diff --git a/client/Chart.yaml b/client/Chart.yaml
index a79dbeb..acf7b17 100644
--- a/client/Chart.yaml
+++ b/client/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: client
 description: A unified Helm chart for tracebloc on AKS, EKS, bare-metal, and OpenShift
 type: application
-version: 1.6.0
-appVersion: "1.5.1"
+version: 1.6.1
+appVersion: "1.6.1"
 keywords:
 - tracebloc
 - kubernetes
diff --git a/client/templates/jobs-manager-deployment.yaml b/client/templates/jobs-manager-deployment.yaml
index 054a0b0..ff0f03c 100644
--- a/client/templates/jobs-manager-deployment.yaml
+++ b/client/templates/jobs-manager-deployment.yaml
@@ -1,5 +1,8 @@
-{{- /* #229: these env keys are owned by tracebloc.proxyEnv, which emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. */ -}}
-{{- $proxyKeys := list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- /* #229/#238: when HTTP_PROXY_HOST is set, tracebloc.proxyEnv owns these keys — it emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. When HTTP_PROXY_HOST is UNSET, proxyEnv renders nothing, so the exclusion list stays empty and the passthrough still emits a directly-set env.HTTP_PROXY / NO_PROXY — the pre-1.6.0 way to configure a corporate proxy. Dropping those unconditionally was an upgrade regression (#238): gate the exclusion on proxyEnv being active. */ -}}
+{{- $proxyKeys := list -}}
+{{- if .Values.env.HTTP_PROXY_HOST -}}
+{{- $proxyKeys = list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/client/tests/proxy_env_test.yaml b/client/tests/proxy_env_test.yaml
index ba16e3c..39b621a 100644
--- a/client/tests/proxy_env_test.yaml
+++ b/client/tests/proxy_env_test.yaml
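Review bot: The new gate `{{- if .Values.env.HTTP_PROXY_HOST -}}` restates in this template the condition under which tracebloc.proxyEnv renders, and the helper is not part of this diff, so the two checks can drift apart. A value that is truthy here but that the helper treats as unset (a whitespace-only string, for instance) would exclude the proxy keys while nothing emits them, and the opposite mismatch would bring back the duplicate, unmerged NO_PROXY that the comment describes. I would define the condition once, as a named template that both the helper and this gate call, or at least add `{{- /* keep in sync with the activation check in tracebloc.proxyEnv */ -}}` next to the `if`. The header comment should also state that on the legacy path NO_PROXY is passed through without the cluster-internal entries, so in-cluster requests go to the corporate proxy unless the operator lists those hosts themselves.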
@@ -119,3 +119,29 @@ tests:
 - notContains:
 path: spec.template.spec.containers[1].env
 content: {name: NO_PROXY, value: "myinternal.example"}
+ # ===== #238 regression: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is UNSET =====
+ # Before 1.6.0 a corporate proxy was configured by setting env.HTTP_PROXY (a
+ # full URL) directly; tracebloc.proxyEnv (the HTTP_PROXY_HOST-driven helper)
+ # did not exist. The #229 proxy-key exclusion must therefore stay INACTIVE
+ # when HTTP_PROXY_HOST is unset — otherwise the passthrough drops the user's
+ # HTTP_PROXY and their backend/registry egress breaks on upgrade to 1.6.0.
+ # proxyEnv renders nothing here, so the generic passthrough is the sole (and
+ # correct) source: the direct values pass through verbatim, NO_PROXY unmerged.
+ - it: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is unset (jobs-manager)
+ template: templates/jobs-manager-deployment.yaml
+ set: {env.HTTP_PROXY: "http://corp-proxy.example.com:3128", env.NO_PROXY: "myinternal.example"}
+ asserts:
+ # api container: directly-set proxy vars pass through (proxyEnv inactive)
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content: {name: NO_PROXY, value: "myinternal.example"}
+ # pods-monitor container: same
+ - contains:
+ path: spec.template.spec.containers[1].env
+ content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+ - contains:
+ path: spec.template.spec.containers[1].env
+ content: {name: NO_PROXY, value: "myinternal.example"}
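Review bot: The four `contains` asserts in the new case pass even if HTTP_PROXY or NO_PROXY is rendered twice, yet a duplicate env name is exactly the failure the template comment warns about, since Kubernetes keeps the last one. Each assert should also pin that the name appears once, for example with `count: 1` on `contains` if the helm-unittest version in use supports it. The case also covers only an absent HTTP_PROXY_HOST. Because the gate is a truthiness check, a second case with `env.HTTP_PROXY_HOST: ""` set next to a direct `env.HTTP_PROXY` would pin how an explicitly blanked value behaves. If other templates in the chart carry the same passthrough (not visible in this diff), they need the same regression case.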