CrowdStrike Automatic Image Pull #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CrowdStrike Automatic Image Pull | |
| on: | |
| ## scheduled job at 5:30 UTC every sunday | |
| schedule: | |
| - cron: '30 5 * * 0' | |
| ## manual trigger | |
| # workflow_dispatch | |
| ## on push | |
| push: | |
| branches: [ main ] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| crowdstrike-automatic-image-pull: | |
| runs-on: ubuntu-latest | |
| env: | |
| # ==================================================== | |
| # Falcon Sensor requirements | |
| # FALCON_ART_USERNAME | |
| # login is using this format : fc-<your CID without checksum in lowercase> | |
| FALCON_ART_USERNAME: ${{ secrets.FALCON_ART_USERNAME }} | |
| # FALCON_ART_PASSWORD | |
| # You have to use the CrowdStrike API to get your registry password | |
| # or use this script: | |
| # CrowdStrike API Client created with Falcon Images Download (read) AND Sensor Download (read) scope assigned | |
| # export FALCON_CLIENT_ID= | |
| # export FALCON_CLIENT_SECRET= | |
| # curl https://raw.githubusercontent.com/CrowdStrike/falcon-scripts/main/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh | bash -s -- --dump-credentials | |
| FALCON_ART_PASSWORD: ${{ secrets.FALCON_ART_PASSWORD }} | |
| # FALCON_CLOUD_REGION | |
| FALCON_CLOUD_REGION: ${{ secrets.FALCON_CLOUD_REGION }} | |
| # ==================================================== | |
| # Falcon Kubernetes Protection | |
| # REQUIRED PARAMETERS: | |
| # FALCON_KPA_DOCKER_USERNAME | |
| # login is using this format kp-<your CID without checksum in lowercase> | |
| FALCON_KPA_DOCKER_USERNAME: ${{ secrets.FALCON_KPA_DOCKER_USERNAME }} | |
| # FALCON_KPA_DOCKER_PASSWORD | |
| # Go to Cloud Security > Account Registration > Kubernetes | |
| # Create a self-managed cluster and copy the DockerAPIToken | |
| FALCON_KPA_DOCKER_PASSWORD: ${{ secrets.FALCON_KPA_DOCKER_PASSWORD }} | |
| # ==================================================== | |
| # Sync to Repo config | |
| # YOUR TARGET REGISTRY and TARGET REPO TO SYNC | |
| REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }} | |
| REGISTRY_REMOTE_REPO: vendors/crowdstrike | |
| # for x86 and aarch | |
| NUMBER_OF_IMAGES_TO_TAKE_DAEMONSET: 2 | |
| # only the last one | |
| NUMBER_OF_IMAGES_TO_TAKE_SIDECAR: 1 | |
| steps: | |
| - uses: azure/docker-login@v1 | |
| with: | |
| login-server: registry.crowdstrike.com | |
| username: ${{ secrets.FALCON_ART_USERNAME }} | |
| password: ${{ secrets.FALCON_ART_PASSWORD }} | |
| - uses: azure/docker-login@v1 | |
| with: | |
| login-server: ${{ secrets.REGISTRY_HOST }} | |
| username: ${{ secrets.REGISTRY_USERNAME }} | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| # REQUIRED PARAMATERS | |
| # FALCON_ART_USERNAME | |
| # login is using this format : fc-<your CID without checksum in lowercase> | |
| # FALCON_ART_PASSWORD | |
| # You have to use the CrowdStrike API to get your registry password | |
| # or use this script: | |
| # CrowdStrike API Client created with Falcon Images Download (read) AND Sensor Download (read) scope assigned | |
| # export FALCON_CLIENT_ID= | |
| # export FALCON_CLIENT_SECRET= | |
| # curl https://raw.githubusercontent.com/CrowdStrike/falcon-scripts/main/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh | bash -s -- --dump-credentials | |
| # FALCON_CLOUD_REGION | |
| # possible values : eu-1, us-1, us-2, us-gov-1 | |
| # NUMBER_OF_IMAGES_TO_TAKE_DAEMONSET | |
| # Numbers of images to download. The default is 2 so the x86 and aarch64 images will be download | |
| - name: Download latest Falcon sensor - DaemonSet | |
| run: | | |
| # Use these login command if you are not user the azure/docker-login action | |
| # echo "$FALCON_ART_PASSWORD" | docker login -u "$FALCON_ART_USERNAME" --password-stdin registry.crowdstrike.com | |
| # echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin REGISTRY_HOST | |
| ### Find the latest sensor version | |
| export REGISTRYBEARER=$(curl -X GET -s -u "${FALCON_ART_USERNAME}:${FALCON_ART_PASSWORD}" "https://registry.crowdstrike.com/v2/token?=${FALCON_ART_USERNAME}&scope=repository:$SENSORTYPE/$FALCON_CLOUD_REGION/release/falcon-sensor:pull&service=registry.crowdstrike.com" | jq -r '.token') | |
| export LAST_N_TAGS=$( \ | |
| curl -X GET -s -H "authorization: Bearer ${REGISTRYBEARER}" \ | |
| "https://registry.crowdstrike.com/v2/falcon-sensor/${FALCON_CLOUD_REGION}/release/falcon-sensor/tags/list" | \ | |
