Merge branch 'master' into use-default-cm-and-secret

cmd/tap.go

@@ -61,4 +61,5 @@ func init() {
 	tapCmd.Flags().Bool(configStructs.IngressEnabledLabel, defaultTapConfig.Ingress.Enabled, "Enable Ingress")
 	tapCmd.Flags().Bool(configStructs.TelemetryEnabledLabel, defaultTapConfig.Telemetry.Enabled, "Enable/disable Telemetry")
 	tapCmd.Flags().Bool(configStructs.ResourceGuardEnabledLabel, defaultTapConfig.ResourceGuard.Enabled, "Enable/disable resource guard")
+	tapCmd.Flags().Bool(configStructs.WatchdogEnabled, defaultTapConfig.Watchdog.Enabled, "Enable/disable watchdog")
 }

config/configStructs/tapConfig.go

@@ -44,6 +44,7 @@ const (
 	PcapKubeconfig               = "kubeconfig"
 	PcapDumpEnabled              = "enabled"
 	PcapTime                     = "time"
+	WatchdogEnabled              = "watchdogEnabled"
 )
 
 type ResourceLimitsHub struct {
@@ -190,6 +191,14 @@ type IngressConfig struct {
 	Annotations map[string]string       `yaml:"annotations" json:"annotations" default:"{}"`
 }
 
+type RoutingConfig struct {
+	Front FrontRoutingConfig `yaml:"front" json:"front"`
+}
+
+type FrontRoutingConfig struct {
+	BasePath string `yaml:"basePath" json:"basePath" default:""`
+}
+
 type ReleaseConfig struct {
 	Repo      string `yaml:"repo" json:"repo" default:"https://helm.kubeshark.co"`
 	Name      string `yaml:"name" json:"name" default:"kubeshark"`
@@ -209,6 +218,10 @@ type SentryConfig struct {
 	Environment string `yaml:"environment" json:"environment" default:"production"`
 }
 
+type WatchdogConfig struct {
+	Enabled bool `yaml:"enabled" json:"enabled" default:"true"`
+}
+
 type CapabilitiesConfig struct {
 	NetworkCapture     []string `yaml:"networkCapture" json:"networkCapture"  default:"[]"`
 	ServiceMeshCapture []string `yaml:"serviceMeshCapture" json:"serviceMeshCapture"  default:"[]"`
@@ -304,10 +317,12 @@ type TapConfig struct {
 	Tolerations                  TolerationsConfig       `yaml:"tolerations" json:"tolerations" default:"{}"`
 	Auth                         AuthConfig              `yaml:"auth" json:"auth"`
 	Ingress                      IngressConfig           `yaml:"ingress" json:"ingress"`
+	Routing                      RoutingConfig           `yaml:"routing" json:"routing"`
 	IPv6                         bool                    `yaml:"ipv6" json:"ipv6" default:"true"`
 	Debug                        bool                    `yaml:"debug" json:"debug" default:"false"`
 	Telemetry                    TelemetryConfig         `yaml:"telemetry" json:"telemetry"`
 	ResourceGuard                ResourceGuardConfig     `yaml:"resourceGuard" json:"resourceGuard"`
+	Watchdog                     WatchdogConfig          `yaml:"watchdog" json:"watchdog"`
 	Sentry                       SentryConfig            `yaml:"sentry" json:"sentry"`
 	DefaultFilter                string                  `yaml:"defaultFilter" json:"defaultFilter" default:"!dns and !error"`
 	LiveConfigMapChangesDisabled bool                    `yaml:"liveConfigMapChangesDisabled" json:"liveConfigMapChangesDisabled" default:"false"`

helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.5"
+version: "52.6"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:

helm-chart/README.md

@@ -196,11 +196,12 @@ Example for overriding image names:
 | `tap.ingress.host`                        | Host of the `Ingress`                          | `ks.svc.cluster.local`                                  |
 | `tap.ingress.tls`                         | `Ingress` TLS configuration                     | `[]`                                                    |
 | `tap.ingress.annotations`                 | `Ingress` annotations                           | `{}`                                                    |
+| `tap.routing.front.basePath`             | Set this value to serve `front` under specific base path. Example: `/custompath` (forward slash must be present)         | `""`       |
 | `tap.ipv6`                                | Enable IPv6 support for the front-end                        | `true`                                                  |
