peat-gateway: enterprise control plane with multi-org tenancy, CDC, IDAM, and Zarf/UDS packaging #42

@kitplummer

Summary

peat-mesh-node is a single-formation tactical node. Enterprise/cloud deployments need a dedicated gateway service — peat-gateway (separate repo) — that provides:

  1. Multi-org tenancy — multiple organizations, each with independent formations (app IDs), isolated key material, per-org IDAM, and scoped CDC sinks
  2. CDC (Change Data Capture) — stream CRDT document changes to Kafka, NATS, Redis Streams, webhooks
  3. AuthZ pass-through — per-org OIDC/SAML federation for enrollment (Keycloak, Okta, Azure AD, CAC/mTLS)
  4. Admin UI — SvelteKit web dashboard for org/formation management, topology, documents, certs, CDC monitoring
  5. Zarf/UDS packaging — first-class UDS capability with Helm chart, UDS Package CR, SSO, network policies, Grafana dashboards, air-gapped bundle

Architecture

See ADR-0011 for full design.

Separate repo (defenseunicorns/peat-gateway) depending on peat-mesh as a library. Feature-flagged sinks (kafka, nats, redis-streams, webhook), identity providers (oidc, saml), and backends (postgres).

Implementation Phases

Phase 1: Foundation

  • Create peat-gateway repo
  • Tenant manager (org CRUD, multi-genesis, per-formation cert stores)
  • Admin REST API (org/formation CRUD, peers, certificates)
  • Health + Prometheus metrics
  • Dockerfile (multi-arch, Chainguard)

Phase 2: CDC

  • CDC event model + Automerge change watcher
  • Sink trait + cursor tracking (at-least-once)
  • NATS JetStream, Kafka, webhook sinks

Phase 3: Identity Federation

  • Per-org OIDC token introspection + claim-to-tier mapping
  • Enrollment delegation (OIDC token → mesh certificate)
  • SAML consumer for gov/DoD

Phase 4: Admin UI

  • SvelteKit dashboard (orgs, formations, peers, documents, certs, CDC sinks)

Phase 5: Zarf / UDS Packaging

  • Helm chart + UDS Package CR + network policies + SSO
  • Zarf package + UDS bundle (with NATS, optional Postgres)
  • Grafana dashboards
  • CI: test → build → cosign → SBOM → Zarf → publish

Phase 6: Production Hardening

  • Postgres + KMS for key material
  • Horizontal scaling + leader election
  • Integration + load testing
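The "Sink trait + cursor tracking (at-least-once)" item in Phase 2, together with the per-org scoping of sinks from the summary, as an added Rust example. This is not code from peat-gateway or peat-mesh; the `CdcEvent` shape, the `Sink` trait, `CursorStore`, the `MemorySink` test double and the tenant check in `pump` are all assumptions made here for illustration. It shows the two things a practitioner has to get right with an at-least-once cursor: the cursor only advances after the sink acknowledges, so a lost ack produces a duplicate that the consumer must dedupe, and a sink bound to one org must refuse events from another.

```rust
use std::collections::{HashMap, HashSet};

/// Assumed CDC event shape (the issue only names a "CDC event model").
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct CdcEvent {
    pub org_id: String,
    pub formation: String,
    pub doc_id: String,
    /// Monotonic position in the per-formation change log; the cursor is a seq.
    pub seq: u64,
    /// Opaque Automerge change bytes (constructed placeholder data below).
    pub change: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum SinkError {
    /// The sink could not confirm durable acceptance; the event must be retried.
    Unacked(String),
    /// The event belongs to an org other than the one this sink is scoped to.
    TenantMismatch { sink_org: String, event_org: String },
}

/// Assumed sink trait: `deliver` returns Ok only once the broker durably accepted the event.
pub trait Sink {
    fn org_id(&self) -> &str;
    fn deliver(&mut self, event: &CdcEvent) -> Result<(), SinkError>;
}

/// Cursor per (org, formation, sink): highest seq whose delivery was acknowledged.
/// In-memory here; a real gateway would persist it (Postgres in Phase 6).
#[derive(Default)]
pub struct CursorStore {
    acked: HashMap<(String, String, String), u64>,
}

impl CursorStore {
    pub fn get(&self, org: &str, formation: &str, sink: &str) -> u64 {
        let key = (org.to_string(), formation.to_string(), sink.to_string());
        *self.acked.get(&key).unwrap_or(&0)
    }
    fn advance(&mut self, org: &str, formation: &str, sink: &str, seq: u64) {
        self.acked.insert((org.into(), formation.into(), sink.into()), seq);
    }
}

/// Drain `log` (one formation, ordered by seq) into `sink`, advancing the cursor
/// only after each successful delivery. On Err the cursor stays put, so the
/// failed event (and everything after it) is redelivered on the next run.
pub fn pump(
    sink_name: &str,
    sink: &mut dyn Sink,
    formation: &str,
    log: &[CdcEvent],
    cursors: &mut CursorStore,
) -> Result<usize, SinkError> {
    let org = sink.org_id().to_string();
    let start = cursors.get(&org, formation, sink_name);
    let mut delivered = 0;
    for ev in log.iter().filter(|e| e.seq > start) {
        // Defense in depth for multi-org tenancy: a sink never sees another org's changes,
        // even if the caller handed it the wrong log.
        if ev.org_id != org {
            return Err(SinkError::TenantMismatch { sink_org: org, event_org: ev.org_id.clone() });
        }
        sink.deliver(ev)?;
        cursors.advance(&org, formation, sink_name, ev.seq);
        delivered += 1;
    }
    Ok(delivered)
}

/// Test double standing in for NATS/Kafka: records what the broker accepted and can
/// simulate "accepted but the ack was lost" for one seq.
pub struct MemorySink {
    pub org: String,
    pub received: Vec<CdcEvent>,
    pub drop_ack_for: Option<u64>,
}

impl Sink for MemorySink {
    fn org_id(&self) -> &str {
        &self.org
    }
    fn deliver(&mut self, event: &CdcEvent) -> Result<(), SinkError> {
        self.received.push(event.clone()); // the broker durably accepted it...
        if self.drop_ack_for == Some(event.seq) {
            self.drop_ack_for = None; // ...but the ack never made it back to the gateway
            return Err(SinkError::Unacked(format!("ack lost for seq {}", event.seq)));
        }
        Ok(())
    }
}

/// Consumer-side dedupe on (org, formation, doc, seq): the price of at-least-once.
pub fn dedupe(events: &[CdcEvent]) -> Vec<CdcEvent> {
    let mut seen = HashSet::new();
    events
        .iter()
        .filter(|e| seen.insert((e.org_id.clone(), e.formation.clone(), e.doc_id.clone(), e.seq)))
        .cloned()
        .collect()
}

/// Constructed sample log: three changes to one document in formation "alpha".
pub fn sample_log(org: &str) -> Vec<CdcEvent> {
    (1..=3)
        .map(|seq| CdcEvent {
            org_id: org.into(),
            formation: "alpha".into(),
            doc_id: "doc-1".into(),
            seq,
            change: vec![seq as u8; 4],
        })
        .collect()
}

/// Scenario: first run loses the ack for seq 2, second run redelivers from the cursor.
/// Returns (acked after run 1, delivered in run 2, events the broker holds, unique after dedupe).
pub fn lost_ack_scenario() -> (u64, usize, usize, usize) {
    let log = sample_log("org-a");
    let mut sink = MemorySink { org: "org-a".into(), received: vec![], drop_ack_for: Some(2) };
    let mut cursors = CursorStore::default();
    let first = pump("nats", &mut sink, "alpha", &log, &mut cursors);
    assert!(matches!(first, Err(SinkError::Unacked(_))));
    let acked_after_first = cursors.get("org-a", "alpha", "nats");
    let second = pump("nats", &mut sink, "alpha", &log, &mut cursors).expect("retry succeeds");
    (acked_after_first, second, sink.received.len(), dedupe(&sink.received).len())
}

/// Scenario: an org-b sink pointed at org-a's log delivers nothing and fails closed.
pub fn tenant_mismatch_rejected() -> bool {
    let log = sample_log("org-a");
    let mut sink = MemorySink { org: "org-b".into(), received: vec![], drop_ack_for: None };
    let mut cursors = CursorStore::default();
    let res = pump("kafka", &mut sink, "alpha", &log, &mut cursors);
    matches!(res, Err(SinkError::TenantMismatch { .. })) && sink.received.is_empty()
}

fn main() {
    let (acked, redelivered, held, unique) = lost_ack_scenario();
    println!("acked after run 1: {acked}, run 2 delivered: {redelivered}, broker holds: {held}, unique: {unique}");
    println!("cross-org delivery rejected: {}", tenant_mismatch_rejected());
}
```

The duplicate of seq 2 is not a bug in the pump; it is the contract of at-least-once, and it is why the cursor key includes the sink name: two sinks for the same formation fail and retry independently. Consumers downstream of Kafka or JetStream need the same (org, formation, doc, seq) idempotency key, or a broker-side dedupe window, before they apply changes.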
