Closed
Summary
The sandbox entrypoint may need to configure the gateway CA certificate for SSL proxy operations, depending on the proxy configuration approach used.
Current State
The jib-container `entrypoint.py` has a `setup_gateway_ca()` function (lines 411-458) that:
- Copies the gateway CA cert from the shared volume to the system CA store
- Runs `update-ca-certificates`
- Sets environment variables for various runtimes: `REQUESTS_CA_BUNDLE`, `SSL_CERT_FILE`, `NODE_EXTRA_CA_CERTS`
Analysis Needed
With the ANTHROPIC_BASE_URL approach (routing LLM traffic to gateway HTTP endpoint), SSL interception may not be needed for LLM API traffic. The current jib implementation notes:
"With ANTHROPIC_BASE_URL routing Claude Code traffic directly to the gateway HTTP endpoint (PR #701), this CA trust is no longer required for Anthropic API traffic."
However, this function is kept for:
- Backwards compatibility
- Potential future HTTPS interception needs
Recommendation
Investigate and document:
- Is gateway CA setup needed with the current egg proxy architecture?
- If not, document why it's not needed
- If yes, port the `setup_gateway_ca()` function
Implementation (if needed)
```python
import os
import shutil
from logging import Logger
from pathlib import Path

# Config and run_cmd are the existing entrypoint.py helpers the draft relies on.

def setup_gateway_ca(config: Config, logger: Logger) -> None:
    """Add gateway CA certificate to container trust store."""
    gateway_ca_src = Path("/shared/certs/gateway-ca.crt")
    gateway_ca_dst = Path("/usr/local/share/ca-certificates/gateway-ca.crt")
    if not gateway_ca_src.exists():
        logger.info("Gateway CA certificate not found (may not be needed)")
        return
    # Install into the system store and rebuild /etc/ssl/certs/ca-certificates.crt
    shutil.copy(gateway_ca_src, gateway_ca_dst)
    run_cmd(["update-ca-certificates"])
    # Point each runtime at the rebuilt bundle; Node takes the extra cert file directly
    os.environ["REQUESTS_CA_BUNDLE"] = "/etc/ssl/certs/ca-certificates.crt"
    os.environ["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt"
    os.environ["NODE_EXTRA_CA_CERTS"] = str(gateway_ca_dst)
```
Acceptance Criteria
- Document whether gateway CA setup is needed for egg
- If needed, implement `setup_gateway_ca()` in entrypoint
- If not needed, add a comment explaining why
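If the function is ported, the failure mode worth guarding against is a trust setup that looks complete but is not: the CA copied but `update-ca-certificates` not rebuilding the bundle, or one runtime variable pointing at a file that lacks the gateway CA, which surfaces later as TLS errors (or as someone disabling verification to get past them). The check below is an added example, not code from the issue or from the egg/jib projects; it verifies by SHA-256 fingerprint that every bundle named by the three runtime variables contains the installed gateway CA. `make_pem()` builds constructed PEM blocks for the offline demo, and `run_demo()` is a hypothetical driver.

```python
import base64
import hashlib
import ssl
import tempfile
from pathlib import Path

# Variables the draft exports; each must name a bundle that really holds the gateway CA.
RUNTIME_CA_VARS = ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE", "NODE_EXTRA_CA_CERTS")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprints(pem_text: str) -> set[str]:
    """SHA-256 fingerprints of every complete certificate block in a PEM file."""
    fps, start = set(), pem_text.find(BEGIN)
    while start != -1 and (stop := pem_text.find(END, start)) != -1:
        der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop + len(END)])
        fps.add(hashlib.sha256(der).hexdigest())
        start = pem_text.find(BEGIN, stop)
    return fps

def verify_gateway_ca(ca_path: Path, env: dict) -> list[str]:
    """Return problems found; an empty list means the trust setup is consistent."""
    if not ca_path.is_file():
        return ["gateway CA not installed"]
    want = pem_fingerprints(ca_path.read_text())
    if not want:
        return [f"{ca_path} contains no certificate"]
    problems = []
    for var in RUNTIME_CA_VARS:
        value = env.get(var)
        if not value:
            problems.append(f"{var} unset")
        elif not Path(value).is_file():
            problems.append(f"{var} -> {value} missing")
        elif not want <= pem_fingerprints(Path(value).read_text()):
            problems.append(f"{var} -> {value} lacks gateway CA")
    return problems

def make_pem(payload: bytes) -> str:
    """Constructed PEM block for the offline demo only; not a real certificate."""
    return f"{BEGIN}\n{base64.encodebytes(payload).decode()}{END}\n"

def run_demo() -> tuple[list[str], list[str]]:
    """Consistent env vs. NODE_EXTRA_CA_CERTS pointing at a bundle lacking the CA."""
    with tempfile.TemporaryDirectory() as tmp:
        ca, bundle, stale = (Path(tmp, n) for n in ("gateway-ca.crt", "ca-certificates.crt", "stale.crt"))
        ca.write_text(make_pem(b"constructed gateway CA"))
        bundle.write_text(make_pem(b"some public root") + ca.read_text())
        stale.write_text(make_pem(b"some public root"))
        good = {v: str(bundle) for v in RUNTIME_CA_VARS}
        bad = dict(good, NODE_EXTRA_CA_CERTS=str(stale))
        return verify_gateway_ca(ca, good), verify_gateway_ca(ca, bad)
```

In the container the same call would be `verify_gateway_ca(Path("/usr/local/share/ca-certificates/gateway-ca.crt"), os.environ)` right after `setup_gateway_ca()` returns.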
Authored-by: jib