 | `tap.debug`                               | Enable debug mode                             | `false`                                                 |
 | `tap.telemetry.enabled`                   | Enable anonymous usage statistics collection           | `true`                                                  |
 | `tap.resourceGuard.enabled`               | Enable resource guard worker process, which watches RAM/disk usage and enables/disables traffic capture based on available resources | `false` |
-| `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `false`                                                  |
+| `tap.sentry.enabled`                      | Enable sending of error logs to Sentry          | `true` (only for qualified users)                                                  |
 | `tap.sentry.environment`                      | Sentry environment to label error logs with      | `production`                                                  |
 | `tap.defaultFilter`                       | Sets the default dashboard KFL filter (e.g. `http`). By default, this value is set to filter out noisy protocols such as DNS, UDP, ICMP and TCP. The user can easily change this, **temporarily**, in the Dashboard. For a permanent change, you should change this value in the `values.yaml` or `config.yaml` file.        | `"!dns and !error"`                                    |
 | `tap.liveConfigMapChangesDisabled`        | If set to `true`, all user functionality (scripting, targeting settings, global & default KFL modification, traffic recording, traffic capturing on/off, protocol dissectors) involving dynamic ConfigMap changes from UI will be disabled     | `false`      |
@@ -228,7 +229,7 @@ KernelMapping pairs kernel versions with a
                             DriverContainer image. Kernel versions can be matched
                             literally or using a regular expression
 
-## Installing with SAML enabled
+# Installing with SAML enabled
 
 ### Prerequisites:
 
@@ -293,3 +294,226 @@ tap:
         UaV5sbRtTzYLxpOSQyi8CEFA+A==
         -----END PRIVATE KEY-----
 ```
+
+# Installing with Dex OIDC authentication
+
+[**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp).
+
+Choose this option, if **you already have a running instance** of Dex in your cluster & 
+you want to set up Dex OIDC authentication for Kubeshark users.
+
+Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/).
+Dex is an abstraction layer designed for integrating a wide variety of Identity Providers.
+
+**Requirement:**
+Your Dex IdP must have a publicly accessible URL.
+
+### Pre-requisites:
+
+**1. If you configured Ingress for Kubeshark:**
+
+(see section: "Installing with Ingress (EKS) enabled")
+
+OAuth2 callback URL is: <br/>
+`https://<kubeshark-ingress-hostname>/api/oauth2/callback`
+
+**2. If you did not configure Ingress for Kubeshark:**
+
+OAuth2 callback URL is: <br/>
+`http://0.0.0.0:8899/api/oauth2/callback`
+
+Use chosen OAuth2 callback URL to replace `<your-kubeshark-host>` in Step 3.
+
+**3. Add this static client to your Dex IdP configuration (`config.yaml`):**
+```yaml
+staticClients:
+   - id: kubeshark
+     secret: create your own client password
+     name: Kubeshark
+     redirectURIs:
+     - https://<your-kubeshark-host>/api/oauth2/callback
+```
+
+**Final step:**
+
+Add these helm values to set up OIDC authentication powered by your Dex IdP:
+
+```yaml
+# values.yaml
+
+tap: 
+  auth:
+    enabled: true
+    type: dex
+    dexOidc:
+      issuer: <put Dex IdP issuer URL here>
+      clientId: kubeshark
+      clientSecret: create your own client password
+      refreshTokenLifetime: "3960h" # 165 days
+      oauth2StateParamExpiry: "10m"
+```
+
+Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
+
+---
+
+# Installing your own Dex IdP along with Kubeshark
+
+Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & 
+set up Dex OIDC authentication for Kubeshark users.
