Skip to content

CM-716: Add HTTP01 Challenge Proxy binary and CI Dockerfile#458

Closed
sebrandon1 wants to merge 1 commit into
openshift:masterfrom
sebrandon1:cm-716-add-http01-proxy-image
Closed

CM-716: Add HTTP01 Challenge Proxy binary and CI Dockerfile#458
sebrandon1 wants to merge 1 commit into
openshift:masterfrom
sebrandon1:cm-716-add-http01-proxy-image

Conversation

@sebrandon1

@sebrandon1 sebrandon1 commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Adds the HTTP01 Challenge Proxy binary source code under cmd/http01-proxy/
  • Adds FIPS-compliant CI Dockerfile at images/ci/http01proxy.Dockerfile
  • Adds Makefile targets: build-http01-proxy, image-build-http01-proxy

The proxy runs as a DaemonSet on baremetal control-plane nodes, redirecting HTTP-01 ACME challenge traffic from the API VIP to the ingress router via NFTables rules and a Go reverse proxy.

This is split out from the full HTTP01Proxy controller PR (#398) to allow the image build pipeline to start early while the controller integration is reviewed. PR #398 will rebase on top of this once merged.

Related PRs

What the proxy does (~200 LOC)

  1. Discovers the cluster environment (Infrastructure, Ingress, ClusterVersion CRs)
  2. DNS-resolves API VIP and Apps VIP (IPv4-only) — exits if they are equal (no proxy needed)
  3. Creates NFTables MachineConfig to redirect <API_VIP>:80 → proxy port 8888
  4. Runs a reverse proxy that forwards /.well-known/acme-challenge/* requests to the Apps VIP

Test plan

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 15, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 15, 2026

Copy link
Copy Markdown

@sebrandon1: This pull request references CM-716 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Adds the HTTP01 Challenge Proxy binary source code under cmd/http01-proxy/
  • Adds FIPS-compliant CI Dockerfile at images/ci/http01proxy.Dockerfile
  • Adds Makefile targets: build-http01-proxy, image-build-http01-proxy

The proxy runs as a DaemonSet on baremetal control-plane nodes, redirecting HTTP-01 ACME challenge traffic from the API VIP to the ingress router via NFTables rules and a Go reverse proxy.

This is split out from the full HTTP01Proxy controller PR (#398) to allow the image build pipeline to start early while the controller integration is reviewed. The controller PR will rebase on top of this once merged.

What the proxy does (~200 LOC)

  1. Discovers the cluster environment (Infrastructure, Ingress, ClusterVersion CRs)
  2. DNS-resolves API VIP and Apps VIP — exits if they are equal (no proxy needed)
  3. Creates NFTables MachineConfig to redirect <API_VIP>:80 → proxy port 8888
  4. Runs a reverse proxy that forwards /.well-known/acme-challenge/* requests to the Apps VIP

CI integration (companion PR needed)

A companion PR to openshift/release is needed to add:

  • Image build entry in ci-operator config (to: cert-manager-http01-proxy)
  • Operator substitution for the proxy pullspec

Test plan

  • make build-http01-proxy compiles successfully
  • make lint passes (no issues in cmd/http01-proxy/)
  • go vet ./cmd/http01-proxy/... passes
  • CI rehearsal validates the Dockerfile builds in CI (pending openshift/release companion PR)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds an OpenShift HTTP-01 reverse proxy that discovers cluster VIPs, applies nftables routing, forwards ACME challenge requests, and packages the binary in a UBI-based container image.

Changes

HTTP-01 proxy

Layer / File(s) Summary
Cluster discovery and nftables routing
cmd/http01-proxy/pkg/utils.go, cmd/http01-proxy/templates/templates.go
Discovers OpenShift configuration and VIPs, validates supported versions, renders nftables and MachineConfig manifests, and applies them through the Kubernetes API.
Proxy startup and request forwarding
cmd/http01-proxy/main.go, cmd/http01-proxy/pkg/utils.go
Configures the listen port, forwards ACME challenge paths to the Apps VIP, rejects other paths, and starts the HTTP server with request timeouts.
Binary and image packaging
Makefile, images/ci/http01proxy.Dockerfile, .gitignore
Adds versioned binary and image build targets, packages the proxy in a FIPS-compatible UBI9 minimal image, and ignores the built binary.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant HTTP01Proxy
  participant KubernetesAPI
  participant DNS
  participant AppsVIP
  HTTP01Proxy->>KubernetesAPI: Read OpenShift configuration
  HTTP01Proxy->>DNS: Resolve API and Apps VIP addresses
  HTTP01Proxy->>KubernetesAPI: Apply nftables MachineConfig resources
  HTTP01Proxy->>AppsVIP: Forward ACME challenge requests
Loading

