Scalr/agent-helm agent-job-0.6.1 on GitHub

Added a PodDisruptionBudget for task pods (task.podDisruptionBudget), enabled by default with maxUnavailable: 0. Previously only the controller had a PDB (selecting app.kubernetes.io/component: agent), so task pods were not covered and could be evicted mid-run by the Eviction API during node upgrades/drains — the pod-level safe-to-evict/karpenter annotations do not protect against that path, only a PDB does. With the new PDB a draining node now waits for the running task to finish on its own before evicting it. Configurable via task.podDisruptionBudget.enabled, minAvailable, and maxUnavailable.
Added mTLS client certificate configuration (global.tls.clientCertSecret, global.tls.clientCert, global.tls.clientKey) for mutual TLS authentication between the agent and Scalr. The bootstrap certificate and key are mounted read-only at /etc/scalr-agent/ssl/ and mapped to SCALR_AGENT_TLS_CERT_FILE and SCALR_AGENT_TLS_KEY_FILE. Supports both existing Kubernetes secrets (including kubernetes.io/tls type) and inline PEM values. Applied to the controller and worker containers; the runner container is not affected. Note: mTLS is an upcoming Enterprise feature.

Fixed helm upgrade failing with YAML parse error ... mapping values are not allowed in this context when global.labels was set. The common labels helper was emitting the rendered map on the same line as the preceding label, producing invalid YAML. Thanks to @PabloPie for reporting and contributing the fix in #148.
Fixed global.labels not being applied to pods. Labels set via global.labels now propagate to both workload metadata.labels and the pod template's spec.template.metadata.labels for the controller Deployment and task Jobs, matching the behavior users expect from a "global" label setting. Component-specific overrides (global.podLabels, agent.podLabels, task.podLabels) continue to take precedence on key collisions.
Fixed agent.podSecurityContext and task.podSecurityContext having no effect when overriding values from global.podSecurityContext. Component-specific values now correctly take precedence over global defaults.