2 changes: 1 addition & 1 deletion helm-charts/falcon-image-analyzer/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.1.20
version: 1.1.21

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand Down
12 changes: 8 additions & 4 deletions helm-charts/falcon-image-analyzer/README.md
Expand Up @@ -47,13 +47,17 @@ The Falcon Image Analyzer Helm chart has been tested to deploy on the following

| Helm Chart Version | Falcon Image Analyzer Version | Notes |
|:-------------------|:------------------------------|:-------------------------------------------------------------------------------------------------|
| `1.1.21` | `>= 1.0.24` | Added support for providing `AGENT_CID` through `crowdstrikeConfig.existingSecret`. |
| `1.1.20` | `>= 1.0.24` | falcon-imageanalyzer images now use a non-regionalized unified image repo, starting with 1.0.24. |
| `1.1.19` | `>= 1.0.21` | — |
| `1.1.18` | `>= 1.0.21` | — |
| `1.1.17` | `>= 1.0.21` | Added Image Analyzer Agent service to allow Falcon KAC to request image scan data. |


## New updates in current release
### Helm (1.1.21) + iar 1.0.24
- Added support for providing the Falcon CID through `crowdstrikeConfig.existingSecret` using `AGENT_CID`.

### Helm (1.1.19) + iar 1.0.23
- Adding support for excluding specific images from scanning.

Expand Down Expand Up @@ -117,11 +121,11 @@ The following tables list the Falcon sensor configurable parameters and their de
| `crowdstrikeConfig.clusterName` optional | Cluster name | None |
| `crowdstrikeConfig.enableDebug` optional | Set to `true` for debug level log verbosity. | false |
| `crowdstrikeConfig.enableKlogs` optional | Set to `true` for kubernetes api log verbosity. | false |
| `crowdstrikeConfig.clientID` required | CrowdStrike Falcon OAuth API Client ID | None |
| `crowdstrikeConfig.clientSecret` required | CrowdStrike Falcon OAuth API Client secret | None |
| `crowdstrikeConfig.cid` required | Customer ID (CID) | None |
| `crowdstrikeConfig.clientID` required unless using an existing secret | CrowdStrike Falcon OAuth API Client ID | None |
| `crowdstrikeConfig.clientSecret` required unless using an existing secret | CrowdStrike Falcon OAuth API Client secret | None |
| `crowdstrikeConfig.cid` required unless using `global.falcon.cid` or an existing secret | Customer ID (CID) | None |
| `crowdstrikeConfig.dockerAPIToken` optional | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `[CROWDSTRIKE_IMAGE_REGISTRY] described below` | None |
| `crowdstrikeConfig.existingSecret` optional | Existing secret ref name of the customer Kubernetes cluster | None |
| `crowdstrikeConfig.existingSecret` optional | Existing secret ref name containing `AGENT_CID`, `AGENT_CLIENT_ID`, and `AGENT_CLIENT_SECRET` | None |
| `crowdstrikeConfig.agentRegion` required | Region of the CrowdStrike API to connect to value should be one of `us-1/us-2/eu-1/gov1/gov2` | None |
| `crowdstrikeConfig.agentRuntime` required ( if daemonset ) | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `daemonset.enabled` = `true` | None |
| `crowdstrikeConfig.agentRuntimeSocket` optional | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with ONLY TO BE USED with `daemonset.enabled` = `true` | None |
Expand Down
13 changes: 12 additions & 1 deletion helm-charts/falcon-image-analyzer/templates/_helpers.tpl
Expand Up @@ -229,7 +229,7 @@ Get Falcon CID from global value if it exists
{{- if and .Values.global.falcon.cid (not .Values.crowdstrikeConfig.cid) -}}
{{- .Values.global.falcon.cid -}}
{{- else -}}
{{- .Values.crowdstrikeConfig.cid -}}
{{- .Values.crowdstrikeConfig.cid | default "" -}}
{{- end -}}
{{- end -}}

Expand All @@ -244,6 +244,17 @@ Get Falcon secret name from global value if it exists
{{- end -}}
{{- end -}}

{{/*
Validate that Falcon CID is provided directly or by an existing secret.
*/}}
{{- define "falcon-image-analyzer.validateFalconCidOrFalconSecret" -}}
{{- $hasCid := include "falcon-image-analyzer.falconCid" . | trim -}}
{{- $hasSecret := include "falcon-image-analyzer.falconSecretName" . | trim -}}
{{- if and (not $hasCid) (not $hasSecret) -}}
{{- fail "Must configure one of global.falcon.cid, crowdstrikeConfig.cid, or an existing secret with AGENT_CID data" }}
{{- end -}}
{{- end -}}

{{/*
Get container registry pull secret from global value if it exists
*/}}
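Review bot: In `falcon-image-analyzer.validateFalconCidOrFalconSecret`, `$hasSecret` is only the configured secret name, so the check passes for any existing secret, including one created for an earlier chart version that holds only `AGENT_CLIENT_ID` and `AGENT_CLIENT_SECRET`. Combined with the ConfigMap change in this PR, which omits `AGENT_CID` when no CID value is set, that configuration renders without error and supplies no `AGENT_CID` from either source. Either add a `lookup`-based check for the key that is skipped when `lookup` returns nothing (as it does under `helm template`), or reword the `fail` message and the README to say the `AGENT_CID` key is assumed rather than verified, and call this out as an upgrade note for users who already have a secret.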
Expand Down
6 changes: 5 additions & 1 deletion helm-charts/falcon-image-analyzer/templates/configmap.yaml
@@ -1,3 +1,5 @@
{{- include "falcon-image-analyzer.validateFalconCidOrFalconSecret" . }}
{{- $falconCid := include "falcon-image-analyzer.falconCid" . | trim }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -12,7 +14,9 @@ data:
IS_KUBERNETES: {{ include "falcon-image-analyzer.isKubernetes" . | quote }}
AGENT_HELM_VERSION: {{ .Chart.Version | quote }}
LOG_OUTPUT: {{ .Values.log.output | quote }}
AGENT_CID: {{ include "falcon-image-analyzer.falconCid" . | quote }}
{{- if $falconCid }}
AGENT_CID: {{ $falconCid | quote }}
{{- end }}
AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }}
AGENT_REGISTRY_CREDENTIALS: {{ .Values.privateRegistries.credentials | quote }}
AGENT_NAMESPACE_EXCLUSIONS: {{ .Values.exclusions.namespace | quote }}
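Review bot: With `{{- if $falconCid }}` around `AGENT_CID`, a release that sets both a CID value and an existing secret containing `AGENT_CID` has two sources for the same variable, and the workload template that consumes this ConfigMap and the secret is not part of this diff. This is the likely upgrade path, since the README line removed in this PR says existing-secret users previously had to pass `crowdstrikeConfig.cid` as well. Please confirm which source wins when the two disagree and document that precedence next to `crowdstrikeConfig.existingSecret`.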
Expand Down
55 changes: 49 additions & 6 deletions helm-charts/falcon-image-analyzer/values.schema.json
Expand Up @@ -235,6 +235,19 @@
"pattern": "^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$"
}
}
},
"falconSecret": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"secretName": {
"type": "string",
"description": "Name of existing Kubernetes secret containing Falcon configuration values"
}
}
}
}
}
Expand Down Expand Up @@ -308,19 +321,49 @@
},
{
"if": {
"properties": {
"global": {
"allOf": [
{
"properties": {
"falcon": {
"global": {
"properties": {
"cid": {
"const": null
"falcon": {
"properties": {
"cid": {
"const": null
}
}
}
}
}
}
},
{
"properties": {
"global": {
"properties": {
"falconSecret": {
"properties": {
"secretName": {
"const": ""
}
}
}
}
}
}
},
{
"properties": {
"crowdstrikeConfig": {
"properties": {
"existingSecret": {
"const": ""
}
}
}
}
}
}
]
},
"then": {
"properties": {
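Review bot: The new `allOf` condition keys on `global.falconSecret.secretName` being `""` but never looks at `global.falconSecret.enabled`, which this PR adds to the schema and to `values.yaml` with a default of `false`. With `enabled: false` and a non-empty `secretName`, the `if` no longer matches and the `then` requirements are not applied. If `enabled` is meant to gate use of the global secret, add it to this condition and to the template validation; if it is not consulted for this chart, say so in its `description`.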
Expand Down
3 changes: 2 additions & 1 deletion helm-charts/falcon-image-analyzer/values.yaml
Expand Up @@ -209,7 +209,7 @@ crowdstrikeConfig:

# Use this value if you have an existing secret
# defined in your k8s that may contain secrets
# for falcon api client id and pw
# for Falcon CID, api client id, and pw
existingSecret: ""
agentRegion: "autodiscovery"
agentRuntime: ""
Expand All @@ -226,6 +226,7 @@ global:
falcon:
cid:
falconSecret:
enabled: false
secretName: ""
containerRegistry:
pullSecret: ""
Expand Down
6 changes: 3 additions & 3 deletions helm-charts/falcon-platform/Chart.lock
Expand Up @@ -7,6 +7,6 @@ dependencies:
version: 1.6.0
- name: falcon-image-analyzer
repository: file://../falcon-image-analyzer
version: 1.1.20
digest: sha256:df5d3f9047c9ae430112c5c69860afc7f9a27771590ea9a872e85cd8ae27ae11
generated: "2026-05-05T10:37:59.520948-04:00"
version: 1.1.21
digest: sha256:03ecf92048161d9348dee071f7e64d8399140fb915a4d03738dac7a4a33f3cea
generated: "2026-06-10T07:29:50.844508-05:00"
4 changes: 2 additions & 2 deletions helm-charts/falcon-platform/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.4.0
version: 1.4.1

keywords:
- CrowdStrike
Expand Down Expand Up @@ -43,6 +43,6 @@ dependencies:
repository: file://../falcon-kac
condition: falcon-kac.enabled
- name: falcon-image-analyzer
version: 1.1.20
version: 1.1.21
repository: file://../falcon-image-analyzer
condition: falcon-image-analyzer.enabled
18 changes: 16 additions & 2 deletions helm-charts/falcon-platform/README.md
Expand Up @@ -64,13 +64,26 @@ The table below shows the subchart versions bundled with each falcon-platform re

| falcon-platform | falcon-sensor | falcon-kac | falcon-image-analyzer |
|:----------------|:--------------|:-----------|:----------------------|
| `1.4.1` | `1.36.0` | `1.6.0` | `1.1.21` |
| `1.4.0` | `1.36.0` | `1.6.0` | `1.1.20` |
| `1.3.0` | `1.35.0` | `1.6.0` | `1.1.20` |
| `1.2.0` | `1.34.2` | `1.6.0` | `1.1.18` |
| `1.1.0` | `1.34.1` | `1.5.2` | `1.1.17` |
| `1.0.0` | `1.34.1` | `1.5.1` | `1.1.16` |


<details>
<summary><b>falcon-platform 1.4.1</b></summary>

| Component | Helm Version | Sensor Version | Notes |
|:----------|:--------|:---------------|:------|
| falcon-sensor (node) | `1.36.0` | `>= 7.35` | — |
| falcon-sensor (container) | `1.36.0` | `>= 7.37` | Added AI-DR support. |
| falcon-kac | `1.6.0` | `>= 7.33` | — |
| falcon-image-analyzer | `1.1.21` | `>= 1.0.24` | Added support for providing `AGENT_CID` through an existing secret. |

</details>

<details>
<summary><b>falcon-platform 1.4.0</b></summary>

Expand Down Expand Up @@ -455,6 +468,7 @@ Falcon Image Analyzer specific configurations must be prefixed with `falcon-imag
Instead of specifying sensitive values directly in Helm values, you can use existing Kubernetes secrets for the following env vars:
- `FALCONCTL_OPT_CID`: Falcon CID - Required for falcon-sensor and falcon-kac
- `FALCONCTL_OPT_PROVISIONING_TOKEN`: Falcon provisioning token - Optional for falcon-sensor and falcon-kac
- `AGENT_CID`: Falcon CID - Required for falcon-image-analyzer
- `AGENT_CLIENT_ID`: Falcon OAuth client ID - Required for falcon-image-analyzer
- `AGENT_CLIENT_SECRET`: Falcon OAuth client secret - Required for falcon-image-analyzer

Expand All @@ -481,6 +495,7 @@ kubectl create secret generic $FALCON_SECRET_NAME -n falcon-kac \

# Create secret with required values for falcon-image-analyzer
kubectl create secret generic $FALCON_SECRET_NAME -n falcon-image-analyzer \
--from-literal=AGENT_CID=$FALCON_CID \
--from-literal=AGENT_CLIENT_ID=$FALCON_CLIENT_ID \
--from-literal=AGENT_CLIENT_SECRET=$FALCON_CLIENT_SECRET
```
Expand All @@ -501,8 +516,7 @@ helm install falcon-platform crowdstrike/falcon-platform --version 1.0.0 -n falc
--set falcon-image-analyzer.image.repository=$IAR_REGISTRY \
--set falcon-image-analyzer.image.tag=$IAR_IMAGE_TAG \
--set falcon-image-analyzer.crowdstrikeConfig.agentRuntime=$IAR_AGENT_RUNTIME \
--set falcon-image-analyzer.crowdstrikeConfig.clusterName=$CLUSTER_NAME \
--set falcon-image-analyzer.crowdstrikeConfig.cid=$FALCON_CID # IAR Falcon CID is not yet supported by existing secrets
--set falcon-image-analyzer.crowdstrikeConfig.clusterName=$CLUSTER_NAME
```

## Upgrade Strategy
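Review bot: The `helm install` example drops `crowdstrikeConfig.cid` on the grounds that the secret now carries `AGENT_CID`, but the command shown in the hunk header still installs `--version 1.0.0`, which the compatibility table in this README maps to falcon-image-analyzer `1.1.16`; secret-based `AGENT_CID` arrives with `1.1.21` in falcon-platform `1.4.1`. Bump the example to `--version 1.4.1`, or keep the `cid` flag with a note on the minimum version, otherwise a reader following it verbatim installs a chart version that does not read `AGENT_CID` from the secret.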
Expand Down
1 change: 1 addition & 0 deletions helm-charts/falcon-platform/values.yaml
Expand Up @@ -19,6 +19,7 @@ global:
# Required data for falcon-sensor and falcon-kac:
# - FALCONCTL_OPT_CID
# Required data for falcon-image-analyzer:
# - AGENT_CID
# - AGENT_CLIENT_ID
# - AGENT_CLIENT_SECRET
# Optional data:
Expand Down