✨ Update the Helm chart

Author: alongir

charts/chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.6"
+version: "52.7"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.co
 keywords:

charts/chart/README.md

@@ -144,6 +144,7 @@ Example for overriding image names:
 | `tap.release.namespace`                   | Helm release namespace                        | `default`                                               |
 | `tap.persistentStorage`                   | Use `persistentVolumeClaim` instead of `emptyDir` | `false`                                             |
 | `tap.persistentStorageStatic`             | Use static persistent volume provisioning (explicitly defined `PersistentVolume` ) | `false`            |
+| `tap.persistentStoragePvcVolumeMode` | Set the pvc volume mode (Filesystem\|Block) | `Filesystem` |
 | `tap.efsFileSytemIdAndPath`               | [EFS file system ID and, optionally, subpath and/or access point](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/access_points/README.md) `<FileSystemId>:<Path>:<AccessPointId>`  | ""                             |
 | `tap.storageLimit`                        | Limit of either the `emptyDir` or `persistentVolumeClaim` | `500Mi`                                     |
 | `tap.storageClass`                        | Storage class of the `PersistentVolumeClaim`          | `standard`                                      |
@@ -209,6 +210,7 @@ Example for overriding image names:
 | `tap.metrics.port`                  | Pod port used to expose Prometheus metrics          | `49100`                                                  |
 | `tap.enabledDissectors`                   | This is an array of strings representing the list of supported protocols. Remove or comment out redundant protocols (e.g., dns).| The default list excludes: `udp` and `tcp` |
 | `tap.mountBpf`                            | BPF filesystem needs to be mounted for eBPF to work properly. This helm value determines whether Kubeshark will attempt to mount the filesystem. This option is not required if filesystem is already mounts. │ `true`|
+| `tap.gitops.enabled`                          | Enable GitOps functionality. This will allow you to use GitOps to manage your Kubeshark configuration. | `false` |
 | `logs.file`                               | Logs dump path                      | `""`                                                    |
 | `pcapdump.enabled`                        | Enable recording of all traffic captured according to other parameters. Whatever Kubeshark captures, considering pod targeting rules, will be stored in pcap files ready to be viewed by tools                 | `true`                                                                                                  |
 | `pcapdump.maxTime`                        | The time window into the past that will be stored. Older traffic will be discarded.  | `2h`  |
@@ -222,7 +224,7 @@ Example for overriding image names:
 | `scripting.source`                        | Source directory of the scripts                | `""`                                                    |
 | `scripting.watchScripts`                  | Enable watch mode for the scripts in source directory          | `true`                                                  |
 | `timezone`                                | IANA time zone applied to time shown in the front-end | `""` (local time zone applies) |
-| `supportChatEnabled`                      | Enable real-time support chat channel based on Intercom | `true` |
+| `supportChatEnabled`                      | Enable real-time support chat channel based on Intercom | `false` |
 | `internetConnectivity`                    | Turns off API requests that are dependant on Internet connectivity such as `telemetry` and `online-support`. | `true` |
 
