Skip to content

Commit

Permalink
feat(container-image-pull): add override ability to copy operation fo…
Browse files Browse the repository at this point in the history 
…r destination path (#400)
  • Loading branch information
@carlosmmatos
carlosmmatos authored Jan 29, 2025
1 parent a49f2c7 commit 20ccd16
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 4 deletions.
27 changes: 24 additions & 3 deletions bash/containers/falcon-container-sensor-pull/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ Optional Flags:
-f, --cid <FALCON_CID> Falcon Customer ID
-r, --region <FALCON_CLOUD> Falcon Cloud Region [us-1|us-2|eu-1|us-gov-1] (Default: us-1)
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
By default, the image name is appended. Use --copy-omit-image-name to override behavior.
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download (Default: falcon-container)
Expand All @@ -99,6 +100,7 @@ Optional Flags:
--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
--copy-omit-image-name Omit the image name from the destination path when copying
--get-image-path Get the full image path including the registry, repository, and latest tag for the specified SENSOR_TYPE
--get-pull-token Get the pull token of the selected SENSOR_TYPE for Kubernetes
--get-cid Get the CID assigned to the API Credentials
Expand All @@ -121,14 +123,15 @@ Help Options:
| `-f`, `--cid <FALCON_CID>` | `$FALCON_CID` | `None` (Optional) | CrowdStrike Customer ID (CID). *If not provided, CID will be auto-detected.* |
| `-u`, `--client-id <FALCON_CLIENT_ID>` | `$FALCON_CLIENT_ID` | `None` (Required) | CrowdStrike API Client ID |
| `-s`, `--client-secret <FALCON_CLIENT_SECRET>` | `$FALCON_CLIENT_SECRET` | `None` (Required) | CrowdStrike API Client Secret |
| `-r`, `--region <FALCON_CLOUD>` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. \**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* |
| `-c`, `--copy <REGISTRY/NAMESPACE>` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace` |
| `-r`, `--region <FALCON_CLOUD>` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. <br>\**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* |
| `-c`, `--copy <REGISTRY/NAMESPACE>` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace`. <br> *\*By default, the image name is appended. Use `--copy-omit-image-name` to override behavior.* |
| `-v`, `--version <SENSOR_VERSION>` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry |
| `-p`, `--platform <SENSOR_PLATFORM>` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry |
| `-t`, `--type <SENSOR_TYPE>` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`, `fcs`, `falcon-jobcontroller`, `falcon-registryassessmentexecutor`] ([see more details below](#sensor-types)) |
| `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. |
| `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools |
| `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. |
| `--copy-omit-image-name` | N/A | `None` | Omit the image name from the destination path when copying |
| `--get-pull-token` | N/A | `None` | Get the pull token of the selected `SENSOR_TYPE` for Kubernetes. |
| `--get-cid` | N/A | `None` | Get the CID assigned to the API Credentials. |
| `--list-tags` | `$LISTTAGS` | `False` (Optional) | List all tags available for the selected sensor |
Expand Down Expand Up @@ -237,15 +240,33 @@ The following example will dump the credentials to stdout to copy/paste into con

The following example will copy the `falcon-sensor` multi-arch image to a different registry using Skopeo.

> Default behavior (appends image name to destination):
```shell
./falcon-container-sensor-pull.sh \
--client-id <FALCON_CLIENT_ID> \
--client-secret <FALCON_CLIENT_SECRET> \
--type falcon-sensor \
--copy myregistry.com/mynamespace
--copy myregistry.com/mynamespace \
--runtime skopeo
```

Results in: `myregistry.com/mynamespace/falcon-sensor:<tag>`

> To copy to an exact destination path without appending the sensor type image name:
```shell
./falcon-container-sensor-pull.sh \
--client-id <FALCON_CLIENT_ID> \
--client-secret <FALCON_CLIENT_SECRET> \
--type falcon-sensor \
--copy myregistry.com/mynamespace/myfalcon-sensor \
--copy-omit-image-name \
--runtime skopeo
```

Results in: `myregistry.com/mynamespace/myfalcon-sensor:<tag>`

#### Example copying multi-arch image for a specific platform

The following example will copy the `falcon-sensor` multi-arch image for the `aarch64` platform to a different registry using Skopeo.
Expand Down
17 changes: 16 additions & 1 deletion bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Optional Flags:
-f, --cid <FALCON_CID> Falcon Customer ID
-r, --region <FALCON_CLOUD> Falcon Cloud Region [us-1|us-2|eu-1|us-gov-1] (Default: us-1)
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
By default, the image name is appended. Use --copy-omit-image-name to override behavior.
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download (Default: falcon-container)
Expand All @@ -38,6 +39,7 @@ Optional Flags:
--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
--copy-omit-image-name Omit the image name from the destination path when copying
--get-image-path Get the full image path including the registry, repository, and latest tag for the specified SENSOR_TYPE
--get-pull-token Get the pull token of the selected SENSOR_TYPE for Kubernetes
--get-cid Get the CID assigned to the API Credentials
Expand Down Expand Up @@ -138,6 +140,11 @@ while [ $# != 0 ]; do
GETIMAGEPATH=true
fi
;;
--copy-omit-image-name)
if [ -n "${1}" ]; then
COPY_OMIT_IMAGE_NAME=true
fi
;;
--get-pull-token)
if [ -n "${1}" ]; then
PULLTOKEN=true
Expand Down Expand Up @@ -719,8 +726,16 @@ if [ "$GETIMAGEPATH" ]; then
exit 0
fi

if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ] && [ -z "${COPY}" ]; then
die "--copy-omit-image-name requires -c, --copy to be specified"
fi

# Construct destination path
COPYPATH="$COPY/$IMAGE_NAME:$LATESTSENSOR"
if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ]; then
COPYPATH="$COPY:$LATESTSENSOR"
else
COPYPATH="$COPY/$IMAGE_NAME:$LATESTSENSOR"
fi

# Handle multi-arch images first
if [ "$(is_multi_arch "$FULLIMAGEPATH")" = "true" ]; then
Expand Down

0 comments on commit 20ccd16

Please sign in to comment.