feat(container-pull): add ability to add custom tag when copying to a registry #406

Merged
merged 4 commits into from
Mar 11, 2025

44 changes: 39 additions & 5 deletions bash/containers/falcon-container-sensor-pull/README.md
Expand Up @@ -81,7 +81,8 @@ Optional Flags:
-f, --cid <FALCON_CID> Falcon Customer ID
-r, --region <FALCON_CLOUD> Falcon Cloud Region [us-1|us-2|eu-1|us-gov-1] (Default: us-1)
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
By default, the image name is appended. Use --copy-omit-image-name to override behavior.
By default, the image name and tag are appended. Use --copy-omit-image-name
and/or --copy-custom-tag to change that behavior.
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download (Default: falcon-container)
Expand All @@ -100,7 +101,8 @@ Optional Flags:

--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
--copy-omit-image-name Omit the image name from the destination path when copying
--copy-omit-image-name Omit the image name from the destination path when copying (requires -c, --copy)
--copy-custom-tag <TAG> Use custom tag when copying image (requires -c, --copy)
--get-image-path Get the full image path including the registry, repository, and latest tag for the specified SENSOR_TYPE
--get-pull-token Get the pull token of the selected SENSOR_TYPE for Kubernetes
--get-cid Get the CID assigned to the API Credentials
Expand All @@ -123,15 +125,16 @@ Help Options:
| `-f`, `--cid <FALCON_CID>` | `$FALCON_CID` | `None` (Optional) | CrowdStrike Customer ID (CID). *If not provided, CID will be auto-detected.* |
| `-u`, `--client-id <FALCON_CLIENT_ID>` | `$FALCON_CLIENT_ID` | `None` (Required) | CrowdStrike API Client ID |
| `-s`, `--client-secret <FALCON_CLIENT_SECRET>` | `$FALCON_CLIENT_SECRET` | `None` (Required) | CrowdStrike API Client Secret |
| `-r`, `--region <FALCON_CLOUD>` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. <br>\**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* |
| `-c`, `--copy <REGISTRY/NAMESPACE>` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace`. <br> *\*By default, the image name is appended. Use `--copy-omit-image-name` to override behavior.* |
| `-r`, `--region <FALCON_CLOUD>` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. <br>\**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* |
| `-c`, `--copy <REGISTRY/NAMESPACE>` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace`. <br> *\*By default, the image name and tag are appended. Use `--copy-omit-image-name` and/or `--copy-custom-tag` to change that behavior.* |
| `-v`, `--version <SENSOR_VERSION>` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry |
| `-p`, `--platform <SENSOR_PLATFORM>` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry |
| `-t`, `--type <SENSOR_TYPE>` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`, `fcs`, `falcon-jobcontroller`, `falcon-registryassessmentexecutor`] ([see more details below](#sensor-types)) |
| `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. |
| `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools |
| `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. |
| `--copy-omit-image-name` | N/A | `None` | Omit the image name from the destination path when copying |
| `--copy-omit-image-name` | N/A | `None` | Omit the image name from the destination path when copying (requires -c, --copy) |
| `--copy-custom-tag <TAG>` | N/A | `None` | Use custom tag when copying image (requires -c, --copy) |
| `--get-pull-token` | N/A | `None` | Get the pull token of the selected `SENSOR_TYPE` for Kubernetes. |
| `--get-cid` | N/A | `None` | Get the CID assigned to the API Credentials. |
| `--list-tags` | `$LISTTAGS` | `False` (Optional) | List all tags available for the selected sensor |
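Review bot: Style point on the two `--copy-...` rows at the end of this table hunk: the trailing "(requires -c, --copy)" leaves the flag names unformatted, while the other flag references in the table are in backticks. Suggest "(requires `-c`, `--copy`)" in both rows. The `--copy-custom-tag <TAG>` row could also state that the value replaces the default version tag, which the updated `--copy` row only implies.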
Expand Down Expand Up @@ -267,6 +270,37 @@ Results in: `myregistry.com/mynamespace/falcon-sensor:<tag>`

Results in: `myregistry.com/mynamespace/myfalcon-sensor:<tag>`

#### Example copying an image with a custom tag

The following example will copy the `falcon-container` image to a different registry using a custom tag instead of the default version tag:

```shell
./falcon-container-sensor-pull.sh \
--client-id <FALCON_CLIENT_ID> \
--client-secret <FALCON_CLIENT_SECRET> \
--type falcon-container \
--copy myregistry.com/mynamespace \
--copy-custom-tag v1.2.3-custom \
--runtime docker
```

Results in: `myregistry.com/mynamespace/falcon-container:latest`

You can also combine this with other options:

```shell
./falcon-container-sensor-pull.sh \
--client-id <FALCON_CLIENT_ID> \
--client-secret <FALCON_CLIENT_SECRET> \
--type falcon-sensor \
--copy myregistry.com/mynamespace/custom-sensor \
--copy-omit-image-name \
--copy-custom-tag v1.2.3-production \
--runtime skopeo
```

Results in: `myregistry.com/mynamespace/custom-sensor:v1.2.3-production`

#### Example copying multi-arch image for a specific platform

The following example will copy the `falcon-sensor` multi-arch image for the `aarch64` platform to a different registry using Skopeo.
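Review bot: The expected result under the first new example does not match its command. The command passes `--copy-custom-tag v1.2.3-custom`, but the line after it reads "Results in: `myregistry.com/mynamespace/falcon-container:latest`"; per the destination-path logic in this same change (`COPYPATH="$COPY/$IMAGE_NAME:$CUSTOM_TAG"`) the reference should end in `:v1.2.3-custom`. The result shown for the second example is consistent with its flags.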
Expand Up @@ -20,7 +20,8 @@ Optional Flags:
-f, --cid <FALCON_CID> Falcon Customer ID
-r, --region <FALCON_CLOUD> Falcon Cloud Region [us-1|us-2|eu-1|us-gov-1] (Default: us-1)
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
By default, the image name is appended. Use --copy-omit-image-name to override behavior.
By default, the image name and tag are appended. Use --copy-omit-image-name
and/or --copy-custom-tag to change that behavior.
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download (Default: falcon-container)
Expand All @@ -39,7 +40,8 @@ Optional Flags:

--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
--copy-omit-image-name Omit the image name from the destination path when copying
--copy-omit-image-name Omit the image name from the destination path when copying (requires -c, --copy)
--copy-custom-tag <TAG> Use custom tag when copying image (requires -c, --copy)
--get-image-path Get the full image path including the registry, repository, and latest tag for the specified SENSOR_TYPE
--get-pull-token Get the pull token of the selected SENSOR_TYPE for Kubernetes
--get-cid Get the CID assigned to the API Credentials
Expand Down Expand Up @@ -145,6 +147,12 @@ while [ $# != 0 ]; do
COPY_OMIT_IMAGE_NAME=true
fi
;;
--copy-custom-tag)
if [ -n "${1}" ]; then
CUSTOM_TAG="${2}"
shift
fi
;;
--get-pull-token)
if [ -n "${1}" ]; then
PULLTOKEN=true
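Review bot: The guard in the new `--copy-custom-tag)` branch tests `${1}`, which at that point is the option name itself and so is never empty, while the value actually consumed is `${2}`. As written, `--copy-custom-tag` given as the last argument sets `CUSTOM_TAG` to an empty string and still runs `shift`, and `--copy-custom-tag --runtime skopeo` would take `--runtime` as the tag. Suggest testing `[ -n "${2}" ]`, rejecting a value that begins with `-`, and calling `die` when the value is missing instead of continuing silently.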
Expand Down Expand Up @@ -415,7 +423,6 @@ copy_image() {
"$CONTAINER_TOOL" tag "$source_path" "$destination_path"
"$CONTAINER_TOOL" push "$destination_path"
fi
echo "Image copied to: $destination_path"
}

detect_container_tool() {
Expand Down Expand Up @@ -730,11 +737,24 @@ if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ] && [ -z "${COPY}" ]; then
die "--copy-omit-image-name requires -c, --copy to be specified"
fi

if [ -n "${CUSTOM_TAG}" ] && [ -z "${COPY}" ]; then
die "--copy-custom-tag requires --copy to be specified"
fi

# Construct destination path
if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ]; then
COPYPATH="$COPY:$LATESTSENSOR"
if [ -n "${CUSTOM_TAG}" ]; then
# Use custom tag if specified
if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ]; then
COPYPATH="$COPY:$CUSTOM_TAG"
else
COPYPATH="$COPY/$IMAGE_NAME:$CUSTOM_TAG"
fi
else
COPYPATH="$COPY/$IMAGE_NAME:$LATESTSENSOR"
if [ "${COPY_OMIT_IMAGE_NAME}" = "true" ]; then
COPYPATH="$COPY:$LATESTSENSOR"
else
COPYPATH="$COPY/$IMAGE_NAME:$LATESTSENSOR"
fi
fi

# Handle multi-arch images first
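Review bot: `CUSTOM_TAG` is interpolated into `COPYPATH` with no format check, so a value containing `/`, `:` or whitespace yields a destination reference other than the one the flag describes, and the error only surfaces later in the tag, push or copy step. Suggest validating it next to the new `--copy-custom-tag requires --copy` check against the registry tag grammar (a letter, digit or underscore followed by up to 127 letters, digits, underscores, periods or hyphens) and calling `die` on a mismatch. Two smaller points: the new message says "requires --copy" while the check just above it says "requires -c, --copy", and the four-way nested `if` could be reduced by selecting the tag once, for example with a hypothetical `COPY_TAG="${CUSTOM_TAG:-$LATESTSENSOR}"`, and keeping the original two-branch path construction.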
Expand All @@ -743,7 +763,7 @@ if [ "$(is_multi_arch "$FULLIMAGEPATH")" = "true" ]; then
if [ -n "$SENSOR_PLATFORM" ]; then
# If Skopeo is being used, the platform must be overridden
if grep -qw "skopeo" "$CONTAINER_TOOL"; then
"$CONTAINER_TOOL" copy --override-arch "$(platform_override)" "docker://$FULLIMAGEPATH" "docker://$COPYPATH"
"$CONTAINER_TOOL" copy --override-arch "$(platform_override)" --override-os linux "docker://$FULLIMAGEPATH" "docker://$COPYPATH"
Contributor

Is the override-os meant to be configurable?

Contributor Author

@redhatrises this is to prevent issues when using skopeo on macOS. Without this it will think that your <os/platform> is incorrect, so this is to ensure we say linux. This doesn't impact Linux; I tested this and it works the same.

else
# Podman/Docker can pull the specific platform
pf_override="linux/$(platform_override)"
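Review bot: Missing documentation on the skopeo `copy` line: `--override-os linux` is hard-coded, and the comment above it ("If Skopeo is being used, the platform must be overridden") only accounts for `--override-arch`. Suggest extending that comment to say the OS is pinned to linux so the copy works when skopeo runs on a non-Linux host, as explained in the thread on this line. That also documents why it matches the `linux/$(platform_override)` value used in the Podman/Docker branch.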
Expand Down Expand Up @@ -781,3 +801,7 @@ else
fi
fi
fi

if [ -n "$COPY" ]; then
echo "Image copied to: $COPYPATH"
fi
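Review bot: The relocated "Image copied to" message is gated only on `$COPY` being set, not on the outcome of the copy. Nothing in the visible lines ties it to the exit status of the `tag`/`push` or skopeo `copy` commands, so unless the script aborts on the first failing command, a failed copy would still print a success line with the destination path. Suggest printing it only after the copy command has returned 0, or checking the status explicitly before this block.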