Skip to content

feat: Add infrastructure and security improvements#169

Merged
AbelOsaretin merged 4 commits into
Heliobond:mainfrom
trustosaretin:feat/infra-security-improvements
Jun 30, 2026
Merged

feat: Add infrastructure and security improvements#169
AbelOsaretin merged 4 commits into
Heliobond:mainfrom
trustosaretin:feat/infra-security-improvements

Conversation

@trustosaretin

Copy link
Copy Markdown
Contributor

Closes #118, Closes #119, Closes #120, Closes #121

Type of Change

  • New feature (non-breaking change that adds functionality)

Summary

This PR implements four infrastructure and security improvements for the Heliobond backend:

  1. Request Signing Verification (HMAC) - Adds middleware to verify request integrity using HMAC-SHA256 signatures with configurable secrets, timestamp validation (5-minute window), and timing-safe comparison to prevent replay and timing attacks.

  2. Kubernetes Readiness Probe - Adds a /ready endpoint that checks database connection pool status and satellite data source health, returning 200 when ready and 503 when not ready with detailed check results.

  3. Kubernetes Liveness Probe - The existing /health endpoint serves as the liveness probe, returning basic health status and uptime information.

  4. APM Integration - Implements application performance monitoring with configurable provider support for DataDog, New Relic, and OpenTelemetry, with graceful fallback when packages are not installed.

Motivation / Context

Closes #118, Closes #119, Closes #120, Closes #121

These improvements enhance the backend's production readiness by:

  • Adding request integrity verification for admin endpoints
  • Providing Kubernetes-native health check endpoints for container orchestration
  • Enabling application performance monitoring for observability

The implementation follows existing codebase patterns and includes comprehensive test coverage for the request signing middleware.

Implement request signing verification to ensure request integrity
using HMAC-SHA256 signatures. Features include:
- HMAC signature validation with configurable secret
- Timestamp validation (5-minute window) to prevent replay attacks
- Timing-safe comparison to prevent timing attacks
- Middleware integration for admin endpoints
- Comprehensive test coverage
Implement /ready endpoint for Kubernetes readiness checks.
The probe verifies:
- Database connection pool is operational
- Satellite data sources are not in extended outage
Returns 200 when ready, 503 when not ready with detailed check results.
…emetry

Implement application performance monitoring integration with
configurable provider support:
- DataDog APM with dd-trace
- New Relic monitoring
- OpenTelemetry with auto-instrumentation
- Environment-based configuration (APM_PROVIDER env var)
- Graceful fallback when packages are not installed
Wire up the new middleware and endpoints:
- Apply request signing middleware to admin routes
- Add /ready endpoint alongside existing /health liveness endpoint
- Initialize APM provider on server startup
- Add environment variable documentation for all new features
@drips-wave

drips-wave Bot commented Jun 30, 2026

Copy link
Copy Markdown

@trustosaretin Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@AbelOsaretin AbelOsaretin merged commit 6d792f3 into Heliobond:main Jun 30, 2026
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add APM integration (DataDog/New Relic) Add Kubernetes liveness probe Add Kubernetes readiness probe Add request signing verification

2 participants