Kcl/exporter update docs

.github/workflows/docs.yml

@@ -13,7 +13,7 @@ jobs:
 
       - name: Run Helm Docs and check the outcome
         run: |
-          for chart in event-generator falco k8s-metacollector; do
+          for chart in event-generator falco k8s-metacollector falco-exporter; do
             docker run \
               --rm \
               --workdir=/helm-docs \

Makefile

@@ -22,7 +22,7 @@ lint-%:
 	ct lint --config ./ct.yaml --charts ./charts/$*
 
 .PHONY: docs
-docs: $(addprefix docs-, $(filter-out falco-exporter,$(CHARTS_NAMES)))
+docs: $(addprefix docs-, $(CHARTS_NAMES))
 
 docs-%:
 	@docker run \

charts/falco-exporter/CHANGELOG.md

@@ -3,6 +3,11 @@
 This file documents all notable changes to `falco-exporter` Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v0.9.10
+
+* update configuration values in README.md
+* introduce helm docs for the chart
+
 ## v0.9.9
 
 * update tolerations

charts/falco-exporter/Chart.yaml

@@ -14,7 +14,7 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.9.9
+version: 0.9.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

charts/falco-exporter/README.gotmpl

@@ -0,0 +1,75 @@
+# falco-exporter Helm Chart
+
+[falco-exporter](https://github.com/falcosecurity/falco-exporter) is a Prometheus Metrics Exporter for Falco output events.
+
+Before using this chart, you need [Falco installed](https://falco.org/docs/installation/) and running with the [gRPC Output](https://falco.org/docs/grpc/) enabled (over Unix socket by default).
+
+This chart is compatible with the [Falco Chart](https://github.com/falcosecurity/charts/tree/master/falco) version `v1.2.0` or greater. Instructions to enable the gRPC Output in the Falco Helm Chart can be found [here](https://github.com/falcosecurity/charts/tree/master/falco#enabling-grpc). We also strongly recommend using [gRPC over Unix socket](https://github.com/falcosecurity/charts/tree/master/falco#grpc-over-unix-socket-default).
+
+## Introduction
+
+The chart deploys **falco-exporter** as Daemon Set on your the Kubernetes cluster. If a [Prometheus installation](https://github.com/helm/charts/tree/master/stable/prometheus) is running within your cluster, metrics provided by **falco-exporter** will be automatically discovered.
+
+## Adding `falcosecurity` repository
+
+Prior to installing the chart, add the `falcosecurity` charts repository:
+
+```bash
+helm repo add falcosecurity https://falcosecurity.github.io/charts
+helm repo update
+```
+
+## Installing the Chart
+
+To install the chart with the release name `falco-exporter` run:
+
+```bash
+helm install falco-exporter falcosecurity/falco-exporter
+```
+
+After a few seconds, **falco-exporter** should be running.
+
+> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment
+
+## Uninstalling the Chart
+
+To uninstall the `falco-exporter` deployment:
+
+```bash
+helm uninstall falco-exporter
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+```bash
+helm install falco-exporter --set falco.grpcTimeout=3m falcosecurity/falco-exporter
+```
+
+Alternatively, a YAML file that specifies the parameters' values can be provided while installing the chart. For example,
+
+```bash
+helm install falco-exporter -f values.yaml falcosecurity/falco-exporter
+```
+
+### Enable Mutual TLS
+
+Mutual TLS for `/metrics` endpoint can be enabled to prevent alerts content from being consumed by unauthorized components.
+
+To install falco-exporter with Mutual TLS enabled, you have to:
+
+```shell
+helm install falco-exporter \
+  --set service.mTLS.enabled=true \
+  --set-file service.mTLS.server.key=/path/to/server.key \
+  --set-file service.mTLS.server.crt=/path/to/server.crt \
+  --set-file service.mTLS.ca.crt=/path/to/ca.crt \
+  falcosecurity/falco-exporter
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration
+
+The following table lists the main configurable parameters of the {{ template "chart.name" . }} chart v{{ template "chart.version" . }} and their default values. Please, refer to [values.yaml](./values.yaml) for the full list of configurable parameters.
+
+{{ template "chart.valuesSection" . }}

charts/falco-exporter/values.yaml

@@ -2,92 +2,121 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+# -- service exposes the exporter service to be accessed from within the cluster.
 service:
+  # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible
+  # from within the cluster.
   type: ClusterIP
+  # -- clusterIP set to none. It's headless service.
   clusterIP: None
+  # -- port is the port on which the Service will listen.
   port: 9376
+  # -- targetPort is the port on which the Pod is listening.
   targetPort: 9376
-  nodePort:
+  # -- labels set of labels to be applied to the service.
   labels: {}
+  # -- annotations set of annotations to be applied to the service.
   annotations:
     prometheus.io/scrape: "true"
     prometheus.io/port: "9376"
-  # Enable Mutual TLS for HTTP metrics server
+  # -- mTLS mutual TLS for HTTP metrics server.
   mTLS:
+    # -- enabled specifies whether the mTLS should be enabled.
     enabled: false
 
