Proxy Configuration

The Qualys Cloud Agent supports multi-proxy and authenticated proxy configurations. You can configure a proxy in the lxa-gke-deploy.yml file. The following is an example of a proxy configuration.

    env:
      - name: https_proxy
        value: "https://#Vg8pvTO+uU44F/iPtowDXg==:#Yf9zVR9xzR2t4WE6Beupbg==@34.41.70.4:3128"

The following parameters are optional while configuring the proxy.

Parameter      Description
proxy          IPv4 address or FQDN of the proxy server
value          <proxy FQDN or IP address>:<port#>
ProxyCertFile  Proxy certificate file path. This parameter is applicable only if the proxy has a valid certificate file. If this option is not provided, the Qualys Cloud Agent tries to connect to the server with the given https_proxy settings only. If only ProxyCertFile is provided without the proxy configuration, the Cloud Agent ignores the ProxyCertFile and tries to connect to the server without any https_proxy settings.

Proxy Certificate File Configuration

You can configure the proxy certificate file in the yml using one of the following methods:

  • Using secret
  • Using configMap

Configure Proxy Certificate File using Secrets

Steps to create a secret

  1. Create a secret using the following command:
    kubectl create secret generic qualys-cert --from-file=qualys-cert.crt -n qualys-agent
  2. View the secret using the following command:
    kubectl describe secret qualys-cert -n qualys-agent
  3. Edit the lxa-gke-deploy.yml and uncomment the following entries:

    From the volumeMounts section:
    # uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud and you are using secret method to provide cert file
    #                - name: cert-secret-volume
    #                  mountPath: /etc/qualys/cloud-agent/cert/custom-ca.crt
    #                  subPath: qualys-cert.crt


    From the volumes section:
    # uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud and you are using secret method to provide cert file
    #             - name: cert-secret-volume
    #               secret:
    #                  secretName: qualys-cert
  4. Apply the .yml file using the following command:
    kubectl apply -f lxa-gke-deploy.yml

Configure Proxy Certificate File using ConfigMap

Steps to create a configMap

  1. Create a configMap using the following command:
    kubectl create configmap qualys-configmap --from-file=qualys-cert.crt -n qualys-agent
  2. View the configMap using the following command:
    kubectl describe configmap qualys-configmap -n qualys-agent
  3. Edit the lxa-gke-deploy.yml and uncomment the following entries:

    From the volumeMounts section:
    # uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud and you are using configMap method to provide cert file
    #                - name: cert-configmap-volume
    #                  mountPath: /etc/qualys/cloud-agent/cert/custom-ca.crt
    #                  subPath: qualys-cert.crt


    From the volumes section:
    # uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud and you are using configMap method to provide cert file
    #             - name: cert-configmap-volume
    #               configMap:
    #                 name: qualys-configmap
  4. Apply the .yml file using the following command:
    kubectl apply -f lxa-gke-deploy.yml
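
As an added example (not part of the Qualys documentation or tooling), the following Python check lints a pod spec for the volumeMounts and volumes wiring from the two procedures above, catching the case where a mount uncommented from one method is paired with a volume from the other. It assumes the spec is available as a dict, for example the .spec.template.spec object from the workload's JSON output; the function name, container name and proxy host are constructed for illustration.

```python
# Added example, not Qualys code: lint a pod spec for the CA-cert wiring above.
CERT_PATH = "/etc/qualys/cloud-agent/cert/custom-ca.crt"  # mountPath from the page

def check_cert_mount(pod_spec, cert_key="qualys-cert.crt"):
    """Return a list of problems; an empty list means the mount is consistent."""
    problems = []
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    mounts_seen = 0
    for c in pod_spec.get("containers", []):
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        for m in c.get("volumeMounts", []):
            if m.get("mountPath") != CERT_PATH:
                continue
            mounts_seen += 1
            vol = volumes.get(m["name"])
            if vol is None:
                problems.append(f"volumeMount {m['name']!r} has no entry in volumes")
            elif "secret" not in vol and "configMap" not in vol:
                problems.append(f"volume {m['name']!r} is neither secret nor configMap")
            # subPath selects the --from-file key; without it a directory is mounted.
            if m.get("subPath") != cert_key:
                problems.append(f"subPath is {m.get('subPath')!r}, expected {cert_key!r}")
            # Per the page, the cert is ignored when no proxy is configured.
            if not env.get("https_proxy"):
                problems.append("cert is mounted but https_proxy is not set")
    if mounts_seen == 0:
        problems.append(f"no container mounts {CERT_PATH}")
    return problems

# Constructed sample specs (container name and proxy host are placeholders).
def _spec(mount_name, volume):
    return {
        "containers": [{
            "name": "agent",
            "env": [{"name": "https_proxy", "value": "https://proxy.example.internal:3128"}],
            "volumeMounts": [{"name": mount_name, "mountPath": CERT_PATH,
                              "subPath": "qualys-cert.crt"}],
        }],
        "volumes": [volume],
    }

GOOD = _spec("cert-secret-volume",
             {"name": "cert-secret-volume", "secret": {"secretName": "qualys-cert"}})
# Mixed-up blocks: mount uncommented from the secret method, volume from configMap.
MIXED = _spec("cert-secret-volume",
              {"name": "cert-configmap-volume", "configMap": {"name": "qualys-configmap"}})

if __name__ == "__main__":
    print(check_cert_mount(GOOD), check_cert_mount(MIXED))
```
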

Commands and Explanation

Command                Description
kubectl                Command-line tool for interacting with GKE clusters.
create secret generic  Indicates that you are creating a generic secret.
create configmap       Indicates that you are creating a configMap.
qualys-cert            Name of the secret you are creating.
qualys-configmap       Name of the configMap you are creating.
--from-file            Allows you to specify files that will be included in the secret or configMap.
qualys-cert.crt        Name of the certificate file that will be included in the secret or configMap. For example, qualys-cert.crt=/root/qualys-cert.crt specifies that the file /root/qualys-cert.crt should be included in the secret with the key qualys-cert.crt.

When the GCP COS instance is started, it activates the Qualys Cloud Agent and provisions itself. Once the Qualys Cloud Agent provisions itself, it continues to function as expected.