feat(server): support injecting env vars into egress container#1069
feat(server): support injecting env vars into egress container#1069Pangjiping wants to merge 2 commits into
Conversation
…ENSANDBOX_EGRESS_ prefix Env vars in CreateSandboxRequest.env with the OPENSANDBOX_EGRESS_ prefix are now automatically routed to the egress sidecar container instead of the main sandbox container. This enables users to configure egress behavior (e.g., mitmproxy scripts, log level, DNS settings) at sandbox creation time without requiring a custom egress image. Reserved internal vars (RULES, MODE, TOKEN) are rejected with 400 to prevent overriding server-managed state. Closes #968 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pangjiping
requested review from
Generalwin,
hittyt,
jwx0925 and
ninan-nn
as code owners
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eaeadabc80
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
- Mirror OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT to sandbox container so execd bootstrap.sh can trust the MITM CA in manual MITM path - Move _build_create_workload_context into try block so reserved env var ValueError is caught and returned as 400 instead of 500 - Skip user-supplied MITMPROXY_TRANSPARENT in extra_env when credential_proxy_enabled to prevent overriding the internal value - Reserve OPENSANDBOX_EGRESS_HTTP_ADDR to prevent users from changing the egress listen address and breaking readiness probes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dee470ea2c
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if key.startswith(EGRESS_ENV_PREFIX): | ||
| if key in RESERVED_EGRESS_ENV_VARS: | ||
| raise ValueError( | ||
| f"Environment variable '{key}' is reserved and cannot be overridden" | ||
| ) | ||
| egress_env[key] = value |
There was a problem hiding this comment.
For Kubernetes create requests that do not include networkPolicy, this branch still removes every non-reserved OPENSANDBOX_EGRESS_... variable from the sandbox env and stores it only in egress_env. Because _build_create_workload_context only sets an egress image/token when request.network_policy is present, apply_egress_to_spec() returns without creating a sidecar, so these variables are silently injected nowhere instead of into the requested sandbox runtime. Only split these keys when an egress sidecar will actually be created, or reject this combination explicitly.
Useful? React with 👍 / 👎.
| if credential_proxy_enabled and name == OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT: | ||
| continue | ||
| env.append({"name": name, "value": value or ""}) |
There was a problem hiding this comment.
When credentialProxy.enabled is true, a request can still pass OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE=true through env, and this loop appends it to the egress sidecar. The credential vault explicitly refuses to operate in that mode (components/egress/pkg/credentialvault/vault.go:373-378), so credential-vault writes for that sandbox fail even though the create request asked the server to provision credential proxy support. Filter or reject this env var on the credential-proxy path the same way the transparent MITM flag is protected.
Useful? React with 👍 / 👎.
2 participants
Summary
OPENSANDBOX_EGRESS_*prefixed env vars fromCreateSandboxRequest.envto the egress sidecar container instead of the main sandbox containerOPENSANDBOX_EGRESS_RULES,OPENSANDBOX_EGRESS_MODE,OPENSANDBOX_EGRESS_TOKEN) with 400 errorenvfield with prefix conventionCloses #968
Test plan
_split_egress_env: prefix splitting, empty/None input, reserved var rejection,MITMPROXY_TRANSPARENTallowedapply_egress_to_specwithextra_env: injection, None value handling, empty dict noop🤖 Generated with Claude Code