fix(proxy): make all egress workloads proxy-aware (wire the dead HTTP_PROXY_* values)

[LukasWodka]

Summary

Behind a corporate proxy, the chart's workload pods are proxy-blind: no pod received HTTP(S)_PROXY/NO_PROXY env, so any pod making a direct external call (jobs-manager → api.tracebloc.io) failed with [Errno 111] Connection refused → CrashLoopBackOff. The env.HTTP_PROXY_HOST/PORT/USERNAME/PASSWORD values were declared in values.yaml + values.schema.json but wired into nothing — a promise the chart never kept. The installer's proxy hardening (scripts/lib/cluster.sh) only covers the k3s node (image pulls), not the application pods.

This makes those values real: a tracebloc.proxyEnv helper derives HTTP_PROXY/HTTPS_PROXY/http_proxy/https_proxy (http://[user:pass@]host[:port]) + an auto-augmented NO_PROXY (always carrying the cluster-internal ranges from cluster.sh, so in-cluster + MySQL traffic never traverses the proxy), referenced on every external-egress workload. Renders nothing when no proxy is set → non-proxy installs are byte-unchanged.

Root-cause + egress analysis: tracebloc/backend#768.

Workloads covered (and excluded)

Workload	External call	Proxy env
jobs-manager — api + pods-monitor-container	api.tracebloc.io	✅
requests-proxy	Service Bus / backend	✅
image-refresh CronJob	docker.io / ghcr.io	✅
auto-upgrade CronJob	helm repo + registries	✅
mysql-client / resource-monitor	none / in-cluster	excluded (no egress)
ingestor sub-chart (dataset push)	jobs-manager.<ns>.svc only	excluded (in-cluster)

This makes the per-pod kubectl set env bridge patches used to recover the affected deployment unnecessary going forward.

Type

• Bug fix (regression — corporate-proxy deployments)

Test plan (helm template, ci/bm-values.yaml)

• With proxy (--set-string env.HTTP_PROXY_HOST=proxy.example.com --set-string env.HTTP_PROXY_PORT=8080): all 5 egress containers render HTTP_PROXY=http://proxy.example.com:8080; NO_PROXY includes 172.16.0.0/12, 10.0.0.0/8, .svc, .cluster.local; full manifest parses as valid YAML.
• Without proxy: 0 HTTP_PROXY entries — non-proxy installs unchanged; parses cleanly.
• Note: env.HTTP_PROXY_PORT is a string in the schema → set with --set-string.

Checklist

• Targets develop
• No customer identifiers
• Reviewer to confirm CI (helm-ci, installer-tests) green

Follow-ups (in backend#768, not this PR)

• Installer auto-pass: have the installer set env.HTTP_PROXY_HOST/PORT from the proxy it already detects, so a proxied install is zero-config (no manual values).
• Extend e2e-proxy.sh: assert a workload pod (not just the node) reaches an allowlisted external host through the proxy — the test that would have caught this.
• A helm-unittest assertion for the proxy env (couldn't add here without confirming the repo's unittest layout — flag for the reviewer).

[LukasWodka]

👋 Heads-up — Code review queue is at 9 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• client#215 — Post-install self-verification of CLI usability (#738) · author: @LukasWodka · no reviewer assigned
• client#223 — test(charts): add helm-unittest suite for requests-proxy-service template · author: @saadqbal · no reviewer assigned
• client#224 — fix(Wire SINGLE_NODE flag: chart default from hostPath.enabled + installer sets it #222): wire SINGLE_NODE — chart default from hostPath.enabled + installer · author: @saadqbal · no reviewer assigned
• client#225 — fix(mysql): probe over TCP so a moved socket can't kill a healthy DB · author: @LukasWodka · reviewer: @saadqbal
• client#226 — fix(ingestor): bump baseline image digest v0.3.2 → v0.3.6 (fixes LMU helm-upgrade regression) · author: @LukasWodka · reviewer: @saadqbal
• client-runtime#93 — fix(chore: revert default CODEOWNERS (back to author-picks-reviewer) #92): gate GPU→CPU pending fallback to single-node clusters · author: @saadqbal · no reviewer assigned
• data-ingestors#169 — feat: add token_classification (NER/POS) ingestion · author: @shujaatTracebloc · reviewer: @divyasinghds
• design-system#38 — feat(molecules): add ButtonGroup + InputButtonCombo · author: @waqaskhanroghani · reviewer: @saadqbal
• tracebloc-client#355 — fix(object_detection): scale RCNN targets to pixel space · author: @shujaatTracebloc · reviewer: @divyasinghds

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)