Merge pull request #111 from redhatrises/add_lookup_funcs

Add lookup functions to handle advanced use cases
CrowdStrike · Apr 1, 2022 · 6cb1a1a · 6cb1a1a
2 parents 7a562b1 + 9695961
commit 6cb1a1a
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 7 deletions.
diff --git a/helm-charts/falcon-sensor/Chart.yaml b/helm-charts/falcon-sensor/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.13.0
+version: 1.14.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.13.0
+appVersion: 1.14.0
 
 keywords:
   - CrowdStrike

diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
@@ -126,6 +126,7 @@ To ensure a successful deployment, you will want to ensure that:
 1. When deploying the Falcon Container as a sidecar sensor, make sure that there are no firewall rules blocking communication to the Mutating Webhook. This will most likely result in a `context deadline exceeded` error. The default port for the Webhook is `4433`.
 1. The Falcon Container as a sidecar sensor should be deployed to Kubernetes managed environments, or environments that do not allow node access or installation via a Kubernetes DaemonSet.
 1. CrowdStrike's Helm Chart is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm).
+1. Be aware that there is advanced Helm Chart functionality in use and those specific features may not work fully with GitOps tools like ArgoCD. The reason for this is that ArgoCD does not fully support Helm when compared to FluxCD. For features that do not work in this instance, disable those features until ArgoCD supports Helm correctly.
 
 ### Install CrowdStrike Falcon Helm Chart in Kubernetes Cluster as a Sidecar
 

diff --git a/helm-charts/falcon-sensor/templates/container_deployment_webhook.yaml b/helm-charts/falcon-sensor/templates/container_deployment_webhook.yaml
@@ -5,9 +5,24 @@
 {{- $fullName = (printf "%s.%s.svc.%s" $name .Release.Namespace .Values.container.domainName) -}}
 {{- end }}
 {{- $certValid := (.Values.container.certExpiration | int) -}}
-{{- $altNames := list ( printf "%s" $fullName ) ( printf "%s.%s.svc" $name .Release.Namespace ) (  printf "%s.%s.svc.cluster.local" $name .Release.Namespace ) ( printf "%s.%s" $name .Release.Namespace ) ( printf "%s" $name ) -}}
+{{- $altNames := list ( printf "%s" $fullName ) ( printf "%s.%s.svc" $name .Release.Namespace ) ( printf "%s.%s.svc.cluster.local" $name .Release.Namespace ) ( printf "%s.%s" $name .Release.Namespace ) ( printf "%s" $name ) -}}
 {{- $ca := genCA ( printf "%s ca" .Release.Namespace ) $certValid -}}
 {{- $cert := genSignedCert $fullName nil $altNames $certValid $ca -}}
+{{- if not .Values.container.autoCertificateUpdate }}
+{{- $tlscrt := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "falcon-sensor.name" .))).data -}}
+{{- if kindIs "map" $tlscrt }}
+{{- $cert = dict "Cert" (index $tlscrt "tls.crt" | b64dec ) "Key" (index $tlscrt "tls.key" | b64dec ) -}}
+{{- end }}
+{{- $tlsca := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace $name).webhooks -}}
+{{- if kindIs "slice" $tlsca }}
+{{- range $index, $wca := $tlsca -}}
+  {{- $ca = dict "Cert" ($wca.clientConfig.caBundle | b64dec) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- $tlsCert := $cert.Cert | b64enc }}
+{{- $tlsKey := $cert.Key | b64enc }}
+{{- $caCert := $ca.Cert | b64enc }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -158,8 +173,9 @@ metadata:
     helm.sh/chart: {{ include "falcon-sensor.chart" . }}
 type: Opaque
 data:
-  tls.crt: {{ $cert.Cert | b64enc }}
-  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $tlsCert }}
+  tls.key: {{ $tlsKey }}
+  ca.crt: {{ $caCert }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -204,7 +220,7 @@ webhooks:
         namespace: {{ .Release.Namespace }}
         path: "/mutate"
       {{- end }}
-      caBundle: {{ $ca.Cert | b64enc }}
+      caBundle: {{ $caCert }}
     failurePolicy: Fail
     rules:
       - operations:

