Add egress proxy container with automation #640


Merged
merged 3 commits into from
Jun 10, 2025

Conversation

JAORMX
Collaborator

@JAORMX JAORMX commented Jun 5, 2025

Summary

Adds a minimal and secure egress proxy container based on Squid with full automation support.

Changes

Container Setup

  • Dockerfile: Minimal Alpine Linux 3.22.0 base with Squid proxy
  • Security: Non-root execution, minimal attack surface, portable healthcheck
  • Configuration: Runtime configuration support (no baked-in config)
  • Process Management: Uses ENTRYPOINT for proper container lifecycle

Automation

  • GitHub Actions: Added egress-proxy-image-build-and-publish job
  • Release Strategy: Only pushes to registry on tag releases
  • Multi-platform: Supports linux/amd64 and linux/arm64
  • Security: Includes Cosign image signing
  • Registry: Images published to ghcr.io/stacklok/toolhive/egress-proxy

Development Tooling

  • Taskfile: Added build-egress-proxy and build-all-images targets
  • Local Development: Uses --load flag for immediate Docker daemon availability
  • Integration: Builds alongside main toolhive container

Usage

# Local development
task build-egress-proxy

# Build all images
task build-all-images

# Production releases
# Automatic on git tags via GitHub Actions

Testing

  • Local container build
  • GitHub Actions workflow validation
  • Multi-platform build verification
  • Image signing verification

Security Considerations

  • Minimal Alpine base image reduces attack surface
  • Non-root execution prevents privilege escalation
  • Runtime configuration prevents config leakage
  • Signed images ensure supply chain integrity
  • Portable healthcheck works in isolated networks

- Add minimal Alpine-based Dockerfile for Squid proxy
- Configure secure non-root execution with runtime config
- Add GitHub Actions workflow for automated builds and releases
- Include Taskfile targets for local development
- Only push container images on tag releases
- Support multi-platform builds (amd64/arm64)
- Include proper image signing with Cosign
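The description above presents the proxy as deny-by-default egress with configuration supplied at runtime rather than baked into the image. The following is an added example, not code from the ToolHive project or this pull request: it renders an allowlist-only squid.conf that could be mounted into such a container, and it triages Squid's native access.log format to count denied egress attempts per client, which is the signal an operator would watch on an egress proxy. The function names (render_squid_conf, parse_access_log, denied_by_client), the allowlisted domains and the log lines are all constructed for the example; the project's actual configuration is not shown on the page.

```python
"""Added example (not ToolHive's own code): render a deny-by-default
egress allowlist for Squid and triage its access log for denied egress."""
import re
from collections import Counter
from dataclasses import dataclass

# Squid's native access.log layout (the default "squid" logformat):
# time elapsed client code/status bytes method url ident hierarchy/peer type
_ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log lines in Squid's native format (not real traffic).
SAMPLE_LOG = """\
1717600000.123     45 172.18.0.5 TCP_TUNNEL/200 51234 CONNECT api.github.com:443 - HIER_DIRECT/140.82.112.5 -
1717600001.456      0 172.18.0.5 TCP_DENIED/403 3990 CONNECT files.example.net:443 - HIER_NONE/- text/html
1717600002.789      0 172.18.0.7 TCP_DENIED/403 3990 GET http://mirror.example.org/pkg - HIER_NONE/- text/html
1717600003.000      0 172.18.0.5 TCP_DENIED/403 3990 CONNECT cdn.example.com:443 - HIER_NONE/- text/html
"""


def render_squid_conf(allowed_domains, listen_port=3128):
    """Return a squid.conf that allows only the listed destinations and denies everything else.

    The config is meant to be mounted at runtime; nothing here is image-specific.
    """
    if not allowed_domains:
        raise ValueError("refusing to render a proxy config with an empty allowlist")
    lines = [
        f"http_port {listen_port}",
        "pid_filename none",             # nothing to write under /run when running non-root
        "cache deny all",                # an egress proxy should not keep a cache
        "access_log stdio:/dev/stdout",  # container-friendly logging
        "cache_log /dev/stderr",
        "acl SSL_ports port 443",
        "acl Safe_ports port 80 443",
        "acl CONNECT method CONNECT",
    ]
    lines += [f"acl allowed_dst dstdomain {d}" for d in allowed_domains]
    lines += [
        "http_access deny !Safe_ports",
        "http_access deny CONNECT !SSL_ports",
        "http_access allow allowed_dst",
        "http_access deny all",          # deny-by-default: must stay last
    ]
    return "\n".join(lines) + "\n"


@dataclass
class Event:
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str


def parse_access_log(lines):
    """Parse native-format access.log lines into Event records, skipping malformed lines."""
    events = []
    for line in lines:
        m = _ACCESS_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(float(m["ts"]), m["client"], m["code"],
                            int(m["status"]), m["method"], m["url"]))
    return events


def denied_by_client(events):
    """Count denied egress attempts per client IP; a client with many denials is worth a look."""
    counts = Counter()
    for e in events:
        if e.code.startswith("TCP_DENIED") or e.status == 403:
            counts[e.client] += 1
    return dict(counts)


if __name__ == "__main__":
    print(render_squid_conf([".github.com", "pypi.org"]))
    for client, n in denied_by_client(parse_access_log(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {n} denied egress attempt(s)")
```

Run the module directly to see the rendered config and a per-client denial summary for the constructed log; in a deployment the same parser would read the container's stdout, since the config sends Squid's access log there.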
@JAORMX JAORMX requested a review from yrobla June 5, 2025 12:15
yrobla
yrobla previously approved these changes Jun 6, 2025
@JAORMX JAORMX force-pushed the feature/egress-proxy-container branch from f35f39e to d4ac7bc Compare June 9, 2025 10:06
@JAORMX JAORMX force-pushed the feature/egress-proxy-container branch from d4ac7bc to d227ad3 Compare June 9, 2025 10:39
@yrobla yrobla force-pushed the feature/egress-proxy-container branch from d227ad3 to 1e4143f Compare June 10, 2025 09:36
@yrobla yrobla marked this pull request as ready for review June 10, 2025 11:02
@yrobla yrobla merged commit 9c88ba6 into main Jun 10, 2025
13 checks passed
@yrobla yrobla deleted the feature/egress-proxy-container branch June 10, 2025 11:34