+# -- healthChecks contains the configuration for liveness and readiness probes.
 healthChecks:
+  # -- livenessProbe is a diagnostic mechanism used to determine weather a container within a Pod is still running and healthy.
   livenessProbe:
-    # liveness probes port
+    # -- probesPort is liveness probes port.
     probesPort: 19376
-    # -- Tells the kubelet that it should wait X seconds before performing the first probe.
+    # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe.
     initialDelaySeconds: 60
-    # -- Number of seconds after which the probe times out.
+    # -- timeoutSeconds number of seconds after which the probe times out.
     timeoutSeconds: 5
-    # -- Specifies that the kubelet should perform the check every x seconds.
+    # -- periodSeconds specifies the interval at which the liveness probe will be repeated.
     periodSeconds: 15
+  # -- readinessProbe is a mechanism used to determine whether a container within a Pod is ready to serve traffic.
   readinessProbe:
-    # readiness probes port
+    # probesPort is readiness probes port
     probesPort: 19376
-    # -- Tells the kubelet that it should wait X seconds before performing the first probe.
+    # -- initialDelaySeconds tells the kubelet that it should wait X seconds before performing the first probe.
     initialDelaySeconds: 30
-    # -- Number of seconds after which the probe times out.
+    # -- timeoutSeconds is the number of seconds after which the probe times out.
     timeoutSeconds: 5
-    # -- Specifies that the kubelet should perform the check every x seconds.
+    # -- periodSeconds specifies the interval at which the readiness probe will be repeated.
     periodSeconds: 15
 
+# -- image is the configuration for the exporter image.
 image:
+  # -- registry is the image registry to pull from.
   registry: docker.io
+  # -- repository is the image repository to pull from.
   repository: falcosecurity/falco-exporter
-  tag: 0.8.3
+  # -- tag is image tag to pull.
+  tag: "0.8.3"
+  # -- pullPolicy is the policy used to determine when a node should attempt to pull the container image.
   pullPolicy: IfNotPresent
 
+# -- pullSecrets a list of secrets containing credentials used when pulling from private/secure registries.
 imagePullSecrets: []
+# -- nameOverride is the new name used to override the release name used for exporter's components.
 nameOverride: ""
+# -- fullNameOverride same as nameOverride but for the full name.
 fullnameOverride: ""
 
-priorityClassName:
+# -- priorityClassName specifies the name of the PriorityClass for the pods.
+priorityClassName: ""
 
+# -- falco the configuration to connect falco.
 falco:
+  # -- grpcUnixSocketPath path to the falco's grpc unix socket.
   grpcUnixSocketPath: "unix:///run/falco/falco.sock"
+  # -- grpcTimeout timout value for grpc connection.
   grpcTimeout: 2m
 
+# -- serviceAccount is the configuration for the service account.
 serviceAccount:
-  # Specifies whether a service account should be created
+  # create specifies whether a service account should be created.
   create: true
-  # Annotations to add to the service account
+  # annotations to add to the service account
   annotations: {}
-  # The name of the service account to use.
+  # -- name is the name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template.
   # If set and create is false, an already existing serviceAccount must be provided.
-  name:
+  name: ""
 
+# -- podSecurityPolicy holds the security policy settings for the pod.
 podSecurityPolicy:
-  # Specifies whether a PSP, Role and RoleBinding should be created
+  # -- create specifies whether a PSP, Role and RoleBinding should be created
   create: false
-  # Annotations to add to the PSP, Role and RoleBinding
+  # -- annotations to add to the PSP, Role and RoleBinding
   annotations: {}
-  # The name of the PSP, Role and RoleBinding to use.
+  # -- name of the PSP, Role and RoleBinding to use.
   # If not set and create is true, a name is generated using the fullname template
-  name:
+  name: ""
 
+# -- podSecurityPolicy holds the security policy settings for the pod.
 podSecurityContext:
   {}
   # fsGroup: 2000
 
+# -- daemonset holds the configuration for the daemonset.
 daemonset:
-  # Perform rolling updates by default in the DaemonSet agent
+  # updateStrategy perform rolling updates by default in the DaemonSet agent
   # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
   updateStrategy:
-    # You can also customize maxUnavailable or minReadySeconds if you
-    # need it
+    # type of the strategy. Can also customize maxUnavailable or minReadySeconds based on your needs.
     type: RollingUpdate
 
-  # Annotations to add to the DaemonSet pods
+  # -- annotations to add to the DaemonSet pods.
   annotations: {}
+  # -- podLabels labels to add to the pods.
   podLabels: {}
 