Possibly related PRs

Suggested reviewers: swghosh, bharath-b-rh


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error main.go logs APIHostname, APIVIP, AppsVIP, and backend URL; these are internal cluster hostnames/IPs and match the sensitive-data check. Remove or redact those values from logs; keep only non-sensitive status messages, and avoid logging full backend URLs or VIPs.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (13 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test files or titles were added or modified in the PR changes, so there are no unstable test names to flag.
Test Structure And Quality ✅ Passed No Ginkgo test files were added or modified in this PR; the new http01-proxy package has only source files, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the PR only adds proxy code, templates, Makefile targets, and a Dockerfile, so MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only introduces proxy source, templates, Dockerfile, Makefile, and ignore rules.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds a standalone binary, templates, and image/build plumbing; no Deployment/DaemonSet, pod affinity, topology spread, replica, or control-plane nodeSelector changes were added.
Ote Binary Stdout Contract ✅ Passed No stdout writes found in process-level code; main uses log.Printf/log.Fatalf (stderr by default) and there are no fmt.Print/klog stdout violations.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff only contains implementation/CI files and no *_test.go or It/Describe/Context/When declarations.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or crypto/subtle usage appears in the new proxy code; only non-secret IP equality checks and base64 encoding are present.
Container-Privileges ✅ Passed No privileged, host*, SYS_ADMIN, or allowPrivilegeEscalation settings were added; the new Dockerfile runs as UID 65532.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main additions: the HTTP01 proxy binary and its CI Dockerfile.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from bharath-b-rh and swghosh July 15, 2026 16:39
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (2)
images/ci/http01proxy.Dockerfile (1)

1-12: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the base images to approved immutable digests.

The builder tag and ubi9-minimal:latest are mutable references, so identical builds can produce different binaries or runtime contents. This weakens reproducibility and FIPS/security attestation; Red Hat describes UBI minimal as regularly updated. (catalog.redhat.com)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/ci/http01proxy.Dockerfile` around lines 1 - 12, Update both FROM
instructions in the Dockerfile to use approved immutable image digests instead
of the mutable builder tag and ubi9-minimal:latest reference, preserving the
existing builder and runtime images and stage structure.
cmd/http01-proxy/pkg/utils.go (1)

47-69: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

req.Header.Set("Host", req.Host) has no effect on the outgoing request.

For client requests, Go's net/http writes the wire "Host:" line from req.Host (or req.URL.Host if empty) — the Header map's "Host" entry is ignored by Request.Write/the transport. This line is dead code. It happens to be harmless today only because the custom Director also never sets req.Host = target.Host, so the original client Host header (needed for the router at the Apps VIP to route the ACME challenge to the right Route) is preserved by default — not because of this line. Recommend removing the no-op call (or, if the intent actually was to override the Host header, use req.Host = target.Host — but note that would break Host-based routing to the challenge Route at the Apps VIP).

♻️ Proposed cleanup
 	proxy.Director = func(req *http.Request) {
 		req.URL.Scheme = target.Scheme
 		req.URL.Host = target.Host
-		req.Header.Set("Host", req.Host)
 		req.Header.Set("X-Proxy-Server", "cert-manager-http01-proxy")
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/http01-proxy/pkg/utils.go` around lines 47 - 69, Remove the no-op
req.Header.Set("Host", req.Host) call from the NewReverseProxy Director.
Preserve req.Host unchanged so the original client Host remains available for
Host-based routing, while retaining the existing target URL scheme and host
assignments and other proxy headers.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/http01-proxy/main.go`:
- Around line 20-21: Reduce or gate the informational logging in the startup
flow around the OCP API log and the similar log near line 61 so internal values
such as env.APIHostname, env.APIVIP, env.AppsVIP, and backendServer are not
emitted in normal or off-node logs. Preserve only non-sensitive context at the
default verbosity, and expose detailed endpoint values only when an explicit
debug setting is enabled.
- Around line 57-60: Update the http.Server configuration in the main server
setup to set explicit ReadTimeout, WriteTimeout, and IdleTimeout values
alongside ReadHeaderTimeout, using finite durations appropriate for the
unauthenticated ACME HTTP-01 endpoint so slow connections cannot remain open
indefinitely.
- Around line 32-35: Validate the port selected in the startup configuration
around PROXY_PORT before passing it to CreateNFTablesRuleMachineConfig or
constructing http.Server.Addr: parse it as a numeric TCP port and require a
value from 1 through 65535, falling back to defaultPort or returning a clear
configuration error for invalid input. Preserve the existing defaultPort
behavior when PROXY_PORT is unset.

In `@cmd/http01-proxy/pkg/utils.go`:
- Around line 91-235: Replace context.TODO() in the external-call paths with
caller-provided context.Context values, threading context through
GetOCPEnvDetails, CreateNFTablesRuleMachineConfig, applyManifest, and
resolveDNSRecord. Ensure every Kubernetes Get/Patch and DNS lookup uses that
context so callers can impose cancellation and deadlines, while preserving the
existing error handling and behavior.

In `@cmd/http01-proxy/templates/templates.go`:
- Around line 9-18: Remove the standalone `table inet crtmgr_proxy_table` line
from the `NFTRuleTemplate` string, leaving the existing delete command and
single braced table definition intact so the rendered template loads through
`nft -f`.

---

Nitpick comments:
In `@cmd/http01-proxy/pkg/utils.go`:
- Around line 47-69: Remove the no-op req.Header.Set("Host", req.Host) call from
the NewReverseProxy Director. Preserve req.Host unchanged so the original client
Host remains available for Host-based routing, while retaining the existing
target URL scheme and host assignments and other proxy headers.

In `@images/ci/http01proxy.Dockerfile`:
- Around line 1-12: Update both FROM instructions in the Dockerfile to use
approved immutable image digests instead of the mutable builder tag and
ubi9-minimal:latest reference, preserving the existing builder and runtime
images and stage structure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 943033bd-c480-4844-8671-68d35cfd3ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 849995e and b1f35d0.

📒 Files selected for processing (6)
  • .gitignore
  • Makefile
  • cmd/http01-proxy/main.go
  • cmd/http01-proxy/pkg/utils.go
  • cmd/http01-proxy/templates/templates.go
  • images/ci/http01proxy.Dockerfile

Comment thread cmd/http01-proxy/main.go
Comment on lines +20 to +21
log.Printf("OCP API: %s, API VIP: %s, APPS VIP: %s, Platform: %s, Version: %s",
env.APIHostname, env.APIVIP, env.AppsVIP, env.PlatformType, env.ClusterVersion)

@coderabbitai coderabbitai Bot Jul 15, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Logs internal cluster hostnames/VIPs.

This log.Printf (and similarly line 61) logs env.APIHostname, env.APIVIP, env.AppsVIP, and backendServer — internal cluster hostnames/IP addresses. As per coding guidelines, logging that may expose internal hostnames should be flagged. Consider lowering verbosity/gating this behind a debug flag if these logs are shipped off-node.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/http01-proxy/main.go` around lines 20 - 21, Reduce or gate the
informational logging in the startup flow around the OCP API log and the similar
log near line 61 so internal values such as env.APIHostname, env.APIVIP,
env.AppsVIP, and backendServer are not emitted in normal or off-node logs.
Preserve only non-sensitive context at the default verbosity, and expose
detailed endpoint values only when an explicit debug setting is enabled.

Source: Coding guidelines

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are startup-only log lines in a DaemonSet running on control-plane nodes. The information (API hostname, VIPs, platform type) is essential for debugging proxy issues. The logs stay on-node in the pod's stdout/stderr. This is the same logging pattern used by the upstream proxy. Leaving as-is.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sebrandon1, that context makes sense — startup-only diagnostic logging confined to on-node pod stdout/stderr for a DaemonSet, consistent with the upstream proxy's pattern, is a reasonable tradeoff given how essential this info is for debugging VIP/platform detection issues. I'll leave this as-is.

