Fix and document how to use existing secrets in cs-k8s-protection-agent #328

Open
Jaykul opened this issue Oct 18, 2024 · 0 comments
Jaykul commented Oct 18, 2024

Currently, the config.yaml you provide has the crowdstrikeConfig.dockerAPIToken directly in the yaml, and the instructions require us to put our clientApiKey there as well -- in any GitOps environment, this would result in putting secrets into source control.

Additionally, the chart is currently wrong here, so if I pre-create the and provide the image.pullSecrets it will generate invalid config (i.e. two name: entries).

Apart from fixing that, the README should document how to do this configuration:

The client API Access secret needs to have the AGENT_CLIENT_ID and AGENT_CLIENT_SECRET in it. Create this however you create your secrets:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: crowdstrike-agent-apiaccess
type: Opaque
data:
  AGENT_CLIENT_ID: xxxBASE64xENCODEDxxxCLIENTxIDxxxx
  AGENT_CLIENT_SECRET: xxxBASE64xENCODEDxxxCLIENTxSECRETxxxx
```

The other, with the appropriate Image Pull Secret, needs to be a kubernetes.io/dockerconfigjson secret, which is in .docker/config.json format. You need to use the config that's correct for your environment, and embed the dockerAPIToken in it.

EXAMPLE JSON NEEDED HERE

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: crowdstrike-imagepullsecret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: xxxBASE64xENCODEDxxxDOCKERxCONFIGxJSONxxxx
```

Then, in your values.yaml you can set the image.pullSecrets instead of the crowdstrikeConfig.dockerAPIToken and the crowdstrikeConfig.existingSecret instead of the crowdstrikeConfig.clientID and crowdstrikeConfig.clientSecret:

```yaml
image:
  repository: registry.crowdstrike.com/kubernetes_protection/kpagent
  pullSecrets: crowdstrike-imagepullsecret
crowdstrikeConfig:
  existingSecret: crowdstrike-agent-apiaccess
  ...
```
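
One way to produce the two Secrets described in the issue, including the `.docker/config.json` payload it leaves as a placeholder. This is an added example, not code from the issue or from the chart. The registry username, the environment variable names and the sample values are assumptions; the secret names, keys and registry host are the ones quoted above.

```python
import base64
import json
import os


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def pull_secret(name: str, registry: str, username: str, token: str) -> dict:
    """Secret of type kubernetes.io/dockerconfigjson for a single registry."""
    entry = {"username": username, "password": token,
             "auth": b64(f"{username}:{token}")}  # same field `docker login` writes
    config = json.dumps({"auths": {registry: entry}})
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": b64(config)}}


def api_access_secret(name: str, client_id: str, client_secret: str) -> dict:
    """Opaque Secret with the two keys the issue says the agent expects."""
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque",
            "data": {"AGENT_CLIENT_ID": b64(client_id),
                     "AGENT_CLIENT_SECRET": b64(client_secret)}}


def check_pull_secret(manifest: dict, registry: str) -> bool:
    """Decode the manifest again and confirm it is usable for `registry`."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        return False
    try:
        raw = base64.b64decode(manifest["data"][".dockerconfigjson"], validate=True)
        entry = json.loads(raw)["auths"][registry]
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    except (KeyError, TypeError, ValueError):
        return False
    return user == entry.get("username") and password == entry.get("password")


if __name__ == "__main__":
    # Hypothetical variable names; the defaults are constructed placeholders.
    env = os.environ.get
    pull = pull_secret("crowdstrike-imagepullsecret", "registry.crowdstrike.com",
                       env("CS_REGISTRY_USER", "example-user"),
                       env("CS_DOCKER_API_TOKEN", "example-token"))
    api = api_access_secret("crowdstrike-agent-apiaccess",
                            env("CS_CLIENT_ID", "example-id"),
                            env("CS_CLIENT_SECRET", "example-secret"))
    assert check_pull_secret(pull, "registry.crowdstrike.com")
    # kubectl apply -f - accepts JSON as well as YAML.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [pull, api]}, indent=2))
```

The output is only base64-encoded, so pipe it to the cluster or to whatever you use to create secrets rather than committing it.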