From a6eabbbdee7cb00ebbcd4f3dcc5c7dfb5a5237a2 Mon Sep 17 00:00:00 2001
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com>
Date: Fri, 4 Apr 2025 20:07:02 +0300
Subject: [PATCH] :hammer: Add `tap.auth.dexOidc.bypassSslCaCheck` flag (#1737)
* :hammer: Add `tap.auth.dexOidc.bypassSslCaCheck` flag
* :memo: Update docs for Dex SSL CA bypass
* :hammer: Bring back deleted Dex node-selector-terms
---
config/configStructs/tapConfig.go | 1 +
helm-chart/README.md | 13 +++++++++++++
helm-chart/templates/12-config-map.yaml | 9 +++++++++
helm-chart/values.yaml | 6 ++++++
4 files changed, 29 insertions(+)
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index 923223cb0..99bf42159 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -138,6 +138,7 @@ type NodeSelectorTermsConfig struct {
Hub []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"`
Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"`
Front []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
+ Dex []v1.NodeSelectorTerm `yaml:"dex" json:"dex" default:"[]"`
}
type TolerationsConfig struct {
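Review bot: The new `Dex` field has no doc comment, and it is the only Go-side change in a commit whose title introduces `tap.auth.dexOidc.bypassSslCaCheck`; if the dexOidc section is also modelled in tapConfig.go (not visible in this hunk), it gains no matching field here, so a value set in values.yaml may not round-trip through the CLI config — worth confirming. For the field itself, a one-line comment such as `// Dex holds the node selector terms for the Dex workload; mirrors Hub, Workers and Front.` would make the restored entry self-describing. NodeSelectorTermsConfig's opening line is the hunk header and TolerationsConfig continues outside the hunk.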
diff --git a/helm-chart/README.md b/helm-chart/README.md
index c18b30137..2aa877b09 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -351,8 +351,20 @@ tap:
clientSecret: create your own client password
refreshTokenLifetime: "3960h" # 165 days
oauth2StateParamExpiry: "10m"
+ bypassSslCaCheck: false
```
+---
+
+**Note:**
+Set `tap.auth.dexOidc.bypassSslCaCheck: true`
+to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority.
+
+This setting allows you to prevent such SSL CA-related errors:
+`tls: failed to verify certificate: x509: certificate signed by unknown authority`
+
+---
+
Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
---
@@ -443,6 +455,7 @@ tap:
refreshTokenLifetime: "3960h" # 165 days
oauth2StateParamExpiry: "10m"
+ bypassSslCaCheck: false
dexConfig:
# This field is REQUIRED!
#
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml
index 3cf3d7144..a7e554e6c 100644
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -33,6 +33,15 @@ data:
AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
+ AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and
+ (hasKey .Values.tap "auth")
+ (hasKey .Values.tap.auth "dexOidc")
+ (hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck")
+ -}}
+ {{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }}
+ {{- else -}}
+ false
+ {{- end }}'
TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
{{- if .Values.demoModeEnabled -}}
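Review bot: `AUTH_OIDC_BYPASS_SSL_CA_CHECK` is rendered with no comment stating that enabling it turns off CA verification of the Dex IdP's TLS certificate, which weakens the OIDC trust chain for every login; the template should carry `# true disables TLS CA verification toward the Dex IdP (see README); prefer trusting the issuer's CA where possible.` above the key. The `eq ... true` comparison recognises only a YAML boolean, so a quoted `bypassSslCaCheck: "true"` silently renders `false` — fail-safe, but worth a second comment line `# only an unquoted boolean true enables the bypass`. The `hasKey` chain also differs in style from the nil-safe `(((.Values.tap).auth).dexOidc).issuer` form used by the neighbouring keys; it appears necessary because values.yaml does not seem to declare a default for this key in this patch, so either add `bypassSslCaCheck: false` under `tap.auth.dexOidc` in values.yaml or keep the guard and say why in the comment.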
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index a898a8e58..f4e2d41f9 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -99,6 +99,12 @@ tap:
operator: In
values:
- linux
+ dex:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
tolerations:
hub: []
workers: