Go Control Plane

The Go control plane orchestrates services, enforces policies with OPA, and manages the device lifecycle through gRPC.

Overview

The Go control plane sits between the data plane and the AI Engine, providing service orchestration, policy enforcement, and management APIs. It is built with Go for high concurrency and low latency.

Service Structure

go/
  controlplane/               # Service orchestration
    cmd/controlplane/         # Main entrypoint
    internal/
      policy/                 # OPA policy engine
      vault/                  # HashiCorp Vault client
  mgmtapi/                    # Management REST API
    cmd/mgmtapi/              # Main entrypoint
    internal/
      devices/                # Device lifecycle management
  agents/device-agent/        # Edge device agent
    internal/
      tpm/                    # TPM sealing for secrets

OPA Policy Engine

The control plane integrates Open Policy Agent (OPA) for fine-grained, declarative policy enforcement:

  • Policy Bundles -- load and manage Rego policy bundles
  • Runtime Evaluation -- evaluate policies against incoming requests in real time
  • Admission Control -- validate Kubernetes deployments before admission
  • Compliance Policies -- enforce SOC 2, GDPR, and HIPAA requirements

Example Rego Policy

package qbitel.admission

default allow = false

# Admit a Pod only when no container is privileged and every container
# declares resource limits and a securityContext.
allow {
    input.request.kind.kind == "Pod"
    not uses_privileged_container
    has_resource_limits
    has_security_context
}

uses_privileged_container {
    some container
    input.request.object.spec.containers[container].securityContext.privileged == true
}

# An existential check ("some container ... resources.limits") would admit the
# Pod as soon as one container sets limits, so the positive checks are written
# as "no container lacks the field".
has_resource_limits {
    not missing_resource_limits
}

missing_resource_limits {
    container := input.request.object.spec.containers[_]
    not container.resources.limits
}

has_security_context {
    not missing_security_context
}

missing_security_context {
    container := input.request.object.spec.containers[_]
    not container.securityContext
}

gRPC Services

The control plane exposes gRPC services for high-performance inter-service communication:

Service         Description
PolicyService   Policy evaluation and management
DeviceService   Device registration, lifecycle, and certificate management
ConfigService   Configuration distribution to agents
HealthService   Health checks and readiness probes

HashiCorp Vault Integration

Secrets management is handled through HashiCorp Vault:

  • Dynamic secrets -- generate short-lived database credentials on demand
  • PKI engine -- issue and rotate X.509 certificates
  • Transit engine -- encrypt/decrypt data without exposing keys
  • Auto-renewal -- automatic token and lease renewal

Device Management

The management API handles the full device lifecycle:

  • Registration -- onboard new devices with certificate-based identity
  • Certificate Management -- issue, rotate, and revoke device certificates
  • Lifecycle Control -- provision, update, decommission, and quarantine devices
  • TPM Sealing -- seal secrets to the device's TPM for hardware-backed protection

Edge Device Agent

The device agent runs on edge nodes and communicates with the control plane:

  • Lightweight Go binary for resource-constrained environments
  • mTLS connection to the control plane
  • Local policy caching for offline operation
  • TPM-backed secret storage
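The certificate-based device identity from Device Management and the agent's mTLS connection above, as an added example that is not the project's code: it stands in a constructed in-memory test PKI for the Vault PKI engine, and the names qbitel-device-ca, controlplane and device-0001 are assumptions. The control plane learns a device's identity only from a client certificate that chains to the device CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Issue mints an Ed25519 certificate for cn: a self-signed CA when ca is nil, else a leaf signed by ca (constructed test PKI).
func Issue(cn string, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	parent, signer := tmpl, any(key) // self-sign unless a CA was supplied
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs a mutually authenticated TLS 1.3 handshake between a device agent (client) and the
// control plane (server) over an in-memory pipe and returns the identity the control plane accepted:
// the client certificate's CommonName, read only after the chain has been validated against ca.
func Handshake(ca, server, device tls.Certificate) (string, error) {
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	cConn, sConn := net.Pipe()
	cConn.SetDeadline(time.Now().Add(2 * time.Second)) // a rejected handshake must not stall the pipe
	sConn.SetDeadline(time.Now().Add(2 * time.Second))
	// RequireAndVerifyClientCert turns away any agent whose certificate does not chain to the device CA;
	// session tickets are off only because a post-handshake ticket write would block the unbuffered pipe.
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: trusted,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	cli := tls.Client(cConn, &tls.Config{Certificates: []tls.Certificate{device}, RootCAs: trusted,
		ServerName: "controlplane", MinVersion: tls.VersionTLS13}) // pins the control plane's name; no InsecureSkipVerify
	go cli.Handshake() // a client-side failure surfaces as a TLS alert in srv.Handshake
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Issue("qbitel-device-ca", nil) gives the CA, Issue("controlplane", &ca) and Issue("device-0001", &ca) the two leaves; a device leaf signed by any other CA fails Handshake before its CommonName is ever read.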

Next Steps