diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0e0f58f..da3dd17 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,6 +107,16 @@ jobs:
 tags: |
 ${{ env.REGISTRY }}/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
 ${{ env.REGISTRY }}/shankar0123/certctl-server:latest
+ # Proxy propagation (M-4, Issue #9) — forwards runner-level proxy
+ # secrets into the Docker build so self-hosted runners behind
+ # corporate proxies can reach public registries. GitHub-hosted
+ # runners don't need proxies, so the secrets are optional and
+ # resolve to empty strings when unset — byte-identical to the
+ # pre-fix behaviour for the public-runner path.
+ build-args: |
+ HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+ HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+ NO_PROXY=${{ secrets.NO_PROXY }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
@@ -119,6 +129,13 @@ jobs:
 tags: |
 ${{ env.REGISTRY }}/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
 ${{ env.REGISTRY }}/shankar0123/certctl-agent:latest
+ # Proxy propagation (M-4, Issue #9) — see server-image step for
+ # rationale. Empty secrets resolve to empty build args, leaving
+ # the un-proxied code path byte-identical to the pre-fix tree.
+ build-args: |
+ HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+ HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+ NO_PROXY=${{ secrets.NO_PROXY }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 5416cdd..7a65a1d 100644
--- a/Dockerfile
+++ b/Dockerfile
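Review bot: In both `build-args:` blocks of release.yml (the server-image step and the agent-image step) the proxy values are read from `secrets.*` but then handed to the build as ordinary build arguments, which are not a confidential channel. The Dockerfiles in this same commit declare `ARG HTTP_PROXY=` explicitly and copy it into `ENV`, so the value is written into build-stage metadata, and it may also travel with the `cache-to: type=gha,mode=max` export, which covers intermediate stages — worth confirming. If a proxy URL can carry credentials (`http://user:pass@host`), pass it through a BuildKit secret mount instead; otherwise extend the comment with `# Proxy URLs must be credential-free: build args are recorded in image and cache metadata.` The `uses:` line of both steps lies outside the hunks, so the action accepting `build-args` is assumed.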
@@ -3,6 +3,22 @@ # Stage 1: Build frontend
 FROM node:20-alpine AS frontend
+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because npm/apk/curl read the lowercase variants while Go, Node, and
+# most HTTP libraries read the uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+ HTTPS_PROXY=${HTTPS_PROXY} \
+ NO_PROXY=${NO_PROXY} \
+ http_proxy=${HTTP_PROXY} \
+ https_proxy=${HTTPS_PROXY} \
+ no_proxy=${NO_PROXY}
+
 WORKDIR /app/web
 COPY web/ .
@@ -13,6 +29,17 @@ RUN npm ci --include=dev || npm ci --include=dev && \
 # Stage 2: Build Go binary
 FROM golang:1.25-alpine AS builder
+# Proxy propagation (M-4, Issue #9) — see Stage 1 rationale.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+ HTTPS_PROXY=${HTTPS_PROXY} \
+ NO_PROXY=${NO_PROXY} \
+ http_proxy=${HTTP_PROXY} \
+ https_proxy=${HTTPS_PROXY} \
+ no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates tzdata
 WORKDIR /app
diff --git a/Dockerfile.agent b/Dockerfile.agent
index 8cb3058..7e85dd7 100644
--- a/Dockerfile.agent
+++ b/Dockerfile.agent
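Review bot: Declaring `ARG HTTP_PROXY=`, `ARG HTTPS_PROXY=` and `ARG NO_PROXY=` and re-exporting them through `ENV` in the `frontend` stage (repeated in the `builder` stage below and in Dockerfile.agent) opts out of Docker's handling of its predefined proxy build args. Left undeclared, those args are still available to `RUN` and are excluded from `docker history`; once declared they are recorded there, and `ENV` additionally writes them into the stage's image config. A proxy URL with embedded credentials would therefore be readable by anyone who can inspect these stages or their exported cache. Consider dropping the `ARG`/`ENV` block and having the callers pass the lowercase names as build args too, or at minimum add `# Proxy URLs must not contain credentials; these values persist in build-stage metadata.` to the comment. Whether the final runtime stage derives from either of these stages is outside the hunks.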
@@ -2,6 +2,22 @@ # Stage 1: Build
 FROM golang:1.25-alpine AS builder
+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because apk and curl read the lowercase variants while Go reads the
+# uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+ HTTPS_PROXY=${HTTPS_PROXY} \
+ NO_PROXY=${NO_PROXY} \
+ http_proxy=${HTTP_PROXY} \
+ https_proxy=${HTTPS_PROXY} \
+ no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates
 WORKDIR /app
diff --git a/deploy/docker-compose.dev.yml b/deploy/docker-compose.dev.yml
index da44fe1..9a34a3d 100644
--- a/deploy/docker-compose.dev.yml
+++ b/deploy/docker-compose.dev.yml
@@ -9,6 +9,16 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Node frontend stage and Go module
+ # download can reach the public registries behind corporate proxies.
+ # Defaults to empty; omit the variables from the host environment for
+ # un-proxied builds and the behaviour is byte-identical to the pre-fix
+ # tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 environment: # Verbose logging for development
 CERTCTL_LOG_LEVEL: debug
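Review bot: The `args:` block in the first docker-compose.dev.yml hunk interpolates only the uppercase host variables (`${HTTP_PROXY:-}` and siblings), so a host that exports only `http_proxy`/`https_proxy`/`no_proxy` silently builds with empty proxy settings and fails at the registry fetch with no hint why. On Compose versions that support nested interpolation this could fall back to the lowercase name, e.g. `HTTP_PROXY: ${HTTP_PROXY:-${http_proxy:-}}`; otherwise the comment should say that the uppercase names are required. The same block is repeated in the second dev hunk and in both hunks of docker-compose.test.yml and docker-compose.yml, so the change applies to all six services. Because the identical mapping is copied six times, a shared `x-` extension field with an anchor per file would keep them from drifting apart.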
@@ -29,6 +39,15 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile.agent
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Go module download stage can reach
+ # the public Go module proxy behind corporate proxies. Defaults to
+ # empty; omit the variables from the host environment for un-proxied
+ # builds and the behaviour is byte-identical to the pre-fix tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 environment:
 CERTCTL_LOG_LEVEL: debug
diff --git a/deploy/docker-compose.test.yml b/deploy/docker-compose.test.yml
index 3b038a6..2692139 100644
--- a/deploy/docker-compose.test.yml
+++ b/deploy/docker-compose.test.yml
@@ -150,6 +150,16 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Node frontend stage and Go module
+ # download can reach the public registries behind corporate proxies.
+ # Defaults to empty; omit the variables from the host environment for
+ # un-proxied builds and the behaviour is byte-identical to the pre-fix
+ # tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 container_name: certctl-test-server
 depends_on:
 postgres:
@@ -266,6 +276,15 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile.agent
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Go module download stage can reach
+ # the public Go module proxy behind corporate proxies. Defaults to
+ # empty; omit the variables from the host environment for un-proxied
+ # builds and the behaviour is byte-identical to the pre-fix tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 container_name: certctl-test-agent
 depends_on:
 certctl-server:
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 78f960a..cfdbabd 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -36,6 +36,16 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Node frontend stage and Go module
+ # download can reach the public registries behind corporate proxies.
+ # Defaults to empty; omit the variables from the host environment for
+ # un-proxied builds and the behaviour is byte-identical to the pre-fix
+ # tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 container_name: certctl-server
 depends_on:
 postgres:
@@ -75,6 +85,15 @@ services:
 build:
 context: ..
 dockerfile: Dockerfile.agent
+ # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+ # vars into the Docker build so the Go module download stage can reach
+ # the public Go module proxy behind corporate proxies. Defaults to
+ # empty; omit the variables from the host environment for un-proxied
+ # builds and the behaviour is byte-identical to the pre-fix tree.
+ args:
+ HTTP_PROXY: ${HTTP_PROXY:-}
+ HTTPS_PROXY: ${HTTPS_PROXY:-}
+ NO_PROXY: ${NO_PROXY:-}
 container_name: certctl-agent
 depends_on:
 certctl-server: