Components
Runink Platform Components
This page describes the core building blocks of Runink โ from the API server to slices โ that make up the distributed data environment. Each component serves a purpose in ensuring secure, auditable, and high-performance pipeline execution.
Components Table
| Component | Role | Location |
|---|---|---|
| API Server | Entry point, AuthN/Z, coordination | Control Plane |
| Identity Manager | OIDC/JWT validation and RBAC enforcement | Control Plane |
| Barn | Raft-backed KV store | Control Plane |
| Scheduler | DAG-aware placement engine | Control Plane |
| Secrets Manager | Encrypted secret storage and delivery | Control Plane |
| Governance Svc | Lineage, quality, LLM annotations | Control Plane |
| Runi Agent | Worker orchestrator (cgroup+namespace) | Worker Node |
| Runi Slice | Executed unit of pipeline logic | Worker Node |
| Herd | Tenant boundary and resource isolation | System-wide |
| Contracts | Data validation and schema enforcement | Contracts repo |
| DSL Parser | Converts .dsl to Go DAGs | Build pipeline |
Runink Services
๐ Contract Engine
All data contracts (schemas) are defined in Go structs, with support for:
- Required/optional fields
- Type validation and coercion
- Golden testing and schema diffing
- Metadata annotations (e.g., PII, lineage tags)
๐ผ Used in: DSL @contract, golden tests, slice validation stages.
โ๏ธ Feature DSL Parser
Parser and compiler for .dsl files.
- Converts scenario definitions into Go-based DAGs
- Enforces step ordering and contract compliance
- Attaches metadata for scheduling, RBAC, lineage
๐ค Keywords: @step, @contract, @source, @sink, @affinity, @requires.
๐ Runi Agent
Daemon running on each worker node, responsible for execution.
- Registers with the control plane.
- Launches slices as Go processes within cgroups and namespaces.
- Sets up stdio pipes, config injection, and secrets access.
- Collects logs and exposes Prometheus metrics.
๐ก Design: PID 1 in isolated namespace, manages ephemeral slices securely.
โ๏ธ Runi Slice
A single unit of work โ a pipeline step โ running in an isolated environment.
- Executed via
os.Execas a native Go binary. - Enforces herd-defined resource quotas using cgroups.
- Receives config, secrets, and contracts.
- Reports lineage to Governance Service.
๐ฆ Properties: Ephemeral, scoped, observable, auditable.
๐งฑ Barn (Cluster State Store)
A Raft-backed KV store providing durable, consistent cluster state.
- Stores pipeline definitions, slice metadata, herd configs, secrets, etc.
- Supports leader election and quorum for all control plane decisions.
๐ก๏ธ Guarantees: High availability, deterministic orchestration, and strong consistency.
๐งฐ Herd
Logical boundary for multi-tenancy, quotas, and governance.
- Maps to a namespace (network, user, mount, etc.).
- RBAC is scoped per herd.
- Resource quotas applied at the herd level.
- All metadata, secrets, and lineage are tagged with a herd context.
๐ Analogy: Like Kubernetes namespaces but tighter and more secure.
Herd Control Plane Services
๐ก API Server
The entry point for all client interactions (CLI, UI, and service integrations).
- Exposes REST/gRPC APIs secured via OIDC/JWT.
- Enforces RBAC and herd scoping.
- Forwards validated requests to:
- State store (
Barn) - Identity Manager
- Scheduler
- Secrets Manager
- Governance Service
- State store (
๐ Security: Applies policies based on identity and herd-level permissions.
๐ง Identity & RBAC Manager
Responsible for identity resolution and access control.
- Validates JWT/OIDC tokens.
- Resolves user roles and herd membership.
- Provides per-herd scoped RBAC policies.
๐ Location: Can run co-located with the API server or standalone.
๐ Slice Scheduler
The component responsible for task placement and orchestration.
- Reads resource constraints from DSLs (
@requires). - Evaluates herd quotas, affinities, and node health.
- Determines optimal slice placement.
- Writes placements into
Barn.
๐งฎ Logic: Constraint-solving over stateful inputs โ affinity, quotas, node availability.
๐ Secrets Manager
Handles secure secrets storage and delivery.
- Stores secrets in encrypted form (AES/GCM).
- Enforces access via RBAC.
- Slices receive secrets via
Runi Agentduring launch.
๐๏ธ Design: Secrets access scoped by herd and role, logged via Raft.
๐ Data Governance Service
Tracks lineage, metadata, and annotations for all slices.
- Stores rich metadata per run, stage, and contract hash.
- Supports querying for audit, compliance, and debugging.
- Can receive LLM-based annotations.
๐ Outputs: Lineage graphs, quality reports, field-level annotations.
๐ Observability Stack
Built-in support for:
- Prometheus: Metrics exposure via
/metrics - Fluentd or stdout logs: Structured JSON logs captured per slice
- gRPC metadata reporting: Trace context, tags, and result metadata
๐งญ Goal: Enable deep pipeline inspection without needing external agents.
๐ Pipes and Channels
Slices and agents use pipes (via io.Pipe, os.Pipe, net.Pipe) to transmit data and logs.
- Steps within a slice communicate via in-memory streams.
- No intermediate buffering โ zero-copy, backpressure-safe.
- Logs are captured via stdout/stderr and piped to the agent.
๐ฐ Benefits: Stream processing, constant memory, no containers.