⭐️ add support for using http proxies (#859)

* add support for using http proxies Signed-off-by: Ivan Milchev <ivan@mondoo.com> * set http proxy config in MondooOperatorConfig instead of MondooAuditConfig Signed-off-by: Ivan Milchev <ivan@mondoo.com> * set up proxy for token exchange Signed-off-by: Ivan Milchev <ivan@mondoo.com> * fix integrations controller Signed-off-by: Ivan Milchev <ivan@mondoo.com> * fix comments Signed-off-by: Ivan Milchev <ivan@mondoo.com> * remove commented out code Signed-off-by: Ivan Milchev <ivan@mondoo.com> --------- Signed-off-by: Ivan Milchev <ivan@mondoo.com>
mondoohq · Sep 25, 2023 · 79942d6 · 79942d6
1 parent a89a740
commit 79942d6
Show file tree

Hide file tree

Showing 48 changed files with 1,204 additions and 939 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -22,5 +22,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.53
-          args: --timeout=15m0s
+          version: v1.54
+          args: --timeout=20m0s
diff --git a/api/v1alpha2/mondoooperatorconfig_types.go b/api/v1alpha2/mondoooperatorconfig_types.go
@@ -31,6 +31,8 @@ type MondooOperatorConfigSpec struct {
 	Metrics Metrics `json:"metrics,omitempty"`
 	// Allows skipping Image resolution from upstream repository
 	SkipContainerResolution bool `json:"skipContainerResolution,omitempty"`
+	// HttpProxy specifies a proxy to use for HTTP requests to the Mondoo platform.
+	HttpProxy *string `json:"httpProxy,omitempty"`
 }
 
 type Metrics struct {

diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
diff --git a/cmd/mondoo-operator/garbage_collect/cmd.go b/cmd/mondoo-operator/garbage_collect/cmd.go
@@ -15,7 +15,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.mondoo.com/cnquery/motor/providers"
 	"go.mondoo.com/cnspec/policy/scan"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
+	"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -70,10 +70,13 @@ func init() {
 			token = strings.TrimSuffix(string(tokenBytes), "\n")
 		}
 
-		client := mondooclient.NewClient(mondooclient.ClientOptions{
+		client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
 			ApiEndpoint: *scanApiUrl,
 			Token:       token,
 		})
+		if err != nil {
+			return err
+		}
 
 		logger.Info("triggering garbage collection")
 		ctx, cancel := context.WithTimeout(context.Background(), time.Duration((*timeout))*time.Minute)
@@ -87,7 +90,7 @@ func init() {
 	}
 }
 
-func GarbageCollectCmd(ctx context.Context, client mondooclient.Client, platformRuntime, olderThan, managedBy string, labels map[string]string, logger logr.Logger) error {
+func GarbageCollectCmd(ctx context.Context, client scanapiclient.ScanApiClient, platformRuntime, olderThan, managedBy string, labels map[string]string, logger logr.Logger) error {
 	gcOpts := &scan.GarbageCollectOptions{
 		ManagedBy: managedBy,
 		Labels:    labels,

diff --git a/cmd/mondoo-operator/k8s_scan/cmd.go b/cmd/mondoo-operator/k8s_scan/cmd.go
@@ -14,7 +14,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.mondoo.com/cnquery/motor/providers"
 	"go.mondoo.com/mondoo-operator/cmd/mondoo-operator/garbage_collect"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
+	"go.mondoo.com/mondoo-operator/pkg/client/scanapiclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -56,15 +56,18 @@ func init() {
 		}
 		token := strings.TrimSuffix(string(tokenBytes), "\n")
 
-		client := mondooclient.NewClient(mondooclient.ClientOptions{
+		client, err := scanapiclient.NewClient(scanapiclient.ScanApiClientOptions{
 			ApiEndpoint: *scanApiUrl,
 			Token:       token,
 		})
+		if err != nil {
+			return err
+		}
 
 		logger.Info("triggering Kubernetes resources scan")
 		ctx, cancel := context.WithTimeout(context.Background(), time.Duration((*timeout))*time.Minute)
 		defer cancel()
-		scanOpts := &mondooclient.ScanKubernetesResourcesOpts{
+		scanOpts := &scanapiclient.ScanKubernetesResourcesOpts{
 			IntegrationMrn:      *integrationMrn,
 			ScanContainerImages: *scanContainerImages,
 			ManagedBy:           *setManagedBy,

