NationTech/harmony
5
0
Fork 2
Code Issues 40 Pull Requests 12 Actions 3 Packages Projects Releases Wiki Activity
Files
feat/iot-walking-skeleton
harmony/ROADMAP/iot_platform/context_conversation.md
Jean-Gabriel Gill-Couture 65ef540b97
Some checks are pending
Run Check Script / check (pull_request) Waiting to run
Details
feat: scaffold IoT walking skeleton — podman module, operator, and agent 
- Add PodmanV0Score/IotScore (adjacent-tagged serde) and PodmanV0Interpret stub
- Gate virt behind kvm feature and podman-api behind podman feature
- Scaffold iot-operator-v0 (kube-rs operator stub) and iot-agent-v0 (NATS KV watch)
- Add PodmanV0 to InterpretName enum
- Fix aarch64 cross-compilation by making kvm/podman optional features
- Align async-nats across workspace, add workspace deps for tracing/toml/tracing-subscriber
- Remove unused deps (serde_yaml from agent, schemars from operator)
- Add Send+Sync to CredentialSource, fix &PathBuf → &Path, remove dead_code allow
- Update 5 KVM example Cargo.tomls with explicit features = ["kvm"]
2026-04-17 20:15:10 -04:00

246 lines
18 KiB
Markdown
Raw Permalink Blame History

# Conversation Summary: IoT Platform Architecture
**For agents implementing this system:** This document captures the full decision trail that led to the final `iot-platform-v0-walking-skeleton.md` plan. Understanding *why* decisions were made is as important as understanding *what* was decided — especially for judgment calls during implementation where the plan doesn't spell something out explicitly.
---
## The original ask
Sylvain (CTO of NationTech) wanted to build an IoT platform with these specific requirements:
- SSO via Zitadel
- Secrets via OpenBao
- Per-device identity, devices belong to groups
- Full CI/CD integration
- A "mini-kubelet" with NATS as the storage backend — each device is a node, reads its own resources, reconciles in a loop, reports status back to NATS KV
- Central operator with CRDs for deployments, device groups, devices — operator writes to NATS on CRD change and reports deployment status back
- CI/CD pipeline publishes hydrated Helm charts to Harbor registry; ArgoCD applies them; operator picks them up and pushes to NATS
- Devices run containers declared via Harmony Scores
- Strong consistency assumed free (NATS provides it)
- Zitadel/OpenBao integration already ~99% done in Harmony
Original constraints: simplicity key throughout, production-ready, don't go down rabbit holes, deadline and cost discipline.
---
## Phase 1: Initial architecture research and design
Claude researched NATS, Zitadel, and OpenBao integration patterns in depth using primary sources. Key findings that shaped the design:
**NATS auth callout with bearer-token JWTs is the right identity primitive.** Devices don't hold NATS signing material. An auth callout service mints a scoped per-connection user JWT with `bearer_token: true` (skips nonce signing, per the `nats-io/jwt` source) after verifying a Zitadel token the device presents at CONNECT time. This is cleaner than distributing long-lived NATS NKeys to devices. ADR-26 is the authoritative spec.
**Zitadel JWT Profile grant is the device auth path.** Service accounts with public keys registered in Zitadel, devices sign self-JWTs with their private key, exchange for access tokens. Zitadel Discussion #8406 documents exactly this pattern with working Go code for an IoT/TPM case. Key gotcha: external-OpenSSL keys need `ParsePKCS8PrivateKey`, not PKCS1.
**OpenBao's JWT auth method + templated policies** with `token_policies_template_claims` (PR #618) lets one policy resolve per-device based on JWT claims. One policy for N devices instead of N policies.
The three systems compose cleanly:
- Zitadel = identity (who or what)
- OpenBao = policy + secrets (what they can access)
- NATS = transport + subject-level authorization (where messages go)
A ~900-line architecture document captured this with primary-source citations. It remains the reference for implementation detail on auth flows.
---
## Phase 2: Planning iterations and scope calibration
Claude produced three planning documents in sequence, each refining the approach:
1. **Issue breakdown (22 issues, 9 tracks)** — human-executable parallel tracks
2. **Autonomous agent harness plan** — contract-first with phase gates, for agent-driven execution
3. **Walking skeleton plan** — thin end-to-end thread shipping Tuesday
**Sylvain's critical intervention:** when Claude produced the parallel-tracks plan targeting day 14, Sylvain pushed back. The real approach should be **walking skeleton** (Cockburn) / **tracer bullet** — ship a naive end-to-end loop first, let architecture emerge from running code, harden from there. This reduces the risk of reaching day 14 with nothing integrated.
Claude acknowledged overreach: the three documents shouldn't all exist. Walking skeleton supersedes the other two. The first two became reference material only.
---
## Phase 3: The "start from scratch objectively" challenge
Sylvain asked Claude to reconsider the architecture from scratch, with access to NationTech's full resource context (k8s clusters, ArgoCD, Harbor, Zitadel, OpenBao, Harmony ownership) but without emotional attachment to the previous design.
**Claude's initial recommendation:** k3s on each Pi + ArgoCD + external-secrets-operator. Boring, CNCF-standard, maintained by the ecosystem rather than by NationTech. Argued the custom NATS-mini-kubelet approach was "building a platform when you could buy one."
**Sylvain's decisive pushback** reframed this correctly. Claude had under-weighted several things:
1. **End-customer engineers are mechanical/electrical/chemical, not Kubernetes-literate.** They debug with `systemctl`, `journalctl`, `ps`. A k3s device forces them to learn kubectl/CRDs/CNI — a real productivity tax on a team that shouldn't have to pay it. A single Rust binary + podman is inspectable with tools they already know.
2. **The platform bet is strategic, not technical.** NationTech's positioning as "no vendor lock-in, decentralized, open-source enterprise cloud" gains credibility from having a product (Harmony), not from being "extraordinary plumbers for off-the-shelf CNCF." Building a custom platform on this bet is how you become a platform company instead of an integration shop.
3. **NationTech is its own largest customer.** Multiple OKD clusters already need coordination; manually connecting to each to make deployments is a major operational pain that hinders growth. The same architecture (agent reconciling against NATS KV) eventually manages podman on Pis, `kubectl apply` on OKD clusters, and VM-level operations. One abstraction, three instantiations.
4. **NATS is architecturally superior for federation.** ArgoCD doesn't naturally federate — it manages clusters *from one place*. A NATS supercluster with strict ordering across regions supports "operator in multiple clusters, ArgoCD instances all over, deployments coming from everywhere." For the long-term decentralized control plane, NATS is the correct substrate.
5. **Rancher code quality (k3s provenance) is real data, not nostalgia.** Sylvain has direct experience; Claude had over-indexed on CNCF graduation as a quality proxy.
6. **Harmony daemon-mode `Interpret` is already solved.** Claude had repeatedly flagged "does `Score::interpret()` work in a loop?" as a major unknown. Reality: `s.clone().interpret().await` is exactly the TUI's daemon pattern, and `harmony_agent` runs this in production for distributed CNPG PostgreSQL management. The concern was unfounded.
**Result:** Claude updated. The custom NATS-based platform is correct for this context. The k3s alternative genuinely doesn't fit. The walking skeleton plan stands.
Remaining real risks (acknowledged, not architecture-invalidating):
- Platform scope creep → walking skeleton discipline
- Bus factor → normal Harmony collaboration patterns with Jean-Gabriel
- Customers #2-N for the federation story → business question, not technical
---
## Phase 4: Strategic alignment and scope clarifications
Sylvain provided specific clarifications that shaped the final plan:
**Balena was considered and rejected.** It's the closest viable alternative, open-source, but requires custom OS (balenaOS — lock-in of a different kind), lacks native SSO + secrets integration, and positions NationTech as a Balena integrator rather than a platform company. AGPL Harmony vs. Balena has similar license profiles; NationTech can deliver honest no-lock-in positioning.
**Three-way relationship structure:** NationTech → Partner (custom software shop, engineering-quality-focused, does coaching) → End-customer (whose field-deployed Pi 5 devices run the partner's application). Tuesday's demo is for the Partner. Production deployment may involve direct end-customer contact later.
**Partner relationship is healthy and collaborative.** They want NationTech to succeed. Demo failure modes tolerable. Platform partnership is an active topic between the teams — they explicitly value having a platform partner they trust for landing their own customers.
**Other potential customers exist but aren't paying.** NationTech is managing their OKD clusters via other means for now. They can wait. NationTech's own OKD coordination pain is the largest driver.
---
## Phase 5: Technical nitty-gritty corrections
Sylvain corrected several technical details Claude had gotten wrong or overdesigned:
**No `harmony-podman-score` new crate.** It's a new module in `harmony/src/modules/podman/` following existing Harmony module conventions. Corrected in the plan.
**Use `podman-api` Rust crate, not shell-out.** Strongly typed API preferred. Requires `systemctl --user enable --now podman.socket` on the device. `podlet` crate worth evaluating later when Quadlet comes back in scope (v0.1+).
**Graceful shutdown is just `podman stop` with 5-min timeout then SIGKILL.** Not kubelet-style pod termination. Claude had overcomplicated this.
