falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

Falcosidekick does not send events to WebUI #582

Open bmassemin opened 9 months ago

bmassemin commented 9 months ago

Describe the bug

The chart is deployed successfully, the discord events are properly fired, but not the WebUI ones.

How to reproduce it

My helmfile:

repositories:
  - name: falcosecurity
    url: https://falcosecurity.github.io/charts

releases:
  - name: falco
    chart: falcosecurity/falco
    namespace: falco
    version: 3.8.5
    values:
      - driver:
          kind: "ebpf"
      - falcosidekick:
          enabled: "true"
          config:
            existingSecret: "falcosidekick-config"
            discord:
              minimumpriority: "notice"
          webui:
            enabled: "true"
            replicaCount: 1
            disableauth: "true"

Expected behaviour

Looking at the logs, I only see Discord events:

2023/11/28 10:38:36 [INFO]  : Falco Sidekick version: 2.28.0
2023/11/28 10:38:36 [INFO]  : Enabled Outputs : [Discord]
2023/11/28 10:38:36 [WARN] : tlsserver.deploy is false but tlsserver.notlspaths is not empty, change tlsserver.deploy to true to deploy two servers
2023/11/28 10:38:36 [INFO] : Falco Sidekick is up and listening on :2801
2023/11/28 10:41:51 [INFO]  : Discord - Post OK (204)
2023/11/28 10:51:51 [INFO]  : Discord - Post OK (204)

But I would have expected WebUI events too.

Issif commented 9 months ago

Can you check if the redis pod is up and running please?

bmassemin commented 9 months ago

❯ kubectl get pods -n falco
NAME                                     READY   STATUS    RESTARTS        AGE
falco-falcosidekick-5954875598-dmkwm     1/1     Running   0               3h22m
falco-falcosidekick-5954875598-tdp2x     1/1     Running   0               3h22m
falco-falcosidekick-ui-9896c86df-tbrlz   1/1     Running   3 (3h22m ago)   3h22m
falco-falcosidekick-ui-redis-0           1/1     Running   0               3h22m
falco-zl4nw                              2/2     Running   0               3h22m

I was curious about the 3 restarts for falco-falcosidekick-ui-9896c86df-tbrlz:

2023/11/28 10:38:55 [WARN] : Index does not exist
2023/11/28 10:38:55 [WARN] : Create Index
2023/11/28 10:38:55 dial tcp 10.3.101.247:6379: connect: connection refused

Looks like a transient error.

UPDATE: it was just some restarts while the pod was waiting for redis, so there's no error.

Issif commented 9 months ago

The restarts of the UI at the bootstrap are "normal", I will fix that with an initContainer asap.

In your case, I don't understand how you can have the deployment of the UI but not the enabling in Falcosidekick.

Can you check the secrets for Falcosidekick to see if the webui output is correctly set please.

bmassemin commented 9 months ago

There's no secret, and apparently that's because I use existingSecret: "falcosidekick-config" to set the discord webhook url. Removing that line resolves the issue. Is there a way to set the webhook url through a secret without overriding the generated secret? Thanks.

Issif commented 9 months ago

If you use your own secret file you have to set up the settings for the Webui too, not just Discord. The existingSecret overrides everything, can't mix for now.

bmassemin commented 9 months ago

Ok thanks, I'll copy paste the generated one in my secret, and I'll freeze the chart updates until we can mix configs.

Issif commented 9 months ago

> Ok thanks, I'll copy paste the generated one in my secret, and I'll freeze the chart updates until we can mix configs.

I'm adding that in my todo then.

abeleon-m1 commented 3 months ago

What are the variables I need to include in my own secret/env vars so the events make it to the UI? I'm doing the same thing for a Slack webhook url (using existingSecret) and trying to pass in:

falcosidekick:
  enabled: true
  environment:
    - WEBUI_URL=http://myaddress:2802
    - REDIS_DATABASE=0
    - REDIS_KEY=falco
    - REDIS_STORAGETYPE=list

But no dice. A lot of the other vars don't seem relevant.

Edit: for anyone who may run into this issue. Setting the following Helm values forwards to UI and you can use existingSecret for whatever else you're forwarding alerts to:

falcosidekick:
  enabled: true
  webui:
    enabled: true
  config:
    extraEnv:
      - name: WEBUI_URL
        value: "http://myaddress:2802"
      - name: REDIS_DATABASE
        value: "0"
      - name: REDIS_KEY
        value: "falco"
      - name: REDIS_STORAGETYPE
        value: "list"
    existingSecret: "my-external-secret"
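
Added example (not from the chart or from anyone in this thread): a deploy-time check that reads the "Enabled Outputs" startup line shown in the original report and lists the expected outputs Falcosidekick did not enable, which is how the existingSecret override surfaced here. The function names are hypothetical; the output name `WebUI` and the space-separated format for several outputs are assumptions, while the single-output format comes from the log above.

```bash
#!/bin/sh
# Added example: catch a silently dropped Falcosidekick output at deploy time.

# enabled_outputs: read Falcosidekick logs on stdin and print the outputs named
# in the last "Enabled Outputs : [...]" line, one per line.
enabled_outputs() {
  sed -n 's/.*Enabled Outputs : \[\([^]]*\)].*/\1/p' \
    | tail -n 1 | tr ' ' '\n' | sed '/^$/d'
}

# missing_outputs EXPECTED...: read logs on stdin and print every expected
# output that is not enabled (case-insensitive). Returns 1 if any is missing.
missing_outputs() {
  _mo_enabled="$(enabled_outputs | tr '[:upper:]' '[:lower:]')"
  _mo_missing=0
  for _mo_want in "$@"; do
    _mo_lc="$(printf '%s' "$_mo_want" | tr '[:upper:]' '[:lower:]')"
    if ! printf '%s\n' "$_mo_enabled" | grep -qxF -- "$_mo_lc"; then
      printf '%s\n' "$_mo_want"
      _mo_missing=1
    fi
  done
  return "$_mo_missing"
}

# Startup lines copied from the report at the top of this issue.
SAMPLE_LOG='2023/11/28 10:38:36 [INFO]  : Falco Sidekick version: 2.28.0
2023/11/28 10:38:36 [INFO]  : Enabled Outputs : [Discord]
2023/11/28 10:38:36 [INFO] : Falco Sidekick is up and listening on :2801'

# Against a cluster (deployment name inferred from the pod names in this thread):
#   kubectl logs -n falco deploy/falco-falcosidekick | missing_outputs Discord WebUI
printf '%s\n' "$SAMPLE_LOG" | missing_outputs Discord WebUI \
  || echo "expected outputs listed above are not enabled" >&2
```

Run after every values or secret change; a non-zero exit means alerts are not reaching one of the destinations you rely on.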

leogr commented 2 weeks ago

/assign @Issif

Issif commented 2 weeks ago

I explained here how to use the existingSecret setting