new: Add Mutual TLS deployment

Signed-off-by: Jose Angel Santiago <>

falco-exporter/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 This file documents all notable changes to `falco-exporter` Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
+## v0.4.0
+
+### Mayor Changes
+
+* Add Mutual TLS for falco-exporter enable/disabled feature
 
 ## v0.3.8
 

falco-exporter/Chart.yaml

@@ -14,7 +14,7 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.3.8
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

falco-exporter/README.md

@@ -61,7 +61,7 @@ The following table lists the main configurable parameters of the chart and thei
 | `grafanaDashboard.enabled`        | Enable the falco security dashboard, see https://github.com/falcosecurity/falco-exporter#grafana | `false`                            |
 | `grafanaDashboard.namespace`      | The namespace to deploy the dashboard configmap in                                               | `default`                          |
 | `scc.create`                      | Create OpenShift's Security Context Constraint                                                   | `true`                             |
-
+| `service.mTLS.enabled`            | Enable falco-exporter server Mutual TLS feature                                                  | `false`                          
 
 Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters.
 
@@ -77,4 +77,19 @@ Alternatively, a YAML file that specifies the parameters' values can be provided
 helm install falco-exporter -f values.yaml falcosecurity/falco-exporter
 ```
 
+### Enable Mutual TLS
+
+Mutual TLS for `/metrics` endpoint can be enabled to prevent alerts content from being consumed by unauthorized components.
+
+To install falco-exporter with Mutual TLS enabled, you have to:
+
+```shell
+helm install falco-exporter \
+  --set service.mTLS.enabled=true \
+  --set-file service.mTLS.server.key=/path/to/server.key \
+  --set-file service.mTLS.server.crt=/path/to/server.crt \
+  --set-file service.mTLS.ca.crt=/path/to/ca.crt \
+  falcosecurity/falco-exporter
+```
+
 > **Tip**: You can use the default [values.yaml](values.yaml)

falco-exporter/templates/NOTES.txt

@@ -2,14 +2,15 @@ Get the falco-exporter metrics URL by running these commands:
 {{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falco-exporter.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT/metrics
+  echo {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://$NODE_IP:$NODE_PORT/metrics
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get svc -w {{ template "falco-exporter.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falco-exporter.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}/metrics
+  echo {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://$SERVICE_IP:{{ .Values.service.port }}/metrics
 {{- else if contains "ClusterIP" .Values.service.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "falco-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:{{ .Values.service.targetPort }}/metrics to use your application"
+  echo "Visit {{- if .Values.service.mTLS.enabled }} https{{- else }} http{{- end }}://127.0.0.1:{{ .Values.service.targetPort }}/metrics to use your application"
   kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.service.targetPort }}
 {{- end }}
+  echo {{- if .Values.service.mTLS.enabled }} "You'll need a valid client certificate and its corresponding key for Mutual TLS handshake" {{- end }}

falco-exporter/templates/daemonset.yaml

@@ -40,18 +40,23 @@ spec:
             {{- end }}
             - --timeout={{ .Values.falco.grpcTimeout }}
             - --listen-address=0.0.0.0:{{ .Values.service.port }}
+            {{- if .Values.service.mTLS.enabled }}
+            - --server-ca=/etc/falco/server-certs/ca.crt
+            - --server-cert=/etc/falco/server-certs/server.crt
+            - --server-key=/etc/falco/server-certs/server.key
+            {{- end }}
           ports:
             - name: metrics
               containerPort: {{ .Values.service.targetPort }}
               protocol: TCP
           livenessProbe:
             httpGet:
-              path: /metrics
-              port: {{ .Values.service.port }}
+              path: /liveness
+              port: {{ .Values.probesPort }}
           readinessProbe:
             httpGet:
               path: /readiness
-              port: {{ .Values.service.port }}
+              port: {{ .Values.probesPort }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
@@ -64,6 +69,11 @@ spec:
               name: certs-volume
               readOnly: true
           {{- end }}
+          {{- if .Values.service.mTLS.enabled }}
+            - mountPath: /etc/falco/server-certs
+              name: server-certs-volume
+              readOnly: true
+          {{- end }}
       volumes:
       {{- if .Values.falco.grpcUnixSocketPath }}
         - name: falco-socket-dir
@@ -81,6 +91,18 @@ spec:
               - key: ca.crt
                 path: ca.crt
       {{- end }}
+      {{- if .Values.service.mTLS.enabled }}
+        - name: server-certs-volume
+          secret:
+            secretName: {{ include "falco-exporter.fullname" . }}-server-certs
+            items:
+              - key: server.key
+                path: server.key
+              - key: server.crt
+                path: server.crt
+              - key: ca.crt
+                path: ca.crt
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

falco-exporter/templates/server-secret-certs.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.service.mTLS.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "falco-exporter.fullname" . }}-server-certs
+  labels:
+    {{- include "falco-exporter.labels" . | nindent 4 }}
+type: Opaque
+data:
+  server.crt: {{ .Values.service.mTLS.server.crt | b64enc | quote }}
+  server.key: {{ .Values.service.mTLS.server.key | b64enc | quote }}
+  ca.crt: {{ .Values.service.mTLS.ca.crt | b64enc | quote }}
+{{- end }}

falco-exporter/values.yaml

@@ -12,10 +12,16 @@ service:
   annotations:
     prometheus.io/scrape: "true"
     prometheus.io/port: "9376"
+  # Enable Mutual TLS for HTTP metrics server
+  mTLS:
+    enabled: false
+
+# /readiness and /liveness probes port
+probesPort: 19376
 
 image:
   repository: falcosecurity/falco-exporter
-  tag: 0.3.0
+  tag: 0.4.1
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
@@ -95,4 +101,5 @@ grafanaDashboard:
 
 scc:
   # true here enabled creation of Security Context Constraints in Openshift
-  create: true
+  create: true
+