feat(iar): adding registryConfigJSON and fixing the pullSecret usage

- pullSecret property is not working : it was creating a secret based on the value and not doing a reference to it - adding the support of the registryConfigJSON to have a consistent way to deploy like other agents (simpler to use than the dockerAPIToken based on the tooling we have today) - bump Chart to v1.1.2
CrowdStrike · Feb 8, 2024 · 4d56371 · 4d56371
1 parent de2cd6f
commit 4d56371
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 24 deletions.
diff --git a/helm-charts/falcon-image-analyzer/Chart.yaml b/helm-charts/falcon-image-analyzer/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.1
+version: 1.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.1.1"
+appVersion: "1.1.2"
diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml
@@ -21,13 +21,18 @@ spec:
       labels:
     {{- include "falcon-image-analyzer.labels" . | nindent 8 }}
     spec:
-      {{- if .Values.crowdstrikeConfig.dockerAPIToken }}
-      imagePullSecrets:
-        - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
-      {{- end }}
-      {{- if .Values.image.pullSecret }}
+      {{- if or (.Values.image.pullSecret) (.Values.image.registryConfigJSON) (.Values.crowdstrikeConfig.dockerAPIToken) }}
       imagePullSecrets:
+        {{- if and (.Values.crowdstrikeConfig.dockerAPIToken) (.Values.image.registryConfigJSON) }}
+          {{- fail "crowdstrikeConfig.dockerAPIToken and image.registryConfigJSON cannot be used together." }}
+        {{- else -}}
+        {{ if or (.Values.crowdstrikeConfig.dockerAPIToken) (.Values.image.registryConfigJSON) }}
         - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
+        {{- end }}
+        {{- end }}
+        {{- if .Values.image.pullSecret }}
+        - name: {{ .Values.image.pullSecret }}
+        {{- end }}
       {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }}
       securityContext:

diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
@@ -22,13 +22,18 @@ spec:
       labels:
     {{- include "falcon-image-analyzer.labels" . | nindent 8 }}
     spec:
-      {{- if .Values.crowdstrikeConfig.dockerAPIToken }}
-      imagePullSecrets:
-        - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
-      {{- end }}
-      {{- if .Values.image.pullSecret }}
+      {{- if or (.Values.image.pullSecret) (.Values.image.registryConfigJSON) (.Values.crowdstrikeConfig.dockerAPIToken) }}
       imagePullSecrets:
+        {{- if and (.Values.crowdstrikeConfig.dockerAPIToken) (.Values.image.registryConfigJSON) }}
+          {{- fail "crowdstrikeConfig.dockerAPIToken and image.registryConfigJSON cannot be used together." }}
+        {{- else -}}
+        {{ if or (.Values.crowdstrikeConfig.dockerAPIToken) (.Values.image.registryConfigJSON) }}
         - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
+        {{- end }}
+        {{- end }}
+        {{- if .Values.image.pullSecret }}
+        - name: {{ .Values.image.pullSecret }}
+        {{- end }}
       {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }}
       securityContext:

diff --git a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.crowdstrikeConfig.dockerAPIToken -}}
+{{ if or (.Values.crowdstrikeConfig.dockerAPIToken) (.Values.image.registryConfigJSON) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,16 +8,10 @@ metadata:
   {{- include "falcon-image-analyzer.labels" . | nindent 4 }}
 type: kubernetes.io/dockerconfigjson
 data:
+{{- if .Values.crowdstrikeConfig.dockerAPIToken }}
   .dockerconfigjson: {{ template "falcon-image-analyzer.imagePullSecret" . }}
 {{- end }}
-{{ if .Values.image.pullSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
-  labels:
-  {{- include "falcon-image-analyzer.labels" . | nindent 4 }}
-type: kubernetes.io/dockerconfigjson
-data:
-  .dockerconfigjson: {{ .Values.image.pullSecret }}
-  {{- end}}
+{{- if .Values.image.registryConfigJSON }}
+  .dockerconfigjson: {{ .Values.image.registryConfigJSON }}
+{{- end }}
+{{- end }}
diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml
@@ -31,6 +31,12 @@ image:
   # private repository
   pullSecret:
 
+  # Value must be base64. This setting conflicts with image.pullSecret
+  # The base64 encoded string of the docker config json for the pull secret can be
+  # gotten through:
+  # $ cat ~/.docker/config.json | base64 -
+  registryConfigJSON:
+
   envFrom:
     - configMapRef:
         name: agent-config