feat(orchestrator): Proxmox BFF route (CF-Access service token proxy) #3

Open
nsatoshi wants to merge 1 commits from devin/1776587283-proxmox-bff into main
Owner

feat(orchestrator): Proxmox BFF route (CF-Access service token proxy)

Adds a narrow, safelisted BFF surface so the Solace Bank Group PLC portal
(and other browser clients) can reach the Cloudflare Access protected
Proxmox API without requiring the user to complete a CF-Access SSO flow
in-browser.

Endpoints:
GET /api/proxmox/health — configuration probe (503 when unset)
GET /api/proxmox/cluster/status — aggregated cluster node status

Required orchestrator env:
PROXMOX_API_URL
PROXMOX_CF_ACCESS_CLIENT_ID
PROXMOX_CF_ACCESS_CLIENT_SECRET

When env is missing the endpoints return 503 with an actionable JSON
body and the frontend stays in its mocked state — no crashes, no
partial deploys.


Verification performed this session

  • `cd orchestrator && npx tsc --noEmit` — clean (orchestrator TS compiles).
  • Routes registered in `orchestrator/src/index.ts`:
    • `GET /api/proxmox/health`
    • `GET /api/proxmox/cluster/status`

Not yet done (intentional)

  • No new deployment in this PR — orchestrator change only.
  • Frontend is not pointed at these routes yet; the Solace portal still marks Proxmox as `bff-required` (see PR #2). After this lands + deploys, we can flip `src/services/proxmox.ts` over.
  • No integration test covers the upstream CF-Access call; we'd need a mock fetch and CI secrets.

Required orchestrator env (staging + prod)

  • `PROXMOX_API_URL` — e.g. `https://proxmox-api.d-bis.org`
  • `PROXMOX_CF_ACCESS_CLIENT_ID` — CF Access service-token ID
  • `PROXMOX_CF_ACCESS_CLIENT_SECRET` — CF Access service-token secret

When any of these are missing, both routes return 503 with an actionable JSON body rather than crashing.
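The pattern described above, as an added example that is not taken from this PR's diff: a fixed safelist decides the upstream path, missing env yields a 503 that names the variables without echoing values, and the injected fetch lets a test use a mock instead of CI secrets. The function names, JSON error bodies, the upstream path `/api2/json/cluster/status`, the health reply and the 404/502 replies are assumptions; `CF-Access-Client-Id` and `CF-Access-Client-Secret` are the headers Cloudflare Access reads a service token from.

```typescript
// Added example; not the PR's code. planRequest, proxy and SAFE_ROUTES are hypothetical names.
type Env = Record<string, string | undefined>;
type Reply = { status: number; body: unknown };
type Plan = { url: string; headers: Record<string, string> };
type FetchLike = (url: string, init: { headers: Record<string, string> }) =>
  Promise<{ status: number; json(): Promise<unknown> }>;

const REQUIRED = ["PROXMOX_API_URL", "PROXMOX_CF_ACCESS_CLIENT_ID",
  "PROXMOX_CF_ACCESS_CLIENT_SECRET"];

// Safelist: BFF path -> fixed upstream path (the upstream path is an assumption).
// The browser never supplies any part of the upstream URL.
const SAFE_ROUTES = new Map<string, string>([
  ["/api/proxmox/cluster/status", "/api2/json/cluster/status"],
]);

// Pure decision step: either a final reply (503/200/404) or an upstream plan.
function planRequest(path: string, env: Env): Reply | Plan {
  const missing = REQUIRED.filter((k) => !env[k]);
  if (missing.length > 0) {
    // Name the missing variables, never echo configured values.
    return { status: 503, body: { error: "proxmox_bff_unconfigured", missing } };
  }
  if (path === "/api/proxmox/health") return { status: 200, body: { configured: true } };
  const upstream = SAFE_ROUTES.get(path);
  if (upstream === undefined) return { status: 404, body: { error: "not_safelisted" } };
  return {
    url: env.PROXMOX_API_URL!.replace(/\/+$/, "") + upstream,
    headers: {
      "CF-Access-Client-Id": env.PROXMOX_CF_ACCESS_CLIENT_ID!,
      "CF-Access-Client-Secret": env.PROXMOX_CF_ACCESS_CLIENT_SECRET!,
    },
  };
}

// fetchImpl is injected so a test can pass a mock and no CI secret is needed.
async function proxy(path: string, env: Env, fetchImpl: FetchLike): Promise<Reply> {
  const plan = planRequest(path, env);
  if ("status" in plan) return plan;
  try {
    const res = await fetchImpl(plan.url, { headers: plan.headers });
    // Any non-200 upstream status becomes a 502; the upstream body is not forwarded.
    if (res.status !== 200) return { status: 502, body: { error: "upstream_error" } };
    return { status: 200, body: await res.json() };
  } catch {
    return { status: 502, body: { error: "upstream_unreachable" } };
  }
}
```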

nsatoshi added 1 commit 2026-04-19 08:29:46 +00:00
feat(orchestrator): Proxmox BFF route (CF-Access service token proxy)
Some checks failed
Code Quality / SonarQube Analysis (pull_request) Failing after 26s
Code Quality / Code Quality Checks (pull_request) Failing after 6s
Security Scan / Dependency Vulnerability Scan (pull_request) Failing after 3s
Security Scan / OWASP ZAP Scan (pull_request) Failing after 3s
ecd5412923
Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin devin/1776587283-proxmox-bff:devin/1776587283-proxmox-bff
git checkout devin/1776587283-proxmox-bff
Reference: d-bis/CurrenciCombo#3