From 2b72a10ac6305a016e2826492068affdb14fffc2 Mon Sep 17 00:00:00 2001
From: augustkang
Date: Fri, 28 Nov 2025 19:15:51 +0900
Subject: [PATCH] feat: add extra objects to support secret related operators

---
 helm-charts/falcon-sensor/Chart.yaml | 4 +-
 helm-charts/falcon-sensor/README.md | 57 +++++++++++++++++++
 .../falcon-sensor/templates/daemonset.yaml | 12 ++++
 .../templates/extra-objects.yaml | 6 ++
 helm-charts/falcon-sensor/values.schema.json | 12 ++++
 helm-charts/falcon-sensor/values.yaml | 8 +++
 6 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 helm-charts/falcon-sensor/templates/extra-objects.yaml

diff --git a/helm-charts/falcon-sensor/Chart.yaml b/helm-charts/falcon-sensor/Chart.yaml
index 1c744671..08117dc2 100644
--- a/helm-charts/falcon-sensor/Chart.yaml
+++ b/helm-charts/falcon-sensor/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.34.1
+version: 1.35.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.34.1
+appVersion: 1.35.0
 
 keywords:
 - CrowdStrike
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
index acfe595e..b59065e0 100644
--- a/helm-charts/falcon-sensor/README.md
+++ b/helm-charts/falcon-sensor/README.md
@@ -126,13 +126,70 @@ The following tables lists the more common configurable parameters of the chart | `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) | | `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only)

:warning: **Warning**:
If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!
| None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory. | | `node.cleanupOnly` | Run the cleanup Daemonset only. | `false` Requires `node.hooks.postDelete.enabled: true` | +| `node.extraVolumes` | Additional volumes appended to the node daemonset pod spec (e.g., CSI SecretProviderClass, projected secrets). | `[]` | +| `node.extraVolumeMounts` | Additional volume mounts for the node sensor container; names must match `node.extraVolumes`. | `[]` | +| `node.extraInitVolumeMounts` | Additional volume mounts for the init container. | `[]` | | `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required if falconSecret.enabled is false) | | `falcon.cloud` | CrowdStrike cloud region (`us-1`, `us-2`, `eu-1`, `us-gov-1`, `us-gov-2`)

**NOTE:** This option is supported by Falcon sensor version 7.28 and above | None | | `falconSecret.enabled` | Enable k8s secrets to inject sensitive Falcon values | false (Must be true if falcon.cid is not set) | | `falconSecret.secretName` | Existing k8s secret name to inject sensitive Falcon values.
The secret must be under the same namespace as the sensor deployment. | None (Existing secret must include `FALCONCTL_OPT_CID`) | +| `extraObjects` | List of additional manifests to render with the release (e.g., SecretProviderClass, ExternalSecret). | `[]` | `falcon.cid` and `node.image.repository` are required values. +#### Using external secret providers +When you do not want to place `falcon.cid` (or other Falcon API values) directly in `values.yaml`, enable `falconSecret` and supply the secret name that will contain `FALCONCTL_OPT_CID` (and any other keys). You can render operator CRDs such as a Secrets Store CSI `SecretProviderClass` with `extraObjects` and mount it with the new volume hooks: + +``` +falconSecret: + enabled: true + secretName: falcon-credentials + +extraObjects: + - apiVersion: secrets-store.csi.x-k8s.io/v1 + kind: SecretProviderClass + metadata: + name: falcon-credentials + spec: + provider: aws + parameters: + objects: | + - objectName: "falcon/credentials" + objectType: secretsmanager + jmesPath: + - path: "FALCONCTL_OPT_CID" + objectAlias: "FALCONCTL_OPT_CID" + - path: "FALCON_CLIENT_ID" + objectAlias: "FALCON_CLIENT_ID" + - path: "FALCON_CLIENT_SECRET" + objectAlias: "FALCON_CLIENT_SECRET" + secretObjects: + - secretName: falcon-credentials + type: Opaque + data: + - key: FALCONCTL_OPT_CID + objectName: FALCONCTL_OPT_CID + - key: FALCON_CLIENT_ID + objectName: FALCON_CLIENT_ID + - key: FALCON_CLIENT_SECRET + objectName: FALCON_CLIENT_SECRET + +node: + extraVolumes: + - name: falcon-credentials + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: falcon-credentials + extraVolumeMounts: + - name: falcon-credentials + mountPath: /var/run/secrets/falcon + readOnly: true +``` + +The SecretProviderClass above syncs a Kubernetes Secret named `falcon-credentials` so the daemonset can read `FALCONCTL_OPT_*` keys via `falconSecret`; the CSI volume mount triggers the sync and optionally exposes 
materialized files if you need them. + For a complete listing of configurable parameters, run the following command: ```
diff --git a/helm-charts/falcon-sensor/templates/daemonset.yaml b/helm-charts/falcon-sensor/templates/daemonset.yaml
index c8b1a60e..677405b7 100644
--- a/helm-charts/falcon-sensor/templates/daemonset.yaml
+++ b/helm-charts/falcon-sensor/templates/daemonset.yaml
@@ -137,6 +137,12 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ {{- if .Values.node.extraInitVolumeMounts }}
+ volumeMounts:
+ {{- with .Values.node.extraInitVolumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 containers:
 - name: falcon-node-sensor
 image: "{{ include "falcon-sensor.image" . }}"
@@ -189,10 +195,16 @@ spec:
 volumeMounts:
 - name: falconstore
 mountPath: /opt/CrowdStrike/falconstore
+ {{- with .Values.node.extraVolumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 volumes:
 - name: falconstore
 hostPath:
 path: /opt/CrowdStrike/falconstore
+ {{- with .Values.node.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }}
 {{- if or .Values.node.daemonset.priorityClassName .Values.node.gke.autopilot }}
diff --git a/helm-charts/falcon-sensor/templates/extra-objects.yaml b/helm-charts/falcon-sensor/templates/extra-objects.yaml
new file mode 100644
index 00000000..0f348205
--- /dev/null
+++ b/helm-charts/falcon-sensor/templates/extra-objects.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.extraObjects }}
+{{- range $index, $object := .Values.extraObjects }}
+---
+{{- tpl (toYaml $object) $ }}
+{{- end }}
+{{- end }}
diff --git a/helm-charts/falcon-sensor/values.schema.json b/helm-charts/falcon-sensor/values.schema.json
index a6ec9af6..a84a7167 100644
--- a/helm-charts/falcon-sensor/values.schema.json
+++ b/helm-charts/falcon-sensor/values.schema.json
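Review bot: The `{{- if .Values.node.extraInitVolumeMounts }}` wrapper around `{{- with ... }}` in the init container is redundant — `with` already skips its body for an empty list — so the nesting can be reduced to `{{- with .Values.node.extraInitVolumeMounts }}`, `volumeMounts:`, `{{- toYaml . | nindent 10 }}` and a single `{{- end }}`. The init container's definition starts above the hunk; if it already declares a `volumeMounts:` key there, this block emits a second one and the rendered container carries a duplicate key, so confirm that before merging. Nothing in the template ties these mounts to `node.extraVolumes`, so a comment such as `# user-supplied mounts for the init container; names must match node.extraVolumes` would help readers.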
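Review bot: `node.extraVolumes` is appended verbatim after the chart's own `falconstore` volume, so a user entry that reuses the name `falconstore` yields two volumes with the same name, which the API server rejects; that restriction belongs in the comment for the value. The template also does not restrict the volume type or force `readOnly` on the mount, so an entry can mount any hostPath read-write into the sensor container; the README example sets `readOnly: true`, but the chart does not enforce it. I would add above the `{{- with .Values.node.extraVolumes }}` line: `# appended as-is: names must not collide with "falconstore"; set readOnly on secret mounts`.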
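Review bot: The left-trim on `{{- tpl (toYaml $object) $ }}` removes the newline after `---`, so each rendered object starts as `---apiVersion: ...` on one line. Helm's manifest splitter appears to tolerate a `---` with no trailing whitespace, but the text is not valid multi-document YAML for anything else that consumes `helm template` output; dropping the dash, `{{ tpl (toYaml $object) $ }}`, keeps the marker on its own line. The outer `{{- if .Values.extraObjects }}` is redundant with `range`, which emits nothing for an empty list. Since every entry passes through `tpl`, any `{{ }}` inside a user manifest (for example inside secret-store `parameters`) is evaluated as a template; that is worth a comment in this file, as values pasted from operator docs may contain such syntax.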
@@ -273,6 +273,15 @@
 "default": "60",
 "pattern": "^[0-9]+$"
 },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraInitVolumeMounts": {
+ "type": "array"
+ },
 "hooks": {
 "type": "object",
 "properties": {
@@ -482,6 +491,9 @@
 }
 }
 },
+ "extraObjects": {
+ "type": "array"
+ },
 "serviceAccount": {
 "type": "object",
 "properties": {
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index 6b15d418..e55085b1 100644
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
@@ -103,6 +103,11 @@ node:
 # How long to wait for Falcon pods to stop gracefully
 terminationGracePeriod: 60
 
+ # Extra volumes and mounts for the daemonset (e.g., CSI SecretProviderClass mounts)
+ extraVolumes: []
+ extraVolumeMounts: []
+ extraInitVolumeMounts: []
+
 hooks:
 # Settings for the node post-delete helm hook
 postDelete:
@@ -260,6 +265,9 @@ container:
 cpu: 10m
 memory: 20Mi
 
+# Render arbitrary Kubernetes manifests (e.g., SecretProviderClass, ExternalSecret)
+extraObjects: []
+
 serviceAccount:
 name: crowdstrike-falcon-sa
 annotations: {}
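Review bot: `"type": "array"` with no `items` schema accepts any element, so a mount given as a plain string or a volume without a `name` passes schema validation and `helm lint` and only fails at apply time. The daemonset template pastes these entries into `volumes`/`volumeMounts` with `toYaml`, so the schema should at least require each entry to be an object carrying the fields Kubernetes needs, as below.
```json
"extraVolumes": {
  "type": "array",
  "items": { "type": "object", "required": ["name"] }
},
"extraVolumeMounts": {
  "type": "array",
  "items": { "type": "object", "required": ["name", "mountPath"] }
},
"extraInitVolumeMounts": {
  "type": "array",
  "items": { "type": "object", "required": ["name", "mountPath"] }
},
```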
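Review bot: `extraObjects` is declared as a bare array, but the template renders each entry with `tpl (toYaml $object) $`, which only produces a usable manifest when the entry is a mapping with `apiVersion`, `kind` and `metadata`; a string entry renders as a YAML scalar and fails at apply. Tighten it to `"extraObjects": { "type": "array", "items": { "type": "object", "required": ["apiVersion", "kind", "metadata"] } }` so the mistake surfaces at schema validation instead.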
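Review bot: The comment on `extraObjects` should say how entries are treated, since the template passes each one through `tpl` and emits it without adding anything: `# Each entry is rendered through tpl (so {{ }} is evaluated) and emitted as-is; the chart adds no labels or namespace to it.` That warns users that Go-template syntax inside operator parameters is interpreted and that these objects carry none of the chart's labels.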