Skip to content

fix(podman): deliver sandbox JWTs as secrets#2156

Merged
maxamillion merged 1 commit into
NVIDIA:mainfrom
maxamillion:podman_jwt_secrets
Jul 6, 2026
Merged

fix(podman): deliver sandbox JWTs as secrets#2156
maxamillion merged 1 commit into
NVIDIA:mainfrom
maxamillion:podman_jwt_secrets

Conversation

@maxamillion

@maxamillion maxamillion commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

Deliver Podman sandbox JWTs through per-sandbox Podman secrets instead of host bind-mounted token files. This keeps bearer tokens out of host state files while preserving the supervisor's file-based token loading path.

Related Issue

Issue: #1909
PR: #2111

Changes

  • Added Podman libpod secret create/delete client helpers.
  • Create a per-sandbox JWT secret during Podman sandbox provisioning and clean it up on failures/deletion.
  • Mount the JWT secret at the existing sandbox token file path and keep raw token values out of container env metadata.
  • Updated Podman driver documentation to describe JWT secret delivery.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Additional validation:

  • cargo test -p openshell-driver-podman
  • Live local Podman API smoke checked secret create/delete and file-mounted secret readability.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Signed-off-by: Adam Miller <admiller@redhat.com>
@maxamillion maxamillion requested review from a team, derekwaynecarr and mrunalp as code owners July 6, 2026 22:26
@copy-pr-bot

copy-pr-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch

Copy link
Copy Markdown
Collaborator

/ok to test 6b45b14

@maxamillion maxamillion merged commit abe42fb into NVIDIA:main Jul 6, 2026
32 checks passed
jameswnl added a commit to jameswnl/lightspeed-cloud-agents that referenced this pull request Jul 11, 2026
…tials, filesystem policy, MCP secrets (#105)

* RSPEED-0000: Close OpenShell spawner production gaps (issue #104)

Implement all missing features in OpenShellSpawner:
- Skills image loading via Podman CLI extraction + exec_stream tar
- Credential injection via OpenShell Provider API with file-based fallback
- Read-only filesystem via SandboxPolicy with injection-target allowlist
- MCP secret file injection with correct mount_path/key handling
- TLS certs and service_account skip with info log
- Provider cleanup in _do_destroy()

Remove Podman 5.8.x JWT workaround (issue #82):
- OpenShell v0.0.79+ delivers sandbox JWTs natively via Podman secrets
  when gateway_jwt is configured (PR NVIDIA/OpenShell#2156)
- Removed _inject_podman_token and all helpers/constants
- Removed podman_cli/podman_socket constructor params
- History documented in spawner docstring

E2E verified on EC2 (RHEL 9, m5.xlarge):
- OpenShell gateway v0.0.80 with Podman driver
- All 6 example workflows pass through OpenShell spawner
- Sandbox lifecycle: create → wait_ready → exec → destroy confirmed

Closes #104

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix review findings: cross-platform skills, credential validation, _podman_cli init

beesarmy:
- Skills image extraction now cross-platform: uses Podman Python SDK
  (works in any container) with CLI fallback. Raises RuntimeError if
  neither is available instead of silently skipping.

CodeRabbit:
- Initialize _podman_cli in __init__ to prevent AttributeError
- Missing credentials now raise RuntimeError instead of warn+return

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jameswnl added a commit to jameswnl/lightspeed-cloud-agents that referenced this pull request Jul 11, 2026
…is (#108)

* RSPEED-0000: Close OpenShell spawner production gaps (issue #104)

Implement all missing features in OpenShellSpawner:
- Skills image loading via Podman CLI extraction + exec_stream tar
- Credential injection via OpenShell Provider API with file-based fallback
- Read-only filesystem via SandboxPolicy with injection-target allowlist
- MCP secret file injection with correct mount_path/key handling
- TLS certs and service_account skip with info log
- Provider cleanup in _do_destroy()

Remove Podman 5.8.x JWT workaround (issue #82):
- OpenShell v0.0.79+ delivers sandbox JWTs natively via Podman secrets
  when gateway_jwt is configured (PR NVIDIA/OpenShell#2156)
- Removed _inject_podman_token and all helpers/constants
- Removed podman_cli/podman_socket constructor params
- History documented in spawner docstring

E2E verified on EC2 (RHEL 9, m5.xlarge):
- OpenShell gateway v0.0.80 with Podman driver
- All 6 example workflows pass through OpenShell spawner
- Sandbox lifecycle: create → wait_ready → exec → destroy confirmed

Closes #104

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix review findings: cross-platform skills, credential validation, _podman_cli init

beesarmy:
- Skills image extraction now cross-platform: uses Podman Python SDK
  (works in any container) with CLI fallback. Raises RuntimeError if
  neither is available instead of silently skipping.

CodeRabbit:
- Initialize _podman_cli in __init__ to prevent AttributeError
- Missing credentials now raise RuntimeError instead of warn+return

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* RSPEED-0000: Skills image via Podman driver_config + fragility analysis

Skills image handling per OpenShell driver:
- Podman driver: native image mount via SandboxSpec.template.driver_config
  (no extraction, no tar streaming — Podman mounts OCI image directly)
- K8s driver: tar streaming fallback with crane → Podman SDK → CLI chain
- New OPENSHELL_DRIVER env var ("podman"|"kubernetes") selects the path

Spike doc updates:
- Fragility analysis for all 7 production features
- Updated Resolved section (JWT workaround removed, production gaps closed)
- Spawner comparison table with accurate skills_image status
- OpenShell convention: bake skills into sandbox image for production
  (FROM scratch + COPY skills — per NVIDIA community sandboxes docs)

Refs #106

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix credential lookup: try K8s-normalized and original env key

credential_secret_name is K8s-normalized (e.g. "openai-api-key") by
_to_k8s_secret_name(), but env dict has the original key ("OPENAI_API_KEY").
Try both forms before raising RuntimeError.

E2E verified: all 7 workflows pass with Podman driver, 3 with K8s driver.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: trigger CI

* Fix CodeRabbit findings: tar traversal, posixpath, provider cleanup

- Harden crane tar extraction: reject symlinks/hardlinks, validate
  resolved paths stay within tmp_dir (prevents path traversal)
- Use posixpath.join for MCP secret file paths instead of f-string
  concatenation (correct regardless of trailing slash)
- Provider cleanup: only remove _provider_ids entry after successful
  detach, retain for retry on failure

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: trigger CI on new branch

* chore: whitespace to trigger CI

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants