feat: ContextForge - Automatic HTTP Header Propagation for Kubernetes#1
Merged
feat: ContextForge - Automatic HTTP Header Propagation for Kubernetes#1
Conversation
- Add go.mod/go.sum with controller-runtime dependencies - Add Makefile with kubebuilder targets (build, test, deploy, e2e) - Add PROJECT file for kubebuilder scaffolding - Add golangci-lint configuration - Add hack/boilerplate.go.txt for license headers 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add v1alpha1 API types for HeaderPropagationPolicy - Define spec with selector, propagationRules, headers - Support header generation (UUID, timestamp) - Include DeepCopy implementations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add operator main.go with controller-runtime setup - Implement HeaderPropagationPolicy controller - Add mutating admission webhook for pod sidecar injection - Configure HTTP_PROXY/HTTPS_PROXY env vars on containers 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add proxy main.go with signal handling and graceful shutdown - Implement HTTP handler for header extraction and injection - Add server with health/ready endpoints - Support configurable headers via environment variables - Store headers in context for outgoing request injection 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CRD for HeaderPropagationPolicy - Add RBAC (ClusterRole, RoleBinding, ServiceAccount) - Add operator Deployment and Service - Add MutatingWebhookConfiguration for pod injection - Add cert-manager Certificate for webhook TLS - Add kustomize overlays (default, crd, rbac, webhook) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Dockerfile.operator with multi-stage build, distroless base - Add Dockerfile.proxy with Alpine base, health checks - Add .dockerignore for minimal build context - Both images run as non-root (UID 65532) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Chart.yaml with metadata and dependencies (cert-manager) - Add values.yaml with configurable operator/proxy settings - Add templates for Deployment, Service, RBAC, CRDs - Add MutatingWebhookConfiguration template - Support cert-manager for TLS certificates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add test utilities (envtest setup) - Add e2e test suite with Ginkgo - Test sidecar injection on annotated pods - Test header propagation through service chain - Test multi-header and edge cases - Test HTTPS CONNECT tunnel behavior 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CI workflow (lint, test, build on PR/push) - Add e2e workflow (Kind cluster, full integration tests) - Add release workflow (build images, push to ghcr.io, create release) - Add Helm chart release workflow - Add website deploy workflow - Add git-cliff config for changelog generation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add comprehensive README with architecture diagrams - Add CONTRIBUTING.md with development guidelines - Add Apache 2.0 LICENSE - Add Hugo website with Hextra theme - Add docs: getting-started, installation, configuration - Add docs: how-it-works, examples, limitations, changelog 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add VS Code devcontainer with Go, Docker, kubectl, Kind, Helm - Update .gitignore for binaries, backups, IDE files, Hugo 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove standalone lint.yml, test.yml, test-e2e.yml that duplicate jobs already defined in ci.yaml and e2e.yaml. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The .golangci.yml config uses v2 format which requires golangci-lint v2. Update the GitHub Action from v4 to v6 which supports v2.x. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Action v6 doesn't support golangci-lint v2, need v7. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use t.Setenv instead of os.Setenv in tests (auto-cleanup) - Handle json.Encode and conn.Close return values - Remove unnecessary nil check in transport.go - Remove unused error return from injectSidecar - Add AnnotationValueTrue constant for repeated "true" string - Relax linters for test files (dupl, errcheck, goconst, ginkgolinter, lll) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove error return value usage since injectSidecar no longer returns error. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The HeaderPropagationPolicy CRD requires at least one propagation rule. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The controller tests require envtest binaries (etcd, kube-apiserver). Using make test instead of go test directly to ensure setup-envtest runs. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add certificate.yaml template that creates self-signed Issuer and Certificate when webhook.certManager.enabled=true - Fix namespace mismatch in E2E workflow (use contextforge-system consistently instead of ctxforge-system) - Add certificate debugging output to failure logs - Update values.yaml with createSelfSignedIssuer option 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The namespace must exist before Helm can install resources into it. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…-namespace The Helm chart's namespace template conflicts with the --create-namespace flag. Disabling the chart's namespace creation lets Helm handle it. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The kubebuilder-generated manager doesn't have a --webhook-port CLI flag. The webhook port is configured in the manager code, not via CLI arguments. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ection The webhook template had an objectSelector requiring the label ctxforge.io/enabled=true, but the actual injection decision is made in the webhook code based on annotations. This caused the webhook to not be called for pods without the label. The webhook code's shouldInject() method already filters based on annotations, so the objectSelector is unnecessary. