adding self-hosted-registry-assessment

Author: mcrowson

helm-charts/falcon-self-hosted-registry-assessment/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm-charts/falcon-self-hosted-registry-assessment/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: registry-scanner
+description: CrowdStrike Self-hosted Registry Assessment
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

helm-charts/falcon-self-hosted-registry-assessment/README.md

@@ -0,0 +1,34 @@
+fullnameOverride: "shra"
+executor:
+  image:
+    registry: "registry.crowdstrike.com"
+    repository: "falcon-selfhostedregistryassessment/release/falcon-registryassessmentexecutor"
+    tag: "0.11.0"
+
+  dbStorage:
+    storageClass: "standard"
+
+  assessmentStorage:
+    type: "local"
+
+jobController:
+  image:
+    registry: "registry.crowdstrike.com"
+    repository: "falcon-selfhostedregistryassessment/release/falcon-jobcontroller"
+    tag: "0.19.0"
+
+  dbStorage:
+    storageClass: "standard"
+
+crowdstrikeConfig:
+  clientID: "abcdefABCDEF0123456789abcdefABCD"
+  clientSecret: "abcdefABCDEF0123456789abcdefABCDEF012345"
+
+registryConfigs:
+  - type: dockerhub
+    credentials:
+      username: "userName"
+      password: "password"
+    port: "443"
+    host: "https://registry-1.docker.io"
+    cronSchedule: "* * * * *"

helm-charts/falcon-self-hosted-registry-assessment/ci/cid-values.yaml

@@ -0,0 +1,3 @@
+The Crowdstrike Self-hosted Registry Assessment is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "ra-self-hosted.fullname" . }}. You can now check if the agent is running by running the following command:
+
+"kubectl -n {{ .Release.Namespace}} get pods"

helm-charts/falcon-self-hosted-registry-assessment/self-hosted-registry-assessment-flow.png

