monitor SHRA](#configure-saved-searches-to-monitor-shra)
+  - [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
+  - [Update SHRA](#update-shra)
+  - [Uninstall SHRA](#uninstall-shra)
+  - [Falcon Chart configuration options](#falcon-chart-configuration-options)
 
 ## Supported registries
 
@@ -243,6 +278,7 @@ crowdstrikeConfig:
 |:------------------------------------|-----------|:------------------------------------------------------------------------------------------------------|:----------|
 | `crowdstrikeConfig.clientID`        | required  | The client id used to authenticate the self-hosted registry assessment service with CrowdStrike.      | ""        |
 | `crowdstrikeConfig.clientSecret`    | required  | The client secret used to authenticate the self-hosted registry assessment service with CrowdStrike.  | ""        |
+| `crowdstrikeConfig.clientSecretRef` | optional  | Refernce to a secret which contains `clientID` (`CLIENT_ID`) and `clientSecret` (`CLIENT_SECRET`).  | ""
 
 ### Copy the SHRA images to your registry
 

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl
@@ -13,11 +13,11 @@ If release name contains chart name it will be used as a full name.
 {{- define "ra-self-hosted.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- $name := default "shra" .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
 {{- end }}
 {{- end }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
@@ -23,7 +23,11 @@ spec:
     spec:
       serviceAccountName: {{ include "ra-self-hosted-executor.fullname" . }}
       securityContext:
-        fsGroup: 2001
+{{ if .Values.executor.podSecurityContext -}}
+{{ .Values.executor.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
      {{- if or (.Values.executor.image.pullSecret) (.Values.executor.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.executor.image.registryConfigJSON }}
@@ -44,10 +48,12 @@ spec:
               value: "/db"
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef }}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             - name: "CLIENT_SECRET"
               value: {{ .Values.crowdstrikeConfig.clientSecret }}
+            {{- end }} 
             - name: "STORAGE_ENGINE"
               value: "sqlite"
             - name: "AGENT_RUN_MODE"
@@ -60,15 +66,20 @@ spec:
               value: {{ .value }}
             {{- end }}
             {{- end }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}} 
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}} 
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:
@@ -85,11 +96,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       containers:
         - name: executor
           image: {{ include "ra-self-hosted-executor.image" . }}
@@ -105,25 +116,32 @@ spec:
               value: "/db"
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef -}}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             - name: "CLIENT_SECRET"
               value: {{ .Values.crowdstrikeConfig.clientSecret }}
+            {{- end }} 
             - name: "STORAGE_ENGINE"
               value: "sqlite"
             - name: "LOG_LEVEL"
               value: {{ .Values.executor.logLevel | quote }}
             - name: "CATALOG_PER_PAGE_RATE"
               value: {{ .Values.executor.catalogPerPageRate | quote }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}}
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}}
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:
@@ -144,11 +162,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 19 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       {{- if .Values.executor.nodeSelector }}
       nodeSelector:
         {{- .Values.executor.nodeSelector | toYaml | nindent 8 }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml
@@ -19,7 +19,11 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/job-controller-configmap.yaml") . | sha256sum }}
     spec:
       securityContext:
-        fsGroup: 2001
+{{ if .Values.jobController.podSecurityContext -}}
+{{ .Values.jobController.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
      {{- if or (.Values.jobController.image.pullSecret) (.Values.jobController.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.jobController.image.registryConfigJSON }}
@@ -73,11 +77,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       containers:
         - name: job-controller
           image: {{ include "ra-self-hosted-job-controller.image" . }}
@@ -131,11 +135,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       {{- if .Values.jobController.nodeSelector }}
       nodeSelector:
         {{- .Values.jobController.nodeSelector | toYaml | nindent 8 }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -4,6 +4,26 @@
 nameOverride: ""
 fullnameOverride: ""
 
+podSecurityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  fsGroup: 2001
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
+
 executor:
   replicaCount: 1
   image:
@@ -47,6 +67,28 @@ executor:
       accessModes:
         - ReadWriteOnce
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
   logLevel: 3  # log level to be set for the service (1:error, 2:warning, 3:info, 4:debug)
   catalogPerPageRate: 100  # page size per catalog request
 
@@ -169,8 +211,31 @@ jobController:
 
   additionalSecretEnvFrom: []
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
 crowdstrikeConfig:
   region: "autodiscovery"  # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
+  # clientSecretRef: "" # use that instead `clientID` and `clientSecret`
   clientID: ""
   clientSecret: ""