Sync develop → main for v1.6.1 chart release

client/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: client
 description: A unified Helm chart for tracebloc on AKS, EKS, bare-metal, and OpenShift
 type: application
-version: 1.6.0
-appVersion: "1.5.1"
+version: 1.6.1
+appVersion: "1.6.1"
 keywords:
   - tracebloc
   - kubernetes

client/templates/jobs-manager-deployment.yaml

@@ -1,5 +1,8 @@
-{{- /* #229: these env keys are owned by tracebloc.proxyEnv, which emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. */ -}}
-{{- $proxyKeys := list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- /* #229/#238: when HTTP_PROXY_HOST is set, tracebloc.proxyEnv owns these keys — it emits HTTP(S)_PROXY and a merged, cluster-safe NO_PROXY. Exclude them from the generic .Values.env passthrough below so a user-set NO_PROXY (or proxy var) is not re-emitted UNMERGED after proxyEnv — Kubernetes keeps the LAST duplicate env, which would drop the cluster-internal NO_PROXY entries and route in-cluster traffic through the proxy. When HTTP_PROXY_HOST is UNSET, proxyEnv renders nothing, so the exclusion list stays empty and the passthrough still emits a directly-set env.HTTP_PROXY / NO_PROXY — the pre-1.6.0 way to configure a corporate proxy. Dropping those unconditionally was an upgrade regression (#238): gate the exclusion on proxyEnv being active. */ -}}
+{{- $proxyKeys := list -}}
+{{- if .Values.env.HTTP_PROXY_HOST -}}
+{{- $proxyKeys = list "HTTP_PROXY_HOST" "HTTP_PROXY_PORT" "HTTP_PROXY_USERNAME" "HTTP_PROXY_PASSWORD" "NO_PROXY" "no_proxy" "HTTP_PROXY" "HTTPS_PROXY" "http_proxy" "https_proxy" -}}
+{{- end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

client/tests/proxy_env_test.yaml

@@ -119,3 +119,29 @@ tests:
       - notContains:
           path: spec.template.spec.containers[1].env
           content: {name: NO_PROXY, value: "myinternal.example"}
+  # ===== #238 regression: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is UNSET =====
+  # Before 1.6.0 a corporate proxy was configured by setting env.HTTP_PROXY (a
+  # full URL) directly; tracebloc.proxyEnv (the HTTP_PROXY_HOST-driven helper)
+  # did not exist. The #229 proxy-key exclusion must therefore stay INACTIVE
+  # when HTTP_PROXY_HOST is unset — otherwise the passthrough drops the user's
+  # HTTP_PROXY and their backend/registry egress breaks on upgrade to 1.6.0.
+  # proxyEnv renders nothing here, so the generic passthrough is the sole (and
+  # correct) source: the direct values pass through verbatim, NO_PROXY unmerged.
+  - it: a directly-set env.HTTP_PROXY survives when HTTP_PROXY_HOST is unset (jobs-manager)
+    template: templates/jobs-manager-deployment.yaml
+    set: {env.HTTP_PROXY: "http://corp-proxy.example.com:3128", env.NO_PROXY: "myinternal.example"}
+    asserts:
+      # api container: directly-set proxy vars pass through (proxyEnv inactive)
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content: {name: NO_PROXY, value: "myinternal.example"}
+      # pods-monitor container: same
+      - contains:
+          path: spec.template.spec.containers[1].env
+          content: {name: HTTP_PROXY, value: "http://corp-proxy.example.com:3128"}
+      - contains:
+          path: spec.template.spec.containers[1].env
+          content: {name: NO_PROXY, value: "myinternal.example"}