  • Go 99.3%
  • Dockerfile 0.7%
statevault 7cd86fe660 chore(ci): pin shared-ci-shared:v1, swap golang:1.25-alpine → shared-go-base:v1
Two changes bundled:

1. Float shared-ci-shared from :v1.0.7 (deleted by the morning's
   "keep last 3 versions" Forgejo prune) to :v1 — survives future
   prunes.

2. Swap the build / binaries / go-test steps from upstream
   docker.io/library/golang:1.25-alpine to loco/shared-go-base:v1
   (built today, carries git + gcc + musl-dev + make + helm). Drops
   the per-step `apk add --no-cache git` in `build` (git is already
   in the image).

hadolint/hadolint stays upstream — it's a special-purpose Dockerfile
linter, not a base image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:20:09 +02:00
.woodpecker chore(ci): pin shared-ci-shared:v1, swap golang:1.25-alpine → shared-go-base:v1 2026-05-13 12:20:09 +02:00
cmd feat(discovery-server): make TLS listener optional 2026-04-25 09:35:33 +02:00
docs chore: scrub registry paths to loco/<group>-<project> 2026-05-01 19:43:55 +02:00
internal test(state): improve coverage 62% → 90%, add fuzz tests 2026-04-17 20:50:34 +02:00
.ci-probe-2 chore(ci): probe after trusted.network flip 2026-05-04 13:48:54 +02:00
.gitignore chore(gitignore): exclude .wiki-state.json (wiki-publish.py state file) 2026-05-04 12:05:35 +02:00
bao.yml chore(ci): consolidate to single pipeline + unified bao-checks 2026-05-01 17:31:50 +02:00
CHANGELOG.md chore(release): v0.8.2 [skip ci] 2026-05-13 08:14:02 +00:00
Dockerfile docs: add comprehensive architecture, operations, wg-peer, and development docs 2026-04-17 21:15:29 +02:00
go.mod feat(telemetry): full instrumentation — zap logging, Prometheus metrics, OTLP tracing 2026-04-17 20:40:38 +02:00
go.sum feat(telemetry): full instrumentation — zap logging, Prometheus metrics, OTLP tracing 2026-04-17 20:40:38 +02:00
mkdocs.yml chore: add mkdocs.yml for wiki publishing 2026-04-18 00:46:24 +02:00
README.md chore: scrub registry paths to loco/<group>-<project> 2026-05-01 19:43:55 +02:00
sonar-project.properties feat(telemetry): full instrumentation — zap logging, Prometheus metrics, OTLP tracing 2026-04-17 20:40:38 +02:00

discovery

WireGuard peer discovery server for the loop-coop mesh.

Deployment. Runs as an Incus system container on service-machine (mesh 10.92.0.18, public discovery.svc.loop-coop.net:3000). Consumed by Talos KubeSpan in the talos-hcloud-cluster platform — nodes register via this service to establish the WireGuard mesh.

Implements the siderolabs discovery protocol (MPL-2.0): peers register encrypted blobs, discover each other, and stay current via long-lived streaming Watch RPCs. The server never decrypts peer data — it relays opaque ciphertext between nodes.
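
The relay-only property above is the one worth checking in code. The following is an added example written for this page, not code from this project or from siderolabs: a toy in-memory store keyed by cluster ID that holds and fans out opaque blobs exactly as handed to it, next to the client-side seal/unseal that the nodes, not the server, perform. The cipher choice (AES-256-GCM under a 32-byte key shared by cluster members), the PeerRecord layout, and the cluster, node and endpoint names are assumptions of the example; the real protocol's key derivation and wire format are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"sync"
)

// Affiliate is the relay's view of one peer: ID in the clear, Data opaque.
type Affiliate struct {
	ID   string
	Data []byte
}

// Store is a toy relay: clusterID -> affiliateID -> ciphertext, plus per-cluster watchers. It holds no keys.
type Store struct {
	mu       sync.Mutex
	clusters map[string]map[string][]byte
	watchers map[string][]chan Affiliate
}

// Update stores the blob verbatim and fans a copy out to that cluster's watchers only.
func (s *Store) Update(cluster, id string, data []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.clusters[cluster] == nil {
		s.clusters[cluster] = map[string][]byte{}
	}
	s.clusters[cluster][id] = append([]byte(nil), data...)
	for _, ch := range s.watchers[cluster] {
		ch <- Affiliate{ID: id, Data: append([]byte(nil), data...)} // blocking send into a buffered channel (demo simplification)
	}
}

// Watch subscribes to every later update for the cluster.
func (s *Store) Watch(cluster string) <-chan Affiliate {
	s.mu.Lock()
	defer s.mu.Unlock()
	ch := make(chan Affiliate, 64)
	s.watchers[cluster] = append(s.watchers[cluster], ch)
	return ch
}

// PeerRecord is what a node publishes; only holders of the cluster key see it.
type PeerRecord struct {
	Hostname, WGPublic string
	Endpoints          []string
}

// gcmFor: AES-256-GCM under a 32-byte key assumed shared out of band (the real client's derivation is not shown).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal produces nonce || ciphertext; this is all the relay ever sees.
func seal(key []byte, rec PeerRecord) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)              // crypto/rand; never fails on supported Go
	plain, _ := json.Marshal(rec) // plain strings, cannot fail
	return gcm.Seal(nonce, nonce, plain, nil)
}

// unseal fails on a wrong key or a tampered blob (GCM authentication).
func unseal(key, blob []byte) (PeerRecord, error) {
	var rec PeerRecord
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("blob shorter than nonce")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plain, &rec)
}

// demo: node-2 watches, node-1 registers, node-2 decrypts; the relay's stored copy holds no plaintext, a wrong key gets nothing.
func demo() (hostname string, plaintextInStore, wrongKeyRejected bool) {
	key := make([]byte, 32) // constructed cluster key for this example
	rand.Read(key)
	srv := &Store{clusters: map[string]map[string][]byte{}, watchers: map[string][]chan Affiliate{}}
	watch := srv.Watch("cluster-a")
	rec := PeerRecord{Hostname: "node-1", WGPublic: "constructed-pubkey", Endpoints: []string{"10.92.0.21:51820"}}
	srv.Update("cluster-a", "node-1", seal(key, rec))
	got, _ := unseal(key, (<-watch).Data)
	_, wrongErr := unseal(make([]byte, 32), srv.clusters["cluster-a"]["node-1"])
	return got.Hostname, bytes.Contains(srv.clusters["cluster-a"]["node-1"], []byte("node-1")), wrongErr != nil
}
```

The point to take from demo: everything the store can be asked for (List, Watch, the map itself) is ciphertext, so a compromised relay or a rogue client on the same endpoint learns cluster and affiliate IDs and endpoint-visible traffic patterns, but not the peer records. The Update and Watch paths here correspond loosely to the targets named under Testing (FuzzUpdate, FuzzWatchFanout), which exercise the project's real internal/state package.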

Binaries

Binary            Purpose
discovery-server  gRPC server (:3000) + Prometheus metrics (:2122)
wg-peer           Per-node daemon: registers WireGuard peer, keeps wg in sync
integration-test  Live smoke test exercising all gRPC methods

Quick Start

# Build
CGO_ENABLED=0 go build ./cmd/discovery-server

# Run (TLS required)
./discovery-server \
  --cert server.crt \
  --key  server.key \
  --log-dev

# With mTLS client verification
./discovery-server \
  --cert server.crt \
  --key  server.key \
  --ca   ca-bundle.pem

# With OpenBao snapshot persistence
./discovery-server \
  --cert          server.crt \
  --key           server.key \
  --bao-addr      http://10.90.0.2:8200 \
  --bao-token-file /run/bao-agent/token

# With OTLP tracing disabled
./discovery-server --cert ... --key ... --otlp-endpoint ""

Flags

Flag              Default                Description
--addr            :3000                  gRPC listen address
--metrics-addr    :2122                  Prometheus metrics listen address
--cert            (required)             TLS certificate file (PEM)
--key             (required)             TLS key file (PEM)
--ca              (unset)                CA bundle for mTLS client verification; unset = server-TLS only
--bao-addr        (unset)                OpenBao address for snapshot persistence
--bao-token-file  (unset)                File containing OpenBao token
--otlp-endpoint   http://10.90.0.2:4318  OTLP HTTP endpoint; empty = tracing disabled
--log-level       info                   Log level: debug, info, warn, error
--log-dev         false                  Pretty console log format for development

Note: the commit list above includes "feat(discovery-server): make TLS listener optional" (2026-04-25), so on a build from that revision or later --cert/--key may no longer be mandatory. This table reflects the TLS-required behaviour that the Quick Start documents; check the flags of the binary you actually deploy.
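
What --ca changes on the server side is easy to get wrong (a CA bundle that is loaded but not enforced gives server-TLS only while looking like mTLS). The following is an added example, not the project's code, written against Go's crypto/tls so it runs offline: it mints a throwaway CA, a server certificate and a client certificate, then runs three loopback handshakes, once with no CA pool and twice with the pool installed. The names loco-mesh-ca, discovery.test and node-1, the TLS 1.3 minimum, and the use of loopback TCP are assumptions of the example; the real server's listener setup may differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error; fine for a demo that mints throwaway test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf valid for server and client auth, signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func pair(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// serverConfig mirrors --cert/--key/--ca: nil pool = server-TLS only, a pool = client certs required and verified.
func serverConfig(srv tls.Certificate, caPool *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	if caPool != nil {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = caPool
	}
	return cfg
}

// handshake runs one handshake over loopback TCP and returns the server's verdict; under TLS 1.3
// a client can finish before the server rejects it, so the client side alone proves nothing.
func handshake(srv, cli *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo
		verdict <- tls.Server(raw, srv).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		conn.Close()
	}
	return <-verdict
}

// demo: bare client vs server-TLS only, bare client vs --ca set, CA-issued client vs --ca set.
func demo() (bareNoCA, bareWithCA, certWithCA error) {
	ca, caKey := issue("loco-mesh-ca", nil, nil)         // constructed CA, not the mesh's real one
	srvCert, srvKey := issue("discovery.test", ca, caKey) // constructed server leaf
	cliCert, cliKey := issue("node-1", ca, caKey)         // constructed client leaf
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	bare := &tls.Config{RootCAs: pool, ServerName: "discovery.test", MinVersion: tls.VersionTLS13}
	withCert := bare.Clone()
	withCert.Certificates = []tls.Certificate{pair(cliCert, cliKey)}
	srv := pair(srvCert, srvKey)
	bareNoCA = handshake(serverConfig(srv, nil), bare)
	bareWithCA = handshake(serverConfig(srv, pool), bare)
	certWithCA = handshake(serverConfig(srv, pool), withCert)
	return
}
```

The second case is the one to watch when testing a deployment by hand: with TLS 1.3 the client's own handshake can return success before the server has even looked at the (missing) certificate, so a "connected" client proves nothing about enforcement. Judge the policy from the server's handshake result, as demo does, or from the server's logs.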

Deployment

Runs on service-machine (10.90.0.3) as a Podman container inside Incus:

Container image: git.loop-coop.net/loco/mesh-discovery:<version>
gRPC:            10.90.0.3:3000  (+ HAProxy public frontend on gateway :3000)
Metrics:         10.90.0.3:2122  (scraped by local Prometheus)
Traces:          → Alloy at 10.92.0.13:4318 → cluster Tempo
Logs:            → host journal → Alloy → local Loki (10.90.0.3:3110)

Documentation

  • Architecture — data flow, state machine, shutdown sequence
  • Operations — deployment, metrics reference, logs, smoke testing
  • wg-peer — peer daemon flags, key management, reconciliation
  • Development — building, testing, CI pipelines, local dev

Testing

go test ./...
go test -coverprofile=coverage.out ./...

# Fuzz (30s each)
go test -fuzz=FuzzUpdate       -fuzztime=30s ./internal/state/
go test -fuzz=FuzzUpdateDelete -fuzztime=30s ./internal/state/
go test -fuzz=FuzzEndpointUpdate -fuzztime=30s ./internal/state/
go test -fuzz=FuzzWatchFanout  -fuzztime=30s ./internal/state/

# Live smoke test against the service-machine address. -insecure, as the name
# says, disables transport security checks for the run: keep it on the internal
# address and do not point it at the public endpoint.
go run ./cmd/integration-test -endpoint=10.90.0.3:3000 -insecure

Release

Push to main → bump pipeline tags v0.x.y+1 → release pipeline builds binaries + container and creates a Forgejo release.

License

Server code: MIT. Depends on siderolabs/discovery-api and siderolabs/discovery-client (MPL-2.0).