
Ability to read sensitive data (cid) from k8s secret

Open poonsalai opened this issue 1 year ago • 2 comments

Hi Team

It seems that right now the Helm chart for falcon-sensor accepts the falcon-cid only via the Helm chart values.yaml. But as that is treated as a sensitive value, it would be great to have an option in the chart where the user can pass a k8s secret and the cid value can be read from there; that way there will be no need to put the secret in Helm or check it into the repo either.

https://github.com/CrowdStrike/falcon-helm/tree/falcon-sensor-1.28.1/helm-charts/falcon-sensor

FALCONCTL_OPT_CID: {{ .Values.falcon.cid }}

Could you please suggest if this can be taken on priority and worked upon?

Thanks, Sharad

poonsalai avatar Oct 11 '24 19:10 poonsalai

They've closed multiple pull requests related to this and their reasoning makes no sense. Good luck.

https://github.com/CrowdStrike/falcon-helm/pull/273#issuecomment-2023072790

nmohoric avatar Oct 16 '24 15:10 nmohoric

I had a similar issue with another Helm chart where the option to specify an existing secret wasn’t available. If you are using Kustomization for your deployment, this might help you, e.g.:

falcon-shra-executor-patch.yaml:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: falcon-shra-executor
  namespace: crowdstrike-falcon-io-shra
spec:
  template:
    spec:
      containers:
        - name: executor
          env:
            - name: "CLIENT_ID"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_ID
            - name: "CLIENT_SECRET"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_SECRET
      initContainers:
        - name: executor-init
          env:
            - name: "CLIENT_ID"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_ID
            - name: "CLIENT_SECRET"
              valueFrom:
                secretKeyRef:
                  name: crowdstrike-config-secret
                  key: CLIENT_SECRET

Kustomization:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
  name: crowdstrike-falcon-io-shra
  namespace: crowdstrike-falcon-io-shra

resources: 
  - crowdstrike-registry-sealed-secret.yaml
  - crowdstrike-config-sealed-secret.yaml
  - falcon-shra-executor-role.yaml
  - falcon-shra-executor-role-binding.yaml

helmCharts:
  - name: falcon-self-hosted-registry-assessment
    repo: https://crowdstrike.github.io/falcon-helm
    releaseName: falcon-shra
    namespace: crowdstrike-falcon-io-shra
    valuesFile: values.yaml
    version: 1.3.0

patchesStrategicMerge:
  - delete-clusterrole-patch.yaml
  - delete-clusterrole-binding-patch.yaml
  - falcon-shra-executor-patch.yaml

hrbasic avatar Mar 03 '25 10:03 hrbasic
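A check for the concern raised in this thread, added here as an example and not code from the falcon-helm project or from any commenter: it scans workload JSON (for example the output of `kubectl get statefulset,configmap -n <namespace> -o json`) and reports sensitive names that are still set as literals instead of being read through `secretKeyRef`. The sensitive names come from the thread; the ConfigMap name, the sample values, and the idea that the CID may be rendered into a ConfigMap key are assumptions made for the sample.

```python
import json
import sys

# Names treated as sensitive; all three appear in this thread.
SENSITIVE = {"FALCONCTL_OPT_CID", "CLIENT_ID", "CLIENT_SECRET"}

def find_inline_secrets(obj):
    """Return (resource, location, name) for sensitive values not read from a Secret."""
    items = obj["items"] if obj.get("kind") == "List" else [obj]
    findings = []
    for item in items:
        ref = f'{item["kind"]}/{item["metadata"]["name"]}'
        if item["kind"] == "ConfigMap":
            # ConfigMap data is stored and displayed in plain text.
            findings += [(ref, "data", k) for k in item.get("data") or {} if k in SENSITIVE]
            continue
        pod = item.get("spec", {}).get("template", {}).get("spec", {})
        for group in ("initContainers", "containers"):
            for c in pod.get(group) or []:
                for env in c.get("env") or []:
                    from_secret = "secretKeyRef" in (env.get("valueFrom") or {})
                    # A leftover literal `value` is flagged even next to valueFrom.
                    if env["name"] in SENSITIVE and (env.get("value") or not from_secret):
                        findings.append((ref, c["name"], env["name"]))
    return findings

def _ref(key):
    # Sample helper: env entry read from the Secret named in the thread's patch.
    return {"name": key, "valueFrom": {"secretKeyRef": {"name": "crowdstrike-config-secret", "key": key}}}

# Constructed sample: a ConfigMap holding the CID, and a workload whose init
# container is patched but whose main container still has a literal secret.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "sample-sensor-config"},
     "data": {"FALCONCTL_OPT_CID": "CONSTRUCTED-CID", "OTHER_SETTING": "none"}},
    {"kind": "StatefulSet", "metadata": {"name": "falcon-shra-executor"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "executor-init", "env": [_ref("CLIENT_ID"), _ref("CLIENT_SECRET")]}],
         "containers": [{"name": "executor", "env": [
             _ref("CLIENT_ID"), {"name": "CLIENT_SECRET", "value": "constructed-literal"}]}]}}}},
]}

if __name__ == "__main__":
    # With a file argument, read `kubectl get ... -o json` output; otherwise use the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    results = find_inline_secrets(doc)
    for resource, where, name in results:
        print(f"inline secret: {resource} [{where}] {name}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can gate a pipeline step that runs against rendered or deployed manifests.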