fix(proxy): make all egress workloads proxy-aware (wire the dead HTTP_PROXY_* values)

client/templates/_helpers.tpl

@@ -207,3 +207,41 @@ Usage: {{ include "tracebloc.image" (dict "repository" "tracebloc/jobs-manager"
 {{ $registry }}/{{ .repository }}:{{ .tag | default "prod" }}
 {{- end -}}
 {{- end }}
+
+{{/*
+tracebloc.proxyEnv — corporate-proxy env for egress-needing workloads.
+Derives HTTP(S)_PROXY + an auto-augmented NO_PROXY from .Values.env.HTTP_PROXY_*
+so workload pods can reach the backend / registries through a corporate proxy.
+Renders nothing when HTTP_PROXY_HOST is unset (non-proxy installs unchanged).
+NO_PROXY always carries the cluster-internal ranges so in-cluster + MySQL
+traffic never traverses the proxy (mirrors scripts/lib/cluster.sh defaults).
+Usage inside a container's env: list:
+  {{- include "tracebloc.proxyEnv" . | nindent 8 }}
+*/}}
+{{- define "tracebloc.proxyEnv" -}}
+{{- if .Values.env.HTTP_PROXY_HOST }}
+{{- $host := .Values.env.HTTP_PROXY_HOST -}}
+{{- $port := .Values.env.HTTP_PROXY_PORT | default "" -}}
+{{- $user := .Values.env.HTTP_PROXY_USERNAME | default "" -}}
+{{- $pass := .Values.env.HTTP_PROXY_PASSWORD | default "" -}}
+{{- $hostport := $host -}}
+{{- if $port }}{{- $hostport = printf "%s:%v" $host $port -}}{{- end -}}
+{{- $cred := "" -}}
+{{- if $user }}{{- $cred = printf "%s:%s@" $user $pass -}}{{- end -}}
+{{- $url := printf "http://%s%s" $cred $hostport -}}
+{{- $noProxy := "localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.svc.cluster.local,.cluster.local,host.k3d.internal" -}}
+{{- with .Values.env.NO_PROXY }}{{- $noProxy = printf "%s,%s" . $noProxy -}}{{- end }}
+- name: HTTP_PROXY
+  value: {{ $url | quote }}
+- name: HTTPS_PROXY
+  value: {{ $url | quote }}
+- name: http_proxy
+  value: {{ $url | quote }}
+- name: https_proxy
+  value: {{ $url | quote }}
+- name: NO_PROXY
+  value: {{ $noProxy | quote }}
+- name: no_proxy
+  value: {{ $noProxy | quote }}
+{{- end }}
+{{- end -}}

client/templates/auto-upgrade-cronjob.yaml

@@ -134,6 +134,7 @@ spec:
               # our script instead.
               command: ["/bin/sh", "/scripts/auto-upgrade.sh"]
               env:
+              {{- include "tracebloc.proxyEnv" . | nindent 16 }}
                 - name: RELEASE_NAME
                   value: {{ .Release.Name | quote }}
                 - name: RELEASE_NAMESPACE

client/templates/image-refresh-cronjob.yaml

@@ -486,6 +486,7 @@ spec:
               # alpine/k8s entrypoint is kubectl; override to run our script.
               command: ["/bin/sh", "/scripts/image-refresh.sh"]
               env:
+              {{- include "tracebloc.proxyEnv" . | nindent 16 }}
                 # alpine/k8s's kubectl writes a discovery cache under
                 # $HOME/.kube. The pod runs uid 1000 with
                 # readOnlyRootFilesystem, so point HOME at the writable

client/templates/jobs-manager-deployment.yaml

@@ -66,6 +66,7 @@ spec:
             subPath: ingestion-authz.yaml
             readOnly: true
         env:
+        {{- include "tracebloc.proxyEnv" . | nindent 8 }}
         - name: CLIENT_ID
           valueFrom:
             secretKeyRef:
@@ -142,6 +143,7 @@ spec:
         - name: logs-volume
           mountPath: "/data/logs"
         env:
+        {{- include "tracebloc.proxyEnv" . | nindent 8 }}
         - name: CLIENT_ID
           valueFrom:
             secretKeyRef:

client/templates/requests-proxy-deployment.yaml

@@ -71,6 +71,7 @@ spec:
               cpu: {{ $rpLim.cpu | default "1000m" | quote }}
               memory: {{ $rpLim.memory | default "512Mi" | quote }}
           env:
+          {{- include "tracebloc.proxyEnv" . | nindent 12 }}
             - name: MYSQL_HOST
               value: "mysql-client"
             - name: EXPERIMENTS_QUEUE_NAME

client/tests/proxy_env_test.yaml

@@ -0,0 +1,97 @@
+suite: Corporate-proxy env injection (backend#768 — guards proxy-blind workloads)
+templates:
+  - templates/jobs-manager-deployment.yaml
+  - templates/requests-proxy-deployment.yaml
+  - templates/image-refresh-cronjob.yaml
+  - templates/auto-upgrade-cronjob.yaml
+set:
+  clientId: "test-id"
+  clientPassword: "test"
+tests:
+  # ===== WITHOUT a proxy: non-proxy installs must be unchanged (no HTTP_PROXY env) =====
+  - it: jobs-manager api has no HTTP_PROXY env by default
+    template: templates/jobs-manager-deployment.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY}
+          any: true
+  - it: jobs-manager pods-monitor has no HTTP_PROXY env by default
+    template: templates/jobs-manager-deployment.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[1].env
+          content: {name: HTTP_PROXY}
+          any: true
+  - it: requests-proxy has no HTTP_PROXY env by default
+    template: templates/requests-proxy-deployment.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY}
+          any: true
+  - it: image-refresh has no HTTP_PROXY env by default
+    template: templates/image-refresh-cronjob.yaml
+    documentSelector: {path: kind, value: CronJob}
+    asserts:
+      - notContains:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY}
+          any: true
+  - it: auto-upgrade has no HTTP_PROXY env by default
+    template: templates/auto-upgrade-cronjob.yaml
+    documentSelector: {path: kind, value: CronJob}
+    asserts:
+      - notContains:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY}
+          any: true
+  # ===== WITH a proxy: every egress workload carries HTTP_PROXY + cluster-safe NO_PROXY =====
+  - it: jobs-manager api gets HTTP_PROXY + cluster-safe NO_PROXY when a proxy is set
+    template: templates/jobs-manager-deployment.yaml
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080"}
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://proxy.example.com:8080"}
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: NO_PROXY, value: "localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.svc.cluster.local,.cluster.local,host.k3d.internal"}
+  - it: jobs-manager pods-monitor gets HTTP_PROXY when a proxy is set
+    template: templates/jobs-manager-deployment.yaml
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080"}
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[1].env
+          content: {name: HTTP_PROXY, value: "http://proxy.example.com:8080"}
+  - it: requests-proxy gets HTTP_PROXY when a proxy is set
+    template: templates/requests-proxy-deployment.yaml
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080"}
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://proxy.example.com:8080"}
+  - it: image-refresh gets HTTP_PROXY when a proxy is set
+    template: templates/image-refresh-cronjob.yaml
+    documentSelector: {path: kind, value: CronJob}
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080"}
+    asserts:
+      - contains:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://proxy.example.com:8080"}
+  - it: auto-upgrade gets HTTP_PROXY when a proxy is set
+    template: templates/auto-upgrade-cronjob.yaml
+    documentSelector: {path: kind, value: CronJob}
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080"}
+    asserts:
+      - contains:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://proxy.example.com:8080"}
+  # ===== authenticated proxy: credentials embed in the URL =====
+  - it: an authenticated proxy embeds the credentials in the proxy URL
+    template: templates/jobs-manager-deployment.yaml
+    set: {env.HTTP_PROXY_HOST: proxy.example.com, env.HTTP_PROXY_PORT: "8080", env.HTTP_PROXY_USERNAME: bob, env.HTTP_PROXY_PASSWORD: pw}
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://bob:pw@proxy.example.com:8080"}