From c65fd9a2c2c27e49d573c1a9c95ff7b4df5bd5dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Gajdu=C5=A1ek?= <ogajduse@redhat.com>
Date: Fri, 29 Aug 2025 17:32:43 +0200
Subject: [PATCH] quadlet: add HttpProxy option for Container sections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add support for HttpProxy key in quadlet Container sections to control
proxy environment variable inheritance during image pulls and builds.

- HttpProxy=true enables proxy inheritance (default podman behavior)
- HttpProxy=false disables proxy inheritance
- When omitted, uses podman's default behavior

This addresses the need for declarative proxy configuration in IPv6-only
networks and other scenarios where proxy settings need to be controlled
at the container level without manual workarounds.

Fixes #26925

Signed-off-by: Ondřej Gajdušek <ogajduse@redhat.com>
---
 docs/source/markdown/podman-systemd.unit.5.md | 10 ++++++++++
 pkg/systemd/quadlet/quadlet.go                |  3 +++
 test/e2e/quadlet/httpproxy-false.container    |  6 ++++++
 test/e2e/quadlet/httpproxy-true.container     |  6 ++++++
 test/e2e/quadlet_test.go                      |  2 ++
 5 files changed, 27 insertions(+)
 create mode 100644 test/e2e/quadlet/httpproxy-false.container
 create mode 100644 test/e2e/quadlet/httpproxy-true.container

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 25bd975bef..480f08eb22 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -338,6 +338,7 @@ Valid options for `[Container]` are listed below:
 | HealthStartupTimeout=1m33s           | --health-startup-timeout=1m33s                       |
 | HealthTimeout=20s                    | --health-timeout=20s                                 |
 | HostName=example.com                 | --hostname example.com                               |
+| HttpProxy=true                       | --http-proxy=true                                    |
 | Image=ubi8                           | Image specification - ubi8                           |
 | IP=192.5.0.1                         | --ip 192.5.0.1                                       |
 | IP6=2001:db8::1                      | --ip6 2001:db8::1                                    |
@@ -647,6 +648,15 @@ Equivalent to the Podman `--health-timeout` option.
 Sets the host name that is available inside the container.
 Equivalent to the Podman `--hostname` option.
 
+### `HttpProxy=`
+
+Controls whether proxy environment variables (http_proxy, https_proxy, ftp_proxy, no_proxy) are passed from the Podman process into the container during image pulls and builds.
+
+Set to `true` to enable proxy inheritance (default Podman behavior) or `false` to disable it.
+This option is particularly useful on systems that require proxy configuration for internet access but don't want proxy settings passed to the container runtime.
+
+Equivalent to the Podman `--http-proxy` option.
+
 ### `Image=`
 
 The image to run in the container.
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index d41effaf93..23c090b798 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -109,6 +109,7 @@ const (
 	KeyHealthStartupTimeout  = "HealthStartupTimeout"
 	KeyHealthTimeout         = "HealthTimeout"
 	KeyHostName              = "HostName"
+	KeyHttpProxy             = "HttpProxy"
 	KeyImage                 = "Image"
 	KeyImageTag              = "ImageTag"
 	KeyInterfaceName         = "InterfaceName"
@@ -274,6 +275,7 @@ var (
 				KeyHealthStartupTimeout:  true,
 				KeyHealthTimeout:         true,
 				KeyHostName:              true,
+				KeyHttpProxy:             true,
 				KeyIP6:                   true,
 				KeyIP:                    true,
 				KeyImage:                 true,
@@ -676,6 +678,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool, unitsInfoMap map[
 	boolKeys := map[string]string{
 		KeyRunInit:         "--init",
 		KeyEnvironmentHost: "--env-host",
+		KeyHttpProxy:       "--http-proxy",
 		KeyReadOnlyTmpfs:   "--read-only-tmpfs",
 	}
 	lookupAndAddBoolean(container, ContainerGroup, boolKeys, podman)
diff --git a/test/e2e/quadlet/httpproxy-false.container b/test/e2e/quadlet/httpproxy-false.container
new file mode 100644
index 0000000000..76f6881ff4
--- /dev/null
+++ b/test/e2e/quadlet/httpproxy-false.container
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --http-proxy=false
+
+[Container]
+Image=localhost/imagename
+HttpProxy=false
diff --git a/test/e2e/quadlet/httpproxy-true.container b/test/e2e/quadlet/httpproxy-true.container
new file mode 100644
index 0000000000..cbb0b7baab
--- /dev/null
+++ b/test/e2e/quadlet/httpproxy-true.container
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args --http-proxy
+
+[Container]
+Image=localhost/imagename
+HttpProxy=true
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 9ee8f939ed..e5bb020c78 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -901,6 +901,8 @@ BOGUS=foo
 		Entry("group-add.container", "group-add.container"),
 		Entry("health.container", "health.container"),
 		Entry("host.container", "host.container"),
+		Entry("httpproxy-false.container", "httpproxy-false.container"),
+		Entry("httpproxy-true.container", "httpproxy-true.container"),
 		Entry("hostname.container", "hostname.container"),
 		Entry("idmapping.container", "idmapping.container"),
 		Entry("image.container", "image.container"),