Added CA support

Author: ofirc-wiz

wiz-network-analyzer/templates/NOTES.txt

@@ -6,13 +6,14 @@ Next steps:
 
 2. Collect the support package from the cluster
    POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=wiz-network-analyzer -n {{ .Release.Namespace }})
-   kubectl cp $POD_NAME:/support-package.zip .
+   kubectl -n wiz cp $POD_NAME:/support-package.zip .
 
 2. Upload it to Wiz
    Follow the instructions in the support package to upload it to Wiz.
 
 3. (Optional) access the logs
-   TODO: add commands
+   POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=wiz-network-analyzer -n {{ .Release.Namespace }})
+   kubectl -n {{ .Release.Namespace }}) logs $POD_NAME > wiz-network-analyzer.log
 
 Upon completion, the Job will remain for 5 minutes to allow extracting the support package.
 After that, the Job will be deleted automatically.

wiz-network-analyzer/templates/_helpers.tpl

@@ -60,6 +60,10 @@ Secrets names
 {{ coalesce (.Values.global.httpProxyConfiguration.secretName) (.Values.httpProxyConfiguration.secretName) (printf "%s-na-proxy-configuration" .Release.Name) }}
 {{- end }}
 
+{{- define "wiz-network-analyzer.caSecretName" -}}
+{{ coalesce (.Values.caCertificate.secretName) (printf "%s-na-ca" .Release.Name) }}
+{{- end }}
+
 {{/*
 Input parameters
 */}}

wiz-network-analyzer/templates/job-network-analyzer.yaml

@@ -23,9 +23,6 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{/*
-        `labels` includes `selectorLabels`
-        */}}
         {{- include "wiz-network-analyzer.labels" . | nindent 8 }}
     spec:
       {{- with .Values.global.imagePullSecrets }}
@@ -40,8 +37,17 @@ spec:
         {{- else }}
         {{- toYaml .Values.global.podSecurityContext | nindent 8 }}
         {{- end }}
-      {{- if or .Values.global.customVolumes .Values.customVolumes }}
+      {{- if or .Values.global.customVolumes .Values.customVolumes .Values.caCertificate.enabled }}
       volumes:
+      {{- if .Values.caCertificate.enabled }}
+      - name: additional-certs
+        secret:
+          secretName: {{ include "wiz-network-analyzer.caSecretName" . | trim }}
+          items:
+            - key: ca.crt
+              path: ca-certificates.crt
+          defaultMode: 420
+      {{- end }}
       {{ with .Values.global.customVolumes }}
         {{- toYaml . | nindent 6 }}
       {{- end }}
@@ -96,12 +102,6 @@ spec:
           - name: WIZ_ENV
             value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
           {{- if (or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled) }}
-          - name: HTTP_PROXY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "wiz-network-analyzer.proxySecretName" . | trim }}
-                key: httpProxy
-                optional: false
           - name: HTTPS_PROXY
             valueFrom:
               secretKeyRef:
@@ -115,10 +115,20 @@ spec:
                 key: noProxyAddress
                 optional: false
           {{- end }}
+          {{- if .Values.caCertificate.enabled }}
+          - name: SSL_CERT_DIR
+            value: /usr/local/share/ca-certificates/:/certificates/:/etc/ssl/certs
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }}
+          {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts .Values.caCertificate.enabled }}
           volumeMounts:
+          {{- if .Values.caCertificate.enabled }}
+          - name: additional-certs
+            mountPath: /certificates
+          - name: additional-certs
+            mountPath: /etc/ssl/certs
+          {{- end }}
           {{- with .Values.customVolumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end -}}
@@ -137,4 +147,4 @@ spec:
       {{- with (coalesce .Values.global.tolerations .Values.tolerations) }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}

wiz-network-analyzer/templates/secret-ca.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.caCertificate.enabled .Values.caCertificate.create }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "wiz-network-analyzer.caSecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    {{- with .Values.caCertificate.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "wiz-network-analyzer.labels" . | nindent 4 }}
+stringData:
+  ca.crt: {{ .Values.caCertificate.certificate | quote }}
+{{- end }}

wiz-network-analyzer/templates/secret-proxy.yaml

@@ -14,7 +14,6 @@ metadata:
   labels:
     {{- include "wiz-network-analyzer.labels" . | nindent 4 }}
 stringData:
-  httpProxy: {{ .Values.httpProxyConfiguration.httpProxy | quote }}
   httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }}
   noProxyAddress: {{ .Values.httpProxyConfiguration.noProxyAddress | quote }}
 {{- end }}

wiz-network-analyzer/values.yaml

@@ -25,6 +25,18 @@ clusterReader:
         resources: ["*"]
         verbs: ["get", "list", "watch"]
 
