Skip to content

Add DockerProxy field for dynamic proxy configuration #583

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mtrmac merged 1 commit into from
Jan 9, 2026
Merged

Add DockerProxy field for dynamic proxy configuration #583

mtrmac merged 1 commit into from
Jan 9, 2026

Conversation

@pablintino
Copy link
Contributor

@pablintino pablintino commented Jan 9, 2026

Add a new DockerProxy field to SystemContext that accepts a function for determining proxy URLs dynamically per request. This provides more flexibility than the static DockerProxyURL field, allowing for advanced proxy configurations such as those from httpproxy.Config.ProxyFunc().

@github-actions github-actions bot added the image Related to "image" package label Jan 9, 2026
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Jan 9, 2026
@github-actions
dnm: Vendor changes from containers/container-libs#583
93a9ed2
@podmanbot
Copy link

podmanbot commented Jan 9, 2026

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6627

@podmanbot podmanbot mentioned this pull request Jan 9, 2026
Closed
@pablintino
Add DockerProxy field for dynamic proxy configuration
2cf5727 
Add a new DockerProxy field to SystemContext that accepts a function
for determining proxy URLs dynamically per request. This provides more
flexibility than the static DockerProxyURL field, allowing for advanced
proxy configurations such as those from httpproxy.Config.ProxyFunc().

Signed-off-by: Pablo Rodriguez Nava <[email protected]>
@pablintino pablintino force-pushed the advanced-docker-client-proxy branch from f22b8f2 to 2cf5727 Compare January 9, 2026 09:17
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Jan 9, 2026
@github-actions
dnm: Vendor changes from containers/container-libs#583
cf4b246
mtrmac
mtrmac reviewed Jan 9, 2026
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. The implementation looks reasonable, but is it really necessary? The default behavior is net/http.ProxyFromEnvironment, which internally calls the same golang.org/x/net/http/httpproxy.

Certainly manual configuration of httpproxy.Config is not equivalent to reading from the environment, but … I think it would be pretty surprising for a proxy configuration of that kind to only apply to some references. Either registry.example needs a proxy or it doesn’t, I don’t see how using it for one operation and not using it for another makes much sense.

@pablintino
Copy link
Contributor Author

pablintino commented Jan 9, 2026
edited
Loading

Thanks for the PR. The implementation looks reasonable, but is it really necessary? The default behavior is net/http.ProxyFromEnvironment, which internally calls the same golang.org/x/net/http/httpproxy.

Certainly manual configuration of httpproxy.Config is not equivalent to reading from the environment, but … I think it would be pretty surprising for a proxy configuration of that kind to only apply to some references. Either registry.example needs a proxy or it doesn’t, I don’t see how using it for one operation and not using it for another makes much sense.

Thanks for the review @mtrmac . As we discussed offline, here is the context on why relying on http.ProxyFromEnvironment or creating a new context per request isn't viable for our use case:

  • Performance & Context Reuse: We perform bulk image inspections in parallel. Building the SystemContext is expensive in our environment because it requires fetching certificates and pull secrets from the KubeAPI. To minimize overhead, we create a single context and reuse it across these bulk operations.

  • Concurrency Safety: Since the application is multi-threaded and the proxy configuration is reconciled dynamically from a Kubernetes CR (the OpenShift Proxy config), modifying environment variables at runtime to satisfy ProxyFromEnvironment would be unsafe and lead to race conditions.

  • Bootstrapping Constraints: This logic is also used during cluster bootstrapping (Day 0) via the Machine Config Operator. At this stage, the standard OpenShift environment variable injection isn't available yet, so we need a way to programmatically map the proxy configuration directly to the transport layer without relying on global state or fully deployed cluster mechanics.

This change allows us to bridge that gap safely.

mtrmac
mtrmac approved these changes Jan 9, 2026
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mtrmac mtrmac merged commit e7626b7 into containers:main Jan 9, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrmac mtrmac mtrmac approved these changes

Assignees

No one assigned

Labels

image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pablintino @podmanbot @mtrmac