kubeshark
diff --git a/‎charts/chart/Chart.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/chart/Chart.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/chart/README.md‎
Lines changed: 11 additions & 5 deletions b/‎charts/chart/README.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎charts/chart/docs/snapshots_cloud_storage.md‎
Lines changed: 226 additions & 0 deletions b/‎charts/chart/docs/snapshots_cloud_storage.md‎
Lines changed: 226 additions & 0 deletions
diff --git a/‎charts/chart/templates/04-hub-deployment.yaml‎
Lines changed: 25 additions & 9 deletions b/‎charts/chart/templates/04-hub-deployment.yaml‎
Lines changed: 25 additions & 9 deletions
diff --git a/‎charts/chart/templates/06-front-deployment.yaml‎
Lines changed: 12 additions & 6 deletions b/‎charts/chart/templates/06-front-deployment.yaml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎charts/chart/templates/09-snapshots-pvc.yaml‎
Lines changed: 3 additions & 3 deletions b/‎charts/chart/templates/09-snapshots-pvc.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎charts/chart/templates/09-worker-daemon-set.yaml‎
Lines changed: 7 additions & 3 deletions b/‎charts/chart/templates/09-worker-daemon-set.yaml‎
Lines changed: 7 additions & 3 deletions
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: kubeshark
-version: "52.12.0"
+version: "53.1.0"
 description: The API Traffic Analyzer for Kubernetes
 home: https://kubeshark.com
 keywords:
 
@@ -0,0 +1,226 @@
+# Cloud Storage for Snapshots
+
+Kubeshark can upload and download snapshots to cloud object storage, enabling cross-cluster sharing, backup/restore, and long-term retention.
+
+Supported providers: **Amazon S3** (`s3`) and **Azure Blob Storage** (`azblob`).
+
+## Helm Values
+
+```yaml
+tap:
+  snapshots:
+    cloud:
+      provider: ""      # "s3" or "azblob" (empty = disabled)
+      configMaps: []    # names of pre-existing ConfigMaps with cloud config env vars
+      secrets: []       # names of pre-existing Secrets with cloud credentials
+```
+
+- `provider` selects which cloud backend to use. Leave empty to disable cloud storage.
+- `configMaps` and `secrets` are lists of names of existing ConfigMap/Secret resources. They are mounted as `envFrom` on the hub pod, injecting all their keys as environment variables.
+
+---
+
+## Amazon S3
+
+### Environment Variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `SNAPSHOT_AWS_BUCKET` | Yes | S3 bucket name |
+| `SNAPSHOT_AWS_REGION` | No | AWS region (uses SDK default if empty) |
+| `SNAPSHOT_AWS_ACCESS_KEY` | No | Static access key ID (empty = use default credential chain) |
+| `SNAPSHOT_AWS_SECRET_KEY` | No | Static secret access key |
+| `SNAPSHOT_AWS_ROLE_ARN` | No | IAM role ARN to assume via STS (for cross-account access) |
+| `SNAPSHOT_AWS_EXTERNAL_ID` | No | External ID for the STS AssumeRole call |
+| `SNAPSHOT_CLOUD_PREFIX` | No | Key prefix in the bucket (e.g. `snapshots/`) |
+
+### Authentication Methods
+
+Credentials are resolved in this order:
+
+1. **Static credentials** -- If `SNAPSHOT_AWS_ACCESS_KEY` is set, static credentials are used directly.
+2. **STS AssumeRole** -- If `SNAPSHOT_AWS_ROLE_ARN` is also set, the static (or default) credentials are used to assume the given IAM role. This is useful for cross-account S3 access.
+3. **AWS default credential chain** -- When no static credentials are provided, the SDK default chain is used:
+   - **IRSA** (EKS service account token) -- recommended for production on EKS
+   - EC2 instance profile
+   - Standard AWS environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, etc.)
+   - Shared credentials file (`~/.aws/credentials`)
+
+The provider validates bucket access on startup via `HeadBucket`. If the bucket is inaccessible, the hub will fail to start.