Comment thread cmd/http01-proxy/main.go
Comment thread cmd/http01-proxy/main.go
Comment thread cmd/http01-proxy/pkg/utils.go Outdated
Comment thread cmd/http01-proxy/templates/templates.go
@sebrandon1
sebrandon1 force-pushed the cm-716-add-http01-proxy-image branch 2 times, most recently from e699136 to ed26462 Compare July 15, 2026 18:13

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (2)
cmd/http01-proxy/pkg/utils.go (2)

94-115: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

unstructured.NestedString's "found" flag is discarded at all three call sites.

platformType, ingressDomain, and clusterVersion are all extracted with _ for the "found" return value. If any of these fields is absent from the resource (schema drift, unexpected platform, etc.), NestedString returns ("", false, nil) — no error — and the code silently proceeds with an empty string instead of failing fast with a clear message.

♻️ Proposed fix (repeat for all three)
-	ingressDomain, _, err := unstructured.NestedString(ingressData.Object, "spec", "domain")
-	if err != nil {
-		return nil, fmt.Errorf("failed to read ingress domain: %w", err)
-	}
+	ingressDomain, found, err := unstructured.NestedString(ingressData.Object, "spec", "domain")
+	if err != nil {
+		return nil, fmt.Errorf("failed to read ingress domain: %w", err)
+	}
+	if !found || ingressDomain == "" {
+		return nil, fmt.Errorf("ingress domain not found in ingresses/cluster")
+	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/http01-proxy/pkg/utils.go` around lines 94 - 115, Update the three
unstructured.NestedString calls in the surrounding resource-loading flow to
retain and validate the found flag for platformType, ingressDomain, and
clusterVersion. Return a descriptive error when any required field is absent,
while preserving the existing error handling for extraction failures and
successful values.

117-117: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

apiHostname derived by string-replacing "apps"→"api" in the ingress domain is a brittle heuristic.

OpenShift's Infrastructure status already exposes a canonical apiServerURL field, populated for this purpose. Deriving the API hostname via strings.Replace(ingressDomain, "apps", "api", 1) assumes the literal substring "apps" appears exactly once and only in the expected position; any base domain that happens to contain "apps" elsewhere, or a non-standard ingress domain naming scheme, would silently produce a wrong hostname (which then feeds an incorrect DNS lookup at line 124) rather than a decode error.

Consider reading status.apiServerURL off infrastructureData (already fetched at line 90) and parsing the host out of it instead of pattern-matching the ingress domain string.
apiServerURL is a valid URI with scheme 'https', address and optionally a port (defaulting to 443), intended so components can find the Kubernetes API.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/http01-proxy/pkg/utils.go` at line 117, The apiHostname derivation in the
surrounding infrastructure lookup uses a brittle ingress-domain string
replacement. Read the canonical apiServerURL from infrastructureData.status,
parse its HTTPS URI, and derive the API host (preserving its optional port,
defaulting to 443) before the DNS lookup; remove the strings.Replace-based
heuristic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/http01-proxy/pkg/utils.go`:
- Around line 119-136: The DNS lookups in the environment construction flow must
return IPv4 addresses because AppsVIP and APIVIP are consumed by IPv4-specific
paths. Update the resolveDNSRecord calls used for appsIPs and apiIPs to request
IPv4 results, or explicitly select an IPv4 entry before assigning AppsVIP and
APIVIP.
- Around line 63-65: Add bounded timeouts to the http.Transport assigned to
proxy.Transport, configuring DialContext and ResponseHeaderTimeout (or an
equivalent client timeout) so stalled backend connections and response headers
cannot block indefinitely. Preserve the existing ProxyFromEnvironment behavior.

In `@images/ci/http01proxy.Dockerfile`:
- Around line 4-9: Update the Dockerfile build configuration around
GO_BUILD_TAGS so callers cannot override or remove the mandatory
strictfipsruntime and openssl tags. Hardcode both required tags in the go build
invocation, or validate any supplied value and fail unless both tags are
present; preserve the existing FIPS-related GOEXPERIMENT and CGO_ENABLED
settings.
- Around line 9-10: Create the /app directory before the go build command in the
Dockerfile, using RUN mkdir -p /app or setting WORKDIR /app, so the output path
for cert-manager-http01-proxy is valid.
- Around line 12-15: Update the final runtime stage based on the UBI9-minimal
image to install the OpenSSL/FIPS runtime dependencies required by the
strictfipsruntime,openssl build, specifically openssl-libs and
openssl-fips-provider or an equivalent image-provided set, before copying and
launching cert-manager-http01-proxy.

