
fix(docker): handle Kubernetes service-link port env #2045

Open
dev07060 wants to merge 1 commit into unclecode:develop from dev07060:bugfix/docker-k8s-service-link-port


dev07060 commented Jun 30, 2026


Summary

Fixes a Docker entrypoint failure mode in Kubernetes clusters where service-link environment variables can inject a non-numeric CRAWL4AI_PORT value such as tcp://10.0.101.25:80.

This keeps the existing secure-by-default Docker bind posture intact:

  • no credential -> loopback-only 127.0.0.1:<port>
  • credential/JWT enabled -> existing dual-stack [::]:<port> default
  • explicit GUNICORN_BIND in credentialed mode is preserved and does not force CRAWL4AI_PORT parsing

The only behavior change is port normalization before the entrypoint composes its own default bind address. Numeric CRAWL4AI_PORT values still work as before; Kubernetes-style tcp://... service-link values are ignored with a warning and fall back to 11235; other non-numeric values fail fast with a clear error.

I also checked current open PRs for overlap using Kubernetes/k8s/GUNICORN_BIND/CRAWL4AI_PORT/service-link/entrypoint/bind search terms and did not find another PR covering this entrypoint service-link collision.

List of files changed and why

  • deploy/docker/entrypoint.sh - add narrow CRAWL4AI_PORT normalization for Kubernetes tcp://... service-link collisions while preserving the existing [::] default and explicit GUNICORN_BIND override behavior.
  • deploy/docker/tests/test_security_container_posture.py - add entrypoint regression tests for the dual-stack credentialed bind, service-link fallback with and without credentials, explicit GUNICORN_BIND preservation, and invalid non-service-link port values.

How Has This Been Tested?

  • uv run --no-project --with pytest pytest deploy/docker/tests/test_security_container_posture.py -q -k 'TestEntrypoint or TestDockerfile or TestSupervisord or TestCompose' (21 passed, 2 deselected)
  • bash -n deploy/docker/entrypoint.sh
  • git diff --check

I also attempted the editable project test command, but local dependency setup failed while building scipy==1.13.1 because this machine does not have a Fortran compiler (gfortran) installed.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (N/A: entrypoint behavior is covered by regression tests)
  • I have added/updated unit tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

dev07060 marked this pull request as ready for review June 30, 2026 16:15
dev07060 force-pushed the bugfix/docker-k8s-service-link-port branch from d140524 to 17c565d June 30, 2026 16:51
dev07060 force-pushed the bugfix/docker-k8s-service-link-port branch from 17c565d to f0c9693 June 30, 2026 17:00
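
An added example, not the PR's own entrypoint.sh change (the diff is not shown on this page): one way to implement the CRAWL4AI_PORT normalization and bind defaults the description lists, in POSIX shell. The function names `normalize_port` and `compose_bind`, the HAS_CREDENTIAL argument, the default for an unset port and the 1-65535 range check are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the behaviour described in this PR; not the project's entrypoint.sh.
DEFAULT_PORT=11235   # fallback port named in the PR description

# normalize_port VALUE: print a usable port on stdout, return 1 if VALUE is invalid.
normalize_port() {
    raw=$1
    case $raw in
        '')
            # Assumption: an unset or empty value uses the same default.
            printf '%s\n' "$DEFAULT_PORT" ;;
        tcp://*)
            # Service-link shape (e.g. tcp://10.0.101.25:80): not operator intent, ignore it.
            echo "warning: ignoring service-link CRAWL4AI_PORT='$raw', using $DEFAULT_PORT" >&2
            printf '%s\n' "$DEFAULT_PORT" ;;
        *[!0-9]*)
            echo "error: CRAWL4AI_PORT must be numeric, got '$raw'" >&2
            return 1 ;;
        *)
            # Assumption added here: also reject values outside 1-65535.
            if [ "${#raw}" -gt 5 ] || [ "$raw" -lt 1 ] || [ "$raw" -gt 65535 ]; then
                echo "error: CRAWL4AI_PORT out of range: '$raw'" >&2
                return 1
            fi
            printf '%s\n' "$raw" ;;
    esac
}

# compose_bind HAS_CREDENTIAL: HAS_CREDENTIAL (1 or 0) is a hypothetical flag standing in
# for however the real entrypoint detects a configured credential/JWT.
compose_bind() {
    if [ "$1" = 1 ] && [ -n "${GUNICORN_BIND:-}" ]; then
        # Explicit bind in credentialed mode is kept; CRAWL4AI_PORT is never parsed.
        printf '%s\n' "$GUNICORN_BIND"
        return 0
    fi
    port=$(normalize_port "${CRAWL4AI_PORT:-}") || return 1
    if [ "$1" = 1 ]; then
        printf '[::]:%s\n' "$port"        # credentialed: dual-stack default
    else
        printf '127.0.0.1:%s\n' "$port"   # no credential: loopback only
    fi
}

# Constructed sample values run through the no-credential mode.
for v in 8080 'tcp://10.0.101.25:80' 'eighty'; do
    CRAWL4AI_PORT=$v
    compose_bind 0 || echo "CRAWL4AI_PORT='$v': entrypoint would exit non-zero"
done
```

Warnings and errors go to stderr so that the value captured from stdout is always either a clean port or a bind address.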