[release]: bump version to 0.6.2 and appVersion to 0.4.5; add dnsConfig options for improved DNS resolution

pedrofrxncx · pedrofrxncx · commit 7222549e1481 · 2026-05-08T19:18:48.000-03:00
diff --git a/deploy/helm/sandbox-env/Chart.yaml b/deploy/helm/sandbox-env/Chart.yaml
@@ -9,7 +9,7 @@ description: |
   releases coexist in the shared `agent-sandbox-system` namespace.
   Requires the sandbox-operator chart to already be installed.
 type: application
-version: 0.6.1
+version: 0.6.2
 # appVersion tracks the studio-sandbox image version (image.tag default).
-appVersion: "0.3.0"
+appVersion: "0.4.5"
 kubeVersion: ">=1.30.0-0"
diff --git a/deploy/helm/sandbox-env/templates/sandbox-template.yaml b/deploy/helm/sandbox-env/templates/sandbox-template.yaml
@@ -64,6 +64,10 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if not .Values.hostUsers }}
       # User namespace remap: UID 1000 inside the pod maps to a high
       # subordinate UID on the node, so a container escape lands as a
diff --git a/deploy/helm/sandbox-env/values.yaml b/deploy/helm/sandbox-env/values.yaml
@@ -131,6 +131,24 @@ affinity: {}
 #         app.kubernetes.io/name: studio-sandbox-<envName>
 topologySpreadConstraints: []
 
+# DNS resolver options for sandbox pods. The Kubernetes default (ndots:5)
+# causes every external lookup to generate up to 8 queries (4 search-domain
+# expansions × A+AAAA) before reaching the absolute form. On EKS this burns
+# into the 1024 pps/ENI AWS VPC DNS rate limit and causes intermittent git
+# clone / npm install failures under load. Set ndots:1 to send external
+# hostnames (github.com, registry.npmjs.org, …) directly to the absolute
+# form. Safe for sandbox pods: the NetworkPolicy blocks all in-cluster egress
+# except port 53 to CoreDNS, so search-domain expansions that resolve to
+# private IPs would be unreachable regardless.
+#
+# Recommended for production:
+#
+# dnsConfig:
+#   options:
+#     - name: ndots
+#       value: "1"
+dnsConfig: {}
+
 # ── sandbox-pod hardening ──────────────────────────────────────────────
 # User namespace remap (`spec.hostUsers: false`): UID 1000 inside the pod
 # maps to a high, unprivileged subordinate UID on the node, so a