+
+Depending on Ingress enabled/disabled, your Dex configuration might differ.
+
+**Requirement:**
+Please, configure Ingress using `tap.ingress` for your Kubeshark installation. For example:
+
+```yaml
+tap:
+  ingress:
+    enabled: true
+    className: "alb"
+    host: ks.example.com
+    tls: []
+    annotations:
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:7..8:certificate/b...65c
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/scheme: internet-facing
+```
+
+The following Dex settings will have these values:
+
+| Setting                                               | Value                                        |
+|-------------------------------------------------------|----------------------------------------------|
+| `tap.auth.dexOidc.issuer`                             | `https://ks.example.com/dex`                 |
+| `tap.auth.dexConfig.issuer`                           | `https://ks.example.com/dex`                 |
+| `tap.auth.dexConfig.staticClients -> redirectURIs`    | `https://ks.example.com/api/oauth2/callback` |
+| `tap.auth.dexConfig.connectors -> config.redirectURI` | `https://ks.example.com/dex/callback`        |
+
+---
+
+### Before proceeding with Dex IdP installation:
+
+Please, make sure to prepare the following things first.
+
+1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. 
+   - i.e. how many kind of "Log in with ..." options you'd like to offer your users
+   - You will need to specify connectors in `tap.auth.dexConfig.connectors`
+2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. 
+   - You will need to specify storage settings in `tap.auth.dexConfig.storage`
+   - default: `memory`
+3. Decide on the OAuth2 `?state=` param expiration time:
+   - field: `tap.auth.dexOidc.oauth2StateParamExpiry`
+   - default: `10m` (10 minutes)
+   - valid time units are `s`, `m`, `h`
+4. Decide on the refresh token expiration:
+    - field 1: `tap.auth.dexOidc.expiry.refreshTokenLifetime`
+    - field 2: `tap.auth.dexConfig.expiry.refreshTokens.absoluteLifetime`
+    - default: `3960h` (165 days)
+    - valid time units are `s`, `m`, `h`
+5. Create a unique & secure password to set in these fields:
+    - field 1: `tap.auth.dexOidc.clientSecret`
+    - field 2: `tap.auth.dexConfig.staticClients -> secret`
+    - password must be the same for these 2 fields
+6. Discover more possibilities of **[Dex Configuration](https://dexidp.io/docs/configuration/)**
+   - if you decide to include more configuration options, make sure to add them into `tap.auth.dexConfig`
+---
+
+### Once you are ready with all the points described above:
+
+Use these helm `values.yaml` fields to:
+- Deploy your own instance of Dex IdP along with Kubeshark
+- Enable OIDC authentication for Kubeshark users
+
+Make sure to:
+- Replace `<your-ingress-hostname>` with a correct Kubeshark Ingress host (`tap.auth.ingress.host`).
+  - refer to section **Installing with Ingress (EKS) enabled** to find out how you can configure Ingress host.
+
+Helm `values.yaml`:
+```yaml
+tap: 
+  auth:
+    enabled: true
+    type: dex
+    dexOidc:
+      issuer: https://<your-ingress-hostname>/dex
+      
+      # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret`
+      clientId: kubeshark
+      clientSecret: create your own client password
+      
+      refreshTokenLifetime: "3960h" # 165 days
+      oauth2StateParamExpiry: "10m"
+    dexConfig:
+      # This field is REQUIRED!
+      # 
+      # The base path of Dex and the external name of the OpenID Connect service.
+      # This is the canonical URL that all clients MUST use to refer to Dex. If a
+      # path is provided, Dex's HTTP service will listen at a non-root URL.
+      issuer: https://<your-ingress-hostname>/dex
+        
+      # Expiration configuration for tokens, signing keys, etc.
+      expiry:
+        refreshTokens:
+          validIfNotUsedFor: "2160h" # 90 days
+          absoluteLifetime: "3960h"  # 165 days
+
+      # This field is REQUIRED!
