upgrade falcosidekick chart to falcosidekick 2.29.0 + custom

labels/annotations + add initContainer to check if the redis is up for falcosidekick-ui

Signed-off-by: Thomas Labarussias <issif+github@gadz.org>

.lycheeignore

@@ -16,3 +16,5 @@ http://some.url/some/path/
 https://localhost:32765/k8s-audit
 https://some.url/some/path/
 http://localhost:8765/versions
+https://environmentid.live.dynatrace.com/api
+https://yourdomain/e/ENVIRONMENTID/api

charts/falcosidekick/CHANGELOG.md

@@ -5,6 +5,14 @@ numbering uses [semantic versioning](http://semver.org).
 
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
 
+## 0.8.0
+
+- ugrade to Falcosidekick 2.29.0
+- allow to set custom labels and annotations to set to all resources
+- allow to use an existing secrets and values for the env vars at the same time
+- fix missing ingressClassName settings in the values.yaml
+- add of an initContainer to check if the redis for falcosidekick-ui is up
+
 ## 0.7.22
 
 - upgrade redis-stack image to 7.2.0-v11

charts/falcosidekick/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
-appVersion: 2.28.0
+appVersion: 2.29.0
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.7.22
+version: 0.8.0
 keywords:
   - monitoring
   - security

charts/falcosidekick/README.md

@@ -197,7 +197,9 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.aws.region | string | `""` | AWS Region (optionnal if you use EC2 Instance Profile) |
 | config.aws.rolearn | string | `""` | AWS IAM role ARN for falcosidekick service account to associate with (optionnal if you use EC2 Instance Profile) |
 | config.aws.s3.bucket | string | `""` | AWS S3, bucket name |
+| config.aws.s3.endpoint | string | `""` | Endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs |
 | config.aws.s3.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
+| config.aws.s3.objectcannedacl | string | `"bucket-owner-full-control"` | Canned ACL (x-amz-acl) to use when creating the object |
 | config.aws.s3.prefix | string | `""` | AWS S3, name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
 | config.aws.secretaccesskey | string | `""` | AWS Secret Access Key (optionnal if you use EC2 Instance Profile) |
 | config.aws.securitylake.accountid | string | `""` | Account ID |
@@ -241,12 +243,20 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.dogstatsd.forwarder | string | `""` | The address for the DogStatsD forwarder, in the form <http://host:port>, if not empty DogStatsD is *enabled* |
 | config.dogstatsd.namespace | string | `"falcosidekick."` | A prefix for all metrics |
 | config.dogstatsd.tags | string | `""` | A comma-separated list of tags to add to all metrics |
+| config.dynatrace.apitoken | string | `""` | Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled |
+| config.dynatrace.apiurl | string | `""` | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge |
+| config.dynatrace.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.dynatrace.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
 | config.elasticsearch.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.elasticsearch.createindextemplate | bool | `false` | Create an index template (default: false) |
 | config.elasticsearch.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" |
+| config.elasticsearch.flattenfields | bool | `false` | Replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false) |
 | config.elasticsearch.hostport | string | `""` | Elasticsearch <http://host:port>, if not `empty`, Elasticsearch is *enabled* |
 | config.elasticsearch.index | string | `"falco"` | Elasticsearch index |
 | config.elasticsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.elasticsearch.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
+| config.elasticsearch.numberofreplicas | int | `3` | Number of replicas set by the index template (default: 3) |
+| config.elasticsearch.numberofshards | int | `3` | Number of shards set by the index template (default: 3) |
 | config.elasticsearch.password | string | `""` | use this password to authenticate to Elasticsearch if the password is not empty |
 | config.elasticsearch.suffix | string | `"daily"` |  |
 | config.elasticsearch.type | string | `"_doc"` | Elasticsearch document type |
@@ -401,6 +411,16 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.opsgenie.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.opsgenie.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
 | config.opsgenie.region | `us` or `eu` | `""` | region of your domain |
+| config.otlp.traces.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.otlp.traces.duration | int | `1000` | Artificial span duration in milliseconds (default: 1000) |
+| config.otlp.traces.endpoint | string | `""` | OTLP endpoint in the form of http://{domain or ip}:4318/v1/traces, if not empty, OTLP Traces output is enabled |
+| config.otlp.traces.extraenvvars | object | `{}` | Extra env vars (override the other settings) |
+| config.otlp.traces.headers | string | `""` | OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "") |
+| config.otlp.traces.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
+| config.otlp.traces.protocol | string | `""` | OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json) |
+| config.otlp.traces.synced | bool | `false` | Set to true if you want traces to be sent synchronously (default: false) |
+| config.otlp.traces.timeout | string | `""` | OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) |
+| config.outputFieldFormat | string | `""` |  |
 | config.pagerduty.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.pagerduty.region | string | `"us"` | Pagerduty Region, can be 'us' or 'eu' |
 | config.pagerduty.routingkey | string | `""` | Pagerduty Routing Key, if not empty, Pagerduty output is *enabled* |
@@ -410,6 +430,15 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.policyreport.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.policyreport.prunebypriority | bool | `false` | if true; the events with lowest severity are pruned first, in FIFO order |
 | config.prometheus.extralabels | string | `""` | comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |
+| config.quickwit.apiendpoint | string | `"/api/v1"` | API endpoint (containing the API version, overideable in case of quickwit behind a reverse proxy with URL rewriting) |
+| config.quickwit.autocreateindex | bool | `false` | Autocreate a falco index mapping if it doesn't exists |
+| config.quickwit.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.quickwit.customHeaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" |
