OCPBUGS-60993: Enrich IBI config image proxy NoProxy with cluster networks

[carbonin]

Automatically add cluster, service, and machine network CIDRs to the proxy NoProxy field during image-based installation. This ensures internal cluster communication bypasses the proxy, preventing an additional node reboot that occurs when these networks aren't explicitly included in the install-config.yaml.

The enrichment adds:

• Essential values (localhost, 127.0.0.1, .svc, .cluster.local)
• All service network CIDRs
• All machine network CIDRs
• All cluster network (pod) CIDRs
• User-provided NoProxy values (deduplicated)

Resolves https://redhat.atlassian.net/browse/OCPBUGS-60993

/cc @omertuc

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Enhanced proxy configuration to automatically include internal cluster addresses, services, and networks in the no-proxy list, ensuring internal Kubernetes communication bypasses the configured proxy.

[coderabbitai]

Walkthrough

The PR enriches the Proxy configuration's NoProxy field during cluster configuration generation. A new enrichNoProxy helper function expands NoProxy with internal cluster/service network addresses and default local entries while preserving user-provided values. Tests are updated to expect the enriched proxy configuration.

Changes

Proxy Enrichment Logic

Layer / File(s)	Summary
Imports pkg/asset/imagebased/configimage/clusterconfiguration.go	Added strings and k8s.io/apimachinery/pkg/util/sets to support proxy enrichment logic.
Core Enrichment Function pkg/asset/imagebased/configimage/clusterconfiguration.go	New enrichNoProxy function expands NoProxy with fixed local entries (127.0.0.1, localhost, .svc, .cluster.local), derives network CIDRs from cluster/service/machine networks, deduplicates values, and preserves user-provided entries and the \* wildcard.
Integration pkg/asset/imagebased/configimage/clusterconfiguration.go	ClusterConfiguration.Generate calls enrichNoProxy instead of directly copying the proxy config from installConfig.
Tests pkg/asset/imagebased/configimage/clusterconfiguration_test.go	Added enrichedProxy test helper; updated three test cases ("valid configuration with proxy", "additionalTrustBundle, policyAlways without proxy", "additionalTrustBundle with proxy") to expect enriched proxy values.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: enriching the IBI config image proxy NoProxy field with cluster networks.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The test file uses standard Go testing framework (t.Run), not Ginkgo. All test case names are static and deterministic with no dynamic values. Check is not applicable to non-Ginkgo tests.
Test Structure And Quality	✅ Passed	Custom check specifies Ginkgo test requirements (Describe/It blocks, BeforeEach/AfterEach). The PR modifies testify-based tests using t.Run subtests, not Ginkgo. Check not applicable to this codebase.
Microshift Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. The new test file uses Go's standard testing package with only unit tests, not Ginkgo framework tests. Custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The modifications are to unit tests in pkg/asset/imagebased/configimage/ using Go's standard testing package, not Ginkgo. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies proxy configuration in image-based installation infrastructure code, not pod scheduling. No deployment manifests, affinity rules, nodeSelectors, or topology constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies installer asset code, not OTE binaries. No stdout writes detected. OTE contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. The modified files contain only unit tests using the standard Go testing package, not Ginkgo patterns. The custom check applies only to new Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/imagebased/configimage/clusterconfiguration_test.go (1)

39-220: ⚡ Quick win

Add explicit tests for wildcard and input-normalization branches in enrichNoProxy.

Current cases cover the happy path, but not NoProxy == "*" and duplicate/whitespace-heavy user input normalization. Adding both will harden regression coverage for the new helper.

💡 Suggested test additions

 func TestClusterConfiguration_Generate(t *testing.T) {
   cases := []struct {
     ...
   }{
+    {
+      name: "valid configuration with proxy wildcard noProxy",
+      dependencies: []asset.Asset{
+        clusterID(), kubeadminPassword(), lbCertKey(), localhostCertKey(),
+        serviceNetworkCertKey(), adminKubeConfigCertKey(), ingressCertKey(),
+        installConfig().proxy(&types.Proxy{
+          HTTPProxy:  "http://10.10.10.11:80",
+          HTTPSProxy: "http://my-lab-proxy.org:443",
+          NoProxy:    "*",
+        }).build(),
+        imageBasedConfig(),
+      },
+      expectedConfig: clusterConfiguration().proxy(&types.Proxy{
+        HTTPProxy:  "http://10.10.10.11:80",
+        HTTPSProxy: "http://my-lab-proxy.org:443",
+        NoProxy:    "*",
+      }).build().Config,
+    },
+    {
+      name: "valid configuration with proxy duplicate and spaced noProxy",
+      dependencies: []asset.Asset{
+        ... installConfig().proxy(&types.Proxy{
+          HTTPProxy:  "http://10.10.10.11:80",
+          HTTPSProxy: "http://my-lab-proxy.org:443",
+          NoProxy:    " internal.com,internal.com, , localhost ",
+        }).build(),
+        ...
+      },
+      expectedConfig: clusterConfiguration().proxy(enrichedProxy()).build().Config,
+    },
   }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/imagebased/configimage/clusterconfiguration_test.go` around lines
39 - 220, Add two new table-driven cases to TestClusterConfiguration_Generate
exercising enrichNoProxy: one where the InstallConfig proxy's NoProxy is the
wildcard "*" and one where NoProxy contains duplicate entries/extra whitespace
(e.g. "a, a ,  b,,"). For each case, include the same standard dependencies but
set installConfig().proxy(proxyWithCustomNoProxy("<value>")).build() (or reuse
proxy() but modify its NoProxy), then set expectedConfig to the
clusterConfiguration().proxy(enrichedProxyWithNormalizedNoProxy("<expected>")).build().Config
and assert equality the same way existing cases do; reference the enrichNoProxy
helper by name and reuse proxy(), enrichedProxy() patterns so the test verifies
both the wildcard branch and the input-normalization branch.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/asset/imagebased/configimage/clusterconfiguration_test.go`:
- Around line 39-220: Add two new table-driven cases to
TestClusterConfiguration_Generate exercising enrichNoProxy: one where the
InstallConfig proxy's NoProxy is the wildcard "*" and one where NoProxy contains
duplicate entries/extra whitespace (e.g. "a, a ,  b,,"). For each case, include
the same standard dependencies but set
installConfig().proxy(proxyWithCustomNoProxy("<value>")).build() (or reuse
proxy() but modify its NoProxy), then set expectedConfig to the
clusterConfiguration().proxy(enrichedProxyWithNormalizedNoProxy("<expected>")).build().Config
and assert equality the same way existing cases do; reference the enrichNoProxy
helper by name and reuse proxy(), enrichedProxy() patterns so the test verifies
both the wildcard branch and the input-normalization branch.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b80db09c-f43a-45c5-a806-5e1ede7337ba

📥 Commits

Reviewing files that changed from the base of the PR and between e71ff06 and dbd1d38.

📒 Files selected for processing (2)

• pkg/asset/imagebased/configimage/clusterconfiguration.go
• pkg/asset/imagebased/configimage/clusterconfiguration_test.go

[carbonin]

/hold

holding until we can do manual testing