fix(#229): dedupe NO_PROXY — exclude proxy keys from generic env passthrough#237
Merged
Conversation
…passthrough jobs-manager's api and pods-monitor containers include tracebloc.proxyEnv (merged, cluster-safe NO_PROXY) AND a generic .Values.env passthrough. The passthrough re-emitted a user-set NO_PROXY UNMERGED after proxyEnv; k8s keeps the last duplicate, so the unmerged copy won — dropping the cluster-internal entries (.svc, 10.0.0.0/8, ...) and routing in-cluster traffic through the proxy. Exclude proxy-owned keys (via a shared $proxyKeys list) from both passthrough loops so proxyEnv is the sole source. Adds a proxy_env_test regression (custom NO_PROXY + proxy -> single merged NO_PROXY, no unmerged copy) for both jobs-manager containers. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
divyasinghds
approved these changes
Jun 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #236. Found by Cursor Bugbot on the v1.6.0 release PR #235.
jobs-manager's
api+pods-monitorcontainers includetracebloc.proxyEnv(merged, cluster-safeNO_PROXY) AND a generic.Values.envpassthrough that re-emitted a user-setNO_PROXYunmerged afterwards. k8s keeps the last duplicate, so the unmerged copy won — dropping cluster-internal entries (.svc,10.0.0.0/8, …) and routing in-cluster traffic through the proxy. Affects proxy customers (#229's target audience); invisible to non-proxy installs.Fix: exclude proxy-owned keys from both passthrough loops via a shared
$proxyKeyslist (proxyEnv stays the sole source). Adds aproxy_env_testregression (custom NO_PROXY + proxy → one merged NO_PROXY, no unmerged copy) for both containers.Validation: helm unittest 195 pass (+1), render-verified single merged NO_PROXY, non-proxy passthrough intact, lint + 4-platform render clean.
Blocks the v1.6.0 release (#234) — re-cut after this lands on develop.
🤖 Generated with Claude Code
Note
Medium Risk
Affects proxy-enabled installs only but fixes incorrect in-cluster routing; change is narrow Helm template logic with a targeted regression test.
Overview
Fixes a Helm templating bug in
jobs-manager-deploymentwhere proxy-related values could be emitted twice:tracebloc.proxyEnvfirst (mergedNO_PROXY+HTTP(S)_PROXY), then again from the generic.Values.envloop.Kubernetes keeps the last duplicate env entry, so a user-set
NO_PROXYwithout cluster-internal suffixes could override the merged value and send in-cluster traffic (e.g.mysql-client,requests-proxy) through the corporate proxy.The change introduces a shared
$proxyKeyslist and skips those keys in both the api and pods-monitor passthrough loops so proxy env comes only fromproxyEnv. A helm unittest regression asserts a customNO_PROXYappears once, merged with cluster defaults, on both containers.Reviewed by Cursor Bugbot for commit 576761f. Bugbot is set up for automated code reviews on this repo. Configure here.