+| config.quickwit.hostport | string | `""` | http://{domain or ip}:{port}, if not empty, Quickwit output is enabled |
+| config.quickwit.index | string | `"falco"` | Index |
+| config.quickwit.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
+| config.quickwit.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
+| config.quickwit.version | string | `"0.7"` | Version of quickwi |
 | config.rabbitmq.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.rabbitmq.queue | string | `""` | Rabbitmq Queue name |
 | config.rabbitmq.url | string | `""` | Rabbitmq URL, if not empty, Rabbitmq output is *enabled* |
@@ -461,11 +490,20 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.stan.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
 | config.statsd.forwarder | string | `""` | The address for the StatsD forwarder, in the form <http://host:port>, if not empty StatsD is *enabled* |
 | config.statsd.namespace | string | `"falcosidekick."` | A prefix for all metrics |
+| config.sumologic.checkcert | bool | `true` | check if ssl certificate of the output is valid (default: true) |
+| config.sumologic.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) |
+| config.sumologic.name | string | `""` | Override the default Sumologic Source Name |
+| config.sumologic.receiverURL | string | `""` | Sumologic HTTP Source URL, if not empty, Sumologic output is enabled |
+| config.sumologic.sourceCategory | string | `""` | Override the default Sumologic Source Category |
+| config.sumologic.sourceHost | string | `""` | Override the default Sumologic Source Host |
 | config.syslog.format | string | `"json"` | Syslog payload format. It can be either "json" or "cef" |
 | config.syslog.host | string | `""` | Syslog Host, if not empty, Syslog output is *enabled* |
 | config.syslog.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.syslog.port | string | `""` | Syslog endpoint port number |
 | config.syslog.protocol | string | `"tcp"` | Syslog transport protocol. It can be either "tcp" or "udp" |
+| config.talon.address | string | `""` | Talon address, if not empty, Talon output is enabled |
+| config.talon.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.talon.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.teams.activityimage | string | `""` | Teams section image |
 | config.teams.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.teams.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams) |
@@ -485,6 +523,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.timescaledb.password | string | `"postgres"` | Password to authenticate with TimescaleDB |
 | config.timescaledb.port | int | `5432` | TimescaleDB port (default: 5432) |
 | config.timescaledb.user | string | `"postgres"` | Username to authenticate with TimescaleDB |
+| config.tlsclient.cacertfile | string | `"/etc/certs/client/ca.crt"` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty |
 | config.tlsserver.cacertfile | string | `"/etc/certs/server/ca.crt"` | CA certification file path for client certification if mutualtls is true |
 | config.tlsserver.cacrt | string | `""` |  |
 | config.tlsserver.certfile | string | `"/etc/certs/server/server.crt"` | server certification file path for TLS Server |
@@ -526,18 +565,21 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.zincsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.zincsearch.password | string | `""` | use this password to authenticate to ZincSearch |
 | config.zincsearch.username | string | `""` | use this username to authenticate to ZincSearch |
+| customAnnotations | object | `{}` | custom annotations to add to all resources |
+| customLabels | object | `{}` | custom labels to add to all resources |
 | extraVolumeMounts | list | `[]` | Extra volume mounts for sidekick deployment |
 | extraVolumes | list | `[]` | Extra volumes for sidekick deployment |
 | fullnameOverride | string | `""` | Override the name |
-| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.28.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 |
+| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.29.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 |
 | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | image.registry | string | `"docker.io"` | The image registry to pull from |
 | image.repository | string | `"falcosecurity/falcosidekick"` | The image repository to pull from |
-| image.tag | string | `"2.28.0"` | The image tag to pull |
+| image.tag | string | `"2.29.0"` | The image tag to pull |
 | imagePullSecrets | list | `[]` | Secrets for the registry |
 | ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.enabled | bool | `false` | Whether to create the ingress |
 | ingress.hosts | list | `[{"host":"falcosidekick.local","paths":[{"path":"/"}]}]` | Ingress hosts |
+| ingress.ingressClassName | string | `""` | ingress class name |
 | ingress.tls | list | `[]` | Ingress TLS configuration |
 | nameOverride | string | `""` | Override name |
 | nodeSelector | object | `{}` | Sidekick nodeSelector field |
@@ -597,6 +639,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | webui.ingress.annotations | object | `{}` | Web UI ingress annotations |
 | webui.ingress.enabled | bool | `false` | Whether to create the Web UI ingress |
 | webui.ingress.hosts | list | `[{"host":"falcosidekick-ui.local","paths":[{"path":"/"}]}]` | Web UI ingress hosts configuration |
+| webui.ingress.ingressClassName | string | `""` | ingress class name |
 | webui.ingress.tls | list | `[]` | Web UI ingress TLS configuration |
 | webui.loglevel | string | `"info"` | Log level ("debug", "info", "warning", "error") |
 | webui.nodeSelector | object | `{}` | Web UI nodeSelector field |
@@ -605,6 +648,8 @@ The following table lists the main configurable parameters of the Falcosidekick
 | webui.podSecurityContext | object | `{"fsGroup":1234,"runAsUser":1234}` | Web UI pod securityContext |
 | webui.priorityClassName | string | `""` | Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand |
 | webui.redis.affinity | object | `{}` | Affinity for the Web UI Redis pods |
+| webui.redis.customAnnotations | object | `{}` | custom annotations to add to all resources |
+| webui.redis.customLabels | object | `{}` | custom labels to add to all resources |
 | webui.redis.enabled | bool | `true` | Is mutually exclusive with webui.externalRedis.enabled |
 | webui.redis.existingSecret | string | `""` | Existing secret with configuration |
 | webui.redis.image.pullPolicy | string | `"IfNotPresent"` | The web UI image pull policy |

