CrowdStrike / falcon-operator

https://artifacthub.io/packages/olm/falcon-operator/falcon-operator
Apache License 2.0

feat: copy node.imagePullSecret from falcon-operator namespace to installNamespace #567

Open evanstoner opened 1 month ago

evanstoner commented 1 month ago

The operator manages the lifecycle of the installNamespace (default falcon-system). When deploying from a custom registry that requires a pull secret, the user has to either:

  1. Create the falcon-system namespace and the secret before creating the FalconNodeSensor
  2. Create the FalconNodeSensor, wait for the operator to create the falcon-system namespace, then create the secret

This is not an ideal workflow. It would make more sense for the configuration of such secrets to be in the falcon-operator namespace and then copy those secrets to a managed secret in the installNamespace.

Related, the docs are not clear on where the secret should reside ("(optional) list of references to secrets to use for pulling image from image_override location."), especially since the FalconNodeSensor is now cluster-scoped. However, the sample does mention falcon-system (although it does not mention installNamespace): https://github.com/CrowdStrike/falcon-operator/blob/main/config/samples/falcon_v1alpha1_falconnodesensor-all-options.yaml#L29-L33

evanstoner commented 1 month ago

Or maybe just accept the base64 encoded token in the FalconNodeSensor itself:

node:
  imagePullSecrets:
    - name: referenced-the-current-way
    - value: base64-output-from-image-pull-script
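
The copy step requested in this issue, sketched as an added example that is not falcon-operator code: it validates a pull secret read from the falcon-operator namespace and produces the copy for the installNamespace, carrying over only the `.dockerconfigjson` key. The function names, the secret name `registry-pull-secret` and `registry.example.com` are assumptions, and the input is a constructed manifest.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Secret decodes only the fields a copy needs; uid, resourceVersion and owner references are dropped.
type Secret struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Type       string `json:"type"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

const key = ".dockerconfigjson"

// CopyPullSecret (hypothetical helper) validates the source pull secret and returns its copy for targetNS.
func CopyPullSecret(src []byte, targetNS string) (Secret, error) {
	var in Secret
	if json.Unmarshal(src, &in) != nil || in.Kind != "Secret" || in.Type != "kubernetes.io/dockerconfigjson" {
		return Secret{}, fmt.Errorf("not a dockerconfigjson pull secret")
	}
	var cfg struct{ Auths map[string]json.RawMessage }
	raw, err := base64.StdEncoding.DecodeString(in.Data[key])
	if err != nil || json.Unmarshal(raw, &cfg) != nil || len(cfg.Auths) == 0 {
		return Secret{}, fmt.Errorf("payload is not a docker config with auths")
	}
	in.Metadata.Namespace = targetNS                 // retarget to the install namespace
	in.Data = map[string]string{key: in.Data[key]} // carry over the pull credential only
	return in, nil
}

// SampleSource is a constructed Secret shaped like `kubectl get secret -o json` output.
func SampleSource() []byte {
	cfg := base64.StdEncoding.EncodeToString([]byte(`{"auths":{"registry.example.com":{"auth":"PLACEHOLDER"}}}`))
	return []byte(fmt.Sprintf(`{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/dockerconfigjson","metadata":{"name":"registry-pull-secret","namespace":"falcon-operator","uid":"constructed","resourceVersion":"42"},"data":{%q:%q}}`, key, cfg))
}

func main() {
	out, err := CopyPullSecret(SampleSource(), "falcon-system")
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b), err)
}
```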