47268f6fd6
The egress addon now selects each request's Config by the calling bottle's
source IP, so one shared sidecar serves every bottle. Opt-in and fail-closed;
single-tenant behaviour is unchanged.
Orchestrator side (source-IP-primary attribution, per the PRD invariant):
* registry: `by_source_ip` (the single active bottle at a source IP —
network-layer attribution); `attribute` now composes it + the token.
* service: `resolve(source_ip, token="")` — with a token, strict
attribution; without, source IP alone.
* control_plane: `POST /resolve`'s identity_token is now OPTIONAL (absent
→ source-IP-only); split cleanly from the token-required `/attribute`.
* policy_resolver: `resolve` token now optional.
Egress side:
* egress_addon_core: `resolve_client_config(resolver, client_ip, token)` —
fetches + parses the client's Config, **fail-closed**: unattributed, a
resolver error, or an unparseable policy all yield deny-all (no routes).
Host-testable; `PolicyResolverLike` Protocol keeps it import-free.
* egress_addon: consolidated mode when `BOT_BOTTLE_ORCHESTRATOR_URL` is
set → `_active_config(flow)` resolves per client IP (reads + strips the
`x-bot-bottle-identity` header); `request()` uses it. Unset → the static
routes file, exactly as before. `PolicyResolver` added to the bundle.
Security note: source-IP-only resolution is safe where the IP is unspoofable
(Firecracker /31 + nft) AND the control plane is reachable only by the
trusted sidecar; the identity token, when the agent injects it, strengthens
it on weaker backends.
Scope note: the egress data plane is now multi-tenant. Remaining to be fully
live: the network topology routing every bottle's proxy to the one shared
sidecar, git-gate multitenancy, and agent-side identity-token injection.
Tests: registry by_source_ip; orchestrator resolve (with/without token);
control-plane /resolve token-optional; resolver token-optional;
resolve_client_config fail-closed matrix. All 182 egress tests still pass
(single-tenant unchanged). Full suite green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01WBMWTEtQdJ4W5UrWuLHCck
