-
Notifications
You must be signed in to change notification settings - Fork 1k
feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy #2245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
feloy
wants to merge
28
commits into
NVIDIA:main
Choose a base branch
from
feloy:fix-1792-corporate-proxy-podman
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+4,495
−43
Open
Changes from all commits
Commits
Show all changes
28 commits
Select commit
Hold shift + click to select a range
cc0405c
feat(sandbox,gateway): route sandbox egress through corporate HTTP proxy
feloy 3c43b52
fix(sandbox,podman): make corporate proxy routing operator-owned
feloy fa0082c
feat(sandbox,podman): deliver corporate proxy credentials via secret …
feloy a82cf26
fix(sandbox,podman): fail closed on invalid upstream proxy configuration
feloy 1a9bcb0
fix(sandbox,podman): finish the fail-closed upstream proxy credential…
feloy 2990c6c
fix(sandbox,podman): close remaining fail-open upstream proxy config …
feloy 1394b24
fix(sandbox,podman): reject upstream proxy URLs with path, query, or …
feloy c6a92fa
fix(sandbox,podman): remove plain-HTTP upstream proxy support
feloy 1f19d26
fix(sandbox,podman): escape generated TOML and require explicit proxy…
feloy 4389400
fix(sandbox,podman): preserve tunneled bytes read with the CONNECT re…
feloy a1c8b99
fix(sandbox,podman): gate cleartext proxy Basic auth behind an explic…
feloy f86d73c
fix(sandbox,podman): honor port qualifiers and resolved addresses in …
feloy 5617bcf
fix(sandbox,podman): bind proxied CONNECT tunnels to validated addresses
feloy 32930c2
fix(sandbox,podman): reject empty port after bracketed IPv6 proxy host
feloy cdf5d89
fix(sandbox,podman): fall back across validated addresses in proxied …
feloy 707a50f
fix(sandbox,podman): strip new reserved proxy vars and complete docs/…
feloy 2768c08
fix(sandbox,podman): cap each proxied CONNECT attempt within the shar…
feloy fcc2651
fix(sandbox,podman): deliver corporate proxy config on the supervisor…
feloy 5be9905
docs(sandbox): align proxy comments with the argv transport
feloy 3192ee8
fix(sandbox): parse bracketed IPv6 authorities in client CONNECT targets
feloy 19f2369
test(podman): cover proxy-auth secret cleanup across lifecycle failures
feloy 80e4ac3
docs: list corporate proxy keys in the Podman compute-driver overview
feloy c8434ad
test(sandbox): cover the SSRF-to-TLS composition across the proxy tunnel
feloy 4524ac9
fix(sandbox,podman): bound proxy-auth reads, reject port 0, fix stale…
feloy 1f9fc5b
fix(sandbox): open proxy-auth file non-blocking to reject FIFOs promptly
feloy 2b18a75
test(podman): cover corporate proxy egress across driver and supervisor
feloy c2c797e
test(podman): restart the gateway on the proxy-config panic path
feloy 39b8d2a
fix(supervisor-network): derive the loopback proxy bypass from resolv…
feloy File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Critical: This target table also captures the existing
chronoandreqwestdeclarations below it. Telemetry is enabled by default and uses both crates on non-Unix targets, so those builds will lose the dependencies and fail. Keepchronoandreqwestin[dependencies], and place onlynixunder[target.'cfg(unix)'.dependencies].