Federation
Federation is the mechanism by which two or more Ampora servers expose a read-only aggregation surface to each other. Operators on either side can list and inspect agents that live on the other side without merging tenants or breaking per-cluster security boundaries.
| Page | Use it for |
|---|---|
| Registering a peer | The bilateral, manual trust setup |
| Federated rollouts | Multi-peer rollouts coordinated centrally |
| Cross-cluster handover | Move an agent from one peer to another with identity continuity |
Tutorial
The end-to-end walkthrough is on Tutorials → Federate two clusters.
Trust model
- mTLS client cert + shared secret. Both factors required.
- Trust pinned by certificate thumbprint, not CA — Ampora servers often have unrelated CAs.
- Manual bilateral setup: each side knows the other's cert PEM and the shared secret. There is no auto-discovery.
This is deliberate; federation is a sparse graph (typically 2–5 peers) operated by the same organisation, and the manual cost is a one-time setup.
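The two-factor check described above, as an added example (not Ampora's own code): a peer is accepted only when its certificate thumbprint is registered and the presented shared secret matches. The SHA-256-over-DER thumbprint, the `PeerRegistry` class, the function names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import ssl
from dataclasses import dataclass, field


def thumbprint(cert_der: bytes) -> str:
    # Assumption: thumbprint = SHA-256 over the DER-encoded certificate.
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PeerRegistry:
    """Hypothetical in-memory store filled in by the manual bilateral setup."""
    peers: dict = field(default_factory=dict)  # thumbprint -> (name, secret)

    def register(self, name: str, cert_pem: str, shared_secret: bytes) -> str:
        # Pin the exact certificate; no CA chain is consulted at any point.
        tp = thumbprint(ssl.PEM_cert_to_DER_cert(cert_pem))
        self.peers[tp] = (name, shared_secret)
        return tp

    def authenticate(self, presented_cert_der: bytes, presented_secret: bytes):
        """Return the peer name only if BOTH factors match, else None."""
        entry = self.peers.get(thumbprint(presented_cert_der))
        # Unknown thumbprint: still run the comparison against a dummy value
        # so the outcome does not reveal which factor failed.
        name, expected = entry if entry else (None, b"\x00" * 32)
        secret_ok = hmac.compare_digest(expected, presented_secret)
        return name if (entry is not None and secret_ok) else None


def constructed_pem(body: bytes) -> str:
    # Constructed stand-in for a certificate: arbitrary bytes in a PEM wrapper.
    b64 = base64.encodebytes(body).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    reg = PeerRegistry()
    peer_der = b"constructed-peer-b-certificate"
    reg.register("cluster-b", constructed_pem(peer_der), b"s3cret-from-setup")
    print(reg.authenticate(peer_der, b"s3cret-from-setup"))       # both factors
    print(reg.authenticate(peer_der, b"wrong"))                   # cert only
    print(reg.authenticate(b"other-cert", b"s3cret-from-setup"))  # secret only
```

In a real deployment the presented DER bytes would come from the TLS layer after the handshake, so the thumbprint is computed over the certificate the peer actually proved possession of.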
What federation is not
- Not a global control plane. No shared identity provider, no shared tenant ID.
- Not a write-coordination protocol (in Tranche 3). Reads only, with the local audit log untouched by remote calls.
- Not a replacement for HA. Federation links separate fleets, not multiple instances of the same fleet. Use HA wire-up for the latter.
Tranches
| Tranche | What it gives you | Status |
|---|---|---|
| 3 (foundation) | Read-only aggregation, peer registration, mTLS + secret auth | Shipped |
| 4 | Federated rollouts; cross-cluster handover | Shipped, see Federated rollouts and Handover |
The ADRs for the underlying protocol are ADR-050 and ADR-051.