diff --git a/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml b/config/crd/bases/k8s.mondoo.com_mondoooperatorconfigs.yaml
@@ -39,6 +39,10 @@ spec:
           spec:
             description: MondooOperatorConfigSpec defines the desired state of MondooOperatorConfig
             properties:
+              httpProxy:
+                description: HttpProxy specifies a proxy to use for HTTP requests
+                  to the Mondoo platform.
+                type: string
               metrics:
                 description: Metrics controls the enabling/disabling of metrics report
                   of mondoo-operator

diff --git a/controllers/admission/deployment_handler_test.go b/controllers/admission/deployment_handler_test.go
@@ -32,8 +32,8 @@ import (
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 
 	mondoov1alpha2 "go.mondoo.com/mondoo-operator/api/v1alpha2"
+	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	fakeMondoo "go.mondoo.com/mondoo-operator/pkg/utils/mondoo/fake"
 	ctrl "sigs.k8s.io/controller-runtime"

diff --git a/controllers/container_image/deployment_handler.go b/controllers/container_image/deployment_handler.go
@@ -114,7 +114,7 @@ func (n *DeploymentHandler) syncCronJob(ctx context.Context) error {
 	}
 
 	existing := &batchv1.CronJob{}
-	desired := CronJob(mondooClientImage, integrationMrn, clusterUid, privateRegistriesSecretName, *n.Mondoo)
+	desired := CronJob(mondooClientImage, integrationMrn, clusterUid, privateRegistriesSecretName, *n.Mondoo, *n.MondooOperatorConfig)
 	if err := ctrl.SetControllerReference(n.Mondoo, desired, n.KubeClient.Scheme()); err != nil {
 		logger.Error(err, "Failed to set ControllerReference", "namespace", desired.Namespace, "name", desired.Name)
 		return err

diff --git a/controllers/container_image/deployment_handler_test.go b/controllers/container_image/deployment_handler_test.go
@@ -70,7 +70,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create() {
 	image, err := s.containerImageResolver.CnspecImage("", "", false)
 	s.NoError(err)
 
-	expected := CronJob(image, "", test.KubeSystemNamespaceUid, "", s.auditConfig)
+	expected := CronJob(image, "", test.KubeSystemNamespaceUid, "", s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
 	s.NoError(ctrl.SetControllerReference(&s.auditConfig, expected, d.KubeClient.Scheme()))
 
 	// Set some fields that the kube client sets
@@ -113,7 +113,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create_PrivateRegistriesSecret()
 	image, err := s.containerImageResolver.CnspecImage("", "", false)
 	s.NoError(err)
 
-	expected := CronJob(image, "", test.KubeSystemNamespaceUid, s.auditConfig.Spec.Scanner.PrivateRegistriesPullSecretRef.Name, s.auditConfig)
+	expected := CronJob(image, "", test.KubeSystemNamespaceUid, s.auditConfig.Spec.Scanner.PrivateRegistriesPullSecretRef.Name, s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
 	s.NoError(ctrl.SetControllerReference(&s.auditConfig, expected, d.KubeClient.Scheme()))
 
 	// Set some fields that the kube client sets
@@ -155,7 +155,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create_ConsoleIntegration() {
 	image, err := s.containerImageResolver.CnspecImage("", "", false)
 	s.NoError(err)
 
-	expected := CronJob(image, integrationMrn, test.KubeSystemNamespaceUid, "", s.auditConfig)
+	expected := CronJob(image, integrationMrn, test.KubeSystemNamespaceUid, "", s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
 	s.NoError(ctrl.SetControllerReference(&s.auditConfig, expected, d.KubeClient.Scheme()))
 
 	// Set some fields that the kube client sets
@@ -179,15 +179,15 @@ func (s *DeploymentHandlerSuite) TestReconcile_Update() {
 	s.NoError(err)
 
 	// Make sure a cron job exists with different container command
-	cronJob := CronJob(image, "", "", "", s.auditConfig)
+	cronJob := CronJob(image, "", "", "", s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
 	cronJob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command = []string{"test-command"}
 	s.NoError(d.KubeClient.Create(s.ctx, cronJob))
 
 	result, err := d.Reconcile(s.ctx)
 	s.NoError(err)
 	s.True(result.IsZero())
 
-	expected := CronJob(image, "", test.KubeSystemNamespaceUid, "", s.auditConfig)
+	expected := CronJob(image, "", test.KubeSystemNamespaceUid, "", s.auditConfig, mondoov1alpha2.MondooOperatorConfig{})
 	s.NoError(ctrl.SetControllerReference(&s.auditConfig, expected, d.KubeClient.Scheme()))
 
