🔧 Add helm variable to disable live config-map user actions (#1689)

* 🔧 Add helm variable to disable live config-map user actions

* 🐛 Fix ternary for `PRESET_FILTERS_CHANGING_ENABLED` config

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>

config/configStruct.go

@@ -104,22 +104,21 @@ type ManifestsConfig struct {
 }
 
 type ConfigStruct struct {
-	Tap                       configStructs.TapConfig       `yaml:"tap" json:"tap"`
+	Tap                  configStructs.TapConfig       `yaml:"tap" json:"tap"`
-	Logs                      configStructs.LogsConfig      `yaml:"logs" json:"logs"`
+	Logs                 configStructs.LogsConfig      `yaml:"logs" json:"logs"`
-	Config                    configStructs.ConfigConfig    `yaml:"config,omitempty" json:"config,omitempty"`
+	Config               configStructs.ConfigConfig    `yaml:"config,omitempty" json:"config,omitempty"`
-	PcapDump                  configStructs.PcapDumpConfig  `yaml:"pcapdump" json:"pcapdump"`
+	PcapDump             configStructs.PcapDumpConfig  `yaml:"pcapdump" json:"pcapdump"`
-	Kube                      KubeConfig                    `yaml:"kube" json:"kube"`
+	Kube                 KubeConfig                    `yaml:"kube" json:"kube"`
-	DumpLogs                  bool                          `yaml:"dumpLogs" json:"dumpLogs" default:"false"`
+	DumpLogs             bool                          `yaml:"dumpLogs" json:"dumpLogs" default:"false"`
-	HeadlessMode              bool                          `yaml:"headless" json:"headless" default:"false"`
+	HeadlessMode         bool                          `yaml:"headless" json:"headless" default:"false"`
-	License                   string                        `yaml:"license" json:"license" default:""`
+	License              string                        `yaml:"license" json:"license" default:""`
-	CloudLicenseEnabled       bool                          `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
+	CloudLicenseEnabled  bool                          `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
-	SupportChatEnabled        bool                          `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"true"`
+	SupportChatEnabled   bool                          `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"true"`
-	InternetConnectivity      bool                          `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"`
+	InternetConnectivity bool                          `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"`
-	DissectorsUpdatingEnabled bool                          `yaml:"dissectorsUpdatingEnabled" json:"dissectorsUpdatingEnabled" default:"true"`
+	Scripting            configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
-	Scripting                 configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
+	Manifests            ManifestsConfig               `yaml:"manifests,omitempty" json:"manifests,omitempty"`
-	Manifests                 ManifestsConfig               `yaml:"manifests,omitempty" json:"manifests,omitempty"`
+	Timezone             string                        `yaml:"timezone" json:"timezone"`
-	Timezone                  string                        `yaml:"timezone" json:"timezone"`
+	LogLevel             string                        `yaml:"logLevel" json:"logLevel" default:"warning"`
-	LogLevel                  string                        `yaml:"logLevel" json:"logLevel" default:"warning"`
 }
 
 func (config *ConfigStruct) ImagePullPolicy() v1.PullPolicy {

config/configStructs/tapConfig.go

@@ -222,7 +222,6 @@ type PcapDumpConfig struct {
 	PcapMaxSize      string `yaml:"maxSize" json:"maxSize" default:"500MB"`
 	PcapSrcDir       string `yaml:"pcapSrcDir" json:"pcapSrcDir" default:"pcapdump"`
 	PcapTime         string `yaml:"time" json:"time" default:"time"`
-	PcapDest         string `yaml:"dest" json:"dest" default:""`
 }
 
 type TapConfig struct {
@@ -258,11 +257,7 @@ type TapConfig struct {
 	ResourceGuard                ResourceGuardConfig   `yaml:"resourceGuard" json:"resourceGuard"`
 	Sentry                       SentryConfig          `yaml:"sentry" json:"sentry"`
 	DefaultFilter                string                `yaml:"defaultFilter" json:"defaultFilter" default:"!dns and !error"`
-	ScriptingDisabled            bool                  `yaml:"scriptingDisabled" json:"scriptingDisabled" default:"false"`
+	LiveConfigMapChangesDisabled bool                  `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`
-	TargetedPodsUpdateDisabled   bool                  `yaml:"targetedPodsUpdateDisabled" json:"targetedPodsUpdateDisabled" default:"false"`
-	PresetFiltersChangingEnabled bool                  `yaml:"presetFiltersChangingEnabled" json:"presetFiltersChangingEnabled" default:"true"`
-	RecordingDisabled            bool                  `yaml:"recordingDisabled" json:"recordingDisabled" default:"false"`
-	StopTrafficCapturingDisabled bool                  `yaml:"stopTrafficCapturingDisabled" json:"stopTrafficCapturingDisabled" default:"false"`
 	Capabilities                 CapabilitiesConfig    `yaml:"capabilities" json:"capabilities"`
 	GlobalFilter                 string                `yaml:"globalFilter" json:"globalFilter" default:""`
 	EnabledDissectors            []string              `yaml:"enabledDissectors" json:"enabledDissectors"`

helm-chart/README.md

@@ -196,6 +196,7 @@ Example for overriding image names:
 | `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `false`                                                  |
 | `tap.sentry.environment`                      | Sentry environment to label error logs with      | `production`                                                  |
 | `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file.        | `"!dns and !error"`                                    |
+| `tap.liveConfigMapChangesDisabled`        | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled     | `false`      |
 | `tap.globalFilter`                        | Prepends to any KFL filter and can be used to limit what is visible in the dashboard. For example, `redact("request.headers.Authorization")` will redact the appropriate field. Another example `!dns` will not show any DNS traffic.      | `""`                                        |
 | `tap.metrics.port`                  | Pod port used to expose Prometheus metrics          | `49100`                                                  |
 | `tap.enabledDissectors`                   | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp` |
@@ -214,7 +215,6 @@ Example for overriding image names:
 | `timezone`                                | IANA time zone applied to time shown in the front-end | `""` (local time zone applies) |
 | `supportChatEnabled`                      | Enable real-time support chat channel based on Intercom | `true` |
 | `internetConnectivity`                    | Turns off API requests that are dependant on Internet connectivity such as `telemetry` and `online-support`. | `true` |
-| `dissectorsUpdatingEnabled`                     | Turns off UI for enabling/disabling dissectors | `true` |
 
