CrowdStrike · papanito · Jan 24, 2025 · Jan 27, 2025
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md
@@ -250,6 +250,7 @@ crowdstrikeConfig:
 |:------------------------------------|-----------|:------------------------------------------------------------------------------------------------------|:----------|
 | `crowdstrikeConfig.clientID`        | required  | The client ID used to authenticate the self-hosted registry assessment service with CrowdStrike.      | ""        |
 | `crowdstrikeConfig.clientSecret`    | required  | The client secret used to authenticate the self-hosted registry assessment service with CrowdStrike.  | ""        |
+| `crowdstrikeConfig.clientSecretRef` | optional  | Refernce to a secret which contains `clientID` (`CLIENT_ID`) and `clientSecret` (`CLIENT_SECRET`).  | ""
 
 
 #### Option 2. Configure your CrowdStrike credentials using Kubernetes secrets or configmaps

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl
@@ -13,11 +13,11 @@ If release name contains chart name it will be used as a full name.
 {{- define "ra-self-hosted.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- $name := default "shra" .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
 {{- end }}
 {{- end }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
@@ -23,7 +23,11 @@ spec:
     spec:
       serviceAccountName: {{ include "ra-self-hosted-executor.fullname" . }}
       securityContext:
-        fsGroup: 2001
+{{ if .Values.executor.podSecurityContext -}}
+{{ .Values.executor.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
      {{- if or (.Values.executor.image.pullSecret) (.Values.executor.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.executor.image.registryConfigJSON }}
@@ -45,13 +49,15 @@ spec:
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
             {{- if .Values.crowdstrikeConfig.clientID }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef }}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             {{- end }}
             {{- if .Values.crowdstrikeConfig.clientSecret }}
             - name: "CLIENT_SECRET"
               value: {{ .Values.crowdstrikeConfig.clientSecret }}
             {{- end }}
+            {{- end }}
             - name: "STORAGE_ENGINE"
               value: "sqlite"
             - name: "AGENT_RUN_MODE"
@@ -64,15 +70,20 @@ spec:
               value: {{ .value }}
             {{- end }}
             {{- end }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}} 
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}} 
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:
@@ -89,11 +100,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       containers:
         - name: executor
           image: {{ include "ra-self-hosted-executor.image" . }}
@@ -110,28 +121,35 @@ spec:
             - name: "REGION"
               value: {{ .Values.crowdstrikeConfig.region }}
             {{- if .Values.crowdstrikeConfig.clientID }}
+            {{ if not .Values.crowdstrikeConfig.clientSecretRef -}}
             - name: "CLIENT_ID"
               value: {{ .Values.crowdstrikeConfig.clientID }}
             {{- end }}
             {{- if .Values.crowdstrikeConfig.clientSecret }}
             - name: "CLIENT_SECRET"
               value: {{ .Values.crowdstrikeConfig.clientSecret }}
             {{- end }}
+            {{- end }} 
             - name: "STORAGE_ENGINE"
               value: "sqlite"
             - name: "LOG_LEVEL"
               value: {{ .Values.executor.logLevel | quote }}
             - name: "CATALOG_PER_PAGE_RATE"
               value: {{ .Values.executor.catalogPerPageRate | quote }}
-          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}}
+          {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
           envFrom:
             {{- if .Values.registryConfigs }}
             - configMapRef:
                 name: {{ include "ra-self-hosted-executor.fullname" . }}
             {{- end }}
-            {{- range .Values.executor.additionalSecretEnvFrom }}
+            {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
             - secretRef:
+            {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+            {{- end }}
+            {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+                name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+            {{- end }}
             {{- end }}
             {{- range .Values.executor.additionalCMEnvFrom }}
             - configMapRef:
@@ -152,11 +170,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 19 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       {{- if .Values.executor.nodeSelector }}
       nodeSelector:
         {{- .Values.executor.nodeSelector | toYaml | nindent 8 }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml
@@ -19,7 +19,11 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/job-controller-configmap.yaml") . | sha256sum }}
     spec:
       securityContext:
-        fsGroup: 2001
+{{ if .Values.jobController.podSecurityContext -}}
+{{ .Values.jobController.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
      {{- if or (.Values.jobController.image.pullSecret) (.Values.jobController.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.jobController.image.registryConfigJSON }}
@@ -73,11 +77,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       containers:
         - name: job-controller
           image: {{ include "ra-self-hosted-job-controller.image" . }}
@@ -131,11 +135,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
       {{- if .Values.jobController.nodeSelector }}
       nodeSelector:
         {{- .Values.jobController.nodeSelector | toYaml | nindent 8 }}

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -4,6 +4,26 @@
 nameOverride: ""
 fullnameOverride: ""
 
+podSecurityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  fsGroup: 2001
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
+
 executor:
   replicaCount: 1
   image:
@@ -47,6 +67,28 @@ executor:
       accessModes:
         - ReadWriteOnce
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
   logLevel: 3  # log level to be set for the service (1:error, 2:warning, 3:info, 4:debug)
   catalogPerPageRate: 100  # page size per catalog request
 
@@ -169,8 +211,31 @@ jobController:
 
   additionalSecretEnvFrom: []
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
 crowdstrikeConfig:
   region: "autodiscovery"  # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
+  # clientSecretRef: "" # use that instead `clientID` and `clientSecret`
   clientID: ""
   clientSecret: ""