From ef53027fb72a54a2bc83323f43f4272c17206493 Mon Sep 17 00:00:00 2001
From: Codex
Date: Fri, 12 Jun 2026 16:24:14 +0000
Subject: [PATCH] fix: allow g14 langbot postgres access
---
 config/platform-db/postgres-pk01.yaml | 13 +++++++++++++
 scripts/src/platform-infra-langbot.ts | 24 ++++++++++++++++++++----
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/config/platform-db/postgres-pk01.yaml b/config/platform-db/postgres-pk01.yaml
index 4e238e04..0369e7e1 100644
--- a/config/platform-db/postgres-pk01.yaml
+++ b/config/platform-db/postgres-pk01.yaml
@@ -86,6 +86,9 @@ postgres:
 - id: D601-public
 cidr: 36.49.29.73/32
 purpose: platform-infra-standby-app
+ - id: G14-public
+ cidr: 202.98.17.68/32
+ purpose: platform-infra-langbot-runtime
 tuning:
 maxConnections: 50
 sharedBuffers: 512MB
@@ -156,6 +159,16 @@ postgres:
 user: langbot
 address: 74.48.78.17/32
 method: scram-sha-256
+ - type: hostssl
+ database: langbot
+ user: langbot
+ address: 202.98.17.68/32
+ method: scram-sha-256
+ - type: hostssl
+ database: postgres
+ user: langbot
+ address: 202.98.17.68/32
+ method: scram-sha-256
 secrets:
 source: master-local
diff --git a/scripts/src/platform-infra-langbot.ts b/scripts/src/platform-infra-langbot.ts
index c0c930b1..bf944452 100644
--- a/scripts/src/platform-infra-langbot.ts
+++ b/scripts/src/platform-infra-langbot.ts
@@ -473,7 +473,8 @@ async function apply(config: UniDeskConfig, options: ApplyOptions): Promise {
 };
 }
-function renderManifest(langbot: LangBotConfig, target: LangBotTarget): string {
+function renderManifest(langbot: LangBotConfig, target: LangBotTarget, secretFingerprint = "not-prepared"): string {
 const image = `${langbot.image.repository}:${langbot.image.tag}`;
 const configHash = createHash("sha256").update(JSON.stringify({ langbot, target })).digest("hex").slice(0, 16);
 const db = langbot.runtime.database;
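Review bot: The second new pg_hba rule lets the `langbot` role reach the `postgres` maintenance database from 202.98.17.68/32, while the existing rule shown in context for 74.48.78.17/32 covers only the `langbot` database. Unless a rule outside this hunk already grants that host/role pair the same access, the runtime should need only its own database, and the extra rule widens what a compromised runtime host can enumerate; dropping the `database: postgres` entry keeps the new host at parity with the existing one. The hostssl/scram-sha-256 choice on both rules matches the existing entries, and the CIDR matches the G14-public allowlist entry added in the first hunk, so the two only stay consistent if the runtime's egress address is static — a comment such as `# must match the G14-public allowlist entry above` on the address lines would make that coupling explicit.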
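Review bot: The new `secretFingerprint = "not-prepared"` default on `renderManifest` means a call site that forgets to pass the fingerprint renders a manifest whose secret annotation silently carries a sentinel instead of failing; declaring it as a required `secretFingerprint: string` lets the compiler catch the omission, or, if the sentinel is intentional for a pre-preparation render, document it with `/** Fingerprint of the prepared secret; "not-prepared" when rendering before secrets exist. */`. Note also that `configHash` is computed from `{ langbot, target }` only, so a rotated secret changes the fingerprint annotation but not the config hash — fine if consumers read both, but a one-line comment stating that would help. renderManifest's body continues past the end of the hunk.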
@@ -859,6 +860,7 @@ spec:
 app.kubernetes.io/part-of: platform-infra
 annotations:
 unidesk.ai/langbot-config-hash: "${configHash}"
+ unidesk.ai/langbot-secret-fingerprint: "${secretFingerprint}"
 unidesk.ai/public-base-url: "${exposure.publicBaseUrl}"
 unidesk.ai/box-enabled: "${langbot.runtime.box.enabled}"
 spec:
@@ -1459,14 +1461,28 @@ tmp="$(mktemp -d)"
 trap 'rm -rf "$tmp"' EXIT
 ${commands}
 python3 - "$tmp" ${components.map((item) => shQuote(item)).join(" ")} <<'PY'
-import json, os, sys
+import json, os, re, sys
 tmp = sys.argv[1]
 components = sys.argv[2:]
 payload = {"ok": True, "components": {}, "valuesPrinted": False}
+secret_markers = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "DATABASE_URL")
+generic_secret = re.compile(r"(?i)((?:password|secret|token|api[_-]?key|database_url)\\s*[=:]\\s*)[^\\s,;]+")
+def redact(value):
+ value = re.sub(r"lbk_[A-Za-z0-9_-]+", "lbk_", value)
+ value = re.sub(r"(postgresql://)[^@\\s]+@", r"\\1@", value)
+ redacted_lines = []
+ for line in value.splitlines():
+ if "env_key:" in line and "env_value:" in line:
+ key = line.split("env_key:", 1)[1].split(",", 1)[0].strip().upper()
+ if any(marker in key for marker in secret_markers):
+ line = line.split("env_value:", 1)[0] + "env_value: "
+ line = generic_secret.sub(r"\\1", line)
+ redacted_lines.append(line)
+ return "\\n".join(redacted_lines)
 for component in components:
 def text(suffix):
 try:
- return open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read()[-12000:]
+ return redact(open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read())[-12000:]
 except FileNotFoundError:
 return ""
 rc_text = text("rc").strip()
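Review bot: The `unidesk.ai/langbot-secret-fingerprint` annotation is emitted in an `annotations:` block that is followed directly by `spec:`, which looks like the workload object's own metadata rather than its pod template; if that reading is right, a fingerprint change alone will not roll the pods, so confirm the pod-template annotations (outside this hunk) also carry it or that the caller restarts the workload another way. Because object annotations are readable by anyone who can read the workload, the value should be a truncated keyed digest or a secret version identifier rather than a plain hash of the secret material — how it is computed is not visible in this diff, so please confirm. A TypeScript comment above the line, e.g. `// fingerprint identifies the prepared secret without exposing it; must change on rotation`, would record that contract.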
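Review bot: `generic_secret` requires the key name to be followed only by optional whitespace and `=`/`:`, so JSON-style quoted keys such as `"password": "…"` are never matched, and `redact` strips credentials only from `postgresql://` URLs while libpq also accepts `postgres://`; both forms are plausible in captured component output. Since the heredoc sits inside a TS template literal the backslashes stay doubled in the source, and the two lines to change are `generic_secret = re.compile(r"""(?i)((?:password|secret|token|api[_-]?key|database_url)["']?\\s*[=:]\\s*["']?)[^\\s,;"']+""")` and `value = re.sub(r"(postgres(?:ql)?://)[^@\\s]+@", r"\\1@", value)`. Applying `redact` before the `[-12000:]` truncation is the right order, since a cut-off line cannot otherwise expose a partial value, but the filter remains best-effort pattern matching; a comment above `def redact` such as `# best-effort redaction of captured output; runs before truncation so partial secrets cannot leak` would make that limitation visible to the next reader. The script template that contains this heredoc begins outside the hunk.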