feat: Add configured HTTPS expose routes #371
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ddb3c6d1f8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
8ae4cff to 680455f

@codex review

@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 50e1647ec7
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5cddef4225
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 40b7e3d92e
if arg == "--" {
    break
}
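Review bot: the loop exits only on a literal `--`, so for `exec`/`console` (declared with passthrough:"partial") the scan keeps rewriting `--expose-https` tokens that belong to the guest command. Once a passthrough subcommand has been seen, also stop at the first positional token (the guest command), not only at `--`, and add a regression case such as `exec npm --expose-https` asserting that the guest argv is passed through unchanged.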
Stop rewriting passthrough guest args as expose flags

`normalizeBareExposeHTTPSArgs` keeps scanning argv until a literal `--`, so it also rewrites `--expose-https` tokens that appear after a passthrough command has already started (for `exec`/`console`, which use `passthrough:"partial"`). In those cases `--expose-https` is a guest-command argument, not a Cleanroom flag, and this conversion silently changes the workload argv (for example `cleanroom exec npm --expose-https` becomes `npm --expose-https=__cleanroom_configured_https__`).
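The scanning rule the review asks for, as an added example in Go (my own code, not Cleanroom's `normalizeBareExposeHTTPSArgs`): a bare `--expose-https` is rewritten to the configured-routes sentinel only while the scanner is still inside Cleanroom's own flags, and scanning stops at a literal `--` and, once a passthrough subcommand has been seen, at the first positional token. The `exec`/`console` set, the `isFlag` heuristic and the assumption that an explicit value has the `name:port` shape are mine; the sentinel string is the one quoted in the review comment.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	exposeHTTPSFlag         = "--expose-https"
	configuredHTTPSSentinel = "__cleanroom_configured_https__" // value quoted in the review comment
)

// Subcommands whose positional arguments are forwarded to the guest.
// Assumption: mirrors the exec/console passthrough:"partial" commands named in the review.
var passthroughCommands = map[string]bool{"exec": true, "console": true}

// isFlag reports whether a token is an option rather than a positional argument.
func isFlag(tok string) bool { return strings.HasPrefix(tok, "-") && tok != "-" }

// looksLikeRouteValue reports whether the token after --expose-https is an explicit
// name:port value (assumed value shape, per the "--expose-https name:port" form in the PR).
func looksLikeRouteValue(tok string) bool { return !isFlag(tok) && strings.Contains(tok, ":") }

// NormalizeBareExposeHTTPSArgs rewrites a bare --expose-https into --expose-https=<sentinel>.
// Scanning stops at a literal "--" and, once a passthrough subcommand has been seen, at the
// first positional token (the guest command), so guest argv is copied through untouched.
func NormalizeBareExposeHTTPSArgs(args []string) []string {
	out := make([]string, 0, len(args))
	seenPassthrough := false
	for i := 0; i < len(args); i++ {
		arg := args[i]
		if arg == "--" {
			return append(out, args[i:]...) // everything after "--" belongs to the guest
		}
		if !isFlag(arg) {
			if seenPassthrough {
				return append(out, args[i:]...) // guest command starts here; stop rewriting
			}
			if passthroughCommands[arg] {
				seenPassthrough = true
			}
			out = append(out, arg)
			continue
		}
		if arg == exposeHTTPSFlag {
			hasValue := i+1 < len(args) && looksLikeRouteValue(args[i+1])
			if !hasValue {
				out = append(out, exposeHTTPSFlag+"="+configuredHTTPSSentinel)
				continue
			}
		}
		out = append(out, arg) // any other flag, or --expose-https with an explicit value
	}
	return out
}

func main() {
	// Constructed argv samples covering the cases from the review comment.
	for _, argv := range [][]string{
		{"run", "--expose-https"},
		{"run", "--expose-https", "web:3000"},
		{"exec", "--expose-https", "npm", "--expose-https"},
		{"exec", "npm", "--expose-https"},
		{"run", "--", "--expose-https"},
	} {
		fmt.Printf("%q -> %q\n", argv, NormalizeBareExposeHTTPSArgs(argv))
	}
}
```

The third sample is the interesting one: the `--expose-https` before `npm` is a Cleanroom flag and gets the sentinel, while the one after `npm` is part of the guest command and is left alone.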
Configured HTTPS exposure currently requires every route to be repeated on the command line, and the trusted leaf certificate shape only covers `cleanroom.localhost` plus one wildcard level. That makes multi-host local apps awkward, especially when they need wildcard labels such as `*.*.<base>`.

This adds an `expose.https` config block that `--expose-https` can expand when the flag is passed without a value. Projects can enumerate exact local hostnames, or define a base such as `{sandbox_id}.cleanroom.localhost` and route `{base}`, `*.{base}`, and `*.*.{base}` to a guest port:

`sudo cleanroom dns install` remains a one-time setup for the managed `cleanroom.localhost` resolver and trust material. The route and TLS layer also accepts other local suffixes such as `{sandbox_id}.localhost`, but those only resolve when that suffix is already pointed at the Cleanroom DNS listener.

Implementation notes:
- `expose:` is loaded outside the compiled policy hash so route choices do not change sandbox policy identity.
- `--expose-https` is normalized before Kong parsing and expanded after a sandbox id is known.
- `google.com` are rejected by the exposure manager.
- `--expose-https name:port` flags.

Validation:
- `mise exec -- go test ./internal/policy ./internal/cli ./internal/exposure`
- `mise exec -- go test ./...`
- `git diff --check`
- `mise exec -- go run ../../cmd/cleanroom policy validate` from `examples/multi-host-routing` (passed; local observability export warned because `localhost:14318` was not listening)
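The route expansion and local-name check described above, as an added Go example (my own code, not the project's exposure manager or its config loader): `{sandbox_id}` and `{base}` are substituted into the configured patterns, any host that is not under `.localhost` is rejected the way the description says `google.com` is, and request hosts are matched against the expanded routes. The `ExposeHTTPSConfig` shape, the rule that `*` matches exactly one label, and the most-specific-match tie-break are assumptions; the sandbox id and routes are constructed sample data. Note the description's own caveat: the current leaf certificate covers `cleanroom.localhost` plus one wildcard level, so a `*.*.{base}` route only serves trusted TLS once the certificate shape covers that depth.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Route is one expanded HTTPS route: a lower-cased host pattern (with "*" labels) mapped to a guest port.
type Route struct {
	Host string
	Port int
}

// ExposeHTTPSConfig is an assumed shape for the expose.https block: a base such as
// "{sandbox_id}.cleanroom.localhost" and route patterns such as "*.{base}" keyed to guest ports.
type ExposeHTTPSConfig struct {
	Base   string
	Routes map[string]int
}

// isLocalName accepts only names under .localhost (assumption: the suffixes the PR lists are
// cleanroom.localhost and {sandbox_id}.localhost; public names such as google.com are rejected).
func isLocalName(host string) bool {
	return host == "localhost" || strings.HasSuffix(host, ".localhost")
}

// ExpandRoutes substitutes {sandbox_id} and {base}, validates every host, and returns routes
// sorted by host so the result is deterministic regardless of map iteration order.
func ExpandRoutes(cfg ExposeHTTPSConfig, sandboxID string) ([]Route, error) {
	base := strings.ReplaceAll(cfg.Base, "{sandbox_id}", sandboxID)
	routes := make([]Route, 0, len(cfg.Routes))
	for pattern, port := range cfg.Routes {
		host := strings.ReplaceAll(pattern, "{base}", base)
		host = strings.ToLower(strings.ReplaceAll(host, "{sandbox_id}", sandboxID))
		if port < 1 || port > 65535 {
			return nil, fmt.Errorf("route %q: guest port %d out of range", pattern, port)
		}
		if !isLocalName(host) {
			return nil, fmt.Errorf("route %q: %q is not a local name", pattern, host)
		}
		for _, label := range strings.Split(host, ".") {
			// Only whole-label wildcards are allowed; partial wildcards like "api-*" are refused.
			if label == "" || (strings.Contains(label, "*") && label != "*") {
				return nil, fmt.Errorf("route %q: bad label %q", pattern, label)
			}
		}
		routes = append(routes, Route{Host: host, Port: port})
	}
	sort.Slice(routes, func(i, j int) bool { return routes[i].Host < routes[j].Host })
	return routes, nil
}

// MatchRoute resolves a request host to a guest port. "*" matches exactly one label, so
// "*.{base}" matches neither "{base}" nor "a.b.{base}"; the route with the most literal labels wins.
func MatchRoute(routes []Route, reqHost string) (int, bool) {
	reqLabels := strings.Split(strings.ToLower(strings.TrimSuffix(reqHost, ".")), ".")
	bestPort, bestScore := 0, -1
	for _, r := range routes {
		pat := strings.Split(r.Host, ".")
		if len(pat) != len(reqLabels) {
			continue
		}
		score, ok := 0, true
		for i := range pat {
			if pat[i] == "*" {
				continue
			}
			if pat[i] != reqLabels[i] {
				ok = false
				break
			}
			score++
		}
		if ok && score > bestScore {
			bestPort, bestScore = r.Port, score
		}
	}
	return bestPort, bestScore >= 0
}

func main() {
	// Constructed config: the base/{base}/*.{base}/*.*.{base} shape from the PR plus one exact host.
	cfg := ExposeHTTPSConfig{
		Base:   "{sandbox_id}.cleanroom.localhost",
		Routes: map[string]int{"{base}": 3000, "*.{base}": 3000, "*.*.{base}": 3000, "api.{base}": 8080},
	}
	routes, err := ExpandRoutes(cfg, "abc123") // constructed sandbox id
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"abc123.cleanroom.localhost", "api.abc123.cleanroom.localhost", "x.y.abc123.cleanroom.localhost", "google.com"} {
		port, ok := MatchRoute(routes, h)
		fmt.Printf("%-34s -> port=%d matched=%v\n", h, port, ok)
	}
	_, err = ExpandRoutes(ExposeHTTPSConfig{Base: "example.com", Routes: map[string]int{"{base}": 443}}, "abc123")
	fmt.Println("non-local base rejected:", err)
}
```

Rejecting non-local names at expansion time, before any DNS or TLS material is touched, keeps a mistyped `expose.https` entry from turning the sandbox into a route for a public hostname.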