4 changes: 2 additions & 2 deletions helm-charts/falcon-sensor/Chart.yaml
Expand Up @@ -15,12 +15,12 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.34.1
version: 1.35.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 1.34.1
appVersion: 1.35.0

keywords:
- CrowdStrike
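Review bot: appVersion is bumped to 1.35.0 in lockstep with the chart version, but the comment directly above it says appVersion should reflect the version the application is using and need not follow the chart; this PR changes only templates, values and docs and does not change the sensor image, so either confirm that the two fields are intentionally kept in lockstep or leave appVersion at 1.34.1.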
57 changes: 57 additions & 0 deletions helm-charts/falcon-sensor/README.md
Expand Up @@ -126,13 +126,70 @@ The following tables lists the more common configurable parameters of the chart
| `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) |
| `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only)<br><br><div class="warning">:warning: **Warning**:<br>If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!</div> | None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory. |
| `node.cleanupOnly` | Run the cleanup Daemonset only. | `false` Requires `node.hooks.postDelete.enabled: true` |
| `node.extraVolumes` | Additional volumes appended to the node daemonset pod spec (e.g., CSI SecretProviderClass, projected secrets). | `[]` |
| `node.extraVolumeMounts` | Additional volume mounts for the node sensor container; names must match `node.extraVolumes`. | `[]` |
| `node.extraInitVolumeMounts` | Additional volume mounts for the init container. | `[]` |
| `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required if falconSecret.enabled is false) |
| `falcon.cloud` | CrowdStrike cloud region (`us-1`, `us-2`, `eu-1`, `us-gov-1`, `us-gov-2`)<br><br>**NOTE:** This option is supported by Falcon sensor version 7.28 and above | None |
| `falconSecret.enabled` | Enable k8s secrets to inject sensitive Falcon values | false (Must be true if falcon.cid is not set) |
| `falconSecret.secretName` | Existing k8s secret name to inject sensitive Falcon values.<br> The secret must be under the same namespace as the sensor deployment. | None (Existing secret must include `FALCONCTL_OPT_CID`) |
| `extraObjects` | List of additional manifests to render with the release (e.g., SecretProviderClass, ExternalSecret). | `[]` |

`falcon.cid` and `node.image.repository` are required values.

#### Using external secret providers
When you do not want to place `falcon.cid` (or other Falcon API values) directly in `values.yaml`, enable `falconSecret` and supply the secret name that will contain `FALCONCTL_OPT_CID` (and any other keys). You can render operator CRDs such as a Secrets Store CSI `SecretProviderClass` with `extraObjects` and mount it with the new volume hooks:

```
falconSecret:
enabled: true
secretName: falcon-credentials

extraObjects:
- apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: falcon-credentials
spec:
provider: aws
parameters:
objects: |
- objectName: "falcon/credentials"
objectType: secretsmanager
jmesPath:
- path: "FALCONCTL_OPT_CID"
objectAlias: "FALCONCTL_OPT_CID"
- path: "FALCON_CLIENT_ID"
objectAlias: "FALCON_CLIENT_ID"
- path: "FALCON_CLIENT_SECRET"
objectAlias: "FALCON_CLIENT_SECRET"
secretObjects:
- secretName: falcon-credentials
type: Opaque
data:
- key: FALCONCTL_OPT_CID
objectName: FALCONCTL_OPT_CID
- key: FALCON_CLIENT_ID
objectName: FALCON_CLIENT_ID
- key: FALCON_CLIENT_SECRET
objectName: FALCON_CLIENT_SECRET

node:
extraVolumes:
- name: falcon-credentials
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: falcon-credentials
extraVolumeMounts:
- name: falcon-credentials
mountPath: /var/run/secrets/falcon
readOnly: true
```

The SecretProviderClass above syncs a Kubernetes Secret named `falcon-credentials` so the daemonset can read `FALCONCTL_OPT_*` keys via `falconSecret`; the CSI volume mount triggers the sync and optionally exposes materialized files if you need them.

For a complete listing of configurable parameters, run the following command:

```
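Review bot: The SecretProviderClass example pulls FALCON_CLIENT_ID and FALCON_CLIENT_SECRET into the same synced Secret and then mounts that CSI volume into the node sensor container at /var/run/secrets/falcon, so the API client credentials become readable as files inside every sensor pod even though the paragraph below only says the daemonset needs the `FALCONCTL_OPT_*` keys. Either trim the example to the one object the sensor needs (`- path: "FALCONCTL_OPT_CID"` / `objectAlias: "FALCONCTL_OPT_CID"`) or state explicitly that every object listed is exposed under the mount path. The fenced block should also be tagged with `yaml`.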
12 changes: 12 additions & 0 deletions helm-charts/falcon-sensor/templates/daemonset.yaml
Expand Up @@ -137,6 +137,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.node.extraInitVolumeMounts }}
volumeMounts:
{{- with .Values.node.extraInitVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
containers:
- name: falcon-node-sensor
image: "{{ include "falcon-sensor.image" . }}"
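Review bot: The `{{- if .Values.node.extraInitVolumeMounts }}` guard is redundant with the inner `{{- with }}`, which already skips an empty or unset list; the sensor container block in the next hunk uses the bare `with` form, so collapse this to `{{- with .Values.node.extraInitVolumeMounts }}` / `volumeMounts:` / `{{- toYaml . | nindent 10 }}` / `{{- end }}` for consistency. Since this introduces the init container's first `volumeMounts:` key, also check the rendered indentation against the `env:` block it follows.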
Expand Down Expand Up @@ -189,10 +195,16 @@ spec:
volumeMounts:
- name: falconstore
mountPath: /opt/CrowdStrike/falconstore
{{- with .Values.node.extraVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
volumes:
- name: falconstore
hostPath:
path: /opt/CrowdStrike/falconstore
{{- with .Values.node.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount.name }}
terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }}
{{- if or .Values.node.daemonset.priorityClassName .Values.node.gke.autopilot }}
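Review bot: `node.extraVolumes` is the only place pod-level volumes are appended, so a name used in `node.extraInitVolumeMounts` must also resolve to an entry here, yet the README row states the name-matching rule only for `node.extraVolumeMounts`. Extend that sentence to cover the init-container mounts, and consider a `fail` check in the template so a dangling volume name is reported at `helm install` rather than when the API server rejects each DaemonSet pod at creation.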
6 changes: 6 additions & 0 deletions helm-charts/falcon-sensor/templates/extra-objects.yaml
@@ -0,0 +1,6 @@
{{- if .Values.extraObjects }}
{{- range $index, $object := .Values.extraObjects }}
---
{{- tpl (toYaml $object) $ }}
{{- end }}
{{- end }}
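Review bot: The left-trim on `{{- tpl (toYaml $object) $ }}` removes the line break after the `---` on the previous line, so each rendered manifest begins as `---apiVersion: ...` on a single line instead of following a proper document separator; use `{{ tpl (toYaml $object) $ }}` (no dash) after `---`. The outer `{{- if .Values.extraObjects }}` is redundant because `range` over an empty or nil list emits nothing, and `$index` is unused, so `{{- range .Values.extraObjects }}` with `.` is enough. Since every entry passes through `tpl` with the root context, the README should say that template expressions inside these values are evaluated with full access to the chart's values.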
12 changes: 12 additions & 0 deletions helm-charts/falcon-sensor/values.schema.json
Expand Up @@ -273,6 +273,15 @@
"default": "60",
"pattern": "^[0-9]+$"
},
"extraVolumes": {
"type": "array"
},
"extraVolumeMounts": {
"type": "array"
},
"extraInitVolumeMounts": {
"type": "array"
},
"hooks": {
"type": "object",
"properties": {
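Review bot: Declaring the three new keys as bare `"type": "array"` validates nothing about their contents, so a mount entry missing `name` or `mountPath` only fails when the DaemonSet tries to create pods; add an `items` schema with `"type": "object"` and `"required": ["name", "mountPath"]` for the two mount lists and `"required": ["name"]` for `extraVolumes` so `helm lint` and `helm install` catch it first.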
Expand Down Expand Up @@ -482,6 +491,9 @@
}
}
},
"extraObjects": {
"type": "array"
},
"serviceAccount": {
"type": "object",
"properties": {
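Review bot: `extraObjects` is typed only as an array; since each entry is rendered as a manifest, require at least `apiVersion` and `kind` on every item (`"items": {"type": "object", "required": ["apiVersion", "kind"]}`) so a mis-indented values file fails schema validation instead of producing an invalid document at render time. Note that schema validation runs before `tpl`, so it cannot check anything that a template expression produces.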
8 changes: 8 additions & 0 deletions helm-charts/falcon-sensor/values.yaml
Expand Up @@ -103,6 +103,11 @@ node:
# How long to wait for Falcon pods to stop gracefully
terminationGracePeriod: 60

# Extra volumes and mounts for the daemonset (e.g., CSI SecretProviderClass mounts)
extraVolumes: []
extraVolumeMounts: []
extraInitVolumeMounts: []

hooks:
# Settings for the node post-delete helm hook
postDelete:
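Review bot: The comment says these settings are for the daemonset, but `extraInitVolumeMounts` applies to the init container rather than the sensor container, and both mount lists draw from the single `extraVolumes` list; spell that out here the way the README does, for example "Extra volumes for the daemonset pod, plus mounts for the sensor container (extraVolumeMounts) and the init container (extraInitVolumeMounts); mount names must match entries in extraVolumes."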
Expand Down Expand Up @@ -260,6 +265,9 @@ container:
cpu: 10m
memory: 20Mi

# Render arbitrary Kubernetes manifests (e.g., SecretProviderClass, ExternalSecret)
extraObjects: []

serviceAccount:
name: crowdstrike-falcon-sa
annotations: {}
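Review bot: "Render arbitrary Kubernetes manifests" undersells what this key does: each entry is rendered through `tpl` with the chart's root context and applied with whatever permissions the Helm release holds, and the schema checks only that it is an array. Say here (and in the README row) that entries are templated and otherwise unvalidated, so anyone reviewing a values file knows to treat this list exactly like manifests they would apply directly.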