 	// Set some fields that the kube client sets

diff --git a/controllers/container_image/resources.go b/controllers/container_image/resources.go
@@ -35,9 +35,20 @@ const (
 	InventoryConfigMapBase = "-containers-inventory"
 )
 
-func CronJob(image, integrationMrn, clusterUid, privateImageScanningSecretName string, m v1alpha2.MondooAuditConfig) *batchv1.CronJob {
+func CronJob(image, integrationMrn, clusterUid, privateImageScanningSecretName string, m v1alpha2.MondooAuditConfig, cfg v1alpha2.MondooOperatorConfig) *batchv1.CronJob {
 	ls := CronJobLabels(m)
 
+	cmd := []string{
+		"cnspec", "scan", "k8s",
+		"--config", "/etc/opt/mondoo/mondoo.yml",
+		"--inventory-file", "/etc/opt/mondoo/inventory.yml",
+		"--score-threshold", "0",
+	}
+
+	if cfg.Spec.HttpProxy != nil {
+		cmd = append(cmd, []string{"--api-proxy", *cfg.Spec.HttpProxy}...)
+	}
+
 	// We want to start the cron job one minute after it was enabled.
 	cronStart := time.Now().Add(1 * time.Minute)
 	cronTab := fmt.Sprintf("%d %d * * *", cronStart.Minute(), cronStart.Hour())
@@ -65,13 +76,8 @@ func CronJob(image, integrationMrn, clusterUid, privateImageScanningSecretName s
 									Image:           image,
 									ImagePullPolicy: corev1.PullIfNotPresent,
 									Name:            "mondoo-containers-scan",
-									Command: []string{
-										"cnspec", "scan", "k8s",
-										"--config", "/etc/opt/mondoo/mondoo.yml",
-										"--inventory-file", "/etc/opt/mondoo/inventory.yml",
-										"--score-threshold", "0",
-									},
-									Resources: k8s.ResourcesRequirementsWithDefaults(m.Spec.Containers.Resources, k8s.DefaultContainerScanningResources),
+									Command:         cmd,
+									Resources:       k8s.ResourcesRequirementsWithDefaults(m.Spec.Containers.Resources, k8s.DefaultContainerScanningResources),
 									SecurityContext: &corev1.SecurityContext{
 										AllowPrivilegeEscalation: pointer.Bool(false),
 										ReadOnlyRootFilesystem:   pointer.Bool(true),

diff --git a/controllers/integration/integration_controller.go b/controllers/integration/integration_controller.go
@@ -15,15 +15,17 @@ import (
 	"time"
 
 	"go.uber.org/zap"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
+	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 )
@@ -60,7 +62,7 @@ type IntegrationReconciler struct {
 
 	// Interval is the length of time we sleep between runs
 	Interval            time.Duration
-	MondooClientBuilder func(mondooclient.ClientOptions) mondooclient.Client
+	MondooClientBuilder func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error)
 	ctx                 context.Context
 }
 
@@ -119,7 +121,14 @@ func (r *IntegrationReconciler) processMondooAuditConfig(m v1alpha2.MondooAuditC
 		return err
 	}
 
-	if err = mondoo.IntegrationCheckIn(r.ctx, integrationMrn, *serviceAccount, r.MondooClientBuilder, logger); err != nil {
+	config := &v1alpha2.MondooOperatorConfig{}
+	if err = r.Client.Get(r.ctx, types.NamespacedName{Name: v1alpha2.MondooOperatorConfigName}, config); err != nil {
+		if !errors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	if err = mondoo.IntegrationCheckIn(r.ctx, integrationMrn, *serviceAccount, r.MondooClientBuilder, config.Spec.HttpProxy, logger); err != nil {
 		logger.Error(err, "failed to CheckIn() for integration", "integrationMRN", string(integrationMrn))
 		return err
 	}

diff --git a/controllers/integration/integration_controller_test.go b/controllers/integration/integration_controller_test.go
@@ -31,9 +31,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
+	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
+	mockmondoo "go.mondoo.com/mondoo-operator/pkg/client/mondooclient/mock"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
-	mockmondoo "go.mondoo.com/mondoo-operator/pkg/mondooclient/mock"
 	"go.mondoo.com/mondoo-operator/tests/credentials"
 )
 
@@ -105,15 +105,15 @@ func (s *IntegrationCheckInSuite) TestCheckIn() {
 
 	mockCtrl := gomock.NewController(s.T())
 
