From 660fa1c3c1a6c476a671c83ac03dcde752a61e8b Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 22 Jul 2025 00:42:03 +0300 Subject: [PATCH 1/3] Add priority class into templates --- config/configStructs/tapConfig.go | 1 + helm-chart/templates/04-hub-deployment.yaml | 3 +++ helm-chart/templates/06-front-deployment.yaml | 3 +++ helm-chart/templates/09-worker-daemon-set.yaml | 3 +++ helm-chart/templates/18-cleanup-job.yaml | 5 ++++- helm-chart/templates/18-dex-deployment.yaml | 4 +++- helm-chart/values.yaml | 1 + 7 files changed, 18 insertions(+), 2 deletions(-) diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index 1251e8e99..9fda21fe5 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -328,6 +328,7 @@ type TapConfig struct { Tolerations TolerationsConfig `yaml:"tolerations" json:"tolerations" default:"{}"` Auth AuthConfig `yaml:"auth" json:"auth"` Ingress IngressConfig `yaml:"ingress" json:"ingress"` + PriorityClass string `yaml:"priorityClass" json:"priorityClass" default:""` Routing RoutingConfig `yaml:"routing" json:"routing"` IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"` Debug bool `yaml:"debug" json:"debug" default:"false"` diff --git a/helm-chart/templates/04-hub-deployment.yaml b/helm-chart/templates/04-hub-deployment.yaml index 49df442d3..30539c33b 100644 --- a/helm-chart/templates/04-hub-deployment.yaml +++ b/helm-chart/templates/04-hub-deployment.yaml @@ -25,6 +25,9 @@ spec: spec: dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} + {{- if .Values.tap.priorityClass }} + priorityClassName: {{ .Values.tap.priorityClass | quote }} + {{- end }} containers: - name: hub command: diff --git a/helm-chart/templates/06-front-deployment.yaml b/helm-chart/templates/06-front-deployment.yaml index cda39fb00..d4d185895 100644 --- a/helm-chart/templates/06-front-deployment.yaml +++ b/helm-chart/templates/06-front-deployment.yaml 
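Review bot: The new `PriorityClass` field in `TapConfig` has no comment saying what the value must be or which pods it reaches, and its name differs from the Kubernetes pod field `priorityClassName` that it is rendered into. I would add above it `// PriorityClass names an existing PriorityClass set as priorityClassName on every Kubeshark pod; empty omits the field.` Going by the template hunks in this patch, the value is applied to the hub, front, worker, cleanup and dex pods alike, and Kubernetes rejects a pod whose priority class does not exist, so a typo here would stop all of them from being created. The struct begins and ends outside this hunk.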
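Review bot: A single `tap.priorityClass` is rendered into every workload this patch touches (hub here, then front, the worker DaemonSet, the cleanup Job and dex), so the capture workers cannot be given a higher priority without handing the same preemption rights to the front end and to a one-off Job. The worker template already takes per-component settings (`.Values.tap.tolerations.workers`), and priority would fit the same shape, for example `priorityClassName: {{ .Values.tap.priorityClass.hub | quote }}` under a matching guard, where `hub` is a constructed key name. If the single knob is kept, the README row should say that a high class lets these pods preempt other workloads and that the class must already exist in the cluster. The pod spec continues outside this hunk.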
@@ -175,3 +175,6 @@ spec: name: kubeshark-nginx-config-map dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} + {{- if .Values.tap.priorityClass }} + priorityClassName: {{ .Values.tap.priorityClass | quote }} + {{- end }} diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml index a183eb365..a2a963bdd 100644 --- a/helm-chart/templates/09-worker-daemon-set.yaml +++ b/helm-chart/templates/09-worker-daemon-set.yaml @@ -331,6 +331,9 @@ spec: dnsPolicy: ClusterFirstWithHostNet hostNetwork: true serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} + {{- if .Values.tap.priorityClass }} + priorityClassName: {{ .Values.tap.priorityClass | quote }} + {{- end }} {{- if .Values.tap.tolerations.workers }} tolerations: {{- range .Values.tap.tolerations.workers }} diff --git a/helm-chart/templates/18-cleanup-job.yaml b/helm-chart/templates/18-cleanup-job.yaml index 59a076299..716019f1c 100644 --- a/helm-chart/templates/18-cleanup-job.yaml +++ b/helm-chart/templates/18-cleanup-job.yaml @@ -10,6 +10,9 @@ spec: template: spec: serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} + {{- if .Values.tap.priorityClass }} + priorityClassName: {{ .Values.tap.priorityClass | quote }} + {{- end }} restartPolicy: Never containers: - name: cleanup @@ -21,4 +24,4 @@ spec: image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}' {{- end }} command: ["/app/cleanup"] -{{ end -}} \ No newline at end of file +{{ end -}} diff --git a/helm-chart/templates/18-dex-deployment.yaml b/helm-chart/templates/18-dex-deployment.yaml index bf50dddc7..f9314c6a6 100644 --- a/helm-chart/templates/18-dex-deployment.yaml +++ b/helm-chart/templates/18-dex-deployment.yaml 
@@ -106,5 +106,7 @@ spec: secretName: kubeshark-dex-conf-secret dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ include "kubeshark.serviceAccountName" . }} - + {{- if .Values.tap.priorityClass }} + priorityClassName: {{ .Values.tap.priorityClass | quote }} + {{- end }} {{- end }} diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 6686cf8d1..a79875358 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -139,6 +139,7 @@ tap: host: ks.svc.cluster.local tls: [] annotations: {} + priorityClass: "" routing: front: basePath: "" From da061f341955ad87686a750774c21549137cfb45 Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Tue, 22 Jul 2025 00:48:26 +0300 Subject: [PATCH 2/3] upd readme --- helm-chart/README.md | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/helm-chart/README.md b/helm-chart/README.md index 1f46fef41..4c8afce1e 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -112,7 +112,7 @@ Example for overriding image names: ```yaml docker: - overrideImage: + overrideImage: worker: docker.io/kubeshark/worker:v52.3.87 front: docker.io/kubeshark/front:v52.3.87 hub: docker.io/kubeshark/hub:v52.3.87 
@@ -180,6 +180,7 @@ Example for overriding image names: | `tap.nodeSelectorTerms.workers` | Node selector terms for workers components | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` | | `tap.nodeSelectorTerms.hub` | Node selector terms for hub component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` | | `tap.nodeSelectorTerms.front` | Node selector terms for front-end component | `[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]` | +| `tap.priorityClass` | Priority class name for Kubeshark components | `""` | | `tap.tolerations.workers` | Tolerations for workers components | `[ {"operator": "Exists", "effect": "NoExecute"}` | | `tap.tolerations.hub` | Tolerations for hub component | `[]` | | `tap.tolerations.front` | Tolerations for front-end component | `[]` | @@ -302,7 +303,7 @@ tap: [**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp). -Choose this option, if **you already have a running instance** of Dex in your cluster & +Choose this option, if **you already have a running instance** of Dex in your cluster & you want to set up Dex OIDC authentication for Kubeshark users. Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/). @@ -344,7 +345,7 @@ Add these helm values to set up OIDC authentication powered by your Dex IdP: ```yaml # values.yaml -tap: +tap: auth: enabled: true type: dex 
@@ -374,7 +375,7 @@ Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kube # Installing your own Dex IdP along with Kubeshark -Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & +Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & set up Dex OIDC authentication for Kubeshark users. Depending on Ingress enabled/disabled, your Dex configuration might differ. @@ -410,10 +411,10 @@ The following Dex settings will have these values: Please, make sure to prepare the following things first. -1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. +1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. - i.e. how many kind of "Log in with ..." options you'd like to offer your users - You will need to specify connectors in `tap.auth.dexConfig.connectors` -2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. +2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. - You will need to specify storage settings in `tap.auth.dexConfig.storage` - default: `memory` 3. Decide on the OAuth2 `?state=` param expiration time: 
@@ -445,28 +446,28 @@ Make sure to: Helm `values.yaml`: ```yaml -tap: +tap: auth: enabled: true type: dex dexOidc: issuer: https:///dex - + # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret` clientId: kubeshark clientSecret: create your own client password - + refreshTokenLifetime: "3960h" # 165 days oauth2StateParamExpiry: "10m" bypassSslCaCheck: false dexConfig: # This field is REQUIRED! - # + # # The base path of Dex and the external name of the OpenID Connect service. # This is the canonical URL that all clients MUST use to refer to Dex. If a # path is provided, Dex's HTTP service will listen at a non-root URL. issuer: https:///dex - + # Expiration configuration for tokens, signing keys, etc. expiry: refreshTokens: @@ -474,15 +475,15 @@ tap: absoluteLifetime: "3960h" # 165 days # This field is REQUIRED! - # + # # The storage configuration determines where Dex stores its state. # See the documentation (https://dexidp.io/docs/storage/) for further information. storage: type: memory # This field is REQUIRED! - # - # Attention: + # + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -492,7 +493,7 @@ tap: # This field is REQUIRED! # - # Attention: + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -518,10 +519,10 @@ tap: # Connectors are used to authenticate users against upstream identity providers. # See the documentation (https://dexidp.io/docs/connectors/) for further information. # - # Attention: - # When you define a new connector, `config.redirectURI` must be: + # Attention: + # When you define a new connector, `config.redirectURI` must be: # https:///dex/callback - # + # # Example with Google connector: # connectors: # - type: google From 766e13c7db447dff218628f60813225be9ca68c6 Mon Sep 17 00:00:00 2001 
From: Volodymyr Stoiko Date: Tue, 22 Jul 2025 00:50:28 +0300 Subject: [PATCH 3/3] upd --- helm-chart/README.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/helm-chart/README.md b/helm-chart/README.md index 4c8afce1e..33d99cbac 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md @@ -112,7 +112,7 @@ Example for overriding image names: ```yaml docker: - overrideImage: + overrideImage: worker: docker.io/kubeshark/worker:v52.3.87 front: docker.io/kubeshark/front:v52.3.87 hub: docker.io/kubeshark/hub:v52.3.87 @@ -303,7 +303,7 @@ tap: [**Click here to see full docs**](https://docs.kubeshark.co/en/saml#installing-with-oidc-enabled-dex-idp). -Choose this option, if **you already have a running instance** of Dex in your cluster & +Choose this option, if **you already have a running instance** of Dex in your cluster & you want to set up Dex OIDC authentication for Kubeshark users. Kubeshark supports authentication using [Dex - A Federated OpenID Connect Provider](https://dexidp.io/). @@ -345,7 +345,7 @@ Add these helm values to set up OIDC authentication powered by your Dex IdP: ```yaml # values.yaml -tap: +tap: auth: enabled: true type: dex @@ -375,7 +375,7 @@ Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kube # Installing your own Dex IdP along with Kubeshark -Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & +Choose this option, if **you need to deploy an instance of Dex IdP** along with Kubeshark & set up Dex OIDC authentication for Kubeshark users. Depending on Ingress enabled/disabled, your Dex configuration might differ. 
@@ -411,10 +411,10 @@ The following Dex settings will have these values: Please, make sure to prepare the following things first. -1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. +1. Choose **[Connectors](https://dexidp.io/docs/connectors/)** to enable in Dex IdP. - i.e. how many kind of "Log in with ..." options you'd like to offer your users - You will need to specify connectors in `tap.auth.dexConfig.connectors` -2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. +2. Choose type of **[Storage](https://dexidp.io/docs/configuration/storage/)** to use in Dex IdP. - You will need to specify storage settings in `tap.auth.dexConfig.storage` - default: `memory` 3. Decide on the OAuth2 `?state=` param expiration time: @@ -446,28 +446,28 @@ Make sure to: Helm `values.yaml`: ```yaml -tap: +tap: auth: enabled: true type: dex dexOidc: issuer: https:///dex - + # Client ID/secret must be taken from `tap.auth.dexConfig.staticClients -> id/secret` clientId: kubeshark clientSecret: create your own client password - + refreshTokenLifetime: "3960h" # 165 days oauth2StateParamExpiry: "10m" bypassSslCaCheck: false dexConfig: # This field is REQUIRED! - # + # # The base path of Dex and the external name of the OpenID Connect service. # This is the canonical URL that all clients MUST use to refer to Dex. If a # path is provided, Dex's HTTP service will listen at a non-root URL. issuer: https:///dex - + # Expiration configuration for tokens, signing keys, etc. expiry: refreshTokens: 
@@ -475,15 +475,15 @@ tap: absoluteLifetime: "3960h" # 165 days # This field is REQUIRED! - # + # # The storage configuration determines where Dex stores its state. # See the documentation (https://dexidp.io/docs/storage/) for further information. storage: type: memory # This field is REQUIRED! - # - # Attention: + # + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -493,7 +493,7 @@ tap: # This field is REQUIRED! # - # Attention: + # Attention: # Do not change this field and its values. # This field is required for internal Kubeshark-to-Dex communication. # @@ -519,10 +519,10 @@ tap: # Connectors are used to authenticate users against upstream identity providers. # See the documentation (https://dexidp.io/docs/connectors/) for further information. # - # Attention: - # When you define a new connector, `config.redirectURI` must be: + # Attention: + # When you define a new connector, `config.redirectURI` must be: # https:///dex/callback - # + # # Example with Google connector: # connectors: # - type: google