
Armored Convoy — Serial Relay Pipeline

A sequential three-pod pipeline for inserting transformation, enrichment, or audit-logging middleware between a gateway and a sink. Includes TLS Pinhole access on both boundary pods.

Tags: Armored Car | Single Cluster | HTTP1/REST | 3 Pods


Overview

The Armored Convoy chains three pods in sequence: a Gateway/Initiator (http-gateway) → a Relay/Processor (http-relay) → a Sink/Terminator (http-sink). The gateway and sink are boundary pods; the relay/middleware is internal.

Each message travels through all three pods in order. The relay pod processes and transforms the payload before forwarding it to the sink. Armored Car mode (xtra7) provides per-request key rotation at every hop.

flowchart TD
    A["Gateway / Initiator\n(http-gateway)\nPINHOLE_ENABLED=true"]
    B["Relay / Processor\n(http-relay)\nPINHOLE_ENABLED=false"]
    C["Sink / Terminator\n(http-sink)\nPINHOLE_ENABLED=true"]
    A -->|"WoSP xtra7"| B -->|"WoSP xtra7"| C

Use Cases

  • Inserting middleware between an API gateway and a backend service
  • Audit logging: relay pod records every message before forwarding
  • Data transformation: relay pod enriches, filters, or reshapes the payload
  • Sequential processing pipelines where each stage must complete before the next begins

Bundle Contents

armored-convoy/
├── gateway/          ← http-gateway (boundary)
├── middleware/       ← http-relay (internal)
├── backend/          ← http-sink (boundary)
├── deploy.sh
├── teardown.sh
├── pinhole-setup.sh
├── blueprint.yaml
├── README.md
└── EULA.md

Deploy

Prerequisites for a local k3d cluster: Docker Desktop, k3d >= 5.0, kubectl, valid Hopr license

cd gateway/app/ && docker build -t serial-app-wosp-node:latest . && k3d image import serial-app-wosp-node:latest
cd ../../middleware/app/ && docker build -t serial-app-wosp-node:latest . && k3d image import serial-app-wosp-node:latest
cd ../../backend/app/ && docker build -t serial-app-wosp-node:latest . && k3d image import serial-app-wosp-node:latest
cd ../..
bash deploy.sh

Prerequisites for an existing cluster: kubectl with cluster context, LoadBalancer support, valid Hopr license

bash deploy.sh

Wait 2–5 minutes for LoadBalancer IPs before verifying.

Modify Section 1 in any or all pod app.py files, then rebuild each changed image. See Build, Package, and Deploy.

Verify

kubectl logs -n armored-convoy-gateway-ns \
  deployment/gateway -c web-app -f

Expected output:

🔁 Auto-trigger starting — sending 5 messages
🔁 Auto-trigger complete — 5/5 messages sent.

Confirm delivery at the sink:

kubectl port-forward -n armored-convoy-backend-ns deployment/backend 8000:8000
curl http://localhost:8000/output

Expected: {"count": 5, "results": [...]}. Each result's "trail" lists all three pod names, confirming every hop is connected.
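
A script for the trail check described above, as an added example that is not part of the Hopr bundle. It assumes each result's "trail" is a list of pod-name strings and that the names are http-gateway, http-relay and http-sink; `check_output`, `EXPECTED_TRAIL` and `SAMPLE` are names introduced here.

```python
import json
import sys

# Assumed hop names in pipeline order; adjust to what your pods write into "trail".
EXPECTED_TRAIL = ["http-gateway", "http-relay", "http-sink"]


def check_output(doc, expected_trail=EXPECTED_TRAIL, expected_count=5):
    """Return a list of problems in a parsed /output document (empty list = pass)."""
    problems = []
    results = doc.get("results", [])
    if doc.get("count") != expected_count:
        problems.append(f"count is {doc.get('count')!r}, expected {expected_count}")
    if doc.get("count") != len(results):
        problems.append(f"count {doc.get('count')!r} does not match {len(results)} results")
    for i, result in enumerate(results):
        trail = result.get("trail") if isinstance(result, dict) else None
        if not isinstance(trail, list):
            problems.append(f"result {i}: no trail list")
            continue
        # A message that skipped the relay never passed the audit/transform stage.
        missing = [hop for hop in expected_trail if hop not in trail]
        if missing:
            problems.append(f"result {i}: missing hops {missing}")
        elif [hop for hop in trail if hop in expected_trail] != list(expected_trail):
            problems.append(f"result {i}: hops out of order or repeated: {trail}")
    return problems


# Constructed sample (not real output): one good result, one that bypassed
# the relay, one with hops recorded in the wrong order.
SAMPLE = {
    "count": 3,
    "results": [
        {"trail": ["http-gateway", "http-relay", "http-sink"]},
        {"trail": ["http-gateway", "http-sink"]},
        {"trail": ["http-relay", "http-gateway", "http-sink"]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved /output response
        with open(sys.argv[1]) as fh:
            found = check_output(json.load(fh))
    else:  # no argument: run against the constructed sample
        found = check_output(SAMPLE, expected_count=3)
    print("\n".join(found) or "all results carry the full trail")
    sys.exit(1 if found else 0)
```

With the port-forward running, save the response with `curl -s http://localhost:8000/output -o output.json` and pass `output.json` as the script's argument; a non-zero exit status means at least one message did not traverse every hop.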

Customize

Hook functions for this blueprint:

  • on_trigger(payload, headers) — in gateway/app/app.py: authentication, validation, initial transformation
  • on_receive_relay(payload) — in middleware/app/app.py: middleware processing, enrichment, audit logging
  • on_receive_terminator(payload) — in backend/app/app.py: final processing, dispatch to external systems

See Hook Functions Reference.

Pricing

3 WoSP units (1 per pod). See Commercial Licensing.