ManageIQ · moolitayer · Aug 6, 2017 · Jun 20, 2017 · moolitayer · Aug 6, 2017
@@ -14,6 +14,7 @@ class ManageIQ::Providers::Kubernetes::ContainerManager < ManageIQ::Providers::C
   require_nested :Scanning
 
   include ManageIQ::Providers::Kubernetes::ContainerManagerMixin
+  include ManageIQ::Providers::Kubernetes::ContainerManager::Options
 
   # See HasMonitoringManagerMixin
   has_one :monitoring_manager,

@@ -0,0 +1,75 @@
+module ManageIQ::Providers::Kubernetes::ContainerManager::Options
+  extend ActiveSupport::Concern
+
+  module ClassMethods
+    def proxy_settings
+      {
+        :http_proxy => {
+          :label          => N_('HTTP Proxy'),
+          :help_text      => N_('HTTP Proxy to connect ManageIQ to the provider. example: http://user:password@my_https_proxy'),
+          :global_default => VMDB::Util.http_proxy_uri,
+        },
+      }
+    end
+
+    def advanced_settings
+      {
+        :image_inspector_options => {
+          :label     => N_('Image Inspector Options'),
+          :help_text => N_('Settings for Image Inspector tool'),
+          :settings  => {
+            :http_proxy  => {
+              :label     => N_('HTTP Proxy'),
+              :help_text => N_('HTTP Proxy to connect image inspector pods to the internet. example: http://user:password@my_https_proxy'),
+            },
+            :https_proxy => {
+              :label     => N_('HTTPS Proxy'),
+              :help_text => N_('HTTPS Proxy to connect image inspector pods to the internet. example: https://user:password@my_https_proxy'),
+            },
+            :no_proxy    => {
+              :label     => N_('NO Proxy'),
+              :help_text => N_('NO Proxy lists urls that should\'nt be sent to any proxy. example: my_file_server.org'),
+            },
+            :repository  => {
+              :label          => N_('Image-Inspector Repository'),
+              :help_text      => N_('Image-Inspector Repository. example: openshift/image-inspector'),
+              :global_default => Settings.ems.ems_kubernetes.image_inspector_repository,
+            },
+            :registry    => {
+              :label          => N_('Image-Inspector Registry'),
+              :help_text      => N_('Registry to provide the image inspector repository. example: docker.io'),
+              :global_default => Settings.ems.ems_kubernetes.image_inspector_registry,
+            },
+            :image_tag   => {
+              :label          => N_('Image-Inspector Tag'),
+              :help_text      => N_('Image-Inspector image tag. example: 2.1'),
+              :global_default => ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job::INSPECTOR_IMAGE_TAG,
+            },
+            :cve_url     => {
+              :label     => N_('CVE location'),
+              :help_text => N_('Enables defining a URL path prefix for XCCDF file instead of accessing the default location.
+  example: http://my_file_server.org:3333/xccdf_files/
+  Expecting to find com.redhat.rhsa-RHEL7.ds.xml.bz2 file there.'),
+              # Future versions of image inspector will extend this.
+            },
+          }
+        }
+      }
+    end
+
+    def provider_settings
+      {
+        :proxy_settings    => {
+          :label     => N_('Proxy Settings'),
+          :help_text => N_('Proxy Settings for connection to the provider'),
+          :settings  => proxy_settings,
+        },
+        :advanced_settings => {
+          :label     => N_('Advanced Settings'),
+          :help_text => N_('Advanced Settings for provider configuration'),
+          :settings  => advanced_settings,
+        }
+      }
+    end
+  end
+end
@@ -13,7 +13,6 @@ class ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job < Job
   ERRCODE_NOTFOUND = 404
   IMAGE_INSPECTOR_SA = 'inspector-admin'
   INSPECTOR_ADMIN_SECRET_PATH = '/var/run/secrets/kubernetes.io/inspector-admin-secret-'
-  ATTRIBUTE_SECTION = 'cluster_settings'
   PROXY_ENV_VARIABLES = %w(no_proxy http_proxy https_proxy)
 
   def load_transitions
@@ -347,6 +346,10 @@ def inspector_admin_secret
     return nil
   end
 
+  def ems_image_inspector_options
+    @provider_options ||= ext_management_system.options.try(:fetch_path, :image_inspector_options) || {}
+  end
+
   def pod_definition(inspector_admin_secret_name)
     pod_def = {
       :apiVersion => "v1",
@@ -409,6 +412,7 @@ def pod_definition(inspector_admin_secret_name)
     }
 
     add_secret_to_pod_def(pod_def, inspector_admin_secret_name) unless inspector_admin_secret_name.blank?
+    add_cve_url(pod_def)
     Kubeclient::Resource.new(pod_def)
   end
 
@@ -425,17 +429,24 @@ def add_secret_to_pod_def(pod_def, inspector_admin_secret_name)
   end
 
   def inspector_image
-    registry = ::Settings.ems.ems_kubernetes.image_inspector_registry
-    repo = ::Settings.ems.ems_kubernetes.image_inspector_repository
-    "#{registry}/#{repo}:#{INSPECTOR_IMAGE_TAG}"
+    registry = ems_image_inspector_options.fetch_path(:registry) || ::Settings.ems.ems_kubernetes.image_inspector_registry
+    repo = ems_image_inspector_options.fetch_path(:repository) || ::Settings.ems.ems_kubernetes.image_inspector_repository
+    tag = ems_image_inspector_options.fetch_path(:image_tag) || INSPECTOR_IMAGE_TAG
+    "#{registry}/#{repo}:#{tag}"
   end
 
