Skip to content

feat: integrate invalidation proxy into operator (#15)#21

Merged
jensens merged 3 commits intomainfrom
feat/invalidation-proxy-integration
Apr 8, 2026
Merged

feat: integrate invalidation proxy into operator (#15)#21
jensens merged 3 commits intomainfrom
feat/invalidation-proxy-integration

Conversation

@jensens
Copy link
Copy Markdown
Member

@jensens jensens commented Apr 8, 2026

Summary

Wires the existing proxy code (internal/proxy/) into the operator. The proxy was fully implemented but never connected to the operator lifecycle.

Changes

  1. TokenProvider — proxy reads agent Bearer token from K8s Secret for BAN auth to the vinyl-agent
  2. Reconciler integration — updates PodMap with ready peer IPs and registers/unregisters routes on VinylCache create/update/delete
  3. K8sTokenProvider — reads agent-token from per-namespace cloud-vinyl-agent-token Secret
  4. Operator startup — proxy HTTP server on :8090, runs on ALL replicas (not just leader)

How it works

PURGE/BAN request → invalidation Service (:8090)
                   → operator pod (proxy)
                   → Host header lookup → namespace/cacheName
                   → PodMap lookup → pod IPs
                   → broadcast to all pods in parallel

Fixes #15.

jensens and others added 3 commits April 8, 2026 15:22
@jensens @claude
feat: add TokenProvider to proxy for agent BAN auth
ab581ef 
BAN requests are forwarded to the agent on port 9090 which requires
Bearer auth. The proxy reads the token from a TokenProvider (injected
by the controller) and includes it in the Authorization header.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jensens @claude
feat: wire proxy PodMap/Router into reconciler and add K8sTokenProvider
40e6ae0 
Reconciler updates PodMap with ready peer IPs and registers/unregisters
routes on VinylCache create/delete. K8sTokenProvider reads agent token
from per-namespace Secret for BAN request auth.

Fields are optional (nil-safe) so proxy can be disabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jensens @claude
feat: start invalidation proxy on operator port 8090
f3e6984 
Proxy runs on all replicas (not just leader) because the invalidation
Service load-balances across all operator pods. Router and PodMap
are shared with the reconciler for dynamic pod/route updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jensens jensens merged commit 5b8d340 into main Apr 8, 2026
7 of 8 checks passed
@jensens jensens deleted the feat/invalidation-proxy-integration branch April 8, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement invalidation proxy (PURGE/BAN broadcast)

1 participant

@jensens