Is it possible to use GCP special agent in 2.2 via proxy?

Hi,
I just tried to set up the GCP special agent according to the docs at Monitoring Google Cloud Platform (GCP), but it seems that it does not work through a proxy. I have the proxy set in the global env; no proxy setting seems to be possible in the GCP agent rule.

Does anybody else have the same problem? Is it possible to use the GCP agent via a proxy?

As access to the internet via proxies is a rather common setup in corporate environments, it seems to me that there should be some way to do it, but I have not found one so far. Environment variables seem to be ignored, and the global setting as well.

Well, I will answer myself :slight_smile:

It is possible to create a PSC (Private Service Connect) in GCP; an explanation is here: Private Service Connect | VPC | Google Cloud

This will allow you to reach the Google API on your private address as well. When it is set up, you then need to ensure a DNS masquerade on the checkmk site that will translate any DNS query for *.googleapis.com to the private IP of your PSC.

For example, you install the unbound daemon and configure it like this:

server:
        interface: 127.0.0.1
#       interface: ::1
        access-control: 127.0.0.0/8 allow
#        access-control: ::1 allow
        statistics-interval: 0
        extended-statistics: yes
        statistics-cumulative: no
        verbosity: 1
        do-ip6: no
        local-zone: "localhost." nodefault
        local-zone: "127.in-addr.arpa." nodefault
        local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
        local-zone: "10.in-addr.arpa." nodefault
        local-zone: "16.172.in-addr.arpa." nodefault
        local-zone: "17.172.in-addr.arpa." nodefault
        local-zone: "18.172.in-addr.arpa." nodefault
        local-zone: "19.172.in-addr.arpa." nodefault
        local-zone: "20.172.in-addr.arpa." nodefault
        local-zone: "21.172.in-addr.arpa." nodefault
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
        local-zone: "24.172.in-addr.arpa." nodefault
        local-zone: "25.172.in-addr.arpa." nodefault
        local-zone: "26.172.in-addr.arpa." nodefault
        local-zone: "27.172.in-addr.arpa." nodefault
        local-zone: "28.172.in-addr.arpa." nodefault
        local-zone: "29.172.in-addr.arpa." nodefault
        local-zone: "30.172.in-addr.arpa." nodefault
        local-zone: "31.172.in-addr.arpa." nodefault
        local-zone: "168.192.in-addr.arpa." nodefault
        local-zone: "0.in-addr.arpa." nodefault
        local-zone: "254.169.in-addr.arpa." nodefault
        local-zone: "2.0.192.in-addr.arpa." nodefault
        local-zone: "100.51.198.in-addr.arpa." nodefault
        local-zone: "113.0.203.in-addr.arpa." nodefault
        local-zone: "255.255.255.255.in-addr.arpa." nodefault
        local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
        local-zone: "d.f.ip6.arpa." nodefault
        local-zone: "8.e.f.ip6.arpa." nodefault
        local-zone: "9.e.f.ip6.arpa." nodefault
        local-zone: "a.e.f.ip6.arpa." nodefault
        local-zone: "b.e.f.ip6.arpa." nodefault
        local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
        # DNS masquerade of googleapis.com to PSC
        local-zone: "googleapis.com." redirect
        local-data: "googleapis.com. IN A <your Google API PSC IP>"
 
# forward everything not handled locally to on-prem DNS servers
forward-zone:
        name: "."
        forward-addr: <your internal DNS server 1>
        forward-addr: <your internal DNS server 2>
 
remote-control:
        control-enable: yes

Start it (and enable it) and set up /etc/resolv.conf to contain 127.0.0.1 as the first nameserver. For example, like this:

search          example.com other.example.com
nameserver      127.0.0.1
nameserver      <your internal DNS server 1>
nameserver      <your internal DNS server 2>
options         timeout:1

This way, resolving will work even if unbound is down for some reason.

At the same time, anything *.googleapis.com will be translated to your PSC IP.

As the PSC IP is on your private network, and thus should be accessible without a proxy, the GCP plugin should - hopefully - start to work right away.

An obvious disadvantage is that a single site on a single host can only have one such DNS masquerade. In case you need to cover multiple PSC IPs, a probable solution will be to create one site per Google API PSC IP address and do the proper DNS masquerade for each one.

Note that the reply from the GCP plugin can take a long time, so you will probably need to set a larger interval for the CheckMK service than the default 1 minute.

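A check for the setup described in the answer above, added here as an example and not part of the original post: it reads the text of an unbound.conf and a resolv.conf, confirms that the googleapis.com redirect zone points at a private address and that 127.0.0.1 is the first nameserver, and shows which names the redirect zone actually rewrites (whole-label suffixes only). The address 10.10.0.5, the nameserver 192.0.2.53 and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: 10.10.0.5 stands in for <your Google API PSC IP>.
UNBOUND_CONF = '''
server:
        interface: 127.0.0.1
        local-zone: "10.in-addr.arpa." nodefault
        local-zone: "googleapis.com." redirect
        local-data: "googleapis.com. IN A 10.10.0.5"
forward-zone:
        name: "."
'''
RESOLV_CONF = "search example.com\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"

def norm(name):
    return name.lower().rstrip(".")

def parse_redirects(conf):
    """Map each redirect zone to the A address given in its apex local-data."""
    zones = re.findall(r'^\s*local-zone:\s*"([^"]+)"\s+redirect\b', conf, re.M)
    data = {norm(n): a for n, a in re.findall(
        r'^\s*local-data:\s*"(\S+)\s+IN\s+A\s+(\S+)"', conf, re.M)}
    return {norm(z): data.get(norm(z)) for z in zones}

def masqueraded_ip(name, redirects):
    """Address unbound answers locally for name, or None if it is forwarded."""
    labels = norm(name).split(".")
    for i in range(len(labels)):  # a redirect zone matches on whole labels only
        zone = ".".join(labels[i:])
        if zone in redirects:
            return redirects[zone]
    return None

def lint(conf, resolv):
    """Return a list of problems; an empty list means the setup matches the post."""
    problems = []
    ip = parse_redirects(conf).get("googleapis.com")
    try:
        if ip is None:
            problems.append("no redirect zone with an A record for googleapis.com")
        elif not ipaddress.ip_address(ip).is_private:
            problems.append(f"{ip} is not a private address")
    except ValueError:
        problems.append(f"{ip} is not a valid IP address")
    first = re.search(r'^\s*nameserver\s+(\S+)', resolv, re.M)
    if first is None or first.group(1) != "127.0.0.1":
        problems.append("127.0.0.1 is not the first nameserver in resolv.conf")
    return problems
```

On a live host, `dig @127.0.0.1 storage.googleapis.com` should return the same address that `masqueraded_ip` reports for that name.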