@@ -0,0 +1,234 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ra-self-hosted.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ra-self-hosted.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "ra-self-hosted-executor.fullname" -}}
+{{- printf "%s-%s" (include "ra-self-hosted.fullname" .) "executor" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "ra-self-hosted-executor.pullsecret-name" -}}
+{{- printf "%s-%s-pullsecret" (include "ra-self-hosted.fullname" .) "executor" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.fullname" -}}
+{{- printf "%s-%s" (include "ra-self-hosted.fullname" .) "job-controller" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.pullsecret-name" -}}
+{{- printf "%s-%s-pullsecret" (include "ra-self-hosted.fullname" .) "job-controller" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ra-self-hosted.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ra-self-hosted.labels-executor" -}}
+helm.sh/chart: {{ include "ra-self-hosted.chart" . }}
+{{ include "ra-self-hosted-executor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.executor.labels }}
+{{ .Values.executor.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "ra-self-hosted-job-controller.labels" -}}
+helm.sh/chart: {{ include "ra-self-hosted.chart" . }}
+{{ include "ra-self-hosted-job-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.jobController.labels }}
+{{ .Values.jobController.labels }}
+{{- end }}
+{{- end }}
+
+{{- define "ra-self-hosted.labels" -}}
+helm.sh/chart: {{ include "ra-self-hosted.chart" . }}
+{{ include "ra-self-hosted.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.jobController.labels }}
+{{ .Values.jobController.labels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ra-self-hosted-executor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ra-self-hosted.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: executor
+{{- end }}
+
+{{- define "ra-self-hosted-job-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ra-self-hosted.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: job-controller
+{{- end }}
+
+{{- define "ra-self-hosted.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ra-self-hosted.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "ra-self-hosted-executor.imageRegistry" -}}
+{{- .Values.executor.image.registry -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-executor.imageRepo" -}}
+{{- .Values.executor.image.repository -}}
+{{- end -}}
+
+
+{{- define "ra-self-hosted-executor.image" -}}
+{{- if .Values.executor.image.digest -}}
+{{- if contains "sha256:" .Values.executor.image.digest -}}
+{{- printf "%s/%s@%s" (include "ra-self-hosted-executor.imageRegistry" .) (include "ra-self-hosted-executor.imageRepo" .) .Values.executor.image.digest -}}
+{{- else -}}
+{{- printf "%s/%s@%s" (include "ra-self-hosted-executor.imageRegistry" .) (include "ra-self-hosted-executor.imageRepo" .) "sha256" .Values.executor.image.digest -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s/%s:%s" (include "ra-self-hosted-executor.imageRegistry" .) (include "ra-self-hosted-executor.imageRepo" .) .Values.executor.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.imageRegistry" -}}
+{{- .Values.jobController.image.registry -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.imageRepo" -}}
+{{- .Values.jobController.image.repository -}}
+{{- end -}}
+
+
+{{- define "ra-self-hosted-job-controller.image" -}}
+{{- if .Values.jobController.image.digest -}}
+{{- if contains "sha256:" .Values.jobController.image.digest -}}
+{{- printf "%s/%s@%s" (include "ra-self-hosted-job-controller.imageRegistry" .) (include "ra-self-hosted-job-controller.imageRepo" .) .Values.jobController.image.digest -}}
+{{- else -}}
+{{- printf "%s/%s@%s" (include "ra-self-hosted-job-controller.imageRegistry" .) (include "ra-self-hosted-job-controller.imageRepo" .) "sha256" .Values.jobController.image.digest -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s/%s:%s" (include "ra-self-hosted-job-controller.imageRegistry" .) (include "ra-self-hosted-job-controller.imageRepo" .) .Values.jobController.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.db-pvc-name" -}}
+{{- if .Values.jobController.dbStorage.create -}} {{- printf "%s-%s" (include "ra-self-hosted-job-controller.fullname" .) "db" | trunc 63 -}} {{- else -}} {{ .Values.jobController.dbStorage.existingClaimName }} {{- end -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-executor.db-pvc-name" -}}
+{{- if .Values.executor.dbStorage.create -}} {{- printf "%s-%s" (include "ra-self-hosted-executor.fullname" .) "db" | trunc 63 -}} {{- else -}} {{ .Values.executor.dbStorage.existingClaimName }} {{- end -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-executor.storage-pvc-name" -}}
+{{- if .Values.executor.assessmentStorage.pvc.create -}} {{- printf "%s-%s" (include "ra-self-hosted-executor.fullname" .) "storage" | trunc 63 -}} {{- else -}} {{ .Values.executor.assessmentStorage.pvc.existingClaimName }} {{- end -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-executor.registry-credentials-json" -}}
+{{- $creds := list -}}
+{{- range $k, $v := .Values.registryConfigs -}}
+{{- $cred := dict -}}
+{{- $cred = set $cred "registry_type" $v.type -}}
+{{- $cred = set $cred "registry_host" $v.host -}}
+{{- $cred = set $cred "registry_port" $v.port -}}
+{{- $credDetails := dict -}}
+{{- $credsDict := (include "yamlToJson" $v.credentials | fromYaml )}}
+{{- $credString := ($credsDict | toString)}}
+{{- $credDetails = set $credDetails "details" $credsDict -}}
+{{- $cred = set $cred "credential" $credDetails -}}
+{{- $cred = set $cred "registry_id" (sha256sum (printf "%v:%v:%v" $v.host $v.port $credString)) -}}
+{{- $creds = append $creds $cred }}
+{{- end -}}
+{{ toPrettyJson $creds }}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.job-configs-json" -}}
+{{- $jobs := list -}}
+{{- $heartBeatJob := dict }}
+{{- $heartBeatJob = set $heartBeatJob "type" "agent_heartbeat" -}}
+{{- $heartBeatJob = set $heartBeatJob "cron_schedule" "* * * * *" -}}
+{{- $jobs = append $jobs $heartBeatJob -}}
+{{- range $k, $v := .Values.registryConfigs -}}
+{{- $job := dict -}}
+{{- $job = set $job "type" "registry_collection" -}}
+{{- $job = set $job "cron_schedule" $v.cronSchedule -}}
+{{- $props := dict -}}
+{{- $props = set $props "registry_host" $v.host -}}
+{{- $props = set $props "registry_port" $v.port -}}
+{{- $props = set $props "registry_type" $v.type -}}
+{{- $credsDict := (include "yamlToJson" $v.credentials | fromYaml )}}
+{{- $credString := ($credsDict | toString)}}
+{{- $props = set $props "registry_allowed_repositories" $v.allowedRepositories -}}
+{{- $props = set $props "registry_id" (sha256sum (printf "%v:%v:%v" $v.host $v.port $credString)) -}}
+{{- $job = set $job "properties" $props -}}
+{{- $jobs = append $jobs $job -}}
+{{- end -}}
+{{- toPrettyJson $jobs -}}
+{{- end -}}
+
+{{- define "ra-self-hosted-job-controller.job-type-configs-json" -}}
+{{- $configs := list -}}
+{{- range $k, $v := .Values.crowdstrikeConfig.jobTypeConfigs -}}
+{{- $configs = append $configs (set (include "yamlToJson" $v | fromYaml) "name" (snakecase $k)) -}}
+{{- end -}}
+{{- $heartBeatConfig := dict }}
+{{- $heartBeatConfig = set $heartBeatConfig "name" "agent_heartbeat" -}}
+{{- $heartBeatConfig = set $heartBeatConfig "threads_per_pod" 1 -}}
+{{- $configs = append $configs $heartBeatConfig -}}
+{{- toPrettyJson $configs -}}
+{{- end -}}
+
+{{- define "yamlToJson" -}}
+{{- $config := dict -}}
+{{- range $k, $v := . -}}
+{{- if kindIs "map" $v -}}
+{{- $config = set $config (snakecase $k) (include "yamlToJson" $v | fromYaml ) -}}
+{{- else -}}
+{{- $config = set $config (snakecase $k) $v -}}
+{{- end -}}
+{{- end -}}
+{{- $config | toYaml -}}
+{{- end -}}
+
+{{- define "ra-self-hosted.cert-secret-name" }}
+{{- if .Values.tls.useCertManager -}}
+{{- printf "%s-%s" (include "ra-self-hosted.fullname" .) "tls" | trunc 63 }}
+{{- else -}}
+{{- .Values.tls.existingSecret -}}
+{{- end -}}
+{{- end -}}

