falcosecurity · jgmartinez · Oct 13, 2023 · Oct 13, 2023 · Oct 16, 2023 · Oct 16, 2023
diff --git a/falco/Chart.yaml b/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 3.7.1
+version: 3.7.2
 appVersion: "0.36.0"
 description: Falco
 keywords:

diff --git a/falco/templates/client-certs-secret.yaml b/falco/templates/client-certs-secret.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "falco.fullname" . }}-client-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "falco.name" . }}
+    helm.sh/chart: {{ include "falco.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ $key := .Values.certs.client.key }}
+  client.key: {{ $key | b64enc | quote }}
+  {{ $crt := .Values.certs.client.crt }}
+  client.crt: {{ $crt | b64enc | quote }}
+  falcoclient.pem: {{ print $key $crt | b64enc | quote }}
+  ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
+  ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
+{{- end }}
diff --git a/falco/templates/pod-template.tpl b/falco/templates/pod-template.tpl
@@ -201,6 +201,11 @@ spec:
           name: certs-volume
           readOnly: true
         {{- end }}
+        {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+        - mountPath: /etc/falco/certs/client
+          name: client-certs-volume
+          readOnly: true
+        {{- end }}
         {{- include "falco.unixSocketVolumeMount"  . | nindent 8 -}}
         {{- with .Values.mounts.volumeMounts }}
           {{- toYaml . | nindent 8 }}
@@ -335,6 +340,15 @@ spec:
         secretName: {{ include "falco.fullname" . }}-certs
         {{- end }}
     {{- end }}
+    {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+    - name: client-certs-volume
+      secret:
+        {{- if .Values.certs.existingClientSecret }}
+        secretName: {{ .Values.certs.existingClientSecret }}
+        {{- else }}
+        secretName: {{ include "falco.fullname" . }}-client-certs
+        {{- end }}
+    {{- end }}
     {{- include "falco.unixSocketVolume" . | nindent 4 -}}
     {{- with .Values.mounts.volumes }}
       {{- toYaml . | nindent 4 }}

diff --git a/falco/values.yaml b/falco/values.yaml
@@ -306,13 +306,20 @@ certs:
   # -- Existing secret containing the following key, crt and ca as well as the bundle pem.
   existingSecret: ""
   server:
-    # -- Key used by gRPC and webserver.
+    # -- Key used by gRPC and webserver. Mounted under /etc/falco/certs/
     key: ""
-    # -- Certificate used by gRPC and webserver.
+    # -- Certificate used by gRPC and webserver. Mounted under /etc/falco/certs/
     crt: ""
   ca:
     # -- CA certificate used by gRPC, webserver and AuditSink validation.
     crt: ""
+  existingClientSecret: ""
+  client:
+    # -- Key used by http mTLS client. Mounted under /etc/falco/certs/client/
+    key: ""
+    # -- Certificate used by http mTLS client. Mounted under /etc/falco/certs/client/
+    crt: ""
+
 # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
 customRules:
   {}
@@ -714,14 +721,14 @@ falco:
     # -- Path to a specific file that will be used as the CA certificate store.
     ca_bundle: ""
     # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be
-    # stored as indivitual PEM files in this directory.
-    ca_path: "/etc/ssl/certs"
+    # stored as indivitual PEM files in this directory. Defaults to /etc/ssl/certs.
+    ca_path: ""
     # -- Tell Falco to use mTLS
     mtls: false
-    # -- Path to the client cert.
-    client_cert: "/etc/ssl/certs/client.crt"
-    # -- Path to the client key.
-    client_key: "/etc/ssl/certs/client.key"
+    # -- Path to the client cert. Defaults to /etc/ssl/certs/client.crt.
+    client_cert: ""
+    # -- Path to the client key. Defaults to /etc/ssl/certs/client.key.
+    client_key: ""
     # -- Whether to echo server answers to stdout
     echo: false
 

diff --git a/falcosidekick/Chart.yaml b/falcosidekick/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 2.28.0
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.7.2
+version: 0.7.3
 keywords:
   - monitoring
   - security