+
+### Example: IRSA (recommended for EKS)
+
+Create a ConfigMap with bucket configuration:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-s3-config
+data:
+  SNAPSHOT_AWS_BUCKET: my-kubeshark-snapshots
+  SNAPSHOT_AWS_REGION: us-east-1
+```
+
+Set Helm values:
+
+```yaml
+tap:
+  snapshots:
+    cloud:
+      provider: "s3"
+      configMaps:
+        - kubeshark-s3-config
+```
+
+The hub pod's service account must be annotated for IRSA with an IAM role that has S3 access to the bucket.
+
+### Example: Static Credentials
+
+Create a Secret with credentials:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeshark-s3-creds
+type: Opaque
+stringData:
+  SNAPSHOT_AWS_ACCESS_KEY: AKIA...
+  SNAPSHOT_AWS_SECRET_KEY: wJal...
+```
+
+Create a ConfigMap with bucket configuration:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-s3-config
+data:
+  SNAPSHOT_AWS_BUCKET: my-kubeshark-snapshots
+  SNAPSHOT_AWS_REGION: us-east-1
+```
+
+Set Helm values:
+
+```yaml
+tap:
+  snapshots:
+    cloud:
+      provider: "s3"
+      configMaps:
+        - kubeshark-s3-config
+      secrets:
+        - kubeshark-s3-creds
+```
+
+### Example: Cross-Account Access via AssumeRole
+
+Add the role ARN to your ConfigMap:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-s3-config
+data:
+  SNAPSHOT_AWS_BUCKET: other-account-bucket
+  SNAPSHOT_AWS_REGION: eu-west-1
+  SNAPSHOT_AWS_ROLE_ARN: arn:aws:iam::123456789012:role/KubesharkCrossAccountRole
+  SNAPSHOT_AWS_EXTERNAL_ID: my-external-id   # optional, if required by the trust policy
+```
+
+The hub will first authenticate using its own credentials (IRSA, static, or default chain), then assume the specified role to access the bucket.
+
+---
+
+## Azure Blob Storage
+
+### Environment Variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `SNAPSHOT_AZBLOB_STORAGE_ACCOUNT` | Yes | Azure storage account name |
+| `SNAPSHOT_AZBLOB_CONTAINER` | Yes | Blob container name |
+| `SNAPSHOT_AZBLOB_STORAGE_KEY` | No | Storage account access key (empty = use DefaultAzureCredential) |
+| `SNAPSHOT_CLOUD_PREFIX` | No | Key prefix in the container (e.g. `snapshots/`) |
+
+### Authentication Methods
+
+Credentials are resolved in this order:
+
+1. **Shared Key** -- If `SNAPSHOT_AZBLOB_STORAGE_KEY` is set, the storage account key is used directly.
+2. **DefaultAzureCredential** -- When no storage key is provided, the Azure SDK default credential chain is used:
+   - **Workload Identity** (AKS pod identity) -- recommended for production on AKS
+   - Managed Identity (system or user-assigned)
+   - Azure CLI credentials
+   - Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`)
+
+The provider validates container access on startup via `GetProperties`. If the container is inaccessible, the hub will fail to start.
+
+### Example: Workload Identity (recommended for AKS)
+
+Create a ConfigMap with storage configuration:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-azblob-config
+data:
+  SNAPSHOT_AZBLOB_STORAGE_ACCOUNT: mykubesharksa
+  SNAPSHOT_AZBLOB_CONTAINER: snapshots
+```
+
+Set Helm values:
+
+```yaml
+tap:
+  snapshots:
+    cloud:
+      provider: "azblob"
+      configMaps:
+        - kubeshark-azblob-config
+```
+
+The hub pod's service account must be configured for AKS Workload Identity with a managed identity that has the **Storage Blob Data Contributor** role on the container.
+
+### Example: Storage Account Key
+
+Create a Secret with the storage key:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeshark-azblob-creds
+type: Opaque
+stringData:
+  SNAPSHOT_AZBLOB_STORAGE_KEY: "base64-encoded-storage-key..."
+```
+
+Create a ConfigMap with storage configuration:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeshark-azblob-config
+data:
+  SNAPSHOT_AZBLOB_STORAGE_ACCOUNT: mykubesharksa
+  SNAPSHOT_AZBLOB_CONTAINER: snapshots
+```
+
+Set Helm values:
+
+```yaml
+tap:
+  snapshots:
+    cloud:
+      provider: "azblob"
+      configMaps:
+        - kubeshark-azblob-config
+      secrets:
+        - kubeshark-azblob-creds
+```
@@ -37,13 +37,17 @@ spec:
             - -loglevel
             - '{{ .Values.logLevel | default "warning" }}'
             - -capture-stop-after
-            - "{{ if hasKey .Values.tap.capture "stopAfter" }}{{ .Values.tap.capture.stopAfter }}{{ else }}5m{{ end }}"
+            - "{{ if hasKey .Values.tap.capture.dissection "stopAfter" }}{{ .Values.tap.capture.dissection.stopAfter }}{{ else }}5m{{ end }}"
             - -snapshot-size-limit
             - '{{ .Values.tap.snapshots.storageSize }}'
-            {{- if .Values.tap.delayedDissection.image }}
             - -dissector-image
-            - '{{ .Values.tap.delayedDissection.image }}'
-            {{- end }}
+          {{- if .Values.tap.docker.overrideImage.worker }}
+            - '{{ .Values.tap.docker.overrideImage.worker }}'
+          {{- else if .Values.tap.docker.overrideTag.worker }}
+            - '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}'
+          {{- else }}
+            - '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
+          {{- end }}
             {{- if .Values.tap.delayedDissection.cpu }}
             - -dissector-cpu
             - '{{ .Values.tap.delayedDissection.cpu }}'
@@ -55,12 +59,26 @@ spec:
             {{- if .Values.tap.gitops.enabled }}
             - -gitops
             {{- end }}
-          {{- if .Values.tap.secrets }}
+            - -cloud-api-url
+            - '{{ .Values.cloudApiUrl }}'
+            {{- if .Values.tap.snapshots.cloud.provider }}
+            - -cloud-storage-provider
+            - '{{ .Values.tap.snapshots.cloud.provider }}'
+            {{- end }}
+          {{- if or .Values.tap.secrets .Values.tap.snapshots.cloud.configMaps .Values.tap.snapshots.cloud.secrets }}
           envFrom:
             {{- range .Values.tap.secrets }}
             - secretRef:
                 name: {{ . }}
             {{- end }}
+            {{- range .Values.tap.snapshots.cloud.configMaps }}
+            - configMapRef:
+                name: {{ . }}
+            {{- end }}
+            {{- range .Values.tap.snapshots.cloud.secrets }}
+            - secretRef:
+                name: {{ . }}
+            {{- end }}
           {{- end }}
           env:
           - name: POD_NAME
@@ -75,8 +93,6 @@ spec:
             value: '{{ (include "sentry.enabled" .) }}'
           - name: SENTRY_ENVIRONMENT
             value: '{{ .Values.tap.sentry.environment }}'
-          - name: KUBESHARK_CLOUD_API_URL
-            value: 'https://api.kubeshark.com'
           - name: PROFILING_ENABLED
             value: '{{ .Values.tap.pprof.enabled }}'
         {{- if .Values.tap.docker.overrideImage.hub }}
@@ -184,10 +200,10 @@ spec:
               - key: AUTH_SAML_X509_KEY
                 path: kubeshark.key
       - name: snapshots-volume
-        {{- if .Values.tap.snapshots.storageClass }}
+        {{- if .Values.tap.snapshots.local.storageClass }}
         persistentVolumeClaim:
           claimName: {{ include "kubeshark.name" . }}-snapshots-pvc
         {{- else }}
         emptyDir:
-          sizeLimit: {{ .Values.tap.snapshots.storageSize }}
+          sizeLimit: {{ .Values.tap.snapshots.local.storageSize }}
         {{- end }}
@@ -48,6 +48,12 @@ spec:
               value: '{{ not (eq .Values.tap.auth.saml.idpMetadataUrl "") | ternary .Values.tap.auth.saml.idpMetadataUrl " " }}'
             - name: REACT_APP_TIMEZONE
               value: '{{ not (eq .Values.timezone "") | ternary .Values.timezone " " }}'
+            - name: REACT_APP_SCRIPTING_HIDDEN
+              value: '{{- if and .Values.scripting (eq (.Values.scripting.enabled | toString) "false") -}}