-	mClient := mockmondoo.NewMockClient(mockCtrl)
+	mClient := mockmondoo.NewMockMondooClient(mockCtrl)
 	mClient.EXPECT().IntegrationCheckIn(gomock.Any(), &mondooclient.IntegrationCheckInInput{
 		Mrn: testIntegrationMRN, // make sure MRN in the CheckIn() in what is required for the real Mondoo API
 	}).Times(1).Return(&mondooclient.IntegrationCheckInOutput{
 		Mrn: testIntegrationMRN,
 	}, nil)
 
-	testMondooClientBuilder := func(mondooclient.ClientOptions) mondooclient.Client {
-		return mClient
+	testMondooClientBuilder := func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error) {
+		return mClient, nil
 	}
 
 	fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existingObjects...).Build()
@@ -150,15 +150,15 @@ func (s *IntegrationCheckInSuite) TestClearPreviousCondition() {
 
 	mockCtrl := gomock.NewController(s.T())
 
-	mClient := mockmondoo.NewMockClient(mockCtrl)
+	mClient := mockmondoo.NewMockMondooClient(mockCtrl)
 	mClient.EXPECT().IntegrationCheckIn(gomock.Any(), &mondooclient.IntegrationCheckInInput{
 		Mrn: testIntegrationMRN, // make sure MRN in the CheckIn() in what is required for the real Mondoo API
 	}).Times(1).Return(&mondooclient.IntegrationCheckInOutput{
 		Mrn: testIntegrationMRN,
 	}, nil)
 
-	testMondooClientBuilder := func(mondooclient.ClientOptions) mondooclient.Client {
-		return mClient
+	testMondooClientBuilder := func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error) {
+		return mClient, nil
 	}
 
 	fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existingObjects...).Build()
@@ -192,11 +192,11 @@ func (s *IntegrationCheckInSuite) TestMissingIntegrationMRN() {
 
 	mockCtrl := gomock.NewController(s.T())
 
-	mClient := mockmondoo.NewMockClient(mockCtrl)
+	mClient := mockmondoo.NewMockMondooClient(mockCtrl)
 	// EXPECT no call because of the missing integration MRN data
 
-	testMondooClientBuilder := func(mondooclient.ClientOptions) mondooclient.Client {
-		return mClient
+	testMondooClientBuilder := func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error) {
+		return mClient, nil
 	}
 
 	fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existingObjects...).Build()
@@ -230,11 +230,11 @@ func (s *IntegrationCheckInSuite) TestBadServiceAccountData() {
 
 	mockCtrl := gomock.NewController(s.T())
 
-	mClient := mockmondoo.NewMockClient(mockCtrl)
+	mClient := mockmondoo.NewMockMondooClient(mockCtrl)
 	// EXPECT no call because of the bad service account data
 
-	testMondooClientBuilder := func(mondooclient.ClientOptions) mondooclient.Client {
-		return mClient
+	testMondooClientBuilder := func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error) {
+		return mClient, nil
 	}
 
 	fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existingObjects...).Build()
@@ -266,13 +266,13 @@ func (s *IntegrationCheckInSuite) TestFailedCheckIn() {
 
 	mockCtrl := gomock.NewController(s.T())
 
-	mClient := mockmondoo.NewMockClient(mockCtrl)
+	mClient := mockmondoo.NewMockMondooClient(mockCtrl)
 	mClient.EXPECT().IntegrationCheckIn(gomock.Any(), gomock.Any()).Times(1).Return(
 		nil, fmt.Errorf(`http status 401: {"code":16,"message":"request permission unauthenticated"}`),
 	)
 
-	testMondooClientBuilder := func(mondooclient.ClientOptions) mondooclient.Client {
-		return mClient
+	testMondooClientBuilder := func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error) {
+		return mClient, nil
 	}
 
 	fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existingObjects...).Build()

diff --git a/controllers/k8s_scan/deployment_handler_test.go b/controllers/k8s_scan/deployment_handler_test.go
@@ -32,8 +32,8 @@ import (
 	"go.mondoo.com/mondoo-operator/controllers/resource_monitor/scan_api_store"
 	scanapistoremock "go.mondoo.com/mondoo-operator/controllers/resource_monitor/scan_api_store/mock"
 	"go.mondoo.com/mondoo-operator/controllers/scanapi"
+	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
-	"go.mondoo.com/mondoo-operator/pkg/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	fakeMondoo "go.mondoo.com/mondoo-operator/pkg/utils/mondoo/fake"
 	"go.mondoo.com/mondoo-operator/pkg/utils/test"