Motivation
I would like the upstream falco chart to have an optional dedicated section in one of the extra or certs sections in which I can provide a custom corporate CA certificate used for the registry with which falcoctl will interact.
In my various experimentations I encountered issues with falcoctl not being able to retrieve artifacts (plugins or rulesfiles) that are stored in an 'on premise' registry with its certificate signed by a custom corporate CA certificate that falcoctl can't load. It leads the falcoctl initContainer falcoctl-artifact-install and the falcoctl sidecar container falcoctl-artifact-follow to fail with a tls: failed to verify certificate: x509 error.
It is not possible to fall back on a workaround relying on falcoctl insecure flags, as falcoctl doesn't have any --insecure or --skip-tls-verify flag at the moment (feature request here: falcosecurity/falcoctl#135). It is then not possible to customize falcoctl to integrate the custom corporate CA cert out of the box using the helm chart.
Feature
At the moment the mounts.volumes, falcoctl.artifact.install.mounts and falcoctl.artifact.follow.mounts sections already exist in the falco upstream chart, but there is no extra section to declare the secret object in which you put the CA cert content: so I would like it to be possible to declare it, to have full integration out of the box after the helm install command.
Alternatives
At the moment, the only alternative found as discussed in the comment section of falcosecurity/falcoctl#135, is a manual intervention workaround:
- Manually embed the CA cert content in a secret object that you deploy on the cluster in falco's target namespace (default: falco):
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        app.kubernetes.io/instance: falco
        app.kubernetes.io/managed-by: manual
        app.kubernetes.io/name: falco
      name: falco-falcoctl-corporate-ca
      namespace: falco
    type: Opaque
    data:
      corporate-root-ca.pem: >-
        __some_redacted_base64_encoded_corporate_CA__
- Reference a Volume mapped to that secret using its name in the mounts.volumes section of the values.yml file that will be provided as argument to the helm install command:
    [...]
    mounts:
      volumes:
        - name: corporate-ca-volume
          secret:
            secretName: falco-falcoctl-corporate-ca
            defaultMode: 420
            items:
              - key: corporate-root-ca.pem
                path: corporate-root-ca.pem
    [...]
- Reference VolumeMounts mapped to the volume previously defined in the falcoctl.artifact.install.mounts and falcoctl.artifact.follow.mounts sections of the values.yml file that will be provided as argument to the helm install command:
    falcoctl:
      [...]
      artifact:
        install:
          enabled: true
          args: ["--log-format=json"]
          mounts:
            volumeMounts:
              - name: falcoctl-index-volume   # declared under mounts.volumes (elided above)
                mountPath: /etc/falcoctl-custom/index.yaml
                subPath: index.yaml
              - name: corporate-ca-volume     # must match the volume name declared in mounts.volumes
                mountPath: /etc/ssl/certs     # mounting here replaces the container's /etc/ssl/certs with the volume's items only
        follow:
          enabled: true
          args: ["--log-format=json"]
          mounts:
            volumeMounts:
              - name: falcoctl-index-volume
                mountPath: /etc/falcoctl-custom/index.yaml
                subPath: index.yaml
              - name: corporate-ca-volume
                mountPath: /etc/ssl/certs
      [...]
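To show why mounting the CA file is what makes the tls: failed to verify certificate: x509 error go away, here is an added Go example (not part of this issue, the chart or falcoctl). It generates a throwaway corporate root CA and a registry certificate signed by it, then verifies the registry certificate once with an empty trust store and once with the CA's PEM, i.e. the content the Secret above carries as corporate-root-ca.pem. The host name registry.corp.example is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey (self-signed when parentKey is nil) and returns the cert and its key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { // self-signed root
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed corporate root CA and a registry cert signed by it, then verifies the
// registry cert without and with that CA; it reports whether the first attempt hit UnknownAuthorityError.
func Demo(host string) (unknownAuthority bool, withCA error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corporate Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := newCert(caTmpl, caTmpl, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := newCert(leafTmpl, ca, caKey)
	// Empty trust store: the "certificate signed by unknown authority" case the falcoctl containers report.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	unknownAuthority = errors.As(err, &x509.UnknownAuthorityError{})
	// Trust store loaded from the PEM that the Secret would mount as corporate-root-ca.pem.
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
	_, withCA = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return unknownAuthority, withCA
}

func main() {
	fmt.Println(Demo("registry.corp.example")) // true <nil>
}
```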
Additional context
There are indeed certs.existingSecret and certs.ca sections in the values.yml, but they seem more related to the falco webserver itself and not to the registry CA certificate. Thus they didn't allow me to make the custom corporate CA cert recognized.