Added http_output mtls cert mounting via Helm

Signed-off-by: Juan Gonzalez Martinez <[email protected]>

charts/falco/templates/client-certs-secret.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "falco.fullname" . }}-client-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "falco.name" . }}
+    helm.sh/chart: {{ include "falco.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ $key := .Values.certs.client.key }}
+  client.key: {{ $key | b64enc | quote }}
+  {{ $crt := .Values.certs.client.crt }}
+  client.crt: {{ $crt | b64enc | quote }}
+  falcoclient.pem: {{ print $key $crt | b64enc | quote }}
+  ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }}
+  ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }}
+{{- end }}

charts/falco/templates/pod-template.tpl

@@ -201,6 +201,11 @@ spec:
           name: certs-volume
           readOnly: true
         {{- end }}
+        {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+        - mountPath: /etc/falco/certs/client
+          name: client-certs-volume
+          readOnly: true
+        {{- end }}
         {{- include "falco.unixSocketVolumeMount"  . | nindent 8 -}}
         {{- with .Values.mounts.volumeMounts }}
           {{- toYaml . | nindent 8 }}
@@ -335,6 +340,15 @@ spec:
         secretName: {{ include "falco.fullname" . }}-certs
         {{- end }}
     {{- end }}
+    {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}
+    - name: client-certs-volume
+      secret:
+        {{- if .Values.certs.existingClientSecret }}
+        secretName: {{ .Values.certs.existingClientSecret }}
+        {{- else }}
+        secretName: {{ include "falco.fullname" . }}-client-certs
+        {{- end }}
+    {{- end }}
     {{- include "falco.unixSocketVolume" . | nindent 4 -}}
     {{- with .Values.mounts.volumes }}
       {{- toYaml . | nindent 4 }}

charts/falco/values.yaml

@@ -299,20 +299,28 @@ extra:
   # -- Additional initContainers for Falco pods.
   initContainers: []
 
-# -- certificates used by webserver and grpc server.
+# -- certificates used by webserver and grpc server and client.
 # paste certificate content or use helm with --set-file
 # or use existing secret containing key, crt, ca as well as pem bundle
 certs:
-  # -- Existing secret containing the following key, crt and ca as well as the bundle pem.
+  # -- Existing server secret containing the following key, crt and ca as well as the bundle pem.
   existingSecret: ""
+  # -- Existing client secret containing the following key, crt and ca as well as the bundle pem.
+  existingClientSecret: ""
   server:
     # -- Key used by gRPC and webserver.
     key: ""
     # -- Certificate used by gRPC and webserver.
     crt: ""
+  client:
+    # -- Key used by http mTLS client.
+    key: ""
+    # -- Certificate used by http mTLS client.
+    crt: ""
   ca:
-    # -- CA certificate used by gRPC, webserver and AuditSink validation.
+    # -- CA certificate used by gRPC, webserver and AuditSink validation. Also used for mTLS Server validation.
     crt: ""
+
 # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
 customRules:
   {}
@@ -696,6 +704,11 @@ falco:
   # [Stable] `http_output`
   #
   # -- Send logs to an HTTP endpoint or webhook.
+  # -- When mounting mTLS certificates via Helm, the client cryptographic material is at:
+  #     private_key: "/etc/falco/certs/client/client.key"
+  #     cert_chain: "/etc/falco/certs/client/server.crt"
+  #     root_certs: "/etc/falco/certs/ca.crt"
+
   http_output:
     enabled: false
     url: ""