**Score envelope was overdesigned — drop it.** The "ScoreEnvelope with format/encoding/content_hash/data" pattern reminded Sylvain of SOAP. Use adjacently-tagged serde enum instead: `#[serde(tag = "type", content = "data")]`. Rust type name is the discriminator. Agent deserializes directly into the typed Score. No double-deserialization, no opaque bytes, no format version strings.
**Change detection via string comparison, not content hash.** Comparing serialized Score strings is cheap enough at this scale (a couple times per minute). Removes hashing-algorithm risk. More deterministic.
**Agent config is flat TOML for v0.** Long-term target is zero-config — device boots (PXE if budget allows), has a Zitadel URL + initial token, fetches real config from OpenBao, connects to NATS. OpenBao as source of truth for NATS credentials. v0 uses simple shared NATS credentials directly in TOML.
**OpenBao outage must not break NATS reconnect if token is still valid.** The auth callout in v0.2 should validate Zitadel tokens against JWKS directly; OpenBao lookup for group permissions should be cached in the callout. Availability-favoring design — reboot isn't more of a security event than a passing minute, and NATS rejects on actual token expiry anyway. No degradation of real security posture.
---
## Phase 6: aarch64 discovery
Late in the conversation, the single most important technical issue surfaced. Claude had been flagging "does Harmony `Interpret` work in daemon mode?" as the biggest Friday risk. Sylvain corrected that this was a non-issue.
**The real issue:** Harmony doesn't currently compile on aarch64. When `harmony_agent` was cross-compiled for ARM64, an upstream dependency had to be pulled out. Sylvain's 80% confidence: single sub-dependency used by only a few modules, feature-gatable, those modules become unavailable on ARM (acceptable — device doesn't need every Harmony feature).
**This replaces the Friday-evening "§6 decision" in the plan.** It becomes the first-hour investigation. Fallback paths exist: build agent against minimum aarch64-clean Harmony subset, or (worst case) pure Rust without Harmony Score traits for v0, adopt them in v0.1.
---
## Phase 7: Final plan adjustments
The walking skeleton plan was updated with all agreed decisions in a single coherent revision. Key decisions baked into the final doc:
**Section-by-section:**
- **§1 Strategic framing** now explicitly names NationTech as largest customer and describes the decentralized cloud vision (heating buildings, sovereign, etc.) so collaborators reading the plan understand this is long-term investment, not a side project.
- **§5.4 agent scope:** kubelet compatibility explicitly NOT a goal, kubelet architecture as north star only, v0 absolutely minimal. One paragraph, no enforced limits — discipline through inherent minimalism.
- **§5.5 Score message format:** adjacently-tagged serde enum, no envelope, no content hash, string comparison for change detection.
- **§6.7 agent config:** flat TOML for v0. v0.2 narrows to Zitadel-token-bootstrap model.
- **§7 aarch64 investigation** is the Friday-evening critical path. Fallbacks documented.
- **§8 Hour 1-2 field readiness:** heavy power-cycle testing, network-out-during-boot, agent crash loop. SD card wear / thermal / PoE explicitly ruled out per partner conversation.
- **Agent task cards:** A1 uses new Score format. A2 targets `harmony/src/modules/rpi/`. A3 commits to `podman-api` crate. Graceful shutdown simplified.
- **§12 v0.2 roadmap** includes availability-favoring auth callout design (cached OpenBao permissions, NATS handles token expiry).
- **§13 partner conversation:** technical strategy only; "others in your network" question dropped per Sylvain ("overstepping into sales, not your concern").
**Explicitly removed:**
- OKD-as-device future spike (kept in strategic framing only, not execution)
- Three-level Jean-Gabriel review process (normal Harmony collaboration applies)
- ScoreEnvelope wrapping
- Content hash in Score messages
- `iot-contracts` crate in v0 (extract v0.1)
- Thesis document Sunday dispatch (moved to v0.1 Week 2)
---
## Key principles for implementing agents
Drawing these out as they're load-bearing for judgment calls:
1. **The walking skeleton is the plan. Ship Tuesday with something crude but working.** Not production-ready, not complete. Working end-to-end thread from git push to container running on Pi.
2. **Inherent discipline over enforced limits.** The plan doesn't have line-count budgets or anti-scope lists because Sylvain argued (correctly) that walking-skeleton discipline makes them redundant. If you find yourself wanting to add PLEG event streams, per-workload worker pools, or housekeeping sweeps to v0 — don't. Periodic relist is enough.
3. **Architectural boundaries (§6) must survive v0 even under deadline pressure.** Score enum polymorphic from day one. Credentials behind a trait. Topology generalizable. CRD spec forward-compatible. NATS subject grammar matches long-term. These cost little now and save big later. Don't take shortcuts here to save 20 minutes.