+# -- securityContext holds the security context for the daemonset.
 securityContext:
+  # -- capabilities to be assigned to the daemonset.
   capabilities:
     drop:
     - ALL
@@ -97,6 +126,8 @@ securityContext:
   seccompProfile:
     type: RuntimeDefault
 
+
+# -- resources defines the computing resources (CPU and memory) that are allocated to the containers running within the Pod.
 resources:
   {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -110,38 +141,54 @@ resources:
   #   cpu: 100m
   #   memory: 128Mi
 
+# -- nodeSelector specifies a set of key-value pairs that must match labels assigned to nodes
+# for the Pod to be eligible for scheduling on that node
 nodeSelector: {}
 
-# -- Tolerations to run on Kubernetes control planes.
+# -- tolerations are applied to pods and allow them to be scheduled on nodes with matching taints.
 tolerations:
   - effect: NoSchedule
     key: node-role.kubernetes.io/master
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane
 
+# -- affinity allows pod placement based on node characteristics, or any other custom labels assigned to nodes.
 affinity: {}
 
+
+# -- serviceMonitor holds the configuration for the ServiceMonitor CRD.
+# A ServiceMonitor is a custom resource definition (CRD) used to configure how Prometheus should
+# discover and scrape metrics from the exporter service.
 serviceMonitor:
-  # Enable the deployment of a Service Monitor for the Prometheus Operator.
+  # -- enable the deployment of a Service Monitor for the Prometheus Operator.
   enabled: false
-  # Specify Additional labels to be added on the Service Monitor.
+  # -- additionalLabels specifies labels to be added on the Service Monitor.
   additionalLabels: {}
-  # Specify a user defined interval. When not specified Prometheus default interval is used.
+  # -- interval specifies the time interval at which Prometheus should scrape metrics from the service.
   interval: ""
-  # Specify a user defined scrape timeout. When not specified Prometheus default scrape timeout is used.
+  # -- scrapeTimeout determines the maximum time Prometheus should wait for a target to respond to a scrape request.
+  # If the target does not respond within the specified timeout, Prometheus considers the scrape as failed for
+  # that target.
   scrapeTimeout: ""
 
+# -- grafanaDashboard contains the configuration related to grafana dashboards.
 grafanaDashboard:
+  # -- enabled specifies whether the dashboard should be deployed.
   enabled: false
-  folder:
+  # -- folder where the dashboard is stored by grafana.
+  folder: ""
+  # -- namespace specifies the namespace for the configmap.
   namespace: default
+  # -- prometheusDatasourceName name of the data source.
   prometheusDatasourceName: Prometheus
+
 scc:
   # true here enabled creation of Security Context Constraints in Openshift
   create: true
 
-# Create PrometheusRules for alerting on priority events
+# prometheusRules holds the configuration for alerting on priority events.
 prometheusRules:
+  # -- enabled specifies whether the prometheus rules should be deployed.
   enabled: false
   alerts:
     warning:

charts/falco/CHANGELOG.md

@@ -3,6 +3,10 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.2.0
+
+* Bump falco to v0.37.1 and falcoctl to v0.7.2
+
 ## v4.1.2
 * Fix links in output after falco install without sidekick
 

charts/falco/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: falco
-version: 4.1.2
-appVersion: "0.37.0"
+version: 4.2.0
+appVersion: "0.37.1"
 description: Falco
 keywords:
   - monitoring

charts/falco/README.md

@@ -563,7 +563,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek
 
 ## Configuration
 
-The following table lists the main configurable parameters of the falco chart v4.1.2 and their default values. See `values.yaml` for full list.
+The following table lists the main configurable parameters of the falco chart v4.2.0 and their default values. See `values.yaml` for full list.
 
 ## Values
 
@@ -701,7 +701,7 @@ The following table lists the main configurable parameters of the falco chart v4
 | falcoctl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. |
 | falcoctl.image.registry | string | `"docker.io"` | The image registry to pull from. |
 | falcoctl.image.repository | string | `"falcosecurity/falcoctl"` | The image repository to pull from. |
-| falcoctl.image.tag | string | `"0.7.1"` | The image tag to pull. |
+| falcoctl.image.tag | string | `"0.7.2"` | The image tag to pull. |
 | falcosidekick | object | `{"enabled":false,"fullfqdn":false,"listenPort":""}` | For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml |
 | falcosidekick.enabled | bool | `false` | Enable falcosidekick deployment. |
 | falcosidekick.fullfqdn | bool | `false` | Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). |

charts/falco/values.yaml

@@ -372,7 +372,7 @@ falcoctl:
     # -- The image repository to pull from.
     repository: falcosecurity/falcoctl
     # -- The image tag to pull.
-    tag: "0.7.1"
+    tag: "0.7.2"
   artifact:
     # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
     # Falco starts. It provides them to Falco by using an emptyDir volume.