+# Set this to true if you are using Istio in sidecar mode.
+# When Istio uses sidecars, there are 2 issues when using Wiz:
+# 1) The creation and deletion Jobs never complete (due to istio-proxy sidecar)
+# 2) There is a race condition and possible network connectivity failures
+#    when contacting the Wiz backend.
+#
+# When either of this happens, either the installation, upgrade or uninstallation
+# of the charts fail.
+# Setting this to true ensures that the istio-proxy gets a graceful shutdown
+# and mitigates the networking race condition by sleeping before the Job starts.
+# Learn more:
+# https://istio.io/latest/blog/2023/native-sidecars/
 istio:
   enabled: false
   sleepBeforeJobSecs: 15
@@ -67,21 +79,49 @@ tolerations: []
 
 affinity: {}
 
-# Redirect HTTP and/or HTTPS traffic through a proxy.
+# Redirect HTTPS traffic through a proxy.
 httpProxyConfiguration:
-  enabled: false # Should the components use a proxy.
+  # Set to true to enable using a proxy.
+  enabled: false
 
   # Should a Secret be created by the chart or not.
-  # Set this to false if you wish to create the Secret yourself or using another tool.
-  # The Secret should contain httpProxy, httpsProxy and noProxyAddress.
+  # Set this to false if you wish to create the Secret yourself or using another tool
+  # (e.g. external secrets operator).
+  # The Secret should contain httpsProxy and noProxyAddress.
   create: true
   secretName: "" # The name of the proxy Secret.
   annotations: {} # Annotations to be set on the secret
 
-  httpProxy: "" # URL to use as a proxy for outbound HTTP traffic.
+  # URL to use as a proxy for outbound HTTPS traffic.
+  # Leave blank for transparent proxy.
   httpsProxy: "" # URL to use as a proxy for outbound HTTPS traffic.
   noProxyAddress: "kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
 
+caCertificate:
+  # Set to true to enable using a custom CA certificate.
+  # Useful only in man-in-the-middle (MitM) / TLS inspection / SSL bumping scenarios.
+  # Regular/forward/CONNECT proxies do not require this.
+  enabled: false
+
+  # Should a Secret be created by the chart or not.
+  # Set this to false if you wish to create the Secret yourself or using another tool
+  # (e.g. external secrets operator).
+  # The Secret should contain a key called `ca.crt` and the value
+  # should be a certificate in PEM format.
+  create: true
+
+  # The certificate must be in PEM format.
+  # Simply copy-n-paste the contents of the certificate file.
+  certificate: |
+    -----BEGIN CERTIFICATE-----
+    -----END CERTIFICATE-----
+
+  # The name of the CA certificate Secret.
+  # Must have a key called `ca.crt` with the certificate in PEM format.
+  secretName: ""
+
+  annotations: {} # Annotations to be set on the secret.
+
 # The address of the Kubernetes API server.
 # Override this if you are using a different endpoint for your Kubernetes API server.
 apiServerEndpoint: "https://kubernetes.default.svc.cluster.local"
@@ -153,7 +193,20 @@ global:
     secret:
       name: "" # Override with parent secret name
 
+  # Redirect HTTPS traffic through a proxy.
   httpProxyConfiguration:
-    enabled: false # Should the components use a proxy.
-    create: false # Secret created by wiz-network-analyzer.
+    # Set to true to enable using a proxy.
+    enabled: false
+
+    # Should a Secret be created by the chart or not.
+    # Set this to false if you wish to create the Secret yourself or using another tool
+    # (e.g. external secrets operator).
+    # The Secret should contain httpsProxy and noProxyAddress.
+    create: true
     secretName: "" # The name of the proxy Secret.
+    annotations: {} # Annotations to be set on the secret
+
+    # URL to use as a proxy for outbound HTTPS traffic.
+    # Leave blank for transparent proxy.
+    httpsProxy: "" # URL to use as a proxy for outbound HTTPS traffic.
+    noProxyAddress: "kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local"