github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-10 12:53:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into use-default-cm-and-secret

Browse Source
This commit is contained in:
Alon Girmonsky 2025-04-08 12:11:37 -07:00 committed by GitHub
commit d08c451d36
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 124 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
cmd/scripts.go
View File

@ -123,7 +123,7 @@ func createScript(provider *kubernetes.Provider, script misc.ConfigMapScript) (i
} }
if k8serrors.IsConflict(err) { if k8serrors.IsConflict(err) {
log.Warn().Err(err).Msg("Conflict detected, retrying update...") log.Debug().Err(err).Msg("Conflict detected, retrying update...")
time.Sleep(500 * time.Millisecond) time.Sleep(500 * time.Millisecond)
continue continue
} }
@ -332,23 +332,29 @@ func watchConfigMap(ctx context.Context, provider *kubernetes.Provider) {
continue continue
} }
// Create a goroutine to process events
watcherClosed := make(chan struct{})
go func() {
defer close(watcherClosed)
for event := range watcher.ResultChan() { for event := range watcher.ResultChan() {
select {
case <-ctx.Done():
log.Info().Msg("ConfigMap watcher loop exiting gracefully.")
watcher.Stop()
return
default:
if event.Type == watch.Added { if event.Type == watch.Added {
log.Info().Msg("ConfigMap created or modified") log.Info().Msg("ConfigMap created or modified")
runScriptsSync(provider) runScriptsSync(provider)
} else if event.Type == watch.Deleted { } else if event.Type == watch.Deleted {
log.Warn().Msg("ConfigMap deleted, waiting for recreation...") log.Warn().Msg("ConfigMap deleted, waiting for recreation...")
watcher.Stop()
break break
} }
} }
}()
// Wait for either context cancellation or watcher completion
select {
case <-ctx.Done():
watcher.Stop()
log.Info().Msg("ConfigMap watcher stopping due to context cancellation")
return
case <-watcherClosed:
log.Info().Msg("Watcher closed, restarting...")
} }
time.Sleep(5 * time.Second) time.Sleep(5 * time.Second)

18
config/configStruct.go
View File

@ -50,6 +50,17 @@ func CreateDefaultConfig() ConfigStruct {
}, },
}, },
}, },
Dex: []v1.NodeSelectorTerm{
{
MatchExpressions: []v1.NodeSelectorRequirement{
{
Key: "kubernetes.io/os",
Operator: v1.NodeSelectorOpIn,
Values: []string{"linux"},
},
},
},
},
}, },
Tolerations: configStructs.TolerationsConfig{ Tolerations: configStructs.TolerationsConfig{
Workers: []v1.Toleration{ Workers: []v1.Toleration{
@ -135,6 +146,9 @@ func CreateDefaultConfig() ConfigStruct {
LDAP: []uint16{389}, LDAP: []uint16{389},
DIAMETER: []uint16{3868}, DIAMETER: []uint16{3868},
}, },
Dashboard: configStructs.DashboardConfig{
CompleteStreamingEnabled: true,
},
}, },
} }
} }
@ -158,9 +172,9 @@ type ConfigStruct struct {
HeadlessMode bool `yaml:"headless" json:"headless" default:"false"` HeadlessMode bool `yaml:"headless" json:"headless" default:"false"`
License string `yaml:"license" json:"license" default:""` License string `yaml:"license" json:"license" default:""`
CloudLicenseEnabled bool `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"` CloudLicenseEnabled bool `yaml:"cloudLicenseEnabled" json:"cloudLicenseEnabled" default:"true"`
AiAssistantEnabled bool `yaml:"aiAssistantEnabled" json:"aiAssistantEnabled" default:"false"` AiAssistantEnabled bool `yaml:"aiAssistantEnabled" json:"aiAssistantEnabled" default:"true"`
DemoModeEnabled bool `yaml:"demoModeEnabled" json:"demoModeEnabled" default:"false"` DemoModeEnabled bool `yaml:"demoModeEnabled" json:"demoModeEnabled" default:"false"`
SupportChatEnabled bool `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"true"` SupportChatEnabled bool `yaml:"supportChatEnabled" json:"supportChatEnabled" default:"false"`
InternetConnectivity bool `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"` InternetConnectivity bool `yaml:"internetConnectivity" json:"internetConnectivity" default:"true"`
Scripting configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"` Scripting configStructs.ScriptingConfig `yaml:"scripting" json:"scripting"`
Manifests ManifestsConfig `yaml:"manifests,omitempty" json:"manifests,omitempty"` Manifests ManifestsConfig `yaml:"manifests,omitempty" json:"manifests,omitempty"`

7
config/configStructs/tapConfig.go
View File

@ -138,6 +138,7 @@ type NodeSelectorTermsConfig struct {
Hub []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"` Hub []v1.NodeSelectorTerm `yaml:"hub" json:"hub" default:"[]"`
Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"` Workers []v1.NodeSelectorTerm `yaml:"workers" json:"workers" default:"[]"`
Front []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"` Front []v1.NodeSelectorTerm `yaml:"front" json:"front" default:"[]"`
Dex []v1.NodeSelectorTerm `yaml:"dex" json:"dex" default:"[]"`
} }
type TolerationsConfig struct { type TolerationsConfig struct {
@ -195,6 +196,10 @@ type RoutingConfig struct {
Front FrontRoutingConfig `yaml:"front" json:"front"` Front FrontRoutingConfig `yaml:"front" json:"front"`
} }
type DashboardConfig struct {
CompleteStreamingEnabled bool `yaml:"completeStreamingEnabled" json:"completeStreamingEnabled" default:"true"`
}
type FrontRoutingConfig struct { type FrontRoutingConfig struct {
BasePath string `yaml:"basePath" json:"basePath" default:""` BasePath string `yaml:"basePath" json:"basePath" default:""`
} }
@ -300,6 +305,7 @@ type TapConfig struct {
Release ReleaseConfig `yaml:"release" json:"release"` Release ReleaseConfig `yaml:"release" json:"release"`
PersistentStorage bool `yaml:"persistentStorage" json:"persistentStorage" default:"false"` PersistentStorage bool `yaml:"persistentStorage" json:"persistentStorage" default:"false"`
PersistentStorageStatic bool `yaml:"persistentStorageStatic" json:"persistentStorageStatic" default:"false"` PersistentStorageStatic bool `yaml:"persistentStorageStatic" json:"persistentStorageStatic" default:"false"`
PersistentStoragePvcVolumeMode string `yaml:"persistentStoragePvcVolumeMode" json:"persistentStoragePvcVolumeMode" default:"FileSystem"`
EfsFileSytemIdAndPath string `yaml:"efsFileSytemIdAndPath" json:"efsFileSytemIdAndPath" default:""` EfsFileSytemIdAndPath string `yaml:"efsFileSytemIdAndPath" json:"efsFileSytemIdAndPath" default:""`
StorageLimit string `yaml:"storageLimit" json:"storageLimit" default:"5000Mi"` StorageLimit string `yaml:"storageLimit" json:"storageLimit" default:"5000Mi"`
StorageClass string `yaml:"storageClass" json:"storageClass" default:"standard"` StorageClass string `yaml:"storageClass" json:"storageClass" default:"standard"`
@ -320,6 +326,7 @@ type TapConfig struct {
Routing RoutingConfig `yaml:"routing" json:"routing"` Routing RoutingConfig `yaml:"routing" json:"routing"`
IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"` IPv6 bool `yaml:"ipv6" json:"ipv6" default:"true"`
Debug bool `yaml:"debug" json:"debug" default:"false"` Debug bool `yaml:"debug" json:"debug" default:"false"`
Dashboard DashboardConfig `yaml:"dashboard" json:"dashboard"`
Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"` Telemetry TelemetryConfig `yaml:"telemetry" json:"telemetry"`
ResourceGuard ResourceGuardConfig `yaml:"resourceGuard" json:"resourceGuard"` ResourceGuard ResourceGuardConfig `yaml:"resourceGuard" json:"resourceGuard"`
Watchdog WatchdogConfig `yaml:"watchdog" json:"watchdog"` Watchdog WatchdogConfig `yaml:"watchdog" json:"watchdog"`

