feat: kong proxy for codex

containers/agent/setup-iptables.sh

@@ -127,6 +127,21 @@ fi
 echo "[iptables] Allow traffic to Squid proxy (${SQUID_IP}:${SQUID_PORT})..."
 iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN
 
+# Bypass Squid for api-proxy when API proxy IP is configured.
+# The agent needs to connect directly to api-proxy (not through Squid).
+# The api-proxy then routes outbound traffic through Squid to enforce domain whitelisting.
+# Architecture: agent -> api-proxy (direct) -> Squid -> internet
+# Use AWF_API_PROXY_IP environment variable set by docker-manager (172.30.0.30)
+if [ -n "$AWF_API_PROXY_IP" ]; then
+  if is_valid_ipv4 "$AWF_API_PROXY_IP"; then
+    echo "[iptables] Allow direct traffic to api-proxy (${AWF_API_PROXY_IP}) - bypassing Squid..."
+    # NAT: skip DNAT to Squid for all traffic to api-proxy
+    iptables -t nat -A OUTPUT -d "$AWF_API_PROXY_IP" -j RETURN
+  else
+    echo "[iptables] WARNING: AWF_API_PROXY_IP has invalid format '${AWF_API_PROXY_IP}', skipping api-proxy bypass"
+  fi
+fi
+
 # Bypass Squid for host.docker.internal when host access is enabled.
 # MCP gateway traffic to host.docker.internal gets DNAT'd to Squid,
 # where Squid fails with "Invalid URL" because rmcp sends relative URLs.
@@ -263,6 +278,14 @@ iptables -A OUTPUT -p tcp -d 127.0.0.11 --dport 53 -j ACCEPT
 # Allow traffic to Squid proxy (after NAT redirection)
 iptables -A OUTPUT -p tcp -d "$SQUID_IP" -j ACCEPT
 
+# Allow traffic to Kong API Gateway sidecar (port 8000 for OpenAI proxy, 8001 for admin API)
+# Must be added before the final DROP rule
+if [ -n "$AWF_API_PROXY_IP" ]; then
+  echo "[iptables] Allow traffic to Kong Gateway (${AWF_API_PROXY_IP}) ports 8000, 8001..."
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 8000 -j ACCEPT
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 8001 -j ACCEPT
+fi
+
 # Drop all other TCP traffic (default deny policy)
 # This ensures that only explicitly allowed ports can be accessed
 echo "[iptables] Drop all non-redirected TCP traffic (default deny)..."

containers/api-proxy/Dockerfile

@@ -1,32 +1,28 @@
-# Node.js API proxy for credential management
+# Kong API Gateway for credential management
 # Routes through Squid to respect domain whitelisting
-FROM node:22-alpine
+FROM kong:3.5-alpine
 
-# Install curl for healthchecks
-RUN apk add --no-cache curl
+# Install curl for healthchecks and envsubst for config templating
+USER root
+RUN apk add --no-cache curl gettext
 
-# Create app directory
-WORKDIR /app
+# Create configuration directory
+RUN mkdir -p /etc/kong
 
-# Copy package files
-COPY package*.json ./
+# Copy Kong declarative configuration template
+COPY kong.yml.template /etc/kong/kong.yml.template
 
-# Install dependencies
-RUN npm ci --only=production
+# Copy entrypoint script that generates config from environment
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 
-# Copy application files
-COPY server.js ./
-
-# Create non-root user
-RUN addgroup -S apiproxy && adduser -S apiproxy -G apiproxy
-
-# Switch to non-root user
-USER apiproxy
+# Switch back to kong user
+USER kong
 
 # Expose ports
-# 10000 - OpenAI API proxy
-# 10001 - Anthropic API proxy
-EXPOSE 10000 10001
+# 8000 - HTTP proxy port (we'll use this for OpenAI API)
+# 8001 - Admin API (for health checks)
+EXPOSE 8000 8001
 
-# Start the proxy server
-CMD ["node", "server.js"]
+# Use our custom entrypoint that generates config from env vars
+ENTRYPOINT ["/entrypoint.sh"]

containers/api-proxy/README.md

@@ -6,7 +6,7 @@ Node.js-based API proxy that keeps LLM API credentials isolated from the agent c
 
 ```
 Agent Container (172.30.0.20)
-  ↓ HTTP request to api-proxy:10000
+  ↓ HTTP request to 172.30.0.30:10000
 API Proxy Sidecar (172.30.0.30)
   ↓ Injects Authorization header
   ↓ Routes via HTTP_PROXY (172.30.0.10:3128)