add proxy support (#2336)

* add proxy support

* Update agent documentation on configuring proxy server

---------

Co-authored-by: ramanan-ravi <[email protected]>
(cherry picked from commit 3d88af1)

# Conflicts:
#	README.md
#	deepfence_agent/plugins/SecretScanner
#	deepfence_agent/plugins/YaraHunter
#	deepfence_agent/plugins/cloud-scanner
#	deepfence_agent/plugins/yara-rules
#	deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml
#	deployment-scripts/start-agent.sh
#	deployment-scripts/start-podman-agent.sh

README.md

@@ -94,6 +94,9 @@ docker run -dit \
     -e MGMT_CONSOLE_URL="---CONSOLE-IP---" \
     -e MGMT_CONSOLE_PORT="443" \
     -e DEEPFENCE_KEY="---DEEPFENCE-API-KEY---" \
+    -e http_proxy="" \
+    -e https_proxy="" \
+    -e no_proxy="" \
     quay.io/deepfenceio/deepfence_agent_ce:2.4.0
 ```
 

deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml

@@ -109,6 +109,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: http_proxy
+              value: "{{ .Values.managementConsoleProxy.http_proxy }}"
+            - name: https_proxy
+              value: "{{ .Values.managementConsoleProxy.https_proxy }}"
+            - name: no_proxy
+              value: "{{ .Values.managementConsoleProxy.no_proxy }}"
             {{- if .Values.clusterName }}
             - name: SCOPE_HOSTNAME
               value: "{{ .Values.clusterName }}-$(AGENT_HOSTNAME)"

deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml

@@ -24,6 +24,9 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ include "deepfence-agent.serviceAccountName" . }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
       containers:
         - name: deepfence-cluster-agent
           image: "{{ .Values.cluster_agent.image.name }}:{{ default .Values.global.imageTag .Values.cluster_agent.image.tag }}"
@@ -47,6 +50,13 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: http_proxy
+              value: "{{ .Values.managementConsoleProxy.http_proxy }}"
+            - name: https_proxy
+              value: "{{ .Values.managementConsoleProxy.https_proxy }}"
+            - name: no_proxy
+              value: "{{ .Values.managementConsoleProxy.no_proxy }}"
+
             {{- if .Values.clusterName }}
             - name: SCOPE_HOSTNAME
               value: "{{ .Values.clusterName }}-$(AGENT_HOSTNAME)"

deployment-scripts/helm-charts/deepfence-agent/values.yaml

@@ -75,6 +75,13 @@ cluster_agent:
 # required deepfence management console url and port
 managementConsoleUrl: ""
 managementConsolePort: "443"
+managementConsoleProxy:
+  # Optional - only set a value if agent needs to go via a proxy
+  # Example: http://172.17.0.1:3128
+  http_proxy: ""
+  https_proxy: ""
+  # Domains or ip addresses to add in no_proxy env variable, comma-separated string
+  no_proxy: ""
 
 # Auth: Get deepfence api key from UI -> Settings -> User Management
 deepfenceKey: ""

deployment-scripts/helm-charts/index.yaml

@@ -3,9 +3,9 @@ entries:
   deepfence-agent:
   - apiVersion: v2
     appVersion: 2.4.0
-    created: "2024-10-07T20:53:51.547293+05:30"
+    created: "2024-10-10T14:42:06.187013+05:30"
     description: Deepfence Agent - Helm chart for Kubernetes
-    digest: 7bea678c2d8a0384a8606ced47b1cb1f2df652c6436f023a687e0d945d3dee43
+    digest: 374f24f488f286ec738fa5a616007550a4cb779671258d0613c3057f3e0410b8
     name: deepfence-agent
     type: application
     urls:
@@ -823,4 +823,4 @@ entries:
     urls:
     - deepfence-router-1.0.0.tgz
     version: 1.0.0
-generated: "2024-10-07T20:53:51.546531+05:30"
+generated: "2024-10-10T14:42:06.186533+05:30"

deployment-scripts/start-agent.sh

@@ -20,6 +20,12 @@ EOF
 
 MGMT_CONSOLE_URL=""
 MGMT_CONSOLE_PORT="443"
+# Optional - only set a value if agent needs to go via a proxy
+# Example: http://172.17.0.1:3128
+MGMT_CONSOLE_HTTP_PROXY=""
+MGMT_CONSOLE_HTTPS_PROXY=""
+NO_PROXY=""
+
 # Log level: debug / info / error
 DF_LOG_LEVEL="info"
 USER_DEFINED_TAGS=""
@@ -113,6 +119,9 @@ start_agent() {
     -e DEEPFENCE_KEY="$DEEPFENCE_KEY" \
     -e DF_USE_DUMMY_SCOPE="$DF_USE_DUMMY_SCOPE" \
     -e DF_USE_FAT_DUMMY_SCOPE="$DF_USE_FAT_DUMMY_SCOPE" \
+    -e http_proxy="$MGMT_CONSOLE_HTTP_PROXY" \
+    -e https_proxy="$MGMT_CONSOLE_HTTPS_PROXY" \
+    -e no_proxy="$NO_PROXY" \
     "$IMAGE_REPOSITORY"/deepfence_agent_ce:"${DF_IMG_TAG:-2.4.0}"
 }
 

deployment-scripts/start-podman-agent.sh

@@ -20,6 +20,14 @@ EOF
 
 MGMT_CONSOLE_URL=""
 MGMT_CONSOLE_PORT="443"
+# Optional - only set a value if agent needs to go via a proxy
+# Example: http://172.17.0.1:3128
+MGMT_CONSOLE_HTTP_PROXY=""
+MGMT_CONSOLE_HTTPS_PROXY=""
+NO_PROXY=""
+
+# Log level: debug / info / error
+DF_LOG_LEVEL="info"
 USER_DEFINED_TAGS=""
 DEEPFENCE_KEY=""
 DF_HOSTNAME=""
@@ -101,6 +109,7 @@ start_agent() {
     -v /run/podman/podman.sock:/run/podman/podman.sock \
     -v /run/systemd/:/run/systemd/ \
     -v /:/fenced/mnt/host/:ro \
+    -e DF_LOG_LEVEL=$DF_LOG_LEVEL \
     -e DF_ENABLE_PROCESS_REPORT="true" \
     -e DF_ENABLE_CONNECTIONS_REPORT="true" \
     -e INSTANCE_ID_SUFFIX="$INSTANCE_ID_SUFFIX" \
@@ -111,6 +120,9 @@ start_agent() {
     -e DEEPFENCE_KEY="$DEEPFENCE_KEY" \
     -e DF_USE_DUMMY_SCOPE="$DF_USE_DUMMY_SCOPE" \
     -e DF_USE_FAT_DUMMY_SCOPE="$DF_USE_FAT_DUMMY_SCOPE" \
+    -e http_proxy="$MGMT_CONSOLE_HTTP_PROXY" \
+    -e https_proxy="$MGMT_CONSOLE_HTTPS_PROXY" \
+    -e no_proxy="$NO_PROXY" \
     "$IMAGE_REPOSITORY"/deepfence_agent_ce:"${DF_IMG_TAG:-2.4.0}"
 }
 

docs/docs/developers/deploy-agent.md

@@ -37,6 +37,9 @@ docker run -dit \
     -e MGMT_CONSOLE_URL="---CONSOLE-IP---" \
     -e MGMT_CONSOLE_PORT="443" \
     -e DEEPFENCE_KEY="---DEEPFENCE-API-KEY---" \
+    -e http_proxy="" \
+    -e https_proxy="" \
+    -e no_proxy="" \
     $ACC/deepfence_agent_ce:THREATMAPPER_VERSION
 ```
 