+      # 
+      # The storage configuration determines where Dex stores its state.
+      # See the documentation (https://dexidp.io/docs/storage/) for further information.
+      storage:
+        type: memory
+
+      # This field is REQUIRED!
+      # 
+      # Attention: 
+      # Do not change this field and its values.
+      # This field is required for internal Kubeshark-to-Dex communication.
+      #
+      # HTTP service configuration
+      web:
+        http: 0.0.0.0:5556
+
+      # This field is REQUIRED!
+      #
+      # Attention: 
+      # Do not change this field and its values.
+      # This field is required for internal Kubeshark-to-Dex communication.
+      #
+      # Telemetry configuration
+      telemetry:
+        http: 0.0.0.0:5558
+
+      # This field is REQUIRED!
+      #
+      # Static clients registered in Dex by default.
+      staticClients:
+        - id: kubeshark
+          secret: create your own client password
+          name: Kubeshark
+          redirectURIs:
+          - https://<your-ingress-hostname>/api/oauth2/callback
+
+      # Enable the password database.
+      # It's a "virtual" connector (identity provider) that stores
+      # login credentials in Dex's store.
+      enablePasswordDB: true
+
+      # Connectors are used to authenticate users against upstream identity providers.
+      # See the documentation (https://dexidp.io/docs/connectors/) for further information.
+      #
+      # Attention: 
+      # When you define a new connector, `config.redirectURI` must be: 
+      # https://<your-ingress-hostname>/dex/callback
+      # 
+      # Example with Google connector:
+      # connectors:
+      #  - type: google
+      #    id: google
+      #    name: Google
+      #    config:
+      #      clientID: your Google Cloud Auth app client ID
+      #      clientSecret: your Google Auth app client ID
+      #      redirectURI: https://<your-ingress-hostname>/dex/callback
+      connectors: []
+```

helm-chart/templates/06-front-deployment.yaml

@@ -26,12 +26,16 @@ spec:
         - env:
             - name: REACT_APP_AUTH_ENABLED
               value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
-                      "false"
+                        {{ (and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex")) | ternary true false }}
-                    {{- else -}}
+                      {{- else -}}
-                      {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
+                        {{ .Values.cloudLicenseEnabled | ternary "true" .Values.tap.auth.enabled }}
-                    {{- end }}'
+                      {{- end }}'
             - name: REACT_APP_AUTH_TYPE
-              value: '{{ not (eq .Values.tap.auth.type "") | ternary (.Values.cloudLicenseEnabled | ternary "oidc" .Values.tap.auth.type) " " }}'
+              value: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+                        default
+                      {{- else -}}
+                        {{ .Values.tap.auth.type }}
+                      {{- end }}'
             - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
               value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
             - name: REACT_APP_TIMEZONE

helm-chart/templates/09-worker-daemon-set.yaml

@@ -68,6 +68,9 @@ spec:
             - /hostproc
           {{- if .Values.tap.resourceGuard.enabled }}
             - -enable-resource-guard
+          {{- end }}
+          {{- if .Values.tap.watchdog.enabled }}
+            - -enable-watchdog
           {{- end }}
             - -resolution-strategy
             - '{{ .Values.tap.misc.resolutionStrategy }}'

helm-chart/templates/11-nginx-config-map.yaml

@@ -20,8 +20,8 @@ data:
       client_header_buffer_size   32k;
       large_client_header_buffers 8 64k;
 
-      location /api {
+      location {{ default "" (((.Values.tap).routing).front).basePath }}/api {
-        rewrite ^/api(.*)$ $1 break;
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/api(.*)$ $1 break;
         proxy_pass http://kubeshark-hub;
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
@@ -35,8 +35,8 @@ data:
         proxy_pass_request_headers      on;
       }
 
-      location /saml {
+      location {{ default "" (((.Values.tap).routing).front).basePath }}/saml {
-        rewrite ^/saml(.*)$ /saml$1 break;
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/saml(.*)$ /saml$1 break;
         proxy_pass http://kubeshark-hub;
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
@@ -46,6 +46,34 @@ data:
         proxy_pass_request_headers on;
       }
 
+{{- if .Values.tap.auth.dexConfig }}
+       location /dex {
+        rewrite ^{{ default "" (((.Values.tap).routing).front).basePath }}/dex(.*)$ /dex$1 break;
+        proxy_pass http://kubeshark-dex;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   Host $http_host;
+        proxy_set_header Upgrade websocket;
+        proxy_set_header Connection Upgrade;
+        proxy_set_header  Authorization $http_authorization;
+        proxy_pass_header Authorization;
+        proxy_connect_timeout 4s;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 12s;
+        proxy_pass_request_headers      on;
+      }
+{{- end }}
+
+{{- if (((.Values.tap).routing).front).basePath }}
+      location {{ .Values.tap.routing.front.basePath }} {
+        rewrite ^{{ .Values.tap.routing.front.basePath }}(.*)$ $1 break;
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        try_files $uri $uri/ /index.html;
+        expires -1;
+        add_header Cache-Control no-cache;
+      }
+{{- end }}
+
       location / {
         root   /usr/share/nginx/html;
         index  index.html index.htm;

helm-chart/templates/12-config-map.yaml

@@ -18,14 +18,21 @@ data:
     INGRESS_HOST: '{{ .Values.tap.ingress.host }}'
     PROXY_FRONT_PORT: '{{ .Values.tap.proxy.front.port }}'
     AUTH_ENABLED: '{{- if and .Values.cloudLicenseEnabled (not (empty .Values.license)) -}}
-                      "false"
+                      {{ and .Values.tap.auth.enabled (eq .Values.tap.auth.type "dex") | ternary true false }}
                   {{- else -}}
                       {{ .Values.cloudLicenseEnabled | ternary "true" (.Values.tap.auth.enabled | ternary "true" "") }}
                   {{- end }}'
-    AUTH_TYPE: '{{ .Values.cloudLicenseEnabled | ternary "oidc" (.Values.tap.auth.type) }}'
+    AUTH_TYPE: '{{- if and .Values.cloudLicenseEnabled (not (eq .Values.tap.auth.type "dex")) -}}
+                  default
+                {{- else -}}
+                  {{ .Values.tap.auth.type }}
+                {{- end }}'
     AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
     AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
     AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
+    AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
+    AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
+    AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
     TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
     SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
                            {{- if .Values.demoModeEnabled -}}

helm-chart/templates/13-secret.yaml

@@ -9,6 +9,8 @@ metadata:
 stringData:
     LICENSE: '{{ .Values.license }}'
     SCRIPTING_ENV: '{{ .Values.scripting.env | toJson }}'
+    OIDC_CLIENT_ID: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientId }}'
+    OIDC_CLIENT_SECRET: '{{ default "not set" (((.Values.tap).auth).dexOidc).clientSecret }}'
 
 ---
 

helm-chart/templates/17-network-policies.yaml

@@ -53,6 +53,31 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-dex-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.co/app: dex
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5556
+  egress:
+    - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   labels:
     {{- include "kubeshark.labels" . | nindent 4 }}

helm-chart/templates/18-dex-deployment.yaml

@@ -0,0 +1,116 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubeshark.co/app: dex
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: {{ include "kubeshark.name" . }}-dex
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1  # Set the desired number of replicas
+  selector:
+    matchLabels:
+      app.kubeshark.co/app: dex
+      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubeshark.co/app: dex
+        {{- include "kubeshark.labels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: kubeshark-dex
+          image: 'dexidp/dex:v2.42.0-alpine'
+          ports:
+            - name: http
+              containerPort: 5556
+              protocol: TCP
+            - name: telemetry
+              containerPort: 5558
+              protocol: TCP
+          args:
+          - dex
+          - serve
+          - /etc/dex/dex-config.yaml
+          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+          volumeMounts:
+            - name: dex-secret-conf-volume
+              mountPath: /etc/dex/dex-config.yaml
+              subPath: dex-config.yaml
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /healthz/live
+              port: 5558
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz/ready
+              port: 5558
+            periodSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 3
+            timeoutSeconds: 1
+          resources:
+            limits:
+              cpu: 750m
+              memory: 1Gi
+            requests:
+              cpu: 50m
+              memory: 50Mi
+    {{- if .Values.tap.docker.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.tap.docker.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+    {{- end }}
+{{- if gt (len .Values.tap.nodeSelectorTerms.dex) 0}}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- toYaml .Values.tap.nodeSelectorTerms.dex | nindent 12 }}
+{{- end }}
+      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
+      dnsConfig:
+        {{- if .Values.tap.dns.nameservers }}
+        nameservers:
+        {{- range .Values.tap.dns.nameservers }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.searches }}
+        searches:
+        {{- range .Values.tap.dns.searches }}
+          - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.tap.dns.options }}
+        options:
+        {{- range .Values.tap.dns.options }}
+          - name: {{ .name | quote }}
+            {{- if .value }}
+            value: {{ .value | quote }}
+            {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      volumes:
+        - name: dex-secret-conf-volume
+          secret:
+            secretName: kubeshark-dex-conf-secret
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+
+{{- end }}

helm-chart/templates/19-dex-service.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubeshark.co/app: dex
+    {{- include "kubeshark.labels" . | nindent 4 }}
+  annotations:
+  {{- if .Values.tap.annotations }}
+    {{- toYaml .Values.tap.annotations | nindent 4 }}
+  {{- end }}
+  name: kubeshark-dex
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: kubeshark-dex
+      port: 80
+      targetPort: 5556
+  selector:
+    app.kubeshark.co/app: dex
+  type: ClusterIP
+
+{{- end }}

helm-chart/templates/20-dex-secret.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.tap.auth.dexConfig }}
+
+kind: Secret
+apiVersion: v1
+metadata:
+  name: kubeshark-dex-conf-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubeshark.co/app: hub
+    {{- include "kubeshark.labels" . | nindent 4 }}
+data:
+  dex-config.yaml: {{ .Values.tap.auth.dexConfig | toYaml | b64enc | quote }}
+
+{{- end }}

helm-chart/templates/NOTES.txt

@@ -34,7 +34,7 @@ Notices:
 {{ if .Values.tap.ingress.enabled }}
 
 You can now access the application through the following URL:
-http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}
+http{{ if .Values.tap.ingress.tls }}s{{ end }}://{{ .Values.tap.ingress.host }}{{ default "" (((.Values.tap).routing).front).basePath }}/
 
 {{- else }}
 To access the application, follow these steps:
@@ -44,6 +44,6 @@ To access the application, follow these steps:
     kubectl port-forward -n {{ .Release.Namespace }} service/kubeshark-front 8899:80
 
 2. Once port forwarding is done, you can access the application by visiting the following URL in your web browser:
-    http://0.0.0.0:8899
+    http://0.0.0.0:8899{{ default "" (((.Values.tap).routing).front).basePath }}/
 
 {{- end }}

helm-chart/templates/_helpers.tpl