 KernelMapping pairs kernel versions with a
                             DriverContainer image. Kernel versions can be matched

helm-chart/templates/06-front-deployment.yaml

@@ -37,20 +37,20 @@ spec:
             - name: REACT_APP_TIMEZONE
               value: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
             - name: REACT_APP_SCRIPTING_DISABLED
-              value: '{{ .Values.tap.scriptingDisabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
             - name: REACT_APP_TARGETED_PODS_UPDATE_DISABLED
-              value: '{{ .Values.tap.targetedPodsUpdateDisabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
             - name: REACT_APP_PRESET_FILTERS_CHANGING_ENABLED
-              value: '{{ .Values.tap.presetFiltersChangingEnabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
             - name: REACT_APP_BPF_OVERRIDE_DISABLED
               value: '{{ eq .Values.tap.packetCapture "ebpf" | ternary "true" "false" }}'
             - name: REACT_APP_RECORDING_DISABLED
-              value: '{{ .Values.tap.recordingDisabled }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
             - name: REACT_APP_STOP_TRAFFIC_CAPTURING_DISABLED
-              value: '{{- if and .Values.tap.stopTrafficCapturingDisabled .Values.tap.stopped -}}
+              value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}}
                         false
                       {{- else -}}
-                        {{ .Values.tap.stopTrafficCapturingDisabled | ternary "true" "false" }}
+                        {{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
                       {{- end -}}'
             - name: 'REACT_APP_CLOUD_LICENSE_ENABLED'
               value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
@@ -61,7 +61,7 @@ spec:
             - name: REACT_APP_SUPPORT_CHAT_ENABLED
               value: '{{ and .Values.supportChatEnabled .Values.internetConnectivity | ternary "true" "false" }}'
             - name: REACT_APP_DISSECTORS_UPDATING_ENABLED
-              value: '{{ .Values.dissectorsUpdatingEnabled | ternary "true" "false" }}'
+              value: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
             - name: REACT_APP_SENTRY_ENABLED
               value: '{{ (include "sentry.enabled" .) }}'
             - name: REACT_APP_SENTRY_ENVIRONMENT

helm-chart/templates/12-config-map.yaml

@@ -27,14 +27,14 @@ data:
     AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
     AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
     TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
-    SCRIPTING_DISABLED: '{{ .Values.tap.scriptingDisabled | ternary "true" "" }}'
+    SCRIPTING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
-    TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.targetedPodsUpdateDisabled | ternary "true" "" }}'
+    TARGETED_PODS_UPDATE_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
-    PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.presetFiltersChangingEnabled | ternary "true" "" }}'
+    PRESET_FILTERS_CHANGING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
-    RECORDING_DISABLED: '{{ .Values.tap.recordingDisabled | ternary "true" "" }}'
+    RECORDING_DISABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "" }}'
-    STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.stopTrafficCapturingDisabled .Values.tap.stopped -}}
+    STOP_TRAFFIC_CAPTURING_DISABLED: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.stopped -}}
                                         false
                                       {{- else -}}
-                                        {{ .Values.tap.stopTrafficCapturingDisabled | ternary "true" "false" }}
+                                        {{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
                                       {{- end }}'
     GLOBAL_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.globalFilter | quote }}
     DEFAULT_FILTER: {{ include "kubeshark.escapeDoubleQuotes" .Values.tap.defaultFilter | quote }}
@@ -51,7 +51,7 @@ data:
     DUPLICATE_TIMEFRAME: '{{ .Values.tap.misc.duplicateTimeframe }}'
     ENABLED_DISSECTORS: '{{ gt (len .Values.tap.enabledDissectors) 0 | ternary (join "," .Values.tap.enabledDissectors) "" }}'
     CUSTOM_MACROS: '{{ toJson .Values.tap.customMacros }}'
-    DISSECTORS_UPDATING_ENABLED: '{{ .Values.dissectorsUpdatingEnabled | ternary "true" "false" }}'
+    DISSECTORS_UPDATING_ENABLED: '{{ .Values.tap.liveConfigMapChangesDisabled | ternary "false" "true" }}'
     DETECT_DUPLICATES: '{{ .Values.tap.misc.detectDuplicates | ternary "true" "false" }}'
     PCAP_DUMP_ENABLE: '{{ .Values.pcapdump.enabled }}'
     PCAP_TIME_INTERVAL: '{{ .Values.pcapdump.timeInterval }}'

helm-chart/values.yaml

@@ -119,11 +119,7 @@ tap:
     enabled: false
     environment: production
   defaultFilter: "!dns and !error"
-  scriptingDisabled: false
+  liveConfigMapChangesDisabled: false
-  targetedPodsUpdateDisabled: false
-  presetFiltersChangingEnabled: true
-  recordingDisabled: false
-  stopTrafficCapturingDisabled: false
   capabilities:
     networkCapture:
     - NET_RAW
@@ -188,7 +184,6 @@ license: ""
 cloudLicenseEnabled: true
 supportChatEnabled: true
 internetConnectivity: true
-dissectorsUpdatingEnabled: true
 scripting:
   env: {}
   source: ""