Proxy through the console instead of our own separate service.

CrowdStrike · Oct 16, 2024 · 9be9125 · 9be9125
1 parent e6ac053
commit 9be9125
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 64 deletions.
diff --git a/.github/workflows/container_build_apigw.yml b/.github/workflows/container_build_apigw.yml
diff --git a/README.md b/README.md
@@ -23,9 +23,13 @@ The Falcon OpenShift Console Plugin is an open source project, not a CrowdStrike
 
 ## Deployment
 
+### Prerequisites
+
+This plugin currently only supports CrowdStrike's US-2 cloud region.
+
 ### Deploy the Helm chart
 
-The Falcon OpenShift Console Plugin is available at [quay.io/crowdstrike/falcon-openshift-console-plugin](https://quay.io/crowdstrike/falcon-openshift-console-plugin) and the required API gateway is at [quay.io/crowdstrike/falcon-openshift-console-plugin-apigw](https://quay.io/crowdstrike/falcon-openshift-console-plugin-apigw)
+The Falcon OpenShift Console Plugin is available at [quay.io/crowdstrike/falcon-openshift-console-plugin](https://quay.io/crowdstrike/falcon-openshift-console-plugin)
 
 Install the chart using the name of the plugin as the Helm release name into a new namespace or an existing namespace as specified by the `plugin_console-plugin-template` parameter by using the following command:
 

diff --git a/api-gateway/Dockerfile b/api-gateway/Dockerfile
diff --git a/api-gateway/README.md b/api-gateway/README.md
diff --git a/api-gateway/location.conf b/api-gateway/location.conf
diff --git a/api-gateway/upstream.conf b/api-gateway/upstream.conf
diff --git a/charts/openshift-console-plugin/templates/configmap.yaml b/charts/openshift-console-plugin/templates/configmap.yaml
@@ -14,11 +14,31 @@ data:
       include            /etc/nginx/mime.types;
       default_type       application/octet-stream;
       keepalive_timeout  65;
+
+      upstream crowdstrike_api {
+        server api.us-2.crowdstrike.com:443;
+      }
+
       server {
         listen              {{ .Values.plugin.port }} ssl;
         listen              [::]:{{ .Values.plugin.port }} ssl;
         ssl_certificate     /var/cert/tls.crt;
         ssl_certificate_key /var/cert/tls.key;
         root                /usr/share/nginx/html;
+
+        location /crwdapi/ {
+          # respond to preflight requests
+          if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin $http_origin;
+            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
+            add_header Access-Control-Allow-Headers 'Authorization';
+            add_header Content-Type text/plain;
+            add_header Content-Length 0;
+            return 204;
+          }
+          # all other requests, proxy the response and then add CORS header
+          proxy_pass https://crowdstrike_api/;
+          add_header Access-Control-Allow-Origin $http_origin;
+        }
       }
     }
diff --git a/charts/openshift-console-plugin/templates/consoleplugin.yaml b/charts/openshift-console-plugin/templates/consoleplugin.yaml
@@ -7,12 +7,24 @@ metadata:
     {{- include "openshift-console-plugin.labels" . | nindent 4 }}
 spec:
   displayName: {{ default (printf "%s Plugin" (include "openshift-console-plugin.name" .)) .Values.plugin.description }}
-  i18n: 
+  i18n:
     loadType: Preload
   backend:
     type: Service
     service:
       name: {{ template "openshift-console-plugin.name" . }}
       namespace: {{ .Release.Namespace }}
       port: {{ .Values.plugin.port }}
-      basePath: {{ .Values.plugin.basePath }}
+      basePath: {{ .Values.plugin.basePath }}
+  proxy:
+    # re-proxy the existing backend service, since the backend is normally exposed to only allow
+    # GET's, but our reverse proxy in the nginx config supports any method
+    # https://github.com/openshift/console/blob/master/pkg/plugins/handlers.go
+    - alias: reproxy
+      authorization: None
+      endpoint:
+        service:
+          name: {{ template "openshift-console-plugin.name" . }}
+          namespace: {{ .Release.Namespace }}
+          port: {{ .Values.plugin.port }}
+        type: Service
diff --git a/src/components/shared/ProxiedFetch.ts b/src/components/shared/ProxiedFetch.ts
@@ -1,10 +1,9 @@
+import { consoleFetch } from '@openshift-console/dynamic-plugin-sdk';
+
 // make requests to our reverse proxy instead of directly to the CrowdStrike API, since it doesn't
 // support arbitrary CORS
 export default function proxiedFetch(url, options) {
-  const proxyBase = window.location.origin.replace(
-    'console-openshift-console',
-    'api-gateway-falcon-openshift-console-plugin',
-  );
+  const proxyBase = '/api/proxy/plugin/falcon-openshift-console-plugin/reproxy/crwdapi';
   const path = url.substr(url.indexOf('.com') + 4);
-  return fetch(proxyBase + path, options);
+  return consoleFetch(proxyBase + path, options);
 }