16
helm-chart/README.md
View File

@ -144,6 +144,7 @@ Example for overriding image names:
| `tap.release.namespace` | Helm release namespace | `default` | | `tap.release.namespace` | Helm release namespace | `default` |
| `tap.persistentStorage` | Use `persistentVolumeClaim` instead of `emptyDir` | `false` | | `tap.persistentStorage` | Use `persistentVolumeClaim` instead of `emptyDir` | `false` |
| `tap.persistentStorageStatic` | Use static persistent volume provisioning (explicitly defined `PersistentVolume` ) | `false` | | `tap.persistentStorageStatic` | Use static persistent volume provisioning (explicitly defined `PersistentVolume` ) | `false` |
| `tap.persistentStoragePvcVolumeMode` | Set the pvc volume mode (Filesystem\|Block) | `Filesystem` |
| `tap.efsFileSytemIdAndPath` | [EFS file system ID and, optionally, subpath and/or access point](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/access_points/README.md) `<FileSystemId>:<Path>:<AccessPointId>` | "" | | `tap.efsFileSytemIdAndPath` | [EFS file system ID and, optionally, subpath and/or access point](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/access_points/README.md) `<FileSystemId>:<Path>:<AccessPointId>` | "" |
| `tap.storageLimit` | Limit of either the `emptyDir` or `persistentVolumeClaim` | `500Mi` | | `tap.storageLimit` | Limit of either the `emptyDir` or `persistentVolumeClaim` | `500Mi` |
| `tap.storageClass` | Storage class of the `PersistentVolumeClaim` | `standard` | | `tap.storageClass` | Storage class of the `PersistentVolumeClaim` | `standard` |
@ -222,7 +223,7 @@ Example for overriding image names:
| `scripting.source` | Source directory of the scripts | `""` | | `scripting.source` | Source directory of the scripts | `""` |
| `scripting.watchScripts` | Enable watch mode for the scripts in source directory | `true` | | `scripting.watchScripts` | Enable watch mode for the scripts in source directory | `true` |
| `timezone` | IANA time zone applied to time shown in the front-end | `""` (local time zone applies) | | `timezone` | IANA time zone applied to time shown in the front-end | `""` (local time zone applies) |
| `supportChatEnabled` | Enable real-time support chat channel based on Intercom | `true` | | `supportChatEnabled` | Enable real-time support chat channel based on Intercom | `false` |
| `internetConnectivity` | Turns off API requests that are dependant on Internet connectivity such as `telemetry` and `online-support`. | `true` | | `internetConnectivity` | Turns off API requests that are dependant on Internet connectivity such as `telemetry` and `online-support`. | `true` |
KernelMapping pairs kernel versions with a KernelMapping pairs kernel versions with a
@ -351,8 +352,20 @@ tap:
clientSecret: create your own client password clientSecret: create your own client password
refreshTokenLifetime: "3960h" # 165 days refreshTokenLifetime: "3960h" # 165 days
oauth2StateParamExpiry: "10m" oauth2StateParamExpiry: "10m"
bypassSslCaCheck: false
``` ```
---
**Note:**<br/>
Set `tap.auth.dexOidc.bypassSslCaCheck: true`
to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority.
This setting allows you to prevent such SSL CA-related errors:<br/>
`tls: failed to verify certificate: x509: certificate signed by unknown authority`
---
Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled. Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
--- ---
@ -443,6 +456,7 @@ tap:
refreshTokenLifetime: "3960h" # 165 days refreshTokenLifetime: "3960h" # 165 days
oauth2StateParamExpiry: "10m" oauth2StateParamExpiry: "10m"
bypassSslCaCheck: false
dexConfig: dexConfig:
# This field is REQUIRED! # This field is REQUIRED!
# #

2
helm-chart/templates/02-cluster-role.yaml
View File

