test proxy in deploy-konflux-operator

[ajaggapa]

Testing proxy dependency for installing oc & opm

Summary by CodeRabbit

This PR modifies the deploy-konflux-operator workflow script to improve testing of proxy dependency functionality for the OpenShift CI infrastructure.

Changes

The script now includes:

1. Proxy environment variable logging (lines 131-136): Added diagnostic logging to output the current values of proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY, and their lowercase equivalents) before proceeding with dependency installation.

2. Reordered execution sequence (lines 138-139): Changed the execution order so that install_deps (which installs opm and oc tools via curl) runs before set_proxy, meaning proxy configuration is applied after the initial tools are downloaded rather than before.

Impact

These changes enable better testing of the proxy configuration in the deploy-konflux-operator workflow step, allowing visibility into the proxy environment variables and ensuring that dependency installation can be verified independently of proxy settings before proxy configuration is applied.

[coderabbitai]

Walkthrough

In deploy-konflux-operator-commands.sh, debug logging is added to print all proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY, and lowercase equivalents). The execution order is also changed so install_deps runs before set_proxy instead of after.

Changes

Deploy Konflux Operator Script

Layer / File(s)	Summary
Proxy debug logging and setup order change ci-operator/step-registry/deploy-konflux-operator/deploy-konflux-operator-commands.sh	Adds echo statements printing all six proxy environment variables before dependency installation, and reorders the main sequence so install_deps executes before set_proxy.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Lines 131-136 echo raw HTTP/HTTPS proxy environment variables to logs, which can expose embedded credentials and internal infrastructure details. Proxy URLs can contain username:password combinations.	Redact proxy variable values; log only presence (yes/no) instead of echoing raw environment variable content containing potential credentials.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test proxy in deploy-konflux-operator' directly relates to the main change: adding proxy logging and reordering proxy configuration in the deployment script.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only a shell script (deploy-konflux-operator-commands.sh) and contains no Ginkgo test files. The custom check for Ginkgo test name stability is not applicable to this PR.
Test Structure And Quality	✅ Passed	PR only modifies shell script (deploy-konflux-operator-commands.sh), contains no Ginkgo test code. Custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	This PR modifies a bash shell script (deploy-konflux-operator-commands.sh), not Go Ginkgo e2e tests. The MicroShift Test Compatibility check only applies to new Ginkgo e2e tests, so it is not appli...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; only a CI operator shell script is modified. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies a CI/CD step registry bash script, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	The custom check applies only to OTE binaries (Go test binaries communicating via JSON stdout). The PR modifies a bash shell script for deployment, not a Go OTE binary, so the check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies a bash shell script (deploy-konflux-operator-commands.sh), not a Go test file. The custom check applies only when Ginkgo e2e tests are added; no such tests are present in this PR.
No-Weak-Crypto	✅ Passed	The modified script handles proxy configuration and dependency installation with no weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or non-constant-time compari...
Container-Privileges	✅ Passed	PR contains no container/K8s manifests with privileged: true, hostPID/hostNetwork/hostIPC, SYS_ADMIN capability, or allowPrivilegeEscalation settings. The bash script and ref.yaml file added/modifi...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ajaggapa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/deploy-konflux-operator/OWNERS [ajaggapa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ajaggapa: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.1-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.1-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.0-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.0-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.23-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.23-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.22-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.22-e2e-metal-ipi-ovn-dualstack-bgp-local-gw-techpreview	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.21-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.20-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.19-e2e-metal-ipi-ovn-dualstack-bgp-local-gw	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.1-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.1-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.0-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-5.0-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.23-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.23-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.22-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.22-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.21-e2e-aws-ovn-serial-ipsec-1of2	openshift/cluster-network-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-network-operator-release-4.21-e2e-aws-ovn-serial-ipsec-2of2	openshift/cluster-network-operator	presubmit	Registry content changed