| jq -r ".tags[-$NUMBER_OF_IMAGES_TO_TAKE_DAEMONSET:][]" \ | |
| ) | |
| for tag in $LAST_N_TAGS | |
| do | |
| echo "Copying ${tag}" | |
| FALCON_IMAGE_REPO="registry.crowdstrike.com/falcon-sensor/${FALCON_CLOUD_REGION}/release/falcon-sensor" | |
| docker pull $FALCON_IMAGE_REPO:$tag | |
| docker tag $FALCON_IMAGE_REPO:$tag $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/falcon-sensor:$tag | |
| docker push $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/falcon-sensor:$tag | |
| done | |
| # REQUIRED PARAMATERS | |
| # FALCON_ART_USERNAME | |
| # login is using this format : fc-<your CID without checksum in lowercase> | |
| # FALCON_ART_PASSWORD | |
| # You have to use the CrowdStrike API to get your registry password | |
| # or use this script: | |
| # CrowdStrike API Client created with Falcon Images Download (read) AND Sensor Download (read) scope assigned | |
| # export FALCON_CLIENT_ID= | |
| # export FALCON_CLIENT_SECRET= | |
| # curl https://raw.githubusercontent.com/CrowdStrike/falcon-scripts/main/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh | bash -s -- --dump-credentials | |
| # FALCON_CLOUD_REGION | |
| # possible values : eu-1, us-1, us-2, us-gov-1 | |
| # NUMBER_OF_IMAGES_TO_TAKE_SIDECAR | |
| # Numbers of images to download. The default is 1 | |
| - name: Download latest Falcon container sensor - Sidecar | |
| run: | | |
| # Use these login command if you are not user the azure/docker-login action | |
| # echo "$FALCON_ART_PASSWORD" | docker login -u "$FALCON_ART_USERNAME" --password-stdin registry.crowdstrike.com | |
| # echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin REGISTRY_HOST | |
| ### Find the latest sensor version | |
| export REGISTRYBEARER=$(curl -X GET -s -u "${FALCON_ART_USERNAME}:${FALCON_ART_PASSWORD}" "https://registry.crowdstrike.com/v2/token?=${FALCON_ART_USERNAME}&scope=repository:$SENSORTYPE/$FALCON_CLOUD_REGION/release/falcon-sensor:pull&service=registry.crowdstrike.com" | jq -r '.token') | |
| export LAST_N_TAGS=$( \ | |
| curl -X GET -s -H "authorization: Bearer ${REGISTRYBEARER}" \ | |
| "https://registry.crowdstrike.com/v2/falcon-container/${FALCON_CLOUD_REGION}/release/falcon-sensor/tags/list" | \ | |
| jq -r ".tags[-$NUMBER_OF_IMAGES_TO_TAKE_SIDECAR:][]" \ | |
| ) | |
| for tag in $LAST_N_TAGS | |
| do | |
| echo "Copying ${tag}" | |
| FALCON_IMAGE_REPO="registry.crowdstrike.com/falcon-container/${FALCON_CLOUD_REGION}/release/falcon-sensor" | |
| docker pull $FALCON_IMAGE_REPO:$tag | |
| docker tag $FALCON_IMAGE_REPO:$tag $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/falcon-container:$tag | |
| docker push $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/falcon-container:$tag | |
| done | |
| - uses: azure/docker-login@v1 | |
| with: | |
| login-server: registry.crowdstrike.com | |
| username: ${{ secrets.FALCON_KPA_DOCKER_USERNAME }} | |
| password: ${{ secrets.FALCON_KPA_DOCKER_PASSWORD }} | |
| # REQUIRED PARAMETERS: | |
| # FALCON_KPA_DOCKER_USERNAME | |
| # login is form kp-<your CID without checksum in lowercase> | |
| # FALCON_KPA_DOCKER_PASSWORD | |
| # Go to Cloud Security > Account Registration > Kubernetes | |
| # Create a self-managed cluster and copy the DockerAPIToken | |
| - name: Download latest Falcon Kubernetes Protection | |
| run: | | |
| # Use these login command if you are not user the azure/docker-login action | |
| # echo "$FALCON_KPA_DOCKER_USERNAME" | docker login -u "$FALCON_KPA_DOCKER_PASSWORD" --password-stdin registry.crowdstrike.com | |
| # echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin REGISTRY_HOST | |
| ### Find the latest Kubernetes Protection Agent version | |
| export REGISTRYBEARER=$(curl -X GET -s -u "${FALCON_KPA_DOCKER_USERNAME}:${FALCON_KPA_DOCKER_PASSWORD}" "https://registry.crowdstrike.com/v2/token?=${FALCON_KPA_DOCKER_USERNAME}&scope=repository:kubernetes_protection/kpagent:pull&service=registry.crowdstrike.com" | jq -r '.token') | |
| FALCON_IMAGE_KPA_TAG=$(curl -X GET -s -H "authorization: Bearer ${REGISTRYBEARER}" "https://registry.crowdstrike.com/v2/kubernetes_protection/kpagent/tags/list" | jq -r '.tags[-1]') | |
| FALCON_IMAGE_KPA_REPO="registry.crowdstrike.com/kubernetes_protection/kpagent" | |
| docker pull $FALCON_IMAGE_KPA_REPO:$FALCON_IMAGE_KPA_TAG | |
| docker tag $FALCON_IMAGE_KPA_REPO:$FALCON_IMAGE_KPA_TAG $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/kpagent:$FALCON_IMAGE_KPA_TAG | |
| docker push $REGISTRY_HOST/$REGISTRY_REMOTE_REPO/kpagent:$FALCON_IMAGE_KPA_TAG |