[edgefunc] Add EdgeController for per-namespace runtime management (APO-408)

Transition from per-function containers to per-namespace runtimes with
dynamically-loaded functions via edge-runtime control API.

New components:
- pkg/edgefunc/controller: RuntimeManager, FunctionDeployer, FunctionRouter
- pkg/edgefunc/mainservice: Main service TypeScript for edge-runtime

Changes:
- runc: Add ExecNamespace() for namespace-based containers with control API
- backplane: Support dual-mode reconciliation (controller vs legacy)
- ci: Build from apoxy-dev/edge-runtime fork, bundle main-service.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dilyevsky

ci/main.go

@@ -371,15 +371,18 @@ func (m *ApoxyCli) PublishGithubRelease(
 		})
 }
 
+// EdgeRuntimeVersion is the version of the Apoxy edge-runtime fork.
+const EdgeRuntimeVersion = "v0.1.0"
+
 func (m *ApoxyCli) BuildEdgeRuntime(
 	ctx context.Context,
 	platform string,
 	// +optional
 	src *dagger.Directory,
 ) *dagger.Container {
 	if src == nil {
-		src = dag.Git("https://github.com/supabase/edge-runtime").
-			Tag("v1.62.2").
+		src = dag.Git("https://github.com/apoxy-dev/edge-runtime").
+			Branch("main").
 			Tree()
 	}
 	p := dagger.Platform(platform)
@@ -392,13 +395,47 @@ func (m *ApoxyCli) BuildEdgeRuntime(
 		WithExec([]string{"cargo", "build", "--release"})
 }
 
-// PullEdgeRuntime pulls the edge runtime image from dockerhub.
+// PullEdgeRuntime builds the Apoxy edge-runtime fork from source.
+// The built container includes the edge-runtime binary and main service.
 func (m *ApoxyCli) PullEdgeRuntime(
 	ctx context.Context,
 	p dagger.Platform,
+	// +optional
+	apoxyCliSrc *dagger.Directory,
 ) *dagger.Container {
-	return dag.Container(dagger.ContainerOpts{Platform: p}).
-		From("docker.io/supabase/edge-runtime:v1.62.2")
+	goarch := archOf(p)
+
+	// Build edge-runtime from source.
+	edgeRuntimeSrc := dag.Git("https://github.com/apoxy-dev/edge-runtime").
+		Branch("main").
+		Tree()
+
+	builder := dag.Container(dagger.ContainerOpts{Platform: p}).
+		From("rust:1.82.0-bookworm").
+		WithExec([]string{"apt-get", "update"}).
+		WithExec([]string{"apt-get", "install", "-y", "llvm-dev", "libclang-dev", "gcc", "cmake", "binutils"}).
+		WithMountedCache("/usr/local/cargo/registry", dag.CacheVolume("cargo-registry-"+goarch)).
+		WithMountedCache("/src/target", dag.CacheVolume("cargo-target-"+goarch)).
+		WithWorkdir("/src").
+		WithDirectory("/src", edgeRuntimeSrc).
+		WithExec([]string{"cargo", "build", "--release"}).
+		WithExec([]string{"cp", "/src/target/release/edge-runtime", "/edge-runtime"})
+
+	// Create a minimal container with the binary and main service.
+	ctr := dag.Container(dagger.ContainerOpts{Platform: p}).
+		From("debian:bookworm-slim").
+		WithExec([]string{"apt-get", "update"}).
+		WithExec([]string{"apt-get", "install", "-y", "libssl-dev", "ca-certificates"}).
+		WithExec([]string{"rm", "-rf", "/var/lib/apt/lists/*"}).
+		WithFile("/usr/local/bin/edge-runtime", builder.File("/edge-runtime")).
+		WithExec([]string{"mkdir", "-p", "/etc/main"})
+
+	// Copy the main service from this repo.
+	if apoxyCliSrc != nil {
+		ctr = ctr.WithFile("/etc/main/index.ts", apoxyCliSrc.File("pkg/edgefunc/mainservice/main-service.ts"))
+	}
+
+	return ctr
 }
 
 // BuildAPIServer builds an API server binary.
@@ -421,12 +458,13 @@ func (m *ApoxyCli) BuildAPIServer(
 		WithEnvVariable("CC", fmt.Sprintf("zig-wrapper cc --target=%s-linux-musl", canonArchFromGoArch(goarch))).
 		WithExec([]string{"go", "build", "-o", "apiserver", "./cmd/apiserver"})
 
-	runtimeCtr := m.PullEdgeRuntime(ctx, p)
+	runtimeCtr := m.PullEdgeRuntime(ctx, p, src)
 
 	return dag.Container(dagger.ContainerOpts{Platform: p}).
 		From("cgr.dev/chainguard/wolfi-base:latest").
 		WithFile("/bin/apiserver", builder.File("/src/apiserver")).
 		WithFile("/bin/edge-runtime", runtimeCtr.File("/usr/local/bin/edge-runtime")).
+		WithDirectory("/etc/main", runtimeCtr.Directory("/etc/main")).
 		WithEntrypoint([]string{"/bin/apiserver"})
 }
 
