Merge pull request #297 from redhatrises/fig_update
chore: update FIG chart to the latest released version 3.2.0
redhatrises authored Jun 17, 2024
2 parents cc4b440 + 534a9a7 commit 3a21721
Showing 7 changed files with 499 additions and 124 deletions.
4 changes: 2 additions & 2 deletions helm-charts/falcon-integration-gateway/Chart.yaml
@@ -15,13 +15,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.3.0
version: 0.4.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: 3.1.10
appVersion: 3.2.0

keywords:
- CrowdStrike
@@ -1,11 +1,13 @@
{{- define "falcon-integration-gateway.backends" -}}
{{- $aws := ternary "AWS" "" .Values.push.aws_security_hub.enabled }}
{{- $aws_sqs := ternary "AWS_SQS" "" .Values.push.aws_sqs.enabled }}
{{- $azure := ternary "AZURE" "" .Values.push.azure_log_analytics.enabled }}
{{- $chronicle := ternary "CHRONICLE" "" .Values.push.chronicle.enabled }}
{{- $cloudtrail_lake := ternary "CLOUDTRAIL_LAKE" "" .Values.push.cloudtrail_lake.enabled }}
{{- $gcp := ternary "GCP" "" .Values.push.gcp_security_command_center.enabled }}
{{- $workspaceone := ternary "WORKSPACEONE" "" .Values.push.vmware_workspace_one.enabled }}
{{- $backends := list $aws $azure $chronicle $cloudtrail_lake $gcp $workspaceone | compact }}
{{- $generic := ternary "GENERIC" "" .Values.push.generic.enabled }}
{{- $backends := list $aws $aws_sqs $azure $chronicle $cloudtrail_lake $gcp $workspaceone $generic | compact }}
{{- $_ := first $backends | required "at least one push backend must be enabled" }}
{{- join "," $backends }}
{{- end }}
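Review bot: The two new lookups, `.Values.push.aws_sqs.enabled` and `.Values.push.generic.enabled`, dereference maps that presumably were not part of the 0.3.0 values, so an upgrade that reuses the previous release's values (for example `helm upgrade --reuse-values`) would likely stop on a nil-pointer error before the `required` message is ever reached. A nil-tolerant form is `{{- $sqs := .Values.push.aws_sqs | default dict }}` followed by `{{- $aws_sqs := ternary "AWS_SQS" "" (eq (toString $sqs.enabled) "true") }}`, and the same for `generic`. If the hard failure is acceptable, a line in the upgrade notes stating that `push.aws_sqs` and `push.generic` must now be present would be enough.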
189 changes: 183 additions & 6 deletions helm-charts/falcon-integration-gateway/templates/configmap.yaml
@@ -10,7 +10,9 @@ data:
# Falcon Integration Gateway
[main]
# Uncomment to enable backends. Alternatively, use FIG_BACKENDS env variable.
# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
#backends = AWS,AWS_SQS,AZURE,GCP,WORKSPACEONE,CHRONICLE,CLOUDTRAIL_LAKE,GENERIC
backends={{- include "falcon-integration-gateway.backends" . }}
# Uncomment to configure number of threads that process Falcon Events
@@ -20,38 +22,213 @@ data:
{{- end }}
[events]
# Uncomment to filter out events based on severity (allowed values 1-5, default 2)
# Uncomment to filter out events based on severity (allowed values 1-5, default 2).
#severity_threshold = 3
{{- if .Values.falcon.integration_gateway.severity_threshold }}
severity_threshold = {{ .Values.falcon.integration_gateway.severity_threshold }}
{{- end }}
# Uncomment to filter out events based on number of days past the event (default 365)
#older_than_days_threshold = 90
# Uncomment to filter out events based on number of days past the event (default 21).
#older_than_days_threshold = 14
{{- if .Values.falcon.integration_gateway.older_than_days_threshold }}
older_than_days_threshold = {{ .Values.falcon.integration_gateway.older_than_days_threshold }}
{{- end }}
# Exclude events originating from certain cloud environments (AWS, Azure, GCP, or unrecognized)
# detections_exclude_clouds =
{{- if .Values.falcon.integration_gateway.detections_exclude_clouds }}
detections_exclude_clouds = {{ .Values.falcon.integration_gateway.detections_exclude_clouds }}
{{- end }}
# Pass in the offset to start the stream from. This is useful to prevent duplicate events.
#offset = 0
{{- if .Values.falcon.integration_gateway.offset }}
offset = {{ .Values.falcon.integration_gateway.offset }}
{{- end }}
[logging]
# Uncomment to request logging level (ERROR, WARN, INFO, DEBUG)
# level = DEBUG
# Uncomment to request logging level (ERROR, WARN, INFO, DEBUG).
#level = DEBUG
{{- if .Values.falcon.integration_gateway.level }}
level = {{ .Values.falcon.integration_gateway.level }}
{{- end }}
[falcon]
# Uncomment to provide Falcon Cloud alternatively use FALCON_CLOUD_REGION to override
# Uncomment to provide Falcon Cloud. Alternatively, use FALCON_CLOUD_REGION env variable to override.
#cloud_region = us-1
{{- if .Values.falcon.cloud_region }}
cloud_region = {{ .Values.falcon.cloud_region }}
{{- end }}
# Uncomment to provide OAuth Client ID.
# Alternatively, use FALCON_CLIENT_ID env variable or a credentials store (see [credentials_store] section).
#client_id = ABCD
# Uncomment to provide OAuth Secret.
# Alternatively, use FALCON_CLIENT_SECRET env variable or a credentials store (see [credentials_store] section).
#client_secret = ABCD
# Uncomment to provide application id. Needs to be different per each fig instance.
#application_id = my-acme-gcp-1
{{- if .Values.falcon.integration_gateway.application_id }}
application_id = {{ .Values.falcon.integration_gateway.application_id }}
{{- end }}
[credentials_store]
# Uncomment to provide credentials store. Alternatively, use CREDENTIALS_STORE env variable.
# Supported values: ssm, secrets_manager
#store = ssm
{{- if .Values.credentials_store.store }}
store = {{ .Values.credentials_store.store }}
{{- end }}
[ssm]
# Uncomment to provide aws region for SSM. Alternatively, use SSM_REGION env variable.
#region = us-west-2
{{- if .Values.credentials_store.ssm.region }}
region = {{ .Values.credentials_store.ssm.region }}
{{- end }}
# Uncomment to provide SSM parameter name or path for client id. Alternatively, use SSM_CLIENT_ID env variable.
#ssm_client_id = /falcon/fig/client_id
{{- if .Values.credentials_store.ssm.client_id }}
ssm_client_id = {{ .Values.credentials_store.ssm.client_id }}
{{- end }}
# Uncomment to provide SSM parameter name or path for client secret. Alternatively, use SSM_CLIENT_SECRET env variable.
#ssm_client_secret = /falcon/fig/client_secret
{{- if .Values.credentials_store.ssm.client_secret }}
ssm_client_secret = {{ .Values.credentials_store.ssm.client_secret }}
{{- end }}
[secrets_manager]
# Uncomment to provide aws region for Secrets Manager. Alternatively, use SECRETS_MANAGER_REGION env variable.
#region = us-west-2
{{- if .Values.credentials_store.secrets_manager.region }}
region = {{ .Values.credentials_store.secrets_manager.region }}
{{- end }}
# Uncomment to provide Secrets Manager secret name. Alternatively, use SECRETS_MANAGER_SECRET_NAME env variable.
#secrets_manager_secret_name = falcon/fig/credentials
{{- if .Values.credentials_store.secrets_manager.secret_name }}
secrets_manager_secret_name = {{ .Values.credentials_store.secrets_manager.secret_name }}
{{- end }}
# Uncomment to provide Secrets Manager client id key. Alternatively, use SECRETS_MANAGER_CLIENT_ID_KEY env variable.
#secrets_manager_client_id_key = client_id
{{- if .Values.credentials_store.secrets_manager.client_id_key }}
secrets_manager_client_id_key = {{ .Values.credentials_store.secrets_manager.client_id_key }}
{{- end }}
# Uncomment to provide Secrets Manager client secret key. Alternatively, use SECRETS_MANAGER_CLIENT_SECRET_KEY env variable.
#secrets_manager_client_secret_key = client_secret
{{- if .Values.credentials_store.secrets_manager.client_secret_key }}
secrets_manager_client_secret_key = {{ .Values.credentials_store.secrets_manager.client_secret_key }}
{{- end }}
[generic]
# Generic section is applicable only when GENERIC backend is enabled in the [main] section.
# Generic backend can be used for outputting events to STDOUT
[gcp]
# GCP section is applicable only when GCP backend is enabled in the [main] section.
# Use GOOGLE_APPLICATION_CREDENTIALS env variable to configure GCP Backend. GOOGLE_APPLICATION_CREDENTIALS
# is an environment variable used to configure GCP Service accounts, it should point out to the credentials
# file for given service account.
[azure]
# Azure section is applicable only when AZURE backend is enabled in the [main] section.
# Uncomment to provide Azure Workspace ID. Alternatively, use WORKSPACE_ID env variable.
#workspace_id =
# Uncomment to provide Azure Primary Key. Alternatively, use PRIMARY_KEY env variable.
#primary_key =
# Uncomment to enable RTR based auto discovery of Azure Arc Systems. Alternatively,
# use ARC_AUTODISCOVERY env variable.
#arc_autodiscovery = true
{{- if .Values.push.azure_log_analytics.arc_autodiscovery }}
arc_autodiscovery = {{ .Values.push.azure_log_analytics.arc_autodiscovery }}
{{- end }}
[aws]
# AWS section is applicable only when AWS backend is enabled in the [main] section.
# Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
#region = eu-west-1
{{- if .Values.push.aws_security_hub.region }}
region = {{ .Values.push.aws_security_hub.region }}
{{- end }}
# Uncomment to manage whether or not to confirm instance in AWS account supported region.
# Alternatively, use AWS_CONFIRM_INSTANCE env variable.
#confirm_instance = true
{{- if .Values.push.aws_security_hub.confirm_instance }}
confirm_instance = {{ .Values.push.aws_security_hub.confirm_instance }}
{{- end }}
[cloudtrail_lake]
# AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
# Uncomment to provide the Channel ARN. Alternatively, use CLOUDTRAIL_LAKE_CHANNEL_ARN env variable.
#channel_arn =
# Uncomment to provide the AWS region. Should match the same region as the Channel.
# Alternatively, use CLOUDTRAIL_LAKE_REGION env variable.
#region =
{{- if .Values.push.cloudtrail_lake.region }}
region = {{ .Values.push.cloudtrail_lake.region }}
{{- end }}
[aws_sqs]
# AWS SQS section is applicable only when AWS backend is enabled in the [main] section.
# AWS SQS Backend publishes raw events to SQS queue
# Uncomment to provide AWS region. Alternatively, use AWS_REGION env variable
#region = eu-west-1
{{- if .Values.push.aws_sqs.region }}
region = {{ .Values.push.aws_sqs.region }}
{{- end }}
# Uncomment to provide name of AWS SQS. Alternatively, use AWS_SQS env variable
#sqs_queue_name = my-sqs-queue-for-falcon
{{- if .Values.push.aws_sqs.sqs_queue_name }}
sqs_queue_name = {{ .Values.push.aws_sqs.sqs_queue_name }}
{{- end }}
[workspaceone]
# Workspace One section is applicable only when Workspace One backend is enabled in the [main] section.
# Uncomment to provide Workspace One token. Alternatively, use WORKSPACEONE_TOKEN env variable
#token =
# Uncomment to provide syslog host. Alternatively, use SYSLOG_HOST env variable
#syslog_host =
{{- if .Values.push.vmware_workspace_one.syslog_host }}
syslog_host = {{ .Values.push.vmware_workspace_one.syslog_host }}
{{- end }}
# Uncomment to provide syslog port. Alternatively, use SYSLOG_PORT env variable
#syslog_port =
{{- if .Values.push.vmware_workspace_one.syslog_port }}
syslog_port = {{ .Values.push.vmware_workspace_one.syslog_port }}
{{- end }}
[chronicle]
# Chronicle section is applicable only when Chronicle backend is enabled in the [main] section
# Uncomment to provide Google Service Account filepath. Alternatively, use GOOGLE_SERVICE_ACCOUNT_FILE variable
#service_account = apikeys-demo.json
{{- if .Values.push.chronicle.service_account }}
service_account = {{ .Values.push.chronicle.service_account }}
{{- end }}
# Uncomment to provide Chronicle Customer ID. Alternatively, use GOOGLE_CUSTOMER_ID variable
#customer_id = XXX
# Uncomment to provide Chronicle region (us, europe, asia-southeast1). Alternatively, use CHRONICLE_REGION variable
#region =
{{- if .Values.push.chronicle.region }}
region = {{ .Values.push.chronicle.region}}
{{- end }}
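Review bot: The `{{- if … }}` guards on `arc_autodiscovery`, `confirm_instance` and `offset` test truthiness, so an explicit `false` (or `0`) in values looks the same as unset, the line is never written to config.ini, and the gateway falls back to its own default. Where an operator must be able to switch a setting off, test for presence instead, e.g. `{{- if not (kindIs "invalid" .Values.push.aws_security_hub.confirm_instance) }}`, assuming the default in values.yaml (not shown here) is left unset. Separately, the `#client_secret`, `#primary_key` and `#token` hints now live in a ConfigMap, which is not a place for credentials; a comment such as `# Do not set credentials here; supply them through the chart Secret or falcon.existingSecret.` above each would keep them from being uncommented in a fork. The `[aws_sqs]` comment also says "AWS backend" where it appears to mean AWS_SQS.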
@@ -42,7 +42,11 @@ spec:
subPath: config.ini
envFrom:
- secretRef:
{{- if .Values.falcon.existingSecret }}
name: {{ .Values.falcon.existingSecret }}
{{- else }}
name: {{ include "falcon-integration-gateway.fullname" . }}-creds
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
command:
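Review bot: With `falcon.existingSecret` set, `envFrom` exports every key of an operator-supplied Secret into the container environment, and nothing visible here says which keys that Secret has to hold. Going by secret.yaml in this commit the gateway expects at least `FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET` and `FALCON_CLOUD_REGION`; I would state that next to the value, e.g. `# existingSecret: Secret in the release namespace holding FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_CLOUD_REGION; keep it dedicated to this chart, all of its keys become env vars`. Quoting the rendered name, `name: {{ .Values.falcon.existingSecret | quote }}`, also keeps an all-digit Secret name from being parsed as a number. The container spec begins and continues outside this hunk.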
12 changes: 3 additions & 9 deletions helm-charts/falcon-integration-gateway/templates/secret.yaml
@@ -1,3 +1,4 @@
{{- if not .Values.falcon.existingSecret -}}
apiVersion: v1
kind: Secret
type: Opaque
@@ -10,24 +11,17 @@ data:
FALCON_CLIENT_ID: {{ .Values.falcon.client_id | b64enc }}
FALCON_CLIENT_SECRET: {{ .Values.falcon.client_secret | b64enc }}
FALCON_CLOUD_REGION: {{ .Values.falcon.cloud_region | b64enc }}
{{- if .Values.push.aws_security_hub.enabled }}
AWS_REGION: {{ .Values.push.aws_security_hub.region | b64enc }}
{{- end }}
{{- if .Values.push.azure_log_analytics.enabled }}
WORKSPACE_ID: {{ .Values.push.azure_log_analytics.workspace_id | b64enc }}
PRIMARY_KEY: {{ .Values.push.azure_log_analytics.primary_key | b64enc }}
ARC_AUTODISCOVERY: {{ .Values.push.azure_log_analytics.arc_autodiscovery | toString | b64enc }}
{{- end }}
{{- if .Values.push.chronicle.enabled }}
CHRONICLE_REGION: {{ .Values.push.chronicle.region | b64enc }}
GOOGLE_SECURITY_KEY: {{ .Values.push.chronicle.security_key | b64enc }}
CUSTOMER_ID: {{ .Values.push.chronicle.customer_id | b64enc }}
{{- end }}
{{- if .Values.push.cloudtrail_lake.enabled }}
CLOUDTRAIL_LAKE_CHANNEL_ARN: {{ .Values.push.cloudtrail_lake.channel_arn | b64enc }}
CLOUDTRAIL_LAKE_REGION: {{ .Values.push.cloudtrail_lake.region | b64enc }}
{{- end }}
{{- if .Values.push.vmware_workspace_one.enabled }}
SYSLOG_HOST: {{ .Values.push.vmware_workspace_one.syslog_host | b64enc }}
SYSLOG_PORT: {{ .Values.push.vmware_workspace_one.syslog_port | b64enc }}
WORKSPACEONE_TOKEN: {{ .Values.push.vmware_workspace_one.token | b64enc }}
{{- end }}
{{- end }}
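Review bot: Every backend key in this Secret now appears to pass through `b64enc` on every install, because the counts (3 additions, 9 deletions) indicate the per-backend `{{- if .Values.push.*.enabled }}` guards were dropped while the keys stayed; the +/- markers are lost on this page, so that reading is inferred. `b64enc` needs a string, so an unset value, or a numeric one such as `syslog_port: 514` (constructed example), would fail rendering even for a backend that is not enabled. Values left as empty strings become empty environment variables through `envFrom`, which may shadow what config.ini sets. Either keep the guards or normalise each value, e.g. `SYSLOG_PORT: {{ .Values.push.vmware_workspace_one.syslog_port | default "" | toString | b64enc }}`, as `ARC_AUTODISCOVERY` already does with `toString`.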