helm-charts/falcon-self-hosted-registry-assessment/templates/NOTES.txt

@@ -0,0 +1,17 @@
+{{- if (and .Values.tls.enable .Values.tls.useCertManager) -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "ra-self-hosted.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "ra-self-hosted.labels" . | indent 4 }}
+spec:
+  secretName: {{ include "ra-self-hosted.cert-secret-name" . }}
+  issuerRef:
+{{ .Values.tls.issuer | toYaml | indent 4 }}
+  dnsNames:
+    - {{ include "ra-self-hosted-job-controller.fullname" . }}
+  duration: "2160h"
+  renewBefore: "360h"
+{{- end -}}

helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ra-self-hosted-executor.fullname" . }}
+  labels:
+  {{- include "ra-self-hosted.labels-executor" . | nindent 4 }}
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    - namespaces
+    verbs:
+    - get
+    - watch
+    - list

helm-charts/falcon-self-hosted-registry-assessment/templates/cetificate.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.registryConfigs -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "ra-self-hosted-executor.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ra-self-hosted.labels-executor" . | nindent 4 }}
+data:
+  REGISTRY_CREDENTIALS: |-
+{{ include "ra-self-hosted-executor.registry-credentials-json" . | indent 4 }}
+{{- if .Values.proxyConfig.HTTP_PROXY }}
+  HTTP_PROXY: {{ .Values.proxyConfig.HTTP_PROXY }}
+{{- end }}
+{{- if .Values.proxyConfig.HTTPS_PROXY }}
+  HTTPS_PROXY: {{ .Values.proxyConfig.HTTPS_PROXY }}
+{{- end }}
+{{- if .Values.proxyConfig.NO_PROXY }}
+  NO_PROXY: {{ .Values.proxyConfig.NO_PROXY }}
+{{- end }}
+{{- end -}}

helm-charts/falcon-self-hosted-registry-assessment/templates/executor-cluster-role.yaml

@@ -0,0 +1,16 @@
+{{ if .Values.executor.dbStorage.create -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "ra-self-hosted-executor.db-pvc-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ra-self-hosted.labels-executor" . | nindent 4 }}
+spec:
+  accessModes:
+    {{- .Values.executor.dbStorage.accessModes | toYaml | nindent 4 }}
+  storageClassName: {{ .Values.executor.dbStorage.storageClass }}
+  resources:
+    requests:
+      storage: {{ .Values.executor.dbStorage.size }}
+{{ end -}}