⚡ Template the AUTH_APPROVED_DOMAINS and certmanager.k8s.io/cluster-issuer

Also add `networking.k8s.io` to `apiGroups` in `ClusterRole`
2025-08-28 13:25:13 +00:00 · 2023-05-25 05:07:42 +03:00 · 2023-05-25 05:07:42 +03:00 · be5bd6a372
commit be5bd6a372
parent 42df7aa42f
9 changed files with 39 additions and 12 deletions
--- a/cmd/helmChart.go
+++ b/cmd/helmChart.go
@ -144,6 +144,10 @@ var hubPodMappings = map[string]interface{}{
 			"name":  "SCRIPTING_SCRIPTS",
 			"value": "[]",
 		},
+		{
+			"name":  "AUTH_APPROVED_DOMAINS",
+			"value": "{{ gt (len .Values.tap.ingress.auth.approvedDomains) 0 | ternary (join \",\" .Values.tap.ingress.auth.approvedDomains) \"\" }}",
+		},
 	},
 	"spec.containers[0].image":                     "{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.tag }}",
 	"spec.containers[0].imagePullPolicy":           "{{ .Values.tap.docker.imagepullpolicy }}",
@ -180,6 +184,7 @@ var workerDaemonSetMappings = map[string]interface{}{
 var ingressClassMappings = serviceAccountMappings
 var ingressMappings = map[string]interface{}{
 	"metadata.namespace": "{{ .Values.tap.selfnamespace }}",
+	"metadata.annotations[\"certmanager.k8s.io/cluster-issuer\"]": "{{ .Values.tap.ingress.certManager }}",
 	"spec.rules[0].host": "{{ .Values.tap.ingress.host }}",
 	"spec.tls":           "{{ .Values.tap.ingress.tls | toYaml }}",
 }
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "40.3"
+appVersion: "40.4"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:
@ -22,4 +22,4 @@ name: kubeshark
 sources:
  - https://github.com/kubeshark/kubeshark/tree/master/helm-chart
 type: application
-version: "40.3"
+version: "40.4"
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@ -51,3 +51,18 @@ kubectl port-forward -n kubeshark service/kubeshark-front 8899:80
 ```

 Visit [localhost:8899](http://localhost:8899)
+
+## Installing with Ingress Enabled
+
+```shell
+helm install kubeshark kubeshark/kubeshark \
+  --set tap.ingress.enabled=true \
+  --set tap.ingress.host=ks.svc.cluster.local \
+  --set "tap.ingress.auth.approvedDomains={gmail.com}"
+```
+
+## Installing with Persistent Storage Enabled
+
+```shell
+helm install kubeshark kubeshark/kubeshark --set tap.persistentstorage=true
+```
--- a/helm-chart/templates/02-cluster-role.yaml
+++ b/helm-chart/templates/02-cluster-role.yaml
@ -15,6 +15,7 @@ rules:
      - ""
      - extensions
      - apps
+      - networking.k8s.io
    resources:
      - pods
      - services
--- a/helm-chart/templates/04-hub-pod.yaml
+++ b/helm-chart/templates/04-hub-pod.yaml
@ -25,6 +25,8 @@ spec:
          value: '{}'
        - name: SCRIPTING_SCRIPTS
          value: '[]'
+        - name: AUTH_APPROVED_DOMAINS
+          value: '{{ gt (len .Values.tap.ingress.auth.approvedDomains) 0 | ternary (join "," .Values.tap.ingress.auth.approvedDomains) "" }}'
      image: '{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.tag }}'
      imagePullPolicy: '{{ .Values.tap.docker.imagepullpolicy }}'
      name: kubeshark-hub
--- a/helm-chart/templates/11-ingress.yaml
+++ b/helm-chart/templates/11-ingress.yaml
@ -5,7 +5,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
-    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+    certmanager.k8s.io/cluster-issuer: '{{ .Values.tap.ingress.certManager }}'
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  creationTimestamp: null
  labels:
--- a/kubernetes/provider.go
+++ b/kubernetes/provider.go
@ -667,6 +667,7 @@ func (provider *Provider) BuildClusterRole() *rbac.ClusterRole {
 					"",
 					"extensions",
 					"apps",
+					"networking.k8s.io",
 				},
 				Resources: []string{
 					"pods",
--- a/manifests/02-cluster-role.yaml
+++ b/manifests/02-cluster-role.yaml
@ -15,6 +15,7 @@ rules:
      - ""
      - extensions
      - apps
+      - networking.k8s.io
    resources:
      - pods
      - services
--- a/resources/createResources.go
+++ b/resources/createResources.go
@ -70,17 +70,19 @@ func CreateHubResources(ctx context.Context, kubernetesProvider *kubernetes.Prov
 	}
 	log.Info().Str("service", kubernetes.FrontServiceName).Msg("Successfully created a service.")

-	_, err = kubernetesProvider.CreateIngressClass(ctx, kubernetesProvider.BuildIngressClass())
-	if err != nil {
-		return selfServiceAccountExists, err
-	}
-	log.Info().Str("ingress-class", kubernetes.IngressClassName).Msg("Successfully created an ingress class.")
+	if config.Config.Tap.Ingress.Enabled {
+		_, err = kubernetesProvider.CreateIngressClass(ctx, kubernetesProvider.BuildIngressClass())
+		if err != nil {
+			return selfServiceAccountExists, err
+		}
+		log.Info().Str("ingress-class", kubernetes.IngressClassName).Msg("Successfully created an ingress class.")

-	_, err = kubernetesProvider.CreateIngress(ctx, selfNamespace, kubernetesProvider.BuildIngress())
-	if err != nil {
-		return selfServiceAccountExists, err
+		_, err = kubernetesProvider.CreateIngress(ctx, selfNamespace, kubernetesProvider.BuildIngress())
+		if err != nil {
+			return selfServiceAccountExists, err
+		}
+		log.Info().Str("ingress", kubernetes.IngressName).Msg("Successfully created an ingress.")
 	}
-	log.Info().Str("ingress", kubernetes.IngressName).Msg("Successfully created an ingress.")

 	return selfServiceAccountExists, nil
 }