106 lines
4.7 KiB
Docker
106 lines
4.7 KiB
Docker
# Per-bottle sidecar bundle image (PRD 0024).
|
|
#
|
|
# Collapses the prior per-sidecar images (egress, git-gate,
|
|
# supervise) into one. A small stdlib-Python init supervisor at
|
|
# /app/sidecar_init.py spawns all daemons, forwards SIGTERM, and
|
|
# propagates per-daemon stdout/stderr to the container log with a
|
|
# `[name]` prefix. See PRD 0024 for the rationale.
|
|
#
|
|
# Layout:
|
|
#
|
|
# /usr/bin/gitleaks gitleaks binary
|
|
# /app/egress_addon.py + siblings mitmproxy addon (egress)
|
|
# /app/egress-entrypoint.sh mitmdump launcher
|
|
# /app/supervise_server.py + .py supervise MCP server
|
|
# /app/sidecar_init.py PID 1 supervisor
|
|
# /etc/egress/routes.yaml bind-mounted at run time
|
|
# /etc/git-gate/pre-receive docker-cp'd at start time
|
|
# /git-gate-entrypoint.sh docker-cp'd at start time
|
|
# /git-gate/creds/* docker-cp'd at start time
|
|
# /git/* bare repos, populated at runtime
|
|
# /run/supervise/bot-bottle.db bind-mounted at run time
|
|
# /home/mitmproxy/.mitmproxy/ mitmproxy CA dir
|
|
#
|
|
# Exposed ports inside the container:
|
|
# 9099 egress (mitmproxy, agent-facing HTTPS proxy)
|
|
# 9418 git-gate (git-daemon)
|
|
# 9420 git-gate smart HTTP (VM-backend agent-facing transport)
|
|
# 9100 supervise (MCP HTTP)
|
|
|
|
# Stage 1: gitleaks binary. The upstream gitleaks image is alpine
|
|
# with the binary at /usr/bin/gitleaks. Pinned by digest in lockstep
|
|
# with Dockerfile.git-gate's prior base (now deleted at chunk 3).
|
|
FROM zricethezav/gitleaks@sha256:c00b6bd0aeb3071cbcb79009cb16a60dd9e0a7c60e2be9ab65d25e6bc8abbb7f AS gitleaks-src
|
|
|
|
# Stage 2: assembly. mitmproxy/mitmproxy is debian-slim-based with
|
|
# Python + mitmdump pre-installed — heavier than the others, so
|
|
# this stage starts there and pulls the standalone binaries in.
|
|
FROM mitmproxy/mitmproxy:11.1.3
|
|
|
|
# Run as root inside the bundle. The bundle is the isolation
|
|
# boundary; per-daemon user separation inside it is not load-bearing
|
|
# and complicates the supervisor's spawn path.
|
|
USER root
|
|
|
|
# Runtime system deps:
|
|
# git supplies the `git daemon` subcommand (no separate package)
|
|
# plus the core `git` binary the pre-receive hook invokes.
|
|
# openssh-client supplies the upstream SSH transport the
|
|
# pre-receive hook uses to forward accepted refs.
|
|
# ca-certificates is needed for mitmdump upstream TLS (the
|
|
# base image already has it; listed for explicitness).
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
git openssh-client ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Pull the standalone binaries into the final image.
|
|
COPY --from=gitleaks-src /usr/bin/gitleaks /usr/bin/gitleaks
|
|
|
|
# Project Python: addon + server modules + the init supervisor.
|
|
# Kept flat under /app/ so mitmdump's loader resolves them as
|
|
# top-level siblings (absolute imports), matching the prior
|
|
# Dockerfile.egress / Dockerfile.supervise layout.
|
|
COPY bot_bottle/egress_addon_core.py /app/egress_addon_core.py
|
|
COPY bot_bottle/egress_dlp_config.py /app/egress_dlp_config.py
|
|
COPY bot_bottle/egress_addon.py /app/egress_addon.py
|
|
COPY bot_bottle/policy_resolver.py /app/policy_resolver.py
|
|
COPY bot_bottle/dlp_detectors.py /app/dlp_detectors.py
|
|
COPY bot_bottle/yaml_subset.py /app/yaml_subset.py
|
|
COPY bot_bottle/paths.py /app/paths.py
|
|
COPY bot_bottle/migrations.py /app/migrations.py
|
|
COPY bot_bottle/db_store.py /app/db_store.py
|
|
COPY bot_bottle/supervise_types.py /app/supervise_types.py
|
|
COPY bot_bottle/queue_store.py /app/queue_store.py
|
|
COPY bot_bottle/audit_store.py /app/audit_store.py
|
|
COPY bot_bottle/store_manager.py /app/store_manager.py
|
|
COPY bot_bottle/supervise.py /app/supervise.py
|
|
COPY bot_bottle/supervise_server.py /app/supervise_server.py
|
|
COPY bot_bottle/sidecar_init.py /app/sidecar_init.py
|
|
COPY bot_bottle/git_http_backend.py /app/git_http_backend.py
|
|
COPY bot_bottle/egress_entrypoint.sh /app/egress-entrypoint.sh
|
|
RUN chmod +x /app/egress-entrypoint.sh
|
|
|
|
# Pre-create runtime directories the compose renderer + start
|
|
# step expect to exist. `docker cp` does not create intermediate
|
|
# dirs, and bind mounts won't either if the parent is missing.
|
|
RUN mkdir -p \
|
|
/etc/egress \
|
|
/etc/git-gate \
|
|
/git-gate/creds \
|
|
/git \
|
|
/run/supervise \
|
|
/home/mitmproxy/.mitmproxy
|
|
|
|
# Documentation only — the compose renderer publishes whichever
|
|
# subset the bottle uses.
|
|
EXPOSE 8888 9099 9418 9420 9100
|
|
|
|
# WORKDIR matches Dockerfile.supervise's prior layout so the
|
|
# in-app same-dir import in supervise_server.py stays deterministic.
|
|
WORKDIR /app
|
|
|
|
# PID 1 is the supervisor. It owns signal handling and exit-code
|
|
# propagation; no `exec` chain in the entrypoint itself.
|
|
ENTRYPOINT ["python3", "/app/sidecar_init.py"]
|