docs/docs/sensors/docker.md

@@ -39,6 +39,9 @@ docker run -dit \
     -e MGMT_CONSOLE_URL="---CONSOLE-IP---" \
     -e MGMT_CONSOLE_PORT="443" \
     -e DEEPFENCE_KEY="---DEEPFENCE-API-KEY---" \
+    -e http_proxy="" \
+    -e https_proxy="" \
+    -e no_proxy="" \
     quay.io/deepfenceio/deepfence_agent_ce:THREATMAPPER_VERSION
 ```
 
@@ -66,6 +69,9 @@ sudo podman run -dit \
     -e MGMT_CONSOLE_URL="---CONSOLE-IP---" \
     -e MGMT_CONSOLE_PORT="443" \
     -e DEEPFENCE_KEY="---DEEPFENCE-API-KEY---" \
+    -e http_proxy="" \
+    -e https_proxy="" \
+    -e no_proxy="" \
     quay.io/deepfenceio/deepfence_agent_ce:THREATMAPPER_VERSION
 ```
 
@@ -80,7 +86,11 @@ To upgrade a sensor install, stop the existing sensor and start the new version.
 
 ## Using a Proxy Server with Docker
 
-If ThreatMapper management console is accessed through a proxy server, add the proxy server details to the docker configuration.
+If ThreatMapper management console is accessed through a proxy server, there are two ways of configuring it.
+- You can start the container by providing the environment variable `http_proxy` and `https_proxy` as shown [here](#docker-1).
+The environment variable will be used by our agent to communicate with the proxy.
+
+- Alternatively, you can also configure docker to use a proxy server for all transactions.
 
 Edit the file: `~/.docker/config.json`, and add the following content.  Remember to change the proxy server ip address from 111.111.111.111 to your proxy server ip: