
feat(egress): make credential vault TLS transport check configurable #1063

Merged
hittyt merged 3 commits into main from feat/egress-credential-vault-optional-tls-check on Jun 15, 2026

Conversation

@Pangjiping

Collaborator

Summary

  • Add OPENSANDBOX_EGRESS_CREDENTIAL_VAULT_REQUIRE_TLS env var to control whether credential vault write operations require TLS/loopback transport (default: off)
  • When enabled, also trust X-Forwarded-Proto: https header for requests arriving through TLS-terminating reverse proxies
  • Fixes HTTP 426 when credential vault writes go through ingress gateways that terminate TLS (e.g. tengine-ingress)

Test plan

  • TestCredentialVaultWriteSkipsTLSCheckByDefault — default off, non-TLS non-loopback writes succeed
  • TestCredentialVaultWriteRequiresTLSOrLoopback — enabled, non-TLS non-loopback rejected with 426
  • TestCredentialVaultWriteAllowsForwardedProto — enabled, X-Forwarded-Proto: https accepted
  • All existing credential vault tests pass

🤖 Generated with Claude Code

Credential vault write operations previously always required TLS or loopback transport, which blocks requests arriving through a TLS-terminating reverse proxy (e.g. tengine-ingress). Add env var OPENSANDBOX_EGRESS_CREDENTIAL_VAULT_REQUIRE_TLS to opt into the check (default off), and trust X-Forwarded-Proto: https when enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Pangjiping Pangjiping added component/egress feature New feature or request labels Jun 15, 2026
Pangjiping and others added 2 commits June 15, 2026 19:15
@Pangjiping Pangjiping requested a review from ninan-nn as a code owner June 15, 2026 11:17

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d0c8d2baf0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread components/egress/policy_server.go
Comment thread components/egress/policy_server.go

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26a76c2616


Comment thread components/egress/policy_server.go

@hittyt hittyt left a comment


LGTM

@hittyt hittyt merged commit 1e8374b into main Jun 15, 2026
15 checks passed

Labels

component/egress feature New feature or request


3 participants