docs: update readme, add alternative cert setup

kube-tarian · Nov 21, 2021 · 64bb638 · 64bb638
1 parent 8008c56
commit 64bb638
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -54,6 +54,8 @@ kubectl create namespace falco
 
 ### Prepare Certificate for mTLS
 
+#### With Cert Manager
+
 You can setup certificates manually and save those certs to secrets accessible from Falco and Tarian pods. For convenient, you can use Cert Manager to manage the certs.
 
 1. Install Cert Manager by following this guide https://cert-manager.io/docs/installation/
@@ -65,6 +67,8 @@ kubectl wait --for=condition=ready pods --all -n cert-manager --timeout=3m
 
 3. Setup certs
 
+##### A. If you don't have an existing cluster issuer, you can create one using a self-signed issuer
+
 Save this to `tarian-falco-certs.yaml`, then run `kubectl apply -f tarian-falco-certs.yaml`.
 
 ```yaml
@@ -144,6 +148,66 @@ spec:
     group: cert-manager.io
 ```
 
+##### B. If you have an existing cluster issuer
+
+Save this to `tarian-falco-certs.yaml`, then run `kubectl apply -f tarian-falco-certs.yaml`.
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: falco-grpc-server
+  namespace: falco
+spec:
+  isCA: false
+  commonName: falco-grpc
+  dnsNames:
+  - falco-grpc.falco.svc
+  - falco-grpc
+  secretName: falco-grpc-server-cert
+  usages:
+  - server auth
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: your-issuer # change this to yours
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: falco-integration-cert
+  namespace: tarian-system
+spec:
+  isCA: false
+  commonName: tarian-falco-integration
+  dnsNames:
+  - tarian-falco-integration
+  usages:
+  - client auth
+  secretName: tarian-falco-integration
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: your-issuer # change this to yours
+    kind: ClusterIssuer
+    group: cert-manager.io
+```
+
+#### Setup certificates manually
+
+If you have other ways to setup the certificates, that would work too. You can create kubernetes secrets containing those certificates.
+The following steps expect that the secrets are named:
+
+- `tarian-falco-integration` in namespace `tarian-system`
+- `falco-grpc-server-cert` in namespace `falco`
+
+For mTLS to work, those certificates need to be signed by the same CA.
+
+
 ### Install Falco
 
 Save this to `falco-values.yaml`