From 59ef0f8f80aec34f52ec04de11a567710d74e18f Mon Sep 17 00:00:00 2001 From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com> Date: Tue, 1 Apr 2025 23:08:46 +0300 Subject: [PATCH 1/3] :hammer: Add `tap.dashboard.completeStreamingEnabled` flag (#1733) --- config/configStruct.go | 3 +++ config/configStructs/tapConfig.go | 5 +++++ helm-chart/templates/06-front-deployment.yaml | 6 ++++++ helm-chart/values.yaml | 2 ++ 4 files changed, 16 insertions(+) diff --git a/config/configStruct.go b/config/configStruct.go index a911dc64c..4cd4bef31 100644 --- a/config/configStruct.go +++ b/config/configStruct.go @@ -135,6 +135,9 @@ func CreateDefaultConfig() ConfigStruct { LDAP: []uint16{389}, DIAMETER: []uint16{3868}, }, + Dashboard: configStructs.DashboardConfig{ + CompleteStreamingEnabled: true, + }, }, } } diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 1be086b04..923223cb0 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -195,6 +195,10 @@ type RoutingConfig struct { Front FrontRoutingConfig `yaml:"front" json:"front"` } +type DashboardConfig struct { + CompleteStreamingEnabled bool `yaml:"completeStreamingEnabled" json:"completeStreamingEnabled" default:"true"` +} + type FrontRoutingConfig struct { BasePath string `yaml:"basePath" json:"basePath" default:""` } @@ -320,6 +324,7 @@ type TapConfig struct { Routing RoutingConfig `yaml:"routing" json:"routing"` IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"` Debug bool `yaml:"debug" json:"debug" default:"false"` + Dashboard DashboardConfig `yaml:"dashboard" json:"dashboard"` Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"` ResourceGuard ResourceGuardConfig `yaml:"resourceGuard" json:"resourceGuard"` Watchdog WatchdogConfig `yaml:"watchdog" json:"watchdog"` diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml index 1644bf450..6fd699df5 100644 
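Review bot: `DashboardConfig` is a new exported type added without a doc comment, and its default is stated twice — the `default:"true"` struct tag on `CompleteStreamingEnabled` here and the explicit `CompleteStreamingEnabled: true` in `CreateDefaultConfig` in the first hunk — so the two can drift silently; nothing in the patch says what "complete streaming" actually changes for the user. Suggest `// DashboardConfig holds feature flags that are passed through to the front-end dashboard.` above the type and a one-line field comment explaining what disabling complete streaming does, plus a remark in `CreateDefaultConfig` that the value must match the struct tag (or drop one of the two). `RoutingConfig` and `TapConfig` both start and end outside their hunks.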
--- a/helm-chart/templates/06-front-deployment.yaml +++ b/helm-chart/templates/06-front-deployment.yaml @@ -36,6 +36,12 @@ spec: {{- else -}} {{ .Values.tap.auth.type }} {{- end }}' + - name: REACT_APP_COMPLETE_STREAMING_ENABLED + value: '{{- if and (hasKey .Values.tap "dashboard") (hasKey .Values.tap.dashboard "completeStreamingEnabled") -}} + {{ eq .Values.tap.dashboard.completeStreamingEnabled true | ternary "true" "false" }} + {{- else -}} + true + {{- end }}' - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}' - name: REACT_APP_TIMEZONE diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 97342ca36..a898a8e58 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -136,6 +136,8 @@ tap: basePath: "" ipv6: true debug: false + dashboard: + completeStreamingEnabled: true telemetry: enabled: true resourceGuard: From a9147330784db7ff9a15096ac6a2274de4c8ca16 Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 1 Apr 2025 23:29:04 +0300 Subject: [PATCH 2/3] Allow reading logs (#1734) Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com> --- helm-chart/templates/02-cluster-role.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/helm-chart/templates/02-cluster-role.yaml b/helm-chart/templates/02-cluster-role.yaml index 7191853c9..5c9f56d83 100644 --- a/helm-chart/templates/02-cluster-role.yaml +++ b/helm-chart/templates/02-cluster-role.yaml @@ -72,3 +72,9 @@ rules: - list - update - patch + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get \ No newline at end of file From a6eabbbdee7cb00ebbcd4f3dcc5c7dfb5a5237a2 Mon Sep 17 00:00:00 2001 
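Review bot: The new `pods/log` / `get` rule sits in a ClusterRole, so whatever service account binds it can read the logs of every pod in every namespace, and pod logs routinely carry bearer tokens, connection strings and other secrets; the commit message ("Allow reading logs") does not say which component needs this or why cluster scope is required. If the consumer only reads logs of the chart's own pods, move the rule to a namespaced Role, and otherwise gate it behind a values flag so operators can opt out; either way add a comment above the rule stating the consumer and purpose, e.g. `# pods/log read access: required by <component> for <purpose>` with the placeholders filled in. The new file also ends without a trailing newline after `- get`.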
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com> Date: Fri, 4 Apr 2025 20:07:02 +0300 Subject: [PATCH 3/3] :hammer: Add `tap.auth.dexOidc.bypassSslCaCheck` flag (#1737) * :hammer: Add `tap.auth.dexOidc.bypassSslCaCheck` flag * :memo: Update docs for Dex SSL CA bypass * :hammer: Bring back deleted Dex node-selector-terms --- config/configStructs/tapConfig.go | 1 + helm-chart/README.md | 13 +++++++++++++ helm-chart/templates/12-config-map.yaml | 9 +++++++++ helm-chart/values.yaml | 6 ++++++ 4 files changed, 29 insertions(+) diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 923223cb0..99bf42159 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -138,6 +138,7 @@ type NodeSelectorTermsConfig struct { Hub []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"` Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"` Front []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"` + Dex []v1.NodeSelectorTerm `yaml:"dex" json:"dex" default:"[]"` } type TolerationsConfig struct { diff --git a/helm-chart/README.md b/helm-chart/README.md index c18b30137..2aa877b09 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -351,8 +351,20 @@ tap: clientSecret: create your own client password refreshTokenLifetime: "3960h" # 165 days oauth2StateParamExpiry: "10m" + bypassSslCaCheck: false ``` +--- + +**Note:**
+Set `tap.auth.dexOidc.bypassSslCaCheck: true` +to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority. + +This setting allows you to prevent such SSL CA-related errors:
+`tls: failed to verify certificate: x509: certificate signed by unknown authority` + +--- + Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled. --- @@ -443,6 +455,7 @@ tap: refreshTokenLifetime: "3960h" # 165 days oauth2StateParamExpiry: "10m" + bypassSslCaCheck: false dexConfig: # This field is REQUIRED! # diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml index 3cf3d7144..a7e554e6c 100644 --- a/helm-chart/templates/12-config-map.yaml +++ b/helm-chart/templates/12-config-map.yaml @@ -33,6 +33,15 @@ data: AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}' AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}' AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}' + AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and + (hasKey .Values.tap "auth") + (hasKey .Values.tap.auth "dexOidc") + (hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck") + -}} + {{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }} + {{- else -}} + false + {{- end }}' TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}' SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}} {{- if .Values.demoModeEnabled -}} diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index a898a8e58..f4e2d41f9 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -99,6 +99,12 @@ tap: operator: In values: - linux + dex: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux tolerations: hub: [] workers:
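Review bot: `AUTH_OIDC_BYPASS_SSL_CA_CHECK` makes disabling CA verification toward the OIDC issuer a one-line chart switch, and the README hunk in this patch presents it as the fix for `x509: certificate signed by unknown authority` without any warning. The hub code that consumes the variable is outside this patch, but if it honours the flag by skipping certificate verification, an on-path attacker between the hub and Dex can impersonate the IdP and mint sessions, which defeats the authentication this setting belongs to. The safer path is to let operators mount a custom CA bundle for the issuer and keep verification on; if the bypass stays, document it as non-production only and add a comment beside the key, e.g. `# DANGER: disables TLS certificate verification toward the OIDC issuer; prefer a custom CA bundle.`, and have the hub log a startup warning when it is true. The `hasKey` chain can also be collapsed to `{{ (((.Values.tap).auth).dexOidc).bypassSslCaCheck | default false | ternary "true" "false" }}`, matching the style of the neighbouring keys, since `default false` is safe here (an unset or false value both yield false).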