From 64ed7d846e54f3f5eb8906218b77c602dfb5f37f Mon Sep 17 00:00:00 2001 From: Agents Agent Date: Sat, 27 Jun 2026 14:55:46 +0200 Subject: [PATCH] fix(agents-login): install ca-certificates so codex sign-in TLS works; revert IPv6 churn MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ACTUAL root cause of "codex login ... error sending request": the agents-login image (bookworm-slim) ships NO ca-certificates, and the Codex CLI is a Rust binary that verifies TLS against the SYSTEM root store. With /etc/ssl/certs absent, EVERY codex HTTPS handshake fails — including device-auth to auth.openai.com. Node and Claude work because they bundle their own roots, which is why this looked like a codex-only "network" error. Proven live: pointing codex at a real CA bundle (SSL_CERT_FILE=node's roots) made `codex login --device-auth` reach the user-code step. It was never IPv6. - Install ca-certificates in the runtime image (provides /etc/ssl/certs/ca-certificates.crt that codex's system-roots TLS uses). - Revert the misguided IPv6 mitigations that targeted the wrong cause: the gai.conf (#742) and /etc/hosts init container (#745) were already gone; this removes the CoreDNS AAAA-stripping sidecar + dnsConfig (#746), restoring the worker pod's default DNS. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../flux/apps/agents/agents-login/worker.yaml | 82 ------------------- services/agents-login/Dockerfile | 9 ++ 2 files changed, 9 insertions(+), 82 deletions(-) diff --git a/platform/cluster/flux/apps/agents/agents-login/worker.yaml b/platform/cluster/flux/apps/agents/agents-login/worker.yaml index 843f5611..a7a5b7ef 100644 --- a/platform/cluster/flux/apps/agents/agents-login/worker.yaml +++ b/platform/cluster/flux/apps/agents/agents-login/worker.yaml @@ -1,28 +1,3 @@ -# Pod-local resolver for the agents-login worker. Codex 0.141.x ships a musl -# static binary whose resolver ignores /etc/gai.conf and /etc/hosts for the -# failing auth.openai.com path; this CoreDNS sidecar strips AAAA at DNS level -# while forwarding every non-AAAA lookup to kube-dns. -apiVersion: v1 -kind: ConfigMap -metadata: - name: agents-login-worker-coredns - namespace: agents-system - labels: - app.kubernetes.io/name: agents-login-worker - app.kubernetes.io/part-of: agents-login -data: - Corefile: | - .:53 { - errors - health :8080 - ready :8181 - template IN AAAA . { - rcode NOERROR - } - forward . 10.43.0.10 - cache 30 - } ---- # Private half of the portal. Owns the PTY that runs `claude setup-token` and # `codex login --device`, captures credentials, and posts them to agents-api # under a Lease lock. Single instance + Recreate so the Lease is never @@ -58,17 +33,6 @@ spec: spec: serviceAccountName: agents-login-worker automountServiceAccountToken: true - dnsPolicy: None - dnsConfig: - nameservers: - - 127.0.0.1 - searches: - - agents-system.svc.cluster.local - - svc.cluster.local - - cluster.local - options: - - name: ndots - value: '5' # The image is amd64-only (it bundles the Claude/Codex CLIs + node-pty and # is not worth a QEMU arm64 build). Keep it off the arm64 Pi nodes, where # it would ImagePullBackOff on "no match for platform in manifest". @@ -82,49 +46,6 @@ spec: seccompProfile: type: RuntimeDefault containers: - - name: dns - image: registry.k8s.io/coredns/coredns:v1.12.1 - imagePullPolicy: IfNotPresent - args: - - -conf - - /etc/coredns/Corefile - ports: - - name: dns-udp - containerPort: 53 - protocol: UDP - - name: dns-tcp - containerPort: 53 - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: ['ALL'] - add: ['NET_BIND_SERVICE'] - volumeMounts: - - name: coredns-config - mountPath: /etc/coredns - readOnly: true - readinessProbe: - httpGet: - path: /ready - port: 8181 - initialDelaySeconds: 1 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - resources: - requests: - cpu: 5m - memory: 16Mi - limits: - cpu: 100m - memory: 64Mi - name: worker image: ghcr.io/extratoast/personal-stack/agents-login:latest imagePullPolicy: Always @@ -185,9 +106,6 @@ spec: cpu: 500m memory: 512Mi volumes: - - name: coredns-config - configMap: - name: agents-login-worker-coredns - name: home emptyDir: {} - name: tmp diff --git a/services/agents-login/Dockerfile b/services/agents-login/Dockerfile index 023c1019..7e5fc245 100644 --- a/services/agents-login/Dockerfile +++ b/services/agents-login/Dockerfile @@ -24,6 +24,15 @@ RUN npm run build \ # ---- runtime stage -------------------------------------------------------- FROM node:22-bookworm-slim AS runtime +# CA certificates: the bookworm-slim base ships none, and the Codex CLI is a +# Rust binary that verifies TLS against the SYSTEM root store (not a bundled +# one like Node). Without this, every codex HTTPS call — including +# `codex login --device-auth` to auth.openai.com — fails with "error sending +# request". Node/Claude work regardless because they bundle their own roots. +RUN apt-get update \ + && apt-get install -y --no-install-recommends ca-certificates \ + && rm -rf /var/lib/apt/lists/* + # Pinned CLI versions. Keep these in lockstep with the agent-runner image so the # captured credential schema always matches what the runners consume. ARG CLAUDE_CODE_VERSION=2.1.186