feat!: use HTTP output instead of gRPC output #301

Merged: poiana merged 3 commits into falcosecurity:main from ekoops:ekoops/drop-grpc on Feb 12, 2026

ekoops (Contributor) commented Feb 3, 2026

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:

Falco gRPC output has been deprecated in version 0.43.0 and could be removed at any time starting from version 0.44.0. This PR drops any usage of the gRPC output and replaces it with the use of the HTTP output. Specifically, the PR drops the gRPC alert retriever and replaces its usage in the suite sub-command code with usage of an HTTP alert retriever, just added for this purpose. Moreover, the new alert retriever is reused in the bench and test sub-commands code.

The patch drops the following gRPC parameters:

```
--grpc-ca string                 CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
--grpc-cert string               Cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
--grpc-hostname string           Hostname for connecting to a Falco gRPC server (default "localhost")
--grpc-key string                Key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
--grpc-port uint16               Port for connecting to a Falco gRPC server (default 5060)
--grpc-unix-socket string        Unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
```

with these new ones:

```
--http-client-ca string                                 The path of the CA root certificate used for Falco HTTP client's certificate validation (to be used together with --http-server-security-mode=mtls) (default "/etc/falco/certs/ca.crt")
--http-server-address string                            The address the alert retriever HTTP server must be bound to (default "localhost:8080")
--http-server-cert string                               the path of the server certificate to be used for TLS against the Falco HTTP client (to be used together with--http-server-security-mode=(tls|mtls)) (default "/etc/falco/certs/server.crt")
--http-server-key string                                The path of the server private key to be used for TLS against the Falco HTTP client (to be used together with--http-server-security-mode=(tls|mtls)) (default "/etc/falco/certs/server.key")
--http-server-security-mode http-server-security-mode   The security mode the alert retriever HTTP server must use; can be 'insecure', 'tls' or 'mtls' (default insecure)
```

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

It is possible to test the new implementation with something like the following:

1. spawn falco

```bash
docker run --rm -it \
  --privileged \
  --net=host \
  -v /sys/kernel/tracing:/sys/kernel/tracing:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -v /etc:/host/etc:ro \
  -v /path-to-certs:/host/certs:ro \
  falcosecurity/falco:0.43.0 falco \
  -o http_output.enabled=true \
  -o http_output.url=https://localhost:8080 \
  -o json_output=true \
  -o 'append_output[]={"extra_fields": ["proc.env"]}' \
  -o http_output.client_cert=/host/certs/client.crt \
  -o http_output.client_key=/host/certs/client.key \
  -o http_output.ca_cert=/host/certs/server-ca.crt \
  -o http_output.insecure=false -o http_output.mtls=true
```

2. run the event-generator after building it

```bash
sudo ./event-generator bench "ReadSensitiveFileUntrusted" --sleep 10ms --http-server-cert /certs/server.crt --http-server-key /path-to-certs/server.key --http-client-ca /path-to-certs/client-ca.crt --http-server-security-mode mtls
```

Just remember to replace path-to-certs with a folder containing the certificates and the keys for both the client and the server, as well as the certificates of the client and server CAs. Notice that the provided example only allows testing the mTLS use case. In order to test the TLS scenario, --http-server-security-mode should be set to tls, and -o http_output.mtls=false must be passed to Falco.
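
The three security modes listed for `--http-server-security-mode` map onto Go's `crypto/tls` server settings roughly as follows. This is an added example, not code from this PR or from event-generator; `TLSConfigFor`, `AlertHandler` and `Alert` are hypothetical names, and only the `rule` and `priority` fields of a JSON alert are assumed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
)

// Alert holds the two JSON alert fields this sketch assumes (hypothetical type).
type Alert struct {
	Rule     string `json:"rule"`
	Priority string `json:"priority"`
}

// TLSConfigFor maps a security mode to server TLS settings; nil config means plain HTTP.
func TLSConfigFor(mode string, clientCAs *x509.CertPool) (*tls.Config, error) {
	switch mode {
	case "insecure":
		return nil, nil
	case "tls":
		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
	case "mtls":
		if clientCAs == nil {
			return nil, fmt.Errorf("mtls requires a client CA pool")
		}
		// Reject any client whose certificate does not chain to clientCAs.
		return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}, nil
	}
	return nil, fmt.Errorf("unknown security mode %q", mode)
}

// AlertHandler decodes one JSON alert per POST and forwards it on out.
func AlertHandler(out chan<- Alert) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var a Alert
		body := http.MaxBytesReader(w, r.Body, 1<<20) // bound untrusted input
		if r.Method != http.MethodPost || json.NewDecoder(body).Decode(&a) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		out <- a
	})
}

func main() {
	cfg, err := TLSConfigFor("mtls", x509.NewCertPool())
	fmt.Println(cfg.ClientAuth == tls.RequireAndVerifyClientCert, err)
}
```

With `insecure` (the stated default) nothing authenticates the sender, so any local process that can reach the bound address can post alerts; `mtls` is the only mode in which the server verifies who is sending them.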

Falco gRPC output has been deprecated in version `0.43.0` and could be
removed at any time starting from version `0.44.0`. Drop the gRPC
alert retriever and add support for an HTTP one, leveraging the Falco
HTTP output to ingest Falco alerts.

BREAKING CHANGE: gRPC alerts retrieval is not supported anymore

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

Falco gRPC output has been deprecated in version `0.43.0` and could be
removed at any time starting from version `0.44.0`. Drop the usage of
the gRPC output and use the HTTP alert retriever to leverage the Falco
HTTP one to retrieve alerts.

BREAKING CHANGE: gRPC alerts retrieval is not supported anymore

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

leogr (Member) left a comment

Terrific job!

I just found a couple of typos, and I also have a question about a possible issue. See my comments below.

Otherwise SGTM!

Thank you 🙏

ekoops (Contributor, Author) commented Feb 11, 2026

Suggestions applied and changes pushed!

ekoops requested a review from leogr on February 12, 2026 11:54
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

poiana commented Feb 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 90377b9 into falcosecurity:main Feb 12, 2026
6 checks passed