+                        true
+                      {{- else -}}
+                        false
+                      {{- end }}'
             - name: REACT_APP_SCRIPTING_DISABLED
               value: '{{- if .Values.tap.liveConfigMapChangesDisabled -}}
                         {{- if .Values.demoModeEnabled -}}
@@ -66,20 +72,20 @@ spec:
               value: '{{ eq .Values.tap.packetCapture "af_packet" | ternary "false" "true" }}'
             - name: REACT_APP_RECORDING_DISABLED
               value: '{{ .Values.tap.liveConfigMapChangesDisabled }}'
-            - name: REACT_APP_STOP_TRAFFIC_CAPTURING_DISABLED
-              value: '{{- if and .Values.tap.liveConfigMapChangesDisabled .Values.tap.capture.stopped -}}
-                        false
+            - name: REACT_APP_DISSECTION_ENABLED
+              value: '{{ .Values.tap.capture.dissection.enabled | ternary "true" "false" }}'
+            - name: REACT_APP_DISSECTION_CONTROL_ENABLED
+              value: '{{- if and .Values.tap.liveConfigMapChangesDisabled (not .Values.tap.capture.dissection.enabled) -}}
+                        true
                       {{- else -}}
-                        {{ .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
+                        {{ not .Values.tap.liveConfigMapChangesDisabled | ternary "true" "false" }}
                       {{- end -}}'
             - name: 'REACT_APP_CLOUD_LICENSE_ENABLED'
               value: '{{- if or (and .Values.cloudLicenseEnabled (not (empty .Values.license))) (not .Values.internetConnectivity) -}}
                         "false"
                       {{- else -}}
                         {{ .Values.cloudLicenseEnabled }}
                       {{- end }}'
-            - name: 'REACT_APP_AI_ASSISTANT_ENABLED'
-              value: '{{ .Values.aiAssistantEnabled | ternary "true" "false" }}'
             - name: REACT_APP_SUPPORT_CHAT_ENABLED
               value: '{{ and .Values.supportChatEnabled .Values.internetConnectivity | ternary "true" "false" }}'
             - name: REACT_APP_BETA_ENABLED
 
@@ -1,5 +1,5 @@
 ---
-{{- if .Values.tap.snapshots.storageClass }}
+{{- if .Values.tap.snapshots.local.storageClass }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -16,7 +16,7 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: {{ .Values.tap.snapshots.storageSize }}
-  storageClassName: {{ .Values.tap.snapshots.storageClass }}
+      storage: {{ .Values.tap.snapshots.local.storageSize }}
+  storageClassName: {{ .Values.tap.snapshots.local.storageClass }}
 status: {}
 {{- end }}
@@ -99,10 +99,16 @@ spec:
             - '{{ .Values.tap.misc.resolutionStrategy }}'
             - -staletimeout
             - '{{ .Values.tap.misc.staleTimeoutSeconds }}'
+            - -tcp-flow-full-timeout
+            - '{{ .Values.tap.misc.tcpFlowTimeout }}'
+            - -udp-flow-full-timeout
+            - '{{ .Values.tap.misc.udpFlowTimeout }}'
             - -storage-size
             - '{{ .Values.tap.storageLimit }}'
             - -capture-db-max-size
             - '{{ .Values.tap.capture.dbMaxSize }}'
+            - -cloud-api-url
+            - '{{ .Values.cloudApiUrl }}'
         {{- if .Values.tap.docker.overrideImage.worker }}
           image: '{{ .Values.tap.docker.overrideImage.worker }}'
         {{- else if .Values.tap.docker.overrideTag.worker }}
@@ -129,8 +135,6 @@ spec:
             value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutMs }}'
           - name: TCP_STREAM_CHANNEL_TIMEOUT_SHOW
             value: '{{ .Values.tap.misc.tcpStreamChannelTimeoutShow }}'
-          - name: KUBESHARK_CLOUD_API_URL
-            value: 'https://api.kubeshark.com'
           - name: PROFILING_ENABLED
             value: '{{ .Values.tap.pprof.enabled }}'
           - name: SENTRY_ENABLED
@@ -402,8 +406,8 @@ spec:
         - hostPath:
             path: /
           name: root
-        - name: data
         {{- end }}
+        - name: data
 {{- if .Values.tap.persistentStorage }}
           persistentVolumeClaim:
             claimName: kubeshark-persistent-volume-claim