From 251af5d3c4aebc75dddd3a1288d707f183117c7c Mon Sep 17 00:00:00 2001
From: Gabe Alford
Date: Mon, 9 Oct 2023 15:41:44 -0600
Subject: [PATCH] fix: various scaffolding fixes
- Fix falconadmission group api
- Add xDescriptors for falcon API and falcon settings
- Minor Makefile fixes
---
 Makefile | 4 ++--
 PROJECT | 5 +++--
 api/falcon/v1alpha1/falcon.go | 11 +++++++++--
 api/falcon/v1alpha1/falcon_api.go | 19 ++++++++++++++-----
 ...lcon.crowdstrike.com_falconcontainers.yaml | 2 +-
 .../cainjection_in_falconadmissions.yaml | 2 +-
 .../patches/webhook_in_falconadmissions.yaml | 2 +-
 deploy/falcon-operator.yaml | 2 +-
 8 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/Makefile b/Makefile
index 2017b128..d25126b5 100644
--- a/Makefile
+++ b/Makefile
@@ -259,7 +259,7 @@ endif
 .PHONY: bundle
 bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
- $(OPERATOR_SDK) generate kustomize manifests --interactive=false -q
+ $(OPERATOR_SDK) generate kustomize manifests --interactive=false -q --apis-dir api
 cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
 $(OPERATOR_SDK) bundle validate ./bundle
@@ -281,7 +281,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 set -e ;\
 mkdir -p $(dir $(OPM)) ;\
 OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \
- curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\
+ curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.29.0/$${OS}-$${ARCH}-opm ;\
 chmod +x $(OPM) ;\
 }
 else
diff --git a/PROJECT b/PROJECT
index 0889d853..64569b13 100644
--- a/PROJECT
+++ b/PROJECT
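Review bot: The bumped `curl -sSLo $(OPM) .../v1.29.0/$${OS}-$${ARCH}-opm` line still downloads a release binary and immediately marks it executable with no integrity check, so anyone able to serve or substitute that asset gets code execution in the developer's or CI's context. Pin the expected SHA-256 per OS/ARCH next to the version and verify it before `chmod +x`, e.g. `echo "$${OPM_SHA256}  $(OPM)" | sha256sum -c -` (or `shasum -a 256` on macOS), so the recipe fails on mismatch; check the operator-registry release page for published checksums to seed the table. The other tool downloads in this Makefile are outside the hunk and presumably follow the same unverified pattern, so the fix is worth applying uniformly. The enclosing `opm` target starts before the hunk.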
@@ -4,9 +4,9 @@
 # More info: https://book.kubebuilder.io/reference/project-config.html
 componentConfig: true
 domain: crowdstrike.com
-layout:
-- go.kubebuilder.io/v3
 multigroup: true
+layout:
+- go.kubebuilder.io/v4-alpha
 plugins:
 manifests.sdk.operatorframework.io/v2: {}
 scorecard.sdk.operatorframework.io/v2: {}
@@ -35,6 +35,7 @@ resources:
 namespaced: true
 controller: true
 domain: crowdstrike.com
+ group: falcon
 kind: FalconAdmission
 path: github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1
 version: v1alpha1
diff --git a/api/falcon/v1alpha1/falcon.go b/api/falcon/v1alpha1/falcon.go
index 2faefc64..8526566d 100644
--- a/api/falcon/v1alpha1/falcon.go
+++ b/api/falcon/v1alpha1/falcon.go
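Review bot: Adding `group: falcon` to the FalconAdmission resource moves the CRD it maps to from `falconadmissions.crowdstrike.com` to `falconadmissions.falcon.crowdstrike.com`, and only the two kustomize patches are updated to match; the diffstat shows no generated CRD base, RBAC role, or sample manifest for FalconAdmission changing. Presumably the Go types already declare the `falcon` group and `make manifests` produced the new name before this commit, but that should be confirmed by regenerating and checking that `config/crd/kustomization.yaml` (if those patches are enabled) and any cert-manager or webhook objects reference the new name. Clusters that already have the old CRD installed will keep both definitions side by side, so a release note about removing the stale `falconadmissions.crowdstrike.com` CRD would avoid confusion.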
@@ -7,29 +7,36 @@ type FalconSensor struct {
 // +kubebuilder:validation:Pattern:="^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$"
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Customer ID (CID)",order=1
 CID *string `json:"cid,omitempty"`
+ // Disable the Falcon Sensor's use of a proxy.
 // +kubebuilder:default:=false
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable Falcon Proxy",order=3
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable Falcon Proxy",order=3,xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 APD *bool `json:"apd,omitempty"`
+ // The application proxy host to use for Falcon sensor proxy configuration.
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Disable Falcon Proxy Host",order=4
 APH string `json:"aph,omitempty"`
+ // The application proxy port to use for Falcon sensor proxy configuration.
 // +kubebuilder:validation:Minimum:=0
 // +kubebuilder:validation:Maximum:=65535
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Proxy Port",order=5
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Proxy Port",order=5,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:number"}
 APP *int `json:"app,omitempty"`
+ // Utilize default or Pay-As-You-Go billing.
 // +kubebuilder:validation:Enum:=default;metered
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Billing",order=8
 Billing string `json:"billing,omitempty"`
+ // Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID).
 // +kubebuilder:validation:Pattern:="^[0-9a-fA-F]{8}$"
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Provisioning Token",order=2
 PToken string `json:"provisioning_token,omitempty"`
+ // Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'.
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Sensor Grouping Tags",order=6
 Tags []string `json:"tags,omitempty"`
+ // Set sensor trace level.
 // +kubebuilder:validation:Enum:=none;err;warn;info;debug
 // +kubebuilder:default:=none
diff --git a/api/falcon/v1alpha1/falcon_api.go b/api/falcon/v1alpha1/falcon_api.go
index 2fe89723..846a0dc2 100644
--- a/api/falcon/v1alpha1/falcon_api.go
+++ b/api/falcon/v1alpha1/falcon_api.go
@@ -15,12 +15,15 @@ type FalconAPI struct {
 // +kubebuilder:validation:Enum=autodiscover;us-1;us-2;eu-1;us-gov-1
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="CrowdStrike Falcon Cloud Region",order=3
 CloudRegion string `json:"cloud_region"`
+ // Falcon OAuth2 API Client ID
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Client ID",order=1
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Client ID",order=1,xDescriptors="urn:alm:descriptor:com.tectonic.ui:password"
 ClientId string `json:"client_id"`
+ // Falcon OAuth2 API Client Secret
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Client Secret",order=2
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Client Secret",order=2,xDescriptors="urn:alm:descriptor:com.tectonic.ui:password"
 ClientSecret string `json:"client_secret"`
+ // Falcon Customer ID (CID) Override (optional, default is derived from the API Key pair)
 // +kubebuilder:validation:Pattern="^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$"
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Customer ID (CID)",order=4
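Review bot: The new `PToken` comment describes the provisioning token as the control that keeps unauthorized hosts out of the CID, yet the field keeps a plain `displayName="Provisioning Token",order=2` marker while `client_id`/`client_secret` elsewhere in this commit get the password descriptor; for consistency and to keep the token out of console screenshots, use `// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Provisioning Token",order=2,xDescriptors="urn:alm:descriptor:com.tectonic.ui:password"`. The added Tags comment has a typo: `that can used to group` should read `that can be used to group`. The unchanged `displayName="Disable Falcon Proxy Host"` marker above `APH` now contradicts the new comment (`The application proxy host to use ...`) and presumably should be `displayName="Falcon Proxy Host"`. The descriptor syntax also alternates between `xDescriptors="urn..."` and `xDescriptors={"urn..."}` within the same hunk; settling on one form makes later edits less error-prone. The `FalconSensor` struct continues past the end of the hunk.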
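Review bot: Tagging `ClientSecret` with `urn:alm:descriptor:com.tectonic.ui:password` only masks the value in the OLM console form; the secret is still stored in clear text in the custom resource spec, so it remains readable to anyone with `get` on that CR and shows up in etcd, backups and `kubectl get -o yaml` output. If the operator does not already accept a Secret reference for these credentials, that is the change worth planning; at minimum the field comment should state the limitation, e.g. `// Falcon OAuth2 API Client Secret. Stored in clear text in the resource spec; restrict read access to this CR accordingly.` Masking `ClientId` the same way is harmless but hides a non-secret identifier that operators use to tell credentials apart, so it may be better left as a plain field. `FalconAPI` continues past the end of the hunk.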
@@ -30,13 +33,15 @@ type FalconAPI struct {
 // RegistryTLSSpec configures TLS for registry pushing
 type RegistryTLSSpec struct {
 // Allow pushing to docker registries over HTTPS with failed TLS verification. Note that this does not affect other TLS connections.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Skip Registry TLS Verification",order=1
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Skip Registry TLS Verification",order=1,xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
 InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
+ // Allow for users to provide a CA Cert Bundle, as either a string or base64 encoded string
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Registry CA Certificate Bundle; optionally (double) base64 encoded",order=2
 CACertificate string `json:"caCertificate,omitempty"`
+ // Allow for users to provide a ConfigMap containing a CA Cert Bundle under a key ending in .crt
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="ConfigMap containing Registry CA Certificate Bundle",order=3
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="ConfigMap containing Registry CA Certificate Bundle",order=3,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap"}
 CACertificateConfigMap string `json:"caCertificateConfigMap,omitempty"`
 }
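Review bot: Exposing `InsecureSkipVerify` as a `booleanSwitch` makes disabling TLS verification for the registry push a one-click option in the console, but the comment on the field still describes only the mechanism, not the consequence. A reader of the generated form should see the risk and the safer alternative, so I would extend the existing comment to: `// Allow pushing to docker registries over HTTPS with failed TLS verification. This disables server identity checks for the registry push and exposes the pushed image to tampering in transit; for private CAs prefer caCertificate or caCertificateConfigMap. Note that this does not affect other TLS connections.` The ConfigMap selector descriptor on `CACertificateConfigMap` presumably lists ConfigMaps from the CR's own namespace; if the operator reads the ConfigMap from a different namespace, the comment should say which one.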
@@ -57,13 +62,17 @@ const (
 // RegistrySpec configures container image registry to which the Falcon Container image will be pushed
 type RegistrySpec struct {
- // Type of the registry to be used
+ // Type of container registry to be used
 // +kubebuilder:validation:Enum=acr;ecr;gcr;crowdstrike;openshift
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Registry Type",order=1
 Type RegistryTypeSpec `json:"type"`
 // TLS configures TLS connection for push of Falcon Container image to the registry
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Registry TLS Configuration",order=2
 TLS RegistryTLSSpec `json:"tls,omitempty"`
+ // Azure Container Registry Name represents the name of the ACR for the Falcon Container push. Only applicable to Azure cloud.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Azure Container Registry Name",order=3
 AcrName *string `json:"acr_name,omitempty"`
 }
diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
index e5f50c88..3f5d5f66 100644
--- a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
+++ b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
@@ -1899,7 +1899,7 @@ spec:
 type: boolean
 type: object
 type:
- description: Type of the registry to be used
+ description: Type of container registry to be used
 enum:
 - acr
 - ecr
diff --git a/config/crd/patches/cainjection_in_falconadmissions.yaml b/config/crd/patches/cainjection_in_falconadmissions.yaml
index 1452ca40..07cd29f6 100644
--- a/config/crd/patches/cainjection_in_falconadmissions.yaml
+++ b/config/crd/patches/cainjection_in_falconadmissions.yaml
@@ -4,4 +4,4 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
- name: falconadmissions.crowdstrike.com
+ name: falconadmissions.falcon.crowdstrike.com
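Review bot: The new `displayName="Registry Type",order=1` marker on `Type` carries no `xDescriptors`, unlike every other field surfaced in this commit, so the console will presumably render the `acr;ecr;gcr;crowdstrike;openshift` enum as a free-text box; OLM's select descriptor (`urn:alm:descriptor:com.tectonic.ui:select:<value>`, one entry per allowed value) renders a drop-down and keeps the form aligned with the kubebuilder enum. `AcrName` is documented as only applicable to ACR, but nothing rejects it for other registry types or requires it when `type` is `acr`; if the project's controller-gen version supports it, a `+kubebuilder:validation:XValidation` rule on the struct would enforce that at admission time, otherwise a sentence in the comment saying the controller ignores it for non-ACR types would help. Incidentally, the unchanged `json:"tls,omitempty"` on the non-pointer `TLS` field has no effect with encoding/json, so an empty `tls: {}` is always serialized.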
diff --git a/config/crd/patches/webhook_in_falconadmissions.yaml b/config/crd/patches/webhook_in_falconadmissions.yaml
index 9def903f..50546ed2 100644
--- a/config/crd/patches/webhook_in_falconadmissions.yaml
+++ b/config/crd/patches/webhook_in_falconadmissions.yaml
@@ -2,7 +2,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
- name: falconadmissions.crowdstrike.com
+ name: falconadmissions.falcon.crowdstrike.com
 spec:
 conversion:
 strategy: Webhook
diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
index 4aaddb02..d0b743c7 100644
--- a/deploy/falcon-operator.yaml
+++ b/deploy/falcon-operator.yaml
@@ -1962,7 +1962,7 @@ spec:
 type: boolean
 type: object
 type:
- description: Type of the registry to be used
+ description: Type of container registry to be used
 enum:
 - acr
 - ecr