fix: tighten container bind defaults for landing (#61818) (thanks @openperf)

2026-04-16 11:41:08 +00:00 · 2026-04-06 13:51:53 +01:00
parent c857e93735
commit c9e4b86c7e
7 changed files with 57 additions and 17 deletions
--- a/src/cli/daemon-cli/status.gather.test.ts
+++ b/src/cli/daemon-cli/status.gather.test.ts
@@ -241,6 +241,24 @@ describe("gatherDaemonStatus", () => {
    expect(loadConfigCalls).not.toHaveBeenCalled();
  });

+  it("defaults unset daemon bind mode to loopback for host-side status reporting", async () => {
+    daemonLoadedConfig = {
+      gateway: {
+        tls: { enabled: true },
+        auth: { token: "daemon-token" },
+      },
+    };
+
+    const status = await gatherDaemonStatus({
+      rpc: {},
+      probe: true,
+      deep: false,
+    });
+
+    expect(resolveGatewayBindHost).toHaveBeenCalledWith("loopback", undefined);
+    expect(status.gateway?.bindMode).toBe("loopback");
+  });
+
  it("does not force local TLS fingerprint when probe URL is explicitly overridden", async () => {
    const status = await gatherDaemonStatus({
      rpc: { url: "wss://override.example:18790" },
@@ -474,7 +492,9 @@ describe("gatherDaemonStatus", () => {
    });

    expect(status.rpc?.ok).toBe(false);
-    expect(status.rpc?.authWarning).toContain("gateway.auth.token SecretRef is unavailable");
+    expect(status.rpc?.authWarning).toContain(
+      "gateway.auth.token SecretRef is unresolved in this command path",
+    );
    expect(status.rpc?.authWarning).toContain("probing without configured auth credentials");
  });

--- a/src/cli/daemon-cli/status.gather.ts
+++ b/src/cli/daemon-cli/status.gather.ts
@@ -16,7 +16,6 @@ import type { ServiceConfigAudit } from "../../daemon/service-audit.js";
 import type { GatewayServiceRuntime } from "../../daemon/service-runtime.js";
 import { resolveGatewayService } from "../../daemon/service.js";
 import { trimToUndefined } from "../../gateway/credentials.js";
-import { defaultGatewayBindMode } from "../../gateway/net.js";
 import {
  inspectBestEffortPrimaryTailnetIPv4,
  resolveBestEffortGatewayBindHostForDisplay,
@@ -261,9 +260,7 @@ async function resolveGatewayStatusSummary(params: {
  const portSource: GatewayStatusSummary["portSource"] = portFromArgs
    ? "service args"
    : "env/config";
-  const statusTailscaleMode = params.daemonCfg.gateway?.tailscale?.mode ?? "off";
-  const bindMode: GatewayBindMode =
-    params.daemonCfg.gateway?.bind ?? defaultGatewayBindMode(statusTailscaleMode);
+  const bindMode: GatewayBindMode = params.daemonCfg.gateway?.bind ?? "loopback";
  const customBindHost = params.daemonCfg.gateway?.customBindHost;
  const { bindHost, warning: bindHostWarning } = await resolveBestEffortGatewayBindHostForDisplay({
    bindMode,