🔨 Add tap.auth.dexOidc.bypassSslCaCheck flag (#1737)

* 🔨 Add `tap.auth.dexOidc.bypassSslCaCheck` flag * 📝 Update docs for Dex SSL CA bypass * 🔨 Bring back deleted Dex node-selector-terms
2025-06-23 23:08:35 +00:00 · 2025-04-04 20:07:02 +03:00 · 2025-04-04 20:07:02 +03:00 · a6eabbbdee
commit a6eabbbdee
parent a914733078
4 changed files with 29 additions and 0 deletions
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@ -138,6 +138,7 @@ type NodeSelectorTermsConfig struct {
 	Hub     []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"`
 	Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"`
 	Front   []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
+	Dex     []v1.NodeSelectorTerm `yaml:"dex" json:"dex" default:"[]"`
 }

 type TolerationsConfig struct {
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@ -351,8 +351,20 @@ tap:
      clientSecret: create your own client password
      refreshTokenLifetime: "3960h" # 165 days
      oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
 ```

+---
+
+**Note:**<br/>
+Set `tap.auth.dexOidc.bypassSslCaCheck: true`
+to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority.
+
+This setting allows you to prevent such SSL CA-related errors:<br/>
+`tls: failed to verify certificate: x509: certificate signed by unknown authority`
+
+---
+
 Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.

 ---
@ -443,6 +455,7 @@ tap:
      
      refreshTokenLifetime: "3960h" # 165 days
      oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
    dexConfig:
      # This field is REQUIRED!
      # 
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@ -33,6 +33,15 @@ data:
    AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
    AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
    AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
+    AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and
+                                      (hasKey .Values.tap "auth")
+                                      (hasKey .Values.tap.auth "dexOidc")
+                                      (hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck")
+                                    -}}
+                                      {{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }}
+                                    {{- else -}}
+                                      false
+                                    {{- end }}'
    TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
    SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
                           {{- if .Values.demoModeEnabled -}}
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@ -99,6 +99,12 @@ tap:
        operator: In
        values:
        - linux
+    dex:
+    - matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+        - linux
  tolerations:
    hub: []
    workers: