feat(helm): add Azure Workload Identity support for Falcosidekick

Signed-off-by: Alex of Cyberia <[email protected]>

Author: Alex of Cyberia

charts/falcosidekick/CHANGELOG.md

@@ -5,6 +5,10 @@ numbering uses [semantic versioning](http://semver.org).
 
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
 
+## 0.9.9
+
+- Added Azure Workload Identity for Falcosidekick
+
 ## 0.9.8
 
 - Ugrade to Falcosidekick 2.31.1 (fix last release)

charts/falcosidekick/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: 2.31.1
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.9.8
+version: 0.9.9
 keywords:
   - monitoring
   - security

charts/falcosidekick/README.md

@@ -220,6 +220,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.azure.eventHub.namespace | string | `""` | Name of the space the Hub is in |
 | config.azure.podIdentityClientID | string | `""` | Azure Identity Client ID |
 | config.azure.podIdentityName | string | `""` | Azure Identity name |
+| config.azure.workloadIdentityClientID | string | `""` | Azure Workload Identity Client ID |
 | config.azure.resourceGroupName | string | `""` | Azure Resource Group name |
 | config.azure.subscriptionID | string | `""` | Azure Subscription ID |
 | config.bracketreplacer | string | `""` | if not empty, the brackets in keys of Output Fields are replaced |

charts/falcosidekick/templates/deployment.yaml

@@ -31,6 +31,9 @@ spec:
         {{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName }}
         aadpodidbinding: {{ include "falcosidekick.fullname" . }}
         {{- end }}
+        {{- if .Values.config.azure.workloadIdentityClientID }}
+        azure.workload.identity/use: "true"
+        {{- end }}
         {{- if .Values.podLabels }}
         {{ toYaml .Values.podLabels | nindent 8 }}
         {{- end }}

charts/falcosidekick/templates/rbac.yaml

@@ -4,18 +4,26 @@ kind: ServiceAccount
 metadata:
   name: {{ include "falcosidekick.fullname" . }}
   namespace: {{ .Release.Namespace }}
+  {{- if or .Values.config.azure.workloadIdentityClientID (and .Values.config.aws.useirsa .Values.config.aws.rolearn) }}
+  annotations:
+    {{- if .Values.config.azure.workloadIdentityClientID }}
+    azure.workload.identity/client-id: {{ .Values.config.azure.workloadIdentityClientID | quote }}
+    {{- end }}
+    {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
+    {{- with .Values.customAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn | quote }}
+    {{- end }}
+  {{- end }}
+
   {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
   labels:
     {{- include "falcosidekick.labels" . | nindent 4 }}
     app.kubernetes.io/component: core
     {{- with .Values.customLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  annotations:
-    {{- with .Values.customAnnotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-    eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn }}
   {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

charts/falcosidekick/values.yaml

@@ -578,6 +578,8 @@ config:
     podIdentityClientID: ""
     # -- Azure Identity name
     podIdentityName: ""
+    # -- Azure Workload Identity Client ID
+    workloadIdentityClientID: ""
     eventHub:
       # -- Name of the space the Hub is in
       namespace: ""