Add mTLS certificate loading capability

Signed-off-by: Juan Gonzalez <[email protected]>
falcosecurity · Nov 22, 2023 · 76e6e85 · 76e6e85
1 parent 2a9dd9a
commit 76e6e85
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 3 deletions.
diff --git a/charts/falco/README.md b/charts/falco/README.md
@@ -474,6 +474,37 @@ helm install falco \
   falcosecurity/falco
 ```
 
+## Enable http_output
+
+HTTP output enables Falco to send events through HTTP(S) via the following configuration:
+
+```shell
+helm install falco \
+  --set falco.http_output.enabled=true \
+  --set falco.http_output.url="http://some.url/some/path/" \
+  --set falco.json_output=true \
+  --set json_include_output_property=true
+  falcosecurity/falco
+```
+
+Additionaly, you can enable mTLS communication and load HTTP client cryptographic material via:
+
+```shell
+helm install falco \
+  --set falco.http_output.enabled=true \
+  --set falco.http_output.url="https://some.url/some/path/" \
+  --set falco.json_output=true \
+  --set json_include_output_property=true \
+  --set falco.http_output.mtls=true \
+  --set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \
+  --set falco.http_output.client_key="/etc/falco/certs/client/client.key" \
+  --set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \
+  --set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" \
+  falcosecurity/falco
+```
+
+Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value.
+
 ## Deploy Falcosidekick with Falco
 
 [`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. This setting automatically configures all options of `Falco` for working with `Falcosidekick`.

diff --git a/charts/falco/templates/client-certs-secret.yaml b/charts/falco/templates/client-certs-secret.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "falco.fullname" . }}-client-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "falco.name" . }}
+    helm.sh/chart: {{ include "falco.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ $key := .Values.certs.client.key }}
+  client.key: {{ $key | b64enc | quote }}
+  {{ $crt := .Values.certs.client.crt }}
+  client.crt: {{ $crt | b64enc | quote }}
+  falcoclient.pem: {{ print $key $crt | b64enc | quote }}
+  ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
+  ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
+{{- end }}
diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -201,6 +201,11 @@ spec:
           name: certs-volume
           readOnly: true
         {{- end }}
+        {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+        - mountPath: /etc/falco/certs/client
+          name: client-certs-volume
+          readOnly: true
+        {{- end }}
         {{- include "falco.unixSocketVolumeMount"  . | nindent 8 -}}
         {{- with .Values.mounts.volumeMounts }}
           {{- toYaml . | nindent 8 }}
@@ -335,6 +340,15 @@ spec:
         secretName: {{ include "falco.fullname" . }}-certs
         {{- end }}
     {{- end }}
+    {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+    - name: client-certs-volume
+      secret:
+        {{- if .Values.certs.existingClientSecret }}
+        secretName: {{ .Values.certs.existingClientSecret }}
+        {{- else }}
+        secretName: {{ include "falco.fullname" . }}-client-certs
+        {{- end }}
+    {{- end }}
     {{- include "falco.unixSocketVolume" . | nindent 4 -}}
     {{- with .Values.mounts.volumes }}
       {{- toYaml . | nindent 4 }}

diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -313,6 +313,13 @@ certs:
   ca:
     # -- CA certificate used by gRPC, webserver and AuditSink validation.
     crt: ""
+  existingClientSecret: ""
+  client:
+    # -- Key used by http mTLS client.
+    key: ""
+    # -- Certificate used by http mTLS client.
+    crt: ""
+
 # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
 customRules:
   {}
@@ -708,13 +715,13 @@ falco:
     ca_bundle: ""
     # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be
     # stored as indivitual PEM files in this directory.
-    ca_path: "/etc/ssl/certs"
+    ca_path: "/etc/falco/certs/"
     # -- Tell Falco to use mTLS
     mtls: false
     # -- Path to the client cert.
-    client_cert: "/etc/ssl/certs/client.crt"
+    client_cert: "/etc/falco/certs/client/client.crt"
     # -- Path to the client key.
-    client_key: "/etc/ssl/certs/client.key"
+    client_key: "/etc/falco/certs/client/client.key"
     # -- Whether to echo server answers to stdout
     echo: false