chore(orch): improve envd init logs #2154
Merged
sitole approved these changes, Mar 18, 2026
levb added a commit that referenced this pull request, Mar 18, 2026
Incorporate main commits: #2150 (validate specified IPs in egress), #2156 (disable request timeout), #2154 (envd init logs), #2151 (storage cache test fix).

Resolve conflict in sandbox_create.go by consolidating validation:

Egress validation — matches main #2150 + port rejection:
- validateEgressRules stays in sandbox_create.go (same location as main)
- Uses IsSpecifiedIPOrCIDR from #2150 to reject unspecified addresses (0.0.0.0, ::, 0.0.0.0/24, etc.) while allowing 0.0.0.0/0
- Uses ParseAddressesAndDomains to separate IPs from domains (same as main)
- Adds port rejection (egress doesn't support port-specific rules)

Ingress validation — new, added next to validateEgressRules:
- validateIngressRules + validateIngressEntry in sandbox_create.go
- Uses SplitHostPort to separate CIDR from port, validates each part
- Uses IsSpecifiedIPOrCIDR for IPv4 + allows ::/0 for IPv6 block-all
- Uses ParsePortRange for port/port-range validation
- Rejects domains (ingress is IP/CIDR only)
- Requires deny-all when allow rules are present

Simplify rule.go — remove ParseRule/ParseRules:
- Egress validation uses IsSpecifiedIPOrCIDR + ParseAddressesAndDomains directly
- Ingress validation uses SplitHostPort + IsIPOrCIDR + ParsePortRange directly
- Keep: Rule/ACL structs (hot-path matching), SplitHostPort, ParsePortRange (public)
make[1]: Entering directory '/home/lev/dev/infra/iac/provider-gcp'
- Remove: ParseRule, ParseRules (tried to be one-size-fits-all, added complexity)

Simplify orchestrator ACL building:
- newEgressACL: uses parseCIDRs (direct net.ParseCIDR, no ParseRules)
- newIngressACL/parseIngressRules: unchanged (builds from proto fields)

Update create_instance.go:
- buildEgressConfig: uses IsIPOrCIDR for domain detection (was ParseRule)
- parseIngressRules: uses SplitHostPort + ParsePortRange (was ParseRule)

Test updates:
- Error messages updated to match main's IsSpecifiedIPOrCIDR style
- Integration tests: replace ::/1/0.0.0.0/1 with ::/0/0.0.0.0/0 (unspecified network addresses now rejected)
- TestIsSpecifiedIPOrCIDR preserved from #2150
- TestSplitHostPort, TestParsePortRange replace TestParseRule/TestParseRules
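The commit message above describes rejecting unspecified addresses (0.0.0.0, ::, 0.0.0.0/24) in network rules while still allowing the catch-all 0.0.0.0/0. The following Go sketch of such a check is an added example, not the project's code: `checkSpecified` is a hypothetical name, and treating any /0 prefix (including ::/0) as a catch-all, as well as masking host bits before the check, are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// checkSpecified is a hypothetical helper written for this example; it is not
// the project's IsSpecifiedIPOrCIDR. It accepts a bare IP or a CIDR only.
func checkSpecified(entry string) error {
	if addr, err := netip.ParseAddr(entry); err == nil {
		// Unmap so that ::ffff:0.0.0.0 is treated like 0.0.0.0.
		if addr.Unmap().IsUnspecified() {
			return fmt.Errorf("%q: unspecified address", entry)
		}
		return nil
	}
	prefix, err := netip.ParsePrefix(entry)
	if err != nil {
		// Also catches host:port forms and domain names.
		return fmt.Errorf("%q: not an IP or CIDR", entry)
	}
	if prefix.Bits() == 0 {
		return nil // assumption: 0.0.0.0/0 and ::/0 are the catch-all rules
	}
	// Mask first so that 0.0.0.5/24 is judged by its network, 0.0.0.0/24.
	if prefix.Masked().Addr().IsUnspecified() {
		return fmt.Errorf("%q: unspecified network address", entry)
	}
	return nil
}

func main() {
	// Constructed sample entries, not taken from the project's tests.
	samples := []string{"0.0.0.0/0", "10.0.0.0/8", "0.0.0.0", "::",
		"0.0.0.0/24", "0.0.0.5/24", "192.0.2.10:443"}
	for _, s := range samples {
		if err := checkSpecified(s); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", s)
		}
	}
}
```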
ValentaTomas pushed a commit that referenced this pull request, May 4, 2026
Note
Low Risk
Low risk logging-only change around envd init; behavior is unchanged aside from log emission timing and added attempt counts.
Overview
Tweaks envd init retry logging by removing per-retry debug messages and instead logging a single error when retries ultimately fail (including total attempts) plus a debug message when init succeeds (also including attempts and the configured timeout), while keeping the existing init metrics behavior intact.
Written by Cursor Bugbot for commit b2d6a83.