Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
defiQUG
2025-12-12 18:01:35 -08:00
parent e01131efaf
commit 9daf1fd378
968 changed files with 160890 additions and 1092 deletions

@@ -0,0 +1,230 @@
# Network Infrastructure Management
Comprehensive management tools for network infrastructure including switches, routers, VLANs, and network topology.
## Overview
This directory contains management components for network infrastructure across Sankofa Phoenix sites, including:
- **Switches**: Configuration management for network switches
- **Routers**: Router configuration and routing protocol management
- **VLANs**: VLAN configuration and tracking
- **Topology**: Network topology discovery and visualization
## Components
### Switches (`switches/`)
Switch management tools for:
- VLAN configuration
- Port configuration
- Trunk/LAG setup
- STP configuration
- Port security
- SNMP monitoring
### Routers (`routers/`)
Router management tools for:
- Routing table management
- BGP/OSPF configuration
- Firewall rules
- NAT configuration
- VPN tunnels
- Interface configuration
### VLANs (`vlans/`)
VLAN management for:
- VLAN creation and deletion
- VLAN assignment to ports
- VLAN trunking
- Inter-VLAN routing
- VLAN tracking across sites
## Usage
### Switch Configuration
```bash
# Configure switch VLAN
./switches/configure-vlan.sh \
--switch switch-01 \
--vlan 100 \
--name "Employee-Network" \
--ports "1-24"
# Configure trunk port
./switches/configure-trunk.sh \
--switch switch-01 \
--port 25 \
--vlans "100,200,300"
```
### Router Configuration
```bash
# Configure BGP
./routers/configure-bgp.sh \
--router router-01 \
--asn 65001 \
--neighbor 10.0.0.1 \
--remote-asn 65000
# Configure OSPF
./routers/configure-ospf.sh \
--router router-01 \
--area 0 \
--network 10.1.0.0/24
```
### VLAN Management
```bash
# Create VLAN
./vlans/create-vlan.sh \
--vlan 100 \
--name "Employee-Network" \
--description "Employee network segment"
# Assign VLAN to switch port
./vlans/assign-vlan.sh \
--switch switch-01 \
--port 10 \
--vlan 100
```
## Network Topology
### Discovery
```bash
# Discover network topology
./discover-topology.sh --site us-east-1
# Export topology
./export-topology.sh --format graphviz --output topology.dot
```
### Visualization
Network topology can be visualized using:
- Graphviz
- D3.js
- React Flow (in Portal)
## Integration with Omada
Network management integrates with TP-Link Omada for:
- Unified network policy management
- Centralized VLAN configuration
- Network analytics
See [Omada Management](../omada/README.md) for details.
## Configuration
### Switch Configuration
```yaml
switches:
- name: switch-01
model: TP-Link T1600G
ip: 10.1.0.1
vlans:
- id: 100
name: Employee-Network
ports: [1-24]
- id: 200
name: Guest-Network
ports: [25-48]
trunks:
- port: 49
vlans: [100, 200, 300]
```
### Router Configuration
```yaml
routers:
- name: router-01
model: TP-Link ER7206
ip: 10.1.0.254
bgp:
asn: 65001
neighbors:
- ip: 10.0.0.1
asn: 65000
ospf:
area: 0
networks:
- 10.1.0.0/24
- 10.2.0.0/24
```
### VLAN Configuration
```yaml
vlans:
- id: 100
name: Employee-Network
description: Employee network segment
subnet: 10.1.100.0/24
gateway: 10.1.100.1
dhcp: true
switches:
- switch-01: [1-24]
- switch-02: [1-24]
- id: 200
name: Guest-Network
description: Guest network segment
subnet: 10.1.200.0/24
gateway: 10.1.200.1
dhcp: true
isolation: true
```
## Monitoring
Network monitoring includes:
- SNMP monitoring for switches and routers
- Flow monitoring (NetFlow/sFlow)
- Network performance metrics
- Topology change detection
See [Monitoring](../monitoring/README.md) for details.
## Security
- Network segmentation via VLANs
- Port security on switches
- Firewall rules on routers
- Network access control
- Regular security audits
## Troubleshooting
### Common Issues
**Switch connectivity:**
```bash
./switches/test-connectivity.sh --switch switch-01
```
**VLAN issues:**
```bash
./vlans/diagnose-vlan.sh --vlan 100
```
**Routing problems:**
```bash
./routers/diagnose-routing.sh --router router-01
```
## Related Documentation
- [Omada Management](../omada/README.md)
- [System Architecture](../../docs/system_architecture.md)
- [Infrastructure Management](../README.md)
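Review bot: the Security section (the bullets from "Network segmentation via VLANs" to "Regular security audits") and the Usage examples never say how device management and routing sessions are authenticated, and that is the part an operator has to get right. The `configure-bgp.sh` example takes only `--asn`, `--neighbor` and `--remote-asn`, so the README should state whether the script sets a neighbor password (TCP MD5 or TCP-AO) and a maximum-prefix limit, or where those are configured instead; likewise the "SNMP monitoring" bullet and the `ip:` fields for `switch-01` (10.1.0.1) and `router-01` (10.1.0.254) should name the required SNMP version (v3 with authPriv rather than v1/v2c community strings) and the management VLAN used to reach those addresses. The `isolation: true` flag appears only on the Guest VLAN; document what it does (client isolation inside the VLAN versus blocking inter-VLAN routing) so readers can decide whether the Employee VLAN needs it as well.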

@@ -0,0 +1,144 @@
# Network Policies for DoD/MilSpec Compliance
#
# Implements network segmentation per:
# - NIST SP 800-53: SC-7 (Boundary Protection)
# - NIST SP 800-171: 3.13.1 (Network Segmentation)
#
# Zero Trust network architecture with micro-segmentation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-default
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
# Deny all traffic by default (whitelist approach)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow-ingress
namespace: default
spec:
podSelector:
matchLabels:
app: sankofa-api
policyTypes:
- Ingress
- Egress
ingress:
# Allow ingress from ingress controller only
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: ingress-nginx
ports:
- protocol: TCP
port: 4000
egress:
# Allow egress to database
- to:
- namespaceSelector:
matchLabels:
name: database
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
# Allow egress to Keycloak
- to:
- namespaceSelector:
matchLabels:
name: identity
- podSelector:
matchLabels:
app: keycloak
ports:
- protocol: TCP
port: 8080
# Allow DNS
- to:
- namespaceSelector:
matchLabels:
name: kube-system
- podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database-isolate
namespace: database
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
- Egress
ingress:
# Only allow from API namespace
- from:
- namespaceSelector:
matchLabels:
name: default
podSelector:
matchLabels:
app: sankofa-api
ports:
- protocol: TCP
port: 5432
egress:
# Deny all egress (database should not initiate connections)
- {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: classification-based-segmentation
namespace: default
spec:
podSelector:
matchLabels:
classification: classified
policyTypes:
- Ingress
- Egress
ingress:
# Only allow from same classification level or higher
- from:
- podSelector:
matchLabels:
classification: classified
- podSelector:
matchLabels:
classification: secret
- podSelector:
matchLabels:
classification: top-secret
egress:
# Restricted egress for classified data
- to:
- podSelector:
matchLabels:
classification: classified
- podSelector:
matchLabels:
classification: secret
- podSelector:
matchLabels:
classification: top-secret
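Review bot: the `egress:` block of `database-isolate` does not deny egress as its comment claims. An egress list containing a single empty rule (`- {}`) matches every destination, so with `Egress` listed in `policyTypes` this policy allows all outbound traffic from the `app: postgres` pods; to deny all egress, keep `- Egress` in `policyTypes` and drop the `egress:` key entirely (or set `egress: []`). Second, in `api-allow-ingress` every `from:`/`to:` entry lists `namespaceSelector` and `podSelector` as separate list items (`- namespaceSelector:` followed by `- podSelector:`), which ORs them: the ingress rule admits any pod in the `ingress-nginx` namespace plus any pod labelled `app: ingress-nginx` in `default`, and the egress rules likewise open the whole `database`, `identity` and `kube-system` namespaces on those ports rather than only postgres, Keycloak and kube-dns. The `database-isolate` ingress rule shows the intended shape, with `podSelector` nested under the same item as `namespaceSelector`; apply that form to every peer in this file. Smaller points: the namespace selectors key on a `name:` label that has to be applied by hand (the label Kubernetes sets automatically is `kubernetes.io/metadata.name`), DNS egress should also permit TCP port 53, `deny-all-default` covers only the `default` namespace so `database`, `identity` and `ingress-nginx` need their own default-deny policies, and `classification-based-segmentation` specifies no `ports:` and trusts a `classification` label that anyone able to create pods in `default` can set, so it needs an admission policy to be meaningful.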