diff --git a/charts/falco/templates/client-certs-secret.yaml b/charts/falco/templates/client-certs-secret.yaml new file mode 100644 index 000000000..530056674 --- /dev/null +++ b/charts/falco/templates/client-certs-secret.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falco.fullname" . }}-client-certs + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "falco.name" . }} + helm.sh/chart: {{ include "falco.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +data: + {{ $key := .Values.certs.client.key }} + client.key: {{ $key | b64enc | quote }} + {{ $crt := .Values.certs.client.crt }} + client.crt: {{ $crt | b64enc | quote }} + falcoclient.pem: {{ print $key $crt | b64enc | quote }} + ca.crt: {{ .Values.certs.ca.crt | b64enc | quote }} + ca.pem: {{ .Values.certs.ca.crt | b64enc | quote }} +{{- end }} diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl index e47c00797..2103adeeb 100644 --- a/charts/falco/templates/pod-template.tpl +++ b/charts/falco/templates/pod-template.tpl @@ -201,6 +201,11 @@ spec: name: certs-volume readOnly: true {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} + - mountPath: /etc/falco/certs/client + name: client-certs-volume + readOnly: true + {{- end }} {{- include "falco.unixSocketVolumeMount" . | nindent 8 -}} {{- with .Values.mounts.volumeMounts }} {{- toYaml . | nindent 8 }} 
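Review bot: `falcoclient.pem: {{ print $key $crt | b64enc | quote }}` joins the key and the certificate with no separator, so when `certs.client.key` arrives without a trailing newline (pasted into values, or passed with `--set` rather than `--set-file`) the bundle ends up with `-----END PRIVATE KEY----------BEGIN CERTIFICATE-----` on a single line and is not valid PEM; `falcoclient.pem: {{ printf "%s\n%s" $key $crt | b64enc | quote }}` stays valid whether or not the key has its own newline. If the existing server-certs template uses the same `print` idiom it presumably has the same weakness and is worth fixing together. Separately, this Secret is rendered whenever the three client values are set even when `certs.existingClientSecret` is also set, in which case the pod template mounts the existing secret and this one is an unused copy of the private key left in the namespace; gating the file with `{{- if and (not .Values.certs.existingClientSecret) .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt }}` avoids rendering it.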
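Review bot: The guard on the new `client-certs-volume` mount tests `.Values.certs.existingSecret`, the server-side secret, while the volume it refers to is selected by `.Values.certs.existingClientSecret` in the volumes hunk further down. With only a server `existingSecret` configured the mount is emitted and the volume falls back to `<fullname>-client-certs`, a Secret this chart renders only when the three client values are present, so the kubelet will hold the pod in ContainerCreating on a missing Secret (secret volumes are not optional by default); with only `existingClientSecret` configured nothing is mounted at all. The condition should be `{{- if or .Values.certs.existingClientSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}`. The enclosing `volumeMounts` list starts before this hunk.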
@@ -335,6 +340,15 @@ spec: secretName: {{ include "falco.fullname" . }}-certs {{- end }} {{- end }} + {{- if or .Values.certs.existingSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }} + - name: client-certs-volume + secret: + {{- if .Values.certs.existingClientSecret }} + secretName: {{ .Values.certs.existingClientSecret }} + {{- else }} + secretName: {{ include "falco.fullname" . }}-client-certs + {{- end }} + {{- end }} {{- include "falco.unixSocketVolume" . | nindent 4 -}} {{- with .Values.mounts.volumes }} {{- toYaml . | nindent 4 }} diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index c6ed654c7..ad14df9d8 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml @@ -299,20 +299,28 @@ extra: # -- Additional initContainers for Falco pods. initContainers: [] -# -- certificates used by webserver and grpc server. +# -- certificates used by webserver and grpc server and client. # paste certificate content or use helm with --set-file # or use existing secret containing key, crt, ca as well as pem bundle certs: - # -- Existing secret containing the following key, crt and ca as well as the bundle pem. + # -- Existing server secret containing the following key, crt and ca as well as the bundle pem. existingSecret: "" + # -- Existing client secret containing the following key, crt and ca as well as the bundle pem. + existingClientSecret: "" server: # -- Key used by gRPC and webserver. key: "" # -- Certificate used by gRPC and webserver. crt: "" + client: + # -- Key used by http mTLS client. + key: "" + # -- Certificate used by http mTLS client. + crt: "" ca: - # -- CA certificate used by gRPC, webserver and AuditSink validation. + # -- CA certificate used by gRPC, webserver and AuditSink validation. Also used for mTLS Server validation. crt: "" + # -- Third party rules enabled for Falco. More info on the dedicated section in README.md file. customRules: {} 
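Review bot: The outer guard and the inner `secretName` branch disagree: the guard keys on `.Values.certs.existingSecret` but the branch inside keys on `.Values.certs.existingClientSecret`. Setting only `existingClientSecret` therefore renders no `client-certs-volume` at all, and setting only the server `existingSecret` renders a volume pointing at `<fullname>-client-certs`, a Secret the chart does not create in that configuration, so the pod cannot start. Changing the guard to `{{- if or .Values.certs.existingClientSecret (and .Values.certs.client.key .Values.certs.client.crt .Values.certs.ca.crt) }}` makes the two agree; the identical guard on the volumeMounts side needs the same change. This hunk sits inside the `volumes:` list, whose start is outside the hunk.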
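Review bot: The `existingClientSecret` comment says the secret must contain "key, crt and ca as well as the bundle pem" but never names the keys, and because the pod mounts that secret verbatim at `/etc/falco/certs/client` the key names decide which file paths a user can point Falco at; the chart-rendered secret uses `client.key`, `client.crt`, `ca.crt`, `falcoclient.pem` and `ca.pem`, so the comment should read `# -- Existing client secret; must contain the keys client.key, client.crt and ca.crt (optionally falcoclient.pem and ca.pem), mounted under /etc/falco/certs/client.` The `ca.crt` addition "Also used for mTLS Server validation" is ambiguous about which side is being validated — from the http_output note it is the root the http client uses to check the remote endpoint, so `Also used as root_certs by the http_output mTLS client to validate the remote server.` is clearer. It is also worth stating that a single `certs.ca.crt` now serves both trust roles (the gRPC/webserver side and the outbound http client), so an endpoint signed by a different CA cannot be trusted without also accepting that CA on the server side; that is a design limitation operators should see before relying on it.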
@@ -696,6 +704,11 @@ falco: # [Stable] `http_output` # # -- Send logs to an HTTP endpoint or webhook. + # -- When mounting mTLS certificates via Helm, the client cryptographic material is at: + # private_key: "/etc/falco/certs/client/client.key" + # cert_chain: "/etc/falco/certs/client/server.crt" + # root_certs: "/etc/falco/certs/ca.crt" + http_output: enabled: false url: ""
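Review bot: The `cert_chain` path in the new comment does not match what the chart mounts — the client Secret carries `client.crt`, not `server.crt` — so it should read `#   cert_chain: "/etc/falco/certs/client/client.crt"`; as written a user copying it points Falco at a file that will not exist. `root_certs: "/etc/falco/certs/ca.crt"` presumably refers to the server `certs-volume`, whose mountPath is outside this diff, and that file is absent when only `existingClientSecret` is configured; since the client secret also carries `ca.crt`, `#   root_certs: "/etc/falco/certs/client/ca.crt"` works in every configuration that mounts the client volume. Also, `# --` is the helm-docs description marker, so a second `# --` line above `http_output` will likely replace the "Send logs to an HTTP endpoint or webhook." description in generated docs — keep the new block as plain `#` continuation lines directly above the key.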