@ -82,5 +82,7 @@ rules:
resources: resources:
- secrets - secrets
- configmaps - configmaps
- pods/log
verbs: verbs:
- create - create
- get

6
helm-chart/templates/06-front-deployment.yaml
View File

@ -36,6 +36,12 @@ spec:
{{- else -}} {{- else -}}
{{ .Values.tap.auth.type }} {{ .Values.tap.auth.type }}
{{- end }}' {{- end }}'
- name: REACT_APP_COMPLETE_STREAMING_ENABLED
value: '{{- if and (hasKey .Values.tap "dashboard") (hasKey .Values.tap.dashboard "completeStreamingEnabled") -}}
{{ eq .Values.tap.dashboard.completeStreamingEnabled true | ternary "true" "false" }}
{{- else -}}
true
{{- end }}'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}' value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
- name: REACT_APP_TIMEZONE - name: REACT_APP_TIMEZONE

1
helm-chart/templates/08-persistent-volume-claim.yaml
View File

@ -33,6 +33,7 @@ metadata:
name: kubeshark-persistent-volume-claim name: kubeshark-persistent-volume-claim
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
volumeMode: {{ .Values.tap.persistentStoragePvcVolumeMode }}
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:

9
helm-chart/templates/12-config-map.yaml
View File

@ -33,6 +33,15 @@ data:
AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}' AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}' AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}' AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and
(hasKey .Values.tap "auth")
(hasKey .Values.tap.auth "dexOidc")
(hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck")
-}}
{{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }}
{{- else -}}
false
{{- end }}'
TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}' TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}} SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
{{- if .Values.demoModeEnabled -}} {{- if .Values.demoModeEnabled -}}

2
helm-chart/templates/NOTES.txt
View File

@ -28,7 +28,7 @@ Notices:
- Support chat using Intercom is enabled. It can be disabled using `--set supportChatEnabled=false` - Support chat using Intercom is enabled. It can be disabled using `--set supportChatEnabled=false`
{{- end }} {{- end }}
{{- if eq .Values.license ""}} {{- if eq .Values.license ""}}
- No license key was detected. You can get your license key from https://console.kubeshark.co/. - No license key was detected. You can either log-in/sign-up through the dashboard, or download the license key from https://console.kubeshark.co/.
{{- end }} {{- end }}
{{ if .Values.tap.ingress.enabled }} {{ if .Values.tap.ingress.enabled }}

8
helm-chart/values.yaml
View File

@ -33,6 +33,7 @@ tap:
namespace: default namespace: default
persistentStorage: false persistentStorage: false
persistentStorageStatic: false persistentStorageStatic: false
persistentStoragePvcVolumeMode: FileSystem
efsFileSytemIdAndPath: "" efsFileSytemIdAndPath: ""
storageLimit: 5000Mi storageLimit: 5000Mi
storageClass: standard storageClass: standard
@ -99,6 +100,7 @@ tap:
operator: In operator: In
values: values:
- linux - linux
dex: []
tolerations: tolerations:
hub: [] hub: []
workers: workers:
@ -136,6 +138,8 @@ tap:
basePath: "" basePath: ""
ipv6: true ipv6: true
debug: false debug: false
dashboard:
completeStreamingEnabled: true
telemetry: telemetry:
enabled: true enabled: true
resourceGuard: resourceGuard:
@ -238,9 +242,9 @@ dumpLogs: false
headless: false headless: false
license: "" license: ""
cloudLicenseEnabled: true cloudLicenseEnabled: true
aiAssistantEnabled: false aiAssistantEnabled: true
demoModeEnabled: false demoModeEnabled: false
supportChatEnabled: true supportChatEnabled: false
internetConnectivity: true internetConnectivity: true
scripting: scripting:
env: {} env: {}