feat(supervisor-middleware): add in-process egress middleware#2027
Draft
pimlock wants to merge 16 commits into
/ok to test 9ebcdd5
Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
🌿 Preview your docs: https://nvidia-preview-pr-2027.docs.buildwithfern.com/openshell
…are outages

An unreachable operator-registered middleware service previously aborted sandbox startup via a hard error in load_policy, contradicting the per-request on_error contract and the resilient live-reload path. Retry the initial connect and, on failure, degrade to the built-in registry so matched requests are governed by each config's on_error (deny for fail_closed, allow for fail_open) instead of blocking the whole sandbox.

The policy poll loop now reconciles the registry on every poll while an install is pending, so a recovered service is adopted without waiting for a config change; a failed reconcile also no longer blocks unrelated policy updates.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>

…limit

A chain entry whose binding did not resolve reported a zero body limit, which dragged the whole chain's buffer cap to zero and spuriously failed body-bearing requests over capacity even when a resolved middleware could have processed them. Exclude unresolved entries from the limit via a new DescribedChainEntry::is_resolved(); when no entry resolves, skip buffering and apply each entry's on_error directly.

Also fix two parallel-test flakes found while validating the change:
- Build middleware OCSF events into a Vec and assert on it directly instead of capturing through the global tracing pipeline, whose callsite-interest cache is process-global and raced under parallel runs.
- Accumulate the websocket deny response until the reason marker arrives rather than assuming a single read returns the full body.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
Summary
Implements the first usable RFC 0009 supervisor middleware slice: proto-backed, host-selected HTTP egress middleware for HttpRequest/pre_credentials, with both in-process built-ins and statically registered operator-run gRPC services.

The implementation covers RFC 0009 Phase 1 and adds basic external-service support from Phase 2. It establishes the contract, policy plumbing, ordered chain execution, built-in secret redaction, static gateway registration, relay integration, validation before policy persistence, body limits, audit events, and user-facing configuration and operations documentation.
Related Issue
Closes #2010
Part of #1733
Design/RFC: #1738
Changes
- openshell.middleware.v1 protobuf contract with Describe, ValidateConfig, and EvaluateHttpRequest, plus generated Rust module wiring.
- openshell-supervisor-middleware crate with a common service abstraction for built-in and operator-run middleware, ordered chain execution, fail-open/fail-closed handling, safe append-only header mutation, body replacement, metadata propagation, findings, and the built-in openshell/secrets redactor.
- http:// and TLS https:// endpoints using platform trust roots.
- Describe, the gateway rejects configured limits above that capability, and built-ins use their code-owned advertised limits.
- network_middlewares policy list. Middleware selection is independent of the network policy that admitted a request and uses case-insensitive destination-host include and exclude selectors, with exclusions taking precedence.
- tls: skip endpoints.
Testing
- mise run pre-commit passes
- cargo test -p openshell-supervisor-middleware
- cargo test -p openshell-supervisor-network
- cargo test -p openshell-server --features test-support
Checklist
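As an added illustration (not the openshell-supervisor-middleware crate's own code) of the selection and degradation rules this PR describes: case-insensitive destination-host include/exclude selectors with exclusions winning, a chain buffer cap taken only over resolved entries, and each entry's on_error governing when its service is unreachable. The types are hypothetical, and treating an empty include list as matching every host is an assumption not stated on the page.

```rust
// Hypothetical model of a network_middlewares chain entry; not the crate's real types.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum OnError { FailOpen, FailClosed }

#[derive(Clone, Debug)]
pub struct MiddlewareConfig {
    pub name: &'static str,
    pub include: Vec<&'static str>, // destination-host selectors
    pub exclude: Vec<&'static str>,
    pub on_error: OnError,
    /// Body limit advertised by the service; None when its binding did not resolve.
    pub resolved_limit: Option<usize>,
}

// Selectors compare case-insensitively against the destination host.
fn host_matches(selector: &str, host: &str) -> bool {
    selector.eq_ignore_ascii_case(host)
}

/// Entries governing `host`, in chain order. An exclusion always beats an inclusion;
/// an empty include list is assumed (here) to match every host.
pub fn select<'a>(chain: &'a [MiddlewareConfig], host: &str) -> Vec<&'a MiddlewareConfig> {
    chain
        .iter()
        .filter(|c| {
            let excluded = c.exclude.iter().any(|s| host_matches(s, host));
            let included = c.include.is_empty() || c.include.iter().any(|s| host_matches(s, host));
            included && !excluded
        })
        .collect()
}

/// Buffer cap for a body-bearing request: the smallest limit among *resolved* entries.
/// Unresolved entries are skipped so they cannot drag the cap to zero; None means
/// no entry resolved, so the request is not buffered at all.
pub fn chain_body_limit(selected: &[&MiddlewareConfig]) -> Option<usize> {
    selected.iter().filter_map(|c| c.resolved_limit).min()
}

/// Decision for an entry whose service is unreachable: its own on_error applies.
/// Returns true when the request is allowed (fail_open), false when denied (fail_closed).
pub fn degraded_decision(c: &MiddlewareConfig) -> bool {
    c.on_error == OnError::FailOpen
}
```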