I'm more unsure about the exact UX of how we're extending the runtime config yaml.

The only user-visible changes should be the new [outbound_networking] / blocked_networks config. If that is what you are unsure about then we should definitely discuss before merging.

The only user-visible changes should be the new [outbound_networking] / blocked_networks config. If that is what you are unsure about then we should definitely discuss before merging.

Indeed. My concern is more of a vibe than anything (which is why I've approved this PR and don't want to block). I don't have concrete suggestions - I'm simply unsure about the API and unsure about introducing such additions to the Spin API in a PR. For example, some random questions I have:

• Should we expose this as blocking networks (as you've done here) or allowing networks (mirroring the API we expose in spin.toml)?
  • I think I agree with your choice of blocking vs. allowing (as typically operators care more about explicitly restricting rather than explicitly allowing).
• Is the private keyword, the right way to block the use of all non-globally-routable networks?
  • It seems fine so 🤷

I guess in general, I'm wondering if the user facing changes should be introduced through a SIP instead of a PR. It's a small feature so I understand why that wasn't done initially, but it feels like anything that impacts the public API of Spin should be discussed in a SIP.

• Should we expose this as blocking networks (as you've done here) or allowing networks (mirroring the API we expose in spin.toml)?

  * I think I agree with your choice of blocking vs. allowing (as typically operators care more about explicitly restricting rather than explicitly allowing).
  

I thought about this a little. It seems somewhat unlikely that an operator that wanted to lock down the network that much wouldn't also have complete control over the apps (and therefor allowed_outbound_hosts), but if there is demand for that it should be quite easy to add an allow_hosts field which is either mutually exclusive with block_hosts or does something slightly more fancy to merge the two.

* Is the `private` keyword, the right way to block the use of all non-globally-routable networks?
  
  * It seems fine so 🤷

You could translate private into a large set of explicit CIDRs. It's really just a convenience for what (to me) seems like the most likely use-case for this feature: "don't let apps access services behind the firewall".

I guess in general, I'm wondering if the user facing changes should be introduced through a SIP instead of a PR.

First off, this is definitely a reasonable question to ask.

it feels like anything that impacts the public API of Spin should be discussed in a SIP.

Depending on your interpretation, "anything that impacts the public API" could apply to a lot of things that we haven't covered with SIPs before, but we can certainly adjust our attitudes / policies / guidance on that if we want. I guess it didn't even occur to me to do a SIP here in part because we didn't do one for the even larger [[client_tls]] feature it lives right next to. 🤷

More broadly:

SIPs are documented as being for "major work items" which...leaves a little room for interpretation 😅 but I think reflects that one of the goals is to avoid putting in "too much" work into an implementation before getting feedback on the design. This is important both to avoid wasting contributor's time and to avoid putting too much pressure on reviewers to accept a design just because there is a lot of code already written for it. On the flip side, there is overhead in the SIP process and every extra bit of friction incrementally raises the bar for contribution - even for maintainers!

@lann it occurs to me that perhaps one reason I'm nervous about this is that runtime-config.yaml isn't currently versioned. Perhaps if it were, I'd be less worried?

I prefer to think of it as "version 0"; you always get that one freebie before you have to start writing down explicit schema versions. 🙂