9 changes: 9 additions & 0 deletions endpoint-exposer/entrypoint/entrypoint
Expand Up @@ -46,6 +46,15 @@ for arg in "$@"; do
esac
done

# Fall back to deriving SERVICE_PATH from the script's own location when the
# caller doesn't pass --service-path. WORKING_DIRECTORY points at the
# `entrypoint/` directory inside the service; the parent is the service root
# (e.g. `/root/.np/nullplatform/services/endpoint-exposer`). Without this
# fallback, every absolute path below becomes `/workflows/...` instead of
# `<service-root>/workflows/...`, and the np CLI fails with
# "failed to read workflow file: open /workflows/<type>/<action>.yaml".
SERVICE_PATH="${SERVICE_PATH:-$(cd "$WORKING_DIRECTORY/.." && pwd)}"

OVERRIDES_PATH="${OVERRIDES_PATH:-$SERVICE_PATH/overrides}"

export SERVICE_PATH
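Review bot: The fallback on the `SERVICE_PATH=` line trusts `$WORKING_DIRECTORY` without checking it. The hunk does not show where that variable is set; if it is empty, `cd "/.."` succeeds and `pwd` returns `/`, so `SERVICE_PATH` becomes `/` and `OVERRIDES_PATH` becomes `//overrides`, which reproduces the `/workflows/...` failure the comment describes instead of stopping it. Since the paths below are built from this value, fail fast right after the assignment, for example `[ -d "$SERVICE_PATH/workflows" ] || { echo "invalid SERVICE_PATH: $SERVICE_PATH" >&2; exit 1; }`.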
2 changes: 1 addition & 1 deletion endpoint-exposer/entrypoint/service
Expand Up @@ -10,7 +10,7 @@ case "$SERVICE_ACTION_TYPE" in
;;
esac

INGRESS_TYPE="${INGRESS_TYPE:-alb}"
INGRESS_TYPE="${INGRESS_TYPE:-istio}"

echo "INGRESS_TYPE is set to '$INGRESS_TYPE'"
echo "OVERRIDES_PATH is set to '$OVERRIDES_PATH'"
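Review bot: Changing the `INGRESS_TYPE` default from `alb` to `istio` silently changes behaviour for every caller that never set the variable; the only signal on upgrade is the `echo` line that follows. Call the new default out in the install docs or release notes, and, if the code below does not already do so, reject values outside the supported set right after this line so a typo does not fall through to a missing workflow.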
46 changes: 32 additions & 14 deletions endpoint-exposer/install/installation.md
Expand Up @@ -22,7 +22,7 @@ git clone https://github.com/nullplatform/services /root/.np/nullplatform/servic
git clone https://github.com/nullplatform/tofu-modules /root/.np/nullplatform/tofu-modules
```

> The `repo_path` variable defaults to `/root/.np/nullplatform/services/endpoint-exposer`. Adjust if you clone elsewhere.
> The agent cmdline resolves to `<base_clone_path>/<repository_org>/<repository_name>/<agent_service_path>/entrypoint/entrypoint`, which defaults to `/root/.np/nullplatform/services/endpoint-exposer/entrypoint/entrypoint`. Adjust the variables if you clone elsewhere.

### 2. Configure variables

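Review bot: The new blockquote introduces `<base_clone_path>` as the first component of the agent cmdline, but the variables table in section 2 lists only `repository_org`, `repository_name` and `agent_service_path`. Either add `base_clone_path` to that table with its default, or state here that the `/root/.np` prefix is fixed; otherwise "adjust the variables if you clone elsewhere" cannot be followed for the leading path component.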
Expand All @@ -35,14 +35,18 @@ Edit `terraform.tfvars` with your values:

| Variable | Required | Description |
|---|---|---|
| `nrn` | ✅ | Nullplatform Resource Name (`organization:account`) |
| `np_api_key` | ✅ | Nullplatform API key |
| `nrn` | ✅ | Nullplatform Resource Name (`organization=<org-id>:account=<account-id>`) |
| `np_api_key` | ✅ | Nullplatform API key used by the agent |
| `tags_selectors` | ✅ | Tags to select the agent (e.g. `{ environment = "production" }`) |
| `github_token` | ✅ | GitHub token with `contents: read` on `nullplatform/services` |
| `git_branch` | — | Branch to fetch specs from (default: `main`) |
| `repo_path` | — | Path where endpoint-exposer is located on the agent |
| `overrides_enabled` | — | Set `true` to enable config overrides |
| `overrides_repo_path` | — | Full path to the overrides directory on the agent |
| `github_token` | — | Only required if `repository_org`/`repository_name` point at a private fork. Not needed for the public `nullplatform/services` repo. |
| `repository_org` | — | Org that owns the spec repository (default: `nullplatform`) |
| `repository_name` | — | Spec repository name (default: `services`) |
| `repository_branch` | — | Branch to fetch specs from (default: `main`) |
| `spec_path` | — | In-repo path to `specs/service-spec.json.tpl` (default: `endpoint-exposer/install`) |
| `agent_service_path` | — | In-repo path where the agent runtime lives (default: `endpoint-exposer`) |
| `service_name` | — | Display name in nullplatform (default: `Endpoint Exposer`) |
| `overrides_enabled` | — | Set `true` to pass `--overrides-path` to the agent |
| `overrides_repo_path` | — | Absolute path to the overrides directory on the agent (required when `overrides_enabled = true`) |

### 3. Initialize OpenTofu

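Review bot: The table renames `git_branch` to `repository_branch` and drops `repo_path` without a migration note, so an existing `terraform.tfvars` that still sets the old names will no longer match the module's inputs. Add a short upgrade note listing the old and new names. Separately, `np_api_key` and `github_token` are credentials written to `terraform.tfvars`: say in this section that the file must stay out of version control, and check that both variables are declared `sensitive` in the module.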
Expand All @@ -59,25 +63,39 @@ tofu plan
tofu apply
```

## Domains

The `publicDomain` / `privateDomain` fields in the service spec are free-text strings. Developers type the concrete FQDN at scope-creation time (via the nullplatform UI, CLI, or API). The base domain must resolve to the appropriate Istio gateway in the target cluster (public or private).

## Spec fields governed by Terraform

A few top-level fields in `install/specs/service-spec.json.tpl` are **overridden by the `service_definition` module at apply time**, so their value in the `.tpl` is ignored:

| Spec field | Source at apply time |
|---|---|
| `name` | `var.service_name` |
| `visible_to` | `concat([var.nrn], var.extra_visibile_to_nrns)` |

Do not add `{{ env.Getenv ... }}` template expressions to other fields expecting runtime substitution — there is no template engine in the pipeline (the module reads the spec with `data "http"` + `jsondecode()`). Any template string in a non-overridden field will reach the nullplatform API as a literal.

## Overrides

If the account requires local configuration overrides (e.g. from a networking repo), enable the override flag so the agent appends `--overrides-path` to its command:
If the account requires local configuration overrides (e.g. from a networking repo), enable the override flag so the agent receives `--overrides-path` as an argument:

```hcl
overrides_enabled = true
overrides_repo_path = "/root/.np/nullplatform/scopes-networking/endpoint-exposer"
```

This results in the agent running:
The agent cmdline becomes:
```
/root/.np/nullplatform/services/endpoint-exposer/entrypoint \
--service-path=/root/.np/nullplatform/services/endpoint-exposer \
/root/.np/nullplatform/services/endpoint-exposer/entrypoint/entrypoint \
--overrides-path=/root/.np/nullplatform/scopes-networking/endpoint-exposer
```

## Updating specs

To push spec changes after editing templates in `specs/`:
To push spec changes after editing templates in `install/specs/`:

1. Merge your branch to `main` (or update `git_branch` in tfvars)
1. Merge your branch to `main` (or update `repository_branch` in tfvars)
2. Run `tofu apply` — the module fetches templates from GitHub on each run
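Review bot: `var.extra_visibile_to_nrns` in the `visible_to` row is spelled "visibile"; confirm it matches the name the module actually declares, and add it to the variables table in section 2, where it is currently missing. The Overrides example also no longer passes `--service-path`, so it now depends on the fallback added in `entrypoint/entrypoint`; one sentence saying so would explain why the flag disappeared from the cmdline.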
6 changes: 3 additions & 3 deletions endpoint-exposer/install/prerequisites.md
Expand Up @@ -8,7 +8,7 @@ The agent pod must have the following repository cloned at the expected path:
|---|---|
| [nullplatform/services](https://github.com/nullplatform/services) | `/root/.np/nullplatform/services/endpoint-exposer` |

Override the default path via the `repo_path` variable in `terraform.tfvars`.
Override the default path via the `repository_org` / `repository_name` / `agent_service_path` variables in `terraform.tfvars`.

## Required tooling on the agent pod

Expand Down Expand Up @@ -61,6 +61,6 @@ A `Gateway` resource must exist in the cluster for both public and private traff

## GitHub Token

A GitHub personal access token with `contents: read` permission on the `nullplatform/services` repository is required to fetch spec templates during `tofu apply`.
The `service_definition` module fetches spec templates from GitHub at `tofu apply` time via authenticated or anonymous HTTP. Since `nullplatform/services` is a **public** repository, **no token is required** for the default setup.

Set it in `terraform.tfvars` as `github_token`.
If you point `repository_org` / `repository_name` at a private fork, provide a GitHub personal access token with `contents: read` permission on that repo via the `github_token` variable in `terraform.tfvars`.
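Review bot: The new paragraph has the module fetch spec templates from GitHub at `tofu apply` time, and installation.md gives `repository_branch` a default of `main`, so the spec that gets applied is whatever sits at the branch tip at that moment. For production accounts, recommend pointing `repository_branch` at a branch whose contents are reviewed before merge, and for the private-fork case ask for a token scoped to that single repository, since it is stored in `terraform.tfvars`.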
58 changes: 16 additions & 42 deletions endpoint-exposer/install/specs/service-spec.json.tpl
@@ -1,9 +1,7 @@
{
"name": "{{ env.Getenv \"SERVICE_NAME\" | default \"Endpoint Exposer\" }}",
"name": "Endpoint Exposer",
"type": "dependency",
"visible_to": [
"{{ env.Getenv \"NRN\" }}"
],
"visible_to": [],
Comment thread
javi-null marked this conversation as resolved.
"dimensions": {},
"scopes": {},
"assignable_to": "any",
Expand Down Expand Up @@ -145,8 +143,7 @@
"method",
"path",
"scope",
"visibility",
"environment"
"visibility"
],
"properties": {
"path": {
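Review bot: `environment` is removed from the `required` list, but this hunk does not show whether the `environment` property is also removed from `properties` or whether the workflows still read it. If it is still consumed, requests that omit it now pass schema validation and fail later at run time; either remove the property as well or make the consumer handle its absence. The same edit repeats in the later `required` hunks of this file.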
Expand Down Expand Up @@ -210,22 +207,18 @@
}
},
"publicDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Public Domain",
"description": "Base domain for routes with visibility=public. Tenant-specific — provide the FQDN that resolves to the public Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
]
},
"privateDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Private Domain",
"description": "Base domain for routes with visibility=private. Tenant-specific — provide the FQDN that resolves to the private (internal) Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
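Review bot: `publicDomain` and `privateDomain` go from a single-value `enum` to an unconstrained `"type": "string"`, so the schema now accepts any text, including hosts outside the tenant's domains and strings that are not hostnames at all. Add at least `"format": "hostname"` (if the platform's schema validator honours it) or a `pattern`, plus a length bound, and have the workflow check the value against the base domains the target gateway serves before it creates a route. This applies to each of the later `publicDomain`/`privateDomain` hunks in this file as well.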
Expand Down Expand Up @@ -464,23 +457,19 @@
}
},
"publicDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Public Domain",
"description": "Base domain for routes with visibility=public. Tenant-specific — provide the FQDN that resolves to the public Istio gateway of the target cluster.",
"target": "publicDomain",
"editableOn": [
"create",
"update"
]
},
"privateDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Private Domain",
"description": "Base domain for routes with visibility=private. Tenant-specific — provide the FQDN that resolves to the private (internal) Istio gateway of the target cluster.",
"target": "privateDomain",
"editableOn": [
"create",
Expand Down Expand Up @@ -628,8 +617,7 @@
"method",
"path",
"scope",
"visibility",
"environment"
"visibility"
],
"properties": {
"path": {
Expand Down Expand Up @@ -695,23 +683,19 @@
}
},
"publicDomain": {
"enum": [
Comment thread
jcastiarena marked this conversation as resolved.
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Public Domain",
"description": "Base domain for routes with visibility=public. Tenant-specific — provide the FQDN that resolves to the public Istio gateway of the target cluster.",
"target": "publicDomain",
"editableOn": [
"create",
"update"
]
},
"privateDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Private Domain",
"description": "Base domain for routes with visibility=private. Tenant-specific — provide the FQDN that resolves to the private (internal) Istio gateway of the target cluster.",
"target": "privateDomain",
"editableOn": [
"create",
Expand Down Expand Up @@ -867,8 +851,7 @@
"method",
"path",
"scope",
"visibility",
"environment"
"visibility"
],
"properties": {
"path": {
Expand Down Expand Up @@ -932,22 +915,18 @@
}
},
"publicDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Public Domain",
"description": "Base domain for routes with visibility=public. Tenant-specific — provide the FQDN that resolves to the public Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
]
},
"privateDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Private Domain",
"description": "Base domain for routes with visibility=private. Tenant-specific — provide the FQDN that resolves to the private (internal) Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
Expand Down Expand Up @@ -1094,8 +1073,7 @@
"method",
"path",
"scope",
"visibility",
"environment"
"visibility"
],
"properties": {
"path": {
Expand Down Expand Up @@ -1159,22 +1137,18 @@
}
},
"publicDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Public Domain",
"description": "Base domain for routes with visibility=public. Tenant-specific — provide the FQDN that resolves to the public Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
]
},
"privateDomain": {
"enum": [
"hello.idp.poc.nullapps.io"
],
"type": "string",
"title": "Private Domain",
"description": "Base domain for routes with visibility=private. Tenant-specific — provide the FQDN that resolves to the private (internal) Istio gateway of the target cluster.",
"editableOn": [
"create",
"update"
39 changes: 3 additions & 36 deletions endpoint-exposer/install/tofu/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
