Sync develop → main for v1.7.1 chart release (egress-enforcement preflight helm test, inert) #254
Open
saadqbal wants to merge 3 commits into
…250) The mysql-storage-pvc template (PVC + bare-metal hostPath PV backing the per-cluster MySQL state store) had no dedicated suite. Add one covering:
- dynamic-PVC-only path (hostPath.enabled=false, managed default)
- hostPath PV+PVC pair, claimRef binding, fixed release-scoped path
- the helm.sh/resource-policy: keep annotation protecting the state store
- access-mode defaulting, PVC size, and storageClass wiring
Tests only; no source/template/values changes. Security invariants unchanged.
Co-authored-by: Claude <noreply@anthropic.com>

The logs-pvc template (PV + PVC for client logs) had no dedicated helm-unittest suite. Adds tests/logs_pvc_test.yaml covering the dynamic-provisioning PVC path and the hostPath PV+PVC path.
Co-authored-by: Claude <noreply@anthropic.com>
feat(egress-proxy): deploy-time egress-enforcement pre-flight (non-blocking) [client-runtime#104]
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f09d98c.
This was referenced Jun 12, 2026
Release chart v1.7.1 to `main`. All changes are additive and inert — no behavioural change on the fleet at upgrade time.

Contents (`main` 1.7.0 → `develop` 1.7.1)

- `helm.sh/hook: test` Job, gated on the §8.2 lockdown being enabled (`networkPolicy.training.allowExternalHttps=false`), that probes direct external egress from a `tracebloc.io/workload: training`-labelled pod and fails `helm test` (exit 1) if the CNI isn't enforcing egress NetworkPolicy. Dormant by default; as a test hook it never runs on install/upgrade (incl. the hourly auto-upgrade).

Release type

Phase-1-class: inert. The enforcement check ships dormant (lockdown default-off) and is a `helm test` hook, so the fleet auto-upgrade to 1.7.1 changes nothing operationally — it just makes `helm test <release>` available to operators who flip the lockdown.

After merge

Publish GitHub Release v1.7.1 tagged on `main` → the release workflow packages the chart to gh-pages → fleet auto-upgrades at :23. Rolls under the §8.2 egress epic (client-runtime#102, client-runtime#104).
🤖 Generated with Claude Code
Note: Low Risk. Default upgrades stay behavior-neutral; the enforcement Job is a manual `helm test` hook and only appears when operators enable the egress lockdown.

Overview

Releases chart v1.7.1 with additive, mostly inert changes for the default fleet (`allowExternalHttps` stays true).

Adds an optional §8.2 egress enforcement path: new `networkPolicy.training.enforcementProbeHost` (default `1.1.1.1`, `""` disables) and a gated `helm.sh/hook: test` Job that only renders when training NetworkPolicy is on, lockdown is enabled (`allowExternalHttps=false`), and a probe host is set. The probe runs as a training-labelled, hardened curl pod and fails `helm test` if direct HTTPS to the probe host succeeds—surfacing CNI egress policies that are not actually enforced. It does not run on install/upgrade.

Adds helm-unittest coverage for the enforcement hook template and for logs and mysql storage PVC templates (dynamic PVC vs hostPath PV+PVC, `keep` annotation, sizing, storage class).
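The gated test-hook Job that the PR description and the review summary above both describe, written out as an added example. This is not the chart's own template (its source is not on this page); it is one way to build a hook with the properties the PR states. The values keys `networkPolicy.training.allowExternalHttps` and `networkPolicy.training.enforcementProbeHost`, the `helm.sh/hook: test` annotation and the `tracebloc.io/workload: training` label come from the page; the `networkPolicy.training.enabled` switch used for "training NetworkPolicy is on", the file path, the Job name, the uid and the `curlimages/curl` image are assumptions.

```yaml
# templates/tests/egress-enforcement-probe.yaml  (hypothetical path; added example, not the chart's template)
#
# Renders only when all three gates hold, so a default fleet (allowExternalHttps=true)
# never sees this object, and as a `helm.sh/hook: test` it is only created by `helm test`,
# never on install/upgrade.
#
# Assumed (not on the page): .Values.networkPolicy.training.enabled, the image/tag, uid 65532.
{{- $tr := .Values.networkPolicy.training -}}
{{- if and $tr.enabled (not $tr.allowExternalHttps) $tr.enforcementProbeHost }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-egress-enforcement-probe
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": test
    # Keep a failed Job around so its logs can be read; replace it on the next `helm test`.
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 0
  template:
    metadata:
      labels:
        # Same label the training egress NetworkPolicy selects on, so the probe pod
        # is subject to exactly the rules being verified.
        tracebloc.io/workload: training
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532          # any non-root uid works; curl needs no home directory
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: probe
          image: curlimages/curl:8.8.0   # assumed image/tag
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -u
              host={{ $tr.enforcementProbeHost | quote }}
              # No -f: any completed TLS connection counts as a leak regardless of the
              # HTTP status, so the verdict does not depend on what the probe host serves.
              curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "https://${host}/"
              rc=$?
              if [ "$rc" -eq 0 ]; then
                echo "FAIL: direct HTTPS egress to ${host} succeeded; the CNI is not enforcing the training egress NetworkPolicy"
                exit 1
              fi
              echo "OK: direct HTTPS egress to ${host} was blocked (curl exit ${rc})"
{{- end }}
```

Two caveats an operator running `helm test <release>` should keep in mind. First, the probe can only tell "connection completed" from "anything else", so a node with no route to the probe host at all also passes; the probe host has to be one the node network can normally reach, which is why a well-known public address such as the page's default `1.1.1.1` is a sensible choice. Second, because the hook only renders under the lockdown, running `helm test` on a fleet member that has not flipped `allowExternalHttps=false` exercises nothing; the test's absence in `helm get hooks <release>` is the expected state there, not a pass.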