Refactor/egress mitmproxy yaml config#975
Open
Pangjiping wants to merge 3 commits into
Open
Conversation
Pangjiping
force-pushed
the
refactor/egress-mitmproxy-yaml-config
branch
from
022c537 to
92581d3
Compare
…ynamic)
Move fleet-wide, rarely-changing mitmproxy options into a baked-in
config.yaml under the standard mitm confdir layout, so launch.go only
emits per-deployment dynamic overrides via --set. This eliminates two
classes of bug along the way:
- stream_large_bodies was set in two places (launch.go --set 1m and
custom.py ctx.options 10m), with the addon silently winning — making
the launch.go line dead code. Now declared once in config.yaml (10m).
- ignore_hosts was env-driven with `;`-separated values, but each value
was passed as a separate --set, and mitmproxy --set on a list option
REPLACES the list — so configuring multiple bypass patterns silently
only kept the last one. config.yaml uses a native YAML list with no
override semantics.
Static options now in /var/lib/mitmproxy/.mitmproxy/config.yaml:
mode, listen_host, connection_strategy (lazy — historical default
preserved here; switching to eager is tracked in a separate change),
stream_large_bodies (10m), http2, ignore_hosts (empty default),
ssl_verify_upstream_trusted_confdir (default).
Dynamic overrides remain env-driven and applied as --set in launch.go
(precedence: --set > config.yaml > mitm defaults):
OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT (toggle)
OPENSANDBOX_EGRESS_MITMPROXY_PORT
OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT
OPENSANDBOX_EGRESS_MITMPROXY_SSL_INSECURE
OPENSANDBOX_EGRESS_MITMPROXY_UPSTREAM_TRUST_DIR
Removed env vars (no internal use, replaced by config.yaml):
OPENSANDBOX_EGRESS_MITMPROXY_CONFDIR — confdir is the mitm user's
home (/var/lib/mitmproxy), which is also where config.yaml lives;
splitting them via env created an unused escape hatch that would
have broken config.yaml discovery.
OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS — replaced by ignore_hosts
in config.yaml (native list, no covert-overwrite bug).
The mitmproxy.Config struct loses its ConfDir field accordingly.
SyncRootCA still accepts an optional confDirEnv argument so the existing
candidate-path search behavior is preserved if a future caller needs to
plumb it back in.
…ConfigMap mount) The previous draft told operators to edit components/egress/mitmproxy/config.yaml and rebuild — true for the in-repo flow, but does not help operators consuming a published egress image who want different static defaults. Add a section spelling out the three supported override paths: 1. Build a downstream image that COPYs an alternate config.yaml over the baked-in path (recommended: version-controlled, reproducible). 2. Mount an override at /var/lib/mitmproxy/.mitmproxy/config.yaml at runtime (Kubernetes ConfigMap subPath mount example included). 3. Use the env-driven --set escape hatch for the small set of options exposed via environment variables. Also warn against in-container edits, which are lost on restart and blocked by the mitmproxy user's read-only access.
…ibility PR opensandbox-group#951 moved the egress binary from /egress to /opt/opensandbox-egress/egress so the supervisor and binary could share a single grouped directory. External tooling and older deployment manifests may still reference the old /egress path; add a symlink so both paths resolve to the same binary. Symlink rather than COPY: zero extra image size, single source of truth for chmod and replacement, and `exec /egress` resolves to the supervisor-managed binary like before.
Pangjiping
force-pushed
the
refactor/egress-mitmproxy-yaml-config
branch
from
6b6824c to
a90b629
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Move static mitmproxy options out of
launch.gohardcodes into a baked-inconfig.yamlunder the standard mitm confdir layout.launch.gokeeps only per-deployment dynamic flags(env-driven
--set).config.yamllists only deviations from mitm built-in defaults:Precedence:
--set(env override) >config.yaml> mitm defaults.Why
Two latent bugs in the launch.go surface:
stream_large_bodiesset twice. launch.go wrote1m, custom.py overrode to10mviactx.options. launch.go line was dead.ignore_hostsmulti-value silently overwritten. Each;-separated entry was a separate--set ignore_hosts=..., and mitm--seton a list option REPLACES the list — only thelast value survived.
config.yamlnatively expresses lists, eliminates the double-set, and gives operators a single reviewable file for fleet-wide static defaults.Removed env vars
OPENSANDBOX_EGRESS_MITMPROXY_CONFDIR— no internal use; would have broken config.yaml discovery.OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS— replaced by yaml-native list (the env path was the source of the silent-overwrite bug).Override paths (documented)
COPYover the baked-in path (recommended).subPathmount at runtime.--setfor the documented dynamic env vars.Backward compat
/egresssymlink →/opt/opensandbox-egress/egressfor tooling that still references the pre-#951 path.Testing
Breaking Changes
Checklist