A total of 287 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/deploy-konflux-operator/deploy-konflux-operator-commands.sh`:
- Around line 138-139: The `install_deps` and `set_proxy` function calls are in
the wrong order. The `set_proxy` function must be called before `install_deps`
to ensure that proxy environment variables are configured before any dependency
installation commands are executed. Swap the order of these two function calls
so that `set_proxy` executes first, followed by `install_deps`.
- Around line 131-136: The echo statements for HTTP_PROXY, HTTPS_PROXY,
NO_PROXY, http_proxy, https_proxy, and no_proxy variables expose sensitive
infrastructure details including URLs and embedded credentials to CI logs.
Replace these raw variable echo statements with checks that only indicate
whether each proxy variable is set (without printing the actual value), such as
using conditional tests or redacted confirmation messages that show presence but
not content.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 90e64513-c30b-450d-be71-fd42a2a43eaf

📥 Commits

Reviewing files that changed from the base of the PR and between bcb6f0b and fe8ffd8.

📒 Files selected for processing (1)

• ci-operator/step-registry/deploy-konflux-operator/deploy-konflux-operator-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not print raw proxy environment variables to CI logs.

HTTP_PROXY/HTTPS_PROXY/http_proxy/https_proxy can contain full URLs and embedded credentials; echoing them leaks sensitive infrastructure details. Log presence only (or redact values) instead of printing raw content.

Suggested fix

-echo "HTTP_PROXY=${HTTP_PROXY:-}"
-echo "HTTPS_PROXY=${HTTPS_PROXY:-}"
-echo "NO_PROXY=${NO_PROXY:-}"
-echo "http_proxy=${http_proxy:-}"
-echo "https_proxy=${https_proxy:-}"
-echo "no_proxy=${no_proxy:-}"
+echo "HTTP_PROXY set: $([[ -n ${HTTP_PROXY:-} ]] && echo yes || echo no)"
+echo "HTTPS_PROXY set: $([[ -n ${HTTPS_PROXY:-} ]] && echo yes || echo no)"
+echo "NO_PROXY set: $([[ -n ${NO_PROXY:-} ]] && echo yes || echo no)"
+echo "http_proxy set: $([[ -n ${http_proxy:-} ]] && echo yes || echo no)"
+echo "https_proxy set: $([[ -n ${https_proxy:-} ]] && echo yes || echo no)"
+echo "no_proxy set: $([[ -n ${no_proxy:-} ]] && echo yes || echo no)"

As per coding guidelines, step-registry command scripts must never print sensitive data (including URLs/credential-bearing values) to logs.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/deploy-konflux-operator/deploy-konflux-operator-commands.sh`
around lines 131 - 136, The echo statements for HTTP_PROXY, HTTPS_PROXY,
NO_PROXY, http_proxy, https_proxy, and no_proxy variables expose sensitive
infrastructure details including URLs and embedded credentials to CI logs.
Replace these raw variable echo statements with checks that only indicate
whether each proxy variable is set (without printing the actual value), such as
using conditional tests or redacted confirmation messages that show presence but
not content.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Proxy setup must happen before dependency installation.

install_deps now runs before set_proxy, so oc/opm installs may execute without required proxy env and fail in restricted networks. The order should be set_proxy first, then install_deps.

Suggested fix

-install_deps
-set_proxy
+set_proxy
+install_deps

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	install_deps
	set_proxy
	set_proxy
	install_deps

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/deploy-konflux-operator/deploy-konflux-operator-commands.sh`
around lines 138 - 139, The `install_deps` and `set_proxy` function calls are in
the wrong order. The `set_proxy` function must be called before `install_deps`
to ensure that proxy environment variables are configured before any dependency
installation commands are executed. Swap the order of these two function calls
so that `set_proxy` executes first, followed by `install_deps`.

[ajaggapa]

/pj-rehearse pull-ci-openshift-ovn-kubernetes-main-e2e-metal-ipi-ovn-dualstack-bgp-local-gw

[openshift-merge-bot]

@ajaggapa: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.