Edge Model
ServiceRadar runs a single edge binary, serviceradar-agent, on monitored sites. The agent connects outbound to the control plane over mTLS gRPC and:
- runs collectors and polling engines close to the network
- executes sandboxed Wasm plugins (via
wazero) - streams results to the platform using unary and streaming gRPC (chunked payloads when needed)
- participates in a bidirectional control stream for commands and config updates
What Runs In The Agent
The agent is not just a "status pusher". It is the edge runtime for:
- Wasm plugin execution (sandboxed, capability-based host ABI)
- embedded sync integrations (inventory sources like NetBox/ArMIS)
- SNMP polling
- discovery/mapping engines (topology discovery)
- mDNS collection (where enabled)
Connection And Config Flow
High level lifecycle:
- Agent starts and establishes an outbound mTLS gRPC connection to
agent-gateway. - Agent sends
Hello(identity metadata; identity is derived from the certificate). - Agent fetches its effective config (
GetConfig). - Agent opens streaming channels for control-plane signaling and large payload delivery.
Edge gRPC API (Gateway)
The edge agent talks to the platform through AgentGatewayService:
Hello: initial enrollment/identity handshake (mTLS identity is derived from the certificate).GetConfig: fetch effective config; supports versioning (not_modifiedwhen unchanged).PushStatus: unary push for status/results payloads that fit comfortably in a single request.StreamStatus: client-streaming push for large status/results payloads (chunked).ControlStream: bidirectional stream for command dispatch, command acks/progress/results, and pushed config updates.
Security Boundaries
- Agents do not join the ERTS cluster.
- Agents do not connect to CNPG directly.
- Plugins do not get raw filesystem or socket access; network access is proxied and allowlisted.
For plugin details, see Wasm Plugin Checkers.