fix: support secure HTTP proxy with gRPC dial

Most of the work is to add proper test environment for more cases.

Include a test for pulling an image

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-09-29T11:30:50Z by kres eb905b6-dirty.
+# Generated on 2025-10-01T17:01:09Z by kres bc281a9.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -549,6 +549,116 @@ jobs:
           path: |
             _out/grype-scan.log
           retention-days: "5"
+  integration-airgapped:
+    permissions:
+      actions: read
+      contents: write
+      issues: read
+      packages: write
+      pull-requests: read
+    runs-on:
+      group: large
+    if: contains(fromJSON(needs.default.outputs.labels), 'integration/misc') || contains(fromJSON(needs.default.outputs.labels), 'integration/airgapped') || contains(fromJSON(needs.default.outputs.labels), 'integration/release-gate')
+    needs:
+      - default
+    steps:
+      - name: gather-system-info
+        id: system-info
+        uses: kenchan0130/actions-system-info@v1.4.0
+        continue-on-error: true
+      - name: print-system-info
+        run: |
+          MEMORY_GB=$((${{ steps.system-info.outputs.totalmem }}/1024/1024/1024))
+
+          OUTPUTS=(
+            "CPU Core: ${{ steps.system-info.outputs.cpu-core }}"
+            "CPU Model: ${{ steps.system-info.outputs.cpu-model }}"
+            "Hostname: ${{ steps.system-info.outputs.hostname }}"
+            "NodeName: ${NODE_NAME}"
+            "Kernel release: ${{ steps.system-info.outputs.kernel-release }}"
+            "Kernel version: ${{ steps.system-info.outputs.kernel-version }}"
+            "Name: ${{ steps.system-info.outputs.name }}"
+            "Platform: ${{ steps.system-info.outputs.platform }}"
+            "Release: ${{ steps.system-info.outputs.release }}"
+            "Total memory: ${MEMORY_GB} GB"
+          )
+
+          for OUTPUT in "${OUTPUTS[@]}";do
+            echo "${OUTPUT}"
+          done
+        continue-on-error: true
+      - name: checkout
+        uses: actions/checkout@v5
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        if: github.event_name != 'schedule'
+        uses: actions/download-artifact@v4
+        with:
+          name: talos-artifacts
+          path: _out
+      - name: Fix artifact permissions
+        if: github.event_name != 'schedule'
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: ci-temp-release-tag
+        if: github.event_name != 'schedule'
+        run: |
+          make ci-temp-release-tag
+      - name: build
+        if: github.event_name == 'schedule'
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          PLATFORM: linux/amd64,linux/arm64
+          PUSH: "true"
+        run: |
+          make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
+      - name: talosctl-cni-bundle
+        if: github.event_name == 'schedule'
+        run: |
+          make talosctl-cni-bundle
+      - name: e2e-airgapped-http-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-http-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: http-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-airgapped-secure-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-secure-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: secure-http-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-airgapped-reverse-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-reverse-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: https-reverse-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: save artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: talos-logs-integration-airgapped
+          path: |-
+            /tmp/logs-*.tar.gz
+            /tmp/support-*.zip
+            /tmp/airgapped*.log
+          retention-days: "5"
   integration-aws:
     permissions:
       actions: read
@@ -2620,14 +2730,6 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
-      - name: e2e-airgapped
-        env:
-          GITHUB_STEP_NAME: ${{ github.job}}-e2e-airgapped
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          WITH_AIRGAPPED: "true"
-        run: |
-          sudo -E make e2e-qemu
       - name: e2e-no-cluster-discovery
         env:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-cluster-discovery
@@ -2672,7 +2774,6 @@ jobs:
           path: |-
             /tmp/logs-*.tar.gz
             /tmp/support-*.zip
-            /tmp/airgapped*.log
           retention-days: "5"
   integration-misc-1-enforcing:
     permissions:

.github/workflows/integration-airgapped-cron.yaml

@@ -0,0 +1,113 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2025-10-01T17:01:09Z by kres bc281a9.
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+"on":
+  schedule:
+    - cron: 30 5 * * *
+name: integration-airgapped-cron
+jobs:
+  default:
+    runs-on:
+      group: large
+    steps:
+      - name: gather-system-info
+        id: system-info
+        uses: kenchan0130/actions-system-info@v1.4.0
+        continue-on-error: true
+      - name: print-system-info
+        run: |
+          MEMORY_GB=$((${{ steps.system-info.outputs.totalmem }}/1024/1024/1024))
+
+          OUTPUTS=(
+            "CPU Core: ${{ steps.system-info.outputs.cpu-core }}"
+            "CPU Model: ${{ steps.system-info.outputs.cpu-model }}"
+            "Hostname: ${{ steps.system-info.outputs.hostname }}"
+            "NodeName: ${NODE_NAME}"
+            "Kernel release: ${{ steps.system-info.outputs.kernel-release }}"
+            "Kernel version: ${{ steps.system-info.outputs.kernel-version }}"
+            "Name: ${{ steps.system-info.outputs.name }}"
+            "Platform: ${{ steps.system-info.outputs.platform }}"
+            "Release: ${{ steps.system-info.outputs.release }}"
+            "Total memory: ${MEMORY_GB} GB"
+          )
+
+          for OUTPUT in "${OUTPUTS[@]}";do
+            echo "${OUTPUT}"
+          done
+        continue-on-error: true
+      - name: checkout
+        uses: actions/checkout@v5
+      - name: Unshallow
+        run: |
+          git fetch --prune --unshallow
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+        timeout-minutes: 10
+      - name: Download artifacts
+        if: github.event_name != 'schedule'
+        uses: actions/download-artifact@v4
+        with:
+          name: talos-artifacts
+          path: _out
+      - name: Fix artifact permissions
+        if: github.event_name != 'schedule'
+        run: |
+          xargs -a _out/executable-artifacts -I {} chmod +x {}
+      - name: ci-temp-release-tag
+        if: github.event_name != 'schedule'
+        run: |
+          make ci-temp-release-tag
+      - name: build
+        if: github.event_name == 'schedule'
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          PLATFORM: linux/amd64,linux/arm64
+          PUSH: "true"
+        run: |
+          make talosctl-linux-amd64 kernel sd-boot sd-stub initramfs installer-base imager talos _out/integration-test-linux-amd64
+      - name: talosctl-cni-bundle
+        if: github.event_name == 'schedule'
+        run: |
+          make talosctl-cni-bundle
+      - name: e2e-airgapped-http-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-http-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: http-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-airgapped-secure-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-secure-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: secure-http-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: e2e-airgapped-reverse-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-reverse-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: https-reverse-proxy
+        run: |
+          sudo -E make e2e-qemu
+      - name: save artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: talos-logs-integration-airgapped
+          path: |-
+            /tmp/logs-*.tar.gz
+            /tmp/support-*.zip
+            /tmp/airgapped*.log
+          retention-days: "5"

.github/workflows/integration-misc-1-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-09-19T11:03:20Z by kres 065ec4c.
+# Generated on 2025-10-01T14:57:23Z by kres bc281a9.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -77,14 +77,6 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
-      - name: e2e-airgapped
-        env:
-          GITHUB_STEP_NAME: ${{ github.job}}-e2e-airgapped
-          IMAGE_REGISTRY: registry.dev.siderolabs.io
-          SHORT_INTEGRATION_TEST: "yes"
-          WITH_AIRGAPPED: "true"
-        run: |
-          sudo -E make e2e-qemu
       - name: e2e-no-cluster-discovery
         env:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-cluster-discovery
@@ -129,5 +121,4 @@ jobs:
           path: |-
             /tmp/logs-*.tar.gz
             /tmp/support-*.zip
-            /tmp/airgapped*.log
           retention-days: "5"

.github/workflows/slack-notify-ci-failure.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-09-25T16:16:48Z by kres fdbc9fc.
+# Generated on 2025-10-01T14:57:23Z by kres bc281a9.
 
 "on":
   workflow_run:
@@ -17,6 +17,7 @@
       - integration-provision-0-cron
       - integration-provision-1-cron
       - integration-provision-2-cron
+      - integration-airgapped-cron
       - integration-misc-0-cron
       - integration-misc-1-cron
       - integration-misc-1-enforcing-cron

.github/workflows/slack-notify.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-09-25T16:16:48Z by kres fdbc9fc.
+# Generated on 2025-10-01T14:57:23Z by kres bc281a9.
 
 "on":
   workflow_run:
@@ -17,6 +17,7 @@
       - integration-provision-0-cron
       - integration-provision-1-cron
       - integration-provision-2-cron
+      - integration-airgapped-cron
       - integration-misc-0-cron
       - integration-misc-1-cron
       - integration-misc-1-enforcing-cron