Multi-tenant administration APIs with Kubernetes-native deployment and WebAuthn authentication
Important
Under active development. Not production-ready.

```bash
git clone https://github.com/inferadb/control && cd control
docker-compose up -d
export INFERADB_CTRL__AUTH__KEY_ENCRYPTION_SECRET=$(openssl rand -base64 32)
mise trust && mise install
cargo run --bin inferadb-control
```

Register and login:

```bash
# Register
curl -X POST http://localhost:9090/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "password": "securepass123", "name": "Alice"}'

# Login
curl -X POST http://localhost:9090/v1/auth/login/password \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "password": "securepass123"}'
```

| Endpoint | URL |
|---|---|
| REST API | http://localhost:9090 |
| gRPC API | http://localhost:9091 |
| Mesh API | http://localhost:9092 |
| Health | http://localhost:9090/healthz |
| Metrics | http://localhost:9090/metrics |

| Feature | Description |
|---|---|
| Authentication | Password, passkey, OAuth, email verification |
| Multi-Tenancy | Organization-based isolation with RBAC |
| Vault Management | Policy containers with access grants |
| Client Auth | Ed25519 certificates, JWT assertions |
| Token Issuance | Vault-scoped JWTs for Engine API |

| Entity | Description |
|---|---|
| User | Account with auth methods (password, passkey) |
| Organization | Workspace with members and roles |
| Vault | Authorization policy container |
| Client | Service identity with Ed25519 certs |
| Team | Group-based vault access |

Auth Flow: User → Session → Vault access → JWT → Engine API

```mermaid
graph TD
    Bin[inferadb-control] --> API[inferadb-control-api]
    Bin --> Config[inferadb-control-config]
    API --> Core[inferadb-control-core]
    Core --> Config
    Core --> Storage[inferadb-control-storage]
    Storage --> SharedStorage[inferadb-storage]
    SharedStorage --> Memory[(Memory)]
    SharedStorage --> StorageLedger[inferadb-storage-ledger]
    StorageLedger --> Ledger[(InferaDB Ledger)]
    Core --> Engine[inferadb-control-engine-client]
```

| Crate | Purpose |
|---|---|
| inferadb-control | Binary entrypoint |
| inferadb-control-api | REST/gRPC handlers |
| inferadb-control-config | Configuration loading |
| inferadb-control-const | Shared constants |
| inferadb-control-core | Business logic, entities |
| inferadb-control-storage | Repositories + storage factory |
| inferadb-control-types | Shared type definitions |
| inferadb-control-engine-client | Engine API client |

| Crate | Purpose |
|---|---|
| inferadb-storage | Generic StorageBackend trait + MemoryBackend |
| inferadb-storage-ledger | Ledger-backed StorageBackend implementation |

```yaml
control:
  listen:
    http: "0.0.0.0:9090"
    grpc: "0.0.0.0:9091"
    mesh: "0.0.0.0:9092"

  # Storage: "memory" (dev) or "ledger" (production)
  storage: "ledger"

  # Ledger configuration (requires --features ledger)
  ledger:
    endpoint: "http://ledger.inferadb:50051"
    client_id: "control-prod-001"
    namespace_id: 1
    vault_id: 1 # optional

  webauthn:
    party: "localhost"
    origin: "http://localhost:9090"
```

Environment variables use the `INFERADB_CTRL__` prefix, with double underscores for nesting:

| Variable | Description | Example |
|---|---|---|
| `INFERADB_CTRL__LISTEN__HTTP` | HTTP listen address | 0.0.0.0:9090 |
| `INFERADB_CTRL__STORAGE` | Storage backend | ledger |
| `INFERADB_CTRL__LEDGER__ENDPOINT` | Ledger server URL | http://ledger:50051 |
| `INFERADB_CTRL__LEDGER__CLIENT_ID` | Client ID for idempotency | control-001 |
| `INFERADB_CTRL__LEDGER__NAMESPACE_ID` | Namespace for data scoping | 1 |
| `INFERADB_CTRL__LEDGER__VAULT_ID` | Vault for finer scoping | 1 |

See config.yaml for all options.
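
The naming rule and the `webauthn` settings above, as an added preflight check (example code, not part of InferaDB; the function names are hypothetical). It assumes `webauthn.party` is the relying-party ID and applies the standard WebAuthn rules: the relying-party ID must equal the origin host or be a parent domain of it, and the origin must be a secure context.

```rust
// Added example: preflight checks for the settings above (not InferaDB code).

/// Map an environment variable to its config path using the page's rule:
/// `INFERADB_CTRL__` prefix, `__` between nesting levels. A single `_`
/// stays inside the key, so CLIENT_ID becomes client_id.
fn config_path(var: &str) -> Option<String> {
    let rest = var.strip_prefix("INFERADB_CTRL__")?;
    let parts: Vec<String> = rest.split("__").map(|p| p.to_ascii_lowercase()).collect();
    if parts.iter().any(|p| p.is_empty()) {
        return None; // nothing after the prefix, or an empty level
    }
    Some(parts.join("."))
}

/// Check `webauthn.party` (assumed to be the relying-party ID) against
/// `webauthn.origin`. No public-suffix lookup, no IPv6 literal support.
fn check_webauthn(party: &str, origin: &str) -> Result<(), String> {
    let (scheme, rest) = origin.split_once("://").ok_or("origin has no scheme")?;
    let authority = rest.split('/').next().unwrap_or("");
    let host = authority.rsplit_once(':').map_or(authority, |(h, _)| h).to_ascii_lowercase();
    let party = party.to_ascii_lowercase();
    if host.is_empty() || party.is_empty() {
        return Err("empty host or party".into());
    }
    // Secure context: https, or plain http only for localhost development.
    if scheme != "https" && !(scheme == "http" && host == "localhost") {
        return Err(format!("origin {origin} is not a secure context"));
    }
    // The RP ID must equal the host or be a parent domain on a label boundary.
    if host != party && !host.ends_with(&format!(".{party}")) {
        return Err(format!("party {party} does not cover host {host}"));
    }
    Ok(())
}

fn main() {
    // Constructed inputs: names and values modelled on the page's config and Helm flags.
    for var in ["INFERADB_CTRL__LEDGER__CLIENT_ID", "INFERADB_CTRL_STORAGE"] {
        println!("{var} -> {:?}", config_path(var));
    }
    let cases = [
        ("localhost", "http://localhost:9090"),
        ("example.com", "https://app.example.com"),
        ("example.com", "http://app.example.com"),
        ("example.com", "https://evilexample.com"),
    ];
    for (party, origin) in cases {
        println!("{party} + {origin}: {:?}", check_webauthn(party, origin));
    }
}
```

A name written with a single underscore after `INFERADB_CTRL` does not match the prefix, so `config_path` returns `None` for it.
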

```bash
# Setup (one-time)
mise trust && mise install

# Run the control plane
cargo run --bin inferadb-control

# Run tests
cargo test --all-targets

# Format and lint
cargo +nightly fmt --all
cargo clippy --workspace --all-targets --all-features -- -D warnings

# Build release
cargo build --release
```

```bash
docker run -p 9090:9090 inferadb/control:latest
```

```bash
helm install inferadb-control ./helm \
  --namespace inferadb \
  --create-namespace \
  --set config.storage=ledger \
  --set config.ledger.endpoint=http://ledger.inferadb:50051 \
  --set config.webauthn.party=example.com \
  --set config.webauthn.origin=https://app.example.com
```

See helm/README.md for full configuration options.

| Topic | Link |
|---|---|
| Getting Started | docs/getting-started.md |
| Authentication | docs/authentication.md |
| Architecture | docs/architecture.md |
| API Reference | openapi.yaml |

Join us on Discord for questions, discussions, and contributions.

Dual-licensed under MIT or Apache 2.0.