   def inspector_proxy_env_variables
-    settings = ext_management_system.custom_attributes
-    settings.where(:section => ATTRIBUTE_SECTION,
-                   :name    => PROXY_ENV_VARIABLES).each_with_object([]) do |att, env|
-      env << {:name  => att.name.upcase,
-              :value => att.value} unless att.value.blank?
+    PROXY_ENV_VARIABLES.each_with_object([]) do |var_name, env|
+      next unless ems_image_inspector_options.key?(var_name.to_sym)
+      var_value = ems_image_inspector_options[var_name.to_sym]
+      env << {:name  => var_name.upcase,
+              :value => var_value}
+    end
+  end
+
+  def add_cve_url(pod_def)
+    if ems_image_inspector_options.key?(:cve_url)
+      pod_def[:spec][:containers][0][:command].append("--cve-url=#{ems_image_inspector_options[:cve_url]}")
     end
   end
 end
@@ -42,7 +42,7 @@ def kubernetes_connect(hostname, port, options)
         options[:version] || kubernetes_version,
         :ssl_options    => Kubeclient::Client::DEFAULT_SSL_OPTIONS.merge(options[:ssl_options] || {}),
         :auth_options   => kubernetes_auth_options(options),
-        :http_proxy_uri => VMDB::Util.http_proxy_uri,
+        :http_proxy_uri => options[:http_proxy] || VMDB::Util.http_proxy_uri,
         :timeouts       => {
           :open => Settings.ems.ems_kubernetes.open_timeout.to_f_with_method,
           :read => Settings.ems.ems_kubernetes.read_timeout.to_f_with_method
@@ -108,11 +108,12 @@ def ssl_cert_store(endpoint = default_endpoint)
 
   def connect(options = {})
     effective_options = options.merge(
-      :hostname => options[:hostname] || address,
-      :port     => options[:port] || port,
-      :user     => options[:user] || authentication_userid(options[:auth_type]),
-      :pass     => options[:pass] || authentication_password(options[:auth_type]),
-      :bearer   => options[:bearer] || authentication_token(options[:auth_type] || 'bearer'),
+      :hostname    => options[:hostname] || address,
+      :port        => options[:port] || port,
+      :user        => options[:user] || authentication_userid(options[:auth_type]),
+      :pass        => options[:pass] || authentication_password(options[:auth_type]),
+      :bearer      => options[:bearer] || authentication_token(options[:auth_type] || 'bearer'),
+      :http_proxy  => self.options ? self.options.fetch_path(:proxy_settings, :http_proxy) : nil,
       :ssl_options => options[:ssl_options] || {
         :verify_ssl => verify_ssl_mode,
         :cert_store => ssl_cert_store

@@ -190,18 +190,30 @@ def fetch_oscap_arf
       end
     end
 
-    it 'should add correct environment variables' do
-      att_name = 'http_proxy'
-      my_value = "MY_TEST_VALUE"
-      @ems.custom_attributes.create(:section => described_class::ATTRIBUTE_SECTION,
-                                    :name    => att_name,
-                                    :value   => my_value)
-      allow_any_instance_of(described_class).to receive_messages(:kubernetes_client => MockKubeClient.new)
-      kc = @job.kubernetes_client
-      secret_name = kc.get_service_account[:imagePullSecrets][0][:name]
-      pod = @job.send(:pod_definition, secret_name)
-      expect(pod[:spec][:containers][0][:env][0][:name]).to eq(att_name.upcase)
-      expect(pod[:spec][:containers][0][:env][0][:value]).to eq(my_value)
+    context "using provider options" do
+      def create_pod_definition
+        allow_any_instance_of(described_class).to receive_messages(:kubernetes_client => MockKubeClient.new)
+        kc = @job.kubernetes_client
+        secret_name = kc.get_service_account[:imagePullSecrets][0][:name]
+        @job.send(:pod_definition, secret_name)
+      end
+
+      it 'should add correct environment variables from options' do
+        att_name = 'http_proxy'
+        my_value = "MY_TEST_VALUE"
+        @ems.update(:options => { :image_inspector_options => {att_name.to_sym => my_value} })
+        pod = create_pod_definition
+        expect(pod[:spec][:containers][0][:env][0][:name]).to eq(att_name.upcase)
+        expect(pod[:spec][:containers][0][:env][0][:value]).to eq(my_value)
+      end
+
+      it 'should send cve_url from options' do
+        cve_url_value = "get_cve_from_here.com"
+        @ems.update(:options => { :image_inspector_options => {:cve_url => cve_url_value} })
+        pod = create_pod_definition
+        expect(pod[:spec][:containers][0][:command]
+          .select { |cmd| cmd.starts_with?("--cve-url=") }.first.split('=').last).to eq(cve_url_value)
+      end
     end
 
     it 'should send correct dockercfg secrets' do

@@ -172,6 +172,25 @@
       )
       described_class.raw_connect(hostname, port, options)
     end
+
+    it "connect uses provider options for http_proxy" do
+      allow(VMDB::Util).to receive(:http_proxy_uri).and_return(URI::HTTP.build(:host => "some"))
+      require 'kubeclient'
+      my_proxy_value = "internal_proxy.org"
+      expect(Kubeclient::Client).to receive(:new).with(
+        instance_of(URI::HTTPS), 'v1',
+        hash_including(:http_proxy_uri => my_proxy_value)
+      )
+      ems = FactoryGirl.create(
+        :ems_kubernetes,
+        :endpoints => [
+          FactoryGirl.create(:endpoint, :role => 'default', :hostname => 'host'),
+          FactoryGirl.create(:endpoint, :role => 'prometheus_alerts', :hostname => 'host2'),
+        ]
+      )
+      ems.update(:options => {:proxy_settings => {:http_proxy => my_proxy_value}})
+      ems.connect
+    end
   end
 
   # Test MonitoringManager functionality related to ContainerManager