feat(network): add api service static IP for proxy force-through #181

Closed
jhaynie wants to merge 3 commits into main from task/secrets-injection

@jhaynie jhaynie commented Mar 16, 2026

Summary

  • Add api to the static service IP generation list
  • Generates ApiServiceIP constant (fd15:d710:2c:e000:9dc5:82b5::)

Why

The eBPF firewall in Hadron needs to force traffic to api.agentuity.{io,cloud} through the transparent proxy for secret injection. Like catalyst, streams, and otel, the api service needs a magic IPv6 address so the eBPF program can identify it and redirect traffic to the proxy instead of letting it bypass via the Gravity tunnel.

What changed

  • network/gen_static.go — added "api" to the services list
  • network/static_generated.go — regenerated with new ApiServiceIP constant, Services map entry, and Addresses map entry

Summary by CodeRabbit

  • New Features
    • Enhanced secret injection with configurable authentication schemes (Bearer, Basic, Raw) and per-host matching rules for granular access control.
    • Added support for EU region deployments, including six new European locations for improved data residency and performance.

jhaynie added 3 commits March 15, 2026 14:18
…ction

Add SecretRule message to CodeMetadata in the gravity session proto.
This enables Ion to send secret injection rules to Hadron via the
deployment metadata response, telling the transparent proxy how to
replace hashed placeholder tokens with real secret values in outbound
HTTP requests to platform services.
…ring

Replace the freeform string scheme field on SecretRule with a typed
SecretScheme enum (BEARER, BASIC, RAW) for compile-time safety.
Clarify host_match semantics: empty means matches no hosts
(deny-by-default) and will be rejected at validation time.

Add 'api' to the list of services that get a static magic IPv6 address
in the Graviton overlay network. This allows the eBPF firewall to
force traffic to api.agentuity.{io,cloud} through the transparent
proxy for secret injection, same as catalyst, streams, and otel.
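
The deny-by-default `host_match` semantics and typed scheme described in the commit messages above, as an added Go example that is not code from this PR or the project. The `SecretRule` struct, its field names, the `SchemeUnspecified` zero value and the exact-or-`*.suffix` pattern syntax are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type SecretScheme int // mirrors the BEARER/BASIC/RAW enum from the commit message
const (
	SchemeUnspecified SecretScheme = iota // assumed zero value, always rejected
	SchemeBearer
	SchemeBasic
	SchemeRaw
)

// SecretRule is a hypothetical shape; field names and pattern syntax are assumptions.
type SecretRule struct {
	Header, HostMatch string // HostMatch: exact host or "*.suffix"
	Scheme            SecretScheme
}

// Validate rejects rules with no usable host pattern, header or scheme.
func (r SecretRule) Validate() error {
	suffix := strings.TrimPrefix(r.HostMatch, "*.")
	if suffix == "" || strings.ContainsAny(suffix, "* ") {
		return errors.New("host_match empty or malformed: matches no hosts")
	}
	if r.Header == "" || r.Scheme < SchemeBearer || r.Scheme > SchemeRaw {
		return fmt.Errorf("bad header %q or scheme %d", r.Header, r.Scheme)
	}
	return nil
}

// Matches is deny-by-default: an invalid rule matches nothing.
func (r SecretRule) Matches(host string) bool {
	host, pat := strings.ToLower(host), strings.ToLower(r.HostMatch)
	if r.Validate() != nil {
		return false
	}
	if strings.HasPrefix(pat, "*.") {
		return len(host) > len(pat)-1 && strings.HasSuffix(host, pat[1:])
	}
	return host == pat
}

func main() {
	r := SecretRule{Header: "Authorization", HostMatch: "*.agentuity.cloud", Scheme: SchemeBearer} // constructed sample
	fmt.Println(r.Matches("api.agentuity.cloud"), SecretRule{}.Validate())
}
```
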
@jhaynie jhaynie closed this Mar 16, 2026
coderabbitai Bot commented Mar 16, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0b4ea581-1f4f-47c0-8866-d2e9049700ae

📥 Commits

Reviewing files that changed from the base of the PR and between 828c8ab and 07ecbc8.

⛔ Files ignored due to path filters (1)
  • gravity/proto/gravity_session.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (3)
  • gravity/proto/gravity_session.proto
  • network/gen_static.go
  • network/static_generated.go

📝 Walkthrough

This PR introduces secret injection rules for HTTP headers in protobuf definitions, adds an "api" service to the network code generator, and extends network infrastructure with API service mappings and EU region subnet support.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Secret Injection Rules: gravity/proto/gravity_session.proto | Added SecretRule message and SecretScheme enum to enable per-secret header injection configuration. Extended CodeMetadata with repeated secret_rules field supporting environment-to-header mapping with scheme formatting and host matching patterns. |
| Network Service Configuration: network/gen_static.go | Added "api" service to the code generator's services list, triggering generation of API service constants, mappings, and address data alongside existing services. |
| Network Infrastructure Constants: network/static_generated.go | Added ApiServiceIP constant and corresponding mappings. Introduced 12 new EU region subnet constants for Agent and Hadron services. Added AgentSubnetForRegion() and HadronSubnetForRegion() functions with EU region case mappings. |