TL;DR

  • traffic flows from gateway to environment proxy to sidecar to app
  • the environment proxy only publishes to host loopback
  • the sidecar is the only direct ingress to the app
  • rootless networking changes how loopback is reached from the proxy layer

Working model

The pattern is intentionally layered:

  • gateway handles public TLS and accepted hostnames
  • environment proxy handles environment routing
  • sidecar bridges into the app namespace
  • app stays bound to local loopback only
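A host-side check for the invariants in that list, added here as an example and not part of the original notes: only the gateway may listen off loopback, everything else (environment proxy, sidecar, app) must be bound to loopback. The gateway port and the sample listener tables are assumptions, and with rootless networking the table worth checking is the host's, since the container's own 127.0.0.1 is a separate loopback.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the layering invariants
# from the host side. Only the gateway may listen on a non-loopback address;
# the environment proxy, sidecar and app must all be bound to loopback.
# Under rootless networking the container's own 127.0.0.1 is not the host
# loopback, so the listener table to check is the one on the host.

# Assumed port for the gateway's public TLS listener (not given in the notes).
GATEWAY_PORT=443

# Reads "<addr>:<port> <layer>" lines on stdin (the shape you get by joining
# `ss -lnt` output with your own port-to-layer map). Prints each violation and
# returns 1 if any listener other than the gateway is reachable off loopback.
check_listeners() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        addr="${line%% *}"
        layer="${line#* }"
        host="${addr%:*}"
        port="${addr##*:}"
        case "$host" in
            127.*|'[::1]') continue ;;               # loopback: always fine
        esac
        if [ "$layer" = "gateway" ] && [ "$port" = "$GATEWAY_PORT" ]; then
            continue                                 # the one public listener
        fi
        echo "violation: $layer listens on $addr, not loopback"
        rc=1
    done
    return "$rc"
}

# Constructed sample listener tables (not captured from a real host).
SAMPLE_OK='0.0.0.0:443 gateway
127.0.0.1:8081 environment-proxy
127.0.0.1:9000 sidecar
127.0.0.1:3000 app'

# Same layout, but the environment proxy was published on all interfaces.
SAMPLE_LEAK='0.0.0.0:443 gateway
0.0.0.0:8081 environment-proxy
127.0.0.1:9000 sidecar
127.0.0.1:3000 app'

printf '%s\n' "$SAMPLE_OK" | check_listeners && echo "ok layout: passes"
printf '%s\n' "$SAMPLE_LEAK" | check_listeners || echo "leaky layout: rejected"
```

Feed it real `ss -lnt` output joined with your own port map and run it from a health check so a proxy published on 0.0.0.0 fails loudly instead of silently widening the ingress.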

Why I kept it

This is not the smallest possible setup, but it is easier to reason about than one giant proxy configuration.

Each layer has:

  • its own logs
  • its own health check
  • its own failure mode

That makes the system harder to misunderstand when something breaks.