Multi-Plant Federation
Federation connects multiple Conduit instances across facilities, enabling cross-plant visibility and queries.
How It Works
Each plant runs its own NATS server as a leaf node. Leaf nodes connect to a central hub cluster. When a dashboard at the hub subscribes to uns.PlantA.Line3.>, the PlantA leaf node automatically forwards matching messages.
Plant A (Leaf)    Plant B (Leaf)
  NATS ◄──── WAN ────► NATS
   │                    │
   └────────┐   ┌───────┘
            │   │
      ┌─────▼───▼───────┐
      │    NATS Hub     │
      │    (Central)    │
      │                 │
      │    Dashboard    │
      └─────────────────┘
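The interest-based forwarding described above depends on NATS subject matching, so a hub subscription pattern decides which plant subjects cross the WAN. The following is an added example, not code from Conduit or NATS; apart from `uns.PlantA.Line3.>`, the subject names are constructed for illustration.

```python
"""Which Plant A subjects a hub subscription pulls across the WAN (added example)."""


def subject_matches(pattern: str, subject: str) -> bool:
    """NATS matching: '*' is exactly one token, '>' is one or more trailing tokens."""
    p_tokens = pattern.split(".")
    s_tokens = subject.split(".")
    if not all(p_tokens) or not all(s_tokens):
        return False  # empty tokens ("a..b") are not valid subjects
    if ">" in p_tokens[:-1]:
        raise ValueError("'>' is only valid as the last token")
    for i, p in enumerate(p_tokens):
        if p == ">":
            return len(s_tokens) > i  # '>' needs at least one token at this position
        if i >= len(s_tokens):
            return False
        if p != "*" and p != s_tokens[i]:
            return False
    return len(s_tokens) == len(p_tokens)


def forwarded(hub_subscriptions, published):
    """Return the published subjects that at least one hub subscription matches."""
    return [s for s in published
            if any(subject_matches(p, s) for p in hub_subscriptions)]


# Constructed sample: subjects published locally at Plant A (hypothetical names).
PLANT_A_SUBJECTS = [
    "uns.PlantA.Line3.Filler.temperature",
    "uns.PlantA.Line3.Capper.state",
    "uns.PlantA.Line3",
    "uns.PlantA.Line4.Filler.temperature",
    "internal.PlantA.audit.login",
]

if __name__ == "__main__":
    for subs in (["uns.PlantA.Line3.>"], ["uns.PlantA.*.Filler.temperature"], [">"]):
        print(subs, "->", forwarded(subs, PLANT_A_SUBJECTS))
```

Running the same check over a plant's real subject list before approving a new hub subscription shows what that subscription would expose; in this sample the pattern `>` matches every subject, including the one outside `uns.`.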
Setup
1. Hub Configuration
The hub NATS server accepts leaf node connections:
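# hub-nats.conf
# Client connections
listen: 0.0.0.0:4222

leafnodes {
  # Port the plant leaf nodes connect to
  listen: 0.0.0.0:7422
  tls {
    cert_file: /certs/hub.crt
    key_file: /certs/hub.key
    ca_file: /certs/ca.crt
    # Require a client certificate from each leaf and verify it against ca_file (mTLS)
    verify: true
  }
}

jetstream {
  store_dir: /data
}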
2. Leaf Node Configuration
Each plant's NATS server connects to the hub:
# leaf-nats.conf
listen: 0.0.0.0:4222

leafnodes {
  remotes [
    {
      url: "tls://hub.company.com:7422"
      tls {
        cert_file: /certs/plant-a.crt
        key_file: /certs/plant-a.key
        ca_file: /certs/ca.crt
      }
    }
  ]
}

jetstream {
  store_dir: /data
}
3. Docker Compose (Federation Profile)
# Note: every service below mounts the whole ./certs directory, so each
# container can read the other nodes' private keys. In production, mount
# only the node's own certificate and key plus ca.crt.
services:
  nats-hub:
    image: nats:2.10-alpine
    command: --config /etc/nats/hub-nats.conf
    ports:
      - "4222:4222"
      - "7422:7422"
    volumes:
      - ./config/hub-nats.conf:/etc/nats/hub-nats.conf:ro
      - ./certs:/certs:ro
      - nats-hub-data:/data

  nats-leaf-a:
    image: nats:2.10-alpine
    command: --config /etc/nats/leaf-nats.conf
    volumes:
      - ./config/leaf-a-nats.conf:/etc/nats/leaf-nats.conf:ro
      - ./certs:/certs:ro
      - nats-leaf-a-data:/data

  nats-leaf-b:
    image: nats:2.10-alpine
    command: --config /etc/nats/leaf-nats.conf
    volumes:
      - ./config/leaf-b-nats.conf:/etc/nats/leaf-nats.conf:ro
      - ./certs:/certs:ro
      - nats-leaf-b-data:/data

volumes:
  nats-hub-data:
  nats-leaf-a-data:
  nats-leaf-b-data:
Cross-Plant Queries
When a query from Plant B targets data at Plant A:
- Conduit Core at Plant B receives the query
- The Mesh Registry identifies Plant A as the data owner
- The query is routed via MCP to Plant A's Conduit Core
- Plant A executes the query against its local translators
- Results return to Plant B
For real-time data, the hub automatically forwards NATS messages based on subscription interest — no explicit query routing needed.
Security
All cross-plant connections use mTLS:
- Each plant has its own TLS certificate
- The hub verifies client certificates against a shared CA
- Certificate rotation is supported without service restarts
- The NatsTlsService monitors certificate expiry and alerts
Next Steps
- Mesh Routing Fabric — Architecture deep-dive
- Deployment — Production deployment guide