Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to read sensitive data (cid) from k8s secret #326

Open
poonsalai opened this issue Oct 11, 2024 · 2 comments
Open

Ability to read sensitive data (cid) from k8s secret #326

poonsalai opened this issue Oct 11, 2024 · 2 comments

Comments

@poonsalai
Copy link

Hi Team

Seems right now the helm chart for falcon-sensor is accepting the falcon-cid only via helm chart values.yaml.
But as that is treated as a sensitive value, it would be great to have an option in chart where user can pass a k8s secret and the cid value can be read from there, with that way there will be no need to put the secret in helm or checked in repo as well.

https://github.com/CrowdStrike/falcon-helm/tree/falcon-sensor-1.28.1/helm-charts/falcon-sensor

FALCONCTL_OPT_CID: {{ .Values.falcon.cid }}

Could you please suggest if this can be taken on priority and worked upon.

Thanks
Sharad
@nmohoric
Copy link

They've closed multiple pull requests related to this and their reasoning makes no sense. Good luck.

#273 (comment)

@hrbasic
Copy link

hrbasic commented Mar 3, 2025

I had a similar issue with another Helm chart where the option to specify an existing secret wasn’t available. If you are using Kustomization for your deployment, this might help you, e.g.:
falcon-shra-executor-patch.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: falcon-shra-executor
  namespace: crowdstrike-falcon-io-shra
spec:
  template:
    spec:
      containers:
        - name: executor
          env:
            - name: "CLIENT_ID"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_ID
            - name: "CLIENT_SECRET"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_SECRET
      initContainers:
        - name: executor-init
          env:
            - name: "CLIENT_ID"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_ID
            - name: "CLIENT_SECRET"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_SECRET

Kustomization:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
  name: crowdstrike-falcon-io-shra
  namespace: crowdstrike-falcon-io-shra

resources: 
  - crowdstrike-registry-sealed-secret.yaml
  - crowdstrike-config-sealed-secret.yaml
  - falcon-shra-executor-role.yaml
  - falcon-shra-executor-role-binding.yaml

helmCharts:
  - name: falcon-self-hosted-registry-assessment
    repo: https://crowdstrike.github.io/falcon-helm
    releaseName: falcon-shra
    namespace: crowdstrike-falcon-io-shra
    valuesFile: values.yaml
    version: 1.3.0

patchesStrategicMerge:
  - delete-clusterrole-patch.yaml
  - delete-clusterrole-binding-patch.yaml
  - falcon-shra-executor-patch.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nmohoric @hrbasic @poonsalai