From 8a8852ac9a48b54490029fcdd077c3f20191b09f Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Tue, 21 Nov 2023 17:43:48 -0300 Subject: [PATCH 1/6] feat: add http proxy support in http client --- cmd/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/main.go b/cmd/main.go index a6fd66ad..59e88039 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -108,8 +108,9 @@ func main() { var onClusterUpdate, onClusterDelete saas.ClusterHook var onClusterScanUpdate, onClusterScanDelete saas.ClusterScanHook + client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyFromEnvironment}} if saasWorkspaceID != "" { - saasClient, err := saas.NewClient(saasServer, version, saasWorkspaceID, http.DefaultClient) + saasClient, err := saas.NewClient(saasServer, version, saasWorkspaceID, client) if err != nil { setupLog.Error(err, "unable to create SaaS client", "workspaceID", saasWorkspaceID) os.Exit(1) From 22931609ae3ec3026b63020aae071c1d75061e9c Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Tue, 21 Nov 2023 17:44:19 -0300 Subject: [PATCH 2/6] feat: add env and envFrom parameters in helm chart --- charts/zora/Chart.yaml | 4 ++-- charts/zora/README.md | 6 ++++-- charts/zora/templates/operator/deployment.yaml | 4 ++++ charts/zora/values.yaml | 9 +++++++++ 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml index 40b01d1c..42e4d8de 100644 --- a/charts/zora/Chart.yaml +++ b/charts/zora/Chart.yaml @@ -17,7 +17,7 @@ name: zora description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg type: application -version: 0.7.0 -appVersion: "v0.7.0" +version: 0.7.1 +appVersion: "v0.7.1" sources: - https://github.com/undistro/zora diff --git a/charts/zora/README.md b/charts/zora/README.md index 6ec942cd..e39c5035 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md 
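Review bot: The transport built on the `+ client := &http.Client{...}` line keeps only the proxy function and discards every other setting of `http.DefaultTransport`, so the SaaS client now dials and performs TLS handshakes with no timeouts, no idle-connection limits and no HTTP/2 attempt, whereas the replaced `http.DefaultClient` already honoured `HTTPS_PROXY`/`NO_PROXY` because the default transport's `Proxy` is `http.ProxyFromEnvironment`. With unbounded dial and handshake times a stalled proxy or endpoint can hang the SaaS call indefinitely. I would keep the defaults and add only a client deadline: `client := &http.Client{Transport: http.DefaultTransport.(*http.Transport).Clone(), Timeout: 30 * time.Second /* suggested value */}` (needs a `time` import if the file lacks one). `main` continues outside the hunk.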
@@ -1,6 +1,6 @@ # Zora Helm Chart -![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square&color=3CA9DD) +![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.1](https://img.shields.io/badge/AppVersion-v0.7.1-informational?style=flat-square&color=3CA9DD) A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update helm repo update undistro helm upgrade --install zora undistro/zora \ -n zora-system \ - --version 0.7.0 \ + --version 0.7.1 \ --create-namespace \ --wait \ --set clusterName="$(kubectl config current-context)" 
@@ -93,6 +93,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
 | operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') |
 | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
+| operator.env | list | `[]` | List of environment variables to set in operator container. Cannot be updated |
+| operator.envFrom | list | `[]` | List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. |
 | scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled |
 | scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan |
 | scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. |
diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
index 21a3ca84..1f111cf2 100644
--- a/charts/zora/templates/operator/deployment.yaml
+++ b/charts/zora/templates/operator/deployment.yaml
@@ -59,6 +59,10 @@ spec: securityContext: {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }} - name: manager + envFrom: + {{- toYaml .Values.operator.envFrom | nindent 12 }} + env: + {{- toYaml .Values.operator.env | nindent 12 }} command: - /manager args: diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 44aeafae..f96a572d 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -143,6 +143,15 @@ operator: stacktraceLevel: error # -- Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') timeEncoding: rfc3339 + # -- List of environment variables to set in operator container. Cannot be updated + env: [] + # - name: key + # value: value + + # -- List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + envFrom: [] + # - configMapRef: + # name: foo scan: misconfiguration: From 02af01f6437f83bca22a37b8ef07eba2a2e268b7 Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Tue, 21 Nov 2023 17:45:16 -0300 Subject: [PATCH 3/6] bump chart version to 0.7.1-rc1 --- charts/zora/Chart.yaml | 4 ++-- charts/zora/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml index 42e4d8de..b32422a8 100644 --- a/charts/zora/Chart.yaml +++ b/charts/zora/Chart.yaml 
@@ -17,7 +17,7 @@ name: zora description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg type: application -version: 0.7.1 -appVersion: "v0.7.1" +version: 0.7.1-rc1 +appVersion: "v0.7.1-rc1" sources: - https://github.com/undistro/zora diff --git a/charts/zora/README.md b/charts/zora/README.md index e39c5035..f5415fc4 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md @@ -1,6 +1,6 @@ # Zora Helm Chart -![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.1](https://img.shields.io/badge/AppVersion-v0.7.1-informational?style=flat-square&color=3CA9DD) +![Version: 0.7.1-rc1](https://img.shields.io/badge/Version-0.7.1--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.1-rc1](https://img.shields.io/badge/AppVersion-v0.7.1--rc1-informational?style=flat-square&color=3CA9DD) A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update helm repo update undistro helm upgrade --install zora undistro/zora \ -n zora-system \ - --version 0.7.1 \ + --version 0.7.1-rc1 \ --create-namespace \ --wait \ --set clusterName="$(kubectl config current-context)" From 059c3e3da41c2d65bd0e8c72a5d250c1def6dd9d Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Wed, 7 Feb 2024 10:45:22 -0300 Subject: [PATCH 4/6] generate helm docs --- charts/zora/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/zora/README.md b/charts/zora/README.md index 6c9f2adc..c827b7de 100644 
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -93,6 +93,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
 | operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') |
 | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
+| operator.env | list | `[]` | List of environment variables to set in operator container. Cannot be updated |
+| operator.envFrom | list | `[]` | List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. |
 | scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled |
 | scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan |
 | scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. |
From c81f49cee5080482bc529e69a2c4702e3f8c4d81 Mon Sep 17 00:00:00 2001
From: Matheus Moraes
Date: Wed, 7 Feb 2024 17:43:19 -0300
Subject: [PATCH 5/6] add httpsProxy and noProxy variables
---
 charts/zora/README.md | 4 ++--
 charts/zora/templates/operator/deployment.yaml | 9 ++++++---
 charts/zora/templates/plugins/trivy.yaml | 6 ++++++
 charts/zora/values.yaml | 14 +++++--------
 4 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/charts/zora/README.md b/charts/zora/README.md
index c827b7de..90823a88 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -93,8 +93,6 @@ The following table lists the configurable parameters of the Zora chart and thei
 | operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
 | operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') |
 | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
-| operator.env | list | `[]` | List of environment variables to set in operator container. Cannot be updated |
-| operator.envFrom | list | `[]` | List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. |
 | scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled |
 | scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan |
 | scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. |
@@ -120,6 +118,8 @@ The following table lists the configurable parameters of the Zora chart and thei | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository | | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag | | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name | +| httpsProxy | string | `""` | HTTPS proxy URL | +| noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index 1f111cf2..9bd38ff9 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml @@ -59,10 +59,13 @@ spec: securityContext: {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }} - name: manager - envFrom: - {{- toYaml .Values.operator.envFrom | nindent 12 }} + {{- if .Values.httpsProxy }} env: - {{- toYaml .Values.operator.env | nindent 12 }} + - name: HTTPS_PROXY + value: {{ .Values.httpsProxy | quote }} + - name: NO_PROXY + value: {{ .Values.noProxy | quote }} + {{- end }} command: - /manager args: diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index cd9b025e..72b8cd87 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml @@ -31,6 +31,12 @@ spec: env: - name: TRIVY_IGNORE_VULN_DESCRIPTIONS value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }} + {{- if .Values.httpsProxy }} + - name: HTTPS_PROXY + value: {{ .Values.httpsProxy | quote }} + - name: NO_PROXY + value: {{ .Values.noProxy | quote }} + {{- end }} command: - /bin/sh - -c diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 6f68b2e2..919aeb9e 100644 
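Review bot: The `NO_PROXY` default written in the `+ - name: NO_PROXY` block of `charts/zora/templates/operator/deployment.yaml` does not exempt the manager's own API-server traffic: in-cluster clients dial the ClusterIP taken from `KUBERNETES_SERVICE_HOST`, and Go's proxy-environment matching (which client-go wraps around `http.ProxyFromEnvironment`) accepts hostnames, IPs and CIDRs but not an embedded wildcard such as `kubernetes.default.svc.*`, so as far as I can tell every Kubernetes API call — bearer token included — is routed to the proxy once `httpsProxy` is set. The same value is emitted for the trivy job in `charts/zora/templates/plugins/trivy.yaml` and defined in `charts/zora/values.yaml` in this commit. I would drop the wildcard entry and document that the cluster's service CIDR or API-server ClusterIP must be listed, e.g. the values.yaml comment `# -- Comma-separated list of hosts, IPs or CIDRs that bypass the proxy; must include the API server ClusterIP or the service CIDR (e.g. 10.96.0.0/12, example value) so in-cluster API calls stay off the proxy`. Only `HTTPS_PROXY` is set, which covers the https:// targets named in the docs but leaves plain-http requests unproxied; emit `HTTP_PROXY` from the same value if that is not intended.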
--- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -143,15 +143,6 @@ operator: stacktraceLevel: error # -- Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') timeEncoding: rfc3339 - # -- List of environment variables to set in operator container. Cannot be updated - env: [] - # - name: key - # value: value - - # -- List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - envFrom: [] - # - configMapRef: - # name: foo scan: misconfiguration: @@ -244,3 +235,8 @@ kubexnsImage: # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks + +# -- HTTPS proxy URL +httpsProxy: "" +# -- Comma-separated list of URL patterns to be excluded from going through the proxy +noProxy: kubernetes.default.svc.*,127.0.0.1,localhost From 1c5769ce0572716c7a51e36f9c38517c32c3d576 Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Wed, 7 Feb 2024 18:54:12 -0300 Subject: [PATCH 6/6] add docs for HTTPS proxy settings --- docs/configuration/https-proxy.md | 25 +++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 26 insertions(+) create mode 100644 docs/configuration/https-proxy.md diff --git a/docs/configuration/https-proxy.md b/docs/configuration/https-proxy.md new file mode 100644 index 00000000..cc087c5e --- /dev/null +++ b/docs/configuration/https-proxy.md 
@@ -0,0 +1,25 @@ +# HTTPS Proxy + +If your network environment requires the use of a proxy, you must ensure proper configuration of the `httpsProxy` +parameter when running `helm upgrade --install` command. + +```shell +# omitted "helm upgrade --install" command and parameters + +--set httpsProxy="https://secure.proxy.tld" +``` + +Additionally, you can specify URLs that should bypass the proxy, by setting the `noProxy` parameter in comma-separated +list format. Note that this parameter already has a default value: `kubernetes.default.svc.*,127.0.0.1,localhost`. + +Configuring proxy settings enables both `trivy` plugin and `zora-operator` to use the proxy for external requests. + +Zora OSS sends scan results to the following external URL if your installation is integrated with +[Zora Dashboard](../dashboard.md): + +- `https://zora-dashboard.undistro.io` + +While [Trivy](../plugins/trivy.md) downloads vulnerability databases during scans from the following external sources: + +- `ghcr.io/aquasecurity/trivy-db` +- `ghcr.io/aquasecurity/trivy-java-db` diff --git a/mkdocs.yml b/mkdocs.yml index a727fa53..2b58e87c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -87,6 +87,7 @@ nav: - Suspending scans: configuration/suspend-scan.md - Retain issues: configuration/retain-issues.md - Ignore unfixed vulnerabilities: plugins/trivy/#large-vulnerability-reports + - HTTPS Proxy: configuration/https-proxy.md - "🔌 Plugins": - Overview: plugins/index.md - Misconfiguration: