proxy

studio/proxy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Sienna Meridian Satterwhite	e5b6802107	feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup Add optional [ssh] config block that proxies port 22 → Gitea SSH pod, running on a dedicated thread/runtime matching the cert-watcher pattern. Also start HTTP-only on first deploy when the TLS cert file doesn't exist yet — once ACME challenge completes and the cert watcher writes the file, a graceful upgrade adds the TLS listener without downtime. Fix ACME watcher to handle InitApply events (kube-runtime v3+) so Ingresses that existed before the proxy started are picked up correctly. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00
Sienna Meridian Satterwhite	d0146b47e3	feat(proxy): add per-route disable_secure_redirection; preserve query string in redirect By default every plain-HTTP request is 301-redirected to HTTPS — no upstream is ever contacted, making it as close to an L4 redirect as HTTP allows. New RouteConfig field `disable_secure_redirection` (bool, default false): when set to true on a route, plain-HTTP requests for that host pass through to the backend unchanged instead of being redirected. Also fixes the redirect URL to include the original query string, which was previously dropped (e.g. ?next=/dashboard would be lost after redirect). Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00
Sienna Meridian Satterwhite	6ec0f78a5b	feat: initial sunbeam-proxy implementation Custom Pingora-based edge proxy for the Sunbeam infrastructure stack. - HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production) - Host-prefix routing with path-based sub-routing (auth virtual host) - HTTP→HTTPS redirect, WebSocket passthrough - cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher - TLS cert auto-reload via K8s Secret watcher - JSON structured audit logging (tracing-subscriber) - OpenTelemetry OTLP stub (disabled by default) - Multi-stage Dockerfile: musl static binary on chainguard/static distroless image Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>	2026-03-10 23:38:19 +00:00

Author

SHA1

Message

Date

Sienna Meridian Satterwhite

e5b6802107

feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup

Add optional [ssh] config block that proxies port 22 → Gitea SSH pod,
running on a dedicated thread/runtime matching the cert-watcher pattern.

Also start HTTP-only on first deploy when the TLS cert file doesn't exist
yet — once ACME challenge completes and the cert watcher writes the file,
a graceful upgrade adds the TLS listener without downtime.

Fix ACME watcher to handle InitApply events (kube-runtime v3+) so
Ingresses that existed before the proxy started are picked up correctly.

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

2026-03-10 23:38:19 +00:00

Sienna Meridian Satterwhite

d0146b47e3

feat(proxy): add per-route disable_secure_redirection; preserve query string in redirect

By default every plain-HTTP request is 301-redirected to HTTPS — no upstream
is ever contacted, making it as close to an L4 redirect as HTTP allows.

New RouteConfig field `disable_secure_redirection` (bool, default false):
when set to true on a route, plain-HTTP requests for that host pass through
to the backend unchanged instead of being redirected.

Also fixes the redirect URL to include the original query string, which was
previously dropped (e.g. ?next=/dashboard would be lost after redirect).

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

2026-03-10 23:38:19 +00:00

Sienna Meridian Satterwhite

6ec0f78a5b

feat: initial sunbeam-proxy implementation

Custom Pingora-based edge proxy for the Sunbeam infrastructure stack.

- HTTPS termination: mkcert file-based (local dev) or rustls-acme ACME (production)
- Host-prefix routing with path-based sub-routing (auth virtual host)
- HTTP→HTTPS redirect, WebSocket passthrough
- cert-manager HTTP-01 challenge routing via Kubernetes Ingress watcher
- TLS cert auto-reload via K8s Secret watcher
- JSON structured audit logging (tracing-subscriber)
- OpenTelemetry OTLP stub (disabled by default)
- Multi-stage Dockerfile: musl static binary on chainguard/static distroless image

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

2026-03-10 23:38:19 +00:00

3 Commits