@@ -475,7 +513,7 @@ func (m *ApoxyCli) BuildBackplane(
 		WithExec([]string{"go", "build", "-o", "/src/" + otelOut}).
 		WithWorkdir("/src")
 
-	runtimeCtr := m.PullEdgeRuntime(ctx, p)
+	runtimeCtr := m.PullEdgeRuntime(ctx, p, src)
 
 	return dag.Container(dagger.ContainerOpts{Platform: p}).
 		From("cgr.dev/chainguard/wolfi-base:latest").
@@ -484,6 +522,7 @@ func (m *ApoxyCli) BuildBackplane(
 		WithFile("/bin/dial-stdio", builder.File(dsOut)).
 		WithFile("/bin/otel-collector", builder.File(otelOut)).
 		WithFile("/bin/edge-runtime", runtimeCtr.File("/usr/local/bin/edge-runtime")).
+		WithDirectory("/etc/main", runtimeCtr.Directory("/etc/main")).
 		WithExec([]string{
 			"/bin/backplane",
 			"--project_id=apoxy",

cmd/backplane/main.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/ClickHouse/clickhouse-go/v2"
 	chdriver "github.com/ClickHouse/clickhouse-go/v2/lib/driver"
+	"github.com/coredns/coredns/plugin"
 	"github.com/google/uuid"
 	"google.golang.org/grpc"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -34,6 +35,7 @@ import (
 	"github.com/apoxy-dev/apoxy/pkg/backplane/metrics"
 	"github.com/apoxy-dev/apoxy/pkg/backplane/wasm/ext_proc"
 	"github.com/apoxy-dev/apoxy/pkg/backplane/wasm/manifest"
+	edgefuncctrl "github.com/apoxy-dev/apoxy/pkg/edgefunc/controller"
 	"github.com/apoxy-dev/apoxy/pkg/edgefunc/runc"
 	"github.com/apoxy-dev/apoxy/pkg/log"
 	"github.com/apoxy-dev/apoxy/pkg/net/dns"
@@ -94,6 +96,9 @@ var (
 
 	dnsPort  = flag.Int("dns_port", 8053, "Port for the DNS server.")
 	extIface = flag.String("ext_iface", "eth0", "External interface name.")
+
+	useEdgeController    = flag.Bool("use_edge_controller", false, "Use new per-namespace EdgeController instead of legacy per-function runtime.")
+	edgeControllerNS     = flag.String("edge_controller_namespace", "default", "Default namespace for EdgeController.")
 )
 
 func main() {
@@ -306,15 +311,31 @@ func main() {
 	if err != nil {
 		log.Fatalf("failed to set up EdgeFunction controller: %v", err)
 	}
-	if err := bpctrl.NewEdgeFunctionRevisionReconciler(
-		mgr.GetClient(),
-		*replicaName,
-		net.JoinHostPort(apiServerHost, strconv.Itoa(*wasmStorePort)),
-		ms,
-		*goPluginDir,
-		*esZipDir,
-		edgeRuntime,
-	).SetupWithManager(ctx, mgr, *proxyName); err != nil {
+
+	var edgeController *edgefuncctrl.EdgeController
+	if *useEdgeController {
+		log.Infof("Using new per-namespace EdgeController (namespace=%s)", *edgeControllerNS)
+		edgeController = edgefuncctrl.NewEdgeControllerFromRuntime(
+			edgeRuntime,
+			*esZipDir,
+			edgefuncctrl.Namespace(*edgeControllerNS),
+		)
+	} else {
+		log.Infof("Using legacy per-function EdgeRuntime")
+	}
+
+	edgeFuncReconciler := bpctrl.NewEdgeFunctionRevisionReconciler(bpctrl.EdgeFunctionRevisionReconcilerArgs{
+		Client:           mgr.GetClient(),
+		ReplicaName:      *replicaName,
+		ApiserverHost:    net.JoinHostPort(apiServerHost, strconv.Itoa(*wasmStorePort)),
+		WasmStore:        ms,
+		GoStoreDir:       *goPluginDir,
+		JsStoreDir:       *esZipDir,
+		EdgeRuntime:      edgeRuntime,
+		EdgeController:   edgeController,
+		DefaultNamespace: edgefuncctrl.Namespace(*edgeControllerNS),
+	})
+	if err := edgeFuncReconciler.SetupWithManager(ctx, mgr, *proxyName); err != nil {
 		log.Fatalf("failed to set up EdgeFunction controller: %v", err)
 	}
 
@@ -333,9 +354,17 @@ func main() {
 	}
 
 	go func() {
+		// Use EdgeController's resolver if available, otherwise use legacy runtime's resolver.
+		var edgeFuncResolver func(next plugin.Handler) plugin.Handler
+		if edgeController != nil {
+			edgeFuncResolver = edgeController.Resolver
+		} else {
+			edgeFuncResolver = edgeRuntime.Resolver
+		}
+
 		if err := dns.ListenAndServe(
 			fmt.Sprintf(":%d", *dnsPort),
-			dns.WithPlugins(edgeRuntime.Resolver, tunnelResolver.Resolver),
+			dns.WithPlugins(edgeFuncResolver, tunnelResolver.Resolver),
 			dns.WithBlockNonGlobalIPs(),
 		); err != nil {
 			log.Fatalf("failed to start DNS server: %v", err)