refactor: replace galactic-agent with galactic-router (controller-runtime)

Replace the gRPC-based galactic-agent DaemonSet with a controller-runtime based galactic-router.

Key changes:

- Remove internal/agent, internal/bootstrap, internal/gobgp packages
- Add internal/controller with BGPRouter, BGPPeer, BGPAdvertisement, BGPPolicy, Secret, Node reconcilers
- Add internal/reconcile for CRD-to-DesiredRouter translation
- Add internal/runtime with RuntimeFactory pattern (GoBGP tenant, FRR fabric stub)
- Add internal/model for internal BGP types and internal/hash for change detection
- Update deployment manifests, Dockerfile, containerlab config, and docs
- Switch health probes to gRPC on port 5000; remove HTTP health and webhook ports
- GoBGP starts lazily on first BGPRouter reconcile (listenPort=-1, outbound-only)
- Hash-based no-op suppression prevents redundant GoBGP Apply calls

Author: privateip

.devcontainer/galactic/README.md

@@ -62,8 +62,7 @@ The devcontainer includes the following extensions:
 
 ### Forwarded Ports
 - **8080** - Metrics endpoint
-- **8081** - Health check endpoint
-- **9443** - Webhook server
+- **5000** - gRPC health endpoint (liveness/readiness probes)
 
 ## Capabilities
 

.devcontainer/galactic/devcontainer.json

@@ -107,18 +107,14 @@
 			}
 		}
 	},
-	"forwardPorts": [8080, 8081, 9443],
+	"forwardPorts": [8080, 5000],
 	"portsAttributes": {
 		"8080": {
 			"label": "Metrics",
 			"onAutoForward": "silent"
 		},
-		"8081": {
-			"label": "Health",
-			"onAutoForward": "silent"
-		},
-		"9443": {
-			"label": "Webhook",
+		"5000": {
+			"label": "gRPC Health",
 			"onAutoForward": "silent"
 		}
 	},

AGENTS.md

@@ -6,33 +6,36 @@ See [ARCHITECTURE.md](ARCHITECTURE.md) for a full architecture reference includi
 
 ## Purpose & Architecture
 
-Galactic is the SRv6 data plane for multi-cloud VPC networking. It consists of a DaemonSet agent (`internal/agent/`) that manages kernel SRv6 routes and VRFs per node, and a CNI plugin (`internal/cni/`) that wires containers into VPC networks. VPC and VPCAttachment CRD management lives in a separate operator project; Galactic receives pre-populated identifiers through the CNI config and acts on them. BGP is used as the control plane for distributing SRv6 routes between agents.
+Galactic is the SRv6 data plane for multi-cloud VPC networking. It consists of a controller-runtime reconciler (`cmd/galactic-router/`) that watches Cosmos BGP CRDs and drives an embedded GoBGP server per node, and a CNI plugin (`internal/cni/`) that wires containers into VPC networks. VPC and VPCAttachment CRD management lives in a separate operator project; Galactic receives pre-populated identifiers through the CNI config and acts on them.
 
-**Data flow:** CNI invoked with pre-populated VPC/VPCAttachment identifiers → gRPC registers endpoint with agent → agent manages SRv6 ingress routes locally → BGP distributes SRv6 routes between agents.
+**Data flow:** CNI invoked with pre-populated VPC/VPCAttachment identifiers → CNI creates kernel SRv6 state (VRF, veth, ingress route) and writes a `BGPAdvertisement` CRD → `galactic-router` reconciles the CRD → GoBGP advertises the EVPN path → BGP distributes routes between nodes.
 
 **Non-obvious decisions:**
 - VPC identifiers are 48-bit hex; VPCAttachment identifiers are 16-bit hex. These are embedded into IPv6 SRv6 endpoint addresses for deterministic route lookups. Both are supplied by an external operator via the CNI config.
 - Identifiers are also Base62-encoded for interface naming (VRF: `vrfX-Y`, veth host side: `galX-Y`) to keep kernel interface name length within limits.
-- `galactic-cni` is a pure CNI plugin; `main()` calls `cni.RunPlugin()` directly with no CLI layer. `galactic-agent` uses flag parsing for its configuration flags.
+- `galactic-cni` is a pure CNI plugin; `main()` calls `cni.RunPlugin()` directly with no CLI layer. `galactic-router` uses environment variables (`NODE_NAME`, `ROUTER_ROLE`) for its configuration.
 - The Kubernetes operator, VPC/VPCAttachment CRDs, and webhook code have been removed from this repository. They live in a separate companion operator project.
+- GoBGP starts lazily on the first `BGPRouter` reconcile (`listenPort=-1`, outbound-only). ASN or RouterID changes trigger a full `Reconfigure`.
+- Liveness and readiness probes use the gRPC health protocol on port 5000. There is no HTTP health endpoint.
 
 ## Tech Stack
 
-- **Go 1.26** — agent and CNI plugin
+- **Go 1.26** — router and CNI plugin
+- **controller-runtime** — BGPRouter/BGPPeer/BGPAdvertisement/BGPPolicy reconcilers
+- **Cosmos BGP API** (`bgp.miloapis.com/v1alpha1`) — BGPRouter, BGPPeer, BGPAdvertisement, BGPPolicy CRDs
 - **Multus CNI** — multi-network for pods; NAD generation is handled by the external operator
-- **gRPC + protobuf** — CNI-to-agent local communication
 - **SRv6 + netlink** — kernel-level routing; `github.com/vishvananda/netlink`
-- **BGP** — control plane for SRv6 route distribution between agents (in progress)
+- **GoBGP v4** — embedded BGP server for the tenant role
 
 ## Development Workflow
 
 ```
-task build          # produces bin/galactic
+task build          # produces bin/galactic-cni and bin/galactic-router
 task test           # runs test:unit then test:e2e
 task test:unit      # unit tests with race detection
 task test:e2e       # Kind cluster lifecycle test
 task lint           # golangci-lint; lint-fix applies safe auto-fixes
-task run-agent      # run agent (requires root / CAP_NET_ADMIN)
+task run-router     # run galactic-router (requires root / CAP_NET_ADMIN)
 ```
 
 **Before every PR:** `task lint test`.
@@ -47,13 +50,14 @@ Summary:
 
 ## Deployments
 
-- **`deploy/galactic-agent/`** — Kustomize manifests for the agent DaemonSet, RBAC, and ServiceAccount. Apply with `kubectl apply -k deploy/galactic-agent/`.
-- **`deploy/containerlab/`** — ContainerLab topology (`gvpc.clab.yaml`) for three Kind clusters (iad, sjc, infra) wired over an IPv6 SRv6 transit mesh. FRR runs as a hostNetwork DaemonSet on each worker for eBGP underlay; GoBGP handles L3VPN type-5 routes over iBGP to the infra route reflector. See `deploy/containerlab/README.md` and `deploy/containerlab/Taskfile.yaml` for bring-up commands.
+- **`deploy/galactic-router/`** — Kustomize manifests for the router DaemonSet, RBAC, and ServiceAccount. Apply with `kubectl apply -k deploy/galactic-router/`.
+- **`deploy/containerlab/`** — ContainerLab topology (`gvpc.clab.yaml`) for three Kind clusters (iad, sjc, infra) wired over an IPv6 SRv6 transit mesh. FRR runs as a hostNetwork DaemonSet on each worker for eBGP underlay; `galactic-router` (tenant role) handles EVPN path distribution over iBGP. See `deploy/containerlab/README.md` and `deploy/containerlab/Taskfile.yaml` for bring-up commands.
 
 ## New Developer Entry Points
 
 1. Run `task build` to verify toolchain; run `task test` to confirm unit tests pass.
-2. Read `internal/cni/cni.go` (cmdAdd/cmdDel) to understand the container attach path.
-3. Read `internal/plumbing/intf/intf.go` to understand SRv6 endpoint encoding, interface naming, and base62↔hex conversion.
-4. Read `internal/plumbing/srv6/srv6.go` to understand kernel SRv6 ingress route management.
-5. Explore `internal/plumbing/` for shared kernel and network primitives (VRF, sysctl, interface naming, SRv6).
+2. Read `internal/cni/cni.go` (cmdAdd/cmdDel) to understand the container attach path and how `BGPAdvertisement` CRDs are created.
+3. Read `internal/reconcile/reconcile.go` to understand how Cosmos CRDs are translated into a `DesiredRouter`.
+4. Read `internal/runtime/gobgp/runtime.go` to understand how `DesiredRouter` is applied to GoBGP.
+5. Read `internal/plumbing/intf/intf.go` to understand SRv6 endpoint encoding, interface naming, and base62↔hex conversion.
+6. Explore `internal/plumbing/` for shared kernel and network primitives (VRF, sysctl, interface naming, SRv6).

ARCHITECTURE.md

@@ -2,25 +2,26 @@
 
 > Galactic is the SRv6 data plane for multi-cloud VPC networking, deployed as two
 > binaries on each Kubernetes node: a CNI plugin that attaches containers to VPC
-> networks, and an agent that manages kernel SRv6 routes and distributes EVPN
-> (L2VPN/EVPN AFI/SAFI) paths via an embedded GoBGP server.
+> networks, and a router that reconciles Cosmos BGP CRDs and drives an embedded
+> GoBGP server to distribute EVPN (L2VPN/EVPN AFI/SAFI) paths between nodes.
 
-_Last updated: 2026-06-14_
+_Last updated: 2026-06-19_
 
 ---
 
 ## Overview
 
 Galactic implements VPC isolation and cross-cluster reachability using Linux SRv6.
 When a pod is attached to a VPC, the CNI plugin creates the required kernel state
-(VRF, veth pair, SRv6 ingress route) and injects EVPN paths into the
-node-local GoBGP daemon. GoBGP distributes those paths to a BGP route reflector,
-enabling pods on different nodes or clusters to reach each other via
-SRv6-encapsulated traffic.
+(VRF, veth pair, SRv6 ingress route) and writes a `BGPAdvertisement` CRD.
+`galactic-router` watches that CRD and injects the EVPN path into the node-local
+GoBGP server. GoBGP distributes the path to a BGP route reflector, enabling pods
+on different nodes or clusters to reach each other via SRv6-encapsulated traffic.
 
 VPC and VPCAttachment CRDs are owned by a separate companion operator
 (`go.miloapis.com/cosmos`). Galactic receives pre-populated identifiers through the
-CNI config and acts on them without running its own CRD controllers.
+CNI config and acts on them. `galactic-router` reconciles BGP CRDs from the same
+cosmos API group directly — no gRPC sidecar, no provider CRD lifecycle.
 
 ### SRv6 SID encoding
 
@@ -40,26 +41,32 @@ enabling automatic cross-node path import without explicit RT configuration.
 ```
 galactic/
 ├── cmd/
-│   ├── galactic-cni/    # CNI binary
-│   └── galactic-agent/  # Agent binary
+│   ├── galactic-cni/        # CNI binary
+│   └── galactic-router/     # Router binary (controller-runtime reconciler)
 ├── internal/
-│   ├── agent/           # Agent run loop; wires GoBGP, health, metrics, bootstrap
-│   ├── bootstrap/       # BGPProvider CR lifecycle (create on start, delete on stop)
-│   ├── cni/             # CNI cmdAdd / cmdDel
-│   │   ├── route/       # Host-side static routes via netlink
-│   │   └── veth/        # veth pair management
-│   ├── gobgp/           # Embedded GoBGP server lifecycle
-│   ├── metrics/         # Prometheus metrics (galactic_agent_*)
-│   └── plumbing/        # Low-level kernel and network primitives
-│       ├── intf/        # Interface naming, base62↔hex encoding, SRv6 endpoint encode/decode
-│       ├── srv6/        # SRv6 ingress route add/del (END.DT46)
-│       ├── sysctl/      # Interface sysctl helpers
-│       └── vrf/         # Linux VRF create/delete/lookup
+│   ├── controller/          # controller-runtime reconcilers (BGPRouter, BGPPeer,
+│   │                        #   BGPAdvertisement, BGPPolicy, Secret, Node)
+│   ├── reconcile/           # CRD → DesiredRouter translation (node/role checks,
+│   │                        #   secret resolution, IPv6 next-hop from Node)
+│   ├── runtime/             # RouterRuntime interface + RuntimeManager
+│   │   ├── gobgp/           # GoBGP RouterRuntime (tenant role)
+│   │   └── frr/             # FRR RouterRuntime stub (fabric role, Phase 2)
+│   ├── model/               # DesiredRouter and family; re-exports cosmos enums
+│   ├── hash/                # SHA-256 change detection over DesiredRouter
+│   ├── metrics/             # Prometheus metrics (galactic_router_*)
+│   ├── cni/                 # CNI cmdAdd / cmdDel
+│   │   ├── route/           # Host-side static routes via netlink
+│   │   └── veth/            # veth pair management
+│   └── plumbing/            # Low-level kernel and network primitives
+│       ├── intf/            # Interface naming, base62↔hex encoding, SRv6 endpoint encode/decode
+│       ├── srv6/            # SRv6 ingress route add/del (END.DT46)
+│       ├── sysctl/          # Interface sysctl helpers
+│       └── vrf/             # Linux VRF create/delete/lookup
 ├── deploy/
-│   ├── galactic-agent/  # Kustomize: DaemonSet, RBAC, ServiceAccount
-│   └── containerlab/    # ContainerLab lab topology and scripts
+│   ├── galactic-router/     # Kustomize: DaemonSet, RBAC, ServiceAccount
+│   └── containerlab/        # ContainerLab lab topology and scripts
 └── containers/
-    └── galactic/        # Production Dockerfile (builds galactic CNI binary)
+    └── galactic/            # Production Dockerfile
 ```
 
 ---
@@ -68,18 +75,21 @@ galactic/
 
 See [docs/cni-sequence.md](docs/cni-sequence.md) for the full CNI ADD/DEL sequence diagram.
 
-See [docs/agent-startup.md](docs/agent-startup.md) for the agent startup sequence diagram.
+See [docs/agent-startup.md](docs/agent-startup.md) for the router startup sequence diagram.
 
 ---
 
 ## Components
 
 | Component | Binary | Role |
 |-----------|--------|------|
-| `internal/agent` | `galactic-agent` | Run loop; wires GoBGP, health, metrics, bootstrap |
-| `internal/bootstrap` | `galactic-agent` | BGPProvider CR lifecycle |
-| `internal/gobgp` | `galactic-agent` | Embedded GoBGP server |
-| `internal/metrics` | `galactic-agent` | Prometheus metrics |
+| `internal/controller` | `galactic-router` | controller-runtime reconcilers; field index registration; CRD status helpers |
+| `internal/reconcile` | `galactic-router` | CRD → DesiredRouter translation |
+| `internal/runtime/gobgp` | `galactic-router` | Embedded GoBGP server (tenant role) |
+| `internal/runtime/frr` | `galactic-router` | FRR stub (fabric role, Phase 2) |
+| `internal/model` | `galactic-router` | Internal BGP model types |
+| `internal/hash` | `galactic-router` | Change detection |
+| `internal/metrics` | `galactic-router` | Prometheus metrics |
 | `internal/cni` | `galactic-cni` | CNI cmdAdd / cmdDel |
 | `internal/plumbing/intf` | both | Interface naming, base62↔hex encoding, SRv6 endpoint encode/decode |
 | `internal/plumbing/srv6` | both | SRv6 ingress route add/del (END.DT46) |
@@ -92,12 +102,16 @@ See [docs/agent-startup.md](docs/agent-startup.md) for the agent startup sequenc
 
 - **Identifiers in the SID.** VPC (48-bit) and VPCAttachment (16-bit) identifiers are packed into the low 64 bits of the SRv6 SID, making forwarding state fully self-describing without a lookup table.
 - **Base62 interface names.** Kernel interface names are Base62-encoded to stay within the 15-character limit (`vrfX-Y`, `galX-Y`). The hex form is used for BGP and SRv6; base62 for kernel interfaces.
-- **GoBGP embedded, not sidecar.** GoBGP runs in-process so the agent owns its lifecycle and can gate readiness on BGP availability. Peer and policy config is applied by the cosmos operator via `BGPProvider` / `BGPInstance` / `BGPPeer` CRDs. The provider advertises `L2VPN/EVPN` (AFI=25, SAFI=70) as its sole address family capability.
-- **CNI binary auto-detects mode.** The `galactic-cni` binary runs as both the CNI plugin (when `CNI_COMMAND` is set) and a CLI tool. This avoids shipping two separate binaries on the node.
+- **GoBGP embedded, lazy-started.** GoBGP runs in-process and starts only when the first `BGPRouter` is reconciled (`listenPort=-1`, outbound-only). ASN or RouterID changes trigger a full `Reconfigure` (fresh `BgpServer` — `StopBgp` is not called because it permanently terminates the v4 Serve loop).
+- **CRD-driven config, no sidecar gRPC.** `galactic-router` watches cosmos BGP CRDs directly via controller-runtime. The CNI writes a `BGPAdvertisement` CRD; the router reconciler picks it up. No in-node gRPC calls.
+- **Hash-based no-op suppression.** SHA-256 over the sorted `DesiredRouter` prevents redundant GoBGP Apply calls on every CRD event touch.
+- **RuntimeFactory pattern.** `ROUTER_ROLE=tenant` selects GoBGP; `ROUTER_ROLE=fabric` selects FRR (Phase 2 stub). The binary is selected at startup; no controller changes are needed for Phase 2.
+- **gRPC health on :5000.** Liveness and readiness probes use the gRPC health protocol (`google.golang.org/grpc/health`) on port 5000. No HTTP health endpoint.
 
 ---
 
 ## Known Constraints
 
-- **GoBGP RIB is ephemeral.** All BGP state is in-process memory. On restart, sessions and paths must be re-established. The cosmos operator is responsible for re-applying config.
-- **No kernel-path unit tests.** `internal/cni`, `internal/plumbing/srv6`, and `internal/plumbing/vrf` require `CAP_NET_ADMIN` and a real kernel. `internal/plumbing/intf` is fully unit-testable (pure functions only). Coverage comes from the e2e suite (`task ci:e2etest`), which only runs on `main` and release tags.
+- **GoBGP RIB is ephemeral.** All BGP state is in-process memory. On restart, sessions and paths must be re-established from CRD state; controller-runtime's reconcile loop handles this automatically.
+- **EVPN Type 5 deferred.** `BGPAdvertisement` does not carry a Route Distinguisher field in the current cosmos API. `galactic-router` returns `ErrMissingRouteDistinguisher` for l2vpn/evpn advertisements and sets `Accepted=False` on the CRD.
+- **No kernel-path unit tests.** `internal/cni`, `internal/plumbing/srv6`, and `internal/plumbing/vrf` require `CAP_NET_ADMIN` and a real kernel. `internal/plumbing/intf` is fully unit-testable (pure functions only). Coverage comes from the e2e suite (`task test:e2e`).

CONVENTIONS.md

@@ -10,13 +10,14 @@ This document defines the coding standards, naming rules, error handling pattern
 
 - Module: `go.datum.net/galactic`
 - `cmd/galactic-cni/main.go` — CNI plugin entry point; calls `cni.RunPlugin()` directly
-- `cmd/galactic-agent/main.go` — agent entry point; parses flags and calls `agent.Run()`
-- `internal/plumbing/` — low-level kernel and network primitives shared between agent and CNI (`intf`, `srv6`, `sysctl`, `vrf`)
-- `internal/agent/` — agent entry point and gRPC server
+- `cmd/galactic-router/main.go` — router entry point; reads `NODE_NAME` and `ROUTER_ROLE` env vars, starts controller-runtime manager
+- `internal/plumbing/` — low-level kernel and network primitives shared between router and CNI (`intf`, `srv6`, `sysctl`, `vrf`)
+- `internal/controller/` — controller-runtime reconcilers (BGPRouter, BGPPeer, BGPAdvertisement, BGPPolicy, Secret, Node); also contains field index registration (`indexer.go`) and CRD status helpers (`status.go`)
+- `internal/reconcile/` — CRD → DesiredRouter translation
+- `internal/runtime/` — RouterRuntime interface; `gobgp/` (tenant) and `frr/` (fabric stub)
 - `internal/cni/` — CNI plugin (cmdAdd / cmdDel implementation)
-- `internal/cmd/version/` — ldflags variables (Version, GitCommit, etc.) set at build time
-- `internal/gobgp/` — embedded GoBGP server lifecycle
-- `internal/bootstrap/` — agent startup sequencing (BGPProvider resource management)
+- `internal/model/` — internal BGP model types
+- `internal/hash/` — SHA-256 change detection over DesiredRouter
 - `internal/metrics/` — Prometheus metrics registration
 
 Place new code in `internal/` unless it must be imported by an external caller. Prefer creating a focused sub-package over adding to an existing large one.

Taskfile.yaml

@@ -96,7 +96,7 @@ tasks:
         -X go.datum.net/galactic/internal/metadata.BuildDate={{.BUILD_DATE}}
     cmds:
       - go build -ldflags "{{.LDFLAGS}}" -o bin/galactic-cni cmd/galactic-cni/main.go
-      - go build -ldflags "{{.LDFLAGS}}" -o bin/galactic-agent cmd/galactic-agent/main.go
+      - go build -ldflags "{{.LDFLAGS}}" -o bin/galactic-router cmd/galactic-router/main.go
 
   docker-build:
     desc: Build container image