Long-running TLS server: router + listener + reconcile loop + polls.
Modules§
- middleware 🔒
- Auth + protocol middleware for the v1 router.
- route_error 🔒
- Shared route-handler error helpers. Each returns a FnOnce(E) -> StatusCode that logs and converts; paired with ? to drop the 4-line map_err blocks.
- routes 🔒
- Noun-based HTTP route modules.
- state 🔒
- Shared state + configuration types for the long-running server.
Structs§
- AppState
- ClosureUpstream
- IssuancePaths
- ServeArgs
- The Default impl's defaults are bogus on purpose; prod paths fail at first IO if clap parsing is skipped.
- VerifiedFleetSnapshot
- (fleet, hash, raw_bytes) tuple under one lock prevents readers seeing a fresh fleet with a stale hash or stale bytes. artifact_bytes + signature_bytes are the canonical signed bytes the cp_manifest_poll worker fetched + verified; the /v1/fleet.resolved route serves them directly so agents see the exact bytes the CP verified, not stale closure-embedded content from the --artifact flag.
Constants§
- HTTP_DRAIN_DEADLINE 🔒
- Listener drain budget; remaining 5s of TASK_SHUTDOWN_DEADLINE is for background drain.
- TASK_SHUTDOWN_DEADLINE 🔒
- 30s = systemd TimeoutStopSec= default; stay under to avoid SIGKILL.
Functions§
- build_router 🔒
- /healthz is outside /v1; /v1/enroll is anonymous; all other /v1/* require mTLS. /v1/* is gated by require_ready_layer (#95) so agents get 503 + Retry-After until the first signed artifact is verified; no stale-state serving.
- drain_background_tasks 🔒
- Tasks past TASK_SHUTDOWN_DEADLINE are abandoned (handles dropped -> abort).
- prime_from_artifact_files 🔒
- File-fallback verify+parse for the --artifact / --signature CLI args. Synchronous; called once at startup before the listener opens. Hash is computed against the received bytes (not a re-serialised parsed struct) so additive schema changes the CP's proto doesn't yet know about don't shift the rolloutId anchor; same load-bearing reason as in manifest_poll::poll_once.
- serve
- version_layer 🔒