update(falcosidekick): Upgrade to v2.28 #512
Conversation
Can you update this PR with this last feature? I'll review then: falcosecurity/falcosidekick#565. Thanks
Updated to the last merged PR.
Signed-off-by: Lyonel Martinez <[email protected]>
- name: MUTUALTLSFILESPATH | ||
value: {{ .Values.config.mutualtlsfilespath | quote }} | ||
- name: MUTUALTLSCLIENT_CERTFILE | ||
value: {{ .Values.config.mutualtlsclient.certfile | quote }} | ||
- name: MUTUALTLSCLIENT_KEYFILE | ||
value: {{ .Values.config.mutualtlsclient.keyfile | quote }} | ||
- name: MUTUALTLSCLIENT_CACERTFILE | ||
value: {{ .Values.config.mutualtlsclient.cacertfile | quote }} | ||
- name: TLSSERVER_DEPLOY | ||
value: {{ .Values.config.tlsserver.deploy | quote }} | ||
- name: TLSSERVER_CERTFILE | ||
value: {{ .Values.config.tlsserver.certfile | quote }} | ||
- name: TLSSERVER_KEYFILE | ||
value: {{ .Values.config.tlsserver.keyfile | quote }} | ||
- name: TLSSERVER_CACERTFILE | ||
value: {{ .Values.config.tlsserver.cacertfile | quote }} |
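Review bot: the eight env vars added here (MUTUALTLSFILESPATH, the MUTUALTLSCLIENT_* files and the TLSSERVER_* files) hand file paths to the container, but the hunk adds no volume or volumeMount that places those files there, so with the default values the paths will not exist at runtime. Suggest pairing these entries with a Secret-backed volume mounted read-only at the configured directory, or gating the block on `.Values.config.tlsserver.deploy` / the mutualtls flag so unused settings are not rendered. Passing `.Values.config.tlsserver.deploy` through `quote` is correct, since an env value must be a string even when the value is a boolean.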
We need to go further: as nothing is already there to add the cert and key files, these settings are useless. We need to mount secrets as volumes.
Is including TLS and mTLS server configs a repetition of the ingress job?
With the way of doing things inside Kubernetes, do we need to allow the possibility of activating this kind of feature inside the pod?
I think the best method to handle the TLS and mTLS use cases, for the chart, is to use the Ingress options and not let these 2 happen in the pod.
Some users expect the pods to communicate with TLS, but OK. Let's keep it as is for now.
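What "mount secrets as volumes" would look like for the file paths the new env vars point at, as an added illustration that is not the chart's own template. It assumes two hypothetical values not in the PR, `config.tlsserver.existingSecret` and `config.mutualtlsclient.existingSecret`, each naming a Secret whose keys match the basenames of the configured certfile/keyfile/cacertfile, and it reuses the PR's `/etc/certs/server` default directory.

```yaml
# Added example (not the chart's code): mount the TLS material that the
# TLSSERVER_* and MUTUALTLSCLIENT_* env vars reference, so the paths exist.
# Assumed (hypothetical) values: config.tlsserver.existingSecret and
# config.mutualtlsclient.existingSecret. Fragment of the Deployment spec.
spec:
  template:
    spec:
      containers:
        - name: falcosidekick
          volumeMounts:
            {{- if .Values.config.tlsserver.deploy }}
            - name: tlsserver-certs
              # directory of tlsserver.certfile / keyfile / cacertfile
              mountPath: /etc/certs/server
              readOnly: true
            {{- end }}
            {{- if .Values.config.mutualtlsclient.existingSecret }}
            - name: mutualtls-client-certs
              # same directory the MUTUALTLSFILESPATH env var is set to
              mountPath: {{ .Values.config.mutualtlsfilespath | quote }}
              readOnly: true
            {{- end }}
      volumes:
        {{- if .Values.config.tlsserver.deploy }}
        - name: tlsserver-certs
          secret:
            secretName: {{ .Values.config.tlsserver.existingSecret | quote }}
            # no world-read bit on the private key; pair with a pod fsGroup
            # when the container runs as a non-root user
            defaultMode: 0440
        {{- end }}
        {{- if .Values.config.mutualtlsclient.existingSecret }}
        - name: mutualtls-client-certs
          secret:
            secretName: {{ .Values.config.mutualtlsclient.existingSecret | quote }}
            defaultMode: 0440
        {{- end }}
```

Gating both the mount and the volume on the same condition as the env vars keeps a deployment with TLS disabled free of dangling references to a Secret that was never created.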
# -- CA certification file for client certification if mutualtls is true | ||
cacertfile: "/etc/certs/server/ca.crt" | ||
# -- port to serve http server serving selected endpoints | ||
notlsport: 2810 |
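Review bot: `notlsport: 2810` introduces a second listening port for the endpoints excluded from TLS, but nothing in the hunk exposes it on the Service or routes those paths through the Ingress, so the port only exists inside the pod. Suggest adding a matching Service port and an Ingress path rule for the TLS-excluded endpoints alongside this value. Also, the comment `# -- CA certification file for client certification if mutualtls is true` should read `# -- CA certificate file for client certificate verification if mutualtls is true`.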
We need to open this port in the service and ingress with the excluded paths from TLS.
Signed-off-by: Lyonel Martinez <[email protected]>
LGTM label has been added. Git tree hash: 630f9b68a0a4eaf0b55f8f74e8d61413d6494752
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Issif, Lowaiz The full list of commands accepted by this bot can be found here. The pull request process is described here
@Lowaiz can you open the PR for the falco chart now please?
What type of PR is this?
/kind feature
/kind chart-release
Any specific area of the project related to this PR?
/area falcosidekick-chart
What this PR does / why we need it:
Update values, env and secrets to fit the new features of the next falcosidekick update
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Ping to @Issif, with the large milestone that v2.28 is, I think that might help a little bit.
Checklist