@@ -86,3 +86,15 @@ Set sentry based on internet connectivity and telemetry
   {{- end -}}
   {{- $sentryEnabledVal -}}
 {{- end -}}
+
+{{/*
+Dex IdP: retrieve a secret for static client with a specific ID
+*/}}
+{{- define "getDexKubesharkStaticClientSecret" -}}
+  {{- $clientId := .clientId -}}
+  {{- range .clients }}
+    {{- if eq .id $clientId }}
+      {{- .secret }}
+    {{- end }}
+  {{- end }}
+{{- end }}

helm-chart/values.yaml

@@ -131,12 +131,17 @@ tap:
     host: ks.svc.cluster.local
     tls: []
     annotations: {}
+  routing:
+    front:
+      basePath: ""
   ipv6: true
   debug: false
   telemetry:
     enabled: true
   resourceGuard:
     enabled: false
+  watchdog:
+    enabled: true
   sentry:
     enabled: false
     environment: production

manifests/complete.yaml

@@ -4,10 +4,10 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-hub-network-policy
@@ -34,10 +34,10 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-front-network-policy
@@ -61,10 +61,37 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+  name: kubeshark-dex-network-policy
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      app.kubeshark.co/app: dex
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5556
+  egress:
+    - {}
+---
+# Source: kubeshark/templates/17-network-policies.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    helm.sh/chart: kubeshark-52.6
+    app.kubernetes.io/name: kubeshark
+    app.kubernetes.io/instance: kubeshark
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-worker-network-policy
@@ -90,10 +117,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-service-account
@@ -107,14 +134,16 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
 stringData:
     LICENSE: ''
     SCRIPTING_ENV: '{}'
+    OIDC_CLIENT_ID: 'not set'
+    OIDC_CLIENT_SECRET: 'not set'
 ---
 # Source: kubeshark/templates/13-secret.yaml
 kind: Secret
@@ -124,10 +153,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
 stringData:
   AUTH_SAML_X509_CRT: |
@@ -140,10 +169,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
 stringData:
   AUTH_SAML_X509_KEY: |
@@ -155,10 +184,10 @@ metadata:
   name: kubeshark-nginx-config-map
   namespace: default
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
 data:
   default.conf: |
@@ -219,10 +248,10 @@ metadata:
   namespace: default
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
 data:
     POD_REGEX: '.*'
@@ -236,10 +265,13 @@ data:
     INGRESS_HOST: 'ks.svc.cluster.local'
     PROXY_FRONT_PORT: '8899'
     AUTH_ENABLED: 'true'
-    AUTH_TYPE: 'oidc'
+    AUTH_TYPE: 'default'
     AUTH_SAML_IDP_METADATA_URL: ''
     AUTH_SAML_ROLE_ATTRIBUTE: 'role'
     AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canStopTrafficCapturing":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":"","scriptingPermissions":{"canActivate":true,"canDelete":true,"canSave":true},"showAdminConsoleLink":true}}'
+    AUTH_OIDC_ISSUER: 'not set'
+    AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '3960h'
+    AUTH_OIDC_STATE_PARAM_EXPIRY: '10m'
     TELEMETRY_DISABLED: 'false'
     SCRIPTING_DISABLED: 'false'
     TARGETED_PODS_UPDATE_DISABLED: ''
@@ -271,10 +303,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-cluster-role-default
@@ -319,10 +351,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-cluster-role-binding-default
@@ -341,10 +373,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-self-config-role
@@ -371,10 +403,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-self-config-role-binding
@@ -394,10 +426,10 @@ kind: Service
 metadata:
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-hub
@@ -416,10 +448,10 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-front
@@ -438,10 +470,10 @@ kind: Service
 apiVersion: v1
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
     prometheus.io/scrape: 'true'
@@ -451,10 +483,10 @@ metadata:
 spec:
   selector:
     app.kubeshark.co/app: worker
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   ports:
   - name: metrics
@@ -467,10 +499,10 @@ kind: Service
 apiVersion: v1
 metadata:
   labels:
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