diff --git a/falcosidekick/templates/certs-secret.yaml b/falcosidekick/templates/certs-secret.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "falcosidekick.fullname" . }}-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
+    helm.sh/chart: {{ include "falcosidekick.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ $key := .Values.certs.server.key }}
+  server.key: {{ $key | b64enc | quote }}
+  {{ $crt := .Values.certs.server.crt }}
+  server.crt: {{ $crt | b64enc | quote }}
+  falcosidekick.pem: {{ print $key $crt | b64enc | quote }}
+  ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
+  ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
+{{- end }}
diff --git a/falcosidekick/templates/deployment.yaml b/falcosidekick/templates/deployment.yaml
@@ -57,16 +57,29 @@ spec:
             - name: http
               containerPort: 2801
               protocol: TCP
+          {{- if .Values.config.tlsserver.deploy }}
+            - name: http-notls
+              containerPort: 2810
+              protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /ping
+              {{- if .Values.config.tlsserver.deploy }}
+              port: http-notls
+              {{- else }}
               port: http
+              {{- end }}
             initialDelaySeconds: 10
             periodSeconds: 5
           readinessProbe:
             httpGet:
               path: /ping
+              {{- if .Values.config.tlsserver.deploy }}
+              port: http-notls
+              {{- else }}
               port: http
+              {{- end }}
             initialDelaySeconds: 10
             periodSeconds: 5
           {{- if .Values.securityContext }}
@@ -117,10 +130,17 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if .Values.extraVolumeMounts }}
+        {{- if or .Values.extraVolumeMounts .Values.certs }}
           volumeMounts:
+        {{- if or .Values.certs.existingSecret (and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt) }}
+            - mountPath: /etc/falcosidekick/certs
+              name: certs-volume
+              readOnly: true
+        {{- end }}  
+        {{- if or .Values.extraVolumeMounts }}   
 {{ toYaml .Values.extraVolumeMounts | indent 12 }}
-          {{- end }}
+        {{- end }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -133,8 +153,19 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- if .Values.extraVolumes }}
+    {{- if or .Values.extraVolumes .Values.certs.existingSecret (and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt) }}
       volumes:
+    {{- if or .Values.certs.existingSecret (and .Values.certs.server.key .Values.certs.server.crt .Values.certs.ca.crt) }}
+        - name: certs-volume
+          secret:
+            {{- if .Values.certs.existingSecret }}
+            secretName: {{ .Values.certs.existingSecret }}
+            {{- else }}
+            secretName: {{ include "falcosidekick.fullname" . }}-certs
+            {{- end }}
+    {{- end }}
+    {{- if or .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | indent 8 }}
     {{- end }}
+    {{- end }}
 
diff --git a/falcosidekick/templates/service.yaml b/falcosidekick/templates/service.yaml
@@ -20,6 +20,13 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+    {{- if not (eq .Values.config.tlsserver.notlspaths "") }}
+    - port: {{ .Values.config.tlsserver.notlsport }}
+      targetPort: http-notls
+      protocol: TCP
+      name: http-notls
+    {{- end }}
+
   selector:
     app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/falcosidekick/values.yaml b/falcosidekick/values.yaml
@@ -63,7 +63,7 @@ config:
   # -- if not empty, the brackets in keys of Output Fields are replaced
   bracketreplacer: ""
   # -- folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
-  mutualtlsfilespath: "/etc/certs"
+  mutualtlsfilespath: "/etc/falcosidekick/certs"
 
   mutualtlsclient:
     # -- client certification file for mutual TLS client certification, takes priority over mutualtlsfilespath if not empty
@@ -77,13 +77,13 @@ config:
     # -- if true TLS server will be deployed instead of HTTP
     deploy: false
     # -- server certification file for TLS Server
-    certfile: "/etc/certs/server/server.crt"
+    certfile: "/etc/falcosidekick/certs/server.crt"
     # -- server key file for TLS Server
-    keyfile: "/etc/certs/server/server.key"
+    keyfile: "/etc/falcosidekick/certs/server.key"
     # -- if true mutual TLS server will be deployed instead of TLS, deploy also has to be true
     mutualtls: false
     # --  CA certification file for client certification if mutualtls is true
-    cacertfile: "/etc/certs/server/ca.crt"
+    cacertfile: "/etc/falcosidekick/certs/ca.crt"
     # -- port to serve http server serving selected endpoints
     notlsport: 2810
     # -- a comma separated list of endpoints, if not empty, a separate http server will be deployed for the specified endpoints
@@ -925,6 +925,19 @@ extraVolumeMounts: []
 # - mountPath: /etc/certs/mtlscert.optional.tls
 #   name: optional-mtls-volume
 
+# -- Certificates for mutual TLS server
+certs:
+  # -- Existing secret containing the following key, crt and ca as well as the bundle pem.
+  existingSecret: ""
+  server:
+    # -- Key used by gRPC and webserver.
+    key: ""
+    # -- Certificate used by gRPC and webserver.
+    crt: ""
+  ca:
+    # -- CA certificate used by gRPC, webserver and AuditSink validation.
+    crt: ""
+
 testConnection:
   # -- test connection nodeSelector field
   nodeSelector: {}