Feature: Add mTLS certificate loading for Falco via Helm #549

Closed
5 changes: 5 additions & 0 deletions charts/falco/CHANGELOG.md
@@ -3,6 +3,11 @@
This file documents all notable changes to Falco Helm Chart. The release
numbering uses [semantic versioning](http://semver.org).

## v3.8.2

* Enable mounting Falco client cryptographic material through `certs.client.key` and `certs.client.crt` values or `certs.existingClientSecret`.
* Upgrade falcosidekick chart to `v0.7.6`.

## v3.8.1

* noop change just to test the ci
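Review bot: the v3.8.2 entry names only `certs.client.key` and `certs.client.crt`, but the new `client-certs-secret.yaml` renders the Secret only when `certs.ca.crt` is also set, so a reader following this entry will get no Secret and no mount without any error. List all three values (or state that `certs.ca.crt` is required), and mention that they are meant to be paired with the `falco.http_output.mtls`, `client_cert`, `client_key` and `ca_cert` settings shown in the README.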
@@ -1,6 +1,6 @@
apiVersion: v2
name: falco
version: 3.8.1
version: 3.8.2
appVersion: "0.36.1"
description: Falco
keywords:
@@ -19,6 +19,6 @@ maintainers:
email: [email protected]
dependencies:
- name: falcosidekick
version: "0.7.1"
version: "0.7.6"
condition: falcosidekick.enabled
repository: https://falcosecurity.github.io/charts
31 changes: 31 additions & 0 deletions charts/falco/README.md
@@ -474,6 +474,37 @@ helm install falco \
falcosecurity/falco
```

## Enable http_output

HTTP output enables Falco to send events through HTTP(S) via the following configuration:

```shell
helm install falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="http://some.url/some/path/" \
--set falco.json_output=true \
--set json_include_output_property=true
falcosecurity/falco
```

Additionaly, you can enable mTLS communication and load HTTP client cryptographic material via:

```shell
helm install falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="https://some.url/some/path/" \
--set falco.json_output=true \
--set json_include_output_property=true \
--set falco.http_output.mtls=true \
--set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \
--set falco.http_output.client_key="/etc/falco/certs/client/client.key" \
--set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \
--set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" \
falcosecurity/falco
```

Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value.

## Deploy Falcosidekick with Falco

[`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. This setting automatically configures all options of `Falco` for working with `Falcosidekick`.
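Review bot: the first `helm install` block in the new section is not runnable: `--set json_include_output_property=true` has no trailing `\`, so `falcosecurity/falco` becomes a separate command and `helm install` is left without a chart argument. In both blocks the key also lacks the `falco.` prefix that the neighbouring `falco.json_output=true` uses, so it sets an unused top-level value; suggest `--set falco.json_include_output_property=true \` in both places. Two wording fixes as well: `Additionaly` is a typo, and the closing sentence is a fragment and refers to a volume where the chart mounts a Secret, e.g. "Alternatively, instead of passing the files with `--set-file`, mount an existing Secret by setting `certs.existingClientSecret`; it must contain the `client.key`, `client.crt` and `ca.crt` keys that `client-certs-secret.yaml` produces."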
@@ -0,0 +1,21 @@
{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "falco.fullname" . }}-client-certs
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "falco.name" . }}
helm.sh/chart: {{ include "falco.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
type: Opaque
data:
{{ $key := .Values.certs.client.key }}
client.key: {{ $key | b64enc | quote }}
{{ $crt := .Values.certs.client.crt }}
client.crt: {{ $crt | b64enc | quote }}
falcoclient.pem: {{ print $key $crt | b64enc | quote }}
ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
{{- end }}
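Review bot: `falcoclient.pem: {{ print $key $crt | b64enc | quote }}` concatenates the key and certificate with no separator, so unless the value passed in `certs.client.key` happens to end with a newline the bundle contains `-----END PRIVATE KEY----------BEGIN CERTIFICATE-----` on a single line and will not parse as PEM; use `printf "%s\n%s" $key $crt` instead. Minor: the `{{ $key := ... }}` and `{{ $crt := ... }}` actions lack the `{{-` trim and leave whitespace-only lines inside `data:`, which is harmless to the YAML parser but worth cleaning up. Finally, the guard silently requires `certs.ca.crt`; a user who sets only the client key and cert gets neither this Secret nor the mount with no feedback, so consider `required` or a NOTES.txt hint.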
14 changes: 14 additions & 0 deletions charts/falco/templates/pod-template.tpl
@@ -201,6 +201,11 @@ spec:
name: certs-volume
readOnly: true
{{- end }}
{{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
- mountPath: /etc/falco/certs/client
name: client-certs-volume
readOnly: true
{{- end }}
{{- include "falco.unixSocketVolumeMount" . | nindent 8 -}}
{{- with .Values.mounts.volumeMounts }}
{{- toYaml . | nindent 8 }}
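Review bot: the guard on the new mount tests `.Values.certs.existingSecret` (the server Secret) instead of `.Values.certs.existingClientSecret`. As written, setting only `certs.existingClientSecret` renders no client mount at all, while setting only the server `existingSecret` renders a mount for `client-certs-volume` even though no client material was provided. Change the condition to `{{- if or .Values.certs.existingClientSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}`.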
@@ -335,6 +340,15 @@ spec:
secretName: {{ include "falco.fullname" . }}-certs
{{- end }}
{{- end }}
{{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
- name: client-certs-volume
secret:
{{- if .Values.certs.existingClientSecret }}
secretName: {{ .Values.certs.existingClientSecret }}
{{- else }}
secretName: {{ include "falco.fullname" . }}-client-certs
{{- end }}
{{- end }}
{{- include "falco.unixSocketVolume" . | nindent 4 -}}
{{- with .Values.mounts.volumes }}
{{- toYaml . | nindent 4 }}
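Review bot: same wrong key in the outer guard: it tests `.Values.certs.existingSecret`, while the inner `{{- if .Values.certs.existingClientSecret }}` shows the value that was intended. With only the server `existingSecret` set and no client material, the `else` branch references `{{ include "falco.fullname" . }}-client-certs`, which `client-certs-secret.yaml` does not render in that case, so the pod would sit in ContainerCreating waiting for a Secret that never exists. Use `.Values.certs.existingClientSecret` in the outer condition so the volume and the mount are rendered from the same inputs.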
@@ -299,20 +299,28 @@ extra:
# -- Additional initContainers for Falco pods.
initContainers: []

# -- certificates used by webserver and grpc server.
# -- certificates used by webserver and grpc server and client.
# paste certificate content or use helm with --set-file
# or use existing secret containing key, crt, ca as well as pem bundle
certs:
# -- Existing secret containing the following key, crt and ca as well as the bundle pem.
# -- Existing server secret containing the following key, crt and ca as well as the bundle pem.
existingSecret: ""
# -- Existing client secret containing the following key, crt and ca as well as the bundle pem.
existingClientSecret: ""
server:
# -- Key used by gRPC and webserver.
key: ""
# -- Certificate used by gRPC and webserver.
crt: ""
client:
# -- Key used by http mTLS client.
key: ""
# -- Certificate used by http mTLS client.
crt: ""
ca:
# -- CA certificate used by gRPC, webserver and AuditSink validation.
# -- CA certificate used by gRPC, webserver and AuditSink validation. Also used for mTLS Server validation.
crt: ""

# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
customRules:
{}
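Review bot: the `existingClientSecret` comment ("containing the following key, crt and ca as well as the bundle pem") does not name the data keys the chart expects. Because `falco.http_output.client_cert`, `client_key` and `ca_cert` are configured as file paths under `/etc/falco/certs/client`, a user-supplied Secret has to use exactly the keys that `client-certs-secret.yaml` emits (`client.key`, `client.crt`, `ca.crt`, plus the optional `falcoclient.pem` and `ca.pem` bundles); list them in the comment so helm-docs carries them into the README.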
@@ -696,6 +704,11 @@ falco:
# [Stable] `http_output`
#
# -- Send logs to an HTTP endpoint or webhook.
# -- When mounting mTLS certificates via Helm, the client cryptographic material is at:
# private_key: "/etc/falco/certs/client/client.key"
# cert_chain: "/etc/falco/certs/client/server.crt"
# root_certs: "/etc/falco/certs/ca.crt"

http_output:
enabled: false
url: ""
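Review bot: the new comment under `http_output` contradicts both the README and the Secret template. `cert_chain` points at `server.crt` but the file the chart mounts is `client.crt`; `root_certs` points at `/etc/falco/certs/ca.crt` but the client volume is mounted at `/etc/falco/certs/client`, so the CA is at `/etc/falco/certs/client/ca.crt`; and `private_key`/`cert_chain`/`root_certs` are not the `http_output` settings the README sets (`client_key`, `client_cert`, `ca_cert`). Rewrite the comment with those three keys and the `/etc/falco/certs/client/` paths, and drop the second `# --` prefix so helm-docs does not pick it up as another description line.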
@@ -5,6 +5,13 @@ numbering uses [semantic versioning](http://semver.org).

Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).

## 0.7.6

* Fix the behavior with the `AWS IRSA` with a new value `aws.config.useirsa`
* Add a section in the README to describe how to use a subpath for `Falcosidekick-ui` ingress
* Add a `ServiceMonitor` for prometheus-operator
* Add a `PrometheusRule` for prometheus-operator

## 0.7.5

* noop change just to test the ci
@@ -3,7 +3,7 @@ appVersion: 2.28.0
description: Connect Falco to your ecosystem
icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
name: falcosidekick
version: 0.7.5
version: 0.7.6
keywords:
- monitoring
- security
@@ -17,99 +17,106 @@ It works as a single endpoint for as many as you want `Falco` instances :

`Falcosidekick` manages a large variety of outputs with different purposes.

> **Note**
Follow the links to get the configuration of each output.

### Chat

- [**Slack**](https://slack.com)
- [**Rocketchat**](https://rocket.chat/)
- [**Mattermost**](https://mattermost.com/)
- [**Teams**](https://products.office.com/en-us/microsoft-teams/group-chat-software)
- [**Discord**](https://www.discord.com/)
- [**Google Chat**](https://workspace.google.com/products/chat/)
- [**Zoho Cliq**](https://www.zoho.com/cliq/)
- [**Telegram**](https://telegram.org)
- [**Slack**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/slack.md)
- [**Rocketchat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rocketchat.md)
- [**Mattermost**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mattermost.md)
- [**Teams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/teams.md)
- [**Discord**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/discord.md)
- [**Google Chat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/googlechat.md)
- [**Zoho Cliq**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cliq.md)
- [**Telegram**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/telegram.md)

### Metrics / Observability

- [**Datadog**](https://www.datadoghq.com/)
- [**Influxdb**](https://www.influxdata.com/products/influxdb-overview/)
- [**StatsD**](https://github.com/statsd/statsd) (for monitoring of `falcosidekick`)
- [**DogStatsD**](https://docs.datadoghq.com/developers/dogstatsd/?tab=go) (for monitoring of `falcosidekick`)
- [**Prometheus**](https://prometheus.io/) (for both events and monitoring of `falcosidekick`)
- [**Wavefront**](https://www.wavefront.com)
- [**Spyderbat**](https://www.spyderbat.com)
- [**TimescaleDB**](https://www.timescale.com/)
- [**Dynatrace**](https://www.dynatrace.com/)
- [**Datadog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog.md)
- [**Influxdb**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/influxdb.md)
- [**StatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md) (for monitoring of `falcosidekick`)
- [**DogStatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md) (for monitoring of `falcosidekick`)
- [**Prometheus**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md) (for both events and monitoring of `falcosidekick`)
- [**Wavefront**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/wavefront.md)
- [**Spyderbat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/spyderbat.md)
- [**TimescaleDB**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/timescaledb.md)
- [**Dynatrace**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dynatrace.md)

### Alerting

- [**AlertManager**](https://prometheus.io/docs/alerting/alertmanager/)
- [**Opsgenie**](https://www.opsgenie.com/)
- [**PagerDuty**](https://pagerduty.com/)
- [**Grafana OnCall**](https://grafana.com/products/oncall/)
- [**AlertManager**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/alertmanager.md)
- [**Opsgenie**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/opsgenie.md)
- [**PagerDuty**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/pagerduty.md)
- [**Grafana OnCall**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana_oncall.md)

### Logs

- [**Elasticsearch**](https://www.elastic.co/)
- [**Loki**](https://grafana.com/oss/loki)
- [**AWS CloudWatchLogs**](https://aws.amazon.com/cloudwatch/features/)
- [**Grafana**](https://grafana.com/) (annotations)
- **Syslog**
- [**Zincsearch**](https://docs.zincsearch.com/)
- [**OpenObserve**](https://openobserve.ai)
- [**Elasticsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md)
- [**Loki**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/loki.md)
- [**AWS CloudWatchLogs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_cloudwatch_logs.md)
- [**Grafana**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana.md)
- [**Syslog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md)
- [**Zincsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs//zincsearch.md)
- [**OpenObserve**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openobserve.md)

### Object Storage

- [**AWS S3**](https://aws.amazon.com/s3/features/)
- [**GCP Storage**](https://cloud.google.com/storage)
- [**Yandex S3 Storage**](https://cloud.yandex.com/en-ru/services/storage)
- [**AWS S3**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_s3.md)
- [**GCP Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_storage.md)
- [**Yandex S3 Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_s3.md)

### FaaS / Serverless

- [**AWS Lambda**](https://aws.amazon.com/lambda/features/)
- [**GCP Cloud Run**](https://cloud.google.com/run)
- [**GCP Cloud Functions**](https://cloud.google.com/functions)
- [**Fission**](https://fission.io)
- [**KNative (CloudEvents)**](https://knative.dev)
- [**Kubeless**](https://kubeless.io/)
- [**OpenFaaS**](https://www.openfaas.com)
- [**Tekton**](https://tekton.dev)
- [**AWS Lambda**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_lambda.md)
- [**GCP Cloud Run**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_run.md)
- [**GCP Cloud Functions**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_functions.md)
- [**Fission**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/fission.md)
- [**KNative (CloudEvents)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cloudevents.md)
- [**Kubeless**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kubeless.md)
- [**OpenFaaS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openfaas.md)
- [**Tekton**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/tekton.md)

### Message queue / Streaming

- [**NATS**](https://nats.io/)
- [**STAN (NATS Streaming)**](https://docs.nats.io/nats-streaming-concepts/intro)
- [**AWS SQS**](https://aws.amazon.com/sqs/features/)
- [**AWS SNS**](https://aws.amazon.com/sns/features/)
- [**AWS Kinesis**](https://aws.amazon.com/kinesis/)
- [**GCP PubSub**](https://cloud.google.com/pubsub)
- [**Apache Kafka**](https://kafka.apache.org/)
- [**Kafka Rest Proxy**](https://docs.confluent.io/platform/current/kafka-rest/index.html)
- [**RabbitMQ**](https://www.rabbitmq.com/)
- [**Azure Event Hubs**](https://azure.microsoft.com/en-in/services/event-hubs/)
- [**Yandex Data Streams**](https://cloud.yandex.com/en/docs/data-streams/)
- [**MQTT**](https://mqtt.org/)
- [**Gotify**](https://gotify.net/)
- [**NATS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nats.md)
- [**STAN (NATS Streaming)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/stan.md)
- [**AWS SQS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sqs.md)
- [**AWS SNS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sns.md)
- [**AWS Kinesis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_kinesis.md)
- [**GCP PubSub**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_pub_sub.md)
- [**Apache Kafka**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafka.md)
- [**Kafka Rest Proxy**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafkarest.md)
- [**RabbitMQ**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rabbitmq.md)
- [**Azure Event Hubs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/azure_event_hub.md)
- [**Yandex Data Streams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_datastreams.md)
- [**MQTT**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mqtt.md)
- [**Gotify**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gotify.md)

### Email

- **SMTP**
- [**SMTP**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/smtp.md)

### Database

- [**Redis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/redis.md)

### Web

- **Webhook**
- [**Node-RED**](https://nodered.org/)
- [**WebUI**](https://github.com/falcosecurity/falcosidekick-ui) (a Web UI for displaying latest events in real time)
- [**Webhook**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md)
- [**Node-RED**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nodered.md)
- [**WebUI (Falcosidekick UI)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md)

### SIEM

- [**AWS Security Lake**](https://aws.amazon.com/security-lake/)
- [**AWS Security Lake**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_security_lake.md)

### Workflow

- [**n8n**](https://n8n.io/)
- [**n8n**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/n8n.md)

### Other
- [**Policy Report**](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/falco-adapter)
- [**Policy Report**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/policy-reporter.md)

## Adding `falcosecurity` repository

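Review bot: the Zincsearch entry links to `docs/outputs//zincsearch.md` with a doubled slash; every other entry uses a single one, so drop the extra `/` to keep the link consistent (GitHub tolerates it, but link checkers will not).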
@@ -170,3 +177,11 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm

A `prometheus` endpoint can be scrapped at `/metrics`.

## Access Falcosidekick UI through an Ingress and a subpath

You may want to access the `WebUI (Falcosidekick UI)`](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md) dashboard not from `/` but from `/subpath` and use an Ingress, here's an example of annotations to add to the Ingress for `nginx-ingress controller`:

```yaml
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/use-regex: "true"
```
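Review bot: the link in the new subpath section is missing its opening `[` before `` `WebUI (Falcosidekick UI)` ``, so it renders as literal text rather than a link. The sentence is also a run-on; split it after `use an Ingress`. More importantly, the two annotations alone do not define the `$2` capture group that `rewrite-target: /$2` relies on: the Ingress rule needs a regex `path` such as `/subpath(/|$)(.*)` (with `pathType: ImplementationSpecific`), otherwise `$2` is empty and every request is rewritten to `/`. Show the `path` alongside the annotations so the example is complete.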