     prometheus.io/scrape: 'true'
@@ -480,10 +512,10 @@ metadata:
 spec:
   selector:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   ports:
   - name: metrics
@@ -498,10 +530,10 @@ metadata:
   labels:
     app.kubeshark.co/app: worker
     sidecar.istio.io/inject: "false"
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-worker-daemon-set
@@ -516,10 +548,10 @@ spec:
     metadata:
       labels:
         app.kubeshark.co/app: worker
-        helm.sh/chart: kubeshark-52.5
+        helm.sh/chart: kubeshark-52.6
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.5"
+        app.kubernetes.io/version: "52.6"
         app.kubernetes.io/managed-by: Helm
       name: kubeshark-worker-daemon-set
       namespace: kubeshark
@@ -529,7 +561,7 @@ spec:
           - /bin/sh
           - -c
           - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
-          image: 'docker.io/kubeshark/worker:v52.5'
+          image: 'docker.io/kubeshark/worker:v52.6'
           imagePullPolicy: Always
           name: mount-bpf
           securityContext:
@@ -554,11 +586,12 @@ spec:
             - -servicemesh
             - -procfs
             - /hostproc
+            - -enable-watchdog
             - -resolution-strategy
             - 'auto'
             - -staletimeout
             - '30'
-          image: 'docker.io/kubeshark/worker:v52.5'
+          image: 'docker.io/kubeshark/worker:v52.6'
           imagePullPolicy: Always
           name: sniffer
           ports:
@@ -632,7 +665,7 @@ spec:
             - -disable-tls-log
             - -loglevel
             - 'warning'
-          image: 'docker.io/kubeshark/worker:v52.5'
+          image: 'docker.io/kubeshark/worker:v52.6'
           imagePullPolicy: Always
           name: tracer
           env:
@@ -724,10 +757,10 @@ kind: Deployment
 metadata:
   labels:
     app.kubeshark.co/app: hub
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-hub
@@ -743,10 +776,10 @@ spec:
     metadata:
       labels:
         app.kubeshark.co/app: hub
-        helm.sh/chart: kubeshark-52.5
+        helm.sh/chart: kubeshark-52.6
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.5"
+        app.kubernetes.io/version: "52.6"
         app.kubernetes.io/managed-by: Helm
     spec:
       dnsPolicy: ClusterFirstWithHostNet
@@ -776,7 +809,7 @@ spec:
             value: 'https://api.kubeshark.co'
           - name: PROFILING_ENABLED
             value: 'false'
-          image: 'docker.io/kubeshark/hub:v52.5'
+          image: 'docker.io/kubeshark/hub:v52.6'
           imagePullPolicy: Always
           readinessProbe:
             periodSeconds: 10
@@ -839,10 +872,10 @@ kind: Deployment
 metadata:
   labels:
     app.kubeshark.co/app: front
-    helm.sh/chart: kubeshark-52.5
+    helm.sh/chart: kubeshark-52.6
     app.kubernetes.io/name: kubeshark
     app.kubernetes.io/instance: kubeshark
-    app.kubernetes.io/version: "52.5"
+    app.kubernetes.io/version: "52.6"
     app.kubernetes.io/managed-by: Helm
   annotations:
   name: kubeshark-front
@@ -858,10 +891,10 @@ spec:
     metadata:
       labels:
         app.kubeshark.co/app: front
-        helm.sh/chart: kubeshark-52.5
+        helm.sh/chart: kubeshark-52.6
         app.kubernetes.io/name: kubeshark
         app.kubernetes.io/instance: kubeshark
-        app.kubernetes.io/version: "52.5"
+        app.kubernetes.io/version: "52.6"
         app.kubernetes.io/managed-by: Helm
     spec:
       containers:
@@ -869,7 +902,7 @@ spec:
             - name: REACT_APP_AUTH_ENABLED
               value: 'true'
             - name: REACT_APP_AUTH_TYPE
-              value: 'oidc'
+              value: 'default'
             - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
               value: ' '
             - name: REACT_APP_TIMEZONE
@@ -898,7 +931,7 @@ spec:
               value: 'false'
             - name: REACT_APP_SENTRY_ENVIRONMENT
               value: 'production'
-          image: 'docker.io/kubeshark/front:v52.5'
+          image: 'docker.io/kubeshark/front:v52.6'
           imagePullPolicy: Always
           name: kubeshark-front
           livenessProbe: