feat(egress): make credential vault TLS transport check configurable#1063
Conversation
Credential vault write operations previously always required TLS or loopback transport, which blocks requests arriving through a TLS- terminating reverse proxy (e.g. tengine-ingress). Add env var OPENSANDBOX_EGRESS_CREDENTIAL_VAULT_REQUIRE_TLS to opt into the check (default off), and trust X-Forwarded-Proto: https when enabled. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d0c8d2baf0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 26a76c2616
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Summary
OPENSANDBOX_EGRESS_CREDENTIAL_VAULT_REQUIRE_TLSenv var to control whether credential vault write operations require TLS/loopback transport (default: off)X-Forwarded-Proto: httpsheader for requests arriving through TLS-terminating reverse proxiesTest plan
TestCredentialVaultWriteSkipsTLSCheckByDefault— default off, non-TLS non-loopback writes succeedTestCredentialVaultWriteRequiresTLSOrLoopback— enabled, non-TLS non-loopback rejected with 426TestCredentialVaultWriteAllowsForwardedProto— enabled,X-Forwarded-Proto: httpsaccepted🤖 Generated with Claude Code