feat(orchestrator): Proxmox BFF route (CF-Access service token proxy) (#3)

Co-authored-by: Nakamoto, S <nsatoshi2007@hotmail.com> Co-committed-by: Nakamoto, S <nsatoshi2007@hotmail.com>
2026-04-22 17:11:42 +00:00
parent 9f1e919dac
commit e4b0be8a63
3 changed files with 158 additions and 0 deletions
--- a/orchestrator/src/api/proxmox.ts
+++ b/orchestrator/src/api/proxmox.ts
@@ -0,0 +1,40 @@
+/**
+ * Proxmox BFF API routes — proxies browser requests to the Cloudflare
+ * Access protected Proxmox API using a server-side service token.
+ *
+ * These routes intentionally expose a **narrow, safelisted** surface to
+ * the browser — we don't want to proxy arbitrary Proxmox endpoints.
+ *
+ * Current endpoints:
+ *   GET /api/proxmox/health          — upstream reachability check
+ *   GET /api/proxmox/cluster/status  — aggregated cluster node status
+ */
+import type { Request, Response } from "express";
+import { getClusterHealth, isProxmoxConfigured, readProxmoxEnv } from "../integrations/proxmox";
+
+export async function proxmoxHealth(_req: Request, res: Response) {
+  const env = readProxmoxEnv();
+  if (!isProxmoxConfigured(env)) {
+    return res.status(503).json({
+      status: "unconfigured",
+      message:
+        "PROXMOX_API_URL / PROXMOX_CF_ACCESS_CLIENT_ID / PROXMOX_CF_ACCESS_CLIENT_SECRET not set on the orchestrator.",
+      required: ["PROXMOX_API_URL", "PROXMOX_CF_ACCESS_CLIENT_ID", "PROXMOX_CF_ACCESS_CLIENT_SECRET"],
+    });
+  }
+  return res.json({ status: "configured", baseUrl: env.baseUrl });
+}
+
+export async function proxmoxClusterStatus(_req: Request, res: Response) {
+  const env = readProxmoxEnv();
+  if (!isProxmoxConfigured(env)) {
+    return res.status(503).json({
+      status: "unconfigured",
+      online: false,
+      nodes: [],
+      message: "Proxmox BFF not configured. See GET /api/proxmox/health for required env vars.",
+    });
+  }
+  const health = await getClusterHealth();
+  return res.status(health.online ? 200 : 502).json(health);
+}