4. **Scope cuts (§4) are real, not aspirational.** Zitadel/OpenBao deferred to v0.2. One device for Tuesday. No groups. No rollout state machine. No API. No TUI. No observability beyond journalctl. Fighting these cuts is the plan's biggest risk.
5. **Availability favored over strict security posture.** The auth callout caches OpenBao lookups. Token expiry is the authoritative revocation mechanism, not real-time policy lookup. A disconnected OpenBao doesn't brick the fleet.
6. **The `podman-api` crate is the happy path.** Shell-out to `podman` is fallback-only. Strong typing wins when available.
7. **Sylvain owns the critical code himself.** Agent A1 (operator), A2 (Pi provisioning), A3 (installer), A4 (demo script) are agent-dispatched. The agent binary itself and the `PodmanV0Score` implementation are Sylvain's work. The auth callout (v0.2) will also be human-written. Don't propose that agents take over these pieces.
8. **The partner relationship is strategic.** Tuesday demo conversation is half the Tuesday deliverable. Framing the v0.1/v0.2/v0.3 roadmap to them matters as much as the running code.
9. **End-customer debuggability is a UX constraint.** Mechanical/electrical/chemical engineers will touch these devices. `systemctl status iot-agent` must tell them what's happening. `journalctl -u iot-agent` must be parseable by humans. Error messages must be understandable without Kubernetes knowledge.
10. **NATS is the long-term architectural commitment.** Everything on NATS — not as a queue, as a coordination fabric. The "decentralized cluster management" future depends on this choice. Implementation decisions that weaken this (e.g., "let's just put a database in the middle") should be pushed back on.
---
## What failed or went wrong in the planning process
Noted for meta-awareness — avoid repeating:
- **Claude overproduced.** Three planning documents when two would do. Under deadline pressure, planning documents are distractions from execution. Sylvain eventually said this directly.
- **Claude under-weighted end-customer UX.** Initial k3s recommendation treated "Kubernetes is easy" as universal when it's only easy for people who already know Kubernetes.
- **Claude under-weighted strategic positioning.** Platform-building vs. integration-consulting is a business choice; Claude treated it as purely technical.
- **Claude repeatedly flagged the Harmony daemon-mode concern** despite it being already solved. A better first question would have been "does this work today?" rather than "what if this doesn't work?"
- **Claude's initial Zitadel/OpenBao integration estimate was too large** because Claude didn't fully internalize "integration is 99% done in Harmony." The remaining work is wiring, not implementing.
- **Claude started with the ScoreEnvelope pattern** before understanding Harmony's native serde patterns. The "SOAP" reaction was deserved.
---
## What's in the final plan
The final document `iot-platform-v0-walking-skeleton.md` (~700 lines) contains:
- Strategic framing (§1)
- Walking skeleton vs. alternatives comparison (§2)
- Tuesday demo definition (§3)
- Scope cuts with milestones (§4)
- End-to-end architecture (§5)
- Architecture boundaries to preserve (§6)
- Friday aarch64 investigation and fallbacks (§7)
- Hour-by-hour Friday-Tuesday plan (§8)
- Four agent task cards (§9)
- Anti-patterns prevented (§10)
- Failure-mode decision tree (§11)
- Post-Tuesday roadmap v0.1→v0.4+ (§12)
- Partner conversation structure for Tuesday (§13)
Companion documents for deep-dive reference:
- `iot-platform-architecture.md` — full architecture with primary-source citations, useful for v0.2+ when auth is implemented
---
## What agents should do when uncertain
The plan cannot anticipate everything. When an agent hits an ambiguity, the decision hierarchy is:
1. **Does this preserve the end-to-end thread for Tuesday?** If yes, proceed. If it breaks the thread, stop and escalate.
2. **Does this preserve architectural boundaries §6?** If unsure, favor the boundary.
3. **Does this add scope beyond §4's in-scope list?** If yes, don't do it, regardless of how easy it seems.
4. **Is this security-critical?** If yes, don't add new code — flag for human review. Especially relevant for v0.2 auth callout work.
5. **Would this be more elegant but take an extra hour?** Don't do it. Ship Tuesday.
6. **Is the end-customer engineer's debuggability harmed by this choice?** If yes, don't do it.
7. **Is this on the path to the OKD-cluster-as-device future?** Don't optimize for this in v0. The abstractions are correct; don't over-invest.
The walking skeleton's entire value is shipping Tuesday. Every decision that serves that goal is correct. Every decision that defers it (no matter how well-intentioned) is wrong.
Reference in New Issue View Git Blame Copy Permalink