falcon-operator icon indicating copy to clipboard operation
falcon-operator copied to clipboard
verified publisher icon CrowdStrike

feat: copy node.imagePullSecret from falcon-operator namespace to installNamespace

Open evanstoner opened this issue 1 year ago • 1 comments

The operator manages the lifecycle of the installNamespace (default falcon-system). When deploying from a custom registry that requires a pull secret, the user has to either:

  1. Create the falcon-system namespace and the secret before creating the FalconNodeSensor
  2. Create the FalconNodeSensor, wait for the operator to create the falcon-system namespace, then create the secret

This is not an ideal workflow. It would make more sense for the configuration of such secrets to be in the falcon-operator namespace and then copy those secrets to a managed secret in the installNamespace.

Related, the docs are not clear on where the secret should reside ("(optional) list of references to secrets to use for pulling image from image_override location.") especially since the FalconNodeSensor is now cluster-secoped. However, the samples does mention falcon-system (although does not mention installNamespace): https://github.com/CrowdStrike/falcon-operator/blob/main/config/samples/falcon_v1alpha1_falconnodesensor-all-options.yaml#L29-L33

evanstoner avatar Jul 24 '24 18:07 evanstoner

Or maybe just accept the base64 encoded token in the FalconNodeSensor itself:

node:
  imagePullSecrets:
    - name: referenced-the-current-way
    - value: base64-output-from-image-pull-script

evanstoner avatar Jul 24 '24 18:07 evanstoner