 KernelMapping pairs kernel versions with a
@@ -351,8 +353,20 @@ tap:
       clientSecret: create your own client password
       refreshTokenLifetime: "3960h" # 165 days
       oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
 ```
 
+---
+
+**Note:**<br/>
+Set `tap.auth.dexOidc.bypassSslCaCheck: true`
+to allow Kubeshark communication with Dex IdP having an unknown SSL Certificate Authority.
+
+This setting allows you to prevent such SSL CA-related errors:<br/>
+`tls: failed to verify certificate: x509: certificate signed by unknown authority`
+
+---
+
 Once you run `helm install kubeshark kubeshark/kubeshark -f ./values.yaml`, Kubeshark will be installed with (Dex) OIDC authentication enabled.
 
 ---
@@ -443,6 +457,7 @@ tap:
 
       refreshTokenLifetime: "3960h" # 165 days
       oauth2StateParamExpiry: "10m"
+      bypassSslCaCheck: false
     dexConfig:
       # This field is REQUIRED!
       # 

charts/chart/templates/02-cluster-role.yaml

@@ -63,12 +63,26 @@ rules:
     resourceNames:
       - kubeshark-secret
       - kubeshark-config-map
+      - kubeshark-secret-default
+      - kubeshark-config-map-default
     resources:
       - secrets
       - configmaps
     verbs:
+      - create
       - get
       - watch
       - list
       - update
       - patch
+      - delete
+  - apiGroups:
+      - ""
+      - v1
+    resources:
+      - secrets
+      - configmaps
+      - pods/log
+    verbs:
+      - create
+      - get

charts/chart/templates/04-hub-deployment.yaml

@@ -33,6 +33,9 @@ spec:
             - "8080"
             - -loglevel
             - '{{ .Values.logLevel | default "warning" }}'
+            {{- if .Values.tap.gitops.enabled }}
+            - -gitops
+            {{- end }}
           env:
           - name: POD_NAME
             valueFrom:

charts/chart/templates/06-front-deployment.yaml

@@ -36,6 +36,12 @@ spec:
                       {{- else -}}
                         {{ .Values.tap.auth.type }}
                       {{- end }}'
+            - name: REACT_APP_COMPLETE_STREAMING_ENABLED
+              value: '{{- if and (hasKey .Values.tap "dashboard") (hasKey .Values.tap.dashboard "completeStreamingEnabled") -}}
+                        {{ eq .Values.tap.dashboard.completeStreamingEnabled true | ternary "true" "false" }}
+                      {{- else -}}
+                        true
+                      {{- end }}'
             - name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
               value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
             - name: REACT_APP_TIMEZONE

charts/chart/templates/08-persistent-volume-claim.yaml

@@ -33,6 +33,7 @@ metadata:
   name: kubeshark-persistent-volume-claim
   namespace: {{ .Release.Namespace }}
 spec:
+  volumeMode: {{ .Values.tap.persistentStoragePvcVolumeMode }}
   accessModes:
     - ReadWriteMany
   resources:

charts/chart/templates/12-config-map.yaml

@@ -1,7 +1,7 @@
 kind: ConfigMap
 apiVersion: v1
 metadata:
-  name: kubeshark-config-map
+  name: {{ include "kubeshark.configmapName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubeshark.co/app: hub
@@ -33,6 +33,15 @@ data:
     AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).dexOidc).issuer }}'
     AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).dexOidc).refreshTokenLifetime }}'
     AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).dexOidc).oauth2StateParamExpiry }}'
+    AUTH_OIDC_BYPASS_SSL_CA_CHECK: '{{- if and
+                                      (hasKey .Values.tap "auth")
+                                      (hasKey .Values.tap.auth "dexOidc")
+                                      (hasKey .Values.tap.auth.dexOidc "bypassSslCaCheck")
+                                    -}}
+                                      {{ eq .Values.tap.auth.dexOidc.bypassSslCaCheck true | ternary "true" "false" }}
+                                    {{- else -}}
+                                      false
+                                    {{- end }}'
     TELEMETRY_DISABLED: '{{ not .Values.internetConnectivity | ternary "true" (not .Values.tap.telemetry.enabled | ternary "true" "false") }}'
     SCRIPTING_DISABLED: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
                            {{- if .Values.demoModeEnabled -}}

charts/chart/templates/13-secret.yaml

@@ -1,7 +1,7 @@
 kind: Secret
 apiVersion: v1
 metadata:
-  name: kubeshark-secret
+  name: {{ include "kubeshark.secretName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubeshark.co/app: hub

charts/chart/templates/18-cleanup-job.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.tap.gitops.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kubeshark-cleanup-job
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
+      restartPolicy: Never
+      containers:
+        - name: cleanup
+        {{- if .Values.tap.docker.overrideImage.hub }}
+          image: '{{ .Values.tap.docker.overrideImage.hub }}'
+        {{- else if .Values.tap.docker.overrideTag.hub }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.overrideTag.hub }}'
+        {{ else }}
+          image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
+        {{- end }}
+          command: ["/app/cleanup"]
+{{ end -}}

charts/chart/templates/NOTES.txt

@@ -28,7 +28,7 @@ Notices:
 - Support chat using Intercom is enabled. It can be disabled using `--set supportChatEnabled=false`
 {{- end }}
 {{- if eq .Values.license ""}}
-- No license key was detected. You can get your license key from https://console.kubeshark.co/.
+- No license key was detected. You can either log-in/sign-up through the dashboard, or download the license key from https://console.kubeshark.co/.
 {{- end }}
 
 {{ if .Values.tap.ingress.enabled }}