13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -83,4 +83,17 @@ SNC_GENERATE_MACOS_BUNDLE : if set to 0, bundle generation for MacOS is disabled
SNC_GENERATE_WINDOWS_BUNDLE : if set to 0, bundle generation for Windows is disabled, any other value will enable it.
SNC_GENERATE_LINUX_BUNDLE : if set to 0, bundle generation for Linux is disabled, any other value will enable it.

SNC_USE_PROXY : set to `enabled` to configure cluster-wide proxy in install-config (default: `disabled`).
SNC_HTTP_PROXY : HTTP proxy URL (required when `SNC_USE_PROXY=enabled`).
SNC_HTTPS_PROXY : HTTPS proxy URL (required when `SNC_USE_PROXY=enabled`).

Example:

```bash
export SNC_USE_PROXY=enabled
export SNC_HTTP_PROXY=http://proxy.example.com:8080
export SNC_HTTPS_PROXY=http://proxy.example.com:8080
./snc.sh
```

Please note the SNC project is “as-is” on this Github repository. At this time, it is not an offically supported Red Hat solution.
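Review bot: The README lines document SNC_USE_PROXY, SNC_HTTP_PROXY and SNC_HTTPS_PROXY but say nothing about `noProxy`, which snc-library.sh derives automatically in this PR (localhost, .cluster.local, .svc, 127.0.0.1 and api-int.<SNC_PRODUCT_NAME>.<BASE_DOMAIN>) with no override variable, so a reader cannot tell that a local mirror or registry on the same network will be sent through the proxy. Suggest adding one sentence after the two URL lines stating that noProxy is generated from the cluster name and base domain and is not user-configurable, or, if an override is wanted, a documented `SNC_NO_PROXY` entry in the same `NAME : description` style as the lines above.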
17 changes: 16 additions & 1 deletion snc-library.sh
Expand Up @@ -113,6 +113,22 @@ function replace_pull_secret() {
set -x
}

function configure_install_config_proxy() {
local install_config=$1
if [[ ${SNC_USE_PROXY} != "enabled" ]]; then
return 0
fi
Comment on lines +118 to +120
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast on invalid SNC_USE_PROXY values.

Line 118 silently disables proxy for any unexpected value (e.g., true, yes, typo), which makes misconfiguration hard to detect.

Proposed fix
 function configure_install_config_proxy() {
         local install_config=$1
-        if [[ ${SNC_USE_PROXY} != "enabled" ]]; then
-                return 0
-        fi
+        case "${SNC_USE_PROXY}" in
+                enabled) ;;
+                disabled) return 0 ;;
+                *)
+                        echo "Invalid SNC_USE_PROXY='${SNC_USE_PROXY}'. Expected 'enabled' or 'disabled'."
+                        exit 1
+                        ;;
+        esac
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@snc-library.sh` around lines 118 - 120, the current check treats any
non-"enabled" value as silent disablement; update the SNC_USE_PROXY validation
to explicitly allow only "enabled" or "disabled": if SNC_USE_PROXY=="enabled"
enable proxy logic, if "disabled" return 0, otherwise print a clear error to
stderr mentioning the invalid SNC_USE_PROXY value and exit non-zero (or return
non-zero) so misconfigurations fail fast; reference the SNC_USE_PROXY variable
and the existing enabling/return branch when implementing this change.

if [[ -z "${SNC_HTTP_PROXY}" || -z "${SNC_HTTPS_PROXY}" ]]; then
echo "SNC_USE_PROXY=enabled requires SNC_HTTP_PROXY and SNC_HTTPS_PROXY"
exit 1
fi
local api_int="api-int.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}"
local no_proxy="localhost,.cluster.local,.svc,127.0.0.1,${api_int}"
${YQ} eval --inplace ".proxy.httpProxy = \"${SNC_HTTP_PROXY}\"" "${install_config}"
${YQ} eval --inplace ".proxy.httpsProxy = \"${SNC_HTTPS_PROXY}\"" "${install_config}"
${YQ} eval --inplace ".proxy.noProxy = \"${no_proxy}\"" "${install_config}"
Comment on lines +127 to +129
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Proxy credentials are exposed in logs.

Lines 127-129 run under global xtrace (set -x), so proxy URLs (including embedded credentials) will be printed to CI logs.

Proposed fix
 function configure_install_config_proxy() {
         local install_config=$1
@@
         local api_int="api-int.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}"
         local no_proxy="localhost,.cluster.local,.svc,127.0.0.1,${api_int}"
+        set +x
         ${YQ} eval --inplace ".proxy.httpProxy = \"${SNC_HTTP_PROXY}\"" "${install_config}"
         ${YQ} eval --inplace ".proxy.httpsProxy = \"${SNC_HTTPS_PROXY}\"" "${install_config}"
         ${YQ} eval --inplace ".proxy.noProxy = \"${no_proxy}\"" "${install_config}"
+        set -x
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@snc-library.sh` around lines 127 - 129, the three YQ invocations (${YQ} eval
--inplace ".proxy.httpProxy = \"${SNC_HTTP_PROXY}\"" "${install_config}", etc.)
are executed under global xtrace so embedded proxy credentials can leak to CI
logs; wrap these updates in a temporary xtrace-suppressed section (turn off
xtrace before the three ${YQ} calls and re-enable it afterwards) or use a safe
write method that reads proxy values from a file or environment without echoing
(e.g., pass masked values via stdin or a here-doc) so that SNC_HTTP_PROXY,
SNC_HTTPS_PROXY and no_proxy are never printed; ensure you modify the script
around the ${YQ} eval lines (reference the ${YQ} eval, SNC_HTTP_PROXY,
SNC_HTTPS_PROXY, no_proxy and install_config symbols) to disable tracing only
for the sensitive operations and then restore the original xtrace state.

}

function create_json_description {
local bundle_type=$1
sncGitHash=$(git describe --abbrev=4 HEAD 2>/dev/null || git rev-parse --short=4 HEAD)
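Review bot: The three `${YQ} eval --inplace` calls at lines 127-129 splice the variable values into the yq expression as a double-quoted string literal (`".proxy.httpProxy = \"${SNC_HTTP_PROXY}\""`), so a proxy URL containing a `"` or `\` (an unescaped password in the userinfo part, for instance) either breaks the yq parse or changes the expression rather than failing cleanly. Prefer reading the values from the environment with yq's `strenv()`, e.g. `${YQ} eval --inplace '.proxy.httpProxy = strenv(SNC_HTTP_PROXY)' "${install_config}"`, after an `export SNC_HTTP_PROXY SNC_HTTPS_PROXY` in the function (a bare `export NAME` is traced by `set -x` without its value) and `local -x no_proxy=...` for the computed list; the yq command lines then carry no URL at all, which also addresses the xtrace leak raised in the comment above without having to toggle tracing around the calls. The same applies to the `.proxy.httpsProxy` and `.proxy.noProxy` lines.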
Expand Down Expand Up @@ -274,4 +290,3 @@ function wait_till_cluster_stable() {
# Wait till all the pods are either running or complete state
retry all_pods_are_running_completed "${ignoreNamespace}"
}

4 changes: 4 additions & 0 deletions snc.sh
Expand Up @@ -34,6 +34,9 @@ SCP="scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i id_ecdsa
MIRROR=${MIRROR:-https://mirror.openshift.com/pub/openshift-v4/$ARCH/clients/ocp}
CERT_ROTATION=${SNC_DISABLE_CERT_ROTATION:-enabled}
USE_PATCHED_RELEASE_IMAGE=${SNC_USE_PATCHED_RELEASE_IMAGE:-disabled}
SNC_USE_PROXY=${SNC_USE_PROXY:-disabled}
SNC_HTTP_PROXY=${SNC_HTTP_PROXY:-}
SNC_HTTPS_PROXY=${SNC_HTTPS_PROXY:-}
HTPASSWD_FILE='users.htpasswd'

run_preflight_checks ${BUNDLE_TYPE}
Expand Down Expand Up @@ -134,6 +137,7 @@ ${YQ} eval --inplace ".baseDomain = \"${BASE_DOMAIN}\"" ${INSTALL_DIR}/install-c
${YQ} eval --inplace ".metadata.name = \"${SNC_PRODUCT_NAME}\"" ${INSTALL_DIR}/install-config.yaml
replace_pull_secret ${INSTALL_DIR}/install-config.yaml
${YQ} eval ".sshKey = \"$(cat id_ecdsa_crc.pub)\"" --inplace ${INSTALL_DIR}/install-config.yaml
configure_install_config_proxy ${INSTALL_DIR}/install-config.yaml

# Create the manifests using the INSTALL_DIR
OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=$OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE ${OPENSHIFT_INSTALL} --dir ${INSTALL_DIR} create manifests