From 6d97f5f456890a22838fb24f69e8d9c86346fe46 Mon Sep 17 00:00:00 2001 
From: Asad Iqbal Date: Tue, 9 Jun 2026 14:01:32 +0500 Subject: [PATCH 1/3] =?UTF-8?q?fix(#238):=20gate=20proxy-key=20exclusion?= =?UTF-8?q?=20on=20HTTP=5FPROXY=5FHOST=20=E2=80=94=20preserve=20a=20direct?= =?UTF-8?q?ly-set=20env.HTTP=5FPROXY?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #236 excluded the proxy-owned keys (HTTP_PROXY/HTTPS_PROXY/NO_PROXY/… plus the HTTP_PROXY_* inputs) from jobs-manager's generic .Values.env passthrough UNCONDITIONALLY, so tracebloc.proxyEnv would be the sole source. But proxyEnv only emits when HTTP_PROXY_HOST is set — when it is UNSET, proxyEnv renders nothing AND the passthrough now drops a directly-set env.HTTP_PROXY (a full proxy URL, the pre-1.6.0 way to configure a corporate proxy). Net effect: clusters that set the raw HTTP_PROXY value instead of HTTP_PROXY_HOST lose backend/registry egress behind their corporate proxy on upgrade to 1.6.0 — an upgrade regression flagged by Cursor Bugbot on release PR #235. Gate the exclusion on proxyEnv being active: build $proxyKeys empty and only populate it when .Values.env.HTTP_PROXY_HOST is set (mirrors proxyEnv's own gate). When unset, the list stays empty so the passthrough emits directly-set proxy vars verbatim — prior behavior preserved. When set, the exclusion holds exactly as in #236 (proxyEnv authoritative; a stray direct HTTP_PROXY dropped). Adds a proxy_env_test regression: a direct env.HTTP_PROXY + NO_PROXY with no HTTP_PROXY_HOST passes through on both jobs-manager containers. Confirmed the test fails (4 asserts) against the unconditional #236 template. Validation: helm unittest 196 pass (+1 regression); lint clean; 4-platform render (aks/bm/eks/oc) clean; render-verified both scenarios (direct HTTP_PROXY survives when host unset; proxyEnv authoritative and stray direct value dropped when host set). 
Co-Authored-By: Claude Opus 4.8
---
 client/templates/jobs-manager-deployment.yaml | 7 +++--
 client/tests/proxy_env_test.yaml | 26 +++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/client/templates/jobs-manager-deployment.yaml b/client/templates/jobs-manager-deployment.yaml
index 054a0b0..ff0f03c 100644
--- a/client/templates/jobs-manager-deployment.yaml
+++ b/client/templates/jobs-manager-deployment.yaml
@@ -1,5 +1,8 @@
-{{- /* #229: these env keys are owned by tracebloc.proxyEnv, which emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. */ -}}
-{{- $proxyKeys := list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- /* #229/#238: when HTTP_PROXY_HOST is set, tracebloc.proxyEnv owns these keys — it emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. When HTTP_PROXY_HOST is UNSET, proxyEnv renders nothing, so the exclusion list stays empty and the passthrough still emits a directly-set env.HTTP_PROXY / NO_PROXY — the pre-1.6.0 way to configure a corporate proxy. Dropping those unconditionally was an upgrade regression (#238): gate the exclusion on proxyEnv being active. */ -}}
+{{- $proxyKeys := list -}}
+{{- if .Values.env.HTTP_PROXY_HOST -}}
+{{- $proxyKeys = list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/client/tests/proxy_env_test.yaml b/client/tests/proxy_env_test.yaml
index ba16e3c..39b621a 100644
--- a/client/tests/proxy_env_test.yaml
+++ b/client/tests/proxy_env_test.yaml
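Review bot: The new `if .Values.env.HTTP_PROXY_HOST` gate switches off the whole ten-key exclusion, including the input-only keys `HTTP_PROXY_PORT`, `HTTP_PROXY_USERNAME` and `HTTP_PROXY_PASSWORD`, so a values file that carries a proxy password but an empty or missing host would presumably have that credential emitted verbatim by the generic `.Values.env` passthrough into the rendered pod spec. Only the six real proxy variables need the gate to restore the pre-1.6.0 behaviour; it looks as if nothing in the containers reads the `HTTP_PROXY_*` inputs directly, but that should be confirmed. I would keep the four inputs excluded unconditionally with `{{- $proxyKeys := list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" -}}` and append the rest inside the `if` with `{{- $proxyKeys = concat $proxyKeys (list "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy") -}}`. The passthrough loop that consumes `$proxyKeys` lies outside this hunk, so its behaviour is inferred from the template comment and the commit message.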
@@ -119,3 +119,29 @@ tests:
 - notContains:
 path: spec.template.spec.containers[1].env
 content: {name: NO_PROXY, value: "myinternal.example"}
+ # ===== #238 regression: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is UNSET =====
+ # Before 1.6.0 a corporate proxy was configured by setting env.HTTP_PROXY (a
+ # full URL) directly; tracebloc.proxyEnv (the HTTP_PROXY_HOST-driven helper)
+ # did not exist. The #229 proxy-key exclusion must therefore stay INACTIVE
+ # when HTTP_PROXY_HOST is unset — otherwise the passthrough drops the user's
+ # HTTP_PROXY and their backend/registry egress breaks on upgrade to 1.6.0.
+ # proxyEnv renders nothing here, so the generic passthrough is the sole (and
+ # correct) source: the direct values pass through verbatim, NO_PROXY unmerged.
+ - it: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is unset (jobs-manager)
+ template: templates/jobs-manager-deployment.yaml
+ set: {env.HTTP_PROXY: "http://corp-proxy.example.com:3128", env.NO_PROXY: "myinternal.example"}
+ asserts:
+ # api container: directly-set proxy vars pass through (proxyEnv inactive)
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content: {name: NO_PROXY, value: "myinternal.example"}
+ # pods-monitor container: same
+ - contains:
+ path: spec.template.spec.containers[1].env
+ content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+ - contains:
+ path: spec.template.spec.containers[1].env
+ content: {name: NO_PROXY, value: "myinternal.example"}
From 18298b5fc31ded6a755243e20f938982605e206f Mon Sep 17 00:00:00 2001
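Review bot: The regression case sets only `env.HTTP_PROXY` and `env.NO_PROXY`, while the gate it protects covers ten keys, so the host-unset path is not pinned for `HTTPS_PROXY` (the variable TLS egress to a backend or registry normally uses) or for the credential-bearing `HTTP_PROXY_PASSWORD`. I would add `env.HTTPS_PROXY: "http://corp-proxy.example.com:3128"` to `set` with a matching `content: {name: HTTPS_PROXY, value: "http://corp-proxy.example.com:3128"}` assertion on both containers. A second case that sets `env.HTTP_PROXY_PASSWORD` without a host and asserts the intended outcome explicitly would make a password reaching the pod spec a decision rather than a side effect. A case with `env.HTTP_PROXY_HOST: ""` is also worth having, since the template gate is a truthiness check and values files often carry an empty default. The `tests:` list and the earlier cases start outside this hunk, so some of this may already be covered there.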
From: Asad Iqbal Date: Tue, 9 Jun 2026 14:08:54 +0500 Subject: [PATCH 2/3] =?UTF-8?q?fix(chart):=20bump=20appVersion=201.5.1=20?= =?UTF-8?q?=E2=86=92=201.6.0=20to=20restore=20version/appVersion=20lockste?= =?UTF-8?q?p?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 1.6.0 chart bump (#231) moved Chart.yaml `version` 1.5.1 → 1.6.0 but left `appVersion` at "1.5.1" — every prior release (1.1.0 … 1.5.1) bumped the two in lockstep. tracebloc.labels emits `app.kubernetes.io/version` from .Chart.AppVersion, so a 1.6.0 chart labelled every resource (and reported to cluster info, which reads that standard label) as app version 1.5.1 while `helm.sh/chart` correctly said client-1.6.0 — two disagreeing version signals. Restore lockstep so the published 1.6.0 carries the right app version from the start (no stale-label 1.6.1 follow-up). No functional/workload change; helm unittest 196 pass, lint clean, render shows both labels at 1.6.0. Co-Authored-By: Claude Opus 4.8
---
 client/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/Chart.yaml b/client/Chart.yaml
index a79dbeb..fc8f13f 100644
--- a/client/Chart.yaml
+++ b/client/Chart.yaml
@@ -3,7 +3,7 @@ name: client
 description: A unified Helm chart for tracebloc on AKS, EKS, bare-metal, and OpenShift
 type: application
 version: 1.6.0
-appVersion: "1.5.1"
+appVersion: "1.6.0"
 keywords:
 - tracebloc
 - kubernetes
From 54feeee188c40d9a3609900d219c597b15000c25 Mon Sep 17 00:00:00 2001
From: Asad Iqbal Date: Tue, 9 Jun 2026 14:12:51 +0500 Subject: [PATCH 3/3] =?UTF-8?q?chore(chart):=20bump=20chart=201.6.0=20?= =?UTF-8?q?=E2=86=92=201.6.1=20(version=20+=20appVersion)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ship this PR's fixes as a 1.6.1 fast-follow (per #238) rather than folding into the still-unpublished 1.6.0: the proxy-key exclusion gate (#238) and the appVersion lockstep correction. Bumps both version and appVersion together so they stay in lockstep (the 1.6.0 bump's miss is what stranded appVersion at 1.5.1 in the first place); supersedes the intermediate appVersion=1.6.0 from the previous commit. helm unittest 196 pass; lint clean; render shows both labels (app version + helm.sh/chart) at 1.6.1. Co-Authored-By: Claude Opus 4.8
---
 client/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/client/Chart.yaml b/client/Chart.yaml
index fc8f13f..acf7b17 100644
--- a/client/Chart.yaml
+++ b/client/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: client
 description: A unified Helm chart for tracebloc on AKS, EKS, bare-metal, and OpenShift
 type: application
-version: 1.6.0
-appVersion: "1.6.0"
+version: 1.6.1
+appVersion: "1.6.1"
 keywords:
 - tracebloc
 - kubernetes