Enroll Codex workspace through Cloudflare WARP #600
ArgoCD Diff Result
Auth path: tailscale
Application: codex-workspace
Diff path: argoproj/codex-workspace
===== apps/Deployment codex-workspace/codex-workspace ======
483a484,502
> - name: CLOUDFLARE_WARP_ENABLED
> value: "true"
> - name: CLOUDFLARE_WARP_REQUIRED
> value: "false"
> - name: CLOUDFLARE_WARP_AUTH_CLIENT_ID
> valueFrom:
> secretKeyRef:
> key: auth-client-id
> name: codex-workspace-cloudflare-warp
> - name: CLOUDFLARE_WARP_AUTH_CLIENT_SECRET
> valueFrom:
> secretKeyRef:
> key: auth-client-secret
> name: codex-workspace-cloudflare-warp
> - name: CLOUDFLARE_WARP_ORGANIZATION
> valueFrom:
> secretKeyRef:
> key: organization
> name: codex-workspace-cloudflare-warp
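Review bot: `CLOUDFLARE_WARP_REQUIRED` is set to `"false"` while `CLOUDFLARE_WARP_ENABLED` is `"true"`, and nothing in this hunk or the PR description states what the workspace does when the tunnel fails to come up. Because the PR deliberately adds no direct NetworkPolicy exception for the target Service, a non-required WARP turns a failed enrollment into `even-g2-main.b0xp.io` silently becoming unreachable instead of the Pod failing fast; document the intended failure mode, or flip the value to `"true"` once the connection has been verified end to end. Also worth stating: the client id, client secret and organization are injected through `secretKeyRef` environment variables, so a rotated service token in the Secret only reaches the container after a Pod restart.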
527a547,548
> - NET_ADMIN
> - NET_RAW
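Review bot: `NET_ADMIN` and `NET_RAW` are added without the surrounding `capabilities` block being visible, so the hunk does not show whether `drop: [ALL]` is still in effect; confirm these are the only two capabilities the container ends up with. `NET_ADMIN` lets anything running in the container reconfigure the Pod's interfaces, routes and netfilter rules, and `NET_RAW` allows raw sockets (spoofed packets); neither is on the capability allow-list of the Pod Security Standards baseline profile, so check that the namespace's PSS or admission policy exempts this Deployment, otherwise the rollout is rejected. If the WARP client can live in its own sidecar container that alone carries these capabilities, rather than the container that executes the agent's code, that is the preferable layout.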
548a570,571
> - mountPath: /dev/net/tun
> name: dev-net-tun
731a755,758
> - hostPath:
> path: /dev/net/tun
> type: CharDevice
> name: dev-net-tun
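Review bot: the `hostPath` volume with `type: CharDevice` makes the Pod fail to start on any node where `/dev/net/tun` is not present as a character device (that is, the `tun` module is not loaded), and `hostPath` volumes are also disallowed by the PSS baseline profile. Record that node prerequisite in the PR (the Verification section already notes the TUN device could not be tested locally) and consider pinning the workload with a `nodeSelector`, or exposing the device through a device plugin instead of a raw `hostPath`. The mount is only usable together with the `NET_ADMIN` capability added above; without it the `TUNSETIFF` ioctl fails with EPERM, which is a useful thing to mention in the summary so the two changes are understood as a pair.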
===== projectcalico.org/NetworkPolicy codex-workspace/codex-workspace-network-policy ======
40d39
< source: {}
48d46
< source: {}
57d54
< source: {}
65c62,66
< source: {}
---
> - action: Allow
> destination:
> ports:
> - 2408
> protocol: UDP
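Review bot: the new `Allow` rule matches `protocol: UDP` to port `2408` with no `destination.nets`, so it permits UDP/2408 to any address the Pod can route to, not only Cloudflare's WARP ingress; add a `nets:` list with the ingress ranges Cloudflare publishes on its WARP firewall page so the policy itself documents what the opening is for. That same page also lists UDP/443 for MASQUE, which this rule does not cover (the Codex review below raises this). The three removed `source: {}` entries are no-ops in Calico, since an empty source selects all sources, so dropping them is fine but deserves a line in the PR summary as a cleanup.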
===== external-secrets.io/ExternalSecret codex-workspace/codex-workspace-cloudflare-warp ======
0a1,25
> apiVersion: external-secrets.io/v1
> kind: ExternalSecret
> metadata:
> annotations:
> argocd.argoproj.io/tracking-id: codex-workspace:external-secrets.io/ExternalSecret:codex-workspace/codex-workspace-cloudflare-warp
> name: codex-workspace-cloudflare-warp
> namespace: codex-workspace
> spec:
> data:
> - remoteRef:
> key: /lolice/codex-workspace/cloudflare-warp-auth-client-id
> secretKey: auth-client-id
> - remoteRef:
> key: /lolice/codex-workspace/cloudflare-warp-auth-client-secret
> secretKey: auth-client-secret
> - remoteRef:
> key: /lolice/codex-workspace/cloudflare-warp-organization
> secretKey: organization
> refreshInterval: 1h
> secretStoreRef:
> kind: ClusterSecretStore
> name: parameterstore
> target:
> creationPolicy: Owner
> name: codex-workspace-cloudflare-warp
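Review bot: `refreshInterval: 1h` keeps the Kubernetes Secret in step with Parameter Store, but the Deployment reads `auth-client-id` and `auth-client-secret` as environment variables, so a rotated WARP service token only takes effect after a Pod restart; document a rollout step for rotation, or add a checksum annotation on the Pod template or a secret-reload controller so the change triggers one. `creationPolicy: Owner` is the right choice since the Secret should not outlive the ExternalSecret, and the three `remoteRef` keys line up with the `/lolice/codex-workspace/cloudflare-warp-*` dependency named in the PR description.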
ℹ️ The diff above was found.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 986ffef22a
Review comment on codex-workspace-network-policy, anchored at these lines:
  protocol: UDP
  destination:
    ports:
    - 2408
In environments where the Cloudflare WARP device profile is set to MASQUE (including FedRAMP High), Cloudflare's official documentation states that the default WARP ingress becomes UDP/443 (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). This addition only allows UDP/2408, and the existing 443 allow is TCP only, so in that configuration the tunnel-establishment packets are dropped by the NetworkPolicy and even-g2-main.b0xp.io cannot be reached. Either pin the profile to WireGuard or also allow UDP/443 toward the Cloudflare WARP ingress.
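The port check the review above describes, as an added example that is not code from the PR or the repository: a small Python lint over a Calico NetworkPolicy's egress rules that reports which Cloudflare WARP ingress ports (UDP/2408 for WireGuard, UDP/443 for MASQUE, per the Cloudflare firewall page the review cites) no rule positively allows. The policy dicts are constructed to resemble the hunk in the ArgoCD diff, not copied from the cluster; the selector and the pre-existing TCP/443 rule are assumptions.

```python
import copy

# WARP ingress transports and the UDP ports Cloudflare documents for them
# (assumption taken from the firewall page the review links, not from the PR).
WARP_INGRESS = {
    ("UDP", 2408): "WireGuard",
    ("UDP", 443): "MASQUE",
}


def port_matches(spec, port):
    """Calico port entries are ints, "lo:hi" range strings, or named ports.

    Named ports are resolved against the endpoint, which this checker does
    not have, so they are treated as non-matching."""
    if isinstance(spec, int):
        return spec == port
    if isinstance(spec, str) and ":" in spec:
        lo, hi = (int(x) for x in spec.split(":", 1))
        return lo <= port <= hi
    return False


def rule_matches(rule, proto, port):
    """Does this rule's protocol/destination clause select proto/port?

    No "protocol" key means any protocol; a destination without "ports"
    means any port; "notPorts" carves ports back out."""
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    dest = rule.get("destination") or {}
    ports = dest.get("ports")
    if ports is not None and not any(port_matches(p, port) for p in ports):
        return False
    if any(port_matches(p, port) for p in dest.get("notPorts", [])):
        return False
    return True


def egress_verdict(policy, proto, port):
    """First matching egress rule decides, as Calico evaluates rules in order.

    "Log" rules never terminate evaluation. Returns "Allow", "Deny", "Pass",
    or None when nothing matches (the tuple then falls through to
    lower-order policies or the profile default)."""
    for rule in policy["spec"].get("egress", []):
        if rule.get("action") == "Log":
            continue
        if rule_matches(rule, proto, port):
            return rule.get("action")
    return None


def missing_warp_ports(policy):
    """Map (proto, port) -> transport for each WARP ingress port that this
    policy does not positively allow."""
    return {
        key: name
        for key, name in WARP_INGRESS.items()
        if egress_verdict(policy, *key) != "Allow"
    }


# Constructed to resemble the PR's policy after the hunk: the pre-existing
# TCP/443 allow the review mentions plus the new UDP/2408 rule. Not the
# repository's actual manifest; selector is a placeholder.
POLICY_PR = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "NetworkPolicy",
    "metadata": {"name": "codex-workspace-network-policy",
                 "namespace": "codex-workspace"},
    "spec": {
        "selector": "app == 'codex-workspace'",
        "types": ["Egress"],
        "egress": [
            {"action": "Allow", "protocol": "TCP",
             "destination": {"ports": [443]}},
            {"action": "Allow", "protocol": "UDP",
             "destination": {"ports": [2408]}},
        ],
    },
}


def with_masque_rule(policy):
    """Copy of the policy with the UDP/443 allow the review asks for."""
    fixed = copy.deepcopy(policy)
    fixed["spec"]["egress"].append(
        {"action": "Allow", "protocol": "UDP",
         "destination": {"ports": [443]}})
    return fixed


if __name__ == "__main__":
    for label, pol in (("as submitted", POLICY_PR),
                       ("with UDP/443", with_masque_rule(POLICY_PR))):
        gaps = missing_warp_ports(pol)
        print(f"{label}: missing {gaps or 'nothing'}")
```

Run as a script it prints the verdict for both policies. The checker deliberately treats "no rule matched" as not allowed, which is correct when this is the only policy selecting the Pod; if other Calico policies with a lower `order` apply, evaluate them first, and it ignores named ports and `destination.nets`, so it does not tell you whether the opening is scoped to Cloudflare's ranges.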
Summary
- /dev/net/tun, NET_ADMIN, and NET_RAW

Context
BOXP-17 needs the Codex workspace to access even-g2-main.b0xp.io through the same Cloudflare WARP route used by WARP-connected users. This PR intentionally does not add a direct NetworkPolicy exception to the even-g2-main Service.

Dependencies
- /lolice/codex-workspace/cloudflare-warp-*.

Verification
- git diff --check
- Kubernetes manifest validation was not run locally because kubectl/kustomize are not installed in this workspace. WARP connection was not tested locally because it requires the real service token and Pod TUN device.