HTTP Proxy Support

charts/zora/README.md

@@ -118,6 +118,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
 | kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
+| httpsProxy | string | `""` | HTTPS proxy URL |
+| noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

charts/zora/templates/operator/deployment.yaml

@@ -59,6 +59,13 @@ spec:
           securityContext:
             {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }}
         - name: manager
+          {{- if .Values.httpsProxy }}
+          env:
+            - name: HTTPS_PROXY
+              value: {{ .Values.httpsProxy | quote }}
+            - name: NO_PROXY
+              value: {{ .Values.noProxy | quote }}
+          {{- end }}
           command:
             - /manager
           args:

charts/zora/templates/plugins/trivy.yaml

@@ -31,6 +31,12 @@ spec:
   env:
     - name: TRIVY_IGNORE_VULN_DESCRIPTIONS
       value: {{ .Values.scan.plugins.trivy.ignoreDescriptions | quote }}
+    {{- if .Values.httpsProxy }}
+    - name: HTTPS_PROXY
+      value: {{ .Values.httpsProxy | quote }}
+    - name: NO_PROXY
+      value: {{ .Values.noProxy | quote }}
+    {{- end }}
   command:
     - /bin/sh
     - -c

charts/zora/values.yaml

@@ -235,3 +235,8 @@ kubexnsImage:
 
 # -- Custom checks ConfigMap name
 customChecksConfigMap: zora-custom-checks
+
+# -- HTTPS proxy URL
+httpsProxy: ""
+# -- Comma-separated list of URL patterns to be excluded from going through the proxy
+noProxy: kubernetes.default.svc.*,127.0.0.1,localhost

cmd/main.go

@@ -108,8 +108,9 @@ func main() {
 
 	var onClusterUpdate, onClusterDelete saas.ClusterHook
 	var onClusterScanUpdate, onClusterScanDelete saas.ClusterScanHook
+	client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyFromEnvironment}}
 	if saasWorkspaceID != "" {
-		saasClient, err := saas.NewClient(saasServer, version, saasWorkspaceID, http.DefaultClient)
+		saasClient, err := saas.NewClient(saasServer, version, saasWorkspaceID, client)
 		if err != nil {
 			setupLog.Error(err, "unable to create SaaS client", "workspaceID", saasWorkspaceID)
 			os.Exit(1)

docs/configuration/https-proxy.md

@@ -0,0 +1,25 @@
+# HTTPS Proxy
+
+If your network environment requires the use of a proxy, you must ensure proper configuration of the `httpsProxy`
+parameter when running `helm upgrade --install` command.
+
+```shell 
+# omitted "helm upgrade --install" command and parameters
+
+--set httpsProxy="https://secure.proxy.tld"
+```
+
+Additionally, you can specify URLs that should bypass the proxy, by setting the `noProxy` parameter in comma-separated 
+list format. Note that this parameter already has a default value: `kubernetes.default.svc.*,127.0.0.1,localhost`.
+
+Configuring proxy settings enables both `trivy` plugin and `zora-operator` to use the proxy for external requests.
+
+Zora OSS sends scan results to the following external URL if your installation is integrated with
+[Zora Dashboard](../dashboard.md):
+
+- `https://zora-dashboard.undistro.io`
+
+While [Trivy](../plugins/trivy.md) downloads vulnerability databases during scans from the following external sources:
+
+- `ghcr.io/aquasecurity/trivy-db` 
+- `ghcr.io/aquasecurity/trivy-java-db`

mkdocs.yml

@@ -87,6 +87,7 @@ nav:
           - Suspending scans: configuration/suspend-scan.md
           - Retain issues: configuration/retain-issues.md
           - Ignore unfixed vulnerabilities: plugins/trivy/#large-vulnerability-reports
+          - HTTPS Proxy: configuration/https-proxy.md
       - "🔌 Plugins":
           - Overview: plugins/index.md
           - Misconfiguration: