Added HTTPS proxy support for Wiz Kubernetes Integration (#590)

ofirc-wiz · nitzanzuler · web-flow · commit b7c1206a07bf · 2025-03-24T11:57:01.000+02:00
Co-authored-by: nitzanzuler &lt;71496861+nitzanzuler@users.noreply.github.com&gt;
diff --git a/wiz-kubernetes-integration/Chart.yaml b/wiz-kubernetes-integration/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.87
+version: 0.2.88
 appVersion: ""
 
 # Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
diff --git a/wiz-kubernetes-integration/templates/secret-proxy.yaml b/wiz-kubernetes-integration/templates/secret-proxy.yaml
@@ -4,8 +4,18 @@
 
 {{- if and .Values.global.httpProxyConfiguration.enabled .Values.global.httpProxyConfiguration.create }}
   {{- if hasPrefix "https://" .Values.global.httpProxyConfiguration.httpsProxy }}
-    {{- fail "Error: httpsProxy must start with 'http://', https or any other protocol is not supported." }}
+    {{- if index .Values "wiz-kubernetes-connector" "enabled" }}
+      {{- fail "Error: httpsProxy must start with 'http://', https or any other protocol is not supported for the Wiz Kubernetes Connector or the Wiz Broker." }}
+    {{- end }}
+    {{- if empty .Values.global.httpProxyConfiguration.clientCertificate }}
+      {{- fail "Error: HTTPS proxy requires a client certificate. Please provide clientCertificate in httpProxyConfiguration." }}
+    {{- end }}
+  {{- else }}
+    {{- if not (empty .Values.global.httpProxyConfiguration.clientCertificate) }}
+      {{- fail "Error: Client certificate is only supported for HTTPS proxies. Please remove clientCertificate or use an HTTPS proxy." }}
+    {{- end }}
   {{- end }}
+
 apiVersion: v1
 kind: Secret
 type: Opaque
@@ -32,4 +42,5 @@ stringData:
   httpsProxy: {{ .Values.global.httpProxyConfiguration.httpsProxy | quote }}
   noProxyAddress: {{ .Values.global.httpProxyConfiguration.noProxyAddress | quote }}
   caCertificate: {{ .Values.global.httpProxyConfiguration.caCertificate | quote }}
+  clientCertificate: {{ .Values.global.httpProxyConfiguration.clientCertificate | quote }}
 {{- end }}
diff --git a/wiz-kubernetes-integration/values.yaml b/wiz-kubernetes-integration/values.yaml
@@ -45,19 +45,23 @@ global:
 
     # Should a Secret be created by the chart or not.
     # Set this to false if you wish to create the Secret yourself or using another tool.
-    # The Secret should contain httpProxy, httpsProxy, noProxyAddress and caCertificate.
+    # The Secret should contain httpProxy, httpsProxy, noProxyAddress, caCertificate and clientCertificate.
     create: true
     secretName: "wiz-proxy" # The name of the proxy Secret.
     annotations: {} # Annotations to be set on the secret
-    
+
     httpProxy: "" # URL to use as a proxy for outbound HTTP traffic.
     httpsProxy: "" # URL to use as a proxy for outbound HTTPS traffic.
     noProxyAddress: # Comma or space-separated list of machine or domain names. Note: This does not affect the Sensor.
-    
+
     # Proxy CA certificate in PEM format. This is required for TLS intercept proxies
     # This value is currently only used by the wiz sensor.
     caCertificate: ""
 
+    # (optional) Proxy client certificate in PEM format. This is required for client certificate authentication.
+    # The file should contain a certificate and a private key in PEM format.
+    clientCertificate: ""
+
   image:
     registry: "" # Registry to get the container images from.
     pullPolicy: "" # Container image pull policy. One of Always, Never, IfNotPresent.
