
Armored Ferry — Secure API Gateway

A highly secure, point-to-point relay for external-facing services. Provides per-request AMTD key rotation at Layer 7 between a boundary Gateway and a boundary Sink.

Tags: Armored Car | Single Cluster | HTTP1/REST | 2 Pods


Overview

The Armored Ferry is the simplest HTTP blueprint: a Gateway/Initiator (http-gateway) connected directly to a Sink/Terminator (http-sink). Both are boundary pods, meaning both are externally accessible — the Gateway accepts POST /trigger, the Sink exposes GET /output.

Armored Car mode (xtra7) provides per-request key rotation via the WoSP WASM filter. Every HTTP request generates a new workload identity, invalidating the previous credential before the next request arrives.

flowchart TD
    A["Gateway / Initiator\n(http-gateway)\nPINHOLE_ENABLED=true"]
    B["Sink / Terminator\n(http-sink)\nPINHOLE_ENABLED=true"]
    A -->|"WoSP xtra7"| B

Use Cases

  • External API endpoints requiring per-request Zero Trust authentication
  • Point-to-point relay between client systems and backend services
  • Entry point for any service that receives external HTTP traffic
  • Replacing mTLS or API key auth with ephemeral WoSP workload identity

Bundle Contents

armored-ferry/
├── gateway/          ← http-gateway (boundary)
├── sink/             ← http-sink (boundary)
├── deploy.sh
├── teardown.sh
├── pinhole-setup.sh
├── blueprint.yaml
├── README.md
└── EULA.md

Deploy

Prerequisites (local k3d cluster): Docker Desktop, k3d >= 5.0, kubectl, valid Hopr license

# Build images
cd gateway/app/ && docker build -t serial-app-wosp-node:latest . && k3d image import serial-app-wosp-node:latest
cd ../../sink/app/ && docker build -t serial-app-wosp-node:latest . && k3d image import serial-app-wosp-node:latest
cd ../..

# Deploy
bash deploy.sh

Prerequisites (existing cluster): kubectl with cluster context, LoadBalancer support, valid Hopr license

bash deploy.sh

Wait 2–5 minutes for LoadBalancer IPs to be assigned before verifying.

To deploy custom application code, modify Section 1 in gateway/app/app.py and/or sink/app/app.py, then rebuild and push the image:

cd gateway/app/
docker build -t myregistry/armored-ferry-gateway:v1.0.0 .
docker push myregistry/armored-ferry-gateway:v1.0.0

Update the image: field in gateway/03-deployment.yaml, then run bash deploy.sh.

See Build, Package, and Deploy for the full workflow.

Verify

Check the auto-trigger logs on the gateway pod:

kubectl logs -n armored-ferry-gateway-ns \
  deployment/gateway -c web-app -f

Expected output:

🔁 Auto-trigger starting — sending 5 messages
🔁 Auto-trigger complete — 5/5 messages sent.

Confirm delivery at the sink:

kubectl port-forward -n armored-ferry-sink-ns deployment/sink 8000:8000
curl http://localhost:8000/output

Expected: {"count": 5, "results": [...]}

Customize

Hook functions for this blueprint:

  • on_trigger(payload, headers) — in gateway/app/app.py: add authentication, validation, payload transformation
  • on_receive_terminator(payload) — in sink/app/app.py: process the final result, dispatch to external systems

See Hook Functions Reference for implementation guidance.
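
Because the Gateway accepts POST /trigger from outside the cluster, on_trigger is where external input is authenticated and validated before it is relayed to the Sink. The sketch below is an added example, not code from the blueprint bundle: only the name and signature on_trigger(payload, headers) come from this page. The header name, shared secret, field schema, the TriggerRejected exception, and the contract "return the payload to forward, raise to reject" are assumptions; check the Hook Functions Reference for the actual contract.

```python
import hashlib
import hmac
import json

# Assumptions, not from the blueprint: header name, secret, schema, and the
# return/raise contract of the hook. headers is assumed to be a mapping.
SIG_HEADER = "x-signature-sha256"            # hypothetical header name
SHARED_SECRET = b"constructed-demo-secret"   # constructed; load from a Secret in practice
MAX_BODY_BYTES = 4096
ALLOWED_FIELDS = {"message": str, "sequence": int}  # hypothetical schema


class TriggerRejected(Exception):
    """Raised when an external request fails authentication or validation."""


def canonical_bytes(payload):
    # Deterministic serialization so client and gateway sign identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, secret=SHARED_SECRET):
    # Client-side counterpart: HMAC-SHA256 over the canonical payload.
    return hmac.new(secret, canonical_bytes(payload), hashlib.sha256).hexdigest()


def on_trigger(payload, headers):
    if not isinstance(payload, dict):
        raise TriggerRejected("payload must be a JSON object")
    if len(canonical_bytes(payload)) > MAX_BODY_BYTES:
        raise TriggerRejected("payload too large")
    # Header names are case-insensitive; normalize before lookup.
    lowered = {str(k).lower(): v for k, v in headers.items()}
    supplied = str(lowered.get(SIG_HEADER, "")).encode("utf-8", "replace")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(supplied, sign(payload).encode()):
        raise TriggerRejected("bad or missing signature")
    # Allow-list after authentication: unknown fields and wrong types are
    # rejected (type() is exact, so True is not accepted as an int).
    for key, value in payload.items():
        if type(value) is not ALLOWED_FIELDS.get(key):
            raise TriggerRejected(f"unexpected field or type: {key!r}")
    if "message" not in payload:
        raise TriggerRejected("missing required field: message")
    return dict(payload)
```
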

Pricing

2 WoSP units (1 per pod). See Commercial Licensing.