falcon-self-hosted-registry-assessment secret not found
Hi, during the falcon-self-hosted-registry-assessment deployment, when I'm using an existing secret for the registry, I'm getting an error:
```
time=2025-02-25T12:24:25.358701Z name=registryassessmentexecutor.sqlite level=Info legacy_level=[INFO] caller=sqlite/sqlite.go:79 msg="running migrations"
time=2025-02-25T12:24:25.360957Z name=registryassessmentexecutor.sqlite level=Info legacy_level=[INFO] caller=sqlite/sqlite.go:104 msg="migrations completed successfully"
time=2025-02-25T12:24:25.36102Z name=registryassessmentexecutor.sqlite level=Info legacy_level=[INFO] caller=sqlite/sqlite.go:79 msg="running migrations"
time=2025-02-25T12:24:25.361367Z name=registryassessmentexecutor.sqlite level=Info legacy_level=[INFO] caller=sqlite/sqlite.go:104 msg="migrations completed successfully"
time=2025-02-25T12:24:25.386734Z name=registryassessmentexecutor.kubernetes_client level=Info legacy_level=[INFO] caller=client/k8s.go:98 msg="Read registry credential secret success" kubernetes_server_version=v1.29.7 secret_name=docker-ib
time=2025-02-25T12:24:25.387223Z name=registryassessmentexecutor level=Error legacy_level=[ERROR] caller=./main.go:41 msg="existing main" error="Secret not found for named secret and registry" errorVerbose="Secret not found for named secret and registry\ngo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor/client.(*Client).GetCredFromNamedSecret\n\tgo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor/client/k8s.go:180\ngo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor/credentials.NewCredentials\n\tgo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor/credentials/credentials.go:128\ngo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor.Initialize\n\tgo.crwd.dev/cloudsec/registryassessmentexecutor/internal/registryassessmentexecutor/run.go:54\nmain.main\n\t./main.go:35\nruntime.main\n\truntime/proc.go:271\nruntime.goexit\n\truntime/asm_amd64.s:1695"
```
Values file example:
```yaml
registryConfigs:
  - type: artifactory
    credentials:
      kubernetesSecretName: "docker-ib"
      kubernetesSecretNamespace: "crowdstrike-falcon-io-shra"
```
I'm using a kubernetes.io/dockerconfigjson secret, e.g.:
```
NAME        TYPE                             DATA   AGE
docker-ib   kubernetes.io/dockerconfigjson   1      27m
```
If I specify the username and password directly in the Values file, it works fine:
```yaml
registryConfigs:
  - type: artifactory
    credentials:
      username: "myusername"
      password: "mypass"
```
Another thing that concerns me: when the service is deployed manually using username and password, the secret is stored in a ConfigMap. Shouldn't we use a Secret instead?
```yaml
apiVersion: v1
data:
  REGISTRY_CREDENTIALS: |-
    [
      {
        "credential": {
          "details": {
            "password": "mypass",
            "username": "myusername"
          }
        },
        "credential_type": null,
        "registry_host": "https://my-artifactory",
        "registry_id": "my-id",
        "registry_port": "443",
        "registry_type": "artifactory"
      }
    ]
kind: ConfigMap
```
Additional information
Secret created using command: `kubectl create secret docker-registry docker-ib --docker-server="myrepo" --docker-username=myusernanme --docker-password="mypassword"`
Chart version: 1.2.0
App version: 1.2.0
It looks like this problem with secret not found is fixed in the latest release 1.3.0:
Fixed
Registry credentials are now consistently retrieved from Kubernetes secrets.
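
The ConfigMap concern raised in the issue can be checked for in any exported manifest. The following is an added example, not part of the original issue or the chart's own code: it takes a ConfigMap manifest as a dict (for instance one item from `kubectl get configmap -o json`), parses JSON-valued `data` entries such as `REGISTRY_CREDENTIALS`, and reports the paths of credential-like keys without printing their values. The key-name list, the function names and the sample manifest are assumptions constructed for illustration.

```python
import json

# Assumed list of key names treated as credentials; extend for your environment.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "apikey"}


def find_sensitive_paths(node, path=""):
    """Yield JSON paths whose key looks like a credential and holds a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str) and value:
                yield child  # report the location only, never the value
            else:
                yield from find_sensitive_paths(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_sensitive_paths(item, f"{path}[{i}]")


def audit_configmap(manifest):
    """Return (data key, JSON path) findings for one ConfigMap manifest dict."""
    if manifest.get("kind") != "ConfigMap":
        return []  # Secrets and other kinds are out of scope for this check
    findings = []
    for data_key, raw in (manifest.get("data") or {}).items():
        try:
            parsed = json.loads(raw)
        except (TypeError, ValueError):
            continue  # plain-text entry, nothing structured to inspect
        findings.extend((data_key, p) for p in find_sensitive_paths(parsed))
    return findings


# Constructed sample mirroring the ConfigMap quoted in the issue.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "constructed-example"},
    "data": {
        "REGISTRY_CREDENTIALS": json.dumps([{
            "credential": {"details": {"password": "mypass", "username": "myusername"}},
            "credential_type": None,
            "registry_host": "https://my-artifactory",
            "registry_type": "artifactory",
        }]),
        "LOG_LEVEL": "info",  # constructed non-JSON entry, skipped by the audit
    },
}

if __name__ == "__main__":
    for data_key, path in audit_configmap(SAMPLE):
        print(f"credential-like field in ConfigMap data: {data_key} -> {path}")
```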