---

Nitpick comments:
In `@cmd/http01-proxy/pkg/utils.go`:
- Around line 94-115: Update the three unstructured.NestedString calls in the
surrounding resource-loading flow to retain and validate the found flag for
platformType, ingressDomain, and clusterVersion. Return a descriptive error when
any required field is absent, while preserving the existing error handling for
extraction failures and successful values.
- Line 117: The apiHostname derivation in the surrounding infrastructure lookup
uses a brittle ingress-domain string replacement. Read the canonical
apiServerURL from infrastructureData.status, parse its HTTPS URI, and derive the
API host (preserving its optional port, defaulting to 443) before the DNS
lookup; remove the strings.Replace-based heuristic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8f79c938-8ea6-4198-a1e5-92b4d68afbba

📥 Commits

Reviewing files that changed from the base of the PR and between b1f35d0 and e699136.

📒 Files selected for processing (6)
  • .gitignore
  • Makefile
  • cmd/http01-proxy/main.go
  • cmd/http01-proxy/pkg/utils.go
  • cmd/http01-proxy/templates/templates.go
  • images/ci/http01proxy.Dockerfile
🚧 Files skipped from review as they are similar to previous changes (4)
  • .gitignore
  • cmd/http01-proxy/main.go
  • cmd/http01-proxy/templates/templates.go
  • Makefile

Comment thread cmd/http01-proxy/pkg/utils.go Outdated
Comment thread cmd/http01-proxy/pkg/utils.go
Comment thread images/ci/http01proxy.Dockerfile
Comment thread images/ci/http01proxy.Dockerfile
Comment thread images/ci/http01proxy.Dockerfile
Adds the HTTP01 Challenge Proxy binary source code and CI build
infrastructure. The proxy runs as a DaemonSet on baremetal control-plane
nodes, redirecting HTTP-01 ACME challenge traffic from the API VIP to
the ingress router via NFTables rules and a Go reverse proxy.

This is split out from the full HTTP01Proxy controller PR to allow the
image build pipeline to start early while the controller is reviewed.

New files:
- cmd/http01-proxy/ - proxy binary source (~200 LOC)
- images/ci/http01proxy.Dockerfile - FIPS-compliant CI image build
- Makefile targets: build-http01-proxy, image-build-http01-proxy
@sebrandon1
sebrandon1 force-pushed the cm-716-add-http01-proxy-image branch from 1d1a239 to 9bfd18f Compare July 15, 2026 18:34
sebrandon1 added a commit to sebrandon1/release that referenced this pull request Jul 15, 2026
Adds the cert-manager-http01-proxy image build to the ci-operator
config for cert-manager-operator. The proxy binary source and CI
Dockerfile were added in openshift/cert-manager-operator#458.

This enables CI to build the FIPS-compliant proxy image alongside
the existing operator and cert-manager operand images, and substitutes
it into the OLM bundle for e2e testing.
sebrandon1 added a commit to sebrandon1/release that referenced this pull request Jul 15, 2026
Adds the cert-manager-http01-proxy image build to the ci-operator
config for cert-manager-operator. The proxy binary source and CI
Dockerfile were added in openshift/cert-manager-operator#458.

This enables CI to build the FIPS-compliant proxy image alongside
the existing operator and cert-manager operand images, and substitutes
it into the OLM bundle for e2e testing.
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@sebrandon1: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sebrandon1

Copy link
Copy Markdown
Member Author

Closing — the DNAT+SNAT experiment (branch experiment/dnat-snat-operator) replaces the proxy binary with nftables rules delivered via MachineConfig. No proxy image is needed.

The new approach was validated on baremetal cluster cnfdt16 (3-node, OCP 5.0) — all tests pass. See the new PR for details.

PR #398 remains open for reference/comparison of the two approaches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants