Merge pull request #2987 from cyberark/CNJR-2792-no-proxy-arg

K8s authenticator now supports no_proxy env var

CHANGELOG.md

@@ -34,6 +34,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Use base images with newer Ubuntu and UBI.
   Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
   [cyberark/conjur#2874](https://github.com/cyberark/conjur/pull/2874)
+- Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
+  [CNJR-2759](https://ca-il-jira.il.cyber-ark.com:8443/browse/CNJR-2759)
 
 ### Changed
 - The database thread pool max connection size is now based on the number of

app/domain/authentication/authn_k8s/k8s_object_lookup.rb

@@ -60,7 +60,7 @@ def options
             cert_store: @cert_store,
             verify_ssl: OpenSSL::SSL::VERIFY_PEER
           },
-          http_proxy_uri: ENV['https_proxy'] || ENV['http_proxy']
+          http_proxy_uri: URI.parse(api_url).find_proxy
         }
       end
 

app/domain/authentication/authn_k8s/web_socket_client.rb

@@ -134,17 +134,7 @@ def secure_socket
       # environment. If the server connection uses TLS, then use the
       # https_proxy value, otherwise use the http_proxy value.
       def proxy_uri
-        @proxy_uri ||= begin
-          proxy_url = if secure?
-            ENV['https_proxy'] || ENV['HTTPS_PROXY']
-          else
-            ENV['http_proxy'] || ENV['HTTP_PROXY']
-          end
-
-          URI.parse(proxy_url)
-        rescue URI::InvalidURIError
-          nil
-        end
+        @proxy_uri ||= @uri.find_proxy
       end
 
       def secure?

ci/test_suites/authenticators_k8s/dev/dev_conjur.template.yaml

@@ -86,6 +86,12 @@ spec:
         name: conjur
         command: ["conjurctl", "server"]
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: kubernetes.default.svc
+        - name: https_proxy
+          value: 'http://nonexistent_proxy.local'
+        - name: NO_PROXY
+          value: kubernetes.default.svc
         - name: DATABASE_URL
           value: postgres://postgres@postgres:5432/postgres
         - name: CONJUR_ADMIN_PASSWORD

spec/app/domain/authentication/authn_k8s/k8s_object_lookup_spec.rb

@@ -10,11 +10,18 @@
       authenticator_name: 'authn-k8s',
       service_id: 'MockService'
     )
-  end  
+  end
+
+  let(:proxy_uri) { URI.parse("http://uri") }
 
   context "inside of kubernetes" do
     include_context "running in kubernetes"
 
+    before do
+      allow(URI).to receive_message_chain(:parse, :find_proxy)
+        .and_return(proxy_uri)
+    end
+
     context "instantiation" do
       it "does not require a webservice" do
         expect { Authentication::AuthnK8s::K8sObjectLookup.new }.not_to raise_error
@@ -34,6 +41,10 @@
     it "has the correct auth options" do
       expect(subject.options[:auth_options]).to include(bearer_token: kubernetes_service_token)
     end
+
+    it "has the correct proxy uri" do
+      expect(subject.options[:http_proxy_uri]).to equal(proxy_uri)
+    end
   end
 
   context "outside of kubernetes" do