charts/falcosidekick/templates/aadpodidentity.yaml

@@ -6,6 +6,13 @@ metadata:
   labels:
     {{- include "falcosidekick.labels" . | nindent 4 }}
     app.kubernetes.io/component: core
+    {{- with .Values.customLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "falcosidekick.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:

charts/falcosidekick/templates/certs-secret.yaml

@@ -7,6 +7,13 @@ metadata:
   labels:
     {{- include "falcosidekick.labels" . | nindent 4 }}
     app.kubernetes.io/component: core
+    {{- with .Values.customLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 type: Opaque
 data:
   {{ $key := .Values.config.tlsserver.serverkey }}

charts/falcosidekick/templates/clusterrole.yaml

@@ -7,6 +7,13 @@ metadata:
   labels:
     {{- include "falcosidekick.labels" . | nindent 4 }}
     app.kubernetes.io/component: core
+    {{- with .Values.customLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 rules:
   - apiGroups:
       - policy

charts/falcosidekick/templates/deployment-ui.yaml

@@ -13,6 +13,13 @@ metadata:
   labels:
     {{- include "falcosidekick.labels" . | nindent 4 }}
     app.kubernetes.io/component: ui
+    {{- with .Values.webui.customLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.webui.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   replicas: {{ .Values.webui.replicaCount }}
   {{- if .Values.webui.revisionHistoryLimit }}
@@ -49,17 +56,21 @@ spec:
       securityContext:
       {{- toYaml .Values.webui.podSecurityContext | nindent 8}}
       {{- end }}
+      initContainers:
+        - name: wait-redis
+          image: busybox:1.31
+          command: ['sh', '-c', 'echo -e "Checking for the availability of the Redis Server"; while ! nc -z {{ include "falcosidekick.fullname" . }}-ui-redis 6379; do sleep 1; done; echo -e "Redis Server has started";']
       containers:
         - name: {{ .Chart.Name }}-ui
           image: "{{ .Values.webui.image.registry }}/{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag }}"
           imagePullPolicy: {{ .Values.webui.image.pullPolicy }}
           envFrom:
             - secretRef:
-                {{- if .Values.webui.existingSecret }}
-                name: {{ .Values.webui.existingSecret }}
-                {{- else }}
                 name: {{ include "falcosidekick.fullname" . }}-ui
-                {{- end }}
+            {{- if .Values.webui.existingSecret }}
+            - secretRef:
+                name: {{ .Values.webui.existingSecret }}
+            {{- end }}
           args:
             - "-r"
             {{- if .Values.webui.redis.enabled }}