fix: allow g14 langbot postgres access

This commit is contained in:
Codex
2026-06-12 16:24:14 +00:00
parent efadc396d7
commit ef53027fb7
2 changed files with 33 additions and 4 deletions
+13
@@ -86,6 +86,9 @@ postgres:
- id: D601-public
cidr: 36.49.29.73/32
purpose: platform-infra-standby-app
- id: G14-public
cidr: 202.98.17.68/32
purpose: platform-infra-langbot-runtime
tuning:
maxConnections: 50
sharedBuffers: 512MB
@@ -156,6 +159,16 @@ postgres:
user: langbot
address: 74.48.78.17/32
method: scram-sha-256
- type: hostssl
database: langbot
user: langbot
address: 202.98.17.68/32
method: scram-sha-256
- type: hostssl
database: postgres
user: langbot
address: 202.98.17.68/32
method: scram-sha-256
secrets:
source: master-local
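Review bot: The second new `hostssl` rule (`database: postgres` / `user: langbot` / `address: 202.98.17.68/32`) gives the application role a path into the `postgres` maintenance database in addition to its own `langbot` database, and the commit gives no reason for it; the pre-existing rule for 74.48.78.17/32 has its `database:` line outside the hunk, so whether this widening already existed for the other address is not visible here. Unless the runtime needs it (for instance to create the `langbot` database on first boot), the rule should be dropped, or a comment placed above it stating why the role needs the maintenance database, e.g. `# required for bootstrap only: langbot role connects to the maintenance DB to create its own database`. The same /32 is now pinned in the allowlist entry and in both pg_hba rules, so a one-line comment next to `G14-public` saying that the pg_hba rules must be changed together with it would save the next edit from leaving a stale rule. Both hunks are inside the `postgres:` mapping, which starts before the section.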
+20 -4
@@ -473,7 +473,8 @@ async function apply(config: UniDeskConfig, options: ApplyOptions): Promise<Reco
}
const secretMaterial = prepareSecretMaterial(langbot);
const frpcSecret = prepareFrpcSecret(langbot, target);
const result = await capture(config, target.route, ["script"], applyScript(yaml, langbot, target, secretMaterial, frpcSecret));
const confirmedYaml = renderManifest(langbot, target, secretMaterial.fingerprint);
const result = await capture(config, target.route, ["script"], applyScript(confirmedYaml, langbot, target, secretMaterial, frpcSecret));
const parsed = parseJsonOutput(result.stdout);
const caddy = await applyPk01Caddy(config, target);
return {
@@ -642,7 +643,7 @@ function query(options: QueryOptions): Record<string, unknown> {
};
}
function renderManifest(langbot: LangBotConfig, target: LangBotTarget): string {
function renderManifest(langbot: LangBotConfig, target: LangBotTarget, secretFingerprint = "not-prepared"): string {
const image = `${langbot.image.repository}:${langbot.image.tag}`;
const configHash = createHash("sha256").update(JSON.stringify({ langbot, target })).digest("hex").slice(0, 16);
const db = langbot.runtime.database;
@@ -859,6 +860,7 @@ spec:
app.kubernetes.io/part-of: platform-infra
annotations:
unidesk.ai/langbot-config-hash: "${configHash}"
unidesk.ai/langbot-secret-fingerprint: "${secretFingerprint}"
unidesk.ai/public-base-url: "${exposure.publicBaseUrl}"
unidesk.ai/box-enabled: "${langbot.runtime.box.enabled}"
spec:
@@ -1459,14 +1461,28 @@ tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
${commands}
python3 - "$tmp" ${components.map((item) => shQuote(item)).join(" ")} <<'PY'
import json, os, sys
import json, os, re, sys
tmp = sys.argv[1]
components = sys.argv[2:]
payload = {"ok": True, "components": {}, "valuesPrinted": False}
secret_markers = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "DATABASE_URL")
generic_secret = re.compile(r"(?i)((?:password|secret|token|api[_-]?key|database_url)\\s*[=:]\\s*)[^\\s,;]+")
def redact(value):
value = re.sub(r"lbk_[A-Za-z0-9_-]+", "lbk_<redacted>", value)
value = re.sub(r"(postgresql://)[^@\\s]+@", r"\\1<redacted>@", value)
redacted_lines = []
for line in value.splitlines():
if "env_key:" in line and "env_value:" in line:
key = line.split("env_key:", 1)[1].split(",", 1)[0].strip().upper()
if any(marker in key for marker in secret_markers):
line = line.split("env_value:", 1)[0] + "env_value: <redacted>"
line = generic_secret.sub(r"\\1<redacted>", line)
redacted_lines.append(line)
return "\\n".join(redacted_lines)
for component in components:
def text(suffix):
try:
return open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read()[-12000:]
return redact(open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read())[-12000:]
except FileNotFoundError:
return ""
rc_text = text("rc").strip()
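Review bot: The URL redaction line `value = re.sub(r"(postgresql://)[^@\\s]+@", r"\\1<redacted>@", value)` only matches the `postgresql://` scheme, so a `postgres://` connection string (the short form libpq also accepts) keeps its user info unless it happens to follow a `database_url` marker that the generic pattern catches; `value = re.sub(r"(postgres(?:ql)?://)[^@\\s]+@", r"\\1<redacted>@", value)` covers both forms. The key-name check on the `env_key:` lines is a fixed list, so names such as `SMTP_PASS`, `PRIVATE_KEY` or `*_CREDENTIALS` fall through to `generic_secret`, which only fires on `key=value` / `key: value` shapes; widening the tuple to `secret_markers = ("PASSWORD", "PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL", "DATABASE_URL")` errs on the side of over-redaction, which is the cheaper failure for a log that is printed back to the operator. Redacting before the `[-12000:]` slice in the new `text()` line is the right order, since slicing first could cut a marker off the start of a line and leave its value intact; a short comment there, `# redact the full file before truncating so a cut line cannot leak its value`, would keep that order from being "optimised" away. The shell function and the template literal that hold this heredoc start before the hunk, and the Python script continues past it.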