Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

⭐️ add support for using http proxies #859

Merged
merged 6 commits into from
Sep 25, 2023
Merged

⭐️ add support for using http proxies #859

merged 6 commits into from
Sep 25, 2023

Conversation

imilchev
Copy link
Member

  • Make sure the proxy is used by cnspec
  • make sure the operator uses the proxy too when reporting status upstream

@imilchev imilchev marked this pull request as ready for review September 20, 2023 14:58
@chris-rock chris-rock mentioned this pull request Sep 21, 2023
@czunker
Copy link
Contributor

czunker commented Sep 22, 2023

This PR solves #853

pkg/client/mondooclient/fakeserver/fakeserver.go Outdated Show resolved Hide resolved
controllers/k8s_scan/resources.go Outdated Show resolved Hide resolved
controllers/nodes/resources.go Outdated Show resolved Hide resolved
@czunker
Copy link
Contributor

czunker commented Sep 22, 2023

For testing, I used network policies to limit the traffic. I came across these messages for the image scan:

k -n mondoo-operator logs pod/k8s-containers-scan-now-dqd4m -f                                                                                           ✔ │ minikube ○ │ 14:07:05 
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
→ load inventory inventory-file=/etc/opt/mondoo/inventory.yml
→ using service account credentials
→ discover related assets for 1 asset(s)
x failed to convert container image to asset error="could not resolve image quay.io/jetstack/cert-manager-cainjector@sha256:7c65d8478484155f6f1886b1ed60064e854c7c371b1fddbe220c71e5574e6526. Get \"https://quay.io/v2/\": dial tcp 34.228.154.221:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image calico/cni@sha256:3be3c67ddba17004c292eafec98cc49368ac273b40b27c8a6621be4471d348d6. Get \"https://index.docker.io/v2/\": dial tcp 3.216.34.172:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image calico/node@sha256:8e34517775f319917a0be516ed3a373dbfca650d1ee8e72158087c24356f47fb. Get \"https://index.docker.io/v2/\": dial tcp 44.205.64.79:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image registry.k8s.io/etcd@sha256:51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83. Get \"https://registry.k8s.io/v2/\": dial tcp 34.96.108.209:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image registry.k8s.io/kube-controller-manager@sha256:6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265. Get \"https://registry.k8s.io/v2/\": dial tcp 34.96.108.209:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image registry.k8s.io/kube-proxy@sha256:4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf. Get \"https://registry.k8s.io/v2/\": dial tcp 34.96.108.209:443: i/o timeout"
x failed to convert container image to asset error="could not resolve image gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944. Get \"https://gcr.io/v2/\": dial tcp 66.102.1.82:443: i/o timeout"

This client is not taking up the proxy. But I'm not sure whether this was intended by the request. The linked issue only mentions the API proxy.

@czunker
Copy link
Contributor

czunker commented Sep 22, 2023

For some scans, I see the requests in the proxy logs and also the assets in the console.

Signed-off-by: Ivan Milchev <[email protected]>
@czunker
Copy link
Contributor

czunker commented Sep 25, 2023

During a test, I had an error in my setup. But nice to see we get a meaningful error message:

error: failed to do request: Post "https://api.edge.mondoo.com/PolicyResolver/SynchronizeAssets": proxyconnect tcp: dial tcp 192.168.1.87:3128: connect: connection refused

@czunker
Copy link
Contributor

czunker commented Sep 25, 2023

Node scan is now also working via proxy:

Scanned 1 assets

Ubuntu 22.04.2 LTS
    D minikube

Copy link
Contributor

@czunker czunker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @imilchev

@imilchev imilchev merged commit 79942d6 into main Sep 25, 2023
@imilchev imilchev deleted the ivan/api-proxy branch September 25, 2023 14:00
@github-actions github-actions bot locked and limited conversation to collaborators Sep 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants