feat: Add support for GCP Workload Identity

Signed-off-by: mlaczkowski <mateusz.laczkowski@gmail.com>

Author: Mlaczkowski

charts/falcosidekick/CHANGELOG.md

@@ -5,6 +5,10 @@ numbering uses [semantic versioning](http://semver.org).
 
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
 
+## 0.13.0
+
+- Add support for GCP Workload Identity
+
 ## 0.12.1
 
 - fix Redis customConfig type

charts/falcosidekick/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: 2.31.1
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.12.1
+version: 0.13.0
 keywords:
   - monitoring
   - security

charts/falcosidekick/README.md

@@ -298,6 +298,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.gcp.storage.bucket | string | `""` | The name of the bucket |
 | config.gcp.storage.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.gcp.storage.prefix | string | `""` | Name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
+| config.gcp.workloadIdentityServiceAccount | string | `""` | GCP ServiceAccount used by Workload Identity |
 | config.googlechat.messageformat | string | `""` | a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `config.googlechat.outputformat`. If empty, no Text is displayed before Attachment |
 | config.googlechat.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.googlechat.outputformat | string | `"all"` | `all` (default), `text` (only text is displayed in Google chat) |

charts/falcosidekick/templates/rbac.yaml

@@ -4,11 +4,14 @@ kind: ServiceAccount
 metadata:
   name: {{ include "falcosidekick.fullname" . }}
   namespace: {{ .Release.Namespace }}
-  {{- if or .Values.config.azure.workloadIdentityClientID (and .Values.config.aws.useirsa .Values.config.aws.rolearn) }}
+  {{- if or .Values.config.azure.workloadIdentityClientID (and .Values.config.aws.useirsa .Values.config.aws.rolearn) .Values.config.gcp.workloadIdentityServiceAccount }}
   annotations:
     {{- if .Values.config.azure.workloadIdentityClientID }}
     azure.workload.identity/client-id: {{ .Values.config.azure.workloadIdentityClientID | quote }}
     {{- end }}
+    {{- if .Values.config.gcp.workloadIdentityServiceAccount }}
+    iam.gke.io/gcp-service-account: {{ .Values.config.gcp.workloadIdentityServiceAccount | quote }}
+    {{- end }}
     {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
     {{- with .Values.customAnnotations }}
     {{- toYaml . | nindent 4 }}

charts/falcosidekick/values.yaml

@@ -605,6 +605,8 @@ config:
   gcp:
     # -- Base64 encoded JSON key file for the GCP service account
     credentials: ""
+    # -- GCP ServiceAccount used by Workload Identity
+    workloadIdentityServiceAccount: ""
     pubsub:
       # -- The GCP Project ID containing the Pub/Sub Topic
       projectid: ""