Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Add mTLS certificate loading for Falco via Helm #565

Merged
merged 3 commits into from
Nov 22, 2023
Merged

Feature: Add mTLS certificate loading for Falco via Helm #565

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6577928
Add mTLS certificate loading capability
jgmartinez Oct 23, 2023
5bbab8b
Bumped chart version and changelog
jgmartinez Oct 30, 2023
62d565d
Changed label import
jgmartinez Nov 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions charts/falco/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@
This file documents all notable changes to Falco Helm Chart. The release
numbering uses [semantic versioning](http://semver.org).

## v3.8.5

* Add mTLS cryptographic material load via Helm for Falco

## v3.8.4

* Upgrade Falco to 0.36.2: https://github.com/falcosecurity/falco/releases/tag/0.36.2
Expand Down
2 changes: 1 addition & 1 deletion charts/falco/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
apiVersion: v2
name: falco
version: 3.8.4
version: 3.8.5
appVersion: "0.36.2"
description: Falco
keywords:
Expand Down
31 changes: 31 additions & 0 deletions charts/falco/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -474,6 +474,37 @@ helm install falco \
falcosecurity/falco
```

## Enable http_output

HTTP output enables Falco to send events through HTTP(S) via the following configuration:

```shell
helm install falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="http://some.url/some/path/" \
--set falco.json_output=true \
--set json_include_output_property=true
falcosecurity/falco
```

Additionaly, you can enable mTLS communication and load HTTP client cryptographic material via:

```shell
helm install falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="https://some.url/some/path/" \
--set falco.json_output=true \
--set json_include_output_property=true \
--set falco.http_output.mtls=true \
--set falco.http_output.client_cert="/etc/falco/certs/client/client.crt" \
--set falco.http_output.client_key="/etc/falco/certs/client/client.key" \
--set falco.http_output.ca_cert="/etc/falco/certs/client/ca.crt" \
--set-file certs.client.key="/path/to/client.key",certs.client.crt="/path/to/client.crt",certs.ca.crt="/path/to/cacert.crt" \
falcosecurity/falco
```

Or instead of directly setting the files via `--set-file`, mounting an existing volume with the `certs.existingClientSecret` value.

## Deploy Falcosidekick with Falco

[`Falcosidekick`](https://github.com/falcosecurity/falcosidekick) can be installed with `Falco` by setting `--set falcosidekick.enabled=true`. This setting automatically configures all options of `Falco` for working with `Falcosidekick`.
Expand Down
18 changes: 18 additions & 0 deletions charts/falco/templates/client-certs-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "falco.fullname" . }}-client-certs
namespace: {{ .Release.Namespace }}
labels:
{{- include "falco.labels" $ | nindent 4 }}
type: Opaque
data:
{{ $key := .Values.certs.client.key }}
client.key: {{ $key | b64enc | quote }}
{{ $crt := .Values.certs.client.crt }}
client.crt: {{ $crt | b64enc | quote }}
falcoclient.pem: {{ print $key $crt | b64enc | quote }}
ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/falco/templates/pod-template.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,11 @@ spec:
name: certs-volume
readOnly: true
{{- end }}
{{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
- mountPath: /etc/falco/certs/client
name: client-certs-volume
readOnly: true
{{- end }}
{{- include "falco.unixSocketVolumeMount" . | nindent 8 -}}
{{- with .Values.mounts.volumeMounts }}
{{- toYaml . | nindent 8 }}
Expand Down Expand Up @@ -335,6 +340,15 @@ spec:
secretName: {{ include "falco.fullname" . }}-certs
{{- end }}
{{- end }}
{{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
- name: client-certs-volume
secret:
{{- if .Values.certs.existingClientSecret }}
secretName: {{ .Values.certs.existingClientSecret }}
{{- else }}
secretName: {{ include "falco.fullname" . }}-client-certs
{{- end }}
{{- end }}
{{- include "falco.unixSocketVolume" . | nindent 4 -}}
{{- with .Values.mounts.volumes }}
{{- toYaml . | nindent 4 }}
Expand Down
13 changes: 10 additions & 3 deletions charts/falco/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,13 @@ certs:
ca:
# -- CA certificate used by gRPC, webserver and AuditSink validation.
crt: ""
existingClientSecret: ""
client:
# -- Key used by http mTLS client.
key: ""
# -- Certificate used by http mTLS client.
crt: ""

# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
customRules:
{}
Expand Down Expand Up @@ -708,13 +715,13 @@ falco:
ca_bundle: ""
# -- Path to a folder that will be used as the CA certificate store. CA certificate need to be
# stored as indivitual PEM files in this directory.
ca_path: "/etc/ssl/certs"
ca_path: "/etc/falco/certs/"
# -- Tell Falco to use mTLS
mtls: false
# -- Path to the client cert.
client_cert: "/etc/ssl/certs/client.crt"
client_cert: "/etc/falco/certs/client/client.crt"
# -- Path to the client key.
client_key: "/etc/ssl/certs/client.key"
client_key: "/etc/falco/certs/client/client.key"
# -- Whether to echo server answers to stdout
Comment on lines +718 to 725
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although this is legit, we will risk getting these values overwritten when maintainers update the config (N.B.: these defaults are usually copied/pasted from falco.yaml).

So I'd prefer to keep the /etc/ssl/certs folder unless there's any compelling reason not to do so 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reason I changed the path is because if we use /etc/ssl/certs we are overwriting the base image CAs and other certificates, risking getting certificate errors if the container need to trust other servers or other certificate related issues.

This being said, we could mount a folder inside like /etc/ssl/certs/ falco so there's some consistency :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I believe /etc/falco/certs works. Just waiting for @alacuku for a second opinion.

Thank you!

echo: false

Expand Down
Loading