OCPBUGS-60993: Enrich IBI config image proxy NoProxy with cluster networks

[mlorenzofr]

This PR fixes OCPBUGS-60993 by enriching the IBI proxy NoProxy configuration with internal cluster network CIDRs and the internal API server hostname, ensuring that internal cluster traffic bypasses the proxy.

/cc @omertuc @carbonin

Summary by CodeRabbit

Release Notes

• Improvements

  • Enhanced NO_PROXY handling by enriching it with localhost defaults, internal service/API entries, and cluster/service/machine network CIDRs derived from the install configuration.
  • Preserves behavior when the proxy is unset or when NO_PROXY is already set to *.
  • Merges user NO_PROXY values with trimming, empty-value filtering, and deduplication.

• Bug Fixes

  • Fixed NO_PROXY consistency between proxy manifest generation and image-based installer manifest generation.

• Tests

  • Updated and expanded unit tests to validate the enriched and merged NO_PROXY behavior.

[openshift-ci-robot]

@mlorenzofr: This pull request references Jira Issue OCPBUGS-60993, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR fixes OCPBUGS-60993 by enriching the IBI proxy NoProxy configuration with internal cluster network CIDRs and the internal API server hostname, ensuring that internal cluster traffic bypasses the proxy.

/cc @omertuc @carbonin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c96b767e-69c4-4d6e-82da-9ef61cd89d45

📥 Commits

Reviewing files that changed from the base of the PR and between ccca0dc and 554180d.

📒 Files selected for processing (5)

• pkg/asset/imagebased/configimage/clusterconfiguration.go
• pkg/asset/imagebased/configimage/clusterconfiguration_test.go
• pkg/asset/manifests/proxy.go
• pkg/types/proxy.go
• pkg/types/proxy_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• pkg/asset/imagebased/configimage/clusterconfiguration.go
• pkg/asset/manifests/proxy.go
• pkg/asset/imagebased/configimage/clusterconfiguration_test.go
• pkg/types/proxy_test.go
• pkg/types/proxy.go

---

Walkthrough

A shared BuildNoProxySet helper is added in pkg/types, then reused by manifest proxy generation and image-based cluster configuration to build expanded NoProxy values from install config data and user overrides. Related tests were updated to match the new proxy contents.

Changes

Centralized NO_PROXY construction

Layer / File(s)	Summary
Shared set builder and tests pkg/types/proxy.go, pkg/types/proxy_test.go	BuildNoProxySet builds NoProxy entries from default localhost and cluster service names, network CIDRs, the internal API hostname, and parsed user values. Tests cover CIDR inclusion, trimming, empty filtering, and deduplication.
Manifest proxy generation pkg/asset/manifests/proxy.go	createNoProxy now uses types.BuildNoProxySet directly, (*Proxy).Generate no longer wires in Networking, and the final NO_PROXY string is joined from the shared set. Platform-specific additions remain.
Image-based proxy enrichment pkg/asset/imagebased/configimage/clusterconfiguration.go, pkg/asset/imagebased/configimage/clusterconfiguration_test.go	SeedReconfiguration.Proxy now passes through enrichNoProxy, which preserves empty and wildcard cases while rebuilding other proxy values with the shared NoProxy set. Tests were updated with an expanded proxy expectation helper.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: enriching IBI proxy NoProxy with cluster network entries.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The added test titles are static strings; no titles or subtest names include dynamic IDs, IPs, timestamps, or generated values.
Test Structure And Quality	✅ Passed	The changed tests are plain table-driven unit tests, not Ginkgo; they don’t create cluster resources or use Eventually/Consistently, and each subtest targets one behavior.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; changed tests are plain Go unit tests (t.Run) and don't use MicroShift-unsupported APIs or tags.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo/e2e tests were added; the touched tests are plain Go unit tests using t.Run, so this SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Touched files only adjust proxy/NoProxy rendering; no affinity, topology spread, nodeSelector, replica, or ControlPlaneTopology logic was added.
Ote Binary Stdout Contract	✅ Passed	Touched files only adjust proxy config logic and unit tests; no main/init/TestMain/BeforeSuite/RunSpecs or stdout logging writes were added.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Touched tests are standard Go unit tests (testing package), not Ginkgo e2e; no external connectivity is introduced.
No-Weak-Crypto	✅ Passed	The PR only changes proxy NoProxy enrichment and related tests; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret comparisons were added.
Container-Privileges	✅ Passed	The PR only changes proxy NoProxy generation/tests; no container/K8s fields like privileged, hostPID, hostNetwork, or allowPrivilegeEscalation were added.
No-Sensitive-Data-In-Logs	✅ Passed	No new logging was added in the touched files; changes only adjust NoProxy generation/tests and emit no passwords, tokens, PII, or hostnames to logs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dtantsur for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[omertuc]

Please git-fixup your additional commit into the appropriate existing commit

[mlorenzofr]

/retest-required

[omertuc]

/retest

[mlorenzofr]

/retest

[openshift-ci]

@mlorenzofr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.