Merge pull request #443 from snyk/feat/proxying

Feat/proxying

Author: ivanstanev

.circleci/config.yml

@@ -216,6 +216,28 @@ jobs:
       - store_artifacts:
           path: /tmp/logs/test/integration/kind-helm
 
+  integration_tests_proxy:
+    <<: *default_machine_config
+    steps:
+      - checkout
+      - setup_node12
+      - install_python_requests
+      - run:
+          name: Create temporary directory for logs
+          command: mkdir -p /tmp/logs/test/integration/proxy
+      - run:
+          name: Integration tests with Helm deployment
+          command: |
+            export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
+            npm run test:integration:kind:proxy
+      - run:
+          name: Notify Slack on failure
+          command: |
+            ./scripts/slack/notify_failure_on_branch.py "staging-integration-proxy-tests-${CIRCLE_SHA1}"
+          when: on_fail
+      - store_artifacts:
+          path: /tmp/logs/test/integration/proxy
+
   eks_integration_tests:
     <<: *default_machine_config
     steps:
@@ -455,6 +477,10 @@ workflows:
           requires:
             - build_image
           <<: *staging_branch_only_filter
+      - integration_tests_proxy:
+          requires:
+            - build_image
+          <<: *staging_branch_only_filter
       - eks_integration_tests:
           requires:
             - build_image
@@ -477,6 +503,7 @@ workflows:
             - system_tests
             - integration_tests
             - integration_tests_helm
+            - integration_tests_proxy
           <<: *staging_branch_only_filter
       - deploy_dev:
           requires:

README.md

@@ -87,3 +87,37 @@ Finally, to launch the Snyk monitor in your cluster, run the following:
 ```shell
 kubectl apply -f snyk-monitor-deployment.yaml
 ```
+
+## Setting up proxying ##
+
+Proxying traffic through a forwarding proxy can be achieved by modifying the `snyk-monitor-cluster-permissions.yaml` or `snyk-monitor-namespaced-permissions.yaml` (depending on which one was applied) and setting the following variables in the `ConfigMap`:
+
+* http_proxy
+* https_proxy
+* no_proxy
+
+For example:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  ...
+data:
+  ...
+  https_proxy: "http://192.168.99.100:8080"
+```
+
+The `snyk-monitor` currently works with HTTP proxies only.
+
+Note that `snyk-monitor` does not proxy requests to the Kubernetes API server.
+
+Note that `snyk-monitor` does not support wildcards or CIDR addresses in `no_proxy` -- it will only look for exact matches. For example:
+
+```yaml
+# not OK:
+no_proxy: *.example.local,*.other.global,192.168.0.0/16
+
+# OK:
+no_proxy: long.domain.name.local,example.local
+```