Mesh Propagation — Artifact Distribution
This document covers the three-tier artifact source resolution strategy and mesh-based artifact propagation for fleet rollouts.
Overview
Artifacts (OCI images, lock files, policy bundles) needed for rollout activation are resolved through a three-tier strategy:
1. Verified local cache — instant, no network
2. Reachable mesh peer — LAN relay, lower latency
3. Registry fallback — WAN, always available
Critical invariant: mesh propagation distributes bytes only. It never grants activation permission. Verification is always local and mandatory after peer or registry fetch, before any activation can proceed.
Source Resolution
SourceResolver (runtime/source_resolver.go) implements the strategy:
Tier 1: Local Cache
If a LocalCacheChecker is configured and HasVerifiedArtifact(ref) returns
true, the artifact is used immediately. No network access needed.
Tier 2: Mesh Peer Relay
If PeerFetcher is configured and MeshHints include peer relay nodes:
1. Filter peers through PeerReachable probe
2. For each reachable peer, call FetchFromPeer(ctx, peer, ref)
3. On fetch success, verify locally using the configured Verifier
4. Emit artifact_source_peer telemetry event

If a peer-fetched artifact fails verification, try the next peer.
Tier 3: Registry Fallback
If all peers fail (or none are configured):
1. Call RegistryFetcher.FetchFromRegistry(ctx, ref)
2. Verify locally using the configured Verifier
3. Emit artifact_source_registry telemetry event
Fail-Closed Verification
If any fetch source is configured (peer or registry) but Verifier or
PubKeyPath is missing, the resolver returns an error immediately. Fetched
artifacts are never used without verification.
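A sketch of tiers 2 and 3 with the fail-closed rule, added here as an example and not taken from the project's runtime/source_resolver.go. Resolve, Fetcher, Verifier and PinnedDigest are hypothetical names, and a pinned SHA-256 digest stands in for the cosign signature check:

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical types, not the project's API. Fetcher returns bytes from one source.
type Fetcher func(ref string) ([]byte, error)
// Verifier is the mandatory local check applied to every fetched artifact.
type Verifier func(data []byte) error

// PinnedDigest stands in for the cosign check: accept only the expected SHA-256.
func PinnedDigest(want [32]byte) Verifier {
	return func(data []byte) error {
		if sha256.Sum256(data) != want {
			return errors.New("digest mismatch")
		}
		return nil
	}
}

// Resolve tries peers in order, then the registry. Bytes are returned only
// after verify succeeds; a fetch source without a verifier is an error.
func Resolve(ref string, peers []Fetcher, registry Fetcher, verify Verifier) ([]byte, string, error) {
	if verify == nil && (len(peers) > 0 || registry != nil) {
		return nil, "", errors.New("fetch source configured without verifier")
	}
	for _, fetch := range peers {
		if data, err := fetch(ref); err == nil && verify(data) == nil {
			return data, "mesh_peer", nil
		} // fetch or verification failed: try the next peer
	}
	if registry != nil {
		if data, err := registry(ref); err == nil && verify(data) == nil {
			return data, "registry", nil
		}
	}
	return nil, "", errors.New("no source produced a verified artifact")
}

func main() {
	good := []byte("policy-bundle-v1") // constructed sample artifact
	bad := func(string) ([]byte, error) { return []byte("tampered"), nil }
	ok := func(string) ([]byte, error) { return good, nil }
	_, src, err := Resolve("example.invalid/bundle:1", []Fetcher{bad}, ok, PinnedDigest(sha256.Sum256(good)))
	fmt.Println(src, err) // registry <nil>
}
```

A peer that returns altered bytes is skipped like an unreachable one, so a compromised relay can delay resolution but cannot supply the artifact that is used.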
Configuration
SourceResolverConfig fields:

| Field | Type | Required | Description |
|---|---|---|---|
|  |  | No | Checks for verified local copy |
|  |  | No | Fetches from mesh peers |
|  |  | No | Fetches from OCI registry |
|  |  | Yes* | Verifies fetched artifacts |
|  |  | Yes* | Cosign public key path |
|  |  | No | Probes peer reachability |

*Required when PeerFetcher or RegistryFetcher is configured.
Mesh Hints
MeshHints are delivered alongside rollout poll responses from the control
plane. They include:
- PeerRelayNodes — list of peer node IDs that have the artifact available
- RegistryRef — the canonical OCI registry reference

Peer selection uses SelectReachablePeers() which filters the hints through
the PeerReachable probe.
Edge Relay Configuration
The edge relay subsystem (edge/config/config.go) controls outbound
multi-peer relay behavior:

| Field | Type | Description |
|---|---|---|
|  |  |  |
|  |  | Evict segment immediately on relay success |
|  |  | Concurrent relay executor goroutines |
|  |  | Max dial time for outbound relay |
|  |  | Max wait for peer ACK after send |

Artifact Availability Tracking
The control plane tracks artifact availability per-node in the
artifact_availability table:
```sql
CREATE TABLE IF NOT EXISTS artifact_availability (
    plan_id              TEXT NOT NULL,
    artifact_fingerprint TEXT NOT NULL,
    node_id              TEXT NOT NULL,
    locally_available    INTEGER NOT NULL DEFAULT 0,
    peer_available       INTEGER NOT NULL DEFAULT 0,
    relay_status         TEXT NOT NULL DEFAULT 'not_started',
    last_seen_peer_id    TEXT,
    peer_count           INTEGER NOT NULL DEFAULT 0,
    updated_at           TEXT NOT NULL,
    PRIMARY KEY (plan_id, node_id)
);
```
This data is advisory (read-only observability surface). It does not affect activation eligibility.
Telemetry Events
Artifact distribution events are emitted as EventKindRollout with
attrs["phase"] set to the phase constant:

| Phase Constant | Value | When |
|---|---|---|
|  |  | Artifact fetched from mesh peer |
|  |  | Artifact fetched from registry |
|  |  | Peer identified as source |
|  |  | Fetch initiated |
|  |  | Artifact received and verified |
|  |  | Fetch attempt failed |
|  |  | Falling back from peer to registry |
|  |  | Relay retries exhausted |

Additional attributes on source events:
- artifact_ref — the OCI artifact reference
- source — "mesh_peer" or "registry"
- peer_node_id — the peer’s node ID (peer source only)