falcon-operator
[Feature Request] - Operator FalconNodeSensor API Secrets
Overview
As a user I would like to reference a secret to provide the falcon_api.client_id and falcon_api.client_secret sensitive values to the FalconNodeSensor object so that I can safely store it in source control.
Extra Information
- Using version 0.9.1 of the Operator on OpenShift.
- This is an enabler from a GitOps point of view and allows users to leverage other secret management solutions to create the secret object and keep sensitive information out of source control.
- This change would bring feature parity to the operator, aligning it to the HELM chart: https://github.com/CrowdStrike/falcon-helm/pull/87
Hello,
Please use the imagePullSecrets, or if using git, it is recommended for these values to be injected by a post-merge job from CI/CD or GH/Gitlab secrets that injects the values into the CR config and updates the deployment post-merge of a PR. Otherwise, we don't have plans to implement this since imagePullSecrets and git with CI/CD and/or GH/Gitlab secrets should be used for this. The forthcoming helm chart for the operator will also be another way to handle this.
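The post-merge injection the reply above recommends, as an added example that is not part of this thread and not code from the falcon-operator project: a committed FalconNodeSensor template carries placeholders instead of credentials, and a deploy job renders it from the CI runner's secret store before applying it. The placeholder names (`__CLIENT_ID__`, `__CLIENT_SECRET__`), the environment variable names (`FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET`) and the template itself are assumptions made for the example; the `falcon_api.client_id` and `falcon_api.client_secret` field names are the ones from the feature request.

```shell
#!/bin/sh
# Added example (not from the falcon-operator project or this thread):
# render a FalconNodeSensor CR at deploy time from a committed template,
# pulling the API credentials from the CI runner's environment so they
# never land in git. Placeholder and variable names are assumptions.
set -eu

# Constructed template, standing in for the file committed to the GitOps repo.
FALCON_CR_TEMPLATE='apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconNodeSensor
metadata:
  name: falcon-node-sensor
spec:
  falcon_api:
    client_id: __CLIENT_ID__
    client_secret: __CLIENT_SECRET__'

# render_cr TEMPLATE_TEXT: prints the template with placeholders replaced from
# $FALCON_CLIENT_ID / $FALCON_CLIENT_SECRET. Fails closed if either variable is
# unset/empty or a placeholder survives, so a misconfigured pipeline cannot
# apply an empty or literal-placeholder credential to the cluster.
render_cr() {
  tmpl=$1
  : "${FALCON_CLIENT_ID:?must be provided by the CI secret store}"
  : "${FALCON_CLIENT_SECRET:?must be provided by the CI secret store}"

  # The secrets are handed to awk through its environment (ENVIRON), not as
  # -v arguments, so they do not show up in the runner's process listing.
  # Plain index/substr substitution avoids regex and '&' handling in gsub().
  out=$(printf '%s\n' "$tmpl" | FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \
    FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" awk '
    function subst(s, pat, rep,   out, i) {
      out = ""
      while ((i = index(s, pat)) > 0) {
        out = out substr(s, 1, i - 1) rep
        s = substr(s, i + length(pat))
      }
      return out s
    }
    {
      print subst(subst($0, "__CLIENT_ID__", ENVIRON["FALCON_CLIENT_ID"]),
                  "__CLIENT_SECRET__", ENVIRON["FALCON_CLIENT_SECRET"])
    }')

  case $out in
    *__CLIENT_ID__*|*__CLIENT_SECRET__*)
      echo "render_cr: unreplaced placeholder in rendered CR" >&2
      return 1 ;;
  esac
  printf '%s\n' "$out"
}

# deploy_cr: the post-merge step. The rendered CR is piped straight into
# kubectl and never written to the workspace or echoed into the job log.
deploy_cr() {
  render_cr "$FALCON_CR_TEMPLATE" | kubectl apply -f -
}
```

Run `deploy_cr` from the job that fires after the PR merges; the CI system supplies `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` as masked secrets. Note that the values still end up in the CR object in the cluster, so RBAC on the FalconNodeSensor resource should be as tight as on a Secret.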
Forgive my ignorance as I'm still trying to understand the differences between using the falcon API and using an image from a registry. I would like to use the falcon api but not being able to specify a secret that stores the client_secret is a blocker. Can I use image pull secrets without specifying a custom image?
```yaml
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconNodeSensor
metadata:
  name: falcon-node-sensor
spec:
  falcon:
    cid: <CID>
  node:
    # imagePullSecrets is a list of references to existing Secrets in the namespace
    imagePullSecrets:
      - name: <IMAGE_PULL_SECRET>
```
Why is it recommended not to use a secret if using git? We use dozens of helm charts and a handful of operators and none of them dictate that users should not store secrets in secrets. They allow referencing native k8s secrets in CRDs and charts. That being said they are all open source so maybe I'm misunderstanding how this operator is supposed to work given some of the constraints here.
We're using the Operator on GKE with Autopilot, which prevents us from using the Falcon image from a private repository (for at least 2 weeks GKE support hasn't been able to add our repository to an allow-list as mentioned in the doc). So we have to use client_id and client_secret.