From 76e6e85e002549689896d663be51e53e84d1db78 Mon Sep 17 00:00:00 2001
From: Juan Gonzalez
Date: Mon, 23 Oct 2023 12:18:10 +0200
Subject: [PATCH] Add mTLS certificate loading capability

Signed-off-by: Juan Gonzalez
---
 charts/falco/README.md | 31 +++++++++++++++++++
 .../falco/templates/client-certs-secret.yaml | 21 +++++++++++++
 charts/falco/templates/pod-template.tpl | 14 +++++++++
 charts/falco/values.yaml | 13 ++++++--
 4 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 charts/falco/templates/client-certs-secret.yaml

diff --git a/charts/falco/README.md b/charts/falco/README.md
index 5abc55dcf..f845188c0 100644
--- a/charts/falco/README.md
+++ b/charts/falco/README.md
@@ -474,6 +474,37 @@ helm install falco \ falcosecurity/falco ``` +## Enable http_output + +HTTP output enables Falco to send events through HTTP(S) via the following configuration: + +```shell +helm install falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="http://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true + falcosecurity/falco +``` + +Additionaly, you can enable mTLS communication and load HTTP client cryptographic material via: + +```shell +helm install falco \ + --set falco.http_output.enabled=true \ + --set falco.http_output.url="https://some.url/some/path/" \ + --set falco.json_output=true \ + --set json_include_output_property=true \ + --set falco.http_output.mtls=true \ + --set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \ + --set falco.http_output.client_key="/etc/falco/certs/client/client.key" \ + --set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \ + --set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" \ + falcosecurity/falco +``` + +Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value. + ## Deploy Falcosidekick with Falco [`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. This setting automatically configures all options of `Falco` for working with `Falcosidekick`. diff --git a/charts/falco/templates/client-certs-secret.yaml b/charts/falco/templates/client-certs-secret.yaml new file mode 100644 index 000000000..530056674 --- /dev/null +++ b/charts/falco/templates/client-certs-secret.yaml 
@@ -0,0 +1,21 @@
+{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "falco.fullname" . }}-client-certs
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "falco.name" . }}
+ helm.sh/chart: {{ include "falco.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+ {{ $key := .Values.certs.client.key }}
+ client.key: {{ $key | b64enc | quote }}
+ {{ $crt := .Values.certs.client.crt }}
+ client.crt: {{ $crt | b64enc | quote }}
+ falcoclient.pem: {{ print $key $crt | b64enc | quote }}
+ ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
+ ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
+{{- end }}
diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
index e47c00797..2103adeeb 100644
--- a/charts/falco/templates/pod-template.tpl
+++ b/charts/falco/templates/pod-template.tpl
@@ -201,6 +201,11 @@ spec:
 name: certs-volume
 readOnly: true
 {{- end }}
+ {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+ - mountPath: /etc/falco/certs/client
+ name: client-certs-volume
+ readOnly: true
+ {{- end }}
 {{- include "falco.unixSocketVolumeMount" . | nindent 8 -}}
 {{- with .Values.mounts.volumeMounts }}
 {{- toYaml . | nindent 8 }}
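Review bot: `falcoclient.pem: {{ print $key $crt | b64enc | quote }}` joins the key and the certificate with no separator, so unless the supplied `certs.client.key` happens to end with a newline the `-----END ...-----` line of the key and the `-----BEGIN CERTIFICATE-----` line of the certificate fuse into one line and the bundle will not parse; `falcoclient.pem: {{ printf "%s\n%s" $key $crt | b64enc | quote }}` is the safe form. The `{{ $key := ... }}` and `{{ $crt := ... }}` assignment lines render as whitespace-only lines inside `data:`; writing them as `{{- $key := .Values.certs.client.key -}}` keeps the rendered manifest clean. Since the template base64-encodes the values verbatim, they must hold PEM file contents rather than paths (the README hunk supplies them with `--set-file`), and because Helm also keeps user-supplied values in its release record the private key is then persisted outside this Secret as well, which is worth stating in the value docs next to the `certs.existingClientSecret` alternative.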
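Review bot: The new guard `{{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}` tests `certs.existingSecret`, which presumably drives the existing `certs-volume` just above, instead of the `certs.existingClientSecret` value this change introduces and that the inner `{{- if .Values.certs.existingClientSecret }}` in the `@@ -335,6 +340,15 @@` hunk switches on; the same guard is repeated there. As written, setting only `certs.existingClientSecret` adds neither the mount nor the volume, while setting `certs.existingSecret` without any client material adds a volume referencing a `-client-certs` Secret that is never rendered, so the kubelet cannot mount it and the pod does not start. Both guards should read `{{- if or .Values.certs.existingClientSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}`. The enclosing `volumeMounts` list and container spec begin before this hunk.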
@@ -335,6 +340,15 @@ spec:
 secretName: {{ include "falco.fullname" . }}-certs
 {{- end }}
 {{- end }}
+ {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+ - name: client-certs-volume
+ secret:
+ {{- if .Values.certs.existingClientSecret }}
+ secretName: {{ .Values.certs.existingClientSecret }}
+ {{- else }}
+ secretName: {{ include "falco.fullname" . }}-client-certs
+ {{- end }}
+ {{- end }}
 {{- include "falco.unixSocketVolume" . | nindent 4 -}}
 {{- with .Values.mounts.volumes }}
 {{- toYaml . | nindent 4 }}
diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
index c6ed654c7..b6467f422 100644
--- a/charts/falco/values.yaml
+++ b/charts/falco/values.yaml
@@ -313,6 +313,13 @@ certs:
 ca:
 # -- CA certificate used by gRPC, webserver and AuditSink validation.
 crt: ""
+ existingClientSecret: ""
+ client:
+ # -- Key used by http mTLS client.
+ key: ""
+ # -- Certificate used by http mTLS client.
+ crt: ""
+
 
 # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
 customRules: {}
@@ -708,13 +715,13 @@ falco:
 ca_bundle: ""
 # -- Path to a folder that will be used as the CA certificate store. CA certificate need to be
 # stored as indivitual PEM files in this directory.
- ca_path: "/etc/ssl/certs"
+ ca_path: "/etc/falco/certs/"
 # -- Tell Falco to use mTLS
 mtls: false
 # -- Path to the client cert.
- client_cert: "/etc/ssl/certs/client.crt"
+ client_cert: "/etc/falco/certs/client/client.crt"
 # -- Path to the client key.
- client_key: "/etc/ssl/certs/client.key"
+ client_key: "/etc/falco/certs/client/client.key"
 # -- Whether to echo server answers to stdout
 echo: false
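Review bot: `existingClientSecret: ""` is the only new key in the `@@ -313,6 +313,13 @@` hunk without a `# --` description, while every sibling value in this block carries one in the helm-docs style, so it will be absent from any generated values table; add `# -- Existing secret holding client.key, client.crt and ca.crt, mounted at /etc/falco/certs/client for the http mTLS client.` above it, the key names following the `client_cert`/`client_key` paths and the README's `ca_cert` path. The `key` and `crt` comments under `client` should also state that the values are PEM file contents rather than paths (the README passes them with `--set-file`), since the new Secret template encodes them verbatim. Because Helm keeps user-supplied values in its release record, the in-values route leaves a second persisted copy of the private key; naming `existingClientSecret` as the preferred option in the comment makes that trade-off visible to operators.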