From 986ffef22a54cda772c8f851f207c0615df62e8d Mon Sep 17 00:00:00 2001
From: boxp
Date: Thu, 4 Jun 2026 04:50:08 +0000
Subject: [PATCH] Enroll Codex workspace through Cloudflare WARP
---
 argoproj/codex-workspace/deployment.yaml | 35 ++++++++++++++++++-
 argoproj/codex-workspace/external-secret.yaml | 24 +++++++++++++
 argoproj/codex-workspace/networkpolicy.yaml | 5 +++
 .../plan.md | 16 +++++++++
 4 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 docs/project_docs/BOXP-17-codex-workspace-warp-client/plan.md
diff --git a/argoproj/codex-workspace/deployment.yaml b/argoproj/codex-workspace/deployment.yaml
index d277ba9f7..bb50f835b 100644
--- a/argoproj/codex-workspace/deployment.yaml
+++ b/argoproj/codex-workspace/deployment.yaml
@@ -95,6 +95,25 @@ spec:
 secretKeyRef:
 name: codex-workspace-gemini
 key: GEMINI_API_KEY
+ - name: CLOUDFLARE_WARP_ENABLED
+ value: "true"
+ - name: CLOUDFLARE_WARP_REQUIRED
+ value: "false"
+ - name: CLOUDFLARE_WARP_AUTH_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: codex-workspace-cloudflare-warp
+ key: auth-client-id
+ - name: CLOUDFLARE_WARP_AUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: codex-workspace-cloudflare-warp
+ key: auth-client-secret
+ - name: CLOUDFLARE_WARP_ORGANIZATION
+ valueFrom:
+ secretKeyRef:
+ name: codex-workspace-cloudflare-warp
+ key: organization
 - name: DOCKER_HOST
 value: tcp://127.0.0.1:2375
 - name: DOCKER_BUILDKIT
@@ -104,7 +123,15 @@ spec:
 runAsUser: 0
 allowPrivilegeEscalation: true
 capabilities:
- add: ["AUDIT_WRITE", "CHOWN", "FOWNER", "SETGID", "SETUID", "SYS_CHROOT"]
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - FOWNER
+ - NET_ADMIN
+ - NET_RAW
+ - SETGID
+ - SETUID
+ - SYS_CHROOT
 drop: ["ALL"]
 readOnlyRootFilesystem: false
 resources:
@@ -135,6 +162,8 @@ spec:
 mountPath: /usr/local/bin/docker
 subPath: docker
 readOnly: true
+ - name: dev-net-tun
+ mountPath: /dev/net/tun
 - name: obsidian-sync
 image: ghcr.io/boxp/arch/codex-workspace:latest
 imagePullPolicy: Always
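Review bot: The three `secretKeyRef` entries pointing at `codex-workspace-cloudflare-warp` have no `optional: true`, so the pod stays in CreateContainerConfigError until the ExternalSecret has synced SSM parameters that plan.md lists as still to be provisioned on the `boxp/arch` side, which sits oddly next to `CLOUDFLARE_WARP_REQUIRED: "false"` signalling that the tunnel is best-effort. If the entrypoint tolerates empty values, add `optional: true` under each of the three `secretKeyRef` blocks; if it does not, a comment above `CLOUDFLARE_WARP_ENABLED` stating that the secret must exist before this rollout would save the next operator a debugging round. What the entrypoint does when enrollment fails while `CLOUDFLARE_WARP_ENABLED` is `"true"` (fall back to direct egress, or block) decides the actual security posture and is not visible here, so a comment recording it, e.g. `# WARP_REQUIRED=false: workspace still starts with direct egress if enrollment fails — confirm against the image entrypoint`, is worth adding.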
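Review bot: `NET_ADMIN` and `NET_RAW` are outside the Pod Security Standards baseline allow-list, so together with `runAsUser: 0`, `allowPrivilegeEscalation: true` and the `/dev/net/tun` hostPath added in the `@@ -248,3 +277,7 @@` hunk this pod now requires the `privileged` level in the `codex-workspace` namespace; the commit does not say whether that is already the case, so please confirm the admission labels before merging. Since every container in a pod shares one network namespace, the routes and firewall rules the WARP client installs with `NET_ADMIN` presumably also apply to the Docker daemon reached via `tcp://127.0.0.1:2375` and to `obsidian-sync`, which means image pulls and builds in the sidecar would traverse the tunnel as well unless the client is configured to exclude them — confirm that is intended. A comment above `add:` such as `# NET_ADMIN/NET_RAW: Cloudflare WARP client needs them to create the tun interface and manage routes (BOXP-17)` would record why the set grew beyond the original minimal list.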
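Review bot: The `/dev/net/tun` mount here and its `hostPath` volume in the `@@ -248,3 +277,7 @@` hunk carry no comment, and a hostPath on a device node is exactly the line a later reviewer will question; a note on the volume such as `# tun device for the Cloudflare WARP client; type: CharDevice makes the pod fail fast on nodes where the tun module is absent` would explain both the choice and the `type`. Bind-mounting the node plus `NET_ADMIN` is necessary but may not be sufficient, since the container runtime's device cgroup allow-list also governs whether a non-privileged container can open it, so verify during rollout that the client actually brings up its interface instead of logging a permission error.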
@@ -248,3 +277,7 @@ spec:
 emptyDir: {}
 - name: docker-graph-storage
 emptyDir: {}
+ - name: dev-net-tun
+ hostPath:
+ path: /dev/net/tun
+ type: CharDevice
diff --git a/argoproj/codex-workspace/external-secret.yaml b/argoproj/codex-workspace/external-secret.yaml
index 55f2ff902..7237d5466 100644
--- a/argoproj/codex-workspace/external-secret.yaml
+++ b/argoproj/codex-workspace/external-secret.yaml
@@ -51,3 +51,27 @@ spec:
 - secretKey: GEMINI_API_KEY
 remoteRef:
 key: /lolice/codex-workspace/gemini-api-key
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: codex-workspace-cloudflare-warp
+ namespace: codex-workspace
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: parameterstore
+ kind: ClusterSecretStore
+ target:
+ name: codex-workspace-cloudflare-warp
+ creationPolicy: Owner
+ data:
+ - secretKey: auth-client-id
+ remoteRef:
+ key: /lolice/codex-workspace/cloudflare-warp-auth-client-id
+ - secretKey: auth-client-secret
+ remoteRef:
+ key: /lolice/codex-workspace/cloudflare-warp-auth-client-secret
+ - secretKey: organization
+ remoteRef:
+ key: /lolice/codex-workspace/cloudflare-warp-organization
diff --git a/argoproj/codex-workspace/networkpolicy.yaml b/argoproj/codex-workspace/networkpolicy.yaml
index 3c72b7c4c..26d0ec82f 100644
--- a/argoproj/codex-workspace/networkpolicy.yaml
+++ b/argoproj/codex-workspace/networkpolicy.yaml
@@ -56,3 +56,8 @@ spec:
 - 22
 - 80
 - 443
+ - action: Allow
+ protocol: UDP
+ destination:
+ ports:
+ - 2408
diff --git a/docs/project_docs/BOXP-17-codex-workspace-warp-client/plan.md b/docs/project_docs/BOXP-17-codex-workspace-warp-client/plan.md
new file mode 100644
index 000000000..b16813156
--- /dev/null
+++ b/docs/project_docs/BOXP-17-codex-workspace-warp-client/plan.md
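Review bot: The new `secretKey` names (`auth-client-id`, `auth-client-secret`, `organization`) break the uppercase-snake convention the file already uses (`GEMINI_API_KEY` in the context lines), which makes the secret-key-to-env-var mapping in deployment.yaml harder to audit at a glance; `AUTH_CLIENT_ID` and friends would match, with the `key:` references in the deployment updated accordingly. `refreshInterval: 1h` also means a rotated or revoked Service Token takes up to an hour to land in the Secret, and because the deployment injects these values as env vars they are read once at container start, so rotation needs a pod restart on top of the sync — a comment such as `# WARP Service Token; consumed as env vars, so rotation requires a rollout of codex-workspace` next to `refreshInterval` would record that.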
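Review bot: The new rule has no `destination.nets`, so it opens UDP 2408 to every destination rather than to the Cloudflare WARP ingress ranges the client actually talks to; adding `nets:` with Cloudflare's published WARP IP ranges under `destination:` (or a comment saying why they are deliberately left open) keeps this from becoming a generic UDP egress allowance on a port the client merely happens to use. As far as I recall Cloudflare documents fallback ports the client tries when 2408 is blocked, and only 2408 is opened here, so if enrollment works but the tunnel is flaky the fallback path is the first thing to check rather than this rule. A comment above `- action: Allow`, e.g. `# Cloudflare WARP WireGuard transport (BOXP-17)`, would explain the otherwise opaque port number; the `egress` list this rule sits in starts outside the hunk.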
@@ -0,0 +1,16 @@
+# BOXP-17: Codex workspace WARP client
+
+Codex workspace から `even-g2-main.b0xp.io` を、`even-g2-main.even-g2-lab.svc.cluster.local` 直通ではなく Cloudflare WARP 利用者と同じ private hostname route で確認できるようにする。
+
+## Scope
+
+- workspace container に Cloudflare WARP enrollment 用 secret を注入する。
+- workspace container に `/dev/net/tun` と `NET_ADMIN` / `NET_RAW` を付与する。
+- Calico egress policy で WARP の UDP 2408 を許可する。
+- `even-g2-main` Service 側の NetworkPolicy には Codex workspace 直通許可を追加しない。
+
+## Dependencies
+
+- `boxp/arch` 側で codex-workspace image に Cloudflare WARP client と entrypoint 起動処理を追加する。
+- `boxp/arch` 側で WARP Service Token client ID / secret / organization を AWS SSM Parameter Store に用意する。
+- Cloudflare Zero Trust 側で、その Service Token を許可する device enrollment policy が必要。