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add metrics collection for the proxy including: - ctxforge_proxy_requests_total counter (method, status labels) - ctxforge_proxy_request_duration_seconds histogram - ctxforge_proxy_headers_propagated_total counter - ctxforge_proxy_active_connections gauge Also includes ResponseWriter wrapper to capture status codes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add token bucket rate limiter using golang.org/x/time/rate: - Configurable via RATE_LIMIT_ENABLED, RATE_LIMIT_RPS, RATE_LIMIT_BURST - Disabled by default for backward compatibility - Returns 429 Too Many Requests when limit exceeded - Includes comprehensive unit tests 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement full HeaderPropagationPolicy controller: - Reconcile loop fetches policy and lists matching pods - Counts pods with ctxforge-proxy sidecar container - Updates status.AppliedToPods, status.Conditions, status.ObservedGeneration - Watches both policies and pods for changes - Adds findPoliciesForPod() for reverse lookup - Requeues every 30 seconds to track pod changes Also adds e2e tests for controller reconciliation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update from Alpine 3.18 to 3.21 for security patches and updates. Alpine 3.18 reached end of support. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…22) Security improvements: - Change default proxy image from :latest to :0.1.0 (#18) - Remove misleading HTTPS_PROXY env var since HTTPS uses tunneling (#19) Validation and resources: - Add target port validation (1-65535, not proxy port) (#20) - Increase proxy resources: 25m/32Mi requests, 200m/128Mi limits (#22) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add security job to CI pipeline that scans Docker images for vulnerabilities using Trivy. Fails on CRITICAL and HIGH severity findings to prevent vulnerable images from being released. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…25) Helm improvements: - Add PodDisruptionBudget template with minAvailable: 1 (#11) - Update image tags from :latest to :0.1.0 (#18) - Increase proxy resources to match webhook defaults (#22) - Reduce operator CPU limit from 500m to 200m (#25) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…#15) Configuration improvements: - Add configurable HTTP server timeouts via env vars (#16): READ_TIMEOUT, WRITE_TIMEOUT, IDLE_TIMEOUT, READ_HEADER_TIMEOUT, TARGET_DIAL_TIMEOUT (with sensible defaults) - Add getEnvDuration(), getEnvBool(), getEnvFloat() helpers - Add rate limiting config: RATE_LIMIT_ENABLED, RATE_LIMIT_RPS, RATE_LIMIT_BURST (#24) - Improve error messages with examples (#15) Server integration: - Use config timeouts instead of hardcoded values - Apply rate limiting middleware when enabled - Expose /metrics endpoint for Prometheus 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Error handling improvements: - Change NewProxyHandler to return error instead of log.Fatal() (#21) - Update main.go to handle returned error properly - Add logging architecture documentation comments (#13) Metrics integration: - Record request metrics (total, duration) in ServeHTTP (#10) - Track active connections gauge - Record headers propagated counter 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Documentation additions: - Update README with observability section (metrics, health endpoints) - Update README with rate limiting configuration - Update project structure to include new packages - Add HTTP-only note for header propagation New documentation: - docs/configuration.md - Complete configuration reference with env vars, Helm values, CRD examples, and troubleshooting - UPGRADING.md - Upgrade guide with version notes Logging documentation: - Add architecture comments explaining zerolog (proxy) vs logf (operator) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix gofmt alignment in e2e_suite_test.go var block - Mark unused ctx parameter with underscore in setReadyCondition 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Generated from kubebuilder RBAC markers in the controller. Required for listing pods to count sidecar injection status. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change apiGroups from "ctxforge.io" to "ctxforge.ctxforge.io" to match the actual CRD API group. This fixes the controller RBAC permissions for listing and watching HeaderPropagationPolicy resources. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RFC 7230 header name validation to reject invalid headers at admission - Increase proxy resource limits (CPU: 50m/500m, Memory: 64Mi/256Mi) - Document timeout values with rationale, increase TargetDialTimeout to 5s - Change webhook failurePolicy default to Ignore to prevent cluster outages 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements advanced header propagation features: - Header generators (UUID v4, ULID, RFC3339 timestamp) for auto-generating missing headers like x-request-id - Path-based filtering with regex patterns (e.g., only propagate for /api/*) - HTTP method-based filtering (e.g., only for POST, PUT, DELETE) - HEADER_RULES environment variable for JSON-based advanced configuration - Controller requeue optimization - event-driven instead of 30s polling Documentation updates: - Certificate rotation guide (docs/certificate-rotation.md) - Updated configuration docs with HEADER_RULES, generator types - README comparison section with service meshes - Helm chart examples for common use cases Tests: - Unit tests for generators, config parsing, handler filtering - E2E tests for header generation, path/method filtering Closes #5, #6, #8, #9, #27, #28 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add support for ctxforge.io/header-rules annotation for advanced header configuration (JSON format with generators, path/method filters) - Webhook now triggers sidecar injection when either headers or header-rules annotation is present - Add JSON validation for header-rules annotation format - Pass HEADER_RULES env var to sidecar when annotation is set - Update e2e tests to use annotation-based configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add header-rules annotation to Pod Annotations table in README - Add header-rules annotation to configuration.md with callout - Add advanced mode example showing header-rules annotation usage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Services in advanced_features_test.go were incorrectly routing to port 8080 (app) instead of port 9090 (proxy), causing header generation tests to fail since requests bypassed the proxy entirely. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Initial implementation of ContextForge - a Kubernetes operator that automatically propagates HTTP headers through microservice chains without code changes.
Features
Components
cmd/main.go) - Kubernetes controller with admission webhookcmd/proxy/) - Lightweight HTTP proxy for header propagationdeploy/helm/) - Easy installation via Helmwebsite/) - Hugo site with Hextra themeTest plan
make test)make test-e2e)