feat(workstation): Remove strict sudo requirement on workstation

[rmvangun]

Note

Medium Risk

This PR touches core CLI commands (up, down, bootstrap, configure), the provisioner's onApply hook interface, and the DNS config API — any of which could affect a broad set of operators on upgrade.

Overview

The change removes the eager EnsureNetworkPrivilege call from windsor up, replacing it with a halt-signal mechanism: when the workstation Terraform component applies and cluster reachability would require a host route, the onApply hook returns (true, nil) to stop further component applies cleanly and surface a printDeferredWork summary pointing the operator at windsor configure network. The configure network command gains --dry-run and --revert flags, and a precondition gate keyed on the presence of workstation.yaml. The dns.enabled field is removed from both config API versions; DNS is now configured whenever dns.domain and the resolver address are both present.

The dns.enabled removal is a silent behavioral change: any windsor.yaml that carries dns.enabled: false today will have DNS configuration activated after upgrade if dns.domain and the address are also set. The help text example --set dns.enabled=false was removed, but no migration notice is included. Operators who relied on this flag to suppress DNS forwarding should verify their configs. The halt-signal threading through Stack → Provisioner → Project → cmd is internally consistent; cmd/bootstrap.go correctly guards printDeferredWork with a nil check that cmd/up.go and cmd/down.go do not need (both already return early when Workstation is nil).

Reviewed by Claude for commit 1676ab38.

[claude]

Interface name from VM interpolated into sh -c without format validation

Low Severity · pkg/workstation/network/colima_network.go:187

This PR adds validateCIDR and validateIPAddress to guard values going into shell commands, but outputInterface — discovered by scanning ls /sys/class/net inside the VM — is interpolated into the sh -c delete command without a parallel check. Linux's IFNAMSIZ limit (15 usable characters) makes a working payload very hard to construct, and the interface must also begin with br-, so this is low-risk in practice. A simple allowlist check in the bridge-discovery loop (strings.ContainsAny(iface, " ;$'\"") returning an error) would complete the defense-in-depth pattern established elsewhere in this diff.

[rmvangun]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved the merge conflict and pushed the fix in commit 51caa0f. The branch now cleanly merges with origin/main.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• registry.example.com
  • Triggering command: /tmp/go-build609808434/b1127/cmd.test /tmp/go-build609808434/b1127/cmd.test -test.testlogfile=/tmp/go-build609808434/b1127/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build609808434/b966/vet.cfg .go lient.go ux-amd64/pkg/tool/linux_amd64/vet --gdwarf-5 (dns block)
  • Triggering command: /tmp/go-build4041165416/b1122/cmd.test /tmp/go-build4041165416/b1122/cmd.test -test.testlogfile=/tmp/go-build4041165416/b1122/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build4041165416/b821/vet.cfg birQ/04vHgsOPC38-p t ux-amd64/pkg/tool/linux_amd64/vet -p k8s.io/client-go-atomic t ux-amd64/pkg/too-buildtags -o authentication/i-errorsas t ux-amd64/pkg/tool/linux_amd64/vet -p ession t ux-amd64/pkg/too-buildtags (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)