From 899ab6c9226bf70c338b838f4d1c248bd906d6af Mon Sep 17 00:00:00 2001 From: Alex Pickering Date: Fri, 28 Jun 2024 11:48:32 -0700 Subject: [PATCH] add falcon setup Signed-off-by: Alex Pickering --- .github/workflows/deploy-infra.yaml | 108 ++++++++++++++++++++++++++-- 1 file changed, 103 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml index b3cdc05236..7c4e9afc88 100644 --- a/.github/workflows/deploy-infra.yaml +++ b/.github/workflows/deploy-infra.yaml 
@@ -780,18 +780,116 @@ jobs: kubectl apply -f infra/datadog/datadog-sidecar-rbac.yaml fi + - id: login-ecr + name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@v1 + + - id: create-ecr-registry + name: Create an ECR repository for the Falcon Sensor (if needed) + # This will fail if the registry already exists, which is fine. If there is some other + # error, the `push` step will fail instead. + continue-on-error: true + run: |- + if [[ -n "${{ secrets.FALCON_CID }}" ]]; + then + aws ecr create-repository --repository-name falcon-sensor --image-tag-mutability IMMUTABLE + else + echo "CrowdStrike CID missing, not creating falcon sensor repo" + fi + + - id: create-falcon-namespace + name: Attempt to create falcon namespace + continue-on-error: true + run: |- + if [[ -n "${{ secrets.FALCON_CID }}" ]]; + then + kubectl create namespace falcon-system + else + echo "CrowdStrike CID missing, not creating falcon namespace" + fi + - id: setup-falcon-sensor name: Setup Falcon Sensor run: |- if [[ -n "${{ secrets.FALCON_CID }}" ]]; then + + # configure the API client ID and password + export FALCON_CLIENT_ID="${{ secrets.FALCON_CLIENT_ID }}" + export FALCON_CLIENT_SECRET="${{ secrets.FALCON_CLIENT_SECRET }}" + + # confgure CID + export FALCON_CID="${{ secrets.FALCON_CID }}" + + # configure cloud region variables + export FALCON_CLOUD_API="${{ secrets.FALCON_CLOUD_API }}" + export FALCON_REGION="${{ secrets.FALCON_REGION }}" + export FALCON_CONTAINER_REGISTRY="${{ secrets.FALCON_CONTAINER_REGISTRY }}" + + # Get OAuth2 token to interact with the CrowdStrike API: + export FALCON_CS_API_TOKEN=$(curl \ + --data "client_id=${FALCON_CLIENT_ID}&client_secret=${FALCON_CLIENT_SECRET}"\ + --request POST \ + --silent \ + https://${FALCON_CLOUD_API}/oauth2/token | jq -cr '.access_token | values') + + # Get CrowdStrike registry username and password: + export FALCON_ART_USERNAME="fc-$(echo ${FALCON_CID} | awk '{ print tolower($0) }' | cut -d'-' -f1)" + export 
FALCON_ART_PASSWORD=$(curl -X GET -H "authorization: Bearer ${FALCON_CS_API_TOKEN}" + https://${FALCON_CLOUD_API}/container-security/entities/image-registry-credentials/v1 | jq -cr + '.resources[].token | values') + + # Obtain a token to interact with the CrowdStrike private registry: + export REGISTRY_BEARER=$(curl -X GET -s -u "${FALCON_ART_USERNAME}:${FALCON_ART_PASSWORD}" + "https://${FALCON_CONTAINER_REGISTRY}/v2/token?=fc-${CID}&scope=repository:falcon- + sensor/${FALCON_REGION}/release/falcon-sensor:pull&service=${FALCON_CONTAINER_REGISTRY}" | jq -r '.token') + + # Fetch the latest tag: + export SENSORTYPE=falcon-container + export FALCON_SENSOR_IMAGE_REPO="${FALCON_CONTAINER_REGISTRY}/${SENSORTYPE}/${FALCON_REGION}/release/${SENSORTYPE}" + + export FALCON_SENSOR_IMAGE_TAG=$(curl -X GET -s -H "authorization: Bearer ${REGISTRY_BEARER}" + "https://${FALCON_CONTAINER_REGISTRY}/v2/${SENSORTYPE}/${FALCON_REGION}/release/falcon-sensor/tags/list" | + jq -r '.tags[-1]') + + # Push Container Images to Private Registry + # Configure your container registry + export MY_INTERNAL_CONTAINER_REGISTRY=falcon-sensor + + # Configure your sensor repo + export MY_INTERNAL_SENSOR_IMAGE_REPO="${MY_INTERNAL_CONTAINER_REGISTRY}/${SENSORTYPE}" + + # Login to crowdstrike registry + echo $FALCON_ART_PASSWORD | docker login -u $FALCON_ART_USERNAME --password-stdin ${FALCON_CONTAINER_REGISTRY} + + # Login to your internal registry + docker login ${MY_INTERNAL_CONTAINER_REGISTRY} + + # Move images to your local registry + + ## Pull latest falcon-sensor image for daemonset deployment + docker pull ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} + + ## Tag the images to point to your registry + docker tag ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} \ + ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} + + ## push the images to your registry + docker push ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} + + # add the repository to your Helm client + 
export REPO=crowdstrike/falcon-sensor + + # install into a customized namespace helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm helm repo update - helm upgrade --install falcon-helm crowdstrike/falcon-sensor \ - --set node.enabled=false \ - --set container.enabled=true \ - --set falcon.cid=$FALCON_CID \ - --set container.image.repository="/falcon-sensor" + helm install falcon-helm ${REPO} \ + -n falcon-system --create-namespace \ + --set node.enabled=false \ + --set container.enabled=true \ + --set falcon.cid="$CROWDSTRIKE_CID" \ + --set container.image.repository="$FALCON_IMAGE_REPO" \ + --set container.image.tag="$FALCON_IMAGE_TAG" else echo "CrowdStrike CID missing, skipping falcon sensor setup" fi
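Review bot: The `helm install` at the end of the setup-falcon-sensor step reads `$CROWDSTRIKE_CID`, `$FALCON_IMAGE_REPO` and `$FALCON_IMAGE_TAG`, none of which this script ever assigns — it exports `FALCON_CID`, `MY_INTERNAL_SENSOR_IMAGE_REPO` and `FALCON_SENSOR_IMAGE_TAG` — so the sensor would be installed with an empty CID, repository and tag. The mirror destination looks equally off: `MY_INTERNAL_CONTAINER_REGISTRY=falcon-sensor` is a bare name rather than the ECR registry the `login-ecr` step authenticated to, so `docker login falcon-sensor` will try to prompt and fail non-interactively, a `docker push falcon-sensor/falcon-container:<tag>` would go to Docker Hub instead of the `falcon-sensor` ECR repository created two steps earlier, and `${CID}` in the registry-token URL appears unset for the same reason (the variable is `FALCON_CID`). Swapping the removed `helm upgrade --install` for `helm install` also makes the step fail on every re-run once the release exists, and `jq -r '.tags[-1]'` assumes `/v2/.../tags/list` returns tags in version order, which the registry API does not guarantee — worth pinning the mirrored sensor by digest (or at least logging `docker inspect --format '{{index .RepoDigests 0}}'`) so the deployed image is the one that was reviewed. Because the default `run:` shell is `bash -e` without `pipefail`, a failed `curl | jq` silently yields an empty token that only surfaces as a confusing login error later; `set -o pipefail` at the top of the script turns that into a hard failure at the source. The `${{ secrets.* }}` interpolations would also be safer passed through the step's `env:` block rather than spliced into the script text.
```yaml
      run: |-
        set -o pipefail
        if [[ -n "${FALCON_CID}" ]];
        then
          # … unchanged: OAuth2 token, registry credentials, tag lookup …

          # Mirror into the ECR registry the login-ecr step already authenticated to;
          # the repo name must match the one created by create-ecr-registry.
          export MY_INTERNAL_CONTAINER_REGISTRY="${{ steps.login-ecr.outputs.registry }}"
          export MY_INTERNAL_SENSOR_IMAGE_REPO="${MY_INTERNAL_CONTAINER_REGISTRY}/falcon-sensor"

          # … unchanged: docker login to CrowdStrike registry, pull / tag / push (drop the second `docker login`) …

          helm upgrade --install falcon-helm "${REPO}" \
            -n falcon-system --create-namespace \
            --set node.enabled=false \
            --set container.enabled=true \
            --set falcon.cid="${FALCON_CID}" \
            --set container.image.repository="${MY_INTERNAL_SENSOR_IMAGE_REPO}" \
            --set container.image.tag="${FALCON_SENSOR_IMAGE_TAG}"
        # … unchanged: else branch …
```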