diff --git a/helm-charts/falcon-sensor/templates/container_secret.yaml b/helm-charts/falcon-sensor/templates/container_secret.yaml
@@ -11,7 +11,15 @@ data:
 type: kubernetes.io/dockerconfigjson
 {{- if .Values.container.image.pullSecrets.namespaces }}
 {{- $name := (printf "%s-pull-secret" (include "falcon-sensor.fullname" .)) }}
-{{- range $value := split "," .Values.container.image.pullSecrets.namespaces }}
+{{- $myns := list -}}
+{{- if .Values.container.image.pullSecrets.allNamespaces }}
+{{- range $index, $ns := (lookup "v1" "Namespace" "" "").items -}}
+  {{ $myns = append $myns $ns.metadata.name }}
+{{- end }}
+{{- else -}}
+{{- $myns := split "," .Values.container.image.pullSecrets.namespaces -}}
+{{- end }}
+{{- range $value := $myns }}
 ---
 apiVersion: v1
 kind: Secret

diff --git a/helm-charts/falcon-sensor/templates/container_webhook_upgrade.yaml b/helm-charts/falcon-sensor/templates/container_webhook_upgrade.yaml
@@ -1,6 +1,15 @@
 {{- if and .Values.container.enabled .Values.container.autoDeploymentUpdate }}
 {{- $name := (printf "%s-injector" (include "falcon-sensor.name" .)) -}}
 {{- $fullName := (printf "%s.%s.svc" $name .Release.Namespace) -}}
+{{- $caCert := "" -}}
+{{- $tlsca := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace $name).webhooks -}}
+{{- if kindIs "slice" $tlsca }}
+{{- $ca := dict }}
+{{- range $index, $wca := $tlsca -}}
+  {{- $ca = dict "Cert" ($wca.clientConfig.caBundle | b64dec) }}
+{{- end }}
+{{- $caCert := $ca.Cert | b64enc }}
+{{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -26,6 +35,20 @@ webhooks:
       - v1beta1
     {{- end }}
     sideEffects: None
+    namespaceSelector:
+      matchExpressions:
+      - key: sensor.crowdstrike.com/injection
+        operator: {{ if .Values.container.disableNSInjection }}In{{ else }}NotIn{{- end }}
+        values:
+          - {{ if .Values.container.disableNSInjection }}enabled{{ else }}disabled{{- end }}
+      - key: sensor.falcon-system.crowdstrike.com/injection
+        operator: {{ if .Values.container.disableNSInjection }}In{{ else }}NotIn{{- end }}
+        values:
+          - {{ if .Values.container.disableNSInjection }}enabled{{ else }}disabled{{- end }}
+      - key: kubernetes.io/metadata.name
+        operator: "NotIn"
+        values:
+        - {{ .Release.Namespace }}
     clientConfig:
       {{- if .Values.container.domainName }}
       url: https://{{ $fullName }}:443/mutate
@@ -35,4 +58,15 @@ webhooks:
         namespace: {{ .Release.Namespace }}
         path: "/mutate"
       {{- end }}
+      caBundle: {{ $caCert }}
+    rules:
+      - operations:
+          - CREATE
+        apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        resources:
+          - pods
+    timeoutSeconds: 30
 {{- end }}
diff --git a/helm-charts/falcon-sensor/values.schema.json b/helm-charts/falcon-sensor/values.schema.json
@@ -128,6 +128,10 @@
                         }
                     }
                 },
+                "autoCertificateUpdate": {
+                    "type": "boolean",
+                    "default": "true"
+                },
                 "autoDeploymentUpdate": {
                     "type": "boolean",
                     "default": "true"
@@ -174,6 +178,13 @@
                                     "type": "boolean",
                                     "default": "false"
                                 },
+                                "allNamespaces": {
+                                    "type": "boolean",
+                                    "default": "false"
+                                },
+                                "namespaces": {
+                                    "type": ["null", "string"]
+                                },
                                 "registryConfigJSON": {
                                     "type": ["null", "string"]
                                 }

diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
@@ -49,6 +49,9 @@ container:
   # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks
   enabled: false
 
+  # Auto update the certificates every time there is an update
+  autoCertificateUpdate: true
+
   # Update Webhook and roll out new Deployment on upgrade
   autoDeploymentUpdate: true
 
@@ -99,6 +102,10 @@ container:
       # namespaces: ns1,ns2,ns3
       namespaces:
 
+      # Attempt to create the Falcon sensor pull secret in all Namespaces
+      # instead of using "container.image.pullSecrets.namespaces"
+      allNamespaces: false
+
       # Value must be base64
       # The base64 encoded string of the docker config json for the pull secret can be
       # gotten through: