feat(ingress): runtime per-workload CF ingress on /deploy#137
Merged
Conversation
DD preview readyURL: https://pr-137.devopsdefender.com Browser login: paste CLI / curl: Register endpoint for a local agent: |
posix4e
force-pushed
the
feat/runtime-ingress
branch
from
65acc8a to
f2f1825
Compare
PR #134 wired `expose` at boot time — the ingress rules baked into the agent VM's config.iso got published when CP first created the tunnel. This extends that to the runtime path: when a workload POSTed to dd-agent's /deploy declares `expose: {hostname_label, port}`, the agent now calls the CP's new /ingress/replace endpoint with the merged (boot + runtime) extras list, and CP re-PUTs the tunnel config + upserts a CNAME for the new hostname. Wire-level summary: - cf.rs — extract `apply_ingress()` used by both `create()` (at register) and a new public `update_ingress()` (at runtime). The existing tunnel id + token stay stable. - cp.rs — new endpoint POST /ingress/replace. PAT-authenticated, looks up the agent in the store by agent_id, re-PUTs the tunnel config, updates the store's `extras` field for the agent. - collector::Agent — gains `tunnel_id` + `extras` fields, preserved across /health scrapes so the collector doesn't clobber them. - agent.rs — stores `agent_id` from the register bootstrap, holds a live `Arc<RwLock<Vec<(String, u16)>>>` for the merged extras, hooks into /deploy to push updates. Soft-fails — workload stays running even if the ingress update fails; only public reachability is affected. Opens the runtime path slopandmop needs: POST openclaw to an agent, the agent asks CP to route `openclaw.<agent-host>` → localhost:port, CF picks up the ingress config within seconds, browser hits the URL. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
posix4e
force-pushed
the
feat/runtime-ingress
branch
from
f2f1825 to
2377bd9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends the boot-time `expose` feature from #134 to runtime. When a workload POSTed to dd-agent's `/deploy` declares `expose: {hostname_label, port}`, the agent now asks CP to route a public hostname to the workload's port — same shape as boot-time, just done dynamically.
Wire-level changes:
Depends on
What this unblocks
slopandmop's openclaw (and anything else POSTed at runtime) can now ask for `openclaw.` → `localhost:` and have it show up on the public internet within seconds. No more "v1 limitation: runtime exposure deferred" note.
Test plan
🤖 Generated with Claude Code